kernel: bump 4.14 to 4.14.59

Drop patch that was superseded upstream:
ramips/0036-mtd-fix-cfi-cmdset-0002-erase-status-check.patch

Drop upstreamed patches:
- apm821xx/020-0001-crypto-crypto4xx-remove-bad-list_del.patch
- apm821xx/020-0011-crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_b.patch
- ath79/0011-MIPS-ath79-fix-register-address-in-ath79_ddr_wb_flus.patch
- brcm63xx/001-4.15-08-bcm63xx_enet-correct-clock-usage.patch
- brcm63xx/001-4.15-09-bcm63xx_enet-do-not-write-to-random-DMA-channel-on-B.patch
- generic/backport/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch
- generic/pending/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch
- generic/pending/900-gen_stats-fix-netlink-stats-padding.patch

In 4.14.55, a patch was introduced that breaks ext4 images in some
cases. The newly introduced patch
backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
addresses this breakage.

Fixes the following CVEs:
- CVE-2018-10876
- CVE-2018-10877
- CVE-2018-10879
- CVE-2018-10880
- CVE-2018-10881
- CVE-2018-10882
- CVE-2018-10883

Compile-tested: ath79, octeon, x86/64
Runtime-tested: ath79, octeon, x86/64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

9 files changed, 16 insertions, 196 deletions

diff --git a/target/linux/generic/pending-4.14/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch b/target/linux/generic/pending-4.14/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch
index 5ce2bf87b9..0c4a13f9df 100644
--- a/target/linux/generic/pending-4.14/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch
+++ b/target/linux/generic/pending-4.14/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch
@@ -13,11 +13,9 @@ Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
  drivers/w1/masters/w1-gpio.c | 7 +++----
  1 file changed, 3 insertions(+), 4 deletions(-)
 
-diff --git a/drivers/w1/masters/w1-gpio.c b/drivers/w1/masters/w1-gpio.c
-index a90728ceec5a..7b80762941af 100644
 --- a/drivers/w1/masters/w1-gpio.c
 +++ b/drivers/w1/masters/w1-gpio.c
-@@ -112,17 +112,16 @@ static int w1_gpio_probe_dt(struct platform_device *pdev)
+@@ -112,17 +112,16 @@ static int w1_gpio_probe_dt(struct platf
  static int w1_gpio_probe(struct platform_device *pdev)
  {
  	struct w1_bus_master *master;
@@ -38,6 +36,3 @@ index a90728ceec5a..7b80762941af 100644
  	if (!pdata) {
  		dev_err(&pdev->dev, "No configuration data\n");
  		return -ENXIO;
--- 
-2.14.1
-
diff --git a/target/linux/generic/pending-4.14/102-MIPS-only-process-negative-stack-offsets-on-stack-tr.patch b/target/linux/generic/pending-4.14/102-MIPS-only-process-negative-stack-offsets-on-stack-tr.patch
index cc17053121..b3dc43ea68 100644
--- a/target/linux/generic/pending-4.14/102-MIPS-only-process-negative-stack-offsets-on-stack-tr.patch
+++ b/target/linux/generic/pending-4.14/102-MIPS-only-process-negative-stack-offsets-on-stack-tr.patch
@@ -46,7 +46,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/arch/mips/kernel/process.c
 +++ b/arch/mips/kernel/process.c
-@@ -357,6 +357,8 @@ static inline int is_sp_move_ins(union m
+@@ -358,6 +358,8 @@ static inline int is_sp_move_ins(union m
  
  	if (ip->i_format.opcode == addiu_op ||
  	    ip->i_format.opcode == daddiu_op) {
diff --git a/target/linux/generic/pending-4.14/150-bridge_allow_receiption_on_disabled_port.patch b/target/linux/generic/pending-4.14/150-bridge_allow_receiption_on_disabled_port.patch
index 03267310a0..9fcffdee06 100644
--- a/target/linux/generic/pending-4.14/150-bridge_allow_receiption_on_disabled_port.patch
+++ b/target/linux/generic/pending-4.14/150-bridge_allow_receiption_on_disabled_port.patch
@@ -15,7 +15,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/net/bridge/br_input.c
 +++ b/net/bridge/br_input.c
-@@ -238,7 +238,8 @@ static int br_handle_local_finish(struct
+@@ -239,7 +239,8 @@ static int br_handle_local_finish(struct
  {
  	struct net_bridge_port *p = br_port_get_rcu(skb->dev);
  
