OpenWrt v18.06.8: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

.gitignore

@@ -16,6 +16,7 @@
 /overlay
 /package/feeds
 /package/openwrt-packages
+/*.patch
 key-build*
 *.orig
 *.rej

config/Config-build.in

@@ -34,6 +34,10 @@ menu "Global build settings"
 		bool "Cryptographically signed package lists"
 		default y
 
+	config SIGNATURE_CHECK
+		bool "Enable signature checking in opkg"
+		default SIGNED_PACKAGES
+
 	comment "General build options"
 
 	config DISPLAY_SUPPORT

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^7879bbdb4ba35888c096a85367f98efbc617ebec
-src-git luci https://git.openwrt.org/project/luci.git^4d6d8bc5b0d7ee71c7b29b12e7e0c2e1e86cb268
-src-git routing https://git.openwrt.org/feed/routing.git^7589804a56baac804421b492c93004c28a627abb
-src-git telephony https://git.openwrt.org/feed/telephony.git^16bad9e04dcff392e9a92eea005127c06dfebd9c
+src-git packages https://git.openwrt.org/feed/packages.git^c05ea69d6d4f503c9bf69fd3d5e551e21c434084
+src-git luci https://git.openwrt.org/project/luci.git^41e2258d6dc1ebe8d3874ae6d6b13db49cff2c5c
+src-git routing https://git.openwrt.org/feed/routing.git^0e63ef9276bf41c0d4176127f9f047343b8ffe32
+src-git telephony https://git.openwrt.org/feed/telephony.git^8ecbdabc7c5cadbe571eb947f5cd333a5a785010

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .182
-LINUX_VERSION-4.14 = .128
+LINUX_VERSION-4.9 = .214
+LINUX_VERSION-4.14 = .171
 
-LINUX_KERNEL_HASH-4.9.182 = b16e12681a0638368479d73a9b1b8e9407c1ae4b7ae52fdf236d9e5657999695
-LINUX_KERNEL_HASH-4.14.128 = e93c2c754f1f9c610314b2fe9f27a9636ad3a7f43983469bb8e0f44a531f2913
+LINUX_KERNEL_HASH-4.9.214 = b47f093dac7034c7c4722e80042c05e4ef53c14a4f28aa992117a127d2b1e483
+LINUX_KERNEL_HASH-4.14.171 = 4fe02489e4b4a187eccf0ef87df6100534c9d485e76d876b1fa247c7635332a0
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/netfilter.mk

@@ -258,7 +258,11 @@ $(eval $(call nf_add,IPT_DEBUG,CONFIG_NETFILTER_XT_TARGET_TRACE, $(P_XT)xt_TRACE
 # tproxy
 
 $(eval $(call nf_add,IPT_TPROXY,CONFIG_NETFILTER_XT_MATCH_SOCKET, $(P_XT)xt_socket))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_SOCKET_IPV4, $(P_V4)nf_socket_ipv4, ge 4.10))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_SOCKET_IPV6, $(P_V6)nf_socket_ipv6, ge 4.10))
 $(eval $(call nf_add,IPT_TPROXY,CONFIG_NETFILTER_XT_TARGET_TPROXY, $(P_XT)xt_TPROXY))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_TPROXY_IPV4, $(P_V4)nf_tproxy_ipv4, ge 4.18))
+$(eval $(call nf_add,IPT_TPROXY,CONFIG_NF_TPROXY_IPV6, $(P_V6)nf_tproxy_ipv6, ge 4.18))
 
 # led
 $(eval $(call nf_add,IPT_LED,CONFIG_NETFILTER_XT_TARGET_LED, $(P_XT)xt_LED))

include/prereq-build.mk

@@ -141,10 +141,12 @@ $(eval $(call SetupHostCommand,wget,Please install GNU 'wget', \
 $(eval $(call SetupHostCommand,perl,Please install Perl 5.x, \
 	perl --version | grep "perl.*v5"))
 
+$(eval $(call CleanupPython3))
+
 $(eval $(call SetupHostCommand,python,Please install Python 2.x, \
-	python2.7 -V 2>&1 | grep Python, \
-	python2 -V 2>&1 | grep Python, \
-	python -V 2>&1 | grep Python))
+	python2.7 -V 2>&1 | grep 'Python 2.7', \
+	python2 -V 2>&1 | grep 'Python 2', \
+	python -V 2>&1 | grep 'Python 2'))
 
 $(eval $(call SetupHostCommand,git,Please install Git (git-core) >= 1.7.12.2, \
 	git --exec-path | xargs -I % -- grep -q -- --recursive %/git-submodule))

include/prereq.mk

@@ -66,6 +66,18 @@ define RequireHeader
   $$(eval $$(call Require,$(1),$(2)))
 endef
 
+define CleanupPython3
+  define Require/python3-cleanup
+	if [ -f "$(STAGING_DIR_HOST)/bin/python" ] && \
+		$(STAGING_DIR_HOST)/bin/python -V 2>&1 | \
+		grep -q 'Python 3'; then \
+			rm $(STAGING_DIR_HOST)/bin/python; \
+	fi
+  endef
+
+  $$(eval $$(call Require,python3-cleanup))
+endef
+
 define QuoteHostCommand
 '$(subst ','"'"',$(strip $(1)))'
 endef

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.3)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.8)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7798-97ae9e0ccb)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7989-82fbd85747)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.3)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.8)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/Makefile

@@ -84,7 +84,11 @@ $(curdir)/index: FORCE
 		mkdir -p $$d; \
 		cd $$d || continue; \
 		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages.manifest; \
-		grep -vE '^(Maintainer|LicenseFiles|Source|Require)' Packages.manifest > Packages && \
+		grep -vE '^(Maintainer|LicenseFiles|Source|Require)' Packages.manifest > Packages; \
+		case "$$(((64 + $$(stat -L -c%s Packages)) % 128))" in 110|111) \
+			$(call ERROR_MESSAGE,WARNING: Applying padding in $$d/Packages to workaround usign SHA-512 bug!); \
+			{ echo ""; echo ""; } >> Packages;; \
+		esac; \
 		gzip -9nc Packages > Packages.gz; \
 	); done
 ifdef CONFIG_SIGNED_PACKAGES

package/base-files/Makefile

@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/version.mk
 include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=194.2
+PKG_RELEASE:=194.3
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/

package/base-files/files/bin/config_generate

@@ -85,12 +85,16 @@ generate_network() {
 		set network.$1.proto='none'
 	EOF
 
-	[ -n "$macaddr" ] && uci -q batch <<-EOF
-		delete network.$1_dev
-		set network.$1_dev='device'
-		set network.$1_dev.name='$ifname'
-		set network.$1_dev.macaddr='$macaddr'
+	if [ -n "$macaddr" ]; then
+		for name in $ifname; do
+			uci -q batch <<-EOF
+				delete network.$1_${name/./_}_dev
+				set network.$1_${name/./_}_dev='device'
+				set network.$1_${name/./_}_dev.name='$name'
+				set network.$1_${name/./_}_dev.macaddr='$macaddr'
 			EOF
+		done
+	fi
 
 	case "$protocol" in
 		static)

package/base-files/files/lib/functions/system.sh

@@ -4,7 +4,7 @@ get_mac_binary() {
 	local path="$1"
 	local offset="$2"
 
-	if [ -z "$path" ]; then
+	if ! [ -e "$path" ]; then
 		echo "get_mac_binary: file $path not found!" >&2
 		return
 	fi

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.3"
+		default "http://downloads.openwrt.org/releases/18.06.8"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/uboot-envtools/files/ar71xx

@@ -57,7 +57,10 @@ sr3200|\
 t830|\
 tube2h|\
 wam250|\
-wndr3700|\
+wnr1000-v2|\
+wnr2000-v3|\
+wnr2200|\
+wnr612-v2|\
 xd3200)
 	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x10000" "0x10000"
 	;;
@@ -91,6 +94,12 @@ qihoo-c301)
 wi2a-ac200i)
 	ubootenv_add_uci_config "/dev/mtd4" "0x0" "0x8000" "0x10000"
 	;;
+wndr3700)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x20000" "0x10000"
+	;;
+wndr4300)
+	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x40000" "0x20000"
+	;;
 esac
 
 config_load ubootenv

package/kernel/i2c-gpio-custom/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=i2c-gpio-custom
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/i2c-gpio-custom/src/i2c-gpio-custom.c

@@ -51,7 +51,7 @@
 
 #define DRV_NAME	"i2c-gpio-custom"
 #define DRV_DESC	"Custom GPIO-based I2C driver"
-#define DRV_VERSION	"0.1.1"
+#define DRV_VERSION	"0.1.2"
 
 #define PFX		DRV_NAME ": "
 
@@ -96,7 +96,7 @@ static void i2c_gpio_custom_cleanup(void)
 
 	for (i = 0; i < nr_devices; i++)
 		if (devices[i])
-			platform_device_put(devices[i]);
+			platform_device_unregister(devices[i]);
 }
 
 static int __init i2c_gpio_custom_add_one(unsigned int id, unsigned int *params)

package/kernel/lantiq/ltq-ptm/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-ptm
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/ltq-ptm-$(BUILD_VARIANT)
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

package/kernel/lantiq/ltq-ptm/src/ifxmips_ptm_vdsl.c

@@ -334,6 +334,9 @@ static int ptm_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         dma_cache_wback((unsigned long)skb->data, skb->len);
     }
 
+    /* make the skb unowned */
+    skb_orphan(skb);
+
     *(struct sk_buff **)((unsigned int)skb->data - byteoff - sizeof(struct sk_buff *)) = skb;
     /*  write back to physical memory   */
     dma_cache_wback((unsigned long)skb->data - byteoff - sizeof(struct sk_buff *), skb->len + byteoff + sizeof(struct sk_buff *));

package/kernel/linux/modules/netfilter.mk

@@ -554,6 +554,8 @@ define KernelPackage/ipt-tproxy
   TITLE:=Transparent proxying support
   DEPENDS+=+kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables
   KCONFIG:= \
+  	CONFIG_NF_SOCKET_IPV4 \
+  	CONFIG_NF_SOCKET_IPV6 \
   	CONFIG_NETFILTER_XT_MATCH_SOCKET \
   	CONFIG_NETFILTER_XT_TARGET_TPROXY
   FILES:= \

package/kernel/linux/modules/usb.mk

@@ -852,6 +852,7 @@ define KernelPackage/usb-serial-wwan
   TITLE:=Support for GSM and CDMA modems
   KCONFIG:=CONFIG_USB_SERIAL_WWAN
   FILES:=$(LINUX_DIR)/drivers/usb/serial/usb_wwan.ko
+  HIDDEN:=1
   AUTOLOAD:=$(call AutoProbe,usb_wwan)
   $(call AddDepends/usb-serial)
 endef
@@ -865,11 +866,10 @@ $(eval $(call KernelPackage,usb-serial-wwan))
 
 define KernelPackage/usb-serial-option
   TITLE:=Support for Option HSDPA modems
-  DEPENDS:=+kmod-usb-serial-wwan
   KCONFIG:=CONFIG_USB_SERIAL_OPTION
   FILES:=$(LINUX_DIR)/drivers/usb/serial/option.ko
   AUTOLOAD:=$(call AutoProbe,option)
-  $(call AddDepends/usb-serial)
+  $(call AddDepends/usb-serial,+kmod-usb-serial-wwan)
 endef
 
 define KernelPackage/usb-serial-option/description

package/kernel/mac80211/patches/370-backports-Adapt-to-changes-to-skb_get_hash_perturb.patch

@@ -0,0 +1,68 @@
+From e3c57dd949835419cee8d3b45db38de58bf6ebd5 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 18 Nov 2019 01:13:37 +0100
+Subject: [PATCH] backports: Adapt to changes to skb_get_hash_perturb()
+
+The skb_get_hash_perturb() function now takes a siphash_key_t instead of
+an u32. This was changed in commit 55667441c84f ("net/flow_dissector:
+switch to siphash"). Use the correct type in the fq header file
+depending on the kernel version.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ include/net/fq.h      | 8 ++++++++
+ include/net/fq_impl.h | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/include/net/fq.h
++++ b/include/net/fq.h
+@@ -70,7 +70,15 @@ struct fq {
+ 	struct list_head backlogs;
+ 	spinlock_t lock;
+ 	u32 flows_cnt;
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	siphash_key_t	perturbation;
++#else
+ 	u32 perturbation;
++#endif
+ 	u32 limit;
+ 	u32 memory_limit;
+ 	u32 memory_usage;
+--- a/include/net/fq_impl.h
++++ b/include/net/fq_impl.h
+@@ -118,7 +118,15 @@ static struct fq_flow *fq_flow_classify(
+ 
+ 	lockdep_assert_held(&fq->lock);
+ 
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	hash = skb_get_hash_perturb(skb, &fq->perturbation);
++#else
+ 	hash = skb_get_hash_perturb(skb, fq->perturbation);
++#endif
+ 	idx = reciprocal_scale(hash, fq->flows_cnt);
+ 	flow = &fq->flows[idx];
+ 
+@@ -307,7 +315,15 @@ static int fq_init(struct fq *fq, int fl
+ 	INIT_LIST_HEAD(&fq->backlogs);
+ 	spin_lock_init(&fq->lock);
+ 	fq->flows_cnt = max_t(u32, flows_cnt, 1);
++#if LINUX_VERSION_IS_GEQ(5,3,10) || \
++    LINUX_VERSION_IN_RANGE(4,19,83, 4,20,0) || \
++    LINUX_VERSION_IN_RANGE(4,14,153, 4,15,0) || \
++    LINUX_VERSION_IN_RANGE(4,9,200, 4,10,0) || \
++    LINUX_VERSION_IN_RANGE(4,4,200, 4,5,0)
++	get_random_bytes(&fq->perturbation, sizeof(fq->perturbation));
++#else
+ 	fq->perturbation = prandom_u32();
++#endif
+ 	fq->quantum = 300;
+ 	fq->limit = 8192;
+ 	fq->memory_limit = 16 << 20; /* 16 MBytes */

package/kernel/mac80211/patches/467-v5.4-brcmfmac-use-strlcpy-instead-of-strcpy.patch

@@ -0,0 +1,26 @@
+From bbfab331e3abd9fa8767eea6bf5c4684cdd4b934 Mon Sep 17 00:00:00 2001
+From: Neo Jou <neojou@gmail.com>
+Date: Tue, 21 May 2019 17:12:20 +0800
+Subject: [PATCH] brcmfmac: use strlcpy() instead of strcpy()
+
+The function strcpy() is inherently not safe. Though the function
+works without problems here, it would be better to use other safer
+function, e.g. strlcpy(), to replace strcpy() still.
+
+Signed-off-by: Neo Jou <neojou@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -269,7 +269,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 
+ 	/* query for 'ver' to get version info from firmware */
+ 	memset(buf, 0, sizeof(buf));
+-	strcpy(buf, "ver");
++	strlcpy(buf, "ver", sizeof(buf));
+ 	err = brcmf_fil_iovar_data_get(ifp, "ver", buf, sizeof(buf));
+ 	if (err < 0) {
+ 		bphy_err(drvr, "Retrieving version information failed, %d\n",

package/kernel/mac80211/patches/468-v5.4-0001-brcmfmac-add-160MHz-in-chandef_to_chanspec.patch

@@ -0,0 +1,56 @@
+From f491645f039420fb7e14283e21b90772571c807c Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 10:45:30 +0200
+Subject: [PATCH] brcmfmac: add 160MHz in chandef_to_chanspec()
+
+The function chandef_to_chanspec() was not handling 160MHz bandwidth
+resulting in wrong encoding of the channel. That resulting in firmware
+rejecting the provided channel specification.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c    | 21 ++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -287,8 +287,26 @@ static u16 chandef_to_chanspec(struct br
+ 		else
+ 			ch_inf.sb = BRCMU_CHAN_SB_UU;
+ 		break;
+-	case NL80211_CHAN_WIDTH_80P80:
+ 	case NL80211_CHAN_WIDTH_160:
++		ch_inf.bw = BRCMU_CHAN_BW_160;
++		if (primary_offset == -70)
++			ch_inf.sb = BRCMU_CHAN_SB_LLL;
++		else if (primary_offset == -50)
++			ch_inf.sb = BRCMU_CHAN_SB_LLU;
++		else if (primary_offset == -30)
++			ch_inf.sb = BRCMU_CHAN_SB_LUL;
++		else if (primary_offset == -10)
++			ch_inf.sb = BRCMU_CHAN_SB_LUU;
++		else if (primary_offset == 10)
++			ch_inf.sb = BRCMU_CHAN_SB_ULL;
++		else if (primary_offset == 30)
++			ch_inf.sb = BRCMU_CHAN_SB_ULU;
++		else if (primary_offset == 50)
++			ch_inf.sb = BRCMU_CHAN_SB_UUL;
++		else
++			ch_inf.sb = BRCMU_CHAN_SB_UUU;
++		break;
++	case NL80211_CHAN_WIDTH_80P80:
+ 	case NL80211_CHAN_WIDTH_5:
+ 	case NL80211_CHAN_WIDTH_10:
+ 	default:
+@@ -307,6 +325,7 @@ static u16 chandef_to_chanspec(struct br
+ 	}
+ 	d11inf->encchspec(&ch_inf);
+ 
++	brcmf_dbg(TRACE, "chanspec: 0x%x\n", ch_inf.chspec);
+ 	return ch_inf.chspec;
+ }
+ 

package/kernel/mac80211/patches/469-v5.4-0001-Revert-brcmfmac-fix-NULL-pointer-derefence-during-US.patch

@@ -0,0 +1,168 @@
+From a84a60ccdd65278485fb495f468a5ab91a75c649 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:06 +0200
+Subject: [PATCH] Revert "brcmfmac: fix NULL pointer derefence during USB
+ disconnect"
+
+This reverts commit 5cdb0ef6144f47440850553579aa923c20a63f23. Subsequent
+changes make rework the driver code fixing the issue differently.
+
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/bcdc.c  | 11 ++---------
+ .../wireless/broadcom/brcm80211/brcmfmac/bcdc.h  |  6 ++----
+ .../wireless/broadcom/brcm80211/brcmfmac/core.c  |  4 +---
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c       | 16 ++++------------
+ .../broadcom/brcm80211/brcmfmac/fwsignal.h       |  3 +--
+ .../wireless/broadcom/brcm80211/brcmfmac/proto.c | 10 ++--------
+ .../wireless/broadcom/brcm80211/brcmfmac/proto.h |  3 +--
+ 7 files changed, 13 insertions(+), 40 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+@@ -490,18 +490,11 @@ fail:
+ 	return -ENOMEM;
+ }
+ 
+-void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr)
+-{
+-	struct brcmf_bcdc *bcdc = drvr->proto->pd;
+-
+-	brcmf_fws_detach_pre_delif(bcdc->fws);
+-}
+-
+-void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr)
++void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr)
+ {
+ 	struct brcmf_bcdc *bcdc = drvr->proto->pd;
+ 
+ 	drvr->proto->pd = NULL;
+-	brcmf_fws_detach_post_delif(bcdc->fws);
++	brcmf_fws_detach(bcdc->fws);
+ 	kfree(bcdc);
+ }
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
+@@ -18,16 +18,14 @@
+ 
+ #ifdef CPTCFG_BRCMFMAC_PROTO_BCDC
+ int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr);
+-void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr);
+-void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr);
++void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr);
+ void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state);
+ void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp,
+ 				 bool success);
+ struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr);
+ #else
+ static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; }
+-static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {};
+-static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {}
++static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {}
+ #endif
+ 
+ #endif /* BRCMFMAC_BCDC_H */
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1344,8 +1344,6 @@ void brcmf_detach(struct device *dev)
+ 
+ 	brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
+ 
+-	brcmf_proto_detach_pre_delif(drvr);
+-
+ 	/* make sure primary interface removed last */
+ 	for (i = BRCMF_MAX_IFS-1; i > -1; i--)
+ 		brcmf_remove_interface(drvr->iflist[i], false);
+@@ -1355,7 +1353,7 @@ void brcmf_detach(struct device *dev)
+ 
+ 	brcmf_bus_stop(drvr->bus_if);
+ 
+-	brcmf_proto_detach_post_delif(drvr);
++	brcmf_proto_detach(drvr);
+ 
+ 	bus_if->drvr = NULL;
+ 	wiphy_free(drvr->wiphy);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -2416,25 +2416,17 @@ struct brcmf_fws_info *brcmf_fws_attach(
+ 	return fws;
+ 
+ fail:
+-	brcmf_fws_detach_pre_delif(fws);
+-	brcmf_fws_detach_post_delif(fws);
++	brcmf_fws_detach(fws);
+ 	return ERR_PTR(rc);
+ }
+ 
+-void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws)
++void brcmf_fws_detach(struct brcmf_fws_info *fws)
+ {
+ 	if (!fws)
+ 		return;
+-	if (fws->fws_wq) {
+-		destroy_workqueue(fws->fws_wq);
+-		fws->fws_wq = NULL;
+-	}
+-}
+ 
+-void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws)
+-{
+-	if (!fws)
+-		return;
++	if (fws->fws_wq)
++		destroy_workqueue(fws->fws_wq);
+ 
+ 	/* cleanup */
+ 	brcmf_fws_lock(fws);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
+@@ -19,8 +19,7 @@
+ #define FWSIGNAL_H_
+ 
+ struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr);
+-void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws);
+-void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws);
++void brcmf_fws_detach(struct brcmf_fws_info *fws);
+ void brcmf_fws_debugfs_create(struct brcmf_pub *drvr);
+ bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws);
+ bool brcmf_fws_fc_active(struct brcmf_fws_info *fws);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
+@@ -67,22 +67,16 @@ fail:
+ 	return -ENOMEM;
+ }
+ 
+-void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr)
++void brcmf_proto_detach(struct brcmf_pub *drvr)
+ {
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+ 	if (drvr->proto) {
+ 		if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
+-			brcmf_proto_bcdc_detach_post_delif(drvr);
++			brcmf_proto_bcdc_detach(drvr);
+ 		else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF)
+ 			brcmf_proto_msgbuf_detach(drvr);
+ 		kfree(drvr->proto);
+ 		drvr->proto = NULL;
+ 	}
+ }
+-
+-void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr)
+-{
+-	if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
+-		brcmf_proto_bcdc_detach_pre_delif(drvr);
+-}
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
+@@ -54,8 +54,7 @@ struct brcmf_proto {
+ 
+ 
+ int brcmf_proto_attach(struct brcmf_pub *drvr);
+-void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr);
+-void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr);
++void brcmf_proto_detach(struct brcmf_pub *drvr);
+ 
+ static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
+ 				      struct sk_buff *skb,

package/kernel/mac80211/patches/469-v5.4-0002-brcmfmac-change-the-order-of-things-in-brcmf_detach.patch

