OpenWrt v18.06.2: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

.github/pull_request_template

@@ -3,6 +3,6 @@ Thanks for your contribution to OpenWrt!
 To help keep the codebase consistent and readable,
 and to help people review your contribution,
 we ask you to follow the rules you find in the wiki at this link
-https://lede-project.org/submitting-patches
+https://openwrt.org/submitting-patches
 
 Please remove this message before posting the pull request.

Makefile

@@ -27,6 +27,8 @@ ifneq ($(OPENWRT_BUILD),1)
   export OPENWRT_BUILD
   GREP_OPTIONS=
   export GREP_OPTIONS
+  CDPATH=
+  export CDPATH
   include $(TOPDIR)/include/debug.mk
   include $(TOPDIR)/include/depends.mk
   include $(TOPDIR)/include/toplevel.mk
@@ -85,7 +87,7 @@ prereq: $(target/stamp-prereq) tmp/.prereq_packages
 	fi
 
 checksum: FORCE
-	$(call sha256sums,$(BIN_DIR))
+	$(call sha256sums,$(BIN_DIR),$(CONFIG_BUILDBOT))
 
 diffconfig: FORCE
 	mkdir -p $(BIN_DIR)

README

@@ -1,26 +1,31 @@
+  _______                     ________        __
+ |       |.-----.-----.-----.|  |  |  |.----.|  |_
+ |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
+ |_______||   __|_____|__|__||________||__|  |____|
+          |__| W I R E L E S S   F R E E D O M
+ -----------------------------------------------------
+
 This is the buildsystem for the OpenWrt Linux distribution.
 
-Please use "make menuconfig" to choose your preferred
-configuration for the toolchain and firmware.
+To build your own firmware you need a Linux, BSD or MacOSX system (case
+sensitive filesystem required). Cygwin is unsupported because of the lack
+of a case sensitive file system.
 
-You need to have installed gcc, binutils, bzip2, flex, python, perl, make,
-find, grep, diff, unzip, gawk, getopt, subversion, libz-dev and libc headers.
+You need gcc, binutils, bzip2, flex, python, perl, make, find, grep, diff,
+unzip, gawk, getopt, subversion, libz-dev and libc headers installed.
 
-Run "./scripts/feeds update -a" to get all the latest package definitions
-defined in feeds.conf / feeds.conf.default respectively
-and "./scripts/feeds install -a" to install symlinks of all of them into
-package/feeds/.
+1. Run "./scripts/feeds update -a" to obtain all the latest package definitions
+defined in feeds.conf / feeds.conf.default
 
-Use "make menuconfig" to configure your image.
+2. Run "./scripts/feeds install -a" to install symlinks for all obtained
+packages into package/feeds/
 
-Simply running "make" will build your firmware.
-It will download all sources, build the cross-compile toolchain, 
-the kernel and all choosen applications.
-
-To build your own firmware you need to have access to a Linux, BSD or MacOSX system
-(case-sensitive filesystem required). Cygwin will not be supported because of
-the lack of case sensitiveness in the file system.
+3. Run "make menuconfig" to select your preferred configuration for the
+toolchain, target system & firmware packages.
 
+4. Run "make" to build your firmware. This will download all sources, build
+the cross-compile toolchain and then cross-compile the Linux kernel & all
+chosen applications for your target system.
 
 Sunshine!
 	Your OpenWrt Community

config/Config-images.in

@@ -259,12 +259,12 @@ menu "Target Images"
 
 	config TARGET_KERNEL_PARTSIZE
 		int "Kernel partition size (in MB)"
-		depends on GRUB_IMAGES
+		depends on GRUB_IMAGES || USES_BOOT_PART
 		default 16
 
 	config TARGET_ROOTFS_PARTSIZE
 		int "Root filesystem partition size (in MB)"
-		depends on GRUB_IMAGES || TARGET_ROOTFS_EXT4FS || TARGET_rb532 || TARGET_mvebu || TARGET_uml
+		depends on GRUB_IMAGES || USES_ROOTFS_PART || TARGET_ROOTFS_EXT4FS || TARGET_rb532 || TARGET_mvebu || TARGET_uml
 		default 256
 		help
 		  Select the root filesystem partition size.

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^8bf5fc17db6072549a4e3bd8230d7962364f2043
-src-git luci https://git.openwrt.org/project/luci.git^6df9a57ef0773c7158dadbb5054a58cb3d70c621
-src-git routing https://git.openwrt.org/feed/routing.git^1b9d1c419f0ecefda51922a7845ab2183d6acd76
-src-git telephony https://git.openwrt.org/feed/telephony.git^88b12368f11f3feeefcd4dcbe54f21159b8356c1
+src-git packages https://git.openwrt.org/feed/packages.git^911bbd6bb4856f1e28ae00af37df62e4fa3529e5
+src-git luci https://git.openwrt.org/project/luci.git^6f6641d97de2c85ee5d87beda92ae8437d1dbdf5
+src-git routing https://git.openwrt.org/feed/routing.git^ea345d16a6e27c2a8fdf67bf543cc36a5f189131
+src-git telephony https://git.openwrt.org/feed/telephony.git^cb939d9677d6e38c428f9f297641d07611edeb04

include/cmake.mk

@@ -7,8 +7,8 @@ ifneq ($(findstring c,$(OPENWRT_VERBOSE)),)
 endif
 
 CMAKE_BINARY_DIR = $(PKG_BUILD_DIR)$(if $(CMAKE_BINARY_SUBDIR),/$(CMAKE_BINARY_SUBDIR))
-CMAKE_SOURCE_DIR = $(PKG_BUILD_DIR)
-HOST_CMAKE_SOURCE_DIR = $(HOST_BUILD_DIR)
+CMAKE_SOURCE_DIR = $(PKG_BUILD_DIR)$(if $(CMAKE_SOURCE_SUBDIR),/$(CMAKE_SOURCE_SUBDIR))
+HOST_CMAKE_SOURCE_DIR = $(HOST_BUILD_DIR)$(if $(CMAKE_SOURCE_SUBDIR),/$(CMAKE_SOURCE_SUBDIR))
 MAKE_PATH = $(firstword $(CMAKE_BINARY_SUBDIR) .)
 
 ifeq ($(CONFIG_EXTERNAL_TOOLCHAIN),)

include/feeds.mk

@@ -34,8 +34,8 @@ endef
 define FeedSourcesAppend
 ( \
   echo 'src/gz %d_core %U/targets/%S/packages'; \
-  echo 'src/gz %d_base %U/packages/%A/base'; \
   $(strip $(if $(CONFIG_PER_FEED_REPO), \
+	echo 'src/gz %d_base %U/packages/%A/base'; \
 	$(foreach feed,$(FEEDS_AVAILABLE), \
 		$(if $(CONFIG_FEED_$(feed)), \
 			echo '$(if $(filter m,$(CONFIG_FEED_$(feed))),# )src/gz %d_$(feed) %U/packages/%A/$(feed)';)))) \

include/hardening.mk

@@ -18,7 +18,7 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
 endif
 ifdef CONFIG_PKG_ASLR_PIE
   ifeq ($(strip $(PKG_ASLR_PIE)),1)
-    TARGET_CFLAGS += -fPIC
+    TARGET_CFLAGS += $(FPIC)
     TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
   endif
 endif

include/host-build.mk

@@ -132,7 +132,7 @@ define Host/Exports/Default
   $(1) : export STAGING_PREFIX=$$(HOST_BUILD_PREFIX)
   $(1) : export PKG_CONFIG_PATH=$$(STAGING_DIR_HOST)/lib/pkgconfig:$$(HOST_BUILD_PREFIX)/lib/pkgconfig
   $(1) : export PKG_CONFIG_LIBDIR=$$(HOST_BUILD_PREFIX)/lib/pkgconfig
-  $(1) : export CCACHE_DIR:=$(STAGING_DIR_HOST)/ccache
+  $(if $(CONFIG_CCACHE),$(1) : export CCACHE_DIR:=$(STAGING_DIR_HOST)/ccache)
   $(if $(HOST_CONFIG_SITE),$(1) : export CONFIG_SITE:=$(HOST_CONFIG_SITE))
   $(if $(IS_PACKAGE_BUILD),$(1) : export PATH=$$(TARGET_PATH_PKG))
 endef

include/image.mk

@@ -321,6 +321,7 @@ define Device/Init
   CMDLINE:=
 
   IMAGES :=
+  ARTIFACTS :=
   IMAGE_PREFIX := $(IMG_PREFIX)-$(1)
   IMAGE_NAME = $$(IMAGE_PREFIX)-$$(1)-$$(2)
   KERNEL_PREFIX = $$(IMAGE_PREFIX)
@@ -498,6 +499,19 @@ define Device/Build/image
 
 endef
 
+define Device/Build/artifact
+  $$(_TARGET): $(BIN_DIR)/$(IMAGE_PREFIX)-$(1)
+  $(KDIR)/tmp/$(IMAGE_PREFIX)-$(1): $$(KDIR_KERNEL_IMAGE)
+	@rm -f $$@
+	$$(call concat_cmd,$(ARTIFACT/$(1)))
+
+  .IGNORE: $(BIN_DIR)/$(IMAGE_PREFIX)-$(1)
+
+  $(BIN_DIR)/$(IMAGE_PREFIX)-$(1): $(KDIR)/tmp/$(IMAGE_PREFIX)-$(1)
+	cp $$^ $$@
+
+endef
+
 define Device/Build
   $(if $(CONFIG_TARGET_ROOTFS_INITRAMFS),$(call Device/Build/initramfs,$(1)))
   $(call Device/Build/kernel,$(1))
@@ -508,6 +522,10 @@ define Device/Build
   $$(eval $$(foreach image,$$(IMAGES), \
     $$(foreach fs,$$(filter $(TARGET_FILESYSTEMS),$$(FILESYSTEMS)), \
       $$(call Device/Build/image,$$(fs),$$(image),$(1)))))
+
+  $$(eval $$(foreach artifact,$$(ARTIFACTS), \
+    $$(call Device/Build/artifact,$$(artifact))))
+
 endef
 
 define Device/DumpInfo

include/kernel-version.mk

@@ -2,15 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-3.18 = .71
-LINUX_VERSION-4.4 = .121
-LINUX_VERSION-4.9 = .111
-LINUX_VERSION-4.14 = .54
+LINUX_VERSION-4.9 = .152
+LINUX_VERSION-4.14 = .95
 
-LINUX_KERNEL_HASH-3.18.71 = 5abc9778ad44ce02ed6c8ab52ece8a21c6d20d21f6ed8a19287b4a38a50c1240
-LINUX_KERNEL_HASH-4.4.121 = 44a88268b5088dc326b30c9b9133ac35a9a200b636b7268d08f32abeae6ca729
-LINUX_KERNEL_HASH-4.9.111 = 5966558959dc580f163766f3fdefd7e57c01b2b45d51202d00b3807c253759dd
-LINUX_KERNEL_HASH-4.14.54 = 451642ac28c539a91072f1fb83b1c061d6d44df870ddf5562400ade5e1c4b6c6
+LINUX_KERNEL_HASH-4.9.152 = 90e47b85c09af47eefafe851685ee731538f640b0650a6a9cfa0234436708e39
+LINUX_KERNEL_HASH-4.14.95 = ce6729e3fca312520e3cb4f27993852dbb019d94c59c0b35cedab571f9cb58e4
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/kernel.mk

@@ -60,9 +60,8 @@ else
   LINUX_KERNEL:=$(KERNEL_BUILD_DIR)/vmlinux
 
   LINUX_SOURCE:=linux-$(LINUX_VERSION).tar.xz
-  TESTING:=$(if $(findstring -rc,$(LINUX_VERSION)),/testing,)
   ifeq ($(call qstrip,$(CONFIG_EXTERNAL_KERNEL_TREE))$(call qstrip,$(CONFIG_KERNEL_GIT_CLONE_URI)),)
-      LINUX_SITE:=@KERNEL/linux/kernel/v$(word 1,$(subst ., ,$(KERNEL_BASE))).x$(TESTING)
+      LINUX_SITE:=@KERNEL/linux/kernel/v$(word 1,$(subst ., ,$(KERNEL_BASE))).x
   else
       LINUX_UNAME_VERSION:=$(strip $(shell cat $(LINUX_DIR)/include/config/kernel.release 2>/dev/null))
   endif
@@ -97,7 +96,7 @@ endif
 
 KERNEL_MAKE = $(MAKE) $(KERNEL_MAKEOPTS)
 
-KERNEL_MAKE_FLAGS := \
+KERNEL_MAKE_FLAGS = \
 	HOSTCFLAGS="$(HOST_CFLAGS) -Wall -Wmissing-prototypes -Wstrict-prototypes" \
 	CROSS_COMPILE="$(KERNEL_CROSS)" \
 	ARCH="$(LINUX_KARCH)" \
@@ -254,6 +253,7 @@ $(call KernelPackage/$(1)/config)
   $$(eval $$(call BuildPackage,kmod-$(1)))
 
   $$(IPKG_kmod-$(1)): $$(wildcard $$(FILES))
+
 endef
 
 version_filter=$(if $(findstring @,$(1)),$(shell $(SCRIPT_DIR)/package-metadata.pl version_filter $(KERNEL_PATCHVER) $(1)),$(1))

include/netfilter.mk

@@ -106,6 +106,7 @@ $(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_ph
 # filter
 
 $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
+$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_BPF, $(P_XT)xt_bpf))
 
 
 # ipopt

include/package.mk

@@ -81,9 +81,10 @@ STAGING_FILES_LIST:=$(PKG_DIR_NAME)$(if $(BUILD_VARIANT),.$(BUILD_VARIANT),).lis
 define CleanStaging
 	rm -f $(STAMP_INSTALLED)
 	@-(\
-		cd "$(STAGING_DIR)"; \
-		if [ -f packages/$(STAGING_FILES_LIST) ]; then \
-			cat packages/$(STAGING_FILES_LIST) | xargs -r rm -f 2>/dev/null; \
+		if [ -f $(STAGING_DIR)/packages/$(STAGING_FILES_LIST) ]; then \
+			$(SCRIPT_DIR)/clean-package.sh \
+				"$(STAGING_DIR)/packages/$(STAGING_FILES_LIST)" \
+				"$(STAGING_DIR)"; \
 		fi; \
 	)
 endef
@@ -144,7 +145,7 @@ define Build/Exports/Default
   $(1) : export CONFIG_SITE:=$$(CONFIG_SITE)
   $(1) : export PKG_CONFIG_PATH:=$$(PKG_CONFIG_PATH)
   $(1) : export PKG_CONFIG_LIBDIR:=$$(PKG_CONFIG_PATH)
-  $(1) : export CCACHE_DIR:=$(STAGING_DIR)/ccache
+  $(if $(CONFIG_CCACHE),$(1) : export CCACHE_DIR:=$(STAGING_DIR)/ccache)
 endef
 Build/Exports=$(Build/Exports/Default)
 

include/prereq-build.mk

@@ -24,10 +24,10 @@ $(eval $(call TestHostCommand,case-sensitive-fs, \
 
 $(eval $(call TestHostCommand,proper-umask, \
 	Please build with umask 022 - other values produce broken packages, \
-	umask | grep -xE 00[012][012]))
+	umask | grep -xE 0?0[012][012]))
 
 $(eval $(call SetupHostCommand,gcc, \
-	Please install the GNU C Compiler (gcc) 4.8 or later \
+	Please install the GNU C Compiler (gcc) 4.8 or later, \
 	$(CC) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	gcc -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	gcc48 --version | grep gcc, \
@@ -46,7 +46,7 @@ $(eval $(call TestHostCommand,working-gcc, \
 		gcc -x c -o $(TMP_DIR)/a.out -))
 
 $(eval $(call SetupHostCommand,g++, \
-	Please install the GNU C++ Compiler (g++) 4.8 or later \
+	Please install the GNU C++ Compiler (g++) 4.8 or later, \
 	$(CXX) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	g++ -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	g++48 --version | grep g++, \
@@ -138,11 +138,6 @@ $(eval $(call SetupHostCommand,bzip2,Please install 'bzip2', \
 $(eval $(call SetupHostCommand,wget,Please install GNU 'wget', \
 	wget --version | grep GNU))
 
-$(eval $(call SetupHostCommand,time,Please install GNU 'time' or BusyBox 'time' that supports -f, \
-	gtime --version 2>&1 | grep GNU, \
-	time --version 2>&1 | grep GNU, \
-	busybox time 2>&1 | grep -- '-f FMT'))
-
 $(eval $(call SetupHostCommand,perl,Please install Perl 5.x, \
 	perl --version | grep "perl.*v5"))
 

include/rootfs.mk

@@ -90,6 +90,7 @@ define prepare_rootfs
 	rm -f $(1)/usr/lib/opkg/lists/*
 	rm -f $(1)/usr/lib/opkg/info/*.postinst*
 	rm -f $(1)/var/lock/*.lock
+	rm -rf $(1)/boot
 	$(call clean_ipkg,$(1))
 	$(call mklibs,$(1))
 endef

include/subdir.mk

@@ -43,7 +43,7 @@ log_make = \
 	 $(if $(BUILD_LOG), \
 		set -o pipefail; \
 		mkdir -p $(BUILD_LOG_DIR)/$(1)$(if $(4),/$(4));) \
-	env time -f "time: $(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2)\#%U\#%S\#%e" -- \
+	$(SCRIPT_DIR)/time.pl "time: $(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2)" \
 	$$(SUBMAKE) $(subdir_make_opts) $(if $(3),$(3)-)$(2) \
 		$(if $(BUILD_LOG),SILENT= 2>&1 | tee $(BUILD_LOG_DIR)/$(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2).txt)
 

include/target.mk

@@ -51,7 +51,7 @@ else
   endif
 endif
 
-ifneq ($(filter 3.18 4.4 4.9,$(KERNEL_PATCHVER)),)
+ifneq ($(filter 4.9,$(KERNEL_PATCHVER)),)
   DEFAULT_PACKAGES.router:=$(filter-out kmod-ipt-offload,$(DEFAULT_PACKAGES.router))
 endif
 

include/verbose.mk

@@ -54,7 +54,7 @@ ifeq ($(findstring s,$(OPENWRT_VERBOSE)),)
   else
     SILENT:=>/dev/null $(if $(findstring w,$(OPENWRT_VERBOSE)),,2>&1)
     export QUIET:=1
-    SUBMAKE=cmd() { $(SILENT) $(MAKE) -s $$* < /dev/null || { echo "make $$*: build failed. Please re-run make with -j1 V=s to see what's going on"; false; } } 8>&1 9>&2; cmd
+    SUBMAKE=cmd() { $(SILENT) $(MAKE) -s "$$@" < /dev/null || { echo "make $$*: build failed. Please re-run make with -j1 V=s or V=sc for a higher verbosity level to see what's going on"; false; } } 8>&1 9>&2; cmd
   endif
 
   .SILENT: $(MAKECMDGOALS)

include/version.mk

@@ -11,6 +11,7 @@
 # SOURCE_DATE_EPOCH:=x
 
 PKG_CONFIG_DEPENDS += \
+	CONFIG_VERSION_HOME_URL \
 	CONFIG_VERSION_BUG_URL \
 	CONFIG_VERSION_NUMBER \
 	CONFIG_VERSION_CODE \
@@ -25,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.0)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.2)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7188-b0b5c64c22)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7676-cddd7b4c77)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.0)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.2)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
@@ -46,6 +47,9 @@ VERSION_MANUFACTURER_URL:=$(if $(VERSION_MANUFACTURER_URL),$(VERSION_MANUFACTURE
 VERSION_BUG_URL:=$(call qstrip,$(CONFIG_VERSION_BUG_URL))
 VERSION_BUG_URL:=$(if $(VERSION_BUG_URL),$(VERSION_BUG_URL),http://bugs.openwrt.org/)
 
+VERSION_HOME_URL:=$(call qstrip,$(CONFIG_VERSION_HOME_URL))
+VERSION_HOME_URL:=$(if $(VERSION_HOME_URL),$(VERSION_HOME_URL),http://openwrt.org/)
+
 VERSION_SUPPORT_URL:=$(call qstrip,$(CONFIG_VERSION_SUPPORT_URL))
 VERSION_SUPPORT_URL:=$(if $(VERSION_SUPPORT_URL),$(VERSION_SUPPORT_URL),http://forum.lede-project.org/)
 
