openwrt/openwrt.git
6 years agocurl: apply CVE 2017-8816 and 2017-8817 security patches
Stijn Segers [Sun, 3 Dec 2017 11:09:20 +0000 (12:09 +0100)]
curl: apply CVE 2017-8816 and 2017-8817 security patches

This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
Curl package.

Compile-tested on ar71xx, ramips and x86.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
6 years agomt76: update to the latest version
Felix Fietkau [Fri, 17 Nov 2017 07:57:13 +0000 (08:57 +0100)]
mt76: update to the latest version

Significant performance/stability improvements for MT76x2 and MT7603.
Adds LED support.

Changes:

2895775 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature
1dae8f0 mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature
5e49aa9 Fix errors found by cppcheck
1b8c8a0 mt7603: add LED definition registers
4d83561 mt76x2: add LED register definitions
2f40e4a mt76x2: Support using PCI ID as chip ID
27c64bc mt76: add led support using mac80211 led framework
dfd64fc mt76x2: init: add ma80211 led callbacks
215edf1 mt7603: init: add ma80211 led callbacks
9d36ff2 mt76x2: Add PCI identifier for MT7602
0b7984e mt7603: remove unnecessary mcu register read function
f5498d2 debugfs: add support for changing the LED pin
8e453b3 mac80211: move DT led configuration to the "led" child node
8f1673a mt76x2: limit client WCID entries to 0-127
f9d9c22 mt76x2: clear drop flag for all WCIDs on init
0dd8b68 mt76x2: clear per-WCID tx rate lookup register
3e5afe7 mt76x2: add helper function for setting drop mask
941555b mt76x2: clear drop mask when sending a PS response
7dfb354 mt76: increase rx ring size for mt76x2
73902dc mt76x2: add rx statistics registers
fe79816 mt76x2: fix LNA gain register annotation
cc588c5 mt76x2: sync channel gain value with latest reference driver
60a4d67 mt76x2: implement dynamic AGC tuning based on false packet detection count
4bc9aa9 mt76x2: add more gain tuning based on the latest reference driver
0a0d16f mt76x2: sync tx power related values with reference driver
8c821aa mac80211: add missing include
82acc85 mt7603: add missing include required on newer kernels
2c1a77c mt76x2: fix transmission of encrypted management frames
0532315 mt76x2: increase OFDM SIFS time
1acde21 mt76x2: add channel argument to eeprom tx power functions
58364a2 mt76x2: initialize channel power limits
c2bd89e mt76x2: convert between per-chain tx power and combined output
e7eaa7c mt7603: rename mt7603_mac_reset to mt7603_pse_reset
ea4c2a1 mt7603: rename MT_PSE_RESET register
c86c3a0 mt7603: remove watchdog reset on interface stop
4490f93 mt7603: remove WARN_ON_ONCE for workaround checks
3075059 mt7603: simplify PSE reset
4ed7e07 mt7603: warn if PSE reset fails
7dc8db1 mt7603: clean up dma debug reads
41e6a04 mt7603: make mt7603_mac_watchdog_reset() static
dc7a351 mt7603: clear wtbl PS bit for powersave responses
123acf2 mt7603: set tx-skip flag for powersave clients
7dd2a9e mt7603: initialize wtbl ps flag on station add
86ddef3 mt76x2: remove some harmless WARN_ONs in tx status and rx path
e326bc2 mt7603: remove some harmless WARN_ONs in rx path

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 years agotools: patch various gnu tools for macOS 10.13
Ryan Mounce [Thu, 3 Aug 2017 11:07:58 +0000 (20:37 +0930)]
tools: patch various gnu tools for macOS 10.13

These host tools compile but may crash at runtime when building on
macOS 10.13 (High Sierra). Backport upstream gnulib patch until new
releases of affected tools.

https://lists.gnu.org/archive/html/bug-gnulib/2017-07/msg00056.html
https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=c41f233c4c38e84023a16339782ee306f03e7f59

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
6 years agosamba36: backport an upstream fix for an information leak (CVE-2017-15275)
Felix Fietkau [Mon, 4 Dec 2017 08:56:32 +0000 (09:56 +0100)]
samba36: backport an upstream fix for an information leak (CVE-2017-15275)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoramips: backport MT7628 pinmux fixes
Mathias Kresin [Sat, 18 Nov 2017 20:07:45 +0000 (21:07 +0100)]
ramips: backport MT7628 pinmux fixes

According to the datasheet the REFCLK pin is shared with GPIO#37 and
the PERST pin is shared with GPIO#36.

While at it fix a typo inside the pinmux setup code. The function is called
refclk and not reclk.

Update device tree source files accordingly.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: add missing reset button for Nexx WT1520
INAGAKI Hiroshi [Sat, 25 Nov 2017 16:42:50 +0000 (01:42 +0900)]
ramips: add missing reset button for Nexx WT1520

This commit adds missing the GPIO key used as reset button.
Nexx WT1520 has a GPIO key for factory reset, but it's not defined in
WT1520.dtsi and cannot use it.

Drop the UART (full) from the device tree source file, it was never
used for this board. Adjust the kernel bootargs accordingly.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
[add note about dropped UART (full) to the commit message]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agowireguard: bump to snapshot 20171127
Kevin Darbyshire-Bryant [Mon, 27 Nov 2017 10:14:54 +0000 (10:14 +0000)]
wireguard: bump to snapshot 20171127

== Changes ==

 * compat: support timespec64 on old kernels
 * compat: support AVX512BW+VL by lying
 * compat: fix typo and ranges
 * compat: support 4.15's netlink and barrier changes
 * poly1305-avx512: requires AVX512F+VL+BW

 Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.

