OpenWrt v18.06.4: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^911bbd6bb4856f1e28ae00af37df62e4fa3529e5
-src-git luci https://git.openwrt.org/project/luci.git^6f6641d97de2c85ee5d87beda92ae8437d1dbdf5
-src-git routing https://git.openwrt.org/feed/routing.git^ea345d16a6e27c2a8fdf67bf543cc36a5f189131
-src-git telephony https://git.openwrt.org/feed/telephony.git^cb939d9677d6e38c428f9f297641d07611edeb04
+src-git packages https://git.openwrt.org/feed/packages.git^5779614d267732fc382c1684202543fdbd924b4c
+src-git luci https://git.openwrt.org/project/luci.git^4d6d8bc5b0d7ee71c7b29b12e7e0c2e1e86cb268
+src-git routing https://git.openwrt.org/feed/routing.git^bb156bf355b54236a52279522fabbec1e8dd7043
+src-git telephony https://git.openwrt.org/feed/telephony.git^507eabe1b60458ceb1a535aec9d12c8be95706f0

include/image.mk

@@ -581,7 +581,7 @@ define BuildImage
 		$(call Image/Prepare)
 
     legacy-images-prepare-make: image_prepare
-		$(MAKE) legacy-images-prepare
+		$(MAKE) legacy-images-prepare BIN_DIR="$(BIN_DIR)"
 
   else
     image_prepare:
@@ -605,7 +605,7 @@ define BuildImage
 
   legacy-images-make: install-images
 	$(call Image/mkfs/ubifs/legacy)
-	$(MAKE) legacy-images
+	$(MAKE) legacy-images BIN_DIR="$(BIN_DIR)"
 
   install: install-images
 	$(call Image/Manifest)

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .152
-LINUX_VERSION-4.14 = .95
+LINUX_VERSION-4.9 = .184
+LINUX_VERSION-4.14 = .131
 
-LINUX_KERNEL_HASH-4.9.152 = 90e47b85c09af47eefafe851685ee731538f640b0650a6a9cfa0234436708e39
-LINUX_KERNEL_HASH-4.14.95 = ce6729e3fca312520e3cb4f27993852dbb019d94c59c0b35cedab571f9cb58e4
+LINUX_KERNEL_HASH-4.9.184 = 033114d5350525dede995d31b596c31b0e26db8d77a0a1c53d36cdc36ead9faf
+LINUX_KERNEL_HASH-4.14.131 = 19f6404c30f4a9a1fe3315b902676b6d63a470be5d55cf2a0e47983c643c8ff5
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.2)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.4)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7676-cddd7b4c77)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7808-ef686b7292)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.2)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.4)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/base-files/files/lib/functions/uci-defaults.sh

@@ -481,6 +481,7 @@ _ucidef_set_led_timer() {
 
 	_ucidef_set_led_common "$1" "$2" "$3"
 
+	json_add_string type "$trigger_name"
 	json_add_string trigger "$trigger_name"
 	json_add_int delayon "$delayon"
 	json_add_int delayoff "$delayoff"

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.2"
+		default "http://downloads.openwrt.org/releases/18.06.4"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/uboot-fritz4040/Makefile

@@ -12,7 +12,7 @@ PKG_SOURCE_URL:=https://github.com/chunkeey/FritzBox-4040-UBOOT
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_VERSION:=6946ebbaf7b12a4a092d763c8f0c87a25984f103
 PKG_SOURCE_DATE:=2017-01-29
-PKG_MIRROR_HASH:=5c2394f51a083dca2a2bf9cb36fa717f252112fc792c9eeae64f6383ad08987b
+PKG_MIRROR_HASH:=4f3f5d9e3f047910d2bbd31325cc622c3dd64662c20ea740b27ac4bef9736a34
 
 PKG_RELEASE:=1
 
@@ -21,11 +21,12 @@ include $(INCLUDE_DIR)/package.mk
 
 define U-Boot/Default
   BUILD_TARGET:=ipq40xx
-  UBOOT_IMAGE:=uboot-fritz4040.bin
 endef
 
 define U-Boot/fritz4040
   NAME:=FritzBox 4040
+  UBOOT_IMAGE:=uboot-fritz4040.bin
+  BUILD_DEVICES:=avm_fritzbox-4040
 endef
 
 UBOOT_CONFIGURE_VARS += USE_PRIVATE_LIBGCC=yes
@@ -34,8 +35,8 @@ export DTC
 
 define Build/Configure
 	$(Build/Configure/U-Boot)
-	$(HOSTCC) -o $(PKG_BUILD_DIR)/fritz/lzma2eva $(PKG_BUILD_DIR)/fritz/src/lzma2eva.c -lz
-	$(HOSTCC) -o $(PKG_BUILD_DIR)/fritz/tichksum $(PKG_BUILD_DIR)/fritz/src/tichksum.c
+	$(HOSTCC) $(HOST_CFLAGS) $(HOST_LDFLAGS) -o $(PKG_BUILD_DIR)/fritz/lzma2eva $(PKG_BUILD_DIR)/fritz/src/lzma2eva.c -lz
+	$(HOSTCC) $(HOST_CFLAGS) $(HOST_LDFLAGS) -o $(PKG_BUILD_DIR)/fritz/tichksum $(PKG_BUILD_DIR)/fritz/src/tichksum.c
 	ln -sf $(STAGING_DIR_HOST)/bin/lzma $(PKG_BUILD_DIR)/fritz
 	ln -sf compiler-gcc5.h $(PKG_BUILD_DIR)/include/linux/compiler-gcc7.h
 endef
@@ -45,6 +46,11 @@ define Build/Compile
 	(cd $(PKG_BUILD_DIR); ./fritz/fritzcreator.sh;)
 endef
 
+define Build/InstallDev
+	$(INSTALL_DIR) $(STAGING_DIR_IMAGE)
+	$(CP) $(PKG_BUILD_DIR)/$(UBOOT_IMAGE) $(STAGING_DIR_IMAGE)/$(UBOOT_IMAGE)
+endef
+
 define Package/u-boot/install
 	$(Package/u-boot/install/default)
 	$(INSTALL_BIN) ./files/upload-to-f4040.sh $(1)/

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-11-01
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_HASH:=8437ab7886b988c8152e7a4db30b7f41009e49a3b2cb863edd05da1ecd7eb05a
 

package/kernel/mac80211/patches/380-v5.0-0001-brcmfmac-fix-spelling-mistake-Retreiving-Retrieving.patch

@@ -0,0 +1,34 @@
+From e966a79c2f761a696dec9cfb0e2d4aa977bf78cb Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 16 Oct 2018 18:43:42 +0100
+Subject: [PATCH] brcmfmac: fix spelling mistake "Retreiving" -> "Retrieving"
+
+Trivial fix to spelling mistake in brcmf_err error message.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -214,7 +214,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	err = brcmf_fil_iovar_data_get(ifp, "cur_etheraddr", ifp->mac_addr,
+ 				       sizeof(ifp->mac_addr));
+ 	if (err < 0) {
+-		brcmf_err("Retreiving cur_etheraddr failed, %d\n", err);
++		brcmf_err("Retrieving cur_etheraddr failed, %d\n", err);
+ 		goto done;
+ 	}
+ 	memcpy(ifp->drvr->wiphy->perm_addr, ifp->drvr->mac, ETH_ALEN);
+@@ -269,7 +269,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 	strcpy(buf, "ver");
+ 	err = brcmf_fil_iovar_data_get(ifp, "ver", buf, sizeof(buf));
+ 	if (err < 0) {
+-		brcmf_err("Retreiving version information failed, %d\n",
++		brcmf_err("Retrieving version information failed, %d\n",
+ 			  err);
+ 		goto done;
+ 	}

package/kernel/mac80211/patches/380-v5.0-0004-brcmfmac-Fix-out-of-bounds-memory-access-during-fw-l.patch

@@ -0,0 +1,110 @@
+From b72c51a58e6d63ef673ac96b8ab5bc98799c5f7b Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Sat, 24 Nov 2018 17:57:05 -0500
+Subject: [PATCH] brcmfmac: Fix out of bounds memory access during fw load
+
+I ended up tracking down some rather nasty issues with f2fs (and other
+filesystem modules) constantly crashing on my kernel down to a
+combination of out of bounds memory accesses, one of which was coming
+from brcmfmac during module load:
+
+[   30.891382] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
+[   30.894437] ==================================================================
+[   30.901581] BUG: KASAN: global-out-of-bounds in brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
+[   30.909935] Read of size 1 at addr ffff2000024865df by task kworker/6:2/387
+[   30.916805]
+[   30.918261] CPU: 6 PID: 387 Comm: kworker/6:2 Tainted: G           O      4.20.0-rc3Lyude-Test+ #19
+[   30.927251] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
+[   30.935964] Workqueue: events brcmf_driver_register [brcmfmac]
+[   30.941641] Call trace:
+[   30.944058]  dump_backtrace+0x0/0x3e8
+[   30.947676]  show_stack+0x14/0x20
+[   30.950968]  dump_stack+0x130/0x1c4
+[   30.954406]  print_address_description+0x60/0x25c
+[   30.959066]  kasan_report+0x1b4/0x368
+[   30.962683]  __asan_report_load1_noabort+0x18/0x20
+[   30.967547]  brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
+[   30.967639]  brcmf_sdio_probe+0x163c/0x2050 [brcmfmac]
+[   30.978035]  brcmf_ops_sdio_probe+0x598/0xa08 [brcmfmac]
+[   30.983254]  sdio_bus_probe+0x190/0x398
+[   30.983270]  really_probe+0x2a0/0xa70
+[   30.983296]  driver_probe_device+0x1b4/0x2d8
+[   30.994901]  __driver_attach+0x200/0x280
+[   30.994914]  bus_for_each_dev+0x10c/0x1a8
+[   30.994925]  driver_attach+0x38/0x50
+[   30.994935]  bus_add_driver+0x330/0x608
+[   30.994953]  driver_register+0x140/0x388
+[   31.013965]  sdio_register_driver+0x74/0xa0
+[   31.014076]  brcmf_sdio_register+0x14/0x60 [brcmfmac]
+[   31.023177]  brcmf_driver_register+0xc/0x18 [brcmfmac]
+[   31.023209]  process_one_work+0x654/0x1080
+[   31.032266]  worker_thread+0x4f0/0x1308
+[   31.032286]  kthread+0x2a8/0x320
+[   31.039254]  ret_from_fork+0x10/0x1c
+[   31.039269]
+[   31.044226] The buggy address belongs to the variable:
+[   31.044351]  brcmf_firmware_path+0x11f/0xfffffffffffd3b40 [brcmfmac]
+[   31.055601]
+[   31.057031] Memory state around the buggy address:
+[   31.061800]  ffff200002486480: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+[   31.068983]  ffff200002486500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   31.068993] >ffff200002486580: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
+[   31.068999]                                                     ^
+[   31.069017]  ffff200002486600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   31.096521]  ffff200002486680: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
+[   31.096528] ==================================================================
+[   31.096533] Disabling lock debugging due to kernel taint
+
+It appears that when trying to determine the length of the string in the
+alternate firmware path, we make the mistake of not handling the case
+where the firmware path is empty correctly. Since strlen(mp_path) can
+return 0, we'll end up accessing mp_path[-1] when the firmware_path
+isn't provided through the module arguments.
+
+So, fix this by just setting the end char to '\0' by default, and only
+changing it if we have a non-zero length. Additionally, use strnlen()
+with BRCMF_FW_ALTPATH_LEN instead of strlen() just to be extra safe.
+
+Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function")
+Cc: Hante Meuleman <hante.meuleman@broadcom.com>
+Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Cc: Franky Lin <franky.lin@broadcom.com>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Cc: Himanshu Jha <himanshujha199640@gmail.com>
+Cc: Dan Haab <dhaab@luxul.com>
+Cc: Jia-Shyr Chuang <saint.chuang@cypress.com>
+Cc: Ian Molton <ian@mnementh.co.uk>
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/firmware.c   | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -633,8 +633,9 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+ 	struct brcmf_fw_request *fwreq;
+ 	char chipname[12];
+ 	const char *mp_path;
++	size_t mp_path_len;
+ 	u32 i, j;
+-	char end;
++	char end = '\0';
+ 	size_t reqsz;
+ 
+ 	for (i = 0; i < table_size; i++) {
+@@ -659,7 +660,10 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+ 		   mapping_table[i].fw_base, chipname);
+ 
+ 	mp_path = brcmf_mp_global.firmware_path;
+-	end = mp_path[strlen(mp_path) - 1];
++	mp_path_len = strnlen(mp_path, BRCMF_FW_ALTPATH_LEN);
++	if (mp_path_len)
++		end = mp_path[mp_path_len - 1];
++
+ 	fwreq->n_items = n_fwnames;
+ 
+ 	for (j = 0; j < n_fwnames; j++) {

package/kernel/mac80211/patches/380-v5.0-0005-brcmfmac-fix-roamoff-1-modparam.patch

@@ -0,0 +1,68 @@
+From 8c892df41500469729e0d662816300196e4f463d Mon Sep 17 00:00:00 2001
+From: Stijn Tintel <stijn@linux-ipv6.be>
+Date: Tue, 4 Dec 2018 20:29:05 +0200
+Subject: [PATCH] brcmfmac: fix roamoff=1 modparam
+
+When the update_connect_param callback is set, nl80211 expects the flag
+WIPHY_FLAG_SUPPORTS_FW_ROAM to be set as well. However, this flag is
+only set when modparam roamoff=0, while the callback is set
+unconditionally. Since commit 7f9a3e150ec7 this causes a warning in
+wiphy_register, which breaks brcmfmac.
+
+Disable the update_connect_param callback when roamoff=0 to fix this.
+
+Fixes: 7f9a3e150ec7 ("nl80211: Update ERP info using NL80211_CMD_UPDATE_CONNECT_PARAMS")
+Cc: Stable <stable@vger.kernel.org> # 4.19+
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   | 11 +++++++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.h   |  2 +-
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c   |  2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5189,10 +5189,17 @@ static struct cfg80211_ops brcmf_cfg8021
+ 	.del_pmk = brcmf_cfg80211_del_pmk,
+ };
+ 
+-struct cfg80211_ops *brcmf_cfg80211_get_ops(void)
++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings)
+ {
+-	return kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
++	struct cfg80211_ops *ops;
++
++	ops = kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
+ 		       GFP_KERNEL);
++
++	if (ops && settings->roamoff)
++		ops->update_connect_params = NULL;
++
++	return ops;
+ }
+ 
+ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+@@ -404,7 +404,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg);
+ s32 brcmf_cfg80211_up(struct net_device *ndev);
+ s32 brcmf_cfg80211_down(struct net_device *ndev);
+-struct cfg80211_ops *brcmf_cfg80211_get_ops(void);
++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings);
+ enum nl80211_iftype brcmf_cfg80211_get_iftype(struct brcmf_if *ifp);
+ 
+ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1151,7 +1151,7 @@ int brcmf_attach(struct device *dev, str
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+-	ops = brcmf_cfg80211_get_ops();
++	ops = brcmf_cfg80211_get_ops(settings);
+ 	if (!ops)
+ 		return -ENOMEM;
+ 

package/kernel/mac80211/patches/380-v5.0-0006-brcmfmac-Fix-access-point-mode.patch

@@ -0,0 +1,41 @@
+From 861cb5eb467f5e38dce1aabe4e8db379255bd89b Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 12 Dec 2018 20:20:06 +0100
+Subject: [PATCH] brcmfmac: Fix access point mode
+
+Since commit 1204aa17f3b4 ("brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag")
+the Raspberry Pi 3 A+ (BCM43455) isn't able to operate in AP mode with
+hostapd (device_ap_sme=1 use_monitor=0):
+
+brcmfmac: brcmf_cfg80211_stop_ap: setting AP mode failed -52
+
+So add the missing mgmt_stypes for AP mode to fix this.
+
+Fixes: 1204aa17f3b4 ("brcmfmac: set WIPHY_FLAG_HAVE_AP_SME flag")
+Suggested-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c    | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6303,6 +6303,16 @@ brcmf_txrx_stypes[NUM_NL80211_IFTYPES] =
+ 		.tx = 0xffff,
+ 		.rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
+ 		      BIT(IEEE80211_STYPE_PROBE_REQ >> 4)
++	},
++	[NL80211_IFTYPE_AP] = {
++		.tx = 0xffff,
++		.rx = BIT(IEEE80211_STYPE_ASSOC_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_REASSOC_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_PROBE_REQ >> 4) |
++		      BIT(IEEE80211_STYPE_DISASSOC >> 4) |
++		      BIT(IEEE80211_STYPE_AUTH >> 4) |
++		      BIT(IEEE80211_STYPE_DEAUTH >> 4) |
++		      BIT(IEEE80211_STYPE_ACTION >> 4)
+ 	}
+ };
+ 

package/kernel/mac80211/patches/381-v5.1-0001-brcmfmac-modify-__brcmf_err-to-take-bus-as-a-paramet.patch

@@ -0,0 +1,104 @@
+From 5cc898fbcb352b764f8d51c16e10e2eb0056173d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 6 Feb 2019 12:28:15 +0100
+Subject: [PATCH] brcmfmac: modify __brcmf_err() to take bus as a parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far __brcmf_err() was using pr_err() which didn't allow identifying
+device that was affected by an error. It's crucial for systems with more
+than 1 device supported by brcmfmac (a common case for home routers).
+
+This change allows passing struct brcmf_bus to the __brcmf_err(). That
+struct has been agreed to be the most common one. It allows accessing
+struct device easily & using dev_err() printing helper.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/common.c    | 7 +++++--
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h | 8 +++++---
+ .../wireless/broadcom/brcm80211/brcmfmac/tracepoint.c    | 9 +++++++--
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -350,7 +350,7 @@ done:
+ }
+ 
+ #ifndef CPTCFG_BRCM_TRACING
+-void __brcmf_err(const char *func, const char *fmt, ...)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...)
+ {
+ 	struct va_format vaf;
+ 	va_list args;
+@@ -359,7 +359,10 @@ void __brcmf_err(const char *func, const
+ 
+ 	vaf.fmt = fmt;
+ 	vaf.va = &args;
+-	pr_err("%s: %pV", func, &vaf);
++	if (bus)
++		dev_err(bus->dev, "%s: %pV", func, &vaf);
++	else
++		pr_err("%s: %pV", func, &vaf);
+ 
+ 	va_end(args);
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -45,8 +45,10 @@
+ #undef pr_fmt
+ #define pr_fmt(fmt)		KBUILD_MODNAME ": " fmt
+ 
+-__printf(2, 3)
+-void __brcmf_err(const char *func, const char *fmt, ...);
++struct brcmf_bus;
++
++__printf(3, 4)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...);
+ /* Macro for error messages. When debugging / tracing the driver all error
+  * messages are important to us.
+  */
+@@ -55,7 +57,7 @@ void __brcmf_err(const char *func, const
+ 		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
+ 		    IS_ENABLED(CPTCFG_BRCM_TRACING) ||			\
+ 		    net_ratelimit())					\
+-			__brcmf_err(__func__, fmt, ##__VA_ARGS__);	\
++			__brcmf_err(NULL, __func__, fmt, ##__VA_ARGS__);\
+ 	} while (0)
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/tracepoint.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/tracepoint.c
+@@ -14,14 +14,16 @@
+  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#include <linux/device.h>
+ #include <linux/module.h> /* bug in tracepoint.h, it should include this */
+ 
+ #ifndef __CHECKER__
+ #define CREATE_TRACE_POINTS
++#include "bus.h"
+ #include "tracepoint.h"
+ #include "debug.h"
+ 
+-void __brcmf_err(const char *func, const char *fmt, ...)
++void __brcmf_err(struct brcmf_bus *bus, const char *func, const char *fmt, ...)
+ {
+ 	struct va_format vaf = {
+ 		.fmt = fmt,
+@@ -30,7 +32,10 @@ void __brcmf_err(const char *func, const
+ 
+ 	va_start(args, fmt);
+ 	vaf.va = &args;
+-	pr_err("%s: %pV", func, &vaf);
++	if (bus)
++		dev_err(bus->dev, "%s: %pV", func, &vaf);
++	else
++		pr_err("%s: %pV", func, &vaf);
+ 	trace_brcmf_err(func, &vaf);
+ 	va_end(args);
+ }

package/kernel/mac80211/patches/381-v5.1-0002-brcmfmac-pass-bus-to-the-__brcmf_err-in-pcie.c.patch

