openwrt/staging/pepe2k.git
2 years agopkg-config: always use correct path for pkg-config.real
Leonardo Mörlein [Tue, 9 Aug 2022 19:54:04 +0000 (21:54 +0200)]
pkg-config: always use correct path for pkg-config.real

Before this commit, it was assumed that pkg-config.real is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. The command failed with

    Makefile:15: *** No libnl-tiny development libraries found!.  Stop.
    make[1]: Leaving directory

since pkg-config of the host system was used.

After the commit, the package is built sucessfully.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
(cherry picked from commit 37c0d15a8e9eb30920091bff1bf466640bc64dad)

2 years agokernel: kmod-phy-smsc: Add new PHY
Hauke Mehrtens [Sun, 7 Aug 2022 14:00:32 +0000 (16:00 +0200)]
kernel: kmod-phy-smsc: Add new PHY

This adds the SMSC PHY which is needed by the kmod-usb-net-smsc95xx
driver.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5b016a88f92f25dd7d32438bce3a469f343f4009)

2 years agokernel: kmod-phy-ax88796b: Add new PHY
Hauke Mehrtens [Sun, 7 Aug 2022 13:57:15 +0000 (15:57 +0200)]
kernel: kmod-phy-ax88796b: Add new PHY

This adds the AX88796B PHY which is needed by the kmod-usb-net-asix
driver.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 712ff388bcd0811256c07e8e1f4b92a007adaa7f)

2 years agokernel: kmod-ipt-ulog: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 12:31:59 +0000 (14:31 +0200)]
kernel: kmod-ipt-ulog: Remove package

The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)

2 years agokernel: kmod-nft-nat6: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 12:06:14 +0000 (14:06 +0200)]
kernel: kmod-nft-nat6: Remove package

The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.

Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b75425370d8de747457c137463bc4d15f6f44d00)

2 years agokernel: ipt-ipset: Add ipset/ip_set_hash_ipmac.ko
Hauke Mehrtens [Fri, 29 Jul 2022 16:36:02 +0000 (18:36 +0200)]
kernel: ipt-ipset: Add ipset/ip_set_hash_ipmac.ko

Add the ipset/ip_set_hash_ipmac.ko file. The CONFIG_IP_SET_HASH_IPMAC
KConfig option is already set by the package.

Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 6a2e9f3da6d0f0f3ae382db1e77a65c2f0e67d24)

2 years agokernel: netsupport: kmod-sched: explicitly define included modules
Thomas Langer [Fri, 29 Jul 2022 16:35:57 +0000 (18:35 +0200)]
kernel: netsupport: kmod-sched: explicitly define included modules

Change SCHED_MODULES_EXTRA to an explicit list of modules
instead of taking everything that is not filtered out.
This removes the need of updating the filter each time an extra
sch_*, act_* or similar is added with an own kmod definition.

Signed-off-by: Thomas Langer <tlanger@maxlinear.com>
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 1b956e66ccafc962033260567c2f1e845f71683f)

2 years agokernel: netsupport: kmod-sched: Add kmod-lib-textsearch dependency
Hauke Mehrtens [Fri, 29 Jul 2022 16:35:56 +0000 (18:35 +0200)]
kernel: netsupport: kmod-sched: Add kmod-lib-textsearch dependency

The CONFIG_NET_EMATCH_TEXT configuration option depends on the
kmod-lib-textsearch package.

Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 3cc878a8d3e4d2d445bf2ee34883e9326bfa0bb2)

2 years agokernel: netsupport: kmod-sched: Remove sch_fq_codel and sch_fifo
Hauke Mehrtens [Fri, 29 Jul 2022 16:35:55 +0000 (18:35 +0200)]
kernel: netsupport: kmod-sched: Remove sch_fq_codel and sch_fifo

The sch_fq_codel.ko and the sch_fifo.ko are always compiled into the
kernel, they are activated in the generic kernel configuration. There is
no need to activate the build of these kernel modules in the kmod-sched*
packages.

Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 606e357bf824a314a0c6a147539974e99e8aabe1)

2 years agoarm-trusted-firmware-mediatek: skip bad blocks on SPI-NAND (SNFI)
Daniel Golle [Fri, 12 Aug 2022 20:16:00 +0000 (22:16 +0200)]
arm-trusted-firmware-mediatek: skip bad blocks on SPI-NAND (SNFI)

Add patch to skip bad blocks when reading from SPI-NAND. This is needed
in case erase block(s) early in the flash inside the FIP area are bad
and hence need to be skipped in order to be able to boot on such damaged
chips.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit c0109537d13650e3cfd4d4840c571a0d557b303a)

2 years agofstools: add uci fstab section to conffiles for package block-mount
Florian Eckert [Wed, 3 Aug 2022 07:54:06 +0000 (09:54 +0200)]
fstools: add uci fstab section to conffiles for package block-mount

The command 'opkg search /etc/config/fstab' does not return a package
name for this config file. In order to know to which package this config
file belongs to, a 'conffiles' entry was made for this file to package
'block-mount'.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 885f04b30556edddb9378c5e9eb561334e44ac7a)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agokernel: scale nf_conntrack_max more reasonably
Vincent Pelletier [Sat, 19 Feb 2022 02:06:23 +0000 (02:06 +0000)]
kernel: scale nf_conntrack_max more reasonably

Use the kernel's built-in formula for computing this value.
The value applied by OpenWRT's sysctl configuration file does not scale
with the available memory, under-using hardware capabilities.
Also, that formula also influences net.netfilter.nf_conntrack_buckets,
which should improve conntrack performance in average (fewer connections
per hashtable bucket).

Backport upstream commit for its effect on the number of connections per
hashtable bucket.

Apply a hack patch to set the RAM size divisor to a more reasonable value (2048,
down from 16384) for our use case, a typical router handling several thousands
of connections.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit 15fbb916669dcdfcc706e9e75263ab63f9f27c00)

2 years agodnsmasq: fix jail_mount for serversfile
Bruno Victal [Fri, 15 Apr 2022 14:30:01 +0000 (15:30 +0100)]
dnsmasq: fix jail_mount for serversfile

Fix 'serversfile' option not being jail_mounted by the init script.

Signed-off-by: Bruno Victal <brunovictal@outlook.com>
(cherry picked from commit 0276fab64933dc42bad865974dc224e2672f99fe)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agoramips: Add Xiaomi Mi Router 4A 100M International
Nita Vesa [Fri, 29 Apr 2022 10:57:24 +0000 (13:57 +0300)]
ramips: Add Xiaomi Mi Router 4A 100M International

The international version of Mi Router 4A 100M is physically
identical to the non-international one, but appears to be
using a different partitioning scheme with the "overlay"
partition being 2MiB in size instead of 1MiB. This means
the following "firmware" partition starts at a different
address and the DTS needs to be adjusted for the firmware
to work.

Signed-off-by: Nita Vesa <werecatf@outlook.com>
(cherry picked from commit 1a8c74da709190e5157af9f5c2502b600f6273bb)
Signed-off-by: Tom Herbers <freifunk@tomherbers.de>
2 years agozlib: backport null dereference fix
Petr Štetiar [Tue, 9 Aug 2022 05:50:19 +0000 (07:50 +0200)]
zlib: backport null dereference fix

The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.

References: https://github.com/curl/curl/issues/9271
Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f443e9de7003c00a935b9ea12f168e09e83b48cd)

2 years agozlib: bump PKG_RELEASE after CVE fix
Petr Štetiar [Mon, 8 Aug 2022 07:55:33 +0000 (09:55 +0200)]
zlib: bump PKG_RELEASE after CVE fix

Fixing missed bump of PKG_RELEASE while backporting commit 7561eab8e86e
("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
as package in master is using AUTORELEASE.

Fixes: 7561eab8e86e ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agozlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
Petr Štetiar [Sat, 6 Aug 2022 12:55:07 +0000 (14:55 +0200)]
zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common
applications bundle the affected zlib source code but may be unable to
call inflateGetHeader.

