OpenWrt v18.06.7: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

.gitignore

@@ -16,6 +16,7 @@
 /overlay
 /package/feeds
 /package/openwrt-packages
+/*.patch
 key-build*
 *.orig
 *.rej

Makefile

@@ -27,6 +27,8 @@ ifneq ($(OPENWRT_BUILD),1)
   export OPENWRT_BUILD
   GREP_OPTIONS=
   export GREP_OPTIONS
+  CDPATH=
+  export CDPATH
   include $(TOPDIR)/include/debug.mk
   include $(TOPDIR)/include/depends.mk
   include $(TOPDIR)/include/toplevel.mk
@@ -85,7 +87,7 @@ prereq: $(target/stamp-prereq) tmp/.prereq_packages
 	fi
 
 checksum: FORCE
-	$(call sha256sums,$(BIN_DIR))
+	$(call sha256sums,$(BIN_DIR),$(CONFIG_BUILDBOT))
 
 diffconfig: FORCE
 	mkdir -p $(BIN_DIR)

config/Config-build.in

@@ -34,6 +34,10 @@ menu "Global build settings"
 		bool "Cryptographically signed package lists"
 		default y
 
+	config SIGNATURE_CHECK
+		bool "Enable signature checking in opkg"
+		default SIGNED_PACKAGES
+
 	comment "General build options"
 
 	config DISPLAY_SUPPORT

config/Config-images.in

@@ -259,12 +259,12 @@ menu "Target Images"
 
 	config TARGET_KERNEL_PARTSIZE
 		int "Kernel partition size (in MB)"
-		depends on GRUB_IMAGES
+		depends on GRUB_IMAGES || USES_BOOT_PART
 		default 16
 
 	config TARGET_ROOTFS_PARTSIZE
 		int "Root filesystem partition size (in MB)"
-		depends on GRUB_IMAGES || TARGET_ROOTFS_EXT4FS || TARGET_rb532 || TARGET_mvebu || TARGET_uml
+		depends on GRUB_IMAGES || USES_ROOTFS_PART || TARGET_ROOTFS_EXT4FS || TARGET_rb532 || TARGET_mvebu || TARGET_uml
 		default 256
 		help
 		  Select the root filesystem partition size.

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^35e0b737ab496f5b51e80079b0d8c9b442e223f5
-src-git luci https://git.openwrt.org/project/luci.git^f64b1523447547032d5280fb0bcdde570f2ca913
-src-git routing https://git.openwrt.org/feed/routing.git^1b9d1c419f0ecefda51922a7845ab2183d6acd76
-src-git telephony https://git.openwrt.org/feed/telephony.git^b9d7b321d15a44c5abb9e5d43a4ec78abfd9031b
+src-git packages https://git.openwrt.org/feed/packages.git^925068d4f8366240d2aeb2d69b3df12382320ec3
+src-git luci https://git.openwrt.org/project/luci.git^41e2258d6dc1ebe8d3874ae6d6b13db49cff2c5c
+src-git routing https://git.openwrt.org/feed/routing.git^0e63ef9276bf41c0d4176127f9f047343b8ffe32
+src-git telephony https://git.openwrt.org/feed/telephony.git^8ecbdabc7c5cadbe571eb947f5cd333a5a785010

include/cmake.mk

@@ -7,8 +7,8 @@ ifneq ($(findstring c,$(OPENWRT_VERBOSE)),)
 endif
 
 CMAKE_BINARY_DIR = $(PKG_BUILD_DIR)$(if $(CMAKE_BINARY_SUBDIR),/$(CMAKE_BINARY_SUBDIR))
-CMAKE_SOURCE_DIR = $(PKG_BUILD_DIR)
-HOST_CMAKE_SOURCE_DIR = $(HOST_BUILD_DIR)
+CMAKE_SOURCE_DIR = $(PKG_BUILD_DIR)$(if $(CMAKE_SOURCE_SUBDIR),/$(CMAKE_SOURCE_SUBDIR))
+HOST_CMAKE_SOURCE_DIR = $(HOST_BUILD_DIR)$(if $(CMAKE_SOURCE_SUBDIR),/$(CMAKE_SOURCE_SUBDIR))
 MAKE_PATH = $(firstword $(CMAKE_BINARY_SUBDIR) .)
 
 ifeq ($(CONFIG_EXTERNAL_TOOLCHAIN),)

include/hardening.mk

@@ -18,7 +18,7 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
 endif
 ifdef CONFIG_PKG_ASLR_PIE
   ifeq ($(strip $(PKG_ASLR_PIE)),1)
-    TARGET_CFLAGS += -fPIC
+    TARGET_CFLAGS += $(FPIC)
     TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
   endif
 endif

include/host-build.mk

@@ -132,7 +132,7 @@ define Host/Exports/Default
   $(1) : export STAGING_PREFIX=$$(HOST_BUILD_PREFIX)
   $(1) : export PKG_CONFIG_PATH=$$(STAGING_DIR_HOST)/lib/pkgconfig:$$(HOST_BUILD_PREFIX)/lib/pkgconfig
   $(1) : export PKG_CONFIG_LIBDIR=$$(HOST_BUILD_PREFIX)/lib/pkgconfig
-  $(1) : export CCACHE_DIR:=$(STAGING_DIR_HOST)/ccache
+  $(if $(CONFIG_CCACHE),$(1) : export CCACHE_DIR:=$(STAGING_DIR_HOST)/ccache)
   $(if $(HOST_CONFIG_SITE),$(1) : export CONFIG_SITE:=$(HOST_CONFIG_SITE))
   $(if $(IS_PACKAGE_BUILD),$(1) : export PATH=$$(TARGET_PATH_PKG))
 endef

include/image.mk

@@ -321,6 +321,7 @@ define Device/Init
   CMDLINE:=
 
   IMAGES :=
+  ARTIFACTS :=
   IMAGE_PREFIX := $(IMG_PREFIX)-$(1)
   IMAGE_NAME = $$(IMAGE_PREFIX)-$$(1)-$$(2)
   KERNEL_PREFIX = $$(IMAGE_PREFIX)
@@ -498,6 +499,19 @@ define Device/Build/image
 
 endef
 
+define Device/Build/artifact
+  $$(_TARGET): $(BIN_DIR)/$(IMAGE_PREFIX)-$(1)
+  $(KDIR)/tmp/$(IMAGE_PREFIX)-$(1): $$(KDIR_KERNEL_IMAGE)
+	@rm -f $$@
+	$$(call concat_cmd,$(ARTIFACT/$(1)))
+
+  .IGNORE: $(BIN_DIR)/$(IMAGE_PREFIX)-$(1)
+
+  $(BIN_DIR)/$(IMAGE_PREFIX)-$(1): $(KDIR)/tmp/$(IMAGE_PREFIX)-$(1)
+	cp $$^ $$@
+
+endef
+
 define Device/Build
   $(if $(CONFIG_TARGET_ROOTFS_INITRAMFS),$(call Device/Build/initramfs,$(1)))
   $(call Device/Build/kernel,$(1))
@@ -508,6 +522,10 @@ define Device/Build
   $$(eval $$(foreach image,$$(IMAGES), \
     $$(foreach fs,$$(filter $(TARGET_FILESYSTEMS),$$(FILESYSTEMS)), \
       $$(call Device/Build/image,$$(fs),$$(image),$(1)))))
+
+  $$(eval $$(foreach artifact,$$(ARTIFACTS), \
+    $$(call Device/Build/artifact,$$(artifact))))
+
 endef
 
 define Device/DumpInfo
@@ -563,7 +581,7 @@ define BuildImage
 		$(call Image/Prepare)
 
     legacy-images-prepare-make: image_prepare
-		$(MAKE) legacy-images-prepare
+		$(MAKE) legacy-images-prepare BIN_DIR="$(BIN_DIR)"
 
   else
     image_prepare:
@@ -587,7 +605,7 @@ define BuildImage
 
   legacy-images-make: install-images
 	$(call Image/mkfs/ubifs/legacy)
-	$(MAKE) legacy-images
+	$(MAKE) legacy-images BIN_DIR="$(BIN_DIR)"
 
   install: install-images
 	$(call Image/Manifest)

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .120
-LINUX_VERSION-4.14 = .63
+LINUX_VERSION-4.9 = .211
+LINUX_VERSION-4.14 = .167
 
-LINUX_KERNEL_HASH-4.9.120 = d75af506865edc8145a344c4e73c3bb1000e6c9f1c3489b8dae47ca8f033fd91
-LINUX_KERNEL_HASH-4.14.63 = cd2e52f0e7ba861afa91cf487b2f45e5174115870f256a1d65996647b7bcc6d3
+LINUX_KERNEL_HASH-4.9.211 = 2597608d5d974cfdc015eaf6a4197b36f19d722b8a309b57e741fb02e311b1be
+LINUX_KERNEL_HASH-4.14.167 = 2bb78fc7a902faf4f5dad47fdbc2f4bf3df3cf9b41f408e7260f36656659fe43
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/kernel.mk

@@ -60,9 +60,8 @@ else
   LINUX_KERNEL:=$(KERNEL_BUILD_DIR)/vmlinux
 
   LINUX_SOURCE:=linux-$(LINUX_VERSION).tar.xz
-  TESTING:=$(if $(findstring -rc,$(LINUX_VERSION)),/testing,)
   ifeq ($(call qstrip,$(CONFIG_EXTERNAL_KERNEL_TREE))$(call qstrip,$(CONFIG_KERNEL_GIT_CLONE_URI)),)
-      LINUX_SITE:=@KERNEL/linux/kernel/v$(word 1,$(subst ., ,$(KERNEL_BASE))).x$(TESTING)
+      LINUX_SITE:=@KERNEL/linux/kernel/v$(word 1,$(subst ., ,$(KERNEL_BASE))).x
   else
       LINUX_UNAME_VERSION:=$(strip $(shell cat $(LINUX_DIR)/include/config/kernel.release 2>/dev/null))
   endif
@@ -97,7 +96,7 @@ endif
 
 KERNEL_MAKE = $(MAKE) $(KERNEL_MAKEOPTS)
 
-KERNEL_MAKE_FLAGS := \
+KERNEL_MAKE_FLAGS = \
 	HOSTCFLAGS="$(HOST_CFLAGS) -Wall -Wmissing-prototypes -Wstrict-prototypes" \
 	CROSS_COMPILE="$(KERNEL_CROSS)" \
 	ARCH="$(LINUX_KARCH)" \
@@ -254,6 +253,7 @@ $(call KernelPackage/$(1)/config)
   $$(eval $$(call BuildPackage,kmod-$(1)))
 
   $$(IPKG_kmod-$(1)): $$(wildcard $$(FILES))
+
 endef
 
 version_filter=$(if $(findstring @,$(1)),$(shell $(SCRIPT_DIR)/package-metadata.pl version_filter $(KERNEL_PATCHVER) $(1)),$(1))

include/netfilter.mk

@@ -106,6 +106,7 @@ $(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_ph
 # filter
 
 $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
+$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_BPF, $(P_XT)xt_bpf))
 
 
 # ipopt
@@ -257,7 +258,11 @@ $(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE
 # tproxy
 
 $(eval $(call nf_add,IPT_TPROXY,CONFIG_NETFILTER_XT_MATCH_SOCKET, $(P_XT)xt_socket))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_SOCKET_IPV4, $(P_V4)nf_socket_ipv4, ge 4.10))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_SOCKET_IPV6, $(P_V6)nf_socket_ipv6, ge 4.10))
 $(eval $(call nf_add,IPT_TPROXY,CONFIG_NETFILTER_XT_TARGET_TPROXY, $(P_XT)xt_TPROXY))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_TPROXY_IPV4, $(P_V4)nf_tproxy_ipv4, ge 4.18))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_TPROXY_IPV6, $(P_V6)nf_tproxy_ipv6, ge 4.18))
 
 # led
 $(eval $(call nf_add,IPT_LED,CONFIG_NETFILTER_XT_TARGET_LED, $(P_XT)xt_LED))

include/package.mk

@@ -81,9 +81,10 @@ STAGING_FILES_LIST:=$(PKG_DIR_NAME)$(if $(BUILD_VARIANT),.$(BUILD_VARIANT),).lis
 define CleanStaging
 	rm -f $(STAMP_INSTALLED)
 	@-(\
-		cd "$(STAGING_DIR)"; \
-		if [ -f packages/$(STAGING_FILES_LIST) ]; then \
-			cat packages/$(STAGING_FILES_LIST) | xargs -r rm -f 2>/dev/null; \
+		if [ -f $(STAGING_DIR)/packages/$(STAGING_FILES_LIST) ]; then \
+			$(SCRIPT_DIR)/clean-package.sh \
+				"$(STAGING_DIR)/packages/$(STAGING_FILES_LIST)" \
+				"$(STAGING_DIR)"; \
 		fi; \
 	)
 endef
@@ -144,7 +145,7 @@ define Build/Exports/Default
   $(1) : export CONFIG_SITE:=$$(CONFIG_SITE)
   $(1) : export PKG_CONFIG_PATH:=$$(PKG_CONFIG_PATH)
   $(1) : export PKG_CONFIG_LIBDIR:=$$(PKG_CONFIG_PATH)
-  $(1) : export CCACHE_DIR:=$(STAGING_DIR)/ccache
+  $(if $(CONFIG_CCACHE),$(1) : export CCACHE_DIR:=$(STAGING_DIR)/ccache)
 endef
 Build/Exports=$(Build/Exports/Default)
 

include/prereq-build.mk

@@ -24,10 +24,10 @@ $(eval $(call TestHostCommand,case-sensitive-fs, \
 
 $(eval $(call TestHostCommand,proper-umask, \
 	Please build with umask 022 - other values produce broken packages, \
-	umask | grep -xE 00[012][012]))
+	umask | grep -xE 0?0[012][012]))
 
 $(eval $(call SetupHostCommand,gcc, \
-	Please install the GNU C Compiler (gcc) 4.8 or later \
+	Please install the GNU C Compiler (gcc) 4.8 or later, \
 	$(CC) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	gcc -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	gcc48 --version | grep gcc, \
@@ -46,7 +46,7 @@ $(eval $(call TestHostCommand,working-gcc, \
 		gcc -x c -o $(TMP_DIR)/a.out -))
 
 $(eval $(call SetupHostCommand,g++, \
-	Please install the GNU C++ Compiler (g++) 4.8 or later \
+	Please install the GNU C++ Compiler (g++) 4.8 or later, \
 	$(CXX) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	g++ -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
 	g++48 --version | grep g++, \
@@ -138,18 +138,15 @@ $(eval $(call SetupHostCommand,bzip2,Please install 'bzip2', \
 $(eval $(call SetupHostCommand,wget,Please install GNU 'wget', \
 	wget --version | grep GNU))
 
-$(eval $(call SetupHostCommand,time,Please install GNU 'time' or BusyBox 'time' that supports -f, \
-	gtime --version 2>&1 | grep GNU, \
-	time --version 2>&1 | grep GNU, \
-	busybox time 2>&1 | grep -- '-f FMT'))
-
 $(eval $(call SetupHostCommand,perl,Please install Perl 5.x, \
 	perl --version | grep "perl.*v5"))
 
+$(eval $(call CleanupPython3))
+
 $(eval $(call SetupHostCommand,python,Please install Python 2.x, \
-	python2.7 -V 2>&1 | grep Python, \
-	python2 -V 2>&1 | grep Python, \
-	python -V 2>&1 | grep Python))
+	python2.7 -V 2>&1 | grep 'Python 2.7', \
+	python2 -V 2>&1 | grep 'Python 2', \
+	python -V 2>&1 | grep 'Python 2'))
 
 $(eval $(call SetupHostCommand,git,Please install Git (git-core) >= 1.7.12.2, \
 	git --exec-path | xargs -I % -- grep -q -- --recursive %/git-submodule))

include/prereq.mk

@@ -66,6 +66,18 @@ define RequireHeader
   $$(eval $$(call Require,$(1),$(2)))
 endef
 
+define CleanupPython3
+  define Require/python3-cleanup
+	if [ -f "$(STAGING_DIR_HOST)/bin/python" ] && \
+		$(STAGING_DIR_HOST)/bin/python -V 2>&1 | \
+		grep -q 'Python 3'; then \
+			rm $(STAGING_DIR_HOST)/bin/python; \
+	fi
+  endef
+
+  $$(eval $$(call Require,python3-cleanup))
+endef
+
 define QuoteHostCommand
 '$(subst ','"'"',$(strip $(1)))'
 endef

include/rootfs.mk

@@ -90,6 +90,7 @@ define prepare_rootfs
 	rm -f $(1)/usr/lib/opkg/lists/*
 	rm -f $(1)/usr/lib/opkg/info/*.postinst*
 	rm -f $(1)/var/lock/*.lock
+	rm -rf $(1)/boot
 	$(call clean_ipkg,$(1))
 	$(call mklibs,$(1))
 endef

include/subdir.mk

@@ -43,7 +43,7 @@ log_make = \
 	 $(if $(BUILD_LOG), \
 		set -o pipefail; \
 		mkdir -p $(BUILD_LOG_DIR)/$(1)$(if $(4),/$(4));) \
-	env time -f "time: $(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2)\#%U\#%S\#%e" -- \
+	$(SCRIPT_DIR)/time.pl "time: $(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2)" \
 	$$(SUBMAKE) $(subdir_make_opts) $(if $(3),$(3)-)$(2) \
 		$(if $(BUILD_LOG),SILENT= 2>&1 | tee $(BUILD_LOG_DIR)/$(1)$(if $(4),/$(4))/$(if $(3),$(3)-)$(2).txt)
 

include/verbose.mk

@@ -54,7 +54,7 @@ ifeq ($(findstring s,$(OPENWRT_VERBOSE)),)
   else
     SILENT:=>/dev/null $(if $(findstring w,$(OPENWRT_VERBOSE)),,2>&1)
     export QUIET:=1
-    SUBMAKE=cmd() { $(SILENT) $(MAKE) -s $$* < /dev/null || { echo "make $$*: build failed. Please re-run make with -j1 V=s to see what's going on"; false; } } 8>&1 9>&2; cmd
+    SUBMAKE=cmd() { $(SILENT) $(MAKE) -s "$$@" < /dev/null || { echo "make $$*: build failed. Please re-run make with -j1 V=s or V=sc for a higher verbosity level to see what's going on"; false; } } 8>&1 9>&2; cmd
   endif
 
   .SILENT: $(MAKECMDGOALS)

include/version.mk

@@ -11,6 +11,7 @@
 # SOURCE_DATE_EPOCH:=x
 
 PKG_CONFIG_DEPENDS += \
+	CONFIG_VERSION_HOME_URL \
 	CONFIG_VERSION_BUG_URL \
 	CONFIG_VERSION_NUMBER \
 	CONFIG_VERSION_CODE \
@@ -25,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.1)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.7)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7258-5eb055306f)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7976-ca47026b7d)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.1)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.7)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
@@ -46,6 +47,9 @@ VERSION_MANUFACTURER_URL:=$(if $(VERSION_MANUFACTURER_URL),$(VERSION_MANUFACTURE
 VERSION_BUG_URL:=$(call qstrip,$(CONFIG_VERSION_BUG_URL))
 VERSION_BUG_URL:=$(if $(VERSION_BUG_URL),$(VERSION_BUG_URL),http://bugs.openwrt.org/)
 
+VERSION_HOME_URL:=$(call qstrip,$(CONFIG_VERSION_HOME_URL))
+VERSION_HOME_URL:=$(if $(VERSION_HOME_URL),$(VERSION_HOME_URL),http://openwrt.org/)
+
 VERSION_SUPPORT_URL:=$(call qstrip,$(CONFIG_VERSION_SUPPORT_URL))
 VERSION_SUPPORT_URL:=$(if $(VERSION_SUPPORT_URL),$(VERSION_SUPPORT_URL),http://forum.lede-project.org/)
 
@@ -100,6 +104,7 @@ VERSION_SED_SCRIPT:=$(SED) 's,%U,$(call sed_escape,$(VERSION_REPO)),g' \
 	-e 's,%M,$(call sed_escape,$(VERSION_MANUFACTURER)),g' \
 	-e 's,%m,$(call sed_escape,$(VERSION_MANUFACTURER_URL)),g' \
 	-e 's,%b,$(call sed_escape,$(VERSION_BUG_URL)),g' \
+	-e 's,%u,$(call sed_escape,$(VERSION_HOME_URL)),g' \
 	-e 's,%s,$(call sed_escape,$(VERSION_SUPPORT_URL)),g' \
 	-e 's,%P,$(call sed_escape,$(VERSION_PRODUCT)),g' \
 	-e 's,%h,$(call sed_escape,$(VERSION_HWREV)),g'

package/Makefile

@@ -84,8 +84,12 @@ $(curdir)/index: FORCE
 		mkdir -p $$d; \
 		cd $$d || continue; \
 		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages.manifest; \
-		grep -vE '^(Maintainer|LicenseFiles|Source|Require)' Packages.manifest > Packages && \
-			gzip -9nc Packages > Packages.gz; \
+		grep -vE '^(Maintainer|LicenseFiles|Source|Require)' Packages.manifest > Packages; \
+		case "$$(((64 + $$(stat -L -c%s Packages)) % 128))" in 110|111) \
+			$(call ERROR_MESSAGE,WARNING: Applying padding in $$d/Packages to workaround usign SHA-512 bug!); \
+			{ echo ""; echo ""; } >> Packages;; \
+		esac; \
+		gzip -9nc Packages > Packages.gz; \
 	); done
 ifdef CONFIG_SIGNED_PACKAGES
 	@echo Signing package index...

package/base-files/Makefile

@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/version.mk
 include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=192
+PKG_RELEASE:=194.3
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
@@ -49,6 +49,7 @@ define Package/base-files/conffiles
 /etc/config/system
 /etc/crontabs/
 /etc/dropbear/
+/etc/ethers
 /etc/group
 /etc/hosts
 /etc/inittab

package/base-files/files/bin/config_generate

@@ -15,10 +15,14 @@ generate_static_network() {
 		set network.loopback.proto='static'
 		set network.loopback.ipaddr='127.0.0.1'
 		set network.loopback.netmask='255.0.0.0'
-		delete network.globals
-		set network.globals='globals'
-		set network.globals.ula_prefix='auto'
 	EOF
+		[ -e /proc/sys/net/ipv6 ] && {
+			uci -q batch <<-EOF
+				delete network.globals
+				set network.globals='globals'
+				set network.globals.ula_prefix='auto'
+			EOF
+		}
 
 	if json_is_a dsl object; then
 		json_select dsl
@@ -81,12 +85,16 @@ generate_network() {
 		set network.$1.proto='none'
 	EOF
 
-	[ -n "$macaddr" ] && uci -q batch <<-EOF
-		delete network.$1_dev
-		set network.$1_dev='device'
-		set network.$1_dev.name='$ifname'
-		set network.$1_dev.macaddr='$macaddr'
-	EOF
+	if [ -n "$macaddr" ]; then
+		for name in $ifname; do
+			uci -q batch <<-EOF
+				delete network.$1_${name/./_}_dev
+				set network.$1_${name/./_}_dev='device'
+				set network.$1_${name/./_}_dev.name='$name'
+				set network.$1_${name/./_}_dev.macaddr='$macaddr'
+			EOF
+		done
+	fi
 
 	case "$protocol" in
 		static)
@@ -102,21 +110,23 @@ generate_network() {
 				set network.$1.proto='static'
 				set network.$1.ipaddr='$ipad'
 				set network.$1.netmask='$netm'
-				set network.$1.ip6assign='60'
 			EOF
+			[ -e /proc/sys/net/ipv6 ] && uci set network.$1.ip6assign='60'
 		;;
 
 		dhcp)
 			# fixup IPv6 slave interface if parent is a bridge
 			[ "$type" = "bridge" ] && ifname="br-$1"
 
