OpenWrt v18.06.8: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

.gitignore

@@ -16,6 +16,7 @@
 /overlay
 /package/feeds
 /package/openwrt-packages
+/*.patch
 key-build*
 *.orig
 *.rej

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^340d5ce71ee60c1d699e7e0ead9422bed6f8519f
-src-git luci https://git.openwrt.org/project/luci.git^bc17ef673f734ea8e7e696ba5735588da9111dcd
-src-git routing https://git.openwrt.org/feed/routing.git^c52779c05a4cf838c736327d8b042ee59f782331
-src-git telephony https://git.openwrt.org/feed/telephony.git^06a5323734038c3866f507787256581dba3d8522
+src-git packages https://git.openwrt.org/feed/packages.git^c05ea69d6d4f503c9bf69fd3d5e551e21c434084
+src-git luci https://git.openwrt.org/project/luci.git^41e2258d6dc1ebe8d3874ae6d6b13db49cff2c5c
+src-git routing https://git.openwrt.org/feed/routing.git^0e63ef9276bf41c0d4176127f9f047343b8ffe32
+src-git telephony https://git.openwrt.org/feed/telephony.git^8ecbdabc7c5cadbe571eb947f5cd333a5a785010

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .198
-LINUX_VERSION-4.14 = .151
+LINUX_VERSION-4.9 = .214
+LINUX_VERSION-4.14 = .171
 
-LINUX_KERNEL_HASH-4.9.198 = 9572ebfa6ba0efcf9f1ec7b62c7b89baa36a621ab9fd4c5ad025196c549605ac
-LINUX_KERNEL_HASH-4.14.151 = ff519c428ee9bbb513a84db5ec32a7e3705cd8c23a57104b25b944cb79583fae
+LINUX_KERNEL_HASH-4.9.214 = b47f093dac7034c7c4722e80042c05e4ef53c14a4f28aa992117a127d2b1e483
+LINUX_KERNEL_HASH-4.14.171 = 4fe02489e4b4a187eccf0ef87df6100534c9d485e76d876b1fa247c7635332a0
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/prereq-build.mk

@@ -141,10 +141,12 @@ $(eval $(call SetupHostCommand,wget,Please install GNU 'wget', \
 $(eval $(call SetupHostCommand,perl,Please install Perl 5.x, \
 	perl --version | grep "perl.*v5"))
 
+$(eval $(call CleanupPython3))
+
 $(eval $(call SetupHostCommand,python,Please install Python 2.x, \
-	python2.7 -V 2>&1 | grep Python, \
-	python2 -V 2>&1 | grep Python, \
-	python -V 2>&1 | grep Python))
+	python2.7 -V 2>&1 | grep 'Python 2.7', \
+	python2 -V 2>&1 | grep 'Python 2', \
+	python -V 2>&1 | grep 'Python 2'))
 
 $(eval $(call SetupHostCommand,git,Please install Git (git-core) >= 1.7.12.2, \
 	git --exec-path | xargs -I % -- grep -q -- --recursive %/git-submodule))

include/prereq.mk

@@ -66,6 +66,18 @@ define RequireHeader
   $$(eval $$(call Require,$(1),$(2)))
 endef
 
+define CleanupPython3
+  define Require/python3-cleanup
+	if [ -f "$(STAGING_DIR_HOST)/bin/python" ] && \
+		$(STAGING_DIR_HOST)/bin/python -V 2>&1 | \
+		grep -q 'Python 3'; then \
+			rm $(STAGING_DIR_HOST)/bin/python; \
+	fi
+  endef
+
+  $$(eval $$(call Require,python3-cleanup))
+endef
+
 define QuoteHostCommand
 '$(subst ','"'"',$(strip $(1)))'
 endef

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.5)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.8)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7897-9d401013fc)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7989-82fbd85747)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.5)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.8)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/base-files/Makefile

@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/version.mk
 include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=194.2
+PKG_RELEASE:=194.3
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/

package/base-files/files/bin/config_generate

@@ -85,12 +85,16 @@ generate_network() {
 		set network.$1.proto='none'
 	EOF
 
-	[ -n "$macaddr" ] && uci -q batch <<-EOF
-		delete network.$1_dev
-		set network.$1_dev='device'
-		set network.$1_dev.name='$ifname'
-		set network.$1_dev.macaddr='$macaddr'
-	EOF
+	if [ -n "$macaddr" ]; then
+		for name in $ifname; do
+			uci -q batch <<-EOF
+				delete network.$1_${name/./_}_dev
+				set network.$1_${name/./_}_dev='device'
+				set network.$1_${name/./_}_dev.name='$name'
+				set network.$1_${name/./_}_dev.macaddr='$macaddr'
+			EOF
+		done
+	fi
 
 	case "$protocol" in
 		static)

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.5"
+		default "http://downloads.openwrt.org/releases/18.06.8"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/uboot-envtools/files/ar71xx

@@ -57,7 +57,10 @@ sr3200|\
 t830|\
 tube2h|\
 wam250|\
-wndr3700|\
+wnr1000-v2|\
+wnr2000-v3|\
+wnr2200|\
+wnr612-v2|\
 xd3200)
 	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x10000" "0x10000"
 	;;
@@ -91,6 +94,12 @@ qihoo-c301)
 wi2a-ac200i)
 	ubootenv_add_uci_config "/dev/mtd4" "0x0" "0x8000" "0x10000"
 	;;
+wndr3700)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x20000" "0x10000"
+	;;
+wndr4300)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x40000" "0x20000"
+	;;
 esac
 
 config_load ubootenv

package/kernel/i2c-gpio-custom/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=i2c-gpio-custom
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/i2c-gpio-custom/src/i2c-gpio-custom.c

@@ -51,7 +51,7 @@
 
 #define DRV_NAME	"i2c-gpio-custom"
 #define DRV_DESC	"Custom GPIO-based I2C driver"
-#define DRV_VERSION	"0.1.1"
+#define DRV_VERSION	"0.1.2"
 
 #define PFX		DRV_NAME ": "
 
@@ -96,7 +96,7 @@ static void i2c_gpio_custom_cleanup(void)
 
 	for (i = 0; i < nr_devices; i++)
 		if (devices[i])
-			platform_device_put(devices[i]);
+			platform_device_unregister(devices[i]);
 }
 
 static int __init i2c_gpio_custom_add_one(unsigned int id, unsigned int *params)

package/kernel/lantiq/ltq-ptm/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-ptm
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/ltq-ptm-$(BUILD_VARIANT)
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

package/kernel/lantiq/ltq-ptm/src/ifxmips_ptm_vdsl.c

@@ -334,6 +334,9 @@ static int ptm_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         dma_cache_wback((unsigned long)skb->data, skb->len);
     }
 
+    /* make the skb unowned */
+    skb_orphan(skb);
+
     *(struct sk_buff **)((unsigned int)skb->data - byteoff - sizeof(struct sk_buff *)) = skb;
     /*  write back to physical memory   */
     dma_cache_wback((unsigned long)skb->data - byteoff - sizeof(struct sk_buff *), skb->len + byteoff + sizeof(struct sk_buff *));

package/kernel/mac80211/patches/370-backports-Adapt-to-changes-to-skb_get_hash_perturb.patch

@@ -0,0 +1,68 @@
+From e3c57dd949835419cee8d3b45db38de58bf6ebd5 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 18 Nov 2019 01:13:37 +0100
+Subject: [PATCH] backports: Adapt to changes to skb_get_hash_perturb()
+
+The skb_get_hash_perturb() function now takes a siphash_key_t instead of
+an u32. This was changed in commit 55667441c84f ("net/flow_dissector:
+switch to siphash"). Use the correct type in the fq header file
+depending on the kernel version.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ include/net/fq.h      | 8 ++++++++
+ include/net/fq_impl.h | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/include/net/fq.h
++++ b/include/net/fq.h
+@@ -70,7 +70,15 @@ struct fq {
+ 	struct list_head backlogs;
+ 	spinlock_t lock;
+ 	u32 flows_cnt;
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	siphash_key_t	perturbation;
++#else
+ 	u32 perturbation;
++#endif
+ 	u32 limit;
+ 	u32 memory_limit;
+ 	u32 memory_usage;
+--- a/include/net/fq_impl.h
++++ b/include/net/fq_impl.h
+@@ -118,7 +118,15 @@ static struct fq_flow *fq_flow_classify(
+ 
+ 	lockdep_assert_held(&fq->lock);
+ 
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	hash = skb_get_hash_perturb(skb, &fq->perturbation);
++#else
+ 	hash = skb_get_hash_perturb(skb, fq->perturbation);
++#endif
+ 	idx = reciprocal_scale(hash, fq->flows_cnt);
+ 	flow = &fq->flows[idx];
+ 
+@@ -307,7 +315,15 @@ static int fq_init(struct fq *fq, int fl
+ 	INIT_LIST_HEAD(&fq->backlogs);
+ 	spin_lock_init(&fq->lock);
+ 	fq->flows_cnt = max_t(u32, flows_cnt, 1);
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	get_random_bytes(&fq->perturbation, sizeof(fq->perturbation));
++#else
+ 	fq->perturbation = prandom_u32();
++#endif
+ 	fq->quantum = 300;
+ 	fq->limit = 8192;
+ 	fq->memory_limit = 16 << 20; /* 16 MBytes */

package/kernel/mac80211/patches/501-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch

@@ -0,0 +1,54 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 18 Nov 2019 11:52:41 +0100
+Subject: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Keeping interrupts on could result in brcmfmac freeing some resources
+and then IRQ handlers trying to use them. That was obviously a straight
+path for crashing a kernel.
+
+Example:
+CPU0                           CPU1
+----                           ----
+brcmf_pcie_reset
+  brcmf_pcie_bus_console_read
+  brcmf_detach
+    ...
+    brcmf_fweh_detach
+    brcmf_proto_detach
+                               brcmf_pcie_isr_thread
+                                 ...
+                                 brcmf_proto_msgbuf_rx_trigger
+                                   ...
+                                   drvr->proto->pd
+    brcmf_pcie_release_irq
+
+[  363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
+[  363.797339] pgd = c0004000
+[  363.800050] [00000038] *pgd=00000000
+[  363.803635] Internal error: Oops: 17 [#1] SMP ARM
+(...)
+[  364.029209] Backtrace:
+[  364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
+[  364.043662]  r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
+
+Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1437,6 +1437,8 @@ static int brcmf_pcie_reset(struct devic
+ 	struct brcmf_fw_request *fwreq;
+ 	int err;
+ 
++	brcmf_pcie_intr_disable(devinfo);
++
+ 	brcmf_pcie_bus_console_read(devinfo, true);
+ 
+ 	brcmf_detach(dev);

package/kernel/mac80211/patches/502-brcmfmac-remove-monitor-interface-when-detaching.patch

@@ -0,0 +1,30 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 18 Nov 2019 13:35:20 +0100
+Subject: [PATCH 5.5] brcmfmac: remove monitor interface when detaching
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a minor WARNING in the cfg80211:
+[  130.658034] ------------[ cut here ]------------
+[  130.662805] WARNING: CPU: 1 PID: 610 at net/wireless/core.c:954 wiphy_unregister+0xb4/0x198 [cfg80211]
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1380,6 +1380,11 @@ void brcmf_detach(struct device *dev)
+ 	brcmf_fweh_detach(drvr);
+ 	brcmf_proto_detach(drvr);
+ 
++	if (drvr->mon_if) {
++		brcmf_net_detach(drvr->mon_if->ndev, false);
++		drvr->mon_if = NULL;
++	}
++
+ 	/* make sure primary interface removed last */
+ 	for (i = BRCMF_MAX_IFS - 1; i > -1; i--) {
+ 		if (drvr->iflist[i])

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1481,6 +1481,7 @@ int __init brcmf_core_init(void)
+@@ -1486,6 +1486,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;

package/kernel/w1-gpio-custom/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=w1-gpio-custom
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/w1-gpio-custom/src/w1-gpio-custom.c

@@ -47,7 +47,7 @@
 
 #define DRV_NAME	"w1-gpio-custom"
 #define DRV_DESC	"Custom GPIO-based W1 driver"
-#define DRV_VERSION	"0.1.1"
+#define DRV_VERSION	"0.1.2"
 
 #define PFX		DRV_NAME ": "
 
@@ -86,7 +86,7 @@ static void w1_gpio_custom_cleanup(void)
 
 	for (i = 0; i < nr_devices; i++)
 		if (devices[i])
-			platform_device_put(devices[i]);
+			platform_device_unregister(devices[i]);
 }
 
 static int __init w1_gpio_custom_add_one(unsigned int id, unsigned int *params)

package/libs/libubox/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libubox
-PKG_RELEASE=2
+PKG_RELEASE=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git

package/libs/libubox/patches/0001-blobmsg_json-fix-possible-uninitialized-struct-membe.patch

@@ -0,0 +1,39 @@
+From 2acfe84e4c871fb994c38c9f2508eb9ebd296b74 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 19 Nov 2019 17:34:25 +0100
+Subject: blobmsg_json: fix possible uninitialized struct member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+clang-10 analyzer reports following:
+
+ blobmsg_json.c:285:2: warning: The expression is an uninitialized value. The computed value will also be garbage
+         s->indent_level++;
+         ^~~~~~~~~~~~~~~~~
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -316,7 +316,7 @@ static void setup_strbuf(struct strbuf *
+ 
+ char *blobmsg_format_json_with_cb(struct blob_attr *attr, bool list, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	bool array;
+ 	char *ret;
+ 
+@@ -350,7 +350,7 @@ char *blobmsg_format_json_with_cb(struct
+ 
+ char *blobmsg_format_json_value_with_cb(struct blob_attr *attr, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	char *ret;
+ 
+ 	setup_strbuf(&s, attr, cb, priv, indent);

package/libs/libubox/patches/0002-jshn-fix-off-by-one-in-jshn_parse_file.patch

@@ -0,0 +1,39 @@
+From f27853d71a2cb99ec5de3881716a14611ada307c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 23 Nov 2019 22:48:25 +0100
+Subject: jshn: fix off by one in jshn_parse_file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error:
+
+ Invalid read of size 1
+   at 0x4C32D04: strlen
+   by 0x5043367: json_tokener_parse_ex
+   by 0x5045316: json_tokener_parse_verbose
+   by 0x504537D: json_tokener_parse
+   by 0x401AB1: jshn_parse (jshn.c:179)
+   by 0x40190D: jshn_parse_file (jshn.c:370)
+   by 0x40190D: main (jshn.c:434)
+ Address 0x5848c4c is 0 bytes after a block of size 1,036 alloc'd
+   at 0x4C2FB0F: malloc
+   by 0x4018E2: jshn_parse_file (jshn.c:357)
+   by 0x4018E2: main (jshn.c:434)
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -384,7 +384,7 @@ int main(int argc, char **argv)
+ 				close(fd);
+ 				return 3;
+ 			}
+-			if (!(fbuf = malloc(sb.st_size))) {
++			if (!(fbuf = calloc(1, sb.st_size+1))) {
+ 				fprintf(stderr, "Error allocating memory for %s\n", optarg);
+ 				close(fd);
+ 				return 3;

package/libs/libubox/patches/0003-blob-refactor-attr-parsing-into-separate-function.patch