 * blake2s: AVX512F+VL implementation
 * blake2s: tweak avx512 code
 * blake2s: hmac space optimization

 Another terrific submission from Samuel Neves: we now have an implementation
 of Blake2s using AVX512, which is extremely fast.

 * allowedips: optimize
 * allowedips: simplify
 * chacha20: directly assign constant and initial state

 Small performance tweaks.

 * tools: fix removing preshared keys
 * qemu: use netfilter.org https site
 * qemu: take shared lock for untarring

 Small bug fixes.

Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.

Run-tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agokernel: bump 4.4 to 4.4.102
Etienne Haarsma [Sun, 26 Nov 2017 11:34:38 +0000 (12:34 +0100)]
kernel: bump 4.4 to 4.4.102

Refreshed all patches.

Removed upstream ramips patch: 0063-set-CM_GCR_BASE_CMDEFTGT_MEM-according-to-datasheet.patch

Compile-tested: ar71xx
Run-tested: ar71xx

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Tested-by: Stijn Segers <francesco.borromini@inventati.org>
7 years agowireguard: bump to 20171122
Kevin Darbyshire-Bryant [Fri, 24 Nov 2017 10:28:13 +0000 (10:28 +0000)]
wireguard: bump to 20171122

Bump to latest WireGuard snapshot release:

ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agoramips: fix Planex CS-QR10 device packages
Mathias Kresin [Sat, 18 Nov 2017 11:19:00 +0000 (12:19 +0100)]
ramips: fix Planex CS-QR10 device packages

Add kmod-sound-core, it is a dependency of kmod-sound-mt7620 and will
not be autoselected.

Remove kmod-i2c-core, it will be autoselected by kmod-i2c-ralink.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: fix DCH-M225 support
Mathias Kresin [Sat, 18 Nov 2017 10:59:22 +0000 (11:59 +0100)]
ramips: fix DCH-M225 support

Setting the pins of the uartf group to gpio+i2s at the time the i2c
driver loads is to late for the WPS gpio button.

The gpio-keys driver fails to load since the pin used by the WPS button
is not yet set to GPIO. The WPS button with the rfkill keycode is
essential for this wifi only board.

Add the missing sound and i2c kernel modules corresponding to the
device nodes.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agodnsmasq: load instance-specific conf-file if exists
Emerson Pinter [Wed, 15 Nov 2017 19:20:44 +0000 (17:20 -0200)]
dnsmasq: load instance-specific conf-file if exists

Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.

Signed-off-by: Emerson Pinter <dev@pinter.com.br>
7 years agorpcd: update to version 2017-11-12
Daniel Golle [Fri, 17 Nov 2017 13:42:49 +0000 (14:42 +0100)]
rpcd: update to version 2017-11-12

a0231be8fbc61 fix memory leak in packagelist
4e483312b0216 sys: add packagelist method

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
7 years agobrcm47xx: fix switch port mapping on D-Link DIR-330
Antony Black [Thu, 2 Nov 2017 10:53:26 +0000 (13:53 +0300)]
brcm47xx: fix switch port mapping on D-Link DIR-330

D-Link DIR-330 is clone of ASUS WL500GP2, by default conf the WAN port is
eth1, it's not working cus eth1 not soldered and wan port function
performs 5th port of the switch.

Signed-off-by: Antony Black <gtrtfm@gmail.com>
7 years agowireguard: fix portability issue
Felix Fietkau [Sat, 11 Nov 2017 12:15:24 +0000 (13:15 +0100)]
wireguard: fix portability issue

Check if the compiler defines __linux__, instead of assuming that the
host OS is the same as the target OS.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agowireguard: move to kernel build directory
Felix Fietkau [Sat, 11 Nov 2017 12:01:50 +0000 (13:01 +0100)]
wireguard: move to kernel build directory

It builds a kernel module, so its build dir should be target specific

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agowireguard: bump to 0.0.20171111
Kevin Darbyshire-Bryant [Thu, 16 Nov 2017 19:09:33 +0000 (19:09 +0000)]
wireguard: bump to 0.0.20171111

edaad55 (tag: 0.0.20171111) version: bump snapshot
7a989b3 tools: allow for NULL keys everywhere
46f8cbc curve25519: reject deriving from NULL private keys
9b43542 tools: remove ioctl cruft
f6cea8e allowedips: rename from routingtable
23f553e wg-quick: allow for tabs in keys
ab9befb netlink: make sure we reserve space for NLMSG_DONE
73405c0 compat: 4.4.0 has strange ECN function
868be0c wg-quick: stat the correct enclosing folder of config file
ceb11ba qemu: bump kernel version
0a8e173 receive: hoist fpu outside of receive loop
bee188a qemu: more debugging
f1fdd8d device: wait for all peers to be freed before destroying
2188248 qemu: check for memory leaks
c77a34e netlink: plug memory leak
0ac8efd device: please lockdep
a51e196 global: revert checkpatch.pl changes
65c49d7 Kconfig: remove trailing whitespace

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agoprocd: update to latest git HEAD (fixes and improvements)
Hans Dedecker [Wed, 15 Nov 2017 21:07:06 +0000 (22:07 +0100)]
procd: update to latest git HEAD (fixes and improvements)

d9dc0e0 service: fix calls to blobmsg_parse()
5db8f70 procd: add missing new lines inside debug code
8d5d29c service: fix SERVICE_ATTR_NAME usage in service_handle_set

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoopenssl: update to 1.0.2m
Peter Wagner [Thu, 9 Nov 2017 23:35:35 +0000 (00:35 +0100)]
openssl: update to 1.0.2m

don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:

../libssl.so: undefined reference to `SSLv3_client_method'

Fixes CVE: CVE-2017-3735, CVE-2017-3736

Signed-off-by: Peter Wagner <tripolar@gmx.at>
7 years agobrcm47xx: fix switch port mapping on Asus RT-N12 and RT-N16 models
Jo-Philipp Wich [Wed, 19 Jul 2017 08:39:10 +0000 (10:39 +0200)]
brcm47xx: fix switch port mapping on Asus RT-N12 and RT-N16 models

On Asus RT-N12 and RT-N16 models, the WAN and LAN4 ports are swapped in the
initial switch configuration since the presets present in nvram appear to be
wrong.

