OpenWrt v18.06.7: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.openwrt.org/feed/packages.git^b0df5d33652220a384593d7b52a8453b022b8f9b
+src-git packages https://git.openwrt.org/feed/packages.git^925068d4f8366240d2aeb2d69b3df12382320ec3
-src-git luci https://git.openwrt.org/project/luci.git^868abc1a564ca8366bbb018a967923cbdc5ee27a
+src-git luci https://git.openwrt.org/project/luci.git^41e2258d6dc1ebe8d3874ae6d6b13db49cff2c5c
-src-git routing https://git.openwrt.org/feed/routing.git^9fa2b249cc286176f07efe343fd9518b383462fc
+src-git routing https://git.openwrt.org/feed/routing.git^0e63ef9276bf41c0d4176127f9f047343b8ffe32
 src-git telephony https://git.openwrt.org/feed/telephony.git^8ecbdabc7c5cadbe571eb947f5cd333a5a785010

include/kernel-version.mk

@@ -2,11 +2,11 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.9 = .208
+LINUX_VERSION-4.9 = .211
-LINUX_VERSION-4.14 = .162
+LINUX_VERSION-4.14 = .167
 
-LINUX_KERNEL_HASH-4.9.208 = b7ad1c9841d671d026c55a4c91c77205f8b488ca5f980f838591c68662e0525a
+LINUX_KERNEL_HASH-4.9.211 = 2597608d5d974cfdc015eaf6a4197b36f19d722b8a309b57e741fb02e311b1be
-LINUX_KERNEL_HASH-4.14.162 = f65170224cd4359ce8b2793b492bd8127abdd0b91350484e001bce13f0c98b4b
+LINUX_KERNEL_HASH-4.14.167 = 2bb78fc7a902faf4f5dad47fdbc2f4bf3df3cf9b41f408e7260f36656659fe43
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))

include/version.mk

@@ -26,13 +26,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.6)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),18.06.7)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7957-d81a8a3e29)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r7976-ca47026b7d)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.6)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/releases/18.06.7)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.openwrt.org/releases/18.06.6"
+		default "http://downloads.openwrt.org/releases/18.06.7"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/kernel/lantiq/ltq-ptm/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-ptm
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/ltq-ptm-$(BUILD_VARIANT)
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

package/kernel/lantiq/ltq-ptm/src/ifxmips_ptm_vdsl.c

@@ -334,6 +334,9 @@ static int ptm_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         dma_cache_wback((unsigned long)skb->data, skb->len);
     }
 
+    /* make the skb unowned */
+    skb_orphan(skb);
+
     *(struct sk_buff **)((unsigned int)skb->data - byteoff - sizeof(struct sk_buff *)) = skb;
     /*  write back to physical memory   */
     dma_cache_wback((unsigned long)skb->data - byteoff - sizeof(struct sk_buff *), skb->len + byteoff + sizeof(struct sk_buff *));

package/libs/libubox/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libubox
-PKG_RELEASE=2
+PKG_RELEASE=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git

package/libs/libubox/patches/0001-blobmsg_json-fix-possible-uninitialized-struct-membe.patch

@@ -0,0 +1,39 @@
+From 2acfe84e4c871fb994c38c9f2508eb9ebd296b74 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 19 Nov 2019 17:34:25 +0100
+Subject: blobmsg_json: fix possible uninitialized struct member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+clang-10 analyzer reports following:
+
+ blobmsg_json.c:285:2: warning: The expression is an uninitialized value. The computed value will also be garbage
+         s->indent_level++;
+         ^~~~~~~~~~~~~~~~~
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -316,7 +316,7 @@ static void setup_strbuf(struct strbuf *
+ 
+ char *blobmsg_format_json_with_cb(struct blob_attr *attr, bool list, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	bool array;
+ 	char *ret;
+ 
+@@ -350,7 +350,7 @@ char *blobmsg_format_json_with_cb(struct
+ 
+ char *blobmsg_format_json_value_with_cb(struct blob_attr *attr, blobmsg_json_format_t cb, void *priv, int indent)
+ {
+-	struct strbuf s;
++	struct strbuf s = {0};
+ 	char *ret;
+ 
+ 	setup_strbuf(&s, attr, cb, priv, indent);

package/libs/libubox/patches/0002-jshn-fix-off-by-one-in-jshn_parse_file.patch

@@ -0,0 +1,39 @@
+From f27853d71a2cb99ec5de3881716a14611ada307c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 23 Nov 2019 22:48:25 +0100
+Subject: jshn: fix off by one in jshn_parse_file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error:
+
+ Invalid read of size 1
+   at 0x4C32D04: strlen
+   by 0x5043367: json_tokener_parse_ex
+   by 0x5045316: json_tokener_parse_verbose
+   by 0x504537D: json_tokener_parse
+   by 0x401AB1: jshn_parse (jshn.c:179)
+   by 0x40190D: jshn_parse_file (jshn.c:370)
+   by 0x40190D: main (jshn.c:434)
+ Address 0x5848c4c is 0 bytes after a block of size 1,036 alloc'd
+   at 0x4C2FB0F: malloc
+   by 0x4018E2: jshn_parse_file (jshn.c:357)
+   by 0x4018E2: main (jshn.c:434)
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -384,7 +384,7 @@ int main(int argc, char **argv)
+ 				close(fd);
+ 				return 3;
+ 			}
+-			if (!(fbuf = malloc(sb.st_size))) {
++			if (!(fbuf = calloc(1, sb.st_size+1))) {
+ 				fprintf(stderr, "Error allocating memory for %s\n", optarg);
+ 				close(fd);
+ 				return 3;

package/libs/libubox/patches/0003-blob-refactor-attr-parsing-into-separate-function.patch

@@ -0,0 +1,97 @@
+From af2a074160e32692b570f8a3562b4370d38f34e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 13:53:27 +0100
+Subject: blob: refactor attr parsing into separate function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Making blob_parse easier to review.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 61 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 26 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -217,44 +217,53 @@ blob_check_type(const void *ptr, unsigne
+ 	return true;
+ }
+ 
+-int
+-blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++static int
++blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+-	struct blob_attr *pos;
+ 	int found = 0;
+-	int rem;
++	int id = blob_id(attr);
++	size_t len = blob_len(attr);
+ 
+-	memset(data, 0, sizeof(struct blob_attr *) * max);
+-	blob_for_each_attr(pos, attr, rem) {
+-		int id = blob_id(pos);
+-		int len = blob_len(pos);
++	if (id >= max)
++		return 0;
+ 
+-		if (id >= max)
+-			continue;
++	if (info) {
++		int type = info[id].type;
+ 
+-		if (info) {
+-			int type = info[id].type;
++		if (type < BLOB_ATTR_LAST) {
++			if (!blob_check_type(blob_data(attr), len, type))
++				return 0;
++		}
+ 
+-			if (type < BLOB_ATTR_LAST) {
+-				if (!blob_check_type(blob_data(pos), len, type))
+-					continue;
+-			}
++		if (info[id].minlen && len < info[id].minlen)
++			return 0;
+ 
+-			if (info[id].minlen && len < info[id].minlen)
+-				continue;
++		if (info[id].maxlen && len > info[id].maxlen)
++			return 0;
+ 
+-			if (info[id].maxlen && len > info[id].maxlen)
+-				continue;
++		if (info[id].validate && !info[id].validate(&info[id], attr))
++			return 0;
++	}
+ 
+-			if (info[id].validate && !info[id].validate(&info[id], pos))
+-				continue;
+-		}
++	if (!data[id])
++		found++;
+ 
+-		if (!data[id])
+-			found++;
++	data[id] = attr;
++	return found;
++}
+ 
+-		data[id] = pos;
++int
++blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	int found = 0;
++	size_t rem;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr(pos, attr, rem) {
++		found += blob_parse_attr(pos, data, info, max);
+ 	}
++
+ 	return found;
+ }
+ 

package/libs/libubox/patches/0004-blob-introduce-blob_parse_untrusted.patch

@@ -0,0 +1,78 @@
+From b6a0a070f2e14808e835c2fcfa3820a55041902f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 14:11:45 +0100
+Subject: blob: introduce blob_parse_untrusted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blob_parse can be only used on trusted input as it has no possibility to
+check the length of the provided input buffer, which might lead to
+undefined behaviour and/or crashes when supplied with malformed,
+corrupted or otherwise specially crafted input.
+
+So this introduces blob_parse_untrusted variant which expects additional
+input buffer length argument and thus should be able to process also
+inputs from untrusted sources.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 24 ++++++++++++++++++++++++
+ blob.h |  7 +++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/blob.c
++++ b/blob.c
+@@ -253,6 +253,30 @@ blob_parse_attr(struct blob_attr *attr,
+ }
+ 
+ int
++blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
++{
++	struct blob_attr *pos;
++	size_t len = 0;
++	int found = 0;
++	size_t rem;
++
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	len = blob_raw_len(attr);
++	if (len != attr_len)
++		return 0;
++
++	memset(data, 0, sizeof(struct blob_attr *) * max);
++	blob_for_each_attr_len(pos, attr, len, rem) {
++		found += blob_parse_attr(pos, rem, data, info, max);
++	}
++
++	return found;
++}
++
++/* use only on trusted input, otherwise consider blob_parse_untrusted */
++int
+ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
+ 	struct blob_attr *pos;
+--- a/blob.h
++++ b/blob.h
+@@ -199,6 +199,7 @@ extern void blob_nest_end(struct blob_bu
+ extern struct blob_attr *blob_put(struct blob_buf *buf, int id, const void *ptr, unsigned int len);
+ extern bool blob_check_type(const void *ptr, unsigned int len, int type);
+ extern int blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max);
++extern int blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max);
+ extern struct blob_attr *blob_memdup(struct blob_attr *attr);
+ extern struct blob_attr *blob_put_raw(struct blob_buf *buf, const void *ptr, unsigned int len);
+ 
+@@ -254,5 +255,11 @@ blob_put_u64(struct blob_buf *buf, int i
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
++#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
++	for (rem = attr ? blob_len(attr) : 0, \
++	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && rem < attr_len && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0005-blob-fix-OOB-access-in-blob_check_type.patch

