aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRafał Miłecki <rafal@milecki.pl>2019-06-16 21:44:51 +0200
committerRafał Miłecki <rafal@milecki.pl>2019-06-16 22:30:49 +0200
commitaf50ce32c5ce41a357b3423d098a40360bfed25e (patch)
tree91c4bcfaa27ea2b5196d8f9841791e53d6061991
parentd92713d2cfd64fda16a0545b529c8c291300a5f6 (diff)
downloadupstream-af50ce32c5ce41a357b3423d098a40360bfed25e.tar.gz
upstream-af50ce32c5ce41a357b3423d098a40360bfed25e.tar.bz2
upstream-af50ce32c5ce41a357b3423d098a40360bfed25e.zip
mac80211: brcmfmac: backport important fixes from kernel 5.2
1) Crash/Oops fixes 2) One-line patch for BCM43456 support 3) Fix communication with some specific FullMAC firmwares 4) Potential fix for "Invalid packet id" errors 5) Important helper for reporting FullMAC firmware crashes Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 2cd234d96bd772119363a77a35bffa6a4931613e)
-rw-r--r--package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch123
-rw-r--r--package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch35
-rw-r--r--package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch35
-rw-r--r--package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch39
-rw-r--r--package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch50
-rw-r--r--package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch49
-rw-r--r--package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch90
-rw-r--r--package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch2
-rw-r--r--package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch2
9 files changed, 423 insertions, 2 deletions
diff --git a/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch b/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
new file mode 100644
index 0000000000..4e8f728ad7
--- /dev/null
+++ b/package/kernel/mac80211/patches/343-v5.2-brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
@@ -0,0 +1,123 @@
+From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB
+ disconnect
+
+Fix a race which leads to an Oops with NULL pointer dereference. The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013
+sp : eca99d28 ip : 00000000 fp : ee9c6c00
+r10: 00000036 r9 : 00000000 r8 : ece4002c
+r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968
+r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 7ca0c04a DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -838,17 +838,17 @@ static void brcmf_del_if(struct brcmf_pu
+ bool rtnl_locked)
+ {
+ struct brcmf_if *ifp;
++ int ifidx;
+
+ ifp = drvr->iflist[bsscfgidx];
+- drvr->iflist[bsscfgidx] = NULL;
+ if (!ifp) {
+ bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
+ return;
+ }
+ brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+ ifp->ifidx);
+- if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++ ifidx = ifp->ifidx;
++
+ if (ifp->ndev) {
+ if (bsscfgidx == 0) {
+ if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -876,6 +876,10 @@ static void brcmf_del_if(struct brcmf_pu
+ brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+ kfree(ifp);
+ }
++
++ drvr->iflist[bsscfgidx] = NULL;
++ if (drvr->if2bss[ifidx] == bsscfgidx)
++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
diff --git a/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch b/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch
new file mode 100644
index 0000000000..00759d1118
--- /dev/null
+++ b/package/kernel/mac80211/patches/344-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch
@@ -0,0 +1,35 @@
+From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5436,6 +5436,8 @@ static s32 brcmf_get_assoc_ies(struct br
+ conn_info->req_ie =
+ kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->req_ie)
++ conn_info->req_ie_len = 0;
+ } else {
+ conn_info->req_ie_len = 0;
+ conn_info->req_ie = NULL;
+@@ -5452,6 +5454,8 @@ static s32 brcmf_get_assoc_ies(struct br
+ conn_info->resp_ie =
+ kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->resp_ie)
++ conn_info->resp_ie_len = 0;
+ } else {
+ conn_info->resp_ie_len = 0;
+ conn_info->resp_ie = NULL;
diff --git a/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch b/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch
new file mode 100644
index 0000000000..4183f977cd
--- /dev/null
+++ b/package/kernel/mac80211/patches/345-v5.2-brcmfmac-Loading-the-correct-firmware-for-brcm43456.patch
@@ -0,0 +1,35 @@
+From e3062e05e1cfe378bb9b3fa0bef46711372bcf13 Mon Sep 17 00:00:00 2001
+From: Ondrej Jirman <megous@megous.com>
+Date: Sat, 6 Apr 2019 01:45:13 +0200
+Subject: [PATCH] brcmfmac: Loading the correct firmware for brcm43456
+
+SDIO based brcm43456 is currently misdetected as brcm43455 and the wrong
+firmware name is used. Correct the detection and load the correct
+firmware file. Chiprev for brcm43456 is "9".
