kernel: mtd: parser: cmdline: Fix parsing of part-names with colons

Some devices (especially QCA ones) are already using hardcoded partition
names with colons in it. The OpenMesh A62 for example provides following
mtd relevant information via cmdline:

  root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait

The change to split only on the last colon between mtd-id and partitions
will cause newpart to see following string for the first partition:

  KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive)

Such a partition list cannot be parsed and thus the device fails to boot.

Avoid this behavior by making sure that the start of the first part-name
("(") will also be the last byte the mtd-id split algorithm is using for
its colon search.

Fixes: 5d01d05608 ("kernel: Update kernel 4.14 to version 4.14.202")
Fixes: edda06c7b4 ("kernel: Update kernel 4.9 to version 4.9.240")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(backported from commit 223eec7e81)

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^925068d4f8366240d2aeb2d69b3df12382320ec3
-src-git luci https://git.openwrt.org/project/luci.git^41e2258d6dc1ebe8d3874ae6d6b13db49cff2c5c
-src-git routing https://git.openwrt.org/feed/routing.git^0e63ef9276bf41c0d4176127f9f047343b8ffe32
-src-git telephony https://git.openwrt.org/feed/telephony.git^8ecbdabc7c5cadbe571eb947f5cd333a5a785010
+src-git packages https://git.openwrt.org/feed/packages.git;openwrt-18.06
+src-git luci https://git.openwrt.org/project/luci.git;openwrt-18.06
+src-git routing https://git.openwrt.org/feed/routing.git;openwrt-18.06
+src-git telephony https://git.openwrt.org/feed/telephony.git;openwrt-18.06

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .211
-LINUX_VERSION-4.14 = .167
+LINUX_VERSION-4.9 = .243
+LINUX_VERSION-4.14 = .206
 
-LINUX_KERNEL_HASH-4.9.211 = 2597608d5d974cfdc015eaf6a4197b36f19d722b8a309b57e741fb02e311b1be
-LINUX_KERNEL_HASH-4.14.167 = 2bb78fc7a902faf4f5dad47fdbc2f4bf3df3cf9b41f408e7260f36656659fe43
+LINUX_KERNEL_HASH-4.9.243 = d3aa189ca7fcc6e52d6c0333a0d7acd8789e9a492b32dbf9476e926ffaa73984
+LINUX_KERNEL_HASH-4.14.206 = 1c233efaa5063983293a02d4692acc9ced9c03e18857364855d4f612347086ac
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/prereq-build.mk

@@ -28,16 +28,9 @@ $(eval $(call TestHostCommand,proper-umask, \
 
 $(eval $(call SetupHostCommand,gcc, \
 	Please install the GNU C Compiler (gcc) 4.8 or later, \
-	$(CC) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
-	gcc -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
-	gcc48 --version | grep gcc, \
-	gcc49 --version | grep gcc, \
-	gcc5 --version | grep gcc, \
-	gcc6 --version | grep gcc, \
-	gcc7 --version | grep gcc, \
-	gcc8 --version | grep gcc, \
-	gcc9 --version | grep gcc, \
-	gcc --version | grep Apple.LLVM ))
+	$(CC) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?|10\.?)', \
+	gcc -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?|10\.?)', \
+	gcc --version | grep -E 'Apple.(LLVM|clang)' ))
 
 $(eval $(call TestHostCommand,working-gcc, \
 	\nPlease reinstall the GNU C Compiler (4.8 or later) - \
@@ -47,16 +40,9 @@ $(eval $(call TestHostCommand,working-gcc, \
 
 $(eval $(call SetupHostCommand,g++, \
 	Please install the GNU C++ Compiler (g++) 4.8 or later, \
-	$(CXX) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
-	g++ -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?)', \
-	g++48 --version | grep g++, \
-	g++49 --version | grep g++, \
-	g++5 --version | grep g++, \
-	g++6 --version | grep g++, \
-	g++7 --version | grep g++, \
-	g++8 --version | grep g++, \
-	g++9 --version | grep g++, \
-	g++ --version | grep Apple.LLVM ))
+	$(CXX) -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?|10\.?)', \
+	g++ -dumpversion | grep -E '^(4\.[8-9]|[5-9]\.?|10\.?)', \
+	g++ --version | grep -E 'Apple.(LLVM|clang)' ))
 
 $(eval $(call TestHostCommand,working-g++, \
 	\nPlease reinstall the GNU C++ Compiler (4.8 or later) - \

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.7)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06-SNAPSHOT)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7976-ca47026b7d)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.7)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06-SNAPSHOT)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.7"
+		default "http://downloads.openwrt.org/releases/18.06-SNAPSHOT"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:
@@ -259,7 +259,7 @@ if VERSIONOPT
 	config VERSION_CODE_FILENAMES
 		bool
 		prompt "Revision code in filenames"
-		default n
+		default y
 		help
 			Enable this to include the revision identifier or the configured
 			version code into the firmware image, SDK- and Image Builder archive

package/boot/uboot-envtools/files/ar71xx

@@ -46,6 +46,7 @@ mr600v2|\
 mr900|\
 mr900v2|\
 n5q|\
+nbg6616|\
 nbg6716|\
 om5p|\
 om5p-ac|\

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-11-01
-PKG_RELEASE:=10
+PKG_RELEASE:=11
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_HASH:=8437ab7886b988c8152e7a4db30b7f41009e49a3b2cb863edd05da1ecd7eb05a
 

package/kernel/mac80211/patches/478-brcmfmac-add-DMI_PRODUCT_SKU-conditionally.patch

@@ -0,0 +1,22 @@
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -53,7 +53,9 @@ static const struct dmi_system_id dmi_pl
+ 		.matches = {
+ 			DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
+ 			DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++#if LINUX_VERSION_IS_GEQ(4,18,0)
+ 			DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T8"),
++#endif
+ 			/* also match on somewhat unique bios-version */
+ 			DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
+ 		},
+@@ -64,7 +66,9 @@ static const struct dmi_system_id dmi_pl
+ 		.matches = {
+ 			DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
+ 			DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++#if LINUX_VERSION_IS_GEQ(4,18,0)
+ 			DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T11"),
++#endif
+ 			/* also match on somewhat unique bios-version */
+ 			DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1.000"),
+ 		},

package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch

@@ -0,0 +1,42 @@
+From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 26 Mar 2020 15:51:35 +0100
+Subject: [PATCH] mac80211: mark station unauthorized before key removal
+
+commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream.
+
+If a station is still marked as authorized, mark it as no longer
+so before removing its keys. This allows frames transmitted to it
+to be rejected, providing additional protection against leaking
+plain text data during the disconnection flow.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -3,6 +3,7 @@
+  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
++ * Copyright (C) 2018-2020 Intel Corporation
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str
+ 	might_sleep();
+ 	lockdep_assert_held(&local->sta_mtx);
+ 
++	while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
++		ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
++		WARN_ON_ONCE(ret);
++	}
++
+ 	/* now keys can no longer be reached */
+ 	ieee80211_free_sta_keys(local, sta);
+ 

package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch

@@ -0,0 +1,54 @@
+From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 26 Mar 2020 15:51:34 +0100
+Subject: [PATCH] mac80211: Check port authorization in the
+ ieee80211_tx_dequeue() case
+
+commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream.
+
+mac80211 used to check port authorization in the Data frame enqueue case
+when going through start_xmit(). However, that authorization status may
+change while the frame is waiting in a queue. Add a similar check in the
+dequeue case to avoid sending previously accepted frames after
+authorization change. This provides additional protection against
+potential leaking of frames after a station has been disconnected and
+the keys for it are being removed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3496,8 +3496,25 @@ begin:
+ 	tx.sdata = vif_to_sdata(info->control.vif);
+ 	tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control);
+ 
+-	if (txq->sta)
++	if (txq->sta) {
+ 		tx.sta = container_of(txq->sta, struct sta_info, sta);
++		/*
++		 * Drop unicast frames to unauthorised stations unless they are
++		 * EAPOL frames from the local station.
++		 */
++		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
++			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
++			     !is_multicast_ether_addr(hdr->addr1) &&
++			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
++			     (!(info->control.flags &
++				IEEE80211_TX_CTRL_PORT_CTRL_PROTO) ||
++			      !ether_addr_equal(tx.sdata->vif.addr,
++						hdr->addr2)))) {
++			I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
++			ieee80211_free_txskb(&local->hw, skb);
++			goto begin;
++		}
++	}
+ 
+ 	/*
+ 	 * The key can be removed while the packet was queued, so need to call

package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch

@@ -0,0 +1,34 @@
+From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sun, 29 Mar 2020 22:50:06 +0200
+Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm
+
+commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream.
+
+The original patch didn't copy the ieee80211_is_data() condition
+because on most drivers the management frames don't go through
+this path. However, they do on iwlwifi/mvm, so we do need to keep
+the condition here.
+
+Cc: stable@vger.kernel.org
+Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Woody Suwalski <terraluna977@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3502,7 +3502,8 @@ begin:
+ 		 * Drop unicast frames to unauthorised stations unless they are
+ 		 * EAPOL frames from the local station.
+ 		 */
+-		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
++		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
++			     !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
+ 			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
+ 			     !is_multicast_ether_addr(hdr->addr1) &&
+ 			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&

package/kernel/mac80211/patches/483-mac80211-fix-misplaced-while-instead-of-if.patch

@@ -0,0 +1,31 @@
+From 5981fe5b0529ba25d95f37d7faa434183ad618c5 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 3 Aug 2020 11:02:10 +0200
+Subject: [PATCH] mac80211: fix misplaced while instead of if
+
+This never was intended to be a 'while' loop, it should've
+just been an 'if' instead of 'while'. Fix this.
+
+I noticed this while applying another patch from Ben that
+intended to fix a busy loop at this spot.
+
+Cc: stable@vger.kernel.org
+Fixes: b16798f5b907 ("mac80211: mark station unauthorized before key removal")
+Reported-by: Ben Greear <greearb@candelatech.com>
+Link: https://lore.kernel.org/r/20200803110209.253009ae41ff.I3522aad099392b31d5cf2dcca34cbac7e5832dde@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -977,7 +977,7 @@ static void __sta_info_destroy_part2(str
+ 	might_sleep();
+ 	lockdep_assert_held(&local->sta_mtx);
+ 
+-	while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
++	if (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
+ 		ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+ 		WARN_ON_ONCE(ret);
+ 	}

package/libs/libjson-c/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=json-c
 PKG_VERSION:=0.12.1
-PKG_RELEASE:=2
+PKG_RELEASE:=2.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-nodoc.tar.gz
 PKG_SOURCE_URL:=https://s3.amazonaws.com/json-c_releases/releases/

package/libs/libjson-c/patches/000-libm.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -43,12 +43,6 @@
+@@ -43,12 +43,6 @@ AC_FUNC_MEMCMP
  AC_FUNC_MALLOC
  AC_FUNC_REALLOC
  AC_CHECK_FUNCS(strcasecmp strdup strerror snprintf vsnprintf vasprintf open vsyslog strncasecmp setlocale)

package/libs/libjson-c/patches/001-Prevent-division-by-zero-in-linkhash.patch

@@ -0,0 +1,32 @@
+From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:46:45 +0200
+Subject: [PATCH 2/2] Prevent division by zero in linkhash.
+
+If a linkhash with a size of zero is created, then modulo operations
+are prone to division by zero operations.
+
+Purely protective measure against bad usage.
+---
+ linkhash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/linkhash.c
++++ b/linkhash.c
+@@ -10,6 +10,7 @@
+  *
+  */
+ 
++#include <assert.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+@@ -431,6 +432,8 @@ struct lh_table* lh_table_new(int size,
+ 	int i;
+ 	struct lh_table *t;
+ 
++  /* Allocate space for elements to avoid divisions by zero. */
++  assert(size > 0);
+ 	t = (struct lh_table*)calloc(1, sizeof(struct lh_table));
+ 	if(!t) lh_abort("lh_table_new: calloc failed\n");
+ 	t->count = 0;

package/libs/libjson-c/patches/002-Fix-integer-overflows.patch

@@ -0,0 +1,83 @@
+From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:47:25 +0200
+Subject: [PATCH] Fix integer overflows.
+
+The data structures linkhash and printbuf are limited to 2 GB in size
+due to a signed integer being used to track their current size.
+
+If too much data is added, then size variable can overflow, which is
+an undefined behaviour in C programming language.
+
+Assuming that a signed int overflow just leads to a negative value,
+like it happens on many sytems (Linux i686/amd64 with gcc), then
+printbuf is vulnerable to an out of boundary write on 64 bit systems.
+---
+ linkhash.c |  7 +++++--
+ printbuf.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/linkhash.c
++++ b/linkhash.c
+@@ -498,7 +498,12 @@ int lh_table_insert(struct lh_table *t,
+ 	unsigned long h, n;
+ 
+ 	t->inserts++;
+-	if(t->count >= t->size * LH_LOAD_FACTOR) lh_table_resize(t, t->size * 2);
++	if(t->count >= t->size * LH_LOAD_FACTOR) {
++		/* Avoid signed integer overflow with large tables. */
++		int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2);
++		if (t->size != INT_MAX)
++			lh_table_resize(t, new_size);
++	}
+ 
+ 	h = t->hash_fn(k);
+ 	n = h % t->size;
+--- a/printbuf.c
++++ b/printbuf.c
+@@ -15,6 +15,7 @@
+ 
+ #include "config.h"
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -63,7 +64,16 @@ static int printbuf_extend(struct printb
+ 	if (p->size >= min_size)
+ 		return 0;
+ 
+-	new_size = json_max(p->size * 2, min_size + 8);
++	/* Prevent signed integer overflows with large buffers. */
++	if (min_size > INT_MAX - 8)
++		return -1;
++	if (p->size > INT_MAX / 2)
++		new_size = min_size + 8;
++	else {
++		new_size = p->size * 2;
++		if (new_size < min_size + 8)
++			new_size = min_size + 8;
++	}
+ #ifdef PRINTBUF_DEBUG
+ 	MC_DEBUG("printbuf_memappend: realloc "
+ 	  "bpos=%d min_size=%d old_size=%d new_size=%d\n",
+@@ -78,6 +88,9 @@ static int printbuf_extend(struct printb
+ 
+ int printbuf_memappend(struct printbuf *p, const char *buf, int size)
+ {
++  /* Prevent signed integer overflows with large buffers. */
++  if (size > INT_MAX - p->bpos - 1)
++    return -1;
+   if (p->size <= p->bpos + size + 1) {
+     if (printbuf_extend(p, p->bpos + size + 1) < 0)
+       return -1;
+@@ -94,6 +107,9 @@ int printbuf_memset(struct printbuf *pb,
+ 
+ 	if (offset == -1)
+ 		offset = pb->bpos;
++	/* Prevent signed integer overflows with large buffers. */
++	if (len > INT_MAX - offset)
++		return -1;
+ 	size_needed = offset + len;
+ 	if (pb->size < size_needed)
+ 	{

package/libs/libubox/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libubox
-PKG_RELEASE=3
+PKG_RELEASE=5
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git

package/libs/libubox/patches/0017-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,33 @@
+From 75e300aeec25e032a9778bea34c713969960d1f0 Mon Sep 17 00:00:00 2001
+From: Chris Nisbet <nischris@gmail.com>
+Date: Wed, 12 Feb 2020 21:00:31 +1300
+Subject: [PATCH] blobmsg: fix wrong payload len passed from
+ blobmsg_check_array
+
+Fix incorrect use of blobmsg_len() on passed blobmsg to
+blobmsg_check_array_len() introduced in commit 379cd33d1992
+("fix wrong payload len passed from blobmsg_check_array") by using correct
+blob_len().
+
+By using blobmsg_len() a value too small was passed to blobmsg_check_array()
+which could lead to this function returning an error when there is none.
+
+Fixes: 379cd33d1992 ("fix wrong payload len passed from blobmsg_check_array")
+Signed-off-by: Chris Nisbet <nischris@gmail.com>
+[add fixes tag, rewrap commit message]
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -120,7 +120,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
++	return blobmsg_check_array_len(attr, type, blob_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/libubox/patches/0018-blobmsg-fix-attrs-iteration-in-the-blobmsg_check_arr.patch