@@ -100,6 +104,7 @@ VERSION_SED_SCRIPT:=$(SED) 's,%U,$(call sed_escape,$(VERSION_REPO)),g' \
 	-e 's,%M,$(call sed_escape,$(VERSION_MANUFACTURER)),g' \
 	-e 's,%m,$(call sed_escape,$(VERSION_MANUFACTURER_URL)),g' \
 	-e 's,%b,$(call sed_escape,$(VERSION_BUG_URL)),g' \
+	-e 's,%u,$(call sed_escape,$(VERSION_HOME_URL)),g' \
 	-e 's,%s,$(call sed_escape,$(VERSION_SUPPORT_URL)),g' \
 	-e 's,%P,$(call sed_escape,$(VERSION_PRODUCT)),g' \
 	-e 's,%h,$(call sed_escape,$(VERSION_HWREV)),g'

package/base-files/Makefile

@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/version.mk
 include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=192
+PKG_RELEASE:=194.2
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
@@ -49,6 +49,7 @@ define Package/base-files/conffiles
 /etc/config/system
 /etc/crontabs/
 /etc/dropbear/
+/etc/ethers
 /etc/group
 /etc/hosts
 /etc/inittab

package/base-files/files/bin/config_generate

@@ -15,10 +15,14 @@ generate_static_network() {
 		set network.loopback.proto='static'
 		set network.loopback.ipaddr='127.0.0.1'
 		set network.loopback.netmask='255.0.0.0'
-		delete network.globals
-		set network.globals='globals'
-		set network.globals.ula_prefix='auto'
 	EOF
+		[ -e /proc/sys/net/ipv6 ] && {
+			uci -q batch <<-EOF
+				delete network.globals
+				set network.globals='globals'
+				set network.globals.ula_prefix='auto'
+			EOF
+		}
 
 	if json_is_a dsl object; then
 		json_select dsl
@@ -102,21 +106,23 @@ generate_network() {
 				set network.$1.proto='static'
 				set network.$1.ipaddr='$ipad'
 				set network.$1.netmask='$netm'
-				set network.$1.ip6assign='60'
 			EOF
+			[ -e /proc/sys/net/ipv6 ] && uci set network.$1.ip6assign='60'
 		;;
 
 		dhcp)
 			# fixup IPv6 slave interface if parent is a bridge
 			[ "$type" = "bridge" ] && ifname="br-$1"
 
-			uci -q batch <<-EOF
-				set network.$1.proto='dhcp'
-				delete network.${1}6
-				set network.${1}6='interface'
-				set network.${1}6.ifname='$ifname'
-				set network.${1}6.proto='dhcpv6'
-			EOF
+			uci set network.$1.proto='dhcp'
+			[ -e /proc/sys/net/ipv6 ] && {
+				uci -q batch <<-EOF
+					delete network.${1}6
+					set network.${1}6='interface'
+					set network.${1}6.ifname='$ifname'
+					set network.${1}6.proto='dhcpv6'
+				EOF
+			}
 		;;
 
 		pppoe)
@@ -124,12 +130,16 @@ generate_network() {
 				set network.$1.proto='pppoe'
 				set network.$1.username='username'
 				set network.$1.password='password'
-				set network.$1.ipv6='1'
-				delete network.${1}6
-				set network.${1}6='interface'
-				set network.${1}6.ifname='@${1}'
-				set network.${1}6.proto='dhcpv6'
 			EOF
+			[ -e /proc/sys/net/ipv6 ] && {
+				uci -q batch <<-EOF
+					set network.$1.ipv6='1'
+					delete network.${1}6
+					set network.${1}6='interface'
+					set network.${1}6.ifname='@${1}'
+					set network.${1}6.proto='dhcpv6'
+				EOF
+			}
 		;;
 	esac
 }

package/base-files/files/etc/ethers

@@ -0,0 +1,6 @@
+#
+#  Lookup man 5 ethers for syntax documentation
+#
+#  Examples :
+#	02:00:11:22:33:44	OpenWrt.lan
+#	02:00:11:22:33:44	192.168.1.1

package/base-files/files/etc/iproute2/ematch_map

@@ -0,0 +1,8 @@
+# lookup table for ematch kinds
+1	cmp
+2	nbyte
+3	u32
+4	meta
+7	canid
+8	ipset
+9	ipt

package/base-files/files/etc/profile

@@ -14,7 +14,11 @@ export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
 export HOME=${HOME:-/root}
 export PS1='\u@\h:\w\$ '
 
-[ "$TERM" = "xterm" ] && export PS1='\[\e]0;\u@\h: \w\a\]'$PS1
+case "$TERM" in
+	xterm*|rxvt*)
+		export PS1='\[\e]0;\u@\h: \w\a\]'$PS1
+		;;
+esac
 
 [ -x /bin/more ] || alias more=less
 [ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi

package/base-files/files/etc/rc.common

@@ -23,6 +23,7 @@ reload() {
 restart() {
 	trap '' TERM
 	stop "$@"
+	trap - TERM
 	start "$@"
 }
 

package/base-files/files/etc/services

@@ -29,8 +29,8 @@ kerberos	88/tcp		kerberos5 krb5 kerberos-sec
 kerberos	88/udp		kerberos5 krb5 kerberos-sec
 pop3		110/tcp
 pop3		110/udp
-sunrpc		111/tcp
-sunrpc		111/udp
+sunrpc		111/tcp		rpcbind
+sunrpc		111/udp		rpcbind
 auth		113/tcp		ident
 sftp		115/tcp
 nntp		119/tcp

package/base-files/files/lib/functions.sh

@@ -92,7 +92,7 @@ config_unset() {
 # config_get <section> <option>
 config_get() {
 	case "$3" in
-		"") eval echo "\${CONFIG_${1}_${2}:-\${4}}";;
+		"") eval echo "\"\${CONFIG_${1}_${2}:-\${4}}\"";;
 		*)  eval export ${NO_EXPORT:+-n} -- "${1}=\${CONFIG_${2}_${3}:-\${4}}";;
 	esac
 }
@@ -152,22 +152,27 @@ config_list_foreach() {
 
 default_prerm() {
 	local root="${IPKG_INSTROOT}"
-	local name
+	local pkgname="$(basename ${1%.*})"
+	local ret=0
 
-	name=$(basename ${1%.*})
-	[ -f "$root/usr/lib/opkg/info/${name}.prerm-pkg" ] && . "$root/usr/lib/opkg/info/${name}.prerm-pkg"
+	if [ -f "$root/usr/lib/opkg/info/${pkgname}.prerm-pkg" ]; then
+		( . "$root/usr/lib/opkg/info/${pkgname}.prerm-pkg" )
+		ret=$?
+	fi
 
 	local shell="$(which bash)"
-	for i in `cat "$root/usr/lib/opkg/info/${name}.list" | grep "^/etc/init.d/"`; do
+	for i in $(grep -s "^/etc/init.d/" "$root/usr/lib/opkg/info/${pkgname}.list"); do
 		if [ -n "$root" ]; then
 			${shell:-/bin/sh} "$root/etc/rc.common" "$root$i" disable
 		else
 			if [ "$PKG_UPGRADE" != "1" ]; then
 				"$i" disable
 			fi
-			"$i" stop || /bin/true
+			"$i" stop
 		fi
 	done
+
+	return $ret
 }
 
 add_group_and_user() {
@@ -229,10 +234,9 @@ default_postinst() {
 	if [ -z "$root" ] && grep -q -s "^/etc/uci-defaults/" "/usr/lib/opkg/info/${pkgname}.list"; then
 		. /lib/functions/system.sh
 		[ -d /tmp/.uci ] || mkdir -p /tmp/.uci
-		for i in $(sed -ne 's!^/etc/uci-defaults/!!p' "/usr/lib/opkg/info/${pkgname}.list"); do (
-			cd /etc/uci-defaults
-			[ -f "$i" ] && . ./"$i" && rm -f "$i"
-		) done
+		for i in $(grep -s "^/etc/uci-defaults/" "/usr/lib/opkg/info/${pkgname}.list"); do
+			( [ -f "$i" ] && cd "$(dirname $i)" && . "$i" ) && rm -f "$i"
+		done
 		uci commit
 	fi
 

package/base-files/files/lib/functions/network.sh

@@ -271,6 +271,11 @@ network_is_up()
 # 2: interface
 network_get_protocol() { __network_ifstatus "$1" "$2" ".proto"; }
 
+# determine the metric of the given logical interface
+# 1: destination variable
+# 2: interface
+network_get_metric() { __network_ifstatus "$1" "$2" ".metric"; }
+
 # determine the layer 3 linux network device of the given logical interface
 # 1: destination variable
 # 2: interface

package/base-files/files/lib/functions/system.sh

@@ -20,8 +20,7 @@ find_mtd_chardev() {
 	echo "${INDEX:+$PREFIX$INDEX}"
 }
 
-mtd_get_mac_ascii()
-{
+mtd_get_mac_ascii() {
 	local mtdname="$1"
 	local key="$2"
 	local part
@@ -39,6 +38,29 @@ mtd_get_mac_ascii()
 	[ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty"
 }
 
+mtd_get_mac_text() {
+	local mtdname=$1
+	local offset=$2
+	local part
+	local mac_dirty
+
+	part=$(find_mtd_part "$mtdname")
+	if [ -z "$part" ]; then
+		echo "mtd_get_mac_text: partition $mtdname not found!" >&2
+		return
+	fi
+
+	if [ -z "$offset" ]; then
+		echo "mtd_get_mac_text: offset missing!" >&2
+		return
+	fi
+
+	mac_dirty=$(dd if="$part" bs=1 skip="$offset" count=17 2>/dev/null)
+
+	# "canonicalize" mac
+	[ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty"
+}
+
 mtd_get_mac_binary() {
 	local mtdname="$1"
 	local offset="$2"
@@ -87,22 +109,19 @@ macaddr_add() {
 	echo $oui:$nic
 }
 
-macaddr_setbit_la()
-{
+macaddr_setbit_la() {
 	local mac=$1
 
 	printf "%02x:%s" $((0x${mac%%:*} | 0x02)) ${mac#*:}
 }
 
-macaddr_2bin()
-{
+macaddr_2bin() {
 	local mac=$1
 
 	echo -ne \\x${mac//:/\\x}
 }
 
-macaddr_canonicalize()
-{
+macaddr_canonicalize() {
 	local mac="$1"
 	local canon=""
 

package/base-files/files/lib/upgrade/common.sh

@@ -222,6 +222,7 @@ default_do_upgrade() {
 	else
 		get_image "$1" "$2" | mtd write - "${PART_NAME:-image}"
 	fi
+	[ $? -ne 0 ] && exit 1
 }
 
 do_upgrade_stage2() {

package/base-files/files/lib/upgrade/fwtool.sh

@@ -1,7 +1,3 @@
-fwtool_pre_upgrade() {
-	fwtool -q -i /dev/null "$1"
-}
-
 fwtool_check_image() {
 	[ $# -gt 1 ] && return 1
 

package/base-files/files/sbin/sysupgrade

@@ -137,7 +137,7 @@ add_overlayfiles() {
 
 # hooks
 sysupgrade_image_check="fwtool_check_image platform_check_image"
-sysupgrade_pre_upgrade="fwtool_pre_upgrade"
+sysupgrade_pre_upgrade=""
 
 if [ $SAVE_OVERLAY = 1 ]; then
 	[ ! -d /overlay/upper/etc ] && {
@@ -166,6 +166,11 @@ do_save_conffiles() {
 	v "Saving config files..."
 	[ "$VERBOSE" -gt 1 ] && TAR_V="v" || TAR_V=""
 	tar c${TAR_V}zf "$conf_tar" -T "$CONFFILES" 2>/dev/null
+	if [ "$?" -ne 0 ]; then
+		echo "Failed to create the configuration backup."
+		rm -f "$conf_tar"
+		exit 1
+	fi
 
 	rm -f "$CONFFILES"
 }
@@ -199,7 +204,8 @@ type platform_check_image >/dev/null 2>/dev/null || {
 }
 
 case "$IMAGE" in
-	http://*)
+	http://*|\
+	https://*)
 		wget -O/tmp/sysupgrade.img "$IMAGE"
 		IMAGE=/tmp/sysupgrade.img
 		;;
@@ -267,7 +273,7 @@ fi
 run_hooks "" $sysupgrade_pre_upgrade
 
 install_bin /sbin/upgraded
-v "Commencing upgrade. All shell sessions will be closed now."
+v "Commencing upgrade. Closing all shell sessions."
 
 COMMAND='. /lib/functions.sh; include /lib/upgrade; do_upgrade_stage2'
 

package/base-files/files/sbin/wifi

@@ -6,7 +6,7 @@
 
 usage() {
 	cat <<EOF
-Usage: $0 [config|down|reload|status]
+Usage: $0 [config|up|down|reload|status]
 enables (default), disables or configures devices not yet configured.
 EOF
 	exit 1
@@ -241,5 +241,6 @@ case "$1" in
 	reload) wifi_reload "$2";;
 	reload_legacy) wifi_reload_legacy "$2";;
 	--help|help) usage;;
-	*) ubus call network reload; wifi_updown "enable" "$2";;
+	''|up) ubus call network reload; wifi_updown "enable" "$2";;
+	*) usage; exit 1;;
 esac

package/base-files/files/usr/lib/os-release

@@ -4,7 +4,7 @@ ID="%d"
 ID_LIKE="lede openwrt"
 PRETTY_NAME="%D %V"
 VERSION_ID="%v"
-HOME_URL="%m"
+HOME_URL="%u"
 BUG_URL="%b"
 SUPPORT_URL="%s"
 BUILD_ID="%R"

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.0"
+		default "http://downloads.openwrt.org/releases/18.06.2"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:
@@ -202,6 +202,12 @@ if VERSIONOPT
 			 %P .. Product name or "Generic"
 			 %h .. Hardware revision or "v0"
 
+	config VERSION_HOME_URL
+		string
+		prompt "Release Homepage"
+		help
+			This is the release version homepage
+
 	config VERSION_MANUFACTURER
 		string
 		prompt "Manufacturer name"

package/boot/grub2/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=grub
 PKG_CPE_ID:=cpe:/a:gnu:grub2
 PKG_VERSION:=2.02
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/grub

package/boot/grub2/patches/300-CVE-2015-8370.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Fri, 13 Nov 2015 16:21:09 +0100
+Subject: [PATCH] Fix security issue when reading username and password
+
+  This patch fixes two integer underflows at:
+    * grub-core/lib/crypto.c
+    * grub-core/normal/auth.c
+
+Resolves: CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+---
+ grub-core/lib/crypto.c  | 2 +-
+ grub-core/normal/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    cur_len--;
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    {

package/boot/uboot-fritz4040/patches/120-net-Use-packed-structures-for-networking.patch

@@ -0,0 +1,137 @@
+From: Denis Pynkin <denis.pynkin@collabora.com>
+Date: Fri, 21 Jul 2017 19:28:42 +0300
+Subject: [PATCH] net: Use packed structures for networking
+
+PXE boot is broken with GCC 7.1 due option '-fstore-merging' enabled
+by default for '-O2':
+
+BOOTP broadcast 1
+data abort
+pc : [<8ff8bb30>]          lr : [<00004f1f>]
+reloc pc : [<17832b30>]    lr : [<878abf1f>]
+sp : 8f558bc0  ip : 00000000     fp : 8ffef5a4
+r10: 8ffed248  r9 : 8f558ee0     r8 : 8ffef594
+r7 : 0000000e  r6 : 8ffed700     r5 : 00000000  r4 : 8ffed74e
+r3 : 00060101  r2 : 8ffed230     r1 : 8ffed706  r0 : 00000ddd
+Flags: nzcv  IRQs off  FIQs off  Mode SVC_32
+Resetting CPU ...
+
+Core reason is usage of structures for network headers without packed
+attribute.
+
+Reviewed-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+[backported from u-boot main]
+---
+
+--- a/include/net.h
++++ b/include/net.h
+@@ -182,7 +182,7 @@ struct ethernet_hdr {
+ 	uchar		et_dest[6];	/* Destination node		*/
+ 	uchar		et_src[6];	/* Source node			*/
+ 	ushort		et_protlen;	/* Protocol or length		*/
+-};
++} __attribute__((packed));
+ 
+ /* Ethernet header size */
+ #define ETHER_HDR_SIZE	(sizeof(struct ethernet_hdr))
+@@ -198,7 +198,7 @@ struct e802_hdr {
+ 	uchar		et_snap2;
+ 	uchar		et_snap3;
+ 	ushort		et_prot;	/* 802 protocol			*/
+-};
++} __attribute__((packed));
+ 
+ /* 802 + SNAP + ethernet header size */
+ #define E802_HDR_SIZE	(sizeof(struct e802_hdr))
+@@ -212,7 +212,7 @@ struct vlan_ethernet_hdr {
+ 	ushort		vet_vlan_type;	/* PROT_VLAN			*/
+ 	ushort		vet_tag;	/* TAG of VLAN			*/
+ 	ushort		vet_type;	/* protocol type		*/
+-};
++} __attribute__((packed));
+ 
+ /* VLAN Ethernet header size */
+ #define VLAN_ETHER_HDR_SIZE	(sizeof(struct vlan_ethernet_hdr))
+@@ -239,7 +239,7 @@ struct ip_hdr {
+ 	ushort		ip_sum;		/* checksum			*/
+ 	IPaddr_t	ip_src;		/* Source IP address		*/
+ 	IPaddr_t	ip_dst;		/* Destination IP address	*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_OFFS		0x1fff /* ip offset *= 8 */
+ #define IP_FLAGS	0xe000 /* first 3 bits */
+@@ -267,7 +267,7 @@ struct ip_udp_hdr {
+ 	ushort		udp_dst;	/* UDP destination port		*/
+ 	ushort		udp_len;	/* Length of UDP packet		*/
+ 	ushort		udp_xsum;	/* Checksum			*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_UDP_HDR_SIZE		(sizeof(struct ip_udp_hdr))
+ #define UDP_HDR_SIZE		(IP_UDP_HDR_SIZE - IP_HDR_SIZE)
+@@ -306,7 +306,7 @@ struct arp_hdr {
+ 	uchar		ar_tha[];	/* Target hardware address	*/
+ 	uchar		ar_tpa[];	/* Target protocol address	*/
+ #endif /* 0 */
+-};
++} __attribute__((packed));
+ 
+ #define ARP_HDR_SIZE	(8+20)		/* Size assuming ethernet	*/
+ 
+@@ -341,7 +341,7 @@ struct icmp_hdr {
+ 		} frag;
+ 		uchar data[0];
+ 	} un;
+-};
++} __attribute__((packed));
+ 
+ #define ICMP_HDR_SIZE		(sizeof(struct icmp_hdr))
+ #define IP_ICMP_HDR_SIZE	(IP_HDR_SIZE + ICMP_HDR_SIZE)
+--- a/net/bootp.h
++++ b/net/bootp.h
+@@ -49,7 +49,7 @@ struct Bootp_t {
+ 	char		bp_sname[64];	/* Server host name		*/
+ 	char		bp_file[128];	/* Boot file name		*/
+ 	char		bp_vend[OPT_FIELD_SIZE]; /* Vendor information	*/
+-};
++} __attribute__((packed));
+ 
+ #define BOOTP_HDR_SIZE	sizeof(struct Bootp_t)
+ 
+--- a/net/dns.h
++++ b/net/dns.h
+@@ -32,7 +32,7 @@ struct header {
+ 	uint16_t	nauth;		/* Authority PRs */
+ 	uint16_t	nother;		/* Other PRs */
+ 	unsigned char	data[1];	/* Data, variable length */
+-};
++} __attribute__((packed));
+ 
+ extern void DnsStart(void);		/* Begin DNS */
+ 
+--- a/net/nfs.h
++++ b/net/nfs.h
+@@ -71,7 +71,7 @@ struct rpc_t {
+ 			uint32_t data[19];
+ 		} reply;
+ 	} u;
+-};
++} __attribute__((packed));
+ extern void NfsStart(void);	/* Begin NFS */
+ 
+ 
+--- a/net/sntp.h
++++ b/net/sntp.h
+@@ -54,7 +54,7 @@ struct sntp_pkt_t {
+ 	unsigned long long originate_timestamp;
+ 	unsigned long long receive_timestamp;
+ 	unsigned long long transmit_timestamp;
+-};
++} __attribute__((packed));
+ 
+ extern void SntpStart(void);	/* Begin SNTP */
+ 

package/boot/uboot-lantiq/patches/0029-net-Use_packed_structures-for_networking.patch