+
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -616,6 +616,7 @@ BRCMF_FW_NVRAM_DEF(43430A0, "brcmfmac434
+ /* Note the names are not postfixed with a1 for backward compatibility */
+ BRCMF_FW_NVRAM_DEF(43430A1, "brcmfmac43430-sdio.bin", "brcmfmac43430-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(43455, "brcmfmac43455-sdio.bin", "brcmfmac43455-sdio.txt");
++BRCMF_FW_NVRAM_DEF(43456, "brcmfmac43456-sdio.bin", "brcmfmac43456-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4354, "brcmfmac4354-sdio.bin", "brcmfmac4354-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4356, "brcmfmac4356-sdio.bin", "brcmfmac4356-sdio.txt");
+ BRCMF_FW_NVRAM_DEF(4373, "brcmfmac4373-sdio.bin", "brcmfmac4373-sdio.txt");
+@@ -635,7 +636,8 @@ static struct brcmf_firmware_mapping brc
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4339_CHIP_ID, 0xFFFFFFFF, 4339),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0x00000001, 43430A0),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_43430_CHIP_ID, 0xFFFFFFFE, 43430A1),
+- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFFC0, 43455),
++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0x00000200, 43456),
++ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4345_CHIP_ID, 0xFFFFFDC0, 43455),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4354_CHIP_ID, 0xFFFFFFFF, 4354),
+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4356_CHIP_ID, 0xFFFFFFFF, 4356),
+ BRCMF_FW_NVRAM_ENTRY(CY_CC_4373_CHIP_ID, 0xFFFFFFFF, 4373)
diff --git a/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch b/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch
new file mode 100644
index 0000000000..180c62079a
--- /dev/null
+++ b/package/kernel/mac80211/patches/346-v5.2-brcmfmac-send-mailbox-interrupt-twice-for-specific-h.patch
@@ -0,0 +1,39 @@
+From 9ef77fbedad9ea8895cd5d7fb7aee16071f527dc Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:12:32 +0000
+Subject: [PATCH] brcmfmac: send mailbox interrupt twice for specific hardware
+ device
+
+For PCIE wireless device with core revision less than 14, device may miss
+PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending
+mail box interrupt twice as a hardware workaround.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -671,6 +671,7 @@ static int
+ brcmf_pcie_send_mb_data(struct brcmf_pciedev_info *devinfo, u32 htod_mb_data)
+ {
+ struct brcmf_pcie_shared_info *shared;
++ struct brcmf_core *core;
+ u32 addr;
+ u32 cur_htod_mb_data;
+ u32 i;
+@@ -694,7 +695,11 @@ brcmf_pcie_send_mb_data(struct brcmf_pci
+
+ brcmf_pcie_write_tcm32(devinfo, addr, htod_mb_data);
+ pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+- pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
++
++ /* Send mailbox interrupt twice as a hardware workaround */
++ core = brcmf_chip_get_core(devinfo->ci, BCMA_CORE_PCIE2);
++ if (core->rev <= 13)
++ pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_SBMBX, 1);
+
+ return 0;
+ }
diff --git a/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch b/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch
new file mode 100644
index 0000000000..b4d56c34bc
--- /dev/null
+++ b/package/kernel/mac80211/patches/347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch
@@ -0,0 +1,50 @@
+From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: [PATCH] brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative. (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+ struct brcmf_if *ifp;
+ const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+ struct sk_buff *reply;
+- int ret, payload, ret_len;
++ unsigned int payload, ret_len;
+ void *dcmd_buf = NULL, *wr_pointer;
+ u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++ int ret;
+
+ if (len < sizeof(*cmdhdr)) {
+ brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
+ brcmf_err("oversize return buffer %d\n", ret_len);
+ ret_len = BRCMF_DCMD_MAXLEN;
+ }
+- payload = max(ret_len, len) + 1;
++ payload = max_t(unsigned int, ret_len, len) + 1;
+ dcmd_buf = vzalloc(payload);
+ if (NULL == dcmd_buf)
+ return -ENOMEM;
diff --git a/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch b/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch
new file mode 100644
index 0000000000..ee4521ff71
--- /dev/null
+++ b/package/kernel/mac80211/patches/348-v5.2-brcmfmac-set-txflow-request-id-from-1-to-pktids-arra.patch
@@ -0,0 +1,49 @@
+From 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a Mon Sep 17 00:00:00 2001
+From: Wright Feng <Wright.Feng@cypress.com>
+Date: Fri, 26 Apr 2019 03:41:46 +0000
+Subject: [PATCH] brcmfmac: set txflow request id from 1 to pktids array size
+
+Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in
+host side and never be released. If that packet type is 802.1x, the
+pend_8021x_cnt value will be always greater than 0 and show "Timed out
+waiting for no pending 802.1x packets" error message when sending key to
+dongle every time.
+
+To be compatible with all firmwares, host should set txflow request id
+from 1 instead of from 0.
