LEDE v17.01.6: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.lede-project.org/feed/packages.git^2578f56c298ef8691cc9448dc9f583fc8159260e
-src-git luci https://git.lede-project.org/project/luci.git^b78664c2cd4046a1e77285834b71f9523c91afe7
+src-git packages https://git.lede-project.org/feed/packages.git^40da7ecf21ffe1f3523ffa430c406e1db58ce3d4
+src-git luci https://git.lede-project.org/project/luci.git^7bf036750081787e01339c82865ad45fca6520ef
 src-git routing https://git.lede-project.org/feed/routing.git^d09478290f72c6e58833b65baf14d9173eaf98e1
-src-git telephony https://git.lede-project.org/feed/telephony.git^b60d32979aa1913bf37ae7c09e4773735f9f255f
+src-git telephony https://git.lede-project.org/feed/telephony.git^95498e75db5c6741cd53f8746ffc1473c72b6e5d

include/download.mk

@@ -6,8 +6,10 @@
 # See /LICENSE for more information.
 #
 
-OPENWRT_GIT = http://git.openwrt.org
-LEDE_GIT = https://git.lede-project.org
+PROJECT_GIT = https://git.openwrt.org
+
+OPENWRT_GIT = $(PROJECT_GIT)
+LEDE_GIT = $(PROJECT_GIT)
 
 ifdef PKG_SOURCE_VERSION
 PKG_VERSION ?= $(if $(PKG_SOURCE_DATE),$(PKG_SOURCE_DATE)-)$(call version_abbrev,$(PKG_SOURCE_VERSION))

include/kernel-version.mk

@@ -3,10 +3,10 @@
 LINUX_RELEASE?=1
 
 LINUX_VERSION-3.18 = .43
-LINUX_VERSION-4.4 = .140
+LINUX_VERSION-4.4 = .153
 
 LINUX_KERNEL_HASH-3.18.43 = 1236e8123a6ce537d5029232560966feed054ae31776fe8481dd7d18cdd5492c
-LINUX_KERNEL_HASH-4.4.140 = 184c8f3cde0caca0d2a15ee2b6ce47e3a5b57038bc15a65e631d6b340886c7bb
+LINUX_KERNEL_HASH-4.4.153 = 0f2355515c22ca705600043bedc75218c68dcb8ab528f57f67851fbcb8545402
 
 ifdef KERNEL_PATCHVER
   LINUX_VERSION:=$(KERNEL_PATCHVER)$(strip $(LINUX_VERSION-$(KERNEL_PATCHVER)))

include/package-ipkg.mk

@@ -196,7 +196,7 @@ $(_endef)
 			fi; \
 		done; $(Package/$(1)/extra_provides) \
 	) | sort -u > $(PKG_INFO_DIR)/$(1).provides
-	$(if $(PROVIDES),@for pkg in $(PROVIDES); do cp $(PKG_INFO_DIR)/$(1).provides $(PKG_INFO_DIR)/$$$$pkg.provides; done)
+	$(if $(PROVIDES),@for pkg in $(filter-out $(1),$(PROVIDES)); do cp $(PKG_INFO_DIR)/$(1).provides $(PKG_INFO_DIR)/$$$$pkg.provides; done)
 	$(CheckDependencies)
 
 	$(RSTRIP) $$(IDIR_$(1))

include/version.mk

@@ -31,16 +31,16 @@ qstrip_escape=$(subst ','\'',$(call qstrip,$(1)))
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip_escape,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.5)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.6)
 
 VERSION_CODE:=$(call qstrip_escape,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3919-38e704be71)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3979-2252731af4)
 
 VERSION_NICK:=$(call qstrip_escape,$(CONFIG_VERSION_NICK))
 VERSION_NICK:=$(if $(VERSION_NICK),$(VERSION_NICK),$(RELEASE))
 
 VERSION_REPO:=$(call qstrip_escape,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.5)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.6)
 
 VERSION_DIST:=$(call qstrip_escape,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),LEDE)

package/base-files/image-config.in

@@ -190,7 +190,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.lede-project.org/releases/17.01.5"
+		default "http://downloads.lede-project.org/releases/17.01.6"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/grub2/Makefile

@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=grub
 PKG_VERSION:=2.02
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/grub

package/boot/grub2/patches/300-CVE-2015-8370.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Fri, 13 Nov 2015 16:21:09 +0100
+Subject: [PATCH] Fix security issue when reading username and password
+
+  This patch fixes two integer underflows at:
+    * grub-core/lib/crypto.c
+    * grub-core/normal/auth.c
+
+Resolves: CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+---
+ grub-core/lib/crypto.c  | 2 +-
+ grub-core/normal/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    cur_len--;
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    {

package/firmware/amd64-microcode/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=amd64-microcode
-PKG_VERSION:=20171205
+PKG_VERSION:=20180524
 PKG_RELEASE:=1
 
 PKG_SOURCE:=amd64-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/a/amd64-microcode/
-PKG_HASH:=a38bc072f535a3d3c1bf4e9e545197aa5114e979e94ef7e4a67e615df2f853a7
+PKG_HASH:=7c389c357c242e7161f6872bf4e12011a71e4c0683f06fb1bcfad650a78bf0a9
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
 
 PKG_LICENSE_FILE:=LICENSE.amd-ucode

package/firmware/intel-microcode/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=intel-microcode
-PKG_VERSION:=20180312
-PKG_RELEASE:=1
+PKG_VERSION:=20180703
+PKG_RELEASE:=2
 
 PKG_SOURCE:=intel-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/i/intel-microcode/
-PKG_HASH:=6ccb295d23961c7b96a69280e30fdce939e1d905147b22b8428886b173812d52
+PKG_HASH:=26dfaa47100ce3d06f968edefa7539da10de7b96d5d8e26ee8174a040ee5cdae
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
 
 PKG_BUILD_DEPENDS:=iucode-tool/host
@@ -36,14 +36,14 @@ endef
 
 define Build/Compile
 	IUCODE_TOOL=$(STAGING_DIR)/../host/bin/iucode_tool $(MAKE) -C $(PKG_BUILD_DIR)
-	mkdir $(PKG_BUILD_DIR)/intel-ucode
+	mkdir $(PKG_BUILD_DIR)/intel-ucode-ipkg
 	$(STAGING_DIR)/../host/bin/iucode_tool -q \
-		--write-firmware=$(PKG_BUILD_DIR)/intel-ucode $(PKG_BUILD_DIR)/$(MICROCODE).bin
+		--write-firmware=$(PKG_BUILD_DIR)/intel-ucode-ipkg $(PKG_BUILD_DIR)/$(MICROCODE).bin
 endef
 
 define Package/intel-microcode/install
 	$(INSTALL_DIR) $(1)/lib/firmware/intel-ucode
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/intel-ucode/* $(1)/lib/firmware/intel-ucode
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/intel-ucode-ipkg/* $(1)/lib/firmware/intel-ucode
 endef
 
 $(eval $(call BuildPackage,intel-microcode))

package/kernel/kmod-sched-cake/Makefile

@@ -13,9 +13,10 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/dtaht/sch_cake.git
-PKG_SOURCE_DATE:=2018-01-07
-PKG_SOURCE_VERSION:=568ed96467f41aad37556b0db11fc008e05941e9
-PKG_MIRROR_HASH:=8f3f962824826d07b1029379d91e01bf97fe0bfce1233af5cfa7a54cb1c3632c
+PKG_SOURCE_DATE:=2018-07-16
+PKG_SOURCE_VERSION:=f39ab9a402ad51d7c17d4cde18ca15b2b7022030
+PKG_MIRROR_HASH:=fc22fc6eb7a24f4595c2777f33758ebcf9a2a404c16d00aa37ae389cd7f9c78f
+PKG_MAINTAINER:=Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=5
+PKG_RELEASE:=14
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317

package/kernel/mac80211/patches/318-v4.11-0007-brcmfmac-use-local-iftype-avoiding-use-after-free-of.patch

@@ -0,0 +1,61 @@
+From d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 09:11:30 +0100
+Subject: [PATCH] brcmfmac: use local iftype avoiding use-after-free of virtual
+ interface
+
+A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual
+interface is removed using call to brcmf_remove_interface(). After that
+the virtual interface instance has been freed and should not be referenced.
+Solve this by storing the nl80211 iftype in local variable, which is used
+in a couple of places anyway.
+
+Cc: stable@vger.kernel.org # 4.10.x, 4.9.x
+Reported-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -2240,14 +2240,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 	struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
+ 	struct brcmf_p2p_info *p2p = &cfg->p2p;
+ 	struct brcmf_cfg80211_vif *vif;
++	enum nl80211_iftype iftype;
+ 	bool wait_for_disable = false;
+ 	int err;
+ 
+ 	brcmf_dbg(TRACE, "delete P2P vif\n");
+ 	vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
+ 
++	iftype = vif->wdev.iftype;
+ 	brcmf_cfg80211_arm_vif_event(cfg, vif);
+-	switch (vif->wdev.iftype) {
++	switch (iftype) {
+ 	case NL80211_IFTYPE_P2P_CLIENT:
+ 		if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state))
+ 			wait_for_disable = true;
+@@ -2277,7 +2279,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 					    BRCMF_P2P_DISABLE_TIMEOUT);
+ 
+ 	err = 0;
+-	if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) {
++	if (iftype != NL80211_IFTYPE_P2P_DEVICE) {
+ 		brcmf_vif_clear_mgmt_ies(vif);
+ 		err = brcmf_p2p_release_p2p_if(vif);
+ 	}
+@@ -2293,7 +2295,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 	brcmf_remove_interface(vif->ifp, true);
+ 
+ 	brcmf_cfg80211_arm_vif_event(cfg, NULL);
+-	if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
++	if (iftype != NL80211_IFTYPE_P2P_DEVICE)
+ 		p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
+ 
+ 	return err;

package/kernel/mac80211/patches/319-v4.12-0001-brcmfmac-always-print-error-when-PSM-s-watchdog-fire.patch

@@ -0,0 +1,148 @@
+From f1ac3aa212af6dd0a36dc07a63f95f91be6f4935 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 24 Feb 2017 17:32:46 +0100
+Subject: [PATCH] brcmfmac: always print error when PSM's watchdog fires
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far we were attaching BRCMF_E_PSM_WATCHDOG event listener in
+brcmf_debug_attach which gets compiled only with CONFIG_BRCMDBG. This
+event means something went wrong and firmware / hardware usually can't
+be expected to work (reliably).
+
+Such a problem is significant for user experience so I believe we should
+print an error unconditionally (even with debugging disabled). What can
+be indeed optional is dumping bus memory as this is clearly part of
+debugging process.
+
+In the future we may also try to extend this listener by trying to
+recover from the error or at least signal it to the cfg80211.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 22 ++++++++++++++++++
+ .../wireless/broadcom/brcm80211/brcmfmac/debug.c   | 26 +++-------------------
+ .../wireless/broadcom/brcm80211/brcmfmac/debug.h   |  9 ++++++++
+ 3 files changed, 34 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -748,6 +748,24 @@ void brcmf_remove_interface(struct brcmf
+ 	brcmf_del_if(ifp->drvr, ifp->bsscfgidx, rtnl_locked);
+ }
+ 
++static int brcmf_psm_watchdog_notify(struct brcmf_if *ifp,
++				     const struct brcmf_event_msg *evtmsg,
++				     void *data)
++{
++	int err;
++
++	brcmf_dbg(TRACE, "enter: bsscfgidx=%d\n", ifp->bsscfgidx);
++
++	brcmf_err("PSM's watchdog has fired!\n");
++
++	err = brcmf_debug_create_memdump(ifp->drvr->bus_if, data,
++					 evtmsg->datalen);
++	if (err)
++		brcmf_err("Failed to get memory dump, %d\n", err);
++
++	return err;
++}
++
+ #ifdef CONFIG_INET
+ #define ARPOL_MAX_ENTRIES	8
+ static int brcmf_inetaddr_changed(struct notifier_block *nb,
+@@ -927,6 +945,10 @@ int brcmf_attach(struct device *dev, str
+ 		goto fail;
+ 	}
+ 
++	/* Attach to events important for core code */
++	brcmf_fweh_register(drvr, BRCMF_E_PSM_WATCHDOG,
++			    brcmf_psm_watchdog_notify);
++
+ 	/* attach firmware event handler */
+ 	brcmf_fweh_attach(drvr);
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
+@@ -27,8 +27,8 @@
+ 
+ static struct dentry *root_folder;
+ 
+-static int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
+-				      size_t len)
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len)
+ {
+ 	void *dump;
+ 	size_t ramsize;
+@@ -54,24 +54,6 @@ static int brcmf_debug_create_memdump(st
+ 	return 0;
+ }
+ 
+-static int brcmf_debug_psm_watchdog_notify(struct brcmf_if *ifp,
+-					   const struct brcmf_event_msg *evtmsg,
+-					   void *data)
+-{
+-	int err;
+-
+-	brcmf_dbg(TRACE, "enter: bsscfgidx=%d\n", ifp->bsscfgidx);
+-
+-	brcmf_err("PSM's watchdog has fired!\n");
+-
+-	err = brcmf_debug_create_memdump(ifp->drvr->bus_if, data,
+-					 evtmsg->datalen);
+-	if (err)
+-		brcmf_err("Failed to get memory dump, %d\n", err);
+-
+-	return err;
+-}
+-
+ void brcmf_debugfs_init(void)
+ {
+ 	root_folder = debugfs_create_dir(KBUILD_MODNAME, NULL);
+@@ -99,9 +81,7 @@ int brcmf_debug_attach(struct brcmf_pub
+ 	if (IS_ERR(drvr->dbgfs_dir))
+ 		return PTR_ERR(drvr->dbgfs_dir);
+ 
+-
+-	return brcmf_fweh_register(drvr, BRCMF_E_PSM_WATCHDOG,
+-				   brcmf_debug_psm_watchdog_notify);
++	return 0;
+ }
+ 
+ void brcmf_debug_detach(struct brcmf_pub *drvr)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -99,6 +99,7 @@ do {									\
+ 
+ extern int brcmf_msg_level;
+ 
++struct brcmf_bus;
+ struct brcmf_pub;
+ #ifdef DEBUG
+ void brcmf_debugfs_init(void);
+@@ -108,6 +109,8 @@ void brcmf_debug_detach(struct brcmf_pub
+ struct dentry *brcmf_debugfs_get_devdir(struct brcmf_pub *drvr);
+ int brcmf_debugfs_add_entry(struct brcmf_pub *drvr, const char *fn,
+ 			    int (*read_fn)(struct seq_file *seq, void *data));
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len);
+ #else
+ static inline void brcmf_debugfs_init(void)
+ {
+@@ -128,6 +131,12 @@ int brcmf_debugfs_add_entry(struct brcmf
+ {
+ 	return 0;
+ }
++static inline
++int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
++			       size_t len)
++{
++	return 0;
++}
+ #endif
+ 
+ #endif /* BRCMFMAC_DEBUG_H */

package/kernel/mac80211/patches/319-v4.12-0002-brcmfmac-Do-not-print-the-firmware-version-as-an-err.patch

@@ -0,0 +1,56 @@
+From d79fe4cb70d8deab7b8dc1de547ed4b915574414 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:15 +0100
+Subject: [PATCH] brcmfmac: Do not print the firmware version as an error
+
+Using pr_err for things which are not errors is a bad idea. E.g. it
+will cause the plymouth bootsplash screen to drop back to the text
+console so that the user can see the error, which is not what we
+normally want to happen.
+
+Instead add a new brcmf_info macro and use that.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 2 +-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h  | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -161,7 +161,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	strsep(&ptr, "\n");
+ 
+ 	/* Print fw version info */
+-	brcmf_err("Firmware version = %s\n", buf);
++	brcmf_info("Firmware version = %s\n", buf);
+ 
+ 	/* locate firmware version number for ethtool */
+ 	ptr = strrchr(buf, ' ') + 1;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -59,6 +59,10 @@ void __brcmf_err(const char *func, const
+ 	} while (0)
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
++
++/* For debug/tracing purposes treat info messages as errors */
++#define brcmf_info brcmf_err
++
+ __printf(3, 4)
+ void __brcmf_dbg(u32 level, const char *func, const char *fmt, ...);
+ #define brcmf_dbg(level, fmt, ...)				\
+@@ -77,6 +81,11 @@ do {								\
+ 
+ #else /* defined(DEBUG) || defined(CPTCFG_BRCM_TRACING) */
+ 
++#define brcmf_info(fmt, ...)						\
++	do {								\
++		pr_info("%s: " fmt, __func__, ##__VA_ARGS__);		\
++	} while (0)
++
+ #define brcmf_dbg(level, fmt, ...) no_printk(fmt, ##__VA_ARGS__)
+ 
+ #define BRCMF_DATA_ON()		0

package/kernel/mac80211/patches/319-v4.12-0003-brcmfmac-Do-not-complain-about-country-code-00.patch