@@ -0,0 +1,73 @@
+From 5e75160f48785464f9213c6bc8c72b9372c5318b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sat, 23 May 2020 13:18:51 +0200
+Subject: [PATCH] blobmsg: fix attrs iteration in the blobmsg_check_array_len()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Starting with 75e300aeec25 ("blobmsg: fix wrong payload len passed from
+blobmsg_check_array") blobmsg_check_array_len() gets *blob* length
+passed as argument. It cannot be used with __blobmsg_for_each_attr()
+which expects *data* length.
+
+Use blobmsg_for_each_attr() which calculates *data* length on its own.
+
+The same bug was already reported in the past and there was fix attempt
+in the commit cd75136b1342 ("blobmsg: fix wrong payload len passed from
+blobmsg_check_array"). That change made blobmsg_check_attr_len() calls
+fail however.
+
+This is hopefully the correct & complete fix:
+1. blobmsg_check_array_len() gets *blob* length
+2. It calls blobmsg_check_attr_len() which requires *blob* length
+3. It uses blobmsg_for_each_attr() which gets *data* length
+
+This fixes iterating over random memory treated as attrs. That was
+resulting in check failing randomly for totally correct blobs. It's
+critical e.g. for procd project with its instance_fill_array() failing
+and procd not starting services.
+
+Fixes: 75e300aeec25 ("blobmsg: fix wrong payload len passed from blobmsg_check_array")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ blobmsg.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -123,16 +123,18 @@ int blobmsg_check_array(const struct blo
+ 	return blobmsg_check_array_len(attr, type, blob_len(attr));
+ }
+ 
+-int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)
++int blobmsg_check_array_len(const struct blob_attr *attr, int type,
++			    size_t blob_len)
+ {
+ 	struct blob_attr *cur;
++	size_t rem;
+ 	bool name;
+ 	int size = 0;
+ 
+ 	if (type > BLOBMSG_TYPE_LAST)
+ 		return -1;
+ 
+-	if (!blobmsg_check_attr_len(attr, false, len))
++	if (!blobmsg_check_attr_len(attr, false, blob_len))
+ 		return -1;
+ 
+ 	switch (blobmsg_type(attr)) {
+@@ -146,11 +148,11 @@ int blobmsg_check_array_len(const struct
+ 		return -1;
+ 	}
+ 
+-	__blobmsg_for_each_attr(cur, attr, len) {
++	blobmsg_for_each_attr(cur, attr, rem) {
+ 		if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
+ 			return -1;
+ 
+-		if (!blobmsg_check_attr_len(cur, name, len))
++		if (!blobmsg_check_attr_len(cur, name, rem))
+ 			return -1;
+ 
+ 		size++;

package/libs/libubox/patches/0019-blobmsg-fix-length-in-blobmsg_check_array.patch

@@ -0,0 +1,26 @@
+From c2fc622b771f679e8f55060ac60cfe02b9a80995 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 25 May 2020 13:44:20 +0200
+Subject: [PATCH] blobmsg: fix length in blobmsg_check_array
+
+blobmsg_check_array_len expects the length of the full attribute buffer,
+not just the data length.
+Due to other missing length checks (fixed in the next commit), this did
+not show up as a test failure
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -120,7 +120,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blob_len(attr));
++	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type,

package/libs/libubox/patches/0020-blobmsg-simplify-and-fix-name-length-checks-in-blobm.patch

@@ -0,0 +1,47 @@
+From 639c29d19717616b809d9a1e9042461ab8024370 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 25 May 2020 14:49:35 +0200
+Subject: [PATCH] blobmsg: simplify and fix name length checks in
+ blobmsg_check_name
+
+blobmsg_hdr_valid_namelen was omitted when name==false
+The blob_len vs blobmsg_namelen changes were not taking into account
+potential padding between name and data
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ blobmsg.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -54,8 +54,8 @@ static bool blobmsg_hdr_valid_namelen(co
+ 
+ static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
+ {
+-	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
++	uint16_t namelen;
+ 
+ 	hdr = blobmsg_hdr_from_blob(attr, len);
+ 	if (!hdr)
+@@ -64,16 +64,11 @@ static bool blobmsg_check_name(const str
+ 	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	if (name && !blobmsg_hdr_valid_namelen(hdr, len))
++	namelen = blobmsg_namelen(hdr);
++	if (blob_len(attr) < (size_t)blobmsg_hdrlen(namelen))
+ 		return false;
+ 
+-	if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit)
+-		return false;
+-
+-	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+-		return false;
+-
+-	if (hdr->name[blobmsg_namelen(hdr)] != 0)
++	if (hdr->name[namelen] != 0)
+ 		return false;
+ 
+ 	return true;

package/libs/libubox/patches/0021-blobmsg-fix-missing-length-checks.patch

@@ -0,0 +1,137 @@
+From 66195aee50424cbda0c2d858014e4cc58a2dc029 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 25 May 2020 12:40:04 +0200
+Subject: [PATCH] blobmsg: fix missing length checks
+
+blobmsg_check_attr_len was calling blobmsg_check_data for some, but not all
+attribute types. These checks was missing for arrays and tables.
+
+Additionally, the length check in blobmsg_check_data was a bit off, since
+it was comparing the blobmsg data length against the raw blob attr length.
+
+Fix this by checking the raw blob length against the buffer length in
+blobmsg_hdr_from_blob
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ blobmsg.c | 66 +++++++++++++++++--------------------------------------
+ 1 file changed, 20 insertions(+), 46 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -36,31 +36,18 @@ bool blobmsg_check_attr(const struct blo
+ 	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
+ }
+ 
+-static const struct blobmsg_hdr* blobmsg_hdr_from_blob(const struct blob_attr *attr, size_t len)
+-{
+-	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
+-		return NULL;
+-
+-	return blob_data(attr);
+-}
+-
+-static bool blobmsg_hdr_valid_namelen(const struct blobmsg_hdr *hdr, size_t len)
+-{
+-	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr) + blobmsg_namelen(hdr) + 1)
+-		return false;
+-
+-	return true;
+-}
+-
+-static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
++static bool blobmsg_check_name(const struct blob_attr *attr, bool name)
+ {
+ 	const struct blobmsg_hdr *hdr;
+ 	uint16_t namelen;
+ 
+-	hdr = blobmsg_hdr_from_blob(attr, len);
+-	if (!hdr)
++	if (!blob_is_extended(attr))
++		return !name;
++
++	if (blob_len(attr) < sizeof(struct blobmsg_hdr))
+ 		return false;
+ 
++	hdr = (const struct blobmsg_hdr *)blob_data(attr);
+ 	if (name && !hdr->namelen)
+ 		return false;
+ 
+@@ -74,29 +61,20 @@ static bool blobmsg_check_name(const str
+ 	return true;
+ }
+ 
+-static const char* blobmsg_check_data(const struct blob_attr *attr, size_t len, size_t *data_len)
+-{
+-	char *limit = (char *) attr + len;
+-	const char *data;
+-
+-	*data_len = blobmsg_data_len(attr);
+-	if (*data_len > blob_raw_len(attr))
+-		return NULL;
+-
+-	data = blobmsg_data(attr);
+-	if (data + *data_len > limit)
+-		return NULL;
+-
+-	return data;
+-}
+-
+ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len)
+ {
+ 	const char *data;
+ 	size_t data_len;
+ 	int id;
+ 
+-	if (!blobmsg_check_name(attr, len, name))
++	if (len < sizeof(struct blob_attr))
++		return false;
++
++	data_len = blob_raw_len(attr);
++	if (data_len < sizeof(struct blob_attr) || data_len > len)
++		return false;
++
++	if (!blobmsg_check_name(attr, name))
+ 		return false;
+ 
+ 	id = blob_id(attr);
+@@ -106,9 +84,8 @@ bool blobmsg_check_attr_len(const struct
+ 	if (!blob_type[id])
+ 		return true;
+ 
+-	data = blobmsg_check_data(attr, len, &data_len);
+-	if (!data)
+-		return false;
++	data = blobmsg_data(attr);
++	data_len = blobmsg_data_len(attr);
+ 
+ 	return blob_check_type(data, data_len, blob_type[id]);
+ }
+@@ -212,13 +189,13 @@ int blobmsg_parse(const struct blobmsg_p
+ 	}
+ 
+ 	__blob_for_each_attr(attr, data, len) {
+-		hdr = blobmsg_hdr_from_blob(attr, len);
+-		if (!hdr)
++		if (!blobmsg_check_attr_len(attr, false, len))
+ 			return -1;
+ 
+-		if (!blobmsg_hdr_valid_namelen(hdr, len))
+-			return -1;
++		if (!blob_is_extended(attr))
++			continue;
+ 
++		hdr = blob_data(attr);
+ 		for (i = 0; i < policy_len; i++) {
+ 			if (!policy[i].name)
+ 				continue;
+@@ -230,9 +207,6 @@ int blobmsg_parse(const struct blobmsg_p
+ 			if (blobmsg_namelen(hdr) != pslen[i])
+ 				continue;
+ 
+-			if (!blobmsg_check_attr_len(attr, true, len))
+-				return -1;
+-
+ 			if (tb[i])
+ 				continue;
+ 

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.4
+PKG_VERSION:=2.16.8
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
-PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -633,14 +633,14 @@
+@@ -692,14 +692,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -757,19 +757,19 @@
+@@ -816,19 +816,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -818,7 +818,7 @@
+@@ -899,7 +899,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -871,7 +871,7 @@
+@@ -952,7 +952,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -891,7 +891,7 @@
+@@ -972,7 +972,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -916,7 +916,7 @@
+@@ -997,7 +997,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1050,7 +1050,7 @@
+@@ -1131,7 +1131,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1074,7 +1074,7 @@
+@@ -1155,7 +1155,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1178,7 +1178,7 @@
+@@ -1259,7 +1259,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1273,14 +1273,14 @@
+@@ -1354,14 +1354,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1296,7 +1296,7 @@
+@@ -1377,7 +1377,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1434,7 +1434,7 @@
+@@ -1515,7 +1515,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1609,7 +1609,7 @@
+@@ -1690,7 +1690,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1639,7 +1639,7 @@
+@@ -1720,7 +1720,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1698,7 +1698,7 @@
+@@ -1779,7 +1779,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2028,7 +2028,7 @@
+@@ -2109,7 +2109,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2094,7 +2094,7 @@
+@@ -2175,7 +2175,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2106,7 +2106,7 @@
+@@ -2187,7 +2187,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2115,7 +2115,7 @@
+@@ -2196,7 +2196,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -2126,7 +2126,7 @@
+@@ -2207,7 +2207,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2185,7 +2185,7 @@
+@@ -2266,7 +2266,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2214,7 +2214,7 @@
+@@ -2295,7 +2295,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2377,7 +2377,7 @@
+@@ -2458,7 +2458,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2391,7 +2391,7 @@
+@@ -2472,7 +2472,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2687,7 +2687,7 @@
+@@ -2768,7 +2768,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2697,7 +2697,7 @@
+@@ -2778,7 +2778,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2708,7 +2708,7 @@
+@@ -2789,7 +2789,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2815,7 +2815,7 @@
+@@ -2896,7 +2896,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2915,7 +2915,7 @@
+@@ -2996,7 +2996,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -3025,7 +3025,7 @@
+@@ -3106,7 +3106,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/libs/mbedtls/patches/300-soversion-compatibility.patch

