Mirko Parthey [Thu, 31 May 2018 13:24:31 +0000 (15:24 +0200)]
mtd: mark as nonshared to fix FS#484
Upstream commit:
46d7ced9d1e104693a9f995bfe8a6e28ac82b592
The mtd tool is built with different configurations depending on the
target. For example, brcm47xx adds the fixtrx subcommand, without which
an image fails when booting the second time.
Mark the mtd package as nonshared to really fix FS#484.
Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
John Crispin [Tue, 22 May 2018 18:44:34 +0000 (20:44 +0200)]
ustream-ssl: update to latest git HEAD
Upstream commit:
346d4c75eaa7a1d9bc8fcddc5db10a6aca95c005
5322f9d mbedtls: Fix setting allowed cipher suites
e8a1469 mbedtls: Add support for a session cache
Signed-off-by: John Crispin <john@phrozen.org>
John Crispin [Tue, 1 May 2018 09:11:16 +0000 (11:11 +0200)]
ustream-ssl: update to latest git HEAD
Upstream commit:
52ba5760b771d873fe21d260e3b53506663b6144
527e700 ustream-ssl: Remove RC4 from ciphersuite in server mode.
39a6ce2 ustream-ssl: Enable ECDHE with OpenSSL.
45ac930 remove polarssl support
Signed-off-by: John Crispin <john@phrozen.org>
Hauke Mehrtens [Mon, 21 May 2018 11:58:53 +0000 (13:58 +0200)]
mbedtls: Activate the session cache
Upstream commit:
f2c8f6dc3249b506b915741d12905402dfffe162
This make sit possible to store informations about a session and reuse
it later. When used by a server it increases the time to create a new
TLS session from about 1 second to less than 0.1 seconds.
The size of the ipkg file increased by about 800 Bytes.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 2 Jun 2018 10:07:35 +0000 (12:07 +0200)]
mbedtls: update mbedtls to version 2.7.3
This fixes some minor security problems and other bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Wed, 30 May 2018 19:39:51 +0000 (21:39 +0200)]
kernel: bump kernel 4.4 to 4.4.135 for 17.01
* Refreshed patches
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 2 Jun 2018 10:00:11 +0000 (12:00 +0200)]
ar71xx: Deactivate build of Netgear WNR2000v3
This devices always looses the settings after power loss, nothing is
been saved.
Deactivate building this image till this problem is fixed.
See FS#672
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Imre Kaloz [Thu, 15 Feb 2018 18:57:05 +0000 (19:57 +0100)]
mvebu: Add support for WRT3200ACM with new NAND flash
Newer Linksys boards might come with a Winbond W29N02GV which can be
configured in different ways. Make sure we configure it the same way as
the older chips so everything keeps working.
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Mirko Parthey [Tue, 22 May 2018 19:23:36 +0000 (21:23 +0200)]
brcm47xx: add switch port mapping to Asus WL-500W
Switch ports 0..3 are connected to external ports LAN{1..4} in sequence,
switch port 4 is not used, and switch port 5 is connected to the CPU.
The WAN port is attached to the CPU's second network interface; it has no
connection to the internal switch.
Reuse the "Dell TrueMobile 2300" entry, which describes the same mapping.
Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
Hans Dedecker [Sun, 27 May 2018 20:08:52 +0000 (22:08 +0200)]
odhcpd: fix managed address configuration setting
59339a7 router: fix managed address configuration setting
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Chris Blake [Fri, 31 Mar 2017 09:31:21 +0000 (04:31 -0500)]
apm821xx: Add default packages to NAND target
This moves core router packages to the NAND target, to ensure they are
applied to all images. This change is being done due to an issue found
when flashing the MX60W image, which came without these when built as a
multi image.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
(cherry picked from commit
d1c3a9485a90fff9bf7083faba4138e14dcdae7d)
Jason A. Donenfeld [Sat, 19 May 2018 03:55:58 +0000 (05:55 +0200)]
wireguard: bump to
20180519
* chacha20poly1305: add mips32 implementation
"The OpenWRT Commit" - this significantly speeds up performance on cheap
plastic MIPS routers, and presumably the remaining MIPS32r2 super computers
out there.
* timers: reinitialize state on init
* timers: round up instead of down in slack_time
* timers: remove slack_time
* timers: clear send_keepalive timer on sending handshake response
* timers: no need to clear keepalive in persistent keepalive
Andrew He and I have helped simplify the timers and remove some old warts,
making the whole system a bit easier to analyze.
* tools: fix errno propagation and messages
Error messages are now more coherent.