-			uci -q batch <<-EOF
-				set network.$1.proto='dhcp'
-				delete network.${1}6
-				set network.${1}6='interface'
-				set network.${1}6.ifname='$ifname'
-				set network.${1}6.proto='dhcpv6'
-			EOF
+			uci set network.$1.proto='dhcp'
+			[ -e /proc/sys/net/ipv6 ] && {
+				uci -q batch <<-EOF
+					delete network.${1}6
+					set network.${1}6='interface'
+					set network.${1}6.ifname='$ifname'
+					set network.${1}6.proto='dhcpv6'
+				EOF
+			}
 		;;
 
 		pppoe)
@@ -124,12 +134,16 @@ generate_network() {
 				set network.$1.proto='pppoe'
 				set network.$1.username='username'
 				set network.$1.password='password'
-				set network.$1.ipv6='1'
-				delete network.${1}6
-				set network.${1}6='interface'
-				set network.${1}6.ifname='@${1}'
-				set network.${1}6.proto='dhcpv6'
 			EOF
+			[ -e /proc/sys/net/ipv6 ] && {
+				uci -q batch <<-EOF
+					set network.$1.ipv6='1'
+					delete network.${1}6
+					set network.${1}6='interface'
+					set network.${1}6.ifname='@${1}'
+					set network.${1}6.proto='dhcpv6'
+				EOF
+			}
 		;;
 	esac
 }

package/base-files/files/etc/ethers

@@ -0,0 +1,6 @@
+#
+#  Lookup man 5 ethers for syntax documentation
+#
+#  Examples :
+#	02:00:11:22:33:44	OpenWrt.lan
+#	02:00:11:22:33:44	192.168.1.1

package/base-files/files/etc/iproute2/ematch_map

@@ -0,0 +1,8 @@
+# lookup table for ematch kinds
+1	cmp
+2	nbyte
+3	u32
+4	meta
+7	canid
+8	ipset
+9	ipt

package/base-files/files/etc/profile

@@ -14,7 +14,11 @@ export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
 export HOME=${HOME:-/root}
 export PS1='\u@\h:\w\$ '
 
-[ "$TERM" = "xterm" ] && export PS1='\[\e]0;\u@\h: \w\a\]'$PS1
+case "$TERM" in
+	xterm*|rxvt*)
+		export PS1='\[\e]0;\u@\h: \w\a\]'$PS1
+		;;
+esac
 
 [ -x /bin/more ] || alias more=less
 [ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi

package/base-files/files/etc/rc.common

@@ -23,6 +23,7 @@ reload() {
 restart() {
 	trap '' TERM
 	stop "$@"
+	trap - TERM
 	start "$@"
 }
 

package/base-files/files/etc/services

@@ -29,8 +29,8 @@ kerberos	88/tcp		kerberos5 krb5 kerberos-sec
 kerberos	88/udp		kerberos5 krb5 kerberos-sec
 pop3		110/tcp
 pop3		110/udp
-sunrpc		111/tcp
-sunrpc		111/udp
+sunrpc		111/tcp		rpcbind
+sunrpc		111/udp		rpcbind
 auth		113/tcp		ident
 sftp		115/tcp
 nntp		119/tcp

package/base-files/files/lib/functions.sh

@@ -92,7 +92,7 @@ config_unset() {
 # config_get <section> <option>
 config_get() {
 	case "$3" in
-		"") eval echo "\${CONFIG_${1}_${2}:-\${4}}";;
+		"") eval echo "\"\${CONFIG_${1}_${2}:-\${4}}\"";;
 		*)  eval export ${NO_EXPORT:+-n} -- "${1}=\${CONFIG_${2}_${3}:-\${4}}";;
 	esac
 }
@@ -152,22 +152,27 @@ config_list_foreach() {
 
 default_prerm() {
 	local root="${IPKG_INSTROOT}"
-	local name
+	local pkgname="$(basename ${1%.*})"
+	local ret=0
 
-	name=$(basename ${1%.*})
-	[ -f "$root/usr/lib/opkg/info/${name}.prerm-pkg" ] && . "$root/usr/lib/opkg/info/${name}.prerm-pkg"
+	if [ -f "$root/usr/lib/opkg/info/${pkgname}.prerm-pkg" ]; then
+		( . "$root/usr/lib/opkg/info/${pkgname}.prerm-pkg" )
+		ret=$?
+	fi
 
 	local shell="$(which bash)"
-	for i in `cat "$root/usr/lib/opkg/info/${name}.list" | grep "^/etc/init.d/"`; do
+	for i in $(grep -s "^/etc/init.d/" "$root/usr/lib/opkg/info/${pkgname}.list"); do
 		if [ -n "$root" ]; then
 			${shell:-/bin/sh} "$root/etc/rc.common" "$root$i" disable
 		else
 			if [ "$PKG_UPGRADE" != "1" ]; then
 				"$i" disable
 			fi
-			"$i" stop || /bin/true
+			"$i" stop
 		fi
 	done
+
+	return $ret
 }
 
 add_group_and_user() {
@@ -229,10 +234,9 @@ default_postinst() {
 	if [ -z "$root" ] && grep -q -s "^/etc/uci-defaults/" "/usr/lib/opkg/info/${pkgname}.list"; then
 		. /lib/functions/system.sh
 		[ -d /tmp/.uci ] || mkdir -p /tmp/.uci
-		for i in $(sed -ne 's!^/etc/uci-defaults/!!p' "/usr/lib/opkg/info/${pkgname}.list"); do (
-			cd /etc/uci-defaults
-			[ -f "$i" ] && . ./"$i" && rm -f "$i"
-		) done
+		for i in $(grep -s "^/etc/uci-defaults/" "/usr/lib/opkg/info/${pkgname}.list"); do
+			( [ -f "$i" ] && cd "$(dirname $i)" && . "$i" ) && rm -f "$i"
+		done
 		uci commit
 	fi
 

package/base-files/files/lib/functions/network.sh

@@ -271,6 +271,11 @@ network_is_up()
 # 2: interface
 network_get_protocol() { __network_ifstatus "$1" "$2" ".proto"; }
 
+# determine the metric of the given logical interface
+# 1: destination variable
+# 2: interface
+network_get_metric() { __network_ifstatus "$1" "$2" ".metric"; }
+
 # determine the layer 3 linux network device of the given logical interface
 # 1: destination variable
 # 2: interface

package/base-files/files/lib/functions/system.sh

@@ -4,7 +4,7 @@ get_mac_binary() {
 	local path="$1"
 	local offset="$2"
 
-	if [ -z "$path" ]; then
+	if ! [ -e "$path" ]; then
 		echo "get_mac_binary: file $path not found!" >&2
 		return
 	fi
@@ -20,8 +20,7 @@ find_mtd_chardev() {
 	echo "${INDEX:+$PREFIX$INDEX}"
 }
 
-mtd_get_mac_ascii()
-{
+mtd_get_mac_ascii() {
 	local mtdname="$1"
 	local key="$2"
 	local part
@@ -39,6 +38,29 @@ mtd_get_mac_ascii()
 	[ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty"
 }
 
+mtd_get_mac_text() {
+	local mtdname=$1
+	local offset=$2
+	local part
+	local mac_dirty
+
+	part=$(find_mtd_part "$mtdname")
+	if [ -z "$part" ]; then
+		echo "mtd_get_mac_text: partition $mtdname not found!" >&2
+		return
+	fi
+
+	if [ -z "$offset" ]; then
+		echo "mtd_get_mac_text: offset missing!" >&2
+		return
+	fi
+
+	mac_dirty=$(dd if="$part" bs=1 skip="$offset" count=17 2>/dev/null)
+
+	# "canonicalize" mac
+	[ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty"
+}
+
 mtd_get_mac_binary() {
 	local mtdname="$1"
 	local offset="$2"
@@ -87,22 +109,19 @@ macaddr_add() {
 	echo $oui:$nic
 }
 
-macaddr_setbit_la()
-{
+macaddr_setbit_la() {
 	local mac=$1
 
 	printf "%02x:%s" $((0x${mac%%:*} | 0x02)) ${mac#*:}
 }
 
-macaddr_2bin()
-{
+macaddr_2bin() {
 	local mac=$1
 
 	echo -ne \\x${mac//:/\\x}
 }
 
-macaddr_canonicalize()
-{
+macaddr_canonicalize() {
 	local mac="$1"
 	local canon=""
 

package/base-files/files/lib/functions/uci-defaults.sh

@@ -481,6 +481,7 @@ _ucidef_set_led_timer() {
 
 	_ucidef_set_led_common "$1" "$2" "$3"
 
+	json_add_string type "$trigger_name"
 	json_add_string trigger "$trigger_name"
 	json_add_int delayon "$delayon"
 	json_add_int delayoff "$delayoff"

package/base-files/files/lib/upgrade/common.sh

@@ -222,6 +222,7 @@ default_do_upgrade() {
 	else
 		get_image "$1" "$2" | mtd write - "${PART_NAME:-image}"
 	fi
+	[ $? -ne 0 ] && exit 1
 }
 
 do_upgrade_stage2() {

package/base-files/files/sbin/sysupgrade

@@ -137,6 +137,7 @@ add_overlayfiles() {
 
 # hooks
 sysupgrade_image_check="fwtool_check_image platform_check_image"
+sysupgrade_pre_upgrade=""
 
 if [ $SAVE_OVERLAY = 1 ]; then
 	[ ! -d /overlay/upper/etc ] && {
@@ -165,6 +166,11 @@ do_save_conffiles() {
 	v "Saving config files..."
 	[ "$VERBOSE" -gt 1 ] && TAR_V="v" || TAR_V=""
 	tar c${TAR_V}zf "$conf_tar" -T "$CONFFILES" 2>/dev/null
+	if [ "$?" -ne 0 ]; then
+		echo "Failed to create the configuration backup."
+		rm -f "$conf_tar"
+		exit 1
+	fi
 
 	rm -f "$CONFFILES"
 }
@@ -198,7 +204,8 @@ type platform_check_image >/dev/null 2>/dev/null || {
 }
 
 case "$IMAGE" in
-	http://*)
+	http://*|\
+	https://*)
 		wget -O/tmp/sysupgrade.img "$IMAGE"
 		IMAGE=/tmp/sysupgrade.img
 		;;
@@ -263,6 +270,8 @@ else
 	rm -f /tmp/sysupgrade.always.overwrite.bootdisk.partmap
 fi
 
+run_hooks "" $sysupgrade_pre_upgrade
+
 install_bin /sbin/upgraded
 v "Commencing upgrade. Closing all shell sessions."
 

package/base-files/files/sbin/wifi

@@ -6,7 +6,7 @@
 
 usage() {
 	cat <<EOF
-Usage: $0 [config|down|reload|status]
+Usage: $0 [config|up|down|reload|status]
 enables (default), disables or configures devices not yet configured.
 EOF
 	exit 1
@@ -241,5 +241,6 @@ case "$1" in
 	reload) wifi_reload "$2";;
 	reload_legacy) wifi_reload_legacy "$2";;
 	--help|help) usage;;
-	*) ubus call network reload; wifi_updown "enable" "$2";;
+	''|up) ubus call network reload; wifi_updown "enable" "$2";;
+	*) usage; exit 1;;
 esac

package/base-files/files/usr/lib/os-release

@@ -4,7 +4,7 @@ ID="%d"
 ID_LIKE="lede openwrt"
 PRETTY_NAME="%D %V"
 VERSION_ID="%v"
-HOME_URL="%m"
+HOME_URL="%u"
 BUG_URL="%b"
 SUPPORT_URL="%s"
 BUILD_ID="%R"

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.1"
+		default "http://downloads.openwrt.org/releases/18.06.7"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:
@@ -202,6 +202,12 @@ if VERSIONOPT
 			 %P .. Product name or "Generic"
 			 %h .. Hardware revision or "v0"
 
+	config VERSION_HOME_URL
+		string
+		prompt "Release Homepage"
+		help
+			This is the release version homepage
+
 	config VERSION_MANUFACTURER
 		string
 		prompt "Manufacturer name"

package/boot/grub2/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=grub
 PKG_CPE_ID:=cpe:/a:gnu:grub2
 PKG_VERSION:=2.02
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/grub

package/boot/grub2/patches/300-CVE-2015-8370.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Fri, 13 Nov 2015 16:21:09 +0100
+Subject: [PATCH] Fix security issue when reading username and password
+
+  This patch fixes two integer underflows at:
+    * grub-core/lib/crypto.c
+    * grub-core/normal/auth.c
+
+Resolves: CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+---
+ grub-core/lib/crypto.c  | 2 +-
+ grub-core/normal/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    cur_len--;
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
+ 	  break;
+ 	}
+ 
+-      if (key == '\b')
++      if (key == '\b' && cur_len)
+ 	{
+ 	  if (cur_len)
+ 	    {

package/boot/uboot-envtools/files/ar71xx

@@ -57,7 +57,10 @@ sr3200|\
 t830|\
 tube2h|\
 wam250|\
-wndr3700|\
+wnr1000-v2|\
+wnr2000-v3|\
+wnr2200|\
+wnr612-v2|\
 xd3200)
 	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x10000" "0x10000"
 	;;
@@ -91,6 +94,12 @@ qihoo-c301)
 wi2a-ac200i)
 	ubootenv_add_uci_config "/dev/mtd4" "0x0" "0x8000" "0x10000"
 	;;
+wndr3700)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x20000" "0x10000"
+	;;
+wndr4300)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x40000" "0x20000"
+	;;
 esac
 
 config_load ubootenv

package/boot/uboot-fritz4040/Makefile

@@ -12,7 +12,7 @@ PKG_SOURCE_URL:=https://github.com/chunkeey/FritzBox-4040-UBOOT
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_VERSION:=6946ebbaf7b12a4a092d763c8f0c87a25984f103
 PKG_SOURCE_DATE:=2017-01-29
-PKG_MIRROR_HASH:=5c2394f51a083dca2a2bf9cb36fa717f252112fc792c9eeae64f6383ad08987b
+PKG_MIRROR_HASH:=4f3f5d9e3f047910d2bbd31325cc622c3dd64662c20ea740b27ac4bef9736a34
 
 PKG_RELEASE:=1
 
@@ -21,11 +21,12 @@ include $(INCLUDE_DIR)/package.mk
 
 define U-Boot/Default
   BUILD_TARGET:=ipq40xx
-  UBOOT_IMAGE:=uboot-fritz4040.bin
 endef
 
 define U-Boot/fritz4040
   NAME:=FritzBox 4040
+  UBOOT_IMAGE:=uboot-fritz4040.bin
+  BUILD_DEVICES:=avm_fritzbox-4040
 endef
 
 UBOOT_CONFIGURE_VARS += USE_PRIVATE_LIBGCC=yes
@@ -34,8 +35,8 @@ export DTC
 
 define Build/Configure
 	$(Build/Configure/U-Boot)
-	$(HOSTCC) -o $(PKG_BUILD_DIR)/fritz/lzma2eva $(PKG_BUILD_DIR)/fritz/src/lzma2eva.c -lz
-	$(HOSTCC) -o $(PKG_BUILD_DIR)/fritz/tichksum $(PKG_BUILD_DIR)/fritz/src/tichksum.c
+	$(HOSTCC) $(HOST_CFLAGS) $(HOST_LDFLAGS) -o $(PKG_BUILD_DIR)/fritz/lzma2eva $(PKG_BUILD_DIR)/fritz/src/lzma2eva.c -lz
+	$(HOSTCC) $(HOST_CFLAGS) $(HOST_LDFLAGS) -o $(PKG_BUILD_DIR)/fritz/tichksum $(PKG_BUILD_DIR)/fritz/src/tichksum.c
 	ln -sf $(STAGING_DIR_HOST)/bin/lzma $(PKG_BUILD_DIR)/fritz
 	ln -sf compiler-gcc5.h $(PKG_BUILD_DIR)/include/linux/compiler-gcc7.h
 endef
@@ -45,6 +46,11 @@ define Build/Compile
 	(cd $(PKG_BUILD_DIR); ./fritz/fritzcreator.sh;)
 endef
 
+define Build/InstallDev
+	$(INSTALL_DIR) $(STAGING_DIR_IMAGE)
+	$(CP) $(PKG_BUILD_DIR)/$(UBOOT_IMAGE) $(STAGING_DIR_IMAGE)/$(UBOOT_IMAGE)
+endef
+
 define Package/u-boot/install
 	$(Package/u-boot/install/default)
 	$(INSTALL_BIN) ./files/upload-to-f4040.sh $(1)/

package/boot/uboot-fritz4040/patches/120-net-Use-packed-structures-for-networking.patch

@@ -0,0 +1,137 @@
+From: Denis Pynkin <denis.pynkin@collabora.com>
+Date: Fri, 21 Jul 2017 19:28:42 +0300
+Subject: [PATCH] net: Use packed structures for networking
+
+PXE boot is broken with GCC 7.1 due option '-fstore-merging' enabled
+by default for '-O2':
+
+BOOTP broadcast 1
+data abort
+pc : [<8ff8bb30>]          lr : [<00004f1f>]
+reloc pc : [<17832b30>]    lr : [<878abf1f>]
+sp : 8f558bc0  ip : 00000000     fp : 8ffef5a4
+r10: 8ffed248  r9 : 8f558ee0     r8 : 8ffef594
+r7 : 0000000e  r6 : 8ffed700     r5 : 00000000  r4 : 8ffed74e
+r3 : 00060101  r2 : 8ffed230     r1 : 8ffed706  r0 : 00000ddd
+Flags: nzcv  IRQs off  FIQs off  Mode SVC_32
+Resetting CPU ...
+
+Core reason is usage of structures for network headers without packed
+attribute.
+
+Reviewed-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+[backported from u-boot main]
+---
+
+--- a/include/net.h
++++ b/include/net.h
+@@ -182,7 +182,7 @@ struct ethernet_hdr {
+ 	uchar		et_dest[6];	/* Destination node		*/
+ 	uchar		et_src[6];	/* Source node			*/
+ 	ushort		et_protlen;	/* Protocol or length		*/
+-};
++} __attribute__((packed));
+ 
+ /* Ethernet header size */
+ #define ETHER_HDR_SIZE	(sizeof(struct ethernet_hdr))
+@@ -198,7 +198,7 @@ struct e802_hdr {
+ 	uchar		et_snap2;
+ 	uchar		et_snap3;
+ 	ushort		et_prot;	/* 802 protocol			*/
+-};
++} __attribute__((packed));
+ 
+ /* 802 + SNAP + ethernet header size */
+ #define E802_HDR_SIZE	(sizeof(struct e802_hdr))
+@@ -212,7 +212,7 @@ struct vlan_ethernet_hdr {
+ 	ushort		vet_vlan_type;	/* PROT_VLAN			*/
+ 	ushort		vet_tag;	/* TAG of VLAN			*/
+ 	ushort		vet_type;	/* protocol type		*/
+-};
++} __attribute__((packed));
+ 
+ /* VLAN Ethernet header size */
+ #define VLAN_ETHER_HDR_SIZE	(sizeof(struct vlan_ethernet_hdr))
+@@ -239,7 +239,7 @@ struct ip_hdr {
+ 	ushort		ip_sum;		/* checksum			*/
+ 	IPaddr_t	ip_src;		/* Source IP address		*/
+ 	IPaddr_t	ip_dst;		/* Destination IP address	*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_OFFS		0x1fff /* ip offset *= 8 */
+ #define IP_FLAGS	0xe000 /* first 3 bits */
+@@ -267,7 +267,7 @@ struct ip_udp_hdr {
+ 	ushort		udp_dst;	/* UDP destination port		*/
+ 	ushort		udp_len;	/* Length of UDP packet		*/
+ 	ushort		udp_xsum;	/* Checksum			*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_UDP_HDR_SIZE		(sizeof(struct ip_udp_hdr))
+ #define UDP_HDR_SIZE		(IP_UDP_HDR_SIZE - IP_HDR_SIZE)
+@@ -306,7 +306,7 @@ struct arp_hdr {
+ 	uchar		ar_tha[];	/* Target hardware address	*/
+ 	uchar		ar_tpa[];	/* Target protocol address	*/
+ #endif /* 0 */
+-};
++} __attribute__((packed));
+ 
+ #define ARP_HDR_SIZE	(8+20)		/* Size assuming ethernet	*/
+ 
+@@ -341,7 +341,7 @@ struct icmp_hdr {
+ 		} frag;
+ 		uchar data[0];
+ 	} un;
+-};
++} __attribute__((packed));
+ 
+ #define ICMP_HDR_SIZE		(sizeof(struct icmp_hdr))
+ #define IP_ICMP_HDR_SIZE	(IP_HDR_SIZE + ICMP_HDR_SIZE)
+--- a/net/bootp.h
++++ b/net/bootp.h
+@@ -49,7 +49,7 @@ struct Bootp_t {
+ 	char		bp_sname[64];	/* Server host name		*/
+ 	char		bp_file[128];	/* Boot file name		*/
+ 	char		bp_vend[OPT_FIELD_SIZE]; /* Vendor information	*/
+-};
++} __attribute__((packed));
+ 
+ #define BOOTP_HDR_SIZE	sizeof(struct Bootp_t)
+ 
+--- a/net/dns.h
++++ b/net/dns.h
+@@ -32,7 +32,7 @@ struct header {
+ 	uint16_t	nauth;		/* Authority PRs */
+ 	uint16_t	nother;		/* Other PRs */
+ 	unsigned char	data[1];	/* Data, variable length */
+-};
++} __attribute__((packed));
+ 
+ extern void DnsStart(void);		/* Begin DNS */
+ 
+--- a/net/nfs.h
++++ b/net/nfs.h
+@@ -71,7 +71,7 @@ struct rpc_t {
+ 			uint32_t data[19];
+ 		} reply;
+ 	} u;
+-};
++} __attribute__((packed));
+ extern void NfsStart(void);	/* Begin NFS */
+ 
+ 
+--- a/net/sntp.h
++++ b/net/sntp.h
+@@ -54,7 +54,7 @@ struct sntp_pkt_t {
+ 	unsigned long long originate_timestamp;
+ 	unsigned long long receive_timestamp;
+ 	unsigned long long transmit_timestamp;
+-};
++} __attribute__((packed));
+ 
+ extern void SntpStart(void);	/* Begin SNTP */
+ 

package/boot/uboot-lantiq/patches/0029-net-Use_packed_structures-for_networking.patch