@@ -0,0 +1,266 @@
+From 8602e62441aba276cafd68034b72162fbc5ca0a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 6 Feb 2019 12:28:16 +0100
+Subject: [PATCH] brcmfmac: pass bus to the __brcmf_err() in pcie.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This enables dev_err() usage (instead of pr_err()) in the __brcmf_err().
+It makes error messages more meaningful and is important for debugging
+errors/bugs on systems with multiple brcmfmac supported devices.
+
+All bus files should follow & get updated similarly (soon).
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/debug.h       |  2 +
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 59 +++++++++++--------
+ 2 files changed, 38 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -52,6 +52,7 @@ void __brcmf_err(struct brcmf_bus *bus,
+ /* Macro for error messages. When debugging / tracing the driver all error
+  * messages are important to us.
+  */
++#ifndef brcmf_err
+ #define brcmf_err(fmt, ...)						\
+ 	do {								\
+ 		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
+@@ -59,6 +60,7 @@ void __brcmf_err(struct brcmf_bus *bus,
+ 		    net_ratelimit())					\
+ 			__brcmf_err(NULL, __func__, fmt, ##__VA_ARGS__);\
+ 	} while (0)
++#endif
+ 
+ #if defined(DEBUG) || defined(CPTCFG_BRCM_TRACING)
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -30,6 +30,15 @@
+ #include <brcmu_wifi.h>
+ #include <brcm_hw_ids.h>
+ 
++/* Custom brcmf_err() that takes bus arg and passes it further */
++#define brcmf_err(bus, fmt, ...)					\
++	do {								\
++		if (IS_ENABLED(CPTCFG_BRCMDBG) ||			\
++		    IS_ENABLED(CPTCFG_BRCM_TRACING) ||			\
++		    net_ratelimit())					\
++			__brcmf_err(bus, __func__, fmt, ##__VA_ARGS__);	\
++	} while (0)
++
+ #include "debug.h"
+ #include "bus.h"
+ #include "commonring.h"
+@@ -531,6 +540,7 @@ static void
+ brcmf_pcie_select_core(struct brcmf_pciedev_info *devinfo, u16 coreid)
+ {
+ 	const struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	struct brcmf_core *core;
+ 	u32 bar0_win;
+ 
+@@ -548,7 +558,7 @@ brcmf_pcie_select_core(struct brcmf_pcie
+ 			}
+ 		}
+ 	} else {
+-		brcmf_err("Unsupported core selected %x\n", coreid);
++		brcmf_err(bus, "Unsupported core selected %x\n", coreid);
+ 	}
+ }
+ 
+@@ -848,9 +858,8 @@ static irqreturn_t brcmf_pcie_isr_thread
+ 
+ static int brcmf_pcie_request_irq(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
+-
+-	pdev = devinfo->pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 
+ 	brcmf_pcie_intr_disable(devinfo);
+ 
+@@ -861,7 +870,7 @@ static int brcmf_pcie_request_irq(struct
+ 				 brcmf_pcie_isr_thread, IRQF_SHARED,
+ 				 "brcmf_pcie_intr", devinfo)) {
+ 		pci_disable_msi(pdev);
+-		brcmf_err("Failed to request IRQ %d\n", pdev->irq);
++		brcmf_err(bus, "Failed to request IRQ %d\n", pdev->irq);
+ 		return -EIO;
+ 	}
+ 	devinfo->irq_allocated = true;
+@@ -871,15 +880,14 @@ static int brcmf_pcie_request_irq(struct
+ 
+ static void brcmf_pcie_release_irq(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	u32 status;
+ 	u32 count;
+ 
+ 	if (!devinfo->irq_allocated)
+ 		return;
+ 
+-	pdev = devinfo->pdev;
+-
+ 	brcmf_pcie_intr_disable(devinfo);
+ 	free_irq(pdev->irq, devinfo);
+ 	pci_disable_msi(pdev);
+@@ -891,7 +899,7 @@ static void brcmf_pcie_release_irq(struc
+ 		count++;
+ 	}
+ 	if (devinfo->in_irq)
+-		brcmf_err("Still in IRQ (processing) !!!\n");
++		brcmf_err(bus, "Still in IRQ (processing) !!!\n");
+ 
+ 	status = brcmf_pcie_read_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT);
+ 	brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT, status);
+@@ -1102,6 +1110,7 @@ static void brcmf_pcie_release_ringbuffe
+ 
+ static int brcmf_pcie_init_ringbuffers(struct brcmf_pciedev_info *devinfo)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	struct brcmf_pcie_ringbuf *ring;
+ 	struct brcmf_pcie_ringbuf *rings;
+ 	u32 d2h_w_idx_ptr;
+@@ -1254,7 +1263,7 @@ static int brcmf_pcie_init_ringbuffers(s
+ 	return 0;
+ 
+ fail:
+-	brcmf_err("Allocating ring buffers failed\n");
++	brcmf_err(bus, "Allocating ring buffers failed\n");
+ 	brcmf_pcie_release_ringbuffers(devinfo);
+ 	return -ENOMEM;
+ }
+@@ -1277,6 +1286,7 @@ brcmf_pcie_release_scratchbuffers(struct
+ 
+ static int brcmf_pcie_init_scratchbuffers(struct brcmf_pciedev_info *devinfo)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	u64 address;
+ 	u32 addr;
+ 
+@@ -1316,7 +1326,7 @@ static int brcmf_pcie_init_scratchbuffer
+ 	return 0;
+ 
+ fail:
+-	brcmf_err("Allocating scratch buffers failed\n");
++	brcmf_err(bus, "Allocating scratch buffers failed\n");
+ 	brcmf_pcie_release_scratchbuffers(devinfo);
+ 	return -ENOMEM;
+ }
+@@ -1437,6 +1447,7 @@ static int
+ brcmf_pcie_init_share_ram_info(struct brcmf_pciedev_info *devinfo,
+ 			       u32 sharedram_addr)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	struct brcmf_pcie_shared_info *shared;
+ 	u32 addr;
+ 
+@@ -1448,7 +1459,8 @@ brcmf_pcie_init_share_ram_info(struct br
+ 	brcmf_dbg(PCIE, "PCIe protocol version %d\n", shared->version);
+ 	if ((shared->version > BRCMF_PCIE_MAX_SHARED_VERSION) ||
+ 	    (shared->version < BRCMF_PCIE_MIN_SHARED_VERSION)) {
+-		brcmf_err("Unsupported PCIE version %d\n", shared->version);
++		brcmf_err(bus, "Unsupported PCIE version %d\n",
++			  shared->version);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -1490,6 +1502,7 @@ static int brcmf_pcie_download_fw_nvram(
+ 					const struct firmware *fw, void *nvram,
+ 					u32 nvram_len)
+ {
++	struct brcmf_bus *bus = dev_get_drvdata(&devinfo->pdev->dev);
+ 	u32 sharedram_addr;
+ 	u32 sharedram_addr_written;
+ 	u32 loop_counter;
+@@ -1544,7 +1557,7 @@ static int brcmf_pcie_download_fw_nvram(
+ 		loop_counter--;
+ 	}
+ 	if (sharedram_addr == sharedram_addr_written) {
+-		brcmf_err("FW failed to initialize\n");
++		brcmf_err(bus, "FW failed to initialize\n");
+ 		return -ENODEV;
+ 	}
+ 	brcmf_dbg(PCIE, "Shared RAM addr: 0x%08x\n", sharedram_addr);
+@@ -1555,16 +1568,15 @@ static int brcmf_pcie_download_fw_nvram(
+ 
+ static int brcmf_pcie_get_resource(struct brcmf_pciedev_info *devinfo)
+ {
+-	struct pci_dev *pdev;
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	int err;
+ 	phys_addr_t  bar0_addr, bar1_addr;
+ 	ulong bar1_size;
+ 
+-	pdev = devinfo->pdev;
+-
+ 	err = pci_enable_device(pdev);
+ 	if (err) {
+-		brcmf_err("pci_enable_device failed err=%d\n", err);
++		brcmf_err(bus, "pci_enable_device failed err=%d\n", err);
+ 		return err;
+ 	}
+ 
+@@ -1577,7 +1589,7 @@ static int brcmf_pcie_get_resource(struc
+ 	/* read Bar-1 mapped memory range */
+ 	bar1_size = pci_resource_len(pdev, 2);
+ 	if ((bar1_size == 0) || (bar1_addr == 0)) {
+-		brcmf_err("BAR1 Not enabled, device size=%ld, addr=%#016llx\n",
++		brcmf_err(bus, "BAR1 Not enabled, device size=%ld, addr=%#016llx\n",
+ 			  bar1_size, (unsigned long long)bar1_addr);
+ 		return -EINVAL;
+ 	}
+@@ -1586,7 +1598,7 @@ static int brcmf_pcie_get_resource(struc
+ 	devinfo->tcm = ioremap_nocache(bar1_addr, bar1_size);
+ 
+ 	if (!devinfo->regs || !devinfo->tcm) {
+-		brcmf_err("ioremap() failed (%p,%p)\n", devinfo->regs,
++		brcmf_err(bus, "ioremap() failed (%p,%p)\n", devinfo->regs,
+ 			  devinfo->tcm);
+ 		return -EINVAL;
+ 	}
+@@ -1873,7 +1885,7 @@ fail_bus:
+ 	kfree(bus->msgbuf);
+ 	kfree(bus);
+ fail:
+-	brcmf_err("failed %x:%x\n", pdev->vendor, pdev->device);
++	brcmf_err(NULL, "failed %x:%x\n", pdev->vendor, pdev->device);
+ 	brcmf_pcie_release_resource(devinfo);
+ 	if (devinfo->ci)
+ 		brcmf_chip_detach(devinfo->ci);
+@@ -1947,7 +1959,7 @@ static int brcmf_pcie_pm_enter_D3(struct
+ 	wait_event_timeout(devinfo->mbdata_resp_wait, devinfo->mbdata_completed,
+ 			   BRCMF_PCIE_MBDATA_TIMEOUT);
+ 	if (!devinfo->mbdata_completed) {
+-		brcmf_err("Timeout on response for entering D3 substate\n");
++		brcmf_err(bus, "Timeout on response for entering D3 substate\n");
+ 		brcmf_bus_change_state(bus, BRCMF_BUS_UP);
+ 		return -EIO;
+ 	}
+@@ -1993,7 +2005,7 @@ cleanup:
+ 
+ 	err = brcmf_pcie_probe(pdev, NULL);
+ 	if (err)
+-		brcmf_err("probe after resume failed, err=%d\n", err);
++		brcmf_err(bus, "probe after resume failed, err=%d\n", err);
+ 
+ 	return err;
+ }
+@@ -2065,7 +2077,8 @@ void brcmf_pcie_register(void)
+ 	brcmf_dbg(PCIE, "Enter\n");
+ 	err = pci_register_driver(&brcmf_pciedrvr);
+ 	if (err)
+-		brcmf_err("PCIE driver registration failed, err=%d\n", err);
++		brcmf_err(NULL, "PCIE driver registration failed, err=%d\n",
++			  err);
+ }
+ 
+ 

package/kernel/mac80211/patches/381-v5.1-0004-brcmfmac-support-monitor-frames-with-the-hardware-uc.patch

@@ -0,0 +1,143 @@
+From e665988be29ccea3584528967b432a5cfd801ca4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Feb 2019 07:42:30 +0100
+Subject: [PATCH] brcmfmac: support monitor frames with the hardware/ucode
+ header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far there were two monitor frame formats:
+1) 802.11 frames (with frame (sub)type & all addresses)
+2) 802.11 frames with the radiotap header
+
+Testing the latest FullMAC firmwares for 4366b1/4366c0 resulted in
+discovering a new format being used. It seems (almost?) identical to the
+one known from ucode used in SoftMAC devices which is most likely the
+same codebase anyway.
+
+While new firmwares will /announce/ radiotap header support using the
+"rtap" fw capability string it seems no string was added for the new
+ucode header format.
+
+All above means that:
+1) We need new format support when dealing with a received frame
+2) A new feature bit & mapping quirks have to be added manually
+
+As for now only an empty radiotap is being created. Adding support for
+extracting some info (band, channel, signal, etc.) is planned for the
+future.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/core.c        | 55 +++++++++++++++++++
+ .../broadcom/brcm80211/brcmfmac/feature.c     |  4 ++
+ .../broadcom/brcm80211/brcmfmac/feature.h     |  4 +-
+ 3 files changed, 62 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -43,6 +43,36 @@
+ 
+ #define BRCMF_BSSIDX_INVALID			-1
+ 
++#define	RXS_PBPRES				BIT(2)
++
++#define	D11_PHY_HDR_LEN				6
++
++struct d11rxhdr_le {
++	__le16 RxFrameSize;
++	u16 PAD;
++	__le16 PhyRxStatus_0;
++	__le16 PhyRxStatus_1;
++	__le16 PhyRxStatus_2;
++	__le16 PhyRxStatus_3;
++	__le16 PhyRxStatus_4;
++	__le16 PhyRxStatus_5;
++	__le16 RxStatus1;
++	__le16 RxStatus2;
++	__le16 RxTSFTime;
++	__le16 RxChan;
++	u8 unknown[12];
++} __packed;
++
++struct wlc_d11rxhdr {
++	struct d11rxhdr_le rxhdr;
++	__le32 tsf_l;
++	s8 rssi;
++	s8 rxpwr0;
++	s8 rxpwr1;
++	s8 do_rssi_ma;
++	s8 rxpwr[4];
++} __packed;
++
+ char *brcmf_ifname(struct brcmf_if *ifp)
+ {
+ 	if (!ifp)
+@@ -409,6 +439,31 @@ void brcmf_netif_mon_rx(struct brcmf_if
+ {
+ 	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_RADIOTAP)) {
+ 		/* Do nothing */
++	} else if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR)) {
++		struct wlc_d11rxhdr *wlc_rxhdr = (struct wlc_d11rxhdr *)skb->data;
++		struct ieee80211_radiotap_header *radiotap;
++		unsigned int offset;
++		u16 RxStatus1;
++
++		RxStatus1 = le16_to_cpu(wlc_rxhdr->rxhdr.RxStatus1);
++
++		offset = sizeof(struct wlc_d11rxhdr);
++		/* MAC inserts 2 pad bytes for a4 headers or QoS or A-MSDU
++		 * subframes
++		 */
++		if (RxStatus1 & RXS_PBPRES)
++			offset += 2;
++		offset += D11_PHY_HDR_LEN;
++
++		skb_pull(skb, offset);
++
++		/* TODO: use RX header to fill some radiotap data */
++		radiotap = skb_push(skb, sizeof(*radiotap));
++		memset(radiotap, 0, sizeof(*radiotap));
++		radiotap->it_len = cpu_to_le16(sizeof(*radiotap));
++
++		/* TODO: 4 bytes with receive status? */
++		skb->len -= 4;
+ 	} else {
+ 		struct ieee80211_radiotap_header *radiotap;
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -103,6 +103,10 @@ static const struct brcmf_feat_fwfeat br
+ 	{ "01-6cb8e269", BIT(BRCMF_FEAT_MONITOR) },
+ 	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 52442afee990 */
+ 	{ "01-c47a91a4", BIT(BRCMF_FEAT_MONITOR) },
++	/* brcmfmac4366b-pcie.bin from linux-firmware.git commit 211de1679a68 */
++	{ "01-801fb449", BIT(BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR) },
++	/* brcmfmac4366c-pcie.bin from linux-firmware.git commit 211de1679a68 */
++	{ "01-d2cbb8fd", BIT(BRCMF_FEAT_MONITOR_FMT_HW_RX_HDR) },
+ };
+ 
+ static void brcmf_feat_firmware_overrides(struct brcmf_pub *drv)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -35,6 +35,7 @@
+  * FWSUP: Firmware supplicant.
+  * MONITOR: firmware can pass monitor packets to host.
+  * MONITOR_FMT_RADIOTAP: firmware provides monitor packets with radiotap header
++ * MONITOR_FMT_HW_RX_HDR: firmware provides monitor packets with hw/ucode header
+  */
+ #define BRCMF_FEAT_LIST \
+ 	BRCMF_FEAT_DEF(MBSS) \
+@@ -52,7 +53,8 @@
+ 	BRCMF_FEAT_DEF(GSCAN) \
+ 	BRCMF_FEAT_DEF(FWSUP) \
+ 	BRCMF_FEAT_DEF(MONITOR) \
+-	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP)
++	BRCMF_FEAT_DEF(MONITOR_FMT_RADIOTAP) \
++	BRCMF_FEAT_DEF(MONITOR_FMT_HW_RX_HDR)
+ 
+ /*
+  * Quirks:

package/kernel/mac80211/patches/381-v5.1-0005-brcmfmac-print-firmware-reported-ring-status-errors.patch

@@ -0,0 +1,67 @@
+From c988b78244df8216902e20de536434e2f474a37e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Feb 2019 15:24:39 +0100
+Subject: [PATCH] brcmfmac: print firmware reported ring status errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Firmware is capable of reporting ring status. It's used e.g. to signal
+some problem with a specific ring setup. This patch adds support for
+printing ring & error number which may be useful for debugging setup
+issues.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/msgbuf.c      | 25 +++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -134,6 +134,14 @@ struct msgbuf_completion_hdr {
+ 	__le16				flow_ring_id;
+ };
+ 
++/* Data struct for the MSGBUF_TYPE_RING_STATUS */
++struct msgbuf_ring_status {
++	struct msgbuf_common_hdr	msg;
++	struct msgbuf_completion_hdr	compl_hdr;
++	__le16				write_idx;
++	__le32				rsvd0[5];
++};
++
+ struct msgbuf_rx_event {
+ 	struct msgbuf_common_hdr	msg;
+ 	struct msgbuf_completion_hdr	compl_hdr;
+@@ -1180,6 +1188,19 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	brcmf_netif_rx(ifp, skb);
+ }
+ 
++static void brcmf_msgbuf_process_ring_status(struct brcmf_msgbuf *msgbuf,
++					     void *buf)
++{
++	struct msgbuf_ring_status *ring_status = buf;
++	int err;
++
++	err = le16_to_cpu(ring_status->compl_hdr.status);
++	if (err) {
++		int ring = le16_to_cpu(ring_status->compl_hdr.flow_ring_id);
++
++		brcmf_err("Firmware reported ring %d error: %d\n", ring, err);
++	}
++}
+ 
+ static void
+ brcmf_msgbuf_process_flow_ring_create_response(struct brcmf_msgbuf *msgbuf,
+@@ -1241,6 +1262,10 @@ static void brcmf_msgbuf_process_msgtype
+ 
+ 	msg = (struct msgbuf_common_hdr *)buf;
+ 	switch (msg->msgtype) {
++	case MSGBUF_TYPE_RING_STATUS:
++		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_RING_STATUS\n");
++		brcmf_msgbuf_process_ring_status(msgbuf, buf);
++		break;
+ 	case MSGBUF_TYPE_FLOW_RING_CREATE_CMPLT:
+ 		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_FLOW_RING_CREATE_CMPLT\n");
+ 		brcmf_msgbuf_process_flow_ring_create_response(msgbuf, buf);

package/kernel/mac80211/patches/381-v5.1-0006-brcmfmac-improve-code-handling-bandwidth-of-firmware.patch

@@ -0,0 +1,42 @@
+From f4e183293b871c96c0220dcc549d5ca4c72628ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 11 Feb 2019 23:04:53 +0100
+Subject: [PATCH] brcmfmac: improve code handling bandwidth of firmware
+ reported channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1) Use switch to simplify/improve the code & avoid some duplication
+2) Add warning for unsupported values
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6036,11 +6036,18 @@ static int brcmf_construct_chaninfo(stru
+ 		/* assuming the chanspecs order is HT20,
+ 		 * HT40 upper, HT40 lower, and VHT80.
+ 		 */
+-		if (ch.bw == BRCMU_CHAN_BW_80) {
++		switch (ch.bw) {
++		case BRCMU_CHAN_BW_80:
+ 			channel->flags &= ~IEEE80211_CHAN_NO_80MHZ;
+-		} else if (ch.bw == BRCMU_CHAN_BW_40) {
++			break;
++		case BRCMU_CHAN_BW_40:
+ 			brcmf_update_bw40_channel_flag(channel, &ch);
+-		} else {
++			break;
++		default:
++			wiphy_warn(wiphy, "Firmware reported unsupported bandwidth %d\n",
++				   ch.bw);
++			/* fall through */
++		case BRCMU_CHAN_BW_20:
+ 			/* enable the channel and disable other bandwidths
+ 			 * for now as mentioned order assure they are enabled
+ 			 * for subsequent chanspecs.

package/kernel/mac80211/patches/381-v5.1-0007-brcmfmac-support-firmware-reporting-160-MHz-channels.patch

@@ -0,0 +1,30 @@
+From 30519cbe339a45bd11a57ca8ece07f4f6a1cda2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 11 Feb 2019 23:04:54 +0100
+Subject: [PATCH] brcmfmac: support firmware reporting 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far 160 MHz channels were treated as 20 MHz ones which was breaking
+support for 40/80 MHz due to the brcmf_construct_chaninfo() logic and
+its assumptions.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6037,6 +6037,9 @@ static int brcmf_construct_chaninfo(stru
+ 		 * HT40 upper, HT40 lower, and VHT80.
+ 		 */
+ 		switch (ch.bw) {
++		case BRCMU_CHAN_BW_160:
++			channel->flags &= ~IEEE80211_CHAN_NO_160MHZ;
++			break;
+ 		case BRCMU_CHAN_BW_80:
+ 			channel->flags &= ~IEEE80211_CHAN_NO_80MHZ;
+ 			break;

package/kernel/mac80211/patches/381-v5.1-0010-brcmfmac-add-basic-validation-of-shared-RAM-address.patch

@@ -0,0 +1,38 @@
+From e0a8ef4d7b4315bc4c1641fb3f3a7dfdfa6627b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 20 Feb 2019 11:30:47 +0100
+Subject: [PATCH] brcmfmac: add basic validation of shared RAM address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While experimenting with firmware loading I ended up in a state of
+firmware reporting shared RAM address 0x04000001. It was causing:
+[   94.448015] Unable to handle kernel paging request at virtual address cd680001
+due to reading out of the mapped memory.
+
+This patch adds some basic validation to avoid kernel crashes due to the
+unexpected firmware behavior.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1560,6 +1560,12 @@ static int brcmf_pcie_download_fw_nvram(
+ 		brcmf_err(bus, "FW failed to initialize\n");
+ 		return -ENODEV;
+ 	}
++	if (sharedram_addr < devinfo->ci->rambase ||
++	    sharedram_addr >= devinfo->ci->rambase + devinfo->ci->ramsize) {
++		brcmf_err(bus, "Invalid shared RAM address 0x%08x\n",
++			  sharedram_addr);
++		return -ENODEV;
++	}
+ 	brcmf_dbg(PCIE, "Shared RAM addr: 0x%08x\n", sharedram_addr);
+ 
+ 	return (brcmf_pcie_init_share_ram_info(devinfo, sharedram_addr));

package/kernel/mac80211/patches/381-v5.1-0011-brcmfmac-fix-size-of-the-struct-msgbuf_ring_status.patch

@@ -0,0 +1,29 @@
+From 0c7051610c577b60b01b3b5aec14d6765e177b0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 21 Feb 2019 11:33:24 +0100
+Subject: [PATCH] brcmfmac: fix size of the struct msgbuf_ring_status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This updates host struct to match the in-firmawre definition. It's a
+cosmetic change as it only applies to the reserved struct space.
+
+Fixes: c988b78244df ("brcmfmac: print firmware reported ring status errors")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -139,7 +139,7 @@ struct msgbuf_ring_status {
+ 	struct msgbuf_common_hdr	msg;
+ 	struct msgbuf_completion_hdr	compl_hdr;
+ 	__le16				write_idx;
+-	__le32				rsvd0[5];
++	__le16				rsvd0[5];
+ };
+ 
+ struct msgbuf_rx_event {

package/kernel/mac80211/patches/381-v5.1-0012-brcmfmac-print-firmware-reported-general-status-erro.patch

@@ -0,0 +1,69 @@
+From c91377495192cda096e52dc09c266b0d05f16d86 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 21 Feb 2019 11:33:25 +0100
+Subject: [PATCH] brcmfmac: print firmware reported general status errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Firmware may report general errors using a special message type. Add
+basic support for it by simply decoding & printing an error number.
+
+A sample situation in which firmware reports a buf error:
+CONSOLE: 027084.733 no host response IOCTL buffer available..so fail the request
+will now produce a "Firmware reported general error: 9" on the host.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/msgbuf.c      | 24 +++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -134,6 +134,14 @@ struct msgbuf_completion_hdr {
+ 	__le16				flow_ring_id;
+ };
+ 
++/* Data struct for the MSGBUF_TYPE_GEN_STATUS */
++struct msgbuf_gen_status {
++	struct msgbuf_common_hdr	msg;
++	struct msgbuf_completion_hdr	compl_hdr;
++	__le16				write_idx;
++	__le32				rsvd0[3];
++};
++
+ /* Data struct for the MSGBUF_TYPE_RING_STATUS */
+ struct msgbuf_ring_status {
+ 	struct msgbuf_common_hdr	msg;
+@@ -1194,6 +1202,18 @@ brcmf_msgbuf_process_rx_complete(struct
+ 	brcmf_netif_rx(ifp, skb);
+ }
+ 
++static void brcmf_msgbuf_process_gen_status(struct brcmf_msgbuf *msgbuf,
++					    void *buf)
++{
++	struct msgbuf_gen_status *gen_status = buf;
++	struct brcmf_pub *drvr = msgbuf->drvr;
++	int err;
++
++	err = le16_to_cpu(gen_status->compl_hdr.status);
++	if (err)
++		bphy_err(drvr, "Firmware reported general error: %d\n", err);
++}
++
+ static void brcmf_msgbuf_process_ring_status(struct brcmf_msgbuf *msgbuf,
+ 					     void *buf)
+ {
+@@ -1273,6 +1293,10 @@ static void brcmf_msgbuf_process_msgtype
+ 
+ 	msg = (struct msgbuf_common_hdr *)buf;
+ 	switch (msg->msgtype) {
++	case MSGBUF_TYPE_GEN_STATUS:
++		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_GEN_STATUS\n");
++		brcmf_msgbuf_process_gen_status(msgbuf, buf);
++		break;
+ 	case MSGBUF_TYPE_RING_STATUS:
+ 		brcmf_dbg(MSGBUF, "MSGBUF_TYPE_RING_STATUS\n");
+ 		brcmf_msgbuf_process_ring_status(msgbuf, buf);

package/kernel/mac80211/patches/398-mac80211-add-stop-start-logic-for-software-TXQs.patch