* device: remove allowedips before individual peers
This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with
many peers would grind when deleting the interface.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Kevin Darbyshire-Bryant [Thu, 17 May 2018 22:08:21 +0000 (23:08 +0100)]
wireguard: no longer need portability patch
Drop package/network/services/wireguard/patches/100-portability.patch
Instead pass 'PLATFORM=linux' to make since we are always building FOR
linux.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Wed, 16 May 2018 15:14:15 +0000 (16:14 +0100)]
wireguard: bump to
20180514
52be69b version: bump snapshot
4884b45 ncat-client-server: add wg-quick variant
a333551 wg-quick: add darwin implementation
f5bf84d compat: backport for OpenSUSE 15
fe1ae1b wg-quick: add wg symlink
ecc1c5f wg-quick: add android implementation
3e6bb79 tools: reorganize for multiplatform wg-quick
b289d12 allowedips: Fix graphviz output after endianness patch
Refresh cross compile compatibility patch
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Toke Høiland-Jørgensen [Sun, 13 May 2018 18:15:50 +0000 (20:15 +0200)]
wireguard: Add support for ip6prefix config option
This makes it easier to distribute prefixes over a wireguard tunnel
interface, by simply setting the ip6prefix option in uci (just like with
other protocols).
Obviously, routing etc needs to be setup properly for things to work; this
just adds the config option so the prefix can be assigned to other
interfaces.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Kevin Darbyshire-Bryant [Sun, 13 May 2018 19:05:15 +0000 (20:05 +0100)]
wireguard: bump to 0.0.
20180513
6b4a340 version: bump snapshot
faa2103 compat: don't clear header bits on RHEL
4014532 compat: handle RHEL 7.5's recent backports
66589bc queueing: preserve pfmemalloc header bit
37f114a chacha20poly1305: make gcc 8.1 happy
926caae socket: use skb_put_data
724d979 wg-quick: preliminary support for go implementation
c454c26 allowedips: simplify arithmetic
71d44be allowedips: produce better assembly with unsigned arithmetic
5e3532e allowedips: use native endian on lookup
856f105 allowedips: add selftest for allowedips_walk_by_peer
41df6d2 embeddable-wg-library: zero attribute padding
9a1bea6 keygen-html: add zip file example
f182b1a qemu: retry on 404 in wget for kernel.org race
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Fri, 20 Apr 2018 10:14:29 +0000 (10:14 +0000)]
wireguard: bump to
20180420
7cc2668 version: bump snapshot
860c7c7 poly1305: do not place constants in different sections
5f1e4ca compat: remove unused dev_recursion_level backport
7e4b991 blake2s: remove unused helper
13225fc send: simplify skb_padding with nice macro
a1525bf send: account for route-based MTU
bbb2fde wg-quick: account for specified fwmark in auto routing mode
c452105 qemu: bump default version
dbe5223 version: bump snapshot
1d3ef31 chacha20poly1305: put magic constant behind macro
cdc164c chacha20poly1305: add self tests from wycheproof
1060e54 curve25519: add self tests from wycheproof
0e1e127 wg-quick.8: fix typo
2b06b8e curve25519: precomp const correctness
8102664 curve25519: memzero in batches
1f54c43 curve25519: use cmov instead of xor for cswap
fa5326f curve25519: use precomp implementation instead of sandy2x
9b19328 compat: support OpenSUSE 15
3102d28 compat: silence warning on frankenkernels
8f64c61 compat: stable kernels are now receiving
b87b619
62127f9 wg-quick: hide errors on save
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Jason A. Donenfeld [Mon, 5 Mar 2018 10:31:53 +0000 (11:31 +0100)]
wireguard: bump to
20180304
7c0d711 version: bump snapshot
b6a5cc0 contrib: add extract-handshakes kprobe example
37dc953 wg-quick: if resolvconf/run/iface exists, use it
1f9be19 wg-quick: if resolvconf/interface-order exists, use it
4d2d395 noise: align static_identity keys
14395d2 compat: use correct -include path
38c6d8f noise: fix function prototype
302d0c0 global: in gnu code, use un-underscored asm
ff4e06b messages: MESSAGE_TOTAL is unused
ea81962 crypto: read only after init
e35f409 Kconfig: require DST_CACHE explicitly
9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript"
6e09a46 contrib: keygen-html: rewrite in pure javascript
e0af0f4 compat: workaround netlink refcount bug
ec65415 contrib: embedded-wg-library: add key generation functions
06099b8 allowedips: fix comment style
ce04251 contrib: embedded-wg-library: add ability to add and del interfaces
7403191 queueing: skb_reset: mark as xnet
Changes:
* queueing: skb_reset: mark as xnet
This allows cgroups to classify packets.
* contrib: embedded-wg-library: add ability to add and del interfaces
* contrib: embedded-wg-library: add key generation functions
The embeddable library gains a few extra tricks, for people implementing
plugins for various network managers.