@@ -0,0 +1,142 @@
+From 704f3acfcf55343043bbed01c5fb0a0094a68e8a Mon Sep 17 00:00:00 2001
+From: Denis Pynkin <denis.pynkin@collabora.com>
+Date: Fri, 21 Jul 2017 19:28:42 +0300
+Subject: [PATCH] net: Use packed structures for networking
+
+PXE boot is broken with GCC 7.1 due option '-fstore-merging' enabled
+by default for '-O2':
+
+BOOTP broadcast 1
+data abort
+pc : [<8ff8bb30>]          lr : [<00004f1f>]
+reloc pc : [<17832b30>]    lr : [<878abf1f>]
+sp : 8f558bc0  ip : 00000000     fp : 8ffef5a4
+r10: 8ffed248  r9 : 8f558ee0     r8 : 8ffef594
+r7 : 0000000e  r6 : 8ffed700     r5 : 00000000  r4 : 8ffed74e
+r3 : 00060101  r2 : 8ffed230     r1 : 8ffed706  r0 : 00000ddd
+Flags: nzcv  IRQs off  FIQs off  Mode SVC_32
+Resetting CPU ...
+
+Core reason is usage of structures for network headers without packed
+attribute.
+
+Reviewed-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+---
+ include/net.h | 14 +++++++-------
+ net/bootp.h   |  2 +-
+ net/dns.h     |  2 +-
+ net/nfs.h     |  2 +-
+ net/sntp.h    |  2 +-
+ 5 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/include/net.h
++++ b/include/net.h
+@@ -203,7 +203,7 @@ struct ethernet_hdr {
+ 	uchar		et_dest[6];	/* Destination node		*/
+ 	uchar		et_src[6];	/* Source node			*/
+ 	ushort		et_protlen;	/* Protocol or length		*/
+-};
++} __attribute__((packed));
+ 
+ /* Ethernet header size */
+ #define ETHER_HDR_SIZE	(sizeof(struct ethernet_hdr))
+@@ -219,7 +219,7 @@ struct e802_hdr {
+ 	uchar		et_snap2;
+ 	uchar		et_snap3;
+ 	ushort		et_prot;	/* 802 protocol			*/
+-};
++} __attribute__((packed));
+ 
+ /* 802 + SNAP + ethernet header size */
+ #define E802_HDR_SIZE	(sizeof(struct e802_hdr))
+@@ -233,7 +233,7 @@ struct vlan_ethernet_hdr {
+ 	ushort		vet_vlan_type;	/* PROT_VLAN			*/
+ 	ushort		vet_tag;	/* TAG of VLAN			*/
+ 	ushort		vet_type;	/* protocol type		*/
+-};
++} __attribute__((packed));
+ 
+ /* VLAN Ethernet header size */
+ #define VLAN_ETHER_HDR_SIZE	(sizeof(struct vlan_ethernet_hdr))
+@@ -260,7 +260,7 @@ struct ip_hdr {
+ 	ushort		ip_sum;		/* checksum			*/
+ 	IPaddr_t	ip_src;		/* Source IP address		*/
+ 	IPaddr_t	ip_dst;		/* Destination IP address	*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_OFFS		0x1fff /* ip offset *= 8 */
+ #define IP_FLAGS	0xe000 /* first 3 bits */
+@@ -288,7 +288,7 @@ struct ip_udp_hdr {
+ 	ushort		udp_dst;	/* UDP destination port		*/
+ 	ushort		udp_len;	/* Length of UDP packet		*/
+ 	ushort		udp_xsum;	/* Checksum			*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_UDP_HDR_SIZE		(sizeof(struct ip_udp_hdr))
+ #define UDP_HDR_SIZE		(IP_UDP_HDR_SIZE - IP_HDR_SIZE)
+@@ -327,7 +327,7 @@ struct arp_hdr {
+ 	uchar		ar_tha[];	/* Target hardware address	*/
+ 	uchar		ar_tpa[];	/* Target protocol address	*/
+ #endif /* 0 */
+-};
++} __attribute__((packed));
+ 
+ #define ARP_HDR_SIZE	(8+20)		/* Size assuming ethernet	*/
+ 
+@@ -362,7 +362,7 @@ struct icmp_hdr {
+ 		} frag;
+ 		uchar data[0];
+ 	} un;
+-};
++} __attribute__((packed));
+ 
+ #define ICMP_HDR_SIZE		(sizeof(struct icmp_hdr))
+ #define IP_ICMP_HDR_SIZE	(IP_HDR_SIZE + ICMP_HDR_SIZE)
+--- a/net/bootp.h
++++ b/net/bootp.h
+@@ -49,7 +49,7 @@ struct Bootp_t {
+ 	char		bp_sname[64];	/* Server host name		*/
+ 	char		bp_file[128];	/* Boot file name		*/
+ 	char		bp_vend[OPT_FIELD_SIZE]; /* Vendor information	*/
+-};
++} __attribute__((packed));
+ 
+ #define BOOTP_HDR_SIZE	sizeof(struct Bootp_t)
+ 
+--- a/net/dns.h
++++ b/net/dns.h
+@@ -29,7 +29,7 @@ struct header {
+ 	uint16_t	nauth;		/* Authority PRs */
+ 	uint16_t	nother;		/* Other PRs */
+ 	unsigned char	data[1];	/* Data, variable length */
+-};
++} __attribute__((packed));
+ 
+ extern void DnsStart(void);		/* Begin DNS */
+ 
+--- a/net/sntp.h
++++ b/net/sntp.h
+@@ -51,7 +51,7 @@ struct sntp_pkt_t {
+ 	unsigned long long originate_timestamp;
+ 	unsigned long long receive_timestamp;
+ 	unsigned long long transmit_timestamp;
+-};
++} __attribute__((packed));
+ 
+ extern void SntpStart(void);	/* Begin SNTP */
+ 
+--- a/net/nfs.h
++++ b/net/nfs.h
+@@ -68,7 +68,7 @@ struct rpc_t {
+ 			uint32_t data[19];
+ 		} reply;
+ 	} u;
+-};
++} __attribute__((packed));
+ extern void NfsStart(void);	/* Begin NFS */
+ 
+ 

package/devel/strace/Makefile

@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=strace
-PKG_VERSION:=4.20
+PKG_VERSION:=4.22
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=5bf3148dd17306a42566f7da17368fdd781afa147db05ea63a4ca2b50f58c523
+PKG_SOURCE_URL:=https://strace.io/files/$(PKG_VERSION)
+PKG_HASH:=068cd09264c95e4d591bbcd3ea08f99a693ed8663cd5169b0fdad72eb5bdb39d
 
 PKG_LICENSE:=BSD-3c
 PKG_LICENSE_FILES:=COPYRIGHT
@@ -30,6 +30,10 @@ include $(INCLUDE_DIR)/package.mk
 
 HOST_CFLAGS += -I$(LINUX_DIR)/user_headers/include
 
+ifeq ($(ARCH),aarch64)
+  CONFIGURE_ARGS += --enable-mpers=check
+endif
+
 CONFIGURE_VARS+= \
 	LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
 	CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \

package/firmware/amd64-microcode/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=amd64-microcode
-PKG_VERSION:=20171205
+PKG_VERSION:=20180524
 PKG_RELEASE:=1
 
 PKG_SOURCE:=amd64-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/a/amd64-microcode/
-PKG_HASH:=a38bc072f535a3d3c1bf4e9e545197aa5114e979e94ef7e4a67e615df2f853a7
+PKG_HASH:=7c389c357c242e7161f6872bf4e12011a71e4c0683f06fb1bcfad650a78bf0a9
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
 
 PKG_LICENSE_FILE:=LICENSE.amd-ucode

package/firmware/ath10k-firmware/Makefile

@@ -8,9 +8,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ath10k-firmware
-PKG_SOURCE_DATE:=2018-04-19
-PKG_SOURCE_VERSION:=71e50312b54cc972657a7b08c470088447cb9676
-PKG_MIRROR_HASH:=726e7bce9917532e3b39ced6a17ca2d4c39fdf4c9bec4a3f8f2ea3e5defa6a54
+PKG_SOURCE_DATE:=2018-05-12
+PKG_SOURCE_VERSION:=952afa4949cb34193040cd4e7441e1aee50ac731
+PKG_MIRROR_HASH:=dd300f3f28b8f8c07c93065fd9dc1c9785ebda8f15398b4d2d33f9418adcaf46
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
@@ -403,7 +403,7 @@ define Package/ath10k-firmware-qca4019/install
 		$(PKG_BUILD_DIR)/QCA4019/hw1.0/board-2.bin \
 		$(1)/lib/firmware/ath10k/QCA4019/hw1.0/
 	$(INSTALL_DATA) \
-		$(PKG_BUILD_DIR)/QCA4019/hw1.0/3.4/firmware-5.bin_10.4-3.4-00104 \
+		$(PKG_BUILD_DIR)/QCA4019/hw1.0/3.5.3/firmware-5.bin_10.4-3.5.3-00057 \
 		$(1)/lib/firmware/ath10k/QCA4019/hw1.0/firmware-5.bin
 endef
 
@@ -433,13 +433,25 @@ define Package/ath10k-firmware-qca988x/install
 		$(PKG_BUILD_DIR)/QCA988X/hw2.0/board.bin \
 		$(1)/lib/firmware/ath10k/QCA988X/hw2.0/
 	$(INSTALL_DATA) \
-		$(PKG_BUILD_DIR)/QCA988X/hw2.0/10.2.4-1.0/firmware-5.bin_10.2.4-1.0-00033 \
+		$(PKG_BUILD_DIR)/QCA988X/hw2.0/10.2.4-1.0/firmware-5.bin_10.2.4-1.0-00037 \
 		$(1)/lib/firmware/ath10k/QCA988X/hw2.0/firmware-5.bin
 endef
 
 define Package/ath10k-firmware-qca6174/install
-	$(INSTALL_DIR) $(1)/lib/firmware/ath10k
-	$(CP) $(PKG_BUILD_DIR)/QCA6174 $(1)/lib/firmware/ath10k/
+	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA6174/hw2.1
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw2.1/board-2.bin \
+		$(1)/lib/firmware/ath10k/QCA6174/hw2.1/
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw2.1/firmware-5.bin_SW_RM.1.1.1-00157-QCARMSWPZ-1 \
+		$(1)/lib/firmware/ath10k/QCA6174/hw2.1/firmware-5.bin
+	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA6174/hw3.0
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw3.0/board-2.bin \
+		$(1)/lib/firmware/ath10k/QCA6174/hw3.0/
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw3.0/4.4.1.c1/firmware-6.bin_RM.4.4.1.c1-00042-QCARMSWP-1 \
+		$(1)/lib/firmware/ath10k/QCA6174/hw3.0/firmware-6.bin
 endef
 
 define Package/ath10k-firmware-qca99x0/install

package/firmware/intel-microcode/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=intel-microcode
-PKG_VERSION:=20180312
-PKG_RELEASE:=1
+PKG_VERSION:=20180703
+PKG_RELEASE:=2
 
 PKG_SOURCE:=intel-microcode_3.$(PKG_VERSION).$(PKG_RELEASE).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/non-free/i/intel-microcode/
-PKG_HASH:=6ccb295d23961c7b96a69280e30fdce939e1d905147b22b8428886b173812d52
+PKG_HASH:=26dfaa47100ce3d06f968edefa7539da10de7b96d5d8e26ee8174a040ee5cdae
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-3.$(PKG_VERSION).$(PKG_RELEASE)
 
 PKG_BUILD_DEPENDS:=iucode-tool/host
@@ -36,14 +36,14 @@ endef
 
 define Build/Compile
 	IUCODE_TOOL=$(STAGING_DIR)/../host/bin/iucode_tool $(MAKE) -C $(PKG_BUILD_DIR)
-	mkdir $(PKG_BUILD_DIR)/intel-ucode
+	mkdir $(PKG_BUILD_DIR)/intel-ucode-ipkg
 	$(STAGING_DIR)/../host/bin/iucode_tool -q \
-		--write-firmware=$(PKG_BUILD_DIR)/intel-ucode $(PKG_BUILD_DIR)/$(MICROCODE).bin
+		--write-firmware=$(PKG_BUILD_DIR)/intel-ucode-ipkg $(PKG_BUILD_DIR)/$(MICROCODE).bin
 endef
 
 define Package/intel-microcode/install
 	$(INSTALL_DIR) $(1)/lib/firmware/intel-ucode
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/intel-ucode/* $(1)/lib/firmware/intel-ucode
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/intel-ucode-ipkg/* $(1)/lib/firmware/intel-ucode
 endef
 
 $(eval $(call BuildPackage,intel-microcode))

package/kernel/brcm2708-gpu-fw/Makefile

@@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=brcm2708-gpu-fw
-PKG_VERSION:=2017-08-08
-PKG_RELEASE:=e7ba7ab135f5a68b2c00a919ea9ac8d5528a5d5b
+PKG_VERSION:=2018-11-29
+PKG_RELEASE:=b428bdd819df8d0ad3009b64492a4b3d1f9453e4
 
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)/rpi-firmware-$(PKG_RELEASE)
 
@@ -33,7 +33,7 @@ define Download/bootcode_bin
   FILE:=$(RPI_FIRMWARE_FILE)-bootcode.bin
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=bootcode.bin
-  HASH:=b5928ef5253774362014f9e7de856397a932514fe1bc5d7f7817a73c0e10e863
+  HASH:=7b24659eb049333eec69f59cf0c5aa0d49eab5ed67726af3c6f0c9bcf1e3f9e3
 endef
 $(eval $(call Download,bootcode_bin))
 
@@ -41,7 +41,7 @@ define Download/fixup_dat
   FILE:=$(RPI_FIRMWARE_FILE)-fixup.dat
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=fixup.dat
-  HASH:=d95fcac57de7ab71e863a115fd60444f6099cb2ea100f4a68b2c606f79e775ed
+  HASH:=5e5946fe7c0b1f5e270f43a17aef5f6da5758d5e544ed37137628c972c9b8061
 endef
 $(eval $(call Download,fixup_dat))
 
@@ -49,7 +49,7 @@ define Download/fixup_cd_dat
   FILE:=$(RPI_FIRMWARE_FILE)-fixup_cd.dat
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=fixup_cd.dat
-  HASH:=28f3ec8388df4e0c47489f8370a29ca81dbc536fe7db9978342865b5d093ec36
+  HASH:=d7ed04063af818695f6d2f6ffdde8304c19385051c9cee7f8d6d5b20851e4e55
 endef
 $(eval $(call Download,fixup_cd_dat))
 
@@ -57,7 +57,7 @@ define Download/start_elf
   FILE:=$(RPI_FIRMWARE_FILE)-start.elf
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=start.elf
-  HASH:=8712fb4e241a22f7a33de0f1d420e0fdfff237952aa685c907b91e59c8d487fa
+  HASH:=7e69d068c249cd859f5c44a8cf80a5e96a3f3fbeeeb0260de7373130a1d9b0fe
 endef
 $(eval $(call Download,start_elf))
 
@@ -65,7 +65,7 @@ define Download/start_cd_elf
   FILE:=$(RPI_FIRMWARE_FILE)-start_cd.elf
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=start_cd.elf
-  HASH:=c600ab34bea389da10aac541bf2f9c62e5f774093b7e1f2f72c4637f9cf3a83c
+  HASH:=08aee2119a19c3556099ff875181d8e5440ebd1cecf1a5936b9340fe41da4428
 endef
 $(eval $(call Download,start_cd_elf))
 

package/kernel/gpio-nct5104d/src/gpio-nct5104d.c

@@ -434,11 +434,6 @@ static int __init nct5104d_gpio_init(void)
 	const char *board_vendor = dmi_get_system_info(DMI_BOARD_VENDOR);
 	const char *board_name = dmi_get_system_info(DMI_BOARD_NAME);
 
- 	/* Make sure we only run on PC Engine APU boards */
-	if (!board_name || !board_vendor || strcasecmp(board_vendor, "PC Engines") || strncasecmp(board_name, "apu", 3)) {
-		return -ENODEV;
-	}
-
 	if (nct5104d_find(0x2e, &sio) &&
 	    nct5104d_find(0x4e, &sio))
 		return -ENODEV;

package/kernel/kmod-sched-cake/Makefile

@@ -13,9 +13,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/dtaht/sch_cake.git
-PKG_SOURCE_DATE:=2018-07-16
-PKG_SOURCE_VERSION:=f39ab9a402ad51d7c17d4cde18ca15b2b7022030
-PKG_MIRROR_HASH:=fc22fc6eb7a24f4595c2777f33758ebcf9a2a404c16d00aa37ae389cd7f9c78f
+PKG_SOURCE_DATE:=2019-01-08
+PKG_SOURCE_VERSION:=331ac70c8580544cd08a556579dc8807d9941d2e
+PKG_MIRROR_HASH:=e2174531a92d1e9c48bcb74757399255aa205cb64f9863f307e357c5e23c3449
 PKG_MAINTAINER:=Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 
 include $(INCLUDE_DIR)/package.mk

package/kernel/leds-apu2/src/leds-apu2.c

@@ -331,18 +331,6 @@ static int __init gpio_apu2_init (void)
 	const char *board_vendor = dmi_get_system_info(DMI_BOARD_VENDOR);
 	const char *board_name = dmi_get_system_info(DMI_BOARD_NAME);
 
-	/* Match the device name/model */
-	if (!board_name \
-			|| !board_vendor \
-			|| strcasecmp(board_vendor, "PC Engines") \
-			|| (strcasecmp(board_name, "apu2") \
-				&& strcasecmp(board_name, "apu3") \
-				&& strcasecmp(board_name, "PC Engines apu2") \
-				&& strcasecmp(board_name, "PC Engines apu3"))) {
-		err = -ENODEV;
-		goto exit;
-	}
-
 	pr_info ("%s: load APU2/LED GPIO driver module\n", DEVNAME);
 
 	err = platform_driver_register (&gpio_apu2_driver);

package/kernel/linux/Makefile

@@ -14,7 +14,7 @@ PKG_FLAGS:=hold
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/packages
 SCAN_DEPS=modules/*.mk $(TOPDIR)/target/linux/*/modules.mk $(TOPDIR)/include/netfilter.mk
 
-PKG_LICENSE:=GPLv2
+PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=
 
 export SHELL:=/bin/sh

package/kernel/linux/files/sysctl-tcp-bbr-k4_9.conf

@@ -0,0 +1,5 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+net.ipv4.tcp_congestion_control=bbr
+net.core.default_qdisc=fq

package/kernel/linux/files/sysctl-tcp-bbr.conf

@@ -0,0 +1,4 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+net.ipv4.tcp_congestion_control=bbr

package/kernel/linux/modules/crypto.mk

@@ -441,8 +441,21 @@ $(eval $(call KernelPackage,crypto-michael-mic))
 
 define KernelPackage/crypto-misc
   TITLE:=Other CryptoAPI modules
-  DEPENDS:=+kmod-crypto-manager
+  DEPENDS:=+kmod-crypto-xts
   KCONFIG:= \
+	CONFIG_CRYPTO_CAMELLIA_X86_64 \
+	CONFIG_CRYPTO_BLOWFISH_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_X86_64_3WAY \
+	CONFIG_CRYPTO_SERPENT_SSE2_X86_64 \
+	CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 \
+	CONFIG_CRYPTO_CAST5_AVX_X86_64 \
+	CONFIG_CRYPTO_CAST6_AVX_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_AVX_X86_64 \
+	CONFIG_CRYPTO_SERPENT_AVX_X86_64 \
+	CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 \
+	CONFIG_CRYPTO_SERPENT_AVX2_X86_64 \
+	CONFIG_CRYPTO_SERPENT_SSE2_586 \
 	CONFIG_CRYPTO_ANUBIS \
 	CONFIG_CRYPTO_BLOWFISH \
 	CONFIG_CRYPTO_CAMELLIA \
@@ -472,15 +485,50 @@ define KernelPackage/crypto-misc
 	$(LINUX_DIR)/crypto/blowfish_common.ko \
 	$(LINUX_DIR)/crypto/blowfish_generic.ko \
 	$(LINUX_DIR)/crypto/serpent_generic.ko
+  AUTOLOAD:=$(call AutoLoad,10,anubis camellia_generic cast_common \
+	cast5_generic cast6_generic khazad tea tgr192 twofish_common \
+	wp512 blowfish_common serpent_generic)
+  ifndef CONFIG_TARGET_x86
+	AUTOLOAD+= $(call AutoLoad,10,twofish_generic blowfish_generic)
+  endif
   $(call AddDepends/crypto)
 endef
 
 ifndef CONFIG_TARGET_x86_64
   define KernelPackage/crypto-misc/x86
-    FILES+=$(LINUX_DIR)/arch/x86/crypto/twofish-i586.ko
+    FILES+= \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-i586.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-sse2-i586.ko \
+	$(LINUX_DIR)/arch/x86/crypto/glue_helper.ko \
+	$(LINUX_DIR)/crypto/ablk_helper.ko \
+	$(LINUX_DIR)/crypto/cryptd.ko \
+	$(LINUX_DIR)/crypto/lrw.ko
+    AUTOLOAD+= $(call AutoLoad,10,lrw cryptd ablk_helper glue_helper \
+	serpent-sse2-i586 twofish-i586 blowfish_generic)
   endef
 endif
 
+define KernelPackage/crypto-misc/x86/64
+  FILES+= \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/blowfish-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-x86_64-3way.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-sse2-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-aesni-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/cast5-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/cast6-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-aesni-avx2.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-avx2.ko \
+	$(LINUX_DIR)/crypto/ablk_helper.ko
+  AUTOLOAD+= $(call AutoLoad,10,ablk_helper camellia-x86_64 \
+	camellia-aesni-avx-x86_64 camellia-aesni-avx2 cast5-avx-x86_64 \
+	cast6-avx-x86_64 twofish-x86_64 twofish-x86_64-3way \
+	twofish-avx-x86_64 blowfish-x86_64 serpent-avx-x86_64 serpent-avx2)
+endef
+
 $(eval $(call KernelPackage,crypto-misc))
 
 

package/kernel/linux/modules/fs.mk

@@ -439,9 +439,14 @@ $(eval $(call KernelPackage,fs-nfs-v4))
 define KernelPackage/fs-nfsd
   SUBMENU:=$(FS_MENU)
   TITLE:=NFS kernel server support
-  DEPENDS:=+kmod-fs-nfs-common +kmod-fs-exportfs
+  DEPENDS:=+kmod-fs-nfs-common +kmod-fs-exportfs +kmod-fs-nfs-common-rpcsec
   KCONFIG:= \
 	CONFIG_NFSD \
+	CONFIG_NFSD_V4=y \
+	CONFIG_NFSD_V4_SECURITY_LABEL=n \
+	CONFIG_NFSD_BLOCKLAYOUT=n \
+	CONFIG_NFSD_SCSILAYOUT=n \
+	CONFIG_NFSD_FLEXFILELAYOUT=n \
 	CONFIG_NFSD_FAULT_INJECTION=n
   FILES:=$(LINUX_DIR)/fs/nfsd/nfsd.ko
   AUTOLOAD:=$(call AutoLoad,40,nfsd)

package/kernel/linux/modules/netfilter.mk

@@ -237,6 +237,7 @@ define KernelPackage/ipt-filter/description
  Netfilter (IPv4) kernel modules for packet content inspection
  Includes:
  - string
+ - bpf
 endef
 