@@ -0,0 +1,67 @@
+From 14fcfd1cc0c05ea58f47dd693fdd13f25dfe995e Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:07 +0200
+Subject: [PATCH] brcmfmac: change the order of things in brcmf_detach()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When brcmf_detach() from the bus layer upon rmmod we can no longer
+communicate. Hence we will set the bus state to DOWN and cleanup
+the event and protocol layer. The network interfaces need to be
+deleted before brcmf_cfg80211_detach() because the latter does the
+wiphy_unregister() which issues a warning if there are still network
+devices linked to the wiphy instance.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Tested-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/core.c        | 27 ++++++++++---------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1337,25 +1337,26 @@ void brcmf_detach(struct device *dev)
+ 	unregister_inet6addr_notifier(&drvr->inet6addr_notifier);
+ #endif
+ 
+-	/* stop firmware event handling */
+-	brcmf_fweh_detach(drvr);
+-	if (drvr->config)
+-		brcmf_p2p_detach(&drvr->config->p2p);
+-
+ 	brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
+-
+-	/* make sure primary interface removed last */
+-	for (i = BRCMF_MAX_IFS-1; i > -1; i--)
+-		brcmf_remove_interface(drvr->iflist[i], false);
+-
+-	brcmf_cfg80211_detach(drvr->config);
+-	drvr->config = NULL;
+-
+ 	brcmf_bus_stop(drvr->bus_if);
+ 
++	brcmf_fweh_detach(drvr);
+ 	brcmf_proto_detach(drvr);
+ 
++	/* make sure primary interface removed last */
++	for (i = BRCMF_MAX_IFS - 1; i > -1; i--) {
++		if (drvr->iflist[i])
++			brcmf_del_if(drvr, drvr->iflist[i]->bsscfgidx, false);
++	}
++
++	if (drvr->config) {
++		brcmf_p2p_detach(&drvr->config->p2p);
++		brcmf_cfg80211_detach(drvr->config);
++		drvr->config = NULL;
++	}
++
+ 	bus_if->drvr = NULL;
++
+ 	wiphy_free(drvr->wiphy);
+ }
+ 

package/kernel/mac80211/patches/469-v5.4-0003-brcmfmac-avoid-firmware-command-in-brcmf_netdev_open.patch

@@ -0,0 +1,30 @@
+From c613085b74941024194e41b200601b9aa6ee388f Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:08 +0200
+Subject: [PATCH] brcmfmac: avoid firmware command in brcmf_netdev_open() when
+ bus is down
+
+No point in sending a firmware command when bus is down so make it
+conditional checking the state.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -589,7 +589,8 @@ static int brcmf_netdev_stop(struct net_
+ 
+ 	brcmf_cfg80211_down(ndev);
+ 
+-	brcmf_fil_iovar_data_set(ifp, "arp_hostip_clear", NULL, 0);
++	if (ifp->drvr->bus_if->state == BRCMF_BUS_UP)
++		brcmf_fil_iovar_data_set(ifp, "arp_hostip_clear", NULL, 0);
+ 
+ 	brcmf_net_setcarrier(ifp, false);
+ 

package/kernel/mac80211/patches/469-v5.4-0004-brcmfmac-clear-events-in-brcmf_fweh_detach-will-alwa.patch

@@ -0,0 +1,38 @@
+From c33330ac06fe863289643e7a13ecdb6a2502dad7 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:09 +0200
+Subject: [PATCH] brcmfmac: clear events in brcmf_fweh_detach() will always
+ fail
+
+Clearing firmware events in brcmf_fweh_detach() is always failing
+because it is called only upon driver remove and communication
+with firmware is no longer possible.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -314,16 +314,7 @@ void brcmf_fweh_attach(struct brcmf_pub
+ void brcmf_fweh_detach(struct brcmf_pub *drvr)
+ {
+ 	struct brcmf_fweh_info *fweh = &drvr->fweh;
+-	struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
+-	s8 eventmask[BRCMF_EVENTING_MASK_LEN];
+ 
+-	if (ifp) {
+-		/* clear all events */
+-		memset(eventmask, 0, BRCMF_EVENTING_MASK_LEN);
+-		(void)brcmf_fil_iovar_data_set(ifp, "event_msgs",
+-					       eventmask,
+-					       BRCMF_EVENTING_MASK_LEN);
+-	}
+ 	/* cancel the worker */
+ 	cancel_work_sync(&fweh->event_work);
+ 	WARN_ON(!list_empty(&fweh->event_q));

package/kernel/mac80211/patches/469-v5.4-0005-brcmfmac-avoid-firmware-commands-when-bus-is-down.patch

@@ -0,0 +1,79 @@
+From 1ac11ae949dd883854f4523ef8e3a32aabfd6256 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:10 +0200
+Subject: [PATCH] brcmfmac: avoid firmware commands when bus is down
+
+Upon rmmod a few attempts are made to inform firmware, but there is
+no point as the bus is down and these will fail. Avoid them to keep
+the logs clean.
+
+Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c    | 23 +++++++++++--------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1297,17 +1297,21 @@ static void brcmf_link_down(struct brcmf
+ {
+ 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(vif->wdev.wiphy);
+ 	struct brcmf_pub *drvr = cfg->pub;
++	bool bus_up = drvr->bus_if->state == BRCMF_BUS_UP;
+ 	s32 err = 0;
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+ 	if (test_and_clear_bit(BRCMF_VIF_STATUS_CONNECTED, &vif->sme_state)) {
+-		brcmf_dbg(INFO, "Call WLC_DISASSOC to stop excess roaming\n ");
+-		err = brcmf_fil_cmd_data_set(vif->ifp,
+-					     BRCMF_C_DISASSOC, NULL, 0);
+-		if (err) {
+-			bphy_err(drvr, "WLC_DISASSOC failed (%d)\n", err);
++		if (bus_up) {
++			brcmf_dbg(INFO, "Call WLC_DISASSOC to stop excess roaming\n");
++			err = brcmf_fil_cmd_data_set(vif->ifp,
++						     BRCMF_C_DISASSOC, NULL, 0);
++			if (err)
++				bphy_err(drvr, "WLC_DISASSOC failed (%d)\n",
++					 err);
+ 		}
++
+ 		if ((vif->wdev.iftype == NL80211_IFTYPE_STATION) ||
+ 		    (vif->wdev.iftype == NL80211_IFTYPE_P2P_CLIENT))
+ 			cfg80211_disconnected(vif->wdev.netdev, reason, NULL, 0,
+@@ -1317,7 +1321,8 @@ static void brcmf_link_down(struct brcmf
+ 	clear_bit(BRCMF_SCAN_STATUS_SUPPRESS, &cfg->scan_status);
+ 	brcmf_btcoex_set_mode(vif, BRCMF_BTCOEX_ENABLED, 0);
+ 	if (vif->profile.use_fwsup != BRCMF_PROFILE_FWSUP_NONE) {
+-		brcmf_set_pmk(vif->ifp, NULL, 0);
++		if (bus_up)
++			brcmf_set_pmk(vif->ifp, NULL, 0);
+ 		vif->profile.use_fwsup = BRCMF_PROFILE_FWSUP_NONE;
+ 	}
+ 	brcmf_dbg(TRACE, "Exit\n");
+@@ -5006,18 +5011,16 @@ static int brcmf_cfg80211_get_channel(st
+ 	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+ 	struct net_device *ndev = wdev->netdev;
+ 	struct brcmf_pub *drvr = cfg->pub;
+-	struct brcmf_if *ifp;
+ 	struct brcmu_chan ch;
+ 	enum nl80211_band band = 0;
+ 	enum nl80211_chan_width width = 0;
+ 	u32 chanspec;
+ 	int freq, err;
+ 
+-	if (!ndev)
++	if (!ndev || drvr->bus_if->state != BRCMF_BUS_UP)
+ 		return -ENODEV;
+-	ifp = netdev_priv(ndev);
+ 
+-	err = brcmf_fil_iovar_int_get(ifp, "chanspec", &chanspec);
++	err = brcmf_fil_iovar_int_get(netdev_priv(ndev), "chanspec", &chanspec);
+ 	if (err) {
+ 		bphy_err(drvr, "chanspec failed (%d)\n", err);
+ 		return err;

package/kernel/mac80211/patches/469-v5.4-0006-brcmfmac-simply-remove-flowring-if-bus-is-down.patch

@@ -0,0 +1,33 @@
+From e0bfb9601d4812719167cc4124a0d6db1e2f55e4 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:11 +0200
+Subject: [PATCH] brcmfmac: simply remove flowring if bus is down
+
+When the bus is down, eg. due to rmmod, there is no need to
+attempt to inform firmware about it.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -1408,6 +1408,13 @@ void brcmf_msgbuf_delete_flowring(struct
+ 	u8 ifidx;
+ 	int err;
+ 
++	/* no need to submit if firmware can not be reached */
++	if (drvr->bus_if->state != BRCMF_BUS_UP) {
++		brcmf_dbg(MSGBUF, "bus down, flowring will be removed\n");
++		brcmf_msgbuf_remove_flowring(msgbuf, flowid);
++		return;
++	}
++
+ 	commonring = msgbuf->commonrings[BRCMF_H2D_MSGRING_CONTROL_SUBMIT];
+ 	brcmf_commonring_lock(commonring);
+ 	ret_ptr = brcmf_commonring_reserve_for_write(commonring);

package/kernel/mac80211/patches/469-v5.4-0007-brcmfmac-remove-unnecessary-strlcpy-upon-obtaining-v.patch

@@ -0,0 +1,28 @@
+From 4b11c915f00caeef3292ed0429acc579b9da762a Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 11 Jul 2019 11:05:12 +0200
+Subject: [PATCH] brcmfmac: remove unnecessary strlcpy() upon obtaining "ver"
+ iovar
+
+Recently a strcpy() was replaced by strlcpy(). However, the strcpy()
+was not needed in the first place. So removing that line of code.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -269,7 +269,6 @@ int brcmf_c_preinit_dcmds(struct brcmf_i
+ 
+ 	/* query for 'ver' to get version info from firmware */
+ 	memset(buf, 0, sizeof(buf));
+-	strlcpy(buf, "ver", sizeof(buf));
+ 	err = brcmf_fil_iovar_data_get(ifp, "ver", buf, sizeof(buf));
+ 	if (err < 0) {
+ 		bphy_err(drvr, "Retrieving version information failed, %d\n",

package/kernel/mac80211/patches/470-v5.4-brcmfmac-don-t-net_ratelimit-CONSOLE-messages-on-fir.patch

@@ -0,0 +1,38 @@
+From e3b1d879ccda9ffd5332777bb1beeb2cc913faa8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 21 Jul 2019 21:52:17 +0200
+Subject: [PATCH] brcmfmac: don't net_ratelimit() CONSOLE messages on firmware
+ crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Firmware crash is a pretty rare event and can't happen too frequently as
+it has to be followed by a hardware reinitialization and config reload.
+It should be safe to don't use net_ratelimit() when it happens.
+
+For reporting & debugging purposes it's important to provide a complete
+log as the last lines are actually the most important. This change
+modifies brcmfmac to print all messages in an unlimited way in that
+specific case. With this change there should be finally a backtrace of
+firmware finally visible after a crash.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -804,7 +804,8 @@ static void brcmf_pcie_bus_console_read(
+ 		if (ch == '\n') {
+ 			console->log_str[console->log_idx] = 0;
+ 			if (error)
+-				brcmf_err(bus, "CONSOLE: %s", console->log_str);
++				__brcmf_err(bus, __func__, "CONSOLE: %s",
++					    console->log_str);
+ 			else
+ 				pr_debug("CONSOLE: %s", console->log_str);
+ 			console->log_idx = 0;

package/kernel/mac80211/patches/471-v5.4-brcmfmac-remove-set-but-not-used-variable-dtim_perio.patch

@@ -0,0 +1,54 @@
+From cddecd92d1ec2fd05ed1123455e7c6cf6906b5a5 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 24 Jul 2019 22:12:01 +0800
+Subject: [PATCH] brcmfmac: remove set but not used variable 'dtim_period'
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c: In function brcmf_update_bss_info:
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:2962:5: warning: variable dtim_period set but not used [-Wunused-but-set-variable]
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c: In function brcmf_update_bss_info:
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:2961:6: warning: variable beacon_interval set but not used [-Wunused-but-set-variable]
+
+They are never used so can be removed.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -2985,8 +2985,6 @@ static s32 brcmf_update_bss_info(struct
+ 	struct brcmf_pub *drvr = cfg->pub;
+ 	struct brcmf_bss_info_le *bi;
+ 	const struct brcmf_tlv *tim;
+-	u16 beacon_interval;
+-	u8 dtim_period;
+ 	size_t ie_len;
+ 	u8 *ie;
+ 	s32 err = 0;
+@@ -3010,12 +3008,9 @@ static s32 brcmf_update_bss_info(struct
+ 
+ 	ie = ((u8 *)bi) + le16_to_cpu(bi->ie_offset);
+ 	ie_len = le32_to_cpu(bi->ie_length);
+-	beacon_interval = le16_to_cpu(bi->beacon_period);
+ 
+ 	tim = brcmf_parse_tlvs(ie, ie_len, WLAN_EID_TIM);
+-	if (tim)
+-		dtim_period = tim->data[1];
+-	else {
++	if (!tim) {
+ 		/*
+ 		* active scan was done so we could not get dtim
+ 		* information out of probe response.
+@@ -3027,7 +3022,6 @@ static s32 brcmf_update_bss_info(struct
+ 			bphy_err(drvr, "wl dtim_assoc failed (%d)\n", err);
+ 			goto update_bss_info_out;
+ 		}
+-		dtim_period = (u8)var;
+ 	}
+ 
+ update_bss_info_out:

package/kernel/mac80211/patches/472-v5.4-brcmfmac-remove-redundant-assignment-to-pointer-hash.patch

@@ -0,0 +1,26 @@
+From 73c742bb9c9ba30871fdd5c730d5ca8b6712833a Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 9 Aug 2019 18:22:17 +0100
+Subject: [PATCH] brcmfmac: remove redundant assignment to pointer hash
+
+The pointer hash is being initialized with a value that is never read
+and is being re-assigned a little later on. The assignment is
+redundant and hence can be removed.
+
+Addresses-Coverity: ("Unused value")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -1478,7 +1478,6 @@ static int brcmf_msgbuf_stats_read(struc
+ 	seq_printf(seq, "\nh2d_flowrings: depth %u\n",
+ 		   BRCMF_H2D_TXFLOWRING_MAX_ITEM);
+ 	seq_puts(seq, "Active flowrings:\n");
+-	hash = msgbuf->flow->hash;
+ 	for (i = 0; i < msgbuf->flow->nrofrings; i++) {
+ 		if (!msgbuf->flow->rings[i])
+ 			continue;

package/kernel/mac80211/patches/473-v5.4-brcmfmac-replace-strncpy-by-strscpy.patch

@@ -0,0 +1,36 @@
+From 5f42b382ead278c1f6c3854765c97eb20491aa2a Mon Sep 17 00:00:00 2001
+From: Xulin Sun <xulin.sun@windriver.com>
+Date: Fri, 23 Aug 2019 15:47:08 +0800
+Subject: [PATCH] brcmfmac: replace strncpy() by strscpy()
+
+The strncpy() may truncate the copied string,
+replace it by the safer strscpy().
+
+To avoid below compile warning with gcc 8.2:
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:In function 'brcmf_vndr_ie':
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4227:2:
+warning: 'strncpy' output truncated before terminating nul copying 3 bytes from a string of the same length [-Wstringop-truncation]
+  strncpy(iebuf, add_del_cmd, VNDR_IE_CMD_LEN - 1);
+  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Xulin Sun <xulin.sun@windriver.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4246,9 +4246,7 @@ next:
+ static u32
+ brcmf_vndr_ie(u8 *iebuf, s32 pktflag, u8 *ie_ptr, u32 ie_len, s8 *add_del_cmd)
+ {
+-
+-	strncpy(iebuf, add_del_cmd, VNDR_IE_CMD_LEN - 1);
+-	iebuf[VNDR_IE_CMD_LEN - 1] = '\0';
++	strscpy(iebuf, add_del_cmd, VNDR_IE_CMD_LEN);
+ 
+ 	put_unaligned_le32(1, &iebuf[VNDR_IE_COUNT_OFFSET]);
+ 

package/kernel/mac80211/patches/474-v5.4-brcmfmac-get-chip-s-default-RAM-info-during-PCIe-set.patch

@@ -1,19 +1,29 @@
+From 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
-Subject: [PATCH] brcmfmac: get RAM info right before downloading PCIe firmware
+Date: Thu, 29 Aug 2019 10:27:01 +0200
+Subject: [PATCH] brcmfmac: get chip's default RAM info during PCIe setup
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
-It's important as brcmf_chip_get_raminfo() also makes sure that memory
-is properly setup. Without it the firmware could report invalid RAM
-address like 0x04000001.
+Getting RAM info just once per driver's lifetime (during chip
+recognition) is not enough as it may get adjusted later (depending on
+the used firmware). Subsequent inits may load different firmwares so a
+full RAM recognition is required on every PCIe setup. This is especially
+important since implementing hardware reset on a firmware crash.
 
-During a normal brcmfmac lifetime brcmf_chip_get_raminfo() is called on
-probe by the brcmf_chip_recognition(). This change allows implementing
-further improvements like handling errors by resetting a device with
-the brcmf_pcie_reset_device() and redownloading a firmware afterwards.
+Moreover calling brcmf_chip_get_raminfo() makes sure that RAM core is
+up. It's important as having BCMA_CORE_SYS_MEM down on BCM4366 was
+resulting in firmware failing to initialize and following error:
+[   65.657546] brcmfmac 0000:01:00.0: brcmf_pcie_download_fw_nvram: Invalid shared RAM address 0x04000001
 
+This change makes brcmf_chip_get_raminfo() call during chip recognition
+redundant for PCIe devices but SDIO and USB still need it and it's a
+very small overhead anyway.
+
+Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
 Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 ---
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 6 ++++--
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h | 1 +
@@ -55,7 +65,7 @@ Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  void brcmf_chip_detach(struct brcmf_chip *chip);
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -1779,6 +1779,12 @@ static void brcmf_pcie_setup(struct devi
+@@ -1780,6 +1780,12 @@ static void brcmf_pcie_setup(struct devi
  	nvram_len = fwreq->items[BRCMF_PCIE_FW_NVRAM].nv_data.len;
  	kfree(fwreq);
  

package/kernel/mac80211/patches/475-v5.4-0001-brcmfmac-add-stub-version-of-brcmf_debugfs_get_devdi.patch

@@ -0,0 +1,31 @@
+From cb34212b1c25f7656a315f956d72696777e88340 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 1 Sep 2019 13:34:35 +0200
+Subject: [PATCH] brcmfmac: add stub version of brcmf_debugfs_get_devdir()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case of compiling driver without DEBUG expose a stub function to make
+writing debug code much simpler (no extra conditions). This will allow
+e.g. using debugfs_create_file() without any magic if or #ifdef.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/debug.h
+@@ -132,6 +132,10 @@ int brcmf_debugfs_add_entry(struct brcmf
+ int brcmf_debug_create_memdump(struct brcmf_bus *bus, const void *data,
+ 			       size_t len);
+ #else
++static inline struct dentry *brcmf_debugfs_get_devdir(struct brcmf_pub *drvr)
++{
++	return ERR_PTR(-ENOENT);
++}
+ static inline
+ int brcmf_debugfs_add_entry(struct brcmf_pub *drvr, const char *fn,
+ 			    int (*read_fn)(struct seq_file *seq, void *data))

package/kernel/mac80211/patches/475-v5.4-0002-brcmfmac-add-reset-debugfs-entry-for-testing-reset.patch