@@ -0,0 +1,142 @@
+From 704f3acfcf55343043bbed01c5fb0a0094a68e8a Mon Sep 17 00:00:00 2001
+From: Denis Pynkin <denis.pynkin@collabora.com>
+Date: Fri, 21 Jul 2017 19:28:42 +0300
+Subject: [PATCH] net: Use packed structures for networking
+
+PXE boot is broken with GCC 7.1 due option '-fstore-merging' enabled
+by default for '-O2':
+
+BOOTP broadcast 1
+data abort
+pc : [<8ff8bb30>]          lr : [<00004f1f>]
+reloc pc : [<17832b30>]    lr : [<878abf1f>]
+sp : 8f558bc0  ip : 00000000     fp : 8ffef5a4
+r10: 8ffed248  r9 : 8f558ee0     r8 : 8ffef594
+r7 : 0000000e  r6 : 8ffed700     r5 : 00000000  r4 : 8ffed74e
+r3 : 00060101  r2 : 8ffed230     r1 : 8ffed706  r0 : 00000ddd
+Flags: nzcv  IRQs off  FIQs off  Mode SVC_32
+Resetting CPU ...
+
+Core reason is usage of structures for network headers without packed
+attribute.
+
+Reviewed-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+---
+ include/net.h | 14 +++++++-------
+ net/bootp.h   |  2 +-
+ net/dns.h     |  2 +-
+ net/nfs.h     |  2 +-
+ net/sntp.h    |  2 +-
+ 5 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/include/net.h
++++ b/include/net.h
+@@ -203,7 +203,7 @@ struct ethernet_hdr {
+ 	uchar		et_dest[6];	/* Destination node		*/
+ 	uchar		et_src[6];	/* Source node			*/
+ 	ushort		et_protlen;	/* Protocol or length		*/
+-};
++} __attribute__((packed));
+ 
+ /* Ethernet header size */
+ #define ETHER_HDR_SIZE	(sizeof(struct ethernet_hdr))
+@@ -219,7 +219,7 @@ struct e802_hdr {
+ 	uchar		et_snap2;
+ 	uchar		et_snap3;
+ 	ushort		et_prot;	/* 802 protocol			*/
+-};
++} __attribute__((packed));
+ 
+ /* 802 + SNAP + ethernet header size */
+ #define E802_HDR_SIZE	(sizeof(struct e802_hdr))
+@@ -233,7 +233,7 @@ struct vlan_ethernet_hdr {
+ 	ushort		vet_vlan_type;	/* PROT_VLAN			*/
+ 	ushort		vet_tag;	/* TAG of VLAN			*/
+ 	ushort		vet_type;	/* protocol type		*/
+-};
++} __attribute__((packed));
+ 
+ /* VLAN Ethernet header size */
+ #define VLAN_ETHER_HDR_SIZE	(sizeof(struct vlan_ethernet_hdr))
+@@ -260,7 +260,7 @@ struct ip_hdr {
+ 	ushort		ip_sum;		/* checksum			*/
+ 	IPaddr_t	ip_src;		/* Source IP address		*/
+ 	IPaddr_t	ip_dst;		/* Destination IP address	*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_OFFS		0x1fff /* ip offset *= 8 */
+ #define IP_FLAGS	0xe000 /* first 3 bits */
+@@ -288,7 +288,7 @@ struct ip_udp_hdr {
+ 	ushort		udp_dst;	/* UDP destination port		*/
+ 	ushort		udp_len;	/* Length of UDP packet		*/
+ 	ushort		udp_xsum;	/* Checksum			*/
+-};
++} __attribute__((packed));
+ 
+ #define IP_UDP_HDR_SIZE		(sizeof(struct ip_udp_hdr))
+ #define UDP_HDR_SIZE		(IP_UDP_HDR_SIZE - IP_HDR_SIZE)
+@@ -327,7 +327,7 @@ struct arp_hdr {
+ 	uchar		ar_tha[];	/* Target hardware address	*/
+ 	uchar		ar_tpa[];	/* Target protocol address	*/
+ #endif /* 0 */
+-};
++} __attribute__((packed));
+ 
+ #define ARP_HDR_SIZE	(8+20)		/* Size assuming ethernet	*/
+ 
+@@ -362,7 +362,7 @@ struct icmp_hdr {
+ 		} frag;
+ 		uchar data[0];
+ 	} un;
+-};
++} __attribute__((packed));
+ 
+ #define ICMP_HDR_SIZE		(sizeof(struct icmp_hdr))
+ #define IP_ICMP_HDR_SIZE	(IP_HDR_SIZE + ICMP_HDR_SIZE)
+--- a/net/bootp.h
++++ b/net/bootp.h
+@@ -49,7 +49,7 @@ struct Bootp_t {
+ 	char		bp_sname[64];	/* Server host name		*/
+ 	char		bp_file[128];	/* Boot file name		*/
+ 	char		bp_vend[OPT_FIELD_SIZE]; /* Vendor information	*/
+-};
++} __attribute__((packed));
+ 
+ #define BOOTP_HDR_SIZE	sizeof(struct Bootp_t)
+ 
+--- a/net/dns.h
++++ b/net/dns.h
+@@ -29,7 +29,7 @@ struct header {
+ 	uint16_t	nauth;		/* Authority PRs */
+ 	uint16_t	nother;		/* Other PRs */
+ 	unsigned char	data[1];	/* Data, variable length */
+-};
++} __attribute__((packed));
+ 
+ extern void DnsStart(void);		/* Begin DNS */
+ 
+--- a/net/sntp.h
++++ b/net/sntp.h
+@@ -51,7 +51,7 @@ struct sntp_pkt_t {
+ 	unsigned long long originate_timestamp;
+ 	unsigned long long receive_timestamp;
+ 	unsigned long long transmit_timestamp;
+-};
++} __attribute__((packed));
+ 
+ extern void SntpStart(void);	/* Begin SNTP */
+ 
+--- a/net/nfs.h
++++ b/net/nfs.h
+@@ -68,7 +68,7 @@ struct rpc_t {
+ 			uint32_t data[19];
+ 		} reply;
+ 	} u;
+-};
++} __attribute__((packed));
+ extern void NfsStart(void);	/* Begin NFS */
+ 
+ 

package/devel/strace/Makefile

@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=strace
-PKG_VERSION:=4.20
+PKG_VERSION:=4.22
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=5bf3148dd17306a42566f7da17368fdd781afa147db05ea63a4ca2b50f58c523
+PKG_SOURCE_URL:=https://strace.io/files/$(PKG_VERSION)
+PKG_HASH:=068cd09264c95e4d591bbcd3ea08f99a693ed8663cd5169b0fdad72eb5bdb39d
 
 PKG_LICENSE:=BSD-3c
 PKG_LICENSE_FILES:=COPYRIGHT
@@ -30,6 +30,10 @@ include $(INCLUDE_DIR)/package.mk
 
 HOST_CFLAGS += -I$(LINUX_DIR)/user_headers/include
 
+ifeq ($(ARCH),aarch64)
+  CONFIGURE_ARGS += --enable-mpers=check
+endif
+
 CONFIGURE_VARS+= \
 	LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
 	CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \

package/firmware/ath10k-firmware/Makefile

@@ -8,9 +8,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ath10k-firmware
-PKG_SOURCE_DATE:=2018-04-19
-PKG_SOURCE_VERSION:=71e50312b54cc972657a7b08c470088447cb9676
-PKG_MIRROR_HASH:=726e7bce9917532e3b39ced6a17ca2d4c39fdf4c9bec4a3f8f2ea3e5defa6a54
+PKG_SOURCE_DATE:=2018-05-12
+PKG_SOURCE_VERSION:=952afa4949cb34193040cd4e7441e1aee50ac731
+PKG_MIRROR_HASH:=dd300f3f28b8f8c07c93065fd9dc1c9785ebda8f15398b4d2d33f9418adcaf46
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
@@ -403,7 +403,7 @@ define Package/ath10k-firmware-qca4019/install
 		$(PKG_BUILD_DIR)/QCA4019/hw1.0/board-2.bin \
 		$(1)/lib/firmware/ath10k/QCA4019/hw1.0/
 	$(INSTALL_DATA) \
-		$(PKG_BUILD_DIR)/QCA4019/hw1.0/3.4/firmware-5.bin_10.4-3.4-00104 \
+		$(PKG_BUILD_DIR)/QCA4019/hw1.0/3.5.3/firmware-5.bin_10.4-3.5.3-00057 \
 		$(1)/lib/firmware/ath10k/QCA4019/hw1.0/firmware-5.bin
 endef
 
@@ -433,13 +433,25 @@ define Package/ath10k-firmware-qca988x/install
 		$(PKG_BUILD_DIR)/QCA988X/hw2.0/board.bin \
 		$(1)/lib/firmware/ath10k/QCA988X/hw2.0/
 	$(INSTALL_DATA) \
-		$(PKG_BUILD_DIR)/QCA988X/hw2.0/10.2.4-1.0/firmware-5.bin_10.2.4-1.0-00033 \
+		$(PKG_BUILD_DIR)/QCA988X/hw2.0/10.2.4-1.0/firmware-5.bin_10.2.4-1.0-00037 \
 		$(1)/lib/firmware/ath10k/QCA988X/hw2.0/firmware-5.bin
 endef
 
 define Package/ath10k-firmware-qca6174/install
-	$(INSTALL_DIR) $(1)/lib/firmware/ath10k
-	$(CP) $(PKG_BUILD_DIR)/QCA6174 $(1)/lib/firmware/ath10k/
+	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA6174/hw2.1
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw2.1/board-2.bin \
+		$(1)/lib/firmware/ath10k/QCA6174/hw2.1/
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw2.1/firmware-5.bin_SW_RM.1.1.1-00157-QCARMSWPZ-1 \
+		$(1)/lib/firmware/ath10k/QCA6174/hw2.1/firmware-5.bin
+	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA6174/hw3.0
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw3.0/board-2.bin \
+		$(1)/lib/firmware/ath10k/QCA6174/hw3.0/
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/QCA6174/hw3.0/4.4.1.c1/firmware-6.bin_RM.4.4.1.c1-00042-QCARMSWP-1 \
+		$(1)/lib/firmware/ath10k/QCA6174/hw3.0/firmware-6.bin
 endef
 
 define Package/ath10k-firmware-qca99x0/install

package/kernel/brcm2708-gpu-fw/Makefile

@@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=brcm2708-gpu-fw
-PKG_VERSION:=2017-08-08
-PKG_RELEASE:=e7ba7ab135f5a68b2c00a919ea9ac8d5528a5d5b
+PKG_VERSION:=2018-11-29
+PKG_RELEASE:=b428bdd819df8d0ad3009b64492a4b3d1f9453e4
 
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)/rpi-firmware-$(PKG_RELEASE)
 
@@ -33,7 +33,7 @@ define Download/bootcode_bin
   FILE:=$(RPI_FIRMWARE_FILE)-bootcode.bin
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=bootcode.bin
-  HASH:=b5928ef5253774362014f9e7de856397a932514fe1bc5d7f7817a73c0e10e863
+  HASH:=7b24659eb049333eec69f59cf0c5aa0d49eab5ed67726af3c6f0c9bcf1e3f9e3
 endef
 $(eval $(call Download,bootcode_bin))
 
@@ -41,7 +41,7 @@ define Download/fixup_dat
   FILE:=$(RPI_FIRMWARE_FILE)-fixup.dat
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=fixup.dat
-  HASH:=d95fcac57de7ab71e863a115fd60444f6099cb2ea100f4a68b2c606f79e775ed
+  HASH:=5e5946fe7c0b1f5e270f43a17aef5f6da5758d5e544ed37137628c972c9b8061
 endef
 $(eval $(call Download,fixup_dat))
 
@@ -49,7 +49,7 @@ define Download/fixup_cd_dat
   FILE:=$(RPI_FIRMWARE_FILE)-fixup_cd.dat
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=fixup_cd.dat
-  HASH:=28f3ec8388df4e0c47489f8370a29ca81dbc536fe7db9978342865b5d093ec36
+  HASH:=d7ed04063af818695f6d2f6ffdde8304c19385051c9cee7f8d6d5b20851e4e55
 endef
 $(eval $(call Download,fixup_cd_dat))
 
@@ -57,7 +57,7 @@ define Download/start_elf
   FILE:=$(RPI_FIRMWARE_FILE)-start.elf
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=start.elf
-  HASH:=8712fb4e241a22f7a33de0f1d420e0fdfff237952aa685c907b91e59c8d487fa
+  HASH:=7e69d068c249cd859f5c44a8cf80a5e96a3f3fbeeeb0260de7373130a1d9b0fe
 endef
 $(eval $(call Download,start_elf))
 
@@ -65,7 +65,7 @@ define Download/start_cd_elf
   FILE:=$(RPI_FIRMWARE_FILE)-start_cd.elf
   URL:=$(RPI_FIRMWARE_URL)
   URL_FILE:=start_cd.elf
-  HASH:=c600ab34bea389da10aac541bf2f9c62e5f774093b7e1f2f72c4637f9cf3a83c
+  HASH:=08aee2119a19c3556099ff875181d8e5440ebd1cecf1a5936b9340fe41da4428
 endef
 $(eval $(call Download,start_cd_elf))
 

package/kernel/i2c-gpio-custom/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=i2c-gpio-custom
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/i2c-gpio-custom/src/i2c-gpio-custom.c

@@ -51,7 +51,7 @@
 
 #define DRV_NAME	"i2c-gpio-custom"
 #define DRV_DESC	"Custom GPIO-based I2C driver"
-#define DRV_VERSION	"0.1.1"
+#define DRV_VERSION	"0.1.2"
 
 #define PFX		DRV_NAME ": "
 
@@ -96,7 +96,7 @@ static void i2c_gpio_custom_cleanup(void)
 
 	for (i = 0; i < nr_devices; i++)
 		if (devices[i])
-			platform_device_put(devices[i]);
+			platform_device_unregister(devices[i]);
 }
 
 static int __init i2c_gpio_custom_add_one(unsigned int id, unsigned int *params)

package/kernel/kmod-sched-cake/Makefile

@@ -13,9 +13,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/dtaht/sch_cake.git
-PKG_SOURCE_DATE:=2018-07-16
-PKG_SOURCE_VERSION:=f39ab9a402ad51d7c17d4cde18ca15b2b7022030
-PKG_MIRROR_HASH:=fc22fc6eb7a24f4595c2777f33758ebcf9a2a404c16d00aa37ae389cd7f9c78f
+PKG_SOURCE_DATE:=2019-01-08
+PKG_SOURCE_VERSION:=331ac70c8580544cd08a556579dc8807d9941d2e
+PKG_MIRROR_HASH:=e2174531a92d1e9c48bcb74757399255aa205cb64f9863f307e357c5e23c3449
 PKG_MAINTAINER:=Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 
 include $(INCLUDE_DIR)/package.mk

package/kernel/lantiq/ltq-ptm/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-ptm
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/ltq-ptm-$(BUILD_VARIANT)
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

package/kernel/lantiq/ltq-ptm/src/ifxmips_ptm_vdsl.c

@@ -334,6 +334,9 @@ static int ptm_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         dma_cache_wback((unsigned long)skb->data, skb->len);
     }
 
+    /* make the skb unowned */
+    skb_orphan(skb);
+
     *(struct sk_buff **)((unsigned int)skb->data - byteoff - sizeof(struct sk_buff *)) = skb;
     /*  write back to physical memory   */
     dma_cache_wback((unsigned long)skb->data - byteoff - sizeof(struct sk_buff *), skb->len + byteoff + sizeof(struct sk_buff *));

package/kernel/linux/files/sysctl-tcp-bbr-k4_9.conf

@@ -0,0 +1,5 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+net.ipv4.tcp_congestion_control=bbr
+net.core.default_qdisc=fq

package/kernel/linux/files/sysctl-tcp-bbr.conf

@@ -0,0 +1,4 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+net.ipv4.tcp_congestion_control=bbr

package/kernel/linux/modules/crypto.mk

@@ -441,8 +441,21 @@ $(eval $(call KernelPackage,crypto-michael-mic))
 
 define KernelPackage/crypto-misc
   TITLE:=Other CryptoAPI modules
-  DEPENDS:=+kmod-crypto-manager
+  DEPENDS:=+kmod-crypto-xts
   KCONFIG:= \
+	CONFIG_CRYPTO_CAMELLIA_X86_64 \
+	CONFIG_CRYPTO_BLOWFISH_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_X86_64_3WAY \
+	CONFIG_CRYPTO_SERPENT_SSE2_X86_64 \
+	CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 \
+	CONFIG_CRYPTO_CAST5_AVX_X86_64 \
+	CONFIG_CRYPTO_CAST6_AVX_X86_64 \
+	CONFIG_CRYPTO_TWOFISH_AVX_X86_64 \
+	CONFIG_CRYPTO_SERPENT_AVX_X86_64 \
+	CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 \
+	CONFIG_CRYPTO_SERPENT_AVX2_X86_64 \
+	CONFIG_CRYPTO_SERPENT_SSE2_586 \
 	CONFIG_CRYPTO_ANUBIS \
 	CONFIG_CRYPTO_BLOWFISH \
 	CONFIG_CRYPTO_CAMELLIA \
@@ -472,15 +485,50 @@ define KernelPackage/crypto-misc
 	$(LINUX_DIR)/crypto/blowfish_common.ko \
 	$(LINUX_DIR)/crypto/blowfish_generic.ko \
 	$(LINUX_DIR)/crypto/serpent_generic.ko
+  AUTOLOAD:=$(call AutoLoad,10,anubis camellia_generic cast_common \
+	cast5_generic cast6_generic khazad tea tgr192 twofish_common \
+	wp512 blowfish_common serpent_generic)
+  ifndef CONFIG_TARGET_x86
+	AUTOLOAD+= $(call AutoLoad,10,twofish_generic blowfish_generic)
+  endif
   $(call AddDepends/crypto)
 endef
 
 ifndef CONFIG_TARGET_x86_64
   define KernelPackage/crypto-misc/x86
-    FILES+=$(LINUX_DIR)/arch/x86/crypto/twofish-i586.ko
+    FILES+= \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-i586.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-sse2-i586.ko \
+	$(LINUX_DIR)/arch/x86/crypto/glue_helper.ko \
+	$(LINUX_DIR)/crypto/ablk_helper.ko \
+	$(LINUX_DIR)/crypto/cryptd.ko \
+	$(LINUX_DIR)/crypto/lrw.ko
+    AUTOLOAD+= $(call AutoLoad,10,lrw cryptd ablk_helper glue_helper \
+	serpent-sse2-i586 twofish-i586 blowfish_generic)
   endef
 endif
 
+define KernelPackage/crypto-misc/x86/64
+  FILES+= \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/blowfish-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-x86_64-3way.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-sse2-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-aesni-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/cast5-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/cast6-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/twofish-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-avx-x86_64.ko \
+	$(LINUX_DIR)/arch/x86/crypto/camellia-aesni-avx2.ko \
+	$(LINUX_DIR)/arch/x86/crypto/serpent-avx2.ko \
+	$(LINUX_DIR)/crypto/ablk_helper.ko
+  AUTOLOAD+= $(call AutoLoad,10,ablk_helper camellia-x86_64 \
+	camellia-aesni-avx-x86_64 camellia-aesni-avx2 cast5-avx-x86_64 \
+	cast6-avx-x86_64 twofish-x86_64 twofish-x86_64-3way \
+	twofish-avx-x86_64 blowfish-x86_64 serpent-avx-x86_64 serpent-avx2)
+endef
+
 $(eval $(call KernelPackage,crypto-misc))
 
 

package/kernel/linux/modules/fs.mk

@@ -439,9 +439,14 @@ $(eval $(call KernelPackage,fs-nfs-v4))
 define KernelPackage/fs-nfsd
   SUBMENU:=$(FS_MENU)
   TITLE:=NFS kernel server support
-  DEPENDS:=+kmod-fs-nfs-common +kmod-fs-exportfs
+  DEPENDS:=+kmod-fs-nfs-common +kmod-fs-exportfs +kmod-fs-nfs-common-rpcsec
   KCONFIG:= \
 	CONFIG_NFSD \
+	CONFIG_NFSD_V4=y \
+	CONFIG_NFSD_V4_SECURITY_LABEL=n \
+	CONFIG_NFSD_BLOCKLAYOUT=n \
+	CONFIG_NFSD_SCSILAYOUT=n \
+	CONFIG_NFSD_FLEXFILELAYOUT=n \
 	CONFIG_NFSD_FAULT_INJECTION=n
   FILES:=$(LINUX_DIR)/fs/nfsd/nfsd.ko
   AUTOLOAD:=$(call AutoLoad,40,nfsd)

package/kernel/linux/modules/netfilter.mk

@@ -237,6 +237,7 @@ define KernelPackage/ipt-filter/description
  Netfilter (IPv4) kernel modules for packet content inspection
  Includes:
  - string
+ - bpf
 endef
 
 $(eval $(call KernelPackage,ipt-filter))
@@ -553,6 +554,8 @@ define KernelPackage/ipt-tproxy
   TITLE:=Transparent proxying support
   DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables
   KCONFIG:= \
+  	CONFIG_NF_SOCKET_IPV4 \
+  	CONFIG_NF_SOCKET_IPV6 \
   	CONFIG_NETFILTER_XT_MATCH_SOCKET \
   	CONFIG_NETFILTER_XT_TARGET_TPROXY
   FILES:= \
@@ -642,7 +645,7 @@ define KernelPackage/ipt-cluster
   KCONFIG:=$(KCONFIG_IPT_CLUSTER)
   FILES:=$(foreach mod,$(IPT_CLUSTER-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_CLUSTER-m)))
-  $(call AddDepends/ipt)
+  $(call AddDepends/ipt,+kmod-nf-conntrack)
 endef
 
 define KernelPackage/ipt-cluster/description
@@ -1051,3 +1054,23 @@ define KernelPackage/nft-nat6
 endef
 
 $(eval $(call KernelPackage,nft-nat6))
+
+define KernelPackage/nft-netdev
+  SUBMENU:=$(NF_MENU)
+  TITLE:=Netfilter nf_tables netdev support
+  DEPENDS:=+kmod-nft-core
+  KCONFIG:= \
+	CONFIG_NETFILTER_INGRESS=y \
+	CONFIG_NF_TABLES_NETDEV \
+	CONFIG_NF_DUP_NETDEV \
+	CONFIG_NFT_DUP_NETDEV \
+	CONFIG_NFT_FWD_NETDEV
+  FILES:= \
+	$(LINUX_DIR)/net/netfilter/nf_tables_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nf_dup_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nft_dup_netdev.ko \
+	$(LINUX_DIR)/net/netfilter/nft_fwd_netdev.ko
+  AUTOLOAD:=$(call AutoProbe,nf_tables_netdev nf_dup_netdev nft_dup_netdev nft_fwd_netdev)
+endef
+
+$(eval $(call KernelPackage,nft-netdev))

package/kernel/linux/modules/netsupport.mk

@@ -777,6 +777,37 @@ endef
 $(eval $(call KernelPackage,sched))
 
