  1. Jan 23, 2022
  2. Sep 14, 2021
    • gluon-mesh-vpn-wireguard: add package (#2168) · 3f7c0b3a
      lemoer authored
      The address of the vpn interface is calculated in the style of
      modified EUI-64, based on a virtual mac address. This virtual mac
      address consists of 0x00 as first byte and the other five bytes
      are taken from the first bytes of md5sum(base64 encoded public key).
      
      The algorithm was taken from ffmuc, with a slight difference. ffmuc
      calculated the result of md5sum(base64 encoded public key + '\n')
      which was interpreted as accidental fault and therefore dropped.
      
      Example:
      - Public-Key: "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="
      - Address: "fe80::02ca:b8ff:fedc:2eb3"
      
      The following interfaces are used for wireguard:
      - wg_mesh  -> wireguard interface
      - mesh-vpn -> vxlan iface on top of wg_mesh
      
      If you use this new feature, make sure the NTP servers in your site
      config are publicly reachable. This is necessary, since wireguard
      requires correct time before the vpn connection is established.
      Therefore gluon performs ntp time synchronisation via WAN before it
      establishes the vpn connection. Therefore the NTP servers have to
      be publicly reachable (and not only via mesh).
      3f7c0b3a
  3. Jun 21, 2021
  4. May 01, 2021
    • batman-adv: Introduce no noflood mark · cb505a35
      Linus Lüssing authored
      
      This mark prevents a multicast packet being flooded through the whole
      mesh. The advantage of marking certain multicast packets via e.g.
      ebtables instead of dropping is then the following:
      
      This allows an administrator to let specific multicast packets pass as
      long as they are forwarded to a limited number of nodes only and are
      therefore creating no burden to unrelated nodes.
      
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      cb505a35
  5. Feb 15, 2021
    • modules: update OpenWrt · 429223b9
      David Bauer authored
      fec1aa6dfb mt76: update to the latest version
      224fa47bf9 ramips: mark toggle input on EX6150 as a switch
      3a05aa17db mac80211: Remove 357-mac80211-optimize-skb-resizing.patch
      171d8bce0c ramips: remove factory image for TP-Link Archer C2 v1
      2eb8444363 ath79: fix USB power GPIO for TP-Link TL-WR810N v1
      d5a8e85878 wolfssl: Backport fix for CVE-2021-3336
      cf5e5204d9 bcm63xx: sprom: override the PCI device ID
      4465b44fc1 kernel: bump 4.14 to 4.14.219
      4b9ade65ec bcm63xx: R5010UNv2: fix flash partitions for 16MB flash
      ab9cb390be hostapd: fix P2P group information processing vulnerability
      1e90091c5d opkg: update to latest git HEAD of branch openwrt-19.07
      312c05611b kernel: bump 4.14 to 4.14.218
      3100649458 wolfssl: enable HAVE_SECRET_CALLBACK
      e9d2aa9dc6 wolfssl: Fix hostapd build with wolfssl 4.6.0
      2044c01de8 wolfssl: Update to v4.6.0-stable
      5ac0b2b431 mvebu: omnia: make initramfs image usable out of the box
      429223b9
  6. Feb 01, 2021
    • modules: update OpenWrt · 39c1f672
      David Bauer authored
      a7a207e18b mt76: update to the latest version
      1ce5008597 wireguard: Fix compile with kernel 4.14.217
      2ecb22dc51 kernel: bump 4.14 to 4.14.217
      11f4918ebb dnsmasq: backport fixes
      9999c87d3a netifd: fix IPv6 routing loop on point-to-point links
      250dbb3a60 odhcp6c: fix IPv6 routing loop on point-to-point links
      d816c6cd31 kernel: bump 4.14 to 4.14.216
      c21d59dc11 imagebuilder: pass IB=1 on checking requirements
      39c1f672
  7. Jan 25, 2021
    • kernel: bridge: Fix a deadlock when enabling multicast snooping · 13cb7504
      Linus Lüssing authored
      
      [ Upstream commit 851d0a73c90e6c8c63fef106c6c1e73df7e05d9d ]
      
      From: Joseph Huang <Joseph.Huang@garmin.com>
      
      When enabling multicast snooping, bridge module deadlocks on multicast_lock
      if 1) IPv6 is enabled, and 2) there is an existing querier on the same L2
      network.
      