@@ -0,0 +1,78 @@
+From 7425d421340594f50c717ff7129b6ee71280a447 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 9 Dec 2019 15:27:16 +0100
+Subject: blob: fix OOB access in blob_check_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by fuzzer:
+
+ ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
+ The signal is caused by a READ memory access.
+     #0 in blob_check_type blob.c:214:43
+     #1 in blob_parse_attr blob.c:234:9
+     #2 in blob_parse_untrusted blob.c:272:12
+     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
+     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
+
+Caused by following line:
+
+	if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
+
+where len was pointing outside of the data buffer.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/blob.c
++++ b/blob.c
+@@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigne
+ }
+ 
+ static int
+-blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
++blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
+ {
++	int id;
++	size_t len;
+ 	int found = 0;
+-	int id = blob_id(attr);
+-	size_t len = blob_len(attr);
++	size_t data_len;
+ 
++	if (!attr || attr_len < sizeof(struct blob_attr))
++		return 0;
++
++	id = blob_id(attr);
+ 	if (id >= max)
+ 		return 0;
+ 
++	len = blob_raw_len(attr);
++	if (len > attr_len || len < sizeof(struct blob_attr))
++		return 0;
++
++	data_len = blob_len(attr);
++	if (data_len > len)
++		return 0;
++
+ 	if (info) {
+ 		int type = info[id].type;
+ 
+ 		if (type < BLOB_ATTR_LAST) {
+-			if (!blob_check_type(blob_data(attr), len, type))
++			if (!blob_check_type(blob_data(attr), data_len, type))
+ 				return 0;
+ 		}
+ 
+@@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struc
+ 
+ 	memset(data, 0, sizeof(struct blob_attr *) * max);
+ 	blob_for_each_attr(pos, attr, rem) {
+-		found += blob_parse_attr(pos, data, info, max);
++		found += blob_parse_attr(pos, rem, data, info, max);
+ 	}
+ 
+ 	return found;

package/libs/libubox/patches/0006-blobmsg-fix-heap-buffer-overflow-in-blobmsg_parse.patch

@@ -0,0 +1,32 @@
+From 0773eef13674964d890420673d2501342979d8bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 10 Dec 2019 12:02:40 +0100
+Subject: blobmsg: fix heap buffer overflow in blobmsg_parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error found by the fuzzer:
+
+ ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
+ READ of size 1 at 0x6020004f1c56 thread T0
+     #0 strcmp sanitizer_common_interceptors.inc:442:3
+     #1 blobmsg_parse blobmsg.c:168:8
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -52,6 +52,9 @@ bool blobmsg_check_attr(const struct blo
+ 
+ 	id = blob_id(attr);
+ 	len = blobmsg_data_len(attr);
++	if (len > blob_raw_len(attr))
++		return false;
++
+ 	data = blobmsg_data(attr);
+ 
+ 	if (id > BLOBMSG_TYPE_LAST)

package/libs/libubox/patches/0007-Ensure-blob_attr-length-check-does-not-perform-out-o.patch

@@ -0,0 +1,51 @@
+From cec3ed2550073abbfe0f1f6131c44f90c9d05aa8 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Wed, 28 Nov 2018 13:39:29 +0100
+Subject: Ensure blob_attr length check does not perform out of bounds reads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before there might have been as little as one single byte left which
+would result in 3 bytes of blob_attr->id_len being out of bounds.
+
+Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[line wrapped < 72 chars]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blob.h    | 4 ++--
+ blobmsg.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/blob.h
++++ b/blob.h
+@@ -243,7 +243,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ 
+ #define __blob_for_each_attr(pos, attr, rem) \
+ 	for (pos = (struct blob_attr *) attr; \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+@@ -251,7 +251,7 @@ blob_put_u64(struct blob_buf *buf, int i
+ #define blob_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blob_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -266,7 +266,7 @@ int blobmsg_printf(struct blob_buf *buf,
+ #define blobmsg_for_each_attr(pos, attr, rem) \
+ 	for (rem = attr ? blobmsg_data_len(attr) : 0, \
+ 	     pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
+-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 

package/libs/libubox/patches/0008-Replace-use-of-blobmsg_check_attr-by-blobmsg_check_a.patch

@@ -0,0 +1,132 @@
+From 8b6a401638317906b6d9039417c1c19ea8cfeab0 Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Tue, 13 Nov 2018 04:16:12 +0100
+Subject: Replace use of blobmsg_check_attr by blobmsg_check_attr_len
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+blobmsg_check_attr_len adds a length limit specifying the max offset
+from attr that can be read safely.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[rebased and reworked, line wrapped commit message, _safe -> _len]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 59 +++++++++++++++++++++++++++++++++++++++++++------------
+ blobmsg.h |  2 ++
+ 2 files changed, 48 insertions(+), 13 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -33,37 +33,70 @@ blobmsg_namelen(const struct blobmsg_hdr
+ 
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
+ {
++	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
++}
++
++static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
++{
++	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+-	const char *data;
+-	int id, len;
+ 
+-	if (blob_len(attr) < sizeof(struct blobmsg_hdr))
++	hdr = blob_data(attr);
++	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	hdr = (void *) attr->data;
+-	if (!hdr->namelen && name)
++	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
+ 		return false;
+ 
+-	if (blobmsg_namelen(hdr) > blob_len(attr) - sizeof(struct blobmsg_hdr))
++	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+ 		return false;
+ 
+ 	if (hdr->name[blobmsg_namelen(hdr)] != 0)
+ 		return false;
+ 
+-	id = blob_id(attr);
+-	len = blobmsg_data_len(attr);
+-	if (len > blob_raw_len(attr))
+-		return false;
++	return true;
++}
++
++static const char* blobmsg_check_data(const struct blob_attr *attr, size_t len, size_t *data_len)
++{
++	char *limit = (char *) attr + len;
++	const char *data;
++
++	*data_len = blobmsg_data_len(attr);
++	if (*data_len > blob_raw_len(attr))
++		return NULL;
+ 
+ 	data = blobmsg_data(attr);
++	if (data + *data_len > limit)
++		return NULL;
+ 
++	return data;
++}
++
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len)
++{
++	const char *data;
++	size_t data_len;
++	int id;
++
++	if (len < sizeof(struct blob_attr))
++		return false;
++
++	if (!blobmsg_check_name(attr, len, name))
++		return false;
++
++	id = blob_id(attr);
+ 	if (id > BLOBMSG_TYPE_LAST)
+ 		return false;
+ 
+ 	if (!blob_type[id])
+ 		return true;
+ 
+-	return blob_check_type(data, len, blob_type[id]);
++	data = blobmsg_check_data(attr, len, &data_len);
++	if (!data)
++		return false;
++
++	return blob_check_type(data, data_len, blob_type[id]);
+ }
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+@@ -114,7 +147,7 @@ int blobmsg_parse_array(const struct blo
+ 		    blob_id(attr) != policy[i].type)
+ 			continue;
+ 
+-		if (!blobmsg_check_attr(attr, false))
++		if (!blobmsg_check_attr_len(attr, false, len))
+ 			return -1;
+ 
+ 		if (tb[i])
+@@ -161,7 +194,7 @@ int blobmsg_parse(const struct blobmsg_p
+ 			if (blobmsg_namelen(hdr) != pslen[i])
+ 				continue;
+ 
+-			if (!blobmsg_check_attr(attr, true))
++			if (!blobmsg_check_attr_len(attr, true, len))
+ 				return -1;
+ 
+ 			if (tb[i])
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -107,6 +107,8 @@ static inline int blobmsg_len(const stru
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
++
+ /*
+  * blobmsg_check_array: validate array/table and return size
+  *

package/libs/libubox/patches/0009-blobmsg-add-_len-variants-for-all-attribute-checking.patch

@@ -0,0 +1,157 @@
+From ad29d0304983e283d4aec4ee5462942eaf5c03ac Mon Sep 17 00:00:00 2001
+From: Tobias Schramm <tobleminer@gmail.com>
+Date: Thu, 15 Nov 2018 03:42:48 +0100
+Subject: blobmsg: add _len variants for all attribute checking methods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce _len variants of blobmsg attribute checking functions which
+aims to provide safer implementation as those functions should limit all
+memory accesses performed on the blob to the range [attr, attr + len]
+(upper bound non inclusive) and thus should be suited for checking of
+untrusted blob attributes.
+
+While at it add some comments in order to make it clear.
+
+Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
+[_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 21 ++++++++++++++++++---
+ blobmsg.h | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 72 insertions(+), 4 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,11 +101,21 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
++	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++}
++
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)
++{
+ 	struct blob_attr *cur;
+ 	bool name;
+-	int rem;
+ 	int size = 0;
+ 
++	if (type > BLOBMSG_TYPE_LAST)
++		return -1;
++
++	if (!blobmsg_check_attr_len(attr, false, len))
++		return -1;
++
+ 	switch (blobmsg_type(attr)) {
+ 	case BLOBMSG_TYPE_TABLE:
+ 		name = true;
+@@ -117,11 +127,11 @@ int blobmsg_check_array(const struct blo
+ 		return -1;
+ 	}
+ 
+-	blobmsg_for_each_attr(cur, attr, rem) {
++	__blobmsg_for_each_attr(cur, attr, len) {
+ 		if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
+ 			return -1;
+ 
+-		if (!blobmsg_check_attr(cur, name))
++		if (!blobmsg_check_attr_len(cur, name, len))
+ 			return -1;
+ 
+ 		size++;
+@@ -135,6 +145,11 @@ bool blobmsg_check_attr_list(const struc
+ 	return blobmsg_check_array(attr, type) >= 0;
+ }
+ 
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len)
++{
++	return blobmsg_check_array_len(attr, type, len) >= 0;
++}
++
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+ 			struct blob_attr **tb, void *data, unsigned int len)
+ {
+--- a/blobmsg.h
++++ b/blobmsg.h
+@@ -104,19 +104,66 @@ static inline int blobmsg_len(const stru
+ 	return blobmsg_data_len(attr);
+ }
+ 
++/*
++ * blobmsg_check_attr: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
+ bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+-bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_attr_len: validate a list of attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
+ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len);
+ 
+ /*
++ * blobmsg_check_attr_list: validate a list of attributes
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
++ */
++bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
++
++/*
++ * blobmsg_check_attr_list_len: validate a list of untrusted attributes
++ *
++ * This method should be safer implementation of blobmsg_check_attr_list.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len);
++
++/*
+  * blobmsg_check_array: validate array/table and return size
+  *
+  * Checks if all elements of an array or table are valid and have
+  * the specified type. Returns the number of elements in the array
++ *
++ * This method may be used with trusted data only. Providing
++ * malformed blobs will cause out of bounds memory access.
+  */
+ int blobmsg_check_array(const struct blob_attr *attr, int type);
+ 
++/*
++ * blobmsg_check_array_len: validate untrusted array/table and return size
++ *
++ * Checks if all elements of an array or table are valid and have
++ * the specified type. Returns the number of elements in the array.
++ *
++ * This method should be safer implementation of blobmsg_check_array.
++ * It will limit all memory access performed on the blob to the
++ * range [attr, attr + len] (upper bound non inclusive) and is
++ * thus suited for checking of untrusted blob attributes.
++ */
++int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len);
++
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len);
+ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
+@@ -271,5 +318,11 @@ int blobmsg_printf(struct blob_buf *buf,
+ 	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
+ 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
++
++#define __blobmsg_for_each_attr(pos, attr, rem) \
++	for (pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
++	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
++	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
++	     rem -= blob_pad_len(pos), pos = blob_next(pos))
+ 
+ #endif

package/libs/libubox/patches/0010-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch

@@ -0,0 +1,39 @@
+From 44d9e85ef058fbb9981d53218cafdc451afa5535 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 25 Dec 2019 10:27:59 +0100
+Subject: blobmsg: fix array out of bounds GCC 10 warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following warning reported by GCC 10.0.0 20191203:
+
+ blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
+   234 |  strcpy((char *) hdr->name, (const char *)name);
+       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ In file included from blobmsg.c:16:
+ blobmsg.h:42:10: note: subobject 'name' declared here
+    42 |  uint8_t name[];
+       |          ^~~~
+
+Reported-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -246,7 +246,10 @@ blobmsg_new(struct blob_buf *buf, int ty
+ 	attr->id_len |= be32_to_cpu(BLOB_ATTR_EXTENDED);
+ 	hdr = blob_data(attr);
+ 	hdr->namelen = cpu_to_be16(namelen);
+-	strcpy((char *) hdr->name, (const char *)name);
++
++	memcpy(hdr->name, name, namelen);
++	hdr->name[namelen] = '\0';
++
+ 	pad_end = *data = blobmsg_data(attr);
+ 	pad_start = (char *) &hdr->name[namelen];
+ 	if (pad_start < pad_end)

package/libs/libubox/patches/0011-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch

@@ -0,0 +1,38 @@
+From d0f05d5e6873b30315127d47abbf4ac9f3c8bfb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 28 Dec 2019 19:00:39 +0100
+Subject: blobmsg: fix wrong payload len passed from blobmsg_check_array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix incorrect use of blob_raw_len() on passed blobmsg to
+blobmsg_check_array_len()  introduced in commit b0e21553ae8c ("blobmsg:
+add _len variants for all attribute checking methods") by using correct
+blobmsg_len().
+
+This wrong (higher) length was then for example causing issues in
+procd's instance_config_parse_command() where blobmsg_check_attr_list()
+was failing sanity checking of service command, thus resulting in the
+startup failures of some services like collectd, nlbwmon and samba4.
+
+Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
+Fixes: b0e21553ae8c ("blobmsg: add _len variants for all attribute checking methods")
+Reported-by: Hannu Nyman <hannu.nyman@welho.com>
+Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -101,7 +101,7 @@ bool blobmsg_check_attr_len(const struct
+ 
+ int blobmsg_check_array(const struct blob_attr *attr, int type)
+ {
+-	return blobmsg_check_array_len(attr, type, blob_raw_len(attr));
++	return blobmsg_check_array_len(attr, type, blobmsg_len(attr));
+ }
+ 
+ int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len)

package/libs/libubox/patches/0012-jshn-prefer-snprintf-usage.patch

@@ -0,0 +1,61 @@
+From 31778937b4153492955495e550435c8bbf7cfde8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:55:34 +0100
+Subject: jshn: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ jshn.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/jshn.c
++++ b/jshn.c
+@@ -68,7 +68,7 @@ static int add_json_array(struct array_l
+ 	int ret;
+ 
+ 	for (i = 0, len = array_list_length(a); i < len; i++) {
+-		sprintf(seq, "%d", i);
++		snprintf(seq, sizeof(seq), "%d", i);
+ 		ret = add_json_element(seq, array_list_get_idx(a, i));
+ 		if (ret)
+ 			return ret;
+@@ -197,25 +197,27 @@ static char *getenv_avl(const char *key)
+ static char *get_keys(const char *prefix)
+ {
+ 	char *keys;
++	size_t len = var_prefix_len + strlen(prefix) + sizeof("K_") + 1;
+ 
+-	keys = alloca(var_prefix_len + strlen(prefix) + sizeof("K_") + 1);
+-	sprintf(keys, "%sK_%s", var_prefix, prefix);
++	keys = alloca(len);
++	snprintf(keys, len, "%sK_%s", var_prefix, prefix);
+ 	return getenv_avl(keys);
+ }
+ 
+ static void get_var(const char *prefix, const char **name, char **var, char **type)
+ {
+ 	char *tmpname, *varname;
++	size_t len = var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_");
+ 
+-	tmpname = alloca(var_prefix_len + strlen(prefix) + 1 + strlen(*name) + 1 + sizeof("T_"));
++	tmpname = alloca(len);
+ 
+-	sprintf(tmpname, "%s%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%s%s_%s", var_prefix, prefix, *name);
+ 	*var = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sT_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sT_%s_%s", var_prefix, prefix, *name);
+ 	*type = getenv_avl(tmpname);
+ 
+-	sprintf(tmpname, "%sN_%s_%s", var_prefix, prefix, *name);
++	snprintf(tmpname, len, "%sN_%s_%s", var_prefix, prefix, *name);
+ 	varname = getenv_avl(tmpname);
+ 	if (varname)
+ 		*name = varname;

package/libs/libubox/patches/0013-blobmsg-blobmsg_vprintf-prefer-vsnprintf.patch

@@ -0,0 +1,38 @@
+From 935bb933e4a74de7326a4373340fd50655712334 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 08:57:05 +0100
+Subject: blobmsg: blobmsg_vprintf: prefer vsnprintf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it add handling of possible
+*printf() failures.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -296,10 +296,17 @@ blobmsg_vprintf(struct blob_buf *buf, co
+ 	len = vsnprintf(&cbuf, sizeof(cbuf), format, arg2);
+ 	va_end(arg2);
+ 
++	if (len < 0)
++		return -1;
++
+ 	sbuf = blobmsg_alloc_string_buffer(buf, name, len + 1);
+ 	if (!sbuf)
+ 		return -1;
+-	ret = vsprintf(sbuf, format, arg);
++
++	ret = vsnprintf(sbuf, len + 1, format, arg);
++	if (ret < 0)
++		return -1;
++
+ 	blobmsg_add_string_buffer(buf);
+ 
+ 	return ret;

package/libs/libubox/patches/0014-blobmsg_json-fix-int16-serialization.patch

@@ -0,0 +1,41 @@
+From 1cc755d7c3989b399bf0c60535a858d22819ca27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sun, 12 Jan 2020 22:40:18 +0100
+Subject: blobmsg_json: fix int16 serialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+int16 blobmsg type is currently being serialized as uint16_t due to
+missing cast during JSON output.
+
+Following blobmsg content:
+
+ bar-min: -32768 (i16)
+ bar-max: 32767 (i16)
+
+Produces following JSON:
+
+ { "bar-min":32768,"bar-max":32767 }
+
+Whereas one would expect:
+
+ { "bar-min":-32768,"bar-max":32767 }
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -250,7 +250,7 @@ static void blobmsg_format_element(struc
+ 		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", be16_to_cpu(*(uint16_t *)data));
++		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+ 		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));

package/libs/libubox/patches/0015-blobmsg_json-prefer-snprintf-usage.patch

@@ -0,0 +1,66 @@
+From 0e330ec3662795aea42ac36ecf7a9f32a249c36d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Tue, 14 Jan 2020 09:05:02 +0100
+Subject: blobmsg_json: prefer snprintf usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Better safe than sorry and while at it prefer use of PRId16 and PRId32
+formatting constants as well.
+
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg_json.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/blobmsg_json.c
++++ b/blobmsg_json.c
+@@ -203,7 +203,7 @@ static void blobmsg_format_string(struct
+ 		buf[1] = escape;
+ 
+ 		if (escape == 'u') {
+-			sprintf(buf + 4, "%02x", (unsigned char) *p);
++			snprintf(buf + 4, sizeof(buf) - 4, "%02x", (unsigned char) *p);
+ 			len = 6;
+ 		} else {
+ 			len = 2;
+@@ -220,7 +220,7 @@ static void blobmsg_format_json_list(str
+ static void blobmsg_format_element(struct strbuf *s, struct blob_attr *attr, bool without_name, bool head)
+ {
+ 	const char *data_str;
+-	char buf[32];
++	char buf[317];
+ 	void *data;
+ 	int len;
+ 
+@@ -244,22 +244,22 @@ static void blobmsg_format_element(struc
+ 	data_str = buf;
+ 	switch(blob_id(attr)) {
+ 	case BLOBMSG_TYPE_UNSPEC:
+-		sprintf(buf, "null");
++		snprintf(buf, sizeof(buf), "null");
+ 		break;
+ 	case BLOBMSG_TYPE_BOOL:
+-		sprintf(buf, "%s", *(uint8_t *)data ? "true" : "false");
++		snprintf(buf, sizeof(buf), "%s", *(uint8_t *)data ? "true" : "false");
+ 		break;
+ 	case BLOBMSG_TYPE_INT16:
+-		sprintf(buf, "%d", (int16_t) be16_to_cpu(*(uint16_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId16, (int16_t) be16_to_cpu(*(uint16_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT32:
+-		sprintf(buf, "%d", (int32_t) be32_to_cpu(*(uint32_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId32, (int32_t) be32_to_cpu(*(uint32_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_INT64:
+-		sprintf(buf, "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
++		snprintf(buf, sizeof(buf), "%" PRId64, (int64_t) be64_to_cpu(*(uint64_t *)data));
+ 		break;
+ 	case BLOBMSG_TYPE_DOUBLE:
+-		sprintf(buf, "%lf", blobmsg_get_double(attr));
++		snprintf(buf, sizeof(buf), "%lf", blobmsg_get_double(attr));
+ 		break;
+ 	case BLOBMSG_TYPE_STRING:
+ 		blobmsg_format_string(s, data);

package/libs/libubox/patches/0016-blobmsg-blobmsg_parse-and-blobmsg_parse_array-oob-re.patch