@@ -0,0 +1,28 @@
+From 26e537884a8ef451f5c60f6949b1615069931ffa Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:16 +0100
+Subject: [PATCH] brcmfmac: Do not complain about country code "00"
+
+The country code gets set to "00" by default at boot, ignore this
+rather then logging an error about it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6736,6 +6736,10 @@ static void brcmf_cfg80211_reg_notifier(
+ 	s32 err;
+ 	int i;
+ 
++	/* The country code gets set to "00" by default at boot, ignore */
++	if (req->alpha2[0] == '0' && req->alpha2[1] == '0')
++		return;
++
+ 	/* ignore non-ISO3166 country codes */
+ 	for (i = 0; i < sizeof(req->alpha2); i++)
+ 		if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {

package/kernel/mac80211/patches/319-v4.12-0004-brcmfmac-Handle-status-BRCMF_E_STATUS_ABORT-in-cfg80.patch

@@ -0,0 +1,35 @@
+From b9472a2e3e452c414634b3ccb1ef6c4098878686 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2017 14:50:17 +0100
+Subject: [PATCH] brcmfmac: Handle status == BRCMF_E_STATUS_ABORT in
+ cfg80211_escan_handler
+
+If a scan gets aborted BRCMF_SCAN_STATUS_BUSY gets cleared in
+cfg->scan_status and when we receive an abort event from the firmware
+the BRCMF_SCAN_STATUS_BUSY check in the cfg80211_escan_handler will
+trigger resulting in multiple errors getting logged.
+
+Check for a status of BRCMF_E_STATUS_ABORT and in this case simply
+cleanly exit the cfg80211_escan_handler. This also avoids a
+BRCMF_E_STATUS_ABORT event arriving after a new scan has been started
+causing the new scan to complete prematurely without any data.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3097,6 +3097,9 @@ brcmf_cfg80211_escan_handler(struct brcm
+ 
+ 	status = e->status;
+ 
++	if (status == BRCMF_E_STATUS_ABORT)
++		goto exit;
++
+ 	if (!test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status)) {
+ 		brcmf_err("scan not ready, bsscfgidx=%d\n", ifp->bsscfgidx);
+ 		return -EPERM;

package/kernel/mac80211/patches/319-v4.12-0005-brcmfmac-restore-bus-state-when-enter_D3-fails.patch

@@ -0,0 +1,29 @@
+From 49fe9b59f0e9b750f173fbe44637c436ba1030d2 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 11:43:27 +0100
+Subject: [PATCH] brcmfmac: restore bus state when enter_D3 fails
+
+In brcmf_pcie_suspend() we inform the firmware on the device that
+it will enter in D3 state. Before this is done we already bring down
+the bus state. However, When entering D3 fails we abort the suspend
+and the bus state need to be restored.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1877,6 +1877,7 @@ static int brcmf_pcie_pm_enter_D3(struct
+ 			   BRCMF_PCIE_MBDATA_TIMEOUT);
+ 	if (!devinfo->mbdata_completed) {
+ 		brcmf_err("Timeout on response for entering D3 substate\n");
++		brcmf_bus_change_state(bus, BRCMF_BUS_UP);
+ 		return -EIO;
+ 	}
+ 

package/kernel/mac80211/patches/319-v4.12-0006-brcmfmac-properly-align-buffers-on-certain-platforms.patch

@@ -0,0 +1,36 @@
+From 6e84ab604bdedaa16239bd1c6e5fcb5660309f02 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 5 Apr 2017 20:33:26 +0200
+Subject: [PATCH] brcmfmac: properly align buffers on certain platforms with 64
+ bit DMA
+
+Systems with 64 bit DMA at least partially require buffers to be used
+for DMA to be 8-byte-aligned. One example is Amlogic Meson GX.
+Switching the MMC/SDIO driver for this platform to SG DMA mode
+resulted in problems due to unaligned buffers.
+
+Fortunately the brcmfmac driver has a global define for the alignment.
+Changing it to 8 fixed the issues with Meson GX.
+
+Suggested-by: Helmut Klein <hgkr.klein@gmail.com>
+Tested-by: Helmut Klein <hgkr.klein@gmail.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -539,7 +539,11 @@ static int qcount[NUMPRIO];
+ /* Limit on rounding up frames */
+ static const uint max_roundup = 512;
+ 
++#ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
++#define ALIGNMENT  8
++#else
+ #define ALIGNMENT  4
++#endif
+ 
+ enum brcmf_sdio_frmtype {
+ 	BRCMF_SDIO_FT_NORMAL,

package/kernel/mac80211/patches/319-v4.12-0007-brcmfmac-add-length-checks-in-scheduled-scan-result-.patch

@@ -0,0 +1,61 @@
+From 4835f37e3bafc138f8bfa3cbed2920dd56fed283 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:40 +0100
+Subject: [PATCH] brcmfmac: add length checks in scheduled scan result handler
+
+Assure the event data buffer is long enough to hold the array
+of netinfo items and that SSID length does not exceed the maximum
+of 32 characters as per 802.11 spec.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct b
+ 	struct brcmf_pno_scanresults_le *pfn_result;
+ 	u32 result_count;
+ 	u32 status;
++	u32 datalen;
+ 
+ 	brcmf_dbg(SCAN, "Enter\n");
+ 
+@@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct b
+ 		brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
+ 		goto out_err;
+ 	}
++
++	netinfo_start = brcmf_get_netinfo_array(pfn_result);
++	datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
++	if (datalen < result_count * sizeof(*netinfo)) {
++		brcmf_err("insufficient event data\n");
++		goto out_err;
++	}
++
+ 	request = brcmf_alloc_internal_escan_request(wiphy,
+ 						     result_count);
+ 	if (!request) {
+@@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct b
+ 		goto out_err;
+ 	}
+ 
+-	netinfo_start = brcmf_get_netinfo_array(pfn_result);
+-
+ 	for (i = 0; i < result_count; i++) {
+ 		netinfo = &netinfo_start[i];
+ 		if (!netinfo) {
+@@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct b
+ 			goto out_err;
+ 		}
+ 
++		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
++			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
+ 		brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
+ 			  netinfo->SSID, netinfo->channel);
+ 		err = brcmf_internal_escan_add_info(request,

package/kernel/mac80211/patches/319-v4.12-0008-brcmfmac-remove-bogus-check-in-scheduled-scan-result.patch

@@ -0,0 +1,32 @@
+From 6594e1e8343645fe849a2ad42fcab94e2cf5b2c0 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:41 +0100
+Subject: [PATCH] brcmfmac: remove bogus check in scheduled scan result handler
+
+Checking whether the address of an array element is null is bogus
+so removing it.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3344,12 +3344,6 @@ brcmf_notify_sched_scan_results(struct b
+ 
+ 	for (i = 0; i < result_count; i++) {
+ 		netinfo = &netinfo_start[i];
+-		if (!netinfo) {
+-			brcmf_err("Invalid netinfo ptr. index: %d\n",
+-				  i);
+-			err = -EINVAL;
+-			goto out_err;
+-		}
+ 
+ 		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+ 			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;

package/kernel/mac80211/patches/319-v4.12-0009-brcmfmac-only-add-channels-and-ssids-once-in-scan-re.patch

@@ -0,0 +1,56 @@
+From 6ea51fc708aedcf411f355de65a704ecda501bc4 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 6 Apr 2017 13:14:42 +0100
+Subject: [PATCH] brcmfmac: only add channels and ssids once in scan request
+
+When receiving pno results there may be duplicate channels and/or
+ssids. Assure each is added only once when preparing the internal
+escan request.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c  | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3216,7 +3216,7 @@ static int brcmf_internal_escan_add_info
+ {
+ 	struct ieee80211_channel *chan;
+ 	enum nl80211_band band;
+-	int freq;
++	int freq, i;
+ 
+ 	if (channel <= CH_MAX_2G_CHANNEL)
+ 		band = NL80211_BAND_2GHZ;
+@@ -3231,10 +3231,22 @@ static int brcmf_internal_escan_add_info
+ 	if (!chan)
+ 		return -EINVAL;
+ 
+-	req->channels[req->n_channels++] = chan;
+-	memcpy(req->ssids[req->n_ssids].ssid, ssid, ssid_len);
+-	req->ssids[req->n_ssids++].ssid_len = ssid_len;
+-
++	for (i = 0; i < req->n_channels; i++) {
++		if (req->channels[i] == chan)
++			break;
++	}
++	if (i == req->n_channels)
++		req->channels[req->n_channels++] = chan;
++
++	for (i = 0; i < req->n_ssids; i++) {
++		if (req->ssids[i].ssid_len == ssid_len &&
++		    !memcmp(req->ssids[i].ssid, ssid, ssid_len))
++			break;
++	}
++	if (i == req->n_ssids) {
++		memcpy(req->ssids[req->n_ssids].ssid, ssid, ssid_len);
++		req->ssids[req->n_ssids++].ssid_len = ssid_len;
++	}
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/319-v4.12-0010-brcmfmac-Ensure-pointer-correctly-set-if-skb-data-lo.patch

@@ -0,0 +1,39 @@
+From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Mon, 24 Apr 2017 12:40:50 +0100
+Subject: [PATCH] brcmfmac: Ensure pointer correctly set if skb data location
+ changes
+
+The incoming skb header may be resized if header space is
+insufficient, which might change the data adddress in the skb.
+Ensure that a cached pointer to that data is correctly set by
+moving assignment to after any possible changes.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 	int ret;
+ 	struct brcmf_if *ifp = netdev_priv(ndev);
+ 	struct brcmf_pub *drvr = ifp->drvr;
+-	struct ethhdr *eh = (struct ethhdr *)(skb->data);
++	struct ethhdr *eh;
+ 
+ 	brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+ 
+@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
++	eh = (struct ethhdr *)(skb->data);
++
+ 	if (eh->h_proto == htons(ETH_P_PAE))
+ 		atomic_inc(&ifp->pend_8021x_cnt);
+ 

package/kernel/mac80211/patches/319-v4.12-0011-brcmfmac-Make-skb-header-writable-before-use.patch

@@ -0,0 +1,48 @@
+From 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Tue, 25 Apr 2017 10:15:06 +0100
+Subject: [PATCH] brcmfmac: Make skb header writable before use
+
+The driver was making changes to the skb_header without
+ensuring it was writable (i.e. uncloned).
+This patch also removes some boiler plate header size
+checking/adjustment code as that is also handled by the
+skb_cow_header function used to make header writable.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c   | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -211,22 +211,13 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
+-	/* Make sure there's enough room for any header */
+-	if (skb_headroom(skb) < drvr->hdrlen) {
+-		struct sk_buff *skb2;
+-
+-		brcmf_dbg(INFO, "%s: insufficient headroom\n",
++	/* Make sure there's enough writable headroom*/
++	ret = skb_cow_head(skb, drvr->hdrlen);
++	if (ret < 0) {
++		brcmf_err("%s: skb_cow_head failed\n",
+ 			  brcmf_ifname(ifp));
+-		drvr->bus_if->tx_realloc++;
+-		skb2 = skb_realloc_headroom(skb, drvr->hdrlen);
+ 		dev_kfree_skb(skb);
+-		skb = skb2;
+-		if (skb == NULL) {
+-			brcmf_err("%s: skb_realloc_headroom failed\n",
+-				  brcmf_ifname(ifp));
+-			ret = -ENOMEM;
+-			goto done;
+-		}
++		goto done;
+ 	}
+ 
+ 	/* validate length for ether packet */

package/kernel/mac80211/patches/319-v4.12-0012-brcmfmac-fix-alignment-configuration-on-host-using-6.patch

@@ -0,0 +1,40 @@
+From 1dbf647f31751a4e94fa0435c34f0f5ad5ce0adc Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 26 May 2017 13:02:55 +0200
+Subject: [PATCH] brcmfmac: fix alignment configuration on host using 64-bit
+ DMA
+
+For SDIO the alignment requirement for transfers from device to host
+is configured in firmware. This configuration is limited to minimum
+of 4-byte alignment. However, this is not correct for platforms using
+64-bit DMA when the minimum alignment should be 8 bytes. This issue
+appeared when the ALIGNMENT definition was set according the DMA
+configuration. The configuration in firmware was not using that macro
+defintion, but a hardcoded value of 4. Hence the driver reported
+alignment failures for data coming from the device and causing
+transfers to fail.
+
+Fixes: 6e84ab604bde ("brcmfmac: properly align buffers on certain platforms
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3420,7 +3420,7 @@ static int brcmf_sdio_bus_preinit(struct
+ 		/* otherwise, set txglomalign */
+ 		value = sdiodev->settings->bus.sdio.sd_sgentry_align;
+ 		/* SDIO ADMA requires at least 32 bit alignment */
+-		value = max_t(u32, value, 4);
++		value = max_t(u32, value, ALIGNMENT);
+ 		err = brcmf_iovar_data_set(dev, "bus:txglomalign", &value,
+ 					   sizeof(u32));
+ 	}

package/kernel/mac80211/patches/323-v4.13-0001-brcmfmac-remove-setting-IBSS-mode-when-stopping-AP.patch

@@ -0,0 +1,34 @@
+From 9029679f66d976f8c720eb03c4898274803c9923 Mon Sep 17 00:00:00 2001
+From: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+Date: Thu, 18 May 2017 17:22:19 +0800
+Subject: [PATCH] brcmfmac: remove setting IBSS mode when stopping AP
+
+Upon stopping an AP interface the driver disable INFRA mode effectively
+setting the interface in IBSS mode. However, this may affect other
+interfaces running in INFRA mode. For instance, if user creates and stops
+hostap daemon on virtual interface, then association cannot work on
+primary interface because default BSS has been set to IBSS mode in
+firmware side. The IBSS mode should be set when cfg80211 changes the
+interface.
+
+Reviewed-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
+[kvalo@codeaurora.org: rephased commit log based on discussion]
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4676,9 +4676,6 @@ static int brcmf_cfg80211_stop_ap(struct
+ 		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0);
+ 		if (err < 0)
+ 			brcmf_err("setting AP mode failed %d\n", err);
+-		err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0);
+-		if (err < 0)
+-			brcmf_err("setting INFRA mode failed %d\n", err);
+ 		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
+ 			brcmf_fil_iovar_int_set(ifp, "mbss", 0);
+ 		brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,

package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

@@ -0,0 +1,53 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Cc: stable@vger.kernel.org # 4.9.x-
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -705,7 +705,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+ 			   struct sk_buff_head *pktq, uint totlen)
+ {
+-	struct sk_buff *glom_skb;
++	struct sk_buff *glom_skb = NULL;
+ 	struct sk_buff *skb;
+ 	u32 addr = sdiodev->sbwad;
+ 	int err = 0;
+@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 			return -ENOMEM;
+ 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ 					 glom_skb);
+-		if (err) {
+-			brcmu_pkt_buf_free_skb(glom_skb);
++		if (err)
+ 			goto done;
+-		}
+ 
+ 		skb_queue_walk(pktq, skb) {
+ 			memcpy(skb->data, glom_skb->data, skb->len);
+@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 					    pktq);
+ 
+ done:
++	brcmu_pkt_buf_free_skb(glom_skb);
+ 	return err;
+ }
+ 

package/kernel/mac80211/patches/323-v4.13-0003-brcmfmac-Use-separate-firmware-for-revision-0-of-the.patch