@@ -0,0 +1,97 @@
+From af2a074160e32692b570f8a3562b4370d38f34e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 13:53:27 +0100
+Subject: blob: refactor attr parsing into separate function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Making blob_parse easier to review.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 61 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 26 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -217,44 +217,53 @@ blob_check_type(const void *ptr, unsigne
+ 	return true;
+ }
+ 
+-int
+-blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++static int
++blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+-	struct blob_attr *pos;
+ 	int found = 0;
+-	int rem;
++	int id = blob_id(attr);
++	size_t len = blob_len(attr);
+ 
+-	memset(data, 0, sizeof(struct blob_attr *) * max);
+-	blob_for_each_attr(pos, attr, rem) {
+-		int id = blob_id(pos);
+-		int len = blob_len(pos);
++	if (id >= max)
++		return 0;
+ 
+-		if (id >= max)
+-			continue;
++	if (info) {
++		int type = info[id].type;
+ 
+-		if (info) {
+-			int type = info[id].type;
++		if (type < BLOB_ATTR_LAST) {
++			if (!blob_check_type(blob_data(attr), len, type))
++				return 0;
++		}
+ 
+-			if (type < BLOB_ATTR_LAST) {
+-				if (!blob_check_type(blob_data(pos), len, type))
+-					continue;
+-			}
++		if (info[id].minlen && len < info[id].minlen)
++			return 0;
+ 
+-			if (info[id].minlen && len < info[id].minlen)
+-				continue;
++		if (info[id].maxlen && len > info[id].maxlen)
++			return 0;
+ 
+-			if (info[id].maxlen && len > info[id].maxlen)
+-				continue;
++		if (info[id].validate && !info[id].validate(&info[id], attr))
++			return 0;
++	}
+ 
+-			if (info[id].validate && !info[id].validate(&info[id], pos))
+-				continue;
+-		}
++	if (!data[id])
++		found++;
+ 
+-		if (!data[id])
+-			found++;
++	data[id] = attr;
++	return found;
++}
+ 
+-		data[id] = pos;
++int
++blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	int found = 0;
++	size_t rem;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr(pos, attr, rem) {
++		found += blob_parse_attr(pos, data, info, max);
+ 	}
++
+ 	return found;
+ }
+ 

package/libs/libubox/patches/0004-blob-introduce-blob_parse_untrusted.patch

@@ -0,0 +1,78 @@
+From b6a0a070f2e14808e835c2fcfa3820a55041902f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 14:11:45 +0100
+Subject: blob: introduce blob_parse_untrusted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blob_parse can be only used on trusted input as it has no possibility to
+check the length of the provided input buffer, which might lead to
+undefined behaviour and/or crashes when supplied with malformed,
+corrupted or otherwise specially crafted input.
+
+So this introduces blob_parse_untrusted variant which expects additional
+input buffer length argument and thus should be able to process also
+inputs from untrusted sources.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 24 ++++++++++++++++++++++++
+ blob.h |  7 +++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/blob.c
++++ b/blob.c
+@@ -253,6 +253,30 @@ blob_parse_attr(struct blob_attr *attr,
+ }
+ 
+ int
++blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	size_t len = 0;
++	int found = 0;
++	size_t rem;
++
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	len = blob_raw_len(attr);
++	if (len != attr_len)
++		return 0;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr_len(pos, attr, len, rem) {
++		found += blob_parse_attr(pos, rem, data, info, max);
++	}
++
++	return found;
++}
++
++/* use only on trusted input, otherwise consider blob_parse_untrusted */
++int
+ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+ 	struct blob_attr *pos;
+--- a/blob.h
++++ b/blob.h
+@@ -199,6 +199,7 @@ extern void blob_nest_end(struct blob_bu
+ extern struct blob_attr *blob_put(struct blob_buf *buf, int id, const void *ptr, unsigned int len);
+ extern bool blob_check_type(const void *ptr, unsigned int len, int type);
+ extern int blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max);
++extern int blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max);
+ extern struct blob_attr *blob_memdup(struct blob_attr *attr);
+ extern struct blob_attr *blob_put_raw(struct blob_buf *buf, const void *ptr, unsigned int len);
+ 
+@@ -254,5 +255,11 @@ blob_put_u64(struct blob_buf *buf, int i
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
++#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
++	for (rem = attr ? blob_len(attr) : 0, \
++	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && rem < attr_len && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0005-blob-fix-OOB-access-in-blob_check_type.patch

@@ -0,0 +1,78 @@
+From 7425d421340594f50c717ff7129b6ee71280a447 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 15:27:16 +0100
+Subject: blob: fix OOB access in blob_check_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by fuzzer:
+
+ ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
+ The signal is caused by a READ memory access.
+     #0 in blob_check_type blob.c:214:43
+     #1 in blob_parse_attr blob.c:234:9
+     #2 in blob_parse_untrusted blob.c:272:12
+     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
+     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
+
+Caused by following line:
+
+	if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
+
+where len was pointing outside of the data buffer.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigne
+ }
+ 
+ static int
+-blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
++	int id;
++	size_t len;
+ 	int found = 0;
+-	int id = blob_id(attr);
+-	size_t len = blob_len(attr);
++	size_t data_len;
+ 
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	id = blob_id(attr);
+ 	if (id >= max)
+ 		return 0;
+ 
++	len = blob_raw_len(attr);
++	if (len > attr_len || len < sizeof(struct blob_attr))
++		return 0;
++
++	data_len = blob_len(attr);
++	if (data_len > len)
++		return 0;
++
+ 	if (info) {
+ 		int type = info[id].type;
+ 
+ 		if (type < BLOB_ATTR_LAST) {
+-			if (!blob_check_type(blob_data(attr), len, type))
++			if (!blob_check_type(blob_data(attr), data_len, type))
+ 				return 0;
+ 		}
+ 
+@@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struc
+ 
+ 	memset(data, 0, sizeof(struct blob_attr *) * max);
+ 	blob_for_each_attr(pos, attr, rem) {
+-		found += blob_parse_attr(pos, data, info, max);
++		found += blob_parse_attr(pos, rem, data, info, max);
+ 	}
+ 
+ 	return found;

package/libs/libubox/patches/0006-blobmsg-fix-heap-buffer-overflow-in-blobmsg_parse.patch

@@ -0,0 +1,32 @@
+From 0773eef13674964d890420673d2501342979d8bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 10 Dec 2019 12:02:40 +0100
+Subject: blobmsg: fix heap buffer overflow in blobmsg_parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error found by the fuzzer:
+
+ ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
+ READ of size 1 at 0x6020004f1c56 thread T0
+     #0 strcmp sanitizer_common_interceptors.inc:442:3
+     #1 blobmsg_parse blobmsg.c:168:8
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -52,6 +52,9 @@ bool blobmsg_check_attr(const struct blo
+ 
+ 	id = blob_id(attr);
+ 	len = blobmsg_data_len(attr);
++	if (len > blob_raw_len(attr))
++		return false;
++
+ 	data = blobmsg_data(attr);
+ 
+ 	if (id > BLOBMSG_TYPE_LAST)

package/libs/libubox/patches/0007-Ensure-blob_attr-length-check-does-not-perform-out-o.patch

@@ -0,0 +1,51 @@
+From cec3ed2550073abbfe0f1f6131c44f90c9d05aa8 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Wed, 28 Nov 2018 13:39:29 +0100
+Subject: Ensure blob_attr length check does not perform out of bounds reads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before there might have been as little as one single byte left which
+would result in 3 bytes of blob_attr->id_len being out of bounds.
+
+Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[line wrapped < 72 chars]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.h    | 4 ++--
+ blobmsg.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/blob.h
++++ b/blob.h
+@@ -243,7 +243,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ 
+ #define __blob_for_each_attr(pos, attr, rem) \
+ 	for (pos = (struct blob_attr *) attr; \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+@@ -251,7 +251,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ #define blob_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blob_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -266,7 +266,7 @@ int blobmsg_printf(struct blob_buf *buf,
+ #define blobmsg_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blobmsg_data_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 

package/libs/libubox/patches/0008-Replace-use-of-blobmsg_check_attr-by-blobmsg_check_a.patch

@@ -0,0 +1,132 @@
+From 8b6a401638317906b6d9039417c1c19ea8cfeab0 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Tue, 13 Nov 2018 04:16:12 +0100
+Subject: Replace use of blobmsg_check_attr by blobmsg_check_attr_len
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blobmsg_check_attr_len adds a length limit specifying the max offset
+from attr that can be read safely.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[rebased and reworked, line wrapped commit message, _safe -> _len]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 59 +++++++++++++++++++++++++++++++++++++++++++------------
+ blobmsg.h |  2 ++
+ 2 files changed, 48 insertions(+), 13 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -33,37 +33,70 @@ blobmsg_namelen(const struct blobmsg_hdr
+ 
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
+ {
++	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
++}
++
++static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
++{
++	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+-	const char *data;
+-	int id, len;
+ 
+-	if (blob_len(attr) < sizeof(struct blobmsg_hdr))
++	hdr = blob_data(attr);
++	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	hdr = (void *) attr->data;
+-	if (!hdr->namelen && name)
++	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
+ 		return false;
+ 
+-	if (blobmsg_namelen(hdr) > blob_len(attr) - sizeof(struct blobmsg_hdr))
++	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+ 		return false;
+ 
+ 	if (hdr->name[blobmsg_namelen(hdr)] != 0)
+ 		return false;
+ 
+-	id = blob_id(attr);
+-	len = blobmsg_data_len(attr);
+-	if (len > blob_raw_len(attr))
+-		return false;
++	return true;
++}
++
++static const char* blobmsg_check_data(const struct blob_attr *attr, size_t len, size_t *data_len)
++{
++	char *limit = (char *) attr + len;
++	const char *data;
++
++	*data_len = blobmsg_data_len(attr);
++	if (*data_len > blob_raw_len(attr))
++		return NULL;
+ 
+ 	data = blobmsg_data(attr);
++	if (data + *data_len > limit)
++		return NULL;
+ 
++	return data;
++}
++
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len)
++{
++	const char *data;
++	size_t data_len;
++	int id;
++
++	if (len < sizeof(struct blob_attr))
++		return false;
++
++	if (!blobmsg_check_name(attr, len, name))
++		return false;
++
++	id = blob_id(attr);
+ 	if (id > BLOBMSG_TYPE_LAST)
+ 		return false;
+ 
+ 	if (!blob_type[id])
+ 		return true;
+ 
+-	return blob_check_type(data, len, blob_type[id]);
++	data = blobmsg_check_data(attr, len, &data_len);
++	if (!data)
++		return false;
++
++	return blob_check_type(data, data_len, blob_type[id]);
+ }
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+@@ -114,7 +147,7 @@ int blobmsg_parse_array(const struct blo
+ 		    blob_id(attr) != policy[i].type)
+ 			continue;
+ 
+-		if (!blobmsg_check_attr(attr, false))
++		if (!blobmsg_check_attr_len(attr, false, len))
+ 			return -1;
+ 
+ 		if (tb[i])
+@@ -161,7 +194,7 @@ int blobmsg_parse(const struct blobmsg_p
+ 			if (blobmsg_namelen(hdr) != pslen[i])
+ 				continue;
+ 
+-			if (!blobmsg_check_attr(attr, true))
++			if (!blobmsg_check_attr_len(attr, true, len))
+ 				return -1;
+ 
+ 			if (tb[i])
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -107,6 +107,8 @@ static inline int blobmsg_len(const stru
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
++
+ /*
+  * blobmsg_check_array: validate array/table and return size
+  *

package/libs/libubox/patches/0009-blobmsg-add-_len-variants-for-all-attribute-checking.patch

@@ -0,0 +1,157 @@
+From ad29d0304983e283d4aec4ee5462942eaf5c03ac Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Thu, 15 Nov 2018 03:42:48 +0100
+Subject: blobmsg: add _len variants for all attribute checking methods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce _len variants of blobmsg attribute checking functions which
+aims to provide safer implementation as those functions should limit all
+memory accesses performed on the blob to the range [attr, attr + len]
+(upper bound non inclusive) and thus should be suited for checking of
+untrusted blob attributes.
+
+While at it add some comments in order to make it clear.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 21 ++++++++++++++++++---
+ blobmsg.h | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 72 insertions(+), 4 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,11 +101,21 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
++	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++}
++
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)
++{
+ 	struct blob_attr *cur;
+ 	bool name;
+-	int rem;
+ 	int size = 0;
+ 
++	if (type > BLOBMSG_TYPE_LAST)
++		return -1;
++
++	if (!blobmsg_check_attr_len(attr, false, len))
++		return -1;
++
+ 	switch (blobmsg_type(attr)) {
+ 	case BLOBMSG_TYPE_TABLE:
+ 		name = true;
+@@ -117,11 +127,11 @@ int blobmsg_check_array(const struct blo
+ 		return -1;
+ 	}
+ 
+-	blobmsg_for_each_attr(cur, attr, rem) {
++	__blobmsg_for_each_attr(cur, attr, len) {
+ 		if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
+ 			return -1;
+ 
+-		if (!blobmsg_check_attr(cur, name))
++		if (!blobmsg_check_attr_len(cur, name, len))
+ 			return -1;
+ 
+ 		size++;
+@@ -135,6 +145,11 @@ bool blobmsg_check_attr_list(const struc
+ 	return blobmsg_check_array(attr, type) >= 0;
+ }
+ 
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len)
++{
++	return blobmsg_check_array_len(attr, type, len) >= 0;
++}
++
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+ 			struct blob_attr **tb, void *data, unsigned int len)
+ {
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -104,19 +104,66 @@ static inline int blobmsg_len(const stru
+ 	return blobmsg_data_len(attr);
+ }
+ 
++/*
++ * blobmsg_check_attr: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+-bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_attr_len: validate a list of attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
+ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
+ 
+ /*
++ * blobmsg_check_attr_list: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
++bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
++
++/*
++ * blobmsg_check_attr_list_len: validate a list of untrusted attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr_list.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len);
++
++/*
+  * blobmsg_check_array: validate array/table and return size
+  *
+  * Checks if all elements of an array or table are valid and have
+  * the specified type. Returns the number of elements in the array
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
+  */
+ int blobmsg_check_array(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_array_len: validate untrusted array/table and return size
++ *
++ * Checks if all elements of an array or table are valid and have
++ * the specified type. Returns the number of elements in the array.
++ *
++ * This method should be safer implementation of blobmsg_check_array.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len);
++
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len);
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+@@ -271,5 +318,11 @@ int blobmsg_printf(struct blob_buf *buf,
+ 	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
++
++#define __blobmsg_for_each_attr(pos, attr, rem) \
++	for (pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0010-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch

@@ -0,0 +1,39 @@
+From 44d9e85ef058fbb9981d53218cafdc451afa5535 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 25 Dec 2019 10:27:59 +0100
+Subject: blobmsg: fix array out of bounds GCC 10 warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following warning reported by GCC 10.0.0 20191203:
+
+ blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
+   234 |  strcpy((char *) hdr->name, (const char *)name);
+       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ In file included from blobmsg.c:16:
+ blobmsg.h:42:10: note: subobject 'name' declared here
+    42 |  uint8_t name[];
+       |          ^~~~
+
+Reported-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -246,7 +246,10 @@ blobmsg_new(struct blob_buf *buf, int ty
+ 	attr->id_len |= be32_to_cpu(BLOB_ATTR_EXTENDED);
+ 	hdr = blob_data(attr);
+ 	hdr->namelen = cpu_to_be16(namelen);
+-	strcpy((char *) hdr->name, (const char *)name);
++
++	memcpy(hdr->name, name, namelen);
++	hdr->name[namelen] = '\0';
++
+ 	pad_end = *data = blobmsg_data(attr);
+ 	pad_start = (char *) &hdr->name[namelen];
+ 	if (pad_start < pad_end)

package/libs/libubox/patches/0011-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,38 @@
+From d0f05d5e6873b30315127d47abbf4ac9f3c8bfb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 28 Dec 2019 19:00:39 +0100
+Subject: blobmsg: fix wrong payload len passed from blobmsg_check_array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix incorrect use of blob_raw_len() on passed blobmsg to
+blobmsg_check_array_len()  introduced in commit b0e21553ae8c ("blobmsg:
+add _len variants for all attribute checking methods") by using correct
+blobmsg_len().
+
+This wrong (higher) length was then for example causing issues in
+procd's instance_config_parse_command() where blobmsg_check_attr_list()
+was failing sanity checking of service command, thus resulting in the
+startup failures of some services like collectd, nlbwmon and samba4.
+
+Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
+Fixes: b0e21553ae8c ("blobmsg: add _len variants for all attribute checking methods")
+Reported-by: Hannu Nyman <hannu.nyman@welho.com>
+Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,7 +101,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/libubox/patches/0012-jshn-prefer-snprintf-usage.patch