@@ -0,0 +1,59 @@
+From 2f8c8e62cd50d72ac68de884a09c6f5a969a269c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 1 Sep 2019 13:34:36 +0200
+Subject: [PATCH] brcmfmac: add "reset" debugfs entry for testing reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a trivial debugfs entry for triggering reset just like in case
+of firmware crash. It works by writing 1 to it:
+echo 1 > reset
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/core.c        | 25 +++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1117,6 +1117,29 @@ static void brcmf_core_bus_reset(struct
+ 	brcmf_bus_reset(drvr->bus_if);
+ }
+ 
++static ssize_t bus_reset_write(struct file *file, const char __user *user_buf,
++			       size_t count, loff_t *ppos)
++{
++	struct brcmf_pub *drvr = file->private_data;
++	u8 value;
++
++	if (kstrtou8_from_user(user_buf, count, 0, &value))
++		return -EINVAL;
++
++	if (value != 1)
++		return -EINVAL;
++
++	schedule_work(&drvr->bus_reset);
++
++	return count;
++}
++
++static const struct file_operations bus_reset_fops = {
++	.open	= simple_open,
++	.llseek	= no_llseek,
++	.write	= bus_reset_write,
++};
++
+ static int brcmf_bus_started(struct brcmf_pub *drvr, struct cfg80211_ops *ops)
+ {
+ 	int ret = -1;
+@@ -1192,6 +1215,8 @@ static int brcmf_bus_started(struct brcm
+ 
+ 	/* populate debugfs */
+ 	brcmf_debugfs_add_entry(drvr, "revinfo", brcmf_revinfo_read);
++	debugfs_create_file("reset", 0600, brcmf_debugfs_get_devdir(drvr), drvr,
++			    &bus_reset_fops);
+ 	brcmf_feat_debugfs_create(drvr);
+ 	brcmf_proto_debugfs_create(drvr);
+ 

package/kernel/mac80211/patches/476-v5.4-brcmfmac-use-ph-to-print-small-buffer.patch

@@ -0,0 +1,58 @@
+From 0e48b86d9a8f5c695bb02c9c02f6dc7d2ec8f2e2 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 4 Sep 2019 20:50:52 +0300
+Subject: [PATCH] brcmfmac: use %*ph to print small buffer
+
+Use %*ph format to print small buffer as hex string.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c     | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4224,10 +4224,8 @@ brcmf_parse_vndr_ies(const u8 *vndr_ie_b
+ 
+ 		vndr_ies->count++;
+ 
+-		brcmf_dbg(TRACE, "** OUI %02x %02x %02x, type 0x%02x\n",
+-			  parsed_info->vndrie.oui[0],
+-			  parsed_info->vndrie.oui[1],
+-			  parsed_info->vndrie.oui[2],
++		brcmf_dbg(TRACE, "** OUI %3ph, type 0x%02x\n",
++			  parsed_info->vndrie.oui,
+ 			  parsed_info->vndrie.oui_type);
+ 
+ 		if (vndr_ies->count >= VNDR_IE_PARSE_LIMIT)
+@@ -4351,12 +4349,10 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+ 		for (i = 0; i < old_vndr_ies.count; i++) {
+ 			vndrie_info = &old_vndr_ies.ie_info[i];
+ 
+-			brcmf_dbg(TRACE, "DEL ID : %d, Len: %d , OUI:%02x:%02x:%02x\n",
++			brcmf_dbg(TRACE, "DEL ID : %d, Len: %d , OUI:%3ph\n",
+ 				  vndrie_info->vndrie.id,
+ 				  vndrie_info->vndrie.len,
+-				  vndrie_info->vndrie.oui[0],
+-				  vndrie_info->vndrie.oui[1],
+-				  vndrie_info->vndrie.oui[2]);
++				  vndrie_info->vndrie.oui);
+ 
+ 			del_add_ie_buf_len = brcmf_vndr_ie(curr_ie_buf, pktflag,
+ 							   vndrie_info->ie_ptr,
+@@ -4388,12 +4384,10 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+ 			remained_buf_len -= (vndrie_info->ie_len +
+ 					     VNDR_IE_VSIE_OFFSET);
+ 
+-			brcmf_dbg(TRACE, "ADDED ID : %d, Len: %d, OUI:%02x:%02x:%02x\n",
++			brcmf_dbg(TRACE, "ADDED ID : %d, Len: %d, OUI:%3ph\n",
+ 				  vndrie_info->vndrie.id,
+ 				  vndrie_info->vndrie.len,
+-				  vndrie_info->vndrie.oui[0],
+-				  vndrie_info->vndrie.oui[1],
+-				  vndrie_info->vndrie.oui[2]);
++				  vndrie_info->vndrie.oui);
+ 
+ 			del_add_ie_buf_len = brcmf_vndr_ie(curr_ie_buf, pktflag,
+ 							   vndrie_info->ie_ptr,

package/kernel/mac80211/patches/477-v5.4-0001-brcmfmac-move-cfg80211_ops-pointer-to-another-struct.patch

@@ -0,0 +1,95 @@
+From ba76ff25ee64d5cfc86209d1fbb3c294b2c04412 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 3 Sep 2019 06:29:26 +0200
+Subject: [PATCH 1/3] brcmfmac: move "cfg80211_ops" pointer to another struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This moves "ops" pointer from "struct brcmf_cfg80211_info" to the
+"struct brcmf_pub". This movement makes it possible to allocate wiphy
+without attaching cfg80211 (brcmf_cfg80211_attach()). It's required for
+later separation of wiphy allocation and driver initialization.
+
+While at it fix also an unlikely memory leak in the brcmf_attach().
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c  | 1 -
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h  | 1 -
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c  | 9 ++++++---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h  | 1 +
+ 4 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -7186,7 +7186,6 @@ void brcmf_cfg80211_detach(struct brcmf_
+ 	brcmf_pno_detach(cfg);
+ 	brcmf_btcoex_detach(cfg);
+ 	wiphy_unregister(cfg->wiphy);
+-	kfree(cfg->ops);
+ 	wl_deinit_priv(cfg);
+ 	brcmf_free_wiphy(cfg->wiphy);
+ 	kfree(cfg);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+@@ -303,7 +303,6 @@ struct brcmf_cfg80211_wowl {
+  */
+ struct brcmf_cfg80211_info {
+ 	struct wiphy *wiphy;
+-	struct cfg80211_ops *ops;
+ 	struct brcmf_cfg80211_conf *conf;
+ 	struct brcmf_p2p_info p2p;
+ 	struct brcmf_btcoex_info *btcoex;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1254,12 +1254,15 @@ int brcmf_attach(struct device *dev, str
+ 		return -ENOMEM;
+ 
+ 	wiphy = wiphy_new(ops, sizeof(*drvr));
+-	if (!wiphy)
++	if (!wiphy) {
++		kfree(ops);
+ 		return -ENOMEM;
++	}
+ 
+ 	set_wiphy_dev(wiphy, dev);
+ 	drvr = wiphy_priv(wiphy);
+ 	drvr->wiphy = wiphy;
++	drvr->ops = ops;
+ 
+ 	for (i = 0; i < ARRAY_SIZE(drvr->if2bss); i++)
+ 		drvr->if2bss[i] = BRCMF_BSSIDX_INVALID;
+@@ -1292,12 +1295,10 @@ int brcmf_attach(struct device *dev, str
+ 		goto fail;
+ 	}
+ 
+-	drvr->config->ops = ops;
+ 	return 0;
+ 
+ fail:
+ 	brcmf_detach(dev);
+-	kfree(ops);
+ 
+ 	return ret;
+ }
+@@ -1383,6 +1384,8 @@ void brcmf_detach(struct device *dev)
+ 
+ 	bus_if->drvr = NULL;
+ 
++	kfree(drvr->ops);
++
+ 	wiphy_free(drvr->wiphy);
+ }
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -108,6 +108,7 @@ struct brcmf_pub {
+ 	struct brcmf_bus *bus_if;
+ 	struct brcmf_proto *proto;
+ 	struct wiphy *wiphy;
++	struct cfg80211_ops *ops;
+ 	struct brcmf_cfg80211_info *config;
+ 
+ 	/* Internal brcmf items */

package/kernel/mac80211/patches/477-v5.4-0002-brcmfmac-split-brcmf_attach-and-brcmf_detach-functio.patch

@@ -0,0 +1,255 @@
+From 450914c39f88d1adada26256360dea7050ff4e83 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 3 Sep 2019 06:29:27 +0200
+Subject: [PATCH 2/3] brcmfmac: split brcmf_attach() and brcmf_detach()
+ functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Move code allocating/freeing wiphy out of above functions. This will
+allow reinitializing the driver (e.g. on some error) without allocating
+a new wiphy.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/bus.h         |  4 ++-
+ .../broadcom/brcm80211/brcmfmac/core.c        | 33 ++++++++++++++----
+ .../broadcom/brcm80211/brcmfmac/pcie.c        | 13 +++++--
+ .../broadcom/brcm80211/brcmfmac/sdio.c        | 15 ++++++--
+ .../broadcom/brcm80211/brcmfmac/usb.c         | 34 +++++++++++++++----
+ 5 files changed, 80 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bus.h
+@@ -254,10 +254,12 @@ void brcmf_rx_frame(struct device *dev,
+ /* Receive async event packet from firmware. Callee disposes of rxp. */
+ void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);
+ 
++int brcmf_alloc(struct device *dev, struct brcmf_mp_device *settings);
+ /* Indication from bus module regarding presence/insertion of dongle. */
+-int brcmf_attach(struct device *dev, struct brcmf_mp_device *settings);
++int brcmf_attach(struct device *dev);
+ /* Indication from bus module regarding removal/absence of dongle */
+ void brcmf_detach(struct device *dev);
++void brcmf_free(struct device *dev);
+ /* Indication from bus module that dongle should be reset */
+ void brcmf_dev_reset(struct device *dev);
+ /* Request from bus module to initiate a coredump */
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1239,13 +1239,11 @@ fail:
+ 	return ret;
+ }
+ 
+-int brcmf_attach(struct device *dev, struct brcmf_mp_device *settings)
++int brcmf_alloc(struct device *dev, struct brcmf_mp_device *settings)
+ {
+ 	struct wiphy *wiphy;
+ 	struct cfg80211_ops *ops;
+ 	struct brcmf_pub *drvr = NULL;
+-	int ret = 0;
+-	int i;
+ 
+ 	brcmf_dbg(TRACE, "Enter\n");
+ 
+@@ -1263,6 +1261,21 @@ int brcmf_attach(struct device *dev, str
+ 	drvr = wiphy_priv(wiphy);
+ 	drvr->wiphy = wiphy;
+ 	drvr->ops = ops;
++	drvr->bus_if = dev_get_drvdata(dev);
++	drvr->bus_if->drvr = drvr;
++	drvr->settings = settings;
++
++	return 0;
++}
++
++int brcmf_attach(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++	struct brcmf_pub *drvr = bus_if->drvr;
++	int ret = 0;
++	int i;
++
++	brcmf_dbg(TRACE, "Enter\n");
+ 
+ 	for (i = 0; i < ARRAY_SIZE(drvr->if2bss); i++)
+ 		drvr->if2bss[i] = BRCMF_BSSIDX_INVALID;
+@@ -1271,9 +1284,6 @@ int brcmf_attach(struct device *dev, str
+ 
+ 	/* Link to bus module */
+ 	drvr->hdrlen = 0;
+-	drvr->bus_if = dev_get_drvdata(dev);
+-	drvr->bus_if->drvr = drvr;
+-	drvr->settings = settings;
+ 
+ 	/* Attach and link in the protocol */
+ 	ret = brcmf_proto_attach(drvr);
+@@ -1289,7 +1299,7 @@ int brcmf_attach(struct device *dev, str
+ 	/* attach firmware event handler */
+ 	brcmf_fweh_attach(drvr);
+ 
+-	ret = brcmf_bus_started(drvr, ops);
++	ret = brcmf_bus_started(drvr, drvr->ops);
+ 	if (ret != 0) {
+ 		bphy_err(drvr, "dongle is not responding: err=%d\n", ret);
+ 		goto fail;
+@@ -1381,6 +1391,15 @@ void brcmf_detach(struct device *dev)
+ 		brcmf_cfg80211_detach(drvr->config);
+ 		drvr->config = NULL;
+ 	}
++}
++
++void brcmf_free(struct device *dev)
++{
++	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
++	struct brcmf_pub *drvr = bus_if->drvr;
++
++	if (!drvr)
++		return;
+ 
+ 	bus_if->drvr = NULL;
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1440,6 +1440,7 @@ static int brcmf_pcie_reset(struct devic
+ 	brcmf_pcie_bus_console_read(devinfo, true);
+ 
+ 	brcmf_detach(dev);
++	brcmf_free(dev);
+ 
+ 	brcmf_pcie_release_irq(devinfo);
+ 	brcmf_pcie_release_scratchbuffers(devinfo);
+@@ -1834,11 +1835,18 @@ static void brcmf_pcie_setup(struct devi
+ 
+ 	brcmf_pcie_intr_enable(devinfo);
+ 	brcmf_pcie_hostready(devinfo);
+-	if (brcmf_attach(&devinfo->pdev->dev, devinfo->settings) == 0)
+-		return;
++
++	ret = brcmf_alloc(&devinfo->pdev->dev, devinfo->settings);
++	if (ret)
++		goto fail;
++	ret = brcmf_attach(&devinfo->pdev->dev);
++	if (ret)
++		goto fail;
+ 
+ 	brcmf_pcie_bus_console_read(devinfo, false);
+ 
++	return;
++
+ fail:
+ 	device_release_driver(dev);
+ }
+@@ -1981,6 +1989,7 @@ brcmf_pcie_remove(struct pci_dev *pdev)
+ 		brcmf_pcie_intr_disable(devinfo);
+ 
+ 	brcmf_detach(&pdev->dev);
++	brcmf_free(&pdev->dev);
+ 
+ 	kfree(bus->bus_priv.pcie);
+ 	kfree(bus->msgbuf->flowrings);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -4140,10 +4140,17 @@ static void brcmf_sdio_firmware_callback
+ 	sdiod->bus_if->chip = bus->ci->chip;
+ 	sdiod->bus_if->chiprev = bus->ci->chiprev;
+ 
++	err = brcmf_alloc(sdiod->dev, sdiod->settings);
++	if (err) {
++		brcmf_err("brcmf_alloc failed\n");
++		goto fail;
++	}
++
+ 	/* Attach to the common layer, reserve hdr space */
+-	err = brcmf_attach(sdiod->dev, sdiod->settings);
++	err = brcmf_attach(sdiod->dev);
+ 	if (err != 0) {
+ 		brcmf_err("brcmf_attach failed\n");
++		brcmf_free(sdiod->dev);
+ 		goto fail;
+ 	}
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -1191,8 +1191,12 @@ static void brcmf_usb_probe_phase2(struc
+ 	if (ret)
+ 		goto error;
+ 
++	ret = brcmf_alloc(devinfo->dev, devinfo->settings);
++	if (ret)
++		goto error;
++
+ 	/* Attach to the common driver interface */
+-	ret = brcmf_attach(devinfo->dev, devinfo->settings);
++	ret = brcmf_attach(devinfo->dev);
+ 	if (ret)
+ 		goto error;
+ 
+@@ -1264,7 +1268,10 @@ static int brcmf_usb_probe_cb(struct brc
+ 	}
+ 
+ 	if (!brcmf_usb_dlneeded(devinfo)) {
+-		ret = brcmf_attach(devinfo->dev, devinfo->settings);
++		ret = brcmf_alloc(devinfo->dev, devinfo->settings);
++		if (ret)
++			goto fail;
++		ret = brcmf_attach(devinfo->dev);
+ 		if (ret)
+ 			goto fail;
+ 		/* we are done */
+@@ -1292,6 +1299,7 @@ static int brcmf_usb_probe_cb(struct brc
+ 
+ fail:
+ 	/* Release resources in reverse order */
++	brcmf_free(devinfo->dev);
+ 	kfree(bus);
+ 	brcmf_usb_detach(devinfo);
+ 	return ret;
+@@ -1305,6 +1313,7 @@ brcmf_usb_disconnect_cb(struct brcmf_usb
+ 	brcmf_dbg(USB, "Enter, bus_pub %p\n", devinfo);
+ 
+ 	brcmf_detach(devinfo->dev);
++	brcmf_free(devinfo->dev);
+ 	kfree(devinfo->bus_pub.bus);
+ 	brcmf_usb_detach(devinfo);
+ }
+@@ -1449,10 +1458,12 @@ static int brcmf_usb_suspend(struct usb_
+ 
+ 	brcmf_dbg(USB, "Enter\n");
+ 	devinfo->bus_pub.state = BRCMFMAC_USB_STATE_SLEEP;
+-	if (devinfo->wowl_enabled)
++	if (devinfo->wowl_enabled) {
+ 		brcmf_cancel_all_urbs(devinfo);
+-	else
++	} else {
+ 		brcmf_detach(&usb->dev);
++		brcmf_free(&usb->dev);
++	}
+ 	return 0;
+ }
+ 
+@@ -1465,8 +1476,19 @@ static int brcmf_usb_resume(struct usb_i
+ 	struct brcmf_usbdev_info *devinfo = brcmf_usb_get_businfo(&usb->dev);
+ 
+ 	brcmf_dbg(USB, "Enter\n");
+-	if (!devinfo->wowl_enabled)
+-		return brcmf_attach(devinfo->dev, devinfo->settings);
++	if (!devinfo->wowl_enabled) {
++		int err;
++
++		err = brcmf_alloc(&usb->dev, devinfo->settings);
++		if (err)
++			return err;
++
++		err = brcmf_attach(devinfo->dev);
++		if (err) {
++			brcmf_free(devinfo->dev);
++			return err;
++		}
++	}
+ 
+ 	devinfo->bus_pub.state = BRCMFMAC_USB_STATE_UP;
+ 	brcmf_usb_rx_fill_all(devinfo);

package/kernel/mac80211/patches/477-v5.4-0003-brcmfmac-don-t-realloc-wiphy-during-PCIe-reset.patch

@@ -0,0 +1,51 @@
+From a1f5aac1765afbeace9581afa27da34085f68e1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 3 Sep 2019 06:29:28 +0200
+Subject: [PATCH 3/3] brcmfmac: don't realloc wiphy during PCIe reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Providing a new wiphy on every PCIe reset was confusing and was causing
+configuration problems for some users (supplicant and authenticators).
+Sticking to the existing wiphy should make error recovery much simpler
+and more reliable.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1440,7 +1440,6 @@ static int brcmf_pcie_reset(struct devic
+ 	brcmf_pcie_bus_console_read(devinfo, true);
+ 
+ 	brcmf_detach(dev);
+-	brcmf_free(dev);
+ 
+ 	brcmf_pcie_release_irq(devinfo);
+ 	brcmf_pcie_release_scratchbuffers(devinfo);
+@@ -1836,9 +1835,6 @@ static void brcmf_pcie_setup(struct devi
+ 	brcmf_pcie_intr_enable(devinfo);
+ 	brcmf_pcie_hostready(devinfo);
+ 
+-	ret = brcmf_alloc(&devinfo->pdev->dev, devinfo->settings);
+-	if (ret)
+-		goto fail;
+ 	ret = brcmf_attach(&devinfo->pdev->dev);
+ 	if (ret)
+ 		goto fail;
+@@ -1941,6 +1937,10 @@ brcmf_pcie_probe(struct pci_dev *pdev, c
+ 	bus->wowl_supported = pci_pme_capable(pdev, PCI_D3hot);
+ 	dev_set_drvdata(&pdev->dev, bus);
+ 
++	ret = brcmf_alloc(&devinfo->pdev->dev, devinfo->settings);
++	if (ret)
++		goto fail_bus;
++
+ 	fwreq = brcmf_pcie_prepare_fw_request(devinfo);
+ 	if (!fwreq) {
+ 		ret = -ENOMEM;

package/kernel/mac80211/patches/501-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch

@@ -0,0 +1,54 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 18 Nov 2019 11:52:41 +0100
+Subject: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Keeping interrupts on could result in brcmfmac freeing some resources
+and then IRQ handlers trying to use them. That was obviously a straight
+path for crashing a kernel.
+
+Example:
+CPU0                           CPU1
+----                           ----
+brcmf_pcie_reset
+  brcmf_pcie_bus_console_read
+  brcmf_detach
+    ...
+    brcmf_fweh_detach
+    brcmf_proto_detach
+                               brcmf_pcie_isr_thread
+                                 ...
+                                 brcmf_proto_msgbuf_rx_trigger
+                                   ...
+                                   drvr->proto->pd
+    brcmf_pcie_release_irq
+
+[  363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
+[  363.797339] pgd = c0004000
+[  363.800050] [00000038] *pgd=00000000
+[  363.803635] Internal error: Oops: 17 [#1] SMP ARM
+(...)
+[  364.029209] Backtrace:
+[  364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
+[  364.043662]  r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
+
+Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1437,6 +1437,8 @@ static int brcmf_pcie_reset(struct devic
+ 	struct brcmf_fw_request *fwreq;
+ 	int err;
+ 
++	brcmf_pcie_intr_disable(devinfo);
++
+ 	brcmf_pcie_bus_console_read(devinfo, true);
+ 
+ 	brcmf_detach(dev);

package/kernel/mac80211/patches/502-brcmfmac-remove-monitor-interface-when-detaching.patch

@@ -0,0 +1,30 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Mon, 18 Nov 2019 13:35:20 +0100
+Subject: [PATCH 5.5] brcmfmac: remove monitor interface when detaching
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a minor WARNING in the cfg80211:
+[  130.658034] ------------[ cut here ]------------
+[  130.662805] WARNING: CPU: 1 PID: 610 at net/wireless/core.c:954 wiphy_unregister+0xb4/0x198 [cfg80211]
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -1380,6 +1380,11 @@ void brcmf_detach(struct device *dev)
+ 	brcmf_fweh_detach(drvr);
+ 	brcmf_proto_detach(drvr);
+ 
++	if (drvr->mon_if) {
++		brcmf_net_detach(drvr->mon_if->ndev, false);
++		drvr->mon_if = NULL;
++	}
++
+ 	/* make sure primary interface removed last */
+ 	for (i = BRCMF_MAX_IFS - 1; i > -1; i--) {
+ 		if (drvr->iflist[i])

package/kernel/mac80211/patches/557-ath9k-dynack-introduce-ath_dynack_set_timeout-routin.patch