      The deadlock was caused by the following sequence: While holding the lock,
      br_multicast_open calls br_multicast_join_snoopers, which eventually causes
      IP stack to (attempt to) send out a Listener Report (in igmp6_join_group).
      Since the destination Ethernet address is a multicast address, br_dev_xmit
      feeds the packet back to the bridge via br_multicast_rcv, which in turn
      calls br_multicast_add_group, which then deadlocks on multicast_lock.
      
      The fix is to move the call br_multicast_join_snoopers outside of the
      critical section. This works since br_multicast_join_snoopers only deals
      with IP and does not modify any multicast data structures of the bridge,
      so there's no need to hold the lock.
      
      Steps to reproduce:
      1. sysctl net.ipv6.conf.all.force_mld_version=1
      2. have another querier
      3. ip link set dev bridge type bridge mcast_snooping 0 && \
         ip link set dev bridge type bridge mcast_snooping 1 < deadlock >
      
      A typical call trace looks like the following:
      
      [  936.251495]  _raw_spin_lock+0x5c/0x68
      [  936.255221]  br_multicast_add_group+0x40/0x170 [bridge]
      [  936.260491]  br_multicast_rcv+0x7ac/0xe30 [bridge]
      [  936.265322]  br_dev_xmit+0x140/0x368 [bridge]
      [  936.269689]  dev_hard_start_xmit+0x94/0x158
      [  936.273876]  __dev_queue_xmit+0x5ac/0x7f8
      [  936.277890]  dev_queue_xmit+0x10/0x18
      [  936.281563]  neigh_resolve_output+0xec/0x198
      [  936.285845]  ip6_finish_output2+0x240/0x710
      [  936.290039]  __ip6_finish_output+0x130/0x170
      [  936.294318]  ip6_output+0x6c/0x1c8
      [  936.297731]  NF_HOOK.constprop.0+0xd8/0xe8
      [  936.301834]  igmp6_send+0x358/0x558
      [  936.305326]  igmp6_join_group.part.0+0x30/0xf0
      [  936.309774]  igmp6_group_added+0xfc/0x110
      [  936.313787]  __ipv6_dev_mc_inc+0x1a4/0x290
      [  936.317885]  ipv6_dev_mc_inc+0x10/0x18
      [  936.321677]  br_multicast_open+0xbc/0x110 [bridge]
      [  936.326506]  br_multicast_toggle+0xec/0x140 [bridge]
      
      Fixes: 4effd28c1245 ("bridge: join all-snoopers multicast address")
      Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
      Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
      Link: https://lore.kernel.org/r/20201204235628.50653-1-Joseph.Huang@garmin.com
      
      
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [linus.luessing@c0d3.blue: backported to 4.4]
      13cb7504
  8. Jan 13, 2021
  9. Jan 10, 2021
  10. Dec 07, 2020
  11. Dec 06, 2020
  12. Dec 05, 2020
  13. Oct 19, 2020
    • fastd: reorganize patches for easier backporting · 53f5b809
      Matthias Schiffer authored
      Gluon v2020.2.x uses fastd v19, so we keep that in a separate patch. The
      fastd memory leak fix from v18 is not removed in this patch anymore, as
      the fix is needed for v19 as well.
      