@@ -0,0 +1,110 @@
+From 6289e2d29883d5d9510b6a15c18c597478967a42 Mon Sep 17 00:00:00 2001
+From: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+Date: Sun, 12 Jan 2020 12:26:18 +0100
+Subject: blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
+out of bounds read happens because blob_attr and blobmsg_hdr have
+flexible array members, whose size is 0 in the corresponding sizeofs.
+For example the __blob_for_each_attr macro checks whether rem >=
+sizeof(struct blob_attr). However, what LibFuzzer discovered was,
+if the input data was only 4 bytes, the data would be casted to blob_attr,
+and later on blob_data(attr) would be called even though attr->data was empty.
+The same issue could appear with data larger than 4 bytes, where data
+wasn't empty, but contained only the start of the blobmsg_hdr struct,
+and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
+blobmsg_parse and blobmsg_array_parse with LibFuzzer.
+
+CC: Luka Perkov <luka.perkov@sartura.hr>
+Reviewed-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
+[refactored some checks, added fuzz inputs, adjusted unit test results]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ blobmsg.c | 40 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 32 insertions(+), 8 deletions(-)
+
+--- a/blobmsg.c
++++ b/blobmsg.c
+@@ -36,16 +36,38 @@ bool blobmsg_check_attr(const struct blo
+ 	return blobmsg_check_attr_len(attr, name, blob_raw_len(attr));
+ }
+ 
++static const struct blobmsg_hdr* blobmsg_hdr_from_blob(const struct blob_attr *attr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
++		return NULL;
++
++	return blob_data(attr);
++}
++
++static bool blobmsg_hdr_valid_namelen(const struct blobmsg_hdr *hdr, size_t len)
++{
++	if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr) + blobmsg_namelen(hdr) + 1)
++		return false;
++
++	return true;
++}
++
+ static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
+ {
+ 	char *limit = (char *) attr + len;
+ 	const struct blobmsg_hdr *hdr;
+ 
+-	hdr = blob_data(attr);
++	hdr = blobmsg_hdr_from_blob(attr, len);
++	if (!hdr)
++		return false;
++
+ 	if (name && !hdr->namelen)
+ 		return false;
+ 
+-	if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
++	if (name && !blobmsg_hdr_valid_namelen(hdr, len))
++		return false;
++
++	if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit)
+ 		return false;
+ 
+ 	if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
+@@ -79,9 +101,6 @@ bool blobmsg_check_attr_len(const struct
+ 	size_t data_len;
+ 	int id;
+ 
+-	if (len < sizeof(struct blob_attr))
+-		return false;
+-
+ 	if (!blobmsg_check_name(attr, len, name))
+ 		return false;
+ 
+@@ -176,11 +195,10 @@ int blobmsg_parse_array(const struct blo
+ 	return 0;
+ }
+ 
+-
+ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
+                   struct blob_attr **tb, void *data, unsigned int len)
+ {
+-	struct blobmsg_hdr *hdr;
++	const struct blobmsg_hdr *hdr;
+ 	struct blob_attr *attr;
+ 	uint8_t *pslen;
+ 	int i;
+@@ -197,7 +215,13 @@ int blobmsg_parse(const struct blobmsg_p
+ 	}
+ 
+ 	__blob_for_each_attr(attr, data, len) {
+-		hdr = blob_data(attr);
++		hdr = blobmsg_hdr_from_blob(attr, len);
++		if (!hdr)
++			return -1;
++
++		if (!blobmsg_hdr_valid_namelen(hdr, len))
++			return -1;
++
+ 		for (i = 0; i < policy_len; i++) {
+ 			if (!policy[i].name)
+ 				continue;

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.3
+PKG_VERSION:=2.16.4
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a
+PKG_HASH:=5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -750,19 +750,19 @@
+@@ -757,19 +757,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -811,7 +811,7 @@
+@@ -818,7 +818,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -864,7 +864,7 @@
+@@ -871,7 +871,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -884,7 +884,7 @@
+@@ -891,7 +891,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -909,7 +909,7 @@
+@@ -916,7 +916,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1043,7 +1043,7 @@
+@@ -1050,7 +1050,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1067,7 +1067,7 @@
+@@ -1074,7 +1074,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1171,7 +1171,7 @@
+@@ -1178,7 +1178,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1266,14 +1266,14 @@
+@@ -1273,14 +1273,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1289,7 +1289,7 @@
+@@ -1296,7 +1296,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1427,7 +1427,7 @@
+@@ -1434,7 +1434,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1602,7 +1602,7 @@
+@@ -1609,7 +1609,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1632,7 +1632,7 @@
+@@ -1639,7 +1639,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1691,7 +1691,7 @@
+@@ -1698,7 +1698,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2021,7 +2021,7 @@
+@@ -2028,7 +2028,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2087,7 +2087,7 @@
+@@ -2094,7 +2094,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2099,7 +2099,7 @@
+@@ -2106,7 +2106,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2108,7 +2108,7 @@
+@@ -2115,7 +2115,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -2119,7 +2119,7 @@
+@@ -2126,7 +2126,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2174,7 +2174,7 @@
+@@ -2185,7 +2185,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2203,7 +2203,7 @@
+@@ -2214,7 +2214,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2366,7 +2366,7 @@
+@@ -2377,7 +2377,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2380,7 +2380,7 @@
+@@ -2391,7 +2391,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2676,7 +2676,7 @@
+@@ -2687,7 +2687,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2686,7 +2686,7 @@
+@@ -2697,7 +2697,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2697,7 +2697,7 @@
+@@ -2708,7 +2708,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2804,7 +2804,7 @@
+@@ -2815,7 +2815,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2904,7 +2904,7 @@
+@@ -2915,7 +2915,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -3014,7 +3014,7 @@
+@@ -3025,7 +3025,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/network/utils/ethtool/Makefile

@@ -23,7 +23,7 @@ PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 
-PKG_CONFIG_DEPENDS:=ETHTOOL_PRETTY_DUMP
+PKG_CONFIG_DEPENDS:=CONFIG_ETHTOOL_PRETTY_DUMP
 
 include $(INCLUDE_DIR)/package.mk
 

package/system/opkg/Makefile

@@ -14,9 +14,9 @@ PKG_FLAGS:=essential
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.openwrt.org/project/opkg-lede.git
-PKG_SOURCE_DATE:=2019-06-14
+PKG_SOURCE_DATE:=2020-01-25
-PKG_SOURCE_VERSION:=dcbc142e51f5f5f2fb9e4e44657e013d3c36a52b
+PKG_SOURCE_VERSION:=c09fe2098718807ddbca13ee36e3e38801822946
-PKG_MIRROR_HASH:=fca7e71dd06f0d5ee0af0d0a493d641d4d5d7e403d64c67879a462a020aa2299
+PKG_MIRROR_HASH:=b2fba519fb3bf2da2e325a33eee951b85c7c1886e48ebaac3892435a71ae33d5
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING

target/linux/ar71xx/patches-4.9/910-unaligned_access_hacks.patch

@@ -795,7 +795,7 @@
  
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
-@@ -3926,14 +3926,16 @@ static bool tcp_parse_aligned_timestamp(
+@@ -3934,14 +3934,16 @@ static bool tcp_parse_aligned_timestamp(
  {
  	const __be32 *ptr = (const __be32 *)(th + 1);
  

target/linux/brcm2708/patches-4.9/950-0031-Add-dwc_otg-driver.patch

@@ -696,7 +696,7 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
  }
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
-@@ -5095,7 +5095,7 @@ static void port_event(struct usb_hub *h
+@@ -5096,7 +5096,7 @@ static void port_event(struct usb_hub *h
  	if (portchange & USB_PORT_STAT_C_OVERCURRENT) {
  		u16 status = 0, unused;
  

target/linux/brcm47xx/base-files/etc/board.d/01_network

@@ -166,11 +166,17 @@ configure_by_model() {
 		;;
 
 	"Asus RT-N16"* | \
-	"Linksys E3000 V1")
+	"Linksys E3000 V1" | \
+	"Netgear WNR3500 V2")
 		ucidef_add_switch "switch0" \
 			"0:wan" "1:lan:4" "2:lan:3" "3:lan:2" "4:lan:1" "8@eth0"
 		;;
 
+	"Netgear WN2500RP V1")
+		ucidef_add_switch "switch0" \
+			"0:lan:4" "1:lan:3" "2:lan:2" "3:lan:1" "5@eth0"
+		;;
+
 	*)
 		configure_by_boardtype "$boardtype" "$boardnum"
 		;;

target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch

@@ -30,7 +30,7 @@ Signed-off-by: Johan Hovold <johan@kernel.org>
 
 --- a/drivers/usb/serial/option.c
 +++ b/drivers/usb/serial/option.c
-@@ -1968,7 +1968,8 @@ static const struct usb_device_id option
+@@ -1981,7 +1981,8 @@ static const struct usb_device_id option
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d01, 0xff) },			/* D-Link DWM-156 (variant) */
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d02, 0xff) },
  	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d03, 0xff) },

target/linux/generic/backport-4.14/303-v4.16-netfilter-nf_tables-remove-multihook-chains-and-fami.patch

@@ -264,7 +264,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  		nft_chain_release_hook(&hook);
  	}
-@@ -5156,10 +5144,9 @@ static int nf_tables_commit(struct net *
+@@ -5162,10 +5150,9 @@ static int nf_tables_commit(struct net *
  		case NFT_MSG_DELCHAIN:
  			list_del_rcu(&trans->ctx.chain->list);
  			nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
@@ -278,7 +278,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			break;
  		case NFT_MSG_NEWRULE:
  			nft_clear(trans->ctx.net, nft_trans_rule(trans));
-@@ -5296,10 +5283,9 @@ static int nf_tables_abort(struct net *n
+@@ -5302,10 +5289,9 @@ static int nf_tables_abort(struct net *n
  			} else {
  				trans->ctx.table->use--;
  				list_del_rcu(&trans->ctx.chain->list);
@@ -292,7 +292,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			}
  			break;
  		case NFT_MSG_DELCHAIN:
-@@ -5402,7 +5388,7 @@ int nft_chain_validate_hooks(const struc
+@@ -5408,7 +5394,7 @@ int nft_chain_validate_hooks(const struc
  	if (nft_is_base_chain(chain)) {
  		basechain = nft_base_chain(chain);
  
@@ -301,7 +301,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			return 0;
  
  		return -EOPNOTSUPP;
-@@ -5884,8 +5870,7 @@ int __nft_release_basechain(struct nft_c
+@@ -5890,8 +5876,7 @@ int __nft_release_basechain(struct nft_c
  
  	BUG_ON(!nft_is_base_chain(ctx->chain));
  
@@ -311,7 +311,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
  		list_del(&rule->list);
  		ctx->chain->use--;
-@@ -5914,8 +5899,7 @@ static void __nft_release_afinfo(struct
+@@ -5920,8 +5905,7 @@ static void __nft_release_afinfo(struct
  
  	list_for_each_entry_safe(table, nt, &afi->tables, list) {
  		list_for_each_entry(chain, &table->chains, list)

target/linux/generic/backport-4.14/321-v4.16-netfilter-nf_tables-add-flow-table-netlink-frontend.patch