@@ -0,0 +1,94 @@
+From 4420866ef1b602682b009e0186fbb8aefd2125be Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Tue, 20 Aug 2019 18:20:19 +0200
+Subject: [PATCH 1/4] ath9k: dynack: introduce ath_dynack_set_timeout routine
+
+Introduce ath_dynack_set_timeout routine to configure slottime/ack/cts
+timeouts and remove duplicated code
+
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/dynack.c | 37 ++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
+index f112fa5b2eac..38dbe25919f7 100644
+--- a/drivers/net/wireless/ath/ath9k/dynack.c
++++ b/drivers/net/wireless/ath/ath9k/dynack.c
+@@ -78,6 +78,24 @@ static inline bool ath_dynack_bssidmask(struct ath_hw *ah, const u8 *mac)
+ 	return true;
+ }
+ 
++/**
++ * ath_dynack_set_timeout - configure timeouts/slottime registers
++ * @ah: ath hw
++ * @to: timeout value
++ *
++ */
++static void ath_dynack_set_timeout(struct ath_hw *ah, int to)
++{
++	struct ath_common *common = ath9k_hw_common(ah);
++	int slottime = (to - 3) / 2;
++
++	ath_dbg(common, DYNACK, "ACK timeout %u slottime %u\n",
++		to, slottime);
++	ath9k_hw_setslottime(ah, slottime);
++	ath9k_hw_set_ack_timeout(ah, to);
++	ath9k_hw_set_cts_timeout(ah, to);
++}
++
+ /**
+  * ath_dynack_compute_ackto - compute ACK timeout as the maximum STA timeout
+  * @ah: ath hw
+@@ -86,7 +104,6 @@ static inline bool ath_dynack_bssidmask(struct ath_hw *ah, const u8 *mac)
+  */
+ static void ath_dynack_compute_ackto(struct ath_hw *ah)
+ {
+-	struct ath_common *common = ath9k_hw_common(ah);
+ 	struct ath_dynack *da = &ah->dynack;
+ 	struct ath_node *an;
+ 	int to = 0;
+@@ -96,15 +113,8 @@ static void ath_dynack_compute_ackto(struct ath_hw *ah)
+ 			to = an->ackto;
+ 
+ 	if (to && da->ackto != to) {
+-		u32 slottime;
+-
+-		slottime = (to - 3) / 2;
++		ath_dynack_set_timeout(ah, to);
+ 		da->ackto = to;
+-		ath_dbg(common, DYNACK, "ACK timeout %u slottime %u\n",
+-			da->ackto, slottime);
+-		ath9k_hw_setslottime(ah, slottime);
+-		ath9k_hw_set_ack_timeout(ah, da->ackto);
+-		ath9k_hw_set_cts_timeout(ah, da->ackto);
+ 	}
+ }
+ 
+@@ -198,10 +208,7 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
+ 		    ieee80211_is_assoc_resp(hdr->frame_control) ||
+ 		    ieee80211_is_auth(hdr->frame_control)) {
+ 			ath_dbg(common, DYNACK, "late ack\n");
+-
+-			ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2);
+-			ath9k_hw_set_ack_timeout(ah, LATEACK_TO);
+-			ath9k_hw_set_cts_timeout(ah, LATEACK_TO);
++			ath_dynack_set_timeout(ah, LATEACK_TO);
+ 			if (sta) {
+ 				struct ath_node *an;
+ 
+@@ -340,9 +347,7 @@ void ath_dynack_reset(struct ath_hw *ah)
+ 	da->ack_rbf.h_rb = 0;
+ 
+ 	/* init acktimeout */
+-	ath9k_hw_setslottime(ah, (ackto - 3) / 2);
+-	ath9k_hw_set_ack_timeout(ah, ackto);
+-	ath9k_hw_set_cts_timeout(ah, ackto);
++	ath_dynack_set_timeout(ah, ackto);
+ }
+ EXPORT_SYMBOL(ath_dynack_reset);
+ 
+-- 
+2.17.1
+

package/kernel/mac80211/patches/558-ath9k-dynack-properly-set-last-timeout-timestamp-in-.patch

@@ -0,0 +1,32 @@
+From e5b56ce50eab31d24df6a70cf025db3acc4aa3ac Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Tue, 20 Aug 2019 18:20:20 +0200
+Subject: [PATCH 2/4] ath9k: dynack: properly set last timeout timestamp in
+ ath_dynack_reset
+
+Add compute timeout to last computation timestamp in
+ath_dynack_reset in order to not run ath_dynack_compute_ackto
+immediately
+
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/dynack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
+index 38dbe25919f7..398ea872751f 100644
+--- a/drivers/net/wireless/ath/ath9k/dynack.c
++++ b/drivers/net/wireless/ath/ath9k/dynack.c
+@@ -338,7 +338,7 @@ void ath_dynack_reset(struct ath_hw *ah)
+ 	u32 ackto = 9 + 16 + 64;
+ 	struct ath_dynack *da = &ah->dynack;
+ 
+-	da->lto = jiffies;
++	da->lto = jiffies + COMPUTE_TO;
+ 	da->ackto = ackto;
+ 
+ 	da->st_rbf.t_rb = 0;
+-- 
+2.17.1
+

package/kernel/mac80211/patches/559-ath9k-dynack-set-max-timeout-according-to-channel-wi.patch

@@ -0,0 +1,96 @@
+From 3f737abb7d53cc80d619a3b4a30b6fa63cdc8df7 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Tue, 20 Aug 2019 18:20:21 +0200
+Subject: [PATCH 3/4] ath9k: dynack: set max timeout according to channel width
+
+Compute maximum configurable ackimeout/ctstimeout according to channel
+width (clockrate)
+
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/dynack.c | 38 +++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
+index 398ea872751f..fe9181533de3 100644
+--- a/drivers/net/wireless/ath/ath9k/dynack.c
++++ b/drivers/net/wireless/ath/ath9k/dynack.c
+@@ -20,11 +20,30 @@
+ 
+ #define COMPUTE_TO		(5 * HZ)
+ #define LATEACK_DELAY		(10 * HZ)
+-#define LATEACK_TO		256
+-#define MAX_DELAY		300
+ #define EWMA_LEVEL		96
+ #define EWMA_DIV		128
+ 
++/**
++ * ath_dynack_get_max_to - set max timeout according to channel width
++ * @ah: ath hw
++ *
++ */
++static u32 ath_dynack_get_max_to(struct ath_hw *ah)
++{
++	const struct ath9k_channel *chan = ah->curchan;
++
++	if (!chan)
++		return 300;
++
++	if (IS_CHAN_HT40(chan))
++		return 300;
++	if (IS_CHAN_HALF_RATE(chan))
++		return 750;
++	if (IS_CHAN_QUARTER_RATE(chan))
++		return 1500;
++	return 600;
++}
++
+ /**
+  * ath_dynack_ewma - EWMA (Exponentially Weighted Moving Average) calculation
+  *
+@@ -126,15 +145,16 @@ static void ath_dynack_compute_ackto(struct ath_hw *ah)
+  */
+ static void ath_dynack_compute_to(struct ath_hw *ah)
+ {
+-	u32 ackto, ack_ts;
+-	u8 *dst, *src;
++	struct ath_dynack *da = &ah->dynack;
++	u32 ackto, ack_ts, max_to;
+ 	struct ieee80211_sta *sta;
+-	struct ath_node *an;
+ 	struct ts_info *st_ts;
+-	struct ath_dynack *da = &ah->dynack;
++	struct ath_node *an;
++	u8 *dst, *src;
+ 
+ 	rcu_read_lock();
+ 
++	max_to = ath_dynack_get_max_to(ah);
+ 	while (da->st_rbf.h_rb != da->st_rbf.t_rb &&
+ 	       da->ack_rbf.h_rb != da->ack_rbf.t_rb) {
+ 		ack_ts = da->ack_rbf.tstamp[da->ack_rbf.h_rb];
+@@ -150,7 +170,7 @@ static void ath_dynack_compute_to(struct ath_hw *ah)
+ 		if (ack_ts > st_ts->tstamp + st_ts->dur) {
+ 			ackto = ack_ts - st_ts->tstamp - st_ts->dur;
+ 
+-			if (ackto < MAX_DELAY) {
++			if (ackto < max_to) {
+ 				sta = ieee80211_find_sta_by_ifaddr(ah->hw, dst,
+ 								   src);
+ 				if (sta) {
+@@ -207,8 +227,10 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
+ 		if (ieee80211_is_assoc_req(hdr->frame_control) ||
+ 		    ieee80211_is_assoc_resp(hdr->frame_control) ||
+ 		    ieee80211_is_auth(hdr->frame_control)) {
++			u32 max_to = ath_dynack_get_max_to(ah);
++
+ 			ath_dbg(common, DYNACK, "late ack\n");
+-			ath_dynack_set_timeout(ah, LATEACK_TO);
++			ath_dynack_set_timeout(ah, max_to);
+ 			if (sta) {
+ 				struct ath_node *an;
+ 
+-- 
+2.17.1
+

package/kernel/mac80211/patches/560-ath9k-dynack-set-ackto-to-max-timeout-in-ath_dynack_.patch

@@ -0,0 +1,78 @@
+From cc783bfa67e87d2e6206f7626b7bbb74d5c5f269 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Tue, 20 Aug 2019 18:20:22 +0200
+Subject: [PATCH 4/4] ath9k: dynack: set ackto to max timeout in
+ ath_dynack_reset
+
+Initialize acktimeout to the maximum configurable value in
+ath_dynack_reset in order to not disconnect long distance static links
+enabling dynack and even to take care of possible errors configuring
+a static timeout. Moreover initialize station timeout value to the current
+acktimeout value
+
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/dynack.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
+index fe9181533de3..f786be04d0ac 100644
+--- a/drivers/net/wireless/ath/ath9k/dynack.c
++++ b/drivers/net/wireless/ath/ath9k/dynack.c
+@@ -321,11 +321,9 @@ EXPORT_SYMBOL(ath_dynack_sample_ack_ts);
+  */
+ void ath_dynack_node_init(struct ath_hw *ah, struct ath_node *an)
+ {
+-	/* ackto = slottime + sifs + air delay */
+-	u32 ackto = 9 + 16 + 64;
+ 	struct ath_dynack *da = &ah->dynack;
+ 
+-	an->ackto = ackto;
++	an->ackto = da->ackto;
+ 
+ 	spin_lock(&da->qlock);
+ 	list_add_tail(&an->list, &da->nodes);
+@@ -356,20 +354,26 @@ EXPORT_SYMBOL(ath_dynack_node_deinit);
+  */
+ void ath_dynack_reset(struct ath_hw *ah)
+ {
+-	/* ackto = slottime + sifs + air delay */
+-	u32 ackto = 9 + 16 + 64;
+ 	struct ath_dynack *da = &ah->dynack;
++	struct ath_node *an;
++
++	spin_lock_bh(&da->qlock);
+ 
+ 	da->lto = jiffies + COMPUTE_TO;
+-	da->ackto = ackto;
+ 
+ 	da->st_rbf.t_rb = 0;
+ 	da->st_rbf.h_rb = 0;
+ 	da->ack_rbf.t_rb = 0;
+ 	da->ack_rbf.h_rb = 0;
+ 
++	da->ackto = ath_dynack_get_max_to(ah);
++	list_for_each_entry(an, &da->nodes, list)
++		an->ackto = da->ackto;
++
+ 	/* init acktimeout */
+-	ath_dynack_set_timeout(ah, ackto);
++	ath_dynack_set_timeout(ah, da->ackto);
++
++	spin_unlock_bh(&da->qlock);
+ }
+ EXPORT_SYMBOL(ath_dynack_reset);
+ 
+@@ -386,6 +390,8 @@ void ath_dynack_init(struct ath_hw *ah)
+ 
+ 	spin_lock_init(&da->qlock);
+ 	INIT_LIST_HEAD(&da->nodes);
++	/* ackto = slottime + sifs + air delay */
++	da->ackto = 9 + 16 + 64;
+ 
+ 	ah->hw->wiphy->features |= NL80211_FEATURE_ACKTO_ESTIMATION;
+ }
+-- 
+2.17.1
+

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1434,6 +1434,7 @@ int __init brcmf_core_init(void)
+@@ -1486,6 +1486,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;

package/kernel/mac80211/patches/861-brcmfmac-workaround-bug-with-some-inconsistent-BSSes.patch

@@ -10,7 +10,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -620,8 +620,36 @@ static struct wireless_dev *brcmf_cfg802
+@@ -639,8 +639,36 @@ static struct wireless_dev *brcmf_cfg802
  	struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
  	struct brcmf_pub *drvr = cfg->pub;
  	struct wireless_dev *wdev;

package/kernel/mac80211/patches/862-brcmfmac-Disable-power-management.patch

@@ -14,7 +14,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.org>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -2774,6 +2774,10 @@ brcmf_cfg80211_set_power_mgmt(struct wip
+@@ -2798,6 +2798,10 @@ brcmf_cfg80211_set_power_mgmt(struct wip
  	 * preference in cfg struct to apply this to
  	 * FW later while initializing the dongle
  	 */

package/kernel/w1-gpio-custom/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=w1-gpio-custom
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 include $(INCLUDE_DIR)/package.mk
 

package/kernel/w1-gpio-custom/src/w1-gpio-custom.c

@@ -47,7 +47,7 @@
 
 #define DRV_NAME	"w1-gpio-custom"
 #define DRV_DESC	"Custom GPIO-based W1 driver"
-#define DRV_VERSION	"0.1.1"
+#define DRV_VERSION	"0.1.2"
 
 #define PFX		DRV_NAME ": "
 
@@ -86,7 +86,7 @@ static void w1_gpio_custom_cleanup(void)
 
 	for (i = 0; i < nr_devices; i++)
 		if (devices[i])
-			platform_device_put(devices[i]);
+			platform_device_unregister(devices[i]);
 }
 
 static int __init w1_gpio_custom_add_one(unsigned int id, unsigned int *params)

package/libs/libbsd/Makefile

@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libbsd
 PKG_VERSION:=0.8.7
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_HASH:=f548f10e5af5a08b1e22889ce84315b1ebe41505b015c9596bad03fd13a12b31

package/libs/libbsd/patches/010-fix-arc.patch

@@ -0,0 +1,30 @@
+From f60b6777cc2047f9845de2c88cf092b045c160c0 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Fri, 17 May 2019 01:44:56 +0000
+Subject: [PATCH] local-elf: Add ARC support
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+ src/local-elf.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/local-elf.h b/src/local-elf.h
+index 83ca253..b90baf3 100644
+--- a/src/local-elf.h
++++ b/src/local-elf.h
+@@ -53,6 +53,12 @@
+ #endif
+ #define ELF_TARG_DATA	ELFDATA2LSB
+ 
++#elif defined (__arc__)
++
++#define ELF_TARG_MACH   EM_ARC
++#define ELF_TARG_CLASS  ELFCLASS32
++#define ELF_TARG_DATA   ELFDATA2LSB
++
+ #elif defined(__arm__)
+ 
+ #define ELF_TARG_MACH	EM_ARM
+-- 
+2.18.1
+

package/libs/libpcap/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libpcap
-PKG_VERSION:=1.8.1
+PKG_VERSION:=1.9.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.us.tcpdump.org/release/ \
         http://www.tcpdump.org/release/
-PKG_HASH:=673dbc69fdc3f5a86fb5759ab19899039a8e5e6c631749e48dcd9c6f0c83541e
+PKG_HASH:=635237637c5b619bcceba91900666b64d56ecb7be63f298f601ec786ce087094
 PKG_FIXUP:=patch-libtool
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>

package/libs/libpcap/patches/001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch

@@ -1,41 +0,0 @@
-From 64aa033a061c43fc15c711f2490ae41d23b868c3 Mon Sep 17 00:00:00 2001
-From: Fabio Berton <fabio.berton@ossystems.com.br>
-Date: Thu, 17 Nov 2016 09:44:42 -0200
-Subject: [PATCH 1/2] Fix compiler_state_t.ai usage when INET6 is not defined
-Organization: O.S. Systems Software LTDA.
-
-Fix error:
-
-/
-| ../libpcap-1.8.1/gencode.c: In function 'pcap_compile':
-| ../libpcap-1.8.1/gencode.c:693:8: error: 'compiler_state_t
-| {aka struct _compiler_state}' has no member named 'ai'
-|   cstate.ai = NULL;
-\
-
-Upstream-Status: Submitted [1]
-
-[1] https://github.com/the-tcpdump-group/libpcap/pull/541
-
-Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
----
- gencode.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/gencode.c b/gencode.c
-index a887f27..e103c70 100644
---- a/gencode.c
-+++ b/gencode.c
-@@ -690,7 +690,9 @@ pcap_compile(pcap_t *p, struct bpf_program *program,
- 	}
- 	initchunks(&cstate);
- 	cstate.no_optimize = 0;
-+#ifdef INET6
- 	cstate.ai = NULL;
-+#endif
- 	cstate.ic.root = NULL;
- 	cstate.ic.cur_mark = 0;
- 	cstate.bpf_pcap = p;
--- 
-2.1.4
-

package/libs/libpcap/patches/002-Add-missing-compiler_state_t-parameter.patch

@@ -1,67 +0,0 @@
-From 50ec0a088d5924a8305b2d70dcba71b0942dee1a Mon Sep 17 00:00:00 2001
-From: Fabio Berton <fabio.berton@ossystems.com.br>
-Date: Thu, 17 Nov 2016 09:47:29 -0200
-Subject: [PATCH 2/2] Add missing compiler_state_t parameter
-Organization: O.S. Systems Software LTDA.
-
-Fix error:
-
-/
-|../libpcap-1.8.1/gencode.c: In function 'gen_gateway':
-|../libpcap-1.8.1/gencode.c:4914:13: error: 'cstate' undeclared
-| (first use in this function)
-|    bpf_error(cstate, "direction applied to 'gateway'");
-\
-
-Upstream-Status: Submitted [1]
-
-[1] https://github.com/the-tcpdump-group/libpcap/pull/541
-
-Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
----
- gencode.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/gencode.c b/gencode.c
-index e103c70..f07c0be 100644
---- a/gencode.c
-+++ b/gencode.c
-@@ -523,7 +523,7 @@ static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
-     struct in6_addr *, int, int, int);
- #endif
- #ifndef INET6
--static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
-+static struct block *gen_gateway(compiler_state_t *, const u_char *, bpf_u_int32 **, int, int);
- #endif
- static struct block *gen_ipfrag(compiler_state_t *);
- static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
-@@ -4904,11 +4904,12 @@ gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
- 
- #ifndef INET6
- static struct block *
--gen_gateway(eaddr, alist, proto, dir)
--	const u_char *eaddr;
--	bpf_u_int32 **alist;
--	int proto;
--	int dir;
-+gen_gateway(cstate, eaddr, alist, proto, dir)
-+    compiler_state_t *cstate;
-+    const u_char *eaddr;
-+    bpf_u_int32 **alist;
-+    int proto;
-+    int dir;
- {
- 	struct block *b0, *b1, *tmp;
- 
-@@ -6472,7 +6473,7 @@ gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
- 		alist = pcap_nametoaddr(name);
- 		if (alist == NULL || *alist == NULL)
- 			bpf_error(cstate, "unknown host '%s'", name);
--		b = gen_gateway(eaddr, alist, proto, dir);
-+		b = gen_gateway(cstate, eaddr, alist, proto, dir);
- 		free(eaddr);
- 		return b;
- #else
--- 
-2.1.4
-

package/libs/libpcap/patches/100-debian_shared_lib.patch

@@ -3,7 +3,7 @@ build a shared library.
 