Add special casing for these models to detect_by_model() in order to ensure
a proper switch configuration.

Fixes FS#502.

(cherry picked from commit 96ed69101da254b0cb61a0dfc42bd48d27bfacb9
  and squashed with commit f2fdd68664cdf09075e6f18b20946e41a22284b2)

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agorpcd: update to the latest version from 2017-11-09
Rafał Miłecki [Thu, 9 Nov 2017 16:27:41 +0000 (17:27 +0100)]
rpcd: update to the latest version from 2017-11-09

9a8640183c031 plugin: use RTLD_LOCAL instead of RTLD_GLOBAL when loading library

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agomountd: bump to git HEAD version (optimization fixes)
Hans Dedecker [Thu, 9 Nov 2017 17:04:58 +0000 (18:04 +0100)]
mountd: bump to git HEAD version (optimization fixes)

7826ca5 mount: add mount with ignore=1 for unsupported filesystems
75e7412 mount: drop duplicated filesystem check from mount_add_list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agofunctions.sh: fix default_postinst function
Marko Ratkaj [Tue, 7 Nov 2017 05:48:09 +0000 (06:48 +0100)]
functions.sh: fix default_postinst function

When we run "opkg install" on a package that installs an uci-defaults
script, functions.sh will fail to evaluate that script in its
default_postinst function.

This happens because there is no "./" present and it searches for the
file in paths specified by the PATH variable. This would work on bash,
but it will not work on ash and some other shells like sh, zsh. This
applys to the ". filename" directive used in this case.

This patch will make the path relative to the /etc/uci-defaults
directory.

Fixes: FS#1021
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
7 years agowireguard: version bump to 0.0.20171101
Kevin Darbyshire-Bryant [Fri, 3 Nov 2017 17:01:32 +0000 (17:01 +0000)]
wireguard: version bump to 0.0.20171101

Update wireguard to latest snapshot:

9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agoar71xx: fix LED config for DIR-869 A1
Florian Beier [Wed, 25 Oct 2017 18:12:24 +0000 (20:12 +0200)]
ar71xx: fix LED config for DIR-869 A1

This fixes the LED configuration for the D-Link DIR-869 A1. In order to
support the device I probed around using an initramfs image for the
UniFi AC. Pulling GPIO 15 to low enabled the LEDs while high disabled them.
GPIO 16 set to low meant that the color was white while pulling it to high
made the color change to orange. The past code was written based upon these
findings.
However, running a flashed image I now discovered that GPIO 15 controls the
orange LEDs while GPIO 16 controls the white ones and that both are active
when low. This means that the GPIOs were inverted and one active_low was set
wrong which this patch fixes.

Behavior of the LED front after this patch is applied:

cat /sys/devices/platform/leds-gpio/leds/d-link:white:status/brightness
0   -> white LEDs are OFF
255 -> white LEDs are ON

cat /sys/devices/platform/leds-gpio/leds/d-link:orange:status/brightness
0   -> orange LEDs are OFF
255 -> orange LEDs are ON

If the brightness of both is set to 255 the LED front will be white.
If the brightness of both is set to 0 the LED front will be off.

Signed-off-by: Florian Beier <beier.florian@gmail.com>
7 years agoipq806x: nbg6817: sync MAC addresses to the upstream values
Stefan Lippers-Hollmann [Mon, 30 Oct 2017 03:28:34 +0000 (04:28 +0100)]
ipq806x: nbg6817: sync MAC addresses to the upstream values

The ZyXEL NBG6817 calculates all MAC addresses based on the ethaddr
value stored in the U-Boot environment (0:APPSBLENV). No MAC addresses
are stored in the ART partition and the generated MAC addresses for the
wlan interfaces alternate randomly between 12:34:56:78:90:12 and
00:03:7f:12:34:56.

interface   new/ OEM MAC old MAC

wlan-2.4g (phy1): ethaddr undefined
wlan-5g   (phy0): ethaddr + 1 undefined
lan             : ethaddr + 2 ethaddr
wan             : ethaddr + 3 ethaddr + 1

This patch defines stable MAC addresses for the wlan interfaces for
the first time instead of generating them at random. The previously
defined values for lan/ wan are changed to follow the settings of the
OEM firmware.

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
7 years agoipq806x: nbg6817: add kmod-fs-ext4 to device packages
Stefan Lippers-Hollmann [Thu, 19 Oct 2017 19:40:26 +0000 (21:40 +0200)]
ipq806x: nbg6817: add kmod-fs-ext4 to device packages

The ZyXEL NBG6817 uses an eMMC flash for the rootfs, which is split
into the readonly squashfs and ext4 for the overlay. This adds the
required package to the device packages to allow mounting the overlay
by default.