@@ -0,0 +1,61 @@
+From 31778937b4153492955495e550435c8bbf7cfde8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:55:34 +0100
+Subject: jshn: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -68,7 +68,7 @@ static int add_json_array(struct array_l
+ 	int ret;
+ 
+ 	for (i = 0, len = array_list_length(a); i < len; i++) {
+-		sprintf(seq, "%d", i);
++		snprintf(seq, sizeof(seq), "%d", i);
+ 		ret = add_json_element(seq, array_list_get_idx(a, i));
+ 		if (ret)
+ 			return ret;
+@@ -197,25 +197,27 @@ static char *getenv_avl(const char *key)
+ static char *get_keys(const char *prefix)
+ {
+ 	char *keys;
++	size_t len = var_prefix_len + strlen(prefix) + sizeof("K_") + 1;
+ 
+-	keys = alloca(var_prefix_len + strlen(prefix) + sizeof("K_") + 1);
+-	sprintf(keys, "%sK_%s", var_prefix, prefix);
++	keys = alloca(len);
++	snprintf(keys, len, "%sK_%s", var_prefix, prefix);
+ 	return getenv_avl(keys);
+ }
+ 
+ static void get_var(const char *prefix, const char **name, char **var, char **type)
+ {
+ 	char *tmpname, *varname;
++	size_t len = var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_");
+ 
+-	tmpname = alloca(var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_"));
++	tmpname = alloca(len);
+ 
+-	sprintf(tmpname, "%s%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%s%s_%s", var_prefix, prefix, *name);
+ 	*var = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sT_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sT_%s_%s", var_prefix, prefix, *name);
+ 	*type = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sN_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sN_%s_%s", var_prefix, prefix, *name);
+ 	varname = getenv_avl(tmpname);
+ 	if (varname)
+ 		*name = varname;

package/libs/libubox/patches/0013-blobmsg-blobmsg_vprintf-prefer-vsnprintf.patch

@@ -0,0 +1,38 @@
+From 935bb933e4a74de7326a4373340fd50655712334 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:57:05 +0100
+Subject: blobmsg: blobmsg_vprintf: prefer vsnprintf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it add handling of possible
+*printf() failures.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -296,10 +296,17 @@ blobmsg_vprintf(struct blob_buf *buf, co
+ 	len = vsnprintf(&cbuf, sizeof(cbuf), format, arg2);
+ 	va_end(arg2);
+ 
++	if (len < 0)
++		return -1;
++
+ 	sbuf = blobmsg_alloc_string_buffer(buf, name, len + 1);
+ 	if (!sbuf)
+ 		return -1;
+-	ret = vsprintf(sbuf, format, arg);
++
++	ret = vsnprintf(sbuf, len + 1, format, arg);
++	if (ret < 0)
++		return -1;
++
+ 	blobmsg_add_string_buffer(buf);
+ 
+ 	return ret;

package/libs/libubox/patches/0014-blobmsg_json-fix-int16-serialization.patch

@@ -0,0 +1,41 @@
+From 1cc755d7c3989b399bf0c60535a858d22819ca27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sun, 12 Jan 2020 22:40:18 +0100
+Subject: blobmsg_json: fix int16 serialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+int16 blobmsg type is currently being serialized as uint16_t due to
+missing cast during JSON output.
+
+Following blobmsg content:
+
+ bar-min: -32768 (i16)
+ bar-max: 32767 (i16)
+
+Produces following JSON:
+
+ { "bar-min":32768,"bar-max":32767 }
+
+Whereas one would expect:
+
+ { "bar-min":-32768,"bar-max":32767 }
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -250,7 +250,7 @@ static void blobmsg_format_element(struc
+ 		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", be16_to_cpu(*(uint16_t *)data));
++		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+ 		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));

package/libs/libubox/patches/0015-blobmsg_json-prefer-snprintf-usage.patch

@@ -0,0 +1,66 @@
+From 0e330ec3662795aea42ac36ecf7a9f32a249c36d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 09:05:02 +0100
+Subject: blobmsg_json: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it prefer use of PRId16 and PRId32
+formatting constants as well.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -203,7 +203,7 @@ static void blobmsg_format_string(struct
+ 		buf[1] = escape;
+ 
+ 		if (escape == 'u') {
+-			sprintf(buf + 4, "%02x", (unsigned char) *p);
++			snprintf(buf + 4, sizeof(buf) - 4, "%02x", (unsigned char) *p);
+ 			len = 6;
+ 		} else {
+ 			len = 2;
+@@ -220,7 +220,7 @@ static void blobmsg_format_json_list(str
+ static void blobmsg_format_element(struct strbuf *s, struct blob_attr *attr, bool without_name, bool head)
+ {
+ 	const char *data_str;
+-	char buf[32];
++	char buf[317];
+ 	void *data;
+ 	int len;
+ 
+@@ -244,22 +244,22 @@ static void blobmsg_format_element(struc
+ 	data_str = buf;
+ 	switch(blob_id(attr)) {
+ 	case BLOBMSG_TYPE_UNSPEC:
+-		sprintf(buf, "null");
++		snprintf(buf, sizeof(buf), "null");
+ 		break;
+ 	case BLOBMSG_TYPE_BOOL:
+-		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
++		snprintf(buf, sizeof(buf), "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId16, (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+-		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId32, (int32_t) be32_to_cpu(*(uint32_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT64:
+-		sprintf(buf, "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_DOUBLE:
+-		sprintf(buf, "%lf", blobmsg_get_double(attr));
++		snprintf(buf, sizeof(buf), "%lf", blobmsg_get_double(attr));
+ 		break;
+ 	case BLOBMSG_TYPE_STRING:
+ 		blobmsg_format_string(s, data);

package/libs/libubox/patches/0016-blobmsg-blobmsg_parse-and-blobmsg_parse_array-oob-re.patch

@@ -0,0 +1,110 @@
+From 6289e2d29883d5d9510b6a15c18c597478967a42 Mon Sep 17 00:00:00 2001
+From: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+Date: Sun, 12 Jan 2020 12:26:18 +0100
+Subject: blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
+out of bounds read happens because blob_attr and blobmsg_hdr have
+flexible array members, whose size is 0 in the corresponding sizeofs.
+For example the __blob_for_each_attr macro checks whether rem >=
+sizeof(struct blob_attr). However, what LibFuzzer discovered was,
+if the input data was only 4 bytes, the data would be casted to blob_attr,
+and later on blob_data(attr) would be called even though attr->data was empty.
+The same issue could appear with data larger than 4 bytes, where data
+wasn't empty, but contained only the start of the blobmsg_hdr struct,
+and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
+blobmsg_parse and blobmsg_array_parse with LibFuzzer.
+
+CC: Luka Perkov <luka.perkov@sartura.hr>
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+[refactored some checks, added fuzz inputs, adjusted unit test results]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 40 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 32 insertions(+), 8 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -36,16 +36,38 @@ bool blobmsg_check_attr(const struct blo
+ 	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
+ }
+ 
++static const struct blobmsg_hdr* blobmsg_hdr_from_blob(const struct blob_attr *attr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
++		return NULL;
++
++	return blob_data(attr);
++}
++
++static bool blobmsg_hdr_valid_namelen(const struct blobmsg_hdr *hdr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr) + blobmsg_namelen(hdr) + 1)
++		return false;
++
++	return true;
++}
++
+ static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
+ {
+ 	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+ 
+-	hdr = blob_data(attr);
++	hdr = blobmsg_hdr_from_blob(attr, len);
++	if (!hdr)
++		return false;
++
+ 	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
++	if (name && !blobmsg_hdr_valid_namelen(hdr, len))
++		return false;
++
++	if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit)
+ 		return false;
+ 
+ 	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+@@ -79,9 +101,6 @@ bool blobmsg_check_attr_len(const struct
+ 	size_t data_len;
+ 	int id;
+ 
+-	if (len < sizeof(struct blob_attr))
+-		return false;
+-
+ 	if (!blobmsg_check_name(attr, len, name))
+ 		return false;
+ 
+@@ -176,11 +195,10 @@ int blobmsg_parse_array(const struct blo
+ 	return 0;
+ }
+ 
+-
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len)
+ {
+-	struct blobmsg_hdr *hdr;
++	const struct blobmsg_hdr *hdr;
+ 	struct blob_attr *attr;
+ 	uint8_t *pslen;
+ 	int i;
+@@ -197,7 +215,13 @@ int blobmsg_parse(const struct blobmsg_p
+ 	}
+ 
+ 	__blob_for_each_attr(attr, data, len) {
+-		hdr = blob_data(attr);
++		hdr = blobmsg_hdr_from_blob(attr, len);
++		if (!hdr)
++			return -1;
++
++		if (!blobmsg_hdr_valid_namelen(hdr, len))
++			return -1;
++
+ 		for (i = 0; i < policy_len; i++) {
+ 			if (!policy[i].name)
+ 				continue;

package/libs/libubox/patches/0017-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,33 @@
+From 75e300aeec25e032a9778bea34c713969960d1f0 Mon Sep 17 00:00:00 2001
+From: Chris Nisbet <nischris@gmail.com>
+Date: Wed, 12 Feb 2020 21:00:31 +1300
+Subject: [PATCH] blobmsg: fix wrong payload len passed from
+ blobmsg_check_array
+
+Fix incorrect use of blobmsg_len() on passed blobmsg to
+blobmsg_check_array_len() introduced in commit 379cd33d1992
+("fix wrong payload len passed from blobmsg_check_array") by using correct
+blob_len().
+
+By using blobmsg_len() a value too small was passed to blobmsg_check_array()
+which could lead to this function returning an error when there is none.
+
+Fixes: 379cd33d1992 ("fix wrong payload len passed from blobmsg_check_array")
+Signed-off-by: Chris Nisbet <nischris@gmail.com>
+[add fixes tag, rewrap commit message]
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -120,7 +120,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
++	return blobmsg_check_array_len(attr, type, blob_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.3
+PKG_VERSION:=2.16.4
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a
+PKG_HASH:=5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -750,19 +750,19 @@
+@@ -757,19 +757,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -811,7 +811,7 @@
+@@ -818,7 +818,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -864,7 +864,7 @@
+@@ -871,7 +871,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -884,7 +884,7 @@
+@@ -891,7 +891,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -909,7 +909,7 @@
+@@ -916,7 +916,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1043,7 +1043,7 @@
+@@ -1050,7 +1050,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1067,7 +1067,7 @@
+@@ -1074,7 +1074,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1171,7 +1171,7 @@
+@@ -1178,7 +1178,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1266,14 +1266,14 @@
+@@ -1273,14 +1273,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1289,7 +1289,7 @@
+@@ -1296,7 +1296,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1427,7 +1427,7 @@
+@@ -1434,7 +1434,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1602,7 +1602,7 @@
+@@ -1609,7 +1609,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1632,7 +1632,7 @@
+@@ -1639,7 +1639,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1691,7 +1691,7 @@
+@@ -1698,7 +1698,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2021,7 +2021,7 @@
+@@ -2028,7 +2028,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2087,7 +2087,7 @@
+@@ -2094,7 +2094,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2099,7 +2099,7 @@
+@@ -2106,7 +2106,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2108,7 +2108,7 @@
+@@ -2115,7 +2115,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -2119,7 +2119,7 @@
+@@ -2126,7 +2126,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2174,7 +2174,7 @@
+@@ -2185,7 +2185,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2203,7 +2203,7 @@
+@@ -2214,7 +2214,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2366,7 +2366,7 @@
+@@ -2377,7 +2377,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2380,7 +2380,7 @@
+@@ -2391,7 +2391,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2676,7 +2676,7 @@
+@@ -2687,7 +2687,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2686,7 +2686,7 @@
+@@ -2697,7 +2697,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2697,7 +2697,7 @@
+@@ -2708,7 +2708,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2804,7 +2804,7 @@
+@@ -2815,7 +2815,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2904,7 +2904,7 @@
+@@ -2915,7 +2915,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -3014,7 +3014,7 @@
+@@ -3025,7 +3025,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/libs/openssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.0.2
-PKG_BUGFIX:=t
+PKG_BUGFIX:=u
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
 	http://gd.tuwien.ac.at/infosys/security/openssl/source/ \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc
+PKG_HASH:=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE

package/network/config/netifd/files/lib/netifd/proto/dhcp.sh

@@ -46,6 +46,8 @@ proto_dhcp_setup() {
 	json_for_each_item proto_dhcp_add_sendopts sendopts dhcpopts
 
 	[ -z "$hostname" ] && hostname="$(cat /proc/sys/kernel/hostname)"
+	[ "$hostname" = "*" ] && hostname=
+
 	[ "$defaultreqopts" = 0 ] && defaultreqopts="-o" || defaultreqopts=
 	[ "$broadcast" = 1 ] && broadcast="-B" || broadcast=
 	[ "$release" = 1 ] && release="-R" || release=

package/network/services/hostapd/Makefile

@@ -88,9 +88,6 @@ DRIVER_MAKEOPTS= \
 	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
 	CONFIG_DRIVER_WEXT=$(CONFIG_DRIVER_WEXT_SUPPORT) \
 
-space :=
-space +=
-
 ifeq ($(LOCAL_VARIANT),full)
   DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT)
 endif

package/network/services/ppp/Makefile

@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ppp
 PKG_VERSION:=2.4.7
-PKG_RELEASE:=12
+PKG_RELEASE:=13
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.samba.org/pub/ppp/

package/network/services/ppp/patches/700-radius-Prevent-buffer-overflow-in-rc_mksid.patch

@@ -0,0 +1,30 @@
+From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Sat, 4 Jan 2020 12:01:32 +1100
+Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
+
+On some systems getpid() can return a value greater than 65535.
+Increase the size of buf[] to allow for this, and use slprintf()
+to make sure we never overflow it.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/plugins/radius/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
+index 6f976a712951..740131e8377c 100644
+--- a/pppd/plugins/radius/util.c
++++ b/pppd/plugins/radius/util.c
+@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
+ char *
+ rc_mksid (void)
+ {
+-  static char buf[15];
++  static char buf[32];
+   static unsigned short int cnt = 0;
+-  sprintf (buf, "%08lX%04X%02hX",
++  slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+ 	   (unsigned int) getpid (),
+ 	   cnt & 0xFF);

package/network/services/ppp/patches/701-pppd-Fix-bounds-check-in-EAP-code.patch

@@ -0,0 +1,37 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname).  This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f56a336..1b93db01aebd 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';

package/network/services/ppp/patches/702-pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch

@@ -0,0 +1,61 @@
+From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 16:31:42 +1100
+Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
+
+This adds some basic checks to the subroutines of eap_input to check
+that we have requested or agreed to doing EAP authentication before
+doing any processing on the received packet.  The motivation is to
+make it harder for a malicious peer to disrupt the operation of pppd
+by sending unsolicited EAP packets.  Note that eap_success() already
+has a check that the EAP client state is reasonable, and does nothing
+(apart from possibly printing a debug message) if not.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 1b93db01aebd..082e95343120 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1328,6 +1328,12 @@ int len;
+ 	int fd;
+ #endif /* USE_SRP */
+ 
++	/*
++	 * Ignore requests if we're not open
++	 */
++	if (esp->es_client.ea_state <= eapClosed)
++		return;
++
+ 	/*
+ 	 * Note: we update es_client.ea_id *only if* a Response
+ 	 * message is being generated.  Otherwise, we leave it the
+@@ -1736,6 +1742,12 @@ int len;
+ 	u_char dig[SHA_DIGESTSIZE];
+ #endif /* USE_SRP */
+ 
++	/*
++	 * Ignore responses if we're not open
++	 */
++	if (esp->es_server.ea_state <= eapClosed)
++		return;
++
+ 	if (esp->es_server.ea_id != id) {
+ 		dbglog("EAP: discarding Response %d; expected ID %d", id,
+ 		    esp->es_server.ea_id);
+@@ -2047,6 +2059,12 @@ u_char *inp;
+ int id;
+ int len;
+ {
++	/*
++	 * Ignore failure messages if we're not open
++	 */
++	if (esp->es_client.ea_state <= eapClosed)
++		return;
++
+ 	if (!eap_client_active(esp)) {
+ 		dbglog("EAP unexpected failure message in state %s (%d)",
+ 		    eap_state_name(esp->es_client.ea_state),

package/network/services/uhttpd/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
-PKG_SOURCE_DATE:=2018-11-28
-PKG_SOURCE_VERSION:=cdfc902a4cb77bc538a729f9e1c8a8578454a0e5
-PKG_MIRROR_HASH:=6b21111547a4453355bd6c941a47f0116a652a77d87c1e05a035168b8ab2aa6f
+PKG_SOURCE_DATE:=2020-02-12
+PKG_SOURCE_VERSION:=2ee323c01079248baa9465969df9e25b5fb68cdf
+PKG_MIRROR_HASH:=ebec09286cf5f977cac893931a5a4f27ba891db88d5e44a9b0de9446ae431527
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=ISC
 

package/network/utils/ethtool/Makefile

@@ -23,7 +23,7 @@ PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 
-PKG_CONFIG_DEPENDS:=ETHTOOL_PRETTY_DUMP
+PKG_CONFIG_DEPENDS:=CONFIG_ETHTOOL_PRETTY_DUMP
 
 include $(INCLUDE_DIR)/package.mk
 

package/system/opkg/Makefile

@@ -14,9 +14,9 @@ PKG_FLAGS:=essential
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.openwrt.org/project/opkg-lede.git
-PKG_SOURCE_DATE:=2019-06-14
-PKG_SOURCE_VERSION:=dcbc142e51f5f5f2fb9e4e44657e013d3c36a52b
-PKG_MIRROR_HASH:=fca7e71dd06f0d5ee0af0d0a493d641d4d5d7e403d64c67879a462a020aa2299
+PKG_SOURCE_DATE:=2020-01-25
+PKG_SOURCE_VERSION:=c09fe2098718807ddbca13ee36e3e38801822946
+PKG_MIRROR_HASH:=b2fba519fb3bf2da2e325a33eee951b85c7c1886e48ebaac3892435a71ae33d5
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING

package/utils/e2fsprogs/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=e2fsprogs
 PKG_VERSION:=1.44.1
 PKG_HASH:=0ca164c1c87724df904c918b2d7051ef989b51de725db66c67514dbe6dd2b9ef
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/kernel/people/tytso/e2fsprogs/v$(PKG_VERSION)/

package/utils/e2fsprogs/patches/100-CVE-2019-5094-libsupport.patch

@@ -0,0 +1,203 @@
+From 09fe1fd2a1f9efc3091b4fc61f1876d0785956a8 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 1 Sep 2019 00:59:16 -0400
+Subject: libsupport: add checks to prevent buffer overrun bugs in quota code
+
+A maliciously corrupted file systems can trigger buffer overruns in
+the quota code used by e2fsck.  To fix this, add sanity checks to the
+quota header fields as well as to block number references in the quota
+tree.
+
+Addresses: CVE-2019-5094
+Addresses: TALOS-2019-0887
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+(cherry picked from commit 8dbe7b475ec5e91ed767239f0e85880f416fc384)
+---
+ lib/support/mkquota.c      |  1 +
+ lib/support/quotaio_tree.c | 71 ++++++++++++++++++++++++++++++----------------
+ lib/support/quotaio_v2.c   | 28 ++++++++++++++++++
+ 3 files changed, 76 insertions(+), 24 deletions(-)
+
+--- a/lib/support/mkquota.c
++++ b/lib/support/mkquota.c
+@@ -663,6 +663,7 @@ errcode_t quota_compare_and_update(quota
+ 	err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
+ 	if (err) {
+ 		log_debug("Error scanning dquots");
++		*usage_inconsistent = 1;
+ 		goto out_close_qh;
+ 	}
+ 
+--- a/lib/support/quotaio_tree.c
++++ b/lib/support/quotaio_tree.c
+@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct qu
+ 	return dquot;
+ }
+ 
++static int check_reference(struct quota_handle *h, unsigned int blk)
++{
++	if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
++		log_err("Illegal reference (%u >= %u) in %s quota file",
++			blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
++			quota_type2name(h->qh_type));
++		return -1;
++	}
++	return 0;
++}
++
+ /*
+  * Scan all dquots in file and call callback on each
+  */
+@@ -558,7 +569,7 @@ static int report_block(struct dquot *dq
+ 	int entries, i;
+ 
+ 	if (!buf)
+-		return 0;
++		return -1;
+ 
+ 	set_bit(bitmap, blk);
+ 	read_blk(dquot->dq_h, blk, buf);
+@@ -580,23 +591,12 @@ static int report_block(struct dquot *dq
+ 	return entries;
+ }
+ 
+-static void check_reference(struct quota_handle *h, unsigned int blk)
+-{
+-	if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
+-		log_err("Illegal reference (%u >= %u) in %s quota file. "
+-			"Quota file is probably corrupted.\n"
+-			"Please run e2fsck (8) to fix it.",
+-			blk,
+-			h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
+-			quota_type2name(h->qh_type));
+-}
+-
+ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+ 		       char *bitmap,
+ 		       int (*process_dquot) (struct dquot *, void *),
+ 		       void *data)
+ {
+-	int entries = 0, i;
++	int entries = 0, ret, i;
+ 	dqbuf_t buf = getdqbuf();
+ 	__le32 *ref = (__le32 *) buf;
+ 
+@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dqu
+ 	if (depth == QT_TREEDEPTH - 1) {
+ 		for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ 			blk = ext2fs_le32_to_cpu(ref[i]);
+-			check_reference(dquot->dq_h, blk);
+-			if (blk && !get_bit(bitmap, blk))
+-				entries += report_block(dquot, blk, bitmap,
+-							process_dquot, data);
++			if (check_reference(dquot->dq_h, blk)) {
++				entries = -1;
++				goto errout;
++			}
++			if (blk && !get_bit(bitmap, blk)) {
++				ret = report_block(dquot, blk, bitmap,
++						   process_dquot, data);
++				if (ret < 0) {
++					entries = ret;
++					goto errout;
++				}
++				entries += ret;
++			}
+ 		}
+ 	} else {
+ 		for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ 			blk = ext2fs_le32_to_cpu(ref[i]);
+ 			if (blk) {
+-				check_reference(dquot->dq_h, blk);
+-				entries += report_tree(dquot, blk, depth + 1,
+-						       bitmap, process_dquot,
+-						       data);
++				if (check_reference(dquot->dq_h, blk)) {
++					entries = -1;
++					goto errout;
++				}
++				ret = report_tree(dquot, blk, depth + 1,
++						  bitmap, process_dquot,
++						  data);
++				if (ret < 0) {
++					entries = ret;
++					goto errout;
++				}
++				entries += ret;
+ 			}
+ 		}
+ 	}
++errout:
+ 	freedqbuf(buf);
+ 	return entries;
+ }
+@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handl
+ 		      int (*process_dquot) (struct dquot *, void *),
+ 		      void *data)
+ {
++	int ret;
+ 	char *bitmap;
+ 	struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
+ 	struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
+@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handl
+ 		ext2fs_free_mem(&dquot);
+ 		return -1;
+ 	}
+-	v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
+-					       process_dquot, data);
++	ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
++	if (ret < 0)
++		goto errout;
++	v2info->dqi_used_entries = ret;
+ 	v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
++	ret = 0;
++errout:
+ 	ext2fs_free_mem(&bitmap);
+ 	ext2fs_free_mem(&dquot);
+-	return 0;
++	return ret;
+ }
+--- a/lib/support/quotaio_v2.c
++++ b/lib/support/quotaio_v2.c
+@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_ha
+ static int v2_init_io(struct quota_handle *h)
+ {
+ 	struct v2_disk_dqinfo ddqinfo;
++	struct v2_mem_dqinfo *info;
++	__u64 filesize;
+ 
+ 	h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
+ 		sizeof(struct v2r1_disk_dqblk);
+@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handl
+ 			 sizeof(ddqinfo)) != sizeof(ddqinfo))
+ 		return -1;
+ 	v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
++
++	/* Check to make sure quota file info is sane */
++	info = &h->qh_info.u.v2_mdqi;
++	if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
++		return -1;
++	if ((filesize > (1U << 31)) ||
++	    (info->dqi_qtree.dqi_blocks >
++	     (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
++		log_err("Quota inode %u corrupted: file size %llu; "
++			"dqi_blocks %u", h->qh_qf.ino,
++			filesize, info->dqi_qtree.dqi_blocks);
++		return -1;
++	}
++	if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
++		log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
++			h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
++			info->dqi_qtree.dqi_blocks);
++		return -1;
++	}
++	if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
++		log_err("Quota inode %u corrupted: free_entry %u; "
++			"dqi_blocks %u", h->qh_qf.ino,
++			info->dqi_qtree.dqi_free_entry,
++			info->dqi_qtree.dqi_blocks);
++		return -1;
++	}
+ 	return 0;
+ }
+ 

scripts/download.pl

@@ -197,6 +197,7 @@ foreach my $mirror (@ARGV) {
 		push @mirrors, "https://mirror.netcologne.de/apache.org/$1";
 		push @mirrors, "https://mirror.aarnet.edu.au/pub/apache/$1";
 		push @mirrors, "https://mirror.csclub.uwaterloo.ca/apache/$1";
+		push @mirrors, "https://archive.apache.org/dist/$1";
 		push @mirrors, "http://mirror.cogentco.com/pub/apache/$1";
 		push @mirrors, "http://mirror.navercorp.com/apache/$1";
 		push @mirrors, "http://ftp.jaist.ac.jp/pub/apache/$1";

target/linux/apm821xx/patches-4.14/020-0002-crypto-crypto4xx-remove-unused-definitions-and-write.patch

@@ -67,7 +67,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -973,7 +973,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -969,7 +969,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
  
  	sa->sa_command_1.bf.hash_crypto_offset = 0;
  	pd->pd_ctl.w = ctx->pd_ctl;

target/linux/apm821xx/patches-4.14/020-0003-crypto-crypto4xx-set-CRYPTO_ALG_KERN_DRIVER_ONLY-fla.patch

@@ -18,7 +18,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1125,7 +1125,9 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1121,7 +1121,9 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_name 	= "cbc(aes)",
  		.cra_driver_name = "cbc-aes-ppc4xx",
  		.cra_priority 	= CRYPTO4XX_CRYPTO_PRIORITY,

target/linux/apm821xx/patches-4.14/020-0005-crypto-crypto4xx-remove-double-assignment-of-pd_uinf.patch

@@ -14,7 +14,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1090,7 +1090,6 @@ static void crypto4xx_bh_tasklet_cb(unsi
+@@ -1086,7 +1086,6 @@ static void crypto4xx_bh_tasklet_cb(unsi
  			pd->pd_ctl.bf.pe_done = 0;
  			crypto4xx_pd_done(core_dev->dev, tail);
  			crypto4xx_put_pd_to_pdr(core_dev->dev, tail);

target/linux/apm821xx/patches-4.14/020-0008-crypto-crypto4xx-enable-AES-RFC3686-ECB-CFB-and-OFB-.patch

@@ -109,7 +109,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include <crypto/sha.h>
  #include "crypto4xx_reg_def.h"
  #include "crypto4xx_core.h"
-@@ -1144,6 +1145,103 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1140,6 +1141,103 @@ struct crypto4xx_alg_common crypto4xx_al
  			}
  		}
  	}},

target/linux/apm821xx/patches-4.14/020-0009-crypto-crypto4xx-refactor-crypto4xx_copy_pkt_to_dst.patch

@@ -27,7 +27,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include "crypto4xx_reg_def.h"
  #include "crypto4xx_core.h"
  #include "crypto4xx_sa.h"
-@@ -483,111 +484,44 @@ static inline struct ce_sd *crypto4xx_ge
+@@ -479,111 +480,44 @@ static inline struct ce_sd *crypto4xx_ge
  	return  (struct ce_sd *)(dev->sdr + sizeof(struct ce_sd) * idx);
  }
  

target/linux/apm821xx/patches-4.14/020-0010-crypto-crypto4xx-replace-crypto4xx_dev-s-scatter_buf.patch

@@ -27,9 +27,9 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 -			dev->scatter_buffer_size * PPC4XX_NUM_SD,
 +			PPC4XX_SD_BUFFER_SIZE * PPC4XX_NUM_SD,
  			&dev->scatter_buffer_pa, GFP_ATOMIC);
- 	if (!dev->scatter_buffer_va) {
- 		dma_free_coherent(dev->core_dev->device,
-@@ -412,7 +411,7 @@ static u32 crypto4xx_build_sdr(struct cr
+ 	if (!dev->scatter_buffer_va)
+ 		return -ENOMEM;
+@@ -408,7 +407,7 @@ static u32 crypto4xx_build_sdr(struct cr
  
  	for (i = 0; i < PPC4XX_NUM_SD; i++) {
  		sd_array[i].ptr = dev->scatter_buffer_pa +
@@ -38,7 +38,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	}
  
  	return 0;
-@@ -427,7 +426,7 @@ static void crypto4xx_destroy_sdr(struct
+@@ -423,7 +422,7 @@ static void crypto4xx_destroy_sdr(struct
  
  	if (dev->scatter_buffer_va)
  		dma_free_coherent(dev->core_dev->device,

target/linux/apm821xx/patches-4.14/020-0012-crypto-crypto4xx-pointer-arithmetic-overhaul.patch

@@ -171,9 +171,9 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  	/* alloc memory for scatter descriptor ring */
  	dev->sdr = dma_alloc_coherent(dev->core_dev->device,
-@@ -407,10 +403,8 @@ static u32 crypto4xx_build_sdr(struct cr
+@@ -403,10 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
+ 	if (!dev->scatter_buffer_va)
  		return -ENOMEM;
- 	}
  
 -	sd_array = dev->sdr;
 -
@@ -183,7 +183,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				  PPC4XX_SD_BUFFER_SIZE * i;
  	}
  
-@@ -480,7 +474,7 @@ static inline struct ce_sd *crypto4xx_ge
+@@ -476,7 +470,7 @@ static inline struct ce_sd *crypto4xx_ge
  {
  	*sd_dma = dev->sdr_pa + sizeof(struct ce_sd) * idx;
  
@@ -192,7 +192,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static void crypto4xx_copy_pkt_to_dst(struct crypto4xx_device *dev,
-@@ -529,11 +523,10 @@ static u32 crypto4xx_copy_digest_to_dst(
+@@ -525,11 +519,10 @@ static u32 crypto4xx_copy_digest_to_dst(
  					struct crypto4xx_ctx *ctx)
  {
  	struct dynamic_sa_ctl *sa = (struct dynamic_sa_ctl *) ctx->sa_in;
@@ -206,7 +206,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		       SA_HASH_ALG_SHA1_DIGEST_SIZE);
  	}
  
-@@ -616,11 +609,9 @@ static u32 crypto4xx_ahash_done(struct c
+@@ -612,11 +605,9 @@ static u32 crypto4xx_ahash_done(struct c
  
  static u32 crypto4xx_pd_done(struct crypto4xx_device *dev, u32 idx)
  {
@@ -220,7 +220,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	if (crypto_tfm_alg_type(pd_uinfo->async_req->tfm) ==
  			CRYPTO_ALG_TYPE_ABLKCIPHER)
  		return crypto4xx_ablkcipher_done(dev, pd_uinfo, pd);
-@@ -721,7 +712,6 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -717,7 +708,6 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	unsigned long flags;
  	struct pd_uinfo *pd_uinfo = NULL;
  	unsigned int nbytes = datalen, idx;
@@ -228,7 +228,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	u32 gd_idx = 0;
  
  	/* figure how many gd is needed */
-@@ -780,17 +770,15 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -776,17 +766,15 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	}
  	spin_unlock_irqrestore(&dev->core_dev->lock, flags);
  
@@ -248,7 +248,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		if (ctx->direction == DIR_INBOUND)
  			memcpy(sa, ctx->sa_in, ctx->sa_len * 4);
  		else
-@@ -800,14 +788,15 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -796,14 +784,15 @@ u32 crypto4xx_build_pd(struct crypto_asy
  			&pd_uinfo->sr_pa, 4);
  
  		if (iv_len)
@@ -267,7 +267,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		}
  	}
  	pd->sa_len = ctx->sa_len;
-@@ -1015,9 +1004,8 @@ static void crypto4xx_bh_tasklet_cb(unsi
+@@ -1011,9 +1000,8 @@ static void crypto4xx_bh_tasklet_cb(unsi
  
  	while (core_dev->dev->pdr_head != core_dev->dev->pdr_tail) {
  		tail = core_dev->dev->pdr_tail;

target/linux/apm821xx/patches-4.14/020-0014-crypto-crypto4xx-fix-off-by-one-AES-OFB.patch

@@ -38,7 +38,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1157,7 +1157,7 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1153,7 +1153,7 @@ struct crypto4xx_alg_common crypto4xx_al
  				.min_keysize	= AES_MIN_KEY_SIZE,
  				.max_keysize	= AES_MAX_KEY_SIZE,
  				.ivsize		= AES_IV_SIZE,

target/linux/apm821xx/patches-4.14/020-0017-crypto-crypto4xx-add-backlog-queue-support.patch