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -38,6 +38,13 @@ mandir = @mandir@
+@@ -40,6 +40,13 @@ mandir = @mandir@
  srcdir = @srcdir@
  VPATH = @srcdir@
  
@@ -17,17 +17,17 @@ build a shared library.
  #
  # You shouldn't need to edit anything below.
  #
-@@ -62,7 +69,8 @@ DEPENDENCY_CFLAG = @DEPENDENCY_CFLAG@
- PROG=libpcap
+@@ -69,7 +76,8 @@ INSTALL_RPCAPD=@INSTALL_RPCAPD@
+ EXTRA_NETWORK_LIBS=@EXTRA_NETWORK_LIBS@
  
- # Standard CFLAGS
--FULL_CFLAGS = $(CCOPT) $(INCLS) $(DEFS) $(CFLAGS)
-+FULL_CFLAGS = $(CCOPT) $(INCLS) $(DEFS) $(CFLAGS) $(CPPFLAGS)
+ # Standard CFLAGS for building members of a shared library
+-FULL_CFLAGS = $(CCOPT) @V_LIB_CCOPT_FAT@ $(SHLIB_CCOPT) $(INCLS) $(DEFS) $(CFLAGS)
++FULL_CFLAGS = $(CCOPT) @V_LIB_CCOPT_FAT@ $(SHLIB_CCOPT) $(INCLS) $(DEFS) $(CFLAGS) $(CPPFLAGS)
 +CFLAGS_SHARED = -shared -Wl,-soname,$(SHAREDLIB)
  
  INSTALL = @INSTALL@
  INSTALL_PROGRAM = @INSTALL_PROGRAM@
-@@ -77,7 +85,11 @@ YACC = @YACC@
+@@ -84,7 +92,11 @@ YACC = @YACC@
  # problem if you don't own the file but can write to the directory.
  .c.o:
  	@rm -f $@
@@ -38,9 +38,9 @@ build a shared library.
 +	@rm -f $@
 +	$(CC) -fPIC $(FULL_CFLAGS) -c -o $@ $(srcdir)/$*.c
  
- PSRC =	pcap-@V_PCAP@.c @USB_SRC@ @BT_SRC@ @BT_MONITOR_SRC@ @NETFILTER_SRC@ @DBUS_SRC@
+ PSRC =	pcap-@V_PCAP@.c @USB_SRC@ @BT_SRC@ @BT_MONITOR_SRC@ @NETFILTER_SRC@ @DBUS_SRC@ @NETMAP_SRC@ @RDMA_SRC@
  FSRC =  @V_FINDALLDEVS@
-@@ -93,6 +105,7 @@ SRC =	$(PSRC) $(FSRC) $(CSRC) $(SSRC) $(
+@@ -101,6 +113,7 @@ SRC =	$(PSRC) $(FSRC) $(CSRC) $(SSRC) $(
  # We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot
  # hack the extra indirection
  OBJ =	$(PSRC:.c=.o) $(FSRC:.c=.o) $(CSRC:.c=.o) $(SSRC:.c=.o) $(GENSRC:.c=.o) $(LIBOBJS)
@@ -48,16 +48,16 @@ build a shared library.
  PUBHDR = \
  	pcap.h \
  	pcap-bpf.h \
-@@ -157,7 +170,7 @@ TAGFILES = \
+@@ -155,7 +168,7 @@ TAGFILES = \
  
- CLEANFILES = $(OBJ) libpcap.* $(TESTS) \
+ CLEANFILES = $(OBJ) libpcap.a libpcap.so.`cat $(srcdir)/VERSION` \
  	$(PROG)-`cat $(srcdir)/VERSION`.tar.gz $(GENSRC) $(GENHDR) \
--	lex.yy.c pcap-config
-+	lex.yy.c pcap-config $(OBJ_PIC)
+-	lex.yy.c pcap-config libpcap.pc
++	lex.yy.c pcap-config libpcap.pc $(OBJ_PIC)
  
  MAN1 = pcap-config.1
  
-@@ -365,7 +378,7 @@ libpcap.a: $(OBJ)
+@@ -392,7 +405,7 @@ libpcap.a: $(OBJ)
  	$(AR) rc $@ $(OBJ) $(ADDLARCHIVEOBJS)
  	$(RANLIB) $@
  
@@ -66,7 +66,7 @@ build a shared library.
  
  libpcap.so: $(OBJ)
  	@rm -f $@
-@@ -443,6 +456,12 @@ libpcap.shareda: $(OBJ)
+@@ -468,6 +481,12 @@ libpcap.shareda: $(OBJ)
  #
  libpcap.none:
  
@@ -79,44 +79,37 @@ build a shared library.
  scanner.c: $(srcdir)/scanner.l
  	$(LEX) -P pcap_ --header-file=scanner.h --nounput -o scanner.c $<
  scanner.h: scanner.c
-@@ -455,6 +474,9 @@ scanner.h: scanner.c
+@@ -480,6 +499,9 @@ scanner.h: scanner.c
  scanner.o: scanner.c grammar.h
  	$(CC) $(FULL_CFLAGS) -c scanner.c
  
 +scanner_pic.o: scanner.c grammar.h
 +	$(CC) -fPIC $(FULL_CFLAGS) -o $@ -c scanner.c
 +
- pcap.o: pcap_version.h
- 
  grammar.c: $(srcdir)/grammar.y
-@@ -472,9 +494,16 @@ grammar.o: grammar.c
+ 	$(YACC) -p pcap_ -o grammar.c -d $<
+ grammar.h: grammar.c
+@@ -492,6 +514,9 @@ grammar.h: grammar.c
+ grammar.o: grammar.c scanner.h
+ 	$(CC) $(FULL_CFLAGS) -c grammar.c
+ 
++grammar_pic.o: grammar.c scanner.h
++	$(CC) -fPIC $(FULL_CFLAGS) -o $@ -c grammar.c
++
  gencode.o: $(srcdir)/gencode.c grammar.h scanner.h
  	$(CC) $(FULL_CFLAGS) -c $(srcdir)/gencode.c
  
-+grammar_pic.o: grammar.c
-+	@rm -f $@
-+	$(CC) -fPIC $(FULL_CFLAGS) -Dyylval=pcap_lval -o $@ -c grammar.c
-+
- version.o: version.c
- 	$(CC) $(FULL_CFLAGS) -c version.c
- 
-+version_pic.o: version.c
-+	$(CC) -fPIC $(FULL_CFLAGS) -c version.c -o $@
-+
- snprintf.o: $(srcdir)/missing/snprintf.c
- 	$(CC) $(FULL_CFLAGS) -o $@ -c $(srcdir)/missing/snprintf.c
- 
-@@ -501,6 +530,9 @@ bpf_filter.c: $(srcdir)/bpf/net/bpf_filt
- bpf_filter.o: bpf_filter.c
- 	$(CC) $(FULL_CFLAGS) -c bpf_filter.c
+@@ -539,6 +564,9 @@ pcap-config: $(srcdir)/pcap-config.in ./
+ 	mv $@.tmp $@
+ 	chmod a+x $@
  
 +bpf_filter_pic.o: bpf_filter.c
 +	$(CC) -fPIC $(FULL_CFLAGS) -c bpf_filter.c -o $@
 +
  #
- # Generate the pcap-config script.
+ # Remote pcap daemon.
  #
-@@ -623,14 +655,11 @@ install: install-shared install-archive
+@@ -632,14 +660,11 @@ install: install-shared install-archive
  		    $(DESTDIR)$(mandir)/man@MAN_MISC_INFO@/`echo $$i | sed 's/.manmisc.in/.@MAN_MISC_INFO@/'`; done
  
  install-shared: install-shared-$(DYEXT)
@@ -136,27 +129,27 @@ build a shared library.
  	    (mkdir -p $(DESTDIR)$(libdir); chmod 755 $(DESTDIR)$(libdir))
 --- a/aclocal.m4
 +++ b/aclocal.m4
-@@ -470,7 +470,7 @@ AC_DEFUN(AC_LBL_SHLIBS_INIT,
+@@ -507,7 +507,7 @@ AC_DEFUN(AC_LBL_SHLIBS_INIT,
  			esac
  			;;
  		    esac
--		    V_CCOPT="$V_CCOPT $PIC_OPT"
-+		    V_CCOPT="$V_CCOPT"
+-		    V_SHLIB_CCOPT="$V_SHLIB_CCOPT $PIC_OPT"
++		    V_SHLIB_CCOPT="$V_SHLIB_CCOPT"
  		    V_SONAME_OPT="-Wl,-soname,"
  		    V_RPATH_OPT="-Wl,-rpath,"
  		    ;;
-@@ -533,7 +533,7 @@ AC_DEFUN(AC_LBL_SHLIBS_INIT,
+@@ -570,7 +570,7 @@ AC_DEFUN(AC_LBL_SHLIBS_INIT,
  		    #
  		    # "cc" is GCC.
  		    #
--		    V_CCOPT="$V_CCOPT -fpic"
-+		    V_CCOPT="$V_CCOPT"
+-		    V_SHLIB_CCOPT="$V_SHLIB_CCOPT -fpic"
++		    V_SHLIB_CCOPT="$V_SHLIB_CCOPT"
  		    V_SHLIB_CMD="\$(CC)"
  		    V_SHLIB_OPT="-shared"
  		    V_SONAME_OPT="-Wl,-soname,"
 --- a/pcap-config.in
 +++ b/pcap-config.in
-@@ -36,16 +36,6 @@ do
+@@ -41,16 +41,6 @@ do
  	esac
  	shift
  done

package/libs/libpcap/patches/102-makefile_disable_manpages.patch

@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -589,70 +589,12 @@ install: install-shared install-archive
+@@ -588,14 +588,6 @@ install: install-shared install-archive
  	    (mkdir -p $(DESTDIR)$(includedir); chmod 755 $(DESTDIR)$(includedir))
  	[ -d $(DESTDIR)$(includedir)/pcap ] || \
  	    (mkdir -p $(DESTDIR)$(includedir)/pcap; chmod 755 $(DESTDIR)$(includedir)/pcap)
@@ -15,9 +15,10 @@
  	for i in $(PUBHDR); do \
  		$(INSTALL_DATA) $(srcdir)/$$i \
  		    $(DESTDIR)$(includedir)/$$i; done
- 	[ -d $(DESTDIR)$(bindir) ] || \
- 	    (mkdir -p $(DESTDIR)$(bindir); chmod 755 $(DESTDIR)$(bindir))
- 	$(INSTALL_PROGRAM) pcap-config $(DESTDIR)$(bindir)/pcap-config
+@@ -605,59 +597,6 @@ install: install-shared install-archive
+ 	[ -d $(DESTDIR)$(libdir)/pkgconfig ] || \
+ 	    (mkdir -p $(DESTDIR)$(libdir)/pkgconfig; chmod 755 $(DESTDIR)$(libdir)/pkgconfig)
+ 	$(INSTALL_DATA) libpcap.pc $(DESTDIR)$(libdir)/pkgconfig/libpcap.pc
 -	for i in $(MAN1); do \
 -		$(INSTALL_DATA) $(srcdir)/$$i \
 -		    $(DESTDIR)$(mandir)/man1/$$i; done
@@ -31,6 +32,9 @@
 -	rm -f pcap_datalink_val_to_description.3pcap && \
 -	$(LN_S) pcap_datalink_val_to_name.3pcap \
 -		 pcap_datalink_val_to_description.3pcap && \
+-	rm -f pcap_datalink_val_to_description_or_dlt.3pcap && \
+-	$(LN_S) pcap_datalink_val_to_name.3pcap \
+-		 pcap_datalink_val_to_description_or_dlt.3pcap && \
 -	rm -f pcap_dump_fopen.3pcap && \
 -	$(LN_S) pcap_dump_open.3pcap pcap_dump_fopen.3pcap && \
 -	rm -f pcap_freealldevs.3pcap && \

package/libs/libpcap/patches/103-makefile_flex_workaround.patch

@@ -3,12 +3,12 @@
 
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -56,7 +56,7 @@ LN_S = @LN_S@
- MKDEP = @MKDEP@
+@@ -59,7 +59,7 @@ MKDEP = @MKDEP@
  CCOPT = @V_CCOPT@
+ SHLIB_CCOPT = @V_SHLIB_CCOPT@
  INCLS = -I. @V_INCLS@
--DEFS = -DBUILDING_PCAP @DEFS@ @V_DEFS@
-+DEFS = -DBUILDING_PCAP -D_BSD_SOURCE @DEFS@ @V_DEFS@
+-DEFS = -DBUILDING_PCAP -Dpcap_EXPORTS @DEFS@ @V_DEFS@
++DEFS = -DBUILDING_PCAP -D_BSD_SOURCE -Dpcap_EXPORTS @DEFS@ @V_DEFS@
  ADDLOBJS = @ADDLOBJS@
  ADDLARCHIVEOBJS = @ADDLARCHIVEOBJS@
  LIBS = @LIBS@

package/libs/libpcap/patches/201-space_optimization.patch

@@ -1,6 +1,6 @@
 --- a/pcap-common.c
 +++ b/pcap-common.c
-@@ -1447,14 +1447,23 @@ swap_pseudo_headers(int linktype, struct
+@@ -1570,14 +1570,23 @@ swap_pseudo_headers(int linktype, struct
  		break;
  
  	case DLT_USB_LINUX:

package/libs/libpcap/patches/202-protocol_api.patch

@@ -1,142 +0,0 @@
-This API extension is used by ead (Emergency Access Daemon)
-
---- a/pcap-linux.c
-+++ b/pcap-linux.c
-@@ -425,7 +425,7 @@ static int	iface_get_id(int fd, const ch
- static int	iface_get_mtu(int fd, const char *device, char *ebuf);
- static int 	iface_get_arptype(int fd, const char *device, char *ebuf);
- #ifdef HAVE_PF_PACKET_SOCKETS
--static int 	iface_bind(int fd, int ifindex, char *ebuf);
-+static int 	iface_bind(int fd, int ifindex, char *ebuf, unsigned short proto);
- #ifdef IW_MODE_MONITOR
- static int	has_wext(int sock_fd, const char *device, char *ebuf);
- #endif /* IW_MODE_MONITOR */
-@@ -1059,7 +1059,7 @@ pcap_can_set_rfmon_linux(pcap_t *handle)
- 	 * (We assume that if we have Wireless Extensions support
- 	 * we also have PF_PACKET support.)
- 	 */
--	sock_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
-+	sock_fd = socket(PF_PACKET, SOCK_RAW, p->opt.proto);
- 	if (sock_fd == -1) {
- 		(void)pcap_snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
- 		    "socket: %s", pcap_strerror(errno));
-@@ -1456,6 +1456,9 @@ pcap_activate_linux(pcap_t *handle)
- 	handle->read_op = pcap_read_linux;
- 	handle->stats_op = pcap_stats_linux;
- 
-+	if (handle->opt.proto < 0)
-+		handle->opt.proto = (int) htons(ETH_P_ALL);
-+
- 	/*
- 	 * The "any" device is a special device which causes us not
- 	 * to bind to a particular device and thus to look at all
-@@ -3335,8 +3338,8 @@ activate_new(pcap_t *handle)
- 	 * try a SOCK_RAW socket for the raw interface.
- 	 */
- 	sock_fd = is_any_device ?
--		socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) :
--		socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
-+		socket(PF_PACKET, SOCK_DGRAM, handle->opt.proto) :
-+		socket(PF_PACKET, SOCK_RAW, handle->opt.proto);
- 
- 	if (sock_fd == -1) {
- 		if (errno == EINVAL || errno == EAFNOSUPPORT) {
-@@ -3454,7 +3457,7 @@ activate_new(pcap_t *handle)
- 				return PCAP_ERROR;
- 			}
- 			sock_fd = socket(PF_PACKET, SOCK_DGRAM,
--			    htons(ETH_P_ALL));
-+			    handle->opt.proto);
- 			if (sock_fd == -1) {
- 				pcap_snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
- 				    "socket: %s", pcap_strerror(errno));
-@@ -3518,7 +3521,7 @@ activate_new(pcap_t *handle)
- 		}
- 
- 		if ((err = iface_bind(sock_fd, handlep->ifindex,
--		    handle->errbuf)) != 1) {
-+		    handle->errbuf, handle->opt.proto)) != 1) {
- 		    	close(sock_fd);
- 			if (err < 0)
- 				return err;
-@@ -5271,7 +5274,7 @@ iface_get_id(int fd, const char *device,
-  *  or a PCAP_ERROR_ value on a hard error.
-  */
- static int
--iface_bind(int fd, int ifindex, char *ebuf)
-+iface_bind(int fd, int ifindex, char *ebuf, unsigned short proto)
- {
- 	struct sockaddr_ll	sll;
- 	int			err;
-@@ -5280,7 +5283,7 @@ iface_bind(int fd, int ifindex, char *eb
- 	memset(&sll, 0, sizeof(sll));
- 	sll.sll_family		= AF_PACKET;
- 	sll.sll_ifindex		= ifindex;
--	sll.sll_protocol	= htons(ETH_P_ALL);
-+	sll.sll_protocol	= proto;
- 
- 	if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
- 		if (errno == ENETDOWN) {
-@@ -6325,7 +6328,7 @@ activate_old(pcap_t *handle)
- 
- 	/* Open the socket */
- 
--	handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
-+	handle->fd = socket(PF_INET, SOCK_PACKET, handle->opt.proto);
- 	if (handle->fd == -1) {
- 		pcap_snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
- 			 "socket: %s", pcap_strerror(errno));
---- a/pcap.c
-+++ b/pcap.c
-@@ -578,6 +578,7 @@ pcap_create_common(char *ebuf, size_t si
- 	p->opt.promisc = 0;
- 	p->opt.rfmon = 0;
- 	p->opt.immediate = 0;
-+	p->opt.proto = -1;
- 	p->opt.tstamp_type = -1;	/* default to not setting time stamp type */
- 	p->opt.tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO;
- 
-@@ -771,6 +772,15 @@ pcap_get_tstamp_precision(pcap_t *p)
- }
- 
- int
-+pcap_set_protocol(pcap_t *p, unsigned short proto)
-+{
-+	if (pcap_check_activated(p))
-+		return PCAP_ERROR_ACTIVATED;
-+	p->opt.proto = proto;
-+	return 0;
-+}
-+
-+int
- pcap_activate(pcap_t *p)
- {
- 	int status;
---- a/pcap/pcap.h
-+++ b/pcap/pcap.h
-@@ -68,6 +68,7 @@ extern "C" {
- #define PCAP_VERSION_MINOR 4
- 
- #define PCAP_ERRBUF_SIZE 256
-+#define HAS_PROTO_EXTENSION
- 
- /*
-  * Compatibility for systems that have a bpf.h that
-@@ -287,6 +288,7 @@ PCAP_API int	pcap_set_timeout(pcap_t *,
- PCAP_API int	pcap_set_tstamp_type(pcap_t *, int);
- PCAP_API int	pcap_set_immediate_mode(pcap_t *, int);
- PCAP_API int	pcap_set_buffer_size(pcap_t *, int);
-+PCAP_API int	pcap_set_protocol(pcap_t *, unsigned short);
- PCAP_API int	pcap_set_tstamp_precision(pcap_t *, int);
- PCAP_API int	pcap_get_tstamp_precision(pcap_t *);
- PCAP_API int	pcap_activate(pcap_t *);
---- a/pcap-int.h
-+++ b/pcap-int.h
-@@ -111,6 +111,7 @@ struct pcap_opt {
- 	char	*device;
- 	int	timeout;	/* timeout for buffering */
- 	u_int	buffer_size;
-+	int	proto;		/* protocol for packet socket (linux) */
- 	int	promisc;
- 	int	rfmon;		/* monitor mode */
- 	int	immediate;	/* immediate mode - deliver packets as soon as they arrive */

package/libs/libpcap/patches/204-usb-bus-path.patch

@@ -2,7 +2,7 @@ Fix USB bus path; /proc/bus/usb is deprecated.
 
 --- a/pcap-usb-linux.c
 +++ b/pcap-usb-linux.c
-@@ -71,7 +71,7 @@
+@@ -73,7 +73,7 @@
  #define USB_TEXT_DIR_OLD "/sys/kernel/debug/usbmon"
  #define USB_TEXT_DIR "/sys/kernel/debug/usb/usbmon"
  #define SYS_USB_BUS_DIR "/sys/bus/usb/devices"

package/libs/libubox/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libubox
-PKG_RELEASE=2
+PKG_RELEASE=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git

package/libs/libubox/patches/0001-blobmsg_json-fix-possible-uninitialized-struct-membe.patch

@@ -0,0 +1,39 @@
+From 2acfe84e4c871fb994c38c9f2508eb9ebd296b74 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 19 Nov 2019 17:34:25 +0100
+Subject: blobmsg_json: fix possible uninitialized struct member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+clang-10 analyzer reports following:
+
+ blobmsg_json.c:285:2: warning: The expression is an uninitialized value. The computed value will also be garbage
+         s->indent_level++;
+         ^~~~~~~~~~~~~~~~~
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -316,7 +316,7 @@ static void setup_strbuf(struct strbuf *
+ 
+ char *blobmsg_format_json_with_cb(struct blob_attr *attr, bool list, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	bool array;
+ 	char *ret;
+ 
+@@ -350,7 +350,7 @@ char *blobmsg_format_json_with_cb(struct
+ 
+ char *blobmsg_format_json_value_with_cb(struct blob_attr *attr, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	char *ret;
+ 
+ 	setup_strbuf(&s, attr, cb, priv, indent);

package/libs/libubox/patches/0002-jshn-fix-off-by-one-in-jshn_parse_file.patch

@@ -0,0 +1,39 @@
+From f27853d71a2cb99ec5de3881716a14611ada307c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 23 Nov 2019 22:48:25 +0100
+Subject: jshn: fix off by one in jshn_parse_file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error:
+
+ Invalid read of size 1
+   at 0x4C32D04: strlen
+   by 0x5043367: json_tokener_parse_ex
+   by 0x5045316: json_tokener_parse_verbose
+   by 0x504537D: json_tokener_parse
+   by 0x401AB1: jshn_parse (jshn.c:179)
+   by 0x40190D: jshn_parse_file (jshn.c:370)
+   by 0x40190D: main (jshn.c:434)
+ Address 0x5848c4c is 0 bytes after a block of size 1,036 alloc'd
+   at 0x4C2FB0F: malloc
+   by 0x4018E2: jshn_parse_file (jshn.c:357)
+   by 0x4018E2: main (jshn.c:434)
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -384,7 +384,7 @@ int main(int argc, char **argv)
+ 				close(fd);
+ 				return 3;
+ 			}
+-			if (!(fbuf = malloc(sb.st_size))) {
++			if (!(fbuf = calloc(1, sb.st_size+1))) {
+ 				fprintf(stderr, "Error allocating memory for %s\n", optarg);
+ 				close(fd);
+ 				return 3;

package/libs/libubox/patches/0003-blob-refactor-attr-parsing-into-separate-function.patch