@@ -0,0 +1,272 @@
+From: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Date: Wed, 11 Jul 2018 00:12:53 +0530
+Subject: [PATCH] mac80211: add stop/start logic for software TXQs
+
+Sometimes, it is required to stop the transmissions momentarily and
+resume it later; stopping the txqs becomes very critical in scenarios where
+the packet transmission has to be ceased completely. For example, during
+the hardware restart, during off channel operations,
+when initiating CSA(upon detecting a radar on the DFS channel), etc.
+
+The TX queue stop/start logic in mac80211 works well in stopping the TX
+when drivers make use of netdev queues, i.e, when Qdiscs in network layer
+take care of traffic scheduling. Since the devices implementing
+wake_tx_queue can run without Qdiscs, packets will be handed to mac80211
+directly without queueing them in the netdev queues.
+
+Also, mac80211 does not invoke any of the
+netif_stop_*/netif_wake_* APIs if wake_tx_queue is implemented.
+Since the queues are not stopped in this case, transmissions can continue
+and this will impact negatively on the operation of the wireless device.
+
+For example,
+During hardware restart, we stop the netdev queues so that packets are
+not sent to the driver. Since ath10k implements wake_tx_queue,
+TX queues will not be stopped and packets might reach the hardware while
+it is restarting; this can make hardware unresponsive and the only
+possible option for recovery is to reboot the entire system.
+
+There is another problem to this, it is observed that the packets
+were sent on the DFS channel for a prolonged duration after radar
+detection impacting the channel closing time.
+
+We can still invoke netif stop/wake APIs when wake_tx_queue is implemented
+but this could lead to packet drops in network layer; adding stop/start
+logic for software TXQs in mac80211 instead makes more sense; the change
+proposed adds the same in mac80211.
+
+Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -1453,6 +1453,8 @@ enum ieee80211_vif_flags {
+  * @drv_priv: data area for driver use, will always be aligned to
+  *	sizeof(void \*).
+  * @txq: the multicast data TX queue (if driver uses the TXQ abstraction)
++ * @txqs_stopped: per AC flag to indicate that intermediate TXQs are stopped,
++ *	protected by fq->lock.
+  */
+ struct ieee80211_vif {
+ 	enum nl80211_iftype type;
+@@ -1477,6 +1479,8 @@ struct ieee80211_vif {
+ 
+ 	unsigned int probe_req_reg;
+ 
++	bool txqs_stopped[IEEE80211_NUM_ACS];
++
+ 	/* must be last */
+ 	u8 drv_priv[0] __aligned(sizeof(void *));
+ };
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -816,6 +816,7 @@ enum txq_info_flags {
+ 	IEEE80211_TXQ_STOP,
+ 	IEEE80211_TXQ_AMPDU,
+ 	IEEE80211_TXQ_NO_AMSDU,
++	IEEE80211_TXQ_STOP_NETIF_TX,
+ };
+ 
+ /**
+@@ -1223,6 +1224,7 @@ struct ieee80211_local {
+ 
+ 	struct sk_buff_head pending[IEEE80211_MAX_QUEUES];
+ 	struct tasklet_struct tx_pending_tasklet;
++	struct tasklet_struct wake_txqs_tasklet;
+ 
+ 	atomic_t agg_queue_stop[IEEE80211_MAX_QUEUES];
+ 
+@@ -2037,6 +2039,7 @@ void ieee80211_txq_purge(struct ieee8021
+ 			 struct txq_info *txqi);
+ void ieee80211_txq_remove_vlan(struct ieee80211_local *local,
+ 			       struct ieee80211_sub_if_data *sdata);
++void ieee80211_wake_txqs(unsigned long data);
+ void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
+ 			 u16 transaction, u16 auth_alg, u16 status,
+ 			 const u8 *extra, size_t extra_len, const u8 *bssid,
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -671,6 +671,10 @@ struct ieee80211_hw *ieee80211_alloc_hw_
+ 	tasklet_init(&local->tx_pending_tasklet, ieee80211_tx_pending,
+ 		     (unsigned long)local);
+ 
++	if (ops->wake_tx_queue)
++		tasklet_init(&local->wake_txqs_tasklet, ieee80211_wake_txqs,
++			     (unsigned long)local);
++
+ 	tasklet_init(&local->tasklet,
+ 		     ieee80211_tasklet_handler,
+ 		     (unsigned long) local);
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3463,13 +3463,19 @@ struct sk_buff *ieee80211_tx_dequeue(str
+ 	struct ieee80211_tx_info *info;
+ 	struct ieee80211_tx_data tx;
+ 	ieee80211_tx_result r;
+-	struct ieee80211_vif *vif;
++	struct ieee80211_vif *vif = txq->vif;
+ 
+ 	spin_lock_bh(&fq->lock);
+ 
+-	if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags))
++	if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
++	    test_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags))
+ 		goto out;
+ 
++	if (vif->txqs_stopped[ieee80211_ac_from_tid(txq->tid)]) {
++		set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags);
++		goto out;
++	}
++
+ 	/* Make sure fragments stay together. */
+ 	skb = __skb_dequeue(&txqi->frags);
+ 	if (skb)
+@@ -3565,6 +3571,7 @@ begin:
+ 	}
+ 
+ 	IEEE80211_SKB_CB(skb)->control.vif = vif;
++
+ out:
+ 	spin_unlock_bh(&fq->lock);
+ 
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -239,6 +239,99 @@ __le16 ieee80211_ctstoself_duration(stru
+ }
+ EXPORT_SYMBOL(ieee80211_ctstoself_duration);
+ 
++static void __ieee80211_wake_txqs(struct ieee80211_sub_if_data *sdata, int ac)
++{
++	struct ieee80211_local *local = sdata->local;
++	struct ieee80211_vif *vif = &sdata->vif;
++	struct fq *fq = &local->fq;
++	struct ps_data *ps = NULL;
++	struct txq_info *txqi;
++	struct sta_info *sta;
++	int i;
++
++	spin_lock_bh(&fq->lock);
++
++	if (sdata->vif.type == NL80211_IFTYPE_AP)
++		ps = &sdata->bss->ps;
++
++	sdata->vif.txqs_stopped[ac] = false;
++
++	list_for_each_entry_rcu(sta, &local->sta_list, list) {
++		if (sdata != sta->sdata)
++			continue;
++
++		for (i = 0; i < ARRAY_SIZE(sta->sta.txq); i++) {
++			struct ieee80211_txq *txq = sta->sta.txq[i];
++
++			txqi = to_txq_info(txq);
++
++			if (ac != txq->ac)
++				continue;
++
++			if (!test_and_clear_bit(IEEE80211_TXQ_STOP_NETIF_TX,
++						&txqi->flags))
++				continue;
++
++			spin_unlock_bh(&fq->lock);
++			drv_wake_tx_queue(local, txqi);
++			spin_lock_bh(&fq->lock);
++		}
++	}
++
++	if (!vif->txq)
++		goto out;
++
++	txqi = to_txq_info(vif->txq);
++
++	if (!test_and_clear_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags) ||
++	    (ps && atomic_read(&ps->num_sta_ps)) || ac != vif->txq->ac)
++		goto out;
++
++	spin_unlock_bh(&fq->lock);
++
++	drv_wake_tx_queue(local, txqi);
++	return;
++out:
++	spin_unlock_bh(&fq->lock);
++}
++
++void ieee80211_wake_txqs(unsigned long data)
++{
++	struct ieee80211_local *local = (struct ieee80211_local *)data;
++	struct ieee80211_sub_if_data *sdata;
++	int n_acs = IEEE80211_NUM_ACS;
++	unsigned long flags;
++	int i;
++
++	rcu_read_lock();
++	spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
++
++	if (local->hw.queues < IEEE80211_NUM_ACS)
++		n_acs = 1;
++
++	for (i = 0; i < local->hw.queues; i++) {
++		if (local->queue_stop_reasons[i])
++			continue;
++
++		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
++		list_for_each_entry_rcu(sdata, &local->interfaces, list) {
++			int ac;
++
++			for (ac = 0; ac < n_acs; ac++) {
++				int ac_queue = sdata->vif.hw_queue[ac];
++
++				if (ac_queue == i ||
++				    sdata->vif.cab_queue == i)
++					__ieee80211_wake_txqs(sdata, ac);
++			}
++		}
++		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
++	}
++
++	spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
++	rcu_read_unlock();
++}
++
+ void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue)
+ {
+ 	struct ieee80211_sub_if_data *sdata;
+@@ -307,6 +400,9 @@ static void __ieee80211_wake_queue(struc
+ 		rcu_read_unlock();
+ 	} else
+ 		tasklet_schedule(&local->tx_pending_tasklet);
++
++	if (local->ops->wake_tx_queue)
++		tasklet_schedule(&local->wake_txqs_tasklet);
+ }
+ 
+ void ieee80211_wake_queue_by_reason(struct ieee80211_hw *hw, int queue,
+@@ -350,9 +446,6 @@ static void __ieee80211_stop_queue(struc
+ 	if (__test_and_set_bit(reason, &local->queue_stop_reasons[queue]))
+ 		return;
+ 
+-	if (local->ops->wake_tx_queue)
+-		return;
+-
+ 	if (local->hw.queues < IEEE80211_NUM_ACS)
+ 		n_acs = 1;
+ 
+@@ -365,8 +458,15 @@ static void __ieee80211_stop_queue(struc
+ 
+ 		for (ac = 0; ac < n_acs; ac++) {
+ 			if (sdata->vif.hw_queue[ac] == queue ||
+-			    sdata->vif.cab_queue == queue)
+-				netif_stop_subqueue(sdata->dev, ac);
++			    sdata->vif.cab_queue == queue) {
++				if (!local->ops->wake_tx_queue) {
++					netif_stop_subqueue(sdata->dev, ac);
++					continue;
++				}
++				spin_lock(&local->fq.lock);
++				sdata->vif.txqs_stopped[ac] = true;
++				spin_unlock(&local->fq.lock);
++			}
+ 		}
+ 	}
+ 	rcu_read_unlock();

package/kernel/mac80211/patches/399-mac80211-do-not-call-driver-wake_tx_queue-op-during-.patch

@@ -0,0 +1,33 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 1 Mar 2019 14:42:56 +0100
+Subject: [PATCH] mac80211: do not call driver wake_tx_queue op during reconfig
+
+There are several scenarios in which mac80211 can call drv_wake_tx_queue
+after ieee80211_restart_hw has been called and has not yet completed.
+Driver private structs are considered uninitialized until mac80211 has
+uploaded the vifs, stations and keys again, so using private tx queue
+data during that time is not safe.
+
+The driver can also not rely on drv_reconfig_complete to figure out when
+it is safe to accept drv_wake_tx_queue calls again, because it is only
+called after all tx queues are woken again.
+
+To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig
+is set.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -1162,6 +1162,9 @@ static inline void drv_wake_tx_queue(str
+ {
+ 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+ 
++	if (local->in_reconfig)
++		return;
++
+ 	if (!check_sdata_in_driver(sdata))
+ 		return;
+ 

package/kernel/mac80211/patches/450-v5.2-0001-brcmfmac-support-repeated-brcmf_fw_alloc_request-cal.patch

@@ -0,0 +1,32 @@
+From c9692820710f57c826b2e43a6fb1e4cd307508b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 26 Feb 2019 14:11:16 +0100
+Subject: [PATCH] brcmfmac: support repeated brcmf_fw_alloc_request() calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+During a normal brcmfmac lifetime brcmf_fw_alloc_request() is called
+once only during the probe. It's safe to assume provided array is clear.
+
+Further brcmfmac improvements may require calling it multiple times
+though. This patch allows it by fixing invalid firmware paths like:
+brcm/brcmfmac4366c-pcie.binbrcm/brcmfmac4366c-pcie.bin
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -668,6 +668,7 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
+ 
+ 	for (j = 0; j < n_fwnames; j++) {
+ 		fwreq->items[j].path = fwnames[j].path;
++		fwnames[j].path[0] = '\0';
+ 		/* check if firmware path is provided by module parameter */
+ 		if (brcmf_mp_global.firmware_path[0] != '\0') {
+ 			strlcpy(fwnames[j].path, mp_path,

package/kernel/mac80211/patches/450-v5.2-0002-brcmfmac-add-a-function-designated-for-handling-firm.patch

@@ -0,0 +1,79 @@
+From a2ec87ddbf1637f854ffcfff9d12d392fa30758b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 26 Feb 2019 14:11:18 +0100
+Subject: [PATCH] brcmfmac: add a function designated for handling firmware
+ fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This improves handling PCIe firmware halts by printing a clear error
+message and replaces a similar code in the SDIO bus support.
+
+It will also allow further improvements like trying to recover from a
+firmware crash.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h |  2 ++
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c    | 10 ++++++++++
+ .../net/wireless/broadcom/brcm80211/brcmfmac/pcie.c    |  2 +-
+ .../net/wireless/broadcom/brcm80211/brcmfmac/sdio.c    |  4 ++--
+ 4 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
+@@ -252,6 +252,8 @@ void brcmf_detach(struct device *dev);
+ void brcmf_dev_reset(struct device *dev);
+ /* Request from bus module to initiate a coredump */
+ void brcmf_dev_coredump(struct device *dev);
++/* Indication that firmware has halted or crashed */
++void brcmf_fw_crashed(struct device *dev);
+ 
+ /* Configure the "global" bus state used by upper layers */
+ void brcmf_bus_change_state(struct brcmf_bus *bus, enum brcmf_bus_state state);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1292,6 +1292,16 @@ void brcmf_dev_coredump(struct device *d
+ 		brcmf_dbg(TRACE, "failed to create coredump\n");
+ }
+ 
++void brcmf_fw_crashed(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++	struct brcmf_pub *drvr = bus_if->drvr;
++
++	bphy_err(drvr, "Firmware has halted or crashed\n");
++
++	brcmf_dev_coredump(dev);
++}
++
+ void brcmf_detach(struct device *dev)
+ {
+ 	s32 i;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -730,7 +730,7 @@ static void brcmf_pcie_handle_mb_data(st
+ 	}
+ 	if (dtoh_mb_data & BRCMF_D2H_DEV_FWHALT) {
+ 		brcmf_dbg(PCIE, "D2H_MB_DATA: FW HALT\n");
+-		brcmf_dev_coredump(&devinfo->pdev->dev);
++		brcmf_fw_crashed(&devinfo->pdev->dev);
+ 	}
+ }
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1073,8 +1073,8 @@ static u32 brcmf_sdio_hostmail(struct br
+ 
+ 	/* dongle indicates the firmware has halted/crashed */
+ 	if (hmb_data & HMB_DATA_FWHALT) {
+-		brcmf_err("mailbox indicates firmware halted\n");
+-		brcmf_dev_coredump(&sdiod->func1->dev);
++		brcmf_dbg(SDIO, "mailbox indicates firmware halted\n");
++		brcmf_fw_crashed(&sdiod->func1->dev);
+ 	}
+ 
+ 	/* Dongle recomposed rx frames, accept them again */

package/kernel/mac80211/patches/450-v5.2-0003-brcmfmac-reset-PCIe-bus-on-a-firmware-crash.patch

@@ -0,0 +1,153 @@
+From 4684997d9eea29380000e062755aa6d368d789a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 26 Feb 2019 14:11:19 +0100
+Subject: [PATCH] brcmfmac: reset PCIe bus on a firmware crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This includes bus reset & reloading a firmware. It should be sufficient
+for a user space to (setup and) use a wireless device again.
+
+Support for reset on USB & SDIO can be added later.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/bus.h         | 10 ++++++
+ .../broadcom/brcm80211/brcmfmac/core.c        | 12 +++++++
+ .../broadcom/brcm80211/brcmfmac/core.h        |  2 ++
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 35 +++++++++++++++++++
+ 4 files changed, 59 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
+@@ -90,6 +90,7 @@ struct brcmf_bus_ops {
+ 	int (*get_memdump)(struct device *dev, void *data, size_t len);
+ 	int (*get_fwname)(struct device *dev, const char *ext,
+ 			  unsigned char *fw_name);
++	int (*reset)(struct device *dev);
+ };
+ 
+ 
+@@ -235,6 +236,15 @@ int brcmf_bus_get_fwname(struct brcmf_bu
+ 	return bus->ops->get_fwname(bus->dev, ext, fw_name);
+ }
+ 
++static inline
++int brcmf_bus_reset(struct brcmf_bus *bus)
++{
++	if (!bus->ops->reset)
++		return -EOPNOTSUPP;
++
++	return bus->ops->reset(bus->dev);
++}
++
+ /*
+  * interface functions from common layer
+  */
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1104,6 +1104,14 @@ static int brcmf_revinfo_read(struct seq
+ 	return 0;
+ }
+ 
++static void brcmf_core_bus_reset(struct work_struct *work)
++{
++	struct brcmf_pub *drvr = container_of(work, struct brcmf_pub,
++					      bus_reset);
++
++	brcmf_bus_reset(drvr->bus_if);
++}
++
+ static int brcmf_bus_started(struct brcmf_pub *drvr, struct cfg80211_ops *ops)
+ {
+ 	int ret = -1;
+@@ -1175,6 +1183,8 @@ static int brcmf_bus_started(struct brcm
+ #endif
+ #endif /* CONFIG_INET */
+ 
++	INIT_WORK(&drvr->bus_reset, brcmf_core_bus_reset);
++
+ 	/* populate debugfs */
+ 	brcmf_debugfs_add_entry(drvr, "revinfo", brcmf_revinfo_read);
+ 	brcmf_feat_debugfs_create(drvr);
+@@ -1300,6 +1310,8 @@ void brcmf_fw_crashed(struct device *dev
+ 	bphy_err(drvr, "Firmware has halted or crashed\n");
+ 
+ 	brcmf_dev_coredump(dev);
++
++	schedule_work(&drvr->bus_reset);
+ }
+ 
+ void brcmf_detach(struct device *dev)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -143,6 +143,8 @@ struct brcmf_pub {
+ 	struct notifier_block inet6addr_notifier;
+ 	struct brcmf_mp_device *settings;
+ 
++	struct work_struct bus_reset;
++
+ 	u8 clmver[BRCMF_DCMD_SMLEN];
+ };
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -345,6 +345,10 @@ static const u32 brcmf_ring_itemsize[BRC
+ 	BRCMF_D2H_MSGRING_RX_COMPLETE_ITEMSIZE
+ };
+ 
++static void brcmf_pcie_setup(struct device *dev, int ret,
++			     struct brcmf_fw_request *fwreq);
++static struct brcmf_fw_request *
++brcmf_pcie_prepare_fw_request(struct brcmf_pciedev_info *devinfo);
+ 
+ static u32
+ brcmf_pcie_read_reg32(struct brcmf_pciedev_info *devinfo, u32 reg_offset)
+@@ -1409,6 +1413,36 @@ int brcmf_pcie_get_fwname(struct device
+ 	return 0;
+ }
+ 
++static int brcmf_pcie_reset(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++	struct brcmf_pciedev *buspub = bus_if->bus_priv.pcie;
++	struct brcmf_pciedev_info *devinfo = buspub->devinfo;
++	struct brcmf_fw_request *fwreq;
++	int err;
++
++	brcmf_detach(dev);
++
++	brcmf_pcie_release_irq(devinfo);
++	brcmf_pcie_release_scratchbuffers(devinfo);
++	brcmf_pcie_release_ringbuffers(devinfo);
++	brcmf_pcie_reset_device(devinfo);
++
++	fwreq = brcmf_pcie_prepare_fw_request(devinfo);
++	if (!fwreq) {
++		dev_err(dev, "Failed to prepare FW request\n");
++		return -ENOMEM;
++	}
++
++	err = brcmf_fw_get_firmwares(dev, fwreq, brcmf_pcie_setup);
++	if (err) {
++		dev_err(dev, "Failed to prepare FW request\n");
++		kfree(fwreq);
++	}
++
++	return err;
++}
++
+ static const struct brcmf_bus_ops brcmf_pcie_bus_ops = {
+ 	.txdata = brcmf_pcie_tx,
+ 	.stop = brcmf_pcie_down,
+@@ -1418,6 +1452,7 @@ static const struct brcmf_bus_ops brcmf_
+ 	.get_ramsize = brcmf_pcie_get_ramsize,
+ 	.get_memdump = brcmf_pcie_get_memdump,
+ 	.get_fwname = brcmf_pcie_get_fwname,
++	.reset = brcmf_pcie_reset,
+ };
+ 
+ 

package/kernel/mac80211/patches/451-v5.2-0001-brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch

@@ -0,0 +1,124 @@
+From c80d26e81ef1802f30364b4ad1955c1443a592b9 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Mon, 4 Mar 2019 15:42:49 +0000
+Subject: [PATCH] brcmfmac: fix WARNING during USB disconnect in case of
+ unempty psq
+
+brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
+which is part of any queue. After USB disconnect this may have happened
+when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
+cleaned when removing the interface.
+Change brcmf_fws_macdesc_cleanup() in a way that it removes the
+corresponding packets from hanger table (to avoid double-free when
+brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
+interface specific packet queue.
+
+Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
+running in AP mode. This was reproducible when the interface was
+transmitting during the disconnect and is fixed with this commit.
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
+Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
+CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
+[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
+[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
+[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
+[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
+[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
+[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
+[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
+[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
+[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
+[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
+[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
+[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
+[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
+[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
+[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
+[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
+[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
+[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
+[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
+[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xecf8dfb0 to 0xecf8dff8)
+dfa0:                                     00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 38d234018e9e2a90 ]---
+------------[ cut here ]------------
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c    | 42 +++++++++++--------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -579,24 +579,6 @@ static bool brcmf_fws_ifidx_match(struct
+ 	return ifidx == *(int *)arg;
+ }
+ 
+-static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
+-				int ifidx)
+-{
+-	bool (*matchfn)(struct sk_buff *, void *) = NULL;
+-	struct sk_buff *skb;
+-	int prec;
+-
+-	if (ifidx != -1)
+-		matchfn = brcmf_fws_ifidx_match;
+-	for (prec = 0; prec < q->num_prec; prec++) {
+-		skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+-		while (skb) {
+-			brcmu_pkt_buf_free_skb(skb);
+-			skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+-		}
+-	}
+-}
+-
+ static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
+ {
+ 	int i;
+@@ -668,6 +650,28 @@ static inline int brcmf_fws_hanger_poppk
+ 	return 0;
+ }
+ 
++static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
++				int ifidx)
++{
++	bool (*matchfn)(struct sk_buff *, void *) = NULL;
++	struct sk_buff *skb;
++	int prec;
++	u32 hslot;
++
++	if (ifidx != -1)
++		matchfn = brcmf_fws_ifidx_match;
++	for (prec = 0; prec < q->num_prec; prec++) {
++		skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++		while (skb) {
++			hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
++			brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
++						true);
++			brcmu_pkt_buf_free_skb(skb);
++			skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++		}
++	}
++}
++
+ static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
+ 					    u32 slot_id)
+ {
+@@ -2174,6 +2178,8 @@ void brcmf_fws_del_interface(struct brcm
+ 	brcmf_fws_lock(fws);
+ 	ifp->fws_desc = NULL;
+ 	brcmf_dbg(TRACE, "deleting %s\n", entry->name);
++	brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx],
++				  ifp->ifidx);
+ 	brcmf_fws_macdesc_deinit(entry);
+ 	brcmf_fws_cleanup(fws, ifp->ifidx);
+ 	brcmf_fws_unlock(fws);

package/kernel/mac80211/patches/451-v5.2-0002-brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch

@@ -0,0 +1,217 @@
+From 5cdb0ef6144f47440850553579aa923c20a63f23 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Mon, 4 Mar 2019 15:42:52 +0000
+Subject: [PATCH] brcmfmac: fix NULL pointer derefence during USB disconnect
+
+In case USB disconnect happens at the moment transmitting workqueue is in
+progress the underlying interface may be gone causing a NULL pointer
+dereference. Add synchronization of the workqueue destruction with the
+detach implementation in core so that the transmitting workqueue is stopped
+during detach before the interfaces are removed.
+
+Fix following Oops:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = 9e6a802d
+[00000008] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle
+xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
+iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether
+usb_serial_simple usbserial cdc_acm brcmfmac brcmutil smsc95xx usbnet
+ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base
+libcomposite configfs udc_core
+CPU: 0 PID: 7 Comm: kworker/u8:0 Not tainted 4.19.23-00076-g03740aa-dirty #102
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: brcmf_fws_wq brcmf_fws_dequeue_worker [brcmfmac]
+PC is at brcmf_txfinalize+0x34/0x90 [brcmfmac]
+LR is at brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac]
+pc : [<7f0dee64>]    lr : [<7f0e4140>]    psr: 60010093
+sp : ee8abef0  ip : 00000000  fp : edf38000
+r10: ffffffed  r9 : edf38970  r8 : edf38004
+r7 : edf3e970  r6 : 00000000  r5 : ede69000  r4 : 00000000
+r3 : 00000a97  r2 : 00000000  r1 : 0000888e  r0 : ede69000
+Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 7d03c04a  DAC: 00000051
+Process kworker/u8:0 (pid: 7, stack limit = 0x24ec3e04)
+Stack: (0xee8abef0 to 0xee8ac000)
+bee0:                                     ede69000 00000000 ed56c3e0 7f0e4140
+bf00: 00000001 00000000 edf38004 edf3e99c ed56c3e0 80d03d00 edfea43a edf3e970
+bf20: ee809880 ee804200 ee971100 00000000 edf3e974 00000000 ee804200 80135a70
+bf40: 80d03d00 ee804218 ee809880 ee809894 ee804200 80d03d00 ee804218 ee8aa000
+bf60: 00000088 80135d5c 00000000 ee829f00 ee829dc0 00000000 ee809880 80135d30
+bf80: ee829f1c ee873eac 00000000 8013b1a0 ee829dc0 8013b07c 00000000 00000000
+bfa0: 00000000 00000000 00000000 801010e8 00000000 00000000 00000000 00000000
+bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[<7f0dee64>] (brcmf_txfinalize [brcmfmac]) from [<7f0e4140>] (brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac])
+[<7f0e4140>] (brcmf_fws_dequeue_worker [brcmfmac]) from [<80135a70>] (process_one_work+0x138/0x3f8)
+[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
+[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
+[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xee8abfb0 to 0xee8abff8)
+bfa0:                                     00000000 00000000 00000000 00000000
+bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+Code: e1530001 0a000007 e3560000 e1a00005 (05942008)
+---[ end trace 079239dd31c86e90 ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/bcdc.c  | 11 +++++++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/bcdc.h  |  6 ++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c  |  4 +++-
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c       | 16 ++++++++++++----
+ .../broadcom/brcm80211/brcmfmac/fwsignal.h       |  3 ++-
+ .../wireless/broadcom/brcm80211/brcmfmac/proto.c | 10 ++++++++--
+ .../wireless/broadcom/brcm80211/brcmfmac/proto.h |  3 ++-
+ 7 files changed, 40 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+@@ -490,11 +490,18 @@ fail:
+ 	return -ENOMEM;
+ }
+ 
+-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr)
++void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr)
++{
++	struct brcmf_bcdc *bcdc = drvr->proto->pd;
++
++	brcmf_fws_detach_pre_delif(bcdc->fws);
++}
++
++void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr)
+ {
+ 	struct brcmf_bcdc *bcdc = drvr->proto->pd;
+ 
+ 	drvr->proto->pd = NULL;
+-	brcmf_fws_detach(bcdc->fws);
++	brcmf_fws_detach_post_delif(bcdc->fws);
+ 	kfree(bcdc);
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
+@@ -18,14 +18,16 @@
+ 
+ #ifdef CPTCFG_BRCMFMAC_PROTO_BCDC
+ int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr);
+-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr);
++void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr);
++void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr);
+ void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state);
+ void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp,
+ 				 bool success);
+ struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr);
+ #else
+ static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; }
+-static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {}
++static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {};
++static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {}
+ #endif
+ 
+ #endif /* BRCMFMAC_BCDC_H */
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1340,6 +1340,8 @@ void brcmf_detach(struct device *dev)
+ 
+ 	brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
+ 
++	brcmf_proto_detach_pre_delif(drvr);
++
+ 	/* make sure primary interface removed last */
+ 	for (i = BRCMF_MAX_IFS-1; i > -1; i--)
+ 		brcmf_remove_interface(drvr->iflist[i], false);
+@@ -1349,7 +1351,7 @@ void brcmf_detach(struct device *dev)
+ 
+ 	brcmf_bus_stop(drvr->bus_if);
+ 
+-	brcmf_proto_detach(drvr);
++	brcmf_proto_detach_post_delif(drvr);
+ 
+ 	bus_if->drvr = NULL;
+ 	wiphy_free(drvr->wiphy);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -2416,17 +2416,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
+ 	return fws;
+ 
+ fail:
+-	brcmf_fws_detach(fws);
++	brcmf_fws_detach_pre_delif(fws);
++	brcmf_fws_detach_post_delif(fws);
+ 	return ERR_PTR(rc);
+ }
+ 
+-void brcmf_fws_detach(struct brcmf_fws_info *fws)
++void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws)
+ {
+ 	if (!fws)
+ 		return;
+-
+-	if (fws->fws_wq)
++	if (fws->fws_wq) {
+ 		destroy_workqueue(fws->fws_wq);
++		fws->fws_wq = NULL;
++	}
++}
++
++void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws)
++{
++	if (!fws)
++		return;
+ 
+ 	/* cleanup */
+ 	brcmf_fws_lock(fws);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
+@@ -19,7 +19,8 @@
+ #define FWSIGNAL_H_
+ 
+ struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr);
+-void brcmf_fws_detach(struct brcmf_fws_info *fws);
++void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws);
++void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws);
+ void brcmf_fws_debugfs_create(struct brcmf_pub *drvr);
+ bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws);
+ bool brcmf_fws_fc_active(struct brcmf_fws_info *fws);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
+@@ -67,16 +67,22 @@ fail:
+ 	return -ENOMEM;
+ }
+ 
+-void brcmf_proto_detach(struct brcmf_pub *drvr)
++void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr)
+ {
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+ 	if (drvr->proto) {
+ 		if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
+-			brcmf_proto_bcdc_detach(drvr);
++			brcmf_proto_bcdc_detach_post_delif(drvr);
+ 		else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF)
+ 			brcmf_proto_msgbuf_detach(drvr);
+ 		kfree(drvr->proto);
+ 		drvr->proto = NULL;
+ 	}
+ }
++
++void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr)
++{
++	if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
++		brcmf_proto_bcdc_detach_pre_delif(drvr);
++}
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
+@@ -54,7 +54,8 @@ struct brcmf_proto {
+ 
+ 
+ int brcmf_proto_attach(struct brcmf_pub *drvr);
+-void brcmf_proto_detach(struct brcmf_pub *drvr);
++void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr);
++void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr);
+ 
+ static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
+ 				      struct sk_buff *skb,

package/kernel/mac80211/patches/452-v5.2-0001-brcmfmac-fix-race-during-disconnect-when-USB-complet.patch