@@ -0,0 +1,45 @@
+From 1278bd149839f2281db45a910082ba143546a148 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 16 Jun 2017 15:14:49 +0200
+Subject: [PATCH] brcmfmac: Use separate firmware for revision 0 of the
+ brcm43430 chip
+
+The brcm43430 chip needs different firmware files for chip revision 0
+and 1. The file currently in linux-firmware is for revision 1 only.
+
+This commit makes brcmfmac request brcmfmac43430a0-sdio.bin instead
+of brcmfmac43430-sdio.bin for revision 0 chips.
+
+Note that the behavior for revision 1 chips is not changed, ideally those
+would load brcmfmac43430a1-sdio.bin, but that will break existing setups.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -611,7 +611,9 @@ BRCMF_FW_NVRAM_DEF(43340, "brcmfmac43340
+ BRCMF_FW_NVRAM_DEF(4335, "brcmfmac4335-sdio.bin", "brcmfmac4335-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43362, "brcmfmac43362-sdio.bin", "brcmfmac43362-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4339, "brcmfmac4339-sdio.bin", "brcmfmac4339-sdio.txt");
+-BRCMF_FW_NVRAM_DEF(43430, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
++BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac43430a0-sdio.bin", "brcmfmac43430a0-sdio.txt");
++/* Note the names are not postfixed with a1 for backward compatibility */
++BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
+@@ -629,7 +631,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4335_CHIP_ID, 0xFFFFFFFF, 4335),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43362_CHIP_ID, 0xFFFFFFFE, 43362),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+-	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFF, 43430),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)

package/kernel/mac80211/patches/323-v4.13-0004-brcmfmac-initialize-oob-irq-data-before-request_irq.patch

@@ -0,0 +1,46 @@
+From 3f426c96895556bb49adfa52f3aeafdedb2d02e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Tue, 13 Jun 2017 18:02:03 +0200
+Subject: [PATCH] brcmfmac: initialize oob irq data before request_irq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes spin-forever in irq handler when IRQ is already asserted
+at request_irq() time.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -107,12 +107,14 @@ int brcmf_sdiod_intr_register(struct brc
+ 	int ret = 0;
+ 	u8 data;
+ 	u32 addr, gpiocontrol;
+-	unsigned long flags;
+ 
+ 	pdata = &sdiodev->settings->bus.sdio;
+ 	if (pdata->oob_irq_supported) {
+ 		brcmf_dbg(SDIO, "Enter, register OOB IRQ %d\n",
+ 			  pdata->oob_irq_nr);
++		spin_lock_init(&sdiodev->irq_en_lock);
++		sdiodev->irq_en = true;
++
+ 		ret = request_irq(pdata->oob_irq_nr, brcmf_sdiod_oob_irqhandler,
+ 				  pdata->oob_irq_flags, "brcmf_oob_intr",
+ 				  &sdiodev->func[1]->dev);
+@@ -121,10 +123,6 @@ int brcmf_sdiod_intr_register(struct brc
+ 			return ret;
+ 		}
+ 		sdiodev->oob_irq_requested = true;
+-		spin_lock_init(&sdiodev->irq_en_lock);
+-		spin_lock_irqsave(&sdiodev->irq_en_lock, flags);
+-		sdiodev->irq_en = true;
+-		spin_unlock_irqrestore(&sdiodev->irq_en_lock, flags);
+ 
+ 		ret = enable_irq_wake(pdata->oob_irq_nr);
+ 		if (ret != 0) {

package/kernel/mac80211/patches/323-v4.13-0005-brcmfmac-Fix-a-memory-leak-in-error-handling-path-in.patch

@@ -0,0 +1,36 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: [PATCH] brcmfmac: Fix a memory leak in error handling path in
+ 'brcmf_cfg80211_attach'
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Cc: stable@vger.kernel.org
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6842,7 +6842,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ 	wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+ 	if (!wiphy) {
+ 		brcmf_err("Could not allocate wiphy device\n");
+-		return NULL;
++		goto ops_out;
+ 	}
+ 	memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+ 	set_wiphy_dev(wiphy, busdev);
+@@ -6985,6 +6985,7 @@ priv_out:
+ 	ifp->vif = NULL;
+ wiphy_out:
+ 	brcmf_free_wiphy(wiphy);
++ops_out:
+ 	kfree(ops);
+ 	return NULL;
+ }

package/kernel/mac80211/patches/323-v4.13-0006-brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch

@@ -0,0 +1,41 @@
+From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: [PATCH] brcmfmac: fix possible buffer overflow in
+ brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+	       le16_to_cpu(action_frame->len));
+
+Cc: stable@vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4850,6 +4850,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+ 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ 					GFP_KERNEL);
+ 	} else if (ieee80211_is_action(mgmt->frame_control)) {
++		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++			brcmf_err("invalid action frame length\n");
++			err = -EINVAL;
++			goto exit;
++		}
+ 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ 		if (af_params == NULL) {
+ 			brcmf_err("unable to allocate frame\n");

package/kernel/mac80211/patches/326-v4.14-0001-brcmfmac-Add-support-for-CYW4373-SDIO-USB-chipset.patch

@@ -0,0 +1,139 @@
+From 0ec9eb90feec4933637fbde9d5bfbc3b62aea218 Mon Sep 17 00:00:00 2001
+From: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:58 +0800
+Subject: [PATCH] brcmfmac: Add support for CYW4373 SDIO/USB chipset
+
+Add support for CYW4373 SDIO/USB chipset.
+CYW4373 is a 1x1 dual-band 11ac chipset with 20/40/80Mhz channel support.
+It's a WiFi/BT combo device.
+
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c     | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c       | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c       | 4 +++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c        | 9 ++++++++-
+ drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 3 +++
+ include/linux/mmc/sdio_ids.h                                  | 1 +
+ 6 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1104,6 +1104,7 @@ static const struct sdio_device_id brcmf
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43455),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4354),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4356),
++	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_CYPRESS_4373),
+ 	{ /* end: all zeroes */ }
+ };
+ MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -690,6 +690,8 @@ static u32 brcmf_chip_tcm_rambase(struct
+ 	case BRCM_CC_4365_CHIP_ID:
+ 	case BRCM_CC_4366_CHIP_ID:
+ 		return 0x200000;
++	case CY_CC_4373_CHIP_ID:
++		return 0x160000;
+ 	default:
+ 		brcmf_err("unknown chip: %s\n", ci->pub.name);
+ 		break;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -617,6 +617,7 @@ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac434
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
++BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt");
+ 
+ static struct brcmf_firmware_mapping brcmf_sdio_fwnames[] = {
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
+ 	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+-	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356)
++	BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
++	BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ 
+ static void pkt_align(struct sk_buff *p, int len, int align)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -49,6 +49,7 @@ BRCMF_FW_DEF(43143, "brcmfmac43143.bin")
+ BRCMF_FW_DEF(43236B, "brcmfmac43236b.bin");
+ BRCMF_FW_DEF(43242A, "brcmfmac43242a.bin");
+ BRCMF_FW_DEF(43569, "brcmfmac43569.bin");
++BRCMF_FW_DEF(4373, "brcmfmac4373.bin");
+ 
+ static struct brcmf_firmware_mapping brcmf_usb_fwnames[] = {
+ 	BRCMF_FW_ENTRY(BRCM_CC_43143_CHIP_ID, 0xFFFFFFFF, 43143),
+@@ -57,7 +58,8 @@ static struct brcmf_firmware_mapping brc
+ 	BRCMF_FW_ENTRY(BRCM_CC_43238_CHIP_ID, 0x00000008, 43236B),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43242_CHIP_ID, 0xFFFFFFFF, 43242A),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43566_CHIP_ID, 0xFFFFFFFF, 43569),
+-	BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569)
++	BRCMF_FW_ENTRY(BRCM_CC_43569_CHIP_ID, 0xFFFFFFFF, 43569),
++	BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
+ };
+ 
+ #define TRX_MAGIC		0x30524448	/* "HDR0" */
+@@ -1461,15 +1463,20 @@ static int brcmf_usb_reset_resume(struct
+ #define LINKSYS_USB_DEVICE(dev_id)	\
+ 	{ USB_DEVICE(BRCM_USB_VENDOR_ID_LINKSYS, dev_id) }
+ 
++#define CYPRESS_USB_DEVICE(dev_id)	\
++	{ USB_DEVICE(CY_USB_VENDOR_ID_CYPRESS, dev_id) }
++
+ static struct usb_device_id brcmf_usb_devid_table[] = {
+ 	BRCMF_USB_DEVICE(BRCM_USB_43143_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43236_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43242_DEVICE_ID),
+ 	BRCMF_USB_DEVICE(BRCM_USB_43569_DEVICE_ID),
+ 	LINKSYS_USB_DEVICE(BRCM_USB_43235_LINKSYS_DEVICE_ID),
++	CYPRESS_USB_DEVICE(CY_USB_4373_DEVICE_ID),
+ 	{ USB_DEVICE(BRCM_USB_VENDOR_ID_LG, BRCM_USB_43242_LG_DEVICE_ID) },
+ 	/* special entry for device with firmware loaded and running */
+ 	BRCMF_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
++	CYPRESS_USB_DEVICE(BRCM_USB_BCMFW_DEVICE_ID),
+ 	{ /* end: all zeroes */ }
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+@@ -23,6 +23,7 @@
+ #define BRCM_USB_VENDOR_ID_BROADCOM	0x0a5c
+ #define BRCM_USB_VENDOR_ID_LG		0x043e
+ #define BRCM_USB_VENDOR_ID_LINKSYS	0x13b1
++#define CY_USB_VENDOR_ID_CYPRESS	0x04b4
+ #define BRCM_PCIE_VENDOR_ID_BROADCOM	PCI_VENDOR_ID_BROADCOM
+ 
+ /* Chipcommon Core Chip IDs */
+@@ -57,6 +58,7 @@
+ #define BRCM_CC_4365_CHIP_ID		0x4365
+ #define BRCM_CC_4366_CHIP_ID		0x4366
+ #define BRCM_CC_4371_CHIP_ID		0x4371
++#define CY_CC_4373_CHIP_ID		0x4373
+ 
+ /* USB Device IDs */
+ #define BRCM_USB_43143_DEVICE_ID	0xbd1e
+@@ -66,6 +68,7 @@
+ #define BRCM_USB_43242_LG_DEVICE_ID	0x3101
+ #define BRCM_USB_43569_DEVICE_ID	0xbd27
+ #define BRCM_USB_BCMFW_DEVICE_ID	0x0bdc
++#define CY_USB_4373_DEVICE_ID		0xbd29
+ 
+ /* PCIE Device IDs */
+ #define BRCM_PCIE_4350_DEVICE_ID	0x43a3
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -39,6 +39,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_43455		0xa9bf
+ #define SDIO_DEVICE_ID_BROADCOM_4354		0x4354
+ #define SDIO_DEVICE_ID_BROADCOM_4356		0x4356
++#define SDIO_DEVICE_ID_CYPRESS_4373		0x4373
+ 
+ #define SDIO_VENDOR_ID_INTEL			0x0089
+ #define SDIO_DEVICE_ID_INTEL_IWMC3200WIMAX	0x1402

package/kernel/mac80211/patches/326-v4.14-0002-brcmfmac-fix-wrong-num_different_channels-when-mchan.patch

@@ -0,0 +1,47 @@
+From 99976fc084129e07df3a066dc15651853386da19 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Thu, 3 Aug 2017 17:37:59 +0800
+Subject: [PATCH] brcmfmac: fix wrong num_different_channels when mchan feature
+ enabled
+
+When the device/firmware supports multi-channel, it can have P2P
+connection and regular connection with AP simultaneous. In this case,
+the num_different_channels in wiphy info was not correct when firmware
+supports multi-channel (The iw wiphy# info showed "#channels <= 1" in
+interface combinations). It caused association failed and error message
+"CTRL-EVENT-FREQ-CONFLICT error" in wpa_supplicant when P2P GO interface
+was running at the same time.
+The root cause is that the num_different_channels was always overridden
+to 1 in brcmf_setup_ifmodes even multi-channel was enabled.
+We correct the logic by moving num_different_channels setting forward.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6311,6 +6311,8 @@ static int brcmf_setup_ifmodes(struct wi
+ 	if (p2p) {
+ 		if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN))
+ 			combo[c].num_different_channels = 2;
++		else
++			combo[c].num_different_channels = 1;
+ 		wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ 					  BIT(NL80211_IFTYPE_P2P_GO) |
+ 					  BIT(NL80211_IFTYPE_P2P_DEVICE);
+@@ -6320,10 +6322,10 @@ static int brcmf_setup_ifmodes(struct wi
+ 		c0_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ 				       BIT(NL80211_IFTYPE_P2P_GO);
+ 	} else {
++		combo[c].num_different_channels = 1;
+ 		c0_limits[i].max = 1;
+ 		c0_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+ 	}
+-	combo[c].num_different_channels = 1;
+ 	combo[c].max_interfaces = i;
+ 	combo[c].n_limits = i;
+ 	combo[c].limits = c0_limits;

package/kernel/mac80211/patches/326-v4.14-0003-brcmfmac-Log-chip-id-and-revision.patch

@@ -0,0 +1,27 @@
+From f38966a7ace842afd3a9bf5d0fb56640f49df60c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 30 Aug 2017 15:54:49 +0200
+Subject: [PATCH] brcmfmac: Log chip id and revision
+
+For debugging some problems, it is useful to know the chip revision
+add a brcmf_info message logging this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -602,6 +602,9 @@ int brcmf_fw_map_chip_to_name(u32 chip,
+ 	if ((nvram_name) && (mapping_table[i].nvram))
+ 		strlcat(nvram_name, mapping_table[i].nvram, BRCMF_FW_NAME_LEN);
+ 
++	brcmf_info("using %s for chip %#08x(%d) rev %#08x\n",
++		   fw_name, chip, chip, chiprev);
++
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/326-v4.14-0004-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch

@@ -25,7 +25,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  	struct brcmf_bss_info_le *bss_info_le;
  	struct brcmf_bss_info_le *bss = NULL;
  	u32 bi_length;
-@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3107,11 +3108,23 @@ brcmf_cfg80211_escan_handler(struct brcm
  
  	if (status == BRCMF_E_STATUS_PARTIAL) {
  		brcmf_dbg(SCAN, "ESCAN Partial result\n");
@@ -49,7 +49,7 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
  			brcmf_err("Invalid bss_count %d: ignoring\n",
  				  escan_result_le->bss_count);
-@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+@@ -3128,9 +3141,8 @@ brcmf_cfg80211_escan_handler(struct brcm
  		}
  
  		bi_length = le32_to_cpu(bss_info_le->length);

package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch

@@ -0,0 +1,32 @@
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: [PATCH] brcmfmac: Add check for short event packets
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data.  Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Cc: <stable@vger.kernel.org> # v3.8
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+ 	if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ 		return;
+ 
+-	if (datalen > BRCMF_DCMD_MAXLEN)
++	if (datalen > BRCMF_DCMD_MAXLEN ||
++	    datalen + sizeof(*event_packet) > packet_len)
+ 		return;
+ 
+ 	if (in_interrupt())

package/kernel/mac80211/patches/328-v4.15-0001-brcmfmac-Avoid-possible-out-of-bounds-read.patch

@@ -0,0 +1,39 @@
+From 73f2c8e933b1dcf432ac8c6965a6e67af630077f Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:22 -0700
+Subject: [PATCH] brcmfmac: Avoid possible out-of-bounds read
+
+In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
+the length of rxframe is validated.  This could lead to uninitialized
+data being accessed (but not printed).  Since we already have a
+perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
+and ch.chspec is not modified by decchspec(), avoid the extra
+assignment and use ch.chspec in the debug print.
+
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1853,7 +1853,6 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ 	struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+ 	struct brcmf_cfg80211_vif *vif = ifp->vif;
+ 	struct brcmf_rx_mgmt_data *rxframe = (struct brcmf_rx_mgmt_data *)data;
+-	u16 chanspec = be16_to_cpu(rxframe->chanspec);
+ 	struct brcmu_chan ch;
+ 	u8 *mgmt_frame;
+ 	u32 mgmt_frame_len;
+@@ -1906,7 +1905,7 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ 	cfg80211_rx_mgmt(&vif->wdev, freq, 0, mgmt_frame, mgmt_frame_len, 0);
+ 
+ 	brcmf_dbg(INFO, "mgmt_frame_len (%d) , e->datalen (%d), chanspec (%04x), freq (%d)\n",
+-		  mgmt_frame_len, e->datalen, chanspec, freq);
++		  mgmt_frame_len, e->datalen, ch.chspec, freq);
+ 
+ 	return 0;
+ }

package/kernel/mac80211/patches/328-v4.15-0002-brcmfmac-handle-FWHALT-mailbox-indication.patch