/dev/root on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/loop0 on /overlay type ext4 (rw,noatime,data=ordered)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
mountd(pid1040) on /tmp/run/blockd type autofs (rw,relatime,fd=7,pgrp=1,timeout=30,minproto=5,maxproto=5,indirect)

Before this commit, the ext4 based overlayfs could not be mounted,
which left only the tmpfs based/ volatile  emergency overlay in place.

Fixes: https://forum.lede-project.org/t/zyxel-nbg6817-flashing-from-oem/768
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
7 years agouclient: update to the latest version, fixes fetch of multiple files
Felix Fietkau [Thu, 2 Nov 2017 21:53:12 +0000 (22:53 +0100)]
uclient: update to the latest version, fixes fetch of multiple files

4b87d83 uclient-fetch: fix overloading of output_file variable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoramips: fix Youku-YK1 support
Edmunt Pienkowsky [Sat, 21 Oct 2017 09:07:43 +0000 (11:07 +0200)]
ramips: fix Youku-YK1 support

Remove the ephy-pins from the ethernet device tree node. The ephy-pins
are useed to controll the ePHY LEDs and this board doesn't have these.
Instead one of the ePHY pins is used in GPIO mode to control the WAN
LED.

Use the switch LED trigger to control the WAN LED. Move the power LED
handling to diag.sh to show the boot status via this LED.

Add the missing kernel packages for USB and microSD card reader to the
default package selection.

Fix the maximum image size value. The board has a 32MByte flash chip.

Fixes: FS#1055
Signed-off-by: Edmunt Pienkowsky <roed@onet.eu>
[make the commit message more verbose, remove GPIO pinmux for pins not
used as GPIOs]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agotools/squashfs4: include sysmacros.h explicitly
Alex Maclean [Mon, 23 Oct 2017 12:48:19 +0000 (13:48 +0100)]
tools/squashfs4: include sysmacros.h explicitly

glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1017
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
[refresh patches]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agotools/squashfs: include sysmacros.h explicitly
Alex Maclean [Mon, 23 Oct 2017 12:47:55 +0000 (13:47 +0100)]
tools/squashfs: include sysmacros.h explicitly

glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1018
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
7 years agotools/mtd-utils: include sysmacros.h explicitly
Alex Maclean [Mon, 23 Oct 2017 12:47:33 +0000 (13:47 +0100)]
tools/mtd-utils: include sysmacros.h explicitly

glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1015
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
[refresh patches]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agotools/findutils: include sysmacros.h explicitly
Alex Maclean [Mon, 23 Oct 2017 12:43:43 +0000 (13:43 +0100)]
tools/findutils: include sysmacros.h explicitly

glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1016
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
7 years agodnsmasq: restore ability to include/exclude raw device names
Jo-Philipp Wich [Mon, 10 Jul 2017 08:53:29 +0000 (10:53 +0200)]
dnsmasq: restore ability to include/exclude raw device names

Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname"
broke the ability to specify unmanaged network device names for inclusion
and exclusion in the uci configuration.

Restore support for raw device names by falling back to the input value
when "network_get_device" yields no result.

Fixes FS#876.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a89c36b50875e61c790113d3adee10621575788a)

7 years agolantiq: add missing default lan interface
Mathias Kresin [Wed, 25 Oct 2017 06:32:00 +0000 (08:32 +0200)]
lantiq: add missing default lan interface

With removing the boards from the the default case to fix the xDSL WAN
MAC-Address, the setting for the default LAN interface wasn't added.

Fixes: 92a12c434ca3 ("lantiq: fix avm fritz box mac addresses")
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoipq806x: fix Zyxel NBG6817 WiFi button
Tolga Cakir [Tue, 24 Oct 2017 20:03:33 +0000 (22:03 +0200)]
ipq806x: fix Zyxel NBG6817 WiFi button

Zyxel NBG6817 features a WiFi button, which becomes functional by setting
correct GPIO. It is a switch-type button, so it emits KEY_RFKILL on each ON
and OFF state. This is achieved by setting input-type to EV_SW.

Signed-off-by: Tolga Cakir <tolga@cevel.net>
7 years agoramips: fix default usb support for nexx wt3020-8M
Alberto Bursi [Sat, 21 Oct 2017 21:53:49 +0000 (23:53 +0200)]
ramips: fix default usb support for nexx wt3020-8M

the nexx wt3020-8M has a usb 2.0 port,
add usb 2.0 support packages to its default package list.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
7 years agoopkg: bump to 2017-10-23 (lede-17.01)
Matthias Schiffer [Mon, 23 Oct 2017 21:48:25 +0000 (23:48 +0200)]
opkg: bump to 2017-10-23 (lede-17.01)

A lede-17.01 branch for bugfix backports has been added to the opkg-lede
repo.

c6caf07 pkg_parse: fix segfault when parsing descriptions with leading newlines
5bb5fd5 opkg: add --no-check-certificate argument
7a96972 libbb: xreadlink: fix memory leak on failure case
3f13edd pkg_run_script: use pkg->dest in half installed case

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agolantiq: ARV752DPW22: fix wireless mac address
Mathias Kresin [Wed, 18 Oct 2017 04:59:38 +0000 (06:59 +0200)]
lantiq: ARV752DPW22: fix wireless mac address

The ARV752DPW22 has the same generic mac address in the EEPROM as it
was already noticed for other lantiq boards using a ralink wireless.