Fixes: CVE-2022-37434
References: https://github.com/ivd38/zlib_overflow
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 7df6795d4c25447683fd4b4a4813bebcddaea547)

2 years agoodhcpd: update to git HEAD
Hans Dedecker [Tue, 22 Mar 2022 21:00:24 +0000 (22:00 +0100)]
odhcpd: update to git HEAD

860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 73c6d8fd046298face0e8aea8e52cc0faca67324)

2 years agouboot-mvebu: update to v2022.07
Andre Heider [Mon, 11 Jul 2022 17:49:21 +0000 (19:49 +0200)]
uboot-mvebu: update to v2022.07

- Release announcement:
https://lore.kernel.org/u-boot/20220711134339.GV1146598@bill-the-cat/

- Changes between 2022.04 and 2022.07:
https://source.denx.de/u-boot/u-boot/-/compare/v2022.04...v2022.07?from_project_id=531

Remove one upstreamed patch and add patch to fix issue with sunxi tool
as it uses function from newer version libressl (3.5.0).

Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [Turris Omnia]
(cherry picked from commit 24bf6813bad98a8eba5430ed5e4da89d54797274)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[Improve commit message]

2 years agorealtek: Fix typo in Kconfig prompt
Olliver Schinagl [Thu, 4 Aug 2022 14:09:00 +0000 (16:09 +0200)]
realtek: Fix typo in Kconfig prompt

As the symbol RTL930x shows, the bool enables the RTL930x platform, not
the RTL839x one.

Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
(slightly changed commit subject)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 943905b0b6ee59fb7eaf3611960c0ec87ed61bbc)

2 years agoramips: support fw_printenv for Netgear WAX202
Wenli Looi [Mon, 1 Aug 2022 03:22:32 +0000 (03:22 +0000)]
ramips: support fw_printenv for Netgear WAX202

Config partition contains uboot env for the first 0x20000 bytes.
The rest of the partition contains other data including the device MAC
address and the password printed on the label.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 0bfe1cfbb13c58d909951cab9fac8910ccbe74f3)

2 years agoumdns: add missing syscall to seccomp filter
Chen Minqiang [Sat, 30 Jul 2022 21:04:58 +0000 (05:04 +0800)]
umdns: add missing syscall to seccomp filter

There is some syscall missing:
'getdents64'
'getrandom'
'statx'
'newfstatat'

Found with:
'mkdir /etc/umdns; ln -s /tmp/1.json /etc/umdns/; utrace /usr/sbin/umdns'

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
(cherry picked from commit 31cca8f8d3f6218965812c46de35ba30c4ba83ab)

2 years agoramips: Add support command fw_setsys for Xiaomi routers
Oleg S [Tue, 19 Jul 2022 12:06:50 +0000 (15:06 +0300)]
ramips: Add support command fw_setsys for Xiaomi routers

The system parameters are contained in the Bdata partition.
To use the fw_setsys command, you need to create a file
fw_sys.config.
This file is created after calling the functions
ubootenv_add_uci_sys_config and ubootenv_add_app_config.

Signed-off-by: Oleg S <remittor@gmail.com>
[ wrapped commit description to 72 char ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 6c7e337c80f92693c2ca628a4a56aeaec4cc3ca8)

2 years agoltq-vdsl-app: Fix counter overflow resulting in negative values
Roland Barenbrug [Wed, 29 Jun 2022 11:09:25 +0000 (13:09 +0200)]
ltq-vdsl-app: Fix counter overflow resulting in negative values

The re-transmit counters can overflow the 32 bit representation resulting
in negative values being displayed. Background being that the numbers are
treated at some point as signed INT rather than unsigned INT.
Change the counters from 32 bit to 64 bit, should provide sufficient room
to avoid any overflow. Not the nicest solution but it works

Fixes: #10077
Signed-off-by: Roland Barenbrug <roland@treslong.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
(cherry picked from commit 456b9029d764e69f390ee26bca24883b12eb83c2)

2 years agokernel: silence refresh warning
Christian Lamparter [Fri, 5 Aug 2022 10:42:09 +0000 (12:42 +0200)]
kernel: silence refresh warning

|Warning: trailing whitespace in line 66 of drivers/mtd/parsers/Kconfig

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit d6801e0d3f8b0e764fef3d698edf74b3758667ec)

2 years agox86: add missing Lex 3I380NX network detection
Paul Spooren [Tue, 19 Jul 2022 13:24:59 +0000 (15:24 +0200)]
x86: add missing Lex 3I380NX network detection

The Lex 3I380NX industrial PC has 4 ethernet controllers on board
which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems
DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks
as CLK_CRITICAL and they will not get turned off.

This commit is nearly redundant to 3d0818f5eba8 ("platform/x86:
pmc_atom: Add Lex 3I380D industrial PC to critclk_systems DMI table")
but for the 3I380NX device.

The original vendor firmware is only available using the WaybackMachine:
http://www.lex.com.tw/products/3I380NX.html

Signed-off-by: Michael Schöne <michael.schoene@rhebo.com>
Signed-off-by: Paul Spooren <paul.spooren@rhebo.com>
(Hans broader version for more Lex Baytrail systems)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 8019410f566377d958e2bd23673d168742ab2f44)

2 years agolantiq: fix lan port 3+4 phy-mode settings for Fritzbox 3390
Daniel Kestrel [Fri, 5 Aug 2022 08:35:07 +0000 (10:35 +0200)]
lantiq: fix lan port 3+4 phy-mode settings for Fritzbox 3390

There are forum reports that 2 LAN ports are still not working,
the phy-mode settings are adjusted to fix the problem.

Fixes: #10371
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
(cherry picked from commit 8756a047874bf688138a81898b6973f196cd1d36)

2 years agoipq40xx: fix RUTX10 Wi-Fi woes
Kasparas Elzbutas [Mon, 18 Jul 2022 07:05:33 +0000 (10:05 +0300)]
ipq40xx: fix RUTX10 Wi-Fi woes

This partially reverts:
commit cfc13c44595d ("ipq40xx: utilize nvmem-cells for macs & (pre-)calibration data")

U-Boot on these devices mangles the device tree,
so nvmem-cell type calibration doesn't work.

Fixes: cfc13c44595d ("ipq40xx: utilize nvmem-cells for macs & (pre-)calibration data")
Signed-off-by: Kasparas Elzbutas <elzkas@gmail.com>
(added reference to commit, rewrote commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2 years agolibmnl: fix build when bash is not located at /bin/bash
Mark Mentovai [Sun, 10 Jul 2022 23:43:05 +0000 (19:43 -0400)]
libmnl: fix build when bash is not located at /bin/bash

This fixes the libmnl build on macOS, which ships with an outdated bash
at /bin/bash. During the OpenWrt build, a modern host bash is built and
made available at staging_dir/host/bin/bash, which is present before
/bin/bash in the build's PATH.

This is similar to 8f7ce3aa6dda, presently appearing at
package/kernel/mac80211/patches/build/001-fix_build.patch.

Signed-off-by: Mark Mentovai <mark@mentovai.com>
(cherry picked from commit beeb49740bb4f68aadf92095984a2d1f9a488956)

2 years agoOpenWrt v22.03.0-rc6: revert to branch defaults
Hauke Mehrtens [Sun, 31 Jul 2022 22:05:33 +0000 (00:05 +0200)]
OpenWrt v22.03.0-rc6: revert to branch defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agoOpenWrt v22.03.0-rc6: adjust config defaults v22.03.0-rc6
Hauke Mehrtens [Sun, 31 Jul 2022 22:05:27 +0000 (00:05 +0200)]
OpenWrt v22.03.0-rc6: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agomac80211: Update to version 5.15.58-1
Hauke Mehrtens [Sat, 30 Jul 2022 23:24:00 +0000 (01:24 +0200)]
mac80211: Update to version 5.15.58-1

This updates mac80211 to version 5.15.58-1 which is based on kernel
5.15.58.
The removed patches were applied upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3aa18f71f9c8a5447bdd2deda4e681175338164f)

2 years agowolfssl: fix math library build
John Audia [Thu, 21 Jul 2022 19:59:30 +0000 (15:59 -0400)]
wolfssl: fix math library build

Apply upstream patch[1] to fix breakage around math libraries.
This can likely be removed when 5.5.0-stable is tagged and released.

