LEDE v17.01.6: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

config/Config-build.in

@@ -9,15 +9,16 @@ menu "Global build settings"
 
 	config ALL_NONSHARED
 		bool "Select all target specific packages by default"
-		default ALL || BUILDBOT
+		select ALL_KMODS
+		default BUILDBOT
 
 	config ALL_KMODS
 		bool "Select all kernel module packages by default"
-		default ALL
 
 	config ALL
 		bool "Select all userspace packages by default"
-		default n
+		select ALL_KMODS
+		select ALL_NONSHARED
 
 	config BUILDBOT
 		bool "Set build defaults for automatic builds (e.g. via buildbot)"

config/Config-images.in

@@ -203,6 +203,11 @@ menu "Target Images"
 		default 38400 if TARGET_x86_generic
 		default 115200
 
+	config GRUB_FLOWCONTROL
+		bool "Use RTE/CTS on serial console"
+		depends on GRUB_SERIAL != ""
+		default n
+
 	config GRUB_BOOTOPTS
 		string "Extra kernel boot options"
 		depends on GRUB_IMAGES

config/Config-kernel.in

@@ -170,10 +170,6 @@ config KERNEL_AIO
 	bool "Compile the kernel with asynchronous IO support"
 	default n
 
-config KERNEL_DIRECT_IO
-	bool "Compile the kernel with direct IO support"
-	default n
-
 config KERNEL_FHANDLE
 	bool "Compile the kernel with support for fhandle syscalls"
 	default n

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.lede-project.org/feed/packages.git^cd5c448758f30868770b9ebf8b656c1a4211a240
-src-git luci https://git.lede-project.org/project/luci.git^d3f0685d63c1291359dc5dd089c82fa1e150e0c6
-src-git routing https://git.lede-project.org/feed/routing.git^d11075cd40a88602bf4ba2b275f72100ddcb4767
-src-git telephony https://git.lede-project.org/feed/telephony.git^ac6415e61f147a6892fd2785337aec93ddc68fa9
+src-git packages https://git.lede-project.org/feed/packages.git^40da7ecf21ffe1f3523ffa430c406e1db58ce3d4
+src-git luci https://git.lede-project.org/project/luci.git^7bf036750081787e01339c82865ad45fca6520ef
+src-git routing https://git.lede-project.org/feed/routing.git^d09478290f72c6e58833b65baf14d9173eaf98e1
+src-git telephony https://git.lede-project.org/feed/telephony.git^95498e75db5c6741cd53f8746ffc1473c72b6e5d

include/download.mk

@@ -6,8 +6,10 @@
 # See /LICENSE for more information.
 #
 
-OPENWRT_GIT = http://git.openwrt.org
-LEDE_GIT = https://git.lede-project.org
+PROJECT_GIT = https://git.openwrt.org
+
+OPENWRT_GIT = $(PROJECT_GIT)
+LEDE_GIT = $(PROJECT_GIT)
 
 ifdef PKG_SOURCE_VERSION
 PKG_VERSION ?= $(if $(PKG_SOURCE_DATE),$(PKG_SOURCE_DATE)-)$(call version_abbrev,$(PKG_SOURCE_VERSION))
@@ -103,7 +105,7 @@ hash_var = $(if $(filter-out x,$(1)),MD5SUM,HASH)
 endif
 
 define DownloadMethod/unknown
-	@echo "ERROR: No download method available"; false
+	echo "ERROR: No download method available"; false
 endef
 
 define DownloadMethod/default

include/host-build.mk

@@ -22,6 +22,7 @@ endif
 include $(INCLUDE_DIR)/host.mk
 include $(INCLUDE_DIR)/unpack.mk
 include $(INCLUDE_DIR)/depends.mk
+include $(INCLUDE_DIR)/quilt.mk
 
 BUILD_TYPES += host
 HOST_STAMP_PREPARED=$(HOST_BUILD_DIR)/.prepared$(if $(HOST_QUILT)$(DUMP),,$(shell $(call find_md5,${CURDIR} $(PKG_FILE_DEPENDS),)))
@@ -32,7 +33,6 @@ HOST_STAMP_INSTALLED:=$(HOST_BUILD_PREFIX)/stamp/.$(PKG_NAME)_installed
 
 override MAKEFLAGS=
 
-include $(INCLUDE_DIR)/quilt.mk
 include $(INCLUDE_DIR)/autotools.mk
 
 Host/Patch:=$(Host/Patch/Default)
@@ -110,7 +110,7 @@ define Host/Compile
 endef
 
 define Host/Install/Default
-	$(_SINGLE)$(MAKE) -C $(HOST_BUILD_DIR) install
+	$(call Host/Compile/Default,install)
 endef
 
 define Host/Install

include/host.mk

@@ -41,11 +41,6 @@ $(TMP_DIR)/.host.mk: $(TOPDIR)/include/host.mk
 		echo "HOST_OS:=$$HOST_OS" > $@; \
 		echo "HOST_ARCH:=$$HOST_ARCH" >> $@; \
 		echo "GNU_HOST_NAME:=$$GNU_HOST_NAME" >> $@; \
-		if gfind -L /dev/null || find -L /dev/null; then \
-			echo "FIND_L=find -L \$$(1)" >> $@; \
-		else \
-			echo "FIND_L=find \$$(1) -follow" >> $@; \
-		fi \
 	) >/dev/null 2>/dev/null
 
 endif

include/image-commands.mk

@@ -8,7 +8,7 @@ define Build/uImage
 		-O linux -T kernel \
 		-C $(1) -a $(KERNEL_LOADADDR) -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
 		-n '$(if $(UIMAGE_NAME),$(UIMAGE_NAME),$(call toupper,$(LINUX_KARCH)) LEDE Linux-$(LINUX_VERSION))' -d $@ $@.new
-	@mv $@.new $@
+	mv $@.new $@
 endef
 
 define Build/netgear-chk

include/image.mk

@@ -302,9 +302,9 @@ target-dir-%: FORCE
 		$(opkg_target) update && \
 		$(opkg_target) install \
 			$(call opkg_package_files,$(mkfs_packages_add)))
+	-$(CP) -T $(mkfs_cur_target_dir).opkg/ $(mkfs_cur_target_dir)/etc/opkg/
+	rm -rf $(mkfs_cur_target_dir).opkg $(mkfs_cur_target_dir).conf
 	$(call prepare_rootfs,$(mkfs_cur_target_dir))
-	-mv $(mkfs_cur_target_dir).opkg $(mkfs_cur_target_dir)/etc/opkg
-	rm -f $(mkfs_cur_target_dir).conf
 
 $(KDIR)/root.%: kernel_prepare
 	$(call Image/mkfs/$(word 1,$(target_params)),$(target_params))

include/kernel-build.mk

@@ -152,7 +152,7 @@ define BuildKernel
   endef
 
   download: $(if $(LINUX_SITE),$(DL_DIR)/$(LINUX_SOURCE))
-  prepare: $(STAMP_CONFIGURED)
+  prepare: $(STAMP_PREPARED)
   compile: $(LINUX_DIR)/.modules
 	$(MAKE) -C image compile TARGET_BUILD=
 

include/kernel-defaults.mk

@@ -165,7 +165,7 @@ endef
 ifneq ($(CONFIG_TARGET_ROOTFS_INITRAMFS),)
 define Kernel/CompileImage/Initramfs
 	$(call Kernel/Configure/Initramfs)
-	$(CP) $(GENERIC_PLATFORM_DIR)/base-files/init $(TARGET_DIR)/init
+	$(CP) $(GENERIC_PLATFORM_DIR)/other-files/init $(TARGET_DIR)/init
 	rm -rf $(KERNEL_BUILD_DIR)/linux-$(LINUX_VERSION)/usr/initramfs_data.cpio*
 	+$(MAKE) $(KERNEL_MAKEOPTS) $(if $(KERNELNAME),$(KERNELNAME),all) modules
 	$(call Kernel/CopyImage,-initramfs)

include/kernel-version.mk

@@ -3,10 +3,10 @@
 LINUX_RELEASE?=1
 
 LINUX_VERSION-3.18 = .43
-LINUX_VERSION-4.4 = .92
+LINUX_VERSION-4.4 = .153
 
 LINUX_KERNEL_HASH-3.18.43 = 1236e8123a6ce537d5029232560966feed054ae31776fe8481dd7d18cdd5492c
-LINUX_KERNEL_HASH-4.4.92 = 53f8cd8b024444df0f242f8e6ab5147b0b009d7a30e8b2ed3854e8d17937460d
+LINUX_KERNEL_HASH-4.4.153 = 0f2355515c22ca705600043bedc75218c68dcb8ab528f57f67851fbcb8545402
 
 ifdef KERNEL_PATCHVER
   LINUX_VERSION:=$(KERNEL_PATCHVER)$(strip $(LINUX_VERSION-$(KERNEL_PATCHVER)))

include/netfilter.mk

@@ -106,6 +106,8 @@ $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_stri
 $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_DSCP, $(P_XT)xt_dscp))
 $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_DSCP, $(P_XT)xt_DSCP))
 $(eval $(call nf_add,IPT_HASHLIMIT,CONFIG_NETFILTER_XT_MATCH_HASHLIMIT, $(P_XT)xt_hashlimit))
+$(eval $(call nf_add,IPT_RPFILTER,CONFIG_IP_NF_MATCH_RPFILTER, $(P_V4)ipt_rpfilter))
+$(eval $(call nf_add,IPT_RPFILTER,CONFIG_IP6_NF_MATCH_RPFILTER, $(P_V6)ip6t_rpfilter))
 $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_LENGTH, $(P_XT)xt_length))
 $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_statistic))
 $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss))
@@ -360,7 +362,6 @@ IPT_BUILTIN += $(IPT_NAT_EXTRA-y)
 IPT_BUILTIN += $(NF_NATHELPER-y)
 IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y)
 IPT_BUILTIN += $(IPT_ULOG-y)
-IPT_BUILTIN += $(IPT_DEBUG-y)
 IPT_BUILTIN += $(IPT_TPROXY-y)
 IPT_BUILTIN += $(NFNETLINK-y)
 IPT_BUILTIN += $(NFNETLINK_LOG-y)

include/package-defaults.mk

@@ -62,7 +62,7 @@ Build/Patch:=$(Build/Patch/Default)
 ifneq ($(strip $(PKG_UNPACK)),)
   define Build/Prepare/Default
 	$(PKG_UNPACK)
-	[ ! -d ./src/ ] || $(CP) ./src/* $(PKG_BUILD_DIR)
+	[ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
 	$(Build/Patch)
   endef
 endif
@@ -92,7 +92,6 @@ CONFIGURE_ARGS = \
 		--mandir=$(CONFIGURE_PREFIX)/man \
 		--infodir=$(CONFIGURE_PREFIX)/info \
 		$(DISABLE_NLS) \
-		$(DISABLE_LARGEFILE) \
 		$(DISABLE_IPV6)
 
 CONFIGURE_VARS = \

include/package-ipkg.mk

@@ -196,7 +196,7 @@ $(_endef)
 			fi; \
 		done; $(Package/$(1)/extra_provides) \
 	) | sort -u > $(PKG_INFO_DIR)/$(1).provides
-	$(if $(PROVIDES),@for pkg in $(PROVIDES); do cp $(PKG_INFO_DIR)/$(1).provides $(PKG_INFO_DIR)/$$$$pkg.provides; done)
+	$(if $(PROVIDES),@for pkg in $(filter-out $(1),$(PROVIDES)); do cp $(PKG_INFO_DIR)/$(1).provides $(PKG_INFO_DIR)/$$$$pkg.provides; done)
 	$(CheckDependencies)
 
 	$(RSTRIP) $$(IDIR_$(1))

include/package.mk

@@ -40,6 +40,7 @@ include $(INCLUDE_DIR)/prereq.mk
 include $(INCLUDE_DIR)/host.mk
 include $(INCLUDE_DIR)/unpack.mk
 include $(INCLUDE_DIR)/depends.mk
+include $(INCLUDE_DIR)/quilt.mk
 
 find_library_dependencies = $(wildcard $(patsubst %,$(STAGING_DIR)/pkginfo/%.version, \
 	$(filter-out $(BUILD_PACKAGES),$(foreach dep, \
@@ -89,7 +90,6 @@ endif
 
 PKG_INSTALL_STAMP:=$(PKG_INFO_DIR)/$(PKG_DIR_NAME).$(if $(BUILD_VARIANT),$(BUILD_VARIANT),default).install
 
-include $(INCLUDE_DIR)/quilt.mk
 include $(INCLUDE_DIR)/package-defaults.mk
 include $(INCLUDE_DIR)/package-dumpinfo.mk
 include $(INCLUDE_DIR)/package-ipkg.mk

include/rootfs.mk

@@ -49,8 +49,15 @@ TARGET_DIR_ORIG := $(TARGET_ROOTFS_DIR)/root.orig-$(BOARD)
 
 ifdef CONFIG_CLEAN_IPKG
   define clean_ipkg
-	-find $(1)/usr/lib/opkg -type f -and -not -name '*.control' | $(XARGS) rm -rf
+	-find $(1)/usr/lib/opkg/info -type f -and -not -name '*.control' | $(XARGS) rm -rf
 	-sed -i -ne '/^Require-User: /p' $(1)/usr/lib/opkg/info/*.control
+	awk ' \
+		BEGIN { conffiles = 0; print "Conffiles:" } \
+		/^Conffiles:/ { conffiles = 1; next } \
+		!/^ / { conffiles = 0; next } \
+		conffiles == 1 { print } \
+	' $(1)/usr/lib/opkg/status >$(1)/usr/lib/opkg/status.new
+	mv $(1)/usr/lib/opkg/status.new $(1)/usr/lib/opkg/status
 	-find $(1)/usr/lib/opkg -empty | $(XARGS) rm -rf
   endef
 endif
@@ -82,7 +89,6 @@ define prepare_rootfs
 	@-find $(1) -name '.#*' | $(XARGS) rm -f
 	rm -f $(1)/usr/lib/opkg/lists/*
 	rm -f $(1)/usr/lib/opkg/info/*.postinst*
-	rm -f $(1)/usr/lib/opkg/info/*.prerm*
 	$(call clean_ipkg,$(1))
 	$(call mklibs,$(1))
 endef

include/scan.mk

@@ -56,7 +56,7 @@ endif
 
 $(FILELIST): $(OVERRIDELIST)
 	rm -f $(TMP_DIR)/info/.files-$(SCAN_TARGET)-*
-	$(call FIND_L, $(SCAN_DIR)) $(SCAN_EXTRA) -mindepth 1 $(if $(SCAN_DEPTH),-maxdepth $(SCAN_DEPTH)) -name Makefile | xargs grep -aHE 'call $(GREP_STRING)' | sed -e 's#^$(SCAN_DIR)/##' -e 's#/Makefile:.*##' | uniq | awk -v of=$(OVERRIDELIST) -f include/scan.awk > $@
+	find -L $(SCAN_DIR) $(SCAN_EXTRA) -mindepth 1 $(if $(SCAN_DEPTH),-maxdepth $(SCAN_DEPTH)) -name Makefile | xargs grep -aHE 'call $(GREP_STRING)' | sed -e 's#^$(SCAN_DIR)/##' -e 's#/Makefile:.*##' | uniq | awk -v of=$(OVERRIDELIST) -f include/scan.awk > $@
 
 $(TMP_DIR)/info/.files-$(SCAN_TARGET).mk: $(FILELIST)
 	( \

include/target.mk

@@ -218,6 +218,11 @@ ifeq ($(DUMP),1)
     CPU_CFLAGS_arc700 = -marc700
     CPU_CFLAGS_archs = -marchs
   endif
+  ifneq ($(CPU_TYPE),)
+    ifndef CPU_CFLAGS_$(CPU_TYPE)
+      $(warning CPU_TYPE "$(CPU_TYPE)" doesn't correspond to a known type)
+    endif
+  endif
   DEFAULT_CFLAGS=$(strip $(CPU_CFLAGS) $(CPU_CFLAGS_$(CPU_TYPE)) $(CPU_CFLAGS_$(CPU_SUBTYPE)))
 
   ifneq ($(BOARD),)

include/toplevel.mk

@@ -105,7 +105,8 @@ scripts/config/conf:
 	@$(_SINGLE)$(SUBMAKE) -s -C scripts/config conf CC="$(HOSTCC_WRAPPER)"
 
 config: scripts/config/conf prepare-tmpinfo FORCE
-	$< Config.in
+	[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
+		$< Config.in
 
 config-clean: FORCE
 	$(_SINGLE)$(NO_TRACE_MAKE) -C scripts/config clean
@@ -113,7 +114,8 @@ config-clean: FORCE
 defconfig: scripts/config/conf prepare-tmpinfo FORCE
 	touch .config
 	@if [ ! -s .config -a -e $(HOME)/.openwrt/defconfig ]; then cp $(HOME)/.openwrt/defconfig .config; fi
-	$< --defconfig=.config Config.in
+	[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
+		$< --defconfig=.config Config.in
 
 confdefault-y=allyes
 confdefault-m=allmod
@@ -121,13 +123,15 @@ confdefault-n=allno
 confdefault:=$(confdefault-$(CONFDEFAULT))
 
 oldconfig: scripts/config/conf prepare-tmpinfo FORCE
-	$< --$(if $(confdefault),$(confdefault),old)config Config.in
+	[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
+		$< --$(if $(confdefault),$(confdefault),old)config Config.in
 
 menuconfig: scripts/config/mconf prepare-tmpinfo FORCE
 	if [ \! -e .config -a -e $(HOME)/.openwrt/defconfig ]; then \
 		cp $(HOME)/.openwrt/defconfig .config; \
 	fi
-	[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; $< Config.in
+	[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
+		$< Config.in
 
 prepare_kernel_conf: .config FORCE
 
@@ -183,6 +187,9 @@ prereq:: prepare-tmpinfo .config
 check: .config FORCE
 	@+$(NO_TRACE_MAKE) -r -s $@ QUIET= V=s
 