Use the base mac address from the boardconfig partition as it is done
by the stock firmware.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agolantiq: ARV752DPW22: set correct wireless led trigger
Mathias Kresin [Mon, 16 Oct 2017 20:36:35 +0000 (22:36 +0200)]
lantiq: ARV752DPW22: set correct wireless led trigger

The ARV752DPW22 has a ralink based wireless and can not use the ath9k
only phy0tpt trigger.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agokernel: bump 4.4 to 4.4.93 for 17.01
Kevin Darbyshire-Bryant [Wed, 18 Oct 2017 15:17:28 +0000 (16:17 +0100)]
kernel: bump 4.4 to 4.4.93 for 17.01

Refresh patches.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on  ar71xx - Archer C7 v2

Fixes CVE-2017-15265.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
[remove 2nd CVE as it was fixed in mac80211 in commit bff16304b0bf]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agomountd: bump to git HEAD version (fixes SIGSEV crashes)
Hans Dedecker [Wed, 18 Oct 2017 12:17:48 +0000 (14:17 +0200)]
mountd: bump to git HEAD version (fixes SIGSEV crashes)

6efeb19 autofs: register SIGTERM for gracefull exit
01bb2b0 mount: fix SIGSEV crashes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoLEDE v17.01.4: revert to branch defaults
Stijn Tintel [Wed, 18 Oct 2017 08:54:32 +0000 (11:54 +0300)]
LEDE v17.01.4: revert to branch defaults

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agoLEDE v17.01.4: adjust config defaults v17.01.4
Stijn Tintel [Wed, 18 Oct 2017 08:54:32 +0000 (11:54 +0300)]
LEDE v17.01.4: adjust config defaults

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agowireguard: version bump to 0.0.20171017
Jason A. Donenfeld [Tue, 17 Oct 2017 17:34:20 +0000 (19:34 +0200)]
wireguard: version bump to 0.0.20171017

This is a simple version bump. Changes:

  * noise: handshake constants can be read-only after init
  * noise: no need to take the RCU lock if we're not dereferencing
  * send: improve dead packet control flow
  * receive: improve control flow
  * socket: eliminate dead code
  * device: our use of queues means this check is worthless
  * device: no need to take lock for integer comparison
  * blake2s: modernize API and have faster _final
  * compat: support READ_ONCE
  * compat: just make ro_after_init read_mostly

  Assorted cleanups to the module, including nice things like marking our
  precomputations as const.

  * Makefile: even prettier output
  * Makefile: do not clean before cloc
  * selftest: better test index for rate limiter
  * netns: disable accept_dad for all interfaces

  Fixes in our testing and build infrastructure. Now works on the 4.14 rc
  series.

  * qemu: add build-only target
  * qemu: work on ubuntu toolchain
  * qemu: add more debugging options to main makefile
  * qemu: simplify shutdown
  * qemu: open /dev/console if we're started early
  * qemu: phase out bitbanging
  * qemu: always create directory before untarring
  * qemu: newer packages
  * qemu: put hvc directive into configuration

  This is the beginning of working out a cross building test suite, so we do
  several tricks to be less platform independent.

  * tools: encoding: be more paranoid
  * tools: retry resolution except when fatal
  * tools: don't insist on having a private key
  * tools: add pass example to wg-quick man page
  * tools: style
  * tools: newline after warning
  * tools: account for padding being in zero attribute

  Several important tools fixes, one of which suppresses a needless warning.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045797d9be12310eebc6341050fd260ce)

7 years agohostapd: add wpa_disable_eapol_key_retries option
Stijn Tintel [Tue, 17 Oct 2017 13:35:03 +0000 (16:35 +0300)]
hostapd: add wpa_disable_eapol_key_retries option

Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.

Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)

7 years agohostapd: backport extra changes related to KRACK
Stijn Tintel [Tue, 17 Oct 2017 14:54:59 +0000 (17:54 +0300)]
hostapd: backport extra changes related to KRACK

While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agomac80211: backport kernel fix for CVE-2017-13080
Stijn Tintel [Mon, 16 Oct 2017 22:49:58 +0000 (01:49 +0300)]
mac80211: backport kernel fix for CVE-2017-13080

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c29da50bfda968a83c6609843f74a7f4)

7 years agox86: partly revert cabf775
Jo-Philipp Wich [Mon, 16 Oct 2017 15:21:43 +0000 (17:21 +0200)]
x86: partly revert cabf775

The subtarget cleanups made in cabf775 "x86: Refresh subtargets kernel config"
removed some important symbol disable statements, so revert the changes to the
subtarget configs for now.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agomac80211: Update wireless-regdb to master-2017-03-07
Ryan Mounce [Tue, 7 Mar 2017 13:41:42 +0000 (00:11 +1030)]
mac80211: Update wireless-regdb to master-2017-03-07

The short log of changes since the 2016-06-10 release is below.

Jouni Malinen (1):
      wireless-regdb: Remove DFS requirement for India (IN)

Ryan Mounce (1):
      wireless-regdb: Update rules for Australia (AU) and add 60GHz rules

Seth Forshee (2):
      wireless-regdb: Update 5 GHz rules for Canada
      wireless-regdb: update regulatory.bin based on preceding changes

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit 8b12e62e9cd6ba2e3bb2e7f2555180df0173c7c6)

7 years agowireguard: add wireguard to base packages
Jason A. Donenfeld [Fri, 13 Oct 2017 15:05:18 +0000 (17:05 +0200)]
wireguard: add wireguard to base packages

Move wireguard from openwrt/packages to base a package.

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc314225f79156a26db418e15bbc6bf10f)

7 years agobrcmfmac: backport length check in brcmf_cfg80211_escan_handler()
Felix Fietkau [Mon, 16 Oct 2017 10:46:58 +0000 (12:46 +0200)]
brcmfmac: backport length check in brcmf_cfg80211_escan_handler()

Fixes CVE-2017-0786

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agokernel: bump 4.4 to 4.4.92
Stijn Tintel [Mon, 16 Oct 2017 10:32:51 +0000 (13:32 +0300)]
kernel: bump 4.4 to 4.4.92

Refresh patches.

Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agoramips: fix compile warning in MT7621 NAND driver
Felix Fietkau [Mon, 16 Oct 2017 10:07:31 +0000 (12:07 +0200)]
ramips: fix compile warning in MT7621 NAND driver

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoramips: fix typo in MT7621 NAND driver
Felix Fietkau [Mon, 16 Oct 2017 10:15:08 +0000 (12:15 +0200)]
ramips: fix typo in MT7621 NAND driver

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agohostapd: merge fixes for WPA packet number reuse with replayed messages and key reins...
Felix Fietkau [Mon, 16 Oct 2017 10:05:09 +0000 (12:05 +0200)]
hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation

Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Backport of bbda81ce3077dfade2a43a39f772cfec2e82a9a5

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agox86/64: add xen DomU support
Baptiste Jonglez [Sat, 15 Jul 2017 20:57:56 +0000 (22:57 +0200)]
x86/64: add xen DomU support

Xen support for x86/generic was added in 296772f9.  This commit also
enables it for x86/64.

This was successfully tested with Xen 4.5.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agox86: Refresh subtargets kernel config
Baptiste Jonglez [Sat, 15 Jul 2017 20:57:55 +0000 (22:57 +0200)]
x86: Refresh subtargets kernel config

This was done by simply running `make kernel_menuconfig CONFIG_TARGET=subtarget`
and then saving without changing any option.

Having consistent kernel config is important to avoid surprises, such
as the issue fixed with 6f0367c9 (where Xen support was silently
disabled when building the kernel, although it was present in the
initial config)

As far as I understand the build system, this shouldn't have any
user-visible impact, because the build system already merges the
various kernel configs during build.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agox86: Fix xen serial console by removing conflicting PATA driver
Baptiste Jonglez [Sat, 15 Jul 2017 20:57:54 +0000 (22:57 +0200)]
x86: Fix xen serial console by removing conflicting PATA driver

The Xen serial console has been broken since the xen_domu subtarget
was merged in the generic x86 subtarget (commits 296772f9 and b36e24f3).

The reason for the broken serial console seems to be an IRQ conflict
between the serial console driver and the PATA_LEGACY driver:

[    1.330125] genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (platform[pata_legacy.4])
[    1.330134] hvc_open: request_irq failed with rc -16.
[    1.330148] Warning: unable to open an initial console.

Just drop the PATA_LEGACY driver from the x86/generic and x86_64
subtargets, since this driver is marked experimental and only supports
very old ISA devices anyway.  It is still included in the x86/legacy
subtarget where it rightfully belongs.

Fixes: FS#787
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agox86/generic: use HIGHMEM64G instead of HIGHMEM4G to fix PAE and Xen
Baptiste Jonglez [Sat, 15 Jul 2017 20:57:53 +0000 (22:57 +0200)]
x86/generic: use HIGHMEM64G instead of HIGHMEM4G to fix PAE and Xen

This is a backport of 641a65fd062987a456216cc4fa91ff2910528261 in master.

This change re-enables PAE for the 32-bit x86 subtarget, which is
interesting in its own right but also necessary for Xen support.

Commit af1d1ebd ("x86: enable 4G high memory support for generic (32bit)
subtarget") inadvertently disabled both PAE and Xen support.

Fixes: FS#908
Cc: Daniel Golle <daniel@makrotopia.org>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agokernel: add fix for bgmac with B50212E B1 PHY
Rafał Miłecki [Fri, 13 Oct 2017 12:06:18 +0000 (14:06 +0200)]
kernel: add fix for bgmac with B50212E B1 PHY

This PHY requires some extra programming to work reliably with all
devices. Backport upstream fix for it.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agomt76: sync with version 878456caf60d from master
Felix Fietkau [Thu, 12 Oct 2017 09:49:00 +0000 (11:49 +0200)]
mt76: sync with version 878456caf60d from master

Backport required DT changes from commit dabdd123c90c.
Significantly improves stability and performance for MT76x2 and MT7603

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agobcm53xx: backport DTS changes up to the first 4.15 queued commits
Rafał Miłecki [Tue, 10 Oct 2017 07:19:10 +0000 (09:19 +0200)]
bcm53xx: backport DTS changes up to the first 4.15 queued commits

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agoar71xx: add rssileds to WA850RE v1 image
Mathias Kresin [Sat, 7 Oct 2017 14:54:19 +0000 (16:54 +0200)]
ar71xx: add rssileds to WA850RE v1 image

A default rssileds config exists for the TP-Link WA850RE v1 but the
rssiled package is not included by default.

The compressed 17.01.3 image size increases by 3302 bytes which should
be tolerable even for a 4MB flash board.

Fixes: FS#1043
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agotoolchain/gdb: update to version 8.0.1
Ryan Mounce [Sun, 6 Aug 2017 04:52:18 +0000 (14:22 +0930)]
toolchain/gdb: update to version 8.0.1

Fixes CVE-2017-9778.