@@ -0,0 +1,60 @@
+From 2fd3877b5bb7d39782c3205a1dcda02023b8514a Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 8 Nov 2017 14:36:31 +0100
+Subject: [PATCH] brcmfmac: handle FWHALT mailbox indication
+
+The firmware uses a mailbox to communicate to the host what is going
+on. In the driver we validate the bit received. Various people seen
+the following message:
+
+ brcmfmac: brcmf_sdio_hostmail: Unknown mailbox data content: 0x40012
+
+Bit 4 is cause of this message, but this actually indicates the firmware
+has halted. Handle this bit by giving a more meaningful error message.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -259,10 +259,11 @@ struct rte_console {
+ #define I_HMB_HOST_INT	I_HMB_SW3	/* Miscellaneous Interrupt */
+ 
+ /* tohostmailboxdata */
+-#define HMB_DATA_NAKHANDLED	1	/* retransmit NAK'd frame */
+-#define HMB_DATA_DEVREADY	2	/* talk to host after enable */
+-#define HMB_DATA_FC		4	/* per prio flowcontrol update flag */
+-#define HMB_DATA_FWREADY	8	/* fw ready for protocol activity */
++#define HMB_DATA_NAKHANDLED	0x0001	/* retransmit NAK'd frame */
++#define HMB_DATA_DEVREADY	0x0002	/* talk to host after enable */
++#define HMB_DATA_FC		0x0004	/* per prio flowcontrol update flag */
++#define HMB_DATA_FWREADY	0x0008	/* fw ready for protocol activity */
++#define HMB_DATA_FWHALT		0x0010	/* firmware halted */
+ 
+ #define HMB_DATA_FCDATA_MASK	0xff000000
+ #define HMB_DATA_FCDATA_SHIFT	24
+@@ -1093,6 +1094,10 @@ static u32 brcmf_sdio_hostmail(struct br
+ 			  offsetof(struct sdpcmd_regs, tosbmailbox));
+ 	bus->sdcnt.f1regdata += 2;
+ 
++	/* dongle indicates the firmware has halted/crashed */
++	if (hmb_data & HMB_DATA_FWHALT)
++		brcmf_err("mailbox indicates firmware halted\n");
++
+ 	/* Dongle recomposed rx frames, accept them again */
+ 	if (hmb_data & HMB_DATA_NAKHANDLED) {
+ 		brcmf_dbg(SDIO, "Dongle reports NAK handled, expect rtx of %d\n",
+@@ -1150,6 +1155,7 @@ static u32 brcmf_sdio_hostmail(struct br
+ 			 HMB_DATA_NAKHANDLED |
+ 			 HMB_DATA_FC |
+ 			 HMB_DATA_FWREADY |
++			 HMB_DATA_FWHALT |
+ 			 HMB_DATA_FCDATA_MASK | HMB_DATA_VERSION_MASK))
+ 		brcmf_err("Unknown mailbox data content: 0x%02x\n",
+ 			  hmb_data);

package/kernel/mac80211/patches/329-v4.16-0001-brcmfmac-enlarge-buffer-size-of-caps-to-512-bytes.patch

@@ -0,0 +1,44 @@
+From 7762bb134e3b40e8ee2611365775b7432190a9c7 Mon Sep 17 00:00:00 2001
+From: Wright Feng <wright.feng@cypress.com>
+Date: Mon, 11 Dec 2017 15:38:21 +0800
+Subject: [PATCH] brcmfmac: enlarge buffer size of caps to 512 bytes
+
+The buffer size of return of cap iovar is greater than 256 bytes in some
+firmwares. For instance, the return size of cap iovar is 271 bytes in 4373
+13.10.246.79 firmare. It makes feature capability parsing failed because
+caps buffer is default value.
+So we enlarge caps buffer size to 512 bytes and add the error print for
+cap iovar error.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -113,13 +113,19 @@ static void brcmf_feat_iovar_int_get(str
+ 	}
+ }
+ 
++#define MAX_CAPS_BUFFER_SIZE	512
+ static void brcmf_feat_firmware_capabilities(struct brcmf_if *ifp)
+ {
+-	char caps[256];
++	char caps[MAX_CAPS_BUFFER_SIZE];
+ 	enum brcmf_feat_id id;
+-	int i;
++	int i, err;
++
++	err = brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
++	if (err) {
++		brcmf_err("could not get firmware cap (%d)\n", err);
++		return;
++	}
+ 
+-	brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
+ 	brcmf_dbg(INFO, "[ %s]\n", caps);
+ 
+ 	for (i = 0; i < ARRAY_SIZE(brcmf_fwcap_map); i++) {

package/kernel/mac80211/patches/329-v4.16-0002-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch

@@ -136,10 +136,10 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 +		goto done;
 +	}
 +
- 	/* Make sure there's enough room for any header */
- 	if (skb_headroom(skb) < drvr->hdrlen) {
- 		struct sk_buff *skb2;
-@@ -295,6 +343,15 @@ void brcmf_txflowblock(struct device *de
+ 	/* Make sure there's enough writable headroom*/
+ 	ret = skb_cow_head(skb, drvr->hdrlen);
+ 	if (ret < 0) {
+@@ -288,6 +336,15 @@ void brcmf_txflowblock(struct device *de
  
  void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
  {

package/kernel/mac80211/patches/329-v4.16-0003-brcmfmac-Fix-check-for-ISO3166-code.patch

@@ -0,0 +1,29 @@
+From 9b9322db5c5a1917a66c71fe47c3848a9a31227e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 14 Mar 2018 20:02:59 +0100
+Subject: [PATCH] brcmfmac: Fix check for ISO3166 code
+
+The commit "regulatory: add NUL to request alpha2" increases the length of
+alpha2 to 3. This causes a regression on brcmfmac, because
+brcmf_cfg80211_reg_notifier() expect valid ISO3166 codes in the complete
+array. So fix this accordingly.
+
+Fixes: 657308f73e67 ("regulatory: add NUL to request alpha2")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6775,7 +6775,7 @@ static void brcmf_cfg80211_reg_notifier(
+ 		return;
+ 
+ 	/* ignore non-ISO3166 country codes */
+-	for (i = 0; i < sizeof(req->alpha2); i++)
++	for (i = 0; i < 2; i++)
+ 		if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
+ 			brcmf_err("not a ISO3166 code (0x%02x 0x%02x)\n",
+ 				  req->alpha2[0], req->alpha2[1]);

package/kernel/mac80211/patches/330-v4.18-0001-brcmfmac-add-support-for-BCM4366E-chipset.patch

@@ -22,8 +22,8 @@ Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  	case BRCM_CC_4366_CHIP_ID:
 +	case BRCM_CC_43664_CHIP_ID:
  		return 0x200000;
- 	default:
- 		brcmf_err("unknown chip: %s\n", ci->pub.name);
+ 	case CY_CC_4373_CHIP_ID:
+ 		return 0x160000;
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 @@ -75,6 +75,7 @@ static struct brcmf_firmware_mapping brc
@@ -36,11 +36,11 @@ Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  
 --- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
 +++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
-@@ -56,6 +56,7 @@
+@@ -57,6 +57,7 @@
  #define BRCM_CC_43602_CHIP_ID		43602
  #define BRCM_CC_4365_CHIP_ID		0x4365
  #define BRCM_CC_4366_CHIP_ID		0x4366
 +#define BRCM_CC_43664_CHIP_ID		43664
  #define BRCM_CC_4371_CHIP_ID		0x4371
+ #define CY_CC_4373_CHIP_ID		0x4373
  
- /* USB Device IDs */

package/kernel/mac80211/patches/331-v4.18-0002-brcmfmac-coarse-support-for-PCIe-shared-structure-re.patch

@@ -0,0 +1,97 @@
+From f56324baf329bc9362a52ad77a4a1a0f3356d1bc Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Thu, 26 Apr 2018 12:16:51 +0200
+Subject: [PATCH] brcmfmac: coarse support for PCIe shared structure rev7
+
+Revision 7 of PCIe dongle interface increases the item size of tx and rx
+complete rings to accommodate extra payload for new feature. This patch
+simply bump up the size of these two rings without adding the support
+for utilizing the new space. This makes brcmfmac compatible with rev7
+firmware.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.h  |  6 ++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/pcie.c    | 23 ++++++++++++++++++----
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
+@@ -27,8 +27,10 @@
+ #define BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE	40
+ #define BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE	32
+ #define BRCMF_D2H_MSGRING_CONTROL_COMPLETE_ITEMSIZE	24
+-#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE		16
+-#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE		32
++#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE_PRE_V7	16
++#define BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE		24
++#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE_PRE_V7	32
++#define BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE		40
+ #define BRCMF_H2D_TXFLOWRING_ITEMSIZE			48
+ 
+ struct msgbuf_buf_addr {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -135,8 +135,9 @@ static struct brcmf_firmware_mapping brc
+ 						 BRCMF_PCIE_MB_INT_D2H3_DB0 | \
+ 						 BRCMF_PCIE_MB_INT_D2H3_DB1)
+ 
++#define BRCMF_PCIE_SHARED_VERSION_7		7
+ #define BRCMF_PCIE_MIN_SHARED_VERSION		5
+-#define BRCMF_PCIE_MAX_SHARED_VERSION		6
++#define BRCMF_PCIE_MAX_SHARED_VERSION		BRCMF_PCIE_SHARED_VERSION_7
+ #define BRCMF_PCIE_SHARED_VERSION_MASK		0x00FF
+ #define BRCMF_PCIE_SHARED_DMA_INDEX		0x10000
+ #define BRCMF_PCIE_SHARED_DMA_2B_IDX		0x100000
+@@ -316,6 +317,14 @@ static const u32 brcmf_ring_max_item[BRC
+ 	BRCMF_D2H_MSGRING_RX_COMPLETE_MAX_ITEM
+ };
+ 
++static const u32 brcmf_ring_itemsize_pre_v7[BRCMF_NROF_COMMON_MSGRINGS] = {
++	BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE,
++	BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE,
++	BRCMF_D2H_MSGRING_CONTROL_COMPLETE_ITEMSIZE,
++	BRCMF_D2H_MSGRING_TX_COMPLETE_ITEMSIZE_PRE_V7,
++	BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE_PRE_V7
++};
++
+ static const u32 brcmf_ring_itemsize[BRCMF_NROF_COMMON_MSGRINGS] = {
+ 	BRCMF_H2D_MSGRING_CONTROL_SUBMIT_ITEMSIZE,
+ 	BRCMF_H2D_MSGRING_RXPOST_SUBMIT_ITEMSIZE,
+@@ -999,8 +1008,14 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 	struct brcmf_pcie_ringbuf *ring;
+ 	u32 size;
+ 	u32 addr;
++	const u32 *ring_itemsize_array;
++
++	if (devinfo->shared.version < BRCMF_PCIE_SHARED_VERSION_7)
++		ring_itemsize_array = brcmf_ring_itemsize_pre_v7;
++	else
++		ring_itemsize_array = brcmf_ring_itemsize;
+ 
+-	size = brcmf_ring_max_item[ring_id] * brcmf_ring_itemsize[ring_id];
++	size = brcmf_ring_max_item[ring_id] * ring_itemsize_array[ring_id];
+ 	dma_buf = brcmf_pcie_init_dmabuffer_for_device(devinfo, size,
+ 			tcm_ring_phys_addr + BRCMF_RING_MEM_BASE_ADDR_OFFSET,
+ 			&dma_handle);
+@@ -1010,7 +1025,7 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 	addr = tcm_ring_phys_addr + BRCMF_RING_MAX_ITEM_OFFSET;
+ 	brcmf_pcie_write_tcm16(devinfo, addr, brcmf_ring_max_item[ring_id]);
+ 	addr = tcm_ring_phys_addr + BRCMF_RING_LEN_ITEMS_OFFSET;
+-	brcmf_pcie_write_tcm16(devinfo, addr, brcmf_ring_itemsize[ring_id]);
++	brcmf_pcie_write_tcm16(devinfo, addr, ring_itemsize_array[ring_id]);
+ 
+ 	ring = kzalloc(sizeof(*ring), GFP_KERNEL);
+ 	if (!ring) {
+@@ -1019,7 +1034,7 @@ brcmf_pcie_alloc_dma_and_ring(struct brc
+ 		return NULL;
+ 	}
+ 	brcmf_commonring_config(&ring->commonring, brcmf_ring_max_item[ring_id],
+-				brcmf_ring_itemsize[ring_id], dma_buf);
++				ring_itemsize_array[ring_id], dma_buf);
+ 	ring->dma_handle = dma_handle;
+ 	ring->devinfo = devinfo;
+ 	brcmf_commonring_register_cb(&ring->commonring,

package/kernel/mac80211/patches/331-v4.18-0003-brcmfmac-Add-support-for-bcm43364-wireless-chipset.patch

@@ -0,0 +1,45 @@
+From 9c4a121e82634aa000a702c98cd6f05b27d6e186 Mon Sep 17 00:00:00 2001
+From: Sean Lanigan <sean@lano.id.au>
+Date: Fri, 4 May 2018 16:48:23 +1000
+Subject: [PATCH] brcmfmac: Add support for bcm43364 wireless chipset
+
+Add support for the BCM43364 chipset via an SDIO interface, as used in
+e.g. the Murata 1FX module.
+
+The BCM43364 uses the same firmware as the BCM43430 (which is already
+included), the only difference is the omission of Bluetooth.
+
+However, the SDIO_ID for the BCM43364 is 02D0:A9A4, giving it a MODALIAS
+of sdio:c00v02D0dA9A4, which doesn't get recognised and hence doesn't
+load the brcmfmac module. Adding the 'A9A4' ID in the appropriate place
+triggers the brcmfmac driver to load, and then correctly use the
+firmware file 'brcmfmac43430-sdio.bin'.
+
+Signed-off-by: Sean Lanigan <sean@lano.id.au>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
+ include/linux/mmc/sdio_ids.h                              | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1097,6 +1097,7 @@ static const struct sdio_device_id brcmf
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43340),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43341),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43362),
++ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43364),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4335_4339),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4339),
+ 	BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43430),
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -34,6 +34,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_4335_4339	0x4335
+ #define SDIO_DEVICE_ID_BROADCOM_4339		0x4339
+ #define SDIO_DEVICE_ID_BROADCOM_43362		0xa962
++#define SDIO_DEVICE_ID_BROADCOM_43364		0xa9a4
+ #define SDIO_DEVICE_ID_BROADCOM_43430		0xa9a6
+ #define SDIO_DEVICE_ID_BROADCOM_4345		0x4345
+ #define SDIO_DEVICE_ID_BROADCOM_43455		0xa9bf

package/kernel/mac80211/patches/331-v4.18-0004-brcmfmac-set-WIPHY_FLAG_HAVE_AP_SME-flag.patch

@@ -0,0 +1,34 @@
+From 1204aa17f3b4f63e67ac9b7c9afa9496485969c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 10 May 2018 15:21:39 +0200
+Subject: [PATCH] brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+brcmfmac is a FullMAC driver and it implements/uses cfg80211 interface
+for stations management. At the same time it doesn't receive or pass up
+management frames.
+
+This flag indicates that authenticator doesn't have to subscribe to or
+handle management frames. Some authenticators (e.g. hostapd) were
+working with brcmfmac thanks to some extra assumptions. This commit
+clears up the situation.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6485,6 +6485,7 @@ static int brcmf_setup_wiphy(struct wiph
+ 				    BIT(NL80211_BSS_SELECT_ATTR_RSSI_ADJUST);
+ 
+ 	wiphy->flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT |
++			WIPHY_FLAG_HAVE_AP_SME |
+ 			WIPHY_FLAG_OFFCHAN_TX |
+ 			WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
+ 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_TDLS))

package/kernel/mac80211/patches/331-v4.18-0005-brcmfmac-add-debugfs-entry-for-reading-firmware-capa.patch

