diff --git a/core/linux-odroid/kernel-CVE-2016-0728.patch b/core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
similarity index 88%
rename from core/linux-odroid/kernel-CVE-2016-0728.patch
rename to core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
index 49020d7db..b211efce5 100644
--- a/core/linux-odroid/kernel-CVE-2016-0728.patch
+++ b/core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
@@ -1,7 +1,7 @@
-From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001
+From a7c092a19768d6b6dbb5d4afea33136c4637d633 Mon Sep 17 00:00:00 2001
 From: Yevgeny Pats
 Date: Tue, 19 Jan 2016 22:09:04 +0000
-Subject: KEYS: Fix keyring ref leak in join_session_keyring()
+Subject: [PATCH 1/4] KEYS: Fix keyring ref leak in join_session_keyring()
 This fixes CVE-2016-0728.
@@ -65,10 +65,10 @@ Signed-off-by: James Morris
 1 file changed, 1 insertion(+)
 diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index a3f85d2..e6d50172 100644
+index 42defae..cd871dc 100644
 --- a/security/keys/process_keys.c
 +++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+@@ -792,6 +792,7 @@ long join_session_keyring(const char *name)
 ret = PTR_ERR(keyring);
 goto error2;
 } else if (keyring == new->session_keyring) {
@@ -77,5 +77,5 @@ index a3f85d2..e6d50172 100644
 goto error2;
 }
 --
-cgit v0.12
+2.10.1
diff --git a/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch b/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
new file mode 100644
index 000000000..c7a0dfe29
--- /dev/null
+++ b/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
@@ -0,0 +1,101 @@
+From 541267fab71436c4acb361f1557a881c3908b22e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 13 Oct 2016 13:07:36 -0700
+Subject: [PATCH 2/4] mm: remove gup_flags FOLL_WRITE games from
+ __get_user_pages()
+
+commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
+
+This is an ancient bug that was actually attempted to be fixed once
+(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
+get_user_pages() race for write access") but that was then undone due to
+problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
+
+In the meantime, the s390 situation has long been fixed, and we can now
+fix it by checking the pte_dirty() bit properly (and do it better). The
+s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
+software dirty bits") which made it into v3.9. Earlier kernels will
+have to look at the page state itself.
+
+Also, the VM has become more scalable, and what used a purely
+theoretical race back then has become easier to trigger.
+
+To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
+we already did a COW" rather than play racy games with FOLL_WRITE that
+is very fundamental, and then use the pte dirty flag to validate that
+the FOLL_COW flag is still valid.
+
+Reported-and-tested-by: Phil "not Paul" Oester
+Acked-by: Hugh Dickins
+Reviewed-by: Michal Hocko
+Cc: Andy Lutomirski
+Cc: Kees Cook
+Cc: Oleg Nesterov
+Cc: Willy Tarreau
+Cc: Nick Piggin
+Cc: Greg Thelen
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
+ s/faultin_page/__get_user_page]
+Signed-off-by: Willy Tarreau
+---
+ include/linux/mm.h | 2 ++
+ mm/memory.c | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index dbade0f..218be84 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1723,6 +1723,8 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address,
+ #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */
+ #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
+ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
++#define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
++#define FOLL_COW 0x4000 /* internal GUP flag */
+
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+diff --git a/mm/memory.c b/mm/memory.c
+index 4395fe8..326e9cd 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1458,6 +1458,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
+ }
+ EXPORT_SYMBOL_GPL(zap_vma_ptes);
+
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++ return pte_write(pte) ||
++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ /**
+ * follow_page - look up a page descriptor from a user-virtual address
+ * @vma: vm_area_struct mapping @address
+@@ -1544,7 +1554,7 @@ split_fallthrough:
+ goto no_page;
+ if ((flags & FOLL_NUMA) && pte_numa(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte))
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags))
+ goto unlock;
+
+ page = vm_normal_page(vma, address, pte);
+@@ -1847,7 +1857,7 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+ */
+ if ((ret & VM_FAULT_WRITE) &&
+ !(vma->vm_flags & VM_WRITE))
+- foll_flags &= ~FOLL_WRITE;
++ foll_flags |= FOLL_COW;
+
+ cond_resched();
+ }
+--
+2.10.1
+
diff --git a/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch b/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch
new file mode 100644
index 000000000..da1d417fa
--- /dev/null
+++ b/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch
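Review bot: `can_follow_write_pte()` trusts FOLL_COW to mean that a COW fault has already happened for this lookup, yet the new define in include/linux/mm.h documents it only as `/* internal GUP flag */`, which gives a later reader no reason not to pass it in from a caller. I would make the comment say so, for example `/* internal GUP flag: set by __get_user_pages() after a COW fault, never by callers */`. The same mm.h hunk also adds `FOLL_MIGRATION 0x400`, which no hunk in this patch uses and the upstream description does not mention; if it is there only to keep flag values aligned with later kernels, the `[wt: ...]` backport note should say that. The bodies of follow_page_mask() and __get_user_pages() lie outside the hunks, so whether another path in this 3.8 tree still clears FOLL_WRITE cannot be confirmed from what is shown.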
@@ -0,0 +1,35 @@
+From 33ec211a483dd5fdc9c590f624ea395a237a59f1 Mon Sep 17 00:00:00 2001
+From: Kevin Mihelich
+Date: Mon, 24 Oct 2016 19:33:31 -0600
+Subject: [PATCH 3/4] Revert "media/mfc: use shipped firmware paths"
+
+This reverts commit 6720e7ffffed9656b006553311b2d85abcd3f0b6.
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 6a1cef5..0da338c 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1293,7 +1293,7 @@ static struct s5p_mfc_variant mfc_drvdata_v5 = {
+ .buf_size = &buf_size_v5,
+ .buf_align = &mfc_buf_align_v5,
+ .mclk_name = "sclk_mfc",
+- .fw_name = "s5p-mfc/s5p-mfc.fw",
++ .fw_name = "s5p-mfc.fw",
+ };
+
+ struct s5p_mfc_buf_size_v6 mfc_buf_size_v6 = {
+@@ -1320,7 +1320,7 @@ static struct s5p_mfc_variant mfc_drvdata_v6 = {
+ .buf_size = &buf_size_v6,
+ .buf_align = &mfc_buf_align_v6,
+ .mclk_name = "aclk_333",
+- .fw_name = "s5p-mfc/s5p-mfc-v6.fw",
++ .fw_name = "s5p-mfc-v6.fw",
+ };
+
+ static struct platform_device_id mfc_driver_ids[] = {
+--
+2.10.1
+
diff --git a/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch b/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch
new file mode 100644
index 000000000..f1b29a0d0
--- /dev/null
+++ b/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch
@@ -0,0 +1,96 @@
+From 9610e2bda9ccee379887600bac748aeb13a61cbe Mon Sep 17 00:00:00 2001
+From: popcornmix
+Date: Tue, 26 Mar 2013 17:26:38 +0000
+Subject: [PATCH 4/4] Allow mac address to be set in smsc95xx
+
+Signed-off-by: popcornmix
+---
+ drivers/net/usb/smsc95xx.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 19a8db7..fdde874 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -54,6 +54,7 @@
+ #define FEATURE_8_WAKEUP_FILTERS (0x01)
+ #define FEATURE_PHY_NLP_CROSSOVER (0x02)
+ #define FEATURE_AUTOSUSPEND (0x04)
++#define MAC_ADDR_LEN (6)
+
+ struct smsc95xx_priv {
+ u32 mac_cr;
+@@ -129,6 +130,10 @@ int smsc95xx_read_mac_addr(unsigned char *mac)
+ }
+ #endif
+
++static char *macaddr = ":";
++module_param(macaddr, charp, 0);
++MODULE_PARM_DESC(macaddr, "MAC address");
++
+ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
+ u32 *data, int in_pm)
+ {
+@@ -836,8 +841,59 @@ static int smsc95xx_ioctl(struct net_device *netdev, struct ifreq *rq, int cmd)
+ return generic_mii_ioctl(&dev->mii, if_mii(rq), cmd, NULL);
+ }
+
++/* Check the macaddr module parameter for a MAC address */
++static int smsc95xx_is_macaddr_param(struct usbnet *dev, u8 *dev_mac)
++{
++ int i, j, got_num, num;
++ u8 mtbl[MAC_ADDR_LEN];
++
++ if (macaddr[0] == ':')
++ return 0;
++
++ i = 0;
++ j = 0;
++ num = 0;
++ got_num = 0;
++ while (j < MAC_ADDR_LEN) {
++ if (macaddr[i] && macaddr[i] != ':') {
++ got_num++;
++ if ('0' <= macaddr[i] && macaddr[i] <= '9')
++ num = num * 16 + macaddr[i] - '0';
++ else if ('A' <= macaddr[i] && macaddr[i] <= 'F')
++ num = num * 16 + 10 + macaddr[i] - 'A';
++ else if ('a' <= macaddr[i] && macaddr[i] <= 'f')
++ num = num * 16 + 10 + macaddr[i] - 'a';
++ else
++ break;
++ i++;
++ } else if (got_num == 2) {
++ mtbl[j++] = (u8) num;
++ num = 0;
++ got_num = 0;
++ i++;
++ } else {
++ break;
++ }
++ }
++
++ if (j == MAC_ADDR_LEN) {
++ netif_dbg(dev, ifup, dev->net, "Overriding MAC address with: "
++ "%02x:%02x:%02x:%02x:%02x:%02x\n", mtbl[0], mtbl[1], mtbl[2],
++ mtbl[3], mtbl[4], mtbl[5]);
++ for (i = 0; i < MAC_ADDR_LEN; i++)
++ dev_mac[i] = mtbl[i];
++ return 1;
++ } else {
++ return 0;
++ }
++}
++
+ static void smsc95xx_init_mac_address(struct usbnet *dev)
+ {
++ /* Check module parameters */
++ if (smsc95xx_is_macaddr_param(dev, dev->net->dev_addr))
++ return;
++
+ /* try reading mac address from EEPROM */
+ if (smsc95xx_read_eeprom(dev, EEPROM_MAC_OFFSET, ETH_ALEN,
+ dev->net->dev_addr) == 0) {
+--
+2.10.1
+
diff --git a/core/linux-odroid/PKGBUILD b/core/linux-odroid/PKGBUILD
index 2fa193682..45f28aa20 100644
--- a/core/linux-odroid/PKGBUILD
+++ b/core/linux-odroid/PKGBUILD
@@ -8,7 +8,7 @@ pkgname=('linux-odroid-x' 'linux-odroid-x2' 'linux-odroid-u2' 'linux-headers-odr
 _kernelname=${pkgname#linux}
 _basekernel=3.8
 pkgver=${_basekernel}.13.30
-pkgrel=4
+pkgrel=5
 arch=('armv7h')
 url="http://github.com/hardkernel/linux/"
 license=('GPL2')
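Review bot: In `smsc95xx_is_macaddr_param()` the `got_num == 2` branch is taken for the string terminator as well as for ':' and then still executes `i++`, so a `macaddr` value with fewer than six octets (a constructed example: `00:11`) makes the loop go on reading bytes beyond the end of the parameter string. Adding `if (!macaddr[i]) break;` immediately before that `i++` stops at the terminator and still accepts a complete six-octet value. The parsed bytes are then copied into `dev_mac` with no `is_valid_ether_addr(mtbl)` check, so an all-zero or multicast address is accepted, and anything after the sixth octet is silently ignored. Since `macaddr` is one module-wide parameter, every smsc95xx adapter on the system would receive the same address, which is worth stating in the `MODULE_PARM_DESC` text.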
@@ -16,16 +16,20 @@ makedepends=('xmlto' 'docbook-xsl' 'kmod' 'git' 'inetutils' 'bc')
 options=('!strip')
 _commit=ddfddf829693c6bb739074e1b14e9e4fa1c55ea8
 source=("https://github.com/hardkernel/linux/archive/${_commit}.tar.gz"
- 'add-gcc6-support.patch'
 'rtl8812_to_v4_3_14_and_enable_rtl8821.patch.xz'
- 'kernel-CVE-2016-0728.patch'
+ '0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch'
+ '0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch'
+ '0003-Revert-media-mfc-use-shipped-firmware-paths.patch'
+ '0004-Allow-mac-address-to-be-set-in-smsc95xx.patch'
 'config_x'
 'config_x2'
 'config_u2')
 md5sums=('e4ff4cbd8bd2145ba26e085de665d806'
- '840a69592300bf7cbc3ad317e8100114'
 'c6d56cc8134dd25d97d0416ef98a3dfe'
- '6470e9783bd1c7a8feddc2d67f07afd5'
+ 'a78459b6f959991291c0cf16efd701b8'
+ 'b13dc91cba30802ee1e6cfd247c8925d'
+ '34bdc31e77b4b74348181ccbf7faaa32'
+ '3fbbb92df6a08005260e9f1aab28cf60'
 'f54b9fa32d672116c73e6e3c9585929f'
 '1211492fdd1125c68d03d0a1f8d6c498'
 '13011519e5c36655bdb5315178c5c1fe')
@@ -33,9 +37,13 @@ md5sums=('e4ff4cbd8bd2145ba26e085de665d806'
 prepare() {
 cd "${srcdir}/linux-${_commit}"
- patch -Np1 -i ${srcdir}/add-gcc6-support.patch
- patch -p1 -i ${srcdir}/rtl8812_to_v4_3_14_and_enable_rtl8821.patch
- patch -p1 -i ${srcdir}/kernel-CVE-2016-0728.patch
+ patch -p1 -i ../rtl8812_to_v4_3_14_and_enable_rtl8821.patch
+ patch -p1 -i ../0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+ patch -p1 -i ../0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
+ patch -p1 -i ../0003-Revert-media-mfc-use-shipped-firmware-paths.patch
+ patch -p1 -i ../0004-Allow-mac-address-to-be-set-in-smsc95xx.patch
+
+ cp include/linux/compiler-gcc5.h include/linux/compiler-gcc6.h
 # add pkgrel to extraversion
 sed -ri "s|^(EXTRAVERSION =)(.*)|\1 \2-${pkgrel}|" Makefile
diff --git a/core/linux-odroid/add-gcc6-support.patch b/core/linux-odroid/add-gcc6-support.patch
deleted file mode 100644
index 6612dc0bc..000000000
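Review bot: The four patch files added to `source=()` are pinned only through `md5sums`, and two of them carry security fixes (the CVE-2016-0728 keyring fix and the FOLL_COW backport), so the integrity check on these entries is what guarantees the fixes that get built are the reviewed ones. MD5 does not resist deliberate collisions; makepkg also accepts a `sha256sums=(...)` array, and switching the whole array would cover all nine sources, including the upstream tarball that is likewise verified only by MD5. The change belongs in this hunk because every checksum line for the new patches is introduced here.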
--- a/core/linux-odroid/add-gcc6-support.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- /dev/null
-+++ b/include/linux/compiler-gcc6.h
-@@ -0,0 +1,66 @@
-+#ifndef __LINUX_COMPILER_H
-+#error "Please don't include directly, include instead."
-+#endif
-+
-+#define __used __attribute__((__used__))
-+#define __must_check __attribute__((warn_unused_result))
-+#define __compiler_offsetof(a, b) __builtin_offsetof(a, b)
-+
-+/* Mark functions as cold. gcc will assume any path leading to a call
-+ to them will be unlikely. This means a lot of manual unlikely()s
-+ are unnecessary now for any paths leading to the usual suspects
-+ like BUG(), printk(), panic() etc. [but let's keep them for now for
-+ older compilers]
-+
-+ Early snapshots of gcc 4.3 don't support this and we can't detect this
-+ in the preprocessor, but we can live with this because they're unreleased.
-+ Maketime probing would be overkill here.
-+
-+ gcc also has a __attribute__((__hot__)) to move hot functions into
-+ a special section, but I don't see any sense in this right now in
-+ the kernel context */
-+#define __cold __attribute__((__cold__))
-+
-+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
-+
-+#ifndef __CHECKER__
-+# define __compiletime_warning(message) __attribute__((warning(message)))
-+# define __compiletime_error(message) __attribute__((error(message)))
-+#endif /* __CHECKER__ */
-+
-+/*
-+ * Mark a position in code as unreachable. This can be used to
-+ * suppress control flow warnings after asm blocks that transfer
-+ * control elsewhere.
-+ *
-+ * Early snapshots of gcc 4.5 don't support this and we can't detect
-+ * this in the preprocessor, but we can live with this because they're
-+ * unreleased. Really, we need to have autoconf for the kernel.
-+ */
-+#define unreachable() __builtin_unreachable()
-+
-+/* Mark a function definition as prohibited from being cloned. */
-+#define __noclone __attribute__((__noclone__))
-+
-+/*
-+ * Tell the optimizer that something else uses this function or variable.
-+ */
-+#define __visible __attribute__((externally_visible))
-+
-+/*
-+ * GCC 'asm goto' miscompiles certain code sequences:
-+ *
-+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
-+ *
-+ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
-+ * Fixed in GCC 4.8.2 and later versions.
-+ *
-+ * (asm goto is automatically volatile - the naming reflects this.)
-+ */
-+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
-+
-+#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
-+#define __HAVE_BUILTIN_BSWAP32__
-+#define __HAVE_BUILTIN_BSWAP64__
-+#define __HAVE_BUILTIN_BSWAP16__
-+#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
---
-1.9.1