 $(eval $(call KernelPackage,ipt-filter))
@@ -642,7 +643,7 @@ define KernelPackage/ipt-cluster
   KCONFIG:=$(KCONFIG_IPT_CLUSTER)
   FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m)))
-  $(call AddDepends/ipt)
+  $(call AddDepends/ipt,+kmod-nf-conntrack)
 endef
 
 define KernelPackage/ipt-cluster/description
@@ -1051,3 +1052,23 @@ define KernelPackage/nft-nat6
 endef
 
 $(eval $(call KernelPackage,nft-nat6))
+
+define KernelPackage/nft-netdev
+  SUBMENU:=$(NF_MENU)
+  TITLE:=Netfilter nf_tables netdev support
+  DEPENDS:=+kmod-nft-core
+  KCONFIG:= \
+	CONFIG_NETFILTER_INGRESS=y \
+	CONFIG_NF_TABLES_NETDEV \
+	CONFIG_NF_DUP_NETDEV \
+	CONFIG_NFT_DUP_NETDEV \
+	CONFIG_NFT_FWD_NETDEV
+  FILES:= \
+	$(LINUX_DIR)/net/netfilter/nf_tables_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nf_dup_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nft_dup_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nft_fwd_netdev.ko
+  AUTOLOAD:=$(call AutoProbe,nf_tables_netdev nf_dup_netdev nft_dup_netdev nft_fwd_netdev)
+endef
+
+$(eval $(call KernelPackage,nft-netdev))

package/kernel/linux/modules/netsupport.mk

@@ -777,6 +777,37 @@ endef
 $(eval $(call KernelPackage,sched))
 
 
+define KernelPackage/tcp-bbr
+  SUBMENU:=$(NETWORK_SUPPORT_MENU)
+  TITLE:=BBR TCP congestion control
+  DEPENDS:=@!LINUX_3_18 @!LINUX_4_1 @!LINUX_4_4 +LINUX_4_9:kmod-sched
+  KCONFIG:= \
+	CONFIG_TCP_CONG_ADVANCED=y \
+	CONFIG_TCP_CONG_BBR
+  FILES:=$(LINUX_DIR)/net/ipv4/tcp_bbr.ko
+  AUTOLOAD:=$(call AutoLoad,74,tcp_bbr)
+endef
+
+define KernelPackage/tcp-bbr/description
+ Kernel module for BBR (Bottleneck Bandwidth and RTT) TCP congestion
+ control. It requires the fq ("Fair Queue") pacing packet scheduler.
+ For kernel 4.13+, TCP internal pacing is implemented as fallback.
+endef
+
+ifdef CONFIG_LINUX_4_9
+  TCP_BBR_SYSCTL_CONF:=sysctl-tcp-bbr-k4_9.conf
+else
+  TCP_BBR_SYSCTL_CONF:=sysctl-tcp-bbr.conf
+endif
+
+define KernelPackage/tcp-bbr/install
+	$(INSTALL_DIR) $(1)/etc/sysctl.d
+	$(INSTALL_DATA) ./files/$(TCP_BBR_SYSCTL_CONF) $(1)/etc/sysctl.d/12-tcp-bbr.conf
+endef
+
+$(eval $(call KernelPackage,tcp-bbr))
+
+
 define KernelPackage/ax25
   SUBMENU:=$(NETWORK_SUPPORT_MENU)
   TITLE:=AX25 support

package/kernel/linux/modules/other.mk

@@ -227,10 +227,14 @@ $(eval $(call KernelPackage,gpio-dev))
 define KernelPackage/gpio-mcp23s08
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Microchip MCP23xxx I/O expander
-  DEPENDS:=@GPIO_SUPPORT +kmod-i2c-core
-  KCONFIG:=CONFIG_GPIO_MCP23S08
-  FILES:=$(LINUX_DIR)/drivers/gpio/gpio-mcp23s08.ko
-  AUTOLOAD:=$(call AutoLoad,40,gpio-mcp23s08)
+  DEPENDS:=@GPIO_SUPPORT +kmod-i2c-core +LINUX_4_14:kmod-regmap
+  KCONFIG:= \
+	CONFIG_GPIO_MCP23S08 \
+	CONFIG_PINCTRL_MCP23S08
+  FILES:= \
+	$(LINUX_DIR)/drivers/gpio/gpio-mcp23s08.ko@lt4.13 \
+	$(LINUX_DIR)/drivers/pinctrl/pinctrl-mcp23s08.ko@ge4.13
+  AUTOLOAD:=$(call AutoLoad,40,gpio-mcp23s08@lt4.13 pinctrl-mcp23s08@ge4.13)
 endef
 
 define KernelPackage/gpio-mcp23s08/description

package/kernel/linux/modules/video.mk

@@ -56,34 +56,13 @@ $(eval $(call KernelPackage,backlight-pwm))
 
 define KernelPackage/fb
   SUBMENU:=$(VIDEO_MENU)
-  TITLE:=Framebuffer support
+  TITLE:=Framebuffer and framebuffer console support
   DEPENDS:=@DISPLAY_SUPPORT
   KCONFIG:= \
 	CONFIG_FB \
 	CONFIG_FB_MXS=n \
-	CONFIG_FB_SM750=n
-  FILES:=$(LINUX_DIR)/drivers/video/fbdev/core/fb.ko
-  AUTOLOAD:=$(call AutoLoad,06,fb)
-endef
-
-define KernelPackage/fb/description
- Kernel support for framebuffers
-endef
-
-define KernelPackage/fb/x86
-  FILES+=$(LINUX_DIR)/arch/x86/video/fbdev.ko
-  AUTOLOAD+=$(call AutoLoad,06,fbdev fb)
-endef
-
-$(eval $(call KernelPackage,fb))
-
-
-define KernelPackage/fbcon
-  SUBMENU:=$(VIDEO_MENU)
-  TITLE:=Framebuffer Console support
-  DEPENDS:=+kmod-fb @!LINUX_4_14
-  KCONFIG:= \
-	CONFIG_FRAMEBUFFER_CONSOLE \
+	CONFIG_FB_SM750=n \
+	CONFIG_FRAMEBUFFER_CONSOLE=y \
 	CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y \
 	CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y \
 	CONFIG_FONTS=y \
@@ -102,23 +81,22 @@ define KernelPackage/fbcon
 	CONFIG_CONSOLE_TRANSLATIONS=y \
 	CONFIG_VT_CONSOLE=y \
 	CONFIG_VT_HW_CONSOLE_BINDING=y
-  FILES:= \
-	$(LINUX_DIR)/drivers/video/console/bitblit.ko \
-	$(LINUX_DIR)/drivers/video/console/softcursor.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_rotate.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_cw.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_ud.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_ccw.ko \
+  FILES:=$(LINUX_DIR)/drivers/video/fbdev/core/fb.ko \
 	$(LINUX_DIR)/lib/fonts/font.ko
-  AUTOLOAD:=$(call AutoLoad,94,font softcursor tileblit fbcon_cw fbcon_ud fbcon_ccw fbcon_rotate bitblit fbcon)
+  AUTOLOAD:=$(call AutoLoad,06,fb font)
 endef
 
-define KernelPackage/fbcon/description
-  Kernel support for framebuffer console
+define KernelPackage/fb/description
+ Kernel support for framebuffers and framebuffer console.
 endef
 
-$(eval $(call KernelPackage,fbcon))
+define KernelPackage/fb/x86
+  FILES+=$(LINUX_DIR)/arch/x86/video/fbdev.ko
+  AUTOLOAD:=$(call AutoLoad,06,fbdev fb font)
+endef
+
+$(eval $(call KernelPackage,fb))
+
 
 define KernelPackage/fb-cfb-fillrect
   SUBMENU:=$(VIDEO_MENU)

package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh

@@ -14,6 +14,10 @@ MP_CONFIG_INT="mesh_retry_timeout mesh_confirm_timeout mesh_holding_timeout mesh
 MP_CONFIG_BOOL="mesh_auto_open_plinks mesh_fwding"
 MP_CONFIG_STRING="mesh_power_mode"
 
+iw() {
+	command iw $@ || logger -t mac80211 "Failed command: iw $@"
+}
+
 drv_mac80211_init_device_config() {
 	hostapd_common_add_device_config
 

package/kernel/mac80211/patches/009-backport_sg_init_marker.patch

@@ -0,0 +1,30 @@
+--- a/backport-include/linux/scatterlist.h
++++ b/backport-include/linux/scatterlist.h
+@@ -102,4 +102,27 @@ size_t sg_pcopy_from_buffer(struct scatt
+ 
+ #endif /* LINUX_VERSION_IS_LESS(3, 11, 0) */
+ 
++#if LINUX_VERSION_IS_LESS(4, 17, 0)
++
++#define sg_init_marker LINUX_BACKPORT(sg_init_marker)
++/**
++ * sg_init_marker - Initialize markers in sg table
++ * @sgl:	   The SG table
++ * @nents:	   Number of entries in table
++ *
++ **/
++static inline void sg_init_marker(struct scatterlist *sgl,
++				  unsigned int nents)
++{
++#ifdef CONFIG_DEBUG_SG
++	unsigned int i;
++
++	for (i = 0; i < nents; i++)
++		sgl[i].sg_magic = SG_MAGIC;
++#endif
++	sg_mark_end(&sgl[nents - 1]);
++}
++
++#endif /* LINUX_VERSION_IS_LESS(4, 17, 0) */
++
+ #endif /* __BACKPORT_SCATTERLIST_H */

package/kernel/mac80211/patches/011-backport-overflow_h.patch

@@ -0,0 +1,322 @@
+--- a/backport-include/linux/slab.h
++++ b/backport-include/linux/slab.h
+@@ -1,6 +1,7 @@
+ #ifndef __BACKPORT_SLAB_H
+ #define __BACKPORT_SLAB_H
+ #include_next <linux/slab.h>
++#include <linux/overflow.h>
+ #include <linux/version.h>
+ 
+ #if LINUX_VERSION_IS_LESS(3,4,0)
+--- /dev/null
++++ b/include/linux/overflow.h
+@@ -0,0 +1,309 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++#ifndef __LINUX_OVERFLOW_H
++#define __LINUX_OVERFLOW_H
++
++#include <linux/compiler.h>
++
++/*
++ * In the fallback code below, we need to compute the minimum and
++ * maximum values representable in a given type. These macros may also
++ * be useful elsewhere, so we provide them outside the
++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
++ *
++ * It would seem more obvious to do something like
++ *
++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
++ *
++ * Unfortunately, the middle expressions, strictly speaking, have
++ * undefined behaviour, and at least some versions of gcc warn about
++ * the type_max expression (but not if -fsanitize=undefined is in
++ * effect; in that case, the warning is deferred to runtime...).
++ *
++ * The slightly excessive casting in type_min is to make sure the
++ * macros also produce sensible values for the exotic type _Bool. [The
++ * overflow checkers only almost work for _Bool, but that's
++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third
++ * argument.]
++ *
++ * Idea stolen from
++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
++ * credit to Christian Biere.
++ */
++#define is_signed_type(type)       (((type)(-1)) < (type)1)
++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
++#define type_min(T) ((T)((T)-type_max(T)-(T)1))
++
++
++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
++/*
++ * For simplicity and code hygiene, the fallback code below insists on
++ * a, b and *d having the same type (similar to the min() and max()
++ * macros), whereas gcc's type-generic overflow checkers accept
++ * different types. Hence we don't just make check_add_overflow an
++ * alias for __builtin_add_overflow, but add type checks similar to
++ * below.
++ */
++#define check_add_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_add_overflow(__a, __b, __d);	\
++})
++
++#define check_sub_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_sub_overflow(__a, __b, __d);	\
++})
++
++#define check_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_mul_overflow(__a, __b, __d);	\
++})
++
++#else
++
++
++/* Checking for unsigned overflow is relatively easy without causing UB. */
++#define __unsigned_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a + __b;			\
++	*__d < __a;				\
++})
++#define __unsigned_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a - __b;			\
++	__a < __b;				\
++})
++/*
++ * If one of a or b is a compile-time constant, this avoids a division.
++ */
++#define __unsigned_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);				\
++	typeof(b) __b = (b);				\
++	typeof(d) __d = (d);				\
++	(void) (&__a == &__b);				\
++	(void) (&__a == __d);				\
++	*__d = __a * __b;				\
++	__builtin_constant_p(__b) ?			\
++	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
++	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
++})
++
++/*
++ * For signed types, detecting overflow is much harder, especially if
++ * we want to avoid UB. But the interface of these macros is such that
++ * we must provide a result in *d, and in fact we must produce the
++ * result promised by gcc's builtins, which is simply the possibly
++ * wrapped-around value. Fortunately, we can just formally do the
++ * operations in the widest relevant unsigned type (u64) and then
++ * truncate the result - gcc is smart enough to generate the same code
++ * with and without the (u64) casts.
++ */
++
++/*
++ * Adding two signed integers can overflow only if they have the same
++ * sign, and overflow has happened iff the result has the opposite
++ * sign.
++ */
++#define __signed_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a + (u64)__b;		\
++	(((~(__a ^ __b)) & (*__d ^ __a))	\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Subtraction is similar, except that overflow can now happen only
++ * when the signs are opposite. In this case, overflow has happened if
++ * the result has the opposite sign of a.
++ */
++#define __signed_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a - (u64)__b;		\
++	((((__a ^ __b)) & (*__d ^ __a))		\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Signed multiplication is rather hard. gcc always follows C99, so
++ * division is truncated towards 0. This means that we can write the
++ * overflow check like this:
++ *
++ * (a > 0 && (b > MAX/a || b < MIN/a)) ||
++ * (a < -1 && (b > MIN/a || b < MAX/a) ||
++ * (a == -1 && b == MIN)
++ *
++ * The redundant casts of -1 are to silence an annoying -Wtype-limits
++ * (included in -Wextra) warning: When the type is u8 or u16, the
++ * __b_c_e in check_mul_overflow obviously selects
++ * __unsigned_mul_overflow, but unfortunately gcc still parses this
++ * code and warns about the limited range of __b.
++ */
++
++#define __signed_mul_overflow(a, b, d) ({				\
++	typeof(a) __a = (a);						\
++	typeof(b) __b = (b);						\
++	typeof(d) __d = (d);						\
++	typeof(a) __tmax = type_max(typeof(a));				\
++	typeof(a) __tmin = type_min(typeof(a));				\
++	(void) (&__a == &__b);						\
++	(void) (&__a == __d);						\
++	*__d = (u64)__a * (u64)__b;					\
++	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
++	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
++	(__b == (typeof(__b))-1 && __a == __tmin);			\
++})
++
++
++#define check_add_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_add_overflow(a, b, d),			\
++			__unsigned_add_overflow(a, b, d))
++
++#define check_sub_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_sub_overflow(a, b, d),			\
++			__unsigned_sub_overflow(a, b, d))
++
++#define check_mul_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_mul_overflow(a, b, d),			\
++			__unsigned_mul_overflow(a, b, d))
++
++
++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
++
++/** check_shl_overflow() - Calculate a left-shifted value and check overflow
++ *
++ * @a: Value to be shifted
++ * @s: How many bits left to shift
++ * @d: Pointer to where to store the result
++ *
++ * Computes *@d = (@a << @s)
++ *
++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
++ * make sense. Example conditions:
++ * - 'a << s' causes bits to be lost when stored in *d.
++ * - 's' is garbage (e.g. negative) or so large that the result of
++ *   'a << s' is guaranteed to be 0.
++ * - 'a' is negative.
++ * - 'a << s' sets the sign bit, if any, in '*d'.
++ *
++ * '*d' will hold the results of the attempted shift, but is not
++ * considered "safe for use" if false is returned.
++ */
++#define check_shl_overflow(a, s, d) ({					\
++	typeof(a) _a = a;						\
++	typeof(s) _s = s;						\
++	typeof(d) _d = d;						\
++	u64 _a_full = _a;						\
++	unsigned int _to_shift =					\
++		_s >= 0 && _s < 8 * sizeof(*d) ? _s : 0;		\
++	*_d = (_a_full << _to_shift);					\
++	(_to_shift != _s || *_d < 0 || _a < 0 ||			\
++		(*_d >> _to_shift) != _a);				\
++})
++
++/**
++ * array_size() - Calculate size of 2-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ *
++ * Calculates size of 2-dimensional array: @a * @b.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array_size(size_t a, size_t b)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(a, b, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++/**
++ * array3_size() - Calculate size of 3-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ * @c: dimension three
++ *
++ * Calculates size of 3-dimensional array: @a * @b * @c.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(a, b, &bytes))
++		return SIZE_MAX;
++	if (check_mul_overflow(bytes, c, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(n, size, &bytes))
++		return SIZE_MAX;
++	if (check_add_overflow(bytes, c, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++/**
++ * struct_size() - Calculate size of structure with trailing array.
++ * @p: Pointer to the structure.
++ * @member: Name of the array member.
++ * @n: Number of elements in the array.
++ *
++ * Calculates size of memory needed for structure @p followed by an
++ * array of @n @member elements.
++ *
++ * Return: number of bytes needed or SIZE_MAX on overflow.
++ */
++#define struct_size(p, member, n)					\
++	__ab_c_size(n,							\
++		    sizeof(*(p)->member) + __must_be_array((p)->member),\
++		    sizeof(*(p)))
++
++#endif /* __LINUX_OVERFLOW_H */

package/kernel/mac80211/patches/013-backport-firmware_request_nowarn.patch

@@ -0,0 +1,19 @@
+--- a/backport-include/linux/firmware.h
++++ b/backport-include/linux/firmware.h
+@@ -5,5 +5,16 @@
+ #if LINUX_VERSION_IS_LESS(3,14,0)
+ #define request_firmware_direct(fw, name, device) request_firmware(fw, name, device)
+ #endif
++#if LINUX_VERSION_IS_LESS(4,18,0)
++#define firmware_request_nowarn(fw, name, device) request_firmware(fw, name, device)
++#endif
++
++#if LINUX_VERSION_IS_LESS(4,17,0)
++#define firmware_request_cache LINUX_BACKPORT(firmware_request_cache)
++static inline int firmware_request_cache(struct device *device, const char *name)
++{
++	return 0;
++}
++#endif
+ 
+ #endif /* __BACKPORT_LINUX_FIRMWARE_H */

package/kernel/mac80211/patches/090-Revert-rt2800-use-TXOP_BACKOFF-for-probe-frames.patch

@@ -38,6 +38,3 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  		txdesc->u.ht.txop = TXOP_BACKOFF;
  	else if (!(tx_info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT))
  		txdesc->u.ht.txop = TXOP_SIFS;
--- 
-2.17.1
-

package/kernel/mac80211/patches/338-v4.19-0001-brcmfmac-detect-firmware-support-for-monitor-interfa.patch

@@ -0,0 +1,59 @@
+From 01f69dfafdbe7deff58b58053bc3a4a75c6a570c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:35 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for monitor interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Many/most of firmwares support creating monitor interface but only the
+most recent ones explicitly /announce/ it using a "monitor" entry in the
+list of capabilities.
+
+Check for that entry and store internally info about monitor mode
+support using a new feature flag. Once we sort out all details of
+handling monitor interface it will be used when reporting available
+interfaces to the cfg80211.
+
+Later some fallback detecion method may be added for older firmwares.
+For now just stick to the "monitor" capability which should be 100%
+reliable.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -48,6 +48,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MBSS, "mbss" },
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
++	{ BRCMF_FEAT_MONITOR, "monitor" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -33,6 +33,7 @@
+  * MFP: 802.11w Management Frame Protection.
+  * GSCAN: enhanced scan offload feature.
+  * FWSUP: Firmware supplicant.
++ * MONITOR: firmware can pass monitor packets to host.
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -48,7 +49,8 @@
+ 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
+ 	BRCMF_FEAT_DEF(MFP) \
+ 	BRCMF_FEAT_DEF(GSCAN) \
+-	BRCMF_FEAT_DEF(FWSUP)
++	BRCMF_FEAT_DEF(FWSUP) \
++	BRCMF_FEAT_DEF(MONITOR)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/338-v4.19-0002-brcmfmac-detect-firmware-support-for-radiotap-monito.patch

@@ -0,0 +1,51 @@
+From e63410ac65e0ead2040bbd3927c116889edf87e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:36 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for radiotap monitor frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Depending on used build-time options some firmwares may already include
+radiotap header in passed monitor frames. Add a new feature flag to
+store info about it. It's needed for proper handling of received frames
+before passing them up.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -49,6 +49,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
+ 	{ BRCMF_FEAT_MONITOR, "monitor" },
++	{ BRCMF_FEAT_MONITOR_FMT_RADIOTAP, "rtap" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -34,6 +34,7 @@
+  * GSCAN: enhanced scan offload feature.
+  * FWSUP: Firmware supplicant.
+  * MONITOR: firmware can pass monitor packets to host.
++ * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -50,7 +51,8 @@
+ 	BRCMF_FEAT_DEF(MFP) \
+ 	BRCMF_FEAT_DEF(GSCAN) \
+ 	BRCMF_FEAT_DEF(FWSUP) \
+-	BRCMF_FEAT_DEF(MONITOR)
++	BRCMF_FEAT_DEF(MONITOR) \
++	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/338-v4.19-0003-brcmfmac-handle-msgbuf-packets-marked-with-monitor-m.patch