@@ -0,0 +1,75 @@
+From 88001968245c42c26416476bf0ef960442371605 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 14 May 2018 08:48:20 +0200
+Subject: [PATCH] brcmfmac: add debugfs entry for reading firmware capabilities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows reading all capabilities as reported by a firmware. They are
+printed using native (raw) names, just like developers like it the most.
+It's how firmware reports support for various features, e.g. supported
+modes, supported standards, power saving details, max BSS-es.
+
+Access to all that info is useful for trying new firmwares, comparing
+them and debugging features AKA bugs.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/feature.c | 36 ++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -138,6 +138,41 @@ static void brcmf_feat_firmware_capabili
+ 	}
+ }
+ 
++/**
++ * brcmf_feat_fwcap_debugfs_read() - expose firmware capabilities to debugfs.
++ *
++ * @seq: sequence for debugfs entry.
++ * @data: raw data pointer.
++ */
++static int brcmf_feat_fwcap_debugfs_read(struct seq_file *seq, void *data)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(seq->private);
++	struct brcmf_if *ifp = brcmf_get_ifp(bus_if->drvr, 0);
++	char caps[MAX_CAPS_BUFFER_SIZE + 1] = { };
++	char *tmp;
++	int err;
++
++	err = brcmf_fil_iovar_data_get(ifp, "cap", caps, sizeof(caps));
++	if (err) {
++		brcmf_err("could not get firmware cap (%d)\n", err);
++		return err;
++	}
++
++	/* Put every capability in a new line */
++	for (tmp = caps; *tmp; tmp++) {
++		if (*tmp == ' ')
++			*tmp = '\n';
++	}
++
++	/* Usually there is a space at the end of capabilities string */
++	seq_printf(seq, "%s", caps);
++	/* So make sure we don't print two line breaks */
++	if (tmp > caps && *(tmp - 1) != '\n')
++		seq_printf(seq, "\n");
++
++	return 0;
++}
++
+ void brcmf_feat_attach(struct brcmf_pub *drvr)
+ {
+ 	struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
+@@ -196,6 +231,7 @@ void brcmf_feat_attach(struct brcmf_pub
+ 	}
+ 
+ 	brcmf_debugfs_add_entry(drvr, "features", brcmf_feat_debugfs_read);
++	brcmf_debugfs_add_entry(drvr, "fwcap", brcmf_feat_fwcap_debugfs_read);
+ }
+ 
+ bool brcmf_feat_is_enabled(struct brcmf_if *ifp, enum brcmf_feat_id id)

package/kernel/mac80211/patches/331-v4.18-0006-brcmfmac-add-support-for-sysfs-initiated-coredump.patch

@@ -0,0 +1,74 @@
+From 8e072168f75ebce85b96cbcefea2b10ddbd5913f Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 16 May 2018 14:11:59 +0200
+Subject: [PATCH] brcmfmac: add support for sysfs initiated coredump
+
+The driver already supports device coredump initiated by firmware
+event. Since commit 3c47d19ff4dc ("drivers: base: add coredump driver
+ops") it is also possible to initiate it from user-space through
+sysfs. This patch adds support for SDIO and PCIe devices.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h    | 2 ++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c   | 8 ++++++++
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c   | 1 +
+ 4 files changed, 12 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1299,6 +1299,9 @@ static struct sdio_driver brcmf_sdmmc_dr
+ #ifdef CONFIG_PM_SLEEP
+ 		.pm = &brcmf_sdio_pm_ops,
+ #endif	/* CONFIG_PM_SLEEP */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
++		.coredump = brcmf_dev_coredump,
++#endif
+ 	},
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
+@@ -231,6 +231,8 @@ void brcmf_detach(struct device *dev);
+ void brcmf_dev_reset(struct device *dev);
+ /* Indication from bus module to change flow-control state */
+ void brcmf_txflowblock(struct device *dev, bool state);
++/* Request from bus module to initiate a coredump */
++void brcmf_dev_coredump(struct device *dev);
+ 
+ /* Notify the bus has transferred the tx packet to firmware */
+ void brcmf_txcomplete(struct device *dev, struct sk_buff *txp, bool success);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1159,6 +1159,14 @@ void brcmf_dev_reset(struct device *dev)
+ 		brcmf_fil_cmd_int_set(drvr->iflist[0], BRCMF_C_TERMINATED, 1);
+ }
+ 
++void brcmf_dev_coredump(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++
++	if (brcmf_debug_create_memdump(bus_if, NULL, 0) < 0)
++		brcmf_dbg(TRACE, "failed to create coredump\n");
++}
++
+ void brcmf_detach(struct device *dev)
+ {
+ 	s32 i;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1995,6 +1995,9 @@ static struct pci_driver brcmf_pciedrvr
+ #ifdef CONFIG_PM
+ 	.driver.pm = &brcmf_pciedrvr_pm,
+ #endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
++	.driver.coredump = brcmf_dev_coredump,
++#endif
+ };
+ 
+ 

package/kernel/mac80211/patches/331-v4.18-0007-brcmfmac-validate-user-provided-data-for-memdump-bef.patch

@@ -0,0 +1,32 @@
+From d2af9b566554e01f9ad67b330ce569dbc130e5d3 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:01 +0200
+Subject: [PATCH] brcmfmac: validate user provided data for memdump before
+ copying
+
+In patch "brcmfmac: add support for sysfs initiated coredump", a new
+scenario of brcmf_debug_create_memdump was added in which the user of
+the function might not necessarily provide prefix data. Hence the
+function should not assume the data is always valid and should perform a
+check before copying.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.c
+@@ -42,7 +42,8 @@ int brcmf_debug_create_memdump(struct br
+ 	if (!dump)
+ 		return -ENOMEM;
+ 
+-	memcpy(dump, data, len);
++	if (data && len > 0)
++		memcpy(dump, data, len);
+ 	err = brcmf_bus_get_memdump(bus, dump + len, ramsize);
+ 	if (err) {
+ 		vfree(dump);

package/kernel/mac80211/patches/331-v4.18-0008-brcmfmac-trigger-memory-dump-upon-firmware-halt-sign.patch

@@ -0,0 +1,38 @@
+From 8a3ab2f38f1669e3be6433a1f6b82a077b38c4c7 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:02 +0200
+Subject: [PATCH] brcmfmac: trigger memory dump upon firmware halt signal
+
+PCIe dongle firmware signals a halt/trap through mailbox interrupt.
+Trigger a memory dump upon receiving such signal could help to provide
+useful information for issue debug.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -180,6 +180,7 @@ static struct brcmf_firmware_mapping brc
+ #define BRCMF_D2H_DEV_D3_ACK			0x00000001
+ #define BRCMF_D2H_DEV_DS_ENTER_REQ		0x00000002
+ #define BRCMF_D2H_DEV_DS_EXIT_NOTE		0x00000004
++#define BRCMF_D2H_DEV_FWHALT			0x10000000
+ 
+ #define BRCMF_H2D_HOST_D3_INFORM		0x00000001
+ #define BRCMF_H2D_HOST_DS_ACK			0x00000002
+@@ -715,6 +716,10 @@ static void brcmf_pcie_handle_mb_data(st
+ 		devinfo->mbdata_completed = true;
+ 		wake_up(&devinfo->mbdata_resp_wait);
+ 	}
++	if (dtoh_mb_data & BRCMF_D2H_DEV_FWHALT) {
++		brcmf_dbg(PCIE, "D2H_MB_DATA: FW HALT\n");
++		brcmf_dev_coredump(&devinfo->pdev->dev);
++	}
+ }
+ 
+ 

package/kernel/mac80211/patches/331-v4.18-0009-brcmfmac-trigger-memory-dump-on-SDIO-firmware-halt-m.patch

@@ -0,0 +1,40 @@
+From b8248236e92790ac635caeb4156e46ea2417e037 Mon Sep 17 00:00:00 2001
+From: Franky Lin <franky.lin@broadcom.com>
+Date: Wed, 16 May 2018 14:12:03 +0200
+Subject: [PATCH] brcmfmac: trigger memory dump on SDIO firmware halt message
+
+Attempt to dump dongle memory for debug upon receiving firmware halt
+message through dongle to host mail box interrupt.
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[rmilecki: add sdiod variable and use func[1]]
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1078,6 +1078,7 @@ static void brcmf_sdio_get_console_addr(
+ 
+ static u32 brcmf_sdio_hostmail(struct brcmf_sdio *bus)
+ {
++	struct brcmf_sdio_dev *sdiod = bus->sdiodev;
+ 	u32 intstatus = 0;
+ 	u32 hmb_data;
+ 	u8 fcbits;
+@@ -1095,8 +1096,10 @@ static u32 brcmf_sdio_hostmail(struct br
+ 	bus->sdcnt.f1regdata += 2;
+ 
+ 	/* dongle indicates the firmware has halted/crashed */
+-	if (hmb_data & HMB_DATA_FWHALT)
++	if (hmb_data & HMB_DATA_FWHALT) {
+ 		brcmf_err("mailbox indicates firmware halted\n");
++		brcmf_dev_coredump(&sdiod->func[1]->dev);
++	}
+ 
+ 	/* Dongle recomposed rx frames, accept them again */
+ 	if (hmb_data & HMB_DATA_NAKHANDLED) {

package/kernel/mac80211/patches/332-v4.19-0001-brcmfmac-detect-firmware-support-for-monitor-interfa.patch

@@ -0,0 +1,59 @@
+From 01f69dfafdbe7deff58b58053bc3a4a75c6a570c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:35 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for monitor interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Many/most of firmwares support creating monitor interface but only the
+most recent ones explicitly /announce/ it using a "monitor" entry in the
+list of capabilities.
+
+Check for that entry and store internally info about monitor mode
+support using a new feature flag. Once we sort out all details of
+handling monitor interface it will be used when reporting available
+interfaces to the cfg80211.
+
+Later some fallback detecion method may be added for older firmwares.
+For now just stick to the "monitor" capability which should be 100%
+reliable.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -47,6 +47,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MBSS, "mbss" },
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
++	{ BRCMF_FEAT_MONITOR, "monitor" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -31,6 +31,7 @@
+  * WOWL_GTK: (WOWL) GTK rekeying offload
+  * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
+  * MFP: 802.11w Management Frame Protection.
++ * MONITOR: firmware can pass monitor packets to host.
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -44,7 +45,8 @@
+ 	BRCMF_FEAT_DEF(WOWL_ND) \
+ 	BRCMF_FEAT_DEF(WOWL_GTK) \
+ 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
+-	BRCMF_FEAT_DEF(MFP)
++	BRCMF_FEAT_DEF(MFP) \
++	BRCMF_FEAT_DEF(MONITOR)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/332-v4.19-0002-brcmfmac-detect-firmware-support-for-radiotap-monito.patch

@@ -0,0 +1,51 @@
+From e63410ac65e0ead2040bbd3927c116889edf87e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:36 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for radiotap monitor frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Depending on used build-time options some firmwares may already include
+radiotap header in passed monitor frames. Add a new feature flag to
+store info about it. It's needed for proper handling of received frames
+before passing them up.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -48,6 +48,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
+ 	{ BRCMF_FEAT_MONITOR, "monitor" },
++	{ BRCMF_FEAT_MONITOR_FMT_RADIOTAP, "rtap" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -32,6 +32,7 @@
+  * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
+  * MFP: 802.11w Management Frame Protection.
+  * MONITOR: firmware can pass monitor packets to host.
++ * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -46,7 +47,8 @@
+ 	BRCMF_FEAT_DEF(WOWL_GTK) \
+ 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
+ 	BRCMF_FEAT_DEF(MFP) \
+-	BRCMF_FEAT_DEF(MONITOR)
++	BRCMF_FEAT_DEF(MONITOR) \
++	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/332-v4.19-0003-brcmfmac-handle-msgbuf-packets-marked-with-monitor-m.patch

@@ -0,0 +1,141 @@
+From a8d7631858aff156b72f807ee7cc062048e63836 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:37 +0200
+Subject: [PATCH] brcmfmac: handle msgbuf packets marked with monitor mode flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New Broadcom firmwares mark monitor mode packets using a newly defined
+bit in the flags field. Use it to filter them out and pass to the
+monitor interface. These defines were found in bcmmsgbuf.h from SDK.
+
+As not every firmware generates radiotap header this commit introduces
+BRCMF_FEAT_MONITOR_FMT_RADIOTAP flag. It has to be has based on firmware
+capabilities. If not present brcmf_netif_mon_rx() will assume packet is
+a raw 802.11 frame and will prepend it with an empty radiotap header.
+
+This new code is limited to the msgbuf protocol at this point. Adding
+support for SDIO/USB devices will require some extra work (possibly a
+new firmware release).
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 25 ++++++++++++++++++++++
+ .../wireless/broadcom/brcm80211/brcmfmac/core.h    |  2 ++
+ .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.c  | 18 ++++++++++++++++
+ 3 files changed, 45 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -21,6 +21,7 @@
+ #include <net/cfg80211.h>
+ #include <net/rtnetlink.h>
+ #include <net/addrconf.h>
++#include <net/ieee80211_radiotap.h>
+ #include <net/ipv6.h>
+ #include <brcmu_utils.h>
+ #include <brcmu_wifi.h>
+@@ -367,6 +368,34 @@ void brcmf_netif_rx(struct brcmf_if *ifp
+ 		netif_rx_ni(skb);
+ }
+ 
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb)
++{
++	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_RADIOTAP)) {
++		/* Do nothing */
++	} else {
++		struct ieee80211_radiotap_header *radiotap;
++
++		/* TODO: use RX status to fill some radiotap data */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
++		radiotap = skb_push(skb, sizeof(*radiotap));
++#else
++		radiotap = (struct ieee80211_radiotap_header *)skb_push(skb, sizeof(*radiotap));
++#endif
++		memset(radiotap, 0, sizeof(*radiotap));
++		radiotap->it_len = cpu_to_le16(sizeof(*radiotap));
++
++		/* TODO: 4 bytes with receive status? */
++		skb->len -= 4;
++	}
++
++	skb->dev = ifp->ndev;
++	skb_reset_mac_header(skb);
++	skb->pkt_type = PACKET_OTHERHOST;
++	skb->protocol = htons(ETH_P_802_2);
++
++	brcmf_netif_rx(ifp, skb);
++}
++
+ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb,
+ 			    struct brcmf_if **ifp)
+ {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -121,6 +121,7 @@ struct brcmf_pub {
+ 
+ 	struct brcmf_if *iflist[BRCMF_MAX_IFS];
+ 	s32 if2bss[BRCMF_MAX_IFS];
++	struct brcmf_if *mon_if;
+ 
+ 	struct mutex proto_block;
+ 	unsigned char proto_buf[BRCMF_DCMD_MAXLEN];
+@@ -215,6 +216,7 @@ void brcmf_txflowblock_if(struct brcmf_i
+ 			  enum brcmf_netif_stop_reason reason, bool state);
+ void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
+ void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb);
+ void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
+ int __init brcmf_core_init(void);
+ void __exit brcmf_core_exit(void);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -69,6 +69,8 @@
+ #define BRCMF_MSGBUF_MAX_EVENTBUF_POST		8
+ 
+ #define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3	0x01
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11	0x02
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK	0x07
+ #define BRCMF_MSGBUF_PKT_FLAGS_PRIO_SHIFT	5
+ 
+ #define BRCMF_MSGBUF_TX_FLUSH_CNT1		32
+@@ -1126,6 +1128,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	struct sk_buff *skb;
+ 	u16 data_offset;
+ 	u16 buflen;
++	u16 flags;
+ 	u32 idx;
+ 	struct brcmf_if *ifp;
+ 
+@@ -1135,6 +1138,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	data_offset = le16_to_cpu(rx_complete->data_offset);
+ 	buflen = le16_to_cpu(rx_complete->data_len);
+ 	idx = le32_to_cpu(rx_complete->msg.request_id);
++	flags = le16_to_cpu(rx_complete->flags);
+ 
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
+ 				     msgbuf->rx_pktids, idx);
+@@ -1148,6 +1152,20 @@ brcmf_msgbuf_process_rx_complete(struct
+ 
+ 	skb_trim(skb, buflen);
+ 
++	if ((flags & BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK) ==
++	    BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11) {
++		ifp = msgbuf->drvr->mon_if;
++
++		if (!ifp) {
++			brcmf_err("Received unexpected monitor pkt\n");
++			brcmu_pkt_buf_free_skb(skb);
++			return;
++		}
++
++		brcmf_netif_mon_rx(ifp, skb);
++		return;
++	}
++
+ 	ifp = brcmf_get_ifp(msgbuf->drvr, rx_complete->msg.ifidx);
+ 	if (!ifp || !ifp->ndev) {
+ 		brcmf_err("Received pkt for invalid ifidx %d\n",

package/kernel/mac80211/patches/332-v4.19-0004-brcmfmac-define-more-bits-for-the-flags-of-struct-br.patch