+val.%: FORCE
+	@+$(NO_TRACE_MAKE) -r -s $@ QUIET= V=s
+
 WARN_PARALLEL_ERROR = $(if $(BUILD_LOG),,$(and $(filter -j,$(MAKEFLAGS)),$(findstring s,$(OPENWRT_VERBOSE))))
 
 ifeq ($(SDK),1)

include/version.mk

@@ -31,16 +31,16 @@ qstrip_escape=$(subst ','\'',$(call qstrip,$(1)))
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip_escape,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.4)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.6)
 
 VERSION_CODE:=$(call qstrip_escape,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3560-79f57e422d)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3979-2252731af4)
 
 VERSION_NICK:=$(call qstrip_escape,$(CONFIG_VERSION_NICK))
 VERSION_NICK:=$(if $(VERSION_NICK),$(VERSION_NICK),$(RELEASE))
 
 VERSION_REPO:=$(call qstrip_escape,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.4)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.6)
 
 VERSION_DIST:=$(call qstrip_escape,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),LEDE)

package/base-files/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 include $(INCLUDE_DIR)/version.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=173.1
+PKG_RELEASE:=173.6
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
@@ -38,27 +38,28 @@ define Package/base-files
 endef
 
 define Package/base-files/conffiles
+/etc/config/
 /etc/config/network
 /etc/config/system
+/etc/crontabs/
+/etc/dropbear/
+/etc/group
 /etc/hosts
 /etc/inittab
-/etc/group
+/etc/iproute2/rt_protos
+/etc/iproute2/rt_tables
 /etc/passwd
-/etc/shadow
 /etc/profile
+/etc/profile.d
 /etc/protocols
+/etc/rc.local
 /etc/services
+/etc/shadow
 /etc/shells
 /etc/sysctl.conf
-/etc/rc.local
-/etc/sysupgrade.conf
-/etc/config/
-/etc/dropbear/
-/etc/crontabs/
-/etc/sysctl.d/local.conf
 /etc/sysctl.d/
-/etc/iproute2/rt_tables
-/etc/iproute2/rt_protos
+/etc/sysctl.d/local.conf
+/etc/sysupgrade.conf
 $(call $(TARGET)/conffiles)
 endef
 

package/base-files/files/etc/banner.failsafe

@@ -8,6 +8,8 @@ after mount_root:
 * /etc/config		    directory with config files
 
 for more help see:
-http://wiki.openwrt.org/doc/howto/generic.failsafe
+https://openwrt.org/docs/guide-user/troubleshooting/
+- failsafe_and_factory_reset
+- root_password_reset
 =======================================================
 

package/base-files/files/etc/init.d/sysctl

@@ -3,22 +3,33 @@
 
 START=11
 
-set_vm_min_free() {
-	mem="$(grep MemTotal /proc/meminfo  | awk '{print $2}')"
+apply_defaults() {
+	local mem="$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
+	local min_free frag_low_thresh frag_high_thresh
+
 	if [ "$mem" -gt 65536 ]; then # 128M
-		val=16384
+		min_free=16384
 	elif [ "$mem" -gt 32768 ]; then # 64M
-		val=8192
-	elif [ "$mem" -gt 16384 ]; then # 32M
-		val=1024
+		min_free=8192
 	else
-		return
+		min_free=1024
+		frag_low_thresh=393216
+		frag_high_thresh=524288
 	fi
-	sysctl -qw vm.min_free_kbytes="$val"
+
+	sysctl -qw vm.min_free_kbytes="$min_free"
+
+	[ "$frag_low_thresh" ] && sysctl -qw \
+		net.ipv4.ipfrag_low_thresh="$frag_low_thresh" \
+		net.ipv4.ipfrag_high_thresh="$frag_high_thresh" \
+		net.ipv6.ip6frag_low_thresh="$frag_low_thresh" \
+		net.ipv6.ip6frag_high_thresh="$frag_high_thresh" \
+		net.netfilter.nf_conntrack_frag6_low_thresh="$frag_low_thresh" \
+		net.netfilter.nf_conntrack_frag6_high_thresh="$frag_high_thresh"
 }
 
 start() {
-	set_vm_min_free
+	apply_defaults
 	for CONF in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
 		[ -f "$CONF" ] && sysctl -p "$CONF" -e >&-
 	done

package/base-files/files/etc/profile

@@ -1,6 +1,9 @@
 #!/bin/sh
+[ -e /tmp/.failsafe ] && export FAILSAFE=1
+
 [ -f /etc/banner ] && cat /etc/banner
-[ -e /tmp/.failsafe ] && cat /etc/banner.failsafe
+[ -n "$FAILSAFE" ] && cat /etc/banner.failsafe
+
 fgrep -sq '/ overlay ro,' /proc/mounts && {
 	echo 'Your JFFS2-partition seems full and overlayfs is mounted read-only.'
 	echo 'Please try to remove files from /overlay/upper/... and reboot!'

package/base-files/files/etc/rc.button/reset

@@ -20,7 +20,7 @@ released)
 		echo "REBOOT" > /dev/console
 		sync
 		reboot
-	elif [ "$SEEN" -gt 5 -a -n "$OVERLAY" ]
+	elif [ "$SEEN" -ge 5 -a -n "$OVERLAY" ]
 	then
 		echo "FACTORY RESET" > /dev/console
 		jffs2reset -y && reboot &

package/base-files/files/etc/rc.common

@@ -17,7 +17,7 @@ stop() {
 }
 
 reload() {
-	return 1
+	restart
 }
 
 restart() {
@@ -68,7 +68,7 @@ Available commands:
 	start	Start the service
 	stop	Stop the service
 	restart	Restart the service
-	reload	Reload configuration files (or restart if that fails)
+	reload	Reload configuration files (or restart if service does not implement reload)
 	enable	Enable service autostart
 	disable	Disable service autostart
 $EXTRA_HELP
@@ -141,5 +141,4 @@ ${INIT_TRACE:+set -x}
 
 ALL_COMMANDS="start stop reload restart boot shutdown enable disable enabled depends ${EXTRA_COMMANDS}"
 list_contains ALL_COMMANDS "$action" || action=help
-[ "$action" = "reload" ] && action='eval reload "$@" || restart "$@" && :'
 $action "$@"

package/base-files/files/etc/services

@@ -76,6 +76,8 @@ afpovertcp	548/tcp
 afpovertcp	548/udp
 nntps		563/tcp		snntp
 nntps		563/udp		snntp
+submission	587/tcp
+submission	587/udp
 ldaps		636/tcp
 ldaps		636/udp
 tinc		655/tcp

package/base-files/files/lib/functions.sh

@@ -158,7 +158,7 @@ insert_modules() {
 		if [ -f /etc/modules.d/$m ]; then
 			sed 's/^[^#]/insmod &/' /etc/modules.d/$m | ash 2>&- || :
 		else
-			modprobe $m
+			modprobe $m || :
 		fi
 	done
 }
@@ -240,7 +240,7 @@ default_postinst() {
 		[ -d /tmp/.uci ] || mkdir -p /tmp/.uci
 		for i in $(sed -ne 's!^/etc/uci-defaults/!!p' "/usr/lib/opkg/info/${pkgname}.list"); do (
 			cd /etc/uci-defaults
-			[ -f "$i" ] && . "$i" && rm -f "$i"
+			[ -f "$i" ] && . ./"$i" && rm -f "$i"
 		) done
 		uci commit
 	fi
@@ -353,4 +353,8 @@ user_exists() {
 	grep -qs "^${1}:" ${IPKG_INSTROOT}/etc/passwd
 }
 
+board_name() {
+	[ -e /tmp/sysinfo/board_name ] && cat /tmp/sysinfo/board_name || echo "generic"
+}
+
 [ -z "$IPKG_INSTROOT" -a -f /lib/config/uci.sh ] && . /lib/config/uci.sh

package/base-files/files/lib/preinit/10_indicate_preinit

@@ -43,7 +43,10 @@ preinit_config_switch() {
 			json_select ..
 
 			if [ "$device" = "$lan_if" ]; then
-				swconfig dev $name set reset $reset
+				if [ "$reset" -eq "1" ]; then
+					swconfig dev $name set reset
+				fi
+
 				swconfig dev $name set enable_vlan $enable
 				swconfig dev $name vlan $role set ports "$ports"
 				swconfig dev $name set apply
@@ -144,11 +147,6 @@ preinit_net_echo() {
 	}
 }
 
-preinit_echo() {
-	preinit_net_echo $1
-	echo $1
-}
-
 pi_indicate_preinit() {
 	set_state preinit
 }

package/base-files/files/lib/upgrade/common.sh

@@ -208,7 +208,7 @@ get_magic_long() {
 }
 
 export_bootdevice() {
-	local cmdline uuid disk uevent
+	local cmdline uuid disk uevent line
 	local MAJOR MINOR DEVNAME DEVTYPE
 
 	if read cmdline < /proc/cmdline; then
@@ -241,8 +241,9 @@ export_bootdevice() {
 		esac
 
 		if [ -e "$uevent" ]; then
-			. "$uevent"
-
+			while read line; do
+				export -n "$line"
+			done < "$uevent"
 			export BOOTDEV_MAJOR=$MAJOR
 			export BOOTDEV_MINOR=$MINOR
 			return 0
@@ -254,10 +255,12 @@ export_bootdevice() {
 
 export_partdevice() {
 	local var="$1" offset="$2"
-	local uevent MAJOR MINOR DEVNAME DEVTYPE
+	local uevent line MAJOR MINOR DEVNAME DEVTYPE
 
 	for uevent in /sys/class/block/*/uevent; do
-		. "$uevent"
+		while read line; do
+			export -n "$line"
+		done < "$uevent"
 		if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
 			export "$var=$DEVNAME"
 			return 0
@@ -267,6 +270,14 @@ export_partdevice() {
 	return 1
 }
 
+hex_le32_to_cpu() {
+	[ "$(echo 01 | hexdump -v -n 2 -e '/2 "%x"')" == "3031" ] && {
+		echo "${1:0:2}${1:8:2}${1:6:2}${1:4:2}${1:2:2}"
+		return
+	}
+	echo "$@"
+}
+
 get_partitions() { # <device> <filename>
 	local disk="$1"
 	local filename="$2"
@@ -274,8 +285,8 @@ get_partitions() { # <device> <filename>
 	if [ -b "$disk" -o -f "$disk" ]; then
 		v "Reading partition table from $filename..."
 
-		local magic="$(hexdump -v -n 2 -s 0x1FE -e '1/2 "0x%04X"' "$disk")"
-		if [ "$magic" != 0xAA55 ]; then
+		local magic=$(dd if="$disk" bs=2 count=1 skip=255 2>/dev/null)
+		if [ "$magic" != $'\x55\xAA' ]; then
 			v "Invalid partition table on $disk"
 			exit
 		fi
@@ -286,9 +297,9 @@ get_partitions() { # <device> <filename>
 		for part in 1 2 3 4; do
 			set -- $(hexdump -v -n 12 -s "$((0x1B2 + $part * 16))" -e '3/4 "0x%08X "' "$disk")
 
-			local type="$(($1 % 256))"
-			local lba="$(($2))"
-			local num="$(($3))"
+			local type="$(( $(hex_le32_to_cpu $1) % 256))"
+			local lba="$(( $(hex_le32_to_cpu $2) ))"
+			local num="$(( $(hex_le32_to_cpu $3) ))"
 
 			[ $type -gt 0 ] || continue
 

package/base-files/files/sbin/sysupgrade

@@ -101,12 +101,31 @@ EOF
 # prevent messages from clobbering the tarball when using stdout
 [ "$CONF_BACKUP" = "-" ] && export VERBOSE=0
 
+
+list_conffiles() {
+	awk '
+		BEGIN { conffiles = 0 }
+		/^Conffiles:/ { conffiles = 1; next }
+		!/^ / { conffiles = 0; next }
+		conffiles == 1 { print }
+	' /usr/lib/opkg/status
+}
+
+list_changed_conffiles() {
+	# Cannot handle spaces in filenames - but opkg cannot either...
+	list_conffiles | while read file csum; do
+		[ -r "$file" ] || continue
+
+		echo "${csum}  ${file}" | sha256sum -sc - || echo "$file"
+	done
+}
+
 add_uci_conffiles() {
 	local file="$1"
 	( find $(sed -ne '/^[[:space:]]*$/d; /^#/d; p' \
 		/etc/sysupgrade.conf /lib/upgrade/keep.d/* 2>/dev/null) \
 		-type f -o -type l 2>/dev/null;
-	  opkg list-changed-conffiles ) | sort -u > "$file"
+	  list_changed_conffiles ) | sort -u > "$file"
 	return 0
 }
 

package/base-files/files/usr/libexec/login.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
 
-[ "$(uci get system.@system[0].ttylogin)" == 1 ] || exec /bin/ash --login
+[ "$(uci -q get system.@system[0].ttylogin)" == 1 ] || exec /bin/ash --login
 
 exec /bin/login

package/base-files/image-config.in

@@ -190,7 +190,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.lede-project.org/releases/17.01.4"
+		default "http://downloads.lede-project.org/releases/17.01.6"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/grub2/Makefile

@@ -9,15 +9,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=grub
-PKG_VERSION:=2.02~rc1
-PKG_RELEASE:=1
+PKG_VERSION:=2.02
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://alpha.gnu.org/gnu/grub \
-	http://gnualpha.uib.no/grub/ \
-	http://mirrors.fe.up.pt/pub/gnu-alpha/grub/ \
-	http://www.nic.funet.fi/pub/gnu/alpha/gnu/grub/
-PKG_HASH:=445239e9b96d1143c194c1d37851cf4196b83701c60172e49665e9d453d80278
+PKG_SOURCE_URL:=@GNU/grub
+PKG_HASH:=810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f
 