@@ -0,0 +1,137 @@
+From a8d7631858aff156b72f807ee7cc062048e63836 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:37 +0200
+Subject: [PATCH] brcmfmac: handle msgbuf packets marked with monitor mode flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New Broadcom firmwares mark monitor mode packets using a newly defined
+bit in the flags field. Use it to filter them out and pass to the
+monitor interface. These defines were found in bcmmsgbuf.h from SDK.
+
+As not every firmware generates radiotap header this commit introduces
+BRCMF_FEAT_MONITOR_FMT_RADIOTAP flag. It has to be has based on firmware
+capabilities. If not present brcmf_netif_mon_rx() will assume packet is
+a raw 802.11 frame and will prepend it with an empty radiotap header.
+
+This new code is limited to the msgbuf protocol at this point. Adding
+support for SDIO/USB devices will require some extra work (possibly a
+new firmware release).
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 25 ++++++++++++++++++++++
+ .../wireless/broadcom/brcm80211/brcmfmac/core.h    |  2 ++
+ .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.c  | 18 ++++++++++++++++
+ 3 files changed, 45 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -21,6 +21,7 @@
+ #include <net/cfg80211.h>
+ #include <net/rtnetlink.h>
+ #include <net/addrconf.h>
++#include <net/ieee80211_radiotap.h>
+ #include <net/ipv6.h>
+ #include <brcmu_utils.h>
+ #include <brcmu_wifi.h>
+@@ -404,6 +405,30 @@ void brcmf_netif_rx(struct brcmf_if *ifp
+ 		netif_rx_ni(skb);
+ }
+ 
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb)
++{
++	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_RADIOTAP)) {
++		/* Do nothing */
++	} else {
++		struct ieee80211_radiotap_header *radiotap;
++
++		/* TODO: use RX status to fill some radiotap data */
++		radiotap = skb_push(skb, sizeof(*radiotap));
++		memset(radiotap, 0, sizeof(*radiotap));
++		radiotap->it_len = cpu_to_le16(sizeof(*radiotap));
++
++		/* TODO: 4 bytes with receive status? */
++		skb->len -= 4;
++	}
++
++	skb->dev = ifp->ndev;
++	skb_reset_mac_header(skb);
++	skb->pkt_type = PACKET_OTHERHOST;
++	skb->protocol = htons(ETH_P_802_2);
++
++	brcmf_netif_rx(ifp, skb);
++}
++
+ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb,
+ 			    struct brcmf_if **ifp)
+ {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -121,6 +121,7 @@ struct brcmf_pub {
+ 
+ 	struct brcmf_if *iflist[BRCMF_MAX_IFS];
+ 	s32 if2bss[BRCMF_MAX_IFS];
++	struct brcmf_if *mon_if;
+ 
+ 	struct mutex proto_block;
+ 	unsigned char proto_buf[BRCMF_DCMD_MAXLEN];
+@@ -216,6 +217,7 @@ void brcmf_txflowblock_if(struct brcmf_i
+ 			  enum brcmf_netif_stop_reason reason, bool state);
+ void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
+ void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb);
+ void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
+ int __init brcmf_core_init(void);
+ void __exit brcmf_core_exit(void);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -69,6 +69,8 @@
+ #define BRCMF_MSGBUF_MAX_EVENTBUF_POST		8
+ 
+ #define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3	0x01
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11	0x02
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK	0x07
+ #define BRCMF_MSGBUF_PKT_FLAGS_PRIO_SHIFT	5
+ 
+ #define BRCMF_MSGBUF_TX_FLUSH_CNT1		32
+@@ -1128,6 +1130,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	struct sk_buff *skb;
+ 	u16 data_offset;
+ 	u16 buflen;
++	u16 flags;
+ 	u32 idx;
+ 	struct brcmf_if *ifp;
+ 
+@@ -1137,6 +1140,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	data_offset = le16_to_cpu(rx_complete->data_offset);
+ 	buflen = le16_to_cpu(rx_complete->data_len);
+ 	idx = le32_to_cpu(rx_complete->msg.request_id);
++	flags = le16_to_cpu(rx_complete->flags);
+ 
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
+ 				     msgbuf->rx_pktids, idx);
+@@ -1150,6 +1154,20 @@ brcmf_msgbuf_process_rx_complete(struct
+ 
+ 	skb_trim(skb, buflen);
+ 
++	if ((flags & BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK) ==
++	    BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11) {
++		ifp = msgbuf->drvr->mon_if;
++
++		if (!ifp) {
++			brcmf_err("Received unexpected monitor pkt\n");
++			brcmu_pkt_buf_free_skb(skb);
++			return;
++		}
++
++		brcmf_netif_mon_rx(ifp, skb);
++		return;
++	}
++
+ 	ifp = brcmf_get_ifp(msgbuf->drvr, rx_complete->msg.ifidx);
+ 	if (!ifp || !ifp->ndev) {
+ 		brcmf_err("Received pkt for invalid ifidx %d\n",

package/kernel/mac80211/patches/339-v4.19-brcmfmac-define-more-bits-for-the-flags-of-struct-br.patch

@@ -0,0 +1,60 @@
+From 4b4a8d808c58fc0defc32a26b2fea35d66692c45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 08:16:13 +0200
+Subject: [PATCH] brcmfmac: define more bits for the flags of struct
+ brcmf_sta_info_le
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is passed by a firmware when querying for STA info. Flags
+are used to indicate what info could be obtained.
+
+These new defines may allow passing more info to the cfg80211 in the
+future. They had been obtained from Broadcom's SDK file wlioctl_defs.h
+used by DD-WRT.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 29 ++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -32,11 +32,30 @@
+ #define	BRCMF_BSS_INFO_VERSION	109 /* curr ver of brcmf_bss_info_le struct */
+ #define BRCMF_BSS_RSSI_ON_CHANNEL	0x0002
+ 
+-#define BRCMF_STA_WME              0x00000002      /* WMM association */
+-#define BRCMF_STA_AUTHE            0x00000008      /* Authenticated */
+-#define BRCMF_STA_ASSOC            0x00000010      /* Associated */
+-#define BRCMF_STA_AUTHO            0x00000020      /* Authorized */
+-#define BRCMF_STA_SCBSTATS         0x00004000      /* Per STA debug stats */
++#define BRCMF_STA_BRCM			0x00000001	/* Running a Broadcom driver */
++#define BRCMF_STA_WME			0x00000002	/* WMM association */
++#define BRCMF_STA_NONERP		0x00000004	/* No ERP */
++#define BRCMF_STA_AUTHE			0x00000008	/* Authenticated */
++#define BRCMF_STA_ASSOC			0x00000010	/* Associated */
++#define BRCMF_STA_AUTHO			0x00000020	/* Authorized */
++#define BRCMF_STA_WDS			0x00000040	/* Wireless Distribution System */
++#define BRCMF_STA_WDS_LINKUP		0x00000080	/* WDS traffic/probes flowing properly */
++#define BRCMF_STA_PS			0x00000100	/* STA is in power save mode from AP's viewpoint */
++#define BRCMF_STA_APSD_BE		0x00000200	/* APSD delv/trigger for AC_BE is default enabled */
++#define BRCMF_STA_APSD_BK		0x00000400	/* APSD delv/trigger for AC_BK is default enabled */
++#define BRCMF_STA_APSD_VI		0x00000800	/* APSD delv/trigger for AC_VI is default enabled */
++#define BRCMF_STA_APSD_VO		0x00001000	/* APSD delv/trigger for AC_VO is default enabled */
++#define BRCMF_STA_N_CAP			0x00002000	/* STA 802.11n capable */
++#define BRCMF_STA_SCBSTATS		0x00004000	/* Per STA debug stats */
++#define BRCMF_STA_AMPDU_CAP		0x00008000	/* STA AMPDU capable */
++#define BRCMF_STA_AMSDU_CAP		0x00010000	/* STA AMSDU capable */
++#define BRCMF_STA_MIMO_PS		0x00020000	/* mimo ps mode is enabled */
++#define BRCMF_STA_MIMO_RTS		0x00040000	/* send rts in mimo ps mode */
++#define BRCMF_STA_RIFS_CAP		0x00080000	/* rifs enabled */
++#define BRCMF_STA_VHT_CAP		0x00100000	/* STA VHT(11ac) capable */
++#define BRCMF_STA_WPS			0x00200000	/* WPS state */
++#define BRCMF_STA_DWDS_CAP		0x01000000	/* DWDS CAP */
++#define BRCMF_STA_DWDS			0x02000000	/* DWDS active */
+ 
+ /* size of brcmf_scan_params not including variable length array */
+ #define BRCMF_SCAN_PARAMS_FIXED_SIZE	64

package/kernel/mac80211/patches/340-v4.19-brcmfmac-update-STA-info-struct-to-the-v5.patch

@@ -0,0 +1,75 @@
+From 07b1ae46874949252625c96f309f96ca0f337020 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 12:36:23 +0200
+Subject: [PATCH] brcmfmac: update STA info struct to the v5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is used when querying firmware for the STA. It seem is has
+been changing during the time. Luckily its format seems to be backward
+compatible starting with v2 (the only breakage was v1 -> v2).
+
+The version that was supported by brcmfmac so far was v4. It was what
+43602a1 and 4366b1 firmwares (7.35.177.56 and 10.10.69.3309 accordingly)
+were using. It also seems to be used by early 4366c0 firmwares
+(10.10.69.6908 and 10.10.69.69017).
+
+The problem appears when switching to the 10.10.122.20 firmware. It uses
+v5 and instead of falling back to v4 when submitted buffer isn't big
+enough it fallbacks to the v3.
+
+To receive all v4 specific info with the newest firmware we have to
+submit a struct (buffer) that matches v5.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h  | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -174,6 +174,8 @@
+ #define BRCMF_MFP_CAPABLE		1
+ #define BRCMF_MFP_REQUIRED		2
+ 
++#define BRCMF_VHT_CAP_MCS_MAP_NSS_MAX	8
++
+ /* MAX_CHUNK_LEN is the maximum length for data passing to firmware in each
+  * ioctl. It is relatively small because firmware has small maximum size input
+  * playload restriction for ioctls.
+@@ -550,6 +552,8 @@ struct brcmf_sta_info_le {
+ 						/* w/hi bit set if basic */
+ 	__le32 in;		/* seconds elapsed since associated */
+ 	__le32 listen_interval_inms; /* Min Listen interval in ms for STA */
++
++	/* Fields valid for ver >= 3 */
+ 	__le32 tx_pkts;	/* # of packets transmitted */
+ 	__le32 tx_failures;	/* # of packets failed */
+ 	__le32 rx_ucast_pkts;	/* # of unicast packets received */
+@@ -558,6 +562,8 @@ struct brcmf_sta_info_le {
+ 	__le32 rx_rate;	/* Rate of last successful rx frame */
+ 	__le32 rx_decrypt_succeeds;	/* # of packet decrypted successfully */
+ 	__le32 rx_decrypt_failures;	/* # of packet decrypted failed */
++
++	/* Fields valid for ver >= 4 */
+ 	__le32 tx_tot_pkts;    /* # of tx pkts (ucast + mcast) */
+ 	__le32 rx_tot_pkts;    /* # of data packets recvd (uni + mcast) */
+ 	__le32 tx_mcast_pkts;  /* # of mcast pkts txed */
+@@ -594,6 +600,14 @@ struct brcmf_sta_info_le {
+ 						*/
+ 	__le32 rx_pkts_retried;        /* # rx with retry bit set */
+ 	__le32 tx_rate_fallback;       /* lowest fallback TX rate */
++
++	/* Fields valid for ver >= 5 */
++	struct {
++		__le32 count;					/* # rates in this set */
++		u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++		u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++		__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++	} rateset_adv;
+ };
+ 
+ struct brcmf_chanspec_list {

package/kernel/mac80211/patches/341-v4.19-brcmfmac-specify-some-features-per-firmware-version.patch

@@ -0,0 +1,84 @@
+From 1e591c56a65fbbcd5754a4210a0ef0402d5e5f33 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 9 Jul 2018 06:55:43 +0200
+Subject: [PATCH] brcmfmac: specify some features per firmware version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some features supported by firmware aren't advertised and there is no
+way for a driver to query them. This includes e.g. monitor mode details.
+
+Most firmwares support monitor interface but only the latest ones
+/announce/ it with a "monitor" flag in the "cap" iovar. There isn't any
+reliable detection method for older firmwares (BRCMF_C_MONITOR was tried
+but "it only indicates the core part of the stack supports").
+
+Similarly support for tagging monitor frames and building radiotap
+headers can't be reliably detected for all firmwares.
+
+This commit adds table that allows mapping features to firmware version.
+It adds mappings for 43602a1 and 4366b1 firmwares from
+linux-firmware.git. Both were confirmed to be passing monitor frames.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/feature.c | 38 ++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -93,6 +93,42 @@ static int brcmf_feat_debugfs_read(struc
+ }
+ #endif /* DEBUG */
+ 
++struct brcmf_feat_fwfeat {
++	const char * const fwid;
++	u32 feat_flags;
++};
++
++static const struct brcmf_feat_fwfeat brcmf_feat_fwfeat_map[] = {
++	/* brcmfmac43602-pcie.ap.bin from linux-firmware.git commit ea1178515b88 */
++	{ "01-6cb8e269", BIT(BRCMF_FEAT_MONITOR) },
++	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 52442afee990 */
++	{ "01-c47a91a4", BIT(BRCMF_FEAT_MONITOR) },
++};
++
++static void brcmf_feat_firmware_overrides(struct brcmf_pub *drv)
++{
++	const struct brcmf_feat_fwfeat *e;
++	u32 feat_flags = 0;
++	int i;
++
++	for (i = 0; i < ARRAY_SIZE(brcmf_feat_fwfeat_map); i++) {
++		e = &brcmf_feat_fwfeat_map[i];
++		if (!strcmp(e->fwid, drv->fwver)) {
++			feat_flags = e->feat_flags;
++			break;
++		}
++	}
++
++	if (!feat_flags)
++		return;
++
++	for (i = 0; i < BRCMF_FEAT_LAST; i++)
++		if (feat_flags & BIT(i))
++			brcmf_dbg(INFO, "enabling firmware feature: %s\n",
++				  brcmf_feat_names[i]);
++	drv->feat_flags |= feat_flags;
++}
++
+ /**
+  * brcmf_feat_iovar_int_get() - determine feature through iovar query.
+  *
+@@ -253,6 +289,8 @@ void brcmf_feat_attach(struct brcmf_pub
+ 	}
+ 	brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
+ 
++	brcmf_feat_firmware_overrides(drvr);
++
+ 	/* set chip related quirks */
+ 	switch (drvr->bus_if->chip) {
+ 	case BRCM_CC_43236_CHIP_ID:

package/kernel/mac80211/patches/342-v4.20-0001-brcmfmac-add-CYW89342-mini-PCIe-device.patch

@@ -0,0 +1,25 @@
+From 2fef681a4cf7994c882190fd2417b95f30510afb Mon Sep 17 00:00:00 2001
+From: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Date: Wed, 15 Aug 2018 04:23:09 -0500
+Subject: [PATCH] brcmfmac: add CYW89342 mini-PCIe device
+
+CYW89342 is a 2x2 MIMO, 802.11a/b/g/n/ac for WLAN. It is a member of
+4355/4359 family.
+
+Signed-off-by: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -2017,6 +2017,7 @@ static const struct dev_pm_ops brcmf_pci
+ 
+ static const struct pci_device_id brcmf_pcie_devid_table[] = {
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4350_DEVICE_ID),
++	BRCMF_PCIE_DEVICE_SUB(0x4355, BRCM_PCIE_VENDOR_ID_BROADCOM, 0x4355),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4356_DEVICE_ID),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_43567_DEVICE_ID),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_43570_DEVICE_ID),

package/kernel/mac80211/patches/344-v4.20-0001-brcmfmac-fix-wrong-strnchr-usage.patch

@@ -0,0 +1,38 @@
+From cb18e2e9ec71d42409a51b83546686c609780dde Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Wed, 22 Aug 2018 15:22:15 +0200
+Subject: [PATCH] brcmfmac: fix wrong strnchr usage
+
+strnchr takes arguments in the order of its name: string, max bytes to
+read, character to search for. Here we're passing '\n' aka 10 as the
+buffer size, and searching for sizeof(buf) aka BRCMF_DCMD_SMLEN aka
+256 (aka '\0', since it's implicitly converted to char) within those 10
+bytes.
+
+Just interchanging the last two arguments would still leave a bug,
+because if we've been successful once, there are not sizeof(buf)
+characters left after the new value of p.
+
+Since clmver is immediately afterwards passed as a %s argument, I assume
+that it is actually a properly nul-terminated string. For that case, we
+have strreplace().
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -296,9 +296,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 		/* Replace all newline/linefeed characters with space
+ 		 * character
+ 		 */
+-		ptr = clmver;
+-		while ((ptr = strnchr(ptr, '\n', sizeof(buf))) != NULL)
+-			*ptr = ' ';
++		strreplace(clmver, '\n', ' ');
+ 
+ 		brcmf_dbg(INFO, "CLM version = %s\n", clmver);
+ 	}

package/kernel/mac80211/patches/345-v4.20-0001-brcmfmac-fix-for-proper-support-of-160MHz-bandwidth.patch

@@ -0,0 +1,117 @@
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 5 Sep 2018 09:48:58 +0200
+Subject: [PATCH] brcmfmac: fix for proper support of 160MHz bandwidth
+
+Decoding of firmware channel information was not complete for 160MHz
+support. This resulted in the following warning:
+
+  WARNING: CPU: 2 PID: 2222 at .../broadcom/brcm80211/brcmutil/d11.c:196
+	brcmu_d11ac_decchspec+0x2e/0x100 [brcmutil]
+  Modules linked in: brcmfmac(O) brcmutil(O) sha256_generic cfg80211 ...
+  CPU: 2 PID: 2222 Comm: kworker/2:0 Tainted: G           O
+  4.17.0-wt-testing-x64-00002-gf1bed50 #1
+  Hardware name: Dell Inc. Latitude E6410/07XJP9, BIOS A07 02/15/2011
+  Workqueue: events request_firmware_work_func
+  RIP: 0010:brcmu_d11ac_decchspec+0x2e/0x100 [brcmutil]
+  RSP: 0018:ffffc90000047bd0 EFLAGS: 00010206
+  RAX: 000000000000e832 RBX: ffff8801146fe910 RCX: ffff8801146fd3c0
+  RDX: 0000000000002800 RSI: 0000000000000070 RDI: ffffc90000047c30
+  RBP: ffffc90000047bd0 R08: 0000000000000000 R09: ffffffffa0798c80
+  R10: ffff88012bca55e0 R11: ffff880110a4ea00 R12: ffff8801146f8000
+  R13: ffffc90000047c30 R14: ffff8801146fe930 R15: ffff8801138e02e0
+  FS:  0000000000000000(0000) GS:ffff88012bc80000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007f18ce8b8070 CR3: 000000000200a003 CR4: 00000000000206e0
+  Call Trace:
+   brcmf_setup_wiphybands+0x212/0x780 [brcmfmac]
+   brcmf_cfg80211_attach+0xae2/0x11a0 [brcmfmac]
+   brcmf_attach+0x1fc/0x4b0 [brcmfmac]
+   ? __kmalloc+0x13c/0x1c0
+   brcmf_pcie_setup+0x99b/0xe00 [brcmfmac]
+   brcmf_fw_request_done+0x16a/0x1f0 [brcmfmac]
+   request_firmware_work_func+0x36/0x60
+   process_one_work+0x146/0x350
+   worker_thread+0x4a/0x3b0
+   kthread+0x102/0x140
+   ? process_one_work+0x350/0x350
+   ? kthread_bind+0x20/0x20
+   ret_from_fork+0x35/0x40
+  Code: 66 90 0f b7 07 55 48 89 e5 89 c2 88 47 02 88 47 03 66 81 e2 00 38
+	66 81 fa 00 18 74 6e 66 81 fa 00 20 74 39 66 81 fa 00 10 74 14 <0f>
+	0b 66 25 00 c0 74 20 66 3d 00 c0 75 20 c6 47 04 01 5d c3 66
+  ---[ end trace 550c46682415b26d ]---
+  brcmfmac: brcmf_construct_chaninfo: Ignoring unexpected firmware channel 50
+
+This patch adds the missing stuff to properly handle this.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+---
+ .../net/wireless/broadcom/brcm80211/brcmutil/d11.c | 34 +++++++++++++++++++++-
+ .../broadcom/brcm80211/include/brcmu_wifi.h        |  2 ++
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -77,6 +77,8 @@ static u16 d11ac_bw(enum brcmu_chan_bw b
+ 		return BRCMU_CHSPEC_D11AC_BW_40;
+ 	case BRCMU_CHAN_BW_80:
+ 		return BRCMU_CHSPEC_D11AC_BW_80;
++	case BRCMU_CHAN_BW_160:
++		return BRCMU_CHSPEC_D11AC_BW_160;
+ 	default:
+ 		WARN_ON(1);
+ 	}
+@@ -190,8 +192,38 @@ static void brcmu_d11ac_decchspec(struct
+ 			break;
+ 		}
+ 		break;
+-	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	case BRCMU_CHSPEC_D11AC_BW_160:
++		switch (ch->sb) {
++		case BRCMU_CHAN_SB_LLL:
++			ch->control_ch_num -= CH_70MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LLU:
++			ch->control_ch_num -= CH_50MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LUL:
++			ch->control_ch_num -= CH_30MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LUU:
++			ch->control_ch_num -= CH_10MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_ULL:
++			ch->control_ch_num += CH_10MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_ULU:
++			ch->control_ch_num += CH_30MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_UUL:
++			ch->control_ch_num += CH_50MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_UUU:
++			ch->control_ch_num += CH_70MHZ_APART;
++			break;
++		default:
++			WARN_ON_ONCE(1);
++			break;
++		}
++		break;
++	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	default:
+ 		WARN_ON_ONCE(1);
+ 		break;
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+@@ -29,6 +29,8 @@
+ #define CH_UPPER_SB			0x01
+ #define CH_LOWER_SB			0x02
+ #define CH_EWA_VALID			0x04
++#define CH_70MHZ_APART			14
++#define CH_50MHZ_APART			10
+ #define CH_30MHZ_APART			6
+ #define CH_20MHZ_APART			4
+ #define CH_10MHZ_APART			2

package/kernel/mac80211/patches/345-v4.20-0002-brcmfmac-increase-buffer-for-obtaining-firmware-capa.patch