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

1. https://github.com/wolfSSL/wolfssl/pull/5390

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit c2aa816f28e0fe2f6f77d0c6da4eba19ea8db4ea)

2 years agoodhcp6c: update to latest git HEAD
Dávid Benko [Fri, 29 Jul 2022 12:55:21 +0000 (14:55 +0200)]
odhcp6c: update to latest git HEAD

9212bfc odhcp6c: fix IA discard when T1 > 0 and T2 = 0

Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
(cherry picked from commit f9209086264a5c5c55f1eb3cbd2399cf47e29f22)

2 years agofirewall3: update file hash
Michael Pratt [Tue, 12 Jul 2022 00:35:38 +0000 (20:35 -0400)]
firewall3: update file hash

the hash and timestamp of the remote copy of the archive
has changed since last bump
meaning the remote archive copy was recreated

Signed-off-by: Michael Pratt <mcpratt@pm.me>
(cherry picked from commit ba7da7368086d0721da7cd4d627209dffda5c1d6)

2 years agouboot-at91: fix build on buildbots
Claudiu Beznea [Wed, 13 Jul 2022 06:19:33 +0000 (09:19 +0300)]
uboot-at91: fix build on buildbots

Buidbots are throwing the following compile error:

In file included from tools/aisimage.c:9:
include/image.h:1133:12: fatal error: openssl/evp.h: No such file or directory
            ^~~~~~~~~~~~~~~
compilation terminated.

Fix it by passing `UBOOT_MAKE_FLAGS` variable to make.

Suggested-by: Petr Štetiar <ynezz@true.cz>
Fixes: 6d5611af2813 ("uboot-at91: update to linux4sam-2022.04")
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 95a24b54792ccf072c029edad495deb529383478)

2 years agouboot-at91: update to linux4sam-2022.04
Claudiu Beznea [Wed, 29 Jun 2022 11:17:17 +0000 (14:17 +0300)]
uboot-at91: update to linux4sam-2022.04

Update uboot-at91 to linux4sam-2022.04. As linux4sam-2022.04 is based on
U-Boot v2022.01 which contains commit
93b196532254 ("Makefile: Only build dtc if needed") removed also the DTC
variable passed to MAKE to force the compilation of DTC.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 6d5611af2813e5f06fbf9b400ef0fe642f16c566)

2 years agoat91bootstrap: update at91bootstrap v4 targets to v4.0.3
Claudiu Beznea [Wed, 29 Jun 2022 11:13:27 +0000 (14:13 +0300)]
at91bootstrap: update at91bootstrap v4 targets to v4.0.3

Update AT91Bootstrap v4 capable targets to v4.0.3.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 859f5f9aec23c96ec3151175c349ffdbe6b108ef)

2 years agowolfssl: make shared again
Jo-Philipp Wich [Sun, 24 Jul 2022 11:23:36 +0000 (13:23 +0200)]
wolfssl: make shared again

Disable the usage of target specific CPU crypto instructions by default
to allow the package being shared again. Since WolfSSL does not offer
a stable ABI or a long term support version suitable for OpenWrt release
timeframes, we're forced to frequently update it which is greatly
complicated by the package being nonshared.

People who want or need CPU crypto instruction support can enable it in
menuconfig while building custom images for the few platforms that support
them.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 0063e3421de4575e088bb428e758751931bbe6fd)

2 years agokernel: bump 5.10 to 5.10.134
John Audia [Fri, 29 Jul 2022 16:25:26 +0000 (12:25 -0400)]
kernel: bump 5.10 to 5.10.134

All patches automatically rebased.

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 7be62b1187bb7e21bcdaadfc3d47713a91f05898)

2 years agox86: update defconfig for 5.10.133
John Audia [Mon, 25 Jul 2022 14:16:43 +0000 (10:16 -0400)]
x86: update defconfig for 5.10.133

Add some new/missing symbols relating to speculative execution mitigations[1].

1. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/diff/arch/x86/Kconfig?id=v5.10.133&id2=v5.10.132

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 56760c0b1316a0e379ff141b895c2929f0dace8d)

2 years agokernel: bump 5.10 to 5.10.133
John Audia [Mon, 25 Jul 2022 13:21:12 +0000 (09:21 -0400)]
kernel: bump 5.10 to 5.10.133

All patches automatically rebased.

Build system: x86_64
Build-tested: ipq806x/R7800

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 913f160ac6c4dcf69ec0eb805c8a1cee809ace45)

2 years agokernel: bump 5.10 to 5.10.132
John Audia [Thu, 21 Jul 2022 20:19:32 +0000 (16:19 -0400)]
kernel: bump 5.10 to 5.10.132

All patches automatically rebased.

The following patch was replaced by a similar version upstream:
 bcm27xx/patches-5.10/950-0036-tty-amba-pl011-Add-un-throttle-support.patch

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 7d3c0928de191b203dd5b27ddf208698d08639e3)

2 years agoocteon: add SUPPORTED_DEVICES to er/erlite
Paul Spooren [Tue, 7 Jun 2022 11:26:43 +0000 (13:26 +0200)]
octeon: add SUPPORTED_DEVICES to er/erlite

Using the BOARD_NAME variable results for both er and erlite devices to
identify themselfs as `er` and `erlite` (via `ubus call system board`).

This is problematic when devices search for firmware upgrades since the
OpenWrt profile is actually called `ubnt_edgerouter` and
`ubnt_edgerouter-lite`.

By adding the `SUPPORTED_DEVICE` a mapping is created to point devices
called `er` or `erlite` to the corresponding profile.

FIXES: https://github.com/openwrt/asu/issues/348

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 2a07270180ed0e295d854d6e9e59c78c40549efc)

2 years agouboot-bcm4908: include SoC in output files
Rafał Miłecki [Wed, 20 Jul 2022 11:47:06 +0000 (13:47 +0200)]
uboot-bcm4908: include SoC in output files

This fixes problem of overwriting BCM4908 U-Boot and DTB files by
BCM4912 ones. That bug didn't allow booting BCM4908 devices.

Fixes: f4c2dab544ec2 ("uboot-bcm4908: add BCM4912 build")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a8e1e30543239e85ff5dc220368164b66cf73fba)

2 years agobcm4908: build bootfs image per-SoC
Rafał Miłecki [Wed, 20 Jul 2022 11:47:05 +0000 (13:47 +0200)]
bcm4908: build bootfs image per-SoC

In theory we could have just 1 bootfs image for all devices as each
device has its own entry in the "configurations" node. It doesn't work
well with default configuration though.

If something goes wrong U-Boot SPL can be interrupted (by pressing A) to
enter its minimalistic menu. It allows ignoring boardid. In such case
bootfs default configuration is used.

For above reason each SoC family (BCM4908, BCM4912) should have its own
bootfs built. It allows each of them to have working default
configuration.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 6ae2f7ff4737ec8dbec026fc6c02f7d1850b521c)

2 years agolantiq: fix network port GPIO settings for Fritzbox 3390
Daniel Kestrel [Fri, 22 Jul 2022 19:01:49 +0000 (21:01 +0200)]
lantiq: fix network port GPIO settings for Fritzbox 3390

There are forum reports that 2 LAN ports are not working, the
GPIO settings are adjusted to fix the problem.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
(cherry picked from commit 0f301b0b1d7ca4b5fe290a72f0434525405f5a26)

2 years agoipq806x: Archer VR2600: fix switch ports numbering
Christian Lamparter [Tue, 19 Jul 2022 17:46:38 +0000 (19:46 +0200)]
ipq806x: Archer VR2600: fix switch ports numbering

The order of LAN ports shown in Luci is reversed compared to what is
written on the case of the device.  Fix the order so that they match.