 
+define KernelPackage/tcp-bbr
+  SUBMENU:=$(NETWORK_SUPPORT_MENU)
+  TITLE:=BBR TCP congestion control
+  DEPENDS:=@!LINUX_3_18 @!LINUX_4_1 @!LINUX_4_4 +LINUX_4_9:kmod-sched
+  KCONFIG:= \
+	CONFIG_TCP_CONG_ADVANCED=y \
+	CONFIG_TCP_CONG_BBR
+  FILES:=$(LINUX_DIR)/net/ipv4/tcp_bbr.ko
+  AUTOLOAD:=$(call AutoLoad,74,tcp_bbr)
+endef
+
+define KernelPackage/tcp-bbr/description
+ Kernel module for BBR (Bottleneck Bandwidth and RTT) TCP congestion
+ control. It requires the fq ("Fair Queue") pacing packet scheduler.
+ For kernel 4.13+, TCP internal pacing is implemented as fallback.
+endef
+
+ifdef CONFIG_LINUX_4_9
+  TCP_BBR_SYSCTL_CONF:=sysctl-tcp-bbr-k4_9.conf
+else
+  TCP_BBR_SYSCTL_CONF:=sysctl-tcp-bbr.conf
+endif
+
+define KernelPackage/tcp-bbr/install
+	$(INSTALL_DIR) $(1)/etc/sysctl.d
+	$(INSTALL_DATA) ./files/$(TCP_BBR_SYSCTL_CONF) $(1)/etc/sysctl.d/12-tcp-bbr.conf
+endef
+
+$(eval $(call KernelPackage,tcp-bbr))
+
+
 define KernelPackage/ax25
   SUBMENU:=$(NETWORK_SUPPORT_MENU)
   TITLE:=AX25 support

package/kernel/linux/modules/other.mk

@@ -227,10 +227,14 @@ $(eval $(call KernelPackage,gpio-dev))
 define KernelPackage/gpio-mcp23s08
   SUBMENU:=$(OTHER_MENU)
   TITLE:=Microchip MCP23xxx I/O expander
-  DEPENDS:=@GPIO_SUPPORT +kmod-i2c-core
-  KCONFIG:=CONFIG_GPIO_MCP23S08
-  FILES:=$(LINUX_DIR)/drivers/gpio/gpio-mcp23s08.ko
-  AUTOLOAD:=$(call AutoLoad,40,gpio-mcp23s08)
+  DEPENDS:=@GPIO_SUPPORT +kmod-i2c-core +LINUX_4_14:kmod-regmap
+  KCONFIG:= \
+	CONFIG_GPIO_MCP23S08 \
+	CONFIG_PINCTRL_MCP23S08
+  FILES:= \
+	$(LINUX_DIR)/drivers/gpio/gpio-mcp23s08.ko@lt4.13 \
+	$(LINUX_DIR)/drivers/pinctrl/pinctrl-mcp23s08.ko@ge4.13
+  AUTOLOAD:=$(call AutoLoad,40,gpio-mcp23s08@lt4.13 pinctrl-mcp23s08@ge4.13)
 endef
 
 define KernelPackage/gpio-mcp23s08/description

package/kernel/linux/modules/usb.mk

@@ -852,6 +852,7 @@ define KernelPackage/usb-serial-wwan
   TITLE:=Support for GSM and CDMA modems
   KCONFIG:=CONFIG_USB_SERIAL_WWAN
   FILES:=$(LINUX_DIR)/drivers/usb/serial/usb_wwan.ko
+  HIDDEN:=1
   AUTOLOAD:=$(call AutoProbe,usb_wwan)
   $(call AddDepends/usb-serial)
 endef
@@ -865,11 +866,10 @@ $(eval $(call KernelPackage,usb-serial-wwan))
 
 define KernelPackage/usb-serial-option
   TITLE:=Support for Option HSDPA modems
-  DEPENDS:=+kmod-usb-serial-wwan
   KCONFIG:=CONFIG_USB_SERIAL_OPTION
   FILES:=$(LINUX_DIR)/drivers/usb/serial/option.ko
   AUTOLOAD:=$(call AutoProbe,option)
-  $(call AddDepends/usb-serial)
+  $(call AddDepends/usb-serial,+kmod-usb-serial-wwan)
 endef
 
 define KernelPackage/usb-serial-option/description

package/kernel/linux/modules/video.mk

@@ -56,34 +56,13 @@ $(eval $(call KernelPackage,backlight-pwm))
 
 define KernelPackage/fb
   SUBMENU:=$(VIDEO_MENU)
-  TITLE:=Framebuffer support
+  TITLE:=Framebuffer and framebuffer console support
   DEPENDS:=@DISPLAY_SUPPORT
   KCONFIG:= \
 	CONFIG_FB \
 	CONFIG_FB_MXS=n \
-	CONFIG_FB_SM750=n
-  FILES:=$(LINUX_DIR)/drivers/video/fbdev/core/fb.ko
-  AUTOLOAD:=$(call AutoLoad,06,fb)
-endef
-
-define KernelPackage/fb/description
- Kernel support for framebuffers
-endef
-
-define KernelPackage/fb/x86
-  FILES+=$(LINUX_DIR)/arch/x86/video/fbdev.ko
-  AUTOLOAD+=$(call AutoLoad,06,fbdev fb)
-endef
-
-$(eval $(call KernelPackage,fb))
-
-
-define KernelPackage/fbcon
-  SUBMENU:=$(VIDEO_MENU)
-  TITLE:=Framebuffer Console support
-  DEPENDS:=+kmod-fb @!LINUX_4_14
-  KCONFIG:= \
-	CONFIG_FRAMEBUFFER_CONSOLE \
+	CONFIG_FB_SM750=n \
+	CONFIG_FRAMEBUFFER_CONSOLE=y \
 	CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y \
 	CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y \
 	CONFIG_FONTS=y \
@@ -102,23 +81,22 @@ define KernelPackage/fbcon
 	CONFIG_CONSOLE_TRANSLATIONS=y \
 	CONFIG_VT_CONSOLE=y \
 	CONFIG_VT_HW_CONSOLE_BINDING=y
-  FILES:= \
-	$(LINUX_DIR)/drivers/video/console/bitblit.ko \
-	$(LINUX_DIR)/drivers/video/console/softcursor.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_rotate.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_cw.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_ud.ko \
-	$(LINUX_DIR)/drivers/video/console/fbcon_ccw.ko \
+  FILES:=$(LINUX_DIR)/drivers/video/fbdev/core/fb.ko \
 	$(LINUX_DIR)/lib/fonts/font.ko
-  AUTOLOAD:=$(call AutoLoad,94,font softcursor tileblit fbcon_cw fbcon_ud fbcon_ccw fbcon_rotate bitblit fbcon)
+  AUTOLOAD:=$(call AutoLoad,06,fb font)
 endef
 
-define KernelPackage/fbcon/description
-  Kernel support for framebuffer console
+define KernelPackage/fb/description
+ Kernel support for framebuffers and framebuffer console.
 endef
 
-$(eval $(call KernelPackage,fbcon))
+define KernelPackage/fb/x86
+  FILES+=$(LINUX_DIR)/arch/x86/video/fbdev.ko
+  AUTOLOAD:=$(call AutoLoad,06,fbdev fb font)
+endef
+
+$(eval $(call KernelPackage,fb))
+
 
 define KernelPackage/fb-cfb-fillrect
   SUBMENU:=$(VIDEO_MENU)

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-11-01
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_HASH:=8437ab7886b988c8152e7a4db30b7f41009e49a3b2cb863edd05da1ecd7eb05a
 

package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh

@@ -14,6 +14,10 @@ MP_CONFIG_INT="mesh_retry_timeout mesh_confirm_timeout mesh_holding_timeout mesh
 MP_CONFIG_BOOL="mesh_auto_open_plinks mesh_fwding"
 MP_CONFIG_STRING="mesh_power_mode"
 
+iw() {
+	command iw $@ || logger -t mac80211 "Failed command: iw $@"
+}
+
 drv_mac80211_init_device_config() {
 	hostapd_common_add_device_config
 

package/kernel/mac80211/patches/009-backport_sg_init_marker.patch

@@ -0,0 +1,30 @@
+--- a/backport-include/linux/scatterlist.h
++++ b/backport-include/linux/scatterlist.h
+@@ -102,4 +102,27 @@ size_t sg_pcopy_from_buffer(struct scatt
+ 
+ #endif /* LINUX_VERSION_IS_LESS(3, 11, 0) */
+ 
++#if LINUX_VERSION_IS_LESS(4, 17, 0)
++
++#define sg_init_marker LINUX_BACKPORT(sg_init_marker)
++/**
++ * sg_init_marker - Initialize markers in sg table
++ * @sgl:	   The SG table
++ * @nents:	   Number of entries in table
++ *
++ **/
++static inline void sg_init_marker(struct scatterlist *sgl,
++				  unsigned int nents)
++{
++#ifdef CONFIG_DEBUG_SG
++	unsigned int i;
++
++	for (i = 0; i < nents; i++)
++		sgl[i].sg_magic = SG_MAGIC;
++#endif
++	sg_mark_end(&sgl[nents - 1]);
++}
++
++#endif /* LINUX_VERSION_IS_LESS(4, 17, 0) */
++
+ #endif /* __BACKPORT_SCATTERLIST_H */

package/kernel/mac80211/patches/011-backport-overflow_h.patch

@@ -0,0 +1,322 @@
+--- a/backport-include/linux/slab.h
++++ b/backport-include/linux/slab.h
+@@ -1,6 +1,7 @@
+ #ifndef __BACKPORT_SLAB_H
+ #define __BACKPORT_SLAB_H
+ #include_next <linux/slab.h>
++#include <linux/overflow.h>
+ #include <linux/version.h>
+ 
+ #if LINUX_VERSION_IS_LESS(3,4,0)
+--- /dev/null
++++ b/include/linux/overflow.h
+@@ -0,0 +1,309 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++#ifndef __LINUX_OVERFLOW_H
++#define __LINUX_OVERFLOW_H
++
++#include <linux/compiler.h>
++
++/*
++ * In the fallback code below, we need to compute the minimum and
++ * maximum values representable in a given type. These macros may also
++ * be useful elsewhere, so we provide them outside the
++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
++ *
++ * It would seem more obvious to do something like
++ *
++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
++ *
++ * Unfortunately, the middle expressions, strictly speaking, have
++ * undefined behaviour, and at least some versions of gcc warn about
++ * the type_max expression (but not if -fsanitize=undefined is in
++ * effect; in that case, the warning is deferred to runtime...).
++ *
++ * The slightly excessive casting in type_min is to make sure the
++ * macros also produce sensible values for the exotic type _Bool. [The
++ * overflow checkers only almost work for _Bool, but that's
++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third
++ * argument.]
++ *
++ * Idea stolen from
++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
++ * credit to Christian Biere.
++ */
++#define is_signed_type(type)       (((type)(-1)) < (type)1)
++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
++#define type_min(T) ((T)((T)-type_max(T)-(T)1))
++
++
++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
++/*
++ * For simplicity and code hygiene, the fallback code below insists on
++ * a, b and *d having the same type (similar to the min() and max()
++ * macros), whereas gcc's type-generic overflow checkers accept
++ * different types. Hence we don't just make check_add_overflow an
++ * alias for __builtin_add_overflow, but add type checks similar to
++ * below.
++ */
++#define check_add_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_add_overflow(__a, __b, __d);	\
++})
++
++#define check_sub_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_sub_overflow(__a, __b, __d);	\
++})
++
++#define check_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_mul_overflow(__a, __b, __d);	\
++})
++
++#else
++
++
++/* Checking for unsigned overflow is relatively easy without causing UB. */
++#define __unsigned_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a + __b;			\
++	*__d < __a;				\
++})
++#define __unsigned_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a - __b;			\
++	__a < __b;				\
++})
++/*
++ * If one of a or b is a compile-time constant, this avoids a division.
++ */
++#define __unsigned_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);				\
++	typeof(b) __b = (b);				\
++	typeof(d) __d = (d);				\
++	(void) (&__a == &__b);				\
++	(void) (&__a == __d);				\
++	*__d = __a * __b;				\
++	__builtin_constant_p(__b) ?			\
++	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
++	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
++})
++
++/*
++ * For signed types, detecting overflow is much harder, especially if
++ * we want to avoid UB. But the interface of these macros is such that
++ * we must provide a result in *d, and in fact we must produce the
++ * result promised by gcc's builtins, which is simply the possibly
++ * wrapped-around value. Fortunately, we can just formally do the
++ * operations in the widest relevant unsigned type (u64) and then
++ * truncate the result - gcc is smart enough to generate the same code
++ * with and without the (u64) casts.
++ */
++
++/*
++ * Adding two signed integers can overflow only if they have the same
++ * sign, and overflow has happened iff the result has the opposite
++ * sign.
++ */
++#define __signed_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a + (u64)__b;		\
++	(((~(__a ^ __b)) & (*__d ^ __a))	\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Subtraction is similar, except that overflow can now happen only
++ * when the signs are opposite. In this case, overflow has happened if
++ * the result has the opposite sign of a.
++ */
++#define __signed_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a - (u64)__b;		\
++	((((__a ^ __b)) & (*__d ^ __a))		\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Signed multiplication is rather hard. gcc always follows C99, so
++ * division is truncated towards 0. This means that we can write the
++ * overflow check like this:
++ *
++ * (a > 0 && (b > MAX/a || b < MIN/a)) ||
++ * (a < -1 && (b > MIN/a || b < MAX/a) ||
++ * (a == -1 && b == MIN)
++ *
++ * The redundant casts of -1 are to silence an annoying -Wtype-limits
++ * (included in -Wextra) warning: When the type is u8 or u16, the
++ * __b_c_e in check_mul_overflow obviously selects
++ * __unsigned_mul_overflow, but unfortunately gcc still parses this
++ * code and warns about the limited range of __b.
++ */
++
++#define __signed_mul_overflow(a, b, d) ({				\
++	typeof(a) __a = (a);						\
++	typeof(b) __b = (b);						\
++	typeof(d) __d = (d);						\
++	typeof(a) __tmax = type_max(typeof(a));				\
++	typeof(a) __tmin = type_min(typeof(a));				\
++	(void) (&__a == &__b);						\
++	(void) (&__a == __d);						\
++	*__d = (u64)__a * (u64)__b;					\
++	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
++	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
++	(__b == (typeof(__b))-1 && __a == __tmin);			\
++})
++
++
++#define check_add_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_add_overflow(a, b, d),			\
++			__unsigned_add_overflow(a, b, d))
++
++#define check_sub_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_sub_overflow(a, b, d),			\
++			__unsigned_sub_overflow(a, b, d))
++
++#define check_mul_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_mul_overflow(a, b, d),			\
++			__unsigned_mul_overflow(a, b, d))
++
++
++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
++
++/** check_shl_overflow() - Calculate a left-shifted value and check overflow
++ *
++ * @a: Value to be shifted
++ * @s: How many bits left to shift
++ * @d: Pointer to where to store the result
++ *
++ * Computes *@d = (@a << @s)
++ *
++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
++ * make sense. Example conditions:
++ * - 'a << s' causes bits to be lost when stored in *d.
++ * - 's' is garbage (e.g. negative) or so large that the result of
++ *   'a << s' is guaranteed to be 0.
++ * - 'a' is negative.
++ * - 'a << s' sets the sign bit, if any, in '*d'.
++ *
++ * '*d' will hold the results of the attempted shift, but is not
++ * considered "safe for use" if false is returned.
++ */
++#define check_shl_overflow(a, s, d) ({					\
++	typeof(a) _a = a;						\
++	typeof(s) _s = s;						\
++	typeof(d) _d = d;						\
++	u64 _a_full = _a;						\
++	unsigned int _to_shift =					\
++		_s >= 0 && _s < 8 * sizeof(*d) ? _s : 0;		\
++	*_d = (_a_full << _to_shift);					\
++	(_to_shift != _s || *_d < 0 || _a < 0 ||			\
++		(*_d >> _to_shift) != _a);				\
++})
++
++/**
++ * array_size() - Calculate size of 2-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ *
++ * Calculates size of 2-dimensional array: @a * @b.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array_size(size_t a, size_t b)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(a, b, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++/**
++ * array3_size() - Calculate size of 3-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ * @c: dimension three
++ *
++ * Calculates size of 3-dimensional array: @a * @b * @c.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(a, b, &bytes))
++		return SIZE_MAX;
++	if (check_mul_overflow(bytes, c, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
++{
++	size_t bytes;
++
++	if (check_mul_overflow(n, size, &bytes))
++		return SIZE_MAX;
++	if (check_add_overflow(bytes, c, &bytes))
++		return SIZE_MAX;
++
++	return bytes;
++}
++
++/**
++ * struct_size() - Calculate size of structure with trailing array.
++ * @p: Pointer to the structure.
++ * @member: Name of the array member.
++ * @n: Number of elements in the array.
++ *
++ * Calculates size of memory needed for structure @p followed by an
++ * array of @n @member elements.
++ *
++ * Return: number of bytes needed or SIZE_MAX on overflow.
++ */
++#define struct_size(p, member, n)					\
++	__ab_c_size(n,							\
++		    sizeof(*(p)->member) + __must_be_array((p)->member),\
++		    sizeof(*(p)))
++
++#endif /* __LINUX_OVERFLOW_H */

package/kernel/mac80211/patches/013-backport-firmware_request_nowarn.patch

@@ -0,0 +1,19 @@
+--- a/backport-include/linux/firmware.h
++++ b/backport-include/linux/firmware.h
+@@ -5,5 +5,16 @@
+ #if LINUX_VERSION_IS_LESS(3,14,0)
+ #define request_firmware_direct(fw, name, device) request_firmware(fw, name, device)
+ #endif
++#if LINUX_VERSION_IS_LESS(4,18,0)
++#define firmware_request_nowarn(fw, name, device) request_firmware(fw, name, device)
++#endif
++
++#if LINUX_VERSION_IS_LESS(4,17,0)
++#define firmware_request_cache LINUX_BACKPORT(firmware_request_cache)
++static inline int firmware_request_cache(struct device *device, const char *name)
++{
++	return 0;
++}
++#endif
+ 
+ #endif /* __BACKPORT_LINUX_FIRMWARE_H */

package/kernel/mac80211/patches/090-Revert-rt2800-use-TXOP_BACKOFF-for-probe-frames.patch

@@ -38,6 +38,3 @@ Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  		txdesc->u.ht.txop = TXOP_BACKOFF;
  	else if (!(tx_info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT))
  		txdesc->u.ht.txop = TXOP_SIFS;
--- 
-2.17.1
-

package/kernel/mac80211/patches/338-v4.19-0001-brcmfmac-detect-firmware-support-for-monitor-interfa.patch

@@ -0,0 +1,59 @@
+From 01f69dfafdbe7deff58b58053bc3a4a75c6a570c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:35 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for monitor interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Many/most of firmwares support creating monitor interface but only the
+most recent ones explicitly /announce/ it using a "monitor" entry in the
+list of capabilities.
+
+Check for that entry and store internally info about monitor mode
+support using a new feature flag. Once we sort out all details of
+handling monitor interface it will be used when reporting available
+interfaces to the cfg80211.
+
+Later some fallback detecion method may be added for older firmwares.
+For now just stick to the "monitor" capability which should be 100%
+reliable.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -48,6 +48,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MBSS, "mbss" },
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
++	{ BRCMF_FEAT_MONITOR, "monitor" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -33,6 +33,7 @@
+  * MFP: 802.11w Management Frame Protection.
+  * GSCAN: enhanced scan offload feature.
+  * FWSUP: Firmware supplicant.
++ * MONITOR: firmware can pass monitor packets to host.
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -48,7 +49,8 @@
+ 	BRCMF_FEAT_DEF(WOWL_ARP_ND) \
+ 	BRCMF_FEAT_DEF(MFP) \
+ 	BRCMF_FEAT_DEF(GSCAN) \
+-	BRCMF_FEAT_DEF(FWSUP)
++	BRCMF_FEAT_DEF(FWSUP) \
++	BRCMF_FEAT_DEF(MONITOR)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/338-v4.19-0002-brcmfmac-detect-firmware-support-for-radiotap-monito.patch

@@ -0,0 +1,51 @@
+From e63410ac65e0ead2040bbd3927c116889edf87e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:36 +0200
+Subject: [PATCH] brcmfmac: detect firmware support for radiotap monitor frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Depending on used build-time options some firmwares may already include
+radiotap header in passed monitor frames. Add a new feature flag to
+store info about it. It's needed for proper handling of received frames
+before passing them up.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -49,6 +49,7 @@ static const struct brcmf_feat_fwcap brc
+ 	{ BRCMF_FEAT_MCHAN, "mchan" },
+ 	{ BRCMF_FEAT_P2P, "p2p" },
+ 	{ BRCMF_FEAT_MONITOR, "monitor" },
++	{ BRCMF_FEAT_MONITOR_FMT_RADIOTAP, "rtap" },
+ };
+ 
+ #ifdef DEBUG
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -34,6 +34,7 @@
+  * GSCAN: enhanced scan offload feature.
+  * FWSUP: Firmware supplicant.
+  * MONITOR: firmware can pass monitor packets to host.
++ * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -50,7 +51,8 @@
+ 	BRCMF_FEAT_DEF(MFP) \
+ 	BRCMF_FEAT_DEF(GSCAN) \
+ 	BRCMF_FEAT_DEF(FWSUP) \
+-	BRCMF_FEAT_DEF(MONITOR)
++	BRCMF_FEAT_DEF(MONITOR) \
++	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/338-v4.19-0003-brcmfmac-handle-msgbuf-packets-marked-with-monitor-m.patch

@@ -0,0 +1,137 @@
+From a8d7631858aff156b72f807ee7cc062048e63836 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 24 Jun 2018 21:44:37 +0200
+Subject: [PATCH] brcmfmac: handle msgbuf packets marked with monitor mode flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New Broadcom firmwares mark monitor mode packets using a newly defined
+bit in the flags field. Use it to filter them out and pass to the
+monitor interface. These defines were found in bcmmsgbuf.h from SDK.
+
+As not every firmware generates radiotap header this commit introduces
+BRCMF_FEAT_MONITOR_FMT_RADIOTAP flag. It has to be has based on firmware
+capabilities. If not present brcmf_netif_mon_rx() will assume packet is
+a raw 802.11 frame and will prepend it with an empty radiotap header.
+
+This new code is limited to the msgbuf protocol at this point. Adding
+support for SDIO/USB devices will require some extra work (possibly a
+new firmware release).
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c    | 25 ++++++++++++++++++++++
+ .../wireless/broadcom/brcm80211/brcmfmac/core.h    |  2 ++
+ .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.c  | 18 ++++++++++++++++
+ 3 files changed, 45 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -21,6 +21,7 @@
+ #include <net/cfg80211.h>
+ #include <net/rtnetlink.h>
+ #include <net/addrconf.h>
++#include <net/ieee80211_radiotap.h>
+ #include <net/ipv6.h>
+ #include <brcmu_utils.h>
+ #include <brcmu_wifi.h>
+@@ -404,6 +405,30 @@ void brcmf_netif_rx(struct brcmf_if *ifp
+ 		netif_rx_ni(skb);
+ }
+ 
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb)
++{
++	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_RADIOTAP)) {
++		/* Do nothing */
++	} else {
++		struct ieee80211_radiotap_header *radiotap;
++
++		/* TODO: use RX status to fill some radiotap data */
++		radiotap = skb_push(skb, sizeof(*radiotap));
++		memset(radiotap, 0, sizeof(*radiotap));
++		radiotap->it_len = cpu_to_le16(sizeof(*radiotap));
++
++		/* TODO: 4 bytes with receive status? */
++		skb->len -= 4;
++	}
++
++	skb->dev = ifp->ndev;
++	skb_reset_mac_header(skb);
++	skb->pkt_type = PACKET_OTHERHOST;
++	skb->protocol = htons(ETH_P_802_2);
++
++	brcmf_netif_rx(ifp, skb);
++}
++
+ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb,
+ 			    struct brcmf_if **ifp)
+ {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -121,6 +121,7 @@ struct brcmf_pub {
+ 
+ 	struct brcmf_if *iflist[BRCMF_MAX_IFS];
+ 	s32 if2bss[BRCMF_MAX_IFS];
++	struct brcmf_if *mon_if;
+ 
+ 	struct mutex proto_block;
+ 	unsigned char proto_buf[BRCMF_DCMD_MAXLEN];
+@@ -216,6 +217,7 @@ void brcmf_txflowblock_if(struct brcmf_i
+ 			  enum brcmf_netif_stop_reason reason, bool state);
+ void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
+ void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
++void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb);
+ void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
+ int __init brcmf_core_init(void);
+ void __exit brcmf_core_exit(void);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -69,6 +69,8 @@
+ #define BRCMF_MSGBUF_MAX_EVENTBUF_POST		8
+ 
+ #define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3	0x01
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11	0x02
++#define BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK	0x07
+ #define BRCMF_MSGBUF_PKT_FLAGS_PRIO_SHIFT	5
+ 
+ #define BRCMF_MSGBUF_TX_FLUSH_CNT1		32
+@@ -1128,6 +1130,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	struct sk_buff *skb;
+ 	u16 data_offset;
+ 	u16 buflen;
++	u16 flags;
+ 	u32 idx;
+ 	struct brcmf_if *ifp;
+ 
+@@ -1137,6 +1140,7 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	data_offset = le16_to_cpu(rx_complete->data_offset);
+ 	buflen = le16_to_cpu(rx_complete->data_len);
+ 	idx = le32_to_cpu(rx_complete->msg.request_id);
++	flags = le16_to_cpu(rx_complete->flags);
+ 
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
+ 				     msgbuf->rx_pktids, idx);
+@@ -1150,6 +1154,20 @@ brcmf_msgbuf_process_rx_complete(struct
+ 
+ 	skb_trim(skb, buflen);
+ 
++	if ((flags & BRCMF_MSGBUF_PKT_FLAGS_FRAME_MASK) ==
++	    BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_11) {
++		ifp = msgbuf->drvr->mon_if;
++
++		if (!ifp) {
++			brcmf_err("Received unexpected monitor pkt\n");
++			brcmu_pkt_buf_free_skb(skb);
++			return;
++		}
++
++		brcmf_netif_mon_rx(ifp, skb);
++		return;
++	}
++
+ 	ifp = brcmf_get_ifp(msgbuf->drvr, rx_complete->msg.ifidx);
+ 	if (!ifp || !ifp->ndev) {
+ 		brcmf_err("Received pkt for invalid ifidx %d\n",

package/kernel/mac80211/patches/339-v4.19-brcmfmac-define-more-bits-for-the-flags-of-struct-br.patch