 PKG_FIXUP:=autoreconf
 HOST_BUILD_PARALLEL:=1

package/boot/grub2/patches/300-CVE-2015-8370.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Fri, 13 Nov 2015 16:21:09 +0100
+Subject: [PATCH] Fix security issue when reading username and password
+
+  This patch fixes two integer underflows at:
+    * grub-core/lib/crypto.c
+    * grub-core/normal/auth.c
+
+Resolves: CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+---
+ grub-core/lib/crypto.c  | 2 +-
+ grub-core/normal/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    cur_len--;
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    {

package/boot/kexec-tools/patches/120-fail-to-get-symbol-debug.patch

@@ -0,0 +1,33 @@
+commit 263e45ccf27b21e9862cc538ed28978533d04e4b
+Author: Baoquan He <bhe@redhat.com>
+Date:   Fri Mar 3 11:52:15 2017 +0800
+
+    Only print debug message when failed to serach for kernel symbol from /proc/kallsyms
+    
+    Kernel symbol page_offset_base could be unavailable when mm KASLR code is
+    not compiled in kernel. It's inappropriate to print out error message
+    when failed to search for page_offset_base from /proc/kallsyms. Seems now
+    there is not a way to find out if mm KASLR is compiled in or not. An
+    alternative approach is only printing out debug message in get_kernel_sym
+    if failed to search a expected kernel symbol.
+    
+    Do it in this patch, a simple fix.
+    
+    Signed-off-by: Baoquan He <bhe@redhat.com>
+    Reviewed-by: Pratyush Anand <panand@redhat.com>
+    Acked-by: Dave Young <dyoung@redhat.com>
+    Signed-off-by: Simon Horman <horms@verge.net.au>
+
+diff --git a/kexec/arch/i386/crashdump-x86.c b/kexec/arch/i386/crashdump-x86.c
+index 88aeee3..c4cf201 100644
+--- a/kexec/arch/i386/crashdump-x86.c
++++ b/kexec/arch/i386/crashdump-x86.c
+@@ -127,7 +127,7 @@ static unsigned long long get_kernel_sym(const char *symbol)
+ 		}
+ 	}
+ 
+-	fprintf(stderr, "Cannot get kernel %s symbol address\n", symbol);
++	dbgprintf("Cannot get kernel %s symbol address\n", symbol);
+ 	return 0;
+ }
+ 

package/boot/kexec-tools/patches/130-dont-use-percentL.patch

@@ -0,0 +1,178 @@
+commit f14881e87b1426d2c439e2fad9a1e03a3b35e196
+Author: Philip Prindeville <philipp@redfish-solutions.com>
+Date:   Fri Mar 10 19:57:11 2017 -0700
+
+    Don't use %L width specifier with integer values
+    
+    MUSL doesn't support %L except for floating-point arguments; therefore,
+    %ll must be used instead with integer arguments.
+    
+    Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
+
+diff --git a/kexec/arch/arm/kexec-arm.c b/kexec/arch/arm/kexec-arm.c
+index 2194b7c..49f35b1 100644
+--- a/kexec/arch/arm/kexec-arm.c
++++ b/kexec/arch/arm/kexec-arm.c
+@@ -47,7 +47,7 @@ int get_memory_ranges(struct memory_range **range, int *ranges,
+ 		int count;
+ 		if (memory_ranges >= MAX_MEMORY_RANGES)
+ 			break;
+-		count = sscanf(line, "%Lx-%Lx : %n",
++		count = sscanf(line, "%llx-%llx : %n",
+ 			&start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+diff --git a/kexec/arch/i386/crashdump-x86.c b/kexec/arch/i386/crashdump-x86.c
+index c4cf201..285dea9 100644
+--- a/kexec/arch/i386/crashdump-x86.c
++++ b/kexec/arch/i386/crashdump-x86.c
+@@ -119,7 +119,7 @@ static unsigned long long get_kernel_sym(const char *symbol)
+ 	}
+ 
+ 	while(fgets(line, sizeof(line), fp) != NULL) {
+-		if (sscanf(line, "%Lx %c %s", &vaddr, &type, sym) != 3)
++		if (sscanf(line, "%llx %c %s", &vaddr, &type, sym) != 3)
+ 			continue;
+ 		if (strcmp(sym, symbol) == 0) {
+ 			dbgprintf("kernel symbol %s vaddr = %16llx\n", symbol, vaddr);
+@@ -296,12 +296,12 @@ static int get_crash_memory_ranges(struct memory_range **range, int *ranges,
+ 
+ 		if (memory_ranges >= CRASH_MAX_MEMORY_RANGES)
+ 			break;
+-		count = sscanf(line, "%Lx-%Lx : %n",
++		count = sscanf(line, "%llx-%llx : %n",
+ 			&start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+ 		str = line + consumed;
+-		dbgprintf("%016Lx-%016Lx : %s",
++		dbgprintf("%016llx-%016llx : %s",
+ 			start, end, str);
+ 		/* Only Dumping memory of type System RAM. */
+ 		if (memcmp(str, "System RAM\n", 11) == 0) {
+@@ -778,7 +778,7 @@ static int get_crash_notes(int cpu, uint64_t *addr, uint64_t *len)
+ 		*addr = x86__pa(vaddr + (cpu * MAX_NOTE_BYTES));
+ 		*len = MAX_NOTE_BYTES;
+ 
+-		dbgprintf("crash_notes addr = %Lx\n",
++		dbgprintf("crash_notes addr = %llx\n",
+ 			  (unsigned long long)*addr);
+ 
+ 		fclose(fp);
+diff --git a/kexec/arch/i386/kexec-x86-common.c b/kexec/arch/i386/kexec-x86-common.c
+index 3e97239..be03618 100644
+--- a/kexec/arch/i386/kexec-x86-common.c
++++ b/kexec/arch/i386/kexec-x86-common.c
+@@ -81,7 +81,7 @@ static int get_memory_ranges_proc_iomem(struct memory_range **range, int *ranges
+ 		int count;
+ 		if (memory_ranges >= MAX_MEMORY_RANGES)
+ 			break;
+-		count = sscanf(line, "%Lx-%Lx : %n",
++		count = sscanf(line, "%llx-%llx : %n",
+ 			&start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+diff --git a/kexec/arch/ia64/kexec-elf-rel-ia64.c b/kexec/arch/ia64/kexec-elf-rel-ia64.c
+index 7f7c08c..500f247 100644
+--- a/kexec/arch/ia64/kexec-elf-rel-ia64.c
++++ b/kexec/arch/ia64/kexec-elf-rel-ia64.c
+@@ -155,6 +155,6 @@ void machine_apply_elf_rel(struct mem_ehdr *ehdr,
+ 	}
+ 	return;
+ overflow:
+-	die("overflow in relocation type %lu val %Lx\n", 
++	die("overflow in relocation type %lu val %llx\n",
+ 			r_type, value);
+ }
+diff --git a/kexec/arch/mips/crashdump-mips.c b/kexec/arch/mips/crashdump-mips.c
+index 9c33599..6308ec8 100644
+--- a/kexec/arch/mips/crashdump-mips.c
++++ b/kexec/arch/mips/crashdump-mips.c
+@@ -173,7 +173,7 @@ static int get_crash_memory_ranges(struct memory_range **range, int *ranges)
+ 		int type, consumed, count;
+ 		if (memory_ranges >= CRASH_MAX_MEMORY_RANGES)
+ 			break;
+-		count = sscanf(line, "%Lx-%Lx : %n",
++		count = sscanf(line, "%llx-%llx : %n",
+ 			&start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+diff --git a/kexec/arch/mips/kexec-mips.c b/kexec/arch/mips/kexec-mips.c
+index ee3cd3a..2e5b700 100644
+--- a/kexec/arch/mips/kexec-mips.c
++++ b/kexec/arch/mips/kexec-mips.c
+@@ -48,7 +48,7 @@ int get_memory_ranges(struct memory_range **range, int *ranges,
+ 	while (fgets(line, sizeof(line), fp) != 0) {
+ 		if (memory_ranges >= MAX_MEMORY_RANGES)
+ 			break;
+-		count = sscanf(line, "%Lx-%Lx : %n", &start, &end, &consumed);
++		count = sscanf(line, "%llx-%llx : %n", &start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+ 		str = line + consumed;
+diff --git a/kexec/arch/s390/kexec-s390.c b/kexec/arch/s390/kexec-s390.c
+index f863483..33ba6b9 100644
+--- a/kexec/arch/s390/kexec-s390.c
++++ b/kexec/arch/s390/kexec-s390.c
+@@ -170,7 +170,7 @@ int get_memory_ranges_s390(struct memory_range memory_range[], int *ranges,
+ 		if (current_range == MAX_MEMORY_RANGES)
+ 			break;
+ 
+-		sscanf(line,"%Lx-%Lx : %n", &start, &end, &cons);
++		sscanf(line,"%llx-%llx : %n", &start, &end, &cons);
+ 		str = line+cons;
+ 		if ((memcmp(str, sys_ram, strlen(sys_ram)) == 0) ||
+ 		    ((memcmp(str, crash_kernel, strlen(crash_kernel)) == 0) &&
+diff --git a/kexec/crashdump.c b/kexec/crashdump.c
+index 15c1105..0b363c5 100644
+--- a/kexec/crashdump.c
++++ b/kexec/crashdump.c
+@@ -98,7 +98,7 @@ int get_crash_notes_per_cpu(int cpu, uint64_t *addr, uint64_t *len)
+ 	}
+ 	if (!fgets(line, sizeof(line), fp))
+ 		die("Cannot parse %s: %s\n", crash_notes, strerror(errno));
+-	count = sscanf(line, "%Lx", &temp);
++	count = sscanf(line, "%llx", &temp);
+ 	if (count != 1)
+ 		die("Cannot parse %s: %s\n", crash_notes, strerror(errno));
+ 	*addr = (uint64_t) temp;
+@@ -112,7 +112,7 @@ int get_crash_notes_per_cpu(int cpu, uint64_t *addr, uint64_t *len)
+ 		if (!fgets(line, sizeof(line), fp))
+ 			die("Cannot parse %s: %s\n",
+ 			    crash_notes_size, strerror(errno));
+-		count = sscanf(line, "%Lu", &temp);
++		count = sscanf(line, "%llu", &temp);
+ 		if (count != 1)
+ 			die("Cannot parse %s: %s\n",
+ 			    crash_notes_size, strerror(errno));
+@@ -120,7 +120,7 @@ int get_crash_notes_per_cpu(int cpu, uint64_t *addr, uint64_t *len)
+ 		fclose(fp);
+ 	}
+ 
+-	dbgprintf("%s: crash_notes addr = %Lx, size = %Lu\n", __FUNCTION__,
++	dbgprintf("%s: crash_notes addr = %llx, size = %llu\n", __FUNCTION__,
+ 		  (unsigned long long)*addr, (unsigned long long)*len);
+ 
+ 	return 0;
+@@ -141,7 +141,7 @@ static int get_vmcoreinfo(const char *kdump_info, uint64_t *addr, uint64_t *len)
+ 
+ 	if (!fgets(line, sizeof(line), fp))
+ 		die("Cannot parse %s: %s\n", kdump_info, strerror(errno));
+-	count = sscanf(line, "%Lx %Lx", &temp, &temp2);
++	count = sscanf(line, "%llx %llx", &temp, &temp2);
+ 	if (count != 2)
+ 		die("Cannot parse %s: %s\n", kdump_info, strerror(errno));
+ 
+diff --git a/kexec/kexec-iomem.c b/kexec/kexec-iomem.c
+index 485a2e8..7ec3853 100644
+--- a/kexec/kexec-iomem.c
++++ b/kexec/kexec-iomem.c
+@@ -44,7 +44,7 @@ int kexec_iomem_for_each_line(char *match,
+ 		die("Cannot open %s\n", iomem);
+ 
+ 	while(fgets(line, sizeof(line), fp) != 0) {
+-		count = sscanf(line, "%Lx-%Lx : %n", &start, &end, &consumed);
++		count = sscanf(line, "%llx-%llx : %n", &start, &end, &consumed);
+ 		if (count != 2)
+ 			continue;
+ 		str = line + consumed;

package/boot/uboot-envtools/files/lantiq

@@ -7,11 +7,10 @@
 
 touch /etc/config/ubootenv
 
-. /lib/functions/lantiq.sh
 . /lib/uboot-envtools.sh
 . /lib/functions.sh
 
-board=$(lantiq_board_name)
+board=$(board_name)
 
 case "$board" in
 BTHOMEHUBV2B)

package/devel/gdb/Makefile

@@ -60,13 +60,6 @@ CONFIGURE_ARGS+= \
 CONFIGURE_VARS+= \
 	ac_cv_search_tgetent="$(TARGET_LDFLAGS) -lncurses -lreadline"
 
-define Build/Compile
-	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		CPPFLAGS="$(TARGET_CPPFLAGS)" \
-		all
-endef
-
 define Build/Install
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		DESTDIR="$(PKG_INSTALL_DIR)" \

package/devel/perf/Makefile

@@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/perf
   SECTION:=devel
   CATEGORY:=Development
-  DEPENDS:= +libelf1 +libdw +libpthread +librt +objdump @!LINUX_3_18 @!IN_SDK
+  DEPENDS:= +libelf1 +libdw +(mips||mipsel||powerpc||i386||x86_64||arm):libunwind +libpthread +librt +objdump @!LINUX_3_18 @!IN_SDK
   TITLE:=Linux performance monitoring tool
   VERSION:=$(LINUX_VERSION)-$(PKG_RELEASE)
   URL:=http://www.kernel.org

package/devel/strace/Makefile

@@ -10,9 +10,9 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=strace
 
-PKG_VERSION:=4.15
+PKG_VERSION:=4.16
 PKG_RELEASE:=1
-PKG_HASH:=c0cdc094d6141fd9dbf6aaad605142d651ae10998b660fda57fc61f7ad583ca9
+PKG_HASH:=98487cb5178ec1259986cc9f6e2a844f50e5d1208c112cc22431a1e4d9adf0ef
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)

package/devel/strace/patches/100-workaround--pt-reg-collisions-ppc.patch

@@ -1,6 +1,6 @@
 --- a/ptrace.h
 +++ b/ptrace.h
-@@ -55,7 +55,14 @@ extern long ptrace(int, int, char *, lon
+@@ -48,7 +48,14 @@
  # define ptrace_peeksiginfo_args XXX_ptrace_peeksiginfo_args
  #endif
  

package/devel/trace-cmd/Makefile

@@ -1,15 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=trace-cmd
-PKG_VERSION:=v2.6
+PKG_VERSION:=v2.6.1
 PKG_RELEASE=1
 
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=\
-		https://kernel.googlesource.com/pub/scm/linux/kernel/git/rostedt/trace-cmd \
-		https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/trace-cmd.git
-PKG_SOURCE_VERSION:=9be5d74805830a291615f2f34a27c903f6a37b1e
-PKG_MIRROR_HASH:=735b69f61a8c627037dcc01361cdb8415e5ab0ec892fbd731236c444003b0c71
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/trace-cmd.git/snapshot/
+PKG_HASH:=4eb79001778a77c0ada10265e7f4b5515a3e21a46f0a15c2e8cc614efdf3f5df
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_LICENSE:=GPL-2.0

package/devel/valgrind/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=valgrind
-PKG_VERSION:=3.12.0
+PKG_VERSION:=3.13.0
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://valgrind.org/downloads/
-PKG_HASH:=67ca4395b2527247780f36148b084f5743a68ab0c850cb43e4a5b4b012cf76a1
+PKG_SOURCE_URL:=http://sourceware.org/pub/valgrind/
+PKG_HASH:=d76680ef03f00cd5e970bbdcd4e57fb1f6df7d2e2c071635ef2be74790190c3b
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-2.0+

package/devel/valgrind/patches/100-fix_configure_check.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -328,7 +328,7 @@ case "${host_os}" in
+@@ -323,7 +323,7 @@ case "${host_os}" in
          # Ok, this is linux. Check the kernel version
          AC_MSG_CHECKING([for the kernel version])
  

package/devel/valgrind/patches/200-musl_fix.patch

@@ -1,45 +0,0 @@
---- a/coregrind/vg_preloaded.c
-+++ b/coregrind/vg_preloaded.c
-@@ -57,7 +57,7 @@
- void VG_NOTIFY_ON_LOAD(freeres)(Vg_FreeresToRun to_run);
- void VG_NOTIFY_ON_LOAD(freeres)(Vg_FreeresToRun to_run)
- {
--#  if !defined(__UCLIBC__) \
-+#  if !defined(__UCLIBC__) && defined(__GLIBC__) \
-       && !defined(VGPV_arm_linux_android) \
-       && !defined(VGPV_x86_linux_android) \
-       && !defined(VGPV_mips32_linux_android) \
---- a/include/pub_tool_redir.h
-+++ b/include/pub_tool_redir.h
-@@ -243,7 +243,7 @@
- /* --- Soname of the standard C library. --- */
- 
- #if defined(VGO_linux) || defined(VGO_solaris)
--#  define  VG_Z_LIBC_SONAME  libcZdsoZa              // libc.so*
-+#  define  VG_Z_LIBC_SONAME  libcZdZa                // libc.*
- 
- #elif defined(VGO_darwin) && (DARWIN_VERS <= DARWIN_10_6)
- #  define  VG_Z_LIBC_SONAME  libSystemZdZaZddylib    // libSystem.*.dylib
-@@ -275,7 +275,11 @@
- /* --- Soname of the pthreads library. --- */
- 
- #if defined(VGO_linux)
-+# if defined(__GLIBC__) || defined(__UCLIBC__)
- #  define  VG_Z_LIBPTHREAD_SONAME  libpthreadZdsoZd0     // libpthread.so.0
-+# else
-+#  define  VG_Z_LIBPTHREAD_SONAME  libcZdZa              // libc.*
-+# endif
- #elif defined(VGO_darwin)
- #  define  VG_Z_LIBPTHREAD_SONAME  libSystemZdZaZddylib  // libSystem.*.dylib
- #elif defined(VGO_solaris)
---- a/configure.ac
-+++ b/configure.ac
-@@ -1047,8 +1047,6 @@ case "${GLIBC_VERSION}" in
- 	;;
-      2.0|2.1|*)
- 	AC_MSG_RESULT([unsupported version ${GLIBC_VERSION}])
--	AC_MSG_ERROR([Valgrind requires glibc version 2.2 or later,])
--	AC_MSG_ERROR([Darwin libc, Bionic libc or Solaris libc])
- 	;;
- esac
- 