Fixes: #10275
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 69ea671320c936e72f554348475eeebcab383b42)

2 years agolayerscape: update PKG_HASH / PKG_MIRROR_HASH
Christian Lamparter [Fri, 15 Jul 2022 19:07:42 +0000 (21:07 +0200)]
layerscape: update PKG_HASH / PKG_MIRROR_HASH

The change of the PKG_VERSION caused the hash of the package to
change. This is because the PKG_VERSION is present in the
internal directory structure of the archive.

Fixes: 038d5bdab117 ("layerscape: use semantic versions for LSDK")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit e879cccaa21563a7cdf47797b18fb86723720158)
(cherry picked from commit d4391ef073825f5817cdbcc3fc215311f1bbb461)

2 years agosdk: add spidev-test to the bundle of userspace sources
Christian Lamparter [Fri, 15 Jul 2022 23:34:44 +0000 (01:34 +0200)]
sdk: add spidev-test to the bundle of userspace sources

moves and extends the current facilities, which have been
added some time ago for the the usbip utility, to support
more utilites that are shipped with the Linux kernel tree
to the SDK.

this allows to drop all the hand-waving and code for
failed previous attempts to mitigate the SDK build failures.

Fixes: bdaaf66e28bd ("utils/spidev_test: build package directly from Linux")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit b479db9062b721776be44b976961a1031c1344ea)

2 years agorealtek: correct egress frame port verification
Sander Vanheule [Sun, 19 Jun 2022 08:29:35 +0000 (10:29 +0200)]
realtek: correct egress frame port verification

Destination switch ports for outgoing frame can range from 0 to
CPU_PORT-1.

Refactor the code to only generate egress frame CPU headers when a valid
destination port number is available, and make the code a bit more
consistent between different switch generations. Change the dest_port
argument's type to 'unsigned int', since only positive values are valid.

This fixes the issue where egress frames on switch port 0 did not
receive a VLAN tag, because they are sent out without a CPU header.
Also fixes a potential issue with invalid (negative) egress port numbers
on RTL93xx switches.

Reported-by: Arınç ÜNAL <arinc.unal@xeront.com>
Suggested-by: Birger Koblitz <mail@birger-koblitz.de>
Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 1773264a0c6da099af7f36046f95f0126d6de1eb)

2 years agorealtek: correct egress frame priority assignment
Sander Vanheule [Sun, 19 Jun 2022 10:38:49 +0000 (12:38 +0200)]
realtek: correct egress frame priority assignment

Priority values passed to the egress (TX) frame header initialiser are
invalid when smaller than 0, and should not be assigned to the frame.
Queue assignment is then left to the switch core logic.

Current code for RTL83xx forces the passed priority value to be
positive, by always masking it to the lower bits, resulting in the
priority always being set and enabled. RTL93xx code doesn't even check
the value and unconditionally assigns the (32 bit) value to the (5 bit)
QID field without masking.

Fix priority assignment by only setting the AS_QID/AS_PRI flag when a
valid value is passed, and properly mask the value to not overflow the
QID/PRI field.

For RTL839x, also assign the priority to the right part of the frame
header. Counting from the leftmost bit, AS_PRI and PRI are in bits 36
and 37-39. The means they should be assigned to the third 16 bit value,
containing bits 32-47.

Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 0b35a08a057848d909156604c4391a5d9f1d97e5)

2 years agorealtek: fix egress L2 learning on rtl839x
Sander Vanheule [Tue, 28 Jun 2022 19:15:00 +0000 (21:15 +0200)]
realtek: fix egress L2 learning on rtl839x

The flag to enable L2 address learning on egress frames is in CPU header
bit 40, with bit 0 being the leftmost bit of the header. This
corresponds to BIT(7) in the third 16-bit value of the header.

Correctly set L2LEARNING by fixing the off-by-one error.

Fixes: 9eab76c84e31 ("realtek: Improve TX CPU-Tag usage")
Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit d6165ea75baea4f9039f3a378d55219c74b932a7)

2 years agorealtek: fix egress port mask on rtl839x
Sander Vanheule [Tue, 28 Jun 2022 19:14:03 +0000 (21:14 +0200)]
realtek: fix egress port mask on rtl839x

The flag to enable the outgoing port mask is in CPU header bit 43, with
bit 0 being the leftmost bit of the header. This corresponds to BIT(4)
in the third 16-bit value of the header.

Correctly set AS_DPM by fixing the off-by-one error.

Fixes: 9eab76c84e31 ("realtek: Improve TX CPU-Tag usage")
Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit d9516cacb087fed7716b34b1e02ce956bb6c27f1)

2 years agoramips: add support for Netgear WAX202
Wenli Looi [Sat, 2 Jul 2022 20:18:59 +0000 (20:18 +0000)]
ramips: add support for Netgear WAX202

Netgear WAX202 is an 802.11ax (Wi-Fi 6) router.

Specifications:
* SoC: MT7621A
* RAM: 512 MiB NT5CC256M16ER-EK
* Flash: NAND 128 MiB F59L1G81MB-25T
* Wi-Fi:
  * MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 4x 1GbE
  * Switch: SoC built-in
* USB: None
* UART: 115200 baud (labeled on board)

Load addresses (same as ipTIME AX2004M):
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

Installation:
* Flash the factory image through the stock web interface, or TFTP to
  the bootloader. NMRP can be used to TFTP without opening the case.
* Note that the bootloader accepts both encrypted and unencrypted
  images, while the stock web interface only accepts encrypted ones.

Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.

References in WAX202 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar

* openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts
  DTS file for this device.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 0f068e7c4a83bcbf20c4e52a5f8a3f1fe2af2246)

2 years agoimage: add support for Netgear encrypted image
Wenli Looi [Sat, 2 Jul 2022 20:16:21 +0000 (20:16 +0000)]
image: add support for Netgear encrypted image

Netgear encrypted image is used in various devices including WAX202,
WAX206, and EX6400v3. This image format also requires a dummy squashfs4
image which is added here as well.

References in WAX202 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar

* openwrt/bootloader/u-boot-mt7621-2018.09-gitb178829-20200526/board/ralink/common/dual_image.c
  Bootloader code that verifies the presence of a squashfs4 image, thus
  a dummy image is added here.

* openwrt/tools/imgencoder/src/gj_enc.c
  Contains code that generates the encrypted image. There is support for
  adding an RSA signature, but it does not look like the signature is
  verified by the stock firmware or bootloader.

* openwrt/tools/imgencoder/src/imagekey.h
  Contains the encryption key and IV. It appears the same key/IV is used
  for other Netgear devices including WAX206 and EX6400v3.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit efca76ffce5cf464e82d8269d79877f442209a0a)

2 years agowolfssl: Do not activate HW acceleration on armvirt by default
Hauke Mehrtens [Mon, 18 Jul 2022 21:06:00 +0000 (23:06 +0200)]
wolfssl: Do not activate HW acceleration on armvirt by default

The armvirt target is also used to run OpenWrt in lxc on other targets
like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the
wolfssl binray is only working when the CPU supports the hardware crypto
extension.

Some targets like the Raspberry Pi do not support the ARM CPU crypto
extension, compile wolfssl without it by default. It is still possible
to activate it in custom builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d1b5d17d03c844ad578bb53b90ea17377bdc5eee)

2 years agolibpcap: fix PKG_CONFIG_DEPENDS for rpcapd
Jianhui Zhao [Wed, 6 Jul 2022 06:23:31 +0000 (14:23 +0800)]
libpcap: fix PKG_CONFIG_DEPENDS for rpcapd

This fix allows trigger a rerun of Build/Configure when
rpcapd was selected.