@@ -292,7 +292,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
  		err = nft_delobj(ctx, obj);
  		if (err < 0)
-@@ -4856,6 +4900,605 @@ static void nf_tables_obj_notify(const s
+@@ -4862,6 +4906,605 @@ static void nf_tables_obj_notify(const s
  		       ctx->afi->family, ctx->report, GFP_KERNEL);
  }
  
@@ -898,7 +898,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
  				   u32 portid, u32 seq)
  {
-@@ -4886,6 +5529,49 @@ nla_put_failure:
+@@ -4892,6 +5535,49 @@ nla_put_failure:
  	return -EMSGSIZE;
  }
  
@@ -948,7 +948,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
  				 int event)
  {
-@@ -5038,6 +5724,21 @@ static const struct nfnl_callback nf_tab
+@@ -5044,6 +5730,21 @@ static const struct nfnl_callback nf_tab
  		.attr_count	= NFTA_OBJ_MAX,
  		.policy		= nft_obj_policy,
  	},
@@ -970,7 +970,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  };
  
  static void nft_chain_commit_update(struct nft_trans *trans)
-@@ -5086,6 +5787,9 @@ static void nf_tables_commit_release(str
+@@ -5092,6 +5793,9 @@ static void nf_tables_commit_release(str
  	case NFT_MSG_DELOBJ:
  		nft_obj_destroy(nft_trans_obj(trans));
  		break;
@@ -980,7 +980,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	}
  	kfree(trans);
  }
-@@ -5205,6 +5909,21 @@ static int nf_tables_commit(struct net *
+@@ -5211,6 +5915,21 @@ static int nf_tables_commit(struct net *
  			nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
  					     NFT_MSG_DELOBJ);
  			break;
@@ -1002,7 +1002,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  
-@@ -5242,6 +5961,9 @@ static void nf_tables_abort_release(stru
+@@ -5248,6 +5967,9 @@ static void nf_tables_abort_release(stru
  	case NFT_MSG_NEWOBJ:
  		nft_obj_destroy(nft_trans_obj(trans));
  		break;
@@ -1012,7 +1012,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	}
  	kfree(trans);
  }
-@@ -5333,6 +6055,17 @@ static int nf_tables_abort(struct net *n
+@@ -5339,6 +6061,17 @@ static int nf_tables_abort(struct net *n
  			nft_clear(trans->ctx.net, nft_trans_obj(trans));
  			nft_trans_destroy(trans);
  			break;
@@ -1030,7 +1030,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  
-@@ -5883,6 +6616,7 @@ EXPORT_SYMBOL_GPL(__nft_release_basechai
+@@ -5889,6 +6622,7 @@ EXPORT_SYMBOL_GPL(__nft_release_basechai
  /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
  static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
  {
@@ -1038,7 +1038,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	struct nft_table *table, *nt;
  	struct nft_chain *chain, *nc;
  	struct nft_object *obj, *ne;
-@@ -5896,6 +6630,9 @@ static void __nft_release_afinfo(struct
+@@ -5902,6 +6636,9 @@ static void __nft_release_afinfo(struct
  	list_for_each_entry_safe(table, nt, &afi->tables, list) {
  		list_for_each_entry(chain, &table->chains, list)
  			nf_tables_unregister_hook(net, table, chain);
@@ -1048,7 +1048,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		/* No packets are walking on these chains anymore. */
  		ctx.table = table;
  		list_for_each_entry(chain, &table->chains, list) {
-@@ -5906,6 +6643,11 @@ static void __nft_release_afinfo(struct
+@@ -5912,6 +6649,11 @@ static void __nft_release_afinfo(struct
  				nf_tables_rule_release(&ctx, rule);
  			}
  		}
@@ -1060,7 +1060,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		list_for_each_entry_safe(set, ns, &table->sets, list) {
  			list_del(&set->list);
  			table->use--;
-@@ -5949,6 +6691,8 @@ static int __init nf_tables_module_init(
+@@ -5955,6 +6697,8 @@ static int __init nf_tables_module_init(
  	if (err < 0)
  		goto err3;
  
@@ -1069,7 +1069,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
  	return register_pernet_subsys(&nf_tables_net_ops);
  err3:
-@@ -5963,6 +6707,7 @@ static void __exit nf_tables_module_exit
+@@ -5969,6 +6713,7 @@ static void __exit nf_tables_module_exit
  {
  	unregister_pernet_subsys(&nf_tables_net_ops);
  	nfnetlink_subsys_unregister(&nf_tables_subsys);

target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch

@@ -82,7 +82,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
  
  	type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
-@@ -5008,7 +5005,7 @@ static int nf_tables_flowtable_parse_hoo
+@@ -5014,7 +5011,7 @@ static int nf_tables_flowtable_parse_hoo
  		return -EINVAL;
  
  	hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));

target/linux/generic/backport-4.14/328-v4.16-netfilter-nf_tables-fix-a-typo-in-nf_tables_getflowt.patch

@@ -11,7 +11,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -5432,7 +5432,7 @@ static int nf_tables_getflowtable(struct
+@@ -5438,7 +5438,7 @@ static int nf_tables_getflowtable(struct
  
  	flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
  					       genmask);

target/linux/generic/backport-4.14/331-v4.16-netfilter-nf_tables-no-need-for-struct-nft_af_info-t.patch

@@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		if (ret >= 0) {
  			ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
  			nft_trans_table_enable(trans) = true;
-@@ -5813,7 +5806,6 @@ static int nf_tables_commit(struct net *
+@@ -5819,7 +5812,6 @@ static int nf_tables_commit(struct net *
  			if (nft_trans_table_update(trans)) {
  				if (!nft_trans_table_enable(trans)) {
  					nf_tables_table_disable(net,
@@ -70,7 +70,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  								trans->ctx.table);
  					trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
  				}
-@@ -5977,7 +5969,6 @@ static int nf_tables_abort(struct net *n
+@@ -5983,7 +5975,6 @@ static int nf_tables_abort(struct net *n
  			if (nft_trans_table_update(trans)) {
  				if (nft_trans_table_enable(trans)) {
  					nf_tables_table_disable(net,

target/linux/generic/backport-4.14/334-v4.15-netfilter-nf_tables-fix-potential-NULL-ptr-deref-in-.patch

@@ -15,7 +15,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -5351,8 +5351,10 @@ static int nf_tables_dump_flowtable_done
+@@ -5357,8 +5357,10 @@ static int nf_tables_dump_flowtable_done
  	if (!filter)
  		return 0;
  

target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch

@@ -859,7 +859,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	nfmsg->version		= NFNETLINK_V0;
  	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
  
-@@ -3996,7 +3982,7 @@ static int nft_add_set_elem(struct nft_c
+@@ -4002,7 +3988,7 @@ static int nft_add_set_elem(struct nft_c
  		list_for_each_entry(binding, &set->bindings, list) {
  			struct nft_ctx bind_ctx = {
  				.net	= ctx->net,
@@ -868,7 +868,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  				.table	= ctx->table,
  				.chain	= (struct nft_chain *)binding->chain,
  			};
-@@ -4548,7 +4534,8 @@ static int nf_tables_newobj(struct net *
+@@ -4554,7 +4540,8 @@ static int nf_tables_newobj(struct net *
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -878,7 +878,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -4566,7 +4553,7 @@ static int nf_tables_newobj(struct net *
+@@ -4572,7 +4559,7 @@ static int nf_tables_newobj(struct net *
  		return 0;
  	}
  
@@ -887,7 +887,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	type = nft_obj_type_get(objtype);
  	if (IS_ERR(type))
-@@ -4643,7 +4630,6 @@ struct nft_obj_filter {
+@@ -4649,7 +4636,6 @@ struct nft_obj_filter {
  static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
  {
  	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
@@ -895,7 +895,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	const struct nft_table *table;
  	unsigned int idx = 0, s_idx = cb->args[0];
  	struct nft_obj_filter *filter = cb->data;
-@@ -4658,38 +4644,37 @@ static int nf_tables_dump_obj(struct sk_
+@@ -4664,38 +4650,37 @@ static int nf_tables_dump_obj(struct sk_
  	rcu_read_lock();
  	cb->seq = net->nft.base_seq;
  
@@ -960,7 +960,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  done:
-@@ -4776,7 +4761,8 @@ static int nf_tables_getobj(struct net *
+@@ -4782,7 +4767,8 @@ static int nf_tables_getobj(struct net *
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -970,7 +970,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -4836,7 +4822,8 @@ static int nf_tables_delobj(struct net *
+@@ -4842,7 +4828,8 @@ static int nf_tables_delobj(struct net *
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -980,7 +980,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -4847,7 +4834,7 @@ static int nf_tables_delobj(struct net *
+@@ -4853,7 +4840,7 @@ static int nf_tables_delobj(struct net *
  	if (obj->use > 0)
  		return -EBUSY;
  
@@ -989,7 +989,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	return nft_delobj(&ctx, obj);
  }
-@@ -4885,7 +4872,7 @@ static void nf_tables_obj_notify(const s
+@@ -4891,7 +4878,7 @@ static void nf_tables_obj_notify(const s
  				 struct nft_object *obj, int event)
  {
  	nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
@@ -998,7 +998,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  }
  
  /*
-@@ -5075,7 +5062,7 @@ void nft_flow_table_iterate(struct net *
+@@ -5081,7 +5068,7 @@ void nft_flow_table_iterate(struct net *
  
  	rcu_read_lock();
  	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
@@ -1007,7 +1007,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
  				iter(&flowtable->data, data);
  			}
-@@ -5123,7 +5110,8 @@ static int nf_tables_newflowtable(struct
+@@ -5129,7 +5116,8 @@ static int nf_tables_newflowtable(struct
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -1017,7 +1017,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -5140,7 +5128,7 @@ static int nf_tables_newflowtable(struct
+@@ -5146,7 +5134,7 @@ static int nf_tables_newflowtable(struct
  		return 0;
  	}
  
@@ -1026,7 +1026,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
  	if (!flowtable)
-@@ -5221,7 +5209,8 @@ static int nf_tables_delflowtable(struct
+@@ -5227,7 +5215,8 @@ static int nf_tables_delflowtable(struct
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -1036,7 +1036,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -5232,7 +5221,7 @@ static int nf_tables_delflowtable(struct
+@@ -5238,7 +5227,7 @@ static int nf_tables_delflowtable(struct
  	if (flowtable->use > 0)
  		return -EBUSY;
  