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[reference fixed CVE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agocmake: fix build error with Xcode 9 on macOS 12
Felix Fietkau [Thu, 5 Oct 2017 18:44:52 +0000 (20:44 +0200)]
cmake: fix build error with Xcode 9 on macOS 12

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agogcc: fix build error with macOS + Xcode 9
Felix Fietkau [Thu, 5 Oct 2017 17:46:48 +0000 (19:46 +0200)]
gcc: fix build error with macOS + Xcode 9

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agobuild: add a darwin sitefile to deal with macOS 10.12 + Xcode 9 build errors
Felix Fietkau [Thu, 5 Oct 2017 17:45:44 +0000 (19:45 +0200)]
build: add a darwin sitefile to deal with macOS 10.12 + Xcode 9 build errors

Certain functions are available in system headers, but only work on
macOS 10.13

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoramips: mt7620: do not pad sysupgrade Archer images
Thibaut VARENE [Wed, 2 Aug 2017 14:28:16 +0000 (16:28 +0200)]
ramips: mt7620: do not pad sysupgrade Archer images

The current makefile unnecessarily pads sysupgrade image for Archer devices.

This has three implications:
1. higher risk of OOM when uploading the binary image to the device
2. much slower upgrade due to time wasted erasing and writing padding
3. grows image beyond available flash size if metadata are appended

This is already fixed in master, albeit in a completely different way (the
whole target have been reworked)

Fixes: FS#1025, FS#1039
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
7 years agoLEDE v17.01.3: revert to branch defaults
Stijn Tintel [Tue, 3 Oct 2017 12:10:55 +0000 (15:10 +0300)]
LEDE v17.01.3: revert to branch defaults

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agoLEDE v17.01.3: adjust config defaults v17.01.3
Stijn Tintel [Tue, 3 Oct 2017 12:10:53 +0000 (15:10 +0300)]
LEDE v17.01.3: adjust config defaults

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agouhttp: update to latest version
Adrian Panella [Tue, 12 Sep 2017 18:29:09 +0000 (13:29 -0500)]
uhttp: update to latest version

3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
7 years agoodhcpd: don't enable server mode on non-static lan port
Karl Palsson [Fri, 1 Sep 2017 11:22:11 +0000 (11:22 +0000)]
odhcpd: don't enable server mode on non-static lan port

Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"

This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.

Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoodhcpd: backport fixes from master branch (FS#402, FS#524)
Hans Dedecker [Mon, 2 Oct 2017 16:41:34 +0000 (18:41 +0200)]
odhcpd: backport fixes from master branch (FS#402, FS#524)

336212c config: fix dhcpv4 server being started
336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agodnsmasq: bump to v2.78
Kevin Darbyshire-Bryant [Mon, 2 Oct 2017 14:28:32 +0000 (15:28 +0100)]
dnsmasq: bump to v2.78

Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agobase-files: create /etc/config/ directory
Hauke Mehrtens [Sat, 30 Sep 2017 11:50:44 +0000 (13:50 +0200)]
base-files: create /etc/config/ directory

The /bin/config_generate script and some other scripts are assuming the
/etc/config directory exists in the image. This is true in case for
example the package firewall, dropbear or dnsmasq are included, which
are adding the files under /etc/config/. Without any of these package
the system will not boot up fully because the /etc/config/ directory is
missing and some init scripts just fail.

Make sure all images with the base-files contain a /etc/config/
directory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
7 years agosunxi: clean up modules definitions
Matthias Schiffer [Thu, 4 May 2017 05:00:06 +0000 (07:00 +0200)]
sunxi: clean up modules definitions

Module definitions for kmod-wdt-sunxi and kmod-eeprom-sunxi are removed
(wdt-sunxi was builtin anyways; nvmem-sunxi, which is the new name of
eeprom-sunxi is changed to builtin). As kmod-eeprom-sunxi was specified
in DEFAULT_PACKAGES, but not available on kernel 4.4, it was breaking the
image builder.

Support for kmod-sunxi-ir is added for kernel 4.4 (it is unclear why it
was disable before, it builds fine with with kernel 4.4).

Condtionals only relevant for pre-4.4 kernels are removed from modules.mk,
as sunxi does't support older kernels anymore.

Fixes FS#755.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agoltq-vdsl-mei: revert disable optimized firmware download
Mathias Kresin [Fri, 29 Sep 2017 06:45:13 +0000 (08:45 +0200)]
ltq-vdsl-mei: revert disable optimized firmware download

This reverts commit b428f45c062dc8ca8c2f35f491fa467dc5b85519.

If the optimized firmware download is disabled, the xdsl subsystem
hangs in the "idle request" state after physically disconnecting and
reconnecting the xdsl modem from the line.

It might fix the failing line init on boot as well.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agocurl: fix security problems
Hauke Mehrtens [Sat, 30 Sep 2017 13:23:07 +0000 (15:23 +0200)]
curl: fix security problems

This fixes the following security problems:
 * CVE-2017-1000100 TFTP sends more than buffer size
 * CVE-2017-1000101 URL globbing out of bounds read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agombedtls: update to 2.6.0 CVE-2017-14032
Kevin Darbyshire-Bryant [Fri, 1 Sep 2017 18:04:29 +0000 (19:04 +0100)]
mbedtls: update to 2.6.0 CVE-2017-14032

Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
7 years agogeneric: drop 704-phy-no-genphy-soft-reset.patch
Florian Fainelli [Sat, 16 Sep 2017 22:16:09 +0000 (15:16 -0700)]
generic: drop 704-phy-no-genphy-soft-reset.patch

4.4.80+ contains 71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains
6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream
commit 0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform
software reset for Generic PHY").