@@ -56,7 +56,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include "crypto4xx_reg_def.h"
  #include "crypto4xx_core.h"
  #include "crypto4xx_sa.h"
-@@ -582,8 +583,10 @@ static u32 crypto4xx_ablkcipher_done(str
+@@ -578,8 +579,10 @@ static u32 crypto4xx_ablkcipher_done(str
  	}
  
  	crypto4xx_ret_sg_desc(dev, pd_uinfo);
@@ -69,7 +69,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  	return 0;
  }
-@@ -600,9 +603,10 @@ static u32 crypto4xx_ahash_done(struct c
+@@ -596,9 +599,10 @@ static u32 crypto4xx_ahash_done(struct c
  	crypto4xx_copy_digest_to_dst(pd_uinfo,
  				     crypto_tfm_ctx(ahash_req->base.tfm));
  	crypto4xx_ret_sg_desc(dev, pd_uinfo);
@@ -83,7 +83,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  	return 0;
  }
-@@ -713,6 +717,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -709,6 +713,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	struct pd_uinfo *pd_uinfo = NULL;
  	unsigned int nbytes = datalen, idx;
  	u32 gd_idx = 0;
@@ -91,7 +91,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  	/* figure how many gd is needed */
  	num_gd = sg_nents_for_len(src, datalen);
-@@ -743,6 +748,31 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -739,6 +744,31 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	 * already got must be return the original place.
  	 */
  	spin_lock_irqsave(&dev->core_dev->lock, flags);
@@ -123,7 +123,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	if (num_gd) {
  		fst_gd = crypto4xx_get_n_gd(dev, num_gd);
  		if (fst_gd == ERING_WAS_FULL) {
-@@ -897,11 +927,12 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -893,11 +923,12 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	sa->sa_command_1.bf.hash_crypto_offset = 0;
  	pd->pd_ctl.w = ctx->pd_ctl;
  	pd->pd_ctl_len.w = 0x00400000 | datalen;
@@ -138,7 +138,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  /**
-@@ -1006,7 +1037,7 @@ static void crypto4xx_bh_tasklet_cb(unsi
+@@ -1002,7 +1033,7 @@ static void crypto4xx_bh_tasklet_cb(unsi
  		tail = core_dev->dev->pdr_tail;
  		pd_uinfo = &core_dev->dev->pdr_uinfo[tail];
  		pd = &core_dev->dev->pdr[tail];

target/linux/apm821xx/patches-4.14/020-0018-crypto-crypto4xx-use-the-correct-LE32-format-for-IV-.patch

@@ -45,7 +45,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	ctx->is_hash = 0;
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -623,42 +623,6 @@ static u32 crypto4xx_pd_done(struct cryp
+@@ -619,42 +619,6 @@ static u32 crypto4xx_pd_done(struct cryp
  		return crypto4xx_ahash_done(dev, pd_uinfo);
  }
  
@@ -88,7 +88,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  static void crypto4xx_stop_all(struct crypto4xx_core_device *core_dev)
  {
  	crypto4xx_destroy_pdr(core_dev->dev);
-@@ -818,8 +782,8 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -814,8 +778,8 @@ u32 crypto4xx_build_pd(struct crypto_asy
  			&pd_uinfo->sr_pa, 4);
  
  		if (iv_len)

target/linux/apm821xx/patches-4.14/020-0019-crypto-crypto4xx-overhaul-crypto4xx_build_pd.patch

@@ -263,7 +263,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  /**
   * alloc memory for the gather ring
   * no need to alloc buf for the ring
-@@ -520,18 +514,16 @@ static void crypto4xx_copy_pkt_to_dst(st
+@@ -516,18 +510,16 @@ static void crypto4xx_copy_pkt_to_dst(st
  	}
  }
  
@@ -285,7 +285,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static void crypto4xx_ret_sg_desc(struct crypto4xx_device *dev,
-@@ -600,7 +592,7 @@ static u32 crypto4xx_ahash_done(struct c
+@@ -596,7 +588,7 @@ static u32 crypto4xx_ahash_done(struct c
  	ahash_req = ahash_request_cast(pd_uinfo->async_req);
  	ctx  = crypto_tfm_ctx(ahash_req->base.tfm);
  
@@ -294,7 +294,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				     crypto_tfm_ctx(ahash_req->base.tfm));
  	crypto4xx_ret_sg_desc(dev, pd_uinfo);
  
-@@ -660,17 +652,17 @@ static u32 get_next_sd(u32 current)
+@@ -656,17 +648,17 @@ static u32 get_next_sd(u32 current)
  		return 0;
  }
  
@@ -317,7 +317,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	struct ce_gd *gd;
  	struct ce_pd *pd;
  	u32 num_gd, num_sd;
-@@ -678,8 +670,9 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -674,8 +666,9 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	u32 fst_sd = 0xffffffff;
  	u32 pd_entry;
  	unsigned long flags;
@@ -329,7 +329,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	u32 gd_idx = 0;
  	bool is_busy;
  
-@@ -693,7 +686,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -689,7 +682,7 @@ u32 crypto4xx_build_pd(struct crypto_asy
  		num_gd = 0;
  
  	/* figure how many sd is needed */
@@ -338,7 +338,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		num_sd = 0;
  	} else {
  		if (datalen > PPC4XX_SD_BUFFER_SIZE) {
-@@ -764,37 +757,27 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -760,37 +753,27 @@ u32 crypto4xx_build_pd(struct crypto_asy
  	}
  	spin_unlock_irqrestore(&dev->core_dev->lock, flags);
  
@@ -389,7 +389,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		/* get first gd we are going to use */
  		gd_idx = fst_gd;
  		pd_uinfo->first_gd = fst_gd;
-@@ -803,27 +786,30 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -799,27 +782,30 @@ u32 crypto4xx_build_pd(struct crypto_asy
  		pd->src = gd_dma;
  		/* enable gather */
  		sa->sa_command_0.bf.gather = 1;
@@ -430,7 +430,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		/*
  		 * Disable gather in sa command
  		 */
-@@ -834,25 +820,24 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -830,25 +816,24 @@ u32 crypto4xx_build_pd(struct crypto_asy
  		pd_uinfo->first_gd = 0xffffffff;
  		pd_uinfo->num_gd = 0;
  	}
@@ -463,7 +463,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		u32 sd_idx = fst_sd;
  		nbytes = datalen;
  		sa->sa_command_0.bf.scatter = 1;
-@@ -866,7 +851,6 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -862,7 +847,6 @@ u32 crypto4xx_build_pd(struct crypto_asy
  		sd->ctl.done = 0;
  		sd->ctl.rdy = 1;
  		/* sd->ptr should be setup by sd_init routine*/
@@ -471,7 +471,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		if (nbytes >= PPC4XX_SD_BUFFER_SIZE)
  			nbytes -= PPC4XX_SD_BUFFER_SIZE;
  		else
-@@ -877,19 +861,23 @@ u32 crypto4xx_build_pd(struct crypto_asy
+@@ -873,19 +857,23 @@ u32 crypto4xx_build_pd(struct crypto_asy
  			/* setup scatter descriptor */
  			sd->ctl.done = 0;
  			sd->ctl.rdy = 1;

target/linux/apm821xx/patches-4.14/020-0020-crypto-crypto4xx-fix-various-warnings.patch

@@ -42,7 +42,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	if (n >= PPC4XX_NUM_GD)
  		return ERING_WAS_FULL;
  
-@@ -625,17 +626,6 @@ static void crypto4xx_stop_all(struct cr
+@@ -621,17 +622,6 @@ static void crypto4xx_stop_all(struct cr
  	kfree(core_dev);
  }
  

target/linux/apm821xx/patches-4.14/020-0021-crypto-crypto4xx-fix-stalls-under-heavy-load.patch

@@ -44,7 +44,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  /**
-@@ -863,16 +866,16 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -859,16 +862,16 @@ int crypto4xx_build_pd(struct crypto_asy
  		}
  	}
  
@@ -66,7 +66,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	writel(1, dev->ce_base + CRYPTO4XX_INT_DESCR_RD);
  	return is_busy ? -EBUSY : -EINPROGRESS;
  }
-@@ -973,23 +976,23 @@ static void crypto4xx_bh_tasklet_cb(unsi
+@@ -969,23 +972,23 @@ static void crypto4xx_bh_tasklet_cb(unsi
  	struct crypto4xx_core_device *core_dev = dev_get_drvdata(dev);
  	struct pd_uinfo *pd_uinfo;
  	struct ce_pd *pd;

target/linux/apm821xx/patches-4.14/020-0022-crypto-crypto4xx-simplify-sa-and-state-context-acqui.patch

@@ -167,7 +167,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  /**
   * alloc memory for the gather ring
   * no need to alloc buf for the ring
-@@ -892,8 +861,6 @@ static int crypto4xx_alg_init(struct cry
+@@ -888,8 +857,6 @@ static int crypto4xx_alg_init(struct cry
  	ctx->dev = amcc_alg->dev;
  	ctx->sa_in = NULL;
  	ctx->sa_out = NULL;
@@ -176,7 +176,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	ctx->sa_len = 0;
  
  	switch (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) {
-@@ -914,7 +881,6 @@ static void crypto4xx_alg_exit(struct cr
+@@ -910,7 +877,6 @@ static void crypto4xx_alg_exit(struct cr
  	struct crypto4xx_ctx *ctx = crypto_tfm_ctx(tfm);
  
  	crypto4xx_free_sa(ctx);

target/linux/apm821xx/patches-4.14/020-0023-crypto-crypto4xx-prepare-for-AEAD-support.patch

@@ -116,7 +116,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include <crypto/internal/skcipher.h>
  #include "crypto4xx_reg_def.h"
  #include "crypto4xx_core.h"
-@@ -518,7 +520,7 @@ static void crypto4xx_ret_sg_desc(struct
+@@ -514,7 +516,7 @@ static void crypto4xx_ret_sg_desc(struct
  	}
  }
  
@@ -125,7 +125,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				     struct pd_uinfo *pd_uinfo,
  				     struct ce_pd *pd)
  {
-@@ -552,11 +554,9 @@ static u32 crypto4xx_ablkcipher_done(str
+@@ -548,11 +550,9 @@ static u32 crypto4xx_ablkcipher_done(str
  	if (pd_uinfo->state & PD_ENTRY_BUSY)
  		ablkcipher_request_complete(ablk_req, -EINPROGRESS);
  	ablkcipher_request_complete(ablk_req, 0);
@@ -138,7 +138,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				struct pd_uinfo *pd_uinfo)
  {
  	struct crypto4xx_ctx *ctx;
-@@ -572,20 +572,88 @@ static u32 crypto4xx_ahash_done(struct c
+@@ -568,20 +568,88 @@ static u32 crypto4xx_ahash_done(struct c
  	if (pd_uinfo->state & PD_ENTRY_BUSY)
  		ahash_request_complete(ahash_req, -EINPROGRESS);
  	ahash_request_complete(ahash_req, 0);
@@ -234,7 +234,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static void crypto4xx_stop_all(struct crypto4xx_core_device *core_dev)
-@@ -621,8 +689,10 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -617,8 +685,10 @@ int crypto4xx_build_pd(struct crypto_asy
  		       const unsigned int datalen,
  		       const __le32 *iv, const u32 iv_len,
  		       const struct dynamic_sa_ctl *req_sa,
@@ -246,7 +246,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	struct crypto4xx_device *dev = ctx->dev;
  	struct dynamic_sa_ctl *sa;
  	struct ce_gd *gd;
-@@ -636,18 +706,25 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -632,18 +702,25 @@ int crypto4xx_build_pd(struct crypto_asy
  	unsigned int nbytes = datalen;
  	size_t offset_to_sr_ptr;
  	u32 gd_idx = 0;
@@ -279,7 +279,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	if (sg_is_last(dst)) {
  		num_sd = 0;
  	} else {
-@@ -733,6 +810,7 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -729,6 +806,7 @@ int crypto4xx_build_pd(struct crypto_asy
  	sa = pd_uinfo->sa_va;
  	memcpy(sa, req_sa, sa_len * 4);
  
@@ -287,7 +287,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	offset_to_sr_ptr = get_dynamic_sa_offset_state_ptr_field(sa);
  	*(u32 *)((unsigned long)sa + offset_to_sr_ptr) = pd_uinfo->sr_pa;
  
-@@ -839,7 +917,7 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -835,7 +913,7 @@ int crypto4xx_build_pd(struct crypto_asy
  		((crypto_tfm_alg_type(req->tfm) == CRYPTO_ALG_TYPE_AHASH) |
  		 (crypto_tfm_alg_type(req->tfm) == CRYPTO_ALG_TYPE_AEAD) ?
  			PD_CTL_HASH_FINAL : 0);
@@ -296,7 +296,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	pd_uinfo->state = PD_ENTRY_INUSE | (is_busy ? PD_ENTRY_BUSY : 0);
  
  	wmb();
-@@ -852,40 +930,68 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -848,40 +926,68 @@ int crypto4xx_build_pd(struct crypto_asy
  /**
   * Algorithm Registration Functions
   */
@@ -385,7 +385,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  {
  	struct crypto4xx_alg *alg;
  	int i;
-@@ -900,6 +1006,10 @@ int crypto4xx_register_alg(struct crypto
+@@ -896,6 +1002,10 @@ int crypto4xx_register_alg(struct crypto
  		alg->dev = sec_dev;
  
  		switch (alg->alg.type) {
@@ -396,7 +396,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		case CRYPTO_ALG_TYPE_AHASH:
  			rc = crypto_register_ahash(&alg->alg.u.hash);
  			break;
-@@ -929,6 +1039,10 @@ static void crypto4xx_unregister_alg(str
+@@ -925,6 +1035,10 @@ static void crypto4xx_unregister_alg(str
  			crypto_unregister_ahash(&alg->alg.u.hash);
  			break;
  
@@ -407,7 +407,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		default:
  			crypto_unregister_alg(&alg->alg.u.cipher);
  		}
-@@ -982,7 +1096,7 @@ static irqreturn_t crypto4xx_ce_interrup
+@@ -978,7 +1092,7 @@ static irqreturn_t crypto4xx_ce_interrup
  /**
   * Supported Crypto Algorithms
   */
@@ -416,7 +416,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	/* Crypto AES modes */
  	{ .type = CRYPTO_ALG_TYPE_ABLKCIPHER, .u.cipher = {
  		.cra_name 	= "cbc(aes)",
-@@ -994,8 +1108,8 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -990,8 +1104,8 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_blocksize 	= AES_BLOCK_SIZE,
  		.cra_ctxsize 	= sizeof(struct crypto4xx_ctx),
  		.cra_type 	= &crypto_ablkcipher_type,
@@ -427,7 +427,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.cra_module 	= THIS_MODULE,
  		.cra_u 		= {
  			.ablkcipher = {
-@@ -1018,8 +1132,8 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1014,8 +1128,8 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_blocksize	= AES_BLOCK_SIZE,
  		.cra_ctxsize	= sizeof(struct crypto4xx_ctx),
  		.cra_type	= &crypto_ablkcipher_type,
@@ -438,7 +438,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.cra_module	= THIS_MODULE,
  		.cra_u		= {
  			.ablkcipher = {
-@@ -1042,8 +1156,8 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1038,8 +1152,8 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_blocksize	= AES_BLOCK_SIZE,
  		.cra_ctxsize	= sizeof(struct crypto4xx_ctx),
  		.cra_type	= &crypto_ablkcipher_type,
@@ -449,7 +449,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.cra_module	= THIS_MODULE,
  		.cra_u		= {
  			.ablkcipher = {
-@@ -1068,8 +1182,8 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1064,8 +1178,8 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_blocksize	= AES_BLOCK_SIZE,
  		.cra_ctxsize	= sizeof(struct crypto4xx_ctx),
  		.cra_type	= &crypto_ablkcipher_type,
@@ -460,7 +460,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.cra_module	= THIS_MODULE,
  		.cra_u		= {
  			.ablkcipher = {
-@@ -1091,8 +1205,8 @@ struct crypto4xx_alg_common crypto4xx_al
+@@ -1087,8 +1201,8 @@ struct crypto4xx_alg_common crypto4xx_al
  		.cra_blocksize	= AES_BLOCK_SIZE,
  		.cra_ctxsize	= sizeof(struct crypto4xx_ctx),
  		.cra_type	= &crypto_ablkcipher_type,
@@ -471,7 +471,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.cra_module	= THIS_MODULE,
  		.cra_u		= {
  			.ablkcipher = {
-@@ -1158,6 +1272,7 @@ static int crypto4xx_probe(struct platfo
+@@ -1154,6 +1268,7 @@ static int crypto4xx_probe(struct platfo
  	core_dev->device = dev;
  	spin_lock_init(&core_dev->lock);
  	INIT_LIST_HEAD(&core_dev->dev->alg_list);

target/linux/apm821xx/patches-4.14/020-0024-crypto-crypto4xx-add-aes-ccm-support.patch