@@ -4,8 +4,8 @@
  
  if(USE_SHARED_MBEDTLS_LIBRARY)
      add_library(mbedcrypto SHARED ${src_crypto})
--    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.3 SOVERSION 3)
-+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.12.0 SOVERSION 1)
+-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.8 SOVERSION 3)
++    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.8 SOVERSION 1)
      target_link_libraries(mbedcrypto ${libs})
  
      add_library(mbedx509 SHARED ${src_x509})
@@ -13,8 +13,8 @@
      target_link_libraries(mbedx509 ${libs} mbedcrypto)
  
      add_library(mbedtls SHARED ${src_tls})
--    set_target_properties(mbedtls PROPERTIES VERSION 2.16.3 SOVERSION 12)
-+    set_target_properties(mbedtls PROPERTIES VERSION 2.12.0 SOVERSION 10)
+-    set_target_properties(mbedtls PROPERTIES VERSION 2.16.8 SOVERSION 12)
++    set_target_properties(mbedtls PROPERTIES VERSION 2.16.8 SOVERSION 10)
      target_link_libraries(mbedtls ${libs} mbedx509)
  
      install(TARGETS mbedtls mbedx509 mbedcrypto

package/network/config/firewall/Makefile

@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git

package/network/config/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch

@@ -0,0 +1,33 @@
+From c9f48cb3bd0e14fec8ad71c3baef7c280a390b4f Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 24 Jul 2020 12:52:59 +0800
+Subject: [PATCH] zones: apply tcp mss clamping also on ingress path
+
+Fixes FS#3231
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+Acked-by: Jo-Philipp Wich <jo@mein.io>
+(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a)
+---
+ zones.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zones.c b/zones.c
+index 505ab20..4656f88 100644
+--- a/zones.c
++++ b/zones.c
+@@ -553,6 +553,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ 			fw3_ipt_rule_target(r, "TCPMSS");
+ 			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+ 			fw3_ipt_rule_replace(r, "FORWARD");
++
++			r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
++			fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
++			fw3_ipt_rule_addarg(r, false, "SYN", NULL);
++			fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
++			fw3_ipt_rule_target(r, "TCPMSS");
++			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
++			fw3_ipt_rule_replace(r, "FORWARD");
+ 		}
+ 	}
+ 	else if (handle->table == FW3_TABLE_RAW)

package/network/config/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch

@@ -0,0 +1,38 @@
+From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001
+From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+Date: Sat, 15 Aug 2020 13:50:27 +0900
+Subject: [PATCH] options: fix parsing of boolean attributes
+
+Boolean attributes were parsed the same way as string attributes,
+so a value of { "bool_attr": "true" } would be parsed correctly, but
+{ "bool_attr": true } (without quotes) was parsed as false.
+
+Fixes FS#3284
+
+Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+---
+ options.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/options.c
++++ b/options.c
+@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st
+ 						if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ 							snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ 							v = buf;
++						} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++							snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++							v = buf;
+ 						} else {
+ 							v = blobmsg_get_string(e);
+ 						}
+@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st
+ 				if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ 					snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ 					v = buf;
++				} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++					snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++					v = buf;
+ 				} else {
+ 					v = blobmsg_get_string(o);
+ 				}

package/network/services/hostapd/Makefile

@@ -88,9 +88,6 @@ DRIVER_MAKEOPTS= \
 	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
 	CONFIG_DRIVER_WEXT=$(CONFIG_DRIVER_WEXT_SUPPORT) \
 
-space :=
-space +=
-
 ifeq ($(LOCAL_VARIANT),full)
   DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT)
 endif

package/network/services/ppp/Makefile

@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ppp
 PKG_VERSION:=2.4.7
-PKG_RELEASE:=12
+PKG_RELEASE:=13
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.samba.org/pub/ppp/

package/network/services/ppp/patches/700-radius-Prevent-buffer-overflow-in-rc_mksid.patch

@@ -0,0 +1,30 @@
+From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Sat, 4 Jan 2020 12:01:32 +1100
+Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
+
+On some systems getpid() can return a value greater than 65535.
+Increase the size of buf[] to allow for this, and use slprintf()
+to make sure we never overflow it.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/plugins/radius/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
+index 6f976a712951..740131e8377c 100644
+--- a/pppd/plugins/radius/util.c
++++ b/pppd/plugins/radius/util.c
+@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
+ char *
+ rc_mksid (void)
+ {
+-  static char buf[15];
++  static char buf[32];
+   static unsigned short int cnt = 0;
+-  sprintf (buf, "%08lX%04X%02hX",
++  slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+ 	   (unsigned int) getpid (),
+ 	   cnt & 0xFF);

package/network/services/ppp/patches/701-pppd-Fix-bounds-check-in-EAP-code.patch

@@ -0,0 +1,37 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname).  This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f56a336..1b93db01aebd 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';

package/network/services/ppp/patches/702-pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch

@@ -0,0 +1,61 @@
+From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 16:31:42 +1100
+Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
+
+This adds some basic checks to the subroutines of eap_input to check
+that we have requested or agreed to doing EAP authentication before
+doing any processing on the received packet.  The motivation is to
+make it harder for a malicious peer to disrupt the operation of pppd
+by sending unsolicited EAP packets.  Note that eap_success() already
+has a check that the EAP client state is reasonable, and does nothing
+(apart from possibly printing a debug message) if not.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 1b93db01aebd..082e95343120 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1328,6 +1328,12 @@ int len;
+ 	int fd;
+ #endif /* USE_SRP */
+ 
++	/*
++	 * Ignore requests if we're not open
++	 */
++	if (esp->es_client.ea_state <= eapClosed)
++		return;
++
+ 	/*
+ 	 * Note: we update es_client.ea_id *only if* a Response
+ 	 * message is being generated.  Otherwise, we leave it the
+@@ -1736,6 +1742,12 @@ int len;
+ 	u_char dig[SHA_DIGESTSIZE];
+ #endif /* USE_SRP */
+ 
++	/*
++	 * Ignore responses if we're not open
++	 */
++	if (esp->es_server.ea_state <= eapClosed)
++		return;
++
+ 	if (esp->es_server.ea_id != id) {
+ 		dbglog("EAP: discarding Response %d; expected ID %d", id,
+ 		    esp->es_server.ea_id);
+@@ -2047,6 +2059,12 @@ u_char *inp;
+ int id;
+ int len;
+ {
++	/*
++	 * Ignore failure messages if we're not open
++	 */
++	if (esp->es_client.ea_state <= eapClosed)
++		return;
++
+ 	if (!eap_client_active(esp)) {
+ 		dbglog("EAP unexpected failure message in state %s (%d)",
+ 		    eap_state_name(esp->es_client.ea_state),

package/network/services/relayd/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=relayd
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/relayd.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2016-02-07
-PKG_SOURCE_VERSION:=ad0b25ad74345d367c62311e14b279f5ccb8ef13
-PKG_MIRROR_HASH:=8818e9da8cc056961f21f1569e06e63b840965d1453dfcef70a8d84ea76f84d7
+PKG_SOURCE_DATE:=2020-04-25
+PKG_SOURCE_VERSION:=f4d759be54ceb37714e9a6ca320d5b50c95e9ce9
+PKG_MIRROR_HASH:=b1ff6e99072867be0975ba0be52ba9da3a876c8b8da893d68301e8238243a51e
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-2.0

package/network/services/uhttpd/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
-PKG_SOURCE_DATE:=2019-12-22
-PKG_SOURCE_VERSION:=5f9ae5738372aaa3a6be2f0a278933563d3f191a
-PKG_MIRROR_HASH:=16977c2d7e68f6db3241f874df625af9bd3bafa06fe4499ecb3561c825321e5d
+PKG_SOURCE_DATE:=2020-02-12
+PKG_SOURCE_VERSION:=2ee323c01079248baa9465969df9e25b5fb68cdf
+PKG_MIRROR_HASH:=ebec09286cf5f977cac893931a5a4f27ba891db88d5e44a9b0de9446ae431527
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=ISC
 

package/network/services/umdns/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/mdnsd.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2018-01-02
-PKG_SOURCE_VERSION:=78974417e182a3de8f78b7d73366ec0c98396b6c
-PKG_MIRROR_HASH:=a60f9eb9428ac3256cd7c3c6d4207c116cedf4d212b82e2f86c1bf7c7898fcbb
+PKG_SOURCE_DATE:=2020-04-25
+PKG_SOURCE_VERSION:=cdac0460ba50dc45735f0be2e19a5a8efc3dafe1
+PKG_MIRROR_HASH:=261cb929dfc03c1f293156cfdec8c2cd1541dcdc57ae42a323f9df5d26e6f7d2
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=LGPL-2.1
@@ -30,7 +30,7 @@ define Package/umdns
   DEPENDS:=+libubox +libubus +libblobmsg-json
 endef
 
-TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include
+TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include -Wno-address-of-packed-member
 
 define Package/umdns/conffiles
 /etc/config/umdns

package/network/services/wireguard/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016-2018 Jason A. Donenfeld <Jason@zx2c4.com>
+# Copyright (C) 2016-2019 Jason A. Donenfeld <Jason@zx2c4.com>
 # Copyright (C) 2016 Baptiste Jonglez <openwrt@bitsofnetworks.org>
 # Copyright (C) 2016-2017 Dan Luedtke <mail@danrl.com>
 #
@@ -11,17 +11,17 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=wireguard
 
-PKG_VERSION:=0.0.20190601
+PKG_VERSION:=1.0.20200611
 PKG_RELEASE:=1
 
-PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=7528461824a0174bd7d4f15e68d8f0ce9a8ea318411502b80759438e8ef65568
+PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
+PKG_HASH:=9b0478c3b1f3a7b488916e632e2fcbb1383bb1a2ef294489858ce2ba1da3246d
 
-PKG_LICENSE:=GPL-2.0 Apache-2.0
+PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
 
-PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/WireGuard-$(PKG_VERSION)
+PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/wireguard-linux-compat-$(PKG_VERSION)
 PKG_BUILD_PARALLEL:=1
 PKG_USE_MIPS16:=0
 
@@ -57,13 +57,8 @@ endef
 include $(INCLUDE_DIR)/kernel-defaults.mk
 include $(INCLUDE_DIR)/package-defaults.mk
 
-# Used by Build/Compile/Default
-MAKE_PATH:=src/tools
-MAKE_VARS += PLATFORM=linux
-
 define Build/Compile
 	$(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
-	$(call Build/Compile/Default)
 endef
 
 define Package/wireguard/install
@@ -74,27 +69,6 @@ define Package/wireguard/description
   $(call Package/wireguard/Default/description)
 endef
 
-define Package/wireguard-tools
-  $(call Package/wireguard/Default)
-  TITLE:=WireGuard userspace control program (wg)
-  DEPENDS:=+libmnl +ip
-endef
-
-define Package/wireguard-tools/description
-  $(call Package/wireguard/Default/description)
-
-  This package provides the userspace control program for WireGuard,
-  `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
-endef
-
-define Package/wireguard-tools/install
-	$(INSTALL_DIR) $(1)/usr/bin/
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/tools/wg $(1)/usr/bin/
-	$(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
-	$(INSTALL_DIR) $(1)/lib/netifd/proto/
-	$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
-endef
-
 define KernelPackage/wireguard
   SECTION:=kernel
   CATEGORY:=Kernel modules
@@ -112,5 +86,4 @@ define KernelPackage/wireguard/description
 endef
 
 $(eval $(call BuildPackage,wireguard))
-$(eval $(call BuildPackage,wireguard-tools))
 $(eval $(call KernelPackage,wireguard))

package/network/utils/wireguard-tools/Makefile

@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2016-2019 Jason A. Donenfeld <Jason@zx2c4.com>
+# Copyright (C) 2016 Baptiste Jonglez <openwrt@bitsofnetworks.org>
+# Copyright (C) 2016-2017 Dan Luedtke <mail@danrl.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=wireguard-tools
+
+PKG_VERSION:=1.0.20191226
+PKG_RELEASE:=1
+
+PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/
+PKG_HASH:=aa8af0fdc9872d369d8c890a84dbc2a2466b55795dccd5b47721b2d97644b04f
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/package-defaults.mk
+
+MAKE_PATH:=src
+MAKE_VARS += PLATFORM=linux
+
+define Package/wireguard-tools
+  $(call Package/wireguard/Default)
+  TITLE:=WireGuard userspace control program (wg)
+  DEPENDS:=+libmnl +ip
+endef
+
+define Package/wireguard-tools/description
+  $(call Package/wireguard/Default/description)
+
+  This package provides the userspace control program for WireGuard,
+  `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
+endef
+
+define Package/wireguard-tools/install
+	$(INSTALL_DIR) $(1)/usr/bin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wg $(1)/usr/bin/
+	$(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/lib/netifd/proto/
+	$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
+endef
+
+$(eval $(call BuildPackage,wireguard-tools))

package/system/ca-certificates/Makefile

@@ -7,14 +7,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ca-certificates
-PKG_VERSION:=20190110
+PKG_VERSION:=20200601
 PKG_RELEASE:=1
 PKG_MAINTAINER:=
 
 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/c/ca-certificates
-PKG_HASH:=ee4bf0f4c6398005f5b5ca4e0b87b82837ac5c3b0280a1cb3a63c47555c3a675
-
+PKG_HASH:=43766d5a436519503dfd65ab83488ae33ab4d4ca3d0993797b58c92eb9ed4e63
+PKG_BUILD_DIR:=$(BUILD_DIR)/work
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk

package/system/fstools/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fstools
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/fstools.git

package/system/fstools/patches/000-fix-ntfs-uuid.patch

@@ -0,0 +1,56 @@
+From d05276dc1d6de119da518d62930b9a8ef55ef7e9 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 25 Oct 2019 10:48:47 +0000
+Subject: [PATCH] libblkid-tiny: ntfs: fix use-after-free
+
+The memory pointed to by ns can be reallocated when checking mft records
+
+Fixes FS#2129
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ libblkid-tiny/ntfs.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libblkid-tiny/ntfs.c
++++ b/libblkid-tiny/ntfs.c
+@@ -88,6 +88,7 @@ static int probe_ntfs(blkid_probe pr, co
+ 
+ 	uint32_t sectors_per_cluster, mft_record_size;
+ 	uint16_t sector_size;
++	uint64_t volume_serial;
+ 	uint64_t nr_clusters, off; //, attr_off;
+ 	unsigned char *buf_mft;
+ 
+@@ -148,15 +149,16 @@ static int probe_ntfs(blkid_probe pr, co
+ 		return 1;
+ 
+ 
++	volume_serial = ns->volume_serial;
+ 	off = le64_to_cpu(ns->mft_cluster_location) * sector_size *
+ 		sectors_per_cluster;
+ 
+ 	DBG(LOWPROBE, ul_debug("NTFS: sector_size=%"PRIu16", mft_record_size=%"PRIu32", "
+ 			"sectors_per_cluster=%"PRIu32", nr_clusters=%"PRIu64" "
+-			"cluster_offset=%"PRIu64"",
++			"cluster_offset=%"PRIu64", volume_serial=%"PRIu64"",
+ 			sector_size, mft_record_size,
+ 			sectors_per_cluster, nr_clusters,
+-			off));
++			off, volume_serial));
+ 
+ 	buf_mft = blkid_probe_get_buffer(pr, off, mft_record_size);
+ 	if (!buf_mft)
+@@ -207,9 +209,9 @@ static int probe_ntfs(blkid_probe pr, co
+ #endif
+ 
+ 	blkid_probe_sprintf_uuid(pr,
+-			(unsigned char *) &ns->volume_serial,
+-			sizeof(ns->volume_serial),
+-			"%016" PRIX64, le64_to_cpu(ns->volume_serial));
++			(unsigned char *) &volume_serial,
++			sizeof(volume_serial),
++			"%016" PRIX64, le64_to_cpu(volume_serial));
+ 	return 0;
+ }
+ 

package/system/rpcd/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rpcd
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/rpcd.git
-PKG_SOURCE_DATE:=2018-11-28
-PKG_SOURCE_VERSION:=3aa81d0dfae167eccc26203bd0c96f3e3450f253
+PKG_SOURCE_DATE:=2020-05-26
+PKG_SOURCE_VERSION:=7be1f17138f19d1d7a86e0c27b3662d3643ff296
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
-PKG_MIRROR_HASH:=1befc5e1793a687e7a37b4f4d611e5f95aef4b79ad4b288c4dcb4c74d212509b
+PKG_MIRROR_HASH:=b427b2be8ebd486edbc88f6e789d1890cbdda1b4f04dcfcc8751f568c3a82674
 