@@ -25,7 +25,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  	BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
  	br_pass_frame_up(skb);
-@@ -326,6 +327,15 @@ rx_handler_result_t br_handle_frame(stru
+@@ -327,6 +328,15 @@ rx_handler_result_t br_handle_frame(stru
  
  forward:
  	switch (p->state) {
diff --git a/target/linux/generic/pending-4.14/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch b/target/linux/generic/pending-4.14/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch
deleted file mode 100644
index 49b33d514f..0000000000
--- a/target/linux/generic/pending-4.14/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 028c9191bdf88f120f65626920a6a679170fcc3e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Antti=20Sepp=C3=A4l=C3=A4?= <a.seppala@gmail.com>
-Date: Thu, 5 Jul 2018 11:37:03 +0300
-Subject: [PATCH 1/2] usb: dwc2: Fix DMA alignment to start at allocated
- boundary
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The commit 3bc04e28a030 ("usb: dwc2: host: Get aligned DMA in a more
-supported way") introduced a common way to align DMA allocations.
-The code in the commit aligns the struct dma_aligned_buffer but the
-actual DMA address pointed by data[0] gets aligned to an offset from
-the allocated boundary by the kmalloc_ptr and the old_xfer_buffer
-pointers.
-
-This is against the recommendation in Documentation/DMA-API.txt which
-states:
-
-  Therefore, it is recommended that driver writers who don't take
-  special care to determine the cache line size at run time only map
-  virtual regions that begin and end on page boundaries (which are
-  guaranteed also to be cache line boundaries).
-
-The effect of this is that architectures with non-coherent DMA caches
-may run into memory corruption or kernel crashes with Unhandled
-kernel unaligned accesses exceptions.
-
-Fix the alignment by positioning the DMA area in front of the allocation
-and use memory at the end of the area for storing the orginal
-transfer_buffer pointer. This may have the added benefit of increased
-performance as the DMA area is now fully aligned on all architectures.
-
-Tested with Lantiq xRX200 (MIPS) and RPi Model B Rev 2 (ARM).
-
-Fixes: 3bc04e28a030 ("usb: dwc2: host: Get aligned DMA in a more
-supported way")
-
-Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
----
- drivers/usb/dwc2/hcd.c | 44 +++++++++++++++++++++++---------------------
- 1 file changed, 23 insertions(+), 21 deletions(-)
-
---- a/drivers/usb/dwc2/hcd.c
-+++ b/drivers/usb/dwc2/hcd.c
-@@ -2628,34 +2628,29 @@ static void dwc2_hc_init_xfer(struct dwc
- 
- #define DWC2_USB_DMA_ALIGN 4
- 
--struct dma_aligned_buffer {
--	void *kmalloc_ptr;
--	void *old_xfer_buffer;
--	u8 data[0];
--};
--
- static void dwc2_free_dma_aligned_buffer(struct urb *urb)
- {
--	struct dma_aligned_buffer *temp;
-+	void *stored_xfer_buffer;
- 