@@ -0,0 +1,60 @@
+From 4b4a8d808c58fc0defc32a26b2fea35d66692c45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 08:16:13 +0200
+Subject: [PATCH] brcmfmac: define more bits for the flags of struct
+ brcmf_sta_info_le
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is passed by a firmware when querying for STA info. Flags
+are used to indicate what info could be obtained.
+
+These new defines may allow passing more info to the cfg80211 in the
+future. They had been obtained from Broadcom's SDK file wlioctl_defs.h
+used by DD-WRT.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 29 ++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -32,11 +32,30 @@
+ #define	BRCMF_BSS_INFO_VERSION	109 /* curr ver of brcmf_bss_info_le struct */
+ #define BRCMF_BSS_RSSI_ON_CHANNEL	0x0002
+ 
+-#define BRCMF_STA_WME              0x00000002      /* WMM association */
+-#define BRCMF_STA_AUTHE            0x00000008      /* Authenticated */
+-#define BRCMF_STA_ASSOC            0x00000010      /* Associated */
+-#define BRCMF_STA_AUTHO            0x00000020      /* Authorized */
+-#define BRCMF_STA_SCBSTATS         0x00004000      /* Per STA debug stats */
++#define BRCMF_STA_BRCM			0x00000001	/* Running a Broadcom driver */
++#define BRCMF_STA_WME			0x00000002	/* WMM association */
++#define BRCMF_STA_NONERP		0x00000004	/* No ERP */
++#define BRCMF_STA_AUTHE			0x00000008	/* Authenticated */
++#define BRCMF_STA_ASSOC			0x00000010	/* Associated */
++#define BRCMF_STA_AUTHO			0x00000020	/* Authorized */
++#define BRCMF_STA_WDS			0x00000040	/* Wireless Distribution System */
++#define BRCMF_STA_WDS_LINKUP		0x00000080	/* WDS traffic/probes flowing properly */
++#define BRCMF_STA_PS			0x00000100	/* STA is in power save mode from AP's viewpoint */
++#define BRCMF_STA_APSD_BE		0x00000200	/* APSD delv/trigger for AC_BE is default enabled */
++#define BRCMF_STA_APSD_BK		0x00000400	/* APSD delv/trigger for AC_BK is default enabled */
++#define BRCMF_STA_APSD_VI		0x00000800	/* APSD delv/trigger for AC_VI is default enabled */
++#define BRCMF_STA_APSD_VO		0x00001000	/* APSD delv/trigger for AC_VO is default enabled */
++#define BRCMF_STA_N_CAP			0x00002000	/* STA 802.11n capable */
++#define BRCMF_STA_SCBSTATS		0x00004000	/* Per STA debug stats */
++#define BRCMF_STA_AMPDU_CAP		0x00008000	/* STA AMPDU capable */
++#define BRCMF_STA_AMSDU_CAP		0x00010000	/* STA AMSDU capable */
++#define BRCMF_STA_MIMO_PS		0x00020000	/* mimo ps mode is enabled */
++#define BRCMF_STA_MIMO_RTS		0x00040000	/* send rts in mimo ps mode */
++#define BRCMF_STA_RIFS_CAP		0x00080000	/* rifs enabled */
++#define BRCMF_STA_VHT_CAP		0x00100000	/* STA VHT(11ac) capable */
++#define BRCMF_STA_WPS			0x00200000	/* WPS state */
++#define BRCMF_STA_DWDS_CAP		0x01000000	/* DWDS CAP */
++#define BRCMF_STA_DWDS			0x02000000	/* DWDS active */
+ 
+ /* size of brcmf_scan_params not including variable length array */
+ #define BRCMF_SCAN_PARAMS_FIXED_SIZE	64

package/kernel/mac80211/patches/332-v4.19-0005-brcmfmac-update-STA-info-struct-to-the-v5.patch

@@ -0,0 +1,75 @@
+From 07b1ae46874949252625c96f309f96ca0f337020 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 12:36:23 +0200
+Subject: [PATCH] brcmfmac: update STA info struct to the v5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is used when querying firmware for the STA. It seem is has
+been changing during the time. Luckily its format seems to be backward
+compatible starting with v2 (the only breakage was v1 -> v2).
+
+The version that was supported by brcmfmac so far was v4. It was what
+43602a1 and 4366b1 firmwares (7.35.177.56 and 10.10.69.3309 accordingly)
+were using. It also seems to be used by early 4366c0 firmwares
+(10.10.69.6908 and 10.10.69.69017).
+
+The problem appears when switching to the 10.10.122.20 firmware. It uses
+v5 and instead of falling back to v4 when submitted buffer isn't big
+enough it fallbacks to the v3.
+
+To receive all v4 specific info with the newest firmware we have to
+submit a struct (buffer) that matches v5.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h  | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -165,6 +165,8 @@
+ #define BRCMF_MFP_NONE			0
+ #define BRCMF_MFP_CAPABLE		1
+ #define BRCMF_MFP_REQUIRED		2
++ 
++#define BRCMF_VHT_CAP_MCS_MAP_NSS_MAX	8
+ 
+ /* join preference types for join_pref iovar */
+ enum brcmf_join_pref_types {
+@@ -514,6 +516,8 @@ struct brcmf_sta_info_le {
+ 						/* w/hi bit set if basic */
+ 	__le32 in;		/* seconds elapsed since associated */
+ 	__le32 listen_interval_inms; /* Min Listen interval in ms for STA */
++
++	/* Fields valid for ver >= 3 */
+ 	__le32 tx_pkts;	/* # of packets transmitted */
+ 	__le32 tx_failures;	/* # of packets failed */
+ 	__le32 rx_ucast_pkts;	/* # of unicast packets received */
+@@ -522,6 +526,8 @@ struct brcmf_sta_info_le {
+ 	__le32 rx_rate;	/* Rate of last successful rx frame */
+ 	__le32 rx_decrypt_succeeds;	/* # of packet decrypted successfully */
+ 	__le32 rx_decrypt_failures;	/* # of packet decrypted failed */
++
++	/* Fields valid for ver >= 4 */
+ 	__le32 tx_tot_pkts;    /* # of tx pkts (ucast + mcast) */
+ 	__le32 rx_tot_pkts;    /* # of data packets recvd (uni + mcast) */
+ 	__le32 tx_mcast_pkts;  /* # of mcast pkts txed */
+@@ -558,6 +564,14 @@ struct brcmf_sta_info_le {
+ 						*/
+ 	__le32 rx_pkts_retried;        /* # rx with retry bit set */
+ 	__le32 tx_rate_fallback;       /* lowest fallback TX rate */
++
++	/* Fields valid for ver >= 5 */
++	struct {
++		__le32 count;					/* # rates in this set */
++		u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++		u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++		__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++	} rateset_adv;
+ };
+ 
+ struct brcmf_chanspec_list {

package/kernel/mac80211/patches/332-v4.19-0006-brcmfmac-specify-some-features-per-firmware-version.patch

@@ -0,0 +1,84 @@
+From 1e591c56a65fbbcd5754a4210a0ef0402d5e5f33 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 9 Jul 2018 06:55:43 +0200
+Subject: [PATCH] brcmfmac: specify some features per firmware version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some features supported by firmware aren't advertised and there is no
+way for a driver to query them. This includes e.g. monitor mode details.
+
+Most firmwares support monitor interface but only the latest ones
+/announce/ it with a "monitor" flag in the "cap" iovar. There isn't any
+reliable detection method for older firmwares (BRCMF_C_MONITOR was tried
+but "it only indicates the core part of the stack supports").
+
+Similarly support for tagging monitor frames and building radiotap
+headers can't be reliably detected for all firmwares.
+
+This commit adds table that allows mapping features to firmware version.
+It adds mappings for 43602a1 and 4366b1 firmwares from
+linux-firmware.git. Both were confirmed to be passing monitor frames.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/feature.c | 38 ++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -92,6 +92,42 @@ static int brcmf_feat_debugfs_read(struc
+ }
+ #endif /* DEBUG */
+ 
++struct brcmf_feat_fwfeat {
++	const char * const fwid;
++	u32 feat_flags;
++};
++
++static const struct brcmf_feat_fwfeat brcmf_feat_fwfeat_map[] = {
++	/* brcmfmac43602-pcie.ap.bin from linux-firmware.git commit ea1178515b88 */
++	{ "01-6cb8e269", BIT(BRCMF_FEAT_MONITOR) },
++	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 52442afee990 */
++	{ "01-c47a91a4", BIT(BRCMF_FEAT_MONITOR) },
++};
++
++static void brcmf_feat_firmware_overrides(struct brcmf_pub *drv)
++{
++	const struct brcmf_feat_fwfeat *e;
++	u32 feat_flags = 0;
++	int i;
++
++	for (i = 0; i < ARRAY_SIZE(brcmf_feat_fwfeat_map); i++) {
++		e = &brcmf_feat_fwfeat_map[i];
++		if (!strcmp(e->fwid, drv->fwver)) {
++			feat_flags = e->feat_flags;
++			break;
++		}
++	}
++
++	if (!feat_flags)
++		return;
++
++	for (i = 0; i < BRCMF_FEAT_LAST; i++)
++		if (feat_flags & BIT(i))
++			brcmf_dbg(INFO, "enabling firmware feature: %s\n",
++				  brcmf_feat_names[i]);
++	drv->feat_flags |= feat_flags;
++}
++
+ /**
+  * brcmf_feat_iovar_int_get() - determine feature through iovar query.
+  *
+@@ -219,6 +255,8 @@ void brcmf_feat_attach(struct brcmf_pub
+ 		ifp->drvr->feat_flags &= ~drvr->settings->feature_disable;
+ 	}
+ 
++	brcmf_feat_firmware_overrides(drvr);
++
+ 	/* set chip related quirks */
+ 	switch (drvr->bus_if->chip) {
+ 	case BRCM_CC_43236_CHIP_ID:

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1253,6 +1253,7 @@ int __init brcmf_core_init(void)
+@@ -1305,6 +1305,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;

package/kernel/mt76/Makefile

@@ -10,7 +10,7 @@ PKG_SOURCE_URL:=https://github.com/openwrt/mt76
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2017-12-03
 PKG_SOURCE_VERSION:=e326bc2ac4229220203c32e856dcb47d5ee5326d
-PKG_MIRROR_HASH:=0efdde435cc82f3dff0d8cfc5a1de6121998d5ff521f1ba694b15cefd8b0c951
+PKG_MIRROR_HASH:=2342ad2f23aaa17343c7922212c5bc06637f5164a253d5053a9b75049a72f1e5
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_BUILD_PARALLEL:=1

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.7.3
+PKG_VERSION:=2.7.5
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=f1cd52824d1d5b4205c4255501764c5a02a77f029193683b3063bef584e97947
+PKG_HASH:=e9d797ded824e1ca7516faab7fa3c4c73c5bc3199b832a06f61ee8709df71a69
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/300-soversion-compatibility.patch

@@ -8,8 +8,8 @@ the new library with binaries compiled against the old library.
  
  if(USE_SHARED_MBEDTLS_LIBRARY)
      add_library(mbedcrypto SHARED ${src_crypto})
--    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.3 SOVERSION 2)
-+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.3 SOVERSION 0)
+-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.5 SOVERSION 2)
++    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.5 SOVERSION 0)
      target_link_libraries(mbedcrypto ${libs})
  
      add_library(mbedx509 SHARED ${src_x509})

package/libs/openssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.0.2
-PKG_BUGFIX:=o
+PKG_BUGFIX:=p
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -23,7 +23,7 @@ PKG_SOURCE_URL:=http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/ \
 	ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
 	ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_HASH:=ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d
+PKG_HASH:=50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE

package/libs/openssl/patches/150-no_engines.patch

@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -2135,6 +2135,11 @@ EOF
+@@ -2143,6 +2143,11 @@ EOF
  	close(OUT);
    }
    

package/libs/openssl/patches/200-parallel_build.patch

@@ -173,7 +173,7 @@
  
  apps:
  	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -586,7 +586,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
+@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
  #	fi
  
  dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)

package/libs/uclient/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=uclient
 PKG_RELEASE=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/uclient.git
-PKG_SOURCE_DATE:=2017-11-02
-PKG_SOURCE_VERSION:=4b87d83160fec70d50b7fcd736a8c538c28a016c
-PKG_MIRROR_HASH:=4bbb4d5f295ebdcd67fec87a6794168bea2176a42cb2907c47d8566fb33dafb3
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/uclient.git
+PKG_SOURCE_DATE:=2018-08-03
+PKG_SOURCE_VERSION:=ae1c656ff041c6f1ccb37b070fa261e0d71f2b12
+PKG_MIRROR_HASH:=e88c92f880d3c1cf4162f62c4eeb8986baa8d73772e51eed3a60a8346aeb1b7c
 CMAKE_INSTALL:=1
 
 PKG_BUILD_DEPENDS:=ustream-ssl

package/network/services/dropbear/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2017.75
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \

package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch

@@ -0,0 +1,221 @@
+From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Thu, 23 Aug 2018 23:43:12 +0800
+Subject: [PATCH 2/2] Wait to fail invalid usernames
+
+---
+ auth.h           |  6 +++---
+ svr-auth.c       | 19 +++++--------------
+ svr-authpam.c    | 26 ++++++++++++++++++++++----
+ svr-authpasswd.c | 27 ++++++++++++++-------------
+ svr-authpubkey.c | 11 ++++++++++-
+ 5 files changed, 54 insertions(+), 35 deletions(-)
+
+--- a/auth.h
++++ b/auth.h
+@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void);
+ void send_msg_userauth_failure(int partial, int incrfail);
+ void send_msg_userauth_success(void);
+ void send_msg_userauth_banner(buffer *msg);
+-void svr_auth_password(void);
+-void svr_auth_pubkey(void);
+-void svr_auth_pam(void);
++void svr_auth_password(int valid_user);
++void svr_auth_pubkey(int valid_user);
++void svr_auth_pam(int valid_user);
+ 
+ #ifdef ENABLE_SVR_PUBKEY_OPTIONS
+ int svr_pubkey_allows_agentfwd(void);
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -176,10 +176,8 @@ void recv_msg_userauth_request() {
+ 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+ 				strncmp(methodname, AUTH_METHOD_PASSWORD,
+ 					AUTH_METHOD_PASSWORD_LEN) == 0) {
+-			if (valid_user) {
+-				svr_auth_password();
+-				goto out;
+-			}
++			svr_auth_password(valid_user);
++			goto out;
+ 		}
+ 	}
+ #endif
+@@ -191,10 +189,8 @@ void recv_msg_userauth_request() {
+ 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+ 				strncmp(methodname, AUTH_METHOD_PASSWORD,
+ 					AUTH_METHOD_PASSWORD_LEN) == 0) {
+-			if (valid_user) {
+-				svr_auth_pam();
+-				goto out;
+-			}
++			svr_auth_pam(valid_user);
++			goto out;
+ 		}
+ 	}
+ #endif
+@@ -204,12 +200,7 @@ void recv_msg_userauth_request() {
+ 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
+ 			strncmp(methodname, AUTH_METHOD_PUBKEY,
+ 				AUTH_METHOD_PUBKEY_LEN) == 0) {
+-		if (valid_user) {
+-			svr_auth_pubkey();
+-		} else {
+-			/* pubkey has no failure delay */
+-			send_msg_userauth_failure(0, 0);
+-		}
++		svr_auth_pubkey(valid_user);
+ 		goto out;
+ 	}
+ #endif
+--- a/svr-authpam.c
++++ b/svr-authpam.c
+@@ -178,13 +178,14 @@ pamConvFunc(int num_msg,
+  * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
+  * gets very messy trying to send the interactive challenges, and read the
+  * interactive responses, over the network. */
+-void svr_auth_pam() {
++void svr_auth_pam(int valid_user) {
+ 
+ 	struct UserDataS userData = {NULL, NULL};
+ 	struct pam_conv pamConv = {
+ 		pamConvFunc,
+ 		&userData /* submitted to pamvConvFunc as appdata_ptr */ 
+ 	};
++	const char* printable_user = NULL;
+ 
+ 	pam_handle_t* pamHandlep = NULL;
+ 
+@@ -204,12 +205,23 @@ void svr_auth_pam() {
+ 
+ 	password = buf_getstring(ses.payload, &passwordlen);
+ 
++	/* We run the PAM conversation regardless of whether the username is valid
++	in case the conversation function has an inherent delay.
++	Use ses.authstate.username rather than ses.authstate.pw_name.
++	After PAM succeeds we then check the valid_user flag too */
++
+ 	/* used to pass data to the PAM conversation function - don't bother with
+ 	 * strdup() etc since these are touched only by our own conversation
+ 	 * function (above) which takes care of it */
+-	userData.user = ses.authstate.pw_name;
++	userData.user = ses.authstate.username;
+ 	userData.passwd = password;
+ 
++	if (ses.authstate.pw_name) {
++		printable_user = ses.authstate.pw_name;
++	} else {
++		printable_user = "<invalid username>";
++	}
++
+ 	/* Init pam */
+ 	if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
+ 		dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", 
+@@ -236,7 +248,7 @@ void svr_auth_pam() {
+ 				rc, pam_strerror(pamHandlep, rc));
+ 		dropbear_log(LOG_WARNING,
+ 				"Bad PAM password attempt for '%s' from %s",
+-				ses.authstate.pw_name,
++				printable_user,
+ 				svr_ses.addrstring);
+ 		send_msg_userauth_failure(0, 1);
+ 		goto cleanup;
+@@ -247,12 +259,18 @@ void svr_auth_pam() {
+ 				rc, pam_strerror(pamHandlep, rc));
+ 		dropbear_log(LOG_WARNING,
+ 				"Bad PAM password attempt for '%s' from %s",
+-				ses.authstate.pw_name,
++				printable_user,
+ 				svr_ses.addrstring);
+ 		send_msg_userauth_failure(0, 1);
+ 		goto cleanup;
+ 	}
+ 
++	if (!valid_user) {
++		/* PAM auth succeeded but the username isn't allowed in for another reason
++		(checkusername() failed) */
++		send_msg_userauth_failure(0, 1);
++	}
++
+ 	/* successful authentication */
+ 	dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
+ 			ses.authstate.pw_name,
+--- a/svr-authpasswd.c
++++ b/svr-authpasswd.c
+@@ -48,22 +48,14 @@ static int constant_time_strcmp(const ch
+ 
+ /* Process a password auth request, sending success or failure messages as
+  * appropriate */
+-void svr_auth_password() {
++void svr_auth_password(int valid_user) {
+ 	
+ 	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
+ 	char * testcrypt = NULL; /* crypt generated from the user's password sent */
+-	char * password;
++	char * password = NULL;
+ 	unsigned int passwordlen;
+-
+ 	unsigned int changepw;
+ 
+-	passwdcrypt = ses.authstate.pw_passwd;
+-
+-#ifdef DEBUG_HACKCRYPT
+-	/* debugging crypt for non-root testing with shadows */
+-	passwdcrypt = DEBUG_HACKCRYPT;
+-#endif
+-
+ 	/* check if client wants to change password */
+ 	changepw = buf_getbool(ses.payload);
+ 	if (changepw) {
+@@ -73,12 +65,21 @@ void svr_auth_password() {
+ 	}
+ 
+ 	password = buf_getstring(ses.payload, &passwordlen);
+-
+-	/* the first bytes of passwdcrypt are the salt */
+-	testcrypt = crypt(password, passwdcrypt);
++	if (valid_user) {
++		/* the first bytes of passwdcrypt are the salt */
++		passwdcrypt = ses.authstate.pw_passwd;
++		testcrypt = crypt(password, passwdcrypt);
++	}
+ 	m_burn(password, passwordlen);
+ 	m_free(password);
+ 
++	/* After we have got the payload contents we can exit if the username
++	is invalid. Invalid users have already been logged. */
++	if (!valid_user) {
++		send_msg_userauth_failure(0, 1);
++		return;
++	}
++
+ 	if (testcrypt == NULL) {
+ 		/* crypt() with an invalid salt like "!!" */
+ 		dropbear_log(LOG_WARNING, "User account '%s' is locked",
+--- a/svr-authpubkey.c
++++ b/svr-authpubkey.c
+@@ -79,7 +79,7 @@ static int checkfileperm(char * filename
+ 
+ /* process a pubkey auth request, sending success or failure message as
+  * appropriate */
+-void svr_auth_pubkey() {
++void svr_auth_pubkey(int valid_user) {
+ 
+ 	unsigned char testkey; /* whether we're just checking if a key is usable */
+ 	char* algo = NULL; /* pubkey algo */
+@@ -102,6 +102,15 @@ void svr_auth_pubkey() {
+ 	keybloblen = buf_getint(ses.payload);
+ 	keyblob = buf_getptr(ses.payload, keybloblen);
+ 
++	if (!valid_user) {
++		/* Return failure once we have read the contents of the packet
++		required to validate a public key. 
++		Avoids blind user enumeration though it isn't possible to prevent
++		testing for user existence if the public key is known */
++		send_msg_userauth_failure(0, 0);
++		goto out;
++	}
++
+ 	/* check if the key is valid */
+ 	if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
+ 		send_msg_userauth_failure(0, 0);

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
+@@ -229,14 +229,20 @@ static int checkpubkey(char* algo, unsig
  		goto out;
  	}
  
@@ -29,7 +29,7 @@
  
  	/* open the file as the authenticating user. */
  	origuid = getuid();
-@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
+@@ -405,26 +411,35 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  

package/network/services/hostapd/patches/0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch

@@ -0,0 +1,43 @@
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2157,6 +2157,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
+ 						    ver, key_data,
+ 						    &key_data_len))

package/network/utils/curl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \

package/network/utils/curl/patches/105-CVE-2017-1000254.patch

@@ -0,0 +1,49 @@
+From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+---
+ lib/ftp.c               |  7 ++++--
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
+         char *ptr=&data->state.buffer[4];  /* start on the first letter */
+         char *dir;
+         char *store;
++        bool entry_extracted = FALSE;
+ 
+         dir = malloc(nread + 1);
+         if(!dir)
+@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
+               }
+               else {
+                 /* end of path */
+-                *store = '\0'; /* zero terminate */
++                entry_extracted = TRUE;
+                 break; /* get out of this loop */
+               }
+             }
+@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
+             store++;
+             ptr++;
+           }
+-
++          *store = '\0'; /* zero terminate */
++        }
++        if(entry_extracted) {
+           /* If the path name does not look like an absolute path (i.e.: it
+              does not start with a '/'), we probably need some server-dependent
+              adjustments. For example, this is the case when connecting to

package/network/utils/curl/patches/107-CVE-2017-1000257.patch

@@ -0,0 +1,28 @@
+From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 7 Oct 2017 00:11:31 +0200
+Subject: [PATCH] imap: if a FETCH response has no size, don't call write
+ callback
+
+CVE-2017-1000257
+
+Reported-by: Brian Carpenter and 0xd34db347
+Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
+---
+ lib/imap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1140,6 +1140,11 @@ static CURLcode imap_state_fetch_resp(st
+         /* The conversion from curl_off_t to size_t is always fine here */
+         chunk = (size_t)size;
+ 
++      if(!chunk) {
++        /* no size, we're done with the data */
++        state(conn, IMAP_STOP);
++        return CURLE_OK;
++      }
+       result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
+       if(result)
+         return result;

package/network/utils/curl/patches/107-CVE-2017-8816.patch

@@ -13,13 +13,9 @@ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
  lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
  1 file changed, 21 insertions(+), 2 deletions(-)
 
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index 1309bf0d9..e8962769c 100644
 --- a/lib/curl_ntlm_core.c
 +++ b/lib/curl_ntlm_core.c
-@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
-   Curl_HMAC_final(ctxt, output);
- 
+@@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch
    return CURLE_OK;
  }
  
@@ -35,9 +31,7 @@ index 1309bf0d9..e8962769c 100644
  /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
   * (uppercase UserName + Domain) as the data
   */
- CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
-                                        const char *domain, size_t domlen,
-                                        unsigned char *ntlmhash,
+@@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
                                         unsigned char *ntlmv2hash)
  {
    /* Unicode representation */
@@ -60,8 +54,3 @@ index 1309bf0d9..e8962769c 100644
    if(!identity)
      return CURLE_OUT_OF_MEMORY;
  
-   ascii_uppercase_to_unicode_le(identity, user, userlen);
-   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
--- 
-2.15.0
-

package/network/utils/curl/patches/108-CVE-2017-8817.patch

@@ -20,13 +20,9 @@ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
  3 files changed, 56 insertions(+), 7 deletions(-)
  create mode 100644 tests/data/test1163
 
-diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
-index da83393b4..8a1e106c4 100644
 --- a/lib/curl_fnmatch.c
 +++ b/lib/curl_fnmatch.c
-@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-   unsigned char lastchar   = 0;
-   bool something_found = FALSE;
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
    unsigned char c;
    for(;;) {
      c = **p;
@@ -36,11 +32,7 @@ index da83393b4..8a1e106c4 100644
      switch(state) {
      case CURLFNM_SCHS_DEFAULT:
        if(ISALNUM(c)) { /* ASCII value */
-         rangestart = c;
-         charset[c] = 1;
-@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-           (*p)++;
-         }
+@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
          else
            return SETCHARSET_FAIL;
        }
@@ -50,11 +42,7 @@ index da83393b4..8a1e106c4 100644
        else {
          charset[c] = 1;
          (*p)++;
-         something_found = TRUE;
-       }
-@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-         (*p)++;
-       }
+@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
        else if(c == ']') {
          return SETCHARSET_OK;
        }
@@ -64,13 +52,9 @@ index da83393b4..8a1e106c4 100644
        else if(ISPRINT(c)) {
          charset[c] = 1;
          (*p)++;
-         state = CURLFNM_SCHS_DEFAULT;
-       }
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index dc1cc03bc..6eb37d81d 100644
---- a/tests/data/Makefile.inc.1	2017-11-29 20:00:26.126452486 +0000
-+++ b/tests/data/Makefile.inc	2017-11-29 20:01:13.057783732 +0000
-@@ -121,6 +121,7 @@
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
  test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
  test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
  test1144 \
@@ -78,9 +62,6 @@ index dc1cc03bc..6eb37d81d 100644
  test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
  test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
  test1216 test1217 test1218 test1219 \
-diff --git a/tests/data/test1163 b/tests/data/test1163
-new file mode 100644
-index 000000000..a109b511b
 --- /dev/null
 +++ b/tests/data/test1163
 @@ -0,0 +1,52 @@
@@ -136,6 +117,3 @@ index 000000000..a109b511b
 +</errorcode>
 +</verify>
 +</testcase>
--- 
-2.15.0
-

package/network/utils/curl/patches/109-CVE-2018-1000005.patch

@@ -0,0 +1,34 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
+ 
+   if(stream->bodystarted) {
+     /* This is trailer fields. */
+-    /* 3 is for ":" and "\r\n". */
+-    uint32_t n = (uint32_t)(namelen + valuelen + 3);
++    /* 4 is for ": " and "\r\n". */
++    uint32_t n = (uint32_t)(namelen + valuelen + 4);
+ 
+     DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+                  value));

package/network/utils/curl/patches/110-CVE-2018-1000007.patch

@@ -0,0 +1,102 @@
+From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
+ lib/http.c                             | 10 ++-
+ lib/setopt.c                           |  2 +-
+ lib/urldata.h                          |  2 +-
+ tests/data/Makefile.inc                |  2 +-
+ tests/data/test317                     | 94 +++++++++++++++++++++++++
+ tests/data/test318                     | 95 ++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -77,6 +77,16 @@ the headers. They may be private or othe
+ 
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
+   if(!data->state.this_is_a_follow ||
+      conn->bits.netrc ||
+      !data->state.first_host ||
+-     data->set.http_disable_hostname_check_before_authentication ||
++     data->set.allow_auth_to_other_hosts ||
+      strcasecompare(data->state.first_host, conn->host.name)) {
+     result = output_auth_headers(conn, authhost, request, path, FALSE);
+   }
+@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
+                   checkprefix("Transfer-Encoding:", headers->data))
+             /* HTTP/2 doesn't support chunked requests */
+             ;
++          else if(checkprefix("Authorization:", headers->data) &&
++                  /* be careful of sending this potentially sensitive header to
++                     other hosts */
++                  (data->state.this_is_a_follow &&
++                   data->state.first_host &&
++                   !data->set.allow_auth_to_other_hosts &&
++                   !strcasecompare(data->state.first_host, conn->host.name)))
++            ;
+           else {
+             CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+                                                headers->data);
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
+      * Send authentication (user+password) when following locations, even when
+      * hostname changed.
+      */
+-    data->set.http_disable_hostname_check_before_authentication =
++    data->set.allow_auth_to_other_hosts =
+       (0 != va_arg(param, long)) ? TRUE : FALSE;
+     break;
+ 
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1675,7 +1675,7 @@ struct UserDefined {
+   bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+   bool http_follow_location; /* follow HTTP redirects */
+   bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+-  bool http_disable_hostname_check_before_authentication;
++  bool allow_auth_to_other_hosts;
+   bool include_header;   /* include received protocol headers in data output */
+   bool http_set_referer; /* is a custom referer used */
+   bool http_auto_referer; /* set "correct" referer when following location: */

package/network/utils/curl/patches/111-CVE-2018-1000120.patch

@@ -0,0 +1,53 @@
+From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 31 Jan 2018 08:40:11 +0100
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+---
+ lib/ftp.c               |  8 ++++----
+ tests/data/Makefile.inc |  3 +++
+ tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test340
+
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd
+ 
+   if(!result)
+     /* get the "raw" path */
+-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+   if(result) {
+     /* We can limp along anyway (and should try to since we may already be in
+      * the error path) */
+@@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne
+       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+                               slash_pos ? dirlen : 1,
+                               &ftpc->dirs[0], NULL,
+-                              FALSE);
++                              TRUE);
+       if(result) {
+         freedirs(ftpc);
+         return result;
+@@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne
+     size_t dlen;
+     char *path;
+     CURLcode result =
+-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+     if(result) {
+       freedirs(ftpc);
+       return result;

package/network/utils/curl/patches/112-CVE-2018-1000121.patch

@@ -0,0 +1,37 @@
+From 8f341a5d6f15381492ca2013325d485b6d8d1c13 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+ before using
+
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+---
+ lib/openldap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectd
+ 
+   for(ent = ldap_first_message(li->ld, msg); ent;
+     ent = ldap_next_message(li->ld, ent)) {
+-    struct berval bv, *bvals, **bvp = &bvals;
++    struct berval bv, *bvals;
+     int binary = 0, msgtype;
+     CURLcode writeerr;
+ 
+@@ -505,9 +505,9 @@ static ssize_t ldap_recv(struct connectd
+     }
+     data->req.bytecount += bv.bv_len + 5;
+ 
+-    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+-      rc == LDAP_SUCCESS;
+-      rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
++    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
++        (rc == LDAP_SUCCESS) && bvals;
++        rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+       int i;
+ 
+       if(bv.bv_val == NULL) break;

package/network/utils/curl/patches/113-CVE-2018-1000122.patch

@@ -0,0 +1,33 @@
+From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
+ 
+     } /* if(!header and data to read) */
+ 
+-    if(conn->handler->readwrite &&
+-       (excess > 0 && !conn->bits.stream_was_rewound)) {
++    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+       /* Parse the excess data */
+       k->str += nread;
++
++      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++        /* the excess amount was too excessive(!), make sure
++           it doesn't read out of buffer */
++        excess = &k->buf[data->set.buffer_size] - k->str;
++      }
+       nread = (ssize_t)excess;
+ 
+       result = conn->handler->readwrite(data, conn, &nread, &readmore);

package/network/utils/curl/patches/114-CVE-2018-1000301.patch

@@ -0,0 +1,39 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str
+ {
+   CURLcode result;
+   struct SingleRequest *k = &data->req;
++  ssize_t onread = *nread;
++  char *ostr = k->str;
+ 
+   /* header line within buffer loop */
+   do {
+@@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str
+         else {
+           /* this was all we read so it's all a bad header */
+           k->badheader = HEADER_ALLBAD;
+-          *nread = (ssize_t)rest_length;
++          *nread = onread;
++          k->str = ostr;
++          return CURLE_OK;
+         }
+         break;
+       }

package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch

@@ -9,11 +9,9 @@ vtls must set wait for read/write flags for the socket.
  lib/vtls/vtls.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index fad9335bbf..871622fef1 100644
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
-@@ -485,8 +485,9 @@ void Curl_ssl_close_all(struct Curl_easy *data)
+@@ -488,8 +488,9 @@ void Curl_ssl_close_all(struct Curl_easy
  }
  