@@ -1045,7 +1045,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	return nft_delflowtable(&ctx, flowtable);
  }
-@@ -5301,40 +5290,37 @@ static int nf_tables_dump_flowtable(stru
+@@ -5307,40 +5296,37 @@ static int nf_tables_dump_flowtable(stru
  	struct net *net = sock_net(skb->sk);
  	int family = nfmsg->nfgen_family;
  	struct nft_flowtable *flowtable;
@@ -1107,7 +1107,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  done:
-@@ -5419,7 +5405,8 @@ static int nf_tables_getflowtable(struct
+@@ -5425,7 +5411,8 @@ static int nf_tables_getflowtable(struct
  	if (IS_ERR(afi))
  		return PTR_ERR(afi);
  
@@ -1117,7 +1117,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -5462,7 +5449,7 @@ static void nf_tables_flowtable_notify(s
+@@ -5468,7 +5455,7 @@ static void nf_tables_flowtable_notify(s
  
  	err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
  					    ctx->seq, event, 0,
@@ -1126,7 +1126,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (err < 0) {
  		kfree_skb(skb);
  		goto err;
-@@ -5540,17 +5527,14 @@ static int nf_tables_flowtable_event(str
+@@ -5546,17 +5533,14 @@ static int nf_tables_flowtable_event(str
  	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
  	struct nft_flowtable *flowtable;
  	struct nft_table *table;
@@ -1147,7 +1147,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
-@@ -6576,6 +6560,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump);
+@@ -6582,6 +6566,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump);
  static int __net_init nf_tables_init_net(struct net *net)
  {
  	INIT_LIST_HEAD(&net->nft.af_info);
@@ -1155,7 +1155,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	INIT_LIST_HEAD(&net->nft.commit_list);
  	net->nft.base_seq = 1;
  	return 0;
-@@ -6612,10 +6597,10 @@ static void __nft_release_afinfo(struct
+@@ -6618,10 +6603,10 @@ static void __nft_release_afinfo(struct
  	struct nft_set *set, *ns;
  	struct nft_ctx ctx = {
  		.net	= net,

target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch

@@ -21,7 +21,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static struct pernet_operations clusterip_net_ops = {
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -6566,6 +6566,12 @@ static int __net_init nf_tables_init_net
+@@ -6572,6 +6572,12 @@ static int __net_init nf_tables_init_net
  	return 0;
  }
  
@@ -34,7 +34,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  int __nft_release_basechain(struct nft_ctx *ctx)
  {
  	struct nft_rule *rule, *nr;
-@@ -6643,6 +6649,7 @@ static void __nft_release_afinfo(struct
+@@ -6649,6 +6655,7 @@ static void __nft_release_afinfo(struct
  
  static struct pernet_operations nf_tables_net_ops = {
  	.init	= nf_tables_init_net,

target/linux/generic/backport-4.14/337-v4.16-netfilter-nf_tables-get-rid-of-pernet-families.patch

@@ -364,7 +364,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		if (afi->family == family)
  			return afi;
  	}
-@@ -5057,15 +5055,12 @@ void nft_flow_table_iterate(struct net *
+@@ -5063,15 +5061,12 @@ void nft_flow_table_iterate(struct net *
  			    void *data)
  {
  	struct nft_flowtable *flowtable;
@@ -383,7 +383,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		}
  	}
  	rcu_read_unlock();
-@@ -6557,21 +6552,6 @@ int nft_data_dump(struct sk_buff *skb, i
+@@ -6563,21 +6558,6 @@ int nft_data_dump(struct sk_buff *skb, i
  }
  EXPORT_SYMBOL_GPL(nft_data_dump);
  
@@ -405,7 +405,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  int __nft_release_basechain(struct nft_ctx *ctx)
  {
  	struct nft_rule *rule, *nr;
-@@ -6592,8 +6572,7 @@ int __nft_release_basechain(struct nft_c
+@@ -6598,8 +6578,7 @@ int __nft_release_basechain(struct nft_c
  }
  EXPORT_SYMBOL_GPL(__nft_release_basechain);
  
@@ -415,7 +415,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  {
  	struct nft_flowtable *flowtable, *nf;
  	struct nft_table *table, *nt;
-@@ -6603,10 +6582,11 @@ static void __nft_release_afinfo(struct
+@@ -6609,10 +6588,11 @@ static void __nft_release_afinfo(struct
  	struct nft_set *set, *ns;
  	struct nft_ctx ctx = {
  		.net	= net,
@@ -428,7 +428,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		list_for_each_entry(chain, &table->chains, list)
  			nf_tables_unregister_hook(net, table, chain);
  		list_for_each_entry(flowtable, &table->flowtables, list)
-@@ -6647,6 +6627,21 @@ static void __nft_release_afinfo(struct
+@@ -6653,6 +6633,21 @@ static void __nft_release_afinfo(struct
  	}
  }
  

target/linux/generic/backport-4.14/338-v4.16-netfilter-nf_tables-get-rid-of-struct-nft_af_info-ab.patch

@@ -817,7 +817,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	nfmsg->version      = NFNETLINK_V0;
  	nfmsg->res_id	    = htons(net->nft.base_seq & 0xffff);
  
-@@ -4516,7 +4383,6 @@ static int nf_tables_newobj(struct net *
+@@ -4522,7 +4389,6 @@ static int nf_tables_newobj(struct net *
  	const struct nft_object_type *type;
  	u8 genmask = nft_genmask_next(net);
  	int family = nfmsg->nfgen_family;
@@ -825,7 +825,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	struct nft_table *table;
  	struct nft_object *obj;
  	struct nft_ctx ctx;
-@@ -4528,11 +4394,7 @@ static int nf_tables_newobj(struct net *
+@@ -4534,11 +4400,7 @@ static int nf_tables_newobj(struct net *
  	    !nla[NFTA_OBJ_DATA])
  		return -EINVAL;
  
@@ -838,7 +838,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  				       genmask);
  	if (IS_ERR(table))
  		return PTR_ERR(table);
-@@ -4551,7 +4413,7 @@ static int nf_tables_newobj(struct net *
+@@ -4557,7 +4419,7 @@ static int nf_tables_newobj(struct net *
  		return 0;
  	}
  
@@ -847,7 +847,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	type = nft_obj_type_get(objtype);
  	if (IS_ERR(type))
-@@ -4643,7 +4505,7 @@ static int nf_tables_dump_obj(struct sk_
+@@ -4649,7 +4511,7 @@ static int nf_tables_dump_obj(struct sk_
  	cb->seq = net->nft.base_seq;
  
  	list_for_each_entry_rcu(table, &net->nft.tables, list) {
@@ -856,7 +856,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			continue;
  
  		list_for_each_entry_rcu(obj, &table->objects, list) {
-@@ -4666,7 +4528,7 @@ static int nf_tables_dump_obj(struct sk_
+@@ -4672,7 +4534,7 @@ static int nf_tables_dump_obj(struct sk_
  						    cb->nlh->nlmsg_seq,
  						    NFT_MSG_NEWOBJ,
  						    NLM_F_MULTI | NLM_F_APPEND,
@@ -865,7 +865,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  						    obj, reset) < 0)
  				goto done;
  
-@@ -4724,7 +4586,6 @@ static int nf_tables_getobj(struct net *
+@@ -4730,7 +4592,6 @@ static int nf_tables_getobj(struct net *
  	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
  	u8 genmask = nft_genmask_cur(net);
  	int family = nfmsg->nfgen_family;
@@ -873,7 +873,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	const struct nft_table *table;
  	struct nft_object *obj;
  	struct sk_buff *skb2;
-@@ -4755,11 +4616,7 @@ static int nf_tables_getobj(struct net *
+@@ -4761,11 +4622,7 @@ static int nf_tables_getobj(struct net *
  	    !nla[NFTA_OBJ_TYPE])
  		return -EINVAL;
  
@@ -886,7 +886,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  				       genmask);
  	if (IS_ERR(table))
  		return PTR_ERR(table);
-@@ -4806,7 +4663,6 @@ static int nf_tables_delobj(struct net *
+@@ -4812,7 +4669,6 @@ static int nf_tables_delobj(struct net *
  	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
  	u8 genmask = nft_genmask_next(net);
  	int family = nfmsg->nfgen_family;
@@ -894,7 +894,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	struct nft_table *table;
  	struct nft_object *obj;
  	struct nft_ctx ctx;
-@@ -4816,11 +4672,7 @@ static int nf_tables_delobj(struct net *
+@@ -4822,11 +4678,7 @@ static int nf_tables_delobj(struct net *
  	    !nla[NFTA_OBJ_NAME])
  		return -EINVAL;
  
@@ -907,7 +907,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  				       genmask);
  	if (IS_ERR(table))
  		return PTR_ERR(table);
-@@ -4832,7 +4684,7 @@ static int nf_tables_delobj(struct net *
+@@ -4838,7 +4690,7 @@ static int nf_tables_delobj(struct net *
  	if (obj->use > 0)
  		return -EBUSY;
  
@@ -916,7 +916,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	return nft_delobj(&ctx, obj);
  }
-@@ -5017,33 +4869,31 @@ err1:
+@@ -5023,33 +4875,31 @@ err1:
  	return err;
  }
  
@@ -956,7 +956,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			return ERR_PTR(-EAGAIN);
  	}
  #endif
-@@ -5091,7 +4941,6 @@ static int nf_tables_newflowtable(struct
+@@ -5097,7 +4947,6 @@ static int nf_tables_newflowtable(struct
  	u8 genmask = nft_genmask_next(net);
  	int family = nfmsg->nfgen_family;
  	struct nft_flowtable *flowtable;
@@ -964,7 +964,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	struct nft_table *table;
  	struct nft_ctx ctx;
  	int err, i, k;
-@@ -5101,12 +4950,8 @@ static int nf_tables_newflowtable(struct
+@@ -5107,12 +4956,8 @@ static int nf_tables_newflowtable(struct
  	    !nla[NFTA_FLOWTABLE_HOOK])
  		return -EINVAL;
  
@@ -978,7 +978,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -5123,7 +4968,7 @@ static int nf_tables_newflowtable(struct
+@@ -5129,7 +4974,7 @@ static int nf_tables_newflowtable(struct
  		return 0;
  	}
  
@@ -987,7 +987,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
  	if (!flowtable)
-@@ -5136,7 +4981,7 @@ static int nf_tables_newflowtable(struct
+@@ -5142,7 +4987,7 @@ static int nf_tables_newflowtable(struct
  		goto err1;
  	}
  
@@ -996,7 +996,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(type)) {
  		err = PTR_ERR(type);
  		goto err2;
-@@ -5196,16 +5041,11 @@ static int nf_tables_delflowtable(struct
+@@ -5202,16 +5047,11 @@ static int nf_tables_delflowtable(struct
  	u8 genmask = nft_genmask_next(net);
  	int family = nfmsg->nfgen_family;
  	struct nft_flowtable *flowtable;
@@ -1014,7 +1014,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -5216,7 +5056,7 @@ static int nf_tables_delflowtable(struct
+@@ -5222,7 +5062,7 @@ static int nf_tables_delflowtable(struct
  	if (flowtable->use > 0)
  		return -EBUSY;
  