@@ -0,0 +1,28 @@
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 5 Sep 2018 09:48:59 +0200
+Subject: [PATCH] brcmfmac: increase buffer for obtaining firmware capabilities
+
+When obtaining the firmware capability a buffer is provided of 512
+bytes. However, if all features in firmware are supported the buffer
+needs to be 565 bytes as otherwise truncated information is retrieved
+from firmware. Increasing the buffer to 768 bytes on stack.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -178,7 +178,7 @@ static void brcmf_feat_iovar_data_set(st
+ 	ifp->fwil_fwerr = false;
+ }
+ 
+-#define MAX_CAPS_BUFFER_SIZE	512
++#define MAX_CAPS_BUFFER_SIZE	768
+ static void brcmf_feat_firmware_capabilities(struct brcmf_if *ifp)
+ {
+ 	char caps[MAX_CAPS_BUFFER_SIZE];

package/kernel/mac80211/patches/346--v4.20-0001-brcmfmac-remove-set-but-not-used-variables-sfdoff-an.patch

@@ -0,0 +1,57 @@
+From a8254fa4ba60b85829b6e5ede6564f81cd70d59f Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 11 Sep 2018 11:24:04 +0800
+Subject: [PATCH] brcmfmac: remove set but not used variables 'sfdoff' and
+ 'pad_size'
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function 'brcmf_sdio_rxglom':
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1466:11: warning:
+ variable 'sfdoff' set but not used [-Wunused-but-set-variable]
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function 'brcmf_sdio_bus_preinit':
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3408:7: warning:
+ variable 'pad_size' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1463,7 +1463,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+ 	struct sk_buff *pfirst, *pnext;
+ 
+ 	int errcode;
+-	u8 doff, sfdoff;
++	u8 doff;
+ 
+ 	struct brcmf_sdio_hdrinfo rd_new;
+ 
+@@ -1597,7 +1597,6 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+ 
+ 		/* Remove superframe header, remember offset */
+ 		skb_pull(pfirst, rd_new.dat_offset);
+-		sfdoff = rd_new.dat_offset;
+ 		num = 0;
+ 
+ 		/* Validate all the subframe headers */
+@@ -3405,7 +3404,6 @@ static int brcmf_sdio_bus_preinit(struct
+ 	struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
+ 	struct brcmf_sdio *bus = sdiodev->bus;
+ 	struct brcmf_core *core = bus->sdio_core;
+-	uint pad_size;
+ 	u32 value;
+ 	int err;
+ 
+@@ -3448,7 +3446,6 @@ static int brcmf_sdio_bus_preinit(struct
+ 	if (sdiodev->sg_support) {
+ 		bus->txglom = false;
+ 		value = 1;
+-		pad_size = bus->sdiodev->func2->cur_blksize << 1;
+ 		err = brcmf_iovar_data_set(bus->sdiodev->dev, "bus:rxglom",
+ 					   &value, sizeof(u32));
+ 		if (err < 0) {

package/kernel/mac80211/patches/347-v4.20-0001-brcmfmac-reduce-timeout-for-action-frame-scan.patch

@@ -0,0 +1,67 @@
+From edb6d6885bef82d1eac432dbeca9fbf4ec349d7e Mon Sep 17 00:00:00 2001
+From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Date: Thu, 27 Sep 2018 14:59:44 +0000
+Subject: [PATCH] brcmfmac: reduce timeout for action frame scan
+
+Finding a common channel to send an action frame out is required for
+some action types. Since a loop with several scan retry is used to find
+the channel, a short wait time could be considered for each attempt.
+This patch reduces the wait time from 1500 to 450 msec for each action
+frame scan.
+
+This patch fixes the WFA p2p certification 5.1.20 failure caused by the
+long action frame send time.
+
+Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -74,7 +74,7 @@
+ #define P2P_AF_MAX_WAIT_TIME		msecs_to_jiffies(2000)
+ #define P2P_INVALID_CHANNEL		-1
+ #define P2P_CHANNEL_SYNC_RETRY		5
+-#define P2P_AF_FRM_SCAN_MAX_WAIT	msecs_to_jiffies(1500)
++#define P2P_AF_FRM_SCAN_MAX_WAIT	msecs_to_jiffies(450)
+ #define P2P_DEFAULT_SLEEP_TIME_VSDB	200
+ 
+ /* WiFi P2P Public Action Frame OUI Subtypes */
+@@ -1134,7 +1134,6 @@ static s32 brcmf_p2p_af_searching_channe
+ {
+ 	struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+ 	struct brcmf_cfg80211_vif *pri_vif;
+-	unsigned long duration;
+ 	s32 retry;
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+@@ -1150,7 +1149,6 @@ static s32 brcmf_p2p_af_searching_channe
+ 	 * pending action frame tx is cancelled.
+ 	 */
+ 	retry = 0;
+-	duration = msecs_to_jiffies(P2P_AF_FRM_SCAN_MAX_WAIT);
+ 	while ((retry < P2P_CHANNEL_SYNC_RETRY) &&
+ 	       (afx_hdl->peer_chan == P2P_INVALID_CHANNEL)) {
+ 		afx_hdl->is_listen = false;
+@@ -1158,7 +1156,8 @@ static s32 brcmf_p2p_af_searching_channe
+ 			  retry);
+ 		/* search peer on peer's listen channel */
+ 		schedule_work(&afx_hdl->afx_work);
+-		wait_for_completion_timeout(&afx_hdl->act_frm_scan, duration);
++		wait_for_completion_timeout(&afx_hdl->act_frm_scan,
++					    P2P_AF_FRM_SCAN_MAX_WAIT);
+ 		if ((afx_hdl->peer_chan != P2P_INVALID_CHANNEL) ||
+ 		    (!test_bit(BRCMF_P2P_STATUS_FINDING_COMMON_CHANNEL,
+ 			       &p2p->status)))
+@@ -1171,7 +1170,7 @@ static s32 brcmf_p2p_af_searching_channe
+ 			afx_hdl->is_listen = true;
+ 			schedule_work(&afx_hdl->afx_work);
+ 			wait_for_completion_timeout(&afx_hdl->act_frm_scan,
+-						    duration);
++						    P2P_AF_FRM_SCAN_MAX_WAIT);
+ 		}
+ 		if ((afx_hdl->peer_chan != P2P_INVALID_CHANNEL) ||
+ 		    (!test_bit(BRCMF_P2P_STATUS_FINDING_COMMON_CHANNEL,

package/kernel/mac80211/patches/347-v4.20-0002-brcmfmac-fix-full-timeout-waiting-for-action-frame-o.patch

@@ -0,0 +1,79 @@
+From fbf07000960d9c8a13fdc17c6de0230d681c7543 Mon Sep 17 00:00:00 2001
+From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Date: Thu, 27 Sep 2018 14:59:49 +0000
+Subject: [PATCH] brcmfmac: fix full timeout waiting for action frame
+ on-channel tx
+
+The driver sends an action frame down and waits for a completion signal
+triggered by the received BRCMF_E_ACTION_FRAME_OFF_CHAN_COMPLETE event
+to continue the process. However, the action frame could be transmitted
+either on the current channel or on an off channel. For the on-channel
+case, only BRCMF_E_ACTION_FRAME_COMPLETE event will be received when
+the frame is transmitted, which make the driver always wait a full
+timeout duration. This patch has the completion signal be triggered by
+receiving the BRCMF_E_ACTION_FRAME_COMPLETE event for the on-channel
+case.
+
+This change fixes WFA p2p certification 5.1.19 failure.
+
+Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 17 +++++++++++++++--
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h |  2 ++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1457,10 +1457,12 @@ int brcmf_p2p_notify_action_tx_complete(
+ 		return 0;
+ 
+ 	if (e->event_code == BRCMF_E_ACTION_FRAME_COMPLETE) {
+-		if (e->status == BRCMF_E_STATUS_SUCCESS)
++		if (e->status == BRCMF_E_STATUS_SUCCESS) {
+ 			set_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED,
+ 				&p2p->status);
+-		else {
++			if (!p2p->wait_for_offchan_complete)
++				complete(&p2p->send_af_done);
++		} else {
+ 			set_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status);
+ 			/* If there is no ack, we don't need to wait for
+ 			 * WLC_E_ACTION_FRAME_OFFCHAN_COMPLETE event
+@@ -1511,6 +1513,17 @@ static s32 brcmf_p2p_tx_action_frame(str
+ 	p2p->af_sent_channel = le32_to_cpu(af_params->channel);
+ 	p2p->af_tx_sent_jiffies = jiffies;
+ 
++	if (test_bit(BRCMF_P2P_STATUS_DISCOVER_LISTEN, &p2p->status) &&
++	    p2p->af_sent_channel ==
++	    ieee80211_frequency_to_channel(p2p->remain_on_channel.center_freq))
++		p2p->wait_for_offchan_complete = false;
++	else
++		p2p->wait_for_offchan_complete = true;
++
++	brcmf_dbg(TRACE, "Waiting for %s tx completion event\n",
++		  (p2p->wait_for_offchan_complete) ?
++		   "off-channel" : "on-channel");
++
+ 	timeout = wait_for_completion_timeout(&p2p->send_af_done,
+ 					      P2P_AF_MAX_WAIT_TIME);
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
+@@ -124,6 +124,7 @@ struct afx_hdl {
+  * @gon_req_action: about to send go negotiation requets frame.
+  * @block_gon_req_tx: drop tx go negotiation requets frame.
+  * @p2pdev_dynamically: is p2p device if created by module param or supplicant.
++ * @wait_for_offchan_complete: wait for off-channel tx completion event.
+  */
+ struct brcmf_p2p_info {
+ 	struct brcmf_cfg80211_info *cfg;
+@@ -144,6 +145,7 @@ struct brcmf_p2p_info {
+ 	bool gon_req_action;
+ 	bool block_gon_req_tx;
+ 	bool p2pdev_dynamically;
++	bool wait_for_offchan_complete;
+ };
+ 
+ s32 brcmf_p2p_attach(struct brcmf_cfg80211_info *cfg, bool p2pdev_forced);

package/kernel/mac80211/patches/348-v4.20-0001-brcmutil-really-fix-decoding-channel-info-for-160-MH.patch

@@ -0,0 +1,41 @@
+From 3401d42c7ea2d064d15c66698ff8eb96553179ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 26 Oct 2018 12:50:39 +0200
+Subject: [PATCH] brcmutil: really fix decoding channel info for 160 MHz
+ bandwidth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previous commit /adding/ support for 160 MHz chanspecs was incomplete.
+It didn't set bandwidth info and didn't extract control channel info. As
+the result it was also using uninitialized "sb" var.
+
+This change has been tested for two chanspecs found to be reported by
+some devices/firmwares:
+1) 60/160 (0xee32)
+   Before: chnum:50 control_ch_num:36
+    After: chnum:50 control_ch_num:60
+2) 120/160 (0xed72)
+   Before: chnum:114 control_ch_num:100
+    After: chnum:114 control_ch_num:120
+
+Fixes: 330994e8e8ec ("brcmfmac: fix for proper support of 160MHz bandwidth")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -193,6 +193,9 @@ static void brcmu_d11ac_decchspec(struct
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_160:
++		ch->bw = BRCMU_CHAN_BW_160;
++		ch->sb = brcmu_maskget16(ch->chspec, BRCMU_CHSPEC_D11AC_SB_MASK,
++					 BRCMU_CHSPEC_D11AC_SB_SHIFT);
+ 		switch (ch->sb) {
+ 		case BRCMU_CHAN_SB_LLL:
+ 			ch->control_ch_num -= CH_70MHZ_APART;

package/kernel/mac80211/patches/349-v4.20-brcmfmac-fix-reporting-support-for-160-MHz-channels.patch

@@ -0,0 +1,34 @@
+From 8eefb59de817125eeedde2a2cc1e4ac3660062f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 8 Nov 2018 16:08:29 +0100
+Subject: [PATCH] brcmfmac: fix reporting support for 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's
+important to provide valid & complete info about supported bands for
+each channel. By default no support for 160 MHz should be assumed unless
+firmware reports it for a given channel later.
+
+This fixes info passed to the userspace. Without that change userspace
+could try to use invalid channel and fail to start an interface.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Cc: stable@vger.kernel.org
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5992,7 +5992,8 @@ static int brcmf_construct_chaninfo(stru
+ 			 * for subsequent chanspecs.
+ 			 */
+ 			channel->flags = IEEE80211_CHAN_NO_HT40 |
+-					 IEEE80211_CHAN_NO_80MHZ;
++					 IEEE80211_CHAN_NO_80MHZ |
++					 IEEE80211_CHAN_NO_160MHZ;
+ 			ch.bw = BRCMU_CHAN_BW_20;
+ 			cfg->d11inf.encchspec(&ch);
+ 			chaninfo = ch.chspec;

package/kernel/mac80211/patches/355-v5.0-0001-brcmfmac-Remove-firmware-loading-code-duplication.patch

@@ -0,0 +1,102 @@
+From a1a3b762163868ad07a4499a73df324f40d5ab0b Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:00:58 +0200
+Subject: [PATCH] brcmfmac: Remove firmware-loading code duplication
+
+brcmf_fw_request_next_item and brcmf_fw_request_done both have identical
+code to complete the fw-request depending on the item-type.
+
+This commit adds a new brcmf_fw_complete_request helper removing this code
+duplication.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 62 +++++++++++-----------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -504,6 +504,34 @@ fail:
+ 	return -ENOENT;
+ }
+ 
++static int brcmf_fw_complete_request(const struct firmware *fw,
++				     struct brcmf_fw *fwctx)
++{
++	struct brcmf_fw_item *cur = &fwctx->req->items[fwctx->curpos];
++	int ret = 0;
++
++	brcmf_dbg(TRACE, "firmware %s %sfound\n", cur->path, fw ? "" : "not ");
++
++	switch (cur->type) {
++	case BRCMF_FW_TYPE_NVRAM:
++		ret = brcmf_fw_request_nvram_done(fw, fwctx);
++		break;
++	case BRCMF_FW_TYPE_BINARY:
++		if (fw)
++			cur->binary = fw;
++		else
++			ret = -ENOENT;
++		break;
++	default:
++		/* something fishy here so bail out early */
++		brcmf_err("unknown fw type: %d\n", cur->type);
++		release_firmware(fw);
++		ret = -EINVAL;
++	}
++
++	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
++}
++
+ static int brcmf_fw_request_next_item(struct brcmf_fw *fwctx, bool async)
+ {
+ 	struct brcmf_fw_item *cur;
+@@ -525,15 +553,7 @@ static int brcmf_fw_request_next_item(st
+ 	if (ret < 0) {
+ 		brcmf_fw_request_done(NULL, fwctx);
+ 	} else if (!async && fw) {
+-		brcmf_dbg(TRACE, "firmware %s %sfound\n", cur->path,
+-			  fw ? "" : "not ");
+-		if (cur->type == BRCMF_FW_TYPE_BINARY)
+-			cur->binary = fw;
+-		else if (cur->type == BRCMF_FW_TYPE_NVRAM)
+-			brcmf_fw_request_nvram_done(fw, fwctx);
+-		else
+-			release_firmware(fw);
+-
++		brcmf_fw_complete_request(fw, fwctx);
+ 		return -EAGAIN;
+ 	}
+ 	return 0;
+@@ -547,28 +567,8 @@ static void brcmf_fw_request_done(const
+ 
+ 	cur = &fwctx->req->items[fwctx->curpos];
+ 
+-	brcmf_dbg(TRACE, "enter: firmware %s %sfound\n", cur->path,
+-		  fw ? "" : "not ");
+-
+-	if (!fw)
+-		ret = -ENOENT;
+-
+-	switch (cur->type) {
+-	case BRCMF_FW_TYPE_NVRAM:
+-		ret = brcmf_fw_request_nvram_done(fw, fwctx);
+-		break;
+-	case BRCMF_FW_TYPE_BINARY:
+-		cur->binary = fw;
+-		break;
+-	default:
+-		/* something fishy here so bail out early */
+-		brcmf_err("unknown fw type: %d\n", cur->type);
+-		release_firmware(fw);
+-		ret = -EINVAL;
+-		goto fail;
+-	}
+-
+-	if (ret < 0 && !(cur->flags & BRCMF_FW_REQF_OPTIONAL))
++	ret = brcmf_fw_complete_request(fw, fwctx);
++	if (ret < 0)
+ 		goto fail;
+ 
+ 	do {

package/kernel/mac80211/patches/355-v5.0-0002-brcmfmac-Remove-recursion-from-firmware-load-error-h.patch

@@ -0,0 +1,127 @@
+From 5b587496dc63595b71265d986ce69728c2724370 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:00:59 +0200
+Subject: [PATCH] brcmfmac: Remove recursion from firmware load error handling
+
+Before this commit brcmf_fw_request_done would call
+brcmf_fw_request_next_item to load the next item, which on an error would
+call brcmf_fw_request_done, which if the error is recoverable (*) will
+then continue calling brcmf_fw_request_next_item for the next item again
+which on an error will call brcmf_fw_request_done again...
+
+This does not blow up because we only have a limited number of items so
+we never recurse too deep. But the recursion is still quite ugly and
+frankly is giving me a headache, so lets fix this.
+
+This commit fixes this by removing brcmf_fw_request_next_item and by
+making brcmf_fw_get_firmwares and brcmf_fw_request_done directly call
+firmware_request_nowait resp. firmware_request themselves.
+
+*) brcmf_fw_request_nvram_done fallback path succeeds or
+   BRCMF_FW_REQF_OPTIONAL is set
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 65 +++++++---------------
+ 1 file changed, 19 insertions(+), 46 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -532,33 +532,6 @@ static int brcmf_fw_complete_request(con
+ 	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
+ }
+ 
+-static int brcmf_fw_request_next_item(struct brcmf_fw *fwctx, bool async)
+-{
+-	struct brcmf_fw_item *cur;
+-	const struct firmware *fw = NULL;
+-	int ret;
+-
+-	cur = &fwctx->req->items[fwctx->curpos];
+-
+-	brcmf_dbg(TRACE, "%srequest for %s\n", async ? "async " : "",
+-		  cur->path);
+-
+-	if (async)
+-		ret = request_firmware_nowait(THIS_MODULE, true, cur->path,
+-					      fwctx->dev, GFP_KERNEL, fwctx,
+-					      brcmf_fw_request_done);
+-	else
+-		ret = request_firmware(&fw, cur->path, fwctx->dev);
+-
+-	if (ret < 0) {
+-		brcmf_fw_request_done(NULL, fwctx);
+-	} else if (!async && fw) {
+-		brcmf_fw_complete_request(fw, fwctx);
+-		return -EAGAIN;
+-	}
+-	return 0;
+-}
+-
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+@@ -568,26 +541,19 @@ static void brcmf_fw_request_done(const
+ 	cur = &fwctx->req->items[fwctx->curpos];
+ 
+ 	ret = brcmf_fw_complete_request(fw, fwctx);
+-	if (ret < 0)
+-		goto fail;
+ 
+-	do {
+-		if (++fwctx->curpos == fwctx->req->n_items) {
+-			ret = 0;
+-			goto done;
+-		}
+-
+-		ret = brcmf_fw_request_next_item(fwctx, false);
+-	} while (ret == -EAGAIN);
+-
+-	return;
+-
+-fail:
+-	brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
+-		  dev_name(fwctx->dev), cur->path);
+-	brcmf_fw_free_request(fwctx->req);
+-	fwctx->req = NULL;
+-done:
++	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
++		cur = &fwctx->req->items[fwctx->curpos];
++		request_firmware(&fw, cur->path, fwctx->dev);
++		ret = brcmf_fw_complete_request(fw, ctx);
++	}
++
++	if (ret) {
++		brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
++			  dev_name(fwctx->dev), cur->path);
++		brcmf_fw_free_request(fwctx->req);
++		fwctx->req = NULL;
++	}
+ 	fwctx->done(fwctx->dev, ret, fwctx->req);
+ 	kfree(fwctx);
+ }
+@@ -611,7 +577,9 @@ int brcmf_fw_get_firmwares(struct device
+ 			   void (*fw_cb)(struct device *dev, int err,
+ 					 struct brcmf_fw_request *req))
+ {
++	struct brcmf_fw_item *first = &req->items[0];
+ 	struct brcmf_fw *fwctx;
++	int ret;
+ 
+ 	brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+ 	if (!fw_cb)
+@@ -628,7 +596,12 @@ int brcmf_fw_get_firmwares(struct device
+ 	fwctx->req = req;
+ 	fwctx->done = fw_cb;
+ 
+-	brcmf_fw_request_next_item(fwctx, true);
++	ret = request_firmware_nowait(THIS_MODULE, true, first->path,
++				      fwctx->dev, GFP_KERNEL, fwctx,
++				      brcmf_fw_request_done);
++	if (ret < 0)
++		brcmf_fw_request_done(NULL, fwctx);
++
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/355-v5.0-0003-brcmfmac-Add-support-for-first-trying-to-get-a-board.patch