- 	if (!(urb->transfer_flags & URB_ALIGNED_TEMP_BUFFER))
- 		return;
- 
--	temp = container_of(urb->transfer_buffer,
--			    struct dma_aligned_buffer, data);
-+	/* Restore urb->transfer_buffer from the end of the allocated area */
-+	memcpy(&stored_xfer_buffer, urb->transfer_buffer +
-+	       urb->transfer_buffer_length, sizeof(urb->transfer_buffer));
- 
- 	if (usb_urb_dir_in(urb))
--		memcpy(temp->old_xfer_buffer, temp->data,
-+		memcpy(stored_xfer_buffer, urb->transfer_buffer,
- 		       urb->transfer_buffer_length);
--	urb->transfer_buffer = temp->old_xfer_buffer;
--	kfree(temp->kmalloc_ptr);
-+	kfree(urb->transfer_buffer);
-+	urb->transfer_buffer = stored_xfer_buffer;
- 
- 	urb->transfer_flags &= ~URB_ALIGNED_TEMP_BUFFER;
- }
- 
- static int dwc2_alloc_dma_aligned_buffer(struct urb *urb, gfp_t mem_flags)
- {
--	struct dma_aligned_buffer *temp, *kmalloc_ptr;
-+	void *kmalloc_ptr;
- 	size_t kmalloc_size;
- 
- 	if (urb->num_sgs || urb->sg ||
-@@ -2663,22 +2658,29 @@ static int dwc2_alloc_dma_aligned_buffer
- 	    !((uintptr_t)urb->transfer_buffer & (DWC2_USB_DMA_ALIGN - 1)))
- 		return 0;
- 
--	/* Allocate a buffer with enough padding for alignment */
-+	/*
-+	 * Allocate a buffer with enough padding for original transfer_buffer
-+	 * pointer. This allocation is guaranteed to be aligned properly for
-+	 * DMA
-+	 */
- 	kmalloc_size = urb->transfer_buffer_length +
--		sizeof(struct dma_aligned_buffer) + DWC2_USB_DMA_ALIGN - 1;
-+		sizeof(urb->transfer_buffer);
- 
- 	kmalloc_ptr = kmalloc(kmalloc_size, mem_flags);
- 	if (!kmalloc_ptr)
- 		return -ENOMEM;
- 
--	/* Position our struct dma_aligned_buffer such that data is aligned */
--	temp = PTR_ALIGN(kmalloc_ptr + 1, DWC2_USB_DMA_ALIGN) - 1;
--	temp->kmalloc_ptr = kmalloc_ptr;
--	temp->old_xfer_buffer = urb->transfer_buffer;
-+	/*
-+	 * Position value of original urb->transfer_buffer pointer to the end
-+	 * of allocation for later referencing
-+	 */
-+	memcpy(kmalloc_ptr + urb->transfer_buffer_length,
-+	       &urb->transfer_buffer, sizeof(urb->transfer_buffer));
-+
- 	if (usb_urb_dir_out(urb))
--		memcpy(temp->data, urb->transfer_buffer,
-+		memcpy(kmalloc_ptr, urb->transfer_buffer,
- 		       urb->transfer_buffer_length);
--	urb->transfer_buffer = temp->data;
-+	urb->transfer_buffer = kmalloc_ptr;
- 
- 	urb->transfer_flags |= URB_ALIGNED_TEMP_BUFFER;
- 
diff --git a/target/linux/generic/pending-4.14/201-extra_optimization.patch b/target/linux/generic/pending-4.14/201-extra_optimization.patch
index 445c0bd87d..b40f01d41f 100644
--- a/target/linux/generic/pending-4.14/201-extra_optimization.patch
+++ b/target/linux/generic/pending-4.14/201-extra_optimization.patch
@@ -14,7 +14,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/Makefile
 +++ b/Makefile
-@@ -645,12 +645,12 @@ KBUILD_CFLAGS	+= $(call cc-disable-warni
+@@ -646,12 +646,12 @@ KBUILD_CFLAGS	+= $(call cc-disable-warni
  
  ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
  KBUILD_CFLAGS	+= $(call cc-option,-Oz,-Os)
diff --git a/target/linux/generic/pending-4.14/610-netfilter_match_bypass_default_checks.patch b/target/linux/generic/pending-4.14/610-netfilter_match_bypass_default_checks.patch
index 3611879609..2541230ff5 100644
--- a/target/linux/generic/pending-4.14/610-netfilter_match_bypass_default_checks.patch
+++ b/target/linux/generic/pending-4.14/610-netfilter_match_bypass_default_checks.patch
@@ -68,7 +68,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
  		return -ENOMEM;
  
-@@ -817,6 +845,7 @@ copy_entries_to_user(unsigned int total_
+@@ -818,6 +846,7 @@ copy_entries_to_user(unsigned int total_
  	const struct xt_table_info *private = table->private;
  	int ret = 0;
  	const void *loc_cpu_entry;
@@ -76,7 +76,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  	counters = alloc_counters(table);
  	if (IS_ERR(counters))
-@@ -844,6 +873,14 @@ copy_entries_to_user(unsigned int total_
+@@ -845,6 +874,14 @@ copy_entries_to_user(unsigned int total_
  			goto free_counters;
  		}
  
@@ -91,7 +91,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  		for (i = sizeof(struct ipt_entry);
  		     i < e->target_offset;
  		     i += m->u.match_size) {
-@@ -1226,12 +1263,15 @@ compat_copy_entry_to_user(struct ipt_ent
+@@ -1227,12 +1264,15 @@ compat_copy_entry_to_user(struct ipt_ent
  	compat_uint_t origsize;
  	const struct xt_entry_match *ematch;
  	int ret = 0;
diff --git a/target/linux/generic/pending-4.14/630-packet_socket_type.patch b/target/linux/generic/pending-4.14/630-packet_socket_type.patch
index e1736214f5..82e2c51afd 100644
--- a/target/linux/generic/pending-4.14/630-packet_socket_type.patch
+++ b/target/linux/generic/pending-4.14/630-packet_socket_type.patch
@@ -87,7 +87,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	if (!net_eq(dev_net(dev), sock_net(sk)))
  		goto drop;
  
-@@ -3262,6 +3264,7 @@ static int packet_create(struct net *net
+@@ -3260,6 +3262,7 @@ static int packet_create(struct net *net
  	mutex_init(&po->pg_vec_lock);
  	po->rollover = NULL;
  	po->prot_hook.func = packet_rcv;
@@ -95,7 +95,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  	if (sock->type == SOCK_PACKET)
  		po->prot_hook.func = packet_rcv_spkt;
-@@ -3875,6 +3878,16 @@ packet_setsockopt(struct socket *sock, i
+@@ -3873,6 +3876,16 @@ packet_setsockopt(struct socket *sock, i
  		po->xmit = val ? packet_direct_xmit : dev_queue_xmit;
  		return 0;
  	}
@@ -112,7 +112,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	default:
  		return -ENOPROTOOPT;
  	}
-@@ -3927,6 +3940,13 @@ static int packet_getsockopt(struct sock
+@@ -3925,6 +3938,13 @@ static int packet_getsockopt(struct sock
  	case PACKET_VNET_HDR:
  		val = po->has_vnet_hdr;
  		break;
diff --git a/target/linux/generic/pending-4.14/834-ledtrig-libata.patch b/target/linux/generic/pending-4.14/834-ledtrig-libata.patch
index 280536e1e6..2eec024b72 100644
--- a/target/linux/generic/pending-4.14/834-ledtrig-libata.patch
+++ b/target/linux/generic/pending-4.14/834-ledtrig-libata.patch
@@ -65,7 +65,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  /**
   *	ata_build_rw_tf - Build ATA taskfile for given read/write request
   *	@tf: Target ATA taskfile
-@@ -5117,6 +5130,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
+@@ -5120,6 +5133,9 @@ struct ata_queued_cmd *ata_qc_new_init(s
  		if (tag < 0)
  			return NULL;
  	}
@@ -75,7 +75,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  
  	qc = __ata_qc_from_tag(ap, tag);
  	qc->tag = tag;
-@@ -6018,6 +6034,9 @@ struct ata_port *ata_port_alloc(struct a
+@@ -6021,6 +6037,9 @@ struct ata_port *ata_port_alloc(struct a
  	ap->stats.unhandled_irq = 1;
  	ap->stats.idle_irq = 1;
  #endif
@@ -85,7 +85,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  	ata_sff_port_init(ap);
  