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
(cherry picked from commit 6902af4f3075154b5d1de207452a8a5668f95203)

2 years agowolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DH
Pascal Ernster [Wed, 20 Jan 2021 01:01:37 +0000 (02:01 +0100)]
wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DH

Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is
enabled, resulting in an "Anonymous suite requires DH" error when trying
to compile wolfssl.

Signed-off-by: Pascal Ernster <git@hardfalcon.net>
Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 21825af2dad0070affc2444ff56dc84a976945a2)

2 years agokernel: Refresh kernel patches
Hauke Mehrtens [Tue, 19 Jul 2022 18:32:02 +0000 (18:32 +0000)]
kernel: Refresh kernel patches

No manual changes needed.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agokernel: bump 5.10 to 5.10.131
John Audia [Fri, 15 Jul 2022 21:56:32 +0000 (17:56 -0400)]
kernel: bump 5.10 to 5.10.131

All patches automatically rebased.

Signed-off-by: John Audia <therealgraysky@proton.me>
2 years agokernel: bump 5.10 to 5.10.130
John Audia [Tue, 12 Jul 2022 15:51:28 +0000 (11:51 -0400)]
kernel: bump 5.10 to 5.10.130

All patches automatically rebased.

Build system: x86_64
Build-tested: ipq806x/R7800

Signed-off-by: John Audia <therealgraysky@proton.me>
2 years agokernel: bump 5.10 to 5.10.129
John Audia [Mon, 11 Jul 2022 15:04:30 +0000 (11:04 -0400)]
kernel: bump 5.10 to 5.10.129

All patches automatically rebased.

Build system: x86_64
Build-tested: ipq806x/R7800

Signed-off-by: John Audia <therealgraysky@proton.me>
2 years agokernel: bump 5.10 to 5.10.128
John Audia [Mon, 11 Jul 2022 13:23:19 +0000 (09:23 -0400)]
kernel: bump 5.10 to 5.10.128

No patches needed to be rebased, just updated checksums

Signed-off-by: John Audia <therealgraysky@proton.me>
2 years agofirewall3: bump to latest git HEAD
Rui Salvaterra [Fri, 25 Feb 2022 13:54:36 +0000 (13:54 +0000)]
firewall3: bump to latest git HEAD

4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry-picked from commit 435d7a052bf1b6a3a01cb3ad6cda6ba4b25b1879)
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2 years agomt7622: remove 300 MHz from dts
John Audia [Wed, 6 Jul 2022 15:49:50 +0000 (11:49 -0400)]
mt7622: remove 300 MHz from dts

Due to the bug described here[1], remove the 300 MHz clock to avoid a low
voltage condition that can cause a hang when rebooting the RT3200/E8450.

This solution is probably better than the script-based work-around[2].

1. https://forum.openwrt.org/t/belkin-rt3200-linksys-e8450-wifi-ax-discussion/94302/1490
2. https://github.com/openwrt/openwrt/pull/5025

Signed-off-by: John Audia <therealgraysky@proton.me>
Tested-by: Rui Salvaterra <rsalvaterra@gmail.com>
Tested-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit d0d6b8e1833c587d0c50cac4f6324aa93b0bc8fc)
[ fix the conflict by apply the patch to kernel 5.10 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2 years agobcm4908: use upstream-accepted watchdog patches
Rafał Miłecki [Mon, 18 Jul 2022 13:44:32 +0000 (15:44 +0200)]
bcm4908: use upstream-accepted watchdog patches

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 864fdf2bf3f4b5c71e57a27c514672b966580148)

2 years agobcm4908: backport latest DT patches
Rafał Miłecki [Mon, 18 Jul 2022 13:11:02 +0000 (15:11 +0200)]
bcm4908: backport latest DT patches

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 001856fa51eaa704a254955138f76907eb02c2b4)

2 years agokernel: update leds-bcm63138 driver
Rafał Miłecki [Mon, 18 Jul 2022 13:06:11 +0000 (15:06 +0200)]
kernel: update leds-bcm63138 driver

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit bb2a2b1dbe9c03d2abbb6989b6c4041e765543b0)

2 years agokernel: backport LEDs driver for BCMBCA devices
Rafał Miłecki [Mon, 18 Jul 2022 06:13:50 +0000 (08:13 +0200)]
kernel: backport LEDs driver for BCMBCA devices

This includes BCM63xx and BCM4908 families.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d9ab1e56d8d16182bd292f393c012d7e6873ed89)

2 years agoopkg: update to 2022-02-24
Josef Schlehofer [Wed, 15 Jun 2022 14:31:12 +0000 (16:31 +0200)]
opkg: update to 2022-02-24

Changes:
9c44557 opkg_remove: avoid remove pkg repeatly with option --force-removal-of-dependent-packages
2edcfad libopkg: set 'const' attribute for argv

This should fix the CI error in the packages repository, which happens with perl.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e21fea92891fbdfb4eb14e9fe836530b6225cb1f)

2 years agofirmware: intel-microcode: update to 20220510
Christian Lamparter [Sat, 25 Jun 2022 21:24:40 +0000 (23:24 +0200)]
firmware: intel-microcode: update to 20220510

Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>:

 * New upstream microcode datafile 20220419
  * Fixes errata APLI-11 in Atom E3900 series processors
  * Updated Microcodes:
    sig 0x000506ca, pf_mask 0x03, 2021-11-16, rev 0x0028, size 16384

 * New upstream microcode datafile 20220510
  * Fixes INTEL-SA-000617, CVE-2022-21151:
    Processor optimization removal or modification of security-critical
    code may allow an authenticated user to potentially enable information
    disclosure via local access (closes: #1010947)
  * Fixes several errata (functional issues) on Xeon Scalable, Atom C3000,
    Atom E3900
  * New Microcodes:
    sig 0x00090672, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
    sig 0x00090675, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
    sig 0x000906a3, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992
    sig 0x000906a4, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992
    sig 0x000b06f2, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
    sig 0x000b06f5, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
  * Updated Microcodes:
    sig 0x00030679, pf_mask 0x0f, 2019-07-10, rev 0x090d, size 52224
    sig 0x000406e3, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 106496
    sig 0x00050653, pf_mask 0x97, 2021-11-13, rev 0x100015d, size 34816
    sig 0x00050654, pf_mask 0xb7, 2021-11-13, rev 0x2006d05, size 43008
    sig 0x00050656, pf_mask 0xbf, 2021-12-10, rev 0x4003302, size 37888
    sig 0x00050657, pf_mask 0xbf, 2021-12-10, rev 0x5003302, size 37888
    sig 0x0005065b, pf_mask 0xbf, 2021-11-19, rev 0x7002501, size 29696
    sig 0x000506c9, pf_mask 0x03, 2021-11-16, rev 0x0048, size 17408
    sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568
    sig 0x000506f1, pf_mask 0x01, 2021-12-02, rev 0x0038, size 11264
    sig 0x000606a6, pf_mask 0x87, 2022-03-30, rev 0xd000363, size 294912
    sig 0x000706a1, pf_mask 0x01, 2021-11-22, rev 0x003a, size 75776
    sig 0x000706a8, pf_mask 0x01, 2021-11-22, rev 0x001e, size 75776
    sig 0x000706e5, pf_mask 0x80, 2022-03-09, rev 0x00b0, size 112640
    sig 0x000806a1, pf_mask 0x10, 2022-03-26, rev 0x0031, size 34816
    sig 0x000806c1, pf_mask 0x80, 2022-02-01, rev 0x00a4, size 109568
    sig 0x000806c2, pf_mask 0xc2, 2021-12-07, rev 0x0026, size 97280
    sig 0x000806d1, pf_mask 0xc2, 2021-12-07, rev 0x003e, size 102400
    sig 0x000806e9, pf_mask 0x10, 2021-11-12, rev 0x00f0, size 105472
    sig 0x000806e9, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472
    sig 0x000806ea, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472
    sig 0x000806eb, pf_mask 0xd0, 2021-11-15, rev 0x00f0, size 105472
    sig 0x000806ec, pf_mask 0x94, 2021-11-17, rev 0x00f0, size 105472
    sig 0x00090661, pf_mask 0x01, 2022-02-03, rev 0x0016, size 20480
    sig 0x000906c0, pf_mask 0x01, 2022-02-19, rev 0x24000023, size 20480
    sig 0x000906e9, pf_mask 0x2a, 2021-11-12, rev 0x00f0, size 108544
    sig 0x000906ea, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448
    sig 0x000906eb, pf_mask 0x02, 2021-11-12, rev 0x00f0, size 105472
    sig 0x000906ec, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448
    sig 0x000906ed, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 104448
    sig 0x000a0652, pf_mask 0x20, 2021-11-16, rev 0x00f0, size 96256
    sig 0x000a0653, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 97280
    sig 0x000a0655, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 96256
    sig 0x000a0660, pf_mask 0x80, 2021-11-15, rev 0x00f0, size 96256
    sig 0x000a0661, pf_mask 0x80, 2021-11-16, rev 0x00f0, size 96256
    sig 0x000a0671, pf_mask 0x02, 2022-03-09, rev 0x0053, size 103424