@@ -0,0 +1,60 @@
+From 4b4a8d808c58fc0defc32a26b2fea35d66692c45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 08:16:13 +0200
+Subject: [PATCH] brcmfmac: define more bits for the flags of struct
+ brcmf_sta_info_le
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is passed by a firmware when querying for STA info. Flags
+are used to indicate what info could be obtained.
+
+These new defines may allow passing more info to the cfg80211 in the
+future. They had been obtained from Broadcom's SDK file wlioctl_defs.h
+used by DD-WRT.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 29 ++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -32,11 +32,30 @@
+ #define	BRCMF_BSS_INFO_VERSION	109 /* curr ver of brcmf_bss_info_le struct */
+ #define BRCMF_BSS_RSSI_ON_CHANNEL	0x0002
+ 
+-#define BRCMF_STA_WME              0x00000002      /* WMM association */
+-#define BRCMF_STA_AUTHE            0x00000008      /* Authenticated */
+-#define BRCMF_STA_ASSOC            0x00000010      /* Associated */
+-#define BRCMF_STA_AUTHO            0x00000020      /* Authorized */
+-#define BRCMF_STA_SCBSTATS         0x00004000      /* Per STA debug stats */
++#define BRCMF_STA_BRCM			0x00000001	/* Running a Broadcom driver */
++#define BRCMF_STA_WME			0x00000002	/* WMM association */
++#define BRCMF_STA_NONERP		0x00000004	/* No ERP */
++#define BRCMF_STA_AUTHE			0x00000008	/* Authenticated */
++#define BRCMF_STA_ASSOC			0x00000010	/* Associated */
++#define BRCMF_STA_AUTHO			0x00000020	/* Authorized */
++#define BRCMF_STA_WDS			0x00000040	/* Wireless Distribution System */
++#define BRCMF_STA_WDS_LINKUP		0x00000080	/* WDS traffic/probes flowing properly */
++#define BRCMF_STA_PS			0x00000100	/* STA is in power save mode from AP's viewpoint */
++#define BRCMF_STA_APSD_BE		0x00000200	/* APSD delv/trigger for AC_BE is default enabled */
++#define BRCMF_STA_APSD_BK		0x00000400	/* APSD delv/trigger for AC_BK is default enabled */
++#define BRCMF_STA_APSD_VI		0x00000800	/* APSD delv/trigger for AC_VI is default enabled */
++#define BRCMF_STA_APSD_VO		0x00001000	/* APSD delv/trigger for AC_VO is default enabled */
++#define BRCMF_STA_N_CAP			0x00002000	/* STA 802.11n capable */
++#define BRCMF_STA_SCBSTATS		0x00004000	/* Per STA debug stats */
++#define BRCMF_STA_AMPDU_CAP		0x00008000	/* STA AMPDU capable */
++#define BRCMF_STA_AMSDU_CAP		0x00010000	/* STA AMSDU capable */
++#define BRCMF_STA_MIMO_PS		0x00020000	/* mimo ps mode is enabled */
++#define BRCMF_STA_MIMO_RTS		0x00040000	/* send rts in mimo ps mode */
++#define BRCMF_STA_RIFS_CAP		0x00080000	/* rifs enabled */
++#define BRCMF_STA_VHT_CAP		0x00100000	/* STA VHT(11ac) capable */
++#define BRCMF_STA_WPS			0x00200000	/* WPS state */
++#define BRCMF_STA_DWDS_CAP		0x01000000	/* DWDS CAP */
++#define BRCMF_STA_DWDS			0x02000000	/* DWDS active */
+ 
+ /* size of brcmf_scan_params not including variable length array */
+ #define BRCMF_SCAN_PARAMS_FIXED_SIZE	64

package/kernel/mac80211/patches/340-v4.19-brcmfmac-update-STA-info-struct-to-the-v5.patch

@@ -0,0 +1,75 @@
+From 07b1ae46874949252625c96f309f96ca0f337020 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Jun 2018 12:36:23 +0200
+Subject: [PATCH] brcmfmac: update STA info struct to the v5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+That struct is used when querying firmware for the STA. It seem is has
+been changing during the time. Luckily its format seems to be backward
+compatible starting with v2 (the only breakage was v1 -> v2).
+
+The version that was supported by brcmfmac so far was v4. It was what
+43602a1 and 4366b1 firmwares (7.35.177.56 and 10.10.69.3309 accordingly)
+were using. It also seems to be used by early 4366c0 firmwares
+(10.10.69.6908 and 10.10.69.69017).
+
+The problem appears when switching to the 10.10.122.20 firmware. It uses
+v5 and instead of falling back to v4 when submitted buffer isn't big
+enough it fallbacks to the v3.
+
+To receive all v4 specific info with the newest firmware we have to
+submit a struct (buffer) that matches v5.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h  | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -174,6 +174,8 @@
+ #define BRCMF_MFP_CAPABLE		1
+ #define BRCMF_MFP_REQUIRED		2
+ 
++#define BRCMF_VHT_CAP_MCS_MAP_NSS_MAX	8
++
+ /* MAX_CHUNK_LEN is the maximum length for data passing to firmware in each
+  * ioctl. It is relatively small because firmware has small maximum size input
+  * playload restriction for ioctls.
+@@ -550,6 +552,8 @@ struct brcmf_sta_info_le {
+ 						/* w/hi bit set if basic */
+ 	__le32 in;		/* seconds elapsed since associated */
+ 	__le32 listen_interval_inms; /* Min Listen interval in ms for STA */
++
++	/* Fields valid for ver >= 3 */
+ 	__le32 tx_pkts;	/* # of packets transmitted */
+ 	__le32 tx_failures;	/* # of packets failed */
+ 	__le32 rx_ucast_pkts;	/* # of unicast packets received */
+@@ -558,6 +562,8 @@ struct brcmf_sta_info_le {
+ 	__le32 rx_rate;	/* Rate of last successful rx frame */
+ 	__le32 rx_decrypt_succeeds;	/* # of packet decrypted successfully */
+ 	__le32 rx_decrypt_failures;	/* # of packet decrypted failed */
++
++	/* Fields valid for ver >= 4 */
+ 	__le32 tx_tot_pkts;    /* # of tx pkts (ucast + mcast) */
+ 	__le32 rx_tot_pkts;    /* # of data packets recvd (uni + mcast) */
+ 	__le32 tx_mcast_pkts;  /* # of mcast pkts txed */
+@@ -594,6 +600,14 @@ struct brcmf_sta_info_le {
+ 						*/
+ 	__le32 rx_pkts_retried;        /* # rx with retry bit set */
+ 	__le32 tx_rate_fallback;       /* lowest fallback TX rate */
++
++	/* Fields valid for ver >= 5 */
++	struct {
++		__le32 count;					/* # rates in this set */
++		u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++		u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++		__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++	} rateset_adv;
+ };
+ 
+ struct brcmf_chanspec_list {

package/kernel/mac80211/patches/341-v4.19-brcmfmac-specify-some-features-per-firmware-version.patch

@@ -0,0 +1,84 @@
+From 1e591c56a65fbbcd5754a4210a0ef0402d5e5f33 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 9 Jul 2018 06:55:43 +0200
+Subject: [PATCH] brcmfmac: specify some features per firmware version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some features supported by firmware aren't advertised and there is no
+way for a driver to query them. This includes e.g. monitor mode details.
+
+Most firmwares support monitor interface but only the latest ones
+/announce/ it with a "monitor" flag in the "cap" iovar. There isn't any
+reliable detection method for older firmwares (BRCMF_C_MONITOR was tried
+but "it only indicates the core part of the stack supports").
+
+Similarly support for tagging monitor frames and building radiotap
+headers can't be reliably detected for all firmwares.
+
+This commit adds table that allows mapping features to firmware version.
+It adds mappings for 43602a1 and 4366b1 firmwares from
+linux-firmware.git. Both were confirmed to be passing monitor frames.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/feature.c | 38 ++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -93,6 +93,42 @@ static int brcmf_feat_debugfs_read(struc
+ }
+ #endif /* DEBUG */
+ 
++struct brcmf_feat_fwfeat {
++	const char * const fwid;
++	u32 feat_flags;
++};
++
++static const struct brcmf_feat_fwfeat brcmf_feat_fwfeat_map[] = {
++	/* brcmfmac43602-pcie.ap.bin from linux-firmware.git commit ea1178515b88 */
++	{ "01-6cb8e269", BIT(BRCMF_FEAT_MONITOR) },
++	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 52442afee990 */
++	{ "01-c47a91a4", BIT(BRCMF_FEAT_MONITOR) },
++};
++
++static void brcmf_feat_firmware_overrides(struct brcmf_pub *drv)
++{
++	const struct brcmf_feat_fwfeat *e;
++	u32 feat_flags = 0;
++	int i;
++
++	for (i = 0; i < ARRAY_SIZE(brcmf_feat_fwfeat_map); i++) {
++		e = &brcmf_feat_fwfeat_map[i];
++		if (!strcmp(e->fwid, drv->fwver)) {
++			feat_flags = e->feat_flags;
++			break;
++		}
++	}
++
++	if (!feat_flags)
++		return;
++
++	for (i = 0; i < BRCMF_FEAT_LAST; i++)
++		if (feat_flags & BIT(i))
++			brcmf_dbg(INFO, "enabling firmware feature: %s\n",
++				  brcmf_feat_names[i]);
++	drv->feat_flags |= feat_flags;
++}
++
+ /**
+  * brcmf_feat_iovar_int_get() - determine feature through iovar query.
+  *
+@@ -253,6 +289,8 @@ void brcmf_feat_attach(struct brcmf_pub
+ 	}
+ 	brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
+ 
++	brcmf_feat_firmware_overrides(drvr);
++
+ 	/* set chip related quirks */
+ 	switch (drvr->bus_if->chip) {
+ 	case BRCM_CC_43236_CHIP_ID:

package/kernel/mac80211/patches/342-v4.20-0001-brcmfmac-add-CYW89342-mini-PCIe-device.patch

@@ -0,0 +1,25 @@
+From 2fef681a4cf7994c882190fd2417b95f30510afb Mon Sep 17 00:00:00 2001
+From: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Date: Wed, 15 Aug 2018 04:23:09 -0500
+Subject: [PATCH] brcmfmac: add CYW89342 mini-PCIe device
+
+CYW89342 is a 2x2 MIMO, 802.11a/b/g/n/ac for WLAN. It is a member of
+4355/4359 family.
+
+Signed-off-by: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -2017,6 +2017,7 @@ static const struct dev_pm_ops brcmf_pci
+ 
+ static const struct pci_device_id brcmf_pcie_devid_table[] = {
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4350_DEVICE_ID),
++	BRCMF_PCIE_DEVICE_SUB(0x4355, BRCM_PCIE_VENDOR_ID_BROADCOM, 0x4355),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4356_DEVICE_ID),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_43567_DEVICE_ID),
+ 	BRCMF_PCIE_DEVICE(BRCM_PCIE_43570_DEVICE_ID),

package/kernel/mac80211/patches/344-v4.20-0001-brcmfmac-fix-wrong-strnchr-usage.patch

@@ -0,0 +1,38 @@
+From cb18e2e9ec71d42409a51b83546686c609780dde Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Wed, 22 Aug 2018 15:22:15 +0200
+Subject: [PATCH] brcmfmac: fix wrong strnchr usage
+
+strnchr takes arguments in the order of its name: string, max bytes to
+read, character to search for. Here we're passing '\n' aka 10 as the
+buffer size, and searching for sizeof(buf) aka BRCMF_DCMD_SMLEN aka
+256 (aka '\0', since it's implicitly converted to char) within those 10
+bytes.
+
+Just interchanging the last two arguments would still leave a bug,
+because if we've been successful once, there are not sizeof(buf)
+characters left after the new value of p.
+
+Since clmver is immediately afterwards passed as a %s argument, I assume
+that it is actually a properly nul-terminated string. For that case, we
+have strreplace().
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -296,9 +296,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 		/* Replace all newline/linefeed characters with space
+ 		 * character
+ 		 */
+-		ptr = clmver;
+-		while ((ptr = strnchr(ptr, '\n', sizeof(buf))) != NULL)
+-			*ptr = ' ';
++		strreplace(clmver, '\n', ' ');
+ 
+ 		brcmf_dbg(INFO, "CLM version = %s\n", clmver);
+ 	}

package/kernel/mac80211/patches/345-v4.20-0001-brcmfmac-fix-for-proper-support-of-160MHz-bandwidth.patch

@@ -0,0 +1,117 @@
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 5 Sep 2018 09:48:58 +0200
+Subject: [PATCH] brcmfmac: fix for proper support of 160MHz bandwidth
+
+Decoding of firmware channel information was not complete for 160MHz
+support. This resulted in the following warning:
+
+  WARNING: CPU: 2 PID: 2222 at .../broadcom/brcm80211/brcmutil/d11.c:196
+	brcmu_d11ac_decchspec+0x2e/0x100 [brcmutil]
+  Modules linked in: brcmfmac(O) brcmutil(O) sha256_generic cfg80211 ...
+  CPU: 2 PID: 2222 Comm: kworker/2:0 Tainted: G           O
+  4.17.0-wt-testing-x64-00002-gf1bed50 #1
+  Hardware name: Dell Inc. Latitude E6410/07XJP9, BIOS A07 02/15/2011
+  Workqueue: events request_firmware_work_func
+  RIP: 0010:brcmu_d11ac_decchspec+0x2e/0x100 [brcmutil]
+  RSP: 0018:ffffc90000047bd0 EFLAGS: 00010206
+  RAX: 000000000000e832 RBX: ffff8801146fe910 RCX: ffff8801146fd3c0
+  RDX: 0000000000002800 RSI: 0000000000000070 RDI: ffffc90000047c30
+  RBP: ffffc90000047bd0 R08: 0000000000000000 R09: ffffffffa0798c80
+  R10: ffff88012bca55e0 R11: ffff880110a4ea00 R12: ffff8801146f8000
+  R13: ffffc90000047c30 R14: ffff8801146fe930 R15: ffff8801138e02e0
+  FS:  0000000000000000(0000) GS:ffff88012bc80000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007f18ce8b8070 CR3: 000000000200a003 CR4: 00000000000206e0
+  Call Trace:
+   brcmf_setup_wiphybands+0x212/0x780 [brcmfmac]
+   brcmf_cfg80211_attach+0xae2/0x11a0 [brcmfmac]
+   brcmf_attach+0x1fc/0x4b0 [brcmfmac]
+   ? __kmalloc+0x13c/0x1c0
+   brcmf_pcie_setup+0x99b/0xe00 [brcmfmac]
+   brcmf_fw_request_done+0x16a/0x1f0 [brcmfmac]
+   request_firmware_work_func+0x36/0x60
+   process_one_work+0x146/0x350
+   worker_thread+0x4a/0x3b0
+   kthread+0x102/0x140
+   ? process_one_work+0x350/0x350
+   ? kthread_bind+0x20/0x20
+   ret_from_fork+0x35/0x40
+  Code: 66 90 0f b7 07 55 48 89 e5 89 c2 88 47 02 88 47 03 66 81 e2 00 38
+	66 81 fa 00 18 74 6e 66 81 fa 00 20 74 39 66 81 fa 00 10 74 14 <0f>
+	0b 66 25 00 c0 74 20 66 3d 00 c0 75 20 c6 47 04 01 5d c3 66
+  ---[ end trace 550c46682415b26d ]---
+  brcmfmac: brcmf_construct_chaninfo: Ignoring unexpected firmware channel 50
+
+This patch adds the missing stuff to properly handle this.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+---
+ .../net/wireless/broadcom/brcm80211/brcmutil/d11.c | 34 +++++++++++++++++++++-
+ .../broadcom/brcm80211/include/brcmu_wifi.h        |  2 ++
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -77,6 +77,8 @@ static u16 d11ac_bw(enum brcmu_chan_bw b
+ 		return BRCMU_CHSPEC_D11AC_BW_40;
+ 	case BRCMU_CHAN_BW_80:
+ 		return BRCMU_CHSPEC_D11AC_BW_80;
++	case BRCMU_CHAN_BW_160:
++		return BRCMU_CHSPEC_D11AC_BW_160;
+ 	default:
+ 		WARN_ON(1);
+ 	}
+@@ -190,8 +192,38 @@ static void brcmu_d11ac_decchspec(struct
+ 			break;
+ 		}
+ 		break;
+-	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	case BRCMU_CHSPEC_D11AC_BW_160:
++		switch (ch->sb) {
++		case BRCMU_CHAN_SB_LLL:
++			ch->control_ch_num -= CH_70MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LLU:
++			ch->control_ch_num -= CH_50MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LUL:
++			ch->control_ch_num -= CH_30MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_LUU:
++			ch->control_ch_num -= CH_10MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_ULL:
++			ch->control_ch_num += CH_10MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_ULU:
++			ch->control_ch_num += CH_30MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_UUL:
++			ch->control_ch_num += CH_50MHZ_APART;
++			break;
++		case BRCMU_CHAN_SB_UUU:
++			ch->control_ch_num += CH_70MHZ_APART;
++			break;
++		default:
++			WARN_ON_ONCE(1);
++			break;
++		}
++		break;
++	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	default:
+ 		WARN_ON_ONCE(1);
+ 		break;
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+@@ -29,6 +29,8 @@
+ #define CH_UPPER_SB			0x01
+ #define CH_LOWER_SB			0x02
+ #define CH_EWA_VALID			0x04
++#define CH_70MHZ_APART			14
++#define CH_50MHZ_APART			10
+ #define CH_30MHZ_APART			6
+ #define CH_20MHZ_APART			4
+ #define CH_10MHZ_APART			2

package/kernel/mac80211/patches/345-v4.20-0002-brcmfmac-increase-buffer-for-obtaining-firmware-capa.patch

@@ -0,0 +1,28 @@
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 5 Sep 2018 09:48:59 +0200
+Subject: [PATCH] brcmfmac: increase buffer for obtaining firmware capabilities
+
+When obtaining the firmware capability a buffer is provided of 512
+bytes. However, if all features in firmware are supported the buffer
+needs to be 565 bytes as otherwise truncated information is retrieved
+from firmware. Increasing the buffer to 768 bytes on stack.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -178,7 +178,7 @@ static void brcmf_feat_iovar_data_set(st
+ 	ifp->fwil_fwerr = false;
+ }
+ 
+-#define MAX_CAPS_BUFFER_SIZE	512
++#define MAX_CAPS_BUFFER_SIZE	768
+ static void brcmf_feat_firmware_capabilities(struct brcmf_if *ifp)
+ {
+ 	char caps[MAX_CAPS_BUFFER_SIZE];

package/kernel/mac80211/patches/346--v4.20-0001-brcmfmac-remove-set-but-not-used-variables-sfdoff-an.patch

@@ -0,0 +1,57 @@
+From a8254fa4ba60b85829b6e5ede6564f81cd70d59f Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 11 Sep 2018 11:24:04 +0800
+Subject: [PATCH] brcmfmac: remove set but not used variables 'sfdoff' and
+ 'pad_size'
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function 'brcmf_sdio_rxglom':
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1466:11: warning:
+ variable 'sfdoff' set but not used [-Wunused-but-set-variable]
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function 'brcmf_sdio_bus_preinit':
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3408:7: warning:
+ variable 'pad_size' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1463,7 +1463,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+ 	struct sk_buff *pfirst, *pnext;
+ 
+ 	int errcode;
+-	u8 doff, sfdoff;
++	u8 doff;
+ 
+ 	struct brcmf_sdio_hdrinfo rd_new;
+ 
+@@ -1597,7 +1597,6 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+ 
+ 		/* Remove superframe header, remember offset */
+ 		skb_pull(pfirst, rd_new.dat_offset);
+-		sfdoff = rd_new.dat_offset;
+ 		num = 0;
+ 
+ 		/* Validate all the subframe headers */
+@@ -3405,7 +3404,6 @@ static int brcmf_sdio_bus_preinit(struct
+ 	struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
+ 	struct brcmf_sdio *bus = sdiodev->bus;
+ 	struct brcmf_core *core = bus->sdio_core;
+-	uint pad_size;
+ 	u32 value;
+ 	int err;
+ 
+@@ -3448,7 +3446,6 @@ static int brcmf_sdio_bus_preinit(struct
+ 	if (sdiodev->sg_support) {
+ 		bus->txglom = false;
+ 		value = 1;
+-		pad_size = bus->sdiodev->func2->cur_blksize << 1;
+ 		err = brcmf_iovar_data_set(bus->sdiodev->dev, "bus:rxglom",
+ 					   &value, sizeof(u32));
+ 		if (err < 0) {

package/kernel/mac80211/patches/347-v4.20-0001-brcmfmac-reduce-timeout-for-action-frame-scan.patch

@@ -0,0 +1,67 @@
+From edb6d6885bef82d1eac432dbeca9fbf4ec349d7e Mon Sep 17 00:00:00 2001
+From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Date: Thu, 27 Sep 2018 14:59:44 +0000
+Subject: [PATCH] brcmfmac: reduce timeout for action frame scan
+
+Finding a common channel to send an action frame out is required for
+some action types. Since a loop with several scan retry is used to find
+the channel, a short wait time could be considered for each attempt.
+This patch reduces the wait time from 1500 to 450 msec for each action
+frame scan.
+
+This patch fixes the WFA p2p certification 5.1.20 failure caused by the
+long action frame send time.
+
+Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -74,7 +74,7 @@
+ #define P2P_AF_MAX_WAIT_TIME		msecs_to_jiffies(2000)
+ #define P2P_INVALID_CHANNEL		-1
+ #define P2P_CHANNEL_SYNC_RETRY		5
+-#define P2P_AF_FRM_SCAN_MAX_WAIT	msecs_to_jiffies(1500)
++#define P2P_AF_FRM_SCAN_MAX_WAIT	msecs_to_jiffies(450)
+ #define P2P_DEFAULT_SLEEP_TIME_VSDB	200
+ 
+ /* WiFi P2P Public Action Frame OUI Subtypes */
+@@ -1134,7 +1134,6 @@ static s32 brcmf_p2p_af_searching_channe
+ {
+ 	struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+ 	struct brcmf_cfg80211_vif *pri_vif;
+-	unsigned long duration;
+ 	s32 retry;
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+@@ -1150,7 +1149,6 @@ static s32 brcmf_p2p_af_searching_channe
+ 	 * pending action frame tx is cancelled.
+ 	 */
+ 	retry = 0;
+-	duration = msecs_to_jiffies(P2P_AF_FRM_SCAN_MAX_WAIT);
+ 	while ((retry < P2P_CHANNEL_SYNC_RETRY) &&
+ 	       (afx_hdl->peer_chan == P2P_INVALID_CHANNEL)) {
+ 		afx_hdl->is_listen = false;
+@@ -1158,7 +1156,8 @@ static s32 brcmf_p2p_af_searching_channe
+ 			  retry);
+ 		/* search peer on peer's listen channel */
+ 		schedule_work(&afx_hdl->afx_work);
+-		wait_for_completion_timeout(&afx_hdl->act_frm_scan, duration);
++		wait_for_completion_timeout(&afx_hdl->act_frm_scan,
++					    P2P_AF_FRM_SCAN_MAX_WAIT);
+ 		if ((afx_hdl->peer_chan != P2P_INVALID_CHANNEL) ||
+ 		    (!test_bit(BRCMF_P2P_STATUS_FINDING_COMMON_CHANNEL,
+ 			       &p2p->status)))
+@@ -1171,7 +1170,7 @@ static s32 brcmf_p2p_af_searching_channe
+ 			afx_hdl->is_listen = true;
+ 			schedule_work(&afx_hdl->afx_work);
+ 			wait_for_completion_timeout(&afx_hdl->act_frm_scan,
+-						    duration);
++						    P2P_AF_FRM_SCAN_MAX_WAIT);
+ 		}
+ 		if ((afx_hdl->peer_chan != P2P_INVALID_CHANNEL) ||
+ 		    (!test_bit(BRCMF_P2P_STATUS_FINDING_COMMON_CHANNEL,

package/kernel/mac80211/patches/347-v4.20-0002-brcmfmac-fix-full-timeout-waiting-for-action-frame-o.patch