  	return ap;
-@@ -6039,6 +6058,12 @@ static void ata_host_release(struct devi
+@@ -6042,6 +6061,12 @@ static void ata_host_release(struct devi
  
  		kfree(ap->pmp_link);
  		kfree(ap->slave_link);
@@ -98,7 +98,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  		kfree(ap);
  		host->ports[i] = NULL;
  	}
-@@ -6485,7 +6510,23 @@ int ata_host_register(struct ata_host *h
+@@ -6488,7 +6513,23 @@ int ata_host_register(struct ata_host *h
  		host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
  		host->ports[i]->local_port_no = i + 1;
  	}
@@ -134,7 +134,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  
  /*
   * Define if arch has non-standard setup.  This is a _PCI_ standard
-@@ -889,6 +892,12 @@ struct ata_port {
+@@ -890,6 +893,12 @@ struct ata_port {
  #ifdef CONFIG_ATA_ACPI
  	struct ata_acpi_gtm	__acpi_init_gtm; /* use ata_acpi_init_gtm() */
  #endif
diff --git a/target/linux/generic/pending-4.14/900-gen_stats-fix-netlink-stats-padding.patch b/target/linux/generic/pending-4.14/900-gen_stats-fix-netlink-stats-padding.patch
deleted file mode 100644
index f5ceecca93..0000000000
--- a/target/linux/generic/pending-4.14/900-gen_stats-fix-netlink-stats-padding.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-The gen_stats facility will add a header for the toplevel nlattr of type
-TCA_STATS2 that contains all stats added by qdisc callbacks. A reference
-to this header is stored in the gnet_dump struct, and when all the
-per-qdisc callbacks have finished adding their stats, the length of the
-containing header will be adjusted to the right value.
-
-However, on architectures that need padding (i.e., that don't set
-CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS), the padding nlattr is added
-before the stats, which means that the stored pointer will point to the
-padding, and so when the header is fixed up, the result is just a very
-big padding nlattr. Because most qdiscs also supply the legacy TCA_STATS
-struct, this problem has been mostly invisible, but we exposed it with
-the netlink attribute-based statistics in CAKE.
-
-Fix the issue by fixing up the stored pointer if it points to a padding
-nlattr.
-
-Tested-by: Pete Heist <pete@heistp.net>
-Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
----
- net/core/gen_stats.c |   16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
---- a/net/core/gen_stats.c
-+++ b/net/core/gen_stats.c
-@@ -77,8 +77,20 @@ gnet_stats_start_copy_compat(struct sk_b
- 		d->lock = lock;
- 		spin_lock_bh(lock);
- 	}
--	if (d->tail)
--		return gnet_stats_copy(d, type, NULL, 0, padattr);
-+	if (d->tail) {
-+		int ret = gnet_stats_copy(d, type, NULL, 0, padattr);
-+
-+		/* The initial attribute added in gnet_stats_copy() may be
-+		 * preceded by a padding attribute, in which case d->tail will
-+		 * end up pointing at the padding instead of the real attribute.
-+		 * Fix this so gnet_stats_finish_copy() adjusts the length of
-+		 * the right attribute.
-+		 */
-+		if (ret == 0 && d->tail->nla_type == padattr)
-+			d->tail = (struct nlattr *)((char *)d->tail +
-+						    NLA_ALIGN(d->tail->nla_len));
-+		return ret;
-+	}
- 
- 	return 0;
- }