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *de
+ struct brcmf_msgbuf_pktid *pktid;
+ struct sk_buff *skb;
+
+- if (idx >= pktids->array_size) {
++ if (idx < 0 || idx >= pktids->array_size) {
+ brcmf_err("Invalid packet id %d (max %d)\n", idx,
+ pktids->array_size);
+ return NULL;
+@@ -745,7 +745,7 @@ static void brcmf_msgbuf_txflow(struct b
+ tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr;
+
+ tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST;
+- tx_msghdr->msg.request_id = cpu_to_le32(pktid);
++ tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1);
+ tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid);
+ tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3;
+ tx_msghdr->flags |= (skb->priority & 0x07) <<
+@@ -882,7 +882,7 @@ brcmf_msgbuf_process_txstatus(struct brc
+ u16 flowid;
+
+ tx_status = (struct msgbuf_tx_status *)buf;
+- idx = le32_to_cpu(tx_status->msg.request_id);
++ idx = le32_to_cpu(tx_status->msg.request_id) - 1;
+ flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id);
+ flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART;
+ skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
diff --git a/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch b/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch
new file mode 100644
index 0000000000..e8312fa31e
--- /dev/null
+++ b/package/kernel/mac80211/patches/349-v5.2-brcmfmac-print-firmware-messages-after-a-firmware-cr.patch
@@ -0,0 +1,90 @@
+From 47dd82e3d25e85a7c7c4e4b0eac9d297d1e5e2d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 28 Apr 2019 23:38:26 +0200
+Subject: [PATCH] brcmfmac: print firmware messages after a firmware crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Normally firmware messages are printed with debugging enabled only. It's
+a good idea as firmware may print a lot of messages that normal users
+don't need to care about.
+
+However, on firmware crash, it may be very helpful to log all recent
+messages. There is almost always a backtrace available as well as rought
+info on the latest actions/state.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/pcie.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -760,15 +760,22 @@ static void brcmf_pcie_bus_console_init(
+ console->base_addr, console->buf_addr, console->bufsize);
+ }
+
+-
+-static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo)
++/**
++ * brcmf_pcie_bus_console_read - reads firmware messages
++ *
++ * @error: specifies if error has occurred (prints messages unconditionally)
++ */
++static void brcmf_pcie_bus_console_read(struct brcmf_pciedev_info *devinfo,
++ bool error)
+ {
++ struct pci_dev *pdev = devinfo->pdev;
++ struct brcmf_bus *bus = dev_get_drvdata(&pdev->dev);
+ struct brcmf_pcie_console *console;
+ u32 addr;
+ u8 ch;
+ u32 newidx;
+
+- if (!BRCMF_FWCON_ON())
++ if (!error && !BRCMF_FWCON_ON())
+ return;
+
+ console = &devinfo->shared.console;
+@@ -792,7 +799,10 @@ static void brcmf_pcie_bus_console_read(
+ }
+ if (ch == '\n') {
+ console->log_str[console->log_idx] = 0;
+- pr_debug("CONSOLE: %s", console->log_str);
++ if (error)
++ brcmf_err(bus, "CONSOLE: %s", console->log_str);
++ else
++ pr_debug("CONSOLE: %s", console->log_str);
+ console->log_idx = 0;
+ }
+ }
+@@ -847,7 +857,7 @@ static irqreturn_t brcmf_pcie_isr_thread
+ &devinfo->pdev->dev);
+ }
+ }
+- brcmf_pcie_bus_console_read(devinfo);
++ brcmf_pcie_bus_console_read(devinfo, false);
+ if (devinfo->state == BRCMFMAC_PCIE_STATE_UP)
+ brcmf_pcie_intr_enable(devinfo);
+ devinfo->in_irq = false;
+@@ -1398,6 +1408,8 @@ static int brcmf_pcie_reset(struct devic
+ u16 bus_nr;
+ int err;
+
++ brcmf_pcie_bus_console_read(devinfo, true);
++
+ brcmf_detach(dev);
+
+ brcmf_pcie_release_irq(devinfo);
+@@ -1799,7 +1811,7 @@ static void brcmf_pcie_setup(struct devi
+ if (brcmf_pcie_attach_bus(devinfo) == 0)
+ return;
+
+- brcmf_pcie_bus_console_read(devinfo);
++ brcmf_pcie_bus_console_read(devinfo, false);
+
+ fail:
+ device_release_driver(dev);
diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
index e8e2afff7b..a2e36a0b08 100644
--- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
+++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
@@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1385,6 +1385,7 @@ int __init brcmf_core_init(void)
+@@ -1411,6 +1411,7 @@ int __init brcmf_core_init(void)
{
if (!schedule_work(&brcmf_driver_work))
return -EBUSY;
diff --git a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch
index 6fabad6f18..17a9168bed 100644
--- a/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch
+++ b/package/kernel/mac80211/patches/865-brcmfmac-get-RAM-info-right-before-downloading-PCIe-.patch
@@ -55,7 +55,7 @@ Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
void brcmf_chip_detach(struct brcmf_chip *chip);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -1702,6 +1702,12 @@ static void brcmf_pcie_setup(struct devi
+@@ -1761,6 +1761,12 @@ static void brcmf_pcie_setup(struct devi
brcmf_pcie_attach(devinfo);