package/firmware/amd64-microcode/Makefile

@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2018 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=amd64-microcode
+PKG_VERSION:=20180524
+PKG_RELEASE:=1
+
+PKG_SOURCE:=amd64-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
+PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/a/amd64-microcode/
+PKG_HASH:=7c389c357c242e7161f6872bf4e12011a71e4c0683f06fb1bcfad650a78bf0a9
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
+
+PKG_LICENSE_FILE:=LICENSE.amd-ucode
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/amd64-microcode
+  SECTION:=firmware
+  CATEGORY:=Firmware
+  URL:=$(PKG_SOURCE_URL)
+  DEPENDS:=@TARGET_x86
+  TITLE:=AMD64 CPU microcode
+endef
+
+define Build/Prepare
+	rm -rf $(PKG_BUILD_DIR)
+	mkdir -p $(PKG_BUILD_DIR)
+	$(TAR) -C $(BUILD_DIR) -xJf $(DL_DIR)/$(PKG_SOURCE)
+endef
+
+define Build/Compile
+endef
+
+define Package/amd64-microcode/install
+	$(INSTALL_DIR) $(1)/lib/firmware/amd-ucode
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/*.bin $(1)/lib/firmware/amd-ucode
+endef
+
+$(eval $(call BuildPackage,amd64-microcode))

package/firmware/intel-microcode/Makefile

@@ -0,0 +1,49 @@
+#
+# Copyright (C) 2018 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=intel-microcode
+PKG_VERSION:=20180703
+PKG_RELEASE:=2
+
+PKG_SOURCE:=intel-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
+PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/i/intel-microcode/
+PKG_HASH:=26dfaa47100ce3d06f968edefa7539da10de7b96d5d8e26ee8174a040ee5cdae
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
+
+PKG_BUILD_DEPENDS:=iucode-tool/host
+
+ifdef CONFIG_TARGET_x86_64
+	MICROCODE:="intel-microcode-64"
+else
+	MICROCODE:="intel-microcode"
+endif
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/intel-microcode
+  SECTION:=firmware
+  CATEGORY:=Firmware
+  URL:=$(PKG_SOURCE_URL)
+  DEPENDS:=@TARGET_x86 +iucode-tool
+  TITLE:=Intel x86 CPU microcode
+endef
+
+define Build/Compile
+	IUCODE_TOOL=$(STAGING_DIR)/../host/bin/iucode_tool $(MAKE) -C $(PKG_BUILD_DIR)
+	mkdir $(PKG_BUILD_DIR)/intel-ucode-ipkg
+	$(STAGING_DIR)/../host/bin/iucode_tool -q \
+		--write-firmware=$(PKG_BUILD_DIR)/intel-ucode-ipkg $(PKG_BUILD_DIR)/$(MICROCODE).bin
+endef
+
+define Package/intel-microcode/install
+	$(INSTALL_DIR) $(1)/lib/firmware/intel-ucode
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/intel-ucode-ipkg/* $(1)/lib/firmware/intel-ucode
+endef
+
+$(eval $(call BuildPackage,intel-microcode))

package/kernel/kmod-sched-cake/Makefile

@@ -13,10 +13,10 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/dtaht/sch_cake.git
-PKG_SOURCE_DATE:=2017-01-28
-PKG_SOURCE_VERSION:=9789742cfc596d48583ba4cdbc8f38d026121fa6
-PKG_MIRROR_HASH:=2a5afc45722c28ca8778eb50452eb305306e7898b32d7d6d73d3e77edf3cce99
-PKG_MAINTAINER:=Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+PKG_SOURCE_DATE:=2018-07-16
+PKG_SOURCE_VERSION:=f39ab9a402ad51d7c17d4cde18ca15b2b7022030
+PKG_MIRROR_HASH:=fc22fc6eb7a24f4595c2777f33758ebcf9a2a404c16d00aa37ae389cd7f9c78f
+PKG_MAINTAINER:=Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/linux/modules/netfilter.mk

@@ -446,10 +446,9 @@ $(eval $(call KernelPackage,ipt-nfqueue))
 define KernelPackage/ipt-debug
   TITLE:=Module for debugging/development
   KCONFIG:=$(KCONFIG_IPT_DEBUG)
-  DEFAULT:=n
   FILES:=$(foreach mod,$(IPT_DEBUG-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_DEBUG-m)))
-  $(call AddDepends/ipt)
+  $(call AddDepends/ipt,+kmod-ipt-raw +IPV6:kmod-ipt-raw6)
 endef
 
 define KernelPackage/ipt-debug/description
@@ -836,6 +835,24 @@ endef
 
 $(eval $(call KernelPackage,ipt-hashlimit))
 
+define KernelPackage/ipt-rpfilter
+  SUBMENU:=$(NF_MENU)
+  TITLE:=Netfilter rpfilter match
+  DEPENDS:=+kmod-ipt-core
+  KCONFIG:=$(KCONFIG_IPT_RPFILTER)
+  FILES:=$(realpath \
+	$(LINUX_DIR)/net/ipv4/netfilter/ipt_rpfilter.ko \
+	$(LINUX_DIR)/net/ipv6/netfilter/ip6t_rpfilter.ko)
+  AUTOLOAD:=$(call AutoProbe,ipt_rpfilter ip6t_rpfilter)
+  $(call KernelPackage/ipt)
+endef
+
+define KernelPackage/ipt-rpfilter/description
+ Kernel modules support for the Netfilter rpfilter match
+endef
+
+$(eval $(call KernelPackage,ipt-rpfilter))
+
 
 define KernelPackage/nft-core
   SUBMENU:=$(NF_MENU)

package/kernel/linux/modules/other.mk

@@ -469,7 +469,8 @@ $(eval $(call KernelPackage,bcma))
 define KernelPackage/rtc-ds1307
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Dallas/Maxim DS1307 (and compatible) RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_DS1307 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-ds1307.ko
@@ -487,7 +488,8 @@ $(eval $(call KernelPackage,rtc-ds1307))
 define KernelPackage/rtc-ds1374
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Dallas/Maxim DS1374 RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_DS1374 \
 	CONFIG_RTC_DRV_DS1374_WDT=n \
 	CONFIG_RTC_CLASS=y
@@ -505,7 +507,8 @@ $(eval $(call KernelPackage,rtc-ds1374))
 define KernelPackage/rtc-ds1672
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Dallas/Maxim DS1672 RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_DS1672 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-ds1672.ko
@@ -522,7 +525,8 @@ $(eval $(call KernelPackage,rtc-ds1672))
 define KernelPackage/rtc-isl1208
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Intersil ISL1208 RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_ISL1208 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-isl1208.ko
@@ -539,7 +543,8 @@ $(eval $(call KernelPackage,rtc-isl1208))
 define KernelPackage/rtc-pcf8563
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Philips PCF8563/Epson RTC8564 RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_PCF8563 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-pcf8563.ko
@@ -557,7 +562,7 @@ $(eval $(call KernelPackage,rtc-pcf8563))
 define KernelPackage/rtc-pcf2123
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Philips PCF2123 RTC support
-  DEPENDS:=@RTC_SUPPORT
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
   KCONFIG:=CONFIG_RTC_DRV_PCF2123 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-pcf2123.ko
@@ -573,7 +578,8 @@ $(eval $(call KernelPackage,rtc-pcf2123))
 define KernelPackage/rtc-pt7c4338
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Pericom PT7C4338 RTC support
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_PT7C4338 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-pt7c4338.ko
@@ -589,7 +595,8 @@ $(eval $(call KernelPackage,rtc-pt7c4338))
 define KernelPackage/rtc-rs5c372a
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Ricoh R2025S/D, RS5C372A/B, RV5C386, RV5C387A
-  DEPENDS:=@RTC_SUPPORT +kmod-i2c-core
+  DEFAULT:=m if ALL_KMODS && RTC_SUPPORT
+  DEPENDS:=+kmod-i2c-core
   KCONFIG:=CONFIG_RTC_DRV_RS5C372 \
 	CONFIG_RTC_CLASS=y
   FILES:=$(LINUX_DIR)/drivers/rtc/rtc-rs5c372.ko

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=3
+PKG_RELEASE:=14
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317

package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh

@@ -411,6 +411,34 @@ mac80211_check_ap() {
 	has_ap=1
 }
 
+mac80211_iw_interface_add() {
+	local phy="$1"
+	local ifname="$2"
+	local type="$3"
+	local wdsflag="$4"
+	local rc
+
+	iw phy "$phy" interface add "$ifname" type "$type" $wdsflag
+	rc="$?"
+
+	[ "$rc" = 233 ] && {
+		# Device might have just been deleted, give the kernel some time to finish cleaning it up
+		sleep 1
+
+		iw phy "$phy" interface add "$ifname" type "$type" $wdsflag
+		rc="$?"
+	}
+
+	[ "$rc" = 233 ] && {
+		# Device might not support virtual interfaces, so the interface never got deleted in the first place.
+		# Check if the interface already exists, and avoid failing in this case.
+		ip link show dev "$ifname" >/dev/null 2>/dev/null && rc=0
+	}
+
+	[ "$rc" != 0 ] && wireless_setup_failed INTERFACE_CREATION_FAILED
+	return $rc
+}
+
 mac80211_prepare_vif() {
 	json_select config
 
@@ -437,7 +465,7 @@ mac80211_prepare_vif() {
 	# It is far easier to delete and create the desired interface
 	case "$mode" in
 		adhoc)
-			iw phy "$phy" interface add "$ifname" type adhoc
+			mac80211_iw_interface_add "$phy" "$ifname" adhoc || return
 		;;
 		ap)
 			# Hostapd will handle recreating the interface and
@@ -451,21 +479,21 @@ mac80211_prepare_vif() {
 			mac80211_hostapd_setup_bss "$phy" "$ifname" "$macaddr" "$type" || return
 
 			[ -n "$hostapd_ctrl" ] || {
-				iw phy "$phy" interface add "$ifname" type __ap
+				mac80211_iw_interface_add "$phy" "$ifname" __ap || return
 				hostapd_ctrl="${hostapd_ctrl:-/var/run/hostapd/$ifname}"
 			}
 		;;
 		mesh)
-			iw phy "$phy" interface add "$ifname" type mp
+			mac80211_iw_interface_add "$phy" "$ifname" mp || return
 		;;
 		monitor)
-			iw phy "$phy" interface add "$ifname" type monitor
+			mac80211_iw_interface_add "$phy" "$ifname" monitor || return
 		;;
 		sta)
 			local wdsflag=
 			staidx="$(($staidx + 1))"
 			[ "$wds" -gt 0 ] && wdsflag="4addr on"
-			iw phy "$phy" interface add "$ifname" type managed $wdsflag
+			mac80211_iw_interface_add "$phy" "$ifname" managed "$wdsflag" || return
 			[ "$powersave" -gt 0 ] && powersave="on" || powersave="off"
 			iw "$ifname" set power_save "$powersave"
 		;;
@@ -494,6 +522,12 @@ mac80211_setup_supplicant() {
 	wpa_supplicant_run "$ifname" ${hostapd_ctrl:+-H $hostapd_ctrl}
 }
 
+mac80211_setup_supplicant_noctl() {
+	wpa_supplicant_prepare_interface "$ifname" nl80211 || return 1
+	wpa_supplicant_add_network "$ifname"
+	wpa_supplicant_run "$ifname"
+}
+
 mac80211_setup_adhoc_htmode() {
 	case "$htmode" in
 		VHT20|HT20) ibss_htmode=HT20;;
@@ -603,7 +637,7 @@ mac80211_setup_vif() {
 					authsae_start_interface || failed=1
 				else
 					wireless_vif_parse_encryption
-					mac80211_setup_supplicant || failed=1
+					mac80211_setup_supplicant_noctl || failed=1
 				fi
 			else
 				json_get_vars mesh_id mcast_rate
@@ -660,7 +694,7 @@ mac80211_setup_vif() {
 			wireless_vif_parse_encryption
 			mac80211_setup_adhoc_htmode
 			if [ "$wpa" -gt 0 -o "$auto_channel" -gt 0 ]; then
-				mac80211_setup_supplicant || failed=1
+				mac80211_setup_supplicant_noctl || failed=1
 			else
 				mac80211_setup_adhoc
 			fi

package/kernel/mac80211/patches/090-Revert-rt2800-use-TXOP_BACKOFF-for-probe-frames.patch

@@ -0,0 +1,45 @@
+From 52a192362932f333a7ebafd581c4d9b81da2fec8 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon, 28 May 2018 13:25:06 +0200
+Subject: [PATCH] Revert "rt2800: use TXOP_BACKOFF for probe frames"
+
+This reverts commit fb47ada8dc3c30c8e7b415da155742b49536c61e.
+
+In some situations when we set TXOP_BACKOFF, the probe frame is
+not sent at all. What it worse then sending probe frame as part
+of AMPDU and can degrade 11n performance to 11g rates.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+index a6884e73d2ab..7ddee980048b 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+@@ -372,16 +372,15 @@ static void rt2x00queue_create_tx_descriptor_ht(struct rt2x00_dev *rt2x00dev,
+ 
+ 	/*
+ 	 * Determine IFS values
+-	 * - Use TXOP_BACKOFF for probe and management frames except beacons
++	 * - Use TXOP_BACKOFF for management frames except beacons
+ 	 * - Use TXOP_SIFS for fragment bursts
+ 	 * - Use TXOP_HTTXOP for everything else
+ 	 *
+ 	 * Note: rt2800 devices won't use CTS protection (if used)
+ 	 * for frames not transmitted with TXOP_HTTXOP
+ 	 */
+-	if ((ieee80211_is_mgmt(hdr->frame_control) &&
+-	     !ieee80211_is_beacon(hdr->frame_control)) ||
+-	    (tx_info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE))
++	if (ieee80211_is_mgmt(hdr->frame_control) &&
++	    !ieee80211_is_beacon(hdr->frame_control))
+ 		txdesc->u.ht.txop = TXOP_BACKOFF;
+ 	else if (!(tx_info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT))
+ 		txdesc->u.ht.txop = TXOP_SIFS;
+-- 
+2.17.1
+

package/kernel/mac80211/patches/318-v4.11-0007-brcmfmac-use-local-iftype-avoiding-use-after-free-of.patch

@@ -0,0 +1,61 @@
+From d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 09:11:30 +0100
+Subject: [PATCH] brcmfmac: use local iftype avoiding use-after-free of virtual
+ interface
+
+A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual
+interface is removed using call to brcmf_remove_interface(). After that
+the virtual interface instance has been freed and should not be referenced.
+Solve this by storing the nl80211 iftype in local variable, which is used
+in a couple of places anyway.
+
+Cc: stable@vger.kernel.org # 4.10.x, 4.9.x
+Reported-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -2240,14 +2240,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 	struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
+ 	struct brcmf_p2p_info *p2p = &cfg->p2p;
+ 	struct brcmf_cfg80211_vif *vif;
++	enum nl80211_iftype iftype;
+ 	bool wait_for_disable = false;
+ 	int err;
+ 
+ 	brcmf_dbg(TRACE, "delete P2P vif\n");
+ 	vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
+ 
++	iftype = vif->wdev.iftype;
+ 	brcmf_cfg80211_arm_vif_event(cfg, vif);
+-	switch (vif->wdev.iftype) {
++	switch (iftype) {
+ 	case NL80211_IFTYPE_P2P_CLIENT:
+ 		if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state))
+ 			wait_for_disable = true;
+@@ -2277,7 +2279,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 					    BRCMF_P2P_DISABLE_TIMEOUT);
+ 
+ 	err = 0;
+-	if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) {
++	if (iftype != NL80211_IFTYPE_P2P_DEVICE) {
+ 		brcmf_vif_clear_mgmt_ies(vif);
+ 		err = brcmf_p2p_release_p2p_if(vif);
+ 	}
+@@ -2293,7 +2295,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 	brcmf_remove_interface(vif->ifp, true);
+ 
+ 	brcmf_cfg80211_arm_vif_event(cfg, NULL);
+-	if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
++	if (iftype != NL80211_IFTYPE_P2P_DEVICE)
+ 		p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
+ 
+ 	return err;

package/kernel/mac80211/patches/319-v4.12-0001-brcmfmac-always-print-error-when-PSM-s-watchdog-fire.patch