* crypto: read only after init
* allowedips: fix comment style
* messages: MESSAGE_TOTAL is unused
* global: in gnu code, use un-underscored asm
* noise: fix function prototype
Small cleanups.
* compat: workaround netlink refcount bug
An upstream refcounting bug meant that in certain situations it became
impossible to unload the module. So, we work around it in the compat code. The
problem has been fixed in 4.16.
* contrib: keygen-html: rewrite in pure javascript
* Revert "contrib: keygen-html: rewrite in pure javascript"
We nearly moved away from emscripten'ing the fiat32 code, but the resultant
floating point javascript was just too terrifying.
* Kconfig: require DST_CACHE explicitly
Required for certain frankenkernels.
* compat: use correct -include path
Fixes certain out-of-tree build systems.
* noise: align static_identity keys
Gives us better alignment of private keys.
* wg-quick: if resolvconf/interface-order exists, use it
* wg-quick: if resolvconf/run/iface exists, use it
Better compatibility with Debian's resolvconf.
* contrib: add extract-handshakes kprobe example
Small utility for extracting ephemeral key data from the kernel's memory.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
Kevin Darbyshire-Bryant [Sat, 3 Feb 2018 11:08:27 +0000 (11:08 +0000)]
wireguard: bump to
20180202
Bump to latest wireguard release snapshot:
2675814 version: bump snapshot
381d703 qemu: update base versions
c3fbd9d curve25519: break more things with more test cases
93fa0d9 curve25519: replace fiat64 with faster hacl64
6177bdd curve25519: replace hacl64 with fiat64
b9bf37d curve25519: verify that specialized basepoint implementations are correct
bd3f0d8 tools: dedup secret normalization
1f87434 chacha20poly1305: better buffer alignment
78959ed chacha20poly1305: use existing rol32 function
494cdea tools: fread doesn't change errno
ab89bdc device: let udev know what kind of device we are
62e8720 qemu: disable AVX-512 in userland
6342bf7 qemu: disable PIE for compilation
e23e451 contrib: keygen-html: share curve25519 implementation with kernel
6b28fa6 tools: share curve25519 implementations with kernel
c80cbfa poly1305: add poly-specific self-tests
10a2edf curve25519-fiat32: uninline certain functions
No patch refresh required.
Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 25 Jan 2018 17:20:51 +0000 (17:20 +0000)]
wireguard: bump to
20180118
Bump to latest wireguard release snapshot:
9a93a3d version: bump snapshot
7bc0579 contrib: keygen-html: update curve25519 implementation
ffc13a3 tools: import new curve25519 implementations
0ae7356 curve25519: wire up new impls and remove donna
f90e36b curve25519: resolve symbol clash between fe types
505bc05 curve25519: import 64-bit hacl-star implementation
8c02050 curve25519: import 32-bit fiat-crypto implementation
96157fd curve25519: modularize implementation
4830fc7 poly1305: remove indirect calls
bfd1a5e tools: plug memleak in config error path
09bf49b external-tests: add python implementation
b4d5801 wg-quick: ifnames have max len of 15
6fcd86c socket: check for null socket before fishing out sport
ddb8270 global: year bump
399d766 receive: treat packet checking as irrelevant for timers
No patch refresh required.
Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Etienne Haarsma [Mon, 21 May 2018 08:36:58 +0000 (10:36 +0200)]
kernel: bump kernel 4.4 to 4.4.132 for 17.01
* Refreshed patches
Compile-tested: ar71xx
Run-tested: ar71xx
Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Rafał Miłecki [Mon, 14 May 2018 08:29:20 +0000 (10:29 +0200)]
rpcd: update to lastest HEAD
All these changes are important enough to have them in the 17.01.
8206219 uci: fix memory leak in rpc_uci_replace_savedir()
10f7878 exec: close stdout and stderr streams on child signal
92d0d75 uci: use correct sort index when reordering sections
66a9bad uci: fix memory leak in rpc_uci_apply_timeout()
2423162 uci: switch to proper save directory on apply/rollback
edd37f8 uci: add rpc_uci_replace_savedir() helper
eb09f3a session: ignore non-string username attribute upon restore
3d400c7 session: support reclaiming pending apply session
f0f6f81 session: remove redundant key attribute to rpc_session_set()
6994c87 uci: fix session delta isolation
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Sat, 12 May 2018 21:34:43 +0000 (23:34 +0200)]
kernel: use accepted version of bcm47xxpart fix commit
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
404508001e9f2bbf09fc4c4027cf16b8720124db)
Rafał Miłecki [Sat, 12 May 2018 13:39:12 +0000 (15:39 +0200)]
bcm53xx: backport the first bunch of 4.18 BCM5301X patches
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Piotr Dymacz [Wed, 9 May 2018 18:04:01 +0000 (20:04 +0200)]
ar71xx: fix and improve ALFA Network Tube2H support
Fix ART offset (make it universal for 8/16 MB versions of the board) and
while at it, include also GPIO setup for h/w watchdog (EM6324QYSP5B).