@@ -0,0 +1,97 @@
+From af2a074160e32692b570f8a3562b4370d38f34e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 13:53:27 +0100
+Subject: blob: refactor attr parsing into separate function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Making blob_parse easier to review.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 61 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 26 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -217,44 +217,53 @@ blob_check_type(const void *ptr, unsigne
+ 	return true;
+ }
+ 
+-int
+-blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++static int
++blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+-	struct blob_attr *pos;
+ 	int found = 0;
+-	int rem;
++	int id = blob_id(attr);
++	size_t len = blob_len(attr);
+ 
+-	memset(data, 0, sizeof(struct blob_attr *) * max);
+-	blob_for_each_attr(pos, attr, rem) {
+-		int id = blob_id(pos);
+-		int len = blob_len(pos);
++	if (id >= max)
++		return 0;
+ 
+-		if (id >= max)
+-			continue;
++	if (info) {
++		int type = info[id].type;
+ 
+-		if (info) {
+-			int type = info[id].type;
++		if (type < BLOB_ATTR_LAST) {
++			if (!blob_check_type(blob_data(attr), len, type))
++				return 0;
++		}
+ 
+-			if (type < BLOB_ATTR_LAST) {
+-				if (!blob_check_type(blob_data(pos), len, type))
+-					continue;
+-			}
++		if (info[id].minlen && len < info[id].minlen)
++			return 0;
+ 
+-			if (info[id].minlen && len < info[id].minlen)
+-				continue;
++		if (info[id].maxlen && len > info[id].maxlen)
++			return 0;
+ 
+-			if (info[id].maxlen && len > info[id].maxlen)
+-				continue;
++		if (info[id].validate && !info[id].validate(&info[id], attr))
++			return 0;
++	}
+ 
+-			if (info[id].validate && !info[id].validate(&info[id], pos))
+-				continue;
+-		}
++	if (!data[id])
++		found++;
+ 
+-		if (!data[id])
+-			found++;
++	data[id] = attr;
++	return found;
++}
+ 
+-		data[id] = pos;
++int
++blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	int found = 0;
++	size_t rem;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr(pos, attr, rem) {
++		found += blob_parse_attr(pos, data, info, max);
+ 	}
++
+ 	return found;
+ }
+ 

package/libs/libubox/patches/0004-blob-introduce-blob_parse_untrusted.patch

@@ -0,0 +1,78 @@
+From b6a0a070f2e14808e835c2fcfa3820a55041902f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 14:11:45 +0100
+Subject: blob: introduce blob_parse_untrusted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blob_parse can be only used on trusted input as it has no possibility to
+check the length of the provided input buffer, which might lead to
+undefined behaviour and/or crashes when supplied with malformed,
+corrupted or otherwise specially crafted input.
+
+So this introduces blob_parse_untrusted variant which expects additional
+input buffer length argument and thus should be able to process also
+inputs from untrusted sources.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 24 ++++++++++++++++++++++++
+ blob.h |  7 +++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/blob.c
++++ b/blob.c
+@@ -253,6 +253,30 @@ blob_parse_attr(struct blob_attr *attr,
+ }
+ 
+ int
++blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	size_t len = 0;
++	int found = 0;
++	size_t rem;
++
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	len = blob_raw_len(attr);
++	if (len != attr_len)
++		return 0;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr_len(pos, attr, len, rem) {
++		found += blob_parse_attr(pos, rem, data, info, max);
++	}
++
++	return found;
++}
++
++/* use only on trusted input, otherwise consider blob_parse_untrusted */
++int
+ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+ 	struct blob_attr *pos;
+--- a/blob.h
++++ b/blob.h
+@@ -199,6 +199,7 @@ extern void blob_nest_end(struct blob_bu
+ extern struct blob_attr *blob_put(struct blob_buf *buf, int id, const void *ptr, unsigned int len);
+ extern bool blob_check_type(const void *ptr, unsigned int len, int type);
+ extern int blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max);
++extern int blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max);
+ extern struct blob_attr *blob_memdup(struct blob_attr *attr);
+ extern struct blob_attr *blob_put_raw(struct blob_buf *buf, const void *ptr, unsigned int len);
+ 
+@@ -254,5 +255,11 @@ blob_put_u64(struct blob_buf *buf, int i
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
++#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
++	for (rem = attr ? blob_len(attr) : 0, \
++	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && rem < attr_len && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0005-blob-fix-OOB-access-in-blob_check_type.patch

@@ -0,0 +1,78 @@
+From 7425d421340594f50c717ff7129b6ee71280a447 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 15:27:16 +0100
+Subject: blob: fix OOB access in blob_check_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by fuzzer:
+
+ ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
+ The signal is caused by a READ memory access.
+     #0 in blob_check_type blob.c:214:43
+     #1 in blob_parse_attr blob.c:234:9
+     #2 in blob_parse_untrusted blob.c:272:12
+     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
+     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
+
+Caused by following line:
+
+	if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
+
+where len was pointing outside of the data buffer.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigne
+ }
+ 
+ static int
+-blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
++	int id;
++	size_t len;
+ 	int found = 0;
+-	int id = blob_id(attr);
+-	size_t len = blob_len(attr);
++	size_t data_len;
+ 
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	id = blob_id(attr);
+ 	if (id >= max)
+ 		return 0;
+ 
++	len = blob_raw_len(attr);
++	if (len > attr_len || len < sizeof(struct blob_attr))
++		return 0;
++
++	data_len = blob_len(attr);
++	if (data_len > len)
++		return 0;
++
+ 	if (info) {
+ 		int type = info[id].type;
+ 
+ 		if (type < BLOB_ATTR_LAST) {
+-			if (!blob_check_type(blob_data(attr), len, type))
++			if (!blob_check_type(blob_data(attr), data_len, type))
+ 				return 0;
+ 		}
+ 
+@@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struc
+ 
+ 	memset(data, 0, sizeof(struct blob_attr *) * max);
+ 	blob_for_each_attr(pos, attr, rem) {
+-		found += blob_parse_attr(pos, data, info, max);
++		found += blob_parse_attr(pos, rem, data, info, max);
+ 	}
+ 
+ 	return found;

package/libs/libubox/patches/0006-blobmsg-fix-heap-buffer-overflow-in-blobmsg_parse.patch

@@ -0,0 +1,32 @@
+From 0773eef13674964d890420673d2501342979d8bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 10 Dec 2019 12:02:40 +0100
+Subject: blobmsg: fix heap buffer overflow in blobmsg_parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error found by the fuzzer:
+
+ ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
+ READ of size 1 at 0x6020004f1c56 thread T0
+     #0 strcmp sanitizer_common_interceptors.inc:442:3
+     #1 blobmsg_parse blobmsg.c:168:8
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -52,6 +52,9 @@ bool blobmsg_check_attr(const struct blo
+ 
+ 	id = blob_id(attr);
+ 	len = blobmsg_data_len(attr);
++	if (len > blob_raw_len(attr))
++		return false;
++
+ 	data = blobmsg_data(attr);
+ 
+ 	if (id > BLOBMSG_TYPE_LAST)

package/libs/libubox/patches/0007-Ensure-blob_attr-length-check-does-not-perform-out-o.patch

@@ -0,0 +1,51 @@
+From cec3ed2550073abbfe0f1f6131c44f90c9d05aa8 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Wed, 28 Nov 2018 13:39:29 +0100
+Subject: Ensure blob_attr length check does not perform out of bounds reads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before there might have been as little as one single byte left which
+would result in 3 bytes of blob_attr->id_len being out of bounds.
+
+Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[line wrapped < 72 chars]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.h    | 4 ++--
+ blobmsg.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/blob.h
++++ b/blob.h
+@@ -243,7 +243,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ 
+ #define __blob_for_each_attr(pos, attr, rem) \
+ 	for (pos = (struct blob_attr *) attr; \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+@@ -251,7 +251,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ #define blob_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blob_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -266,7 +266,7 @@ int blobmsg_printf(struct blob_buf *buf,
+ #define blobmsg_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blobmsg_data_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 

package/libs/libubox/patches/0008-Replace-use-of-blobmsg_check_attr-by-blobmsg_check_a.patch

@@ -0,0 +1,132 @@
+From 8b6a401638317906b6d9039417c1c19ea8cfeab0 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Tue, 13 Nov 2018 04:16:12 +0100
+Subject: Replace use of blobmsg_check_attr by blobmsg_check_attr_len
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blobmsg_check_attr_len adds a length limit specifying the max offset
+from attr that can be read safely.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[rebased and reworked, line wrapped commit message, _safe -> _len]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 59 +++++++++++++++++++++++++++++++++++++++++++------------
+ blobmsg.h |  2 ++
+ 2 files changed, 48 insertions(+), 13 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -33,37 +33,70 @@ blobmsg_namelen(const struct blobmsg_hdr
+ 
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
+ {
++	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
++}
++
++static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
++{
++	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+-	const char *data;
+-	int id, len;
+ 
+-	if (blob_len(attr) < sizeof(struct blobmsg_hdr))
++	hdr = blob_data(attr);
++	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	hdr = (void *) attr->data;
+-	if (!hdr->namelen && name)
++	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
+ 		return false;
+ 
+-	if (blobmsg_namelen(hdr) > blob_len(attr) - sizeof(struct blobmsg_hdr))
++	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+ 		return false;
+ 
+ 	if (hdr->name[blobmsg_namelen(hdr)] != 0)
+ 		return false;
+ 
+-	id = blob_id(attr);
+-	len = blobmsg_data_len(attr);
+-	if (len > blob_raw_len(attr))
+-		return false;
++	return true;
++}
++
++static const char* blobmsg_check_data(const struct blob_attr *attr, size_t len, size_t *data_len)
++{
++	char *limit = (char *) attr + len;
++	const char *data;
++
++	*data_len = blobmsg_data_len(attr);
++	if (*data_len > blob_raw_len(attr))
++		return NULL;
+ 
+ 	data = blobmsg_data(attr);
++	if (data + *data_len > limit)
++		return NULL;
+ 
++	return data;
++}
++
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len)
++{
++	const char *data;
++	size_t data_len;
++	int id;
++
++	if (len < sizeof(struct blob_attr))
++		return false;
++
++	if (!blobmsg_check_name(attr, len, name))
++		return false;
++
++	id = blob_id(attr);
+ 	if (id > BLOBMSG_TYPE_LAST)
+ 		return false;
+ 
+ 	if (!blob_type[id])
+ 		return true;
+ 
+-	return blob_check_type(data, len, blob_type[id]);
++	data = blobmsg_check_data(attr, len, &data_len);
++	if (!data)
++		return false;
++
++	return blob_check_type(data, data_len, blob_type[id]);
+ }
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+@@ -114,7 +147,7 @@ int blobmsg_parse_array(const struct blo
+ 		    blob_id(attr) != policy[i].type)
+ 			continue;
+ 
+-		if (!blobmsg_check_attr(attr, false))
++		if (!blobmsg_check_attr_len(attr, false, len))
+ 			return -1;
+ 
+ 		if (tb[i])
+@@ -161,7 +194,7 @@ int blobmsg_parse(const struct blobmsg_p
+ 			if (blobmsg_namelen(hdr) != pslen[i])
+ 				continue;
+ 
+-			if (!blobmsg_check_attr(attr, true))
++			if (!blobmsg_check_attr_len(attr, true, len))
+ 				return -1;
+ 
+ 			if (tb[i])
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -107,6 +107,8 @@ static inline int blobmsg_len(const stru
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
++
+ /*
+  * blobmsg_check_array: validate array/table and return size
+  *

package/libs/libubox/patches/0009-blobmsg-add-_len-variants-for-all-attribute-checking.patch

@@ -0,0 +1,157 @@
+From ad29d0304983e283d4aec4ee5462942eaf5c03ac Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Thu, 15 Nov 2018 03:42:48 +0100
+Subject: blobmsg: add _len variants for all attribute checking methods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce _len variants of blobmsg attribute checking functions which
+aims to provide safer implementation as those functions should limit all
+memory accesses performed on the blob to the range [attr, attr + len]
+(upper bound non inclusive) and thus should be suited for checking of
+untrusted blob attributes.
+
+While at it add some comments in order to make it clear.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 21 ++++++++++++++++++---
+ blobmsg.h | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 72 insertions(+), 4 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,11 +101,21 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
++	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++}
++
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)
++{
+ 	struct blob_attr *cur;
+ 	bool name;
+-	int rem;
+ 	int size = 0;
+ 
++	if (type > BLOBMSG_TYPE_LAST)
++		return -1;
++
++	if (!blobmsg_check_attr_len(attr, false, len))
++		return -1;
++
+ 	switch (blobmsg_type(attr)) {
+ 	case BLOBMSG_TYPE_TABLE:
+ 		name = true;
+@@ -117,11 +127,11 @@ int blobmsg_check_array(const struct blo
+ 		return -1;
+ 	}
+ 
+-	blobmsg_for_each_attr(cur, attr, rem) {
++	__blobmsg_for_each_attr(cur, attr, len) {
+ 		if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
+ 			return -1;
+ 
+-		if (!blobmsg_check_attr(cur, name))
++		if (!blobmsg_check_attr_len(cur, name, len))
+ 			return -1;
+ 
+ 		size++;
+@@ -135,6 +145,11 @@ bool blobmsg_check_attr_list(const struc
+ 	return blobmsg_check_array(attr, type) >= 0;
+ }
+ 
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len)
++{
++	return blobmsg_check_array_len(attr, type, len) >= 0;
++}
++
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+ 			struct blob_attr **tb, void *data, unsigned int len)
+ {
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -104,19 +104,66 @@ static inline int blobmsg_len(const stru
+ 	return blobmsg_data_len(attr);
+ }
+ 
++/*
++ * blobmsg_check_attr: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+-bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_attr_len: validate a list of attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
+ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
+ 
+ /*
++ * blobmsg_check_attr_list: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
++bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
++
++/*
++ * blobmsg_check_attr_list_len: validate a list of untrusted attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr_list.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len);
++
++/*
+  * blobmsg_check_array: validate array/table and return size
+  *
+  * Checks if all elements of an array or table are valid and have
+  * the specified type. Returns the number of elements in the array
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
+  */
+ int blobmsg_check_array(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_array_len: validate untrusted array/table and return size
++ *
++ * Checks if all elements of an array or table are valid and have
++ * the specified type. Returns the number of elements in the array.
++ *
++ * This method should be safer implementation of blobmsg_check_array.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len);
++
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len);
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+@@ -271,5 +318,11 @@ int blobmsg_printf(struct blob_buf *buf,
+ 	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
++
++#define __blobmsg_for_each_attr(pos, attr, rem) \
++	for (pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0010-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch

@@ -0,0 +1,39 @@
+From 44d9e85ef058fbb9981d53218cafdc451afa5535 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 25 Dec 2019 10:27:59 +0100
+Subject: blobmsg: fix array out of bounds GCC 10 warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following warning reported by GCC 10.0.0 20191203:
+
+ blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
+   234 |  strcpy((char *) hdr->name, (const char *)name);
+       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ In file included from blobmsg.c:16:
+ blobmsg.h:42:10: note: subobject 'name' declared here
+    42 |  uint8_t name[];
+       |          ^~~~
+
+Reported-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -246,7 +246,10 @@ blobmsg_new(struct blob_buf *buf, int ty
+ 	attr->id_len |= be32_to_cpu(BLOB_ATTR_EXTENDED);
+ 	hdr = blob_data(attr);
+ 	hdr->namelen = cpu_to_be16(namelen);
+-	strcpy((char *) hdr->name, (const char *)name);
++
++	memcpy(hdr->name, name, namelen);
++	hdr->name[namelen] = '\0';
++
+ 	pad_end = *data = blobmsg_data(attr);
+ 	pad_start = (char *) &hdr->name[namelen];
+ 	if (pad_start < pad_end)

package/libs/libubox/patches/0011-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,38 @@
+From d0f05d5e6873b30315127d47abbf4ac9f3c8bfb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 28 Dec 2019 19:00:39 +0100
+Subject: blobmsg: fix wrong payload len passed from blobmsg_check_array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix incorrect use of blob_raw_len() on passed blobmsg to
+blobmsg_check_array_len()  introduced in commit b0e21553ae8c ("blobmsg:
+add _len variants for all attribute checking methods") by using correct
+blobmsg_len().
+
+This wrong (higher) length was then for example causing issues in
+procd's instance_config_parse_command() where blobmsg_check_attr_list()
+was failing sanity checking of service command, thus resulting in the
+startup failures of some services like collectd, nlbwmon and samba4.
+
+Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
+Fixes: b0e21553ae8c ("blobmsg: add _len variants for all attribute checking methods")
+Reported-by: Hannu Nyman <hannu.nyman@welho.com>
+Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,7 +101,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/libubox/patches/0012-jshn-prefer-snprintf-usage.patch

@@ -0,0 +1,61 @@
+From 31778937b4153492955495e550435c8bbf7cfde8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:55:34 +0100
+Subject: jshn: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -68,7 +68,7 @@ static int add_json_array(struct array_l
+ 	int ret;
+ 
+ 	for (i = 0, len = array_list_length(a); i < len; i++) {
+-		sprintf(seq, "%d", i);
++		snprintf(seq, sizeof(seq), "%d", i);
+ 		ret = add_json_element(seq, array_list_get_idx(a, i));
+ 		if (ret)
+ 			return ret;
+@@ -197,25 +197,27 @@ static char *getenv_avl(const char *key)
+ static char *get_keys(const char *prefix)
+ {
+ 	char *keys;
++	size_t len = var_prefix_len + strlen(prefix) + sizeof("K_") + 1;
+ 
+-	keys = alloca(var_prefix_len + strlen(prefix) + sizeof("K_") + 1);
+-	sprintf(keys, "%sK_%s", var_prefix, prefix);
++	keys = alloca(len);
++	snprintf(keys, len, "%sK_%s", var_prefix, prefix);
+ 	return getenv_avl(keys);
+ }
+ 
+ static void get_var(const char *prefix, const char **name, char **var, char **type)
+ {
+ 	char *tmpname, *varname;
++	size_t len = var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_");
+ 
+-	tmpname = alloca(var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_"));
++	tmpname = alloca(len);
+ 
+-	sprintf(tmpname, "%s%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%s%s_%s", var_prefix, prefix, *name);
+ 	*var = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sT_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sT_%s_%s", var_prefix, prefix, *name);
+ 	*type = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sN_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sN_%s_%s", var_prefix, prefix, *name);
+ 	varname = getenv_avl(tmpname);
+ 	if (varname)
+ 		*name = varname;

package/libs/libubox/patches/0013-blobmsg-blobmsg_vprintf-prefer-vsnprintf.patch

@@ -0,0 +1,38 @@
+From 935bb933e4a74de7326a4373340fd50655712334 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:57:05 +0100
+Subject: blobmsg: blobmsg_vprintf: prefer vsnprintf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it add handling of possible
+*printf() failures.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -296,10 +296,17 @@ blobmsg_vprintf(struct blob_buf *buf, co
+ 	len = vsnprintf(&cbuf, sizeof(cbuf), format, arg2);
+ 	va_end(arg2);
+ 
++	if (len < 0)
++		return -1;
++
+ 	sbuf = blobmsg_alloc_string_buffer(buf, name, len + 1);
+ 	if (!sbuf)
+ 		return -1;
+-	ret = vsprintf(sbuf, format, arg);
++
++	ret = vsnprintf(sbuf, len + 1, format, arg);
++	if (ret < 0)
++		return -1;
++
+ 	blobmsg_add_string_buffer(buf);
+ 
+ 	return ret;

package/libs/libubox/patches/0014-blobmsg_json-fix-int16-serialization.patch

@@ -0,0 +1,41 @@
+From 1cc755d7c3989b399bf0c60535a858d22819ca27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sun, 12 Jan 2020 22:40:18 +0100
+Subject: blobmsg_json: fix int16 serialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+int16 blobmsg type is currently being serialized as uint16_t due to
+missing cast during JSON output.
+
+Following blobmsg content:
+
+ bar-min: -32768 (i16)
+ bar-max: 32767 (i16)
+
+Produces following JSON:
+
+ { "bar-min":32768,"bar-max":32767 }
+
+Whereas one would expect:
+
+ { "bar-min":-32768,"bar-max":32767 }
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -250,7 +250,7 @@ static void blobmsg_format_element(struc
+ 		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", be16_to_cpu(*(uint16_t *)data));
++		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+ 		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));

package/libs/libubox/patches/0015-blobmsg_json-prefer-snprintf-usage.patch

@@ -0,0 +1,66 @@
+From 0e330ec3662795aea42ac36ecf7a9f32a249c36d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 09:05:02 +0100
+Subject: blobmsg_json: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it prefer use of PRId16 and PRId32
+formatting constants as well.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -203,7 +203,7 @@ static void blobmsg_format_string(struct
+ 		buf[1] = escape;
+ 
+ 		if (escape == 'u') {
+-			sprintf(buf + 4, "%02x", (unsigned char) *p);
++			snprintf(buf + 4, sizeof(buf) - 4, "%02x", (unsigned char) *p);
+ 			len = 6;
+ 		} else {
+ 			len = 2;
+@@ -220,7 +220,7 @@ static void blobmsg_format_json_list(str
+ static void blobmsg_format_element(struct strbuf *s, struct blob_attr *attr, bool without_name, bool head)
+ {
+ 	const char *data_str;
+-	char buf[32];
++	char buf[317];
+ 	void *data;
+ 	int len;
+ 
+@@ -244,22 +244,22 @@ static void blobmsg_format_element(struc
+ 	data_str = buf;
+ 	switch(blob_id(attr)) {
+ 	case BLOBMSG_TYPE_UNSPEC:
+-		sprintf(buf, "null");
++		snprintf(buf, sizeof(buf), "null");
+ 		break;
+ 	case BLOBMSG_TYPE_BOOL:
+-		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
++		snprintf(buf, sizeof(buf), "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId16, (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+-		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId32, (int32_t) be32_to_cpu(*(uint32_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT64:
+-		sprintf(buf, "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_DOUBLE:
+-		sprintf(buf, "%lf", blobmsg_get_double(attr));
++		snprintf(buf, sizeof(buf), "%lf", blobmsg_get_double(attr));
+ 		break;
+ 	case BLOBMSG_TYPE_STRING:
+ 		blobmsg_format_string(s, data);

package/libs/libubox/patches/0016-blobmsg-blobmsg_parse-and-blobmsg_parse_array-oob-re.patch