@@ -0,0 +1,148 @@
+From f1ac3aa212af6dd0a36dc07a63f95f91be6f4935 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 24 Feb 2017 17:32:46 +0100
+Subject: [PATCH] brcmfmac: always print error when PSM's watchdog fires
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far we were attaching BRCMF_E_PSM_WATCHDOG event listener in
+brcmf_debug_attach which gets compiled only with CONFIG_BRCMDBG. This
+event means something went wrong and firmware / hardware usually can't
+be expected to work (reliably).
+
+Such a problem is significant for user experience so I believe we should
+print an error unconditionally (even with debugging disabled). What can
+be indeed optional is dumping bus memory as this is clearly part of
+debugging process.
+
+In the future we may also try to extend this listener by trying to
+recover from the error or at least signal it to the cfg80211.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 22 ++++++++++++++++++
+ .../wireless/broadcom/brcm80211/brcmfmac/debug.c   | 26 +++-------------------
+ .../wireless/broadcom/brcm80211/brcmfmac/debug.h   |  9 ++++++++
+ 3 files changed, 34 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -748,6 +748,24 @@ void brcmf_remove_interface(struct brcmf
+ 	brcmf_del_if(ifp->drvr, ifp->bsscfgidx, rtnl_locked);
+ }
+ 
++static int brcmf_psm_watchdog_notify(struct brcmf_if *ifp,
++				     const struct brcmf_event_msg *evtmsg,
++				     void *data)
++{
++	int err;
++
++	brcmf_dbg(TRACE, "enter: bsscfgidx=%d\n", ifp->bsscfgidx);
++
++	brcmf_err("PSM's watchdog has fired!\n");
++
++	err = brcmf_debug_create_memdump(ifp->drvr->bus_if, data,
++					 evtmsg->datalen);
++	if (err)
++		brcmf_err("Failed to get memory dump, %d\n", err);
++
++	return err;
++}
++
+ #ifdef CONFIG_INET
+ #define ARPOL_MAX_ENTRIES	8
+ static int brcmf_inetaddr_changed(struct notifier_block *nb,
+@@ -927,6 +945,10 @@ int brcmf_attach(struct device *dev, str
+ 		goto fail;
+ 	}
+ 
++	/* Attach to events important for core code */
++	brcmf_fweh_register(drvr, BRCMF_E_PSM_WATCHDOG,
++			    brcmf_psm_watchdog_notify);
++
+ 	/* attach firmware event handler */
+ 	brcmf_fweh_attach(drvr);
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
+@@ -27,8 +27,8 @@
+ 
+ static struct dentry *root_folder;
+ 
+-static int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
+-				      size_t len)
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len)
+ {
+ 	void *dump;
+ 	size_t ramsize;
+@@ -54,24 +54,6 @@ static int brcmf_debug_create_memdump(st
+ 	return 0;
+ }
+ 
+-static int brcmf_debug_psm_watchdog_notify(struct brcmf_if *ifp,
+-					   const struct brcmf_event_msg *evtmsg,
+-					   void *data)
+-{
+-	int err;
+-
+-	brcmf_dbg(TRACE, "enter: bsscfgidx=%d\n", ifp->bsscfgidx);
+-
+-	brcmf_err("PSM's watchdog has fired!\n");
+-
+-	err = brcmf_debug_create_memdump(ifp->drvr->bus_if, data,
+-					 evtmsg->datalen);
+-	if (err)
+-		brcmf_err("Failed to get memory dump, %d\n", err);
+-
+-	return err;
+-}
+-
+ void brcmf_debugfs_init(void)
+ {
+ 	root_folder = debugfs_create_dir(KBUILD_MODNAME, NULL);
+@@ -99,9 +81,7 @@ int brcmf_debug_attach(struct brcmf_pub
+ 	if (IS_ERR(drvr->dbgfs_dir))
+ 		return PTR_ERR(drvr->dbgfs_dir);
+ 
+-
+-	return brcmf_fweh_register(drvr, BRCMF_E_PSM_WATCHDOG,
+-				   brcmf_debug_psm_watchdog_notify);
++	return 0;
+ }
+ 
+ void brcmf_debug_detach(struct brcmf_pub *drvr)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -99,6 +99,7 @@ do {									\
+ 
+ extern int brcmf_msg_level;
+ 
++struct brcmf_bus;
+ struct brcmf_pub;
+ #ifdef DEBUG
+ void brcmf_debugfs_init(void);
+@@ -108,6 +109,8 @@ void brcmf_debug_detach(struct brcmf_pub
+ struct dentry *brcmf_debugfs_get_devdir(struct brcmf_pub *drvr);
+ int brcmf_debugfs_add_entry(struct brcmf_pub *drvr, const char *fn,
+ 			    int (*read_fn)(struct seq_file *seq, void *data));
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len);
+ #else
+ static inline void brcmf_debugfs_init(void)
+ {
+@@ -128,6 +131,12 @@ int brcmf_debugfs_add_entry(struct brcmf
+ {
+ 	return 0;
+ }
++static inline
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len)
++{
++	return 0;
++}
+ #endif
+ 
+ #endif /* BRCMFMAC_DEBUG_H */

package/kernel/mac80211/patches/319-v4.12-0002-brcmfmac-Do-not-print-the-firmware-version-as-an-err.patch

@@ -0,0 +1,56 @@
+From d79fe4cb70d8deab7b8dc1de547ed4b915574414 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:15 +0100
+Subject: [PATCH] brcmfmac: Do not print the firmware version as an error
+
+Using pr_err for things which are not errors is a bad idea. E.g. it
+will cause the plymouth bootsplash screen to drop back to the text
+console so that the user can see the error, which is not what we
+normally want to happen.
+
+Instead add a new brcmf_info macro and use that.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 2 +-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h  | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -161,7 +161,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	strsep(&ptr, "\n");
+ 
+ 	/* Print fw version info */
+-	brcmf_err("Firmware version = %s\n", buf);
++	brcmf_info("Firmware version = %s\n", buf);
+ 
+ 	/* locate firmware version number for ethtool */
+ 	ptr = strrchr(buf, ' ') + 1;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -59,6 +59,10 @@ void __brcmf_err(const char *func, const
+ 	} while (0)
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
++
++/* For debug/tracing purposes treat info messages as errors */
++#define brcmf_info brcmf_err
++
+ __printf(3, 4)
+ void __brcmf_dbg(u32 level, const char *func, const char *fmt, ...);
+ #define brcmf_dbg(level, fmt, ...)				\
+@@ -77,6 +81,11 @@ do {								\
+ 
+ #else /* defined(DEBUG) || defined(CPTCFG_BRCM_TRACING) */
+ 
++#define brcmf_info(fmt, ...)						\
++	do {								\
++		pr_info("%s: " fmt, __func__, ##__VA_ARGS__);		\
++	} while (0)
++
+ #define brcmf_dbg(level, fmt, ...) no_printk(fmt, ##__VA_ARGS__)
+ 
+ #define BRCMF_DATA_ON()		0

package/kernel/mac80211/patches/319-v4.12-0003-brcmfmac-Do-not-complain-about-country-code-00.patch

@@ -0,0 +1,28 @@
+From 26e537884a8ef451f5c60f6949b1615069931ffa Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:16 +0100
+Subject: [PATCH] brcmfmac: Do not complain about country code "00"
+
+The country code gets set to "00" by default at boot, ignore this
+rather then logging an error about it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6736,6 +6736,10 @@ static void brcmf_cfg80211_reg_notifier(
+ 	s32 err;
+ 	int i;
+ 
++	/* The country code gets set to "00" by default at boot, ignore */
++	if (req->alpha2[0] == '0' && req->alpha2[1] == '0')
++		return;
++
+ 	/* ignore non-ISO3166 country codes */
+ 	for (i = 0; i < sizeof(req->alpha2); i++)
+ 		if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {

package/kernel/mac80211/patches/319-v4.12-0004-brcmfmac-Handle-status-BRCMF_E_STATUS_ABORT-in-cfg80.patch

@@ -0,0 +1,35 @@
+From b9472a2e3e452c414634b3ccb1ef6c4098878686 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:17 +0100
+Subject: [PATCH] brcmfmac: Handle status == BRCMF_E_STATUS_ABORT in
+ cfg80211_escan_handler
+
+If a scan gets aborted BRCMF_SCAN_STATUS_BUSY gets cleared in
+cfg->scan_status and when we receive an abort event from the firmware
+the BRCMF_SCAN_STATUS_BUSY check in the cfg80211_escan_handler will
+trigger resulting in multiple errors getting logged.
+
+Check for a status of BRCMF_E_STATUS_ABORT and in this case simply
+cleanly exit the cfg80211_escan_handler. This also avoids a
+BRCMF_E_STATUS_ABORT event arriving after a new scan has been started
+causing the new scan to complete prematurely without any data.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3097,6 +3097,9 @@ brcmf_cfg80211_escan_handler(struct brcm
+ 
+ 	status = e->status;
+ 
++	if (status == BRCMF_E_STATUS_ABORT)
++		goto exit;
++
+ 	if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) {
+ 		brcmf_err("scan not ready, bsscfgidx=%d\n", ifp->bsscfgidx);
+ 		return -EPERM;

package/kernel/mac80211/patches/319-v4.12-0005-brcmfmac-restore-bus-state-when-enter_D3-fails.patch

@@ -0,0 +1,29 @@
+From 49fe9b59f0e9b750f173fbe44637c436ba1030d2 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 11:43:27 +0100
+Subject: [PATCH] brcmfmac: restore bus state when enter_D3 fails
+
+In brcmf_pcie_suspend() we inform the firmware on the device that
+it will enter in D3 state. Before this is done we already bring down
+the bus state. However, When entering D3 fails we abort the suspend
+and the bus state need to be restored.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1877,6 +1877,7 @@ static int brcmf_pcie_pm_enter_D3(struct
+ 			   BRCMF_PCIE_MBDATA_TIMEOUT);
+ 	if (!devinfo->mbdata_completed) {
+ 		brcmf_err("Timeout on response for entering D3 substate\n");
++		brcmf_bus_change_state(bus, BRCMF_BUS_UP);
+ 		return -EIO;
+ 	}
+ 

package/kernel/mac80211/patches/319-v4.12-0006-brcmfmac-properly-align-buffers-on-certain-platforms.patch

@@ -0,0 +1,36 @@
+From 6e84ab604bdedaa16239bd1c6e5fcb5660309f02 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 5 Apr 2017 20:33:26 +0200
+Subject: [PATCH] brcmfmac: properly align buffers on certain platforms with 64
+ bit DMA
+
+Systems with 64 bit DMA at least partially require buffers to be used
+for DMA to be 8-byte-aligned. One example is Amlogic Meson GX.
+Switching the MMC/SDIO driver for this platform to SG DMA mode
+resulted in problems due to unaligned buffers.
+
+Fortunately the brcmfmac driver has a global define for the alignment.
+Changing it to 8 fixed the issues with Meson GX.
+
+Suggested-by: Helmut Klein <hgkr.klein@gmail.com>
+Tested-by: Helmut Klein <hgkr.klein@gmail.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -539,7 +539,11 @@ static int qcount[NUMPRIO];
+ /* Limit on rounding up frames */
+ static const uint max_roundup = 512;
+ 
++#ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
++#define ALIGNMENT  8
++#else
+ #define ALIGNMENT  4
++#endif
+ 
+ enum brcmf_sdio_frmtype {
+ 	BRCMF_SDIO_FT_NORMAL,

package/kernel/mac80211/patches/319-v4.12-0007-brcmfmac-add-length-checks-in-scheduled-scan-result-.patch

@@ -0,0 +1,61 @@
+From 4835f37e3bafc138f8bfa3cbed2920dd56fed283 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:40 +0100
+Subject: [PATCH] brcmfmac: add length checks in scheduled scan result handler
+
+Assure the event data buffer is long enough to hold the array
+of netinfo items and that SSID length does not exceed the maximum
+of 32 characters as per 802.11 spec.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct b
+ 	struct brcmf_pno_scanresults_le *pfn_result;
+ 	u32 result_count;
+ 	u32 status;
++	u32 datalen;
+ 
+ 	brcmf_dbg(SCAN, "Enter\n");
+ 
+@@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct b
+ 		brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
+ 		goto out_err;
+ 	}
++
++	netinfo_start = brcmf_get_netinfo_array(pfn_result);
++	datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
++	if (datalen < result_count * sizeof(*netinfo)) {
++		brcmf_err("insufficient event data\n");
++		goto out_err;
++	}
++
+ 	request = brcmf_alloc_internal_escan_request(wiphy,
+ 						     result_count);
+ 	if (!request) {
+@@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct b
+ 		goto out_err;
+ 	}
+ 
+-	netinfo_start = brcmf_get_netinfo_array(pfn_result);
+-
+ 	for (i = 0; i < result_count; i++) {
+ 		netinfo = &netinfo_start[i];
+ 		if (!netinfo) {
+@@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct b
+ 			goto out_err;
+ 		}
+ 
++		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
++			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
+ 		brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
+ 			  netinfo->SSID, netinfo->channel);
+ 		err = brcmf_internal_escan_add_info(request,

package/kernel/mac80211/patches/319-v4.12-0008-brcmfmac-remove-bogus-check-in-scheduled-scan-result.patch

@@ -0,0 +1,32 @@
+From 6594e1e8343645fe849a2ad42fcab94e2cf5b2c0 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:41 +0100
+Subject: [PATCH] brcmfmac: remove bogus check in scheduled scan result handler
+
+Checking whether the address of an array element is null is bogus
+so removing it.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3344,12 +3344,6 @@ brcmf_notify_sched_scan_results(struct b
+ 
+ 	for (i = 0; i < result_count; i++) {
+ 		netinfo = &netinfo_start[i];
+-		if (!netinfo) {
+-			brcmf_err("Invalid netinfo ptr. index: %d\n",
+-				  i);
+-			err = -EINVAL;
+-			goto out_err;
+-		}
+ 
+ 		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+ 			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;

package/kernel/mac80211/patches/319-v4.12-0009-brcmfmac-only-add-channels-and-ssids-once-in-scan-re.patch

@@ -0,0 +1,56 @@
+From 6ea51fc708aedcf411f355de65a704ecda501bc4 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:42 +0100
+Subject: [PATCH] brcmfmac: only add channels and ssids once in scan request
+
+When receiving pno results there may be duplicate channels and/or
+ssids. Assure each is added only once when preparing the internal
+escan request.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c  | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3216,7 +3216,7 @@ static int brcmf_internal_escan_add_info
+ {
+ 	struct ieee80211_channel *chan;
+ 	enum nl80211_band band;
+-	int freq;
++	int freq, i;
+ 
+ 	if (channel <= CH_MAX_2G_CHANNEL)
+ 		band = NL80211_BAND_2GHZ;
+@@ -3231,10 +3231,22 @@ static int brcmf_internal_escan_add_info
+ 	if (!chan)
+ 		return -EINVAL;
+ 
+-	req->channels[req->n_channels++] = chan;
+-	memcpy(req->ssids[req->n_ssids].ssid, ssid, ssid_len);
+-	req->ssids[req->n_ssids++].ssid_len = ssid_len;
+-
++	for (i = 0; i < req->n_channels; i++) {
++		if (req->channels[i] == chan)
++			break;
++	}
++	if (i == req->n_channels)
++		req->channels[req->n_channels++] = chan;
++
++	for (i = 0; i < req->n_ssids; i++) {
++		if (req->ssids[i].ssid_len == ssid_len &&
++		    !memcmp(req->ssids[i].ssid, ssid, ssid_len))
++			break;
++	}
++	if (i == req->n_ssids) {
++		memcpy(req->ssids[req->n_ssids].ssid, ssid, ssid_len);
++		req->ssids[req->n_ssids++].ssid_len = ssid_len;
++	}
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/319-v4.12-0010-brcmfmac-Ensure-pointer-correctly-set-if-skb-data-lo.patch

@@ -0,0 +1,39 @@
+From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Mon, 24 Apr 2017 12:40:50 +0100
+Subject: [PATCH] brcmfmac: Ensure pointer correctly set if skb data location
+ changes
+
+The incoming skb header may be resized if header space is
+insufficient, which might change the data adddress in the skb.
+Ensure that a cached pointer to that data is correctly set by
+moving assignment to after any possible changes.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 	int ret;
+ 	struct brcmf_if *ifp = netdev_priv(ndev);
+ 	struct brcmf_pub *drvr = ifp->drvr;
+-	struct ethhdr *eh = (struct ethhdr *)(skb->data);
++	struct ethhdr *eh;
+ 
+ 	brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+ 
+@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
++	eh = (struct ethhdr *)(skb->data);
++
+ 	if (eh->h_proto == htons(ETH_P_PAE))
+ 		atomic_inc(&ifp->pend_8021x_cnt);
+ 

package/kernel/mac80211/patches/319-v4.12-0011-brcmfmac-Make-skb-header-writable-before-use.patch