@@ -0,0 +1,84 @@
+From db3b9e2e1d58080d0754bdf9293dabf8c6491b67 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:04 +0000
+Subject: [PATCH] brcmfmac: fix race during disconnect when USB completion is
+ in progress
+
+It was observed that rarely during USB disconnect happening shortly after
+connect (before full initialization completes) usb_hub_wq would wait
+forever for the dev_init_lock to be unlocked. dev_init_lock would remain
+locked though because of infinite wait during usb_kill_urb:
+
+[ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
+[ 2730.660700] Workqueue: events request_firmware_work_func
+[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
+[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
+[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
+[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
+[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
+[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
+[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
+[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+[ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
+[ 2733.103926] Workqueue: usb_hub_wq hub_event
+[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
+[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
+[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
+[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
+[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
+[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
+[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
+[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
+[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
+[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
+[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+It was traced down to a case where usb_kill_urb would be called on an URB
+structure containing more or less random data, including large number in
+its use_count. During the debugging it appeared that in brcmf_usb_free_q()
+the traversal over URBs' lists is not synchronized with operations on those
+lists in brcmf_usb_rx_complete() leading to handling
+brcmf_usbdev_info structure (holding lists' head) as lists' element and in
+result causing above problem.
+
+Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
+arrays of requests instead of linked lists.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -684,12 +684,18 @@ static int brcmf_usb_up(struct device *d
+ 
+ static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
+ {
++	int i;
++
+ 	if (devinfo->ctl_urb)
+ 		usb_kill_urb(devinfo->ctl_urb);
+ 	if (devinfo->bulk_urb)
+ 		usb_kill_urb(devinfo->bulk_urb);
+-	brcmf_usb_free_q(&devinfo->tx_postq, true);
+-	brcmf_usb_free_q(&devinfo->rx_postq, true);
++	if (devinfo->tx_reqs)
++		for (i = 0; i < devinfo->bus_pub.ntxq; i++)
++			usb_kill_urb(devinfo->tx_reqs[i].urb);
++	if (devinfo->rx_reqs)
++		for (i = 0; i < devinfo->bus_pub.nrxq; i++)
++			usb_kill_urb(devinfo->rx_reqs[i].urb);
+ }
+ 
+ static void brcmf_usb_down(struct device *dev)

package/kernel/mac80211/patches/452-v5.2-0002-brcmfmac-remove-pending-parameter-from-brcmf_usb_fre.patch

@@ -0,0 +1,54 @@
+From 2b78e5f5223666d403d4fdb30af4ad65c8da3cdb Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:06 +0000
+Subject: [PATCH] brcmfmac: remove pending parameter from brcmf_usb_free_q
+
+brcmf_usb_free_q is no longer called with pending=true thus this boolean
+parameter is no longer needed.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/usb.c    | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -445,9 +445,10 @@ fail:
+ 
+ }
+ 
+-static void brcmf_usb_free_q(struct list_head *q, bool pending)
++static void brcmf_usb_free_q(struct list_head *q)
+ {
+ 	struct brcmf_usbreq *req, *next;
++
+ 	int i = 0;
+ 	list_for_each_entry_safe(req, next, q, list) {
+ 		if (!req->urb) {
+@@ -455,12 +456,8 @@ static void brcmf_usb_free_q(struct list
+ 			break;
+ 		}
+ 		i++;
+-		if (pending) {
+-			usb_kill_urb(req->urb);
+-		} else {
+-			usb_free_urb(req->urb);
+-			list_del_init(&req->list);
+-		}
++		usb_free_urb(req->urb);
++		list_del_init(&req->list);
+ 	}
+ }
+ 
+@@ -1031,8 +1028,8 @@ static void brcmf_usb_detach(struct brcm
+ 	brcmf_dbg(USB, "Enter, devinfo %p\n", devinfo);
+ 
+ 	/* free the URBS */
+-	brcmf_usb_free_q(&devinfo->rx_freeq, false);
+-	brcmf_usb_free_q(&devinfo->tx_freeq, false);
++	brcmf_usb_free_q(&devinfo->rx_freeq);
++	brcmf_usb_free_q(&devinfo->tx_freeq);
+ 
+ 	usb_free_urb(devinfo->ctl_urb);
+ 	usb_free_urb(devinfo->bulk_urb);

package/kernel/mac80211/patches/452-v5.2-0003-brcmfmac-remove-unused-variable-i-from-brcmf_usb_fre.patch

@@ -0,0 +1,29 @@
+From 504f06725d015954a0fcafdf1d90a6795ca8f769 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:09 +0000
+Subject: [PATCH] brcmfmac: remove unused variable i from brcmf_usb_free_q
+
+Variable i is not used so remove it.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -449,13 +449,11 @@ static void brcmf_usb_free_q(struct list
+ {
+ 	struct brcmf_usbreq *req, *next;
+ 
+-	int i = 0;
+ 	list_for_each_entry_safe(req, next, q, list) {
+ 		if (!req->urb) {
+ 			brcmf_err("bad req\n");
+ 			break;
+ 		}
+-		i++;
+ 		usb_free_urb(req->urb);
+ 		list_del_init(&req->list);
+ 	}

package/kernel/mac80211/patches/453-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch

@@ -0,0 +1,123 @@
+From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB
+ disconnect
+
+Fix a race which leads to an Oops with NULL pointer dereference.  The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>]    lr : [<7f26a914>]    psr: a0070013
+sp : eca99d28  ip : 00000000  fp : ee9c6c00
+r10: 00000036  r9 : 00000000  r8 : ece4002c
+r7 : edb5b800  r6 : 00000000  r5 : 80f08448  r4 : edb5b968
+r3 : ffffffff  r2 : 00000000  r1 : 00000002  r0 : 00000000
+Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 7ca0c04a  DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20:                   00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+9fa0:                   00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c    | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -861,17 +861,17 @@ static void brcmf_del_if(struct brcmf_pu
+ 			 bool rtnl_locked)
+ {
+ 	struct brcmf_if *ifp;
++	int ifidx;
+ 
+ 	ifp = drvr->iflist[bsscfgidx];
+-	drvr->iflist[bsscfgidx] = NULL;
+ 	if (!ifp) {
+ 		bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
+ 		return;
+ 	}
+ 	brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+ 		  ifp->ifidx);
+-	if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+-		drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++	ifidx = ifp->ifidx;
++
+ 	if (ifp->ndev) {
+ 		if (bsscfgidx == 0) {
+ 			if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -899,6 +899,10 @@ static void brcmf_del_if(struct brcmf_pu
+ 		brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+ 		kfree(ifp);
+ 	}
++
++	drvr->iflist[bsscfgidx] = NULL;
++	if (drvr->if2bss[ifidx] == bsscfgidx)
++		drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+ 
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)

package/kernel/mac80211/patches/454-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch

@@ -0,0 +1,35 @@
+From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5455,6 +5455,8 @@ static s32 brcmf_get_assoc_ies(struct br
+ 		conn_info->req_ie =
+ 		    kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ 			    GFP_KERNEL);
++		if (!conn_info->req_ie)
++			conn_info->req_ie_len = 0;
+ 	} else {
+ 		conn_info->req_ie_len = 0;
+ 		conn_info->req_ie = NULL;
+@@ -5471,6 +5473,8 @@ static s32 brcmf_get_assoc_ies(struct br
+ 		conn_info->resp_ie =
+ 		    kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ 			    GFP_KERNEL);
++		if (!conn_info->resp_ie)
++			conn_info->resp_ie_len = 0;
+ 	} else {
+ 		conn_info->resp_ie_len = 0;
+ 		conn_info->resp_ie = NULL;

package/kernel/mac80211/patches/455-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch

@@ -0,0 +1,35 @@
+From e3062e05e1cfe378bb9b3fa0bef46711372bcf13 Mon Sep 17 00:00:00 2001
+From: Ondrej Jirman <megous@megous.com>
+Date: Sat, 6 Apr 2019 01:45:13 +0200
+Subject: [PATCH] brcmfmac: Loading the correct firmware for brcm43456
+
+SDIO based brcm43456 is currently misdetected as brcm43455 and the wrong
+firmware name is used. Correct the detection and load the correct
+firmware file. Chiprev for brcm43456 is "9".
+
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -615,6 +615,7 @@ BRCMF_FW_DEF(43430A0, "brcmfmac43430a0-s
+ /* Note the names are not postfixed with a1 for backward compatibility */
+ BRCMF_FW_DEF(43430A1, "brcmfmac43430-sdio");
+ BRCMF_FW_DEF(43455, "brcmfmac43455-sdio");
++BRCMF_FW_DEF(43456, "brcmfmac43456-sdio");
+ BRCMF_FW_DEF(4354, "brcmfmac4354-sdio");
+ BRCMF_FW_DEF(4356, "brcmfmac4356-sdio");
+ BRCMF_FW_DEF(4373, "brcmfmac4373-sdio");
+@@ -634,7 +635,8 @@ static const struct brcmf_firmware_mappi
+ 	BRCMF_FW_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
+ 	BRCMF_FW_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+-	BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
++	BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0x00000200, 43456),
++	BRCMF_FW_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFDC0, 43455),
+ 	BRCMF_FW_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+ 	BRCMF_FW_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
+ 	BRCMF_FW_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)

package/kernel/mac80211/patches/456-v5.2-brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch

@@ -0,0 +1,41 @@
+From a927e8d8ab57e696800e20cf09a72b7dfe3bbebb Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 Apr 2019 12:43:33 +0100
+Subject: [PATCH] brcmfmac: fix leak of mypkt on error return path
+
+Currently if the call to brcmf_sdiod_set_backplane_window fails then
+error return path leaks mypkt. Fix this by returning by a new
+error path labelled 'out' that calls brcmu_pkt_buf_free_skb to free
+mypkt.  Also remove redundant check on err before calling
+brcmf_sdiod_skbuff_write.
+
+Addresses-Coverity: ("Resource Leak")
+Fixes: a7c3aa1509e2 ("brcmfmac: Remove brcmf_sdiod_addrprep()")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -617,15 +617,13 @@ int brcmf_sdiod_send_buf(struct brcmf_sd
+ 
+ 	err = brcmf_sdiod_set_backplane_window(sdiodev, addr);
+ 	if (err)
+-		return err;
++		goto out;
+ 
+ 	addr &= SBSDIO_SB_OFT_ADDR_MASK;
+ 	addr |= SBSDIO_SB_ACCESS_2_4B_FLAG;
+ 
+-	if (!err)
+-		err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr,
+-					       mypkt);
+-
++	err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr, mypkt);
++out:
+ 	brcmu_pkt_buf_free_skb(mypkt);
+ 
+ 	return err;

package/kernel/mac80211/patches/457-v5.2-brcmfmac-Add-DMI-nvram-filename-quirk-for-ACEPC-T8-a.patch

@@ -0,0 +1,70 @@
+From b1a0ba8f772d7a6dcb5aa3e856f5bd8274989ebe Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 22 Apr 2019 22:41:23 +0200
+Subject: [PATCH] brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11
+ mini PCs
+
+The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor
+and product_name DMI strings, without this patch brcmfmac will try to load:
+"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
+is way too generic.
+
+The DMI strings on which we are matching are somewhat generic too, but
+"To be filled by O.E.M." is less common then "Default string" and the
+system-sku and bios-version strings are pretty unique. Beside the DMI
+strings we also check the wifi-module chip-id and revision. I'm confident
+that the combination of all this is unique.
+
+Both the T8 and T11 use the same wifi-module, this commit adds DMI
+quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt .
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/dmi.c         | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -31,6 +31,10 @@ struct brcmf_dmi_data {
+ 
+ /* NOTE: Please keep all entries sorted alphabetically */
+ 
++static const struct brcmf_dmi_data acepc_t8_data = {
++	BRCM_CC_4345_CHIP_ID, 6, "acepc-t8"
++};
++
+ static const struct brcmf_dmi_data gpd_win_pocket_data = {
+ 	BRCM_CC_4356_CHIP_ID, 2, "gpd-win-pocket"
+ };
+@@ -45,6 +49,28 @@ static const struct brcmf_dmi_data meego
+ 
+ static const struct dmi_system_id dmi_platform_data[] = {
+ 	{
++		/* ACEPC T8 Cherry Trail Z8350 mini PC */
++		.matches = {
++			DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
++			DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++			DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T8"),
++			/* also match on somewhat unique bios-version */
++			DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
++		},
++		.driver_data = (void *)&acepc_t8_data,
++	},
++	{
++		/* ACEPC T11 Cherry Trail Z8350 mini PC, same wifi as the T8 */
++		.matches = {
++			DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
++			DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++			DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T11"),
++			/* also match on somewhat unique bios-version */
++			DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
++		},
++		.driver_data = (void *)&acepc_t8_data,
++	},
++	{
+ 		/* Match for the GPDwin which unfortunately uses somewhat
+ 		 * generic dmi strings, which is why we test for 4 strings.
+ 		 * Comparing against 23 other byt/cht boards, board_vendor

package/kernel/mac80211/patches/458-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch

@@ -0,0 +1,39 @@
+From 9ef77fbedad9ea8895cd5d7fb7aee16071f527dc Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:12:32 +0000
+Subject: [PATCH] brcmfmac: send mailbox interrupt twice for specific hardware
+ device
+
+For PCIE wireless device with core revision less than 14, device may miss
+PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending
+mail box interrupt twice as a hardware workaround.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -675,6 +675,7 @@ static int
+ brcmf_pcie_send_mb_data(struct brcmf_pciedev_info *devinfo, u32 htod_mb_data)
+ {
+ 	struct brcmf_pcie_shared_info *shared;
++	struct brcmf_core *core;
+ 	u32 addr;
+ 	u32 cur_htod_mb_data;
+ 	u32 i;
+@@ -698,7 +699,11 @@ brcmf_pcie_send_mb_data(struct brcmf_pci
+ 
+ 	brcmf_pcie_write_tcm32(devinfo, addr, htod_mb_data);
+ 	pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+-	pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
++
++	/* Send mailbox interrupt twice as a hardware workaround */
++	core = brcmf_chip_get_core(devinfo->ci, BCMA_CORE_PCIE2);
++	if (core->rev <= 13)
++		pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+ 
+ 	return 0;
+ }

package/kernel/mac80211/patches/459-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch

@@ -0,0 +1,50 @@
+From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: [PATCH] brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative.  (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+ 	struct brcmf_if *ifp;
+ 	const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+ 	struct sk_buff *reply;
+-	int ret, payload, ret_len;
++	unsigned int payload, ret_len;
+ 	void *dcmd_buf = NULL, *wr_pointer;
+ 	u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++	int ret;
+ 
+ 	if (len < sizeof(*cmdhdr)) {
+ 		brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+ 			brcmf_err("oversize return buffer %d\n", ret_len);
+ 			ret_len = BRCMF_DCMD_MAXLEN;
+ 		}
+-		payload = max(ret_len, len) + 1;
++		payload = max_t(unsigned int, ret_len, len) + 1;
+ 		dcmd_buf = vzalloc(payload);
+ 		if (NULL == dcmd_buf)
+ 			return -ENOMEM;

package/kernel/mac80211/patches/460-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch

@@ -0,0 +1,49 @@
+From 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:41:46 +0000
+Subject: [PATCH] brcmfmac: set txflow request id from 1 to pktids array size
+
+Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in
+host side and never be released. If that packet type is 802.1x, the
+pend_8021x_cnt value will be always greater than 0 and show "Timed out
+waiting for no pending 802.1x packets" error message when sending key to
+dongle every time.
+
+To be compatible with all firmwares, host should set txflow request id
+from 1 instead of from 0.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *de
+ 	struct brcmf_msgbuf_pktid *pktid;
+ 	struct sk_buff *skb;
+ 
+-	if (idx >= pktids->array_size) {
++	if (idx < 0 || idx >= pktids->array_size) {
+ 		brcmf_err("Invalid packet id %d (max %d)\n", idx,
+ 			  pktids->array_size);
+ 		return NULL;
+@@ -747,7 +747,7 @@ static void brcmf_msgbuf_txflow(struct b
+ 		tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr;
+ 
+ 		tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST;
+-		tx_msghdr->msg.request_id = cpu_to_le32(pktid);
++		tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1);
+ 		tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid);
+ 		tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3;
+ 		tx_msghdr->flags |= (skb->priority & 0x07) <<
+@@ -884,7 +884,7 @@ brcmf_msgbuf_process_txstatus(struct brc
+ 	u16 flowid;
+ 
+ 	tx_status = (struct msgbuf_tx_status *)buf;
+-	idx = le32_to_cpu(tx_status->msg.request_id);
++	idx = le32_to_cpu(tx_status->msg.request_id) - 1;
+ 	flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id);
+ 	flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART;
+ 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,

package/kernel/mac80211/patches/461-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch

@@ -0,0 +1,90 @@
+From 47dd82e3d25e85a7c7c4e4b0eac9d297d1e5e2d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 28 Apr 2019 23:38:26 +0200
+Subject: [PATCH] brcmfmac: print firmware messages after a firmware crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Normally firmware messages are printed with debugging enabled only. It's
+a good idea as firmware may print a lot of messages that normal users
+don't need to care about.
+
+However, on firmware crash, it may be very helpful to log all recent
+messages. There is almost always a backtrace available as well as rought
+info on the latest actions/state.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -764,15 +764,22 @@ static void brcmf_pcie_bus_console_init(
+ 		  console->base_addr, console->buf_addr, console->bufsize);
+ }
+ 
+-
+-static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo)
++/**
++ * brcmf_pcie_bus_console_read - reads firmware messages
++ *
++ * @error: specifies if error has occurred (prints messages unconditionally)
++ */
++static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo,
++					bool error)
+ {
++	struct pci_dev *pdev = devinfo->pdev;
++	struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ 	struct brcmf_pcie_console *console;
+ 	u32 addr;
+ 	u8 ch;
+ 	u32 newidx;
+ 
+-	if (!BRCMF_FWCON_ON())
++	if (!error && !BRCMF_FWCON_ON())
+ 		return;
+ 
+ 	console = &devinfo->shared.console;
+@@ -796,7 +803,10 @@ static void brcmf_pcie_bus_console_read(
+ 		}
+ 		if (ch == '\n') {
+ 			console->log_str[console->log_idx] = 0;
+-			pr_debug("CONSOLE: %s", console->log_str);
++			if (error)
++				brcmf_err(bus, "CONSOLE: %s", console->log_str);
++			else
++				pr_debug("CONSOLE: %s", console->log_str);
+ 			console->log_idx = 0;
+ 		}
+ 	}
+@@ -857,7 +867,7 @@ static irqreturn_t brcmf_pcie_isr_thread
+ 							&devinfo->pdev->dev);
+ 		}
+ 	}
+-	brcmf_pcie_bus_console_read(devinfo);
++	brcmf_pcie_bus_console_read(devinfo, false);
+ 	if (devinfo->state == BRCMFMAC_PCIE_STATE_UP)
+ 		brcmf_pcie_intr_enable(devinfo);
+ 	devinfo->in_irq = false;
+@@ -1426,6 +1436,8 @@ static int brcmf_pcie_reset(struct devic
+ 	struct brcmf_fw_request *fwreq;
+ 	int err;
+ 
++	brcmf_pcie_bus_console_read(devinfo, true);
++
+ 	brcmf_detach(dev);
+ 
+ 	brcmf_pcie_release_irq(devinfo);
+@@ -1818,7 +1830,7 @@ static void brcmf_pcie_setup(struct devi
+ 	if (brcmf_attach(&devinfo->pdev->dev, devinfo->settings) == 0)
+ 		return;
+ 
+-	brcmf_pcie_bus_console_read(devinfo);
++	brcmf_pcie_bus_console_read(devinfo, false);
+ 
+ fail:
+ 	device_release_driver(dev);

package/kernel/mac80211/patches/522-mac80211_configure_antenna_gain.patch

@@ -87,7 +87,7 @@
  	CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -1348,6 +1348,7 @@ struct ieee80211_local {
+@@ -1350,6 +1350,7 @@ struct ieee80211_local {
  	int dynamic_ps_forced_timeout;
  
  	int user_power_level; /* in dBm, for all interfaces */

package/kernel/mac80211/patches/548-ath9k_enable_gpio_chip.patch

@@ -45,7 +45,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  #ifdef CPTCFG_ATH9K_DEBUGFS
 --- a/drivers/net/wireless/ath/ath9k/gpio.c
 +++ b/drivers/net/wireless/ath/ath9k/gpio.c
-@@ -16,13 +16,130 @@
+@@ -16,13 +16,139 @@
  
  #include "ath9k.h"
  #include <linux/ath9k_platform.h>
@@ -126,7 +126,13 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	gc->sc = sc;
 +	snprintf(gc->label, sizeof(gc->label), "ath9k-%s",
 +		 wiphy_name(sc->hw->wiphy));
-+
++#ifdef CONFIG_OF
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,5,0)
++	gc->gchip.parent = sc->dev;
++#else
++	gc->gchip.dev = sc->dev;
++#endif
++#endif
 +	gc->gchip.label = gc->label;
 +	gc->gchip.base = -1;	/* determine base automatically */
 +	gc->gchip.ngpio = ah->caps.num_gpio_pins;
@@ -141,6 +147,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +		return;
 +	}
 +
++#ifdef CONFIG_OF
++	gc->gchip.owner = NULL;
++#endif
 +	sc->gpiochip = gc;
 +}
 +
@@ -178,7 +187,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  static void ath_fill_led_pin(struct ath_softc *sc)
  {
  	struct ath_hw *ah = sc->sc_ah;
-@@ -80,6 +197,12 @@ static int ath_add_led(struct ath_softc
+@@ -80,6 +206,12 @@ static int ath_add_led(struct ath_softc
  	else
  		ath9k_hw_set_gpio(sc->sc_ah, gpio->gpio, gpio->active_low);
  
@@ -191,7 +200,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	return 0;
  }
  
-@@ -136,17 +259,24 @@ void ath_deinit_leds(struct ath_softc *s
+@@ -136,17 +268,24 @@ void ath_deinit_leds(struct ath_softc *s
  
  	while (!list_empty(&sc->leds)) {
  		led = list_first_entry(&sc->leds, struct ath_led, list);
@@ -216,7 +225,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	char led_name[32];
  	const char *trigger;
  	int i;
-@@ -156,6 +286,15 @@ void ath_init_leds(struct ath_softc *sc)
+@@ -156,6 +295,15 @@ void ath_init_leds(struct ath_softc *sc)
  	if (AR_SREV_9100(sc->sc_ah))
  		return;
  
@@ -232,7 +241,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	ath_fill_led_pin(sc);
  
  	if (pdata && pdata->leds && pdata->num_leds)
-@@ -180,6 +319,7 @@ void ath_init_leds(struct ath_softc *sc)
+@@ -180,6 +328,7 @@ void ath_init_leds(struct ath_softc *sc)
  	ath_create_gpio_led(sc, sc->sc_ah->led_pin, led_name, trigger,
  			   !sc->sc_ah->config.led_active_high);
  }

package/kernel/mac80211/patches/549-ath9k_enable_gpio_buttons.patch

@@ -29,7 +29,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  #ifdef CPTCFG_MAC80211_LEDS
  
-@@ -124,6 +126,67 @@ static void ath9k_unregister_gpio_chip(s
+@@ -133,6 +135,67 @@ static void ath9k_unregister_gpio_chip(s
  	sc->gpiochip = NULL;
  }
  
@@ -97,7 +97,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  #else /* CONFIG_GPIOLIB */
  
  static inline void ath9k_register_gpio_chip(struct ath_softc *sc)
-@@ -134,6 +197,14 @@ static inline void ath9k_unregister_gpio
+@@ -143,6 +206,14 @@ static inline void ath9k_unregister_gpio
  {
  }
  
@@ -112,7 +112,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  #endif /* CONFIG_GPIOLIB */
  
  /********************************/
-@@ -257,6 +328,7 @@ void ath_deinit_leds(struct ath_softc *s
+@@ -266,6 +337,7 @@ void ath_deinit_leds(struct ath_softc *s
  {
  	struct ath_led *led;
  
@@ -120,7 +120,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	while (!list_empty(&sc->leds)) {
  		led = list_first_entry(&sc->leds, struct ath_led, list);
  #ifdef CONFIG_GPIOLIB
-@@ -296,6 +368,7 @@ void ath_init_leds(struct ath_softc *sc)
+@@ -305,6 +377,7 @@ void ath_init_leds(struct ath_softc *sc)
  	}
  
  	ath_fill_led_pin(sc);

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1347,6 +1347,7 @@ int __init brcmf_core_init(void)
+@@ -1434,6 +1434,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;
@@ -40,15 +40,16 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
  	kfree(fwctx);
  }
  