@@ -0,0 +1,110 @@
+From 6289e2d29883d5d9510b6a15c18c597478967a42 Mon Sep 17 00:00:00 2001
+From: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+Date: Sun, 12 Jan 2020 12:26:18 +0100
+Subject: blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
+out of bounds read happens because blob_attr and blobmsg_hdr have
+flexible array members, whose size is 0 in the corresponding sizeofs.
+For example the __blob_for_each_attr macro checks whether rem >=
+sizeof(struct blob_attr). However, what LibFuzzer discovered was,
+if the input data was only 4 bytes, the data would be casted to blob_attr,
+and later on blob_data(attr) would be called even though attr->data was empty.
+The same issue could appear with data larger than 4 bytes, where data
+wasn't empty, but contained only the start of the blobmsg_hdr struct,
+and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
+blobmsg_parse and blobmsg_array_parse with LibFuzzer.
+
+CC: Luka Perkov <luka.perkov@sartura.hr>
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+[refactored some checks, added fuzz inputs, adjusted unit test results]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 40 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 32 insertions(+), 8 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -36,16 +36,38 @@ bool blobmsg_check_attr(const struct blo
+ 	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
+ }
+ 
++static const struct blobmsg_hdr* blobmsg_hdr_from_blob(const struct blob_attr *attr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
++		return NULL;
++
++	return blob_data(attr);
++}
++
++static bool blobmsg_hdr_valid_namelen(const struct blobmsg_hdr *hdr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr) + blobmsg_namelen(hdr) + 1)
++		return false;
++
++	return true;
++}
++
+ static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
+ {
+ 	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+ 
+-	hdr = blob_data(attr);
++	hdr = blobmsg_hdr_from_blob(attr, len);
++	if (!hdr)
++		return false;
++
+ 	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
++	if (name && !blobmsg_hdr_valid_namelen(hdr, len))
++		return false;
++
++	if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit)
+ 		return false;
+ 
+ 	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+@@ -79,9 +101,6 @@ bool blobmsg_check_attr_len(const struct
+ 	size_t data_len;
+ 	int id;
+ 
+-	if (len < sizeof(struct blob_attr))
+-		return false;
+-
+ 	if (!blobmsg_check_name(attr, len, name))
+ 		return false;
+ 
+@@ -176,11 +195,10 @@ int blobmsg_parse_array(const struct blo
+ 	return 0;
+ }
+ 
+-
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len)
+ {
+-	struct blobmsg_hdr *hdr;
++	const struct blobmsg_hdr *hdr;
+ 	struct blob_attr *attr;
+ 	uint8_t *pslen;
+ 	int i;
+@@ -197,7 +215,13 @@ int blobmsg_parse(const struct blobmsg_p
+ 	}
+ 
+ 	__blob_for_each_attr(attr, data, len) {
+-		hdr = blob_data(attr);
++		hdr = blobmsg_hdr_from_blob(attr, len);
++		if (!hdr)
++			return -1;
++
++		if (!blobmsg_hdr_valid_namelen(hdr, len))
++			return -1;
++
+ 		for (i = 0; i < policy_len; i++) {
+ 			if (!policy[i].name)
+ 				continue;

package/libs/libubox/patches/0017-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,33 @@
+From 75e300aeec25e032a9778bea34c713969960d1f0 Mon Sep 17 00:00:00 2001
+From: Chris Nisbet <nischris@gmail.com>
+Date: Wed, 12 Feb 2020 21:00:31 +1300
+Subject: [PATCH] blobmsg: fix wrong payload len passed from
+ blobmsg_check_array
+
+Fix incorrect use of blobmsg_len() on passed blobmsg to
+blobmsg_check_array_len() introduced in commit 379cd33d1992
+("fix wrong payload len passed from blobmsg_check_array") by using correct
+blob_len().
+
+By using blobmsg_len() a value too small was passed to blobmsg_check_array()
+which could lead to this function returning an error when there is none.
+
+Fixes: 379cd33d1992 ("fix wrong payload len passed from blobmsg_check_array")
+Signed-off-by: Chris Nisbet <nischris@gmail.com>
+[add fixes tag, rewrap commit message]
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -120,7 +120,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
++	return blobmsg_check_array_len(attr, type, blob_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.1
+PKG_VERSION:=2.16.4
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=7ab76eaefab0b02f26ca889230d553facb2598f3a8f077886c41ec1801d2131a
+PKG_HASH:=5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -599,14 +599,14 @@
+@@ -633,14 +633,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -716,19 +716,19 @@
+@@ -757,19 +757,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -777,7 +777,7 @@
+@@ -818,7 +818,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -830,7 +830,7 @@
+@@ -871,7 +871,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -850,7 +850,7 @@
+@@ -891,7 +891,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -875,7 +875,7 @@
+@@ -916,7 +916,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1009,7 +1009,7 @@
+@@ -1050,7 +1050,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1033,7 +1033,7 @@
+@@ -1074,7 +1074,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1137,7 +1137,7 @@
+@@ -1178,7 +1178,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1232,14 +1232,14 @@
+@@ -1273,14 +1273,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1255,7 +1255,7 @@
+@@ -1296,7 +1296,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1393,7 +1393,7 @@
+@@ -1434,7 +1434,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1568,7 +1568,7 @@
+@@ -1609,7 +1609,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1598,7 +1598,7 @@
+@@ -1639,7 +1639,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1657,7 +1657,7 @@
+@@ -1698,7 +1698,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1987,7 +1987,7 @@
+@@ -2028,7 +2028,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2053,7 +2053,7 @@
+@@ -2094,7 +2094,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2065,7 +2065,7 @@
+@@ -2106,7 +2106,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2074,7 +2074,7 @@
+@@ -2115,7 +2115,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -2085,7 +2085,7 @@
+@@ -2126,7 +2126,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2140,7 +2140,7 @@
+@@ -2185,7 +2185,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2169,7 +2169,7 @@
+@@ -2214,7 +2214,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2332,7 +2332,7 @@
+@@ -2377,7 +2377,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2346,7 +2346,7 @@
+@@ -2391,7 +2391,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2642,7 +2642,7 @@
+@@ -2687,7 +2687,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2652,7 +2652,7 @@
+@@ -2697,7 +2697,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2663,7 +2663,7 @@
+@@ -2708,7 +2708,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2770,7 +2770,7 @@
+@@ -2815,7 +2815,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2870,7 +2870,7 @@
+@@ -2915,7 +2915,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -2980,7 +2980,7 @@
+@@ -3025,7 +3025,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/libs/mbedtls/patches/300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch

@@ -1,27 +0,0 @@
-From 7aff5a70f3580426865b6c86437a3e47546d13f7 Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens <hauke@hauke-m.de>
-Date: Sun, 16 Dec 2018 13:02:49 +0100
-Subject: [PATCH] bn_mul.h: Use optimized MULADDC code only on ARM >= 6
-
-The optimized code uses umaal which was only introduced with ARMv6 and
-is not available on older versions.
-This broke compilation with arm926ej-s CPU for me.
-
-Fixes: 16b1bd89326 ("bn_mul.h: add ARM DSP optimized MULADDC code")
-Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
----
- include/mbedtls/bn_mul.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/include/mbedtls/bn_mul.h
-+++ b/include/mbedtls/bn_mul.h
-@@ -644,7 +644,8 @@
-            "r6", "r7", "r8", "r9", "cc"         \
-          );
- 
--#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
-+#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1) && \
-+      __TARGET_ARCH_ARM >= 6
- 
- #define MULADDC_INIT                            \
-     asm(

package/libs/mbedtls/patches/300-soversion-compatibility.patch

@@ -4,7 +4,7 @@
  
  if(USE_SHARED_MBEDTLS_LIBRARY)
      add_library(mbedcrypto SHARED ${src_crypto})
--    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.1 SOVERSION 3)
+-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.3 SOVERSION 3)
 +    set_target_properties(mbedcrypto PROPERTIES VERSION 2.12.0 SOVERSION 1)
      target_link_libraries(mbedcrypto ${libs})
  
@@ -13,7 +13,7 @@
      target_link_libraries(mbedx509 ${libs} mbedcrypto)
  
      add_library(mbedtls SHARED ${src_tls})
--    set_target_properties(mbedtls PROPERTIES VERSION 2.16.1 SOVERSION 12)
+-    set_target_properties(mbedtls PROPERTIES VERSION 2.16.3 SOVERSION 12)
 +    set_target_properties(mbedtls PROPERTIES VERSION 2.12.0 SOVERSION 10)
      target_link_libraries(mbedtls ${libs} mbedx509)
  
@@ -30,5 +30,5 @@
 -SOEXT_CRYPTO=so.3
 +SOEXT_CRYPTO=so.1
  
- # Set AR_DASH= (empty string) to use an ar implentation that does not accept
+ # Set AR_DASH= (empty string) to use an ar implementation that does not accept
  # the - prefix for command line options (e.g. llvm-ar)

package/libs/openssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.0.2
-PKG_BUGFIX:=s
+PKG_BUGFIX:=u
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,10 +24,11 @@ PKG_SOURCE_URL:= \
 	http://gd.tuwien.ac.at/infosys/security/openssl/source/ \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab96
+PKG_HASH:=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
 PKG_CPE_ID:=cpe:/a:openssl:openssl
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_ENGINE_CRYPTO \

package/libs/openssl/patches/150-no_engines.patch

@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -2144,6 +2144,11 @@ EOF
+@@ -2145,6 +2145,11 @@ EOF
  	close(OUT);
    }
    

package/libs/toolchain/Makefile

@@ -7,7 +7,7 @@
 
 include $(TOPDIR)/rules.mk
 PKG_NAME:=toolchain
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-3.0-with-GCC-exception

package/libs/ustream-ssl/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ustream-ssl
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git

package/libs/ustream-ssl/patches/0001-ustream-ssl-skip-writing-pending-data.patch

@@ -0,0 +1,56 @@
+From c9b6668215a27f2346d5eedd6f29cc720985b448 Mon Sep 17 00:00:00 2001
+From: Jo-Philipp Wich <jo@mein.io>
+Date: Wed, 11 Sep 2019 21:09:59 +0200
+Subject: [PATCH] ustream-ssl: skip writing pending data if .eof is true after
+ connect
+
+Check the .eof member of the underlying ustream after the call to
+__ustream_ssl_connect() since existing users of the library appear
+to set the eof flag as a way to signal connection termination upon
+failing certificate verification.
+
+This is a stop-gap measure to address TALOS-2019-0893 but a proper
+API redesign is required to give applications proper control over
+whether certificate failures are to be ignored or not and the default
+implementation without custom callbacks should always terminate on
+verification failures.
+
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+---
+ ustream-ssl.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/ustream-ssl.c b/ustream-ssl.c
+index e6b084b..47f66d6 100644
+--- a/ustream-ssl.c
++++ b/ustream-ssl.c
+@@ -40,6 +40,26 @@ static void ustream_ssl_check_conn(struct ustream_ssl *us)
+ 		return;
+ 
+ 	if (__ustream_ssl_connect(us) == U_SSL_OK) {
++
++		/* __ustream_ssl_connect() will also return U_SSL_OK when certificate
++		 * verification failed!
++		 *
++		 * Applications may register a custom .notify_verify_error callback in the
++		 * struct ustream_ssl which is called upon verification failures, but there
++		 * is no straight forward way for the callback to terminate the connection
++		 * initiation right away, e.g. through a true or false return value.
++		 *
++		 * Instead, existing implementations appear to set .eof field of the underlying
++		 * ustream in the hope that this inhibits further operations on the stream.
++		 *
++		 * Declare this informal behaviour "official" and check for the state of the
++		 * .eof member after __ustream_ssl_connect() returned, and do not write the
++		 * pending data if it is set to true.
++		 */
++
++		if (us->stream.eof)
++			return;
++
+ 		us->connected = true;
+ 		if (us->notify_connected)
+ 			us->notify_connected(us);
+-- 
+2.20.1
+

package/libs/wolfssl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=3.15.3-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
 # PKG_SOURCE_URL:=https://www.wolfssl.com/
@@ -21,7 +21,8 @@ PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
 	CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \

package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch

@@ -0,0 +1,562 @@
+From 278d54d95de9fa80b4ac9f6dd0f900841114ca8c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean@wolfssl.com>
+Date: Mon, 27 Aug 2018 10:16:40 +1000
+Subject: [PATCH] Make RsaUnPad constant time when Block Type 2 message
+
+(cherry picked from commit ab03f9291b040269ae21d33b9f01529ed8311728)
+[cherry-pick changes]
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -24766,26 +24766,22 @@ static int DoSessionTicket(WOLFSSL* ssl,
+                          * indistinguishable from correctly formatted RSA blocks
+                          */
+ 
+-                        ret = args->lastErr;
+                         args->lastErr = 0; /* reset */
+ 
+                         /* build PreMasterSecret */
+                         ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
+                         ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
+-                        if (ret == 0 && args->sigSz == SECRET_LEN &&
+-                                                         args->output != NULL) {
++                        if (args->output != NULL) {
+                             XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
+-                                &args->output[VERSION_SZ],
+-                                SECRET_LEN - VERSION_SZ);
++                                    &args->output[VERSION_SZ],
++                                    SECRET_LEN - VERSION_SZ);
+                         }
+-                        else {
+-                            /* preMasterSecret has RNG and version set */
+-                            /* return proper length and ignore error */
+-                            /* error will be caught as decryption error */
+-                            args->sigSz = SECRET_LEN;
+-                            ret = 0;
+-                        }
+-
++                        /* preMasterSecret has RNG and version set
++                         * return proper length and ignore error
++                         * error will be caught as decryption error
++                         */
++                        args->sigSz = SECRET_LEN;
++                        ret = 0;
+                         break;
+                     } /* rsa_kea */
+                 #endif /* !NO_RSA */
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -1136,12 +1136,12 @@ static int Hmac_UpdateFinal_CT(Hmac* hma
+             else if (k < maxLen)
+                 b = in[k - WOLFSSL_TLS_HMAC_INNER_SZ];
+ 
+-            b = ctMaskSel(atEoc, b, 0x80);
++            b = ctMaskSel(atEoc, 0x80, b);
+             b &= ~pastEoc;
+             b &= ~isOutBlock | isEocBlock;
+ 
+             if (j >= blockSz - 8) {
+-                b = ctMaskSel(isOutBlock, b, lenBytes[j - (blockSz - 8)]);
++                b = ctMaskSel(isOutBlock, lenBytes[j - (blockSz - 8)], b);
+             }
+ 
+             hashBlock[j] = b;
+--- a/wolfcrypt/src/integer.c
++++ b/wolfcrypt/src/integer.c
+@@ -321,6 +321,17 @@ int mp_to_unsigned_bin (mp_int * a, unsi
+   return res;
+ }
+ 
++int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
++{
++    int i, len;
++
++    len = mp_unsigned_bin_size(a);
++
++    /* pad front w/ zeros to match length */
++    for (i = 0; i < c - len; i++)
++        b[i] = 0x00;
++    return mp_to_unsigned_bin(a, b + i);
++}
+ 
+ /* creates "a" then copies b into it */
+ int mp_init_copy (mp_int * a, mp_int * b)
+--- a/wolfcrypt/src/misc.c
++++ b/wolfcrypt/src/misc.c
+@@ -341,10 +341,22 @@ STATIC INLINE byte ctMaskEq(int a, int b
+     return 0 - (a == b);
+ }
+ 
+-/* Constant time - select b when mask is set and a otherwise. */
++/* Constant time - mask set when a != b. */
++STATIC INLINE byte ctMaskNotEq(int a, int b)
++{
++    return 0 - (a != b);
++}
++
++/* Constant time - select a when mask is set and b otherwise. */
+ STATIC INLINE byte ctMaskSel(byte m, byte a, byte b)
+ {
+-    return (a & ~m) | (b & m);
++    return (b & ~m) | (a & m);
++}
++
++/* Constant time - select integer a when mask is set and integer b otherwise. */
++STATIC INLINE int ctMaskSelInt(byte m, int a, int b)
++{
++    return (b & (~(int)(char)m)) | (a & ((int)(char)m));
+ }
+ 
+ /* Constant time - bit set when a <= b. */
+--- a/wolfcrypt/src/rsa.c
++++ b/wolfcrypt/src/rsa.c
+@@ -989,10 +989,8 @@ static int RsaUnPad_OAEP(byte *pkcsBlock
+     ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
+     ret += pkcsBlock[0]     ^ 0x00; /* Y, the first value, should be 0 */
+ 
+-    if (ret != 0) {
+-        WOLFSSL_MSG("RsaUnPad_OAEP: Padding Error");
+-        return BAD_PADDING_E;
+-    }
++    /* Return 0 data length on error. */
++    idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
+ 
+     /* adjust pointer to correct location in array and return size of M */
+     *output = (byte*)(pkcsBlock + idx);
+@@ -1078,48 +1076,60 @@ static int RsaUnPad_PSS(byte *pkcsBlock,
+ /* UnPad plaintext, set start to *output, return length of plaintext,
+  * < 0 on error */
+ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
+-                                               byte **output, byte padValue)
++                    byte **output, byte padValue)
+ {
+-    word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0;
+-    word32 invalid = 0;
+-    word32 i = 1;
+-    word32 outputLen;
++    int    ret;
++    word32 i;
++    byte   invalid = 0;
+ 
+     if (output == NULL || pkcsBlockLen == 0) {
+         return BAD_FUNC_ARG;
+     }
+ 
+-    if (pkcsBlock[0] != 0x0) { /* skip past zero */
+-        invalid = 1;
+-    }
+-    pkcsBlock++; pkcsBlockLen--;
++    if (padValue == RSA_BLOCK_TYPE_1) {
++        /* First byte must be 0x00 and Second byte, block type, 0x01 */
++        if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
++            WOLFSSL_MSG("RsaUnPad error, invalid formatting");
++            return RSA_PAD_E;
++        }
+ 
+-    /* Require block type padValue */
+-    invalid = (pkcsBlock[0] != padValue) || invalid;
++        /* check the padding until we find the separator */
++        for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
+ 
+-    /* verify the padding until we find the separator */
+-    if (padValue == RSA_BLOCK_TYPE_1) {
+-        while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */}
+-    }
+-    else {
+-        while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */}
+-    }
++        /* Minimum of 11 bytes of pre-message data and must have separator. */
++        if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
++            WOLFSSL_MSG("RsaUnPad error, bad formatting");
++            return RSA_PAD_E;
++        }
+ 
+-    if (!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
+-        WOLFSSL_MSG("RsaUnPad error, bad formatting");
+-        return RSA_PAD_E;
++        *output = (byte *)(pkcsBlock + i);
++        ret = pkcsBlockLen - i;
+     }
++    else {
++        word32 j;
++        byte   pastSep = 0;
+ 
+-    outputLen = pkcsBlockLen - i;
+-    invalid = (outputLen > maxOutputLen) || invalid;
++        /* Decrypted with private key - unpad must be constant time. */
++        for (i = 0, j = 2; j < pkcsBlockLen; j++) {
++           /* Update i if not passed the separator and at separator. */
++           i |= (~pastSep) & ctMaskEq(pkcsBlock[j], 0x00) & (j + 1);
++           pastSep |= ctMaskEq(pkcsBlock[j], 0x00);
++        }
++
++        /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
++        invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
++        /* Must have seen separator. */
++        invalid |= ~pastSep;
++        /* First byte must be 0x00. */
++        invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
++        /* Check against expected block type: padValue */
++        invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
+ 
+-    if (invalid) {
+-        WOLFSSL_MSG("RsaUnPad error, invalid formatting");
+-        return RSA_PAD_E;
++        *output = (byte *)(pkcsBlock + i);
++        ret = ((int)~invalid) & (pkcsBlockLen - i);
+     }
+ 
+-    *output = (byte *)(pkcsBlock + i);
+-    return outputLen;
++    return ret;
+ }
+ 
+ /* helper function to direct unpadding
+@@ -1249,7 +1259,7 @@ static int wc_RsaFunctionSync(const byte
+     mp_int rnd, rndi;
+ #endif
+     int    ret = 0;
+-    word32 keyLen, len;
++    word32 keyLen;
+ #endif
+ 
+ #ifdef WOLFSSL_HAVE_SP_RSA
+@@ -1308,6 +1318,7 @@ static int wc_RsaFunctionSync(const byte
+     }
+ #endif
+ 
++#ifndef TEST_UNPAD_CONSTANT_TIME
+     if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
+         ERROR_OUT(MP_READ_E);
+ 
+@@ -1418,21 +1429,18 @@ static int wc_RsaFunctionSync(const byte
+         ERROR_OUT(RSA_BUFFER_E);
+     }
+ 
+-    len = mp_unsigned_bin_size(&tmp);
+-
+-    /* pad front w/ zeros to match key length */
+-    while (len < keyLen) {
+-        *out++ = 0x00;
+-        len++;
+-    }
+-
+     *outLen = keyLen;
+-
+-    /* convert */
+-    if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
++    if (mp_to_unsigned_bin_len(&tmp, out, keyLen) != MP_OKAY)
+         ERROR_OUT(MP_TO_E);
+ 
+ done:
++#else
++    (void)type;
++    (void)key;
++    (void)keyLen;
++    XMEMCPY(out, in, inLen);
++    *outLen = inLen;
++#endif
+     mp_clear(&tmp);
+ #ifdef WC_RSA_BLINDING
+     if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
+@@ -1633,6 +1641,7 @@ int wc_RsaFunction(const byte* in, word3
+     }
+ #endif
+ 
++#ifndef TEST_UNPAD_CONSTANT_TIME
+ #ifndef NO_RSA_BOUNDS_CHECK
+     if (type == RSA_PRIVATE_DECRYPT &&
+         key->state == RSA_STATE_DECRYPT_EXPTMOD) {
+@@ -1667,6 +1676,7 @@ int wc_RsaFunction(const byte* in, word3
+             return ret;
+     }
+ #endif /* NO_RSA_BOUNDS_CHECK */
++#endif
+ 
+ #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+     if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+@@ -1880,7 +1890,8 @@ static int RsaPrivateDecryptEx(byte* in,
+ 
+         /* if not doing this inline then allocate a buffer for it */
+         if (outPtr == NULL) {
+-            key->data = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
++            key->data = (byte*)XMALLOC(inLen, key->heap,
++                                                      DYNAMIC_TYPE_WOLF_BIGINT);
+             key->dataIsAlloc = 1;
+             if (key->data == NULL) {
+                 ret = MEMORY_E;
+@@ -1909,20 +1920,29 @@ static int RsaPrivateDecryptEx(byte* in,
+         ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
+                              hash, mgf, label, labelSz, saltLen,
+                              mp_count_bits(&key->n), key->heap);
+-        if (ret > 0 && ret <= (int)outLen && pad != NULL) {
++        if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
++            ret = RSA_BUFFER_E;
++        else if (ret >= 0 && pad != NULL) {
++            char c;
++
+             /* only copy output if not inline */
+             if (outPtr == NULL) {
+-                XMEMCPY(out, pad, ret);
++                word32 i, j;
++                int start = (int)((size_t)pad - (size_t)key->data);
++
++                for (i = 0, j = 0; j < key->dataLen; j++) {
++                    out[i] = key->data[j];
++                    c  = ctMaskGTE(j, start);
++                    c &= ctMaskLT(i, outLen);
++                    /* 0 - no add, -1 add */
++                    i += -c;
++                }
+             }
+-            else {
++            else
+                 *outPtr = pad;
+-            }
+-        }
+-        else if (ret >= 0) {
+-            ret = RSA_BUFFER_E;
+-        }
+-        if (ret < 0) {
+-            break;
++
++            ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
++            ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
+         }
+ 
+         key->state = RSA_STATE_DECRYPT_RES;
+@@ -1934,12 +1954,14 @@ static int RsaPrivateDecryptEx(byte* in,
+             defined(HAVE_CAVIUM)
+         if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+                                                    pad_type != WC_RSA_PSS_PAD) {
+-            /* convert result */
+-            byte* dataLen = (byte*)&key->dataLen;
+-            ret = (dataLen[0] << 8) | (dataLen[1]);
++            if (ret > 0) {
++                /* convert result */
++                byte* dataLen = (byte*)&key->dataLen;
++                ret = (dataLen[0] << 8) | (dataLen[1]);
+ 
+-            if (outPtr)
+-                *outPtr = in;
++                if (outPtr)
++                    *outPtr = in;
++            }
+         }
+     #endif
+         break;
+--- a/wolfcrypt/src/sp_int.c
++++ b/wolfcrypt/src/sp_int.c
+@@ -286,7 +286,8 @@ int sp_leading_bit(sp_int* a)
+  * The array must be large enough for encoded number - use mp_unsigned_bin_size
+  * to calculate the number of bytes required.
+  *
+- * a  SP integer.
++ * a    SP integer.
++ * out  Array to put encoding into.
+  * returns MP_OKAY always.
+  */
+ int sp_to_unsigned_bin(sp_int* a, byte* out)
+@@ -305,6 +306,31 @@ int sp_to_unsigned_bin(sp_int* a, byte*
+     return MP_OKAY;
+ }
+ 
++/* Convert the big number to an array of bytes in big-endian format.
++ * The array must be large enough for encoded number - use mp_unsigned_bin_size
++ * to calculate the number of bytes required.
++ * Front-pads the output array with zeros make number the size of the array.
++ *
++ * a      SP integer.
++ * out    Array to put encoding into.
++ * outSz  Size of the array.
++ * returns MP_OKAY always.
++ */
++int sp_to_unsigned_bin_len(sp_int* a, byte* out, int outSz)
++{
++    int i, j, b;
++
++    j = outSz - 1;
++    for (i=0; j>=0; i++) {
++        for (b = 0; b < SP_WORD_SIZE; b += 8) {
++            out[j--] = a->dp[i] >> b;
++            if (j < 0)
++                break;
++        }
++    }
++
++    return MP_OKAY;
++}
+ /* Ensure the data in the big number is zeroed.
+  *
+  * a  SP integer.
+--- a/wolfcrypt/src/tfm.c
++++ b/wolfcrypt/src/tfm.c
+@@ -1964,6 +1964,48 @@ void fp_to_unsigned_bin(fp_int *a, unsig
+   fp_reverse (b, x);
+ }
+ 
++int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c)
++{
++#if DIGIT_BIT == 64 || DIGIT_BIT == 32
++  int i, j, x;
++
++  for (x=c-1,j=0,i=0; x >= 0; x--) {
++     b[x] = (unsigned char)(a->dp[i] >> j);
++     j += 8;
++     i += j == DIGIT_BIT;
++     j &= DIGIT_BIT - 1;
++  }
++
++  return FP_OKAY;
++#else
++  int     x;
++#ifndef WOLFSSL_SMALL_STACK
++   fp_int t[1];
++#else
++   fp_int *t;
++#endif
++
++#ifdef WOLFSSL_SMALL_STACK
++   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
++   if (t == NULL)
++       return FP_MEM;
++#endif
++
++  fp_init_copy(t, a);
++
++  for (x = 0; x < c; x++) {
++      b[x] = (unsigned char) (t->dp[0] & 255);
++      fp_div_2d (t, 8, t, NULL);
++  }
++  fp_reverse (b, x);
++
++#ifdef WOLFSSL_SMALL_STACK
++  XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
++#endif
++  return FP_OKAY;
++#endif
++}
++
+ int fp_unsigned_bin_size(fp_int *a)
+ {
+   int     size = fp_count_bits (a);
+@@ -2435,6 +2477,10 @@ int mp_to_unsigned_bin (mp_int * a, unsi
+   return MP_OKAY;
+ }
+ 
++int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
++{
++  return fp_to_unsigned_bin_len(a, b, c);
++}
+ /* reads a unsigned char array, assumes the msb is stored first [big endian] */
+ int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c)
+ {
+--- a/wolfssl/wolfcrypt/integer.h
++++ b/wolfssl/wolfcrypt/integer.h
+@@ -277,6 +277,7 @@ MP_API int  mp_unsigned_bin_size(mp_int
+ MP_API int  mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c);
+ MP_API int  mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b);
+ MP_API int  mp_to_unsigned_bin (mp_int * a, unsigned char *b);
++MP_API int  mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c);
+ MP_API int  mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y);
+ /* end functions needed by Rsa */
+ 
+--- a/wolfssl/wolfcrypt/misc.h
++++ b/wolfssl/wolfcrypt/misc.h
+@@ -97,7 +97,9 @@ WOLFSSL_LOCAL byte ctMaskGTE(int a, int
+ WOLFSSL_LOCAL byte ctMaskLT(int a, int b);
+ WOLFSSL_LOCAL byte ctMaskLTE(int a, int b);
+ WOLFSSL_LOCAL byte ctMaskEq(int a, int b);
++WOLFSSL_LOCAL byte ctMaskNotEq(int a, int b);
+ WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b);
++WOLFSSL_LOCAL int  ctMaskSelInt(byte m, int a, int b);
+ WOLFSSL_LOCAL byte ctSetLTE(int a, int b);
+ 
+ #endif /* NO_INLINE */
+--- a/wolfssl/wolfcrypt/sp_int.h
++++ b/wolfssl/wolfcrypt/sp_int.h
+@@ -119,7 +119,8 @@ MP_API int sp_read_radix(sp_int* a, cons
+ MP_API int sp_cmp(sp_int* a, sp_int* b);
+ MP_API int sp_count_bits(sp_int* a);
+ MP_API int sp_leading_bit(sp_int* a);
+-MP_API int sp_to_unsigned_bin(sp_int* a, byte* in);
++MP_API int sp_to_unsigned_bin(sp_int* a, byte* out);
++MP_API int sp_to_unsigned_bin_len(sp_int* a, byte* out, int outSz);
+ MP_API void sp_forcezero(sp_int* a);
+ MP_API int sp_copy(sp_int* a, sp_int* b);
+ MP_API int sp_set(sp_int* a, sp_int_digit d);
+@@ -156,30 +157,31 @@ typedef sp_digit mp_digit;
+ 
+ #define mp_free(a)
+ 
+-#define mp_init                 sp_init
+-#define mp_init_multi           sp_init_multi
+-#define mp_clear                sp_clear
+-#define mp_read_unsigned_bin    sp_read_unsigned_bin
+-#define mp_unsigned_bin_size    sp_unsigned_bin_size
+-#define mp_read_radix           sp_read_radix
+-#define mp_cmp                  sp_cmp
+-#define mp_count_bits           sp_count_bits
+-#define mp_leading_bit          sp_leading_bit
+-#define mp_to_unsigned_bin      sp_to_unsigned_bin
+-#define mp_forcezero            sp_forcezero
+-#define mp_copy                 sp_copy
+-#define mp_set                  sp_set
+-#define mp_iszero               sp_iszero
+-#define mp_clamp                sp_clamp
+-#define mp_grow                 sp_grow
+-#define mp_sub_d                sp_sub_d
+-#define mp_cmp_d                sp_cmp_d
+-#define mp_mod                  sp_mod
+-#define mp_zero                 sp_zero
+-#define mp_add_d                sp_add_d
+-#define mp_lshd                 sp_lshd
+-#define mp_add                  sp_add
+-#define mp_isodd                sp_isodd
++#define mp_init                     sp_init
++#define mp_init_multi               sp_init_multi
++#define mp_clear                    sp_clear
++#define mp_read_unsigned_bin        sp_read_unsigned_bin
++#define mp_unsigned_bin_size        sp_unsigned_bin_size
++#define mp_read_radix               sp_read_radix
++#define mp_cmp                      sp_cmp
++#define mp_count_bits               sp_count_bits
++#define mp_leading_bit              sp_leading_bit
++#define mp_to_unsigned_bin          sp_to_unsigned_bin
++#define mp_to_unsigned_bin_len      sp_to_unsigned_bin_len
++#define mp_forcezero                sp_forcezero
++#define mp_copy                     sp_copy
++#define mp_set                      sp_set
++#define mp_iszero                   sp_iszero
++#define mp_clamp                    sp_clamp
++#define mp_grow                     sp_grow
++#define mp_sub_d                    sp_sub_d
++#define mp_cmp_d                    sp_cmp_d
++#define mp_mod                      sp_mod
++#define mp_zero                     sp_zero
++#define mp_add_d                    sp_add_d
++#define mp_lshd                     sp_lshd
++#define mp_add                      sp_add
++#define mp_isodd                    sp_isodd
+ 
+ #define MP_INT_DEFINED
+ 
+--- a/wolfssl/wolfcrypt/tfm.h
++++ b/wolfssl/wolfcrypt/tfm.h
+@@ -563,6 +563,7 @@ int fp_leading_bit(fp_int *a);
+ int fp_unsigned_bin_size(fp_int *a);
+ void fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
+ void fp_to_unsigned_bin(fp_int *a, unsigned char *b);
++int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c);
+ int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
+ 
+ /*int fp_signed_bin_size(fp_int *a);*/
+@@ -686,6 +687,7 @@ MP_API int  mp_unsigned_bin_size(mp_int
+ MP_API int  mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c);
+ MP_API int  mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b);
+ MP_API int  mp_to_unsigned_bin (mp_int * a, unsigned char *b);
++MP_API int  mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c);
+ 
+ MP_API int  mp_sub_d(fp_int *a, fp_digit b, fp_int *c);
+ MP_API int  mp_copy(fp_int* a, fp_int* b);

package/libs/wolfssl/patches/020-Improve-nonce-use-in-ECC-mulmod.patch

@@ -0,0 +1,98 @@
+From ba4d612892bf6e3aae9cca7edce2a6d6b43e3e22 Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean@wolfssl.com>
+Date: Wed, 17 Jul 2019 08:26:02 +1000
+Subject: [PATCH] Improve nonce use in ECC mulmod
+
+(cherry picked from commit 483f6a5acd9808b405306661c121aa6407464dc2)
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -2039,7 +2039,7 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
+    #define M_POINTS 8
+    int           first = 1, bitbuf = 0, bitcpy = 0, j;
+ #else
+-   #define M_POINTS 3
++   #define M_POINTS 4
+ #endif
+ 
+    ecc_point     *tG, *M[M_POINTS];
+@@ -2253,7 +2253,9 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
+    mode   = 0;
+    bitcnt = 1;
+    buf    = 0;
+-   digidx = get_digit_count(k) - 1;
++   digidx = get_digit_count(modulus) - 1;
++   /* The order MAY be 1 bit longer than the modulus. */
++   digidx += (modulus->dp[digidx] >> (DIGIT_BIT-1));
+ 
+    /* perform ops */
+    if (err == MP_OKAY) {
+@@ -2272,25 +2274,53 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
+            i = (buf >> (DIGIT_BIT - 1)) & 1;
+            buf <<= 1;
+ 
+-           if (mode == 0 && i == 0) {
++           if (mode == 0) {
++               mode = i;
+                /* timing resistant - dummy operations */
+                if (err == MP_OKAY)
+-                   err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus,
++                   err = ecc_projective_add_point(M[1], M[2], M[2], a, modulus,
+                                                   mp);
++#ifdef WC_NO_CACHE_RESISTANT
+                if (err == MP_OKAY)
+-                   err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp);
+-               if (err == MP_OKAY)
+-                   continue;
+-           }
+-
+-           if (mode == 0 && i == 1) {
+-               mode = 1;
+-               /* timing resistant - dummy operations */
+-               if (err == MP_OKAY)
+-                   err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus,
+-                                                  mp);
+-               if (err == MP_OKAY)
+-                   err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp);
++                   err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
++#else
++               /* instead of using M[i] for double, which leaks key bit to cache
++                * monitor, use M[2] as temp, make sure address calc is constant,
++                * keep M[0] and M[1] in cache */
++              if (err == MP_OKAY)
++                  err = mp_copy((mp_int*)
++                             ( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->x & wc_off_on_addr[i])),
++                             M[2]->x);
++              if (err == MP_OKAY)
++                  err = mp_copy((mp_int*)
++                             ( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->y & wc_off_on_addr[i])),
++                             M[2]->y);
++              if (err == MP_OKAY)
++                  err = mp_copy((mp_int*)
++                             ( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->z & wc_off_on_addr[i])),
++                             M[2]->z);
++              if (err == MP_OKAY)
++                  err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
++              /* copy M[2] back to M[i] */
++              if (err == MP_OKAY)
++                  err = mp_copy(M[2]->x,
++                             (mp_int*)
++                             ( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->x & wc_off_on_addr[i])) );
++              if (err == MP_OKAY)
++                  err = mp_copy(M[2]->y,
++                             (mp_int*)
++                             ( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->y & wc_off_on_addr[i])) );
++              if (err == MP_OKAY)
++                  err = mp_copy(M[2]->z,
++                             (mp_int*)
++                             ( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
++                               ((wolfssl_word)M[1]->z & wc_off_on_addr[i])) );
++#endif
+                if (err == MP_OKAY)
+                    continue;
+            }

package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch

@@ -1,7 +1,7 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4140,7 +4140,6 @@ AC_CONFIG_FILES([support/wolfssl.pc])
- AC_CONFIG_FILES([rpm/spec])
+@@ -4198,7 +4198,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
+ AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h cyassl/options.h support/wolfssl.pc rpm/spec])
  
  AX_CREATE_GENERIC_CONFIG
 -AX_AM_JOBSERVER([yes])

package/network/config/netifd/files/lib/netifd/proto/dhcp.sh

@@ -46,6 +46,8 @@ proto_dhcp_setup() {
 	json_for_each_item proto_dhcp_add_sendopts sendopts dhcpopts
 
 	[ -z "$hostname" ] && hostname="$(cat /proc/sys/kernel/hostname)"
+	[ "$hostname" = "*" ] && hostname=
+
 	[ "$defaultreqopts" = 0 ] && defaultreqopts="-o" || defaultreqopts=
 	[ "$broadcast" = 1 ] && broadcast="-B" || broadcast=
 	[ "$release" = 1 ] && release="-R" || release=

package/network/services/hostapd/Makefile

@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=6
+PKG_RELEASE:=8
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
@@ -88,9 +88,6 @@ DRIVER_MAKEOPTS= \
 	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
 	CONFIG_DRIVER_WEXT=$(CONFIG_DRIVER_WEXT_SUPPORT) \
 
-space :=
-space +=
-
 ifeq ($(LOCAL_VARIANT),full)
   DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT)
 endif

package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch

@@ -0,0 +1,40 @@
+From 92e1b96c26a84e503847bdd22ebadf697c4031ad Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:20:57 +0300
+Subject: EAP-pwd: Disallow ECC groups with a prime under 256 bits
+
+Based on the SAE implementation guidance update to not allow ECC groups
+with a prime that is under 256 bits, reject groups 25, 26, and 27 in
+EAP-pwd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -85,10 +85,23 @@ static int eap_pwd_kdf(const u8 *key, si
+ }
+ 
+ 
++static int eap_pwd_suitable_group(u16 num)
++{
++	/* Do not allow ECC groups with prime under 256 bits based on guidance
++	 * for the similar design in SAE. */
++	return num == 19 || num == 20 || num == 21 ||
++		num == 28 || num == 29 || num == 30;
++}
++
++
+ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ {
+ 	EAP_PWD_group *grp;
+ 
++	if (!eap_pwd_suitable_group(num)) {
++		wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
++		return NULL;
++	}
+ 	grp = os_zalloc(sizeof(EAP_PWD_group));
+ 	if (!grp)
+ 		return NULL;

package/network/services/hostapd/patches/066-0000-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch

@@ -0,0 +1,54 @@
+From db54db11aec763b6fc74715c36e0f9de0d65e206 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 8 Apr 2019 18:01:07 +0300
+Subject: SAE: Reject unsuitable groups based on REVmd changes
+
+The rules defining which DH groups are suitable for SAE use were
+accepted into IEEE 802.11 REVmd based on this document:
+https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
+
+Enforce those rules in production builds of wpa_supplicant and hostapd.
+CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
+implemented groups to maintain testing coverage.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -18,10 +18,33 @@
+ #include "sae.h"
+ 
+ 
++static int sae_suitable_group(int group)
++{
++#ifdef CONFIG_TESTING_OPTIONS
++	/* Allow all groups for testing purposes in non-production builds. */
++	return 1;
++#else /* CONFIG_TESTING_OPTIONS */
++	/* Enforce REVmd rules on which SAE groups are suitable for production
++	 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
++	 * defined over a prime field whose prime is >= 256 bits. Furthermore,
++	 * ECC groups defined over a characteristic 2 finite field and ECC
++	 * groups with a co-factor greater than 1 are not suitable. */
++	return group == 19 || group == 20 || group == 21 ||
++		group == 28 || group == 29 || group == 30 ||
++		group == 15 || group == 16 || group == 17 || group == 18;
++#endif /* CONFIG_TESTING_OPTIONS */
++}
++
++
+ int sae_set_group(struct sae_data *sae, int group)
+ {
+ 	struct sae_temporary_data *tmp;
+ 
++	if (!sae_suitable_group(group)) {
++		wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
++		return -1;
++	}
++
+ 	sae_clear_data(sae);
+ 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
+ 	if (tmp == NULL)

package/network/services/hostapd/patches/066-0001-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch

@@ -0,0 +1,26 @@
+From e43f08991f00820c1f711ca254021d5f83b5cd7d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 18:52:34 +0300
+Subject: [PATCH 1/6] SAE: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 8e14b030e558d23f65d761895c07089404e61cf1)
+---
+ src/common/sae.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -317,7 +317,7 @@ static int sae_test_pwd_seed_ecc(struct
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ 			pwd_value, sae->tmp->prime_len);
+ 
+-	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
++	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
+ 		return 0;
+ 
+ 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);

package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch

@@ -0,0 +1,65 @@
+From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:07:05 +0300
+Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_gro
+ 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
+ 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ 	u8 x_bin[MAX_ECC_PRIME_LEN];
++	u8 prime_bin[MAX_ECC_PRIME_LEN];
+ 	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ 	struct crypto_hash *hash;
+ 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_gro
+ 	os_memset(x_bin, 0, sizeof(x_bin));
+ 
+ 	prime = crypto_ec_get_prime(grp->group);
++	primebitlen = crypto_ec_prime_len_bits(grp->group);
++	primebytelen = crypto_ec_prime_len(grp->group);
++	if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++				 primebytelen) < 0)
++		return -1;
+ 	cofactor = crypto_bignum_init();
+ 	grp->pwe = crypto_ec_point_init(grp->group);
+ 	tmp1 = crypto_bignum_init();
+@@ -176,8 +182,6 @@ int compute_password_element(EAP_PWD_gro
+ 			   "curve");
+ 		goto fail;
+ 	}
+-	primebitlen = crypto_ec_prime_len_bits(grp->group);
+-	primebytelen = crypto_ec_prime_len(grp->group);
+ 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+ 			   "buffer");
+@@ -243,6 +247,8 @@ int compute_password_element(EAP_PWD_gro
+ 		if (primebitlen % 8)
+ 			buf_shift_right(prfbuf, primebytelen,
+ 					8 - primebitlen % 8);
++		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
++			continue;
+ 
+ 		crypto_bignum_deinit(x_candidate, 1);
+ 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -252,9 +258,6 @@ int compute_password_element(EAP_PWD_gro
+ 			goto fail;
+ 		}
+ 
+-		if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+-			continue;
+-
+ 		wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
+ 				prfbuf, primebytelen);
+ 		const_time_select_bin(found, x_bin, prfbuf, primebytelen,