Fixes: FS#1532
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Etienne Haarsma [Sat, 5 May 2018 16:50:42 +0000 (18:50 +0200)]
kernel: bump kernel 4.4 to 4.4.131 for 17.01
* Refreshed patches
Compile-tested: ar71xx
Run-tested: ar71xx
Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Felix Fietkau [Mon, 30 Apr 2018 12:03:28 +0000 (14:03 +0200)]
kernel: add missing in6_dev_put_clear call to an ipv6 network patch
Fixes "unregister_netdevice: waiting for lo to become free. Usage count = 1"
messages which started appearing since the update to 4.4.103. That
problem was exposed by upstream commit
76da0704507bb ("ipv6: only call
ip6_route_dev_notify() once for NETDEV_UNREGISTER") backported to 4.4.x
branch in
2417da3f4d6bc.
Fixes: 2b664499cd622 ("kernel: bump 4.4 to 4.4.103 for 17.01")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
58f7b5b96c301176d639540df4723c798af2a999)
Etienne Haarsma [Sat, 28 Apr 2018 19:51:24 +0000 (21:51 +0200)]
kernel: bump kernel 4.4 to 4.4.129 for 17.01
* Refreshed patches
Compile-tested: ar71xx
Run-tested: ar71xx
Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Kevin Darbyshire-Bryant [Fri, 9 Jun 2017 12:29:48 +0000 (13:29 +0100)]
gcc: gcc 6.3.0 fix comparison between pointer and integer
Fix FS#832
/source/build_dir/toolchain-mips_74kc_gcc-6.3.0_musl/gcc-6.3.0/gcc/ubsan.c:
In function 'bool ubsan_use_new_style_p(location_t)':
/source/build_dir/toolchain-mips_74kc_gcc-6.3.0_musl/gcc-6.3.0/gcc/ubsan.c:1474:23:
error: ISO C++ forbids comparison between pointer and integer
[-fpermissive]
|| xloc.file == '\0' || xloc.file[0] == '\xff'
^~~~
make[5]: *** [Makefile:1085: ubsan.o] Error 1
https://www.viva64.com/en/b/0425/#ID0EMGCI
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
(cherry picked from commit
22e2b402aee17684781ae705a91fb3645299de9c)
Matthias Schiffer [Thu, 26 Apr 2018 18:04:48 +0000 (20:04 +0200)]
ar71xx: Ubiquiti Airmax M: add relocate-kernel to invalidate cache
Some Ubiquiti U-boot versions, in particular the "U-Boot 1.1.4.2-s956
(Jun 10 2015 - 10:54:50)" found with AirOS 5.6, do not correctly flush the
caches for the whole kernel address range after decompressing the kernel
image, leading to hard to debug boot failures, depending on kernel version
and configuration.
As a workaround, prepend the relocate-kernels loader, which will invalidate
the caches after moving the kernel to the correct load address.
Reported-by: Andreas Ziegler <dev@andreas-ziegler.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Rafał Miłecki [Mon, 23 Apr 2018 13:28:54 +0000 (15:28 +0200)]
brcm47xx: backport upstream patches for Netgear WNR1000 V3
This includes fix for reading NVRAM content.
(cherry picked from commit
b1f5dd34ed84b295a67934a64d2ab309db65b65e)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Matthias Schiffer [Tue, 17 Apr 2018 09:19:20 +0000 (11:19 +0200)]
base-files: /lib/functions.sh: ignore errors in insert_modules
Package postinst will pass even names of builtin modules to insert_modules,
leading to postinst failing with error 255. This has been fixed in master
in r5279, but for lede-17.01 this minimal change is preferable.
Fixes FS#645, FS#893.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Rafał Miłecki [Mon, 16 Apr 2018 17:59:56 +0000 (19:59 +0200)]
fstools: update to latest lede-17.01 branch
6609e98 libfstools: add "const" to char pointer arguments in mount_move()
95c07d5 libfstools: fix foreachdir() to pass dir with a trailing slash
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Stijn Segers [Tue, 3 Apr 2018 18:25:20 +0000 (20:25 +0200)]
kernel: bump kernel 4.4 to 4.4.126 for 17.01
* Refreshed patches
Compile-tested: ar71xx, ramips/mt7621, x86/64
Run-tested: ar71xx
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Hauke Mehrtens [Sat, 14 Apr 2018 12:33:46 +0000 (14:33 +0200)]
mbedtls: change libmbedcrypto.so soversion back to 0
mbedtls changed in version 2.7.0 and 2.7.2 the soversion of the
libmbedcrypto.so library, use the old version again to be able to use
the new library with binaries compiled against the old mbedtls library.
Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.
Go back to libmbedcrypto.so.0 and make the system rebuild the binaries
which were rebuild for 2.7.0 again.
This should make the libmbedcrypto.so library be compatible with the old
version shipped with 17.01.
Fixes: 3ca1438ae0 ("mbedtls: update to version 2.7.2")
Fixes: f609913b5c ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Rafał Miłecki [Thu, 12 Apr 2018 06:25:17 +0000 (08:25 +0200)]
kernel: mtd: bcm47xxpart: improve handling TRX partition size
This is important fix for flash parsing in some corner cases. In case
of TRX subpartition with rootfs being aligned to the flash block size it
was incorrectly registered twice. Detecting & registering it as a
standalone partition was resulting in an incorrect "firmware" partition
size and possibly broken sysupgrade.
It wasn't noticed before because "rootfs" alignment depends on a kernel
size. It can happen though - depending on the configuration and the
kernel size.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
f5195e72c0fcf2949f7d6296a5db081eb58f8e32)
Matthias Schiffer [Tue, 10 Apr 2018 16:06:20 +0000 (18:06 +0200)]
ar71xx: sysupgrade: improve CPE/WBS 210/510 validation, add new metadata offset
Previously, tplink_pharos_check_image() would accept any image with ELF
magic and only non-printable data in the support-list, as in this case the
while-read loop would not run at all. Add the new support-list offset and
ensure an image is only accepted when the model string is actually found.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Rafał Miłecki [Thu, 5 Apr 2018 09:08:27 +0000 (11:08 +0200)]
kernel: backport commit reverting genirq patch causing regressions
Switching from kernel 4.4.120 to 4.4.124 introduced a regression in
the genirq code. It was caused by a commit
9d0273bb1c4b6 ("genirq: Use
irqd_get_trigger_type to compare the trigger type for shared IRQs").
On bcm53xx it breaks serial console and results in a flood of:
[ 22.078829] genirq: Flags mismatch irq 18.
00000080 (serial) vs.
00000080 (gpio)
[ 22.086432] genirq: Flags mismatch irq 18.
00000080 (serial) vs.
00000080 (gpio)
[ 22.601150] genirq: Flags mismatch irq 18.
00000080 (serial) vs.
00000080 (gpio)
[ 22.608845] genirq: Flags mismatch irq 18.
00000080 (serial) vs.
00000080 (gpio)
Later in the upstream "linux-4.4.y" branch that commit was reverted and
it was followed by a 4.4.126 release. Until we switch from 4.4.124 to
4.4.126 (or newer), let's backport that reverting commit.
Fixes: bed0ee7cbfaa5 ("Kernel: bump 4.4 to 4.4.124 for 17.01")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Zoltan HERPAI [Tue, 20 Mar 2018 13:02:20 +0000 (14:02 +0100)]
intel-microcode: update to
20180312
- Update microcode for 24 CPU types
- Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
Coffee Lake
- Missing production updates:
- Broadwell-E/EX Xeons (sig 0x406f1)
- Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
Gemini Lake, Denverton
- New Microcodes:
- sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140
- sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
(cherry picked from commit
3db9d6e57def2912314c7ce0bc0c282f313ed654)
Rafał Miłecki [Tue, 3 Apr 2018 13:16:33 +0000 (15:16 +0200)]
brcm47xx: add Luxul XAP-1500 and XWR-1750 WiFi LEDs
(cherry picked from commit
16efb0c1c6c7702e694aef8f297b57b7c10b98c1)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Tue, 3 Apr 2018 11:11:20 +0000 (13:11 +0200)]
mac80211: brcmfmac: add support for BCM4366E chipset
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Hauke Mehrtens [Sun, 1 Apr 2018 13:10:30 +0000 (15:10 +0200)]
mbedtls: update to version 2.7.2
This fixes some minor security problems.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Paul Wassi [Fri, 30 Mar 2018 06:15:00 +0000 (08:15 +0200)]
openssl: update to 1.0.2o
Fixes CVE-2018-0739
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Stijn Segers [Wed, 28 Mar 2018 17:51:52 +0000 (19:51 +0200)]
Kernel: bump 4.4 to 4.4.124 for 17.01
* Refreshed patches
* Removed 087-Revert-led-core-Fix-brightness-setting-when-setting-.patch (applied upstream)
Compile-tested on ar71xx, ramips/mt7621, x86/64
Run-tested on ar71xx
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Rafał Miłecki [Wed, 21 Mar 2018 08:35:55 +0000 (09:35 +0100)]
mac80211: brcmfmac: backport commit dropping IAPP packets by default
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Felix Fietkau [Sat, 10 Mar 2018 09:09:07 +0000 (10:09 +0100)]
kernel: merge a pending fix for HFSC warnings/slowdowns (fixes FS#1136)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Hauke Mehrtens [Sun, 4 Mar 2018 19:38:00 +0000 (20:38 +0100)]
mbedtls: update to version 2.7.0
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
This release is also ABI incompatible with the previous one, but it is
API compatible.