  #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \

package/network/utils/iproute2/Makefile

@@ -19,6 +19,10 @@ PKG_LICENSE:=GPL-2.0
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 
+USE_CAKE:=$(if $(filter 1y,$(SDK)$(CONFIG_BUILDBOT)),cake-legacy,cake-upstream)
+PKG_FLAGS:=$(if $(filter cake-upstream,$(USE_CAKE)),nonshared)
+PKG_RELEASE:=$(PKG_RELEASE)-$(USE_CAKE)
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/iproute2/Default
@@ -70,6 +74,14 @@ ifeq ($(BUILD_VARIANT),tiny)
   IP_CONFIG_TINY:=y
 endif
 
+PATCH_DIR:=$(PKG_BUILD_DIR)/openwrt-patches
+
+define Build/Patch
+	$(INSTALL_DIR) $(PATCH_DIR)
+	$(CP) ./patches/* ./patches-$(USE_CAKE)/* $(PATCH_DIR)/
+	$(call Build/Patch/Default)
+endef
+
 define Build/Configure
 	$(SED) "s,-I/usr/include/db3,," $(PKG_BUILD_DIR)/Makefile
 	$(SED) "s,^KERNEL_INCLUDE.*,KERNEL_INCLUDE=$(LINUX_DIR)/include," \

package/system/mtd/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=mtd
-PKG_RELEASE:=21$(if $(SDK),,.1)
+PKG_RELEASE:=23$(if $(SDK),,.1)
 
 PKG_BUILD_DIR := $(KERNEL_BUILD_DIR)/$(PKG_NAME)
 STAMP_PREPARED := $(STAMP_PREPARED)_$(call confvar,CONFIG_MTD_REDBOOT_PARTS)

package/system/mtd/src/trx.c

@@ -46,6 +46,12 @@ struct trx_header {
 	uint32_t offsets[3];    /* Offsets of partitions from start of header */
 };
 
+#define min(x,y) ({		\
+	typeof(x) _x = (x);	\
+	typeof(y) _y = (y);	\
+	(void) (&_x == &_y);	\
+	_x < _y ? _x : _y; })
+
 #if __BYTE_ORDER == __BIG_ENDIAN
 #define STORE32_LE(X)           ((((X) & 0x000000FF) << 24) | (((X) & 0x0000FF00) << 8) | (((X) & 0x00FF0000) >> 8) | (((X) & 0xFF000000) >> 24))
 #elif __BYTE_ORDER == __LITTLE_ENDIAN
@@ -156,7 +162,7 @@ mtd_fixtrx(const char *mtd, size_t offset, size_t data_size)
 	int fd;
 	struct trx_header *trx;
 	char *first_block;
-	char *buf;
+	char *buf, *to;
 	ssize_t res;
 	size_t block_offset;
 
@@ -201,23 +207,41 @@ mtd_fixtrx(const char *mtd, size_t offset, size_t data_size)
 		exit(1);
 	}
 
-	if (trx->len == STORE32_LE(data_size + TRX_CRC32_DATA_OFFSET)) {
-		if (quiet < 2)
-			fprintf(stderr, "Header already fixed, exiting\n");
-		close(fd);
-		return 0;
-	}
-
 	buf = malloc(data_size);
 	if (!buf) {
 		perror("malloc");
 		exit(1);
 	}
 
-	res = pread(fd, buf, data_size, data_offset);
-	if (res != data_size) {
-		perror("pread");
-		exit(1);
+	to = buf;
+	while (data_size) {
+		size_t read_block_offset = data_offset & ~(erasesize - 1);
+		size_t read_chunk;
+
+		read_chunk = erasesize - (data_offset & (erasesize - 1));
+		read_chunk = min(read_chunk, data_size);
+
+		/* Read from good blocks only to match CFE behavior */
+		if (!mtd_block_is_bad(fd, read_block_offset)) {
+			res = pread(fd, to, read_chunk, data_offset);
+			if (res != read_chunk) {
+				perror("pread");
+				exit(1);
+			}
+			to += read_chunk;
+		}
+
+		data_offset += read_chunk;
+		data_size -= read_chunk;
+	}
+	data_size = to - buf;
+
+	if (trx->len == STORE32_LE(data_size + TRX_CRC32_DATA_OFFSET) &&
+	    trx->crc32 == STORE32_LE(crc32buf(buf, data_size))) {
+		if (quiet < 2)
+			fprintf(stderr, "Header already fixed, exiting\n");
+		close(fd);
+		return 0;
 	}
 
 	trx->len = STORE32_LE(data_size + offsetof(struct trx_header, flag_version));
@@ -244,4 +268,3 @@ mtd_fixtrx(const char *mtd, size_t offset, size_t data_size)
 	return 0;
 
 }
-

package/utils/bzip2/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bzip2
 PKG_VERSION:=1.0.6
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.bzip.org/$(PKG_VERSION)

package/utils/bzip2/patches/010-CVE-2016-3189.patch

@@ -0,0 +1,11 @@
+diff -up ./bzip2recover.c.old ./bzip2recover.c
+--- ./bzip2recover.c.old	2016-03-22 08:49:38.855620000 +0100
++++ ./bzip2recover.c	2016-03-30 10:22:27.341430099 +0200
+@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;

scripts/bundle-libraries.sh

@@ -87,7 +87,11 @@ _runas_so() {
 			return 0;
 		}
 
+		#ifdef __APPLE__
+		__attribute__((section("__DATA,__mod_init_func")))
+		#else
 		__attribute__((section(".init_array")))
+		#endif
 		static void *mangle_arg0_constructor = &mangle_arg0;
 	EOT
 
@@ -97,6 +101,30 @@ _runas_so() {
 	}
 }
 
+_patch_ldso() {
+	_cp "$1" "$1.patched"
+	sed -i -e 's,/\(usr\|lib\|etc\)/,/###/,g' "$1.patched"
+
+	if "$1.patched" 2>&1 | grep -q -- --library-path; then
+		_mv "$1.patched" "$1"
+	else
+		echo "binary patched ${1##*/} not executable, using original" >&2
+		rm -f "$1.patched"
+	fi
+}
+
+_patch_glibc() {
+	_cp "$1" "$1.patched"
+	sed -i -e 's,/usr/\(\(lib\|share\)/locale\),/###/\1,g' "$1.patched"
+
+	if "$1.patched" 2>&1 | grep -q -- GNU; then
+		_mv "$1.patched" "$1"
+	else
+		echo "binary patched ${1##*/} not executable, using original" >&2
+		rm -f "$1.patched"
+	fi
+}
+
 for LDD in ${PATH//://ldd }/ldd; do
 	"$LDD" --version >/dev/null 2>/dev/null && break
 	LDD=""
@@ -125,16 +153,20 @@ for BIN in "$@"; do
 	[ -n "$LDD" ] && [ -x "$BIN" ] && file "$BIN" | grep -sqE "ELF.*(executable|interpreter)" && {
 		for token in $("$LDD" "$BIN" 2>/dev/null); do
 			case "$token" in */*.so*)
-				case "$token" in
-					*ld-*.so*) LDSO="${token##*/}" ;;
-				esac
-
 				dest="$DIR/lib/${token##*/}"
 				ddir="${dest%/*}"
 
+				case "$token" in
+					*/ld-*.so*) LDSO="${token##*/}" ;;
+				esac
+
 				[ -f "$token" -a ! -f "$dest" ] && {
 					_md "$ddir"
 					_cp "$token" "$dest"
+					case "$token" in
+						*/ld-*.so*) _patch_ldso "$dest" ;;
+						*/libc.so.6) _patch_glibc "$dest" ;;
+					esac
 				}
 			;; esac
 		done

target/linux/apm821xx/patches-4.4/001-crypto4xx-integrate-ppc4xx-rng-into-crypto4xx.patch

@@ -248,7 +248,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	return 0;
  
  err_start_dev:
-@@ -1248,6 +1250,8 @@ static int crypto4xx_remove(struct platf
+@@ -1247,6 +1249,8 @@ static int crypto4xx_remove(struct platf
  	struct device *dev = &ofdev->dev;
  	struct crypto4xx_core_device *core_dev = dev_get_drvdata(dev);
  
@@ -257,7 +257,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	free_irq(core_dev->irq, dev);
  	irq_dispose_mapping(core_dev->irq);
  
-@@ -1268,7 +1272,7 @@ MODULE_DEVICE_TABLE(of, crypto4xx_match)
+@@ -1267,7 +1271,7 @@ MODULE_DEVICE_TABLE(of, crypto4xx_match)
  
  static struct platform_driver crypto4xx_driver = {
  	.driver = {
@@ -266,7 +266,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.of_match_table = crypto4xx_match,
  	},
  	.probe		= crypto4xx_probe,
-@@ -1280,4 +1284,3 @@ module_platform_driver(crypto4xx_driver)
+@@ -1279,4 +1283,3 @@ module_platform_driver(crypto4xx_driver)
  MODULE_LICENSE("GPL");
  MODULE_AUTHOR("James Hsiao <jhsiao@amcc.com>");
  MODULE_DESCRIPTION("Driver for AMCC PPC4xx crypto accelerator");

target/linux/apm821xx/patches-4.4/040-backport_leds-convert-IDE-trigger-to-common-disk-trigger.patch

@@ -47,7 +47,7 @@ Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
  #include <linux/pm_runtime.h>
  #include <linux/platform_device.h>
  
-@@ -4942,6 +4943,9 @@ void ata_qc_complete(struct ata_queued_c
+@@ -4945,6 +4946,9 @@ void ata_qc_complete(struct ata_queued_c
  {
  	struct ata_port *ap = qc->ap;
  

target/linux/apm821xx/patches-4.4/302-dw-dma-hprot-fix-and-equal-priortiy.patch

@@ -0,0 +1,25 @@
+--- a/drivers/dma/dw/core.c
++++ b/drivers/dma/dw/core.c
+@@ -150,6 +150,8 @@ static void dwc_initialize(struct dw_dma
+ 	cfghi |= DWC_CFGH_DST_PER(dwc->dst_id);
+ 	cfghi |= DWC_CFGH_SRC_PER(dwc->src_id);
+ 
++	cfghi |= DWC_CFGH_PROTCTL(3); /* bufferable + privileged access */
++
+ 	channel_writel(dwc, CFG_LO, cfglo);
+ 	channel_writel(dwc, CFG_HI, cfghi);
+ 
+@@ -1539,11 +1541,8 @@ int dw_dma_probe(struct dw_dma_chip *chi
+ 		else
+ 			list_add(&dwc->chan.device_node, &dw->dma.channels);
+ 
+-		/* 7 is highest priority & 0 is lowest. */
+-		if (pdata->chan_priority == CHAN_PRIORITY_ASCENDING)
+-			dwc->priority = pdata->nr_channels - i - 1;
+-		else
+-			dwc->priority = i;
++		/* set all channels to the same priority */
++		dwc->priority = pdata->nr_channels - 1;
+ 
+ 		dwc->ch_regs = &__dw_regs(dw)->CHAN[i];
+ 		spin_lock_init(&dwc->lock);

target/linux/apm821xx/patches-4.4/802-usb-xhci-force-msi-renesas-xhci.patch

@@ -44,7 +44,7 @@ produce a noisy warning.
  		/* hcd->irq is 0, we have MSI */
 --- a/drivers/usb/host/xhci.h
 +++ b/drivers/usb/host/xhci.h
-@@ -1652,6 +1652,7 @@ struct xhci_hcd {
+@@ -1656,6 +1656,7 @@ struct xhci_hcd {
  	/* support xHCI 0.96 spec USB2 software LPM */
  	unsigned		sw_lpm_support:1;
  	/* support xHCI 1.0 spec USB2 hardware LPM */

target/linux/ar71xx/patches-4.4/103-MIPS-ath79-fix-register-address-in-ath79_ddr_wb_flus.patch

@@ -1,23 +0,0 @@
-From: Felix Fietkau <nbd@nbd.name>
-Date: Wed, 18 May 2016 18:03:31 +0200
-Subject: [PATCH] MIPS: ath79: fix register address in ath79_ddr_wb_flush()
-
-ath79_ddr_wb_flush_base has the type void __iomem *, so register offsets
-need to be a multiple of 4.
-
-Cc: Alban Bedel <albeu@free.fr>
-Fixes: 24b0e3e84fbf ("MIPS: ath79: Improve the DDR controller interface")
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/arch/mips/ath79/common.c
-+++ b/arch/mips/ath79/common.c
-@@ -58,7 +58,7 @@ EXPORT_SYMBOL_GPL(ath79_ddr_ctrl_init);
- 
- void ath79_ddr_wb_flush(u32 reg)
- {
--	void __iomem *flush_reg = ath79_ddr_wb_flush_base + reg;
-+	void __iomem *flush_reg = ath79_ddr_wb_flush_base + reg * 4;
- 
- 	/* Flush the DDR write buffer. */
- 	__raw_writel(0x1, flush_reg);

target/linux/ar71xx/patches-4.4/910-unaligned_access_hacks.patch

@@ -250,7 +250,7 @@
  					       &sin->sin6_addr);
  			sin->sin6_scope_id = 0;
  		}
-@@ -770,12 +770,12 @@ int ip6_datagram_send_ctl(struct net *ne
+@@ -773,12 +773,12 @@ int ip6_datagram_send_ctl(struct net *ne
  			}
  
  			if (fl6->flowlabel&IPV6_FLOWINFO_MASK) {
@@ -370,7 +370,7 @@
  	return neigh_create(&arp_tbl, pkey, dev);
 --- a/net/ipv4/tcp_output.c
 +++ b/net/ipv4/tcp_output.c
-@@ -451,48 +451,53 @@ static void tcp_options_write(__be32 *pt
+@@ -456,48 +456,53 @@ static void tcp_options_write(__be32 *pt
  	u16 options = opts->options;	/* mungable copy */
  
  	if (unlikely(OPTION_MD5 & options)) {
@@ -447,7 +447,7 @@
  	}
  
  	if (unlikely(opts->num_sack_blocks)) {
-@@ -500,16 +505,17 @@ static void tcp_options_write(__be32 *pt
+@@ -505,16 +510,17 @@ static void tcp_options_write(__be32 *pt
  			tp->duplicate_sack : tp->selective_acks;
  		int this_sack;
  
@@ -471,7 +471,7 @@
  		}
  
  		tp->rx_opt.dsack = 0;
-@@ -522,13 +528,14 @@ static void tcp_options_write(__be32 *pt
+@@ -527,13 +533,14 @@ static void tcp_options_write(__be32 *pt
  
  		if (foc->exp) {
  			len = TCPOLEN_EXP_FASTOPEN_BASE + foc->len;
@@ -838,7 +838,7 @@
  
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
-@@ -3822,14 +3822,16 @@ static bool tcp_parse_aligned_timestamp(
+@@ -3836,14 +3836,16 @@ static bool tcp_parse_aligned_timestamp(
  {
  	const __be32 *ptr = (const __be32 *)(th + 1);