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 2747a94f0977b36c4c29cc4596879b9127cfaf5f)

2 years agoopenssl: bump to 1.1.1q
Dustin Lundquist [Wed, 6 Jul 2022 16:08:52 +0000 (09:08 -0700)]
openssl: bump to 1.1.1q

Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
     implementation would not encrypt the entirety of the data under some
     circumstances.  This could reveal sixteen bytes of data that was
     preexisting in the memory that wasn't written.  In the special case of
     "in place" encryption, sixteen bytes of the plaintext would be revealed.

     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
     they are both unaffected.
     (CVE-2022-2097)
     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
(cherry picked from commit 3899f68b54b31de4b4fef4f575f7ea56dc93d965)

2 years agowolfssl: bump to 5.4.0
Eneas U de Queiroz [Fri, 15 Jul 2022 19:09:58 +0000 (16:09 -0300)]
wolfssl: bump to 5.4.0

This version fixes two vulnerabilities:
-CVE-2022-34293[high]: Potential for DTLS DoS attack
-[medium]: Ciphertext side channel attack on ECC and DH operations.

The patch fixing x86 aesni build has been merged upstream.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2 years agoath79: bsap18x0: pad rootfs image
Tomasz Maciej Nowak [Mon, 4 Jul 2022 12:23:06 +0000 (14:23 +0200)]
ath79: bsap18x0: pad rootfs image

This image is supposed to be written with help of bootloader to the
flash, but as it stands, it's not aligned to block size and RedBoot will
happily create non-aligned partition size in FIS directory. This could
lead to kernel to mark the partition as read-only, therefore pad the
image to block erase size boundary.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 9decd2a8436d2bb6b5f436268c92a6e6728486ce)

2 years agoath79: ja76pf2: use nvmem cells to specify MAC addresses
Tomasz Maciej Nowak [Mon, 4 Jul 2022 12:23:05 +0000 (14:23 +0200)]
ath79: ja76pf2: use nvmem cells to specify MAC addresses

The bootloader on this board hid the partition containig MAC addresses
and prevented adding this space to FIS directory, therefore those had to
be stored in RedBoot configuration as aliases to be able to assigne them
to proper interfaces. Now that fixed partition size are used instead of
redboot-fis parser, the partition containig MAC addresses could be
specified, and with marking it as nvmem cell, we can assign them without
userspace involvement.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit b52719b71a3337e5ae840c7a50fe41ebdc070f4e)

2 years agoath79: move image check for devices with RedBoot
Tomasz Maciej Nowak [Mon, 4 Jul 2022 12:23:04 +0000 (14:23 +0200)]
ath79: move image check for devices with RedBoot

Don't comence the switch to RAMFS when the image format is wrong. This
led to rebooting the device, which could lead to false impression that
upgrade succeded.
Being here, factor out the code responsible for upgrading RedBoot
devices to separate file.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 5897c52e78e3cd3846db083d48dd9d6b47ff3a08)

2 years agoath79: switch some RedBoot based devices to OKLI loader
Tomasz Maciej Nowak [Mon, 4 Jul 2022 12:23:03 +0000 (14:23 +0200)]
ath79: switch some RedBoot based devices to OKLI loader

After the kernel has switched version to 5.10, JA76PF2 and
RouterStations lost the capability to sysupgrade the OpenWrt version.
The cause is the lack of porting the patches responsible for partial
flash erase block writing and these boards FIS directory and RedBoot
config partitions share the same erase block. Because of that the FIS
directory can't be updated to accommodate kernel/rootfs partition size
changes. This could be remedied by bootloader update, but it is very
intrusive and could potentially lead to non-trivial recovery procedure,
if something went wrong. The less difficult option is to use OpenWrt
kernel loader, which will let us use static partition sizes and employ
mtd splitter to dynamically adjust kernel and rootfs partition sizes.
On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify
FIS directory, the loader will be written to kernel partition, while the
kernel+rootfs to rootfs partition.

The caveats are:
* image format changes, no possible upgrade from ar71xx target images
* downgrade to any older OpenWrt version will require TFTP recovery or
  usage of bootloader command line interface

To downgrade to 19.07 or 21.02, or to upgrade if one is already on
OpenWrt with kernel 5.10, for RouterStations use TFTP recovery
procedure. For JA76PF2 use instructions from this commit message:
commit 0cc87b3bacee ("ath79: image: disable sysupgrade images for routerstations and ja76pf2"),
replacing kernel image with loader (loader.bin suffix) and rootfs
image with firmware (firmware.bin suffix).

Fixes: b10d6044599d ("kernel: add linux 5.10 support")
Fixes: 15aa53d7ee65 ("ath79: switch to Kernel 5.10")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(mkubntimage was moved to generic-ubnt.mk)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 5c142aad7bc018fe000789740a486c49973035b8)

2 years agorockchip: reliably distribute net interrupts
Ronny Kotzschmar [Wed, 6 Jul 2022 13:14:21 +0000 (15:14 +0200)]
rockchip: reliably distribute net interrupts

On the NanoPI R4S it takes an average of 3..5 seconds for the network devices
to appear in '/proc/interrupts'.
Wait up to 10 seconds to ensure that the distribution of the interrupts
really happens.

Signed-off-by: Ronny Kotzschmar <ro.ok@me.com>
(cherry picked from commit 9b00e9795660f53caf1f4f5fd932bbbebd2eeeb1)

2 years agowolfssl: re-enable AES-NI by default for x86_64
Eneas U de Queiroz [Wed, 6 Jul 2022 20:55:58 +0000 (17:55 -0300)]
wolfssl: re-enable AES-NI by default for x86_64

Apply an upstream patch that removes unnecessary CFLAGs, avoiding
generation of incompatible code.

Commit 0bd536723303ccd178e289690d073740c928bb34 is reverted so the
accelerated version builds by default on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 639419ec4fd1501a9b9857cea96474271ef737b1)

2 years agomac80211: fix AQL issue with multicast traffic
Felix Fietkau [Wed, 13 Jul 2022 05:52:04 +0000 (07:52 +0200)]
mac80211: fix AQL issue with multicast traffic

Exclude multicast from pending AQL budget

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 9f1d6223289b5571ddc77c0e5327ab51137199d9)

2 years agorealtek: build sane factory images for DGS-1210 models
Markus Stockhausen [Wed, 6 Jul 2022 11:43:23 +0000 (13:43 +0200)]
realtek: build sane factory images for DGS-1210 models

During upload of firmware images the WebUI and CLI patch process
extracts a version information from the uploaded file and stores it
onto the jffs2 partition. To be precise it is written into the
flash.txt or flash2.txt files depending on the selected target image.
This data is not used anywhere else. The current OpenWrt factory
image misses this label. Therefore version information shows only
garbage. Fix this.