      The v20 and v21 patches are squashed into one, as they aren't backports
      anymore after the rebase onto current openwrt-19.07.
      53f5b809
    • packages: fastd: update to v21 · d97c518d
      David Bauer authored
      d97c518d
    • modules: bump OpenWrt packages · 65e5aeed
      David Bauer authored
      a2673dc53 fastd: fix buffer leak when receiving invalid packets
      51bf00834 logrotate: update to version 3.17.0
      8715cef64 logrotate: update to 3.16.0
      acb77d5be python3: Update to 3.7.9, refresh/remove backported patches
      4af889f20 travelmate: bugfix single radio mode
      cb3bab180 netdata: update to version 1.26.0
      70bb0b4c8 bind: update to version 9.16.7
      d05698fae freeradius3: move "release_" from PKG_VERSION
      93360e625 freeradius3: add meta-package for default modules
      2f7338b62 python-urllib3: update to version 1.25.10 (security fix)
      50a67ed74 nextdns: Update to version 1.8.6
      b48575ef4 chrony: update to 3.5.1
      35e6986a0 nextdns: mark /etc/config/nextdns as configuration file
      418e3b294 simple-adblock: config update file fix
      9ac587ca8 libuv: update to 1.40.0
      613d21085 nano: update to 5.3
      992746571 btrfs-progs: update to version 5.7
      cedba1ca2 btrfs-progs: update to version 5.6
      25b2751f8 python-pytz: update to 2019.03
      f3b424139 adblock: refresh blocklist sources
      ec628b10d syslog-ng: bump version in config file
      d0a74afad syslog-ng: tweak shell code of network_localhost little bit
      f705a5a93 python-sentry-sdk: Update to version 0.12.3
      2976a5a0e haproxy: Update HAProxy to v2.0.18
      eec7bd646 tor: update to version 0.4.4.5
      91af4cf72 mariadb: Update to the latest version from 10.2 branch
      9461ae47a Werkzeug: Update to version 0.16.0
      f9d9ae8c8 Flask: update to version 1.1.2
      4a833e3a8 Flask: Update to version 1.1.1
      a4534f160 gstreamer1: enable build options necessary for most applications
      8a71cdd6a python-ifaddr: update to version 0.1.7
      05ea7dfc6 nextdns: Update to version 1.8.5
      9069ad925 ipmitool: fix CVE-2020-5208
      826fc8921 nextdns: Update to version 1.8.4
      ac7f78285 openconnect: updated to 8.10 to address CVE-2020-12823
      3f0e26637 python-zeroconf: update to version 0.28.0
      fe7ceaa65 python-zeroconf: update to version 0.24.4
      49459505e mwan3: fix typo in mwan3_set_sticky_iptables
      cae961784 ocserv: include ocserv-worker
      2af61c9a4 vpnbypass: README update, code cleanup
      b00feac4b ocserv: updated to 1.1.1
      c614914da miniupnpd: add miniupnpd ipv6_disable option, #11971 close
      70e57317b simple-adblock: add config auto-update feature
      94866d76a collectd: update to 5.12.0
      b60fa2de9 collectd: update PKG_RELEASE
      aeefbbe34 collectd: remove quotation on interval this is an number
      b0ad32a3e collectd: move include line
      fbe7abcd5 collectd: update PKG_RELEASE
      f53b79ced collectd: fix ubi data source type
      67a403bfe collectd: add ubi uci and plugin info
      37335cf65 collectd: enable ubi plugin
      65e5aeed
  14. Oct 17, 2020
    • mt76: mt7603: add additional EEPROM chip ID (#2133) · 88ec9cbe
      David Bauer authored
      Some newer MT7628 based routers (notably the TP-Link Archer C50 v4) are
      shipped with a chip-id of 0x7600 in the on-flash EEPROM. Add this as a
      possible valid ID.
      
      This fixes unstable WiFi on some units of the TP-Link Archer C50 v4.
      88ec9cbe
  15. Oct 10, 2020
  16. Oct 08, 2020
    • kernel: bridge: Implement MLD Querier wake-up calls / Android bug workaround · b2add48d
      Linus Lüssing authored
      Implement a configurable MLD Querier wake-up calls "feature" which
      works around a widely spread Android bug in connection with IGMP/MLD
      snooping.
      
      Currently there are mobile devices (e.g. Android) which are not able
      to receive and respond to MLD Queries reliably because the Wifi driver
      filters a lot of ICMPv6 when the device is asleep - including
      MLD. This in turn breaks IPv6 communication when MLD Snooping is
      enabled. However there is one ICMPv6 type which is allowed to pass and
      which can be used to wake up the mobile device: ICMPv6 Echo Requests.
      
      If this bridge is the selected MLD Querier then setting
      "multicast_wakeupcall" to a number n greater than 0 will send n
      ICMPv6 Echo Requests to each host behind this port to wake
      them up with each MLD Query. Upon receiving a matching ICMPv6 Echo
      Reply an MLD Query with a unicast ethernet destination will be sent
      to the specific host(s).
      
      Link: https://issuetracker.google.com/issues/149630944
      Link: https://github.com/freifunk-gluon/gluon/issues/1832
      
      
      
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      b2add48d
  17. Aug 01, 2020
  18. Jul 29, 2020
    • openwrt: backport DFS fixes (#2077) · a3a55d64
      David Bauer authored
      This backports two fixes related to operation on DFS-required
      channels.
      
      When a DFS-required channel was selected as the regular
      (non-outdoor-mode) 5 GHz channel, hostapd would switch to a non-DFS
      channel as OpenWrt did not pass a chanlist of allowed ACS channels.
      
      When hostapd is given a single channel for the chanlist or there's no
      available channel left (all allowed channels are in the no-occupancy
      period), hostapd prints "no DFS channels left, waiting for NOP to
      finish" to the syslog but never stopped transmitting on this channel,
      still sending out beacon frames and allowing client data transfer.
      a3a55d64
  19. Jun 14, 2020
    • mt76: mt76x0: disable GTK offloading · 5696be72
      David Bauer authored
      
      When the GTK is offloaded, MT7610 won't transmit any multicast frames.
      This is most likely due to a bug in the offloading datapath. MT7612 is
      not affected.
      