@@ -1023,7 +1023,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	return nft_delflowtable(&ctx, flowtable);
  }
-@@ -5291,7 +5131,7 @@ static int nf_tables_dump_flowtable(stru
+@@ -5297,7 +5137,7 @@ static int nf_tables_dump_flowtable(stru
  	cb->seq = net->nft.base_seq;
  
  	list_for_each_entry_rcu(table, &net->nft.tables, list) {
@@ -1032,7 +1032,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  			continue;
  
  		list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
-@@ -5310,7 +5150,7 @@ static int nf_tables_dump_flowtable(stru
+@@ -5316,7 +5156,7 @@ static int nf_tables_dump_flowtable(stru
  							  cb->nlh->nlmsg_seq,
  							  NFT_MSG_NEWFLOWTABLE,
  							  NLM_F_MULTI | NLM_F_APPEND,
@@ -1041,7 +1041,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  				goto done;
  
  			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
-@@ -5370,7 +5210,6 @@ static int nf_tables_getflowtable(struct
+@@ -5376,7 +5216,6 @@ static int nf_tables_getflowtable(struct
  	u8 genmask = nft_genmask_cur(net);
  	int family = nfmsg->nfgen_family;
  	struct nft_flowtable *flowtable;
@@ -1049,7 +1049,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	const struct nft_table *table;
  	struct sk_buff *skb2;
  	int err;
-@@ -5396,12 +5235,8 @@ static int nf_tables_getflowtable(struct
+@@ -5402,12 +5241,8 @@ static int nf_tables_getflowtable(struct
  	if (!nla[NFTA_FLOWTABLE_NAME])
  		return -EINVAL;
  
@@ -1063,7 +1063,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
-@@ -6572,7 +6407,7 @@ int __nft_release_basechain(struct nft_c
+@@ -6578,7 +6413,7 @@ int __nft_release_basechain(struct nft_c
  }
  EXPORT_SYMBOL_GPL(__nft_release_basechain);
  
@@ -1072,7 +1072,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  {
  	struct nft_flowtable *flowtable, *nf;
  	struct nft_table *table, *nt;
-@@ -6585,7 +6420,7 @@ static void __nft_release_afinfo(struct
+@@ -6591,7 +6426,7 @@ static void __nft_release_afinfo(struct
  	};
  
  	list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
@@ -1081,7 +1081,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  		list_for_each_entry(chain, &table->chains, list)
  			nf_tables_unregister_hook(net, table, chain);
-@@ -6637,7 +6472,7 @@ static int __net_init nf_tables_init_net
+@@ -6643,7 +6478,7 @@ static int __net_init nf_tables_init_net
  
  static void __net_exit nf_tables_exit_net(struct net *net)
  {

target/linux/generic/backport-4.14/339-v4.16-netfilter-nft_flow_offload-wait-for-garbage-collecto.patch

@@ -17,7 +17,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -4907,13 +4907,13 @@ void nft_flow_table_iterate(struct net *
+@@ -4913,13 +4913,13 @@ void nft_flow_table_iterate(struct net *
  	struct nft_flowtable *flowtable;
  	const struct nft_table *table;
  

target/linux/generic/backport-4.14/342-v4.16-netfilter-nf_tables-fix-flowtable-free.patch

@@ -118,7 +118,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  };
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -5292,17 +5292,12 @@ err:
+@@ -5298,17 +5298,12 @@ err:
  	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
  }
  

target/linux/generic/backport-4.14/344-v4.16-netfilter-nf_tables-allocate-handle-and-delete-objec.patch

@@ -327,7 +327,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(set))
  		return PTR_ERR(set);
  
-@@ -4271,6 +4343,21 @@ struct nft_object *nf_tables_obj_lookup(
+@@ -4277,6 +4349,21 @@ struct nft_object *nf_tables_obj_lookup(
  }
  EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
  
@@ -349,7 +349,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
  	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING,
  				    .len = NFT_TABLE_MAXNAMELEN - 1 },
-@@ -4278,6 +4365,7 @@ static const struct nla_policy nft_obj_p
+@@ -4284,6 +4371,7 @@ static const struct nla_policy nft_obj_p
  				    .len = NFT_OBJ_MAXNAMELEN - 1 },
  	[NFTA_OBJ_TYPE]		= { .type = NLA_U32 },
  	[NFTA_OBJ_DATA]		= { .type = NLA_NESTED },
@@ -357,7 +357,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  };
  
  static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
-@@ -4425,6 +4513,8 @@ static int nf_tables_newobj(struct net *
+@@ -4431,6 +4519,8 @@ static int nf_tables_newobj(struct net *
  		goto err1;
  	}
  	obj->table = table;
@@ -366,7 +366,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
  	if (!obj->name) {
  		err = -ENOMEM;
-@@ -4471,7 +4561,9 @@ static int nf_tables_fill_obj_info(struc
+@@ -4477,7 +4567,9 @@ static int nf_tables_fill_obj_info(struc
  	    nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
  	    nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
  	    nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
@@ -377,7 +377,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		goto nla_put_failure;
  
  	nlmsg_end(skb, nlh);
-@@ -4669,7 +4761,7 @@ static int nf_tables_delobj(struct net *
+@@ -4675,7 +4767,7 @@ static int nf_tables_delobj(struct net *
  	u32 objtype;
  
  	if (!nla[NFTA_OBJ_TYPE] ||
@@ -386,7 +386,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  		return -EINVAL;
  
  	table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
-@@ -4678,7 +4770,12 @@ static int nf_tables_delobj(struct net *
+@@ -4684,7 +4776,12 @@ static int nf_tables_delobj(struct net *
  		return PTR_ERR(table);
  
  	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
@@ -400,7 +400,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(obj))
  		return PTR_ERR(obj);
  	if (obj->use > 0)
-@@ -4750,6 +4847,7 @@ static const struct nla_policy nft_flowt
+@@ -4756,6 +4853,7 @@ static const struct nla_policy nft_flowt
  	[NFTA_FLOWTABLE_NAME]		= { .type = NLA_STRING,
  					    .len = NFT_NAME_MAXLEN - 1 },
  	[NFTA_FLOWTABLE_HOOK]		= { .type = NLA_NESTED },
@@ -408,7 +408,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  };
  
  struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
-@@ -4767,6 +4865,20 @@ struct nft_flowtable *nf_tables_flowtabl
+@@ -4773,6 +4871,20 @@ struct nft_flowtable *nf_tables_flowtabl
  }
  EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
  
@@ -429,7 +429,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  #define NFT_FLOWTABLE_DEVICE_MAX	8
  
  static int nf_tables_parse_devices(const struct nft_ctx *ctx,
-@@ -4975,6 +5087,8 @@ static int nf_tables_newflowtable(struct
+@@ -4981,6 +5093,8 @@ static int nf_tables_newflowtable(struct
  		return -ENOMEM;
  
  	flowtable->table = table;
@@ -438,7 +438,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
  	if (!flowtable->name) {
  		err = -ENOMEM;
-@@ -5049,8 +5163,14 @@ static int nf_tables_delflowtable(struct
+@@ -5055,8 +5169,14 @@ static int nf_tables_delflowtable(struct
  	if (IS_ERR(table))
  		return PTR_ERR(table);
  
@@ -455,7 +455,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (IS_ERR(flowtable))
                  return PTR_ERR(flowtable);
  	if (flowtable->use > 0)
-@@ -5083,7 +5203,9 @@ static int nf_tables_fill_flowtable_info
+@@ -5089,7 +5209,9 @@ static int nf_tables_fill_flowtable_info
  
  	if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
  	    nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||

target/linux/generic/backport-4.14/357-v4.18-netfilter-nf_flow_table-move-init-code-to-nf_flow_ta.patch

@@ -236,7 +236,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	.owner		= THIS_MODULE,
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -5102,40 +5102,38 @@ static int nf_tables_newflowtable(struct
+@@ -5108,40 +5108,38 @@ static int nf_tables_newflowtable(struct
  	}
  
  	flowtable->data.type = type;
@@ -285,7 +285,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  err3:
  	module_put(type->owner);
  err2:
-@@ -5416,10 +5414,8 @@ err:
+@@ -5422,10 +5420,8 @@ err:
  
  static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
  {

target/linux/generic/backport-4.14/358-v4.18-netfilter-nf_flow_table-fix-priv-pointer-for-netdev-.patch

@@ -11,7 +11,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -4968,7 +4968,7 @@ static int nf_tables_flowtable_parse_hoo
+@@ -4974,7 +4974,7 @@ static int nf_tables_flowtable_parse_hoo
  		flowtable->ops[i].pf		= NFPROTO_NETDEV;
  		flowtable->ops[i].hooknum	= hooknum;
  		flowtable->ops[i].priority	= priority;

target/linux/generic/backport-4.14/359-v4.18-netfilter-nf_flow_table-track-flow-tables-in-nf_flow.patch

@@ -88,7 +88,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	WARN_ON(!nf_flow_offload_gc_step(flow_table));
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -5012,23 +5012,6 @@ static const struct nf_flowtable_type *n
+@@ -5018,23 +5018,6 @@ static const struct nf_flowtable_type *n
  	return ERR_PTR(-ENOENT);
  }
  

target/linux/generic/backport-4.9/022-net-add-devm-version-of-alloc_etherdev_mqs-function.patch

@@ -32,7 +32,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  int eth_gro_complete(struct sk_buff *skb, int nhoff);
 --- a/net/ethernet/eth.c
 +++ b/net/ethernet/eth.c
-@@ -391,6 +391,34 @@ struct net_device *alloc_etherdev_mqs(in
+@@ -396,6 +396,34 @@ struct net_device *alloc_etherdev_mqs(in
  }
  EXPORT_SYMBOL(alloc_etherdev_mqs);
  

target/linux/generic/backport-4.9/090-net-generalize-napi_complete_done.patch

@@ -1095,7 +1095,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  		dma_intr_ena = smsc9420_reg_read(pd, DMAC_INTR_ENA);
 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
 +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-@@ -2700,7 +2700,7 @@ static int stmmac_poll(struct napi_struc
+@@ -2702,7 +2702,7 @@ static int stmmac_poll(struct napi_struc
  
  	work_done = stmmac_rx(priv, budget);
  	if (work_done < budget) {

target/linux/generic/hack-4.9/911-kobject_add_broadcast_uevent.patch

@@ -20,7 +20,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  #ifdef CONFIG_UEVENT_HELPER
  /* path to the userspace helper executed on an event */
  extern char uevent_helper[];
-@@ -239,4 +241,7 @@ int add_uevent_var(struct kobj_uevent_en
+@@ -241,4 +243,7 @@ int add_uevent_var(struct kobj_uevent_en
  int kobject_action_type(const char *buf, size_t count,
  			enum kobject_action *type);
  

target/linux/generic/pending-4.14/640-netfilter-nf_flow_table-add-hardware-offload-support.patch