 PKG_LICENSE:=ISC
 PKG_LICENSE_FILES:=

package/system/uci/Makefile

@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uci
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uci.git
 PKG_SOURCE_PROTO:=git

package/system/uci/patches/001-file-uci_parse_package-fix-heap-use-after-free.patch

@@ -0,0 +1,51 @@
+From a3e650911f5e6f67dcff09974df3775dfd615da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 3 Oct 2020 01:29:21 +0200
+Subject: [PATCH] file: uci_parse_package: fix heap use after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following issue which is caused by usage of pointer which pointed
+to a reallocated address:
+
+ ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000087 at pc 0x000000509aa7 bp 0x7ffd6b9c3c40 sp 0x7ffd6b9c3400
+ READ of size 2 at 0x619000000087 thread T0
+     #0 0x509aa6 in strdup (test-fuzz+0x509aa6)
+     #1 0x7fc36d2a1636 in uci_strdup util.c:60:8
+     #2 0x7fc36d29e1ac in uci_alloc_generic list.c:55:13
+     #3 0x7fc36d29e241 in uci_alloc_package list.c:253:6
+     #4 0x7fc36d2a0ba3 in uci_switch_config file.c:375:18
+     #5 0x7fc36d2a09b8 in uci_parse_package file.c:397:2
+     #6 0x7fc36d2a09b8 in uci_parse_line file.c:513:6
+     #7 0x7fc36d2a09b8 in uci_import file.c:681:4
+
+ 0x619000000087 is located 7 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
+ freed by thread T0 here:
+     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
+     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8
+
+ previously allocated by thread T0 here:
+     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
+     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8
+
+Reported-by: Jeremy Galindo <jgalindo@datto.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ file.c                                             |   2 +-
+ ...sig-06,src-000079,time-22005942,op-ext_AO,pos-8 | Bin 0 -> 56 bytes
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ create mode 100644 tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8
+
+--- a/file.c
++++ b/file.c
+@@ -387,8 +387,8 @@ static void uci_parse_package(struct uci
+ 	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+ 
+ 	ofs_name = next_arg(ctx, true, true, true);
+-	name = pctx_str(pctx, ofs_name);
+ 	assert_eol(ctx);
++	name = pctx_str(pctx, ofs_name);
+ 	if (single)
+ 		return;
+ 

package/system/uci/patches/002-file-Check-buffer-size-after-strtok.patch

@@ -0,0 +1,112 @@
+From eae126f66663e5c73e5d290b8e3134449489340f Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 4 Oct 2020 17:14:49 +0200
+Subject: [PATCH] file: Check buffer size after strtok()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a heap overflow in the parsing of the uci line.
+
+The line which is parsed and put into pctx->buf is null terminated and
+stored on the heap. In the uci_parse_line() function we use strtok() to
+split this string in multiple parts after divided by a space or tab.
+strtok() replaces these characters with a NULL byte. If the next byte is
+NULL we assume that this NULL byte was added by strtok() and try to
+parse the string after this NULL byte. If this NULL byte was not added
+by strtok(), but by fgets() to mark the end of the string we would read
+over this end of the string in uninitialized memory and later over the
+allocated buffer.
+
+Fix this problem by storing how long the line we read was and check if
+we would read over the end of the string here.
+
+This also adds the input which detected this crash to the corpus of the
+fuzzer.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+[fixed merge conflict in tests]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ file.c                                        | 19 ++++++++++++++++---
+ tests/cram/test-san_uci_import.t              |  1 +
+ tests/cram/test_uci_import.t                  |  1 +
+ .../2e18ecc3a759dedc9357b1298e9269eccc5c5a6b  |  1 +
+ uci_internal.h                                |  1 +
+ 5 files changed, 20 insertions(+), 3 deletions(-)
+ create mode 100644 tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b
+
+--- a/file.c
++++ b/file.c
+@@ -28,6 +28,7 @@
+ #include <glob.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <errno.h>
+ 
+ #include "uci.h"
+ #include "uci_internal.h"
+@@ -63,6 +64,7 @@ __private void uci_getln(struct uci_cont
+ 			return;
+ 
+ 		ofs += strlen(p);
++		pctx->buf_filled = ofs;
+ 		if (pctx->buf[ofs - 1] == '\n') {
+ 			pctx->line++;
+ 			return;
+@@ -120,6 +122,15 @@ static inline void addc(struct uci_conte
+ 	*pos_src += 1;
+ }
+ 
++static int uci_increase_pos(struct uci_parse_context *pctx, size_t add)
++{
++	if (pctx->pos + add > pctx->buf_filled)
++		return -EINVAL;
++
++	pctx->pos += add;
++	return 0;
++}
++
+ /*
+  * parse a double quoted string argument from the command line
+  */
+@@ -384,7 +395,8 @@ static void uci_parse_package(struct uci
+ 	char *name;
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "package without name");
+ 
+ 	ofs_name = next_arg(ctx, true, true, true);
+ 	assert_eol(ctx);
+@@ -416,7 +428,8 @@ static void uci_parse_config(struct uci_
+ 	}
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "config without name");
+ 
+ 	ofs_type = next_arg(ctx, true, false, false);
+ 	type = pctx_str(pctx, ofs_type);
+@@ -466,7 +479,8 @@ static void uci_parse_option(struct uci_
+ 		uci_parse_error(ctx, "option/list command found before the first section");
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "option without name");
+ 
+ 	ofs_name = next_arg(ctx, true, true, false);
+ 	ofs_value = next_arg(ctx, false, false, false);
+--- a/uci_internal.h
++++ b/uci_internal.h
+@@ -33,6 +33,7 @@ struct uci_parse_context
+ 	const char *name;
+ 	char *buf;
+ 	int bufsz;
++	size_t buf_filled;
+ 	int pos;
+ };
+ #define pctx_pos(pctx)		((pctx)->pos)

package/system/usign/Makefile

@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/usign.git
-PKG_SOURCE_DATE:=2019-08-06
-PKG_SOURCE_VERSION:=5a52b379902471cef495687547c7b568142f66d2
-PKG_MIRROR_HASH:=9779f6d6718a7f7cd3e28aa7feefc9b3f4b0c7a85cb58ff18afbeb6b4372177a
+PKG_SOURCE_DATE:=2020-05-23
+PKG_SOURCE_VERSION:=f1f65026a94137c91b5466b149ef3ea3f20091e9
+PKG_MIRROR_HASH:=3f6569a5e63fdfd032976ac0f79d736d3935101ac1b97fb370514b013c5e6bb6
 CMAKE_INSTALL:=1
 PKG_CHECK_FORMAT_SECURITY:=1
 PKG_USE_MIPS16:=0

package/utils/lua/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lua
 PKG_VERSION:=5.1.5
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.lua.org/ftp/ \

package/utils/lua/patches-host/013-lnum-strtoul-parsing-fixes.patch

@@ -0,0 +1,48 @@
+diff --git a/src/lnum.c b/src/lnum.c
+index 1456b6a2ed23..b0632b04c2b7 100644
+--- a/src/lnum.c
++++ b/src/lnum.c
+@@ -127,6 +127,8 @@ static int luaO_str2i (const char *s, lua_Integer *res, char **endptr_ref) {
+ #else
+       return 0;  /* Reject the number */
+ #endif
++    } else if (v > LUA_INTEGER_MAX) {
++      return TK_NUMBER;
+     }
+   } else if ((v > LUA_INTEGER_MAX) || (*endptr && (!isspace(*endptr)))) {
+     return TK_NUMBER;	/* not in signed range, or has '.', 'e' etc. trailing */
+@@ -310,3 +312,13 @@ int try_unmint( lua_Integer *r, lua_Integer ib ) {
+   return 0;
+ }
+ 
++#ifdef LONG_OVERFLOW_LUA_INTEGER
++unsigned LUA_INTEGER lua_str2ul( const char *str, char **endptr, int base ) {
++  unsigned long v= strtoul(str, endptr, base);
++  if ( v > LUA_INTEGER_MAX ) {
++    errno= ERANGE;
++    v= ULONG_MAX;
++  }
++  return (unsigned LUA_INTEGER)v;
++}
++#endif
+diff --git a/src/lnum_config.h b/src/lnum_config.h
+index 19d7a4231a49..1092eead6629 100644
+--- a/src/lnum_config.h
++++ b/src/lnum_config.h
+@@ -141,7 +141,12 @@
+ #endif
+ 
+ #ifndef lua_str2ul
+-# define lua_str2ul (unsigned LUA_INTEGER)strtoul
++# if LONG_MAX > LUA_INTEGER_MAX
++#   define LONG_OVERFLOW_LUA_INTEGER
++    unsigned LUA_INTEGER lua_str2ul( const char *str, char **endptr, int base );
++# else
++#  define lua_str2ul (unsigned LUA_INTEGER)strtoul
++# endif
+ #endif
+ #ifndef LUA_INTEGER_MIN
+ # define LUA_INTEGER_MIN (-LUA_INTEGER_MAX -1)  /* -2^16|32 */
+-- 
+1.9.1
+

package/utils/lua/patches/013-lnum-strtoul-parsing-fixes.patch

@@ -0,0 +1,41 @@
+--- a/src/lnum.c
++++ b/src/lnum.c
+@@ -127,6 +127,8 @@ static int luaO_str2i (const char *s, lu
+ #else
+       return 0;  /* Reject the number */
+ #endif
++    } else if (v > LUA_INTEGER_MAX) {
++      return TK_NUMBER;
+     }
+   } else if ((v > LUA_INTEGER_MAX) || (*endptr && (!isspace(*endptr)))) {
+     return TK_NUMBER;	/* not in signed range, or has '.', 'e' etc. trailing */
+@@ -310,3 +312,13 @@ int try_unmint( lua_Integer *r, lua_Inte
+   return 0;
+ }
+ 
++#ifdef LONG_OVERFLOW_LUA_INTEGER
++unsigned LUA_INTEGER lua_str2ul( const char *str, char **endptr, int base ) {
++  unsigned long v= strtoul(str, endptr, base);
++  if ( v > LUA_INTEGER_MAX ) {
++    errno= ERANGE;
++    v= ULONG_MAX;
++  }
++  return (unsigned LUA_INTEGER)v;
++}
++#endif
+--- a/src/lnum_config.h
++++ b/src/lnum_config.h
+@@ -141,7 +141,12 @@
+ #endif
+ 
+ #ifndef lua_str2ul
+-# define lua_str2ul (unsigned LUA_INTEGER)strtoul
++# if LONG_MAX > LUA_INTEGER_MAX
++#   define LONG_OVERFLOW_LUA_INTEGER
++    unsigned LUA_INTEGER lua_str2ul( const char *str, char **endptr, int base );
++# else
++#  define lua_str2ul (unsigned LUA_INTEGER)strtoul
++# endif
+ #endif
+ #ifndef LUA_INTEGER_MIN
+ # define LUA_INTEGER_MIN (-LUA_INTEGER_MAX -1)  /* -2^16|32 */

scripts/getver.sh

@@ -26,7 +26,7 @@ try_git() {
 	*)
 		BRANCH="$(git rev-parse --abbrev-ref HEAD)"
 		ORIGIN="$(git rev-parse --verify --symbolic-full-name ${BRANCH}@{u} 2>/dev/null)"
-		[ -n "$ORIGIN" ] || ORIGIN="$(git rev-parse --verify --symbolic-full-name master@{u} 2>/dev/null)"
+		[ -n "$ORIGIN" ] || ORIGIN="$(git rev-parse --verify --symbolic-full-name openwrt-18.06@{u} 2>/dev/null)"
 		REV="$(git rev-list ${REBOOT}..$GET_REV | wc -l | awk '{print $1}')"
 
 		if [ -n "$ORIGIN" ]; then

target/linux/apm821xx/patches-4.14/023-0007-crypto-crypto4xx-Fix-wrong-ppc4xx_trng_probe-ppc4xx_.patch

@@ -1,39 +0,0 @@
-From 6e88098ca43a3d80ae86908f7badba683c8a0d84 Mon Sep 17 00:00:00 2001
-From: Corentin Labbe <clabbe@baylibre.com>
-Date: Wed, 23 Jan 2019 11:24:18 +0000
-Subject: [PATCH 07/15] crypto: crypto4xx - Fix wrong
- ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
-
-When building without CONFIG_HW_RANDOM_PPC4XX, I hit the following build failure:
-drivers/crypto/amcc/crypto4xx_core.c: In function 'crypto4xx_probe':
-drivers/crypto/amcc/crypto4xx_core.c:1407:20: error: passing argument 1 of 'ppc4xx_trng_probe' from incompatible pointer type [-Werror=incompatible-pointer-types]
-In file included from drivers/crypto/amcc/crypto4xx_core.c:50:0:
-drivers/crypto/amcc/crypto4xx_trng.h:28:20: note: expected 'struct crypto4xx_device *' but argument is of type 'struct crypto4xx_core_device *'
-drivers/crypto/amcc/crypto4xx_core.c: In function 'crypto4xx_remove':
-drivers/crypto/amcc/crypto4xx_core.c:1434:21: error: passing argument 1 of 'ppc4xx_trng_remove' from incompatible pointer type [-Werror=incompatible-pointer-types]
-In file included from drivers/crypto/amcc/crypto4xx_core.c:50:0:
-drivers/crypto/amcc/crypto4xx_trng.h:30:20: note: expected 'struct crypto4xx_device *' but argument is of type 'struct crypto4xx_core_device *'
-
-This patch fix the needed argument of ppc4xx_trng_probe()/ppc4xx_trng_remove() in that case.
-
-Fixes: 5343e674f32f ("crypto4xx: integrate ppc4xx-rng into crypto4xx")
-Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
----
- drivers/crypto/amcc/crypto4xx_trng.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/crypto/amcc/crypto4xx_trng.h
-+++ b/drivers/crypto/amcc/crypto4xx_trng.h
-@@ -26,9 +26,9 @@ void ppc4xx_trng_probe(struct crypto4xx_
- void ppc4xx_trng_remove(struct crypto4xx_core_device *core_dev);
- #else
- static inline void ppc4xx_trng_probe(
--	struct crypto4xx_device *dev __maybe_unused) { }
-+	struct crypto4xx_core_device *dev __maybe_unused) { }
- static inline void ppc4xx_trng_remove(
--	struct crypto4xx_device *dev __maybe_unused) { }
-+	struct crypto4xx_core_device *dev __maybe_unused) { }
- #endif
- 
- #endif

target/linux/apm821xx/patches-4.14/301-fix-memory-map-wndr4700.patch

@@ -1,6 +1,6 @@
 --- a/arch/powerpc/platforms/4xx/pci.c
 +++ b/arch/powerpc/platforms/4xx/pci.c
-@@ -1905,9 +1905,9 @@ static void __init ppc4xx_configure_pcie
+@@ -1903,9 +1903,9 @@ static void __init ppc4xx_configure_pcie
  		 * if it works
  		 */
  		out_le32(mbase + PECFG_PIM0LAL, 0x00000000);

target/linux/apm821xx/patches-4.14/801-usb-xhci-add-firmware-loader-for-uPD720201-and-uPD72.patch

@@ -44,7 +44,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  
  #include "xhci.h"
  #include "xhci-trace.h"
-@@ -266,6 +268,458 @@ static void xhci_pme_acpi_rtd3_enable(st
+@@ -276,6 +278,458 @@ static void xhci_pme_acpi_rtd3_enable(st
  static void xhci_pme_acpi_rtd3_enable(struct pci_dev *dev) { }
  #endif /* CONFIG_ACPI */
  
@@ -503,7 +503,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  /* called during probe() after chip reset completes */
  static int xhci_pci_setup(struct usb_hcd *hcd)
  {
-@@ -301,6 +755,22 @@ static int xhci_pci_probe(struct pci_dev
+@@ -314,6 +768,22 @@ static int xhci_pci_probe(struct pci_dev
  	struct hc_driver *driver;
  	struct usb_hcd *hcd;
  
@@ -526,7 +526,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  	driver = (struct hc_driver *)id->driver_data;
  
  	/* For some HW implementation, a XHCI reset is just not enough... */
-@@ -365,6 +835,16 @@ static void xhci_pci_remove(struct pci_d
+@@ -375,6 +845,16 @@ static void xhci_pci_remove(struct pci_d
  {
  	struct xhci_hcd *xhci;
  

target/linux/apm821xx/patches-4.14/802-usb-xhci-force-msi-renesas-xhci.patch

@@ -13,7 +13,7 @@ produce a noisy warning.
 
 --- a/drivers/usb/host/xhci-pci.c
 +++ b/drivers/usb/host/xhci-pci.c
-@@ -219,7 +219,7 @@ static void xhci_pci_quirks(struct devic
+@@ -225,7 +225,7 @@ static void xhci_pci_quirks(struct devic
  		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
  	if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
  			pdev->device == 0x0015)

target/linux/ar7/patches-4.9/300-add-ac49x-platform.patch

@@ -46,7 +46,7 @@
  
  config ATH25
  	bool "Atheros AR231x/AR531x SoC support"
-@@ -1007,6 +1007,7 @@ config MIPS_PARAVIRT
+@@ -1008,6 +1008,7 @@ config MIPS_PARAVIRT
  endchoice
  
  source "arch/mips/alchemy/Kconfig"

target/linux/ar71xx/base-files/etc/board.d/02_network

@@ -237,6 +237,8 @@ ar71xx_setup_interfaces()
 			"0@eth1" "2:lan" "3:lan" "4:lan" "5:lan" "6@eth0" "1:wan"
 		;;
 	archer-c25-v1|\
+	archer-c60-v1|\
+	archer-c60-v2|\
 	rb-750-r2|\
 	rb-750p-pbr2|\
 	rb-750up-r2|\
@@ -253,12 +255,6 @@ ar71xx_setup_interfaces()
 		ucidef_add_switch "switch0" \
 			"0@eth1" "1:lan:1" "2:lan:4" "3:lan:3" "4:lan:2"
 		;;
-	archer-c60-v1|\
-	archer-c60-v2)
-		ucidef_set_interfaces_lan_wan "eth1.1" "eth0"
-		ucidef_add_switch "switch0" \
-			"0@eth1" "1:lan:1" "2:lan:2" "3:lan:3" "4:lan:4"
-		;;
 	arduino-yun|\
 	dir-505-a1|\
 	tl-wa801nd-v3)

target/linux/ar71xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata

@@ -178,7 +178,7 @@ case "$FIRMWARE" in
 		ath10kcal_extract "art" 20480 12064
 		ln -sf /lib/firmware/ath10k/pre-cal-pci-0000\:00\:00.0.bin \
 			/lib/firmware/ath10k/QCA9888/hw2.0/board.bin
-		ath10kcal_patch_mac $(macaddr_add $(cat /sys/class/net/eth0/address) -1)
+		ath10kcal_patch_mac $(macaddr_add $(cat /sys/class/net/eth1/address) -1)
 		;;
 	cf-e385ac)
 		ath10kcal_extract "art" 20480 12064

target/linux/ar71xx/base-files/etc/hotplug.d/ieee80211/10_fix_wifi_mac

@@ -14,8 +14,7 @@ board=$(board_name)
 case "$board" in
 	archer-c58-v1|\
 	archer-c59-v1|\
-	archer-c60-v1|\
-	archer-c60-v2)
+	archer-c60-v1)
 		echo $(macaddr_add $(mtd_get_mac_binary mac 8)  $(($PHYNBR - 1)) ) > /sys${DEVPATH}/macaddress
 		;;
 	*)

target/linux/ar71xx/base-files/lib/upgrade/platform.sh

@@ -216,6 +216,7 @@ platform_check_image() {
 	archer-c60-v2|\
 	archer-c7-v4|\
 	archer-c7-v5|\
+	arduino-yun|\
 	bullet-m|\
 	c-55|\
 	carambola2|\
@@ -343,7 +344,6 @@ platform_check_image() {
 	ap152|\
 	ap91-5g|\
 	ap96|\
-	arduino-yun|\
 	bhr-4grv2|\
 	bxu2000n-2-a1|\
 	db120|\

target/linux/ar71xx/files/arch/mips/ath79/mach-archer-c60-v1.c

@@ -157,8 +157,8 @@ static void __init archer_c60_v1_setup(void)
 	ath79_register_mdio(0, 0x0);
 	ath79_register_mdio(1, 0x0);
 
-	ath79_init_mac(ath79_eth0_data.mac_addr, mac, 0);
-	ath79_init_mac(ath79_eth1_data.mac_addr, mac, 1);
+	ath79_init_mac(ath79_eth1_data.mac_addr, mac, 0);
+	ath79_init_mac(ath79_eth0_data.mac_addr, mac, 1);
 
 	/* WAN port */
 	ath79_eth0_data.phy_if_mode = PHY_INTERFACE_MODE_MII;
@@ -199,8 +199,8 @@ static void __init archer_c60_v2_setup(void)
 	ath79_register_mdio(0, 0x0);
 	ath79_register_mdio(1, 0x0);
 
-	ath79_init_mac(ath79_eth0_data.mac_addr, mac, 0);
-	ath79_init_mac(ath79_eth1_data.mac_addr, mac, 1);
+	ath79_init_mac(ath79_eth1_data.mac_addr, mac, 0);
+	ath79_init_mac(ath79_eth0_data.mac_addr, mac, 1);
 
 	/* WAN port */
 	ath79_eth0_data.phy_if_mode = PHY_INTERFACE_MODE_MII;

target/linux/ar71xx/files/arch/mips/ath79/mach-arduino-yun.c

@@ -117,8 +117,7 @@ static void __init ds_setup(void)
 	ath79_gpio_function_disable(AR933X_GPIO_FUNC_ETH_SWITCH_LED0_EN |
 								AR933X_GPIO_FUNC_ETH_SWITCH_LED1_EN |
 								AR933X_GPIO_FUNC_ETH_SWITCH_LED2_EN |
-								AR933X_GPIO_FUNC_ETH_SWITCH_LED3_EN |
-								AR933X_GPIO_FUNC_ETH_SWITCH_LED4_EN);
+								AR933X_GPIO_FUNC_ETH_SWITCH_LED3_EN);
 
 	//Disable the Function for some pins to have GPIO functionality active
 	// GPIO6-7-8 and GPIO11

target/linux/ar71xx/files/arch/mips/ath79/mach-ew-dorin.c

@@ -47,7 +47,7 @@ static struct gpio_keys_button dorin_gpio_keys[] __initdata = {
 		.code		= KEY_WPS_BUTTON,
 		.debounce_interval = DORIN_KEYS_DEBOUNCE_INTERVAL,
 		.gpio		= DORIN_GPIO_BTN_JUMPSTART,
-		.active_low	= 1,
+		.active_low	= 0,
 	},
 	{
 		.desc		= "reset button",

target/linux/ar71xx/files/arch/mips/ath79/mach-nbg6716.c

@@ -198,11 +198,11 @@ static struct gpio_keys_button nbg6616_gpio_keys[] __initdata = {
 	},
 	{
 		.desc		= "RFKILL button",
-		.type		= EV_KEY,
+		.type		= EV_SW,
 		.code		= KEY_RFKILL,
 		.debounce_interval = NBG6716_KEYS_DEBOUNCE_INTERVAL,
 		.gpio		= NBG6716_GPIO_BTN_RFKILL,
-		.active_low	= 1,
+		.active_low	= 0,
 	},
 	{
 		.desc		= "WPS button",

target/linux/ar71xx/files/arch/mips/ath79/routerboot.c

@@ -206,10 +206,7 @@ __rb_get_wlan_data(u16 id)
 		u8 *erd_data;
 		u16 erd_len;
 
-		if (id == 0)
-			goto err_free;
-
-		err = routerboot_find_tag(tag, tag_len, id,
+		err = routerboot_find_tag(tag, tag_len, 0x1,
 					  &erd_data, &erd_len);
 		if (err) {
 			pr_err("no ERD data found for id %u\n", id);
@@ -224,9 +221,6 @@ __rb_get_wlan_data(u16 id)
 			goto err_free;
 		}
 	} else {
-		if (id != 0)
-			goto err_free;
-
 		err = rle_decode((char *) tag, tag_len, buf, RB_ART_SIZE,
 				 &src_done, &dst_done);
 		if (err) {

target/linux/ar71xx/files/drivers/mtd/nand/ar934x_nfc.c

@@ -1562,7 +1562,7 @@ ar934x_nfc_remove(struct platform_device *pdev)
 	nfc = platform_get_drvdata(pdev);
 	if (nfc) {
 		mtd = ar934x_nfc_to_mtd(nfc);
-		nand_release(mtd);
+		nand_release(&nfc->nand_chip);
 		ar934x_nfc_free_buf(nfc);
 		free_irq(nfc->irq, nfc);
 	}

target/linux/ar71xx/files/drivers/mtd/nand/rb4xx_nand.c

@@ -331,7 +331,7 @@ static int rb4xx_nand_probe(struct platform_device *pdev)
 	return 0;
 
 err_release_nand:
-	nand_release(mtd);
+	nand_release(&info->chip);
 err_set_drvdata:
 	platform_set_drvdata(pdev, NULL);
 err_free_info:
@@ -352,7 +352,7 @@ static int rb4xx_nand_remove(struct platform_device *pdev)
 {
 	struct rb4xx_nand_info *info = platform_get_drvdata(pdev);
 
-	nand_release(rbinfo_to_mtd(info));
+	nand_release(&info->chip);
 	platform_set_drvdata(pdev, NULL);
 	kfree(info);
 	gpio_free(RB4XX_NAND_GPIO_NCE);

target/linux/ar71xx/files/drivers/mtd/nand/rb750_nand.c

@@ -389,7 +389,7 @@ static int rb750_nand_probe(struct platform_device *pdev)
 	return 0;
 
 err_release_nand:
-	nand_release(mtd);
+	nand_release(&info->chip);
 err_set_drvdata:
 	platform_set_drvdata(pdev, NULL);
 err_free_info:
@@ -401,7 +401,7 @@ static int rb750_nand_remove(struct platform_device *pdev)
 {
 	struct rb750_nand_info *info = platform_get_drvdata(pdev);
 
-	nand_release(rbinfo_to_mtd(info));
+	nand_release(&info->chip);
 	platform_set_drvdata(pdev, NULL);
 	kfree(info);
 

target/linux/ar71xx/files/drivers/mtd/nand/rb91x_nand.c

@@ -430,7 +430,7 @@ static int rb91x_nand_probe(struct platform_device *pdev)
 	return 0;
 
 err_release_nand:
-	nand_release(mtd);
+	nand_release(&rbni->chip);
 	return ret;
 }
 
@@ -438,7 +438,7 @@ static int rb91x_nand_remove(struct platform_device *pdev)
 {
 	struct rb91x_nand_info *info = platform_get_drvdata(pdev);
 
-	nand_release(rbinfo_to_mtd(info));
+	nand_release(&info->chip);
 
 	return 0;
 }

target/linux/ar71xx/image/generic.mk

@@ -1084,7 +1084,7 @@ define Device/NBG6616
   BOARDNAME := NBG6616
   KERNEL_SIZE := 2048k
   IMAGE_SIZE := 15323k
-  MTDPARTS := spi0.0:192k(u-boot)ro,64k(env)ro,64k(RFdata)ro,384k(zyxel_rfsd),384k(romd),64k(header),2048k(kernel),13184k(rootfs),15232k@0x120000(firmware)
+  MTDPARTS := spi0.0:192k(u-boot)ro,64k(env),64k(RFdata)ro,384k(zyxel_rfsd),384k(romd),64k(header),2048k(kernel),13184k(rootfs),15232k@0x120000(firmware)
   CMDLINE += mem=128M
   IMAGES := sysupgrade.bin
   KERNEL := kernel-bin | patch-cmdline | lzma | uImage lzma | jffs2 boot/vmlinux.lzma.uImage

target/linux/ar71xx/patches-4.9/403-mtd_fix_cfi_cmdset_0002_status_check.patch

@@ -1,6 +1,6 @@
 --- a/drivers/mtd/chips/cfi_cmdset_0002.c
 +++ b/drivers/mtd/chips/cfi_cmdset_0002.c
-@@ -1637,7 +1637,7 @@ static int __xipram do_write_oneword(str
+@@ -1636,7 +1636,7 @@ static int __xipram do_write_oneword(str
  		}
  
  		if (chip_good(map, adr, datum))
@@ -9,7 +9,7 @@
  
  		/* Latency issues. Drop the lock, wait a while and retry */
  		UDELAY(map, chip, adr, 1);
-@@ -1654,6 +1654,8 @@ static int __xipram do_write_oneword(str
+@@ -1653,6 +1653,8 @@ static int __xipram do_write_oneword(str
  			goto retry;
  		}
  	}
@@ -18,7 +18,7 @@
  	xip_enable(map, chip, adr);
   op_done:
  	if (mode == FL_OTP_WRITE)
-@@ -2232,7 +2234,6 @@ static int cfi_amdstd_panic_write(struct
+@@ -2235,7 +2237,6 @@ static int cfi_amdstd_panic_write(struct
  	return 0;
  }
  
@@ -26,7 +26,7 @@
  /*
   * Handle devices with one erase region, that only implement
   * the chip erase command.
-@@ -2300,7 +2301,7 @@ static int __xipram do_erase_chip(struct
+@@ -2303,7 +2304,7 @@ static int __xipram do_erase_chip(struct
  		}
  
  		if (chip_good(map, adr, map_word_ff(map)))
@@ -35,7 +35,7 @@
  
  		if (time_after(jiffies, timeo)) {
  			printk(KERN_WARNING "MTD %s(): software timeout\n",
-@@ -2324,6 +2325,7 @@ static int __xipram do_erase_chip(struct
+@@ -2327,6 +2328,7 @@ static int __xipram do_erase_chip(struct
  		}
  	}
  
@@ -43,7 +43,7 @@
  	chip->state = FL_READY;
  	xip_enable(map, chip, adr);
  	DISABLE_VPP(map);
-@@ -2397,7 +2399,7 @@ static int __xipram do_erase_oneblock(st
+@@ -2400,7 +2402,7 @@ static int __xipram do_erase_oneblock(st
  
  		if (chip_good(map, adr, map_word_ff(map))) {
  			xip_enable(map, chip, adr);
@@ -52,7 +52,7 @@
  		}
  
  		if (time_after(jiffies, timeo)) {
-@@ -2423,6 +2425,7 @@ static int __xipram do_erase_oneblock(st
+@@ -2426,6 +2428,7 @@ static int __xipram do_erase_oneblock(st
  		}
  	}
  

target/linux/ar71xx/patches-4.9/411-mtd-cfi_cmdset_0002-force-word-write.patch

@@ -35,7 +35,7 @@
  
  /* Atmel chips don't use the same PRI format as AMD chips */
  static void fixup_convert_atmel_pri(struct mtd_info *mtd)
-@@ -1796,6 +1800,7 @@ static int cfi_amdstd_write_words(struct
+@@ -1795,6 +1799,7 @@ static int cfi_amdstd_write_words(struct
  /*
   * FIXME: interleaved mode not tested, and probably not supported!
   */
@@ -43,7 +43,7 @@
  static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
  				    unsigned long adr, const u_char *buf,
  				    int len)
-@@ -1924,7 +1929,6 @@ static int __xipram do_write_buffer(stru
+@@ -1927,7 +1932,6 @@ static int __xipram do_write_buffer(stru
  	return ret;
  }
  
@@ -51,7 +51,7 @@
  static int cfi_amdstd_write_buffers(struct mtd_info *mtd, loff_t to, size_t len,
  				    size_t *retlen, const u_char *buf)
  {
-@@ -1999,6 +2003,7 @@ static int cfi_amdstd_write_buffers(stru
+@@ -2002,6 +2006,7 @@ static int cfi_amdstd_write_buffers(stru
  
  	return 0;
  }

target/linux/ar71xx/patches-4.9/450-gpio-nxp-74hc153-gpio-chip-driver.patch

@@ -1,6 +1,6 @@
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1214,4 +1214,12 @@ config GPIO_VIPERBOARD
+@@ -1215,4 +1215,12 @@ config GPIO_VIPERBOARD
  
  endmenu
  

target/linux/ar71xx/patches-4.9/451-gpio-74x164-improve-platform-device-support.patch

@@ -109,7 +109,7 @@
 +#endif
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1155,7 +1155,6 @@ menu "SPI GPIO expanders"
+@@ -1156,7 +1156,6 @@ menu "SPI GPIO expanders"
  
  config GPIO_74X164
  	tristate "74x164 serial-in/parallel-out 8-bits shift register"

target/linux/ar71xx/patches-4.9/452-gpio-add-gpio-latch-driver.patch

@@ -1,6 +1,6 @@
 --- a/drivers/gpio/Kconfig
 +++ b/drivers/gpio/Kconfig
-@@ -1221,4 +1221,9 @@ config GPIO_NXP_74HC153
+@@ -1222,4 +1222,9 @@ config GPIO_NXP_74HC153
  	  Platform driver for NXP 74HC153 Dual 4-input Multiplexer. This
  	  provides a GPIO interface supporting input mode only.
  

target/linux/ar71xx/patches-4.9/490-usb-ehci-add-quirks-for-qca-socs.patch

@@ -1,6 +1,6 @@
 --- a/drivers/usb/host/ehci-hcd.c
 +++ b/drivers/usb/host/ehci-hcd.c
-@@ -252,6 +252,37 @@ int ehci_reset(struct ehci_hcd *ehci)
+@@ -253,6 +253,37 @@ int ehci_reset(struct ehci_hcd *ehci)
  	command |= CMD_RESET;
  	dbg_cmd (ehci, "reset", command);
  	ehci_writel(ehci, command, &ehci->regs->command);

target/linux/ar71xx/patches-4.9/500-MIPS-fw-myloader.patch

@@ -10,7 +10,7 @@
  
 --- a/arch/mips/Kconfig
 +++ b/arch/mips/Kconfig
-@@ -1152,6 +1152,9 @@ config MIPS_MSC
+@@ -1153,6 +1153,9 @@ config MIPS_MSC
  config MIPS_NILE4
  	bool
  

target/linux/ar71xx/patches-4.9/910-unaligned_access_hacks.patch

@@ -267,7 +267,7 @@
  		case IPV6_2292HOPOPTS:
 --- a/net/ipv6/ip6_gre.c
 +++ b/net/ipv6/ip6_gre.c
-@@ -397,7 +397,7 @@ static void ip6gre_err(struct sk_buff *s
+@@ -400,7 +400,7 @@ static void ip6gre_err(struct sk_buff *s
  		return;
  	ipv6h = (const struct ipv6hdr *)skb->data;
  	greh = (const struct gre_base_hdr *)(skb->data + offset);
@@ -316,7 +316,7 @@
  	for (p = *head; p; p = p->next) {
 --- a/net/ipv4/route.c
 +++ b/net/ipv4/route.c
-@@ -461,7 +461,7 @@ static struct neighbour *ipv4_neigh_look
+@@ -460,7 +460,7 @@ static struct neighbour *ipv4_neigh_look
  	else if (skb)
  		pkey = &ip_hdr(skb)->daddr;
  
@@ -795,7 +795,7 @@
  
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
-@@ -3934,14 +3934,16 @@ static bool tcp_parse_aligned_timestamp(
+@@ -3935,14 +3935,16 @@ static bool tcp_parse_aligned_timestamp(
  {
  	const __be32 *ptr = (const __be32 *)(th + 1);
  
@@ -869,7 +869,7 @@
   * No flags defined yet.
 --- a/net/core/utils.c
 +++ b/net/core/utils.c
-@@ -321,8 +321,14 @@ void inet_proto_csum_replace16(__sum16 *
+@@ -338,8 +338,14 @@ void inet_proto_csum_replace16(__sum16 *
  			       bool pseudohdr)
  {
  	__be32 diff[] = {
@@ -888,7 +888,7 @@
  		*sum = csum_fold(csum_partial(diff, sizeof(diff),
 --- a/drivers/net/vxlan.c
 +++ b/drivers/net/vxlan.c
-@@ -1800,15 +1800,15 @@ static int vxlan_build_skb(struct sk_buf
+@@ -1808,15 +1808,15 @@ static int vxlan_build_skb(struct sk_buf
  		goto out_free;
  
  	vxh = (struct vxlanhdr *) __skb_push(skb, sizeof(*vxh));

target/linux/armvirt/config-4.14

@@ -39,6 +39,7 @@ CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_RNG2=y
 CONFIG_CRYPTO_WORKQUEUE=y
 CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_DMADEVICES=y
 CONFIG_DTC=y
 CONFIG_EDAC_SUPPORT=y
 CONFIG_EXT4_FS=y

target/linux/ath25/patches-4.14/130-watchdog.patch

@@ -212,7 +212,7 @@
 +MODULE_ALIAS("platform:" DRIVER_NAME);
 --- a/drivers/watchdog/Kconfig
 +++ b/drivers/watchdog/Kconfig
-@@ -1646,6 +1646,13 @@ config PIC32_DMT
+@@ -1647,6 +1647,13 @@ config PIC32_DMT
  	  To compile this driver as a loadable module, choose M here.
  	  The module will be called pic32-dmt.
  

target/linux/bcm53xx/patches-4.14/400-mtd-spi-nor-detect-JEDEC-incompatible-w25q128-using-.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/mtd/spi-nor/spi-nor.c
 +++ b/drivers/mtd/spi-nor/spi-nor.c
-@@ -1220,6 +1220,18 @@ static const struct flash_info *spi_nor_
+@@ -1225,6 +1225,18 @@ static const struct flash_info *spi_nor_
  	}
  	dev_err(nor->dev, "unrecognized JEDEC id bytes: %02x, %02x, %02x\n",
  		id[0], id[1], id[2]);

target/linux/brcm2708/patches-4.9/950-0001-smsx95xx-fix-crimes-against-truesize.patch

@@ -25,7 +25,7 @@ Signed-off-by: Steve Glendinning <steve.glendinning@smsc.com>
  static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
  					    u32 *data, int in_pm)
  {
-@@ -1961,7 +1965,8 @@ static int smsc95xx_rx_fixup(struct usbn
+@@ -1968,7 +1972,8 @@ static int smsc95xx_rx_fixup(struct usbn
  				if (dev->net->features & NETIF_F_RXCSUM)
  					smsc95xx_rx_csum_offload(skb);
  				skb_trim(skb, skb->len - 4); /* remove fcs */
@@ -35,7 +35,7 @@ Signed-off-by: Steve Glendinning <steve.glendinning@smsc.com>
  
  				return 1;
  			}
-@@ -1979,7 +1984,8 @@ static int smsc95xx_rx_fixup(struct usbn
+@@ -1986,7 +1991,8 @@ static int smsc95xx_rx_fixup(struct usbn
  			if (dev->net->features & NETIF_F_RXCSUM)
  				smsc95xx_rx_csum_offload(ax_skb);
  			skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */

target/linux/brcm2708/patches-4.9/950-0010-serial-8250-Don-t-crash-when-nr_uarts-is-0.patch

@@ -9,7 +9,7 @@ Subject: [PATCH] serial: 8250: Don't crash when nr_uarts is 0
 
 --- a/drivers/tty/serial/8250/8250_core.c
 +++ b/drivers/tty/serial/8250/8250_core.c
-@@ -509,6 +509,8 @@ static void __init serial8250_isa_init_p
+@@ -508,6 +508,8 @@ static void __init serial8250_isa_init_p
  
  	if (nr_uarts > UART_NR)
  		nr_uarts = UART_NR;

target/linux/brcm2708/patches-4.9/950-0021-clk-bcm2835-Mark-GPIO-clocks-enabled-at-boot-as-crit.patch

@@ -19,7 +19,7 @@ Signed-off-by: Eric Anholt <eric@anholt.net>
 
 --- a/drivers/clk/bcm/clk-bcm2835.c
 +++ b/drivers/clk/bcm/clk-bcm2835.c
-@@ -1268,6 +1268,15 @@ static struct clk_hw *bcm2835_register_c
+@@ -1270,6 +1270,15 @@ static struct clk_hw *bcm2835_register_c
  	init.name = data->name;
  	init.flags = data->flags | CLK_IGNORE_UNUSED;
  

target/linux/brcm2708/patches-4.9/950-0026-Register-the-clocks-early-during-the-boot-process.patch

@@ -13,7 +13,7 @@ Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
 
 --- a/drivers/clk/bcm/clk-bcm2835.c
 +++ b/drivers/clk/bcm/clk-bcm2835.c
-@@ -1909,8 +1909,15 @@ static int bcm2835_clk_probe(struct plat
+@@ -1911,8 +1911,15 @@ static int bcm2835_clk_probe(struct plat
  	if (ret)
  		return ret;
  
@@ -30,7 +30,7 @@ Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
  }
  
  static const struct of_device_id bcm2835_clk_of_match[] = {
-@@ -1927,7 +1934,11 @@ static struct platform_driver bcm2835_cl
+@@ -1929,7 +1936,11 @@ static struct platform_driver bcm2835_cl
  	.probe          = bcm2835_clk_probe,
  };
  

target/linux/brcm2708/patches-4.9/950-0028-kbuild-Ignore-dtco-targets-when-filtering-symbols.patch

@@ -9,7 +9,7 @@ Subject: [PATCH] kbuild: Ignore dtco targets when filtering symbols
 
 --- a/scripts/Kbuild.include
 +++ b/scripts/Kbuild.include
-@@ -294,7 +294,7 @@ ksym_dep_filter =
+@@ -295,7 +295,7 @@ ksym_dep_filter =
  	    $(CPP) $(call flags_nodeps,c_flags) -D__KSYM_DEPS__ $< ;;        \
  	  as_*_S|cpp_s_S)                                                    \
  	    $(CPP) $(call flags_nodeps,a_flags) -D__KSYM_DEPS__ $< ;;        \

target/linux/brcm2708/patches-4.9/950-0031-Add-dwc_otg-driver.patch

@@ -696,7 +696,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  }
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
-@@ -5096,7 +5096,7 @@ static void port_event(struct usb_hub *h
+@@ -5109,7 +5109,7 @@ static void port_event(struct usb_hub *h
  	if (portchange & USB_PORT_STAT_C_OVERCURRENT) {
  		u16 status = 0, unused;
  

target/linux/brcm2708/patches-4.9/950-0044-Add-SMI-NAND-driver.patch

@@ -312,7 +312,7 @@ Signed-off-by: Luke Wren <wren6991@gmail.com>
 +	if (!ret)
 +		return 0;
 +
-+	nand_release(mtd);
++	nand_release(this);
 +	return -EINVAL;
 +}
 +
@@ -320,7 +320,7 @@ Signed-off-by: Luke Wren <wren6991@gmail.com>
 +{
 +	struct bcm2835_smi_nand_host *host = platform_get_drvdata(pdev);
 +
-+	nand_release(&host->mtd);
++	nand_release(&host->nand_chip);
 +
 +	return 0;
 +}

target/linux/brcm2708/patches-4.9/950-0053-scripts-dtc-Update-to-upstream-version-1.4.1.patch

@@ -174,7 +174,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
 --- a/scripts/dtc/dtc-lexer.l
 +++ b/scripts/dtc/dtc-lexer.l
-@@ -121,6 +121,11 @@ static void lexical_error(const char *fm
+@@ -120,6 +120,11 @@ static void lexical_error(const char *fm
  			return DT_V1;
  		}
  
@@ -629,7 +629,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
      } ;
  
  static yy_state_type yy_last_accepting_state;
-@@ -662,7 +664,7 @@ static int dts_version = 1;
+@@ -661,7 +663,7 @@ static int dts_version = 1;
  static void push_input_file(const char *filename);
  static bool pop_input_file(void);
  static void lexical_error(const char *fmt, ...);
@@ -638,7 +638,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  #define INITIAL 0
  #define BYTESTRING 1
-@@ -704,7 +706,7 @@ FILE *yyget_out (void );
+@@ -703,7 +705,7 @@ FILE *yyget_out (void );
  
  void yyset_out  (FILE * out_str  );
  
@@ -647,7 +647,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  char *yyget_text (void );
  
-@@ -853,6 +855,10 @@ YY_DECL
+@@ -852,6 +854,10 @@ YY_DECL
  	register char *yy_cp, *yy_bp;
  	register int yy_act;
      
@@ -658,7 +658,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  	if ( !(yy_init) )
  		{
  		(yy_init) = 1;
-@@ -879,11 +885,6 @@ YY_DECL
+@@ -878,11 +884,6 @@ YY_DECL
  		yy_load_buffer_state( );
  		}
  
@@ -670,7 +670,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  	while ( 1 )		/* loops until end-of-file is reached */
  		{
  		yy_cp = (yy_c_buf_p);
-@@ -901,7 +902,7 @@ YY_DECL
+@@ -900,7 +901,7 @@ YY_DECL
  yy_match:
  		do
  			{
@@ -679,7 +679,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  			if ( yy_accept[yy_current_state] )
  				{
  				(yy_last_accepting_state) = yy_current_state;
-@@ -910,13 +911,13 @@ yy_match:
+@@ -909,13 +910,13 @@ yy_match:
  			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
  				{
  				yy_current_state = (int) yy_def[yy_current_state];
@@ -695,7 +695,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  		yy_cp = (yy_last_accepting_cpos);
  		yy_current_state = (yy_last_accepting_state);
  
-@@ -951,39 +952,31 @@ case 2:
+@@ -950,39 +951,31 @@ case 2:
  YY_RULE_SETUP
  #line 75 "dtc-lexer.l"
  {
@@ -749,7 +749,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			if (!pop_input_file()) {
  				yyterminate();
-@@ -993,7 +986,7 @@ case YY_STATE_EOF(V1):
+@@ -992,7 +985,7 @@ case YY_STATE_EOF(V1):
  case 3:
  /* rule 3 can match eol */
  YY_RULE_SETUP
@@ -758,7 +758,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("String: %s\n", yytext);
  			yylval.data = data_copy_escape_string(yytext+1,
-@@ -1003,7 +996,7 @@ YY_RULE_SETUP
+@@ -1002,7 +995,7 @@ YY_RULE_SETUP
  	YY_BREAK
  case 4:
  YY_RULE_SETUP
@@ -767,7 +767,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("Keyword: /dts-v1/\n");
  			dts_version = 1;
-@@ -1013,25 +1006,33 @@ YY_RULE_SETUP
+@@ -1012,25 +1005,33 @@ YY_RULE_SETUP
  	YY_BREAK
  case 5:
  YY_RULE_SETUP
@@ -806,7 +806,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("Keyword: /delete-property/\n");
  			DPRINT("<PROPNODENAME>\n");
-@@ -1039,9 +1040,9 @@ YY_RULE_SETUP
+@@ -1038,9 +1039,9 @@ YY_RULE_SETUP
  			return DT_DEL_PROP;
  		}
  	YY_BREAK
@@ -818,7 +818,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("Keyword: /delete-node/\n");
  			DPRINT("<PROPNODENAME>\n");
-@@ -1049,9 +1050,9 @@ YY_RULE_SETUP
+@@ -1048,9 +1049,9 @@ YY_RULE_SETUP
  			return DT_DEL_NODE;
  		}
  	YY_BREAK
@@ -830,7 +830,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("Label: %s\n", yytext);
  			yylval.labelref = xstrdup(yytext);
-@@ -1059,9 +1060,9 @@ YY_RULE_SETUP
+@@ -1058,9 +1059,9 @@ YY_RULE_SETUP
  			return DT_LABEL;
  		}
  	YY_BREAK
@@ -842,7 +842,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			char *e;
  			DPRINT("Integer Literal: '%s'\n", yytext);
-@@ -1069,10 +1070,7 @@ YY_RULE_SETUP
+@@ -1068,10 +1069,7 @@ YY_RULE_SETUP
  			errno = 0;
  			yylval.integer = strtoull(yytext, &e, 0);
  
@@ -854,7 +854,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  			if (errno == ERANGE)
  				lexical_error("Integer literal '%s' out of range",
-@@ -1084,10 +1082,10 @@ YY_RULE_SETUP
+@@ -1083,10 +1081,10 @@ YY_RULE_SETUP
  			return DT_LITERAL;
  		}
  	YY_BREAK
@@ -868,7 +868,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			struct data d;
  			DPRINT("Character literal: %s\n", yytext);
-@@ -1109,18 +1107,18 @@ YY_RULE_SETUP
+@@ -1108,18 +1106,18 @@ YY_RULE_SETUP
  			return DT_CHAR_LITERAL;
  		}
  	YY_BREAK
@@ -891,7 +891,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {	/* new-style path reference */
  			yytext[yyleng-1] = '\0';
  			DPRINT("Ref: %s\n", yytext+2);
-@@ -1128,27 +1126,27 @@ YY_RULE_SETUP
+@@ -1127,27 +1125,27 @@ YY_RULE_SETUP
  			return DT_REF;
  		}
  	YY_BREAK
@@ -925,7 +925,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("PropNodeName: %s\n", yytext);
  			yylval.propnodename = xstrdup((yytext[0] == '\\') ?
-@@ -1157,75 +1155,75 @@ YY_RULE_SETUP
+@@ -1156,75 +1154,75 @@ YY_RULE_SETUP
  			return DT_PROPNODENAME;
  		}
  	YY_BREAK
@@ -1030,7 +1030,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
  			DPRINT("Char: %c (\\x%02x)\n", yytext[0],
  				(unsigned)yytext[0]);
-@@ -1241,12 +1239,12 @@ YY_RULE_SETUP
+@@ -1240,12 +1238,12 @@ YY_RULE_SETUP
  			return yytext[0];
  		}
  	YY_BREAK
@@ -1046,7 +1046,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  	case YY_END_OF_BUFFER:
  		{
-@@ -1376,7 +1374,6 @@ ECHO;
+@@ -1375,7 +1373,6 @@ ECHO;
  			"fatal flex scanner internal error--no action found" );
  	} /* end of action switch */
  		} /* end of scanning one token */
@@ -1054,7 +1054,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  } /* end of yylex */
  
  /* yy_get_next_buffer - try to read in a new buffer
-@@ -1432,21 +1429,21 @@ static int yy_get_next_buffer (void)
+@@ -1431,21 +1428,21 @@ static int yy_get_next_buffer (void)
  
  	else
  		{
@@ -1079,7 +1079,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  				if ( new_size <= 0 )
  					b->yy_buf_size += b->yy_buf_size / 8;
-@@ -1477,7 +1474,7 @@ static int yy_get_next_buffer (void)
+@@ -1476,7 +1473,7 @@ static int yy_get_next_buffer (void)
  
  		/* Read in more data. */
  		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
@@ -1088,7 +1088,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  
  		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
  		}
-@@ -1539,7 +1536,7 @@ static int yy_get_next_buffer (void)
+@@ -1538,7 +1535,7 @@ static int yy_get_next_buffer (void)
  		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
  			{
  			yy_current_state = (int) yy_def[yy_current_state];
@@ -1097,7 +1097,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  				yy_c = yy_meta[(unsigned int) yy_c];
  			}
  		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-@@ -1567,13 +1564,13 @@ static int yy_get_next_buffer (void)
+@@ -1566,13 +1563,13 @@ static int yy_get_next_buffer (void)
  	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
  		{
  		yy_current_state = (int) yy_def[yy_current_state];
@@ -1114,7 +1114,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  }
  
  #ifndef YY_NO_INPUT
-@@ -1600,7 +1597,7 @@ static int yy_get_next_buffer (void)
+@@ -1599,7 +1596,7 @@ static int yy_get_next_buffer (void)
  
  		else
  			{ /* need more input */
@@ -1123,7 +1123,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  			++(yy_c_buf_p);
  
  			switch ( yy_get_next_buffer(  ) )
-@@ -1874,7 +1871,7 @@ void yypop_buffer_state (void)
+@@ -1873,7 +1870,7 @@ void yypop_buffer_state (void)
   */
  static void yyensure_buffer_stack (void)
  {
@@ -1132,7 +1132,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
      
  	if (!(yy_buffer_stack)) {
  
-@@ -1971,12 +1968,12 @@ YY_BUFFER_STATE yy_scan_string (yyconst
+@@ -1970,12 +1967,12 @@ YY_BUFFER_STATE yy_scan_string (yyconst
   * 
   * @return the newly allocated buffer state object.
   */
@@ -1147,7 +1147,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
      
  	/* Get memory for full buffer, including space for trailing EOB's. */
  	n = _yybytes_len + 2;
-@@ -2058,7 +2055,7 @@ FILE *yyget_out  (void)
+@@ -2057,7 +2054,7 @@ FILE *yyget_out  (void)
  /** Get the length of the current token.
   * 
   */
@@ -1156,7 +1156,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  {
          return yyleng;
  }
-@@ -2206,7 +2203,7 @@ void yyfree (void * ptr )
+@@ -2205,7 +2202,7 @@ void yyfree (void * ptr )
  
  #define YYTABLES_NAME "yytables"
  

target/linux/brcm2708/patches-4.9/950-0063-Improve-__copy_to_user-and-__copy_from_user-performa.patch

@@ -279,7 +279,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
 -ENDPROC(arm_copy_from_user)
 +ENDPROC(__copy_from_user_std)
  
- 	.pushsection .fixup,"ax"
+ 	.pushsection .text.fixup,"ax"
  	.align 0
 --- /dev/null
 +++ b/arch/arm/lib/exports_rpi.c

target/linux/brcm2708/patches-4.9/950-0087-amba_pl011-Don-t-use-DT-aliases-for-numbering.patch

@@ -14,7 +14,7 @@ use the same logic.
 
 --- a/drivers/tty/serial/amba-pl011.c
 +++ b/drivers/tty/serial/amba-pl011.c
-@@ -2515,7 +2515,12 @@ static int pl011_setup_port(struct devic
+@@ -2514,7 +2514,12 @@ static int pl011_setup_port(struct devic
  	if (IS_ERR(base))
  		return PTR_ERR(base);
  

target/linux/brcm2708/patches-4.9/950-0090-OF-DT-Overlay-configfs-interface.patch

@@ -88,8 +88,8 @@ Signed-off-by: Slawomir Stepien <sst@poczta.fm>
 +make sense for developers (since it avoids problems with namespaces).
 --- a/drivers/of/Kconfig
 +++ b/drivers/of/Kconfig
-@@ -112,4 +112,11 @@ config OF_OVERLAY
- config OF_NUMA
+@@ -116,4 +116,11 @@ config OF_DMA_DEFAULT_COHERENT
+ 	# arches should select this if DMA is coherent by default for OF devices
  	bool
  
 +config OF_CONFIGFS

target/linux/brcm2708/patches-4.9/950-0152-clk-bcm-Support-rate-change-propagation-on-bcm2835-c.patch

@@ -108,7 +108,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  		if (rate > best_rate && rate <= req->rate) {
  			best_parent = parent;
  			best_prate = prate;
-@@ -1277,6 +1329,13 @@ static struct clk_hw *bcm2835_register_c
+@@ -1279,6 +1331,13 @@ static struct clk_hw *bcm2835_register_c
  	if ((cprman_read(cprman, data->ctl_reg) & CM_ENABLE) == 0)
  		init.flags &= ~CLK_IS_CRITICAL;
  

target/linux/brcm2708/patches-4.9/950-0153-clk-bcm-Allow-rate-change-propagation-to-PLLH_AUX-on.patch

@@ -19,7 +19,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
 
 --- a/drivers/clk/bcm/clk-bcm2835.c
 +++ b/drivers/clk/bcm/clk-bcm2835.c
-@@ -1876,7 +1876,12 @@ static const struct bcm2835_clk_desc clk
+@@ -1878,7 +1878,12 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_VECCTL,
  		.div_reg = CM_VECDIV,
  		.int_bits = 4,

target/linux/brcm2708/patches-4.9/950-0155-clk-bcm2835-Don-t-rate-change-PLLs-on-behalf-of-DSI-.patch

@@ -31,7 +31,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  };
  
  struct bcm2835_clock_data {
-@@ -1258,7 +1259,7 @@ bcm2835_register_pll_divider(struct bcm2
+@@ -1260,7 +1261,7 @@ bcm2835_register_pll_divider(struct bcm2
  	init.num_parents = 1;
  	init.name = divider_name;
  	init.ops = &bcm2835_pll_divider_clk_ops;
@@ -40,7 +40,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	divider = devm_kzalloc(cprman->dev, sizeof(*divider), GFP_KERNEL);
  	if (!divider)
-@@ -1481,7 +1482,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1483,7 +1484,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLA_CORE,
  		.load_mask = CM_PLLA_LOADCORE,
  		.hold_mask = CM_PLLA_HOLDCORE,
@@ -50,7 +50,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLA_PER]	= REGISTER_PLL_DIV(
  		.name = "plla_per",
  		.source_pll = "plla",
-@@ -1489,7 +1491,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1491,7 +1493,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLA_PER,
  		.load_mask = CM_PLLA_LOADPER,
  		.hold_mask = CM_PLLA_HOLDPER,
@@ -60,7 +60,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLA_DSI0]	= REGISTER_PLL_DIV(
  		.name = "plla_dsi0",
  		.source_pll = "plla",
-@@ -1505,7 +1508,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1507,7 +1510,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLA_CCP2,
  		.load_mask = CM_PLLA_LOADCCP2,
  		.hold_mask = CM_PLLA_HOLDCCP2,
@@ -70,7 +70,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* PLLB is used for the ARM's clock. */
  	[BCM2835_PLLB]		= REGISTER_PLL(
-@@ -1529,7 +1533,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1531,7 +1535,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLB_ARM,
  		.load_mask = CM_PLLB_LOADARM,
  		.hold_mask = CM_PLLB_HOLDARM,
@@ -80,7 +80,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/*
  	 * PLLC is the core PLL, used to drive the core VPU clock.
-@@ -1558,7 +1563,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1560,7 +1565,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLC_CORE0,
  		.load_mask = CM_PLLC_LOADCORE0,
  		.hold_mask = CM_PLLC_HOLDCORE0,
@@ -90,7 +90,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLC_CORE1]	= REGISTER_PLL_DIV(
  		.name = "pllc_core1",
  		.source_pll = "pllc",
-@@ -1566,7 +1572,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1568,7 +1574,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLC_CORE1,
  		.load_mask = CM_PLLC_LOADCORE1,
  		.hold_mask = CM_PLLC_HOLDCORE1,
@@ -100,7 +100,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLC_CORE2]	= REGISTER_PLL_DIV(
  		.name = "pllc_core2",
  		.source_pll = "pllc",
-@@ -1574,7 +1581,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1576,7 +1583,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLC_CORE2,
  		.load_mask = CM_PLLC_LOADCORE2,
  		.hold_mask = CM_PLLC_HOLDCORE2,
@@ -110,7 +110,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLC_PER]	= REGISTER_PLL_DIV(
  		.name = "pllc_per",
  		.source_pll = "pllc",
-@@ -1582,7 +1590,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1584,7 +1592,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLC_PER,
  		.load_mask = CM_PLLC_LOADPER,
  		.hold_mask = CM_PLLC_HOLDPER,
@@ -120,7 +120,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/*
  	 * PLLD is the display PLL, used to drive DSI display panels.
-@@ -1611,7 +1620,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1613,7 +1622,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLD_CORE,
  		.load_mask = CM_PLLD_LOADCORE,
  		.hold_mask = CM_PLLD_HOLDCORE,
@@ -130,7 +130,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLD_PER]	= REGISTER_PLL_DIV(
  		.name = "plld_per",
  		.source_pll = "plld",
-@@ -1619,7 +1629,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1621,7 +1631,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLD_PER,
  		.load_mask = CM_PLLD_LOADPER,
  		.hold_mask = CM_PLLD_HOLDPER,
@@ -140,7 +140,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLD_DSI0]	= REGISTER_PLL_DIV(
  		.name = "plld_dsi0",
  		.source_pll = "plld",
-@@ -1664,7 +1675,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1666,7 +1677,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLH_RCAL,
  		.load_mask = CM_PLLH_LOADRCAL,
  		.hold_mask = 0,
@@ -150,7 +150,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLH_AUX]	= REGISTER_PLL_DIV(
  		.name = "pllh_aux",
  		.source_pll = "pllh",
-@@ -1672,7 +1684,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1674,7 +1686,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLH_AUX,
  		.load_mask = CM_PLLH_LOADAUX,
  		.hold_mask = 0,
@@ -160,7 +160,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_PLLH_PIX]	= REGISTER_PLL_DIV(
  		.name = "pllh_pix",
  		.source_pll = "pllh",
-@@ -1680,7 +1693,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1682,7 +1695,8 @@ static const struct bcm2835_clk_desc clk
  		.a2w_reg = A2W_PLLH_PIX,
  		.load_mask = CM_PLLH_LOADPIX,
  		.hold_mask = 0,

target/linux/brcm2708/patches-4.9/950-0156-clk-bcm2835-Register-the-DSI0-DSI1-pixel-clocks.patch

@@ -109,7 +109,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	init.num_parents = 1;
  	init.name = data->name;
  	init.ops = &bcm2835_pll_clk_ops;
-@@ -1301,18 +1330,22 @@ static struct clk_hw *bcm2835_register_c
+@@ -1303,18 +1332,22 @@ static struct clk_hw *bcm2835_register_c
  	struct bcm2835_clock *clock;
  	struct clk_init_data init;
  	const char *parents[1 << CM_SRC_BITS];
@@ -139,7 +139,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	}
  
  	memset(&init, 0, sizeof(init));
-@@ -1448,6 +1481,47 @@ static const char *const bcm2835_clock_v
+@@ -1450,6 +1483,47 @@ static const char *const bcm2835_clock_v
  	__VA_ARGS__)
  
  /*
@@ -187,7 +187,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
   * the real definition of all the pll, pll_dividers and clocks
   * these make use of the above REGISTER_* macros
   */
-@@ -1910,6 +1984,18 @@ static const struct bcm2835_clk_desc clk
+@@ -1912,6 +1986,18 @@ static const struct bcm2835_clk_desc clk
  		.div_reg = CM_DSI1EDIV,
  		.int_bits = 4,
  		.frac_bits = 8),
@@ -206,7 +206,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* the gates */
  
-@@ -1968,8 +2054,19 @@ static int bcm2835_clk_probe(struct plat
+@@ -1970,8 +2056,19 @@ static int bcm2835_clk_probe(struct plat
  	if (IS_ERR(cprman->regs))
  		return PTR_ERR(cprman->regs);
  

target/linux/brcm2708/patches-4.9/950-0157-clk-bcm2835-Add-leaf-clock-measurement-support-disab.patch

@@ -125,7 +125,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	return 0;
  }
  
-@@ -1780,7 +1850,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1782,7 +1852,8 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_OTPCTL,
  		.div_reg = CM_OTPDIV,
  		.int_bits = 4,
@@ -135,7 +135,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	/*
  	 * Used for a 1Mhz clock for the system clocksource, and also used
  	 * bythe watchdog timer and the camera pulse generator.
-@@ -1814,13 +1885,15 @@ static const struct bcm2835_clk_desc clk
+@@ -1816,13 +1887,15 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_H264CTL,
  		.div_reg = CM_H264DIV,
  		.int_bits = 4,
@@ -153,7 +153,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/*
  	 * Secondary SDRAM clock.  Used for low-voltage modes when the PLL
-@@ -1831,13 +1904,15 @@ static const struct bcm2835_clk_desc clk
+@@ -1833,13 +1906,15 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_SDCCTL,
  		.div_reg = CM_SDCDIV,
  		.int_bits = 6,
@@ -171,7 +171,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	/*
  	 * VPU clock.  This doesn't have an enable bit, since it drives
  	 * the bus for everything else, and is special so it doesn't need
-@@ -1851,7 +1926,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1853,7 +1928,8 @@ static const struct bcm2835_clk_desc clk
  		.int_bits = 12,
  		.frac_bits = 8,
  		.flags = CLK_IS_CRITICAL,
@@ -181,7 +181,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* clocks with per parent mux */
  	[BCM2835_CLOCK_AVEO]	= REGISTER_PER_CLK(
-@@ -1859,19 +1935,22 @@ static const struct bcm2835_clk_desc clk
+@@ -1861,19 +1937,22 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_AVEOCTL,
  		.div_reg = CM_AVEODIV,
  		.int_bits = 4,
@@ -207,7 +207,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_CLOCK_DFT]	= REGISTER_PER_CLK(
  		.name = "dft",
  		.ctl_reg = CM_DFTCTL,
-@@ -1883,7 +1962,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1885,7 +1964,8 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_DPICTL,
  		.div_reg = CM_DPIDIV,
  		.int_bits = 4,
@@ -217,7 +217,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* Arasan EMMC clock */
  	[BCM2835_CLOCK_EMMC]	= REGISTER_PER_CLK(
-@@ -1891,7 +1971,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1893,7 +1973,8 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_EMMCCTL,
  		.div_reg = CM_EMMCDIV,
  		.int_bits = 4,
@@ -227,7 +227,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* General purpose (GPIO) clocks */
  	[BCM2835_CLOCK_GP0]	= REGISTER_PER_CLK(
-@@ -1900,7 +1981,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1902,7 +1983,8 @@ static const struct bcm2835_clk_desc clk
  		.div_reg = CM_GP0DIV,
  		.int_bits = 12,
  		.frac_bits = 12,
@@ -237,7 +237,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_CLOCK_GP1]	= REGISTER_PER_CLK(
  		.name = "gp1",
  		.ctl_reg = CM_GP1CTL,
-@@ -1908,7 +1990,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1910,7 +1992,8 @@ static const struct bcm2835_clk_desc clk
  		.int_bits = 12,
  		.frac_bits = 12,
  		.flags = CLK_IS_CRITICAL,
@@ -247,7 +247,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  	[BCM2835_CLOCK_GP2]	= REGISTER_PER_CLK(
  		.name = "gp2",
  		.ctl_reg = CM_GP2CTL,
-@@ -1923,40 +2006,46 @@ static const struct bcm2835_clk_desc clk
+@@ -1925,40 +2008,46 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_HSMCTL,
  		.div_reg = CM_HSMDIV,
  		.int_bits = 4,
@@ -300,7 +300,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* TV encoder clock.  Only operating frequency is 108Mhz.  */
  	[BCM2835_CLOCK_VEC]	= REGISTER_PER_CLK(
-@@ -1969,7 +2058,8 @@ static const struct bcm2835_clk_desc clk
+@@ -1971,7 +2060,8 @@ static const struct bcm2835_clk_desc clk
  		 * Allow rate change propagation only on PLLH_AUX which is
  		 * assigned index 7 in the parent array.
  		 */
@@ -310,7 +310,7 @@ Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
  
  	/* dsi clocks */
  	[BCM2835_CLOCK_DSI0E]	= REGISTER_PER_CLK(
-@@ -1977,25 +2067,29 @@ static const struct bcm2835_clk_desc clk
+@@ -1979,25 +2069,29 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_DSI0ECTL,
  		.div_reg = CM_DSI0EDIV,
  		.int_bits = 4,

target/linux/brcm2708/patches-4.9/950-0185-clk-bcm2835-Mark-used-PLLs-and-dividers-CRITICAL.patch

@@ -14,7 +14,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
 
 --- a/drivers/clk/bcm/clk-bcm2835.c
 +++ b/drivers/clk/bcm/clk-bcm2835.c
-@@ -1372,6 +1372,11 @@ bcm2835_register_pll_divider(struct bcm2
+@@ -1374,6 +1374,11 @@ bcm2835_register_pll_divider(struct bcm2
  	divider->div.hw.init = &init;
  	divider->div.table = NULL;
  

target/linux/brcm2708/patches-4.9/950-0186-clk-bcm2835-Add-claim-clocks-property.patch

@@ -67,7 +67,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  	pll = kzalloc(sizeof(*pll), GFP_KERNEL);
  	if (!pll)
  		return NULL;
-@@ -1373,8 +1378,10 @@ bcm2835_register_pll_divider(struct bcm2
+@@ -1375,8 +1380,10 @@ bcm2835_register_pll_divider(struct bcm2
  	divider->div.table = NULL;
  
  	if (!(cprman_read(cprman, data->cm_reg) & data->hold_mask)) {
@@ -80,7 +80,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  	}
  
  	divider->cprman = cprman;
-@@ -2110,6 +2117,8 @@ static const struct bcm2835_clk_desc clk
+@@ -2112,6 +2119,8 @@ static const struct bcm2835_clk_desc clk
  		.ctl_reg = CM_PERIICTL),
  };
  
@@ -89,7 +89,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  /*
   * Permanently take a reference on the parent of the SDRAM clock.
   *
-@@ -2129,6 +2138,19 @@ static int bcm2835_mark_sdc_parent_criti
+@@ -2131,6 +2140,19 @@ static int bcm2835_mark_sdc_parent_criti
  	return clk_prepare_enable(parent);
  }
  
@@ -109,7 +109,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  static int bcm2835_clk_probe(struct platform_device *pdev)
  {
  	struct device *dev = &pdev->dev;
-@@ -2138,6 +2160,7 @@ static int bcm2835_clk_probe(struct plat
+@@ -2140,6 +2162,7 @@ static int bcm2835_clk_probe(struct plat
  	const struct bcm2835_clk_desc *desc;
  	const size_t asize = ARRAY_SIZE(clk_desc_array);
  	size_t i;
@@ -117,7 +117,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
  	int ret;
  
  	cprman = devm_kzalloc(dev, sizeof(*cprman) +
-@@ -2153,6 +2176,13 @@ static int bcm2835_clk_probe(struct plat
+@@ -2155,6 +2178,13 @@ static int bcm2835_clk_probe(struct plat
  	if (IS_ERR(cprman->regs))
  		return PTR_ERR(cprman->regs);