@@ -0,0 +1,48 @@
+From 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Tue, 25 Apr 2017 10:15:06 +0100
+Subject: [PATCH] brcmfmac: Make skb header writable before use
+
+The driver was making changes to the skb_header without
+ensuring it was writable (i.e. uncloned).
+This patch also removes some boiler plate header size
+checking/adjustment code as that is also handled by the
+skb_cow_header function used to make header writable.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c   | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -211,22 +211,13 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
+-	/* Make sure there's enough room for any header */
+-	if (skb_headroom(skb) < drvr->hdrlen) {
+-		struct sk_buff *skb2;
+-
+-		brcmf_dbg(INFO, "%s: insufficient headroom\n",
++	/* Make sure there's enough writable headroom*/
++	ret = skb_cow_head(skb, drvr->hdrlen);
++	if (ret < 0) {
++		brcmf_err("%s: skb_cow_head failed\n",
+ 			  brcmf_ifname(ifp));
+-		drvr->bus_if->tx_realloc++;
+-		skb2 = skb_realloc_headroom(skb, drvr->hdrlen);
+ 		dev_kfree_skb(skb);
+-		skb = skb2;
+-		if (skb == NULL) {
+-			brcmf_err("%s: skb_realloc_headroom failed\n",
+-				  brcmf_ifname(ifp));
+-			ret = -ENOMEM;
+-			goto done;
+-		}
++		goto done;
+ 	}
+ 
+ 	/* validate length for ether packet */

package/kernel/mac80211/patches/319-v4.12-0012-brcmfmac-fix-alignment-configuration-on-host-using-6.patch

@@ -0,0 +1,40 @@
+From 1dbf647f31751a4e94fa0435c34f0f5ad5ce0adc Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 26 May 2017 13:02:55 +0200
+Subject: [PATCH] brcmfmac: fix alignment configuration on host using 64-bit
+ DMA
+
+For SDIO the alignment requirement for transfers from device to host
+is configured in firmware. This configuration is limited to minimum
+of 4-byte alignment. However, this is not correct for platforms using
+64-bit DMA when the minimum alignment should be 8 bytes. This issue
+appeared when the ALIGNMENT definition was set according the DMA
+configuration. The configuration in firmware was not using that macro
+defintion, but a hardcoded value of 4. Hence the driver reported
+alignment failures for data coming from the device and causing
+transfers to fail.
+
+Fixes: 6e84ab604bde ("brcmfmac: properly align buffers on certain platforms
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3420,7 +3420,7 @@ static int brcmf_sdio_bus_preinit(struct
+ 		/* otherwise, set txglomalign */
+ 		value = sdiodev->settings->bus.sdio.sd_sgentry_align;
+ 		/* SDIO ADMA requires at least 32 bit alignment */
+-		value = max_t(u32, value, 4);
++		value = max_t(u32, value, ALIGNMENT);
+ 		err = brcmf_iovar_data_set(dev, "bus:txglomalign", &value,
+ 					   sizeof(u32));
+ 	}

package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch

@@ -0,0 +1,34 @@
+From 9029679f66d976f8c720eb03c4898274803c9923 Mon Sep 17 00:00:00 2001
+From: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+Date: Thu, 18 May 2017 17:22:19 +0800
+Subject: [PATCH] brcmfmac: remove setting IBSS mode when stopping AP
+
+Upon stopping an AP interface the driver disable INFRA mode effectively
+setting the interface in IBSS mode. However, this may affect other
+interfaces running in INFRA mode. For instance, if user creates and stops
+hostap daemon on virtual interface, then association cannot work on
+primary interface because default BSS has been set to IBSS mode in
+firmware side. The IBSS mode should be set when cfg80211 changes the
+interface.
+
+Reviewed-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+[kvalo@codeaurora.org: rephased commit log based on discussion]
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4676,9 +4676,6 @@ static int brcmf_cfg80211_stop_ap(struct
+ 		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0);
+ 		if (err < 0)
+ 			brcmf_err("setting AP mode failed %d\n", err);
+-		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0);
+-		if (err < 0)
+-			brcmf_err("setting INFRA mode failed %d\n", err);
+ 		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
+ 			brcmf_fil_iovar_int_set(ifp, "mbss", 0);
+ 		brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,

package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

@@ -0,0 +1,53 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Cc: stable@vger.kernel.org # 4.9.x-
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -705,7 +705,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+ 			   struct sk_buff_head *pktq, uint totlen)
+ {
+-	struct sk_buff *glom_skb;
++	struct sk_buff *glom_skb = NULL;
+ 	struct sk_buff *skb;
+ 	u32 addr = sdiodev->sbwad;
+ 	int err = 0;
+@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 			return -ENOMEM;
+ 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ 					 glom_skb);
+-		if (err) {
+-			brcmu_pkt_buf_free_skb(glom_skb);
++		if (err)
+ 			goto done;
+-		}
+ 
+ 		skb_queue_walk(pktq, skb) {
+ 			memcpy(skb->data, glom_skb->data, skb->len);
+@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 					    pktq);
+ 
+ done:
++	brcmu_pkt_buf_free_skb(glom_skb);
+ 	return err;
+ }
+ 

package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch

@@ -0,0 +1,45 @@
+From 1278bd149839f2281db45a910082ba143546a148 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 16 Jun 2017 15:14:49 +0200
+Subject: [PATCH] brcmfmac: Use separate firmware for revision 0 of the
+ brcm43430 chip
+
+The brcm43430 chip needs different firmware files for chip revision 0
+and 1. The file currently in linux-firmware is for revision 1 only.
+
+This commit makes brcmfmac request brcmfmac43430a0-sdio.bin instead
+of brcmfmac43430-sdio.bin for revision 0 chips.
+
+Note that the behavior for revision 1 chips is not changed, ideally those
+would load brcmfmac43430a1-sdio.bin, but that will break existing setups.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -611,7 +611,9 @@ BRCMF_FW_NVRAM_DEF(43340, "brcmfmac43340
+ BRCMF_FW_NVRAM_DEF(4335, "brcmfmac4335-sdio.bin", "brcmfmac4335-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43362, "brcmfmac43362-sdio.bin", "brcmfmac43362-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4339, "brcmfmac4339-sdio.bin", "brcmfmac4339-sdio.txt");
+-BRCMF_FW_NVRAM_DEF(43430, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
++BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac43430a0-sdio.bin", "brcmfmac43430a0-sdio.txt");
++/* Note the names are not postfixed with a1 for backward compatibility */
++BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
+@@ -629,7 +631,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4335_CHIP_ID, 0xFFFFFFFF, 4335),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43362_CHIP_ID, 0xFFFFFFFE, 43362),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+-	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFF, 43430),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)

package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch

@@ -0,0 +1,46 @@
+From 3f426c96895556bb49adfa52f3aeafdedb2d02e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Tue, 13 Jun 2017 18:02:03 +0200
+Subject: [PATCH] brcmfmac: initialize oob irq data before request_irq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes spin-forever in irq handler when IRQ is already asserted
+at request_irq() time.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -107,12 +107,14 @@ int brcmf_sdiod_intr_register(struct brc
+ 	int ret = 0;
+ 	u8 data;
+ 	u32 addr, gpiocontrol;
+-	unsigned long flags;
+ 
+ 	pdata = &sdiodev->settings->bus.sdio;
+ 	if (pdata->oob_irq_supported) {
+ 		brcmf_dbg(SDIO, "Enter, register OOB IRQ %d\n",
+ 			  pdata->oob_irq_nr);
++		spin_lock_init(&sdiodev->irq_en_lock);
++		sdiodev->irq_en = true;
++
+ 		ret = request_irq(pdata->oob_irq_nr, brcmf_sdiod_oob_irqhandler,
+ 				  pdata->oob_irq_flags, "brcmf_oob_intr",
+ 				  &sdiodev->func[1]->dev);
+@@ -121,10 +123,6 @@ int brcmf_sdiod_intr_register(struct brc
+ 			return ret;
+ 		}
+ 		sdiodev->oob_irq_requested = true;
+-		spin_lock_init(&sdiodev->irq_en_lock);
+-		spin_lock_irqsave(&sdiodev->irq_en_lock, flags);
+-		sdiodev->irq_en = true;
+-		spin_unlock_irqrestore(&sdiodev->irq_en_lock, flags);
+ 
+ 		ret = enable_irq_wake(pdata->oob_irq_nr);
+ 		if (ret != 0) {

package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch

@@ -0,0 +1,36 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: [PATCH] brcmfmac: Fix a memory leak in error handling path in
+ 'brcmf_cfg80211_attach'
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Cc: stable@vger.kernel.org
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6842,7 +6842,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ 	wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+ 	if (!wiphy) {
+ 		brcmf_err("Could not allocate wiphy device\n");
+-		return NULL;
++		goto ops_out;
+ 	}
+ 	memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+ 	set_wiphy_dev(wiphy, busdev);
+@@ -6985,6 +6985,7 @@ priv_out:
+ 	ifp->vif = NULL;
+ wiphy_out:
+ 	brcmf_free_wiphy(wiphy);
++ops_out:
+ 	kfree(ops);
+ 	return NULL;
+ }

package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch

@@ -0,0 +1,41 @@
+From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: [PATCH] brcmfmac: fix possible buffer overflow in
+ brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+	       le16_to_cpu(action_frame->len));
+
+Cc: stable@vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4850,6 +4850,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+ 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ 					GFP_KERNEL);
+ 	} else if (ieee80211_is_action(mgmt->frame_control)) {
++		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++			brcmf_err("invalid action frame length\n");
++			err = -EINVAL;
++			goto exit;
++		}
+ 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ 		if (af_params == NULL) {
+ 			brcmf_err("unable to allocate frame\n");

package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch

@@ -0,0 +1,139 @@
+From 0ec9eb90feec4933637fbde9d5bfbc3b62aea218 Mon Sep 17 00:00:00 2001
+From: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:58 +0800
+Subject: [PATCH] brcmfmac: Add support for CYW4373 SDIO/USB chipset
+
+Add support for CYW4373 SDIO/USB chipset.
+CYW4373 is a 1x1 dual-band 11ac chipset with 20/40/80Mhz channel support.
+It's a WiFi/BT combo device.
+
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c     | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c       | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c       | 4 +++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c        | 9 ++++++++-
+ drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 3 +++
+ include/linux/mmc/sdio_ids.h                                  | 1 +
+ 6 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1104,6 +1104,7 @@ static const struct sdio_device_id brcmf
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43455),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4354),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4356),
++	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_CYPRESS_4373),
+ 	{ /* end: all zeroes */ }
+ };
+ MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -690,6 +690,8 @@ static u32 brcmf_chip_tcm_rambase(struct
+ 	case BRCM_CC_4365_CHIP_ID:
+ 	case BRCM_CC_4366_CHIP_ID:
+ 		return 0x200000;
++	case CY_CC_4373_CHIP_ID:
++		return 0x160000;
+ 	default:
+ 		brcmf_err("unknown chip: %s\n", ci->pub.name);
+ 		break;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -617,6 +617,7 @@ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac434
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
++BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt");
+ 
+ static struct brcmf_firmware_mapping brcmf_sdio_fwnames[] = {
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+-	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
++	BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ 
+ static void pkt_align(struct sk_buff *p, int len, int align)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -49,6 +49,7 @@ BRCMF_FW_DEF(43143, "brcmfmac43143.bin")
+ BRCMF_FW_DEF(43236B, "brcmfmac43236b.bin");
+ BRCMF_FW_DEF(43242A, "brcmfmac43242a.bin");
+ BRCMF_FW_DEF(43569, "brcmfmac43569.bin");
++BRCMF_FW_DEF(4373, "brcmfmac4373.bin");
+ 
+ static struct brcmf_firmware_mapping brcmf_usb_fwnames[] = {
+ 	BRCMF_FW_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -57,7 +58,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_ENTRY(BRCM_CC_43238_CHIP_ID, 0x00000008, 43236B),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43242_CHIP_ID, 0xFFFFFFFF, 43242A),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43566_CHIP_ID, 0xFFFFFFFF, 43569),
+-	BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569)
++	BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569),
++	BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ 
+ #define TRX_MAGIC		0x30524448	/* "HDR0" */
+@@ -1461,15 +1463,20 @@ static int brcmf_usb_reset_resume(struct
+ #define LINKSYS_USB_DEVICE(dev_id)	\
+ 	{ USB_DEVICE(BRCM_USB_VENDOR_ID_LINKSYS, dev_id) }
+ 
++#define CYPRESS_USB_DEVICE(dev_id)	\
++	{ USB_DEVICE(CY_USB_VENDOR_ID_CYPRESS, dev_id) }
++
+ static struct usb_device_id brcmf_usb_devid_table[] = {
+ 	BRCMF_USB_DEVICE(BRCM_USB_43143_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43236_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43242_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43569_DEVICE_ID),
+ 	LINKSYS_USB_DEVICE(BRCM_USB_43235_LINKSYS_DEVICE_ID),
++	CYPRESS_USB_DEVICE(CY_USB_4373_DEVICE_ID),
+ 	{ USB_DEVICE(BRCM_USB_VENDOR_ID_LG, BRCM_USB_43242_LG_DEVICE_ID) },
+ 	/* special entry for device with firmware loaded and running */
+ 	BRCMF_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
++	CYPRESS_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
+ 	{ /* end: all zeroes */ }
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+@@ -23,6 +23,7 @@
+ #define BRCM_USB_VENDOR_ID_BROADCOM	0x0a5c
+ #define BRCM_USB_VENDOR_ID_LG		0x043e
+ #define BRCM_USB_VENDOR_ID_LINKSYS	0x13b1
++#define CY_USB_VENDOR_ID_CYPRESS	0x04b4
+ #define BRCM_PCIE_VENDOR_ID_BROADCOM	PCI_VENDOR_ID_BROADCOM
+ 
+ /* Chipcommon Core Chip IDs */
+@@ -57,6 +58,7 @@
+ #define BRCM_CC_4365_CHIP_ID		0x4365
+ #define BRCM_CC_4366_CHIP_ID		0x4366
+ #define BRCM_CC_4371_CHIP_ID		0x4371
++#define CY_CC_4373_CHIP_ID		0x4373
+ 
+ /* USB Device IDs */
+ #define BRCM_USB_43143_DEVICE_ID	0xbd1e
+@@ -66,6 +68,7 @@
+ #define BRCM_USB_43242_LG_DEVICE_ID	0x3101
+ #define BRCM_USB_43569_DEVICE_ID	0xbd27
+ #define BRCM_USB_BCMFW_DEVICE_ID	0x0bdc
++#define CY_USB_4373_DEVICE_ID		0xbd29
+ 
+ /* PCIE Device IDs */
+ #define BRCM_PCIE_4350_DEVICE_ID	0x43a3
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -39,6 +39,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_43455		0xa9bf
+ #define SDIO_DEVICE_ID_BROADCOM_4354		0x4354
+ #define SDIO_DEVICE_ID_BROADCOM_4356		0x4356
++#define SDIO_DEVICE_ID_CYPRESS_4373		0x4373
+ 
+ #define SDIO_VENDOR_ID_INTEL			0x0089
+ #define SDIO_DEVICE_ID_INTEL_IWMC3200WIMAX	0x1402

package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch

@@ -0,0 +1,47 @@
+From 99976fc084129e07df3a066dc15651853386da19 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:59 +0800
+Subject: [PATCH] brcmfmac: fix wrong num_different_channels when mchan feature
+ enabled
+
+When the device/firmware supports multi-channel, it can have P2P
+connection and regular connection with AP simultaneous. In this case,
+the num_different_channels in wiphy info was not correct when firmware
+supports multi-channel (The iw wiphy# info showed "#channels <= 1" in
+interface combinations). It caused association failed and error message
+"CTRL-EVENT-FREQ-CONFLICT error" in wpa_supplicant when P2P GO interface
+was running at the same time.
+The root cause is that the num_different_channels was always overridden
+to 1 in brcmf_setup_ifmodes even multi-channel was enabled.
+We correct the logic by moving num_different_channels setting forward.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6311,6 +6311,8 @@ static int brcmf_setup_ifmodes(struct wi
+ 	if (p2p) {
+ 		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN))
+ 			combo[c].num_different_channels = 2;
++		else
++			combo[c].num_different_channels = 1;
+ 		wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ 					  BIT(NL80211_IFTYPE_P2P_GO) |
+ 					  BIT(NL80211_IFTYPE_P2P_DEVICE);
+@@ -6320,10 +6322,10 @@ static int brcmf_setup_ifmodes(struct wi
+ 		c0_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ 				       BIT(NL80211_IFTYPE_P2P_GO);
+ 	} else {
++		combo[c].num_different_channels = 1;
+ 		c0_limits[i].max = 1;
+ 		c0_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+ 	}
+-	combo[c].num_different_channels = 1;
+ 	combo[c].max_interfaces = i;
+ 	combo[c].n_limits = i;
+ 	combo[c].limits = c0_limits;

package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch

@@ -0,0 +1,27 @@
+From f38966a7ace842afd3a9bf5d0fb56640f49df60c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 30 Aug 2017 15:54:49 +0200
+Subject: [PATCH] brcmfmac: Log chip id and revision
+
+For debugging some problems, it is useful to know the chip revision
+add a brcmf_info message logging this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -602,6 +602,9 @@ int brcmf_fw_map_chip_to_name(u32 chip,
+ 	if ((nvram_name) && (mapping_table[i].nvram))
+ 		strlcat(nvram_name, mapping_table[i].nvram, BRCMF_FW_NAME_LEN);
+ 
++	brcmf_info("using %s for chip %#08x(%d) rev %#08x\n",
++		   fw_name, chip, chip, chiprev);
++
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch

@@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  	struct brcmf_bss_info_le *bss_info_le;
  	struct brcmf_bss_info_le *bss = NULL;
  	u32 bi_length;
-@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
  
  	if (status == BRCMF_E_STATUS_PARTIAL) {
  		brcmf_dbg(SCAN, "ESCAN Partial result\n");
@@ -49,7 +49,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
  			brcmf_err("Invalid bss_count %d: ignoring\n",
  				  escan_result_le->bss_count);
-@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
  		}
  
  		bi_length = le32_to_cpu(bss_info_le->length);

package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch

@@ -0,0 +1,32 @@
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: [PATCH] brcmfmac: Add check for short event packets
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data.  Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Cc: <stable@vger.kernel.org> # v3.8
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+ 	if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ 		return;
+ 
+-	if (datalen > BRCMF_DCMD_MAXLEN)
++	if (datalen > BRCMF_DCMD_MAXLEN ||
++	    datalen + sizeof(*event_packet) > packet_len)
+ 		return;
+ 
+ 	if (in_interrupt())

package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch

@@ -0,0 +1,39 @@
+From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:22 -0700
+Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read
+
+In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
+the length of rxframe is validated.  This could lead to uninitialized
+data being accessed (but not printed).  Since we already have a
+perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
+and ch.chspec is not modified by decchspec(), avoid the extra
+assignment and use ch.chspec in the debug print.
+
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ 	struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+ 	struct brcmf_cfg80211_vif *vif = ifp->vif;
+ 	struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data;
+-	u16 chanspec = be16_to_cpu(rxframe->chanspec);
+ 	struct brcmu_chan ch;
+ 	u8 *mgmt_frame;
+ 	u32 mgmt_frame_len;
+@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ 	cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0);
+ 
+ 	brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n",
+-		  mgmt_frame_len, e->datalen, chanspec, freq);
++		  mgmt_frame_len, e->datalen, ch.chspec, freq);
+ 
+ 	return 0;
+ }

package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch

@@ -0,0 +1,60 @@
+From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 8 Nov 2017 14:36:31 +0100
+Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication
+
+The firmware uses a mailbox to communicate to the host what is going
+on. In the driver we validate the bit received. Various people seen
+the following message:
+
+ brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012
+
+Bit 4 is cause of this message, but this actually indicates the firmware
+has halted. Handle this bit by giving a more meaningful error message.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -259,10 +259,11 @@ struct rte_console {
+ #define I_HMB_HOST_INT	I_HMB_SW3	/* Miscellaneous Interrupt */
+ 
+ /* tohostmailboxdata */
+-#define HMB_DATA_NAKHANDLED	1	/* retransmit NAK'd frame */
+-#define HMB_DATA_DEVREADY	2	/* talk to host after enable */
+-#define HMB_DATA_FC		4	/* per prio flowcontrol update flag */
+-#define HMB_DATA_FWREADY	8	/* fw ready for protocol activity */
++#define HMB_DATA_NAKHANDLED	0x0001	/* retransmit NAK'd frame */
++#define HMB_DATA_DEVREADY	0x0002	/* talk to host after enable */
++#define HMB_DATA_FC		0x0004	/* per prio flowcontrol update flag */
++#define HMB_DATA_FWREADY	0x0008	/* fw ready for protocol activity */
++#define HMB_DATA_FWHALT		0x0010	/* firmware halted */
+ 
+ #define HMB_DATA_FCDATA_MASK	0xff000000
+ #define HMB_DATA_FCDATA_SHIFT	24
+@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br
+ 			  offsetof(struct sdpcmd_regs, tosbmailbox));
+ 	bus->sdcnt.f1regdata += 2;
+ 
++	/* dongle indicates the firmware has halted/crashed */
++	if (hmb_data & HMB_DATA_FWHALT)
++		brcmf_err("mailbox indicates firmware halted\n");
++
+ 	/* Dongle recomposed rx frames, accept them again */
+ 	if (hmb_data & HMB_DATA_NAKHANDLED) {
+ 		brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n",
+@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br
+ 			 HMB_DATA_NAKHANDLED |
+ 			 HMB_DATA_FC |
+ 			 HMB_DATA_FWREADY |
++			 HMB_DATA_FWHALT |
+ 			 HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK))
+ 		brcmf_err("Unknown mailbox data content: 0x%02x\n",
+ 			  hmb_data);

package/kernel/mac80211/patches/329-v4.16-0001-brcmfmac-enlarge-buffer-size-of-caps-to-512-bytes.patch

@@ -0,0 +1,44 @@
+From 7762bb134e3b40e8ee2611365775b7432190a9c7 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Mon, 11 Dec 2017 15:38:21 +0800
+Subject: [PATCH] brcmfmac: enlarge buffer size of caps to 512 bytes
+
+The buffer size of return of cap iovar is greater than 256 bytes in some
+firmwares. For instance, the return size of cap iovar is 271 bytes in 4373
+13.10.246.79 firmare. It makes feature capability parsing failed because
+caps buffer is default value.
+So we enlarge caps buffer size to 512 bytes and add the error print for
+cap iovar error.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -113,13 +113,19 @@ static void brcmf_feat_iovar_int_get(str
+ 	}
+ }
+ 
++#define MAX_CAPS_BUFFER_SIZE	512
+ static void brcmf_feat_firmware_capabilities(struct brcmf_if *ifp)
+ {
+-	char caps[256];
++	char caps[MAX_CAPS_BUFFER_SIZE];
+ 	enum brcmf_feat_id id;
+-	int i;
++	int i, err;
++
++	err = brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
++	if (err) {
++		brcmf_err("could not get firmware cap (%d)\n", err);
++		return;
++	}
+ 
+-	brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
+ 	brcmf_dbg(INFO, "[ %s]\n", caps);
+ 
+ 	for (i = 0; i < ARRAY_SIZE(brcmf_fwcap_map); i++) {

package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch

@@ -0,0 +1,157 @@
+From 1259055170287a350cad453e9eac139c81609860 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 15 Mar 2018 08:29:09 +0100
+Subject: [PATCH] brcmfmac: drop Inter-Access Point Protocol packets by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Testing brcmfmac with more recent firmwares resulted in AP interfaces
+not working in some specific setups. Debugging resulted in discovering
+support for IAPP in Broadcom's firmwares.
+
+Older firmwares were only generating 802.11f frames. Newer ones like:
+1) 10.10 (TOB) (r663589)
+2) 10.10.122.20 (r683106)
+for 4366b1 and 4366c0 respectively seem to also /respect/ 802.11f frames
+in the Tx path by performing a STA disassociation.
+
+This obsoleted standard and its implementation is something that:
+1) Most people don't need / want to use
+2) Can allow local DoS attacks
+3) Breaks AP interfaces in some specific bridge setups
+
+To solve issues it can cause this commit modifies brcmfmac to drop IAPP
+packets. If affects:
+1) Rx path: driver won't be sending these unwanted packets up.
+2) Tx path: driver will reject packets that would trigger STA
+   disassociation perfromed by a firmware (possible local DoS attack).
+
+It appears there are some Broadcom's clients/users who care about this
+feature despite the drawbacks. They can switch it on using a new module
+param.
+
+This change results in only two more comparisons (check for module param
+and check for Ethernet packet length) for 99.9% of packets. Its overhead
+should be very minimal.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/common.c  |  5 ++
+ .../wireless/broadcom/brcm80211/brcmfmac/common.h  |  1 +
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 57 ++++++++++++++++++++++
+ 3 files changed, 63 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -73,6 +73,10 @@ static int brcmf_roamoff;
+ module_param_named(roamoff, brcmf_roamoff, int, S_IRUSR);
+ MODULE_PARM_DESC(roamoff, "Do not use internal roaming engine");
+ 
++static int brcmf_iapp_enable;
++module_param_named(iapp, brcmf_iapp_enable, int, 0);
++MODULE_PARM_DESC(iapp, "Enable partial support for the obsoleted Inter-Access Point Protocol");
++
+ #ifdef DEBUG
+ /* always succeed brcmf_bus_started() */
+ static int brcmf_ignore_probe_fail;
+@@ -287,6 +291,7 @@ struct brcmf_mp_device *brcmf_get_module
+ 	settings->feature_disable = brcmf_feature_disable;
+ 	settings->fcmode = brcmf_fcmode;
+ 	settings->roamoff = !!brcmf_roamoff;
++	settings->iapp = !!brcmf_iapp_enable;
+ #ifdef DEBUG
+ 	settings->ignore_probe_fail = !!brcmf_ignore_probe_fail;
+ #endif
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
+@@ -58,6 +58,7 @@ struct brcmf_mp_device {
+ 	unsigned int	feature_disable;
+ 	int		fcmode;
+ 	bool		roamoff;
++	bool		iapp;
+ 	bool		ignore_probe_fail;
+ 	struct brcmfmac_pd_cc *country_codes;
+ 	union {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -192,6 +192,37 @@ static void brcmf_netdev_set_multicast_l
+ 	schedule_work(&ifp->multicast_work);
+ }
+ 
++/**
++ * brcmf_skb_is_iapp - checks if skb is an IAPP packet
++ *
++ * @skb: skb to check
++ */
++static bool brcmf_skb_is_iapp(struct sk_buff *skb)
++{
++	static const u8 iapp_l2_update_packet[6] __aligned(2) = {
++		0x00, 0x01, 0xaf, 0x81, 0x01, 0x00,
++	};
++	unsigned char *eth_data;
++#if !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
++	const u16 *a, *b;
++#endif
++
++	if (skb->len - skb->mac_len != 6 ||
++	    !is_multicast_ether_addr(eth_hdr(skb)->h_dest))
++		return false;
++
++	eth_data = skb_mac_header(skb) + ETH_HLEN;
++#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
++	return !(((*(const u32 *)eth_data) ^ (*(const u32 *)iapp_l2_update_packet)) |
++		 ((*(const u16 *)(eth_data + 4)) ^ (*(const u16 *)(iapp_l2_update_packet + 4))));
++#else
++	a = (const u16 *)eth_data;
++	b = (const u16 *)iapp_l2_update_packet;
++
++	return !((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]));
++#endif
++}
++
+ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+ 					   struct net_device *ndev)
+ {
+@@ -211,6 +242,23 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
++	/* Some recent Broadcom's firmwares disassociate STA when they receive
++	 * an 802.11f ADD frame. This behavior can lead to a local DoS security
++	 * issue. Attacker may trigger disassociation of any STA by sending a
++	 * proper Ethernet frame to the wireless interface.
++	 *
++	 * Moreover this feature may break AP interfaces in some specific
++	 * setups. This applies e.g. to the bridge with hairpin mode enabled and
++	 * IFLA_BRPORT_MCAST_TO_UCAST set. IAPP packet generated by a firmware
++	 * will get passed back to the wireless interface and cause immediate
++	 * disassociation of a just-connected STA.
++	 */
++	if (!drvr->settings->iapp && brcmf_skb_is_iapp(skb)) {
++		dev_kfree_skb(skb);
++		ret = -EINVAL;
++		goto done;
++	}
++
+ 	/* Make sure there's enough writable headroom*/
+ 	ret = skb_cow_head(skb, drvr->hdrlen);
+ 	if (ret < 0) {
+@@ -288,6 +336,15 @@ void brcmf_txflowblock(struct device *de
+ 
+ void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
+ {
++	/* Most of Broadcom's firmwares send 802.11f ADD frame every time a new
++	 * STA connects to the AP interface. This is an obsoleted standard most
++	 * users don't use, so don't pass these frames up unless requested.
++	 */
++	if (!ifp->drvr->settings->iapp && brcmf_skb_is_iapp(skb)) {
++		brcmu_pkt_buf_free_skb(skb);
++		return;
++	}
++
+ 	if (skb->pkt_type == PACKET_MULTICAST)
+ 		ifp->stats.multicast++;
+ 

package/kernel/mac80211/patches/329-v4.16-0003-brcmfmac-Fix-check-for-ISO3166-code.patch

@@ -0,0 +1,29 @@
+From 9b9322db5c5a1917a66c71fe47c3848a9a31227e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 14 Mar 2018 20:02:59 +0100
+Subject: [PATCH] brcmfmac: Fix check for ISO3166 code
+
+The commit "regulatory: add NUL to request alpha2" increases the length of
+alpha2 to 3. This causes a regression on brcmfmac, because
+brcmf_cfg80211_reg_notifier() expect valid ISO3166 codes in the complete
+array. So fix this accordingly.
+
+Fixes: 657308f73e67 ("regulatory: add NUL to request alpha2")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6775,7 +6775,7 @@ static void brcmf_cfg80211_reg_notifier(
+ 		return;
+ 
+ 	/* ignore non-ISO3166 country codes */
+-	for (i = 0; i < sizeof(req->alpha2); i++)
++	for (i = 0; i < 2; i++)
+ 		if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
+ 			brcmf_err("not a ISO3166 code (0x%02x 0x%02x)\n",
+ 				  req->alpha2[0], req->alpha2[1]);

package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch

@@ -0,0 +1,46 @@
+From: Dan Haab <dhaab@luxul.com>
+Date: Tue, 3 Apr 2018 10:21:56 +0200
+Subject: [PATCH] brcmfmac: add support for BCM4366E chipset
+
+BCM4366E is a wireless chipset with a BCM43664 ChipCommon. It's
+supported by the same firmware as 4366c0.
+
+Signed-off-by: Dan Haab <dan.haab@luxul.com>
+[arend: rebase patch and remove unnecessary definition]
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c       | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c       | 1 +
+ drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -689,6 +689,7 @@ static u32 brcmf_chip_tcm_rambase(struct
+ 	case BRCM_CC_43525_CHIP_ID:
+ 	case BRCM_CC_4365_CHIP_ID:
+ 	case BRCM_CC_4366_CHIP_ID:
++	case BRCM_CC_43664_CHIP_ID:
+ 		return 0x200000;
+ 	case CY_CC_4373_CHIP_ID:
+ 		return 0x160000;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4365_CHIP_ID, 0xFFFFFFF0, 4365C),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0x0000000F, 4366B),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0xFFFFFFF0, 4366C),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43664_CHIP_ID, 0xFFFFFFF0, 4366C),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371),
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+@@ -57,6 +57,7 @@
+ #define BRCM_CC_43602_CHIP_ID		43602
+ #define BRCM_CC_4365_CHIP_ID		0x4365
+ #define BRCM_CC_4366_CHIP_ID		0x4366
++#define BRCM_CC_43664_CHIP_ID		43664
+ #define BRCM_CC_4371_CHIP_ID		0x4371
+ #define CY_CC_4373_CHIP_ID		0x4373
+ 

package/kernel/mac80211/patches/331-v4.18-0002-brcmfmac-coarse-support-for-PCIe-shared-structure-re.patch