      Disable GTK offloading for now. It can be re-enabled once the bug in the
      offloading path is fixed.
      
      Signed-off-by: David Bauer <mail@david-bauer.net>
    • mac80211: rt2800: enable MFP support unconditionally · f9008851
      David Bauer authored
      This gives us WPA3 support out of the box without having to manually disable
      hardware crypto. The driver will fall back to software crypto if the connection
      requires management frame protection.
      
      This allows us to use WPA3 features (Private-WiFi SAE & OWE) on
      ramips-mt7620.
      f9008851
    • modules: update OpenWrt · 2be6fe32
      David Bauer authored
      b515edb775 ipq40xx: essedma: Disable TCP segmentation offload for IPv6
      f7f15f8033 ath79: wndr3700 series: fix wifi range & throughput
      1f5cbd6be7 ca-certificates: update to version 20200601
      fa72f2646a oxnas: build with 8021Q VLAN support
      e752fc1ff9 ath79: add support for TP-Link TL-WR802N V1 and V2
      6488d2f7cc ath79: update WA/XC devices UBNT_VERSION to 8.5.3
      fb79e5d9fe ipq806x: EA8500 fix boot partition detection
      e36bdd5dc5 ath79: fix LEDs for GL.inet GL-AR150
      21454a772b ar71xx: fix reset key for TP-Link TL-WR802N V1/V2
      a32b0ec4cf generic: fix flow table hw offload
      
      Closes #2055
      2be6fe32
  20. Jun 13, 2020
    • mt76: mt76x0: disable GTK offloading · 2891454f
      David Bauer authored
      
      When the GTK is offloaded, MT7610 won't transmit any multicast frames.
      This is most likely due to a bug in the offloading datapath. MT7612 is
      not affected.
      
      Disable GTK offloading for now. It can be re-enabled once the bug in the
      offloading path is fixed.
      
      Signed-off-by: David Bauer <mail@david-bauer.net>
      2891454f
  21. Jun 10, 2020
    • mac80211: rt2800: enable MFP support unconditionally · e8cc866d
      David Bauer authored
      This gives us WPA3 support out of the box without having to manually disable
      hardware crypto. The driver will fall back to software crypto if the connection
      requires management frame protection.
      