Some functions used by a lot of other software was renamed and the old
function names are provided as a static inline now, but they are only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.
Also increase the PKG_RELEASE version to force a rebuild and update of
packages depending on mbedtls to handle the changed ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Stefan Lippers-Hollmann [Sun, 4 Mar 2018 21:57:04 +0000 (22:57 +0100)]
tools/e2fsprogs: fix building on a glibc 2.27 host
The e2fsprogs host build fails on a glibc 2.27 host with
make[6]: Entering directory 'build_dir/host/e2fsprogs-1.43.7/debugfs'
CC create_inode.o
./../misc/create_inode.c:399:18: error: conflicting types for 'copy_file_range'
static errcode_t copy_file_range(ext2_filsys fs, int fd, ext2_file_t e2_file,
^~~~~~~~~~~~~~~
In file included from ./../misc/create_inode.c:19:0:
/usr/include/unistd.h:1110:9: note: previous declaration of 'copy_file_range' was here
ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
^~~~~~~~~~~~~~~
Backport upstream commit "misc: rename copy_file_range to
copy_file_chunk"
01551bdba16ab16512a01affe02ade32c41ede8a in order to
fix this.
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Matthias Schiffer [Thu, 8 Mar 2018 21:23:57 +0000 (22:23 +0100)]
generic: revert broken LED core patch
At least on some devices, LEDs don't work anymore since kernel 4.4.120.
Revert the broken change.
See also: https://www.spinics.net/lists/stable/msg223656.html
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Mon, 5 Mar 2018 08:13:53 +0000 (09:13 +0100)]
base-files: tune fragment queue thresholds for available system memory
The default fragment low/high thresholds are 3 and 4 MB. On devices with
only 32MB RAM, these settings may lead to OOM when many fragments that
cannot be reassembled are received. Decrease fragment low/high thresholds
to 384 and 512 kB on devices with less than 64 MB RAM.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Tue, 6 Mar 2018 20:55:01 +0000 (21:55 +0100)]
include/package-defaults.mk: fix default Build/Prepare with empty ./src
Copying ./src/* would fail when src exists, but is empty or only contains
hidden files.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Tue, 6 Mar 2018 13:29:46 +0000 (14:29 +0100)]
include/rootfs.mk: retain list of conffiles with CONFIG_CLEAN_IPKG
/usr/lib/opkg/status must not be removed completely, otherwise the
packages' conffile lists will be missing. Replace it with a reduced version
only containing the conffile entries.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Tue, 6 Mar 2018 07:49:14 +0000 (08:49 +0100)]
include/rootfs.mk: do not remove opkg prerm scripts during rootfs preparation
When a user removes a preinstalled opkg package, the package's prerm script
(and in particular our default_prerm) should run.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Tue, 6 Mar 2018 07:25:32 +0000 (08:25 +0100)]
base-files: sysupgrade: do not rely on opkg to list changed conffiles
Many packages use the opkg conffiles field to list configuration files that
are to be retained on upgrades. Make this work on systems without opkg.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Stijn Segers [Sun, 4 Mar 2018 16:12:45 +0000 (17:12 +0100)]
kernel: bump 4.4 to 4.4.120 for 17.01
Bump the 4.4 kernel for the 17.01 release to 4.4.120. Refresh patches.
Compile-tested: ar71xx, ramips/mt7621, x86/64
Run-tested: ar71xx, x86/64
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Zoltan HERPAI [Sat, 10 Feb 2018 18:16:37 +0000 (19:16 +0100)]
x86: add preinit hook to reload microcode
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan HERPAI [Sat, 10 Feb 2018 20:19:41 +0000 (21:19 +0100)]
firmware: add microcode package for Intel
Compiling the Intel microcode package results in a
microcode.bin and a microcode-64.bin. As we can
decide based on the subtarget which should be used,
we'll only split the required .bin file with
iucode-tool.
x64 will get the intel-microcode-64.bin
All other variants will get intel-microcode.bin
The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan HERPAI [Sat, 10 Feb 2018 18:06:56 +0000 (19:06 +0100)]
firmware: add microcode package for AMD
Use the Debian repository for sourcing the ucode files.
Current (
20171205) includes support for fam17h CPUs already.
The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan HERPAI [Sun, 11 Feb 2018 11:30:07 +0000 (12:30 +0100)]
tools: add iucode-tool
Add tool to "compile" Intel microcode files. The tool will be
compiled for host (to split the microcode.dat) and for target
(to forcibly reload the microcode if required).