Our local patch is no longer needed, all this patch was doing was utilizing
gen10g_soft_reset which does nothing either, so just keep the code unchanged.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
7 years agokernel: update 4.4 to 4.4.89
Hauke Mehrtens [Sat, 30 Sep 2017 11:38:39 +0000 (13:38 +0200)]
kernel: update 4.4 to 4.4.89

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agoltq-vdsl-mei: disable optimized firmware download
Mathias Kresin [Wed, 27 Sep 2017 04:52:43 +0000 (06:52 +0200)]
ltq-vdsl-mei: disable optimized firmware download

With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoltq-vdsl: fix PM thread suspend and resume handling
Martin Schiller [Tue, 26 Sep 2017 05:56:55 +0000 (07:56 +0200)]
ltq-vdsl: fix PM thread suspend and resume handling

This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM
thread handling issues which lead to high system load and watchdog
trigger within 1h of uptime for boards not connected to a xdsl line.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
7 years agoopenvpn: add "extra-certs" option
Sven Roederer [Tue, 5 Sep 2017 16:27:02 +0000 (18:27 +0200)]
openvpn: add "extra-certs" option

This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 years agolantiq: fix missing otg_cap on danube platform
Daniel Gonzalez Cabanelas [Sat, 29 Jul 2017 12:54:15 +0000 (14:54 +0200)]
lantiq: fix missing otg_cap on danube platform

USB doesn't work in some danube boards because otg_cap
is missing since previous changes made on the USB-dwc2
lantiq driver. Fix it.

Tested on the ARV7518PW router.

Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
7 years agotcpdump: noop commit to refer CVEs fixed in 4.9.2
Stijn Tintel [Sun, 17 Sep 2017 22:26:44 +0000 (01:26 +0300)]
tcpdump: noop commit to refer CVEs fixed in 4.9.2

When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.

The following CVEs were fixed in 21014d9708d586becbd62da571effadb488da9fc:

CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2375e279a7cb462d62fd6028cb3fbd56217222de)

7 years agotcpdump: bump to 4.9.2
Stijn Tintel [Sun, 10 Sep 2017 19:27:26 +0000 (21:27 +0200)]
tcpdump: bump to 4.9.2

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 21014d9708d586becbd62da571effadb488da9fc)

7 years agoutils/tcpdump: Rework URLs
Daniel Engberg [Wed, 22 Mar 2017 07:01:04 +0000 (08:01 +0100)]
utils/tcpdump: Rework URLs

Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit fd95397ee33a34704771de2ab26a5910b1a88c6f)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Conflicts:
package/network/utils/tcpdump/Makefile

7 years agobase-files: fix wan6 interface config generation for pppoe
Hans Dedecker [Mon, 18 Sep 2017 07:18:36 +0000 (09:18 +0200)]
base-files: fix wan6 interface config generation for pppoe

Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoipq806x: Archer C2600: fix switch ports numbering
Baptiste Jonglez [Wed, 23 Aug 2017 21:44:52 +0000 (23:44 +0200)]
ipq806x: Archer C2600: fix switch ports numbering

The order of LAN ports shown in Luci is reversed compared to what is
written on the case of the device.  Fix the order so that they match.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agotreewide: fix shellscript syntax errors/typos
Lorenzo Santina [Mon, 11 Sep 2017 13:27:53 +0000 (15:27 +0200)]
treewide: fix shellscript syntax errors/typos

Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
7 years agoramips: fix hg255d LED status support
David Yang [Sat, 9 Sep 2017 13:16:11 +0000 (21:16 +0800)]
ramips: fix hg255d LED status support

Use the green power LED for boot status indication.

Source: https://my.oschina.net/osbin/blog/278782 Para 3

Signed-off-by: David Yang <mmyangfl@gmail.com>
7 years agoar71xx: fix MAC addresses on TP-Link TL-WR1043ND v4
Matthias Schiffer [Mon, 11 Sep 2017 17:41:41 +0000 (19:41 +0200)]
ar71xx: fix MAC addresses on TP-Link TL-WR1043ND v4

The addresses were read from the 'config' partition, which would not always
contain the addresses at the same offsets, depending on the stock firmware
version used before flashing LEDE. Change this to get the addresses from
the 'product-info' partition, which is read-only.

Reported-and-tested-by: Andreas Ziegler <ml@andreas-ziegler.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agohostapd: fix iapp_interface option
Lorenzo Santina [Sat, 9 Sep 2017 14:40:57 +0000 (16:40 +0200)]
hostapd: fix iapp_interface option

ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option

Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
7 years agokernel: update 4.4 to 4.4.87
Kevin Darbyshire-Bryant [Thu, 7 Sep 2017 14:47:21 +0000 (15:47 +0100)]
kernel: update 4.4 to 4.4.87

Fixes CVE-2017-11600

No patch refresh required

Compile & run tested: ar71xx - Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agodnsmasq: backport arcount edns0 fix
Kevin Darbyshire-Bryant [Fri, 8 Sep 2017 07:56:34 +0000 (08:56 +0100)]
dnsmasq: backport arcount edns0 fix

Don't return arcount=1 if EDNS0 RR won't fit in the packet.

Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7 years agodnsmasq: backport official fix for CVE-2017-13704
Kevin Darbyshire-Bryant [Thu, 7 Sep 2017 02:58:23 +0000 (03:58 +0100)]
dnsmasq: backport official fix for CVE-2017-13704

Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
7 years agouclient: update to 2017-09-06
Matthias Schiffer [Wed, 6 Sep 2017 13:44:14 +0000 (15:44 +0200)]
uclient: update to 2017-09-06

24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agokernel: update 4.4 to 4.4.86
Kevin Darbyshire-Bryant [Mon, 4 Sep 2017 11:50:01 +0000 (12:50 +0100)]
kernel: update 4.4 to 4.4.86

Refresh patches

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>