-@@ -598,6 +601,7 @@ int brcmf_fw_get_firmwares(struct device
+@@ -598,6 +601,8 @@ int brcmf_fw_get_firmwares(struct device
  {
  	struct brcmf_fw_item *first = &req->items[0];
  	struct brcmf_fw *fwctx;
 +	struct completion completion;
++	unsigned long time_left;
  	int ret;
  
  	brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
-@@ -615,12 +619,17 @@ int brcmf_fw_get_firmwares(struct device
+@@ -615,12 +620,20 @@ int brcmf_fw_get_firmwares(struct device
  	fwctx->req = req;
  	fwctx->done = fw_cb;
  
@@ -61,7 +62,10 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
  	if (ret < 0)
  		brcmf_fw_request_done(NULL, fwctx);
  
-+	wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
++	time_left = wait_for_completion_timeout(&completion,
++						msecs_to_jiffies(5000));
++	if (!time_left && fwctx)
++		fwctx->completion = NULL;
 +
  	return 0;
  }

package/kernel/mac80211/patches/861-brcmfmac-workaround-bug-with-some-inconsistent-BSSes.patch

@@ -10,12 +10,11 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -614,9 +614,37 @@ static struct wireless_dev *brcmf_cfg802
- 						     enum nl80211_iftype type,
- 						     struct vif_params *params)
- {
-+	struct net_device *dev;
+@@ -620,8 +620,36 @@ static struct wireless_dev *brcmf_cfg802
+ 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+ 	struct brcmf_pub *drvr = cfg->pub;
  	struct wireless_dev *wdev;
++	struct net_device *dev;
  	int err;
  
 +	/*

package/kernel/mac80211/patches/862-brcmfmac-Disable-power-management.patch

@@ -14,7 +14,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -2725,6 +2725,10 @@ brcmf_cfg80211_set_power_mgmt(struct wip
+@@ -2774,6 +2774,10 @@ brcmf_cfg80211_set_power_mgmt(struct wip
  	 * preference in cfg struct to apply this to
  	 * FW later while initializing the dongle
  	 */

package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch

@@ -0,0 +1,70 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Subject: [PATCH] brcmfmac: get RAM info right before downloading PCIe firmware
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's important as brcmf_chip_get_raminfo() also makes sure that memory
+is properly setup. Without it the firmware could report invalid RAM
+address like 0x04000001.
+
+During a normal brcmfmac lifetime brcmf_chip_get_raminfo() is called on
+probe by the brcmf_chip_recognition(). This change allows implementing
+further improvements like handling errors by resetting a device with
+the brcmf_pcie_reset_device() and redownloading a firmware afterwards.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 6 ++++--
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h | 1 +
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 6 ++++++
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+@@ -700,8 +700,10 @@ static u32 brcmf_chip_tcm_rambase(struct
+ 	return 0;
+ }
+ 
+-static int brcmf_chip_get_raminfo(struct brcmf_chip_priv *ci)
++int brcmf_chip_get_raminfo(struct brcmf_chip *pub)
+ {
++	struct brcmf_chip_priv *ci = container_of(pub, struct brcmf_chip_priv,
++						  pub);
+ 	struct brcmf_core_priv *mem_core;
+ 	struct brcmf_core *mem;
+ 
+@@ -981,7 +983,7 @@ static int brcmf_chip_recognition(struct
+ 		brcmf_chip_set_passive(&ci->pub);
+ 	}
+ 
+-	return brcmf_chip_get_raminfo(ci);
++	return brcmf_chip_get_raminfo(&ci->pub);
+ }
+ 
+ static void brcmf_chip_disable_arm(struct brcmf_chip_priv *chip, u16 id)
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
+@@ -80,6 +80,7 @@ struct brcmf_buscore_ops {
+ 	void (*activate)(void *ctx, struct brcmf_chip *chip, u32 rstvec);
+ };
+ 
++int brcmf_chip_get_raminfo(struct brcmf_chip *pub);
+ struct brcmf_chip *brcmf_chip_attach(void *ctx,
+ 				     const struct brcmf_buscore_ops *ops);
+ void brcmf_chip_detach(struct brcmf_chip *chip);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1779,6 +1779,12 @@ static void brcmf_pcie_setup(struct devi
+ 	nvram_len = fwreq->items[BRCMF_PCIE_FW_NVRAM].nv_data.len;
+ 	kfree(fwreq);
+ 
++	ret = brcmf_chip_get_raminfo(devinfo->ci);
++	if (ret) {
++		brcmf_err(bus, "Failed to get RAM info\n");
++		goto fail;
++	}
++
+ 	/* Some of the firmwares have the size of the memory of the device
+ 	 * defined inside the firmware. This is because part of the memory in
+ 	 * the device is shared and the devision is determined by FW. Parse

package/kernel/mt76/Makefile

@@ -8,9 +8,9 @@ PKG_LICENSE_FILES:=
 
 PKG_SOURCE_URL:=https://github.com/openwrt/mt76
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2019-01-25
-PKG_SOURCE_VERSION:=0b939dc7edf0629ee2d1475b6dd6b9a4a1f9384d
-PKG_MIRROR_HASH:=64279b0186a6dabd8916085e6bb272b11a1a8c3f2ad4e41c9fb1cefef71d71ba
+PKG_SOURCE_DATE:=2019-03-23
+PKG_SOURCE_VERSION:=a5f5605f3246e65341cc11098e8168aff22a824b
+PKG_MIRROR_HASH:=a05b1179d82ba79c729eabcb2ba6999d935646607eea2f7a7632766896277fba
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_BUILD_PARALLEL:=1

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.14.1
+PKG_VERSION:=2.16.1
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=baa1121952786f5b2c66c52226a8ca0e05126de920d1756266551df677915b7e
+PKG_HASH:=7ab76eaefab0b02f26ca889230d553facb2598f3a8f077886c41ec1801d2131a
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -557,14 +557,14 @@
+@@ -599,14 +599,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -654,19 +654,19 @@
+@@ -716,19 +716,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -682,7 +682,7 @@
+@@ -777,7 +777,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -768,7 +768,7 @@
+@@ -830,7 +830,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -788,7 +788,7 @@
+@@ -850,7 +850,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -813,7 +813,7 @@
+@@ -875,7 +875,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -947,7 +947,7 @@
+@@ -1009,7 +1009,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -971,7 +971,7 @@
+@@ -1033,7 +1033,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1075,7 +1075,7 @@
+@@ -1137,7 +1137,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1170,14 +1170,14 @@
+@@ -1232,14 +1232,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1160,7 +1160,7 @@
+@@ -1255,7 +1255,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1331,7 +1331,7 @@
+@@ -1393,7 +1393,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1506,7 +1506,7 @@
+@@ -1568,7 +1568,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1536,7 +1536,7 @@
+@@ -1598,7 +1598,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1595,7 +1595,7 @@
+@@ -1657,7 +1657,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1925,7 +1925,7 @@
+@@ -1987,7 +1987,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -1991,7 +1991,7 @@
+@@ -2053,7 +2053,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2003,7 +2003,7 @@
+@@ -2065,7 +2065,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -1979,7 +1979,7 @@
+@@ -2074,7 +2074,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -1990,7 +1990,7 @@
+@@ -2085,7 +2085,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2078,7 +2078,7 @@
+@@ -2140,7 +2140,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2107,7 +2107,7 @@
+@@ -2169,7 +2169,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2270,7 +2270,7 @@
+@@ -2332,7 +2332,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2249,7 +2249,7 @@
+@@ -2346,7 +2346,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2580,7 +2580,7 @@
+@@ -2642,7 +2642,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2555,7 +2555,7 @@
+@@ -2652,7 +2652,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2601,7 +2601,7 @@
+@@ -2663,7 +2663,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2708,7 +2708,7 @@
+@@ -2770,7 +2770,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2808,7 +2808,7 @@
+@@ -2870,7 +2870,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -2918,7 +2918,7 @@
+@@ -2980,7 +2980,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/libs/mbedtls/patches/300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch

@@ -15,7 +15,7 @@ Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 
 --- a/include/mbedtls/bn_mul.h
 +++ b/include/mbedtls/bn_mul.h
-@@ -638,7 +638,8 @@
+@@ -644,7 +644,8 @@
             "r6", "r7", "r8", "r9", "cc"         \
           );
  

package/libs/mbedtls/patches/300-soversion-compatibility.patch

@@ -1,19 +1,19 @@
 --- a/library/CMakeLists.txt
 +++ b/library/CMakeLists.txt
-@@ -159,7 +159,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
+@@ -165,7 +165,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
  
  if(USE_SHARED_MBEDTLS_LIBRARY)
      add_library(mbedcrypto SHARED ${src_crypto})
--    set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.1 SOVERSION 3)
+-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.1 SOVERSION 3)
 +    set_target_properties(mbedcrypto PROPERTIES VERSION 2.12.0 SOVERSION 1)
      target_link_libraries(mbedcrypto ${libs})
  
      add_library(mbedx509 SHARED ${src_x509})
-@@ -167,7 +167,7 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
+@@ -173,7 +173,7 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
      target_link_libraries(mbedx509 ${libs} mbedcrypto)
  
      add_library(mbedtls SHARED ${src_tls})
--    set_target_properties(mbedtls PROPERTIES VERSION 2.14.1 SOVERSION 12)
+-    set_target_properties(mbedtls PROPERTIES VERSION 2.16.1 SOVERSION 12)
 +    set_target_properties(mbedtls PROPERTIES VERSION 2.12.0 SOVERSION 10)
      target_link_libraries(mbedtls ${libs} mbedx509)
  

package/libs/openssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.0.2
-PKG_BUGFIX:=q
+PKG_BUGFIX:=s
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
 	http://gd.tuwien.ac.at/infosys/security/openssl/source/ \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
+PKG_HASH:=cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE

package/libs/openssl/patches/200-parallel_build.patch

@@ -92,7 +92,7 @@
  		fi; \
 --- a/crypto/Makefile
 +++ b/crypto/Makefile
-@@ -85,11 +85,11 @@ testapps:
+@@ -87,11 +87,11 @@ testapps:
  	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
  
  subdirs:
@@ -106,7 +106,7 @@
  
  links:
  	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@ links:
+@@ -102,7 +102,7 @@ links:
  # lib: $(LIB): are splitted to avoid end-less loop
  lib:	$(LIB)
  	@touch lib
@@ -115,7 +115,7 @@
  	$(AR) $(LIB) $(LIBOBJ)
  	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
  	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs
+@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
  	fi
  
  libs:
@@ -124,7 +124,7 @@
  
  install:
  	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@ install:
+@@ -122,7 +122,7 @@ install:
  	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
  	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
  	done;

package/network/config/netifd/Makefile

@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netifd
-PKG_RELEASE:=2
+PKG_RELEASE:=2.1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git
-PKG_SOURCE_DATE:=2018-11-19
-PKG_SOURCE_VERSION:=4b83102da60bf26b455ac8425a1f5e338ea01f8a
-PKG_MIRROR_HASH:=74189ed52039f9d688090cba595ae722174987cd4b804d984e18bdc7ae3773f8
+PKG_SOURCE_DATE:=2019-01-31
+PKG_SOURCE_VERSION:=a2aba5c7ae574452a9f81e9d788afecdd8ec07b2
+PKG_MIRROR_HASH:=c5ff34aa401549e377c9e4ee5ce7443796a02bea743ecdc73f439cd942914c8d
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 
 PKG_LICENSE:=GPL-2.0

package/network/services/dnsmasq/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.80
-PKG_RELEASE:=1.2
+PKG_RELEASE:=1.4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq

package/network/services/dnsmasq/files/dnsmasq.init

@@ -731,7 +731,9 @@ dhcp_relay_add() {
 
 dnsmasq_start()
 {
-	local cfg="$1" disabled resolvfile user_dhcpscript
+	local cfg="$1"
+	local disabled user_dhcpscript
+	local resolvfile localuse=0
 
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return 0
@@ -882,12 +884,12 @@ dnsmasq_start()
 
 	config_get_bool noresolv "$cfg" noresolv 0
 	if [ "$noresolv" != "1" ]; then
-		config_get resolvfile "$cfg" resolvfile "/tmp/resolv.conf.auto"
-		# So jail doesn't complain if file missing
-		[ -n "$resolvfile" -a \! -e "$resolvfile" ] && touch "$resolvfile"
+		config_get resolvfile "$cfg" resolvfile /tmp/resolv.conf.auto
+		[ -n "$resolvfile" -a ! -e "$resolvfile" ] && touch "$resolvfile"
+		xappend "--resolv-file=$resolvfile"
+		[ "$resolvfile" = "/tmp/resolv.conf.auto" ] && localuse=1
 	fi
-
-	[ -n "$resolvfile" ] && xappend "--resolv-file=$resolvfile"
+	config_get_bool localuse "$cfg" localuse "$localuse"
 
 	config_get hostsfile "$cfg" dhcphostsfile
 	[ -e "$hostsfile" ] && xappend "--dhcp-hostsfile=$hostsfile"
@@ -1010,7 +1012,7 @@ dnsmasq_start()
 	mv -f $CONFIGFILE_TMP $CONFIGFILE
 	mv -f $HOSTFILE_TMP $HOSTFILE
 
-	[ "$resolvfile" = "/tmp/resolv.conf.auto" ] && {
+	[ "$localuse" -gt 0 ] && {
 		rm -f /tmp/resolv.conf
 		[ $ADD_LOCAL_DOMAIN -eq 1 ] && [ -n "$DOMAIN" ] && {
 			echo "search $DOMAIN" >> /tmp/resolv.conf
@@ -1036,17 +1038,15 @@ dnsmasq_start()
 
 dnsmasq_stop()
 {
-	local cfg="$1" resolvfile
+	local cfg="$1"
+	local noresolv resolvfile localuse=0
 
+	config_get_bool noresolv "$cfg" noresolv 0
 	config_get resolvfile "$cfg" "resolvfile"
 
-	#relink /tmp/resolve.conf only for main instance
-	[ "$resolvfile" = "/tmp/resolv.conf.auto" ] && {
-		[ -f /tmp/resolv.conf ] && {
-			rm -f /tmp/resolv.conf
-			ln -s "$resolvfile" /tmp/resolv.conf
-		}
-	}
+	[ "$noresolv" = 0 -a "$resolvfile" = "/tmp/resolv.conf.auto" ] && localuse=1
+	config_get_bool localuse "$cfg" localuse "$localuse"
+	[ "$localuse" -gt 0 ] && ln -sf "/tmp/resolv.conf.auto" /tmp/resolv.conf
 
 	rm -f ${BASEDHCPSTAMPFILE}.${cfg}.*.dhcp
 }

package/network/services/hostapd/Makefile

@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git

package/network/services/hostapd/patches/060-0001-EAP-pwd-Move-EC-group-initialization-to-earlier-step.patch

@@ -0,0 +1,104 @@
+From 2a5c291881fa819325d0287d0763776edfcb1943 Mon Sep 17 00:00:00 2001
+From: Dan Harkins <dharkins@lounge.org>
+Date: Fri, 25 May 2018 21:40:04 +0300
+Subject: [PATCH] EAP-pwd: Move EC group initialization to earlier step
+
+This is needed for adding support for salted passwords.
+
+Signed-off-by: Dan Harkins <dharkins@lounge.org>
+---
+ src/eap_common/eap_pwd_common.c | 32 +++++++++++++++++++++++---------
+ src/eap_common/eap_pwd_common.h |  1 +
+ src/eap_peer/eap_pwd.c          |  2 +-
+ src/eap_server/eap_server_pwd.c |  2 +-
+ 4 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -81,6 +81,27 @@ static int eap_pwd_kdf(const u8 *key, si
+ }
+ 
+ 
++EAP_PWD_group * get_eap_pwd_group(u16 num)
++{
++	EAP_PWD_group *grp;
++
++	grp = os_zalloc(sizeof(EAP_PWD_group));
++	if (!grp)
++		return NULL;
++	grp->group = crypto_ec_init(num);
++	if (!grp->group) {
++		wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
++		os_free(grp);
++		return NULL;
++	}
++
++	grp->group_num = num;
++	wpa_printf(MSG_INFO, "EAP-pwd: provisioned group %d", num);
++
++	return grp;
++}
++
++
+ /*
+  * compute a "random" secret point on an elliptic curve based
+  * on the password and identities.
+@@ -97,12 +118,8 @@ int compute_password_element(EAP_PWD_gro
+ 	size_t primebytelen, primebitlen;
+ 	struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
+ 
+-	grp->pwe = NULL;
+-	grp->group = crypto_ec_init(num);
+-	if (!grp->group) {
+-		wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
+-		goto fail;
+-	}
++	if (grp->pwe)
++		return -1;
+ 
+ 	cofactor = crypto_bignum_init();
+ 	grp->pwe = crypto_ec_point_init(grp->group);
+@@ -234,11 +251,8 @@ int compute_password_element(EAP_PWD_gro
+ 		break;
+ 	}
+ 	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
+-	grp->group_num = num;
+ 	if (0) {
+  fail:
+-		crypto_ec_deinit(grp->group);
+-		grp->group = NULL;
+ 		crypto_ec_point_deinit(grp->pwe, 1);
+ 		grp->pwe = NULL;
+ 		ret = 1;
+--- a/src/eap_common/eap_pwd_common.h
++++ b/src/eap_common/eap_pwd_common.h
+@@ -50,6 +50,7 @@ struct eap_pwd_id {
+ } STRUCT_PACKED;
+ 
+ /* common routines */
++EAP_PWD_group * get_eap_pwd_group(u16 num);
+ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ 			     const u8 *password, size_t password_len,
+ 			     const u8 *id_server, size_t id_server_len,
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -265,7 +265,7 @@ eap_pwd_perform_id_exchange(struct eap_s
+ 	wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
+ 			  data->id_server, data->id_server_len);
+ 
+-	data->grp = os_zalloc(sizeof(EAP_PWD_group));
++	data->grp = get_eap_pwd_group(data->group_num);
+ 	if (data->grp == NULL) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
+ 			   "group");
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -562,7 +562,7 @@ static void eap_pwd_process_id_resp(stru
+ 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",
+ 			  data->id_peer, data->id_peer_len);
+ 
+-	data->grp = os_zalloc(sizeof(EAP_PWD_group));
++	data->grp = get_eap_pwd_group(data->group_num);
+ 	if (data->grp == NULL) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
+ 			   "group");

package/network/services/hostapd/patches/060-0002-EAP-pwd-Mask-timing-of-PWE-derivation.patch

@@ -0,0 +1,247 @@
+From 22ac3dfebf7b25a3aae02f9b4f69025bb4173137 Mon Sep 17 00:00:00 2001
+From: Dan Harkins <dharkins@lounge.org>
+Date: Fri, 25 May 2018 21:40:04 +0300
+Subject: [PATCH] EAP-pwd: Mask timing of PWE derivation
+
+Run through the hunting-and-pecking loop 40 times to mask the time
+necessary to find PWE. The odds of PWE not being found in 40 loops is
+roughly 1 in 1 trillion.
+
+Signed-off-by: Dan Harkins <dharkins@lounge.org>
+---
+ src/eap_common/eap_pwd_common.c | 171 ++++++++++++++++++++++++--------
+ 1 file changed, 130 insertions(+), 41 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -112,18 +112,25 @@ int compute_password_element(EAP_PWD_gro
+ 			     const u8 *id_peer, size_t id_peer_len,
+ 			     const u8 *token)
+ {
++	struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
++	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ 	struct crypto_hash *hash;
+ 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+-	int is_odd, ret = 0;
++	int is_odd, ret = 0, check, found = 0;
+ 	size_t primebytelen, primebitlen;
+ 	struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
++	const struct crypto_bignum *prime;
+ 
+ 	if (grp->pwe)
+ 		return -1;
+ 
++	prime = crypto_ec_get_prime(grp->group);
+ 	cofactor = crypto_bignum_init();
+ 	grp->pwe = crypto_ec_point_init(grp->group);
+-	if (!cofactor || !grp->pwe) {
++	tmp1 = crypto_bignum_init();
++	pm1 = crypto_bignum_init();
++	one = crypto_bignum_init_set((const u8 *) "\x01", 1);
++	if (!cofactor || !grp->pwe || !tmp1 || !pm1 || !one) {
+ 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+ 		goto fail;
+ 	}
+@@ -140,15 +147,36 @@ int compute_password_element(EAP_PWD_gro
+ 			   "buffer");
+ 		goto fail;
+ 	}
++	if (crypto_bignum_sub(prime, one, pm1) < 0)
++		goto fail;
++
++	/* get a random quadratic residue and nonresidue */
++	while (!qr || !qnr) {
++		int res;
++
++		if (crypto_bignum_rand(tmp1, prime) < 0)
++			goto fail;
++		res = crypto_bignum_legendre(tmp1, prime);
++		if (!qr && res == 1) {
++			qr = tmp1;
++			tmp1 = crypto_bignum_init();
++		} else if (!qnr && res == -1) {
++			qnr = tmp1;
++			tmp1 = crypto_bignum_init();
++		}
++		if (!tmp1)
++			goto fail;
++	}
++
+ 	os_memset(prfbuf, 0, primebytelen);
+ 	ctr = 0;
+-	while (1) {
+-		if (ctr > 30) {
+-			wpa_printf(MSG_INFO, "EAP-pwd: unable to find random "
+-				   "point on curve for group %d, something's "
+-				   "fishy", num);
+-			goto fail;
+-		}
++
++	/*
++	 * Run through the hunting-and-pecking loop 40 times to mask the time
++	 * necessary to find PWE. The odds of PWE not being found in 40 loops is
++	 * roughly 1 in 1 trillion.
++	 */
++	while (ctr < 40) {
+ 		ctr++;
+ 
+ 		/*
+@@ -199,58 +227,113 @@ int compute_password_element(EAP_PWD_gro
+ 					 x_candidate) < 0)
+ 			goto fail;
+ 
+-		if (crypto_bignum_cmp(x_candidate,
+-				      crypto_ec_get_prime(grp->group)) >= 0)
++		if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+ 			continue;
+ 
+ 		wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
+ 			    prfbuf, primebytelen);
+ 
+ 		/*
+-		 * need to unambiguously identify the solution, if there is
+-		 * one...
++		 * compute y^2 using the equation of the curve
++		 *
++		 *      y^2 = x^3 + ax + b
+ 		 */
+-		is_odd = crypto_bignum_is_odd(rnd);
++		tmp2 = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++		if (!tmp2)
++			goto fail;
+ 
+ 		/*
+-		 * solve the quadratic equation, if it's not solvable then we
+-		 * don't have a point
++		 * mask tmp2 so doing legendre won't leak timing info
++		 *
++		 * tmp1 is a random number between 1 and p-1
+ 		 */
+-		if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
+-						  x_candidate, is_odd) != 0) {
+-			wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
+-			continue;
+-		}
++		if (crypto_bignum_rand(tmp1, pm1) < 0 ||
++		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
++		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
++			goto fail;
++
+ 		/*
+-		 * If there's a solution to the equation then the point must be
+-		 * on the curve so why check again explicitly? OpenSSL code
+-		 * says this is required by X9.62. We're not X9.62 but it can't
+-		 * hurt just to be sure.
++		 * Now tmp2 (y^2) is masked, all values between 1 and p-1
++		 * are equally probable. Multiplying by r^2 does not change
++		 * whether or not tmp2 is a quadratic residue, just masks it.
++		 *
++		 * Flip a coin, multiply by the random quadratic residue or the
++		 * random quadratic nonresidue and record heads or tails.
+ 		 */
+-		if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
+-			wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
+-			continue;
++		if (crypto_bignum_is_odd(tmp1)) {
++			crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
++			check = 1;
++		} else {
++			crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
++			check = -1;
+ 		}
+ 
+-		if (!crypto_bignum_is_one(cofactor)) {
+-			/* make sure the point is not in a small sub-group */
+-			if (crypto_ec_point_mul(grp->group, grp->pwe,
+-						cofactor, grp->pwe) != 0) {
+-				wpa_printf(MSG_INFO, "EAP-pwd: cannot "
+-					   "multiply generator by order");
++		/*
++		 * Now it's safe to do legendre, if check is 1 then it's
++		 * a straightforward test (multiplying by qr does not
++		 * change result), if check is -1 then it's the opposite test
++		 * (multiplying a qr by qnr would make a qnr).
++		 */
++		if (crypto_bignum_legendre(tmp2, prime) == check) {
++			if (found == 1)
++				continue;
++
++			/* need to unambiguously identify the solution */
++			is_odd = crypto_bignum_is_odd(rnd);
++
++			/*
++			 * We know x_candidate is a quadratic residue so set
++			 * it here.
++			 */
++			if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
++							  x_candidate,
++							  is_odd) != 0) {
++				wpa_printf(MSG_INFO,
++					   "EAP-pwd: Could not solve for y");
+ 				continue;
+ 			}
+-			if (crypto_ec_point_is_at_infinity(grp->group,
+-							   grp->pwe)) {
+-				wpa_printf(MSG_INFO, "EAP-pwd: point is at "
+-					   "infinity");
++
++			/*
++			 * If there's a solution to the equation then the point
++			 * must be on the curve so why check again explicitly?
++			 * OpenSSL code says this is required by X9.62. We're
++			 * not X9.62 but it can't hurt just to be sure.
++			 */
++			if (!crypto_ec_point_is_on_curve(grp->group,
++							 grp->pwe)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-pwd: point is not on curve");
+ 				continue;
+ 			}
++
++			if (!crypto_bignum_is_one(cofactor)) {
++				/* make sure the point is not in a small
++				 * sub-group */
++				if (crypto_ec_point_mul(grp->group, grp->pwe,
++							cofactor,
++							grp->pwe) != 0) {
++					wpa_printf(MSG_INFO,
++						   "EAP-pwd: cannot multiply generator by order");
++					continue;
++				}
++				if (crypto_ec_point_is_at_infinity(grp->group,
++								   grp->pwe)) {
++					wpa_printf(MSG_INFO,
++						   "EAP-pwd: point is at infinity");
++					continue;
++				}
++			}
++			wpa_printf(MSG_DEBUG,
++				   "EAP-pwd: found a PWE in %d tries", ctr);
++			found = 1;
+ 		}
+-		/* if we got here then we have a new generator. */
+-		break;
+ 	}
+-	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
++	if (found == 0) {
++		wpa_printf(MSG_INFO,
++			   "EAP-pwd: unable to find random point on curve for group %d, something's fishy",
++			   num);
++		goto fail;
++	}
+ 	if (0) {
+  fail:
+ 		crypto_ec_point_deinit(grp->pwe, 1);
+@@ -261,6 +344,12 @@ int compute_password_element(EAP_PWD_gro
+ 	crypto_bignum_deinit(cofactor, 1);
+ 	crypto_bignum_deinit(x_candidate, 1);
+ 	crypto_bignum_deinit(rnd, 1);
++	crypto_bignum_deinit(pm1, 0);
++	crypto_bignum_deinit(tmp1, 1);
++	crypto_bignum_deinit(tmp2, 1);
++	crypto_bignum_deinit(qr, 1);
++	crypto_bignum_deinit(qnr, 1);
++	crypto_bignum_deinit(one, 0);
+ 	os_free(prfbuf);
+ 
+ 	return ret;

package/network/services/hostapd/patches/061-0001-OpenSSL-Use-constant-time-operations-for-private-big.patch