@@ -0,0 +1,77 @@
+From eae8e50669e15002b195177212a6e25afbe7cf4d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:00 +0200
+Subject: [PATCH] brcmfmac: Add support for first trying to get a board
+ specific nvram file
+
+The nvram files which some brcmfmac chips need are board-specific. To be
+able to distribute these as part of linux-firmware, so that devices with
+such a wifi chip will work OOTB, multiple (one per board) versions must
+co-exist under /lib/firmware.
+
+This commit adds support for callers of the brcmfmac/firmware.c code to
+pass in a board_type parameter through the request structure.
+
+If that parameter is set then the code will first try to load
+chipmodel.board_type.txt before falling back to the old chipmodel.txt name.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 27 +++++++++++++++++++++-
+ .../broadcom/brcm80211/brcmfmac/firmware.h         |  1 +
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -532,6 +532,31 @@ static int brcmf_fw_complete_request(con
+ 	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
+ }
+ 
++static int brcmf_fw_request_firmware(const struct firmware **fw,
++				     struct brcmf_fw *fwctx)
++{
++	struct brcmf_fw_item *cur = &fwctx->req->items[fwctx->curpos];
++	int ret;
++
++	/* nvram files are board-specific, first try a board-specific path */
++	if (cur->type == BRCMF_FW_TYPE_NVRAM && fwctx->req->board_type) {
++		char alt_path[BRCMF_FW_NAME_LEN];
++
++		strlcpy(alt_path, cur->path, BRCMF_FW_NAME_LEN);
++		/* strip .txt at the end */
++		alt_path[strlen(alt_path) - 4] = 0;
++		strlcat(alt_path, ".", BRCMF_FW_NAME_LEN);
++		strlcat(alt_path, fwctx->req->board_type, BRCMF_FW_NAME_LEN);
++		strlcat(alt_path, ".txt", BRCMF_FW_NAME_LEN);
++
++		ret = request_firmware(fw, alt_path, fwctx->dev);
++		if (ret == 0)
++			return ret;
++	}
++
++	return request_firmware(fw, cur->path, fwctx->dev);
++}
++
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+@@ -544,7 +569,7 @@ static void brcmf_fw_request_done(const
+ 
+ 	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
+ 		cur = &fwctx->req->items[fwctx->curpos];
+-		request_firmware(&fw, cur->path, fwctx->dev);
++		brcmf_fw_request_firmware(&fw, fwctx);
+ 		ret = brcmf_fw_complete_request(fw, ctx);
+ 	}
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
+@@ -70,6 +70,7 @@ struct brcmf_fw_request {
+ 	u16 domain_nr;
+ 	u16 bus_nr;
+ 	u32 n_items;
++	const char *board_type;
+ 	struct brcmf_fw_item items[0];
+ };
+ 

package/kernel/mac80211/patches/355-v5.0-0004-brcmfmac-Set-board_type-used-for-nvram-file-selectio.patch

@@ -0,0 +1,77 @@
+From 0ad4b55b2f29784f93875e6231bf57cd233624a2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:01 +0200
+Subject: [PATCH] brcmfmac: Set board_type used for nvram file selection to
+ machine-compatible
+
+For of/devicetree using machines, set the board_type used for nvram file
+selection to the first string listed in the top-level's node compatible
+string, aka the machine-compatible as used by of_machine_is_compatible().
+
+The board_type setting is used to load the board-specific nvram file with
+a board-specific name so that we can ship files for each supported board
+in linux-firmware.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h |  1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c     | 11 ++++++++++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c   |  1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c   |  1 +
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
+@@ -59,6 +59,7 @@ struct brcmf_mp_device {
+ 	bool		iapp;
+ 	bool		ignore_probe_fail;
+ 	struct brcmfmac_pd_cc *country_codes;
++	const char	*board_type;
+ 	union {
+ 		struct brcmfmac_sdio_pd sdio;
+ 	} bus;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+@@ -27,11 +27,20 @@ void brcmf_of_probe(struct device *dev,
+ 		    struct brcmf_mp_device *settings)
+ {
+ 	struct brcmfmac_sdio_pd *sdio = &settings->bus.sdio;
+-	struct device_node *np = dev->of_node;
++	struct device_node *root, *np = dev->of_node;
++	struct property *prop;
+ 	int irq;
+ 	u32 irqf;
+ 	u32 val;
+ 
++	/* Set board-type to the first string of the machine compatible prop */
++	root = of_find_node_by_path("/");
++	if (root) {
++		prop = of_find_property(root, "compatible", NULL);
++		settings->board_type = of_prop_next_string(prop, NULL);
++		of_node_put(root);
++	}
++
+ 	if (!np || bus_type != BRCMF_BUSTYPE_SDIO ||
+ 	    !of_device_is_compatible(np, "brcm,bcm4329-fmac"))
+ 		return;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1785,6 +1785,7 @@ brcmf_pcie_prepare_fw_request(struct brc
+ 	fwreq->items[BRCMF_PCIE_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
+ 	fwreq->items[BRCMF_PCIE_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
+ 	fwreq->items[BRCMF_PCIE_FW_NVRAM].flags = BRCMF_FW_REQF_OPTIONAL;
++	fwreq->board_type = devinfo->settings->board_type;
+ 	/* NVRAM reserves PCI domain 0 for Broadcom's SDK faked bus */
+ 	fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus) + 1;
+ 	fwreq->bus_nr = devinfo->pdev->bus->number;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -4174,6 +4174,7 @@ brcmf_sdio_prepare_fw_request(struct brc
+ 
+ 	fwreq->items[BRCMF_SDIO_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
+ 	fwreq->items[BRCMF_SDIO_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
++	fwreq->board_type = bus->sdiodev->settings->board_type;
+ 
+ 	return fwreq;
+ }

package/kernel/mac80211/patches/355-v5.0-0005-brcmfmac-Set-board_type-from-DMI-on-x86-based-machin.patch

@@ -0,0 +1,179 @@
+From bd1e82bb420adf4ad7cd468d8a482cde622dd69d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:02 +0200
+Subject: [PATCH] brcmfmac: Set board_type from DMI on x86 based machines
+
+For x86 based machines, set the board_type used for nvram file selection
+based on the DMI sys-vendor and product-name strings.
+
+Since on some models these strings are too generic, this commit also adds
+a quirk table overriding the strings for models listed in that table.
+
+The board_type setting is used to load the board-specific nvram file with
+a board-specific name so that we can ship files for each supported board
+in linux-firmware.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/Makefile  |   2 +
+ .../wireless/broadcom/brcm80211/brcmfmac/common.c  |   3 +-
+ .../wireless/broadcom/brcm80211/brcmfmac/common.h  |   7 ++
+ .../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 116 +++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile
+@@ -54,3 +54,5 @@ brcmfmac-$(CPTCFG_BRCM_TRACING) += \
+ 		tracepoint.o
+ brcmfmac-$(CONFIG_OF) += \
+ 		of.o
++brcmfmac-$(CONFIG_DMI) += \
++		dmi.o
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -448,8 +448,9 @@ struct brcmf_mp_device *brcmf_get_module
+ 		}
+ 	}
+ 	if (!found) {
+-		/* No platform data for this device, try OF (Open Firwmare) */
++		/* No platform data for this device, try OF and DMI data */
+ 		brcmf_of_probe(dev, bus_type, settings);
++		brcmf_dmi_probe(settings, chip, chiprev);
+ 	}
+ 	return settings;
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
+@@ -75,4 +75,11 @@ void brcmf_release_module_param(struct b
+ /* Sets dongle media info (drv_version, mac address). */
+ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp);
+ 
++#ifdef CONFIG_DMI
++void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev);
++#else
++static inline void
++brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev) {}
++#endif
++
+ #endif /* BRCMFMAC_COMMON_H */
+--- /dev/null
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -0,0 +1,116 @@
++/*
++ * Copyright 2018 Hans de Goede <hdegoede@redhat.com>
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include <linux/dmi.h>
++#include <linux/mod_devicetable.h>
++#include "core.h"
++#include "common.h"
++#include "brcm_hw_ids.h"
++
++/* The DMI data never changes so we can use a static buf for this */
++static char dmi_board_type[128];
++
++struct brcmf_dmi_data {
++	u32 chip;
++	u32 chiprev;
++	const char *board_type;
++};
++
++/* NOTE: Please keep all entries sorted alphabetically */
++
++static const struct brcmf_dmi_data gpd_win_pocket_data = {
++	BRCM_CC_4356_CHIP_ID, 2, "gpd-win-pocket"
++};
++
++static const struct brcmf_dmi_data jumper_ezpad_mini3_data = {
++	BRCM_CC_43430_CHIP_ID, 0, "jumper-ezpad-mini3"
++};
++
++static const struct brcmf_dmi_data meegopad_t08_data = {
++	BRCM_CC_43340_CHIP_ID, 2, "meegopad-t08"
++};
++
++static const struct dmi_system_id dmi_platform_data[] = {
++	{
++		/* Match for the GPDwin which unfortunately uses somewhat
++		 * generic dmi strings, which is why we test for 4 strings.
++		 * Comparing against 23 other byt/cht boards, board_vendor
++		 * and board_name are unique to the GPDwin, where as only one
++		 * other board has the same board_serial and 3 others have
++		 * the same default product_name. Also the GPDwin is the
++		 * only device to have both board_ and product_name not set.
++		 */
++		.matches = {
++			DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++			DMI_MATCH(DMI_BOARD_NAME, "Default string"),
++			DMI_MATCH(DMI_BOARD_SERIAL, "Default string"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++		},
++		.driver_data = (void *)&gpd_win_pocket_data,
++	},
++	{
++		/* Jumper EZpad mini3 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"),
++			/* jumperx.T87.KFBNEEA02 with the version-nr dropped */
++			DMI_MATCH(DMI_BIOS_VERSION, "jumperx.T87.KFBNEEA"),
++		},
++		.driver_data = (void *)&jumper_ezpad_mini3_data,
++	},
++	{
++		/* Meegopad T08 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Default string"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++			DMI_MATCH(DMI_BOARD_NAME, "T3 MRD"),
++			DMI_MATCH(DMI_BOARD_VERSION, "V1.1"),
++		},
++		.driver_data = (void *)&meegopad_t08_data,
++	},
++	{}
++};
++
++void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
++{
++	const struct dmi_system_id *match;
++	const struct brcmf_dmi_data *data;
++	const char *sys_vendor;
++	const char *product_name;
++
++	/* Some models have DMI strings which are too generic, e.g.
++	 * "Default string", we use a quirk table for these.
++	 */
++	for (match = dmi_first_match(dmi_platform_data);
++	     match;
++	     match = dmi_first_match(match + 1)) {
++		data = match->driver_data;
++
++		if (data->chip == chip && data->chiprev == chiprev) {
++			settings->board_type = data->board_type;
++			return;
++		}
++	}
++
++	/* Not found in the quirk-table, use sys_vendor-product_name */
++	sys_vendor = dmi_get_system_info(DMI_SYS_VENDOR);
++	product_name = dmi_get_system_info(DMI_PRODUCT_NAME);
++	if (sys_vendor && product_name) {
++		snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
++			 sys_vendor, product_name);
++		settings->board_type = dmi_board_type;
++	}
++}

package/kernel/mac80211/patches/355-v5.0-0006-brcmfmac-Cleanup-brcmf_fw_request_done.patch

@@ -0,0 +1,41 @@
+From 55e491edbf14b2da5419c2a319ea3b1d6368d9a2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:03 +0200
+Subject: [PATCH] brcmfmac: Cleanup brcmf_fw_request_done()
+
+The "cur" variable is now only used for a debug print and we already
+print the same info from brcmf_fw_complete_request(), so the debug print
+does not provide any extra info and we can remove it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -560,22 +560,16 @@ static int brcmf_fw_request_firmware(con
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+-	struct brcmf_fw_item *cur;
+-	int ret = 0;
+-
+-	cur = &fwctx->req->items[fwctx->curpos];
++	int ret;
+ 
+ 	ret = brcmf_fw_complete_request(fw, fwctx);
+ 
+ 	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
+-		cur = &fwctx->req->items[fwctx->curpos];
+ 		brcmf_fw_request_firmware(&fw, fwctx);
+ 		ret = brcmf_fw_complete_request(fw, ctx);
+ 	}
+ 
+ 	if (ret) {
+-		brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
+-			  dev_name(fwctx->dev), cur->path);
+ 		brcmf_fw_free_request(fwctx->req);
+ 		fwctx->req = NULL;
+ 	}

package/kernel/mac80211/patches/380-v4.21-0001-brcmutil-print-invalid-chanspec-when-WARN-ing.patch

@@ -0,0 +1,83 @@
+From ae5848cb4511bbbfe0306fcdbe5d9a95cd9546a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 26 Oct 2018 13:22:32 +0200
+Subject: [PATCH] brcmutil: print invalid chanspec when WARN-ing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On one of my devices I got WARNINGs when brcmfmac tried to decode
+chanspec. I couldn't tell if it was some unsupported format or just a
+malformed value passed by a firmware.
+
+Print chanspec value so it's possible to debug a possible problem.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -128,7 +128,7 @@ static void brcmu_d11n_decchspec(struct
+ 		}
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ 
+@@ -140,7 +140,7 @@ static void brcmu_d11n_decchspec(struct
+ 		ch->band = BRCMU_CHAN_BAND_2G;
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ }
+@@ -167,7 +167,7 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->sb = BRCMU_CHAN_SB_U;
+ 			ch->control_ch_num += CH_10MHZ_APART;
+ 		} else {
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_80:
+@@ -188,7 +188,7 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->control_ch_num += CH_30MHZ_APART;
+ 			break;
+ 		default:
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 			break;
+ 		}
+ 		break;
+@@ -222,13 +222,13 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->control_ch_num += CH_70MHZ_APART;
+ 			break;
+ 		default:
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 			break;
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ 
+@@ -240,7 +240,7 @@ static void brcmu_d11ac_decchspec(struct
+ 		ch->band = BRCMU_CHAN_BAND_2G;
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ }

package/kernel/mac80211/patches/381-v4.21-0001-brcmfmac-support-STA-info-struct-v7.patch

@@ -0,0 +1,78 @@
+From a4dad0334732f62c67058037d9edb17945bec598 Mon Sep 17 00:00:00 2001
+From: Dan Haab <riproute@gmail.com>
+Date: Fri, 9 Nov 2018 09:38:55 -0700
+Subject: [PATCH] brcmfmac: support STA info struct v7
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The newest firmwares provide STA info using v7 of the struct. As v7
+isn't backward compatible, a union is needed.
+
+Even though brcmfmac does not use any of the new info it's important to
+provide the proper struct buffer. Without this change new firmwares will
+fallback to the very limited v3 instead of something in between such as
+v4.
+
+Signed-off-by: Dan Haab <dan.haab@luxul.com>
+Reviewed-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 40 ++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -176,6 +176,8 @@
+ 
+ #define BRCMF_VHT_CAP_MCS_MAP_NSS_MAX	8
+ 
++#define BRCMF_HE_CAP_MCS_MAP_NSS_MAX	8
++
+ /* MAX_CHUNK_LEN is the maximum length for data passing to firmware in each
+  * ioctl. It is relatively small because firmware has small maximum size input
+  * playload restriction for ioctls.
+@@ -601,13 +603,37 @@ struct brcmf_sta_info_le {
+ 	__le32 rx_pkts_retried;        /* # rx with retry bit set */
+ 	__le32 tx_rate_fallback;       /* lowest fallback TX rate */
+ 
+-	/* Fields valid for ver >= 5 */
+-	struct {
+-		__le32 count;					/* # rates in this set */
+-		u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
+-		u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
+-		__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
+-	} rateset_adv;
++	union {
++		struct {
++			struct {
++				__le32 count;					/* # rates in this set */
++				u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++				u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++				__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++			} rateset_adv;
++		} v5;
++
++		struct {
++			__le32 rx_dur_total;	/* total user RX duration (estimated) */
++			__le16 chanspec;	/** chanspec this sta is on */
++			__le16 pad_1;
++			struct {
++				__le16 version;					/* version */
++				__le16 len;					/* length */
++				__le32 count;					/* # rates in this set */
++				u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++				u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++				__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++				__le16 he_mcs[BRCMF_HE_CAP_MCS_MAP_NSS_MAX];	/* supported he mcs index bit map per nss */
++			} rateset_adv;		/* rateset along with mcs index bitmap */
++			__le16 wpauth;		/* authentication type */
++			u8 algo;		/* crypto algorithm */
++			u8 pad_2;
++			__le32 tx_rspec;	/* Rate of last successful tx frame */
++			__le32 rx_rspec;	/* Rate of last successful rx frame */
++			__le32 wnm_cap;		/* wnm capabilities */
++		} v7;
++	};
+ };
+ 
+ struct brcmf_chanspec_list {

package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch

@@ -0,0 +1,38 @@
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
+Date: Mon, 13 Aug 2018 14:16:25 +0200
+Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering
+ interfaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TXQ teardown code can reference the vif data structures that are
+stored in the netdev private memory area if there are still packets on
+the queue when it is being freed. Since the TXQ teardown code is run
+after the netdevs are freed, this can lead to a use-after-free. Fix this
+by moving the TXQ teardown code to earlier in ieee80211_unregister_hw().
+
+Reported-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee
+ #if IS_ENABLED(__disabled__CONFIG_IPV6)
+ 	unregister_inet6addr_notifier(&local->ifa6_notifier);
+ #endif
++	ieee80211_txq_teardown_flows(local);
+ 
+ 	rtnl_lock();
+ 
+@@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee
+ 	skb_queue_purge(&local->skb_queue);
+ 	skb_queue_purge(&local->skb_queue_unreliable);
+ 	skb_queue_purge(&local->skb_queue_tdls_chsw);
+-	ieee80211_txq_teardown_flows(local);
+ 
+ 	destroy_workqueue(local->workqueue);
+ 	wiphy_unregister(local->hw.wiphy);

package/kernel/mac80211/patches/383-mac80211-mesh-fix-HWMP-sequence-numbering-to-follow-.patch

@@ -0,0 +1,28 @@
+From: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Date: Wed, 29 Aug 2018 09:30:08 +0800
+Subject: [PATCH] mac80211: mesh: fix HWMP sequence numbering to follow
+ standard
+
+IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says:
+If it is a target mesh STA, it shall update its own HWMP SN to
+maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1
+immediately before it generates a PREP element in response to a
+PREQ element.
+
+Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(stru
+ 		forward = false;
+ 		reply = true;
+ 		target_metric = 0;
++
++		if (SN_GT(target_sn, ifmsh->sn))
++			ifmsh->sn = target_sn;
++
+ 		if (time_after(jiffies, ifmsh->last_sn_update +
+ 					net_traversal_jiffies(sdata)) ||
+ 		    time_before(jiffies, ifmsh->last_sn_update)) {

package/kernel/mac80211/patches/384-mac80211-avoid-kernel-panic-when-building-AMSDU-from.patch

@@ -0,0 +1,102 @@
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Wed, 29 Aug 2018 08:57:02 +0200
+Subject: [PATCH] mac80211: avoid kernel panic when building AMSDU from
+ non-linear SKB
+
+When building building AMSDU from non-linear SKB, we hit a
+kernel panic when trying to push the padding to the tail.
+Instead, put the padding at the head of the next subframe.
+This also fixes the A-MSDU subframes to not have the padding
+accounted in the length field and not have pad at all for
+the last subframe, both required by the spec.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Reviewed-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3064,27 +3064,18 @@ void ieee80211_clear_fast_xmit(struct st
+ }
+ 
+ static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
+-					struct sk_buff *skb, int headroom,
+-					int *subframe_len)
++					struct sk_buff *skb, int headroom)
+ {
+-	int amsdu_len = *subframe_len + sizeof(struct ethhdr);
+-	int padding = (4 - amsdu_len) & 3;
+-
+-	if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
++	if (skb_headroom(skb) < headroom) {
+ 		I802_DEBUG_INC(local->tx_expand_skb_head);
+ 
+-		if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
++		if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
+ 			wiphy_debug(local->hw.wiphy,
+ 				    "failed to reallocate TX buffer\n");
+ 			return false;
+ 		}
+ 	}
+ 
+-	if (padding) {
+-		*subframe_len += padding;
+-		skb_put_zero(skb, padding);
+-	}
+-
+ 	return true;
+ }
+ 
+@@ -3108,8 +3099,7 @@ static bool ieee80211_amsdu_prepare_head
+ 	if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
+ 		return true;
+ 
+-	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
+-					 &subframe_len))
++	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
+ 		return false;
+ 
+ 	data = skb_push(skb, sizeof(*amsdu_hdr));
+@@ -3176,7 +3166,8 @@ static bool ieee80211_amsdu_aggregate(st
+ 	void *data;
+ 	bool ret = false;
+ 	unsigned int orig_len;
+-	int n = 1, nfrags;
++	int n = 1, nfrags, pad = 0;
++	u16 hdrlen;
+ 
+ 	if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
+ 		return false;
+@@ -3228,8 +3219,19 @@ static bool ieee80211_amsdu_aggregate(st
+ 	if (max_frags && nfrags > max_frags)
+ 		goto out;
+ 
+-	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
+-					 &subframe_len))
++	/*
++	 * Pad out the previous subframe to a multiple of 4 by adding the
++	 * padding to the next one, that's being added. Note that head->len
++	 * is the length of the full A-MSDU, but that works since each time
++	 * we add a new subframe we pad out the previous one to a multiple
++	 * of 4 and thus it no longer matters in the next round.
++	 */
++	hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
++	if ((head->len - hdrlen) & 3)
++		pad = 4 - ((head->len - hdrlen) & 3);
++
++	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
++						     2 + pad))
+ 		goto out;
+ 
+ 	ret = true;
+@@ -3241,6 +3243,8 @@ static bool ieee80211_amsdu_aggregate(st
+ 	memcpy(data, &len, 2);
+ 	memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
+ 
++	memset(skb_push(skb, pad), 0, pad);
++
+ 	head->len += skb->len;
+ 	head->data_len += skb->len;
+ 	*frag_tail = skb;

package/kernel/mac80211/patches/385-cfg80211-nl80211_update_ft_ies-to-validate-NL80211_A.patch