@@ -209,7 +209,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
   */
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1219,6 +1219,29 @@ static struct crypto4xx_alg_common crypt
+@@ -1215,6 +1215,29 @@ static struct crypto4xx_alg_common crypt
  			}
  		}
  	} },

target/linux/apm821xx/patches-4.14/020-0025-crypto-crypto4xx-add-aes-gcm-support.patch

@@ -178,7 +178,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include <crypto/sha.h>
  #include <crypto/scatterwalk.h>
  #include <crypto/internal/aead.h>
-@@ -1236,6 +1237,27 @@ static struct crypto4xx_alg_common crypt
+@@ -1232,6 +1233,27 @@ static struct crypto4xx_alg_common crypt
  			.cra_priority	= CRYPTO4XX_CRYPTO_PRIORITY,
  			.cra_flags	= CRYPTO_ALG_ASYNC |
  					  CRYPTO_ALG_NEED_FALLBACK |

target/linux/apm821xx/patches-4.14/021-0001-crypto-crypto4xx-shuffle-iomap-in-front-of-request_i.patch

@@ -17,7 +17,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1084,9 +1084,6 @@ static irqreturn_t crypto4xx_ce_interrup
+@@ -1080,9 +1080,6 @@ static irqreturn_t crypto4xx_ce_interrup
  	struct device *dev = (struct device *)data;
  	struct crypto4xx_core_device *core_dev = dev_get_drvdata(dev);
  
@@ -27,7 +27,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	writel(PPC4XX_INTERRUPT_CLR,
  	       core_dev->dev->ce_base + CRYPTO4XX_INT_CLR);
  	tasklet_schedule(&core_dev->tasklet);
-@@ -1334,13 +1331,6 @@ static int crypto4xx_probe(struct platfo
+@@ -1330,13 +1327,6 @@ static int crypto4xx_probe(struct platfo
  	tasklet_init(&core_dev->tasklet, crypto4xx_bh_tasklet_cb,
  		     (unsigned long) dev);
  
@@ -41,7 +41,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	core_dev->dev->ce_base = of_iomap(ofdev->dev.of_node, 0);
  	if (!core_dev->dev->ce_base) {
  		dev_err(dev, "failed to of_iomap\n");
-@@ -1348,6 +1338,13 @@ static int crypto4xx_probe(struct platfo
+@@ -1344,6 +1334,13 @@ static int crypto4xx_probe(struct platfo
  		goto err_iomap;
  	}
  
@@ -55,7 +55,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	/* need to setup pdr, rdr, gdr and sdr before this */
  	crypto4xx_hw_init(core_dev->dev);
  
-@@ -1361,11 +1358,11 @@ static int crypto4xx_probe(struct platfo
+@@ -1357,11 +1354,11 @@ static int crypto4xx_probe(struct platfo
  	return 0;
  
  err_start_dev:

target/linux/apm821xx/patches-4.14/021-0002-crypto-crypto4xx-support-Revision-B-parts.patch

@@ -35,7 +35,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  }
  
  int crypto4xx_alloc_sa(struct crypto4xx_ctx *ctx, u32 size)
-@@ -1079,18 +1086,29 @@ static void crypto4xx_bh_tasklet_cb(unsi
+@@ -1075,18 +1082,29 @@ static void crypto4xx_bh_tasklet_cb(unsi
  /**
   * Top Half of isr.
   */
@@ -68,7 +68,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  /**
   * Supported Crypto Algorithms
   */
-@@ -1272,6 +1290,8 @@ static int crypto4xx_probe(struct platfo
+@@ -1268,6 +1286,8 @@ static int crypto4xx_probe(struct platfo
  	struct resource res;
  	struct device *dev = &ofdev->dev;
  	struct crypto4xx_core_device *core_dev;
@@ -77,7 +77,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  
  	rc = of_address_to_resource(ofdev->dev.of_node, 0, &res);
  	if (rc)
-@@ -1288,6 +1308,7 @@ static int crypto4xx_probe(struct platfo
+@@ -1284,6 +1304,7 @@ static int crypto4xx_probe(struct platfo
  		       mfdcri(SDR0, PPC405EX_SDR0_SRST) | PPC405EX_CE_RESET);
  		mtdcri(SDR0, PPC405EX_SDR0_SRST,
  		       mfdcri(SDR0, PPC405EX_SDR0_SRST) & ~PPC405EX_CE_RESET);
@@ -85,7 +85,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	} else if (of_find_compatible_node(NULL, NULL,
  			"amcc,ppc460sx-crypto")) {
  		mtdcri(SDR0, PPC460SX_SDR0_SRST,
-@@ -1310,7 +1331,22 @@ static int crypto4xx_probe(struct platfo
+@@ -1306,7 +1327,22 @@ static int crypto4xx_probe(struct platfo
  	if (!core_dev->dev)
  		goto err_alloc_dev;
  
@@ -108,7 +108,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	core_dev->device = dev;
  	spin_lock_init(&core_dev->lock);
  	INIT_LIST_HEAD(&core_dev->dev->alg_list);
-@@ -1340,7 +1376,9 @@ static int crypto4xx_probe(struct platfo
+@@ -1336,7 +1372,9 @@ static int crypto4xx_probe(struct platfo
  
  	/* Register for Crypto isr, Crypto Engine IRQ */
  	core_dev->irq = irq_of_parse_and_map(ofdev->dev.of_node, 0);

target/linux/apm821xx/patches-4.14/021-0003-crypto-crypto4xx-fix-missing-irq-devname.patch

@@ -16,7 +16,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1379,7 +1379,7 @@ static int crypto4xx_probe(struct platfo
+@@ -1375,7 +1375,7 @@ static int crypto4xx_probe(struct platfo
  	rc = request_irq(core_dev->irq, is_revb ?
  			 crypto4xx_ce_interrupt_handler_revb :
  			 crypto4xx_ce_interrupt_handler, 0,

target/linux/apm821xx/patches-4.14/021-0004-crypto-crypto4xx-kill-MODULE_NAME.patch

@@ -14,7 +14,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1441,7 +1441,7 @@ MODULE_DEVICE_TABLE(of, crypto4xx_match)
+@@ -1437,7 +1437,7 @@ MODULE_DEVICE_TABLE(of, crypto4xx_match)
  
  static struct platform_driver crypto4xx_driver = {
  	.driver = {

target/linux/apm821xx/patches-4.14/021-0005-crypto-crypto4xx-perform-aead-icv-check-in-the-drive.patch

@@ -62,7 +62,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  				 SA_CIPHER_ALG_AES,
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -586,15 +586,14 @@ static void crypto4xx_aead_done(struct c
+@@ -582,15 +582,14 @@ static void crypto4xx_aead_done(struct c
  				struct pd_uinfo *pd_uinfo,
  				struct ce_pd *pd)
  {
@@ -83,7 +83,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  	if (pd_uinfo->using_sd) {
  		crypto4xx_copy_pkt_to_dst(dev, pd, pd_uinfo,
  					  pd->pd_ctl_len.bf.pkt_len,
-@@ -606,38 +605,39 @@ static void crypto4xx_aead_done(struct c
+@@ -602,38 +601,39 @@ static void crypto4xx_aead_done(struct c
  
  	if (pd_uinfo->sa_va->sa_command_0.bf.dir == DIR_OUTBOUND) {
  		/* append icv at the end */

target/linux/apm821xx/patches-4.14/022-0002-crypto-crypto4xx-performance-optimizations.patch

@@ -71,7 +71,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  /**
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -589,7 +589,7 @@ static void crypto4xx_aead_done(struct c
+@@ -585,7 +585,7 @@ static void crypto4xx_aead_done(struct c
  	struct scatterlist *dst = pd_uinfo->dest_va;
  	size_t cp_len = crypto_aead_authsize(
  		crypto_aead_reqtfm(aead_req));
@@ -80,7 +80,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	int err = 0;
  
  	if (pd_uinfo->using_sd) {
-@@ -604,7 +604,7 @@ static void crypto4xx_aead_done(struct c
+@@ -600,7 +600,7 @@ static void crypto4xx_aead_done(struct c
  	if (pd_uinfo->sa_va->sa_command_0.bf.dir == DIR_OUTBOUND) {
  		/* append icv at the end */
  		crypto4xx_memcpy_from_le32(icv, pd_uinfo->sr_va->save_digest,
@@ -89,7 +89,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  		scatterwalk_map_and_copy(icv, dst, aead_req->cryptlen,
  					 cp_len, 1);
-@@ -614,7 +614,7 @@ static void crypto4xx_aead_done(struct c
+@@ -610,7 +610,7 @@ static void crypto4xx_aead_done(struct c
  			aead_req->assoclen + aead_req->cryptlen -
  			cp_len, cp_len, 0);
  
@@ -98,7 +98,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
  		if (crypto_memneq(icv, pd_uinfo->sr_va->save_digest, cp_len))
  			err = -EBADMSG;
-@@ -1131,8 +1131,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1127,8 +1127,8 @@ static struct crypto4xx_alg_common crypt
  				.max_keysize 	= AES_MAX_KEY_SIZE,
  				.ivsize		= AES_IV_SIZE,
  				.setkey 	= crypto4xx_setkey_aes_cbc,
@@ -109,7 +109,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			}
  		}
  	}},
-@@ -1155,8 +1155,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1151,8 +1151,8 @@ static struct crypto4xx_alg_common crypt
  				.max_keysize	= AES_MAX_KEY_SIZE,
  				.ivsize		= AES_IV_SIZE,
  				.setkey		= crypto4xx_setkey_aes_cfb,
@@ -120,7 +120,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			}
  		}
  	} },
-@@ -1204,8 +1204,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1200,8 +1200,8 @@ static struct crypto4xx_alg_common crypt
  				.min_keysize	= AES_MIN_KEY_SIZE,
  				.max_keysize	= AES_MAX_KEY_SIZE,
  				.setkey		= crypto4xx_setkey_aes_ecb,
@@ -131,7 +131,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			}
  		}
  	} },
-@@ -1228,8 +1228,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1224,8 +1224,8 @@ static struct crypto4xx_alg_common crypt
  				.max_keysize	= AES_MAX_KEY_SIZE,
  				.ivsize		= AES_IV_SIZE,
  				.setkey		= crypto4xx_setkey_aes_ofb,

target/linux/apm821xx/patches-4.14/022-0003-crypto-crypto4xx-convert-to-skcipher.patch

@@ -196,7 +196,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include <crypto/internal/aead.h>
  #include <crypto/internal/skcipher.h>
  #include "crypto4xx_reg_def.h"
-@@ -526,21 +527,19 @@ static void crypto4xx_ret_sg_desc(struct
+@@ -522,21 +523,19 @@ static void crypto4xx_ret_sg_desc(struct
  	}
  }
  
@@ -223,7 +223,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	} else {
  		dst = pd_uinfo->dest_va;
  		addr = dma_map_page(dev->core_dev->device, sg_page(dst),
-@@ -558,8 +557,8 @@ static void crypto4xx_ablkcipher_done(st
+@@ -554,8 +553,8 @@ static void crypto4xx_ablkcipher_done(st
  	crypto4xx_ret_sg_desc(dev, pd_uinfo);
  
  	if (pd_uinfo->state & PD_ENTRY_BUSY)
@@ -234,7 +234,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static void crypto4xx_ahash_done(struct crypto4xx_device *dev,
-@@ -650,8 +649,8 @@ static void crypto4xx_pd_done(struct cry
+@@ -646,8 +645,8 @@ static void crypto4xx_pd_done(struct cry
  	struct pd_uinfo *pd_uinfo = &dev->pdr_uinfo[idx];
  
  	switch (crypto_tfm_alg_type(pd_uinfo->async_req->tfm)) {
@@ -245,7 +245,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		break;
  	case CRYPTO_ALG_TYPE_AEAD:
  		crypto4xx_aead_done(dev, pd_uinfo, pd);
-@@ -945,15 +944,14 @@ static void crypto4xx_ctx_init(struct cr
+@@ -941,15 +940,14 @@ static void crypto4xx_ctx_init(struct cr
  	ctx->sa_len = 0;
  }
  
@@ -264,7 +264,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	return 0;
  }
  
-@@ -962,9 +960,11 @@ static void crypto4xx_common_exit(struct
+@@ -958,9 +956,11 @@ static void crypto4xx_common_exit(struct
  	crypto4xx_free_sa(ctx);
  }
  
@@ -278,7 +278,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static int crypto4xx_aead_init(struct crypto_aead *tfm)
-@@ -1021,7 +1021,7 @@ static int crypto4xx_register_alg(struct
+@@ -1017,7 +1017,7 @@ static int crypto4xx_register_alg(struct
  			break;
  
  		default:
@@ -287,7 +287,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			break;
  		}
  
-@@ -1050,7 +1050,7 @@ static void crypto4xx_unregister_alg(str
+@@ -1046,7 +1046,7 @@ static void crypto4xx_unregister_alg(str
  			break;
  
  		default:
@@ -296,7 +296,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		}
  		kfree(alg);
  	}
-@@ -1112,126 +1112,109 @@ static irqreturn_t crypto4xx_ce_interrup
+@@ -1108,126 +1108,109 @@ static irqreturn_t crypto4xx_ce_interrup
   */
  static struct crypto4xx_alg_common crypto4xx_alg[] = {
  	/* Crypto AES modes */

target/linux/apm821xx/patches-4.14/022-0005-crypto-crypto4xx-add-aes-ctr-support.patch

@@ -160,7 +160,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -950,6 +950,19 @@ static int crypto4xx_sk_init(struct cryp
+@@ -946,6 +946,19 @@ static int crypto4xx_sk_init(struct cryp
  	struct crypto4xx_alg *amcc_alg;
  	struct crypto4xx_ctx *ctx =  crypto_skcipher_ctx(sk);
  
@@ -180,7 +180,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	amcc_alg = container_of(alg, struct crypto4xx_alg, alg.u.cipher);
  	crypto4xx_ctx_init(amcc_alg, ctx);
  	return 0;
-@@ -965,6 +978,8 @@ static void crypto4xx_sk_exit(struct cry
+@@ -961,6 +974,8 @@ static void crypto4xx_sk_exit(struct cry
  	struct crypto4xx_ctx *ctx =  crypto_skcipher_ctx(sk);
  
  	crypto4xx_common_exit(ctx);
@@ -189,7 +189,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  }
  
  static int crypto4xx_aead_init(struct crypto_aead *tfm)
-@@ -1154,6 +1169,28 @@ static struct crypto4xx_alg_common crypt
+@@ -1150,6 +1165,28 @@ static struct crypto4xx_alg_common crypt
  		.init = crypto4xx_sk_init,
  		.exit = crypto4xx_sk_exit,
  	} },

target/linux/apm821xx/patches-4.14/022-0008-crypto-crypto4xx-put-temporary-dst-sg-into-request-c.patch

@@ -107,7 +107,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  /**
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -695,9 +695,9 @@ int crypto4xx_build_pd(struct crypto_asy
+@@ -691,9 +691,9 @@ int crypto4xx_build_pd(struct crypto_asy
  		       const __le32 *iv, const u32 iv_len,
  		       const struct dynamic_sa_ctl *req_sa,
  		       const unsigned int sa_len,
@@ -119,7 +119,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	struct crypto4xx_device *dev = ctx->dev;
  	struct dynamic_sa_ctl *sa;
  	struct ce_gd *gd;
-@@ -996,9 +996,9 @@ static int crypto4xx_aead_init(struct cr
+@@ -992,9 +992,9 @@ static int crypto4xx_aead_init(struct cr
  
  	amcc_alg = container_of(alg, struct crypto4xx_alg, alg.u.aead);
  	crypto4xx_ctx_init(amcc_alg, ctx);

target/linux/apm821xx/patches-4.14/023-0002-crypto-skcipher-remove-useless-setting-of-type-flags.patch