@@ -0,0 +1,88 @@
+From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:43:03 +0200
+Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
+ bignums
+
+This helps in reducing measurable timing differences in operations
+involving private information. BoringSSL has removed BN_FLG_CONSTTIME
+and expects specific constant time functions to be called instead, so a
+bit different approach is needed depending on which library is used.
+
+The main operation that needs protection against side channel attacks is
+BN_mod_exp() that depends on private keys (the public key validation
+step in crypto_dh_derive_secret() is an exception that can use the
+faster version since it does not depend on private keys).
+
+crypto_bignum_div() is currently used only in SAE FFC case with not
+safe-prime groups and only with values that do not depend on private
+keys, so it is not critical to protect it.
+
+crypto_bignum_inverse() is currently used only in SAE FFC PWE
+derivation. The additional protection here is targeting only OpenSSL.
+BoringSSL may need conversion to using BN_mod_inverse_blinded().
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -548,7 +548,8 @@ int crypto_mod_exp(const u8 *base, size_
+ 	    bn_result == NULL)
+ 		goto error;
+ 
+-	if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
++	if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
++				      ctx, NULL) != 1)
+ 		goto error;
+ 
+ 	*result_len = BN_bn2bin(bn_result, result);
+@@ -1294,8 +1295,9 @@ int crypto_bignum_exptmod(const struct c
+ 	bnctx = BN_CTX_new();
+ 	if (bnctx == NULL)
+ 		return -1;
+-	res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
+-			 (const BIGNUM *) c, bnctx);
++	res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
++					(const BIGNUM *) b, (const BIGNUM *) c,
++					bnctx, NULL);
+ 	BN_CTX_free(bnctx);
+ 
+ 	return res ? 0 : -1;
+@@ -1314,6 +1316,11 @@ int crypto_bignum_inverse(const struct c
+ 	bnctx = BN_CTX_new();
+ 	if (bnctx == NULL)
+ 		return -1;
++#ifdef OPENSSL_IS_BORINGSSL
++	/* TODO: use BN_mod_inverse_blinded() ? */
++#else /* OPENSSL_IS_BORINGSSL */
++	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ 	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
+ 			     (const BIGNUM *) b, bnctx);
+ 	BN_CTX_free(bnctx);
+@@ -1347,6 +1354,9 @@ int crypto_bignum_div(const struct crypt
+ 	bnctx = BN_CTX_new();
+ 	if (bnctx == NULL)
+ 		return -1;
++#ifndef OPENSSL_IS_BORINGSSL
++	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ 	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
+ 		     (const BIGNUM *) b, bnctx);
+ 	BN_CTX_free(bnctx);
+@@ -1438,8 +1448,8 @@ int crypto_bignum_legendre(const struct
+ 	    /* exp = (p-1) / 2 */
+ 	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
+ 	    !BN_rshift1(exp, exp) ||
+-	    !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
+-			bnctx))
++	    !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
++				       (const BIGNUM *) p, bnctx, NULL))
+ 		goto fail;
+ 
+ 	if (BN_is_word(tmp, 1))

package/network/services/hostapd/patches/061-0002-Add-helper-functions-for-constant-time-operations.patch

@@ -0,0 +1,212 @@
+From 6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 27 Feb 2019 18:38:30 +0200
+Subject: [PATCH 02/14] Add helper functions for constant time operations
+
+These functions can be used to help implement constant time operations
+for various cryptographic operations that must minimize externally
+observable differences in processing (both in timing and also in
+internal cache use, etc.).
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/utils/const_time.h | 191 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 191 insertions(+)
+ create mode 100644 src/utils/const_time.h
+
+--- /dev/null
++++ b/src/utils/const_time.h
+@@ -0,0 +1,191 @@
++/*
++ * Helper functions for constant time operations
++ * Copyright (c) 2019, The Linux Foundation
++ *
++ * This software may be distributed under the terms of the BSD license.
++ * See README for more details.
++ *
++ * These helper functions can be used to implement logic that needs to minimize
++ * externally visible differences in execution path by avoiding use of branches,
++ * avoiding early termination or other time differences, and forcing same memory
++ * access pattern regardless of values.
++ */
++
++#ifndef CONST_TIME_H
++#define CONST_TIME_H
++
++
++#if defined(__clang__)
++#define NO_UBSAN_UINT_OVERFLOW \
++	__attribute__((no_sanitize("unsigned-integer-overflow")))
++#else
++#define NO_UBSAN_UINT_OVERFLOW
++#endif
++
++
++/**
++ * const_time_fill_msb - Fill all bits with MSB value
++ * @val: Input value
++ * Returns: Value with all the bits set to the MSB of the input val
++ */
++static inline unsigned int const_time_fill_msb(unsigned int val)
++{
++	/* Move the MSB to LSB and multiple by -1 to fill in all bits. */
++	return (val >> (sizeof(val) * 8 - 1)) * ~0U;
++}
++
++
++/* Returns: -1 if val is zero; 0 if val is not zero */
++static inline unsigned int const_time_is_zero(unsigned int val)
++	NO_UBSAN_UINT_OVERFLOW
++{
++	/* Set MSB to 1 for 0 and fill rest of bits with the MSB value */
++	return const_time_fill_msb(~val & (val - 1));
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline unsigned int const_time_eq(unsigned int a, unsigned int b)
++{
++	return const_time_is_zero(a ^ b);
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline u8 const_time_eq_u8(unsigned int a, unsigned int b)
++{
++	return (u8) const_time_eq(a, b);
++}
++
++
++/**
++ * const_time_eq_bin - Constant time memory comparison
++ * @a: First buffer to compare
++ * @b: Second buffer to compare
++ * @len: Number of octets to compare
++ * Returns: -1 if buffers are equal, 0 if not
++ *
++ * This function is meant for comparing passwords or hash values where
++ * difference in execution time or memory access pattern could provide external
++ * observer information about the location of the difference in the memory
++ * buffers. The return value does not behave like memcmp(), i.e.,
++ * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike
++ * memcmp(), the execution time of const_time_eq_bin() does not depend on the
++ * contents of the compared memory buffers, but only on the total compared
++ * length.
++ */
++static inline unsigned int const_time_eq_bin(const void *a, const void *b,
++					     size_t len)
++{
++	const u8 *aa = a;
++	const u8 *bb = b;
++	size_t i;
++	u8 res = 0;
++
++	for (i = 0; i < len; i++)
++		res |= aa[i] ^ bb[i];
++
++	return const_time_is_zero(res);
++}
++
++
++/**
++ * const_time_select - Constant time unsigned int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline unsigned int const_time_select(unsigned int mask,
++					     unsigned int true_val,
++					     unsigned int false_val)
++{
++	return (mask & true_val) | (~mask & false_val);
++}
++
++
++/**
++ * const_time_select_int - Constant time int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline int const_time_select_int(unsigned int mask, int true_val,
++					int false_val)
++{
++	return (int) const_time_select(mask, (unsigned int) true_val,
++				       (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_u8 - Constant time u8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val)
++{
++	return (u8) const_time_select(mask, true_val, false_val);
++}
++
++
++/**
++ * const_time_select_s8 - Constant time s8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val)
++{
++	return (s8) const_time_select(mask, (unsigned int) true_val,
++				      (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_bin - Constant time binary buffer selection copy
++ * @mask: 0 (false) or -1 (true) to identify which value to copy
++ * @true_val: Buffer to copy for the true case
++ * @false_val: Buffer to copy for the false case
++ * @len: Number of octets to copy
++ * @dst: Destination buffer for the copy
++ *
++ * This function copies the specified buffer into the destination buffer using
++ * operations with identical memory access pattern regardless of which buffer
++ * is being copied.
++ */
++static inline void const_time_select_bin(u8 mask, const u8 *true_val,
++					 const u8 *false_val, size_t len,
++					 u8 *dst)
++{
++	size_t i;
++
++	for (i = 0; i < len; i++)
++		dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]);
++}
++
++
++static inline int const_time_memcmp(const void *a, const void *b, size_t len)
++{
++	const u8 *aa = a;
++	const u8 *bb = b;
++	int diff, res = 0;
++	unsigned int mask;
++
++	if (len == 0)
++		return 0;
++	do {
++		len--;
++		diff = (int) aa[len] - (int) bb[len];
++		mask = const_time_is_zero((unsigned int) diff);
++		res = const_time_select_int(mask, res, diff);
++	} while (len);
++
++	return res;
++}
++
++#endif /* CONST_TIME_H */

package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch

@@ -0,0 +1,55 @@
+From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 8 Mar 2019 00:24:12 +0200
+Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
+ crypto_bignum_legendre()
+
+Get rid of the branches that depend on the result of the Legendre
+operation. This is needed to avoid leaking information about different
+temporary results in blinding mechanisms.
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -24,6 +24,7 @@
+ #endif /* CONFIG_ECC */
+ 
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "wpabuf.h"
+ #include "dh_group5.h"
+ #include "sha1.h"
+@@ -1434,6 +1435,7 @@ int crypto_bignum_legendre(const struct
+ 	BN_CTX *bnctx;
+ 	BIGNUM *exp = NULL, *tmp = NULL;
+ 	int res = -2;
++	unsigned int mask;
+ 
+ 	if (TEST_FAIL())
+ 		return -2;
+@@ -1452,12 +1454,13 @@ int crypto_bignum_legendre(const struct
+ 				       (const BIGNUM *) p, bnctx, NULL))
+ 		goto fail;
+ 
+-	if (BN_is_word(tmp, 1))
+-		res = 1;
+-	else if (BN_is_zero(tmp))
+-		res = 0;
+-	else
+-		res = -1;
++	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
++	 * constant time selection to avoid branches here. */
++	res = -1;
++	mask = const_time_eq(BN_is_word(tmp, 1), 1);
++	res = const_time_select_int(mask, 1, res);
++	mask = const_time_eq(BN_is_zero(tmp), 1);
++	res = const_time_select_int(mask, 0, res);
+ 
+ fail:
+ 	BN_clear_free(tmp);

package/network/services/hostapd/patches/061-0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch

@@ -0,0 +1,242 @@
+From 6513db3e96c43c2e36805cf5ead349765d18eaf7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 13:05:09 +0200
+Subject: [PATCH 05/14] SAE: Minimize timing differences in PWE derivation
+
+The QR test result can provide information about the password to an
+attacker, so try to minimize differences in how the
+sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
+
+Use heap memory for the dummy password to allow the same password length
+to be used even with long passwords.
+
+Use constant time selection functions to track the real vs. dummy
+variables so that the exact same operations can be performed for both QR
+test results.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 106 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 57 insertions(+), 49 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -9,6 +9,7 @@
+ #include "includes.h"
+ 
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/crypto.h"
+ #include "crypto/sha256.h"
+ #include "crypto/random.h"
+@@ -269,15 +270,12 @@ static int sae_test_pwd_seed_ecc(struct
+ 				 const u8 *prime,
+ 				 const struct crypto_bignum *qr,
+ 				 const struct crypto_bignum *qnr,
+-				 struct crypto_bignum **ret_x_cand)
++				 u8 *pwd_value)
+ {
+-	u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
+ 	struct crypto_bignum *y_sqr, *x_cand;
+ 	int res;
+ 	size_t bits;
+ 
+-	*ret_x_cand = NULL;
+-
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+ 
+ 	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
+@@ -286,7 +284,7 @@ static int sae_test_pwd_seed_ecc(struct
+ 			    prime, sae->tmp->prime_len, pwd_value, bits) < 0)
+ 		return -1;
+ 	if (bits % 8)
+-		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
++		buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ 			pwd_value, sae->tmp->prime_len);
+ 
+@@ -297,20 +295,13 @@ static int sae_test_pwd_seed_ecc(struct
+ 	if (!x_cand)
+ 		return -1;
+ 	y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
+-	if (!y_sqr) {
+-		crypto_bignum_deinit(x_cand, 1);
++	crypto_bignum_deinit(x_cand, 1);
++	if (!y_sqr)
+ 		return -1;
+-	}
+ 
+ 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ 	crypto_bignum_deinit(y_sqr, 1);
+-	if (res <= 0) {
+-		crypto_bignum_deinit(x_cand, 1);
+-		return res;
+-	}
+-
+-	*ret_x_cand = x_cand;
+-	return 1;
++	return res;
+ }
+ 
+ 
+@@ -431,25 +422,30 @@ static int sae_derive_pwe_ecc(struct sae
+ 	const u8 *addr[3];
+ 	size_t len[3];
+ 	size_t num_elem;
+-	u8 dummy_password[32];
+-	size_t dummy_password_len;
++	u8 *dummy_password, *tmp_password;
+ 	int pwd_seed_odd = 0;
+ 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ 	size_t prime_len;
+-	struct crypto_bignum *x = NULL, *qr, *qnr;
++	struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++	u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
++	u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ 	size_t bits;
+-	int res;
+-
+-	dummy_password_len = password_len;
+-	if (dummy_password_len > sizeof(dummy_password))
+-		dummy_password_len = sizeof(dummy_password);
+-	if (random_get_bytes(dummy_password, dummy_password_len) < 0)
+-		return -1;
++	int res = -1;
++	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++		       * mask */
++
++	os_memset(x_bin, 0, sizeof(x_bin));
++
++	dummy_password = os_malloc(password_len);
++	tmp_password = os_malloc(password_len);
++	if (!dummy_password || !tmp_password ||
++	    random_get_bytes(dummy_password, password_len) < 0)
++		goto fail;
+ 
+ 	prime_len = sae->tmp->prime_len;
+ 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
+ 				 prime_len) < 0)
+-		return -1;
++		goto fail;
+ 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
+ 
+ 	/*
+@@ -458,7 +454,7 @@ static int sae_derive_pwe_ecc(struct sae
+ 	 */
+ 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+ 			      &qr, &qnr) < 0)
+-		return -1;
++		goto fail;
+ 
+ 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ 			      password, password_len);
+@@ -474,7 +470,7 @@ static int sae_derive_pwe_ecc(struct sae
+ 	 */
+ 	sae_pwd_seed_key(addr1, addr2, addrs);
+ 
+-	addr[0] = password;
++	addr[0] = tmp_password;
+ 	len[0] = password_len;
+ 	num_elem = 1;
+ 	if (identifier) {
+@@ -491,9 +487,8 @@ static int sae_derive_pwe_ecc(struct sae
+ 	 * attacks that attempt to determine the number of iterations required
+ 	 * in the loop.
+ 	 */
+-	for (counter = 1; counter <= k || !x; counter++) {
++	for (counter = 1; counter <= k || !found; counter++) {
+ 		u8 pwd_seed[SHA256_MAC_LEN];
+-		struct crypto_bignum *x_cand;
+ 
+ 		if (counter > 200) {
+ 			/* This should not happen in practice */
+@@ -501,40 +496,49 @@ static int sae_derive_pwe_ecc(struct sae
+ 			break;
+ 		}
+ 
+-		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++		wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
++		const_time_select_bin(found, dummy_password, password,
++				      password_len, tmp_password);
+ 		if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ 				       addr, len, pwd_seed) < 0)
+ 			break;
+ 
+ 		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+-					    prime, qr, qnr, &x_cand);
++					    prime, qr, qnr, x_cand_bin);
++		const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
++				      x_bin);
++		pwd_seed_odd = const_time_select_u8(
++			found, pwd_seed_odd,
++			pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
++		os_memset(pwd_seed, 0, sizeof(pwd_seed));
+ 		if (res < 0)
+ 			goto fail;
+-		if (res > 0 && !x) {
+-			wpa_printf(MSG_DEBUG,
+-				   "SAE: Selected pwd-seed with counter %u",
+-				   counter);
+-			x = x_cand;
+-			pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
+-			os_memset(pwd_seed, 0, sizeof(pwd_seed));
+-
+-			/*
+-			 * Use a dummy password for the following rounds, if
+-			 * any.
+-			 */
+-			addr[0] = dummy_password;
+-			len[0] = dummy_password_len;
+-		} else if (res > 0) {
+-			crypto_bignum_deinit(x_cand, 1);
+-		}
++		/* Need to minimize differences in handling res == 0 and 1 here
++		 * to avoid differences in timing and instruction cache access,
++		 * so use const_time_select_*() to make local copies of the
++		 * values based on whether this loop iteration was the one that
++		 * found the pwd-seed/x. */
++
++		/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
++		 * (with res converted to 0/0xff) handles this in constant time.
++		 */
++		found |= res * 0xff;
++		wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
++			   res, found);
+ 	}
+ 
+-	if (!x) {
++	if (!found) {
+ 		wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
+ 		res = -1;
+ 		goto fail;
+ 	}
+ 
++	x = crypto_bignum_init_set(x_bin, prime_len);
++	if (!x) {
++		res = -1;
++		goto fail;
++	}
++
+ 	if (!sae->tmp->pwe_ecc)
+ 		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+ 	if (!sae->tmp->pwe_ecc)
+@@ -543,7 +547,6 @@ static int sae_derive_pwe_ecc(struct sae
+ 		res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+ 						    sae->tmp->pwe_ecc, x,
+ 						    pwd_seed_odd);
+-	crypto_bignum_deinit(x, 1);
+ 	if (res < 0) {
+ 		/*
+ 		 * This should not happen since we already checked that there
+@@ -555,6 +558,11 @@ static int sae_derive_pwe_ecc(struct sae
+ fail:
+ 	crypto_bignum_deinit(qr, 0);
+ 	crypto_bignum_deinit(qnr, 0);
++	os_free(dummy_password);
++	bin_clear_free(tmp_password, password_len);
++	crypto_bignum_deinit(x, 1);
++	os_memset(x_bin, 0, sizeof(x_bin));
++	os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
+ 
+ 	return res;
+ }

package/network/services/hostapd/patches/061-0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch

@@ -0,0 +1,139 @@
+From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 19:34:38 +0200
+Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind()
+
+Make the non-failure path in the function proceed without branches based
+on r_odd and in constant time to minimize risk of observable differences
+in timing or cache use. (CVE-2019-9494)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 64 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -209,12 +209,14 @@ get_rand_1_to_p_1(const u8 *prime, size_
+ 
+ static int is_quadratic_residue_blind(struct sae_data *sae,
+ 				      const u8 *prime, size_t bits,
+-				      const struct crypto_bignum *qr,
+-				      const struct crypto_bignum *qnr,
++				      const u8 *qr, const u8 *qnr,
+ 				      const struct crypto_bignum *y_sqr)
+ {
+-	struct crypto_bignum *r, *num;
++	struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
+ 	int r_odd, check, res = -1;
++	u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++	size_t prime_len = sae->tmp->prime_len;
++	unsigned int mask;
+ 
+ 	/*
+ 	 * Use the blinding technique to mask y_sqr while determining
+@@ -225,7 +227,7 @@ static int is_quadratic_residue_blind(st
+ 	 * r = a random number between 1 and p-1, inclusive
+ 	 * num = (v * r * r) modulo p
+ 	 */
+-	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
++	r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+ 	if (!r)
+ 		return -1;
+ 
+@@ -235,41 +237,45 @@ static int is_quadratic_residue_blind(st
+ 	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
+ 		goto fail;
+ 
+-	if (r_odd) {
+-		/*
+-		 * num = (num * qr) module p
+-		 * LGR(num, p) = 1 ==> quadratic residue
+-		 */
+-		if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
+-			goto fail;
+-		check = 1;
+-	} else {
+-		/*
+-		 * num = (num * qnr) module p
+-		 * LGR(num, p) = -1 ==> quadratic residue
+-		 */
+-		if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
+-			goto fail;
+-		check = -1;
+-	}
++	/*
++	 * Need to minimize differences in handling different cases, so try to
++	 * avoid branches and timing differences.
++	 *
++	 * If r_odd:
++	 * num = (num * qr) module p
++	 * LGR(num, p) = 1 ==> quadratic residue
++	 * else:
++	 * num = (num * qnr) module p
++	 * LGR(num, p) = -1 ==> quadratic residue
++	 */
++	mask = const_time_is_zero(r_odd);
++	const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
++	qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
++	if (!qr_or_qnr ||
++	    crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
++		goto fail;
++	/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
++	check = const_time_select_int(mask, -1, 1);
+ 
+ 	res = crypto_bignum_legendre(num, sae->tmp->prime);
+ 	if (res == -2) {
+ 		res = -1;
+ 		goto fail;
+ 	}
+-	res = res == check;
++	/* branchless version of res = res == check
++	 * (res is -1, 0, or 1; check is -1 or 1) */
++	mask = const_time_eq(res, check);
++	res = const_time_select_int(mask, 1, 0);
+ fail:
+ 	crypto_bignum_deinit(num, 1);
+ 	crypto_bignum_deinit(r, 1);
++	crypto_bignum_deinit(qr_or_qnr, 1);
+ 	return res;
+ }
+ 
+ 
+ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+-				 const u8 *prime,
+-				 const struct crypto_bignum *qr,
+-				 const struct crypto_bignum *qnr,
++				 const u8 *prime, const u8 *qr, const u8 *qnr,
+ 				 u8 *pwd_value)
+ {
+ 	struct crypto_bignum *y_sqr, *x_cand;
+@@ -429,6 +435,8 @@ static int sae_derive_pwe_ecc(struct sae
+ 	struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
+ 	u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ 	u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
++	u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
++	u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
+ 	size_t bits;
+ 	int res = -1;
+ 	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+@@ -453,7 +461,9 @@ static int sae_derive_pwe_ecc(struct sae
+ 	 * (qnr) modulo p for blinding purposes during the loop.
+ 	 */
+ 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+-			      &qr, &qnr) < 0)
++			      &qr, &qnr) < 0 ||
++	    crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
++	    crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
+ 		goto fail;
+ 
+ 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+@@ -504,7 +514,7 @@ static int sae_derive_pwe_ecc(struct sae
+ 			break;
+ 
+ 		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+-					    prime, qr, qnr, x_cand_bin);
++					    prime, qr_bin, qnr_bin, x_cand_bin);
+ 		const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
+ 				      x_bin);
+ 		pwd_seed_odd = const_time_select_u8(

package/network/services/hostapd/patches/061-0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch

@@ -0,0 +1,113 @@
+From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:24:09 +0200
+Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24
+
+These groups have significant probability of coming up with pwd-value
+that is equal or greater than the prime and as such, need for going
+through the PWE derivation loop multiple times. This can result in
+sufficient timing different to allow an external observer to determine
+how many rounds are needed and that can leak information about the used
+password.
+
+Force at least 40 loop rounds for these MODP groups similarly to the ECC
+group design to mask timing. This behavior is not described in IEEE Std
+802.11-2016 for SAE, but it does not result in different values (i.e.,
+only different timing), so such implementation specific countermeasures
+can be done without breaking interoperability with other implementation.
+
+Note: These MODP groups 22, 23, and 24 are not considered sufficiently
+strong to be used with SAE (or more or less anything else). As such,
+they should never be enabled in runtime configuration for any production
+use cases. These changes to introduce additional protection to mask
+timing is only for completeness of implementation and not an indication
+that these groups should be used.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -578,22 +578,27 @@ fail:
+ }
+ 
+ 
++static int sae_modp_group_require_masking(int group)
++{
++	/* Groups for which pwd-value is likely to be >= p frequently */
++	return group == 22 || group == 23 || group == 24;
++}
++
++
+ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ 			      const u8 *addr2, const u8 *password,
+ 			      size_t password_len, const char *identifier)
+ {
+-	u8 counter;
++	u8 counter, k;
+ 	u8 addrs[2 * ETH_ALEN];
+ 	const u8 *addr[3];
+ 	size_t len[3];
+ 	size_t num_elem;
+ 	int found = 0;
++	struct crypto_bignum *pwe = NULL;
+ 
+-	if (sae->tmp->pwe_ffc == NULL) {
+-		sae->tmp->pwe_ffc = crypto_bignum_init();
+-		if (sae->tmp->pwe_ffc == NULL)
+-			return -1;
+-	}
++	crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
++	sae->tmp->pwe_ffc = NULL;
+ 
+ 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ 			      password, password_len);
+@@ -617,7 +622,9 @@ static int sae_derive_pwe_ffc(struct sae
+ 	len[num_elem] = sizeof(counter);
+ 	num_elem++;
+ 
+-	for (counter = 1; !found; counter++) {
++	k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
++
++	for (counter = 1; counter <= k || !found; counter++) {
+ 		u8 pwd_seed[SHA256_MAC_LEN];
+ 		int res;
+ 
+@@ -627,19 +634,30 @@ static int sae_derive_pwe_ffc(struct sae
+ 			break;
+ 		}
+ 
+-		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++		wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
+ 		if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ 				       addr, len, pwd_seed) < 0)
+ 			break;
+-		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
++		if (!pwe) {
++			pwe = crypto_bignum_init();
++			if (!pwe)
++				break;
++		}
++		res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
+ 		if (res < 0)
+ 			break;
+ 		if (res > 0) {
+-			wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+ 			found = 1;
++			if (!sae->tmp->pwe_ffc) {
++				wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
++				sae->tmp->pwe_ffc = pwe;
++				pwe = NULL;
++			}
+ 		}
+ 	}
+ 
++	crypto_bignum_deinit(pwe, 1);
++
+ 	return found ? 0 : -1;
+ }
+ 

package/network/services/hostapd/patches/061-0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch

@@ -0,0 +1,100 @@
+From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:45:33 +0200
+Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
+
+This is an initial step towards making the FFC case use strictly
+constant time operations similarly to the ECC case.
+sae_test_pwd_seed_ffc() does not yet have constant time behavior,
+though.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 53 +++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 18 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -589,17 +589,28 @@ static int sae_derive_pwe_ffc(struct sae
+ 			      const u8 *addr2, const u8 *password,
+ 			      size_t password_len, const char *identifier)
+ {
+-	u8 counter, k;
++	u8 counter, k, sel_counter = 0;
+ 	u8 addrs[2 * ETH_ALEN];
+ 	const u8 *addr[3];
+ 	size_t len[3];
+ 	size_t num_elem;
+-	int found = 0;
+-	struct crypto_bignum *pwe = NULL;
++	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++		       * mask */
++	u8 mask;
++	struct crypto_bignum *pwe;
++	size_t prime_len = sae->tmp->prime_len * 8;
++	u8 *pwe_buf;
+ 
+ 	crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+ 	sae->tmp->pwe_ffc = NULL;
+ 
++	/* Allocate a buffer to maintain selected and candidate PWE for constant
++	 * time selection. */
++	pwe_buf = os_zalloc(prime_len * 2);
++	pwe = crypto_bignum_init();
++	if (!pwe_buf || !pwe)
++		goto fail;
++
+ 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ 			      password, password_len);
+ 
+@@ -638,27 +649,33 @@ static int sae_derive_pwe_ffc(struct sae
+ 		if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ 				       addr, len, pwd_seed) < 0)
+ 			break;
+-		if (!pwe) {
+-			pwe = crypto_bignum_init();
+-			if (!pwe)
+-				break;
+-		}
+ 		res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
++		/* res is -1 for fatal failure, 0 if a valid PWE was not found,
++		 * or 1 if a valid PWE was found. */
+ 		if (res < 0)
+ 			break;
+-		if (res > 0) {
+-			found = 1;
+-			if (!sae->tmp->pwe_ffc) {
+-				wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+-				sae->tmp->pwe_ffc = pwe;
+-				pwe = NULL;
+-			}
+-		}
++		/* Store the candidate PWE into the second half of pwe_buf and
++		 * the selected PWE in the beginning of pwe_buf using constant
++		 * time selection. */
++		if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
++					 prime_len) < 0)
++			break;
++		const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
++				      prime_len, pwe_buf);
++		sel_counter = const_time_select_u8(found, sel_counter, counter);
++		mask = const_time_eq_u8(res, 1);
++		found = const_time_select_u8(found, found, mask);
+ 	}
+ 
+-	crypto_bignum_deinit(pwe, 1);
++	if (!found)
++		goto fail;
+ 
+-	return found ? 0 : -1;
++	wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
++	sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
++fail:
++	crypto_bignum_deinit(pwe, 1);
++	bin_clear_free(pwe_buf, prime_len * 2);
++	return sae->tmp->pwe_ffc ? 0 : -1;
+ }
+ 
+ 

package/network/services/hostapd/patches/061-0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch

@@ -0,0 +1,133 @@
+From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 16:05:56 +0200
+Subject: [PATCH 09/14] SAE: Use constant time operations in
+ sae_test_pwd_seed_ffc()
+
+Try to avoid showing externally visible timing or memory access
+differences regardless of whether the derived pwd-value is smaller than
+the group prime.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 75 ++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 46 insertions(+), 29 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -311,14 +311,17 @@ static int sae_test_pwd_seed_ecc(struct
+ }
+ 
+ 
++/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
++ * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
+ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ 				 struct crypto_bignum *pwe)
+ {
+ 	u8 pwd_value[SAE_MAX_PRIME_LEN];
+ 	size_t bits = sae->tmp->prime_len * 8;
+ 	u8 exp[1];
+-	struct crypto_bignum *a, *b;
+-	int res;
++	struct crypto_bignum *a, *b = NULL;
++	int res, is_val;
++	u8 pwd_value_valid;
+ 
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+ 
+@@ -330,16 +333,29 @@ static int sae_test_pwd_seed_ffc(struct
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
+ 			sae->tmp->prime_len);
+ 
+-	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
+-	{
+-		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
+-		return 0;
+-	}
++	/* Check whether pwd-value < p */
++	res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
++				sae->tmp->prime_len);
++	/* pwd-value >= p is invalid, so res is < 0 for the valid cases and
++	 * the negative sign can be used to fill the mask for constant time
++	 * selection */
++	pwd_value_valid = const_time_fill_msb(res);
++
++	/* If pwd-value >= p, force pwd-value to be < p and perform the
++	 * calculations anyway to hide timing difference. The derived PWE will
++	 * be ignored in that case. */
++	pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
+ 
+ 	/* PWE = pwd-value^((p-1)/r) modulo p */
+ 
++	res = -1;
+ 	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
++	if (!a)
++		goto fail;
+ 
++	/* This is an optimization based on the used group that does not depend
++	 * on the password in any way, so it is fine to use separate branches
++	 * for this step without constant time operations. */
+ 	if (sae->tmp->dh->safe_prime) {
+ 		/*
+ 		 * r = (p-1)/2 for the group used here, so this becomes:
+@@ -353,33 +369,34 @@ static int sae_test_pwd_seed_ffc(struct
+ 		b = crypto_bignum_init_set(exp, sizeof(exp));
+ 		if (b == NULL ||
+ 		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
+-		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
+-			crypto_bignum_deinit(b, 0);
+-			b = NULL;
+-		}
++		    crypto_bignum_div(b, sae->tmp->order, b) < 0)
++			goto fail;
+ 	}
+ 
+-	if (a == NULL || b == NULL)
+-		res = -1;
+-	else
+-		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
+-
+-	crypto_bignum_deinit(a, 0);
+-	crypto_bignum_deinit(b, 0);
+-
+-	if (res < 0) {
+-		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
+-		return -1;
+-	}
+-
+-	/* if (PWE > 1) --> found */
+-	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
+-		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
+-		return 0;
+-	}
++	if (!b)
++		goto fail;
+ 
+-	wpa_printf(MSG_DEBUG, "SAE: PWE found");
+-	return 1;
++	res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
++	if (res < 0)
++		goto fail;
++
++	/* There were no fatal errors in calculations, so determine the return
++	 * value using constant time operations. We get here for number of
++	 * invalid cases which are cleared here after having performed all the
++	 * computation. PWE is valid if pwd-value was less than prime and
++	 * PWE > 1. Start with pwd-value check first and then use constant time
++	 * operations to clear res to 0 if PWE is 0 or 1.
++	 */
++	res = const_time_select_u8(pwd_value_valid, 1, 0);
++	is_val = crypto_bignum_is_zero(pwe);
++	res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
++	is_val = crypto_bignum_is_one(pwe);
++	res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
++
++fail:
++	crypto_bignum_deinit(a, 1);
++	crypto_bignum_deinit(b, 1);
++	return res;
+ }
+ 
+ 

package/network/services/hostapd/patches/062-0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch

@@ -0,0 +1,319 @@
+From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:59:45 +0200
+Subject: [PATCH 04/14] EAP-pwd: Use constant time and memory access for
+ finding the PWE
+
+This algorithm could leak information to external observers in form of
+timing differences or memory access patterns (cache use). While the
+previous implementation had protection against the most visible timing
+differences (looping 40 rounds and masking the legendre operation), it
+did not protect against memory access patterns between the two possible
+code paths in the masking operations. That might be sufficient to allow
+an unprivileged process running on the same device to be able to
+determine which path is being executed through a cache attack and based
+on that, determine information about the used password.
+
+Convert the PWE finding loop to use constant time functions and
+identical memory access path without different branches for the QR/QNR
+cases to minimize possible side-channel information similarly to the
+changes done for SAE authentication. (CVE-2019-9495)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++++++-------------------
+ 1 file changed, 99 insertions(+), 88 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -8,11 +8,15 @@
+ 
+ #include "includes.h"
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/sha256.h"
+ #include "crypto/crypto.h"
+ #include "eap_defs.h"
+ #include "eap_pwd_common.h"
+ 
++#define MAX_ECC_PRIME_LEN 66
++
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ struct crypto_hash * eap_pwd_h_init(void)
+ {
+@@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 nu
+ }
+ 
+ 
++static void buf_shift_right(u8 *buf, size_t len, size_t bits)
++{
++	size_t i;
++	for (i = len - 1; i > 0; i--)
++		buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
++	buf[0] >>= bits;
++}
++
++
+ /*
+  * compute a "random" secret point on an elliptic curve based
+  * on the password and identities.
+@@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_gro
+ 			     const u8 *token)
+ {
+ 	struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
++	struct crypto_bignum *qr_or_qnr = NULL;
++	u8 qr_bin[MAX_ECC_PRIME_LEN];
++	u8 qnr_bin[MAX_ECC_PRIME_LEN];
++	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
++	u8 x_bin[MAX_ECC_PRIME_LEN];
+ 	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ 	struct crypto_hash *hash;
+ 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+-	int is_odd, ret = 0, check, found = 0;
+-	size_t primebytelen, primebitlen;
+-	struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
++	int ret = 0, check, res;
++	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++		       * mask */
++	size_t primebytelen = 0, primebitlen;
++	struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
+ 	const struct crypto_bignum *prime;
++	u8 mask, found_ctr = 0, is_odd = 0;
+ 
+ 	if (grp->pwe)
+ 		return -1;
+ 
++	os_memset(x_bin, 0, sizeof(x_bin));
++
+ 	prime = crypto_ec_get_prime(grp->group);
+ 	cofactor = crypto_bignum_init();
+ 	grp->pwe = crypto_ec_point_init(grp->group);
+@@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_gro
+ 
+ 	/* get a random quadratic residue and nonresidue */
+ 	while (!qr || !qnr) {
+-		int res;
+-
+ 		if (crypto_bignum_rand(tmp1, prime) < 0)
+ 			goto fail;
+ 		res = crypto_bignum_legendre(tmp1, prime);
+@@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_gro
+ 		if (!tmp1)
+ 			goto fail;
+ 	}
++	if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
++				 primebytelen) < 0 ||
++	    crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
++				 primebytelen) < 0)
++		goto fail;
+ 
+ 	os_memset(prfbuf, 0, primebytelen);
+ 	ctr = 0;
+@@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_gro
+ 		eap_pwd_h_update(hash, &ctr, sizeof(ctr));
+ 		eap_pwd_h_final(hash, pwe_digest);
+ 
+-		crypto_bignum_deinit(rnd, 1);
+-		rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
+-		if (!rnd) {
+-			wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
+-			goto fail;
+-		}
++		is_odd = const_time_select_u8(
++			found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
+ 		if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
+ 				(u8 *) "EAP-pwd Hunting And Pecking",
+ 				os_strlen("EAP-pwd Hunting And Pecking"),
+ 				prfbuf, primebitlen) < 0)
+ 			goto fail;
++		if (primebitlen % 8)
++			buf_shift_right(prfbuf, primebytelen,
++					8 - primebitlen % 8);
+ 
+ 		crypto_bignum_deinit(x_candidate, 1);
+ 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_gro
+ 			goto fail;
+ 		}
+ 
+-		/*
+-		 * eap_pwd_kdf() returns a string of bits 0..primebitlen but
+-		 * BN_bin2bn will treat that string of bits as a big endian
+-		 * number. If the primebitlen is not an even multiple of 8
+-		 * then excessive bits-- those _after_ primebitlen-- so now
+-		 * we have to shift right the amount we masked off.
+-		 */
+-		if ((primebitlen % 8) &&
+-		    crypto_bignum_rshift(x_candidate,
+-					 (8 - (primebitlen % 8)),
+-					 x_candidate) < 0)
+-			goto fail;
+-
+ 		if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+ 			continue;
+ 
+-		wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
+-			    prfbuf, primebytelen);
++		wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
++				prfbuf, primebytelen);
++		const_time_select_bin(found, x_bin, prfbuf, primebytelen,
++				      x_bin);
+ 
+ 		/*
+ 		 * compute y^2 using the equation of the curve
+@@ -260,13 +274,15 @@ int compute_password_element(EAP_PWD_gro
+ 		 * Flip a coin, multiply by the random quadratic residue or the
+ 		 * random quadratic nonresidue and record heads or tails.
+ 		 */
+-		if (crypto_bignum_is_odd(tmp1)) {
+-			crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
+-			check = 1;
+-		} else {
+-			crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
+-			check = -1;
+-		}
++		mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
++		check = const_time_select_s8(mask, 1, -1);
++		const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
++				      qr_or_qnr_bin);
++		crypto_bignum_deinit(qr_or_qnr, 1);
++		qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
++		if (!qr_or_qnr ||
++		    crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
++			goto fail;
+ 
+ 		/*
+ 		 * Now it's safe to do legendre, if check is 1 then it's
+@@ -274,59 +290,12 @@ int compute_password_element(EAP_PWD_gro
+ 		 * change result), if check is -1 then it's the opposite test
+ 		 * (multiplying a qr by qnr would make a qnr).
+ 		 */
+-		if (crypto_bignum_legendre(tmp2, prime) == check) {
+-			if (found == 1)
+-				continue;
+-
+-			/* need to unambiguously identify the solution */
+-			is_odd = crypto_bignum_is_odd(rnd);
+-
+-			/*
+-			 * We know x_candidate is a quadratic residue so set
+-			 * it here.
+-			 */
+-			if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
+-							  x_candidate,
+-							  is_odd) != 0) {
+-				wpa_printf(MSG_INFO,
+-					   "EAP-pwd: Could not solve for y");
+-				continue;
+-			}
+-
+-			/*
+-			 * If there's a solution to the equation then the point
+-			 * must be on the curve so why check again explicitly?
+-			 * OpenSSL code says this is required by X9.62. We're
+-			 * not X9.62 but it can't hurt just to be sure.
+-			 */
+-			if (!crypto_ec_point_is_on_curve(grp->group,
+-							 grp->pwe)) {
+-				wpa_printf(MSG_INFO,
+-					   "EAP-pwd: point is not on curve");
+-				continue;
+-			}
+-
+-			if (!crypto_bignum_is_one(cofactor)) {
+-				/* make sure the point is not in a small
+-				 * sub-group */
+-				if (crypto_ec_point_mul(grp->group, grp->pwe,
+-							cofactor,
+-							grp->pwe) != 0) {
+-					wpa_printf(MSG_INFO,
+-						   "EAP-pwd: cannot multiply generator by order");
+-					continue;
+-				}
+-				if (crypto_ec_point_is_at_infinity(grp->group,
+-								   grp->pwe)) {
+-					wpa_printf(MSG_INFO,
+-						   "EAP-pwd: point is at infinity");
+-					continue;
+-				}
+-			}
+-			wpa_printf(MSG_DEBUG,
+-				   "EAP-pwd: found a PWE in %d tries", ctr);
+-			found = 1;
+-		}
++		res = crypto_bignum_legendre(tmp2, prime);
++		if (res == -2)
++			goto fail;
++		mask = const_time_eq(res, check);
++		found_ctr = const_time_select_u8(found, found_ctr, ctr);
++		found |= mask;
+ 	}
+ 	if (found == 0) {
+ 		wpa_printf(MSG_INFO,
+@@ -334,6 +303,44 @@ int compute_password_element(EAP_PWD_gro
+ 			   num);
+ 		goto fail;
+ 	}
++
++	/*
++	 * We know x_candidate is a quadratic residue so set it here.
++	 */
++	crypto_bignum_deinit(x_candidate, 1);
++	x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
++	if (!x_candidate ||
++	    crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
++					  is_odd) != 0) {
++		wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++		goto fail;
++	}
++
++	/*
++	 * If there's a solution to the equation then the point must be on the
++	 * curve so why check again explicitly? OpenSSL code says this is
++	 * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
++	 */
++	if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
++		wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
++		goto fail;
++	}
++
++	if (!crypto_bignum_is_one(cofactor)) {
++		/* make sure the point is not in a small sub-group */
++		if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
++					grp->pwe) != 0) {
++			wpa_printf(MSG_INFO,
++				   "EAP-pwd: cannot multiply generator by order");
++			goto fail;
++		}
++		if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
++			wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
++			goto fail;
++		}
++	}
++	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
++
+ 	if (0) {
+  fail:
+ 		crypto_ec_point_deinit(grp->pwe, 1);
+@@ -343,14 +350,18 @@ int compute_password_element(EAP_PWD_gro
+ 	/* cleanliness and order.... */
+ 	crypto_bignum_deinit(cofactor, 1);
+ 	crypto_bignum_deinit(x_candidate, 1);
+-	crypto_bignum_deinit(rnd, 1);
+ 	crypto_bignum_deinit(pm1, 0);
+ 	crypto_bignum_deinit(tmp1, 1);
+ 	crypto_bignum_deinit(tmp2, 1);
+ 	crypto_bignum_deinit(qr, 1);
+ 	crypto_bignum_deinit(qnr, 1);
++	crypto_bignum_deinit(qr_or_qnr, 1);
+ 	crypto_bignum_deinit(one, 0);
+-	os_free(prfbuf);
++	bin_clear_free(prfbuf, primebytelen);
++	os_memset(qr_bin, 0, sizeof(qr_bin));
++	os_memset(qnr_bin, 0, sizeof(qnr_bin));
++	os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
++	os_memset(pwe_digest, 0, sizeof(pwe_digest));
+ 
+ 	return ret;
+ }

package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch

@@ -0,0 +1,52 @@
+From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 5 Mar 2019 23:43:25 +0200
+Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
+
+Explicitly verify that own and peer commit scalar/element are available
+when trying to check SAE confirm message. It could have been possible to
+hit a NULL pointer dereference if the peer element could not have been
+parsed. (CVE-2019-9496)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1464,23 +1464,31 @@ int sae_check_confirm(struct sae_data *s
+ 
+ 	wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
+ 
+-	if (sae->tmp == NULL) {
++	if (!sae->tmp || !sae->peer_commit_scalar ||
++	    !sae->tmp->own_commit_scalar) {
+ 		wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
+ 		return -1;
+ 	}
+ 
+-	if (sae->tmp->ec)
++	if (sae->tmp->ec) {
++		if (!sae->tmp->peer_commit_element_ecc ||
++		    !sae->tmp->own_commit_element_ecc)
++			return -1;
+ 		sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
+ 				   sae->tmp->peer_commit_element_ecc,
+ 				   sae->tmp->own_commit_scalar,
+ 				   sae->tmp->own_commit_element_ecc,
+ 				   verifier);
+-	else
++	} else {
++		if (!sae->tmp->peer_commit_element_ffc ||
++		    !sae->tmp->own_commit_element_ffc)
++			return -1;
+ 		sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
+ 				   sae->tmp->peer_commit_element_ffc,
+ 				   sae->tmp->own_commit_scalar,
+ 				   sae->tmp->own_commit_element_ffc,
+ 				   verifier);
++	}
+ 
+ 	if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+ 		wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");

package/network/services/hostapd/patches/064-0011-EAP-pwd-server-Verify-received-scalar-and-element.patch

@@ -0,0 +1,53 @@
+From 70ff850e89fbc8bc7da515321b4d15b5eef70581 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:13:06 +0200
+Subject: [PATCH 11/14] EAP-pwd server: Verify received scalar and element
+
+When processing an EAP-pwd Commit frame, the peer's scalar and element
+(elliptic curve point) were not validated. This allowed an adversary to
+bypass authentication, and impersonate any user if the crypto
+implementation did not verify the validity of the EC point.
+
+Fix this vulnerability by assuring the received scalar lies within the
+valid range, and by checking that the received element is not the point
+at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
+
+The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
+is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
+(and also BoringSSL) implicitly validate the elliptic curve point in
+EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+---
+ src/eap_server/eap_server_pwd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -653,6 +653,26 @@ eap_pwd_process_commit_resp(struct eap_s
+ 		goto fin;
+ 	}
+ 
++	/* verify received scalar */
++	if (crypto_bignum_is_zero(data->peer_scalar) ||
++	    crypto_bignum_is_one(data->peer_scalar) ||
++	    crypto_bignum_cmp(data->peer_scalar,
++			      crypto_ec_get_order(data->grp->group)) >= 0) {
++		wpa_printf(MSG_INFO,
++			   "EAP-PWD (server): received scalar is invalid");
++		goto fin;
++	}
++
++	/* verify received element */
++	if (!crypto_ec_point_is_on_curve(data->grp->group,
++					 data->peer_element) ||
++	    crypto_ec_point_is_at_infinity(data->grp->group,
++					   data->peer_element)) {
++		wpa_printf(MSG_INFO,
++			   "EAP-PWD (server): received element is invalid");
++		goto fin;
++	}
++
+ 	/* check to ensure peer's element is not in a small sub-group */
+ 	if (!crypto_bignum_is_one(cofactor)) {
+ 		if (crypto_ec_point_mul(data->grp->group, data->peer_element,

package/network/services/hostapd/patches/064-0012-EAP-pwd-server-Detect-reflection-attacks.patch

@@ -0,0 +1,40 @@
+From d63edfa90243e9a7de6ae5c275032f2cc79fef95 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:26:01 +0200
+Subject: [PATCH 12/14] EAP-pwd server: Detect reflection attacks
+
+When processing an EAP-pwd Commit frame, verify that the peer's scalar
+and elliptic curve element differ from the one sent by the server. This
+prevents reflection attacks where the adversary reflects the scalar and
+element sent by the server. (CVE-2019-9497)
+
+The vulnerability allows an adversary to complete the EAP-pwd handshake
+as any user. However, the adversary does not learn the negotiated
+session key, meaning the subsequent 4-way handshake would fail. As a
+result, this cannot be abused to bypass authentication unless EAP-pwd is
+used in non-WLAN cases without any following key exchange that would
+require the attacker to learn the MSK.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+---
+ src/eap_server/eap_server_pwd.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -688,6 +688,15 @@ eap_pwd_process_commit_resp(struct eap_s
+ 		}
+ 	}
+ 
++	/* detect reflection attacks */
++	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
++	    crypto_ec_point_cmp(data->grp->group, data->my_element,
++				data->peer_element) == 0) {
++		wpa_printf(MSG_INFO,
++			   "EAP-PWD (server): detected reflection attack!");
++		goto fin;
++	}
++
+ 	/* compute the shared key, k */
+ 	if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
+ 				 data->peer_scalar, K) < 0) ||

package/network/services/hostapd/patches/064-0013-EAP-pwd-client-Verify-received-scalar-and-element.patch

@@ -0,0 +1,53 @@
+From 8ad8585f91823ddcc3728155e288e0f9f872e31a Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:43:44 +0200
+Subject: [PATCH 13/14] EAP-pwd client: Verify received scalar and element
+
+When processing an EAP-pwd Commit frame, the server's scalar and element
+(elliptic curve point) were not validated. This allowed an adversary to
+bypass authentication, and act as a rogue Access Point (AP) if the
+crypto implementation did not verify the validity of the EC point.
+
+Fix this vulnerability by assuring the received scalar lies within the
+valid range, and by checking that the received element is not the point
+at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
+
+The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
+is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
+(and also BoringSSL) implicitly validate the elliptic curve point in
+EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+---
+ src/eap_peer/eap_pwd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -436,6 +436,26 @@ eap_pwd_perform_commit_exchange(struct e
+ 		goto fin;
+ 	}
+ 
++	/* verify received scalar */
++	if (crypto_bignum_is_zero(data->server_scalar) ||
++	    crypto_bignum_is_one(data->server_scalar) ||
++	    crypto_bignum_cmp(data->server_scalar,
++			      crypto_ec_get_order(data->grp->group)) >= 0) {
++		wpa_printf(MSG_INFO,
++			   "EAP-PWD (peer): received scalar is invalid");
++		goto fin;
++	}
++
++	/* verify received element */
++	if (!crypto_ec_point_is_on_curve(data->grp->group,
++					 data->server_element) ||
++	    crypto_ec_point_is_at_infinity(data->grp->group,
++					   data->server_element)) {
++		wpa_printf(MSG_INFO,
++			   "EAP-PWD (peer): received element is invalid");
++		goto fin;
++	}
++
+ 	/* check to ensure server's element is not in a small sub-group */
+ 	if (!crypto_bignum_is_one(cofactor)) {
+ 		if (crypto_ec_point_mul(data->grp->group, data->server_element,

package/network/services/hostapd/patches/064-0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch

@@ -0,0 +1,321 @@
+From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 5 Apr 2019 02:12:50 +0300
+Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
+
+This adds an explicit check for 0 < x,y < prime based on RFC 5931,
+2.8.5.2.2 requirement. The earlier checks might have covered this
+implicitly, but it is safer to avoid any dependency on implicit checks
+and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
+
+Furthermore, this moves the EAP-pwd element and scalar parsing and
+validation steps into shared helper functions so that there is no need
+to maintain two separate copies of this common functionality between the
+server and peer implementations.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
+ src/eap_common/eap_pwd_common.h |   3 ++
+ src/eap_peer/eap_pwd.c          |  45 ++---------------
+ src/eap_server/eap_server_pwd.c |  45 ++---------------
+ 4 files changed, 117 insertions(+), 82 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -427,3 +427,109 @@ int compute_keys(EAP_PWD_group *grp, con
+ 
+ 	return 1;
+ }
++
++
++static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
++				    const u8 *buf, size_t len)
++{
++	struct crypto_bignum *val;
++	int ok = 1;
++
++	val = crypto_bignum_init_set(buf, len);
++	if (!val || crypto_bignum_is_zero(val) ||
++	    crypto_bignum_cmp(val, prime) >= 0)
++		ok = 0;
++	crypto_bignum_deinit(val, 0);
++	return ok;
++}
++
++
++struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
++					     const u8 *buf)
++{
++	struct crypto_ec_point *element;
++	const struct crypto_bignum *prime;
++	size_t prime_len;
++	struct crypto_bignum *cofactor = NULL;
++
++	prime = crypto_ec_get_prime(group->group);
++	prime_len = crypto_ec_prime_len(group->group);
++
++	/* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
++	if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
++	    !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
++		wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
++		return NULL;
++	}
++
++	element = crypto_ec_point_from_bin(group->group, buf);
++	if (!element) {
++		wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
++		return NULL;
++	}
++
++	/* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
++	if (!crypto_ec_point_is_on_curve(group->group, element) ||
++	    crypto_ec_point_is_at_infinity(group->group, element)) {
++		wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
++		goto fail;
++	}
++
++	cofactor = crypto_bignum_init();
++	if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
++		wpa_printf(MSG_INFO,
++			   "EAP-pwd: Unable to get cofactor for curve");
++		goto fail;
++	}
++
++	if (!crypto_bignum_is_one(cofactor)) {
++		struct crypto_ec_point *point;
++		int ok = 1;
++
++		/* check to ensure peer's element is not in a small sub-group */
++		point = crypto_ec_point_init(group->group);
++		if (!point ||
++		    crypto_ec_point_mul(group->group, element,
++					cofactor, point) != 0 ||
++		    crypto_ec_point_is_at_infinity(group->group, point))
++			ok = 0;
++		crypto_ec_point_deinit(point, 0);
++
++		if (!ok) {
++			wpa_printf(MSG_INFO,
++				   "EAP-pwd: Small sub-group check on peer element failed");
++			goto fail;
++		}
++	}
++
++out:
++	crypto_bignum_deinit(cofactor, 0);
++	return element;
++fail:
++	crypto_ec_point_deinit(element, 0);
++	element = NULL;
++	goto out;
++}
++
++
++struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
++{
++	struct crypto_bignum *scalar;
++	const struct crypto_bignum *order;
++	size_t order_len;
++
++	order = crypto_ec_get_order(group->group);
++	order_len = crypto_ec_order_len(group->group);
++
++	/* RFC 5931, 2.8.5.2: 1 < scalar < r */
++	scalar = crypto_bignum_init_set(buf, order_len);
++	if (!scalar || crypto_bignum_is_zero(scalar) ||
++	    crypto_bignum_is_one(scalar) ||
++	    crypto_bignum_cmp(scalar, order) >= 0) {
++		wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
++		crypto_bignum_deinit(scalar, 0);
++		scalar = NULL;
++	}
++
++	return scalar;
++}
+--- a/src/eap_common/eap_pwd_common.h
++++ b/src/eap_common/eap_pwd_common.h
+@@ -64,5 +64,8 @@ int compute_keys(EAP_PWD_group *grp, con
+ struct crypto_hash * eap_pwd_h_init(void);
+ void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
+ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
++struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
++					     const u8 *buf);
++struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
+ 
+ #endif  /* EAP_PWD_COMMON_H */
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -344,7 +344,7 @@ eap_pwd_perform_commit_exchange(struct e
+ 				const struct wpabuf *reqData,
+ 				const u8 *payload, size_t payload_len)
+ {
+-	struct crypto_ec_point *K = NULL, *point = NULL;
++	struct crypto_ec_point *K = NULL;
+ 	struct crypto_bignum *mask = NULL, *cofactor = NULL;
+ 	const u8 *ptr;
+ 	u8 *scalar = NULL, *element = NULL;
+@@ -413,8 +413,7 @@ eap_pwd_perform_commit_exchange(struct e
+ 	/* process the request */
+ 	data->k = crypto_bignum_init();
+ 	K = crypto_ec_point_init(data->grp->group);
+-	point = crypto_ec_point_init(data->grp->group);
+-	if (!data->k || !K || !point) {
++	if (!data->k || !K) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
+ 			   "fail");
+ 		goto fin;
+@@ -422,55 +421,20 @@ eap_pwd_perform_commit_exchange(struct e
+ 
+ 	/* element, x then y, followed by scalar */
+ 	ptr = payload;
+-	data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
++	data->server_element = eap_pwd_get_element(data->grp, ptr);
+ 	if (!data->server_element) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
+ 			   "fail");
+ 		goto fin;
+ 	}
+ 	ptr += prime_len * 2;
+-	data->server_scalar = crypto_bignum_init_set(ptr, order_len);
++	data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
+ 	if (!data->server_scalar) {
+ 		wpa_printf(MSG_INFO,
+ 			   "EAP-PWD (peer): setting peer scalar fail");
+ 		goto fin;
+ 	}
+ 
+-	/* verify received scalar */
+-	if (crypto_bignum_is_zero(data->server_scalar) ||
+-	    crypto_bignum_is_one(data->server_scalar) ||
+-	    crypto_bignum_cmp(data->server_scalar,
+-			      crypto_ec_get_order(data->grp->group)) >= 0) {
+-		wpa_printf(MSG_INFO,
+-			   "EAP-PWD (peer): received scalar is invalid");
+-		goto fin;
+-	}
+-
+-	/* verify received element */
+-	if (!crypto_ec_point_is_on_curve(data->grp->group,
+-					 data->server_element) ||
+-	    crypto_ec_point_is_at_infinity(data->grp->group,
+-					   data->server_element)) {
+-		wpa_printf(MSG_INFO,
+-			   "EAP-PWD (peer): received element is invalid");
+-		goto fin;
+-	}
+-
+-	/* check to ensure server's element is not in a small sub-group */
+-	if (!crypto_bignum_is_one(cofactor)) {
+-		if (crypto_ec_point_mul(data->grp->group, data->server_element,
+-					cofactor, point) < 0) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+-				   "server element by order!\n");
+-			goto fin;
+-		}
+-		if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
+-				   "is at infinity!\n");
+-			goto fin;
+-		}
+-	}
+-
+ 	/* compute the shared key, k */
+ 	if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
+ 				data->server_scalar, K) < 0 ||
+@@ -544,7 +508,6 @@ fin:
+ 	crypto_bignum_deinit(mask, 1);
+ 	crypto_bignum_deinit(cofactor, 1);
+ 	crypto_ec_point_deinit(K, 1);
+-	crypto_ec_point_deinit(point, 1);
+ 	if (data->outbuf == NULL)
+ 		eap_pwd_state(data, FAILURE);
+ 	else
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -604,7 +604,7 @@ eap_pwd_process_commit_resp(struct eap_s
+ {
+ 	const u8 *ptr;
+ 	struct crypto_bignum *cofactor = NULL;
+-	struct crypto_ec_point *K = NULL, *point = NULL;
++	struct crypto_ec_point *K = NULL;
+ 	int res = 0;
+ 	size_t prime_len, order_len;
+ 
+@@ -623,9 +623,8 @@ eap_pwd_process_commit_resp(struct eap_s
+ 
+ 	data->k = crypto_bignum_init();
+ 	cofactor = crypto_bignum_init();
+-	point = crypto_ec_point_init(data->grp->group);
+ 	K = crypto_ec_point_init(data->grp->group);
+-	if (!data->k || !cofactor || !point || !K) {
++	if (!data->k || !cofactor || !K) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ 			   "fail");
+ 		goto fin;
+@@ -639,55 +638,20 @@ eap_pwd_process_commit_resp(struct eap_s
+ 
+ 	/* element, x then y, followed by scalar */
+ 	ptr = payload;
+-	data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
++	data->peer_element = eap_pwd_get_element(data->grp, ptr);
+ 	if (!data->peer_element) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
+ 			   "fail");
+ 		goto fin;
+ 	}
+ 	ptr += prime_len * 2;
+-	data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
++	data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
+ 	if (!data->peer_scalar) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ 			   "fail");
+ 		goto fin;
+ 	}
+ 
+-	/* verify received scalar */
+-	if (crypto_bignum_is_zero(data->peer_scalar) ||
+-	    crypto_bignum_is_one(data->peer_scalar) ||
+-	    crypto_bignum_cmp(data->peer_scalar,
+-			      crypto_ec_get_order(data->grp->group)) >= 0) {
+-		wpa_printf(MSG_INFO,
+-			   "EAP-PWD (server): received scalar is invalid");
+-		goto fin;
+-	}
+-
+-	/* verify received element */
+-	if (!crypto_ec_point_is_on_curve(data->grp->group,
+-					 data->peer_element) ||
+-	    crypto_ec_point_is_at_infinity(data->grp->group,
+-					   data->peer_element)) {
+-		wpa_printf(MSG_INFO,
+-			   "EAP-PWD (server): received element is invalid");
+-		goto fin;
+-	}
+-
+-	/* check to ensure peer's element is not in a small sub-group */
+-	if (!crypto_bignum_is_one(cofactor)) {
+-		if (crypto_ec_point_mul(data->grp->group, data->peer_element,
+-					cofactor, point) != 0) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+-				   "multiply peer element by order");
+-			goto fin;
+-		}
+-		if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
+-				   "is at infinity!\n");
+-			goto fin;
+-		}
+-	}
+-
+ 	/* detect reflection attacks */
+ 	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
+ 	    crypto_ec_point_cmp(data->grp->group, data->my_element,
+@@ -739,7 +703,6 @@ eap_pwd_process_commit_resp(struct eap_s
+ 
+ fin:
+ 	crypto_ec_point_deinit(K, 1);
+-	crypto_ec_point_deinit(point, 1);
+ 	crypto_bignum_deinit(cofactor, 1);
+ 
+ 	if (res)

package/network/services/hostapd/patches/065-0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch

@@ -0,0 +1,40 @@
+From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 17 Apr 2019 01:55:32 +0300
+Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling
+
+data->inbuf allocation might fail and if that were to happen, the next
+fragment in the exchange could have resulted in NULL pointer
+dereference. Unexpected fragment with more bit might also be able to
+trigger this. Fix that by explicitly checking for data->inbuf to be
+available before using it.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_server/eap_server_pwd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -882,6 +882,12 @@ static void eap_pwd_process(struct eap_s
+ 	 * the first and all intermediate fragments have the M bit set
+ 	 */
+ 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
++		if (!data->inbuf) {
++			wpa_printf(MSG_DEBUG,
++				   "EAP-pwd: No buffer for reassembly");
++			eap_pwd_state(data, FAILURE);
++			return;
++		}
+ 		if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ 			wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ 				   "attack detected! (%d+%d > %d)",
+@@ -902,7 +908,7 @@ static void eap_pwd_process(struct eap_s
+ 	 * last fragment won't have the M bit set (but we're obviously
+ 	 * buffering fragments so that's how we know it's the last)
+ 	 */
+-	if (data->in_frag_pos) {
++	if (data->in_frag_pos && data->inbuf) {
+ 		pos = wpabuf_head_u8(data->inbuf);
+ 		len = data->in_frag_pos;
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",

package/network/services/hostapd/patches/065-0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch

@@ -0,0 +1,40 @@
+From d2d1a324ce937628e4d9d9999fe113819b7d4478 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 17 Apr 2019 02:21:20 +0300
+Subject: [PATCH 3/3] EAP-pwd peer: Fix reassembly buffer handling
+
+Unexpected fragment might result in data->inbuf not being allocated
+before processing and that could have resulted in NULL pointer
+dereference. Fix that by explicitly checking for data->inbuf to be
+available before using it.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_peer/eap_pwd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -805,6 +805,13 @@ eap_pwd_process(struct eap_sm *sm, void
+ 	 * buffer and ACK the fragment
+ 	 */
+ 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
++		if (!data->inbuf) {
++			wpa_printf(MSG_DEBUG,
++				   "EAP-pwd: No buffer for reassembly");
++			ret->methodState = METHOD_DONE;
++			ret->decision = DECISION_FAIL;
++			return NULL;
++		}
+ 		data->in_frag_pos += len;
+ 		if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ 			wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -831,7 +838,7 @@ eap_pwd_process(struct eap_sm *sm, void
+ 	/*
+ 	 * we're buffering and this is the last fragment
+ 	 */
+-	if (data->in_frag_pos) {
++	if (data->in_frag_pos && data->inbuf) {
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ 			   (int) len);
+ 		pos = wpabuf_head_u8(data->inbuf);

package/network/services/uhttpd/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uhttpd
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git

package/network/services/uhttpd/files/uhttpd.config

@@ -24,7 +24,7 @@ config uhttpd main
 	# If this number is exceeded, further requests are
 	# queued until the number of running requests drops
 	# below the limit again.
-	option max_requests 1
+	option max_requests 3
 
 	# Maximum number of concurrent connections.
 	# If this number is exceeded, further TCP connection

package/network/utils/comgt/files/ncm.sh

@@ -146,12 +146,18 @@ proto_ncm_setup() {
 	proto_close_data
 	proto_send_update "$interface"
 
+	local zone="$(fw3 -q network "$interface" 2>/dev/null)"
+
 	[ "$pdptype" = "IP" -o "$pdptype" = "IPV4V6" ] && {
 		json_init
 		json_add_string name "${interface}_4"
 		json_add_string ifname "@$interface"
 		json_add_string proto "dhcp"
 		proto_add_dynamic_defaults
+		[ -n "$zone" ] && {
+			json_add_string zone "$zone"
+		}
+		json_close_object
 		ubus call network add_dynamic "$(json_dump)"
 	}
 
@@ -162,6 +168,10 @@ proto_ncm_setup() {
 		json_add_string proto "dhcpv6"
 		json_add_string extendprefix 1
 		proto_add_dynamic_defaults
+		[ -n "$zone" ] && {
+			json_add_string zone "$zone"
+		}
+		json_close_object
 		ubus call network add_dynamic "$(json_dump)"
 	}
 

package/network/utils/curl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.60.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://dl.uxnr.de/mirror/curl/ \

package/network/utils/curl/patches/401-CVE-2018-14618.patch

@@ -0,0 +1,32 @@
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+---
+ lib/curl_ntlm_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struc
+                                    unsigned char *ntbuffer /* 21 bytes */)
+ {
+   size_t len = strlen(password);
+-  unsigned char *pw = len ? malloc(len * 2) : strdup("");
++  unsigned char *pw;
+   CURLcode result;
++  if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++    return CURLE_OUT_OF_MEMORY;
++  pw = len ? malloc(len * 2) : strdup("");
+   if(!pw)
+     return CURLE_OUT_OF_MEMORY;
+ 

package/network/utils/curl/patches/402-CVE-2018-16839.patch

@@ -0,0 +1,23 @@
+From f3a24d7916b9173c69a3e0ee790102993833d6c5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Sep 2018 16:08:16 +0200
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 

package/network/utils/curl/patches/403-CVE-2018-16840.patch

@@ -0,0 +1,31 @@
+From 81d135d67155c5295b1033679c606165d4e28f3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 18 Oct 2018 15:07:15 +0200
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc068 (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *da
+        and detach this handle from there. */
+     curl_multi_remove_handle(data->multi, data);
+ 
+-  if(data->multi_easy)
++  if(data->multi_easy) {
+     /* when curl_easy_perform() is used, it creates its own multi handle to
+        use and this is the one */
+     curl_multi_cleanup(data->multi_easy);
++    data->multi_easy = NULL;
++  }
+ 
+   /* Destroy the timeout list that is held in the easy handle. It is
+      /normally/ done by curl_multi_remove_handle() but this is "just in

package/network/utils/curl/patches/404-CVE-2018-16842.patch

@@ -0,0 +1,23 @@
+From d530e92f59ae9bb2d47066c3c460b25d2ffeb211 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *c
+         (void)fwrite(ptr, cut + 1, 1, config->errors);
+         fputs("\n", config->errors);
+         ptr += cut + 1; /* skip the space too */
+-        len -= cut;
++        len -= cut + 1;
+       }
+       else {
+         fputs(ptr, config->errors);

package/network/utils/curl/patches/405-CVE-2019-3823.patch

@@ -0,0 +1,42 @@
+From 39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484 Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Sat, 19 Jan 2019 00:42:47 +0100
+Subject: [PATCH] smtp: avoid risk of buffer overflow in strtol
+
+If the incoming len 5, but the buffer does not have a termination
+after 5 bytes, the strtol() call may keep reading through the line
+buffer until is exceeds its boundary. Fix by ensuring that we are
+using a bounded read with a temporary buffer on the stack.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
+Reported-by: Brian Carpenter (Geeknik Labs)
+CVE-2019-3823
+---
+ lib/smtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connec
+      Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
+      only send the response code instead as per Section 4.2. */
+   if(line[3] == ' ' || len == 5) {
++    char tmpline[6];
++
+     result = TRUE;
+-    *resp = curlx_sltosi(strtol(line, NULL, 10));
++    memset(tmpline, '\0', sizeof(tmpline));
++    memcpy(tmpline, line, (len == 5 ? 5 : 3));
++    *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
+ 
+     /* Make sure real server never sends internal value */
+     if(*resp == 1)

package/network/utils/curl/patches/406-CVE-2019-3822.patch

@@ -0,0 +1,33 @@
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -776,11 +776,14 @@ CURLcode Curl_auth_create_ntlm_type3_mes
+   });
+ 
+ #ifdef USE_NTRESPONSES
+-  if(size < (NTLM_BUFSIZE - ntresplen)) {
+-    DEBUGASSERT(size == (size_t)ntrespoff);
+-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+-    size += ntresplen;
++  /* ntresplen + size should not be risking an integer overflow here */
++  if(ntresplen + size > sizeof(ntlmbuf)) {
++    failf(data, "incoming NTLM message too big");
++    return CURLE_OUT_OF_MEMORY;
+   }
++  DEBUGASSERT(size == (size_t)ntrespoff);
++  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++  size += ntresplen;
+ 
+   DEBUG_OUT({
+     fprintf(stderr, "\n   ntresp=");

package/network/utils/curl/patches/407-CVE-2018-16890.patch

@@ -0,0 +1,37 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target
+     target_info_len = Curl_read16_le(&buffer[40]);
+     target_info_offset = Curl_read32_le(&buffer[44]);
+     if(target_info_len > 0) {
+-      if(((target_info_offset + target_info_len) > size) ||
++      if((target_info_offset >= size) ||
++         ((target_info_offset + target_info_len) > size) ||
+          (target_info_offset < 48)) {
+         infof(data, "NTLM handshake failure (bad type-2 message). "
+-                    "Target Info Offset Len is set incorrect by the peer\n");
++              "Target Info Offset Len is set incorrect by the peer\n");
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+ 

package/network/utils/uqmi/Makefile

@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uqmi
-PKG_RELEASE:=5
+PKG_RELEASE:=7
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uqmi.git
-PKG_SOURCE_DATE:=2016-12-19
-PKG_SOURCE_VERSION:=8ceeab690d8c6f1e3afbd4bcaee7bc2ba3fbe165
-PKG_MIRROR_HASH:=b3637ff04e51769137af1c5e173e73311e11c3c2dcc49eeaca6aa3520f61d247
+PKG_SOURCE_DATE:=2019-06-27
+PKG_SOURCE_VERSION:=1965c713937495a5cb029165c16acdb6572c3f87
+PKG_MIRROR_HASH:=3c39b1c1f20b7d523b0891d08b3d10233331ada8e11d0b55cfd4882816308951
 PKG_MAINTAINER:=Matti Laakso <malaakso@elisanet.fi>
 
 PKG_LICENSE:=GPL-2.0

package/network/utils/uqmi/files/lib/netifd/proto/qmi.sh

@@ -83,7 +83,7 @@ proto_qmi_setup() {
 		fi
 	done
 
-	if uqmi -s -d "$device" --get-pin-status | grep '"Not supported"' > /dev/null; then
+	if uqmi -s -d "$device" --get-pin-status | grep '"Not supported"\|"Invalid QMI command"' > /dev/null; then
 		[ -n "$pincode" ] && {
 			uqmi -s -d "$device" --verify-pin1 "$pincode" > /dev/null || uqmi -s -d "$device" --uim-verify-pin1 "$pincode" > /dev/null || {
 				echo "Unable to verify PIN"
@@ -298,6 +298,9 @@ proto_qmi_setup() {
 	}
 	proto_close_data
 	proto_send_update "$interface"
+
+	local zone="$(fw3 -q network "$interface" 2>/dev/null)"
+
 	[ -n "$pdh_6" ] && {
 		if [ -z "$dhcpv6" -o "$dhcpv6" = 0 ]; then
 			json_load "$(uqmi -s -d $device --set-client-id wds,$cid_6 --get-current-settings)"
@@ -318,6 +321,11 @@ proto_qmi_setup() {
 				proto_add_dns_server "$dns1_6"
 				proto_add_dns_server "$dns2_6"
 			}
+			[ -n "$zone" ] && {
+		        	proto_add_data
+        			json_add_string zone "$zone"
+			        proto_close_data
+			}
 			proto_send_update "$interface"
 		else
 			json_init
@@ -328,6 +336,7 @@ proto_qmi_setup() {
 			proto_add_dynamic_defaults
 			# RFC 7278: Extend an IPv6 /64 Prefix to LAN
 			json_add_string extendprefix 1
+			[ -n "$zone" ] && json_add_string zone "$zone"
 			json_close_object
 			ubus call network add_dynamic "$(json_dump)"
 		fi
@@ -340,6 +349,7 @@ proto_qmi_setup() {
 		json_add_string proto "dhcp"
 		[ -n "$ip4table" ] && json_add_string ip4table "$ip4table"
 		proto_add_dynamic_defaults
+		[ -n "$zone" ] && json_add_string zone "$zone"
 		json_close_object
 		ubus call network add_dynamic "$(json_dump)"
 	}

package/system/ca-certificates/Makefile

@@ -7,14 +7,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ca-certificates
-PKG_VERSION:=20180409
-PKG_RELEASE:=2
+PKG_VERSION:=20190110
+PKG_RELEASE:=1
 PKG_MAINTAINER:=
 
 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/c/ca-certificates
-PKG_HASH:=7af6f5bfc619fd29cbf0258c1d95107c38ce840ad6274e343e1e0d971fc72b51
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_HASH:=ee4bf0f4c6398005f5b5ca4e0b87b82837ac5c3b0280a1cb3a63c47555c3a675
 
 PKG_INSTALL:=1
 

package/system/fstools/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fstools
-PKG_RELEASE:=3
+PKG_RELEASE:=5
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/fstools.git
-PKG_SOURCE_DATE:=2018-12-28
-PKG_SOURCE_VERSION:=af93f4b8dc32cf1320dfe8f4b93bb3a12606fc33
-PKG_MIRROR_HASH:=a2d8c2500fe75014ef16c039d8cdb276c1d5c066f8bce6550a3ecf46a9a411a9
+PKG_SOURCE_DATE:=2019-03-28
+PKG_SOURCE_VERSION:=ff1ded63c51e84e239fb422ac8b9d15251d1221f
+PKG_MIRROR_HASH:=2731bbca42c0eafda557d545ebeca243fa4048c433c3b27d31256aca356886bc
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0
@@ -110,6 +110,7 @@ define Package/block-mount/install
 	$(INSTALL_BIN) ./files/fstab.init $(1)/etc/init.d/fstab
 	$(INSTALL_CONF) ./files/fstab.default $(1)/etc/uci-defaults/10-fstab
 	$(INSTALL_CONF) ./files/mount.hotplug $(1)/etc/hotplug.d/block/10-mount
+	$(INSTALL_CONF) ./files/media-change.hotplug  $(1)/etc/hotplug.d/block/00-media-change
 
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/block $(1)/sbin/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libblkid-tiny.so $(1)/lib/

package/system/fstools/files/fstab.init

@@ -11,6 +11,10 @@ start() {
 	echo "this file has been obsoleted. please call \"/sbin/block mount\" directly"
 }
 
+restart() {
+	start
+}
+
 stop() {
 	/sbin/block umount
 }

package/system/fstools/files/media-change.hotplug

@@ -0,0 +1,8 @@
+[ -n "$DISK_MEDIA_CHANGE" ] && /sbin/block info
+
+if [ "$ACTION" = "add" -a "$DEVTYPE" = "disk" ]; then
+	case "$DEVNAME" in
+		mtd*) : ;;
+		*) echo 2000 > /sys/block/$DEVNAME/events_poll_msecs ;;
+	esac
+fi

package/system/rpcd/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rpcd
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/rpcd.git

package/system/rpcd/files/rpcd.init

@@ -15,10 +15,7 @@ start_service() {
 	procd_close_instance
 }
 
-stop() {
-	service_stop /sbin/rpcd
+reload_service() {
+	procd_send_signal rpcd
 }
 
-reload() {
-	service_reload /sbin/rpcd
-}