@@ -506,7 +506,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 +MODULE_ALIAS("nf-flow-table-hw");
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -4955,6 +4955,14 @@ static int nf_tables_flowtable_parse_hoo
+@@ -4961,6 +4961,14 @@ static int nf_tables_flowtable_parse_hoo
  	if (err < 0)
  		goto err1;
  
@@ -521,7 +521,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
  	if (!ops) {
  		err = -ENOMEM;
-@@ -5085,10 +5093,19 @@ static int nf_tables_newflowtable(struct
+@@ -5091,10 +5099,19 @@ static int nf_tables_newflowtable(struct
  	}
  
  	flowtable->data.type = type;
@@ -541,7 +541,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
  					     flowtable);
  	if (err < 0)
-@@ -5186,7 +5203,8 @@ static int nf_tables_fill_flowtable_info
+@@ -5192,7 +5209,8 @@ static int nf_tables_fill_flowtable_info
  	    nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
  	    nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
  	    nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),

target/linux/generic/pending-4.14/642-net-8021q-support-hardware-flow-table-offload.patch

@@ -20,7 +20,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  #include "vlan.h"
  #include "vlanproc.h"
-@@ -768,6 +772,27 @@ static int vlan_dev_get_iflink(const str
+@@ -769,6 +773,27 @@ static int vlan_dev_get_iflink(const str
  	return real_dev->ifindex;
  }
  
@@ -48,7 +48,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  static const struct ethtool_ops vlan_ethtool_ops = {
  	.get_link_ksettings	= vlan_ethtool_get_link_ksettings,
  	.get_drvinfo	        = vlan_ethtool_get_drvinfo,
-@@ -805,6 +830,9 @@ static const struct net_device_ops vlan_
+@@ -806,6 +831,9 @@ static const struct net_device_ops vlan_
  	.ndo_fix_features	= vlan_dev_fix_features,
  	.ndo_get_lock_subclass  = vlan_dev_get_lock_subclass,
  	.ndo_get_iflink		= vlan_dev_get_iflink,

target/linux/ixp4xx/patches-4.9/160-delayed_uart_io.patch

@@ -26,7 +26,7 @@
  	case UPIO_MEM:
  	case UPIO_MEM16:
  	case UPIO_MEM32:
-@@ -2931,6 +2932,7 @@ int uart_match_port(struct uart_port *po
+@@ -2932,6 +2933,7 @@ int uart_match_port(struct uart_port *po
  	case UPIO_HUB6:
  		return (port1->iobase == port2->iobase) &&
  		       (port1->hub6   == port2->hub6);

target/linux/kirkwood/base-files/etc/board.d/01_leds

@@ -43,8 +43,8 @@ case "$board" in
 "zyxel,nsa325")
 	ucidef_set_led_default "health" "health" "nsa325:green:sys" "1"
 	ucidef_set_led_usbhost "usb" "USB" "nsa325:green:usb"
-	ucidef_set_led_ataport "hdd1" "HDD1" "nsa325:green:sata1" "1"
+	ucidef_set_led_ataport "hdd1" "HDD1" "nsa325:green:hdd1" "1"
-	ucidef_set_led_ataport "hdd2" "HDD2" "nsa325:green:sata2" "2"
+	ucidef_set_led_ataport "hdd2" "HDD2" "nsa325:green:hdd2" "2"
 	;;
 esac
 

target/linux/layerscape/patches-4.9/301-arch-support-layerscape.patch

@@ -345,7 +345,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
  #define PROT_SECT_NORMAL	(PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
 --- a/arch/arm64/include/asm/pgtable.h
 +++ b/arch/arm64/include/asm/pgtable.h
-@@ -370,6 +370,11 @@ static inline int pmd_protnone(pmd_t pmd
+@@ -367,6 +367,11 @@ static inline int pmd_protnone(pmd_t pmd
  	__pgprot_modify(prot, PTE_ATTRINDX_MASK, PTE_ATTRINDX(MT_DEVICE_nGnRnE) | PTE_PXN | PTE_UXN)
  #define pgprot_writecombine(prot) \
  	__pgprot_modify(prot, PTE_ATTRINDX_MASK, PTE_ATTRINDX(MT_NORMAL_NC) | PTE_PXN | PTE_UXN)

target/linux/layerscape/patches-4.9/810-iommu-support-layerscape.patch

@@ -1360,7 +1360,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
  
  	return ret;
  }
-@@ -563,6 +714,19 @@ struct iommu_group *iommu_group_get(stru
+@@ -564,6 +715,19 @@ struct iommu_group *iommu_group_get(stru
  EXPORT_SYMBOL_GPL(iommu_group_get);
  
  /**
@@ -1380,7 +1380,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
   * iommu_group_put - Decrement group reference
   * @group: the group to use
   *
-@@ -845,10 +1009,19 @@ struct iommu_group *iommu_group_get_for_
+@@ -846,10 +1010,19 @@ struct iommu_group *iommu_group_get_for_
  	 * IOMMU driver.
  	 */
  	if (!group->default_domain) {
@@ -1403,7 +1403,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
  	}
  
  	ret = iommu_group_add_device(group, dev);
-@@ -1557,20 +1730,38 @@ int iommu_domain_set_attr(struct iommu_d
+@@ -1558,20 +1731,38 @@ int iommu_domain_set_attr(struct iommu_d
  }
  EXPORT_SYMBOL_GPL(iommu_domain_set_attr);
  

target/linux/layerscape/patches-4.9/817-usb-support-layerscape.patch

@@ -87,7 +87,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
  			pkt_len = le32_to_cpu(rx_desc->opts1) & RX_LEN_MASK;
  			if (pkt_len < ETH_ZLEN)
  				break;
-@@ -4516,6 +4521,7 @@ static struct usb_device_id rtl8152_tabl
+@@ -4519,6 +4524,7 @@ static struct usb_device_id rtl8152_tabl
  	{REALTEK_USB_DEVICE(VENDOR_ID_LENOVO,  0x304f)},
  	{REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)},
  	{REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA,  0x09ff)},
@@ -156,7 +156,7 @@ Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
  	int ret;
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
-@@ -4454,6 +4454,14 @@ hub_port_init(struct usb_hub *hub, struc
+@@ -4455,6 +4455,14 @@ hub_port_init(struct usb_hub *hub, struc
  	else
  		speed = usb_speed_string(udev->speed);
  

target/linux/ramips/base-files/etc/board.d/02_network

@@ -88,7 +88,6 @@ ramips_setup_interfaces()
 	ew1200|\
 	firewrt|\
 	hc5661a|\
-	hc5962|\
 	hlk-rm04|\
 	k2p|\
 	kn|\
@@ -285,6 +284,10 @@ ramips_setup_interfaces()
 		ucidef_add_switch "switch0" \
 			"1:lan" "2:lan" "3:lan" "4:lan" "5:lan" "0:wan" "6@eth0"
 		;;
+	hc5962)
+		ucidef_add_switch "switch0" \
+			"1:lan" "2:lan" "3:lan" "4:wan" "6@eth0"
+		;;
 	kn_rf)
 		ucidef_add_switch "switch0" \
 			"0:wan" "1:lan" "2:lan" "3:lan" "4:lan" "6@eth0"

target/linux/sunxi/patches-4.14/002-net-stmmac-dwmac-sun8i-Handle-integrated-external-MD.patch

@@ -329,7 +329,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  	}
  
  	if (!of_property_read_u32(node, "allwinner,tx-delay-ps", &val)) {
-@@ -747,81 +896,21 @@ static void sun8i_dwmac_unset_syscon(str
+@@ -750,81 +899,21 @@ static void sun8i_dwmac_unset_syscon(str
  	regmap_write(gmac->regmap, SYSCON_EMAC_REG, reg);
  }
  
@@ -420,7 +420,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  
  	clk_disable_unprepare(gmac->tx_clk);
  
-@@ -850,7 +939,7 @@ static struct mac_device_info *sun8i_dwm
+@@ -853,7 +942,7 @@ static struct mac_device_info *sun8i_dwm
  	if (!mac)
  		return NULL;
  
@@ -429,7 +429,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  	if (ret)
  		return NULL;
  
-@@ -892,6 +981,8 @@ static int sun8i_dwmac_probe(struct plat
+@@ -895,6 +984,8 @@ static int sun8i_dwmac_probe(struct plat
  	struct sunxi_priv_data *gmac;
  	struct device *dev = &pdev->dev;
  	int ret;
@@ -438,7 +438,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  
  	ret = stmmac_get_platform_resources(pdev, &stmmac_res);
  	if (ret)
-@@ -935,29 +1026,6 @@ static int sun8i_dwmac_probe(struct plat
+@@ -938,29 +1029,6 @@ static int sun8i_dwmac_probe(struct plat
  	}
  
  	plat_dat->interface = of_get_phy_mode(dev->of_node);
@@ -468,7 +468,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  
  	/* platform data specifying hardware features and callbacks.
  	 * hardware features were copied from Allwinner drivers.
-@@ -976,9 +1044,34 @@ static int sun8i_dwmac_probe(struct plat
+@@ -979,9 +1047,34 @@ static int sun8i_dwmac_probe(struct plat
  
  	ret = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
  	if (ret)

target/linux/sunxi/patches-4.14/003-net-stmmac-sun8i-Restore-the-compatibles.patch

@@ -18,7 +18,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
 
 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
 +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
-@@ -1075,6 +1075,14 @@ return ret;
+@@ -1078,6 +1078,14 @@ return ret;
  }
  
  static const struct of_device_id sun8i_dwmac_match[] = {

tools/expat/Makefile

@@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=expat
 PKG_CPE_ID:=cpe:/a:libexpat:expat
-PKG_VERSION:=2.2.5
+PKG_VERSION:=2.2.9
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_HASH:=d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6
+PKG_HASH:=f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237
 PKG_SOURCE_URL:=@SF/expat
 
 HOST_BUILD_PARALLEL:=1

version

@@ -1 +1 @@
-r7957-d81a8a3e29
+r7976-ca47026b7d

version.date

@@ -1 +1 @@
-1578251167
+1580313965