Instead of using the large microcode.bin/microcode-64.bin, the
splitted ucode files (separate for CPU families) will be
installed.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan HERPAI [Sun, 25 Feb 2018 21:13:26 +0000 (22:13 +0100)]
x86: enable microcode loading for Intel and AMD
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Hans Dedecker [Fri, 2 Mar 2018 15:35:54 +0000 (16:35 +0100)]
odhcpd: fix interop with wide DHCPv6 client (FS#1377)
aedc154 dhcpv6-ia: don't always send reconf accept option (FS#1377)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Rafał Miłecki [Tue, 27 Feb 2018 15:44:25 +0000 (16:44 +0100)]
base-files: fix off-by-one in counting seconds for factory reset
There was a mismatch between indicating factory reset and code actually
starting it. After 5 seconds status LED started blinking rapidly letting
user know it's ready to release reset button. In practice button had to
stay pressed for another second in order to relly start the process.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Matteo Scordino [Thu, 22 Feb 2018 15:35:17 +0000 (15:35 +0000)]
sunxi: disable LPAE to allow kernel to run on A13
Fixes issue FS#1355.
LPAE extensions are enabled, but the A13 does not support them.
The result is the boot process stopping at "Starting kernel ..."
Fixes: 468735c3a2f7 ("target: sunxi: enable kvm support")
Signed-off-by: Matteo Scordino <matteo.scordino@gmail.com>
Rafał Miłecki [Tue, 27 Feb 2018 15:49:31 +0000 (16:49 +0100)]
bcm53xx: fix fallback code for picking status LED
Looking for a wrong LED file name was stopping this code from find any
LED. This affects devices with only a red/amber power LED.
Fixes: 3aaee1ba023ac ("bcm53xx: failsafe support")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Mon, 26 Feb 2018 10:33:49 +0000 (11:33 +0100)]
mountd: update to the latest version from 2018-02-26
This significantly improves mountd stability & reliability by:
1) Sending hotplug.d event when appropriate
2) Properly unmounting
3) Handling corner cases when unmounting fails
4) Improving log messages
5f2c419 mount: drop duplicated includes
aaf2743 mount: call hotplug-call with ACTION=remove before trying to unmount
97da4ed mount: try lazy unmount if normal one fails
1b62489 mount: create not working symlink when unmounting fails
e77dc6d mount: reorder deleting code in the mount_enum_drives()
76766ae mount: rename tmp variables in the mount_add_list()
04b897f mount: drop duplicated rmdir() call from the mount_enum_drives()
a27ea3f mount: drop duplicated unlink() call from the mount_dev_del()
bf7cc33 mount: fix/improve unmounting log messages
36f9197 mount: fix removing mount point if it's expired
ed4270f mount: struct mount: replace "mounted" and "ignore" fileds with a "status"
1af9ca2 mount: change mount_dev_del() argument to struct mount *
7c8fea8 mount: rename /proc/mount parser to mount_update_mount_list()
7aadd1c mount: improve handling mounts table size
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Matthias Schiffer [Fri, 23 Feb 2018 15:17:57 +0000 (16:17 +0100)]
perf: restrict libunwind dependency to archs that actually support libunwind
Allow building perf on uncommon targets again.
Depending on the kernel version, not all of these archs will actually use
libunwind in perf. Still, it seems simpler and less error-prone to use the
same list that is defined in the libunwind package.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Fri, 23 Feb 2018 15:17:57 +0000 (16:17 +0100)]
libunwind: fix build with musl on PPC
Works around two incompatiblities between glibc and (POSIX-compliant) musl:
- missing register definitions from asm/ptrace.h
- non-POSIX-compliant ucontext_t on PPC32 with glibc
Compile tested on mpc85xx.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Koen Vandeputte [Mon, 19 Feb 2018 10:02:45 +0000 (11:02 +0100)]
uqmi: ensure CID is a numeric value before proceeding
The current implementation only checked if uqmi itself executed
correctly which is also the case when the returned value is actually
an error.
Rework this, checking that CID is a numeric value, which can only
be true if uqmi itself also executed correctly.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Stijn Segers [Sun, 18 Feb 2018 20:48:09 +0000 (21:48 +0100)]
kernel: update 17.01 kernel to 4.4.116
This bumps the 4.4. kernel in LEDE 17.01 to 4.4.116.
More Meltdown & Spectre mitigation.
* Refresh patches.
* Refresh x86/config for RETPOLINE.
* Deleted 8049-PCI-layerscape-Add-fsl-ls2085a-pcie-compatible-ID.patch (accepted upstream)
* Deleted 8050-PCI-layerscape-Fix-MSG-TLP-drop-setting.patch (accepted upstream)
* 650-pppoe_header_pad.patch does not apply anymore (code was replaced).