@@ -0,0 +1,97 @@
+From f56324baf329bc9362a52ad77a4a1a0f3356d1bc Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Thu, 26 Apr 2018 12:16:51 +0200
+Subject: [PATCH] brcmfmac: coarse support for PCIe shared structure rev7
+
+Revision 7 of PCIe dongle interface increases the item size of tx and rx
+complete rings to accommodate extra payload for new feature. This patch
+simply bump up the size of these two rings without adding the support
+for utilizing the new space. This makes brcmfmac compatible with rev7
+firmware.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.h  |  6 ++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/pcie.c    | 23 ++++++++++++++++++----
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
+@@ -27,8 +27,10 @@
+ #define BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE	40
+ #define BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE	32
+ #define BRCMF_D2H_MSGRING_CONTROL_COMPLETE_ITEMSIZE	24
+-#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE		16
+-#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE		32
++#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE_PRE_V7	16
++#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE		24
++#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE_PRE_V7	32
++#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE		40
+ #define BRCMF_H2D_TXFLOWRING_ITEMSIZE			48
+ 
+ struct msgbuf_buf_addr {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -135,8 +135,9 @@ static struct brcmf_firmware_mapping brc
+ 						 BRCMF_PCIE_MB_INT_D2H3_DB0 | \
+ 						 BRCMF_PCIE_MB_INT_D2H3_DB1)
+ 
++#define BRCMF_PCIE_SHARED_VERSION_7		7
+ #define BRCMF_PCIE_MIN_SHARED_VERSION		5
+-#define BRCMF_PCIE_MAX_SHARED_VERSION		6
++#define BRCMF_PCIE_MAX_SHARED_VERSION		BRCMF_PCIE_SHARED_VERSION_7
+ #define BRCMF_PCIE_SHARED_VERSION_MASK		0x00FF
+ #define BRCMF_PCIE_SHARED_DMA_INDEX		0x10000
+ #define BRCMF_PCIE_SHARED_DMA_2B_IDX		0x100000
+@@ -316,6 +317,14 @@ static const u32 brcmf_ring_max_item[BRC
+ 	BRCMF_D2H_MSGRING_RX_COMPLETE_MAX_ITEM
+ };
+ 
++static const u32 brcmf_ring_itemsize_pre_v7[BRCMF_NROF_COMMON_MSGRINGS] = {
++	BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE,
++	BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE,
++	BRCMF_D2H_MSGRING_CONTROL_COMPLETE_ITEMSIZE,
++	BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE_PRE_V7,
++	BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE_PRE_V7
++};
++
+ static const u32 brcmf_ring_itemsize[BRCMF_NROF_COMMON_MSGRINGS] = {
+ 	BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE,
+ 	BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE,
+@@ -999,8 +1008,14 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 	struct brcmf_pcie_ringbuf *ring;
+ 	u32 size;
+ 	u32 addr;
++	const u32 *ring_itemsize_array;
++
++	if (devinfo->shared.version < BRCMF_PCIE_SHARED_VERSION_7)
++		ring_itemsize_array = brcmf_ring_itemsize_pre_v7;
++	else
++		ring_itemsize_array = brcmf_ring_itemsize;
+ 
+-	size = brcmf_ring_max_item[ring_id] * brcmf_ring_itemsize[ring_id];
++	size = brcmf_ring_max_item[ring_id] * ring_itemsize_array[ring_id];
+ 	dma_buf = brcmf_pcie_init_dmabuffer_for_device(devinfo, size,
+ 			tcm_ring_phys_addr + BRCMF_RING_MEM_BASE_ADDR_OFFSET,
+ 			&dma_handle);
+@@ -1010,7 +1025,7 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 	addr = tcm_ring_phys_addr + BRCMF_RING_MAX_ITEM_OFFSET;
+ 	brcmf_pcie_write_tcm16(devinfo, addr, brcmf_ring_max_item[ring_id]);
+ 	addr = tcm_ring_phys_addr + BRCMF_RING_LEN_ITEMS_OFFSET;
+-	brcmf_pcie_write_tcm16(devinfo, addr, brcmf_ring_itemsize[ring_id]);
++	brcmf_pcie_write_tcm16(devinfo, addr, ring_itemsize_array[ring_id]);
+ 
+ 	ring = kzalloc(sizeof(*ring), GFP_KERNEL);
+ 	if (!ring) {
+@@ -1019,7 +1034,7 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 		return NULL;
+ 	}
+ 	brcmf_commonring_config(&ring->commonring, brcmf_ring_max_item[ring_id],
+-				brcmf_ring_itemsize[ring_id], dma_buf);
++				ring_itemsize_array[ring_id], dma_buf);
+ 	ring->dma_handle = dma_handle;
+ 	ring->devinfo = devinfo;
+ 	brcmf_commonring_register_cb(&ring->commonring,

package/kernel/mac80211/patches/331-v4.18-0003-brcmfmac-Add-support-for-bcm43364-wireless-chipset.patch

@@ -0,0 +1,45 @@
+From 9c4a121e82634aa000a702c98cd6f05b27d6e186 Mon Sep 17 00:00:00 2001
+From: Sean Lanigan <sean@lano.id.au>
+Date: Fri, 4 May 2018 16:48:23 +1000
+Subject: [PATCH] brcmfmac: Add support for bcm43364 wireless chipset
+
+Add support for the BCM43364 chipset via an SDIO interface, as used in
+e.g. the Murata 1FX module.
+
+The BCM43364 uses the same firmware as the BCM43430 (which is already
+included), the only difference is the omission of Bluetooth.
+
+However, the SDIO_ID for the BCM43364 is 02D0:A9A4, giving it a MODALIAS
+of sdio:c00v02D0dA9A4, which doesn't get recognised and hence doesn't
+load the brcmfmac module. Adding the 'A9A4' ID in the appropriate place
+triggers the brcmfmac driver to load, and then correctly use the
+firmware file 'brcmfmac43430-sdio.bin'.
+
+Signed-off-by: Sean Lanigan <sean@lano.id.au>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
+ include/linux/mmc/sdio_ids.h                              | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1097,6 +1097,7 @@ static const struct sdio_device_id brcmf
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43340),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43341),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43362),
++ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43364),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4335_4339),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4339),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43430),
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -34,6 +34,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_4335_4339	0x4335
+ #define SDIO_DEVICE_ID_BROADCOM_4339		0x4339
+ #define SDIO_DEVICE_ID_BROADCOM_43362		0xa962
++#define SDIO_DEVICE_ID_BROADCOM_43364		0xa9a4
+ #define SDIO_DEVICE_ID_BROADCOM_43430		0xa9a6
+ #define SDIO_DEVICE_ID_BROADCOM_4345		0x4345
+ #define SDIO_DEVICE_ID_BROADCOM_43455		0xa9bf

package/kernel/mac80211/patches/331-v4.18-0004-brcmfmac-set-WIPHY_FLAG_HAVE_AP_SME-flag.patch

@@ -0,0 +1,34 @@
+From 1204aa17f3b4f63e67ac9b7c9afa9496485969c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 10 May 2018 15:21:39 +0200
+Subject: [PATCH] brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+brcmfmac is a FullMAC driver and it implements/uses cfg80211 interface
+for stations management. At the same time it doesn't receive or pass up
+management frames.
+
+This flag indicates that authenticator doesn't have to subscribe to or
+handle management frames. Some authenticators (e.g. hostapd) were
+working with brcmfmac thanks to some extra assumptions. This commit
+clears up the situation.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6485,6 +6485,7 @@ static int brcmf_setup_wiphy(struct wiph
+ 				    BIT(NL80211_BSS_SELECT_ATTR_RSSI_ADJUST);
+ 
+ 	wiphy->flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT |
++			WIPHY_FLAG_HAVE_AP_SME |
+ 			WIPHY_FLAG_OFFCHAN_TX |
+ 			WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
+ 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_TDLS))

package/kernel/mac80211/patches/331-v4.18-0005-brcmfmac-add-debugfs-entry-for-reading-firmware-capa.patch

@@ -0,0 +1,75 @@
+From 88001968245c42c26416476bf0ef960442371605 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 14 May 2018 08:48:20 +0200
+Subject: [PATCH] brcmfmac: add debugfs entry for reading firmware capabilities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows reading all capabilities as reported by a firmware. They are
+printed using native (raw) names, just like developers like it the most.
+It's how firmware reports support for various features, e.g. supported
+modes, supported standards, power saving details, max BSS-es.
+
+Access to all that info is useful for trying new firmwares, comparing
+them and debugging features AKA bugs.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/feature.c | 36 ++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -138,6 +138,41 @@ static void brcmf_feat_firmware_capabili
+ 	}
+ }
+ 
++/**
++ * brcmf_feat_fwcap_debugfs_read() - expose firmware capabilities to debugfs.
++ *
++ * @seq: sequence for debugfs entry.
++ * @data: raw data pointer.
++ */
++static int brcmf_feat_fwcap_debugfs_read(struct seq_file *seq, void *data)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(seq->private);
++	struct brcmf_if *ifp = brcmf_get_ifp(bus_if->drvr, 0);
++	char caps[MAX_CAPS_BUFFER_SIZE + 1] = { };
++	char *tmp;
++	int err;
++
++	err = brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
++	if (err) {
++		brcmf_err("could not get firmware cap (%d)\n", err);
++		return err;
++	}
++
++	/* Put every capability in a new line */
++	for (tmp = caps; *tmp; tmp++) {
++		if (*tmp == ' ')
++			*tmp = '\n';
++	}
++
++	/* Usually there is a space at the end of capabilities string */
++	seq_printf(seq, "%s", caps);
++	/* So make sure we don't print two line breaks */
++	if (tmp > caps && *(tmp - 1) != '\n')
++		seq_printf(seq, "\n");
++
++	return 0;
++}
++
+ void brcmf_feat_attach(struct brcmf_pub *drvr)
+ {
+ 	struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
+@@ -196,6 +231,7 @@ void brcmf_feat_attach(struct brcmf_pub
+ 	}
+ 
+ 	brcmf_debugfs_add_entry(drvr, "features", brcmf_feat_debugfs_read);
++	brcmf_debugfs_add_entry(drvr, "fwcap", brcmf_feat_fwcap_debugfs_read);
+ }
+ 
+ bool brcmf_feat_is_enabled(struct brcmf_if *ifp, enum brcmf_feat_id id)

package/kernel/mac80211/patches/331-v4.18-0006-brcmfmac-add-support-for-sysfs-initiated-coredump.patch

@@ -0,0 +1,74 @@
+From 8e072168f75ebce85b96cbcefea2b10ddbd5913f Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 16 May 2018 14:11:59 +0200
+Subject: [PATCH] brcmfmac: add support for sysfs initiated coredump
+
+The driver already supports device coredump initiated by firmware
+event. Since commit 3c47d19ff4dc ("drivers: base: add coredump driver
+ops") it is also possible to initiate it from user-space through
+sysfs. This patch adds support for SDIO and PCIe devices.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h    | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c   | 8 ++++++++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c   | 1 +
+ 4 files changed, 12 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1299,6 +1299,9 @@ static struct sdio_driver brcmf_sdmmc_dr
+ #ifdef CONFIG_PM_SLEEP
+ 		.pm = &brcmf_sdio_pm_ops,
+ #endif	/* CONFIG_PM_SLEEP */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
++		.coredump = brcmf_dev_coredump,
++#endif
+ 	},
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
+@@ -231,6 +231,8 @@ void brcmf_detach(struct device *dev);
+ void brcmf_dev_reset(struct device *dev);
+ /* Indication from bus module to change flow-control state */
+ void brcmf_txflowblock(struct device *dev, bool state);
++/* Request from bus module to initiate a coredump */
++void brcmf_dev_coredump(struct device *dev);
+ 
+ /* Notify the bus has transferred the tx packet to firmware */
+ void brcmf_txcomplete(struct device *dev, struct sk_buff *txp, bool success);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1159,6 +1159,14 @@ void brcmf_dev_reset(struct device *dev)
+ 		brcmf_fil_cmd_int_set(drvr->iflist[0], BRCMF_C_TERMINATED, 1);
+ }
+ 
++void brcmf_dev_coredump(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++
++	if (brcmf_debug_create_memdump(bus_if, NULL, 0) < 0)
++		brcmf_dbg(TRACE, "failed to create coredump\n");
++}
++
+ void brcmf_detach(struct device *dev)
+ {
+ 	s32 i;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1995,6 +1995,9 @@ static struct pci_driver brcmf_pciedrvr
+ #ifdef CONFIG_PM
+ 	.driver.pm = &brcmf_pciedrvr_pm,
+ #endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
++	.driver.coredump = brcmf_dev_coredump,
++#endif
+ };
+ 
+ 

package/kernel/mac80211/patches/331-v4.18-0007-brcmfmac-validate-user-provided-data-for-memdump-bef.patch

@@ -0,0 +1,32 @@
+From d2af9b566554e01f9ad67b330ce569dbc130e5d3 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:01 +0200
+Subject: [PATCH] brcmfmac: validate user provided data for memdump before
+ copying
+
+In patch "brcmfmac: add support for sysfs initiated coredump", a new
+scenario of brcmf_debug_create_memdump was added in which the user of
+the function might not necessarily provide prefix data. Hence the
+function should not assume the data is always valid and should perform a
+check before copying.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
+@@ -42,7 +42,8 @@ int brcmf_debug_create_memdump(struct br
+ 	if (!dump)
+ 		return -ENOMEM;
+ 
+-	memcpy(dump, data, len);
++	if (data && len > 0)
++		memcpy(dump, data, len);
+ 	err = brcmf_bus_get_memdump(bus, dump + len, ramsize);
+ 	if (err) {
+ 		vfree(dump);

package/kernel/mac80211/patches/331-v4.18-0008-brcmfmac-trigger-memory-dump-upon-firmware-halt-sign.patch

@@ -0,0 +1,38 @@
+From 8a3ab2f38f1669e3be6433a1f6b82a077b38c4c7 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:02 +0200
+Subject: [PATCH] brcmfmac: trigger memory dump upon firmware halt signal
+
+PCIe dongle firmware signals a halt/trap through mailbox interrupt.
+Trigger a memory dump upon receiving such signal could help to provide
+useful information for issue debug.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -180,6 +180,7 @@ static struct brcmf_firmware_mapping brc
+ #define BRCMF_D2H_DEV_D3_ACK			0x00000001
+ #define BRCMF_D2H_DEV_DS_ENTER_REQ		0x00000002
+ #define BRCMF_D2H_DEV_DS_EXIT_NOTE		0x00000004
++#define BRCMF_D2H_DEV_FWHALT			0x10000000
+ 
+ #define BRCMF_H2D_HOST_D3_INFORM		0x00000001
+ #define BRCMF_H2D_HOST_DS_ACK			0x00000002
+@@ -715,6 +716,10 @@ static void brcmf_pcie_handle_mb_data(st
+ 		devinfo->mbdata_completed = true;
+ 		wake_up(&devinfo->mbdata_resp_wait);
+ 	}
++	if (dtoh_mb_data & BRCMF_D2H_DEV_FWHALT) {
++		brcmf_dbg(PCIE, "D2H_MB_DATA: FW HALT\n");
++		brcmf_dev_coredump(&devinfo->pdev->dev);
++	}
+ }
+ 
+ 

package/kernel/mac80211/patches/331-v4.18-0009-brcmfmac-trigger-memory-dump-on-SDIO-firmware-halt-m.patch

@@ -0,0 +1,40 @@
+From b8248236e92790ac635caeb4156e46ea2417e037 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:03 +0200
+Subject: [PATCH] brcmfmac: trigger memory dump on SDIO firmware halt message
+
+Attempt to dump dongle memory for debug upon receiving firmware halt
+message through dongle to host mail box interrupt.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[rmilecki: add sdiod variable and use func[1]]
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1078,6 +1078,7 @@ static void brcmf_sdio_get_console_addr(
+ 
+ static u32 brcmf_sdio_hostmail(struct brcmf_sdio *bus)
+ {
++	struct brcmf_sdio_dev *sdiod = bus->sdiodev;
+ 	u32 intstatus = 0;
+ 	u32 hmb_data;
+ 	u8 fcbits;
+@@ -1095,8 +1096,10 @@ static u32 brcmf_sdio_hostmail(struct br
+ 	bus->sdcnt.f1regdata += 2;
+ 
+ 	/* dongle indicates the firmware has halted/crashed */
+-	if (hmb_data & HMB_DATA_FWHALT)
++	if (hmb_data & HMB_DATA_FWHALT) {
+ 		brcmf_err("mailbox indicates firmware halted\n");
++		brcmf_dev_coredump(&sdiod->func[1]->dev);
++	}
+ 
+ 	/* Dongle recomposed rx frames, accept them again */
+ 	if (hmb_data & HMB_DATA_NAKHANDLED) {

package/kernel/mac80211/patches/332-v4.19-0001-brcmfmac-detect-firmware-support-for-monitor-interfa.patch

@@ -0,0 +1,59 @@
+From 01f69dfafdbe7deff58b58053bc3a4a75c6a570c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:35 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for monitor interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Many/most of firmwares support creating monitor interface but only the
+most recent ones explicitly /announce/ it using a "monitor" entry in the
+list of capabilities.
+
+Check for that entry and store internally info about monitor mode
+support using a new feature flag. Once we sort out all details of
+handling monitor interface it will be used when reporting available
+interfaces to the cfg80211.
+
+Later some fallback detecion method may be added for older firmwares.
+For now just stick to the "monitor" capability which should be 100%
+reliable.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -47,6 +47,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MBSS, "mbss" },
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
++	{ BRCMF_FEAT_MONITOR, "monitor" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -31,6 +31,7 @@
+  * WOWL_GTK: (WOWL) GTK rekeying offload
+  * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
+  * MFP: 802.11w Management Frame Protection.
++ * MONITOR: firmware can pass monitor packets to host.
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -44,7 +45,8 @@
+ 	BRCMF_FEAT_DEF(WOWL_ND) \
+ 	BRCMF_FEAT_DEF(WOWL_GTK) \
+ 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
+-	BRCMF_FEAT_DEF(MFP)
++	BRCMF_FEAT_DEF(MFP) \
++	BRCMF_FEAT_DEF(MONITOR)
+ 
+ /*
+  * Quirks: