OpenWrt v19.07.10: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

feeds.conf.default

@@ -1,5 +1,5 @@
-src-git packages https://git.openwrt.org/feed/packages.git^8129d30e3653d84f28b3c6c8f4e37163e602f544
-src-git luci https://git.openwrt.org/project/luci.git^36e5c1c24baace19ce5acda58bdd3ffddd5a7169
-src-git routing https://git.openwrt.org/feed/routing.git^a30ac2558ead4da96560d97168f0a9fa585ca627
-src-git telephony https://git.openwrt.org/feed/telephony.git^5ae3a58b26182701d4ac8a4413d34a7d4ae23529
+src-git packages https://git.openwrt.org/feed/packages.git^1c5e4c80f49bfddaee1998636fd8efe915fee7fc
+src-git luci https://git.openwrt.org/project/luci.git^786ebc9c014efed4df0d67b140b2348a58d99f5b
+src-git routing https://git.openwrt.org/feed/routing.git^33254957df8d148631a98c49a5b623f996d8d6fc
+src-git telephony https://git.openwrt.org/feed/telephony.git^c6bff940c0d3e73eac0d8ec62bf1e86f1c3cbefe
 src-git freifunk https://github.com/freifunk/openwrt-packages.git^944ff29d953a0de7e7fcca7b0907f7d7486b7b4c

include/kernel-version.mk

@@ -6,9 +6,9 @@ ifdef CONFIG_TESTING_KERNEL
   KERNEL_PATCHVER:=$(KERNEL_TESTING_PATCHVER)
 endif
 
-LINUX_VERSION-4.14 = .267
+LINUX_VERSION-4.14 = .275
 
-LINUX_KERNEL_HASH-4.14.267 = 8c343f885cfe25a51a8d40595afe5268ce09eaf8f531f9546ecf20831924188e
+LINUX_KERNEL_HASH-4.14.275 = 100a9960fb2d8e079c9feeef640715a7fb749ed728a57e427f9e2443212e58f9
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),19.07.9)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),19.07.10)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r11405-2a3558b0de)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r11427-9ce6aa9d8d)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/19.07.9)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/19.07.10)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/base-files/files/etc/init.d/boot

@@ -45,6 +45,7 @@ boot() {
 
 	/bin/config_generate
 	uci_apply_defaults
+	sync
 	
 	# temporary hack until configd exists
 	/sbin/reload_config

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/19.07.9"
+		default "http://downloads.openwrt.org/releases/19.07.10"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/kernel/mac80211/Makefile

@@ -10,10 +10,10 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=mac80211
 
-PKG_VERSION:=4.19.221-1
+PKG_VERSION:=4.19.237-1
 PKG_RELEASE:=1
-PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v4.19.221/
-PKG_HASH:=343f54b21ddda4bc79c0457a7fa88356d430b802f86194abc20fe09c12559b05
+PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v4.19.237/
+PKG_HASH:=e40ce1f4b707d5b1b5da3f4470f1ccf4f565602323424c89d956069df701bffd
 
 PKG_SOURCE:=backports-$(PKG_VERSION).tar.xz
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/backports-$(PKG_VERSION)

package/kernel/mac80211/patches/subsys/210-ap_scan.patch

@@ -1,6 +1,6 @@
 --- a/net/mac80211/cfg.c
 +++ b/net/mac80211/cfg.c
-@@ -2192,7 +2192,7 @@ static int ieee80211_scan(struct wiphy *
+@@ -2189,7 +2189,7 @@ static int ieee80211_scan(struct wiphy *
  		 * the  frames sent while scanning on other channel will be
  		 * lost)
  		 */

package/kernel/mac80211/patches/subsys/350-mac80211-add-hdrlen-to-ieee80211_tx_data.patch

@@ -75,7 +75,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  		rcu_read_unlock();
 --- a/net/mac80211/util.c
 +++ b/net/mac80211/util.c
-@@ -1396,6 +1396,7 @@ void ieee80211_send_auth(struct ieee8021
+@@ -1398,6 +1398,7 @@ void ieee80211_send_auth(struct ieee8021
  	struct ieee80211_local *local = sdata->local;
  	struct sk_buff *skb;
  	struct ieee80211_mgmt *mgmt;
@@ -83,7 +83,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	int err;
  
  	/* 24 + 6 = header + auth_algo + auth_transaction + status_code */
-@@ -1419,8 +1420,10 @@ void ieee80211_send_auth(struct ieee8021
+@@ -1421,8 +1422,10 @@ void ieee80211_send_auth(struct ieee8021
  		skb_put_data(skb, extra, extra_len);
  
  	if (auth_alg == WLAN_AUTH_SHARED_KEY && transaction == 3) {

package/kernel/mac80211/patches/subsys/365-mac80211-IBSS-send-deauth-when-expiring-inactive-STA.patch

@@ -78,7 +78,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  	}
  
  	/* flush out frame - make sure the deauth was actually sent */
-@@ -4374,7 +4375,7 @@ void ieee80211_mgd_quiesce(struct ieee80
+@@ -4381,7 +4382,7 @@ void ieee80211_mgd_quiesce(struct ieee80
  		 * cfg80211 won't know and won't actually abort those attempts,
  		 * thus we need to do that ourselves.
  		 */
@@ -87,7 +87,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  					       IEEE80211_STYPE_DEAUTH,
  					       WLAN_REASON_DEAUTH_LEAVING,
  					       false, frame_buf);
-@@ -5354,7 +5355,7 @@ int ieee80211_mgd_deauth(struct ieee8021
+@@ -5361,7 +5362,7 @@ int ieee80211_mgd_deauth(struct ieee8021
  			   ieee80211_get_reason_code_string(req->reason_code));
  
  		drv_mgd_prepare_tx(sdata->local, sdata, 0);
@@ -96,7 +96,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  					       IEEE80211_STYPE_DEAUTH,
  					       req->reason_code, tx,
  					       frame_buf);
-@@ -5374,7 +5375,7 @@ int ieee80211_mgd_deauth(struct ieee8021
+@@ -5381,7 +5382,7 @@ int ieee80211_mgd_deauth(struct ieee8021
  			   ieee80211_get_reason_code_string(req->reason_code));
  
  		drv_mgd_prepare_tx(sdata->local, sdata, 0);
@@ -107,7 +107,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  					       frame_buf);
 --- a/net/mac80211/util.c
 +++ b/net/mac80211/util.c
-@@ -1433,7 +1433,8 @@ void ieee80211_send_auth(struct ieee8021
+@@ -1435,7 +1435,8 @@ void ieee80211_send_auth(struct ieee8021
  }
  
  void ieee80211_send_deauth_disassoc(struct ieee80211_sub_if_data *sdata,
@@ -117,7 +117,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  				    bool send_frame, u8 *frame_buf)
  {
  	struct ieee80211_local *local = sdata->local;
-@@ -1444,7 +1445,7 @@ void ieee80211_send_deauth_disassoc(stru
+@@ -1446,7 +1447,7 @@ void ieee80211_send_deauth_disassoc(stru
  	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | stype);
  	mgmt->duration = 0; /* initialize only */
  	mgmt->seq_ctrl = 0; /* initialize only */

package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch

@@ -57,7 +57,7 @@
  	__NL80211_ATTR_AFTER_LAST,
 --- a/net/mac80211/cfg.c
 +++ b/net/mac80211/cfg.c
-@@ -2460,6 +2460,19 @@ static int ieee80211_get_tx_power(struct
+@@ -2457,6 +2457,19 @@ static int ieee80211_get_tx_power(struct
  	return 0;
  }
  
@@ -77,7 +77,7 @@
  static int ieee80211_set_wds_peer(struct wiphy *wiphy, struct net_device *dev,
  				  const u8 *addr)
  {
-@@ -3849,6 +3862,7 @@ const struct cfg80211_ops mac80211_confi
+@@ -3846,6 +3859,7 @@ const struct cfg80211_ops mac80211_confi
  	.set_wiphy_params = ieee80211_set_wiphy_params,
  	.set_tx_power = ieee80211_set_tx_power,
  	.get_tx_power = ieee80211_get_tx_power,

package/libs/openssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=m
+PKG_BUGFIX:=n
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
+PKG_HASH:=40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE

package/libs/wolfssl/Config.in

@@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS
 	default y
 
 config WOLFSSL_HAS_ECC25519
-	bool "Include ECC Curve 22519 support"
+	bool "Include ECC Curve 25519 support"
 	default n
 
+config WOLFSSL_ALT_NAMES
+	bool "Include SAN (Subject Alternative Name) support"
+	default y
+
 config WOLFSSL_HAS_DEVCRYPTO
 	bool
 

package/libs/wolfssl/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=5.2.0-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=409b4646c5f54f642de0e9f3544c3b83de7238134f5b1ff93fb44527bf119d05
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\
 	CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
 	CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
 	CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
-	CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
+	CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -44,7 +44,7 @@ define Package/libwolfssl
   MENU:=1
   PROVIDES:=libcyassl
   DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
-  ABI_VERSION:=24
+  ABI_VERSION:=32
 endef
 
 define Package/libwolfssl/description
@@ -56,13 +56,24 @@ define Package/libwolfssl/config
 	source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+	$(FPIC) \
+	-fomit-frame-pointer \
+	-flto \
+	-DFP_MAX_BITS=8192 \
+	$(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
+
+TARGET_LDFLAGS += -flto
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
+	--enable-reproducible-build \
+	--enable-opensslall \
 	--enable-opensslextra \
 	--enable-sni \
 	--enable-stunnel \
+	--enable-altcertchains \
+	--disable-crypttests \
 	--disable-examples \
 	--disable-jobserver \
 	--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
@@ -88,7 +99,7 @@ endif
 
 ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
 CONFIGURE_ARGS += \
-	--enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+	--enable-wpas --enable-fortress --enable-fastmath
 endif
 
 define Build/InstallDev

package/libs/wolfssl/patches/100-disable-hardening-check.patch

@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2338,7 +2338,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */

package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch

@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 144c857e4..de7f6b45a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -32,7 +32,7 @@ AC_ARG_PROGRAM
+ 
+ AC_CONFIG_HEADERS([config.h:config.in])
+ 
+-LT_PREREQ([2.4.2])
++LT_PREREQ([2.4])
+ LT_INIT([disable-static win32-dll])
+ 
+ #shared library versioning

package/libs/wolfssl/patches/200-ecc-rng.patch

@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -11655,21 +11655,21 @@ void wc_ecc_fp_free(void)
+ 
+ #endif /* FP_ECC */
+ 
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+     int err = 0;
+ 
++#ifdef ECC_TIMING_RESISTANT
+     if (key == NULL) {
+         err = BAD_FUNC_ARG;
+     }
+     else {
+         key->rng = rng;
+     }
++#endif
+ 
+     return err;
+ }
+-#endif
+ 
+ #ifdef HAVE_ECC_ENCRYPT
+ 
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -650,10 +650,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+ 
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);

package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch

@@ -0,0 +1,24 @@
+From 87e43dd63ba429297e439f2dfd1ee8b45981e18b Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date: Sat, 12 Feb 2022 00:34:24 +0100
+Subject: [PATCH] Reported in ZD13631
+
+`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
+
+References: https://github.com/wolfSSL/wolfssl/issues/4879
+---
+ src/internal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -12342,6 +12342,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte*
+                             }
+ 
+                             ret = 0; /* clear errors and continue */
++                    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
++                            ssl->peerVerifyRet = 0;
++                    #endif
+                             args->verifyErr = 0;
+                         }
+ 

package/libs/zlib/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=zlib
 PKG_VERSION:=1.2.11
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@SF/libpng http://www.zlib.net

package/libs/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch

@@ -0,0 +1,343 @@
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c   | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+     int wrap = 1;
+     static const char my_version[] = ZLIB_VERSION;
+ 
+-    ushf *overlay;
+-    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+-     * output size for (length,distance) codes is <= 24 bits.
+-     */
+-
+     if (version == Z_NULL || version[0] != my_version[0] ||
+         stream_size != sizeof(z_stream)) {
+         return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ 
+     s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+ 
+-    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+-    s->pending_buf = (uchf *) overlay;
+-    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++    /* We overlay pending_buf and sym_buf. This works since the average size
++     * for length/distance pairs over any compressed block is assured to be 31
++     * bits or less.
++     *
++     * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++     * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++     * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++     * possible fixed-codes length/distance pair is then 31 bits total.
++     *
++     * sym_buf starts one-fourth of the way into pending_buf. So there are
++     * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++     * in sym_buf is three bytes -- two for the distance and one for the
++     * literal/length. As each symbol is consumed, the pointer to the next
++     * sym_buf value to read moves forward three bytes. From that symbol, up to
++     * 31 bits are written to pending_buf. The closest the written pending_buf
++     * bits gets to the next sym_buf symbol to read is just before the last
++     * code is written. At that time, 31*(n-2) bits have been written, just
++     * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++     * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++     * symbols are written.) The closest the writing gets to what is unread is
++     * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++     * can range from 128 to 32768.
++     *
++     * Therefore, at a minimum, there are 142 bits of space between what is
++     * written and what is read in the overlain buffers, so the symbols cannot
++     * be overwritten by the compressed data. That space is actually 139 bits,
++     * due to the three-bit fixed-code block header.
++     *
++     * That covers the case where either Z_FIXED is specified, forcing fixed
++     * codes, or when the use of fixed codes is chosen, because that choice
++     * results in a smaller compressed block than dynamic codes. That latter
++     * condition then assures that the above analysis also covers all dynamic
++     * blocks. A dynamic-code block will only be chosen to be emitted if it has
++     * fewer bits than a fixed-code block would for the same set of symbols.
++     * Therefore its average symbol length is assured to be less than 31. So
++     * the compressed data for a dynamic block also cannot overwrite the
++     * symbols from which it is being constructed.
++     */
++
++    s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++    s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+ 
+     if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+         s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+         deflateEnd (strm);
+         return Z_MEM_ERROR;
+     }
+-    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+-    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++    s->sym_buf = s->pending_buf + s->lit_bufsize;
++    s->sym_end = (s->lit_bufsize - 1) * 3;
++    /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++     * on 16 bit machines and because stored blocks are restricted to
++     * 64K-1 bytes.
++     */
+ 
+     s->level = level;
+     s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+ 
+     if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+     s = strm->state;
+-    if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++    if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+         return Z_BUF_ERROR;
+     do {
+         put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+     deflate_state *ds;
+     deflate_state *ss;
+-    ushf *overlay;
+ 
+ 
+     if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+     ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+     ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+     ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+-    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+-    ds->pending_buf = (uchf *) overlay;
++    ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+ 
+     if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+         ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+     zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+ 
+     ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+-    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+-    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++    ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+ 
+     ds->l_desc.dyn_tree = ds->dyn_ltree;
+     ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+     /* Depth of each subtree used as tie breaker for trees of equal frequency
+      */
+ 
+-    uchf *l_buf;          /* buffer for literals or lengths */
++    uchf *sym_buf;        /* buffer for distances and literals/lengths */
+ 
+     uInt  lit_bufsize;
+     /* Size of match buffer for literals/lengths.  There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+      *   - I can't count above 4
+      */
+ 
+-    uInt last_lit;      /* running index in l_buf */
+-
+-    ushf *d_buf;
+-    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+-     * the same number of elements. To use different lengths, an extra flag
+-     * array would be necessary.
+-     */
++    uInt sym_next;      /* running index in sym_buf */
++    uInt sym_end;       /* symbol table full when sym_next reaches this */
+ 
+     ulg opt_len;        /* bit length of current block with optimal trees */
+     ulg static_len;     /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+ 
+ # define _tr_tally_lit(s, c, flush) \
+   { uch cc = (c); \
+-    s->d_buf[s->last_lit] = 0; \
+-    s->l_buf[s->last_lit++] = cc; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = cc; \
+     s->dyn_ltree[cc].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+    }
+ # define _tr_tally_dist(s, distance, length, flush) \
+   { uch len = (uch)(length); \
+     ush dist = (ush)(distance); \
+-    s->d_buf[s->last_lit] = dist; \
+-    s->l_buf[s->last_lit++] = len; \
++    s->sym_buf[s->sym_next++] = dist; \
++    s->sym_buf[s->sym_next++] = dist >> 8; \
++    s->sym_buf[s->sym_next++] = len; \
+     dist--; \
+     s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+     s->dyn_dtree[d_code(dist)].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+   }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+ 
+     s->dyn_ltree[END_BLOCK].Freq = 1;
+     s->opt_len = s->static_len = 0L;
+-    s->last_lit = s->matches = 0;
++    s->sym_next = s->matches = 0;
+ }
+ 
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+ 
+         Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+                 opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+-                s->last_lit));
++                s->sym_next / 3));
+ 
+         if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+ 
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+     unsigned dist;  /* distance of matched string */
+     unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+-    s->d_buf[s->last_lit] = (ush)dist;
+-    s->l_buf[s->last_lit++] = (uch)lc;
++    s->sym_buf[s->sym_next++] = dist;
++    s->sym_buf[s->sym_next++] = dist >> 8;
++    s->sym_buf[s->sym_next++] = lc;
+     if (dist == 0) {
+         /* lc is the unmatched char */
+         s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+         s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+         s->dyn_dtree[d_code(dist)].Freq++;
+     }
+-
+-#ifdef TRUNCATE_BLOCK
+-    /* Try to guess if it is profitable to stop the current block here */
+-    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+-        /* Compute an upper bound for the compressed length */
+-        ulg out_length = (ulg)s->last_lit*8L;
+-        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+-        int dcode;
+-        for (dcode = 0; dcode < D_CODES; dcode++) {
+-            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+-                (5L+extra_dbits[dcode]);
+-        }
+-        out_length >>= 3;
+-        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+-               s->last_lit, in_length, out_length,
+-               100L - out_length*100L/in_length));
+-        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+-    }
+-#endif
+-    return (s->last_lit == s->lit_bufsize-1);
+-    /* We avoid equality with lit_bufsize because of wraparound at 64K
+-     * on 16 bit machines and because stored blocks are restricted to
+-     * 64K-1 bytes.
+-     */
++    return (s->sym_next == s->sym_end);
+ }
+ 
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+     unsigned dist;      /* distance of matched string */
+     int lc;             /* match length or unmatched char (if dist == 0) */
+-    unsigned lx = 0;    /* running index in l_buf */
++    unsigned sx = 0;    /* running index in sym_buf */
+     unsigned code;      /* the code to send */
+     int extra;          /* number of extra bits to send */
+ 
+-    if (s->last_lit != 0) do {
+-        dist = s->d_buf[lx];
+-        lc = s->l_buf[lx++];
++    if (s->sym_next != 0) do {
++        dist = s->sym_buf[sx++] & 0xff;
++        dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++        lc = s->sym_buf[sx++];
+         if (dist == 0) {
+             send_code(s, lc, ltree); /* send a literal byte */
+             Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+             }
+         } /* literal or match pair ? */
+ 
+-        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+-        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+-               "pendingBuf overflow");
++        /* Check that the overlay between pending_buf and sym_buf is ok: */
++        Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+ 
+-    } while (lx < s->last_lit);
++    } while (sx < s->sym_next);
+ 
+     send_code(s, END_BLOCK, ltree);
+ }

package/system/ubus/Makefile

@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/ubus.git
-PKG_SOURCE_DATE:=2021-07-01
-PKG_SOURCE_VERSION:=38c7fdd8991366cd2f9ccbc47625f9b51b1d318a
-PKG_MIRROR_HASH:=5ff9baa2ba3c7b2b53a477ed2a0f3dd8828051389f3d759cf5a694fbccc4c05b
+PKG_SOURCE_DATE:=2022-02-21
+PKG_SOURCE_VERSION:=b32a0e17b37847e8357b53a358d1311bfc3ad5d2
+PKG_MIRROR_HASH:=fddf17b1faeb2ab09a3bed2e301a9cc83cb6ceb69af57cd58dc2132b58276f8b
 PKG_ABI_VERSION:=20210603
 CMAKE_INSTALL:=1
 

target/imagebuilder/Makefile

@@ -57,7 +57,7 @@ else
 	find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {} $(PKG_BUILD_DIR)/packages/ \;
 endif
 
-	$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
+	$(CP) -L $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
 	if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
 		$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
 	fi
@@ -77,6 +77,8 @@ endif
 		$(CP) -L $(LINUX_DIR)/arch/$(LINUX_KARCH)/boot/dts/* $(IB_DTSDIR); \
 	fi
 	$(SED) 's,^# REVISION:=.*,REVISION:=$(REVISION),g' $(PKG_BUILD_DIR)/include/version.mk
+	$(SED) 's,^# SOURCE_DATE_EPOCH:=.*,SOURCE_DATE_EPOCH:=$(SOURCE_DATE_EPOCH),g' $(PKG_BUILD_DIR)/include/version.mk
+	$(SED) '/LINUX_VERMAGIC:=/ { s,unknown,$(LINUX_VERMAGIC),g }' $(PKG_BUILD_DIR)/include/kernel.mk
 	find $(PKG_BUILD_DIR) -name CVS -o -name .git -o -name .svn \
 	  | $(XARGS) rm -rf
 	$(INSTALL_DIR) $(IB_IDIR)

target/linux/ar71xx/base-files/lib/ar71xx.sh

@@ -542,7 +542,8 @@ mikrotik_board_detect() {
 	*"SXT Lite5")
 		name="rb-sxt5n"
 		;;
-	*"wAP 2nD r2")
+	*"wAP 2nD r2"|\
+	*"wAP 2nD r3")
 		name="rb-wap-2nd"
 		;;
 	*"wAP R-2nD"|\

target/linux/ar71xx/patches-4.14/310-lib-add-rle-decompression.patch

@@ -1,6 +1,6 @@
 --- a/lib/Kconfig
 +++ b/lib/Kconfig
-@@ -265,6 +265,9 @@ config LZMA_COMPRESS
+@@ -264,6 +264,9 @@ config LZMA_COMPRESS
  config LZMA_DECOMPRESS
      tristate
  

target/linux/ar71xx/patches-4.14/910-unaligned_access_hacks.patch

@@ -312,7 +312,7 @@
  #endif /* _LINUX_TYPES_H */
 --- a/net/ipv4/af_inet.c
 +++ b/net/ipv4/af_inet.c
-@@ -1352,8 +1352,8 @@ struct sk_buff **inet_gro_receive(struct
+@@ -1355,8 +1355,8 @@ struct sk_buff **inet_gro_receive(struct
  	if (unlikely(ip_fast_csum((u8 *)iph, 5)))
  		goto out_unlock;
  
@@ -576,7 +576,7 @@
  			goto next_ht;
 --- a/net/ipv6/ip6_offload.c
 +++ b/net/ipv6/ip6_offload.c
-@@ -221,7 +221,7 @@ static struct sk_buff **ipv6_gro_receive
+@@ -223,7 +223,7 @@ static struct sk_buff **ipv6_gro_receive
  			continue;
  
  		iph2 = (struct ipv6hdr *)(p->data + off);

target/linux/ath79/dts/ar9344_ocedo_raccoon.dts

@@ -163,16 +163,27 @@
 	phy0: ethernet-phy@0 {
 		reg = <0>;
 		phy-mode = "rgmii";
+		eee-broken-100tx;
+		eee-broken-1000t;
 	};
 };
 
 &eth0 {
 	status = "okay";
 
-	pll-data = <0x06000000 0x00000101 0x00001313>;
+	pll-data = <0x02000000 0x00000101 0x00001313>;
 
 	mtd-mac-address = <&art 0x0>;
 
 	phy-mode = "rgmii";
 	phy-handle = <&phy0>;
+
+	gmac-config {
+		device = <&gmac>;
+		rgmii-gmac0 = <1>;
+		rxdv-delay = <3>;
+		rxd-delay = <3>;
+		txen-delay = <0>;
+		txd-delay = <0>;
+	};
 };

target/linux/ath79/patches-4.14/910-unaligned_access_hacks.patch

@@ -303,7 +303,7 @@
  #endif /* _LINUX_TYPES_H */
 --- a/net/ipv4/af_inet.c
 +++ b/net/ipv4/af_inet.c
-@@ -1352,8 +1352,8 @@ struct sk_buff **inet_gro_receive(struct
+@@ -1355,8 +1355,8 @@ struct sk_buff **inet_gro_receive(struct
  	if (unlikely(ip_fast_csum((u8 *)iph, 5)))
  		goto out_unlock;
  
@@ -556,7 +556,7 @@
  			goto next_ht;
 --- a/net/ipv6/ip6_offload.c
 +++ b/net/ipv6/ip6_offload.c
-@@ -221,7 +221,7 @@ static struct sk_buff **ipv6_gro_receive
+@@ -223,7 +223,7 @@ static struct sk_buff **ipv6_gro_receive
  			continue;
  
  		iph2 = (struct ipv6hdr *)(p->data + off);

target/linux/bcm53xx/patches-4.14/905-BCM53573-minor-hacks.patch

@@ -61,7 +61,7 @@ Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  #include <linux/clockchips.h>
  #include <linux/clocksource.h>
  #include <linux/interrupt.h>
-@@ -845,6 +846,16 @@ static void arch_timer_of_configure_rate
+@@ -860,6 +861,16 @@ static void arch_timer_of_configure_rate
  	if (of_property_read_u32(np, "clock-frequency", &arch_timer_rate))
  		arch_timer_rate = rate;
  

target/linux/brcm2708/patches-4.14/950-0033-i2c-bcm2835-Add-debug-support.patch

@@ -37,7 +37,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
 
 --- a/drivers/i2c/busses/i2c-bcm2835.c
 +++ b/drivers/i2c/busses/i2c-bcm2835.c
-@@ -56,6 +56,18 @@
+@@ -61,6 +61,18 @@
  #define BCM2835_I2C_CDIV_MIN	0x0002
  #define BCM2835_I2C_CDIV_MAX	0xFFFE
  
@@ -56,7 +56,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  struct bcm2835_i2c_dev {
  	struct device *dev;
  	void __iomem *regs;
-@@ -69,8 +81,78 @@ struct bcm2835_i2c_dev {
+@@ -74,8 +86,78 @@ struct bcm2835_i2c_dev {
  	u32 msg_err;
  	u8 *msg_buf;
  	size_t msg_buf_remaining;
@@ -135,7 +135,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  static inline void bcm2835_i2c_writel(struct bcm2835_i2c_dev *i2c_dev,
  				      u32 reg, u32 val)
  {
-@@ -189,6 +271,7 @@ static void bcm2835_i2c_start_transfer(s
+@@ -194,6 +276,7 @@ static void bcm2835_i2c_start_transfer(s
  	bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_A, msg->addr);
  	bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_DLEN, msg->len);
  	bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, c);
@@ -143,7 +143,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  }
  
  static void bcm2835_i2c_finish_transfer(struct bcm2835_i2c_dev *i2c_dev)
-@@ -215,6 +298,7 @@ static irqreturn_t bcm2835_i2c_isr(int t
+@@ -220,6 +303,7 @@ static irqreturn_t bcm2835_i2c_isr(int t
  	u32 val, err;
  
  	val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S);
@@ -151,7 +151,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  
  	err = val & (BCM2835_I2C_S_CLKT | BCM2835_I2C_S_ERR);
  	if (err) {
-@@ -281,6 +365,13 @@ static int bcm2835_i2c_xfer(struct i2c_a
+@@ -286,6 +370,13 @@ static int bcm2835_i2c_xfer(struct i2c_a
  	unsigned long time_left;
  	int i, ret;
  
@@ -165,7 +165,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  	for (i = 0; i < (num - 1); i++)
  		if (msgs[i].flags & I2C_M_RD) {
  			dev_warn_once(i2c_dev->dev,
-@@ -301,6 +392,11 @@ static int bcm2835_i2c_xfer(struct i2c_a
+@@ -306,6 +397,11 @@ static int bcm2835_i2c_xfer(struct i2c_a
  	time_left = wait_for_completion_timeout(&i2c_dev->completion,
  						adap->timeout);
  
@@ -177,7 +177,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  	bcm2835_i2c_finish_transfer(i2c_dev);
  
  	if (!time_left) {
-@@ -313,7 +409,9 @@ static int bcm2835_i2c_xfer(struct i2c_a
+@@ -318,7 +414,9 @@ static int bcm2835_i2c_xfer(struct i2c_a
  	if (!i2c_dev->msg_err)
  		return num;
  

target/linux/cns3xxx/patches-4.14/010-arm_introduce-dma-fiq-irq-broadcast.patch

@@ -20,7 +20,7 @@
  #endif
 --- a/arch/arm/mm/Kconfig
 +++ b/arch/arm/mm/Kconfig
-@@ -922,6 +922,17 @@ config DMA_CACHE_RWFO
+@@ -933,6 +933,17 @@ config DMA_CACHE_RWFO
  	  in hardware, other workarounds are needed (e.g. cache
  	  maintenance broadcasting in software via FIQ).
  

target/linux/cns3xxx/patches-4.14/040-fiq_support.patch

@@ -29,7 +29,7 @@
   */
 --- a/arch/arm/mm/Kconfig
 +++ b/arch/arm/mm/Kconfig
-@@ -905,7 +905,7 @@ config VDSO
+@@ -916,7 +916,7 @@ config VDSO
  
  config DMA_CACHE_RWFO
  	bool "Enable read/write for ownership DMA cache maintenance"

target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch

@@ -55,7 +55,7 @@ Cc: Kir Kolyshkin <kir@openvz.org>
  	rwlock_t		sk_callback_lock;
 --- a/net/core/sock.c
 +++ b/net/core/sock.c
-@@ -2791,6 +2791,7 @@ void sock_init_data(struct socket *sock,
+@@ -2788,6 +2788,7 @@ void sock_init_data(struct socket *sock,
  
  	sk->sk_max_pacing_rate = ~0U;
  	sk->sk_pacing_rate = ~0U;

target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch

@@ -30,7 +30,7 @@ Signed-off-by: Johan Hovold <johan@kernel.org>
 
 --- a/drivers/usb/serial/option.c
 +++ b/drivers/usb/serial/option.c
-@@ -2060,7 +2060,8 @@ static const struct usb_device_id option
+@@ -2072,7 +2072,8 @@ static const struct usb_device_id option
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d01, 0xff) },			/* D-Link DWM-156 (variant) */
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d02, 0xff) },
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d03, 0xff) },

target/linux/generic/backport-4.14/290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch

@@ -22,7 +22,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/core.c
 +++ b/net/netfilter/core.c
-@@ -395,63 +395,10 @@ EXPORT_SYMBOL(nf_register_net_hooks);
+@@ -396,63 +396,10 @@ EXPORT_SYMBOL(nf_register_net_hooks);
  void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
  			     unsigned int hookcount)
  {

target/linux/generic/backport-4.14/291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch

@@ -32,7 +32,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);
 --- a/net/netfilter/core.c
 +++ b/net/netfilter/core.c
-@@ -341,7 +341,6 @@ void nf_unregister_net_hook(struct net *
+@@ -342,7 +342,6 @@ void nf_unregister_net_hook(struct net *
  {
  	struct nf_hook_entries __rcu **pp;
  	struct nf_hook_entries *p;
@@ -40,7 +40,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	pp = nf_hook_entry_head(net, reg);
  	if (!pp)
-@@ -364,10 +363,7 @@ void nf_unregister_net_hook(struct net *
+@@ -365,10 +364,7 @@ void nf_unregister_net_hook(struct net *
  
  	synchronize_net();
  
@@ -65,7 +65,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  int __init netfilter_log_init(void);
 --- a/net/netfilter/nf_queue.c
 +++ b/net/netfilter/nf_queue.c
-@@ -96,18 +96,15 @@ void nf_queue_entry_get_refs(struct nf_q
+@@ -109,18 +109,15 @@ bool nf_queue_entry_get_refs(struct nf_q
  }
  EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);
  
@@ -88,7 +88,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
 --- a/net/netfilter/nfnetlink_queue.c
 +++ b/net/netfilter/nfnetlink_queue.c
-@@ -942,23 +942,18 @@ static struct notifier_block nfqnl_dev_n
+@@ -948,23 +948,18 @@ static struct notifier_block nfqnl_dev_n
  	.notifier_call	= nfqnl_rcv_dev_event,
  };
  

target/linux/generic/backport-4.14/292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch

@@ -107,7 +107,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static unsigned int accept_all(void *priv,
  			       struct sk_buff *skb,
  			       const struct nf_hook_state *state)
-@@ -291,9 +316,8 @@ int nf_register_net_hook(struct net *net
+@@ -292,9 +317,8 @@ int nf_register_net_hook(struct net *net
  #ifdef HAVE_JUMP_LABEL
  	static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
  #endif
@@ -118,7 +118,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	return 0;
  }
  EXPORT_SYMBOL(nf_register_net_hook);
-@@ -361,10 +385,8 @@ void nf_unregister_net_hook(struct net *
+@@ -362,10 +386,8 @@ void nf_unregister_net_hook(struct net *
  	if (!p)
  		return;
  

target/linux/generic/backport-4.14/293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch

@@ -129,7 +129,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  #ifdef CONFIG_NETFILTER_INGRESS
  	if (reg->hooknum == NF_NETDEV_INGRESS) {
-@@ -534,14 +549,21 @@ void (*nf_nat_decode_session_hook)(struc
+@@ -535,14 +550,21 @@ void (*nf_nat_decode_session_hook)(struc
  EXPORT_SYMBOL(nf_nat_decode_session_hook);
  #endif
  
@@ -159,7 +159,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
 --- a/net/netfilter/nf_queue.c
 +++ b/net/netfilter/nf_queue.c
-@@ -206,6 +206,23 @@ repeat:
+@@ -223,6 +223,23 @@ repeat:
  	return NF_ACCEPT;
  }
  
@@ -183,7 +183,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  /* Caller must hold rcu read-side lock */
  void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
  {
-@@ -221,12 +238,12 @@ void nf_reinject(struct nf_queue_entry *
+@@ -238,12 +255,12 @@ void nf_reinject(struct nf_queue_entry *
  	net = entry->state.net;
  	pf = entry->state.pf;
  

target/linux/generic/backport-4.14/294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch

@@ -64,7 +64,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		return net->nf.hooks_decnet + reg->hooknum;
  	default:
  		WARN_ON_ONCE(1);
-@@ -549,21 +559,21 @@ void (*nf_nat_decode_session_hook)(struc
+@@ -550,21 +560,21 @@ void (*nf_nat_decode_session_hook)(struc
  EXPORT_SYMBOL(nf_nat_decode_session_hook);
  #endif
  

target/linux/generic/backport-4.14/295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch

@@ -55,7 +55,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	default:
  		WARN_ON_ONCE(1);
  		return NULL;
-@@ -573,7 +575,9 @@ static int __net_init netfilter_net_init
+@@ -574,7 +576,9 @@ static int __net_init netfilter_net_init
  	__netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
  	__netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp));
  	__netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge));

target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch

@@ -137,7 +137,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	case NFPROTO_IPV4:
  		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
  			return NULL;
-@@ -573,8 +577,12 @@ static int __net_init netfilter_net_init
+@@ -574,8 +578,12 @@ static int __net_init netfilter_net_init
  {
  	__netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4));
  	__netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6));
@@ -152,7 +152,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  #endif
 --- a/net/netfilter/nf_queue.c
 +++ b/net/netfilter/nf_queue.c
-@@ -209,8 +209,10 @@ repeat:
+@@ -226,8 +226,10 @@ repeat:
  static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
  {
  	switch (pf) {

target/linux/generic/backport-4.14/297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch

@@ -87,7 +87,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (!pp)
  		return -EINVAL;
  
-@@ -397,7 +399,7 @@ void nf_unregister_net_hook(struct net *
+@@ -398,7 +400,7 @@ void nf_unregister_net_hook(struct net *
  	struct nf_hook_entries __rcu **pp;
  	struct nf_hook_entries *p;
  

target/linux/generic/backport-4.14/298-v4.16-netfilter-core-add-nf_remove_net_hook.patch

@@ -13,7 +13,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/core.c
 +++ b/net/netfilter/core.c
-@@ -356,7 +356,7 @@ int nf_register_net_hook(struct net *net
+@@ -357,7 +357,7 @@ int nf_register_net_hook(struct net *net
  EXPORT_SYMBOL(nf_register_net_hook);
  
  /*
@@ -22,7 +22,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
   *
   * @oldp: current address of hook blob
   * @unreg: hook to unregister
-@@ -364,8 +364,8 @@ EXPORT_SYMBOL(nf_register_net_hook);
+@@ -365,8 +365,8 @@ EXPORT_SYMBOL(nf_register_net_hook);
   * This cannot fail, hook unregistration must always succeed.
   * Therefore replace the to-be-removed hook with a dummy hook.
   */
@@ -33,7 +33,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  {
  	struct nf_hook_ops **orig_ops;
  	bool found = false;
-@@ -411,7 +411,7 @@ void nf_unregister_net_hook(struct net *
+@@ -412,7 +412,7 @@ void nf_unregister_net_hook(struct net *
  		return;
  	}
  

target/linux/generic/backport-4.14/298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch

@@ -13,7 +13,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/core.c
 +++ b/net/netfilter/core.c
-@@ -365,7 +365,7 @@ EXPORT_SYMBOL(nf_register_net_hook);
+@@ -366,7 +366,7 @@ EXPORT_SYMBOL(nf_register_net_hook);
   * Therefore replace the to-be-removed hook with a dummy hook.
   */
  static void nf_remove_net_hook(struct nf_hook_entries *old,
@@ -22,7 +22,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  {
  	struct nf_hook_ops **orig_ops;
  	bool found = false;
-@@ -383,14 +383,14 @@ static void nf_remove_net_hook(struct nf
+@@ -384,14 +384,14 @@ static void nf_remove_net_hook(struct nf
  
  	if (found) {
  #ifdef CONFIG_NETFILTER_INGRESS
@@ -40,7 +40,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	}
  }
  
-@@ -411,7 +411,7 @@ void nf_unregister_net_hook(struct net *
+@@ -412,7 +412,7 @@ void nf_unregister_net_hook(struct net *
  		return;
  	}
  

target/linux/generic/backport-4.14/299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch

@@ -39,9 +39,9 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (!pp)
  		return -EINVAL;
  
-@@ -343,17 +344,16 @@ int nf_register_net_hook(struct net *net
+@@ -344,17 +345,16 @@ int nf_register_net_hook(struct net *net
+ 		return PTR_ERR(new_hooks);
  
- 	hooks_validate(new_hooks);
  #ifdef CONFIG_NETFILTER_INGRESS
 -	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
 +	if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
@@ -59,7 +59,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  /*
   * nf_remove_net_hook - remove a hook from blob
-@@ -394,12 +394,13 @@ static void nf_remove_net_hook(struct nf
+@@ -395,12 +395,13 @@ static void nf_remove_net_hook(struct nf
  	}
  }
  
@@ -75,7 +75,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (!pp)
  		return;
  
-@@ -411,7 +412,7 @@ void nf_unregister_net_hook(struct net *
+@@ -412,7 +413,7 @@ void nf_unregister_net_hook(struct net *
  		return;
  	}
  
@@ -84,7 +84,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	p = __nf_hook_entries_try_shrink(pp);
  	mutex_unlock(&nf_hook_mutex);
-@@ -421,8 +422,42 @@ void nf_unregister_net_hook(struct net *
+@@ -422,8 +423,42 @@ void nf_unregister_net_hook(struct net *
  	nf_queue_nf_hook_drop(net);
  	nf_hook_entries_free(p);
  }

target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

@@ -176,7 +176,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  #include <linux/netfilter_bridge.h>
  #include <linux/seq_file.h>
  #include <linux/rcupdate.h>
-@@ -108,6 +110,35 @@ void nf_queue_nf_hook_drop(struct net *n
+@@ -121,6 +123,35 @@ void nf_queue_nf_hook_drop(struct net *n
  }
  EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);
  
@@ -212,12 +212,11 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
  		      const struct nf_hook_entries *entries,
  		      unsigned int index, unsigned int queuenum)
-@@ -148,7 +179,16 @@ static int __nf_queue(struct sk_buff *sk
- 	};
+@@ -165,7 +196,15 @@ static int __nf_queue(struct sk_buff *sk
+ 		return -ENOTCONN;
+ 	}
  
- 	nf_queue_entry_get_refs(entry);
 -	afinfo->saveroute(skb, entry);
-+
 +	switch (entry->state.pf) {
 +	case AF_INET:
 +		nf_ip_saveroute(skb, entry);

target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch

@@ -171,7 +171,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
 --- a/net/netfilter/nf_queue.c
 +++ b/net/netfilter/nf_queue.c
-@@ -271,7 +271,6 @@ void nf_reinject(struct nf_queue_entry *
+@@ -287,7 +287,6 @@ void nf_reinject(struct nf_queue_entry *
  	const struct nf_hook_entry *hook_entry;
  	const struct nf_hook_entries *hooks;
  	struct sk_buff *skb = entry->skb;
@@ -179,7 +179,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	const struct net *net;
  	unsigned int i;
  	int err;
-@@ -298,8 +297,7 @@ void nf_reinject(struct nf_queue_entry *
+@@ -314,8 +313,7 @@ void nf_reinject(struct nf_queue_entry *
  		verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
  
  	if (verdict == NF_ACCEPT) {

target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch

@@ -48,7 +48,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  #include <net/protocol.h>
  #include <net/netfilter/nf_queue.h>
  #include <net/dst.h>
-@@ -145,9 +147,9 @@ static int __nf_queue(struct sk_buff *sk
+@@ -158,9 +160,9 @@ static int __nf_queue(struct sk_buff *sk
  {
  	int status = -ENOENT;
  	struct nf_queue_entry *entry = NULL;
@@ -59,7 +59,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	/* QUEUE == DROP if no one is waiting, to be safe. */
  	qh = rcu_dereference(net->nf.queue_handler);
-@@ -156,11 +158,19 @@ static int __nf_queue(struct sk_buff *sk
+@@ -169,11 +171,19 @@ static int __nf_queue(struct sk_buff *sk
  		goto err;
  	}
  
@@ -83,7 +83,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (!entry) {
  		status = -ENOMEM;
  		goto err;
-@@ -175,7 +185,7 @@ static int __nf_queue(struct sk_buff *sk
+@@ -188,7 +198,7 @@ static int __nf_queue(struct sk_buff *sk
  		.skb	= skb,
  		.state	= *state,
  		.hook_index = index,
@@ -91,4 +91,4 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 +		.size	= sizeof(*entry) + route_key_size,
  	};
  
- 	nf_queue_entry_get_refs(entry);
+ 	if (!nf_queue_entry_get_refs(entry)) {

target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch

@@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static struct pernet_operations nfnl_log_net_ops = {
 --- a/net/netfilter/nfnetlink_queue.c
 +++ b/net/netfilter/nfnetlink_queue.c
-@@ -1511,10 +1511,15 @@ static int __net_init nfnl_queue_net_ini
+@@ -1517,10 +1517,15 @@ static int __net_init nfnl_queue_net_ini
  
  static void __net_exit nfnl_queue_net_exit(struct net *net)
  {

target/linux/generic/config-4.14

@@ -731,9 +731,9 @@ CONFIG_CC_STACKPROTECTOR_NONE=y
 # CONFIG_CDROM_PKTCDVD is not set
 # CONFIG_CEPH_FS is not set
 # CONFIG_CEPH_LIB is not set
-# CONFIG_CFQ_GROUP_IOSCHED is not set
 # CONFIG_CFG80211 is not set
 # CONFIG_CFG80211_CERTIFICATION_ONUS is not set
+# CONFIG_CFQ_GROUP_IOSCHED is not set
 # CONFIG_CGROUPS is not set
 # CONFIG_CGROUP_BPF is not set
 # CONFIG_CGROUP_DEBUG is not set
@@ -1603,6 +1603,7 @@ CONFIG_GENERIC_NET_UTILS=y
 # CONFIG_HAPPYMEAL is not set
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
+CONFIG_HARDEN_BRANCH_HISTORY=y
 # CONFIG_HARDLOCKUP_DETECTOR is not set
 # CONFIG_HAVE_AOUT is not set
 CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
@@ -2653,8 +2654,8 @@ CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
 # CONFIG_MICROSEMI_PHY is not set
 # CONFIG_MIGRATION is not set
 CONFIG_MII=y
-# CONFIG_MIKROTIK_RB532 is not set
 # CONFIG_MIKROTIK is not set
+# CONFIG_MIKROTIK_RB532 is not set
 # CONFIG_MINIX_FS is not set
 # CONFIG_MINIX_FS_NATIVE_ENDIAN is not set
 # CONFIG_MINIX_SUBPARTITION is not set
@@ -2677,6 +2678,7 @@ CONFIG_MISC_FILESYSTEMS=y
 # CONFIG_MISDN_NETJET is not set
 # CONFIG_MISDN_SPEEDFAX is not set
 # CONFIG_MISDN_W6692 is not set
+CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y
 # CONFIG_MKISS is not set
 # CONFIG_MLX4_CORE is not set
 # CONFIG_MLX4_EN is not set

target/linux/generic/hack-4.14/220-gc_sections.patch

@@ -67,7 +67,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  # but it is being used too early to link to meaningful stack_chk logic.
 --- a/arch/arm/kernel/vmlinux.lds.S
 +++ b/arch/arm/kernel/vmlinux.lds.S
-@@ -18,7 +18,7 @@
+@@ -31,7 +31,7 @@
  #define PROC_INFO							\
  	. = ALIGN(4);							\
  	VMLINUX_SYMBOL(__proc_info_begin) = .;				\
@@ -76,7 +76,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  	VMLINUX_SYMBOL(__proc_info_end) = .;
  
  #define HYPERVISOR_TEXT							\
-@@ -29,11 +29,11 @@
+@@ -42,11 +42,11 @@
  #define IDMAP_TEXT							\
  	ALIGN_FUNCTION();						\
  	VMLINUX_SYMBOL(__idmap_text_start) = .;				\
@@ -90,7 +90,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  	VMLINUX_SYMBOL(__hyp_idmap_text_end) = .;
  
  #ifdef CONFIG_HOTPLUG_CPU
-@@ -106,7 +106,7 @@ SECTIONS
+@@ -119,7 +119,7 @@ SECTIONS
  		_stext = .;		/* Text and read-only data	*/
  			IDMAP_TEXT
  			__exception_text_start = .;
@@ -99,7 +99,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  			__exception_text_end = .;
  			IRQENTRY_TEXT
  			SOFTIRQENTRY_TEXT
-@@ -135,7 +135,7 @@ SECTIONS
+@@ -148,7 +148,7 @@ SECTIONS
  	__ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
  		__start___ex_table = .;
  #ifdef CONFIG_MMU
@@ -108,7 +108,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  #endif
  		__stop___ex_table = .;
  	}
-@@ -147,12 +147,12 @@ SECTIONS
+@@ -160,12 +160,12 @@ SECTIONS
  	. = ALIGN(8);
  	.ARM.unwind_idx : {
  		__start_unwind_idx = .;
@@ -123,24 +123,33 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  		__stop_unwind_tab = .;
  	}
  #endif
-@@ -172,14 +172,14 @@ SECTIONS
- 	 */
- 	__vectors_start = .;
- 	.vectors 0xffff0000 : AT(__vectors_start) {
--		*(.vectors)
-+		KEEP(*(.vectors))
+@@ -186,13 +186,13 @@ SECTIONS
+ 	__vectors_lma = .;
+ 	OVERLAY 0xffff0000 : NOCROSSREFS AT(__vectors_lma) {
+ 		.vectors {
+-			*(.vectors)
++			KEEP(*(.vectors))
+ 		}
+ 		.vectors.bhb.loop8 {
+-			*(.vectors.bhb.loop8)
++			KEEP(*(.vectors.bhb.loop8))
+ 		}
+ 		.vectors.bhb.bpiall {
+-			*(.vectors.bhb.bpiall)
++			KEEP(*(.vectors.bhb.bpiall))
+ 		}
  	}
- 	. = __vectors_start + SIZEOF(.vectors);
- 	__vectors_end = .;
+ 	ARM_LMA(__vectors, .vectors);
+@@ -204,7 +204,7 @@ SECTIONS
  
- 	__stubs_start = .;
- 	.stubs ADDR(.vectors) + 0x1000 : AT(__stubs_start) {
+ 	__stubs_lma = .;
+ 	.stubs ADDR(.vectors) + 0x1000 : AT(__stubs_lma) {
 -		*(.stubs)
 +		KEEP(*(.stubs))
  	}
- 	. = __stubs_start + SIZEOF(.stubs);
- 	__stubs_end = .;
-@@ -195,24 +195,24 @@ SECTIONS
+ 	ARM_LMA(__stubs, .stubs);
+ 	. = __stubs_lma + SIZEOF(.stubs);
+@@ -220,24 +220,24 @@ SECTIONS
  	}
  	.init.arch.info : {
  		__arch_info_begin = .;

target/linux/generic/hack-4.14/251-sound_kconfig.patch

@@ -92,7 +92,7 @@ Signed-off-by: John Crispin <john@phrozen.org>
  	bool
 --- a/lib/Kconfig
 +++ b/lib/Kconfig
-@@ -358,16 +358,16 @@ config BCH_CONST_T
+@@ -357,16 +357,16 @@ config BCH_CONST_T
  # Textsearch support is select'ed if needed
  #
  config TEXTSEARCH

target/linux/generic/hack-4.14/902-debloat_proc.patch

@@ -327,7 +327,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
 --- a/net/core/sock.c
 +++ b/net/core/sock.c
-@@ -3430,6 +3430,8 @@ static __net_initdata struct pernet_oper
+@@ -3427,6 +3427,8 @@ static __net_initdata struct pernet_oper
  
  static int __init proto_init(void)
  {

target/linux/generic/hack-4.14/930-crashlog.patch

@@ -318,7 +318,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  #include <asm/sections.h>
  #include <linux/io.h>
-@@ -447,6 +448,8 @@ static void __init_memblock memblock_ins
+@@ -453,6 +454,8 @@ static void __init_memblock memblock_ins
  	memblock_set_region_node(rgn, nid);
  	type->cnt++;
  	type->total_size += size;
@@ -327,7 +327,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  }
  
  /**
-@@ -486,6 +489,8 @@ int __init_memblock memblock_add_range(s
+@@ -492,6 +495,8 @@ int __init_memblock memblock_add_range(s
  		type->regions[0].flags = flags;
  		memblock_set_region_node(&type->regions[0], nid);
  		type->total_size = size;

target/linux/generic/pending-4.14/530-jffs2_make_lzma_available.patch

@@ -1087,7 +1087,7 @@ Signed-off-by: Alexandros C. Couloumbis <alex@ozo.com>
  #define JFFS2_NODE_ACCURATE 0x2000
 --- a/lib/Kconfig
 +++ b/lib/Kconfig
-@@ -259,6 +259,12 @@ config ZSTD_DECOMPRESS
+@@ -258,6 +258,12 @@ config ZSTD_DECOMPRESS
  
  source "lib/xz/Kconfig"
  

target/linux/generic/pending-4.14/630-packet_socket_type.patch

@@ -87,7 +87,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	if (!net_eq(dev_net(dev), sock_net(sk)))
  		goto drop;
  
-@@ -3329,6 +3331,7 @@ static int packet_create(struct net *net
+@@ -3332,6 +3334,7 @@ static int packet_create(struct net *net
  	mutex_init(&po->pg_vec_lock);
  	po->rollover = NULL;
  	po->prot_hook.func = packet_rcv;
@@ -95,7 +95,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  	if (sock->type == SOCK_PACKET)
  		po->prot_hook.func = packet_rcv_spkt;
-@@ -3955,6 +3958,16 @@ packet_setsockopt(struct socket *sock, i
+@@ -3964,6 +3967,16 @@ packet_setsockopt(struct socket *sock, i
  		po->xmit = val ? packet_direct_xmit : dev_queue_xmit;
  		return 0;
  	}
@@ -112,7 +112,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	default:
  		return -ENOPROTOOPT;
  	}
-@@ -4007,6 +4020,13 @@ static int packet_getsockopt(struct sock
+@@ -4016,6 +4029,13 @@ static int packet_getsockopt(struct sock
  	case PACKET_VNET_HDR:
  		val = po->has_vnet_hdr;
  		break;

target/linux/generic/pending-4.14/834-ledtrig-libata.patch

@@ -65,7 +65,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  /**
   *	ata_build_rw_tf - Build ATA taskfile for given read/write request
   *	@tf: Target ATA taskfile
-@@ -5159,6 +5172,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
+@@ -5160,6 +5173,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
  		if (tag < 0)
  			return NULL;
  	}
@@ -75,7 +75,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  
  	qc = __ata_qc_from_tag(ap, tag);
  	qc->tag = tag;
-@@ -6062,6 +6078,9 @@ struct ata_port *ata_port_alloc(struct a
+@@ -6063,6 +6079,9 @@ struct ata_port *ata_port_alloc(struct a
  	ap->stats.unhandled_irq = 1;
  	ap->stats.idle_irq = 1;
  #endif
@@ -85,7 +85,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  	ata_sff_port_init(ap);
  
  	return ap;
-@@ -6083,6 +6102,12 @@ static void ata_host_release(struct devi
+@@ -6084,6 +6103,12 @@ static void ata_host_release(struct devi
  
  		kfree(ap->pmp_link);
  		kfree(ap->slave_link);
@@ -98,7 +98,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  		kfree(ap);
  		host->ports[i] = NULL;
  	}
-@@ -6529,7 +6554,23 @@ int ata_host_register(struct ata_host *h
+@@ -6530,7 +6555,23 @@ int ata_host_register(struct ata_host *h
  		host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
  		host->ports[i]->local_port_no = i + 1;
  	}

target/linux/layerscape/patches-4.14/301-arch-support-layerscape.patch

@@ -214,7 +214,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
   * address space as memory. Needed when the kernel wants to execute
 --- a/arch/arm/mm/mmu.c
 +++ b/arch/arm/mm/mmu.c
-@@ -315,6 +315,13 @@ static struct mem_type mem_types[] __ro_
+@@ -317,6 +317,13 @@ static struct mem_type mem_types[] __ro_
  		.prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
  		.domain    = DOMAIN_KERNEL,
  	},
@@ -228,7 +228,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
  	[MT_ROM] = {
  		.prot_sect = PMD_TYPE_SECT,
  		.domain    = DOMAIN_KERNEL,
-@@ -651,6 +658,7 @@ static void __init build_mem_type_table(
+@@ -653,6 +660,7 @@ static void __init build_mem_type_table(
  	}
  	kern_pgprot |= PTE_EXT_AF;
  	vecs_pgprot |= PTE_EXT_AF;
@@ -236,7 +236,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
  
  	/*
  	 * Set PXN for user mappings
-@@ -679,6 +687,7 @@ static void __init build_mem_type_table(
+@@ -681,6 +689,7 @@ static void __init build_mem_type_table(
  	mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
  	mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
  	mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;

target/linux/layerscape/patches-4.14/805-qe-support-layerscape.patch

@@ -1482,7 +1482,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
  
  #undef DEBUG
  
-@@ -61,16 +59,16 @@ void __par_io_config_pin(struct qe_pio_r
+@@ -63,16 +61,16 @@ void __par_io_config_pin(struct qe_pio_r
  	pin_mask1bit = (u32) (1 << (QE_PIO_PINS - (pin + 1)));
  
  	/* Set open drain, if required */
@@ -1504,7 +1504,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
  
  	/* get all bits mask for 2 bit per port */
  	pin_mask2bits = (u32) (0x3 << (QE_PIO_PINS -
-@@ -82,34 +80,30 @@ void __par_io_config_pin(struct qe_pio_r
+@@ -84,34 +82,30 @@ void __par_io_config_pin(struct qe_pio_r
  
  	/* clear and set 2 bits mask */
  	if (pin > (QE_PIO_PINS / 2) - 1) {
@@ -1549,7 +1549,7 @@ Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
  	}
  }
  EXPORT_SYMBOL(__par_io_config_pin);
-@@ -137,12 +131,12 @@ int par_io_data_set(u8 port, u8 pin, u8
+@@ -139,12 +133,12 @@ int par_io_data_set(u8 port, u8 pin, u8
  	/* calculate pin location */
  	pin_mask = (u32) (1 << (QE_PIO_PINS - 1 - pin));
  

target/linux/layerscape/patches-4.14/807-usb-support-layerscape.patch

@@ -528,7 +528,7 @@ Signed-off-by: Zhao Chenhui <chenhui.zhao@freescale.com>
  		reg &= ~DWC3_DCTL_INITU2ENA;
 --- a/drivers/usb/dwc3/gadget.c
 +++ b/drivers/usb/dwc3/gadget.c
-@@ -3257,6 +3257,7 @@ int dwc3_gadget_init(struct dwc3 *dwc)
+@@ -3259,6 +3259,7 @@ int dwc3_gadget_init(struct dwc3 *dwc)
  {
  	int ret;
  	int irq;
@@ -536,7 +536,7 @@ Signed-off-by: Zhao Chenhui <chenhui.zhao@freescale.com>
  
  	irq = dwc3_gadget_get_irq(dwc);
  	if (irq < 0) {
-@@ -3335,6 +3336,12 @@ int dwc3_gadget_init(struct dwc3 *dwc)
+@@ -3337,6 +3338,12 @@ int dwc3_gadget_init(struct dwc3 *dwc)
  
  	dwc3_gadget_set_speed(&dwc->gadget, dwc->maximum_speed);
  
@@ -1340,7 +1340,7 @@ Signed-off-by: Zhao Chenhui <chenhui.zhao@freescale.com>
  		while (ep_ring->dequeue != td->last_trb)
 --- a/drivers/usb/host/xhci.c
 +++ b/drivers/usb/host/xhci.c
-@@ -1615,13 +1615,38 @@ static int xhci_urb_dequeue(struct usb_h
+@@ -1625,13 +1625,38 @@ static int xhci_urb_dequeue(struct usb_h
  			ret = -ENOMEM;
  			goto done;
  		}

target/linux/layerscape/patches-4.14/823-pm-support-layerscape.patch

@@ -25,7 +25,7 @@ Signed-off-by: Zhao Chenhui <chenhui.zhao@nxp.com>
 
 --- a/drivers/firmware/psci.c
 +++ b/drivers/firmware/psci.c
-@@ -437,8 +437,18 @@ CPUIDLE_METHOD_OF_DECLARE(psci, "psci",
+@@ -452,8 +452,18 @@ CPUIDLE_METHOD_OF_DECLARE(psci, "psci",
  
  static int psci_system_suspend(unsigned long unused)
  {
@@ -46,7 +46,7 @@ Signed-off-by: Zhao Chenhui <chenhui.zhao@nxp.com>
  }
  
  static int psci_system_suspend_enter(suspend_state_t state)
-@@ -562,6 +572,8 @@ static void __init psci_0_2_set_function
+@@ -577,6 +587,8 @@ static void __init psci_0_2_set_function
  	arm_pm_restart = psci_sys_reset;
  
  	pm_power_off = psci_sys_poweroff;

target/linux/oxnas/patches-4.14/999-libata-hacks.patch

@@ -15,7 +15,7 @@
  	/* initialize internal qc */
  
  	/* XXX: Tag 0 is used for drivers with legacy EH as some
-@@ -5166,6 +5174,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
+@@ -5167,6 +5175,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
  	if (unlikely(ap->pflags & ATA_PFLAG_FROZEN))
  		return NULL;
  
@@ -25,7 +25,7 @@
  	/* libsas case */
  	if (ap->flags & ATA_FLAG_SAS_HOST) {
  		tag = ata_sas_allocate_tag(ap);
-@@ -5211,6 +5222,8 @@ void ata_qc_free(struct ata_queued_cmd *
+@@ -5212,6 +5223,8 @@ void ata_qc_free(struct ata_queued_cmd *
  		qc->tag = ATA_TAG_POISON;
  		if (ap->flags & ATA_FLAG_SAS_HOST)
  			ata_sas_free_tag(tag, ap);

target/linux/sunxi/patches-4.14/031-arm64-Implement-arch_counter_get_cntpct-to-read-the-.patch

@@ -84,7 +84,7 @@ Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
  static u64 notrace arm64_858921_read_cntvct_el0(void)
  {
  	u64 old, new;
-@@ -346,6 +365,7 @@ static const struct arch_timer_erratum_w
+@@ -353,6 +372,7 @@ static const struct arch_timer_erratum_w
  		.desc = "Freescale erratum a005858",
  		.read_cntp_tval_el0 = fsl_a008585_read_cntp_tval_el0,
  		.read_cntv_tval_el0 = fsl_a008585_read_cntv_tval_el0,
@@ -92,7 +92,7 @@ Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
  		.read_cntvct_el0 = fsl_a008585_read_cntvct_el0,
  		.set_next_event_phys = erratum_set_next_event_tval_phys,
  		.set_next_event_virt = erratum_set_next_event_tval_virt,
-@@ -358,6 +378,7 @@ static const struct arch_timer_erratum_w
+@@ -365,6 +385,7 @@ static const struct arch_timer_erratum_w
  		.desc = "HiSilicon erratum 161010101",
  		.read_cntp_tval_el0 = hisi_161010101_read_cntp_tval_el0,
  		.read_cntv_tval_el0 = hisi_161010101_read_cntv_tval_el0,
@@ -100,7 +100,7 @@ Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
  		.read_cntvct_el0 = hisi_161010101_read_cntvct_el0,
  		.set_next_event_phys = erratum_set_next_event_tval_phys,
  		.set_next_event_virt = erratum_set_next_event_tval_virt,
-@@ -368,6 +389,7 @@ static const struct arch_timer_erratum_w
+@@ -375,6 +396,7 @@ static const struct arch_timer_erratum_w
  		.desc = "HiSilicon erratum 161010101",
  		.read_cntp_tval_el0 = hisi_161010101_read_cntp_tval_el0,
  		.read_cntv_tval_el0 = hisi_161010101_read_cntv_tval_el0,
@@ -108,7 +108,7 @@ Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
  		.read_cntvct_el0 = hisi_161010101_read_cntvct_el0,
  		.set_next_event_phys = erratum_set_next_event_tval_phys,
  		.set_next_event_virt = erratum_set_next_event_tval_virt,
-@@ -378,6 +400,7 @@ static const struct arch_timer_erratum_w
+@@ -385,6 +407,7 @@ static const struct arch_timer_erratum_w
  		.match_type = ate_match_local_cap_id,
  		.id = (void *)ARM64_WORKAROUND_858921,
  		.desc = "ARM erratum 858921",

target/linux/sunxi/patches-4.14/100-clocksource-drivers-arch_timer-Workaround-for-Allwin.patch

@@ -173,7 +173,7 @@ Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
  	select TIMER_OF if OF
 --- a/drivers/clocksource/arm_arch_timer.c
 +++ b/drivers/clocksource/arm_arch_timer.c
-@@ -317,6 +317,48 @@ static u64 notrace arm64_858921_read_cnt
+@@ -324,6 +324,48 @@ static u64 notrace arm64_1188873_read_cn
  }
  #endif
  
@@ -222,8 +222,8 @@ Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
  #ifdef CONFIG_ARM_ARCH_TIMER_OOL_WORKAROUND
  DEFINE_PER_CPU(const struct arch_timer_erratum_workaround *,
  	       timer_unstable_counter_workaround);
-@@ -404,6 +446,19 @@ static const struct arch_timer_erratum_w
- 		.read_cntvct_el0 = arm64_858921_read_cntvct_el0,
+@@ -419,6 +461,19 @@ static const struct arch_timer_erratum_w
+ 		.read_cntvct_el0 = arm64_1188873_read_cntvct_el0,
  	},
  #endif
 +#ifdef CONFIG_SUN50I_ERRATUM_UNKNOWN1

tools/patchelf/patches/0001-patchelf-Check-ELF-endianness-before-writing-new-run.patch

@@ -0,0 +1,41 @@
+From 9c9efd0525ac1e11f83029b8df5303a47ab6fe56 Mon Sep 17 00:00:00 2001
+From: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
+Date: Mon, 25 Jun 2018 13:50:46 -0500
+Subject: [PATCH] patchelf: Check ELF endianness before writing new runpath
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ upstream commit e88d83c8b4e42a3358a90b781a5a98efa279ff15 ]
+
+This commit modifies the way fields are written in the dynamic
+section in order to account the architecture of the target ELF
+file. Instead of copying the raw data, use the helper functions
+to convert endianness.
+
+Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz> [version 0.9 backport]
+---
+ src/patchelf.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/patchelf.cc b/src/patchelf.cc
+index 136098fbeeda..383c78a46ee4 100644
+--- a/src/patchelf.cc
++++ b/src/patchelf.cc
+@@ -1171,13 +1171,13 @@ void ElfFile<ElfFileParamNames>::modifyRPath(RPathOp op, string newRPath)
+     debug("new rpath is `%s'\n", newRPath.c_str());
+ 
+     if (!forceRPath && dynRPath && !dynRunPath) { /* convert DT_RPATH to DT_RUNPATH */
+-        dynRPath->d_tag = DT_RUNPATH;
++        wri(dynRPath->d_tag, DT_RUNPATH);
+         dynRunPath = dynRPath;
+         dynRPath = 0;
+     }
+ 
+     if (forceRPath && dynRPath && dynRunPath) { /* convert DT_RUNPATH to DT_RPATH */
+-        dynRunPath->d_tag = DT_IGNORE;
++        wri(dynRunPath->d_tag, DT_IGNORE);
+     }
+ 
+     if (newRPath.size() <= rpathSize) {

tools/zlib/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=zlib
 PKG_VERSION:=1.2.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@SF/libpng http://www.zlib.net

tools/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch

@@ -0,0 +1,343 @@
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c   | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+     int wrap = 1;
+     static const char my_version[] = ZLIB_VERSION;
+ 
+-    ushf *overlay;
+-    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+-     * output size for (length,distance) codes is <= 24 bits.
+-     */
+-
+     if (version == Z_NULL || version[0] != my_version[0] ||
+         stream_size != sizeof(z_stream)) {
+         return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ 
+     s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+ 
+-    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+-    s->pending_buf = (uchf *) overlay;
+-    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++    /* We overlay pending_buf and sym_buf. This works since the average size
++     * for length/distance pairs over any compressed block is assured to be 31
++     * bits or less.
++     *
++     * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++     * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++     * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++     * possible fixed-codes length/distance pair is then 31 bits total.
++     *
++     * sym_buf starts one-fourth of the way into pending_buf. So there are
++     * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++     * in sym_buf is three bytes -- two for the distance and one for the
++     * literal/length. As each symbol is consumed, the pointer to the next
++     * sym_buf value to read moves forward three bytes. From that symbol, up to
++     * 31 bits are written to pending_buf. The closest the written pending_buf
++     * bits gets to the next sym_buf symbol to read is just before the last
++     * code is written. At that time, 31*(n-2) bits have been written, just
++     * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++     * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++     * symbols are written.) The closest the writing gets to what is unread is
++     * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++     * can range from 128 to 32768.
++     *
++     * Therefore, at a minimum, there are 142 bits of space between what is
++     * written and what is read in the overlain buffers, so the symbols cannot
++     * be overwritten by the compressed data. That space is actually 139 bits,
++     * due to the three-bit fixed-code block header.
++     *
++     * That covers the case where either Z_FIXED is specified, forcing fixed
++     * codes, or when the use of fixed codes is chosen, because that choice
++     * results in a smaller compressed block than dynamic codes. That latter
++     * condition then assures that the above analysis also covers all dynamic
++     * blocks. A dynamic-code block will only be chosen to be emitted if it has
++     * fewer bits than a fixed-code block would for the same set of symbols.
++     * Therefore its average symbol length is assured to be less than 31. So
++     * the compressed data for a dynamic block also cannot overwrite the
++     * symbols from which it is being constructed.
++     */
++
++    s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++    s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+ 
+     if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+         s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+         deflateEnd (strm);
+         return Z_MEM_ERROR;
+     }
+-    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+-    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++    s->sym_buf = s->pending_buf + s->lit_bufsize;
++    s->sym_end = (s->lit_bufsize - 1) * 3;
++    /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++     * on 16 bit machines and because stored blocks are restricted to
++     * 64K-1 bytes.
++     */
+ 
+     s->level = level;
+     s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+ 
+     if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+     s = strm->state;
+-    if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++    if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+         return Z_BUF_ERROR;
+     do {
+         put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+     deflate_state *ds;
+     deflate_state *ss;
+-    ushf *overlay;
+ 
+ 
+     if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+     ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+     ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+     ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+-    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+-    ds->pending_buf = (uchf *) overlay;
++    ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+ 
+     if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+         ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+     zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+ 
+     ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+-    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+-    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++    ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+ 
+     ds->l_desc.dyn_tree = ds->dyn_ltree;
+     ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+     /* Depth of each subtree used as tie breaker for trees of equal frequency
+      */
+ 
+-    uchf *l_buf;          /* buffer for literals or lengths */
++    uchf *sym_buf;        /* buffer for distances and literals/lengths */
+ 
+     uInt  lit_bufsize;
+     /* Size of match buffer for literals/lengths.  There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+      *   - I can't count above 4
+      */
+ 
+-    uInt last_lit;      /* running index in l_buf */
+-
+-    ushf *d_buf;
+-    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+-     * the same number of elements. To use different lengths, an extra flag
+-     * array would be necessary.
+-     */
++    uInt sym_next;      /* running index in sym_buf */
++    uInt sym_end;       /* symbol table full when sym_next reaches this */
+ 
+     ulg opt_len;        /* bit length of current block with optimal trees */
+     ulg static_len;     /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+ 
+ # define _tr_tally_lit(s, c, flush) \
+   { uch cc = (c); \
+-    s->d_buf[s->last_lit] = 0; \
+-    s->l_buf[s->last_lit++] = cc; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = cc; \
+     s->dyn_ltree[cc].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+    }
+ # define _tr_tally_dist(s, distance, length, flush) \
+   { uch len = (uch)(length); \
+     ush dist = (ush)(distance); \
+-    s->d_buf[s->last_lit] = dist; \
+-    s->l_buf[s->last_lit++] = len; \
++    s->sym_buf[s->sym_next++] = dist; \
++    s->sym_buf[s->sym_next++] = dist >> 8; \
++    s->sym_buf[s->sym_next++] = len; \
+     dist--; \
+     s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+     s->dyn_dtree[d_code(dist)].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+   }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+ 
+     s->dyn_ltree[END_BLOCK].Freq = 1;
+     s->opt_len = s->static_len = 0L;
+-    s->last_lit = s->matches = 0;
++    s->sym_next = s->matches = 0;
+ }
+ 
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+ 
+         Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+                 opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+-                s->last_lit));
++                s->sym_next / 3));
+ 
+         if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+ 
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+     unsigned dist;  /* distance of matched string */
+     unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+-    s->d_buf[s->last_lit] = (ush)dist;
+-    s->l_buf[s->last_lit++] = (uch)lc;
++    s->sym_buf[s->sym_next++] = dist;
++    s->sym_buf[s->sym_next++] = dist >> 8;
++    s->sym_buf[s->sym_next++] = lc;
+     if (dist == 0) {
+         /* lc is the unmatched char */
+         s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+         s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+         s->dyn_dtree[d_code(dist)].Freq++;
+     }
+-
+-#ifdef TRUNCATE_BLOCK
+-    /* Try to guess if it is profitable to stop the current block here */
+-    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+-        /* Compute an upper bound for the compressed length */
+-        ulg out_length = (ulg)s->last_lit*8L;
+-        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+-        int dcode;
+-        for (dcode = 0; dcode < D_CODES; dcode++) {
+-            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+-                (5L+extra_dbits[dcode]);
+-        }
+-        out_length >>= 3;
+-        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+-               s->last_lit, in_length, out_length,
+-               100L - out_length*100L/in_length));
+-        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+-    }
+-#endif
+-    return (s->last_lit == s->lit_bufsize-1);
+-    /* We avoid equality with lit_bufsize because of wraparound at 64K
+-     * on 16 bit machines and because stored blocks are restricted to
+-     * 64K-1 bytes.
+-     */
++    return (s->sym_next == s->sym_end);
+ }
+ 
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+     unsigned dist;      /* distance of matched string */
+     int lc;             /* match length or unmatched char (if dist == 0) */
+-    unsigned lx = 0;    /* running index in l_buf */
++    unsigned sx = 0;    /* running index in sym_buf */
+     unsigned code;      /* the code to send */
+     int extra;          /* number of extra bits to send */
+ 
+-    if (s->last_lit != 0) do {
+-        dist = s->d_buf[lx];
+-        lc = s->l_buf[lx++];
++    if (s->sym_next != 0) do {
++        dist = s->sym_buf[sx++] & 0xff;
++        dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++        lc = s->sym_buf[sx++];
+         if (dist == 0) {
+             send_code(s, lc, ltree); /* send a literal byte */
+             Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+             }
+         } /* literal or match pair ? */
+ 
+-        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+-        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+-               "pendingBuf overflow");
++        /* Check that the overlay between pending_buf and sym_buf is ok: */
++        Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+ 
+-    } while (lx < s->last_lit);
++    } while (sx < s->sym_next);
+ 
+     send_code(s, END_BLOCK, ltree);
+ }

version

@@ -1 +1 @@
-r11405-2a3558b0de
+r11427-9ce6aa9d8d

version.date

@@ -1 +1 @@
-1645044479
+1650114812