@@ -22,7 +22,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1132,8 +1132,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1128,8 +1128,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "cbc(aes)",
  			.cra_driver_name = "cbc-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
@@ -32,7 +32,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
  			.cra_blocksize = AES_BLOCK_SIZE,
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
-@@ -1153,8 +1152,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1149,8 +1148,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "cfb(aes)",
  			.cra_driver_name = "cfb-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
@@ -42,7 +42,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
  			.cra_blocksize = AES_BLOCK_SIZE,
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
-@@ -1174,8 +1172,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1170,8 +1168,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "ctr(aes)",
  			.cra_driver_name = "ctr-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
@@ -52,7 +52,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				CRYPTO_ALG_ASYNC |
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
  			.cra_blocksize = AES_BLOCK_SIZE,
-@@ -1196,8 +1193,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1192,8 +1189,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "rfc3686(ctr(aes))",
  			.cra_driver_name = "rfc3686-ctr-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
@@ -62,7 +62,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
  			.cra_blocksize = AES_BLOCK_SIZE,
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
-@@ -1217,8 +1213,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1213,8 +1209,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "ecb(aes)",
  			.cra_driver_name = "ecb-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
@@ -72,7 +72,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
  			.cra_blocksize = AES_BLOCK_SIZE,
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
-@@ -1237,8 +1232,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1233,8 +1228,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_name = "ofb(aes)",
  			.cra_driver_name = "ofb-aes-ppc4xx",
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,

target/linux/apm821xx/patches-4.14/023-0004-crypto4xx_core-don-t-abuse-__dma_sync_page.patch

@@ -19,7 +19,7 @@ Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -596,7 +596,7 @@ static void crypto4xx_aead_done(struct c
+@@ -592,7 +592,7 @@ static void crypto4xx_aead_done(struct c
  					  pd->pd_ctl_len.bf.pkt_len,
  					  dst);
  	} else {

target/linux/apm821xx/patches-4.14/023-0006-crypto-crypto4xx-add-prng-crypto-support.patch

@@ -31,7 +31,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  #include <crypto/internal/skcipher.h>
  #include "crypto4xx_reg_def.h"
  #include "crypto4xx_core.h"
-@@ -1035,6 +1037,10 @@ static int crypto4xx_register_alg(struct
+@@ -1031,6 +1033,10 @@ static int crypto4xx_register_alg(struct
  			rc = crypto_register_ahash(&alg->alg.u.hash);
  			break;
  
@@ -42,7 +42,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		default:
  			rc = crypto_register_skcipher(&alg->alg.u.cipher);
  			break;
-@@ -1064,6 +1070,10 @@ static void crypto4xx_unregister_alg(str
+@@ -1060,6 +1066,10 @@ static void crypto4xx_unregister_alg(str
  			crypto_unregister_aead(&alg->alg.u.aead);
  			break;
  
@@ -53,7 +53,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		default:
  			crypto_unregister_skcipher(&alg->alg.u.cipher);
  		}
-@@ -1122,6 +1132,69 @@ static irqreturn_t crypto4xx_ce_interrup
+@@ -1118,6 +1128,69 @@ static irqreturn_t crypto4xx_ce_interrup
  		PPC4XX_TMO_ERR_INT);
  }
  
@@ -123,7 +123,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  /**
   * Supported Crypto Algorithms
   */
-@@ -1291,6 +1364,18 @@ static struct crypto4xx_alg_common crypt
+@@ -1287,6 +1360,18 @@ static struct crypto4xx_alg_common crypt
  			.cra_module	= THIS_MODULE,
  		},
  	} },
@@ -142,7 +142,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  };
  
  /**
-@@ -1360,6 +1445,7 @@ static int crypto4xx_probe(struct platfo
+@@ -1356,6 +1441,7 @@ static int crypto4xx_probe(struct platfo
  	core_dev->dev->core_dev = core_dev;
  	core_dev->dev->is_revb = is_revb;
  	core_dev->device = dev;
@@ -150,7 +150,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  	spin_lock_init(&core_dev->lock);
  	INIT_LIST_HEAD(&core_dev->dev->alg_list);
  	ratelimit_default_init(&core_dev->dev->aead_ratelimit);
-@@ -1439,6 +1525,7 @@ static int crypto4xx_remove(struct platf
+@@ -1435,6 +1521,7 @@ static int crypto4xx_remove(struct platf
  	tasklet_kill(&core_dev->tasklet);
  	/* Un-register with Linux CryptoAPI */
  	crypto4xx_unregister_alg(core_dev->dev);

target/linux/apm821xx/patches-4.14/023-0007-crypto-crypto4xx-Fix-wrong-ppc4xx_trng_probe-ppc4xx_.patch

@@ -1,39 +0,0 @@
-From 6e88098ca43a3d80ae86908f7badba683c8a0d84 Mon Sep 17 00:00:00 2001
-From: Corentin Labbe <clabbe@baylibre.com>
-Date: Wed, 23 Jan 2019 11:24:18 +0000
-Subject: [PATCH 07/15] crypto: crypto4xx - Fix wrong
- ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
-
-When building without CONFIG_HW_RANDOM_PPC4XX, I hit the following build failure:
-drivers/crypto/amcc/crypto4xx_core.c: In function 'crypto4xx_probe':
-drivers/crypto/amcc/crypto4xx_core.c:1407:20: error: passing argument 1 of 'ppc4xx_trng_probe' from incompatible pointer type [-Werror=incompatible-pointer-types]
-In file included from drivers/crypto/amcc/crypto4xx_core.c:50:0:
-drivers/crypto/amcc/crypto4xx_trng.h:28:20: note: expected 'struct crypto4xx_device *' but argument is of type 'struct crypto4xx_core_device *'
-drivers/crypto/amcc/crypto4xx_core.c: In function 'crypto4xx_remove':
-drivers/crypto/amcc/crypto4xx_core.c:1434:21: error: passing argument 1 of 'ppc4xx_trng_remove' from incompatible pointer type [-Werror=incompatible-pointer-types]
-In file included from drivers/crypto/amcc/crypto4xx_core.c:50:0:
-drivers/crypto/amcc/crypto4xx_trng.h:30:20: note: expected 'struct crypto4xx_device *' but argument is of type 'struct crypto4xx_core_device *'
-
-This patch fix the needed argument of ppc4xx_trng_probe()/ppc4xx_trng_remove() in that case.
-
-Fixes: 5343e674f32f ("crypto4xx: integrate ppc4xx-rng into crypto4xx")
-Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
----
- drivers/crypto/amcc/crypto4xx_trng.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/crypto/amcc/crypto4xx_trng.h
-+++ b/drivers/crypto/amcc/crypto4xx_trng.h
-@@ -26,9 +26,9 @@ void ppc4xx_trng_probe(struct crypto4xx_
- void ppc4xx_trng_remove(struct crypto4xx_core_device *core_dev);
- #else
- static inline void ppc4xx_trng_probe(
--	struct crypto4xx_device *dev __maybe_unused) { }
-+	struct crypto4xx_core_device *dev __maybe_unused) { }
- static inline void ppc4xx_trng_remove(
--	struct crypto4xx_device *dev __maybe_unused) { }
-+	struct crypto4xx_core_device *dev __maybe_unused) { }
- #endif
- 
- #endif

target/linux/apm821xx/patches-4.14/023-0013-crypto-crypto4xx-fix-AES-CTR-blocksize-value.patch

@@ -40,7 +40,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1248,7 +1248,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1244,7 +1244,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_flags = CRYPTO_ALG_NEED_FALLBACK |
  				CRYPTO_ALG_ASYNC |
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
@@ -49,7 +49,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
  			.cra_module = THIS_MODULE,
  		},
-@@ -1268,7 +1268,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1264,7 +1264,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
  			.cra_flags = CRYPTO_ALG_ASYNC |
  				CRYPTO_ALG_KERN_DRIVER_ONLY,

target/linux/apm821xx/patches-4.14/023-0014-crypto-crypto4xx-fix-blocksize-for-cfb-and-ofb.patch

@@ -24,7 +24,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1227,7 +1227,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1223,7 +1223,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
  			.cra_flags = CRYPTO_ALG_ASYNC |
  				CRYPTO_ALG_KERN_DRIVER_ONLY,
@@ -33,7 +33,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  			.cra_ctxsize = sizeof(struct crypto4xx_ctx),
  			.cra_module = THIS_MODULE,
  		},
-@@ -1307,7 +1307,7 @@ static struct crypto4xx_alg_common crypt
+@@ -1303,7 +1303,7 @@ static struct crypto4xx_alg_common crypt
  			.cra_priority = CRYPTO4XX_CRYPTO_PRIORITY,
  			.cra_flags = CRYPTO_ALG_ASYNC |
  				CRYPTO_ALG_KERN_DRIVER_ONLY,

target/linux/apm821xx/patches-4.14/023-0015-crypto-crypto4xx-block-ciphers-should-only-accept-co.patch

@@ -107,7 +107,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  static int crypto4xx_sk_setup_fallback(struct crypto4xx_ctx *ctx,
 --- a/drivers/crypto/amcc/crypto4xx_core.c
 +++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -1215,8 +1215,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1211,8 +1211,8 @@ static struct crypto4xx_alg_common crypt
  		.max_keysize = AES_MAX_KEY_SIZE,
  		.ivsize	= AES_IV_SIZE,
  		.setkey = crypto4xx_setkey_aes_cbc,
@@ -118,7 +118,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.init = crypto4xx_sk_init,
  		.exit = crypto4xx_sk_exit,
  	} },
-@@ -1235,8 +1235,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1231,8 +1231,8 @@ static struct crypto4xx_alg_common crypt
  		.max_keysize = AES_MAX_KEY_SIZE,
  		.ivsize	= AES_IV_SIZE,
  		.setkey	= crypto4xx_setkey_aes_cfb,
@@ -129,7 +129,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.init = crypto4xx_sk_init,
  		.exit = crypto4xx_sk_exit,
  	} },
-@@ -1295,8 +1295,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1291,8 +1291,8 @@ static struct crypto4xx_alg_common crypt
  		.min_keysize = AES_MIN_KEY_SIZE,
  		.max_keysize = AES_MAX_KEY_SIZE,
  		.setkey	= crypto4xx_setkey_aes_ecb,
@@ -140,7 +140,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  		.init = crypto4xx_sk_init,
  		.exit = crypto4xx_sk_exit,
  	} },
-@@ -1315,8 +1315,8 @@ static struct crypto4xx_alg_common crypt
+@@ -1311,8 +1311,8 @@ static struct crypto4xx_alg_common crypt
  		.max_keysize = AES_MAX_KEY_SIZE,
  		.ivsize	= AES_IV_SIZE,
  		.setkey	= crypto4xx_setkey_aes_ofb,

target/linux/apm821xx/patches-4.14/302-dw-dma-hprot-fix-and-equal-priortiy.patch

@@ -1,15 +1,15 @@
 --- a/drivers/dma/dw/core.c
 +++ b/drivers/dma/dw/core.c
-@@ -167,6 +167,8 @@ static void dwc_initialize_chan_dw(struc
- 	cfghi |= DWC_CFGH_DST_PER(dwc->dws.dst_id);
+@@ -169,6 +169,8 @@ static void dwc_initialize_chan_dw(struc
  	cfghi |= DWC_CFGH_SRC_PER(dwc->dws.src_id);
+ 	cfghi |= DWC_CFGH_PROTCTL(dw->pdata->protctl);
  
 +	cfghi |= DWC_CFGH_PROTCTL(3); /* bufferable + privileged access */
 +
  	/* Set polarity of handshake interface */
  	cfglo |= hs_polarity ? DWC_CFGL_HS_DST_POL | DWC_CFGL_HS_SRC_POL : 0;
  
-@@ -1293,11 +1295,8 @@ int dw_dma_probe(struct dw_dma_chip *chi
+@@ -1295,11 +1297,8 @@ int dw_dma_probe(struct dw_dma_chip *chi
  		else
  			list_add(&dwc->chan.device_node, &dw->dma.channels);
  

target/linux/ar7/patches-4.9/300-add-ac49x-platform.patch

@@ -46,7 +46,7 @@
  
  config ATH25
  	bool "Atheros AR231x/AR531x SoC support"
-@@ -1006,6 +1006,7 @@ config MIPS_PARAVIRT
+@@ -1007,6 +1007,7 @@ config MIPS_PARAVIRT
  endchoice
  
  source "arch/mips/alchemy/Kconfig"

target/linux/ar71xx/base-files/etc/board.d/01_leds

@@ -124,8 +124,8 @@ archer-c5|\
 archer-c7)
 	ucidef_set_led_usbdev "usb1" "USB1" "tp-link:green:usb1" "1-1"
 	ucidef_set_led_usbdev "usb2" "USB2" "tp-link:green:usb2" "2-1"
-	ucidef_set_led_wlan "wlan2g" "WLAN2G" "tp-link:blue:wlan2g" "phy1tpt"
-	ucidef_set_led_wlan "wlan5g" "WLAN5G" "tp-link:blue:wlan5g" "phy0tpt"
+	ucidef_set_led_wlan "wlan2g" "WLAN2G" "tp-link:green:wlan2g" "phy1tpt"
+	ucidef_set_led_wlan "wlan5g" "WLAN5G" "tp-link:green:wlan5g" "phy0tpt"
 	;;
 archer-c58-v1|\
 archer-c59-v1|\

target/linux/ar71xx/base-files/etc/board.d/02_network

@@ -605,6 +605,10 @@ ar71xx_setup_macs()
 	fritz300e)
 		lan_mac=$(fritz_tffs -n maca -i $(find_mtd_part "tffs (1)"))
 		;;
+	tl-wdr4300)
+		base_mac=$(mtd_get_mac_binary u-boot 0x1fc00)
+		wan_mac=$(macaddr_add "$base_mac" 1)
+		;;
 	tl-wr1043n-v5|\
 	tl-wr1043nd-v4)
 		lan_mac=$(mtd_get_mac_binary product-info 8)

target/linux/ar71xx/base-files/etc/diag.sh

@@ -83,8 +83,6 @@ get_status_led() {
 	tl-wr902ac-v1)
 		status_led="$board:green:power"
 		;;
-	archer-c5|\
-	archer-c7|\
 	tl-mr10u|\
 	tl-mr12u|\
 	tl-mr13u|\
@@ -444,6 +442,8 @@ get_status_led() {
 	tl-mr6400)
 		status_led="tp-link:white:power"
 		;;
+	archer-c5|\
+	archer-c7|\
 	tl-mr3220|\
 	tl-mr3220-v2|\
 	tl-mr3420|\

target/linux/ar71xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata

@@ -141,7 +141,7 @@ case "$FIRMWARE" in
 	archer-c5|\
 	archer-c7)
 		ath10kcal_extract "art" 20480 2116
-		ath10kcal_patch_mac $(macaddr_add $(cat /sys/class/net/eth1/address) -2)
+		ath10kcal_patch_mac $(macaddr_add $(cat /sys/class/net/eth1/address) -1)
 		;;
 	nbg6616|\
 	nbg6716)

target/linux/ar71xx/base-files/lib/ar71xx.sh

@@ -393,6 +393,152 @@ tplink_pharos_v2_get_model_string() {
 	dd if=$part bs=1 skip=4360 count=64 2>/dev/null | tr -d '\r\0' | head -n 1
 }
 
+mikrotik_board_detect() {
+	local machine="$1"
+
+	case "$machine" in
+	*"2011iL")
+		name="rb-2011il"
+		;;
+	*"2011iLS")
+		name="rb-2011ils"
+		;;
+	*"2011L")
+		name="rb-2011l"
+		;;
+	*"2011UAS")
+		name="rb-2011uas"
+		;;
+	*"2011UAS-2HnD")
+		name="rb-2011uas-2hnd"
+		;;
+	*"2011UiAS")
+		name="rb-2011uias"
+		;;
+	*"2011UiAS-2HnD")
+		name="rb-2011uias-2hnd"
+		;;
+	*"411/A/AH")
+		name="rb-411"
+		;;
+	*"411U")
+		name="rb-411u"
+		;;
+	*"433/AH")
+		name="rb-433"
+		;;
+	*"433UAH")
+		name="rb-433u"
+		;;
+	*"435G")
+		name="rb-435g"
+		;;
+	*"450")
+		name="rb-450"
+		;;
+	*"450G")
+		name="rb-450g"
+		;;
+	*"493/AH")
+		name="rb-493"
+		;;
+	*"493G")
+		name="rb-493g"
+		;;
+	*"750")
+		name="rb-750"
+		;;
+	*"750 r2"|\
+	*"750r2")
+		name="rb-750-r2"
+		;;
+	*"750GL")
+		name="rb-750gl"
+		;;
+	*"750P r2")
+		name="rb-750p-pbr2"
+		;;
+	*"750UP r2"|\
+	*"750UPr2")
+		name="rb-750up-r2"
+		;;
+	*"751")
+		name="rb-751"
+		;;
+	*"751G")
+		name="rb-751g"
+		;;
+	*"911-2Hn")
+		name="rb-911-2hn"
+		;;
+	*"911-5Hn")
+		name="rb-911-5hn"
+		;;
+	*"911G-2HPnD")
+		name="rb-911g-2hpnd"
+		;;
+	*"911G-5HPacD")
+		name="rb-911g-5hpacd"
+		;;
+	*"911G-5HPnD")
+		name="rb-911g-5hpnd"
+		;;
+	*"912UAG-2HPnD")
+		name="rb-912uag-2hpnd"
+		;;
+	*"912UAG-5HPnD")
+		name="rb-912uag-5hpnd"
+		;;
+	*"921GS-5HPacD r2")
+		name="rb-921gs-5hpacd-r2"
+		;;
+	*"941-2nD")
+		name="rb-941-2nd"
+		;;
+	*"951G-2HnD")
+		name="rb-951g-2hnd"
+		;;
+	*"951Ui-2HnD")
+		name="rb-951ui-2hnd"
+		;;
+	*"951Ui-2nD")
+		name="rb-951ui-2nd"
+		;;
+	*"952Ui-5ac2nD")
+		name="rb-952ui-5ac2nd"
+		;;
+	*"962UiGS-5HacT2HnT")
+		name="rb-962uigs-5hact2hnt"
+		;;
+	*"LHG 5nD")
+		name="rb-lhg-5nd"
+		;;
+	*"mAP 2nD"|\
+	*"mAP2nD")
+		name="rb-map-2nd"
+		;;
+	*"mAP L-2nD"|\
+	*"mAPL-2nD")
+		name="rb-mapl-2nd"
+		;;
+	*"SXT Lite2")
+		name="rb-sxt2n"
+		;;
+	*"SXT Lite5")
+		name="rb-sxt5n"
+		;;
+	*"wAP 2nD r2")
+		name="rb-wap-2nd"
+		;;
+	*"wAP G-5HacT2HnD"|\
+	*"wAPG-5HacT2HnD")
+		name="rb-wapg-5hact2hnd"
+		;;
+	esac
+
+	echo "$name"
+}
+
 ar71xx_board_detect() {
 	local machine
 	local name
@@ -819,6 +965,10 @@ ar71xx_board_detect() {
 	*"MAC1200R")
 		name="mc-mac1200r"
 		;;
+	"MikroTik"*|\
+	"Mikrotik"*)
+		name=$(mikrotik_board_detect "$machine")
+		;;
 	*"MiniBox V1.0")
 		name="minibox-v1"
 		;;
@@ -980,138 +1130,6 @@ ar71xx_board_detect() {
 	*"Rocket M XW")
 		name="rocket-m-xw"
 		;;
-	*"RouterBOARD 2011iL")
-		name="rb-2011il"
-		;;
-	*"RouterBOARD 2011iLS")
-		name="rb-2011ils"
-		;;
-	*"RouterBOARD 2011L")
-		name="rb-2011l"
-		;;
-	*"RouterBOARD 2011UAS")
-		name="rb-2011uas"
-		;;
-	*"RouterBOARD 2011UAS-2HnD")
-		name="rb-2011uas-2hnd"
-		;;
-	*"RouterBOARD 2011UiAS")
-		name="rb-2011uias"
-		;;
-	*"RouterBOARD 2011UiAS-2HnD")
-		name="rb-2011uias-2hnd"
-		;;
-	*"RouterBOARD 411/A/AH")
-		name="rb-411"
-		;;
-	*"RouterBOARD 411U")
-		name="rb-411u"
-		;;
-	*"RouterBOARD 433/AH")
-		name="rb-433"
-		;;
-	*"RouterBOARD 433UAH")
-		name="rb-433u"
-		;;
-	*"RouterBOARD 435G")
-		name="rb-435g"
-		;;
-	*"RouterBOARD 450")
-		name="rb-450"
-		;;
-	*"RouterBOARD 450G")
-		name="rb-450g"
-		;;
-	*"RouterBOARD 493/AH")
-		name="rb-493"
-		;;
-	*"RouterBOARD 493G")
-		name="rb-493g"
-		;;
-	*"RouterBOARD 750")
-		name="rb-750"
-		;;
-	*"RouterBOARD 750 r2")
-		name="rb-750-r2"
-		;;
-	*"RouterBOARD 750GL")
-		name="rb-750gl"
-		;;
-	*"RouterBOARD 750P r2")
-		name="rb-750p-pbr2"
-		;;
-	*"RouterBOARD 750UP r2")
-		name="rb-750up-r2"
-		;;
-	*"RouterBOARD 751")
-		name="rb-751"
-		;;
-	*"RouterBOARD 751G")
-		name="rb-751g"
-		;;
-	*"RouterBOARD 911-2Hn")
-		name="rb-911-2hn"
-		;;
-	*"RouterBOARD 911-5Hn")
-		name="rb-911-5hn"
-		;;
-	*"RouterBOARD 911G-2HPnD")
-		name="rb-911g-2hpnd"
-		;;
-	*"RouterBOARD 911G-5HPacD")
-		name="rb-911g-5hpacd"
-		;;
-	*"RouterBOARD 911G-5HPnD")
-		name="rb-911g-5hpnd"
-		;;
-	*"RouterBOARD 912UAG-2HPnD")
-		name="rb-912uag-2hpnd"
-		;;
-	*"RouterBOARD 912UAG-5HPnD")
-		name="rb-912uag-5hpnd"
-		;;
-	*"RouterBOARD 921GS-5HPacD r2")
-		name="rb-921gs-5hpacd-r2"
-		;;
-	*"RouterBOARD 941-2nD")
-		name="rb-941-2nd"
-		;;
-	*"RouterBOARD 951G-2HnD")
-		name="rb-951g-2hnd"
-		;;
-	*"RouterBOARD 951Ui-2HnD")
-		name="rb-951ui-2hnd"
-		;;
-	*"RouterBOARD 951Ui-2nD")
-		name="rb-951ui-2nd"
-		;;
-	*"RouterBOARD 952Ui-5ac2nD")
-		name="rb-952ui-5ac2nd"
-		;;
-	*"RouterBOARD 962UiGS-5HacT2HnT")
-		name="rb-962uigs-5hact2hnt"
-		;;
-	*"RouterBOARD LHG 5nD")
-		name="rb-lhg-5nd"
-		;;
-	*"RouterBOARD mAP 2nD")
-		name="rb-map-2nd"
-		;;
-	*"RouterBOARD mAP L-2nD")
-		name="rb-mapl-2nd"
-		;;
-	*"RouterBOARD SXT Lite2")
-		name="rb-sxt2n"
-		;;
-	*"RouterBOARD SXT Lite5")
-		name="rb-sxt5n"
-		;;
-	*"RouterBOARD wAP 2nD r2")
-		name="rb-wap-2nd"
-		;;
-	*"RouterBOARD wAP G-5HacT2HnD")
-		name="rb-wapg-5hact2hnd"
-		;;
 	*"RouterStation")
 		name="routerstation"
 		;;

target/linux/ar71xx/base-files/lib/upgrade/platform.sh

@@ -495,7 +495,7 @@ platform_check_image() {
 		local magic_ver="0100"
 
 		case "$board" in
-		tl-wdr6500-v2)
+		tl-wdr3320-v2|tl-wdr6500-v2)
 			magic_ver="0200"
 			;;
 		esac

target/linux/ar71xx/files/arch/mips/ath79/mach-archer-c7.c

@@ -105,6 +105,34 @@ static struct gpio_led archer_c7_leds_gpio[] __initdata = {
 	},
 };
 
+static struct gpio_led wdr4900_leds_gpio[] __initdata = {
+	{
+		.name		= "tp-link:blue:qss",
+		.gpio		= ARCHER_C7_GPIO_LED_QSS,
+		.active_low	= 1,
+	},
+	{
+		.name		= "tp-link:blue:system",
+		.gpio		= ARCHER_C7_GPIO_LED_SYSTEM,
+		.active_low	= 1,
+	},
+	{
+		.name		= "tp-link:blue:wlan2g",
+		.gpio		= ARCHER_C7_GPIO_LED_WLAN2G,
+		.active_low	= 1,
+	},
+	{
+		.name		= "tp-link:green:usb1",
+		.gpio		= ARCHER_C7_GPIO_LED_USB1,
+		.active_low	= 1,
+	},
+	{
+		.name		= "tp-link:green:usb2",
+		.gpio		= ARCHER_C7_GPIO_LED_USB2,
+		.active_low	= 1,
+	},
+};
+
 static struct gpio_keys_button archer_c7_gpio_keys[] __initdata = {
 	{
 		.desc		= "Reset button",
@@ -141,6 +169,17 @@ static struct gpio_keys_button archer_c7_v2_gpio_keys[] __initdata = {
 	},
 };
 
+static struct gpio_keys_button wdr4900_gpio_keys[] __initdata = {
+	{
+		.desc		= "Reset button",
+		.type		= EV_KEY,
+		.code		= KEY_WPS_BUTTON,
+		.debounce_interval = ARCHER_C7_KEYS_DEBOUNCE_INTERVAL,
+		.gpio		= ARCHER_C7_GPIO_BTN_RESET,
+		.active_low	= 1,
+	},
+};
+
 static const struct ar8327_led_info archer_c7_leds_ar8327[] = {
 	AR8327_LED_INFO(PHY0_0, HW, "tp-link:blue:wan"),
 	AR8327_LED_INFO(PHY1_0, HW, "tp-link:blue:lan1"),
@@ -207,20 +246,20 @@ static void __init common_setup(bool pcie_slot)
 	u8 *mac = (u8 *) KSEG1ADDR(0x1f01fc00);
 	u8 *art = (u8 *) KSEG1ADDR(0x1fff0000);
 	u8 tmpmac[ETH_ALEN];
+	u8 tmpmac2[ETH_ALEN];
 
 	ath79_register_m25p80(&archer_c7_flash_data);
-	ath79_register_leds_gpio(-1, ARRAY_SIZE(archer_c7_leds_gpio),
-				 archer_c7_leds_gpio);
-
-	ath79_init_mac(tmpmac, mac, -1);
-	ath79_register_wmac(art + ARCHER_C7_WMAC_CALDATA_OFFSET, tmpmac);
 
 	if (pcie_slot) {
+		ath79_register_wmac(art + ARCHER_C7_WMAC_CALDATA_OFFSET, mac);
 		ath79_register_pci();
 	} else {
 		ath79_init_mac(tmpmac, mac, -1);
+		ath79_register_wmac(art + ARCHER_C7_WMAC_CALDATA_OFFSET, tmpmac);
+
+		ath79_init_mac(tmpmac2, mac, -2);
 		ap9x_pci_setup_wmac_led_pin(0, 0);
-		ap91_pci_init(art + ARCHER_C7_PCIE_CALDATA_OFFSET, tmpmac);
+		ap91_pci_init(art + ARCHER_C7_PCIE_CALDATA_OFFSET, tmpmac2);
 	}
 
 	mdiobus_register_board_info(archer_c7_mdio0_info,
@@ -261,6 +300,8 @@ static void __init archer_c5_setup(void)
 	ath79_register_gpio_keys_polled(-1, ARCHER_C7_KEYS_POLL_INTERVAL,
 					ARRAY_SIZE(archer_c7_gpio_keys),
 					archer_c7_gpio_keys);
+	ath79_register_leds_gpio(-1, ARRAY_SIZE(archer_c7_leds_gpio),
+				 archer_c7_leds_gpio);
 	common_setup(true);
 }
 
@@ -272,6 +313,8 @@ static void __init archer_c7_setup(void)
 	ath79_register_gpio_keys_polled(-1, ARCHER_C7_KEYS_POLL_INTERVAL,
 					ARRAY_SIZE(archer_c7_gpio_keys),
 					archer_c7_gpio_keys);
+	ath79_register_leds_gpio(-1, ARRAY_SIZE(archer_c7_leds_gpio),
+				 archer_c7_leds_gpio);
 	common_setup(true);
 }
 
@@ -283,6 +326,8 @@ static void __init archer_c7_v2_setup(void)
 	ath79_register_gpio_keys_polled(-1, ARCHER_C7_KEYS_POLL_INTERVAL,
 					ARRAY_SIZE(archer_c7_v2_gpio_keys),
 					archer_c7_v2_gpio_keys);
+	ath79_register_leds_gpio(-1, ARRAY_SIZE(archer_c7_leds_gpio),
+				 archer_c7_leds_gpio);
 	common_setup(true);
 }
 
@@ -292,8 +337,10 @@ MIPS_MACHINE(ATH79_MACH_ARCHER_C7_V2, "ARCHER-C7-V2", "TP-LINK Archer C7",
 static void __init tl_wdr4900_v2_setup(void)
 {
 	ath79_register_gpio_keys_polled(-1, ARCHER_C7_KEYS_POLL_INTERVAL,
-					ARRAY_SIZE(archer_c7_gpio_keys),
-					archer_c7_gpio_keys);
+					ARRAY_SIZE(wdr4900_gpio_keys),
+					wdr4900_gpio_keys);
+	ath79_register_leds_gpio(-1, ARRAY_SIZE(wdr4900_leds_gpio),
+				 wdr4900_leds_gpio);
 	common_setup(false);
 }
 

target/linux/ar71xx/files/arch/mips/ath79/mach-tl-wdr4300.c

@@ -183,7 +183,7 @@ static void __init wdr4300_setup(void)
 
 	ath79_register_mdio(0, 0x0);
 
-	ath79_init_mac(ath79_eth0_data.mac_addr, mac, -2);
+	ath79_init_mac(ath79_eth0_data.mac_addr, mac, 0);
 
 	/* GMAC0 is connected to an AR8327N switch */
 	ath79_eth0_data.phy_if_mode = PHY_INTERFACE_MODE_RGMII;

target/linux/ar71xx/patches-4.9/450-gpio-nxp-74hc153-gpio-chip-driver.patch

@@ -1,6 +1,6 @@
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1214,4 +1214,12 @@ config GPIO_VIPERBOARD
+@@ -1215,4 +1215,12 @@ config GPIO_VIPERBOARD
  
  endmenu
  

target/linux/ar71xx/patches-4.9/451-gpio-74x164-improve-platform-device-support.patch

@@ -109,7 +109,7 @@
 +#endif
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1155,7 +1155,6 @@ menu "SPI GPIO expanders"
+@@ -1156,7 +1156,6 @@ menu "SPI GPIO expanders"
  
  config GPIO_74X164
  	tristate "74x164 serial-in/parallel-out 8-bits shift register"

target/linux/ar71xx/patches-4.9/452-gpio-add-gpio-latch-driver.patch

@@ -1,6 +1,6 @@
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1221,4 +1221,9 @@ config GPIO_NXP_74HC153
+@@ -1222,4 +1222,9 @@ config GPIO_NXP_74HC153
  	  Platform driver for NXP 74HC153 Dual 4-input Multiplexer. This
  	  provides a GPIO interface supporting input mode only.
  

target/linux/ar71xx/patches-4.9/500-MIPS-fw-myloader.patch

@@ -10,7 +10,7 @@
  
 --- a/arch/mips/Kconfig
 +++ b/arch/mips/Kconfig
-@@ -1151,6 +1151,9 @@ config MIPS_MSC
+@@ -1152,6 +1152,9 @@ config MIPS_MSC
  config MIPS_NILE4
  	bool