Before:
DGS-1210-20> show firmware information
IMAGE ONE:
Version      : xfo/QE~WQD"A\Scxq...
Size         : 5505185 Bytes

After:
DGS-1210-20> show firmware information
IMAGE ONE:
Version      : OpenWrt
Size         : 5505200 Bytes

Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit fae3ac3560459320a88be86b31c572c4bca42645)

2 years agorealtek: build factory images for all DGS-1210 models
Markus Stockhausen [Wed, 6 Jul 2022 11:41:51 +0000 (13:41 +0200)]
realtek: build factory images for all DGS-1210 models

Currently we build factory images only for DGS-1210-28 model. Relax
that constraint and take care about all models. Tested on DGS-1210-20
and should work on other models too because of common flash layout.

Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit 2b49ec3a28ad09446f48f1f830a42bdfe3bce9be)

2 years agorealtek: rename u-boot-env2 to board-name
Luiz Angelo Daros de Luca [Mon, 4 Jul 2022 17:11:26 +0000 (14:11 -0300)]
realtek: rename u-boot-env2 to board-name

Some realtek boards have two u-boot-env partitions. However, in the
DGS-1210 series, the mtdblock2 partition is not a valid u-boot env
and simply contains the board/device name, followed by nulls.

00000000  44 47 53 2d 31 32 31 30  2d 32 38 2d 46 31 00 00 |DGS-1210-28-F1..|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 |................|
*
00040000

00000000  44 47 53 2d 31 32 31 30  2d 35 32 2d 46 31 00 00 |DGS-1210-52-F1..|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 |................|
*
00040000

The misleading u-boot-env2 name also confuses uboot-envtools.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 8b798dbb39856463878efb07ddef87ce2e522ceb)

2 years agoscripts: fix CAMEO tag generator
Sander Vanheule [Tue, 5 Jul 2022 08:16:08 +0000 (10:16 +0200)]
scripts: fix CAMEO tag generator

What should have been only cosmetic changes, ended up in breaking the
script. Rename UIMAGE_CRC_SLICE back to (the original) UIMAGE_CRC_OFF.

Fixes issue #10204 "cameo-tag.py broken"

Reported-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Fixes: f9e840b65700 ("scripts: add CAMEO tag generator")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit ebfe66e494e57f4b421f1190d6bff1d361db1b3d)

2 years agorealtek: build DGS-1210 images with CAMEO tag
Markus Stockhausen [Tue, 5 Jul 2022 06:46:59 +0000 (08:46 +0200)]
realtek: build DGS-1210 images with CAMEO tag

From now on we will insert CAMEO tags into sysupgrade images for
DGS-1210 devices. This will make the "OS:...FAILED" and "FS:...FAILED"
messages go away.

Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit e763c4c89fc5569d7264ff60837eb4aff69a0bfb)

2 years agoscripts: add CAMEO tag generator
Markus Stockhausen [Tue, 5 Jul 2022 06:46:21 +0000 (08:46 +0200)]
scripts: add CAMEO tag generator

This script inserts CAMEO tags into an uImage to make U-Boot
of DGS-1210 switches happy.

Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Suggested-by: Sander Vanheule <sander@svanheule.net> # Mutual checksum algorithm
[commit title prefix, trailing whitespace, OpenWrt capitalisation, move
CRC calculation comment, use UIMAGE_NAME_*, remove parentheses for
return, use f-string instead of str()]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit f9e840b65700e1cdff6d066d39c163bac936d046)

2 years agorealtek: add DGS-1210-28 factory image
Luiz Angelo Daros de Luca [Thu, 23 Jun 2022 20:50:03 +0000 (17:50 -0300)]
realtek: add DGS-1210-28 factory image

DGS-1210 switches support dual image, with each image composed of a
kernel and a rootfs partition. For image1, kernel and rootfs are in
sequence. The current OpenWrt image (written using a serial console),
uses those partitions together as the firmware partition, ignoring the
partition division. The current OEM u-boot fails to validate image1 but
it will only trigger firmware recovery if both image1 and image2 fail,
and it does not switch the boot image in case one of them fails the
check.

The OEM factory image is composed of concatenated blocks of data, each
one prefixed with a 0x40-byte cameo header. A normal OEM firmware will
have two of these blocks (kernel, rootfs). The OEM firmware only checks
the header before writing unconditionally the data (except the header)
to the correspoding partition.

The OpenWrt factory image mimics the OEM image by cutting the
kernel+rootfs firmware at the exact size of the OEM kernel partition
and packing it as "the kernel partition" and the rest of the kernel and
the rootfs as "the rootfs partition". It will only work if written to
image1 because image2 has a sysinfo partition between kernel2 and
rootfs2, cutting the kernel code in the middle.

Steps to install:

1) switch to image2 (containing an OEM image), using web or these CLI
   commands:
   - config firmware image_id 2 boot_up
   - reboot
2) flash the factory_image1.bin to image1. OEM web (v6.30.016)
   is crashing for any upload (ssh keys, firmware), even applying OEM
   firmwares. These CLI commands can upload a new firmware to the other
   image location (not used to boot):
   - download firmware_fromTFTP <tftpserver> factory_image1.bin
   - config firmware image_id 1 boot_up
   - reboot

To debrick the device, you'll need serial access. If you want to
recover to an OpenWrt, you can replay the serial installation
instructions. For returning to the original firmware, press ESC during
the boot to trigger the emergency firmware recovery procedure. After
that, use D-Link Network Assistant v2.0.2.4 to flash a new firmware.

The device documentation does describe that holding RESET for 12s
trigger the firmware recovery. However, the latest shipped U-Boot
"2011.12.(2.1.5.67086)-Candidate1" from "Aug 24 2021 - 17:33:09" cannot
trigger that from a cold boot. In fact, any U-Boot procedure that relies
on the RESET button, like reset settings, will only work if started from
a running original firmware. That, in practice, cancels the benefit of
having two images and a firmware recovery procedure (if you are not
consider dual-booting OpenWrt).

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 1005dc0a64587e954364ff3a64bbb38b2ca371cd)

2 years agoscripts: add cameo image header generator
Luiz Angelo Daros de Luca [Fri, 24 Jun 2022 19:05:16 +0000 (16:05 -0300)]
scripts: add cameo image header generator

The cameo header is a 0x40-byte header used by D-Link DGS 1210 switches
and Apresia ApresiaLightGS series. cameo-imghdr.py is a clean-room
reimplementation of imghdr present in the DGS-1210-28-GPL package.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[fix board_version argument's help text]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 2fd66e058b0804b9c561d8d6858363fdf5bd7aea)

2 years agobcm53xx: use -falign-functions=32 for kernel compilation
Rafał Miłecki [Sun, 3 Jul 2022 11:22:00 +0000 (13:22 +0200)]
bcm53xx: use -falign-functions=32 for kernel compilation

Northstar SoCs have pretty small CPU caches and their performance is
heavily affected by cache hits & misses. It means that all kind of
random code changes can affect performance as they often reorganize
(change alignment & possibly reorder) kernel symbols.

It was discussed in ARM / net mailinglists:
1. ARM router NAT performance affected by random/unrelated commits [1] [2]
2. Optimizing kernel compilation / alignments for network performance [3] [4]

It seems that -falign-functions can be used as a partial workaround. It
doesn't solve all cases (e.g. documented watchdog one [5]) but it surely
helps with many of them.

A complete long term solution may be PGO (profile-guided optimization)
but it isn't available at this point.