@@ -0,0 +1,79 @@
+From fbf07000960d9c8a13fdc17c6de0230d681c7543 Mon Sep 17 00:00:00 2001
+From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Date: Thu, 27 Sep 2018 14:59:49 +0000
+Subject: [PATCH] brcmfmac: fix full timeout waiting for action frame
+ on-channel tx
+
+The driver sends an action frame down and waits for a completion signal
+triggered by the received BRCMF_E_ACTION_FRAME_OFF_CHAN_COMPLETE event
+to continue the process. However, the action frame could be transmitted
+either on the current channel or on an off channel. For the on-channel
+case, only BRCMF_E_ACTION_FRAME_COMPLETE event will be received when
+the frame is transmitted, which make the driver always wait a full
+timeout duration. This patch has the completion signal be triggered by
+receiving the BRCMF_E_ACTION_FRAME_COMPLETE event for the on-channel
+case.
+
+This change fixes WFA p2p certification 5.1.19 failure.
+
+Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 17 +++++++++++++++--
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h |  2 ++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1457,10 +1457,12 @@ int brcmf_p2p_notify_action_tx_complete(
+ 		return 0;
+ 
+ 	if (e->event_code == BRCMF_E_ACTION_FRAME_COMPLETE) {
+-		if (e->status == BRCMF_E_STATUS_SUCCESS)
++		if (e->status == BRCMF_E_STATUS_SUCCESS) {
+ 			set_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED,
+ 				&p2p->status);
+-		else {
++			if (!p2p->wait_for_offchan_complete)
++				complete(&p2p->send_af_done);
++		} else {
+ 			set_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status);
+ 			/* If there is no ack, we don't need to wait for
+ 			 * WLC_E_ACTION_FRAME_OFFCHAN_COMPLETE event
+@@ -1511,6 +1513,17 @@ static s32 brcmf_p2p_tx_action_frame(str
+ 	p2p->af_sent_channel = le32_to_cpu(af_params->channel);
+ 	p2p->af_tx_sent_jiffies = jiffies;
+ 
++	if (test_bit(BRCMF_P2P_STATUS_DISCOVER_LISTEN, &p2p->status) &&
++	    p2p->af_sent_channel ==
++	    ieee80211_frequency_to_channel(p2p->remain_on_channel.center_freq))
++		p2p->wait_for_offchan_complete = false;
++	else
++		p2p->wait_for_offchan_complete = true;
++
++	brcmf_dbg(TRACE, "Waiting for %s tx completion event\n",
++		  (p2p->wait_for_offchan_complete) ?
++		   "off-channel" : "on-channel");
++
+ 	timeout = wait_for_completion_timeout(&p2p->send_af_done,
+ 					      P2P_AF_MAX_WAIT_TIME);
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
+@@ -124,6 +124,7 @@ struct afx_hdl {
+  * @gon_req_action: about to send go negotiation requets frame.
+  * @block_gon_req_tx: drop tx go negotiation requets frame.
+  * @p2pdev_dynamically: is p2p device if created by module param or supplicant.
++ * @wait_for_offchan_complete: wait for off-channel tx completion event.
+  */
+ struct brcmf_p2p_info {
+ 	struct brcmf_cfg80211_info *cfg;
+@@ -144,6 +145,7 @@ struct brcmf_p2p_info {
+ 	bool gon_req_action;
+ 	bool block_gon_req_tx;
+ 	bool p2pdev_dynamically;
++	bool wait_for_offchan_complete;
+ };
+ 
+ s32 brcmf_p2p_attach(struct brcmf_cfg80211_info *cfg, bool p2pdev_forced);

package/kernel/mac80211/patches/348-v4.20-0001-brcmutil-really-fix-decoding-channel-info-for-160-MH.patch

@@ -0,0 +1,41 @@
+From 3401d42c7ea2d064d15c66698ff8eb96553179ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 26 Oct 2018 12:50:39 +0200
+Subject: [PATCH] brcmutil: really fix decoding channel info for 160 MHz
+ bandwidth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previous commit /adding/ support for 160 MHz chanspecs was incomplete.
+It didn't set bandwidth info and didn't extract control channel info. As
+the result it was also using uninitialized "sb" var.
+
+This change has been tested for two chanspecs found to be reported by
+some devices/firmwares:
+1) 60/160 (0xee32)
+   Before: chnum:50 control_ch_num:36
+    After: chnum:50 control_ch_num:60
+2) 120/160 (0xed72)
+   Before: chnum:114 control_ch_num:100
+    After: chnum:114 control_ch_num:120
+
+Fixes: 330994e8e8ec ("brcmfmac: fix for proper support of 160MHz bandwidth")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -193,6 +193,9 @@ static void brcmu_d11ac_decchspec(struct
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_160:
++		ch->bw = BRCMU_CHAN_BW_160;
++		ch->sb = brcmu_maskget16(ch->chspec, BRCMU_CHSPEC_D11AC_SB_MASK,
++					 BRCMU_CHSPEC_D11AC_SB_SHIFT);
+ 		switch (ch->sb) {
+ 		case BRCMU_CHAN_SB_LLL:
+ 			ch->control_ch_num -= CH_70MHZ_APART;

package/kernel/mac80211/patches/349-v4.20-brcmfmac-fix-reporting-support-for-160-MHz-channels.patch

@@ -0,0 +1,34 @@
+From 8eefb59de817125eeedde2a2cc1e4ac3660062f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 8 Nov 2018 16:08:29 +0100
+Subject: [PATCH] brcmfmac: fix reporting support for 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's
+important to provide valid & complete info about supported bands for
+each channel. By default no support for 160 MHz should be assumed unless
+firmware reports it for a given channel later.
+
+This fixes info passed to the userspace. Without that change userspace
+could try to use invalid channel and fail to start an interface.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Cc: stable@vger.kernel.org
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5992,7 +5992,8 @@ static int brcmf_construct_chaninfo(stru
+ 			 * for subsequent chanspecs.
+ 			 */
+ 			channel->flags = IEEE80211_CHAN_NO_HT40 |
+-					 IEEE80211_CHAN_NO_80MHZ;
++					 IEEE80211_CHAN_NO_80MHZ |
++					 IEEE80211_CHAN_NO_160MHZ;
+ 			ch.bw = BRCMU_CHAN_BW_20;
+ 			cfg->d11inf.encchspec(&ch);
+ 			chaninfo = ch.chspec;

package/kernel/mac80211/patches/355-v5.0-0001-brcmfmac-Remove-firmware-loading-code-duplication.patch

@@ -0,0 +1,102 @@
+From a1a3b762163868ad07a4499a73df324f40d5ab0b Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:00:58 +0200
+Subject: [PATCH] brcmfmac: Remove firmware-loading code duplication
+
+brcmf_fw_request_next_item and brcmf_fw_request_done both have identical
+code to complete the fw-request depending on the item-type.
+
+This commit adds a new brcmf_fw_complete_request helper removing this code
+duplication.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 62 +++++++++++-----------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -504,6 +504,34 @@ fail:
+ 	return -ENOENT;
+ }
+ 
++static int brcmf_fw_complete_request(const struct firmware *fw,
++				     struct brcmf_fw *fwctx)
++{
++	struct brcmf_fw_item *cur = &fwctx->req->items[fwctx->curpos];
++	int ret = 0;
++
++	brcmf_dbg(TRACE, "firmware %s %sfound\n", cur->path, fw ? "" : "not ");
++
++	switch (cur->type) {
++	case BRCMF_FW_TYPE_NVRAM:
++		ret = brcmf_fw_request_nvram_done(fw, fwctx);
++		break;
++	case BRCMF_FW_TYPE_BINARY:
++		if (fw)
++			cur->binary = fw;
++		else
++			ret = -ENOENT;
++		break;
++	default:
++		/* something fishy here so bail out early */
++		brcmf_err("unknown fw type: %d\n", cur->type);
++		release_firmware(fw);
++		ret = -EINVAL;
++	}
++
++	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
++}
++
+ static int brcmf_fw_request_next_item(struct brcmf_fw *fwctx, bool async)
+ {
+ 	struct brcmf_fw_item *cur;
+@@ -525,15 +553,7 @@ static int brcmf_fw_request_next_item(st
+ 	if (ret < 0) {
+ 		brcmf_fw_request_done(NULL, fwctx);
+ 	} else if (!async && fw) {
+-		brcmf_dbg(TRACE, "firmware %s %sfound\n", cur->path,
+-			  fw ? "" : "not ");
+-		if (cur->type == BRCMF_FW_TYPE_BINARY)
+-			cur->binary = fw;
+-		else if (cur->type == BRCMF_FW_TYPE_NVRAM)
+-			brcmf_fw_request_nvram_done(fw, fwctx);
+-		else
+-			release_firmware(fw);
+-
++		brcmf_fw_complete_request(fw, fwctx);
+ 		return -EAGAIN;
+ 	}
+ 	return 0;
+@@ -547,28 +567,8 @@ static void brcmf_fw_request_done(const
+ 
+ 	cur = &fwctx->req->items[fwctx->curpos];
+ 
+-	brcmf_dbg(TRACE, "enter: firmware %s %sfound\n", cur->path,
+-		  fw ? "" : "not ");
+-
+-	if (!fw)
+-		ret = -ENOENT;
+-
+-	switch (cur->type) {
+-	case BRCMF_FW_TYPE_NVRAM:
+-		ret = brcmf_fw_request_nvram_done(fw, fwctx);
+-		break;
+-	case BRCMF_FW_TYPE_BINARY:
+-		cur->binary = fw;
+-		break;
+-	default:
+-		/* something fishy here so bail out early */
+-		brcmf_err("unknown fw type: %d\n", cur->type);
+-		release_firmware(fw);
+-		ret = -EINVAL;
+-		goto fail;
+-	}
+-
+-	if (ret < 0 && !(cur->flags & BRCMF_FW_REQF_OPTIONAL))
++	ret = brcmf_fw_complete_request(fw, fwctx);
++	if (ret < 0)
+ 		goto fail;
+ 
+ 	do {

package/kernel/mac80211/patches/355-v5.0-0002-brcmfmac-Remove-recursion-from-firmware-load-error-h.patch

@@ -0,0 +1,127 @@
+From 5b587496dc63595b71265d986ce69728c2724370 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:00:59 +0200
+Subject: [PATCH] brcmfmac: Remove recursion from firmware load error handling
+
+Before this commit brcmf_fw_request_done would call
+brcmf_fw_request_next_item to load the next item, which on an error would
+call brcmf_fw_request_done, which if the error is recoverable (*) will
+then continue calling brcmf_fw_request_next_item for the next item again
+which on an error will call brcmf_fw_request_done again...
+
+This does not blow up because we only have a limited number of items so
+we never recurse too deep. But the recursion is still quite ugly and
+frankly is giving me a headache, so lets fix this.
+
+This commit fixes this by removing brcmf_fw_request_next_item and by
+making brcmf_fw_get_firmwares and brcmf_fw_request_done directly call
+firmware_request_nowait resp. firmware_request themselves.
+
+*) brcmf_fw_request_nvram_done fallback path succeeds or
+   BRCMF_FW_REQF_OPTIONAL is set
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 65 +++++++---------------
+ 1 file changed, 19 insertions(+), 46 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -532,33 +532,6 @@ static int brcmf_fw_complete_request(con
+ 	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
+ }
+ 
+-static int brcmf_fw_request_next_item(struct brcmf_fw *fwctx, bool async)
+-{
+-	struct brcmf_fw_item *cur;
+-	const struct firmware *fw = NULL;
+-	int ret;
+-
+-	cur = &fwctx->req->items[fwctx->curpos];
+-
+-	brcmf_dbg(TRACE, "%srequest for %s\n", async ? "async " : "",
+-		  cur->path);
+-
+-	if (async)
+-		ret = request_firmware_nowait(THIS_MODULE, true, cur->path,
+-					      fwctx->dev, GFP_KERNEL, fwctx,
+-					      brcmf_fw_request_done);
+-	else
+-		ret = request_firmware(&fw, cur->path, fwctx->dev);
+-
+-	if (ret < 0) {
+-		brcmf_fw_request_done(NULL, fwctx);
+-	} else if (!async && fw) {
+-		brcmf_fw_complete_request(fw, fwctx);
+-		return -EAGAIN;
+-	}
+-	return 0;
+-}
+-
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+@@ -568,26 +541,19 @@ static void brcmf_fw_request_done(const
+ 	cur = &fwctx->req->items[fwctx->curpos];
+ 
+ 	ret = brcmf_fw_complete_request(fw, fwctx);
+-	if (ret < 0)
+-		goto fail;
+ 
+-	do {
+-		if (++fwctx->curpos == fwctx->req->n_items) {
+-			ret = 0;
+-			goto done;
+-		}
+-
+-		ret = brcmf_fw_request_next_item(fwctx, false);
+-	} while (ret == -EAGAIN);
+-
+-	return;
+-
+-fail:
+-	brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
+-		  dev_name(fwctx->dev), cur->path);
+-	brcmf_fw_free_request(fwctx->req);
+-	fwctx->req = NULL;
+-done:
++	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
++		cur = &fwctx->req->items[fwctx->curpos];
++		request_firmware(&fw, cur->path, fwctx->dev);
++		ret = brcmf_fw_complete_request(fw, ctx);
++	}
++
++	if (ret) {
++		brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
++			  dev_name(fwctx->dev), cur->path);
++		brcmf_fw_free_request(fwctx->req);
++		fwctx->req = NULL;
++	}
+ 	fwctx->done(fwctx->dev, ret, fwctx->req);
+ 	kfree(fwctx);
+ }
+@@ -611,7 +577,9 @@ int brcmf_fw_get_firmwares(struct device
+ 			   void (*fw_cb)(struct device *dev, int err,
+ 					 struct brcmf_fw_request *req))
+ {
++	struct brcmf_fw_item *first = &req->items[0];
+ 	struct brcmf_fw *fwctx;
++	int ret;
+ 
+ 	brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+ 	if (!fw_cb)
+@@ -628,7 +596,12 @@ int brcmf_fw_get_firmwares(struct device
+ 	fwctx->req = req;
+ 	fwctx->done = fw_cb;
+ 
+-	brcmf_fw_request_next_item(fwctx, true);
++	ret = request_firmware_nowait(THIS_MODULE, true, first->path,
++				      fwctx->dev, GFP_KERNEL, fwctx,
++				      brcmf_fw_request_done);
++	if (ret < 0)
++		brcmf_fw_request_done(NULL, fwctx);
++
+ 	return 0;
+ }
+ 

package/kernel/mac80211/patches/355-v5.0-0003-brcmfmac-Add-support-for-first-trying-to-get-a-board.patch

@@ -0,0 +1,77 @@
+From eae8e50669e15002b195177212a6e25afbe7cf4d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:00 +0200
+Subject: [PATCH] brcmfmac: Add support for first trying to get a board
+ specific nvram file
+
+The nvram files which some brcmfmac chips need are board-specific. To be
+able to distribute these as part of linux-firmware, so that devices with
+such a wifi chip will work OOTB, multiple (one per board) versions must
+co-exist under /lib/firmware.
+
+This commit adds support for callers of the brcmfmac/firmware.c code to
+pass in a board_type parameter through the request structure.
+
+If that parameter is set then the code will first try to load
+chipmodel.board_type.txt before falling back to the old chipmodel.txt name.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/firmware.c         | 27 +++++++++++++++++++++-
+ .../broadcom/brcm80211/brcmfmac/firmware.h         |  1 +
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -532,6 +532,31 @@ static int brcmf_fw_complete_request(con
+ 	return (cur->flags & BRCMF_FW_REQF_OPTIONAL) ? 0 : ret;
+ }
+ 
++static int brcmf_fw_request_firmware(const struct firmware **fw,
++				     struct brcmf_fw *fwctx)
++{
++	struct brcmf_fw_item *cur = &fwctx->req->items[fwctx->curpos];
++	int ret;
++
++	/* nvram files are board-specific, first try a board-specific path */
++	if (cur->type == BRCMF_FW_TYPE_NVRAM && fwctx->req->board_type) {
++		char alt_path[BRCMF_FW_NAME_LEN];
++
++		strlcpy(alt_path, cur->path, BRCMF_FW_NAME_LEN);
++		/* strip .txt at the end */
++		alt_path[strlen(alt_path) - 4] = 0;
++		strlcat(alt_path, ".", BRCMF_FW_NAME_LEN);
++		strlcat(alt_path, fwctx->req->board_type, BRCMF_FW_NAME_LEN);
++		strlcat(alt_path, ".txt", BRCMF_FW_NAME_LEN);
++
++		ret = request_firmware(fw, alt_path, fwctx->dev);
++		if (ret == 0)
++			return ret;
++	}
++
++	return request_firmware(fw, cur->path, fwctx->dev);
++}
++
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+@@ -544,7 +569,7 @@ static void brcmf_fw_request_done(const
+ 
+ 	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
+ 		cur = &fwctx->req->items[fwctx->curpos];
+-		request_firmware(&fw, cur->path, fwctx->dev);
++		brcmf_fw_request_firmware(&fw, fwctx);
+ 		ret = brcmf_fw_complete_request(fw, ctx);
+ 	}
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
+@@ -70,6 +70,7 @@ struct brcmf_fw_request {
+ 	u16 domain_nr;
+ 	u16 bus_nr;
+ 	u32 n_items;
++	const char *board_type;
+ 	struct brcmf_fw_item items[0];
+ };
+ 

package/kernel/mac80211/patches/355-v5.0-0004-brcmfmac-Set-board_type-used-for-nvram-file-selectio.patch

@@ -0,0 +1,77 @@
+From 0ad4b55b2f29784f93875e6231bf57cd233624a2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:01 +0200
+Subject: [PATCH] brcmfmac: Set board_type used for nvram file selection to
+ machine-compatible
+
+For of/devicetree using machines, set the board_type used for nvram file
+selection to the first string listed in the top-level's node compatible
+string, aka the machine-compatible as used by of_machine_is_compatible().
+
+The board_type setting is used to load the board-specific nvram file with
+a board-specific name so that we can ship files for each supported board
+in linux-firmware.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h |  1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c     | 11 ++++++++++-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c   |  1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c   |  1 +
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
+@@ -59,6 +59,7 @@ struct brcmf_mp_device {
+ 	bool		iapp;
+ 	bool		ignore_probe_fail;
+ 	struct brcmfmac_pd_cc *country_codes;
++	const char	*board_type;
+ 	union {
+ 		struct brcmfmac_sdio_pd sdio;
+ 	} bus;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+@@ -27,11 +27,20 @@ void brcmf_of_probe(struct device *dev,
+ 		    struct brcmf_mp_device *settings)
+ {
+ 	struct brcmfmac_sdio_pd *sdio = &settings->bus.sdio;
+-	struct device_node *np = dev->of_node;
++	struct device_node *root, *np = dev->of_node;
++	struct property *prop;
+ 	int irq;
+ 	u32 irqf;
+ 	u32 val;
+ 
++	/* Set board-type to the first string of the machine compatible prop */
++	root = of_find_node_by_path("/");
++	if (root) {
++		prop = of_find_property(root, "compatible", NULL);
++		settings->board_type = of_prop_next_string(prop, NULL);
++		of_node_put(root);
++	}
++
+ 	if (!np || bus_type != BRCMF_BUSTYPE_SDIO ||
+ 	    !of_device_is_compatible(np, "brcm,bcm4329-fmac"))
+ 		return;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1785,6 +1785,7 @@ brcmf_pcie_prepare_fw_request(struct brc
+ 	fwreq->items[BRCMF_PCIE_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
+ 	fwreq->items[BRCMF_PCIE_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
+ 	fwreq->items[BRCMF_PCIE_FW_NVRAM].flags = BRCMF_FW_REQF_OPTIONAL;
++	fwreq->board_type = devinfo->settings->board_type;
+ 	/* NVRAM reserves PCI domain 0 for Broadcom's SDK faked bus */
+ 	fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus) + 1;
+ 	fwreq->bus_nr = devinfo->pdev->bus->number;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -4174,6 +4174,7 @@ brcmf_sdio_prepare_fw_request(struct brc
+ 
+ 	fwreq->items[BRCMF_SDIO_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
+ 	fwreq->items[BRCMF_SDIO_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
++	fwreq->board_type = bus->sdiodev->settings->board_type;
+ 
+ 	return fwreq;
+ }

package/kernel/mac80211/patches/355-v5.0-0005-brcmfmac-Set-board_type-from-DMI-on-x86-based-machin.patch