      This allows us to use WPA3 features (Private-WiFi SAE & OWE) on
      ramips-mt7620.
      e8cc866d
  22. May 31, 2020
  23. May 27, 2020
    • modules: update OpenWrt · c3be82f6
      David Bauer authored
      83b714a27f musl: fix locking synchronization bug
      f99b1d1d92 rpcd: update to latest openwrt-19.07 Git HEAD
      92bd395b04 Revert "rpcd: update to latest Git HEAD"
      adf5d753ef rpcd: update to latest Git HEAD
      9b48375c7e libubox: update to the latest version
      a4e8eca03e libubox: update to the latest master
      498f1f4f5d ramips: gsw_mt7621: disable PORT 5 MAC RX/TX flow control by default
      d8d1956a80 hostapd: backport wolfssl bignum fixes
      ab7e9754df ucert: update to latest git HEAD
      bc0c2db2a3 brcm47xx: disable Netgear WNR2000 v2 by default
      059db419d7 squashfs: Fix compile with GCC 10
      97b522a1f9 usign: update to latest git HEAD
      942262f9c8 usign: update to latest Git HEAD
      6a89098935 ath79: add support for TP-Link TL-WA901ND v4 and v5
      a6f70f2e97 ath79: add support for TP-Link TL-WA701ND/730RE/801ND/901ND v1
      8c6c488e9e ath79: add support for TP-Link TL-WR940N v6
      36d4140517 ath79: add support for TP-Link TL-WA830RE v1
      7187826b8b ath79: reorganize DTSI for ar7240 TP-Link devices
      d4092eac1f ath79: migrate TP-Link TL-MR3420v2 to ath79
      24cfd961d9 ath79: add support for TP9343-based TP-Link TL-WR94x devices
      7de43d66ff generic: platform/mikrotik: disambiguate SPDX-License-Identifier
      84154574c8 ramips: drop non-existant ralink,port-map for Ravpower WD03
      af667c73c5 bcm63xx: mask interrupts on init
      d1ce73677c bcm63xx: periph_intc: report effective affinity
      1d40c8a9f2 bcm63xx: ext_intc: fix warning
      65f2fae911 bcm63xx: periph_intc: fix warning
      b2c9f82eb4 bcm63xx: redboot: fix warning
      a2a3ac9f51 bcm63xx: bcm6362: fix pinctrl bug
      6c96ecf3b4 bcm63xx: refresh kernel config
      c3e3802a8e OpenWrt v19.07.3: revert to branch defaults
      f3f38f40da OpenWrt v19.07.3: adjust config defaults
      85e04e9f46 generic: platform/mikrotik: fix LZOR support
      4cd9ae41c5 libjson-c: backport security fixes
      6ffd4d8a4d ar71xx: remove hard-coded folder name from Mikrotik RB upgrade
      d2ee15ef76 fstools: blockd: fix segfault triggered by non-autofs mounts
      4cd44e5dc7 ar71xx: mikrotik: mach-rbspi.c remove wlan id
      3fecb06fb1 ar71xx: mikrotik: bypass id check in __rb_get_wlan_data()
      b36aa168d8 ar71xx: mikrotik: ath10k: use new sysfs driver
      fa2369e59b generic: platform/mikrotik: support LZOR encoding
      612b64e6c4 ar71xx: enable mikrotik platform driver
      511859de9b generic: mikrotik platform build bits
      ddae86cc69 generic: routerboot sysfs platform driver
      2efcfb1d1a kernel: bump 4.14 to 4.14.180
      ecea10f2b9 ath79: dts: add missing 'serial0' alias for TP-Link TL-MR3040v2
      c3be82f6
  24. May 22, 2020
  25. May 06, 2020
    • modules: bump OpenWrt · 2e3a4a51
      David Bauer authored
      d9244a1b5b generic: ar8216: fix unknown packet flooding for ar8229/ar8236
      429e4490c4 libpcap: fix library packaging issues
      e678cb1595 kernel: bump 4.14 to 4.14.179
      8fa4ed9ef7 fstools: update to the latest version
      5c6dfb5bc0 fstools: update to the latest version
      607809dcdc mac80211: Update to version 4.19.120
      96d280cc37 scripts/download: add sources CDN as first mirror
      55ccb04046 upgs: Remove extra _DEFAULT_SOURCE definition
      ee480c50c1 dante: Fix compile with glibc
      5f0e25d966 perf: build with NO_LIBCAP=1
      005adba939 mac80211: ath10k: increase rx buffer size to 2048
      0974d59b5f kernel: backport fix for non-regular inodes on f2fs
      f40947a8c0 ath79: indicate boot/failsafe/upgrade for NanoBeam/Nanostation AC
      65cf72d5d2 ath79: add SUPPORTED_DEVICES based on ar71xx for some devices
      f9ef0c5705 kernel: bump 4.14 to 4.14.178
      2df0ea042d wpad-wolfssl: fix crypto_bignum_sub()
      ec6cb33452 mac80211: backport fix for an no-ack tx status issue
      f141cdd200 hostapd: unconditionally enable ap/mesh for wpa-cli
      54b6683390 wireless-regdb: backport three upstream fixes
      55591e63bc curl: backport fix for CVE-2019-15601
      35ea808b97 uboot-kirkwood: fix ethernet and usb
      
      Compile-tested: all targets
      2e3a4a51
  26. Apr 29, 2020
  27. Apr 25, 2020
    • mac80211: ath10k: increase rx buffer size to 2048 · 8bc602b0
      Sven Eckelmann authored
      Before, only frames with a maximum size of 1528 bytes could be
      transmitted between two 802.11s nodes.
      
      For batman-adv for instance, which adds its own header to each frame,
      we typically need an MTU of at least 1532 bytes to be able to transmit
      without fragmentation.
      
      This patch now increases the maximum frame size from 1528 to 1656
      bytes.
      
      Tested with two ath10k devices in 802.11s mode, as well as with
      batman-adv on top of 802.11s with forwarding disabled.
      
      Fix originally found and developed by Ben Greear.
      8bc602b0
  28. Apr 24, 2020
  29. Apr 09, 2020
  30. Jan 04, 2020
  31. Dec 28, 2019
  32. Nov 23, 2019
    • modules: update OpenWrt base · 00b46f06
      Matthias Schiffer authored
      f97d2351e2c1 ath79: remove ath10k drivers from Archer C7 v1 profile
      7c321e00dd19 kernel: nf_conntrack_rtcache: fix WARNING on rmmod
      2a2f9ffe81ce kernel: nf_conntrack_rtcache: fix WARNING on forward path
      00b46f06