@@ -0,0 +1,27 @@
+From: Arunk Khandavalli <akhandav@codeaurora.org>
+Date: Thu, 30 Aug 2018 00:40:16 +0300
+Subject: [PATCH] cfg80211: nl80211_update_ft_ies() to validate
+ NL80211_ATTR_IE
+
+nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with
+is_valid_ie_attr() before dereferencing it, but that helper function
+returns true in case of NULL pointer (i.e., attribute not included).
+This can result to dereferencing a NULL pointer. Fix that by explicitly
+checking that NL80211_ATTR_IE is included.
+
+Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition")
+Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11763,6 +11763,7 @@ static int nl80211_update_ft_ies(struct
+ 		return -EOPNOTSUPP;
+ 
+ 	if (!info->attrs[NL80211_ATTR_MDID] ||
++	    !info->attrs[NL80211_ATTR_IE] ||
+ 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
+ 		return -EINVAL;
+ 

package/kernel/mac80211/patches/386-mac80211-do-not-convert-to-A-MSDU-if-frag-subframe-l.patch

@@ -0,0 +1,37 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 29 Aug 2018 21:03:25 +0200
+Subject: [PATCH] mac80211: do not convert to A-MSDU if frag/subframe
+ limited
+
+Do not start to aggregate packets in a A-MSDU frame (converting the
+first subframe to A-MSDU, adding the header) if max_tx_fragments or
+max_amsdu_subframes limits are already exceeded by it. In particular,
+this happens when drivers set the limit to 1 to avoid A-MSDUs at all.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+[reword commit message to be more precise]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3201,9 +3201,6 @@ static bool ieee80211_amsdu_aggregate(st
+ 	if (skb->len + head->len > max_amsdu_len)
+ 		goto unlock;
+ 
+-	if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
+-		goto out;
+-
+ 	nfrags = 1 + skb_shinfo(skb)->nr_frags;
+ 	nfrags += 1 + skb_shinfo(head)->nr_frags;
+ 	frag_tail = &skb_shinfo(head)->frag_list;
+@@ -3219,6 +3216,9 @@ static bool ieee80211_amsdu_aggregate(st
+ 	if (max_frags && nfrags > max_frags)
+ 		goto out;
+ 
++	if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
++		goto out;
++
+ 	/*
+ 	 * Pad out the previous subframe to a multiple of 4 by adding the
+ 	 * padding to the next one, that's being added. Note that head->len

package/kernel/mac80211/patches/387-mac80211-always-account-for-A-MSDU-header-changes.patch

@@ -0,0 +1,51 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 30 Aug 2018 10:55:49 +0200
+Subject: [PATCH] mac80211: always account for A-MSDU header changes
+
+In the error path of changing the SKB headroom of the second
+A-MSDU subframe, we would not account for the already-changed
+length of the first frame that just got converted to be in
+A-MSDU format and thus is a bit longer now.
+
+Fix this by doing the necessary accounting.
+
+It would be possible to reorder the operations, but that would
+make the code more complex (to calculate the necessary pad),
+and the headroom expansion should not fail frequently enough
+to make that worthwhile.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3232,7 +3232,7 @@ static bool ieee80211_amsdu_aggregate(st
+ 
+ 	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
+ 						     2 + pad))
+-		goto out;
++		goto out_recalc;
+ 
+ 	ret = true;
+ 	data = skb_push(skb, ETH_ALEN + 2);
+@@ -3249,11 +3249,13 @@ static bool ieee80211_amsdu_aggregate(st
+ 	head->data_len += skb->len;
+ 	*frag_tail = skb;
+ 
+-	flow->backlog += head->len - orig_len;
+-	tin->backlog_bytes += head->len - orig_len;
+-
+-	fq_recalc_backlog(fq, tin, flow);
++out_recalc:
++	if (head->len != orig_len) {
++		flow->backlog += head->len - orig_len;
++		tin->backlog_bytes += head->len - orig_len;
+ 
++		fq_recalc_backlog(fq, tin, flow);
++	}
+ out:
+ 	fq->memory_usage += head->truesize - orig_truesize;
+ 

package/kernel/mac80211/patches/388-mac80211-fix-an-off-by-one-issue-in-A-MSDU-max_subfr.patch

@@ -0,0 +1,26 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Fri, 31 Aug 2018 01:04:13 +0200
+Subject: [PATCH] mac80211: fix an off-by-one issue in A-MSDU
+ max_subframe computation
+
+Initialize 'n' to 2 in order to take into account also the first
+packet in the estimation of max_subframe limit for a given A-MSDU
+since frag_tail pointer is NULL when ieee80211_amsdu_aggregate
+routine analyzes the second frame.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3166,7 +3166,7 @@ static bool ieee80211_amsdu_aggregate(st
+ 	void *data;
+ 	bool ret = false;
+ 	unsigned int orig_len;
+-	int n = 1, nfrags, pad = 0;
++	int n = 2, nfrags, pad = 0;
+ 	u16 hdrlen;
+ 
+ 	if (!ieee80211_hw_check(&local->hw, TX_AMSDU))

package/kernel/mac80211/patches/389-cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_op.patch

@@ -0,0 +1,33 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 31 Aug 2018 11:10:55 +0300
+Subject: [PATCH] cfg80211: fix a type issue in
+ ieee80211_chandef_to_operating_class()
+
+The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we
+are truncating away the high bits.  I noticed this bug because in commit
+9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6")
+we made "freq <= 56160 + 2160 * 6" a valid requency when before it was
+only "freq <= 56160 + 2160 * 4" that was valid.  It introduces a static
+checker warning:
+
+    net/wireless/util.c:1571 ieee80211_chandef_to_operating_class()
+    warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)'
+
+But really we probably shouldn't have been truncating the high bits
+away to begin with.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1377,7 +1377,7 @@ bool ieee80211_chandef_to_operating_clas
+ 					  u8 *op_class)
+ {
+ 	u8 vht_opclass;
+-	u16 freq = chandef->center_freq1;
++	u32 freq = chandef->center_freq1;
+ 
+ 	if (freq >= 2412 && freq <= 2472) {
+ 		if (chandef->width > NL80211_CHAN_WIDTH_40)

package/kernel/mac80211/patches/390-mac80211-fix-a-race-between-restart-and-CSA-flows.patch

@@ -0,0 +1,86 @@
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:06 +0300
+Subject: [PATCH] mac80211: fix a race between restart and CSA flows
+
+We hit a problem with iwlwifi that was caused by a bug in
+mac80211. A bug in iwlwifi caused the firwmare to crash in
+certain cases in channel switch. Because of that bug,
+drv_pre_channel_switch would fail and trigger the restart
+flow.
+Now we had the hw restart worker which runs on the system's
+workqueue and the csa_connection_drop_work worker that runs
+on mac80211's workqueue that can run together. This is
+obviously problematic since the restart work wants to
+reconfigure the connection, while the csa_connection_drop_work
+worker does the exact opposite: it tries to disconnect.
+
+Fix this by cancelling the csa_connection_drop_work worker
+in the restart worker.
+
+Note that this can sound racy: we could have:
+
+driver   iface_work   CSA_work   restart_work
++++++++++++++++++++++++++++++++++++++++++++++
+              |
+ <--drv_cs ---|
+<FW CRASH!>
+-CS FAILED-->
+              |                       |
+              |                 cancel_work(CSA)
+           schedule                   |
+           CSA work                   |
+                         |            |
+                        Race between those 2
+
+But this is not possible because we flush the workqueue
+in the restart worker before we cancel the CSA worker.
+That would be bullet proof if we could guarantee that
+we schedule the CSA worker only from the iface_work
+which runs on the workqueue (and not on the system's
+workqueue), but unfortunately we do have an instance
+in which we schedule the CSA work outside the context
+of the workqueue (ieee80211_chswitch_done).
+
+Note also that we should probably cancel other workers
+like beacon_connection_loss_work and possibly others
+for different types of interfaces, at the very least,
+IBSS should suffer from the exact same problem, but for
+now, do the minimum to fix the actual bug that was actually
+experienced and reproduced.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -255,8 +255,27 @@ static void ieee80211_restart_work(struc
+ 
+ 	flush_work(&local->radar_detected_work);
+ 	rtnl_lock();
+-	list_for_each_entry(sdata, &local->interfaces, list)
++	list_for_each_entry(sdata, &local->interfaces, list) {
++		/*
++		 * XXX: there may be more work for other vif types and even
++		 * for station mode: a good thing would be to run most of
++		 * the iface type's dependent _stop (ieee80211_mg_stop,
++		 * ieee80211_ibss_stop) etc...
++		 * For now, fix only the specific bug that was seen: race
++		 * between csa_connection_drop_work and us.
++		 */
++		if (sdata->vif.type == NL80211_IFTYPE_STATION) {
++			/*
++			 * This worker is scheduled from the iface worker that
++			 * runs on mac80211's workqueue, so we can't be
++			 * scheduling this worker after the cancel right here.
++			 * The exception is ieee80211_chswitch_done.
++			 * Then we can have a race...
++			 */
++			cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work);
++		}
+ 		flush_delayed_work(&sdata->dec_tailroom_needed_wk);
++	}
+ 	ieee80211_scan_cancel(local);
+ 
+ 	/* make sure any new ROC will consider local->in_reconfig */

package/kernel/mac80211/patches/391-mac80211-Fix-station-bandwidth-setting-after-channel.patch

@@ -0,0 +1,96 @@
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 31 Aug 2018 11:31:10 +0300
+Subject: [PATCH] mac80211: Fix station bandwidth setting after channel
+ switch
+
+When performing a channel switch flow for a managed interface, the
+flow did not update the bandwidth of the AP station and the rate
+scale algorithm. In case of a channel width downgrade, this would
+result with the rate scale algorithm using a bandwidth that does not
+match the interface channel configuration.
+
+Fix this by updating the AP station bandwidth and rate scaling algorithm
+before the actual channel change in case of a bandwidth downgrade, or
+after the actual channel change in case of a bandwidth upgrade.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -975,6 +975,10 @@ static void ieee80211_chswitch_work(stru
+ 	 */
+ 
+ 	if (sdata->reserved_chanctx) {
++		struct ieee80211_supported_band *sband = NULL;
++		struct sta_info *mgd_sta = NULL;
++		enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20;
++
+ 		/*
+ 		 * with multi-vif csa driver may call ieee80211_csa_finish()
+ 		 * many times while waiting for other interfaces to use their
+@@ -983,6 +987,48 @@ static void ieee80211_chswitch_work(stru
+ 		if (sdata->reserved_ready)
+ 			goto out;
+ 
++		if (sdata->vif.bss_conf.chandef.width !=
++		    sdata->csa_chandef.width) {
++			/*
++			 * For managed interface, we need to also update the AP
++			 * station bandwidth and align the rate scale algorithm
++			 * on the bandwidth change. Here we only consider the
++			 * bandwidth of the new channel definition (as channel
++			 * switch flow does not have the full HT/VHT/HE
++			 * information), assuming that if additional changes are
++			 * required they would be done as part of the processing
++			 * of the next beacon from the AP.
++			 */
++			switch (sdata->csa_chandef.width) {
++			case NL80211_CHAN_WIDTH_20_NOHT:
++			case NL80211_CHAN_WIDTH_20:
++			default:
++				bw = IEEE80211_STA_RX_BW_20;
++				break;
++			case NL80211_CHAN_WIDTH_40:
++				bw = IEEE80211_STA_RX_BW_40;
++				break;
++			case NL80211_CHAN_WIDTH_80:
++				bw = IEEE80211_STA_RX_BW_80;
++				break;
++			case NL80211_CHAN_WIDTH_80P80:
++			case NL80211_CHAN_WIDTH_160:
++				bw = IEEE80211_STA_RX_BW_160;
++				break;
++			}
++
++			mgd_sta = sta_info_get(sdata, ifmgd->bssid);
++			sband =
++				local->hw.wiphy->bands[sdata->csa_chandef.chan->band];
++		}
++
++		if (sdata->vif.bss_conf.chandef.width >
++		    sdata->csa_chandef.width) {
++			mgd_sta->sta.bandwidth = bw;
++			rate_control_rate_update(local, sband, mgd_sta,
++						 IEEE80211_RC_BW_CHANGED);
++		}
++
+ 		ret = ieee80211_vif_use_reserved_context(sdata);
+ 		if (ret) {
+ 			sdata_info(sdata,
+@@ -993,6 +1039,13 @@ static void ieee80211_chswitch_work(stru
+ 			goto out;
+ 		}
+ 
++		if (sdata->vif.bss_conf.chandef.width <
++		    sdata->csa_chandef.width) {
++			mgd_sta->sta.bandwidth = bw;
++			rate_control_rate_update(local, sband, mgd_sta,
++						 IEEE80211_RC_BW_CHANGED);
++		}
++
+ 		goto out;
+ 	}
+ 

package/kernel/mac80211/patches/392-mac80211-don-t-Tx-a-deauth-frame-if-the-AP-forbade-T.patch

@@ -0,0 +1,78 @@
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:12 +0300
+Subject: [PATCH] mac80211: don't Tx a deauth frame if the AP forbade Tx
+
+If the driver fails to properly prepare for the channel
+switch, mac80211 will disconnect. If the CSA IE had mode
+set to 1, it means that the clients are not allowed to send
+any Tx on the current channel, and that includes the
+deauthentication frame.
+
+Make sure that we don't send the deauthentication frame in
+this case.
+
+In iwlwifi, this caused a failure to flush queues since the
+firmware already closed the queues after having parsed the
+CSA IE. Then mac80211 would wait until the deauthentication
+frame would go out (drv_flush(drop=false)) and that would
+never happen.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1267,6 +1267,16 @@ ieee80211_sta_process_chanswitch(struct
+ 					 cbss->beacon_interval));
+ 	return;
+  drop_connection:
++	/*
++	 * This is just so that the disconnect flow will know that
++	 * we were trying to switch channel and failed. In case the
++	 * mode is 1 (we are not allowed to Tx), we will know not to
++	 * send a deauthentication frame. Those two fields will be
++	 * reset when the disconnection worker runs.
++	 */
++	sdata->vif.csa_active = true;
++	sdata->csa_block_tx = csa_ie.mode;
++
+ 	ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
+ 	mutex_unlock(&local->chanctx_mtx);
+ 	mutex_unlock(&local->mtx);
+@@ -2437,6 +2447,7 @@ static void __ieee80211_disconnect(struc
+ 	struct ieee80211_local *local = sdata->local;
+ 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+ 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
++	bool tx;
+ 
+ 	sdata_lock(sdata);
+ 	if (!ifmgd->associated) {
+@@ -2444,6 +2455,8 @@ static void __ieee80211_disconnect(struc
+ 		return;
+ 	}
+ 
++	tx = !sdata->csa_block_tx;
++
+ 	/* AP is probably out of range (or not reachable for another reason) so
+ 	 * remove the bss struct for that AP.
+ 	 */
+@@ -2451,7 +2464,7 @@ static void __ieee80211_disconnect(struc
+ 
+ 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
+ 			       WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
+-			       true, frame_buf);
++			       tx, frame_buf);
+ 	mutex_lock(&local->mtx);
+ 	sdata->vif.csa_active = false;
+ 	ifmgd->csa_waiting_bcn = false;
+@@ -2462,7 +2475,7 @@ static void __ieee80211_disconnect(struc
+ 	}
+ 	mutex_unlock(&local->mtx);
+ 
+-	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
++	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
+ 				    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
+ 
+ 	sdata_unlock(sdata);

package/kernel/mac80211/patches/393-mac80211-shorten-the-IBSS-debug-messages.patch

@@ -0,0 +1,74 @@
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:13 +0300
+Subject: [PATCH] mac80211: shorten the IBSS debug messages
+
+When tracing is enabled, all the debug messages are recorded and must
+not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the
+user with:
+
+WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+Workqueue: phy1 ieee80211_iface_work [mac80211]
+ RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+ Call Trace:
+  __sdata_dbg+0xbd/0x120 [mac80211]
+  ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211]
+  ieee80211_iface_work+0x21d/0x320 [mac80211]
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibs
+ 	if (len < IEEE80211_DEAUTH_FRAME_LEN)
+ 		return;
+ 
+-	ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n",
+-		 mgmt->sa, mgmt->da, mgmt->bssid, reason);
++	ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++	ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason);
+ 	sta_info_destroy_addr(sdata, mgmt->sa);
+ }
+ 
+@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss(
+ 	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
+ 	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
+ 
+-	ibss_dbg(sdata,
+-		 "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n",
+-		 mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction);
++	ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++	ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n",
++		 mgmt->bssid, auth_transaction);
+ 
+ 	if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1)
+ 		return;
+@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct
+ 		rx_timestamp = drv_get_tsf(local, sdata);
+ 	}
+ 
+-	ibss_dbg(sdata,
+-		 "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n",
++	ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n",
+ 		 mgmt->sa, mgmt->bssid,
+-		 (unsigned long long)rx_timestamp,
++		 (unsigned long long)rx_timestamp);
++	ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n",
+ 		 (unsigned long long)beacon_timestamp,
+ 		 (unsigned long long)(rx_timestamp - beacon_timestamp),
+ 		 jiffies);
+@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req(
+ 
+ 	tx_last_beacon = drv_tx_last_beacon(local);
+ 
+-	ibss_dbg(sdata,
+-		 "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n",
+-		 mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon);
++	ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++	ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n",
++		 mgmt->bssid, tx_last_beacon);
+ 
+ 	if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
+ 		return;

package/kernel/mac80211/patches/394-mac80211-allocate-TXQs-for-active-monitor-interfaces.patch

@@ -0,0 +1,26 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 22 Sep 2018 15:05:59 +0200
+Subject: [PATCH] mac80211: allocate TXQs for active monitor interfaces
+
+Monitor mode interfaces with the active flag are passed down to the driver.
+Drivers using TXQ expect that all interfaces have allocated TXQs before
+they get added.
+
+Fixes: 79af1f866193d ("mac80211: avoid allocating TXQs that won't be used")
+Cc: stable@vger.kernel.org
+Reported-by: Catrinel Catrinescu <cc@80211.de>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1816,7 +1816,8 @@ int ieee80211_if_add(struct ieee80211_lo
+ 
+ 		if (local->ops->wake_tx_queue &&
+ 		    type != NL80211_IFTYPE_AP_VLAN &&
+-		    type != NL80211_IFTYPE_MONITOR)
++		    (type != NL80211_IFTYPE_MONITOR ||
++		     (params->flags & MONITOR_FLAG_ACTIVE)))
+ 			txq_size += sizeof(struct txq_info) +
+ 				    local->hw.txq_data_size;
+ 

package/kernel/mac80211/patches/395-mac80211-fix-setting-IEEE80211_KEY_FLAG_RX_MGMT-for-.patch

@@ -0,0 +1,25 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 29 Sep 2018 15:55:44 +0200
+Subject: [PATCH] mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode
+ keys
+
+key->sta is only valid after ieee80211_key_link, which is called later
+in this function. Because of that, the IEEE80211_KEY_FLAG_RX_MGMT is
+never set when management frame protection is enabled.
+
+Fixes: e548c49e6dc6b ("mac80211: add key flag for management keys")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -426,7 +426,7 @@ static int ieee80211_add_key(struct wiph
+ 	case NL80211_IFTYPE_AP:
+ 	case NL80211_IFTYPE_AP_VLAN:
+ 		/* Keys without a station are used for TX only */
+-		if (key->sta && test_sta_flag(key->sta, WLAN_STA_MFP))
++		if (sta && test_sta_flag(sta, WLAN_STA_MFP))
+ 			key->conf.flags |= IEEE80211_KEY_FLAG_RX_MGMT;
+ 		break;
+ 	case NL80211_IFTYPE_ADHOC:

package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch

@@ -0,0 +1,31 @@
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Thu, 11 Oct 2018 14:21:21 +0200
+Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
+
+mac80211 uses the frag list to build AMSDU. When freeing
+the skb, it may not be really freed, since someone is still
+holding a reference to it.
+In that case, when TCP skb is being retransmitted, the
+pointer to the frag list is being reused, while the data
+in there is no longer valid.
+Since we will never get frag list from the network stack,
+as mac80211 doesn't advertise the capability, we can safely
+free and nullify it before releasing the SKB.
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+---
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -550,6 +550,11 @@ static void ieee80211_report_used_skb(st
+ 	}
+ 
+ 	ieee80211_led_tx(local);
++
++	if (skb_has_frag_list(skb)) {
++		kfree_skb_list(skb_shinfo(skb)->frag_list);
++		skb_shinfo(skb)->frag_list = NULL;
++	}
+ }
+ 
+ /*