@@ -0,0 +1,179 @@
+From bd1e82bb420adf4ad7cd468d8a482cde622dd69d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:02 +0200
+Subject: [PATCH] brcmfmac: Set board_type from DMI on x86 based machines
+
+For x86 based machines, set the board_type used for nvram file selection
+based on the DMI sys-vendor and product-name strings.
+
+Since on some models these strings are too generic, this commit also adds
+a quirk table overriding the strings for models listed in that table.
+
+The board_type setting is used to load the board-specific nvram file with
+a board-specific name so that we can ship files for each supported board
+in linux-firmware.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/Makefile  |   2 +
+ .../wireless/broadcom/brcm80211/brcmfmac/common.c  |   3 +-
+ .../wireless/broadcom/brcm80211/brcmfmac/common.h  |   7 ++
+ .../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 116 +++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile
+@@ -54,3 +54,5 @@ brcmfmac-$(CPTCFG_BRCM_TRACING) += \
+ 		tracepoint.o
+ brcmfmac-$(CONFIG_OF) += \
+ 		of.o
++brcmfmac-$(CONFIG_DMI) += \
++		dmi.o
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -448,8 +448,9 @@ struct brcmf_mp_device *brcmf_get_module
+ 		}
+ 	}
+ 	if (!found) {
+-		/* No platform data for this device, try OF (Open Firwmare) */
++		/* No platform data for this device, try OF and DMI data */
+ 		brcmf_of_probe(dev, bus_type, settings);
++		brcmf_dmi_probe(settings, chip, chiprev);
+ 	}
+ 	return settings;
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
+@@ -75,4 +75,11 @@ void brcmf_release_module_param(struct b
+ /* Sets dongle media info (drv_version, mac address). */
+ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp);
+ 
++#ifdef CONFIG_DMI
++void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev);
++#else
++static inline void
++brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev) {}
++#endif
++
+ #endif /* BRCMFMAC_COMMON_H */
+--- /dev/null
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -0,0 +1,116 @@
++/*
++ * Copyright 2018 Hans de Goede <hdegoede@redhat.com>
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include <linux/dmi.h>
++#include <linux/mod_devicetable.h>
++#include "core.h"
++#include "common.h"
++#include "brcm_hw_ids.h"
++
++/* The DMI data never changes so we can use a static buf for this */
++static char dmi_board_type[128];
++
++struct brcmf_dmi_data {
++	u32 chip;
++	u32 chiprev;
++	const char *board_type;
++};
++
++/* NOTE: Please keep all entries sorted alphabetically */
++
++static const struct brcmf_dmi_data gpd_win_pocket_data = {
++	BRCM_CC_4356_CHIP_ID, 2, "gpd-win-pocket"
++};
++
++static const struct brcmf_dmi_data jumper_ezpad_mini3_data = {
++	BRCM_CC_43430_CHIP_ID, 0, "jumper-ezpad-mini3"
++};
++
++static const struct brcmf_dmi_data meegopad_t08_data = {
++	BRCM_CC_43340_CHIP_ID, 2, "meegopad-t08"
++};
++
++static const struct dmi_system_id dmi_platform_data[] = {
++	{
++		/* Match for the GPDwin which unfortunately uses somewhat
++		 * generic dmi strings, which is why we test for 4 strings.
++		 * Comparing against 23 other byt/cht boards, board_vendor
++		 * and board_name are unique to the GPDwin, where as only one
++		 * other board has the same board_serial and 3 others have
++		 * the same default product_name. Also the GPDwin is the
++		 * only device to have both board_ and product_name not set.
++		 */
++		.matches = {
++			DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++			DMI_MATCH(DMI_BOARD_NAME, "Default string"),
++			DMI_MATCH(DMI_BOARD_SERIAL, "Default string"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++		},
++		.driver_data = (void *)&gpd_win_pocket_data,
++	},
++	{
++		/* Jumper EZpad mini3 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"),
++			/* jumperx.T87.KFBNEEA02 with the version-nr dropped */
++			DMI_MATCH(DMI_BIOS_VERSION, "jumperx.T87.KFBNEEA"),
++		},
++		.driver_data = (void *)&jumper_ezpad_mini3_data,
++	},
++	{
++		/* Meegopad T08 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Default string"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++			DMI_MATCH(DMI_BOARD_NAME, "T3 MRD"),
++			DMI_MATCH(DMI_BOARD_VERSION, "V1.1"),
++		},
++		.driver_data = (void *)&meegopad_t08_data,
++	},
++	{}
++};
++
++void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
++{
++	const struct dmi_system_id *match;
++	const struct brcmf_dmi_data *data;
++	const char *sys_vendor;
++	const char *product_name;
++
++	/* Some models have DMI strings which are too generic, e.g.
++	 * "Default string", we use a quirk table for these.
++	 */
++	for (match = dmi_first_match(dmi_platform_data);
++	     match;
++	     match = dmi_first_match(match + 1)) {
++		data = match->driver_data;
++
++		if (data->chip == chip && data->chiprev == chiprev) {
++			settings->board_type = data->board_type;
++			return;
++		}
++	}
++
++	/* Not found in the quirk-table, use sys_vendor-product_name */
++	sys_vendor = dmi_get_system_info(DMI_SYS_VENDOR);
++	product_name = dmi_get_system_info(DMI_PRODUCT_NAME);
++	if (sys_vendor && product_name) {
++		snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
++			 sys_vendor, product_name);
++		settings->board_type = dmi_board_type;
++	}
++}

package/kernel/mac80211/patches/355-v5.0-0006-brcmfmac-Cleanup-brcmf_fw_request_done.patch

@@ -0,0 +1,41 @@
+From 55e491edbf14b2da5419c2a319ea3b1d6368d9a2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Oct 2018 13:01:03 +0200
+Subject: [PATCH] brcmfmac: Cleanup brcmf_fw_request_done()
+
+The "cur" variable is now only used for a debug print and we already
+print the same info from brcmf_fw_complete_request(), so the debug print
+does not provide any extra info and we can remove it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -560,22 +560,16 @@ static int brcmf_fw_request_firmware(con
+ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx)
+ {
+ 	struct brcmf_fw *fwctx = ctx;
+-	struct brcmf_fw_item *cur;
+-	int ret = 0;
+-
+-	cur = &fwctx->req->items[fwctx->curpos];
++	int ret;
+ 
+ 	ret = brcmf_fw_complete_request(fw, fwctx);
+ 
+ 	while (ret == 0 && ++fwctx->curpos < fwctx->req->n_items) {
+-		cur = &fwctx->req->items[fwctx->curpos];
+ 		brcmf_fw_request_firmware(&fw, fwctx);
+ 		ret = brcmf_fw_complete_request(fw, ctx);
+ 	}
+ 
+ 	if (ret) {
+-		brcmf_dbg(TRACE, "failed err=%d: dev=%s, fw=%s\n", ret,
+-			  dev_name(fwctx->dev), cur->path);
+ 		brcmf_fw_free_request(fwctx->req);
+ 		fwctx->req = NULL;
+ 	}

package/kernel/mac80211/patches/370-backports-Adapt-to-changes-to-skb_get_hash_perturb.patch

@@ -0,0 +1,68 @@
+From e3c57dd949835419cee8d3b45db38de58bf6ebd5 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 18 Nov 2019 01:13:37 +0100
+Subject: [PATCH] backports: Adapt to changes to skb_get_hash_perturb()
+
+The skb_get_hash_perturb() function now takes a siphash_key_t instead of
+an u32. This was changed in commit 55667441c84f ("net/flow_dissector:
+switch to siphash"). Use the correct type in the fq header file
+depending on the kernel version.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ include/net/fq.h      | 8 ++++++++
+ include/net/fq_impl.h | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/include/net/fq.h
++++ b/include/net/fq.h
+@@ -70,7 +70,15 @@ struct fq {
+ 	struct list_head backlogs;
+ 	spinlock_t lock;
+ 	u32 flows_cnt;
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	siphash_key_t	perturbation;
++#else
+ 	u32 perturbation;
++#endif
+ 	u32 limit;
+ 	u32 memory_limit;
+ 	u32 memory_usage;
+--- a/include/net/fq_impl.h
++++ b/include/net/fq_impl.h
+@@ -118,7 +118,15 @@ static struct fq_flow *fq_flow_classify(
+ 
+ 	lockdep_assert_held(&fq->lock);
+ 
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	hash = skb_get_hash_perturb(skb, &fq->perturbation);
++#else
+ 	hash = skb_get_hash_perturb(skb, fq->perturbation);
++#endif
+ 	idx = reciprocal_scale(hash, fq->flows_cnt);
+ 	flow = &fq->flows[idx];
+ 
+@@ -307,7 +315,15 @@ static int fq_init(struct fq *fq, int fl
+ 	INIT_LIST_HEAD(&fq->backlogs);
+ 	spin_lock_init(&fq->lock);
+ 	fq->flows_cnt = max_t(u32, flows_cnt, 1);
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	get_random_bytes(&fq->perturbation, sizeof(fq->perturbation));
++#else
+ 	fq->perturbation = prandom_u32();
++#endif
+ 	fq->quantum = 300;
+ 	fq->limit = 8192;
+ 	fq->memory_limit = 16 << 20; /* 16 MBytes */

package/kernel/mac80211/patches/380-v5.0-0001-brcmfmac-fix-spelling-mistake-Retreiving-Retrieving.patch

@@ -0,0 +1,34 @@
+From e966a79c2f761a696dec9cfb0e2d4aa977bf78cb Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 16 Oct 2018 18:43:42 +0100
+Subject: [PATCH] brcmfmac: fix spelling mistake "Retreiving" -> "Retrieving"
+
+Trivial fix to spelling mistake in brcmf_err error message.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -214,7 +214,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	err = brcmf_fil_iovar_data_get(ifp, "cur_etheraddr", ifp->mac_addr,
+ 				       sizeof(ifp->mac_addr));
+ 	if (err < 0) {
+-		brcmf_err("Retreiving cur_etheraddr failed, %d\n", err);
++		brcmf_err("Retrieving cur_etheraddr failed, %d\n", err);
+ 		goto done;
+ 	}
+ 	memcpy(ifp->drvr->wiphy->perm_addr, ifp->drvr->mac, ETH_ALEN);
+@@ -269,7 +269,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	strcpy(buf, "ver");
+ 	err = brcmf_fil_iovar_data_get(ifp, "ver", buf, sizeof(buf));
+ 	if (err < 0) {
+-		brcmf_err("Retreiving version information failed, %d\n",
++		brcmf_err("Retrieving version information failed, %d\n",
+ 			  err);
+ 		goto done;
+ 	}

package/kernel/mac80211/patches/380-v5.0-0002-brcmutil-print-invalid-chanspec-when-WARN-ing.patch

@@ -0,0 +1,83 @@
+From ae5848cb4511bbbfe0306fcdbe5d9a95cd9546a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 26 Oct 2018 13:22:32 +0200
+Subject: [PATCH] brcmutil: print invalid chanspec when WARN-ing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On one of my devices I got WARNINGs when brcmfmac tried to decode
+chanspec. I couldn't tell if it was some unsupported format or just a
+malformed value passed by a firmware.
+
+Print chanspec value so it's possible to debug a possible problem.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -128,7 +128,7 @@ static void brcmu_d11n_decchspec(struct
+ 		}
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ 
+@@ -140,7 +140,7 @@ static void brcmu_d11n_decchspec(struct
+ 		ch->band = BRCMU_CHAN_BAND_2G;
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ }
+@@ -167,7 +167,7 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->sb = BRCMU_CHAN_SB_U;
+ 			ch->control_ch_num += CH_10MHZ_APART;
+ 		} else {
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_80:
+@@ -188,7 +188,7 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->control_ch_num += CH_30MHZ_APART;
+ 			break;
+ 		default:
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 			break;
+ 		}
+ 		break;
+@@ -222,13 +222,13 @@ static void brcmu_d11ac_decchspec(struct
+ 			ch->control_ch_num += CH_70MHZ_APART;
+ 			break;
+ 		default:
+-			WARN_ON_ONCE(1);
++			WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 			break;
+ 		}
+ 		break;
+ 	case BRCMU_CHSPEC_D11AC_BW_8080:
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ 
+@@ -240,7 +240,7 @@ static void brcmu_d11ac_decchspec(struct
+ 		ch->band = BRCMU_CHAN_BAND_2G;
+ 		break;
+ 	default:
+-		WARN_ON_ONCE(1);
++		WARN_ONCE(1, "Invalid chanspec 0x%04x\n", ch->chspec);
+ 		break;
+ 	}
+ }

package/kernel/mac80211/patches/380-v5.0-0003-brcmfmac-support-STA-info-struct-v7.patch

@@ -0,0 +1,78 @@
+From a4dad0334732f62c67058037d9edb17945bec598 Mon Sep 17 00:00:00 2001
+From: Dan Haab <riproute@gmail.com>
+Date: Fri, 9 Nov 2018 09:38:55 -0700
+Subject: [PATCH] brcmfmac: support STA info struct v7
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The newest firmwares provide STA info using v7 of the struct. As v7
+isn't backward compatible, a union is needed.
+
+Even though brcmfmac does not use any of the new info it's important to
+provide the proper struct buffer. Without this change new firmwares will
+fallback to the very limited v3 instead of something in between such as
+v4.
+
+Signed-off-by: Dan Haab <dan.haab@luxul.com>
+Reviewed-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ .../broadcom/brcm80211/brcmfmac/fwil_types.h       | 40 ++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -176,6 +176,8 @@
+ 
+ #define BRCMF_VHT_CAP_MCS_MAP_NSS_MAX	8
+ 
++#define BRCMF_HE_CAP_MCS_MAP_NSS_MAX	8
++
+ /* MAX_CHUNK_LEN is the maximum length for data passing to firmware in each
+  * ioctl. It is relatively small because firmware has small maximum size input
+  * playload restriction for ioctls.
+@@ -601,13 +603,37 @@ struct brcmf_sta_info_le {
+ 	__le32 rx_pkts_retried;        /* # rx with retry bit set */
+ 	__le32 tx_rate_fallback;       /* lowest fallback TX rate */
+ 
+-	/* Fields valid for ver >= 5 */
+-	struct {
+-		__le32 count;					/* # rates in this set */
+-		u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
+-		u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
+-		__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
+-	} rateset_adv;
++	union {
++		struct {
++			struct {
++				__le32 count;					/* # rates in this set */
++				u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++				u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++				__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++			} rateset_adv;
++		} v5;
++
++		struct {
++			__le32 rx_dur_total;	/* total user RX duration (estimated) */
++			__le16 chanspec;	/** chanspec this sta is on */
++			__le16 pad_1;
++			struct {
++				__le16 version;					/* version */
++				__le16 len;					/* length */
++				__le32 count;					/* # rates in this set */
++				u8 rates[BRCMF_MAXRATES_IN_SET];		/* rates in 500kbps units w/hi bit set if basic */
++				u8 mcs[BRCMF_MCSSET_LEN];			/* supported mcs index bit map */
++				__le16 vht_mcs[BRCMF_VHT_CAP_MCS_MAP_NSS_MAX];	/* supported mcs index bit map per nss */
++				__le16 he_mcs[BRCMF_HE_CAP_MCS_MAP_NSS_MAX];	/* supported he mcs index bit map per nss */
++			} rateset_adv;		/* rateset along with mcs index bitmap */
++			__le16 wpauth;		/* authentication type */
++			u8 algo;		/* crypto algorithm */
++			u8 pad_2;
++			__le32 tx_rspec;	/* Rate of last successful tx frame */
++			__le32 rx_rspec;	/* Rate of last successful rx frame */
++			__le32 wnm_cap;		/* wnm capabilities */
++		} v7;
++	};
+ };
+ 
+ struct brcmf_chanspec_list {

package/kernel/mac80211/patches/380-v5.0-0004-brcmfmac-Fix-out-of-bounds-memory-access-during-fw-l.patch

@@ -0,0 +1,110 @@
+From b72c51a58e6d63ef673ac96b8ab5bc98799c5f7b Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Sat, 24 Nov 2018 17:57:05 -0500
+Subject: [PATCH] brcmfmac: Fix out of bounds memory access during fw load
+
+I ended up tracking down some rather nasty issues with f2fs (and other
+filesystem modules) constantly crashing on my kernel down to a
+combination of out of bounds memory accesses, one of which was coming
+from brcmfmac during module load:
+
+[   30.891382] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
+[   30.894437] ==================================================================
+[   30.901581] BUG: KASAN: global-out-of-bounds in brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
+[   30.909935] Read of size 1 at addr ffff2000024865df by task kworker/6:2/387
+[   30.916805]
+[   30.918261] CPU: 6 PID: 387 Comm: kworker/6:2 Tainted: G           O      4.20.0-rc3Lyude-Test+ #19
+[   30.927251] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
+[   30.935964] Workqueue: events brcmf_driver_register [brcmfmac]
+[   30.941641] Call trace:
+[   30.944058]  dump_backtrace+0x0/0x3e8
+[   30.947676]  show_stack+0x14/0x20
+[   30.950968]  dump_stack+0x130/0x1c4
+[   30.954406]  print_address_description+0x60/0x25c
+[   30.959066]  kasan_report+0x1b4/0x368
+[   30.962683]  __asan_report_load1_noabort+0x18/0x20
+[   30.967547]  brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
+[   30.967639]  brcmf_sdio_probe+0x163c/0x2050 [brcmfmac]
+[   30.978035]  brcmf_ops_sdio_probe+0x598/0xa08 [brcmfmac]
+[   30.983254]  sdio_bus_probe+0x190/0x398
+[   30.983270]  really_probe+0x2a0/0xa70
+[   30.983296]  driver_probe_device+0x1b4/0x2d8
+[   30.994901]  __driver_attach+0x200/0x280
+[   30.994914]  bus_for_each_dev+0x10c/0x1a8
+[   30.994925]  driver_attach+0x38/0x50
+[   30.994935]  bus_add_driver+0x330/0x608
+[   30.994953]  driver_register+0x140/0x388
+[   31.013965]  sdio_register_driver+0x74/0xa0
+[   31.014076]  brcmf_sdio_register+0x14/0x60 [brcmfmac]
+[   31.023177]  brcmf_driver_register+0xc/0x18 [brcmfmac]
+[   31.023209]  process_one_work+0x654/0x1080
+[   31.032266]  worker_thread+0x4f0/0x1308
+[   31.032286]  kthread+0x2a8/0x320
+[   31.039254]  ret_from_fork+0x10/0x1c
+[   31.039269]
+[   31.044226] The buggy address belongs to the variable:
+[   31.044351]  brcmf_firmware_path+0x11f/0xfffffffffffd3b40 [brcmfmac]
+[   31.055601]
+[   31.057031] Memory state around the buggy address:
+[   31.061800]  ffff200002486480: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+[   31.068983]  ffff200002486500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   31.068993] >ffff200002486580: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
+[   31.068999]                                                     ^
+[   31.069017]  ffff200002486600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   31.096521]  ffff200002486680: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
+[   31.096528] ==================================================================
+[   31.096533] Disabling lock debugging due to kernel taint
+
+It appears that when trying to determine the length of the string in the
+alternate firmware path, we make the mistake of not handling the case
+where the firmware path is empty correctly. Since strlen(mp_path) can
+return 0, we'll end up accessing mp_path[-1] when the firmware_path
+isn't provided through the module arguments.
+
+So, fix this by just setting the end char to '\0' by default, and only
+changing it if we have a non-zero length. Additionally, use strnlen()
+with BRCMF_FW_ALTPATH_LEN instead of strlen() just to be extra safe.
+
+Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function")
+Cc: Hante Meuleman <hante.meuleman@broadcom.com>
+Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Cc: Franky Lin <franky.lin@broadcom.com>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Cc: Himanshu Jha <himanshujha199640@gmail.com>
+Cc: Dan Haab <dhaab@luxul.com>
+Cc: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Cc: Ian Molton <ian@mnementh.co.uk>
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/firmware.c   | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -633,8 +633,9 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+ 	struct brcmf_fw_request *fwreq;
+ 	char chipname[12];
+ 	const char *mp_path;
++	size_t mp_path_len;
+ 	u32 i, j;
+-	char end;
++	char end = '\0';
+ 	size_t reqsz;
+ 
+ 	for (i = 0; i < table_size; i++) {
+@@ -659,7 +660,10 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+ 		   mapping_table[i].fw_base, chipname);
+ 
+ 	mp_path = brcmf_mp_global.firmware_path;
+-	end = mp_path[strlen(mp_path) - 1];
++	mp_path_len = strnlen(mp_path, BRCMF_FW_ALTPATH_LEN);
++	if (mp_path_len)
++		end = mp_path[mp_path_len - 1];
++
+ 	fwreq->n_items = n_fwnames;
+ 
+ 	for (j = 0; j < n_fwnames; j++) {

package/kernel/mac80211/patches/380-v5.0-0005-brcmfmac-fix-roamoff-1-modparam.patch

@@ -0,0 +1,68 @@
+From 8c892df41500469729e0d662816300196e4f463d Mon Sep 17 00:00:00 2001
+From: Stijn Tintel <stijn@linux-ipv6.be>
+Date: Tue, 4 Dec 2018 20:29:05 +0200
+Subject: [PATCH] brcmfmac: fix roamoff=1 modparam
+
+When the update_connect_param callback is set, nl80211 expects the flag
+WIPHY_FLAG_SUPPORTS_FW_ROAM to be set as well. However, this flag is
+only set when modparam roamoff=0, while the callback is set
+unconditionally. Since commit 7f9a3e150ec7 this causes a warning in
+wiphy_register, which breaks brcmfmac.
+
+Disable the update_connect_param callback when roamoff=0 to fix this.
+
+Fixes: 7f9a3e150ec7 ("nl80211: Update ERP info using NL80211_CMD_UPDATE_CONNECT_PARAMS")
+Cc: Stable <stable@vger.kernel.org> # 4.19+
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   | 11 +++++++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.h   |  2 +-
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c   |  2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5189,10 +5189,17 @@ static struct cfg80211_ops brcmf_cfg8021
+ 	.del_pmk = brcmf_cfg80211_del_pmk,
+ };
+ 
+-struct cfg80211_ops *brcmf_cfg80211_get_ops(void)
++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings)
+ {
+-	return kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
++	struct cfg80211_ops *ops;
++
++	ops = kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
+ 		       GFP_KERNEL);
++
++	if (ops && settings->roamoff)
++		ops->update_connect_params = NULL;
++
++	return ops;
+ }
+ 
+ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+@@ -404,7 +404,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg);
+ s32 brcmf_cfg80211_up(struct net_device *ndev);
+ s32 brcmf_cfg80211_down(struct net_device *ndev);
+-struct cfg80211_ops *brcmf_cfg80211_get_ops(void);
++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings);
+ enum nl80211_iftype brcmf_cfg80211_get_iftype(struct brcmf_if *ifp);
+ 
+ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1151,7 +1151,7 @@ int brcmf_attach(struct device *dev, str
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+-	ops = brcmf_cfg80211_get_ops();
++	ops = brcmf_cfg80211_get_ops(settings);
+ 	if (!ops)
+ 		return -ENOMEM;
+ 

package/kernel/mac80211/patches/380-v5.0-0006-brcmfmac-Fix-access-point-mode.patch

@@ -0,0 +1,41 @@
+From 861cb5eb467f5e38dce1aabe4e8db379255bd89b Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 12 Dec 2018 20:20:06 +0100
+Subject: [PATCH] brcmfmac: Fix access point mode
+
+Since commit 1204aa17f3b4 ("brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag")
+the Raspberry Pi 3 A+ (BCM43455) isn't able to operate in AP mode with
+hostapd (device_ap_sme=1 use_monitor=0):
+
+brcmfmac: brcmf_cfg80211_stop_ap: setting AP mode failed -52
+
+So add the missing mgmt_stypes for AP mode to fix this.
+
+Fixes: 1204aa17f3b4 ("brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag")
+Suggested-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c    | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6303,6 +6303,16 @@ brcmf_txrx_stypes[NUM_NL80211_IFTYPES] =
+ 		.tx = 0xffff,
+ 		.rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
+ 		      BIT(IEEE80211_STYPE_PROBE_REQ >> 4)
++	},
++	[NL80211_IFTYPE_AP] = {
++		.tx = 0xffff,
++		.rx = BIT(IEEE80211_STYPE_ASSOC_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_REASSOC_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_PROBE_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_DISASSOC >> 4) |
++		      BIT(IEEE80211_STYPE_AUTH >> 4) |
++		      BIT(IEEE80211_STYPE_DEAUTH >> 4) |
++		      BIT(IEEE80211_STYPE_ACTION >> 4)
+ 	}
+ };
+ 

package/kernel/mac80211/patches/381-v5.1-0001-brcmfmac-modify-__brcmf_err-to-take-bus-as-a-paramet.patch