[1] https://lkml.org/lkml/2019/5/21/349
[2] https://www.spinics.net/lists/linux-block/msg40624.html
[3] https://lore.kernel.org/linux-arm-kernel/066fc320-dc04-11a4-476e-b0d11f3b17e6@gmail.com/T/
[4] https://www.spinics.net/lists/netdev/msg816103.html
[5] http://lists.openwrt.org/pipermail/openwrt-devel/2022-July/038989.html

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit abc5b28db164dc2d807750cb2baae91e288c84a9)

2 years agobcm53xx: enable & setup packet steering
Rafał Miłecki [Fri, 10 Jun 2022 08:51:23 +0000 (10:51 +0200)]
bcm53xx: enable & setup packet steering

Packet steering can improve NAT masquarade performance on Northstar by
40-50%. It makes reaching 940-942 Mb/s possible on BCM4708 (and
obviously BCM47094 too). Add scripts setting up the most optimal
Northstar setup.

Below are testing results for running iperf TCP traffic from LAN to WAN.
They were used to pick up golden values.

┌──────────┬──────────┬────────────────────┬────────────────────┐
│   eth0   │  br-lan  │ flow_offloading=0  │ flow_offloading=1  │
│          │          ├─────────┬──────────┼─────────┬──────────┤
│ rps_cpus │ rps_cpus │ BCM4708 │ BCM47094 │ BCM4708 │ BCM47094 │
├──────────┼──────────┼─────────┼──────────┼─────────┼──────────┤
│        0 │        0 │     387 │      671 │     707 │      941 │
│        0 │        1 │     343 │      576 │     705 │      941 │
│        0 │        2 │   ✓ 574 │    ✓ 941 │     704 │      940 │
│        1 │        0 │     320 │      549 │     561 │      941 │
│        1 │        1 │     327 │      551 │     553 │      941 │
│        1 │        2 │     523 │    ✓ 940 │     559 │      940 │
│        2 │        0 │     383 │      652 │   ✓ 940 │      941 │
│        2 │        1 │     448 │      754 │   ✓ 942 │      941 │
│        2 │        2 │     404 │      655 │   ✓ 941 │      941 │
└──────────┴──────────┴─────────┴──────────┴─────────┴──────────┘

Above tests were performed with all eth0 interrupts handled by CPU0.
Setting "echo 2 > /proc/irq/38/smp_affinity" was tested on BCM4708 but
it didn't increased speeds (just required different steering):

┌──────────┬──────────┬───────────┐
│   eth0   │  br-lan  │ flow_offl │
│   rx-0   │   rx-0   │ oading=0  │
│ rps_cpus │ rps_cpus │  BCM4708  │
├──────────┼──────────┼───────────┤
│        0 │        0 │       384 │
│        0 │        1 │     ✓ 574 │
│        0 │        2 │       348 │
│        1 │        0 │       383 │
│        1 │        1 │       412 │
│        1 │        2 │       448 │
│        2 │        0 │       321 │
│        2 │        1 │       520 │
│        2 │        2 │       327 │
└──────────┴──────────┴───────────┘

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit fcbd39689ebfef20c62fe3882d51f3af765e8028)

2 years agobcm53xx: disable GRO by default at kernel level
Rafał Miłecki [Mon, 20 Jun 2022 08:21:20 +0000 (10:21 +0200)]
bcm53xx: disable GRO by default at kernel level

This improves NAT masquarade network performance.

An alternative to kernel change would be runtime setup but that requires
ethtool and identifying relevant network interface and all related
switch ports interfaces.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 82d0dd8f8aa11249944fe39cd0d75a1524ec22ec)

2 years agobcm53xx: revert bgmac back to the old limited max frame size
Rafał Miłecki [Fri, 10 Jun 2022 12:02:19 +0000 (14:02 +0200)]
bcm53xx: revert bgmac back to the old limited max frame size

Bumping max frame size has significantly affected network performance.
It was done by upstream commit that first appeared in the 5.7 release.

This change bumps NAT masquarade speed from 196 Mb/s to 383 Mb/s for the
BCM4708 SoC.

Ref: f55f1dbaad33 ("bcm53xx: switch to the kernel 5.10")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 230c9da963aad9e1a2f8f128c30067ccad2efef8)

2 years agokernel: drop patch adding hardcoded kernel compilation flags
Rafał Miłecki [Wed, 15 Jun 2022 10:36:37 +0000 (12:36 +0200)]
kernel: drop patch adding hardcoded kernel compilation flags

1. KCFLAGS should be used for custom flags
2. Optimization flags are arch / SoC specific
3. -fno-reorder-blocks may *worsen* network performace on some SoCs
4. Usage of flags was *reversed* since 5.4 and noone reported that

If we really need custom flags then CONFIG_KERNEL_CFLAGS should get
default value adjusted properly (per target).

Ref: 4e0c54bc5bc8 ("kernel: add support for kernel 5.4")
Link: http://lists.openwrt.org/pipermail/openwrt-devel/2022-June/038853.html
Link: https://patchwork.ozlabs.org/project/openwrt/patch/20190409093046.13401-1-zajec5@gmail.com/
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 22168ae68101b95d03741b0e9e8ad20b8a5ae5b7)

2 years agokernel: support setting extra CFLAGS for kernel compilation
Rafał Miłecki [Wed, 15 Jun 2022 10:36:36 +0000 (12:36 +0200)]
kernel: support setting extra CFLAGS for kernel compilation

They may be used e.g. to optimize kernel size or performance.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 907d7d747243044f86588f0d82993e8c106cb02c)

2 years agokernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags
Rafał Miłecki [Wed, 15 Jun 2022 08:41:37 +0000 (10:41 +0200)]
kernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags

This uses kernel's generic variable and doesn't require patching it with
a custom Makefile change. It's expected *not* to change any behaviour.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1d42af720c6b6dcfcdd0b89bce386fca1607dcb3)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 24e27bec9a6df1511a504cf04cd9578a23e74657)

2 years agoOpenWrt v22.03.0-rc5: revert to branch defaults
Hauke Mehrtens [Wed, 6 Jul 2022 21:01:51 +0000 (23:01 +0200)]
OpenWrt v22.03.0-rc5: revert to branch defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agoOpenWrt v22.03.0-rc5: adjust config defaults v22.03.0-rc5
Hauke Mehrtens [Wed, 6 Jul 2022 21:01:47 +0000 (23:01 +0200)]
OpenWrt v22.03.0-rc5: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agokernel: Add missing mediatek configuration options
Hauke Mehrtens [Wed, 6 Jul 2022 18:32:11 +0000 (20:32 +0200)]
kernel: Add missing mediatek configuration options

When building the mediatek/mt7629 target in OpenWrt 22.03 the kernel
does not have a configuration option for CONFIG_CRYPTO_DEV_MEDIATEK. Add
this option to the generic kernel configuration and also add two other
configuration options which are removed when we refresh the mt7629
kernel configuration.

Fixes: 2bea35cb55d7 ("mediatek: remove crypto-hw-mtk package")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit dcc0fe24ea216d32300c0f01c8879e586d89cc1e)

2 years agoopenssl: bump to 1.1.1p
Andre Heider [Thu, 23 Jun 2022 07:08:07 +0000 (09:08 +0200)]
openssl: bump to 1.1.1p

Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

  *) In addition to the c_rehash shell command injection identified in
     CVE-2022-1292, further bugs where the c_rehash script does not
     properly sanitise shell metacharacters to prevent command injection have been
     fixed.

     When the CVE-2022-1292 was fixed it was not discovered that there
     are other places in the script where the file names of certificates
     being hashed were possibly passed to a command executed through the shell.

     This script is distributed by some operating systems in a manner where
     it is automatically executed.  On such operating systems, an attacker
     could execute arbitrary commands with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be replaced
     by the OpenSSL rehash command line tool.
     (CVE-2022-2068)
     [Daniel Fiala, Tomáš Mráz]

  *) When OpenSSL TLS client is connecting without any supported elliptic
     curves and TLS-1.3 protocol is disabled the connection will no longer fail
     if a ciphersuite that does not use a key exchange based on elliptic
     curves can be negotiated.
     [Tomáš Mráz]

Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit eb7d2abbf06f0a3fe700df5dc6b57ee90016f1f1)