@@ -0,0 +1,104 @@
+From 5cc898fbcb352b764f8d51c16e10e2eb0056173d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 6 Feb 2019 12:28:15 +0100
+Subject: [PATCH] brcmfmac: modify __brcmf_err() to take bus as a parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far __brcmf_err() was using pr_err() which didn't allow identifying
+device that was affected by an error. It's crucial for systems with more
+than 1 device supported by brcmfmac (a common case for home routers).
+
+This change allows passing struct brcmf_bus to the __brcmf_err(). That
+struct has been agreed to be the most common one. It allows accessing
+struct device easily & using dev_err() printing helper.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/common.c    | 7 +++++--
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h | 8 +++++---
+ .../wireless/broadcom/brcm80211/brcmfmac/tracepoint.c    | 9 +++++++--
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -350,7 +350,7 @@ done:
+ }
+ 
+ #ifndef CPTCFG_BRCM_TRACING
+-void __brcmf_err(const char *func, const char *fmt, ...)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...)
+ {
+ 	struct va_format vaf;
+ 	va_list args;
+@@ -359,7 +359,10 @@ void __brcmf_err(const char *func, const
+ 
+ 	vaf.fmt = fmt;
+ 	vaf.va = &args;
+-	pr_err("%s: %pV", func, &vaf);
++	if (bus)
++		dev_err(bus->dev, "%s: %pV", func, &vaf);
++	else
++		pr_err("%s: %pV", func, &vaf);
+ 
+ 	va_end(args);
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -45,8 +45,10 @@
+ #undef pr_fmt
+ #define pr_fmt(fmt)		KBUILD_MODNAME ": " fmt
+ 
+-__printf(2, 3)
+-void __brcmf_err(const char *func, const char *fmt, ...);
++struct brcmf_bus;
++
++__printf(3, 4)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...);
+ /* Macro for error messages. When debugging / tracing the driver all error
+  * messages are important to us.
+  */
+@@ -55,7 +57,7 @@ void __brcmf_err(const char *func, const
+ 		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
+ 		    IS_ENABLED(CPTCFG_BRCM_TRACING) ||			\
+ 		    net_ratelimit())					\
+-			__brcmf_err(__func__, fmt, ##__VA_ARGS__);	\
++			__brcmf_err(NULL, __func__, fmt, ##__VA_ARGS__);\
+ 	} while (0)
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/tracepoint.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/tracepoint.c
+@@ -14,14 +14,16 @@
+  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#include <linux/device.h>
+ #include <linux/module.h> /* bug in tracepoint.h, it should include this */
+ 
+ #ifndef __CHECKER__
+ #define CREATE_TRACE_POINTS
++#include "bus.h"
+ #include "tracepoint.h"
+ #include "debug.h"
+ 
+-void __brcmf_err(const char *func, const char *fmt, ...)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...)
+ {
+ 	struct va_format vaf = {
+ 		.fmt = fmt,
+@@ -30,7 +32,10 @@ void __brcmf_err(const char *func, const
+ 
+ 	va_start(args, fmt);
+ 	vaf.va = &args;
+-	pr_err("%s: %pV", func, &vaf);
++	if (bus)
++		dev_err(bus->dev, "%s: %pV", func, &vaf);
++	else
++		pr_err("%s: %pV", func, &vaf);
+ 	trace_brcmf_err(func, &vaf);
+ 	va_end(args);
+ }

package/kernel/mac80211/patches/381-v5.1-0002-brcmfmac-pass-bus-to-the-__brcmf_err-in-pcie.c.patch

@@ -0,0 +1,266 @@
+From 8602e62441aba276cafd68034b72162fbc5ca0a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 6 Feb 2019 12:28:16 +0100
+Subject: [PATCH] brcmfmac: pass bus to the __brcmf_err() in pcie.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This enables dev_err() usage (instead of pr_err()) in the __brcmf_err().
+It makes error messages more meaningful and is important for debugging
+errors/bugs on systems with multiple brcmfmac supported devices.
+
+All bus files should follow & get updated similarly (soon).
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/debug.h       |  2 +
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 59 +++++++++++--------
+ 2 files changed, 38 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -52,6 +52,7 @@ void __brcmf_err(struct brcmf_bus *bus,
+ /* Macro for error messages. When debugging / tracing the driver all error
+  * messages are important to us.
+  */
++#ifndef brcmf_err
+ #define brcmf_err(fmt, ...)						\
+ 	do {								\
+ 		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
+@@ -59,6 +60,7 @@ void __brcmf_err(struct brcmf_bus *bus,
+ 		    net_ratelimit())					\
+ 			__brcmf_err(NULL, __func__, fmt, ##__VA_ARGS__);\
+ 	} while (0)
++#endif
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -30,6 +30,15 @@
+ #include <brcmu_wifi.h>
+ #include <brcm_hw_ids.h>
+ 
++/* Custom brcmf_err() that takes bus arg and passes it further */
++#define brcmf_err(bus, fmt, ...)					\
++	do {								\
++		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
++		    IS_ENABLED(CPTCFG_BRCM_TRACING) ||			\
++		    net_ratelimit())					\
++			__brcmf_err(bus, __func__, fmt, ##__VA_ARGS__);	\
++	} while (0)
++
+ #include "debug.h"
+ #include "bus.h"
+ #include "commonring.h"
+@@ -531,6 +540,7 @@ static void
+ brcmf_pcie_select_core(struct brcmf_pciedev_info *devinfo, u16 coreid)
+ {
+ 	const struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	struct brcmf_core *core;
+ 	u32 bar0_win;
+ 
+@@ -548,7 +558,7 @@ brcmf_pcie_select_core(struct brcmf_pcie
+ 			}
+ 		}
+ 	} else {
+-		brcmf_err("Unsupported core selected %x\n", coreid);
++		brcmf_err(bus, "Unsupported core selected %x\n", coreid);
+ 	}
+ }
+ 
+@@ -848,9 +858,8 @@ static irqreturn_t brcmf_pcie_isr_thread
+ 
+ static int brcmf_pcie_request_irq(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
+-
+-	pdev = devinfo->pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 
+ 	brcmf_pcie_intr_disable(devinfo);
+ 
+@@ -861,7 +870,7 @@ static int brcmf_pcie_request_irq(struct
+ 				 brcmf_pcie_isr_thread, IRQF_SHARED,
+ 				 "brcmf_pcie_intr", devinfo)) {
+ 		pci_disable_msi(pdev);
+-		brcmf_err("Failed to request IRQ %d\n", pdev->irq);
++		brcmf_err(bus, "Failed to request IRQ %d\n", pdev->irq);
+ 		return -EIO;
+ 	}
+ 	devinfo->irq_allocated = true;
+@@ -871,15 +880,14 @@ static int brcmf_pcie_request_irq(struct
+ 
+ static void brcmf_pcie_release_irq(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	u32 status;
+ 	u32 count;
+ 
+ 	if (!devinfo->irq_allocated)
+ 		return;
+ 
+-	pdev = devinfo->pdev;
+-
+ 	brcmf_pcie_intr_disable(devinfo);
+ 	free_irq(pdev->irq, devinfo);
+ 	pci_disable_msi(pdev);
+@@ -891,7 +899,7 @@ static void brcmf_pcie_release_irq(struc
+ 		count++;
+ 	}
+ 	if (devinfo->in_irq)
+-		brcmf_err("Still in IRQ (processing) !!!\n");
++		brcmf_err(bus, "Still in IRQ (processing) !!!\n");
+ 
+ 	status = brcmf_pcie_read_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT);
+ 	brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT, status);
+@@ -1102,6 +1110,7 @@ static void brcmf_pcie_release_ringbuffe
+ 
+ static int brcmf_pcie_init_ringbuffers(struct brcmf_pciedev_info *devinfo)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	struct brcmf_pcie_ringbuf *ring;
+ 	struct brcmf_pcie_ringbuf *rings;
+ 	u32 d2h_w_idx_ptr;
+@@ -1254,7 +1263,7 @@ static int brcmf_pcie_init_ringbuffers(s
+ 	return 0;
+ 
+ fail:
+-	brcmf_err("Allocating ring buffers failed\n");
++	brcmf_err(bus, "Allocating ring buffers failed\n");
+ 	brcmf_pcie_release_ringbuffers(devinfo);
+ 	return -ENOMEM;
+ }
+@@ -1277,6 +1286,7 @@ brcmf_pcie_release_scratchbuffers(struct
+ 
+ static int brcmf_pcie_init_scratchbuffers(struct brcmf_pciedev_info *devinfo)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	u64 address;
+ 	u32 addr;
+ 
+@@ -1316,7 +1326,7 @@ static int brcmf_pcie_init_scratchbuffer
+ 	return 0;
+ 
+ fail:
+-	brcmf_err("Allocating scratch buffers failed\n");
++	brcmf_err(bus, "Allocating scratch buffers failed\n");
+ 	brcmf_pcie_release_scratchbuffers(devinfo);
+ 	return -ENOMEM;
+ }
+@@ -1437,6 +1447,7 @@ static int
+ brcmf_pcie_init_share_ram_info(struct brcmf_pciedev_info *devinfo,
+ 			       u32 sharedram_addr)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	struct brcmf_pcie_shared_info *shared;
+ 	u32 addr;
+ 
+@@ -1448,7 +1459,8 @@ brcmf_pcie_init_share_ram_info(struct br
+ 	brcmf_dbg(PCIE, "PCIe protocol version %d\n", shared->version);
+ 	if ((shared->version > BRCMF_PCIE_MAX_SHARED_VERSION) ||
+ 	    (shared->version < BRCMF_PCIE_MIN_SHARED_VERSION)) {
+-		brcmf_err("Unsupported PCIE version %d\n", shared->version);
++		brcmf_err(bus, "Unsupported PCIE version %d\n",
++			  shared->version);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -1490,6 +1502,7 @@ static int brcmf_pcie_download_fw_nvram(
+ 					const struct firmware *fw, void *nvram,
+ 					u32 nvram_len)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	u32 sharedram_addr;
+ 	u32 sharedram_addr_written;
+ 	u32 loop_counter;
+@@ -1544,7 +1557,7 @@ static int brcmf_pcie_download_fw_nvram(
+ 		loop_counter--;
+ 	}
+ 	if (sharedram_addr == sharedram_addr_written) {
+-		brcmf_err("FW failed to initialize\n");
++		brcmf_err(bus, "FW failed to initialize\n");
+ 		return -ENODEV;
+ 	}
+ 	brcmf_dbg(PCIE, "Shared RAM addr: 0x%08x\n", sharedram_addr);
+@@ -1555,16 +1568,15 @@ static int brcmf_pcie_download_fw_nvram(
+ 
+ static int brcmf_pcie_get_resource(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	int err;
+ 	phys_addr_t  bar0_addr, bar1_addr;
+ 	ulong bar1_size;
+ 
+-	pdev = devinfo->pdev;
+-
+ 	err = pci_enable_device(pdev);
+ 	if (err) {
+-		brcmf_err("pci_enable_device failed err=%d\n", err);
++		brcmf_err(bus, "pci_enable_device failed err=%d\n", err);
+ 		return err;
+ 	}
+ 
+@@ -1577,7 +1589,7 @@ static int brcmf_pcie_get_resource(struc
+ 	/* read Bar-1 mapped memory range */
+ 	bar1_size = pci_resource_len(pdev, 2);
+ 	if ((bar1_size == 0) || (bar1_addr == 0)) {
+-		brcmf_err("BAR1 Not enabled, device size=%ld, addr=%#016llx\n",
++		brcmf_err(bus, "BAR1 Not enabled, device size=%ld, addr=%#016llx\n",
+ 			  bar1_size, (unsigned long long)bar1_addr);
+ 		return -EINVAL;
+ 	}
+@@ -1586,7 +1598,7 @@ static int brcmf_pcie_get_resource(struc
+ 	devinfo->tcm = ioremap_nocache(bar1_addr, bar1_size);
+ 
+ 	if (!devinfo->regs || !devinfo->tcm) {
+-		brcmf_err("ioremap() failed (%p,%p)\n", devinfo->regs,
++		brcmf_err(bus, "ioremap() failed (%p,%p)\n", devinfo->regs,
+ 			  devinfo->tcm);
+ 		return -EINVAL;
+ 	}
+@@ -1873,7 +1885,7 @@ fail_bus:
+ 	kfree(bus->msgbuf);
+ 	kfree(bus);
+ fail:
+-	brcmf_err("failed %x:%x\n", pdev->vendor, pdev->device);
++	brcmf_err(NULL, "failed %x:%x\n", pdev->vendor, pdev->device);
+ 	brcmf_pcie_release_resource(devinfo);
+ 	if (devinfo->ci)
+ 		brcmf_chip_detach(devinfo->ci);
+@@ -1947,7 +1959,7 @@ static int brcmf_pcie_pm_enter_D3(struct
+ 	wait_event_timeout(devinfo->mbdata_resp_wait, devinfo->mbdata_completed,
+ 			   BRCMF_PCIE_MBDATA_TIMEOUT);
+ 	if (!devinfo->mbdata_completed) {
+-		brcmf_err("Timeout on response for entering D3 substate\n");
++		brcmf_err(bus, "Timeout on response for entering D3 substate\n");
+ 		brcmf_bus_change_state(bus, BRCMF_BUS_UP);
+ 		return -EIO;
+ 	}
+@@ -1993,7 +2005,7 @@ cleanup:
+ 
+ 	err = brcmf_pcie_probe(pdev, NULL);
+ 	if (err)
+-		brcmf_err("probe after resume failed, err=%d\n", err);
++		brcmf_err(bus, "probe after resume failed, err=%d\n", err);
+ 
+ 	return err;
+ }
+@@ -2065,7 +2077,8 @@ void brcmf_pcie_register(void)
+ 	brcmf_dbg(PCIE, "Enter\n");
+ 	err = pci_register_driver(&brcmf_pciedrvr);
+ 	if (err)
+-		brcmf_err("PCIE driver registration failed, err=%d\n", err);
++		brcmf_err(NULL, "PCIE driver registration failed, err=%d\n",
++			  err);
+ }
+ 
+ 

package/kernel/mac80211/patches/381-v5.1-0004-brcmfmac-support-monitor-frames-with-the-hardware-uc.patch

@@ -0,0 +1,143 @@
+From e665988be29ccea3584528967b432a5cfd801ca4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Feb 2019 07:42:30 +0100
+Subject: [PATCH] brcmfmac: support monitor frames with the hardware/ucode
+ header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far there were two monitor frame formats:
+1) 802.11 frames (with frame (sub)type & all addresses)
+2) 802.11 frames with the radiotap header
+
+Testing the latest FullMAC firmwares for 4366b1/4366c0 resulted in
+discovering a new format being used. It seems (almost?) identical to the
+one known from ucode used in SoftMAC devices which is most likely the
+same codebase anyway.
+
+While new firmwares will /announce/ radiotap header support using the
+"rtap" fw capability string it seems no string was added for the new
+ucode header format.
+
+All above means that:
+1) We need new format support when dealing with a received frame
+2) A new feature bit & mapping quirks have to be added manually
+
+As for now only an empty radiotap is being created. Adding support for
+extracting some info (band, channel, signal, etc.) is planned for the
+future.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/core.c        | 55 +++++++++++++++++++
+ .../broadcom/brcm80211/brcmfmac/feature.c     |  4 ++
+ .../broadcom/brcm80211/brcmfmac/feature.h     |  4 +-
+ 3 files changed, 62 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -43,6 +43,36 @@
+ 
+ #define BRCMF_BSSIDX_INVALID			-1
+ 
++#define	RXS_PBPRES				BIT(2)
++
++#define	D11_PHY_HDR_LEN				6
++
++struct d11rxhdr_le {
++	__le16 RxFrameSize;
++	u16 PAD;
++	__le16 PhyRxStatus_0;
++	__le16 PhyRxStatus_1;
++	__le16 PhyRxStatus_2;
++	__le16 PhyRxStatus_3;
++	__le16 PhyRxStatus_4;
++	__le16 PhyRxStatus_5;
++	__le16 RxStatus1;
++	__le16 RxStatus2;
++	__le16 RxTSFTime;
++	__le16 RxChan;
++	u8 unknown[12];
++} __packed;
++
++struct wlc_d11rxhdr {
++	struct d11rxhdr_le rxhdr;
++	__le32 tsf_l;
++	s8 rssi;
++	s8 rxpwr0;
++	s8 rxpwr1;
++	s8 do_rssi_ma;
++	s8 rxpwr[4];
++} __packed;
++
+ char *brcmf_ifname(struct brcmf_if *ifp)
+ {
+ 	if (!ifp)
+@@ -409,6 +439,31 @@ void brcmf_netif_mon_rx(struct brcmf_if
+ {
+ 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_RADIOTAP)) {
+ 		/* Do nothing */
++	} else if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR)) {
++		struct wlc_d11rxhdr *wlc_rxhdr = (struct wlc_d11rxhdr *)skb->data;
++		struct ieee80211_radiotap_header *radiotap;
++		unsigned int offset;
++		u16 RxStatus1;
++
++		RxStatus1 = le16_to_cpu(wlc_rxhdr->rxhdr.RxStatus1);
++
++		offset = sizeof(struct wlc_d11rxhdr);
++		/* MAC inserts 2 pad bytes for a4 headers or QoS or A-MSDU
++		 * subframes
++		 */
++		if (RxStatus1 & RXS_PBPRES)
++			offset += 2;
++		offset += D11_PHY_HDR_LEN;
++
++		skb_pull(skb, offset);
++
++		/* TODO: use RX header to fill some radiotap data */
++		radiotap = skb_push(skb, sizeof(*radiotap));
++		memset(radiotap, 0, sizeof(*radiotap));
++		radiotap->it_len = cpu_to_le16(sizeof(*radiotap));
++
++		/* TODO: 4 bytes with receive status? */
++		skb->len -= 4;
+ 	} else {
+ 		struct ieee80211_radiotap_header *radiotap;
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -103,6 +103,10 @@ static const struct brcmf_feat_fwfeat br
+ 	{ "01-6cb8e269", BIT(BRCMF_FEAT_MONITOR) },
+ 	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 52442afee990 */
+ 	{ "01-c47a91a4", BIT(BRCMF_FEAT_MONITOR) },
++	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 211de1679a68 */
++	{ "01-801fb449", BIT(BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR) },
++	/* brcmfmac4366c-pcie.bin from linux-firmware.git commit 211de1679a68 */
++	{ "01-d2cbb8fd", BIT(BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR) },
+ };
+ 
+ static void brcmf_feat_firmware_overrides(struct brcmf_pub *drv)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -35,6 +35,7 @@
+  * FWSUP: Firmware supplicant.
+  * MONITOR: firmware can pass monitor packets to host.
+  * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
++ * MONITOR_FMT_HW_RX_HDR: firmware provides monitor packets with hw/ucode header
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -52,7 +53,8 @@
+ 	BRCMF_FEAT_DEF(GSCAN) \
+ 	BRCMF_FEAT_DEF(FWSUP) \
+ 	BRCMF_FEAT_DEF(MONITOR) \
+-	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
++	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP) \
++	BRCMF_FEAT_DEF(MONITOR_FMT_HW_RX_HDR)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/381-v5.1-0005-brcmfmac-print-firmware-reported-ring-status-errors.patch

@@ -0,0 +1,67 @@
+From c988b78244df8216902e20de536434e2f474a37e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Feb 2019 15:24:39 +0100
+Subject: [PATCH] brcmfmac: print firmware reported ring status errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Firmware is capable of reporting ring status. It's used e.g. to signal
+some problem with a specific ring setup. This patch adds support for
+printing ring & error number which may be useful for debugging setup
+issues.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/msgbuf.c      | 25 +++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -134,6 +134,14 @@ struct msgbuf_completion_hdr {
+ 	__le16				flow_ring_id;
+ };
+ 
++/* Data struct for the MSGBUF_TYPE_RING_STATUS */
++struct msgbuf_ring_status {
++	struct msgbuf_common_hdr	msg;
++	struct msgbuf_completion_hdr	compl_hdr;
++	__le16				write_idx;
++	__le32				rsvd0[5];
++};
++
+ struct msgbuf_rx_event {
+ 	struct msgbuf_common_hdr	msg;
+ 	struct msgbuf_completion_hdr	compl_hdr;
+@@ -1180,6 +1188,19 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	brcmf_netif_rx(ifp, skb);
+ }
+ 
++static void brcmf_msgbuf_process_ring_status(struct brcmf_msgbuf *msgbuf,
++					     void *buf)
++{
++	struct msgbuf_ring_status *ring_status = buf;
++	int err;
++
++	err = le16_to_cpu(ring_status->compl_hdr.status);
++	if (err) {
++		int ring = le16_to_cpu(ring_status->compl_hdr.flow_ring_id);
++
++		brcmf_err("Firmware reported ring %d error: %d\n", ring, err);
++	}
++}
+ 
+ static void
+ brcmf_msgbuf_process_flow_ring_create_response(struct brcmf_msgbuf *msgbuf,
+@@ -1241,6 +1262,10 @@ static void brcmf_msgbuf_process_msgtype
+ 
+ 	msg = (struct msgbuf_common_hdr *)buf;
+ 	switch (msg->msgtype) {
++	case MSGBUF_TYPE_RING_STATUS:
++		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_RING_STATUS\n");
++		brcmf_msgbuf_process_ring_status(msgbuf, buf);
++		break;
+ 	case MSGBUF_TYPE_FLOW_RING_CREATE_CMPLT:
+ 		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_FLOW_RING_CREATE_CMPLT\n");
+ 		brcmf_msgbuf_process_flow_ring_create_response(msgbuf, buf);

package/kernel/mac80211/patches/381-v5.1-0006-brcmfmac-improve-code-handling-bandwidth-of-firmware.patch

@@ -0,0 +1,42 @@
+From f4e183293b871c96c0220dcc549d5ca4c72628ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 11 Feb 2019 23:04:53 +0100
+Subject: [PATCH] brcmfmac: improve code handling bandwidth of firmware
+ reported channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1) Use switch to simplify/improve the code & avoid some duplication
+2) Add warning for unsupported values
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6036,11 +6036,18 @@ static int brcmf_construct_chaninfo(stru
+ 		/* assuming the chanspecs order is HT20,
+ 		 * HT40 upper, HT40 lower, and VHT80.
+ 		 */
+-		if (ch.bw == BRCMU_CHAN_BW_80) {
++		switch (ch.bw) {
++		case BRCMU_CHAN_BW_80:
+ 			channel->flags &= ~IEEE80211_CHAN_NO_80MHZ;
+-		} else if (ch.bw == BRCMU_CHAN_BW_40) {
++			break;
++		case BRCMU_CHAN_BW_40:
+ 			brcmf_update_bw40_channel_flag(channel, &ch);
+-		} else {
++			break;
++		default:
++			wiphy_warn(wiphy, "Firmware reported unsupported bandwidth %d\n",
++				   ch.bw);
++			/* fall through */
++		case BRCMU_CHAN_BW_20:
+ 			/* enable the channel and disable other bandwidths
+ 			 * for now as mentioned order assure they are enabled
+ 			 * for subsequent chanspecs.

package/kernel/mac80211/patches/381-v5.1-0007-brcmfmac-support-firmware-reporting-160-MHz-channels.patch

@@ -0,0 +1,30 @@
+From 30519cbe339a45bd11a57ca8ece07f4f6a1cda2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 11 Feb 2019 23:04:54 +0100
+Subject: [PATCH] brcmfmac: support firmware reporting 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far 160 MHz channels were treated as 20 MHz ones which was breaking
+support for 40/80 MHz due to the brcmf_construct_chaninfo() logic and
+its assumptions.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6037,6 +6037,9 @@ static int brcmf_construct_chaninfo(stru
+ 		 * HT40 upper, HT40 lower, and VHT80.
+ 		 */
+ 		switch (ch.bw) {
++		case BRCMU_CHAN_BW_160:
++			channel->flags &= ~IEEE80211_CHAN_NO_160MHZ;
++			break;
+ 		case BRCMU_CHAN_BW_80:
+ 			channel->flags &= ~IEEE80211_CHAN_NO_80MHZ;
+ 			break;