Bumps from 4.4.113 to 4.4.115 were handled by Kevin Darbyshire-Bryant.
Compile-tested on: ar71xx, ramips/mt7621, x86/64
Run-tested on: ar71xx, ramips/mt7621, x86/64
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Koen Vandeputte [Thu, 15 Feb 2018 14:16:03 +0000 (15:16 +0100)]
uqmi: use built-in command for data-link verification
uqmi contains a command for directly querying the modem if there
is a valid data connection, so let's use it.
This avoids the cases were all previous tests are succesful, but the
actual data link is not up for some reasons, leading to states were we
thought the link was up when it actually wasn't ..
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:16:02 +0000 (15:16 +0100)]
uqmi: use correct value for connection checking
Originally, the implementation only checked if uqmi command
execution succeeded properly without actually checking it's returned data.
This lead to a pass, even when the returned data was indicating an error.
Rework the verification to actually check the returned data,
which can only be correct if the uqmi command itself also executed correctly.
On command execution success, value "pdh_" is a pure numeric value.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:16:01 +0000 (15:16 +0100)]
uqmi: use general method for state cleaning
Debugging shows that using the general method properly cleans on each
run, while the method specifying the client-ID shows "No effect"
even while in connected state.
Fixes several connectivity issues seen on specific modems.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:16:00 +0000 (15:16 +0100)]
uqmi: silence error on pin verification
If a device only supports the 2nd verification method (uim),
the first method will fail as expected reporting an error:
"Command not supported"
Silence both separate methods and only report an error regarding
pin verification if both fail.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:15:59 +0000 (15:15 +0100)]
uqmi: fix raw-ip mode for newer lte modems
Some newer LTE modems, like the MC7455 or EC25-E do not support
"802.3" mode, and will stay in "raw-ip" regardless of the mode being
set.
In this case, the driver must be informed that it should handle all
packets in raw mode. [1]
This commit fixes connectivity issues for these devices.
Before:
[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending discover
udhcpc: sending discover
After:
[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending select for 100.66.245.226
udhcpc: lease of 100.66.245.226 obtained, lease time 7200
udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast
+
udhcpc: setting default routers: 100.66.245.225
[1] https://lists.freedesktop.org/archives/libqmi-
devel/2017-January/002064.html
Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[bumped PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Alexandru Ardelean [Thu, 15 Feb 2018 14:15:58 +0000 (15:15 +0100)]
net: uqmi: fix blocking in endless loops when unplugging device
If you unplug a QMI device, the /dev/cdc-wdmX device
disappears but uqmi will continue to poll it endlessly.
Then, when you plug it back, you have 2 uqmi processes,
and that's bad, because 2 processes talking QMI to the
same device [and the same time] doesn't seem to work well.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:15:57 +0000 (15:15 +0100)]
kernel: refresh patches
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Koen Vandeputte [Thu, 15 Feb 2018 14:15:56 +0000 (15:15 +0100)]
kernel: backport raw-ip mode for newer QMI LTE modems
Backport support for raw-ip mode including all known fixes afterwards.
Newer LTE modems only tend to support this mode, which was only
introduced in kernel 4.5.
Also backport support for the Quectel EC2x LTE modem series which is
a very popular device.
No custom changes were needed in order to apply these patches.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Daniel Golle [Fri, 2 Feb 2018 00:57:46 +0000 (01:57 +0100)]
base-files: don't evaluate block-device uevent
Backport commits fixing the detection of GPT partition names during
preinit and sysupgrade, closing a shell-injection vulnerability.
da52dd0c83 ("base-files: quote values when evaluating uevent")
267873ac9b ("base-files: don't evaluate block-device uevent")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Jo-Philipp Wich [Thu, 15 Feb 2018 09:47:04 +0000 (10:47 +0100)]
ramips: backport mt7530/762x switch fixes
dc7a1e8555 ("ramips: fix reporting effective VLAN ID on MT7621 switches")
341b1427fc ("ramips: properly map pvid for vlans with remapped vid on mt7530/762x switches")
bb4002c79d ("ramips: don't clobber vlans with remapped vid on mt7530/762x switches")
Fixes FS#991, FS#1147, FS#1341
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Maxim Gorbachyov [Fri, 12 Jan 2018 17:54:41 +0000 (20:54 +0300)]
perf: use libunwind
Without libunwind perf does not show userspace stack frames.
Tested on mvebu.
Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
Maxim Gorbachyov [Fri, 12 Jan 2018 17:42:20 +0000 (20:42 +0300)]
libunwind: enable build for arm
Tested with perf on mvebu.
Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
David Bauer [Tue, 6 Feb 2018 18:44:36 +0000 (19:44 +0100)]
ar71xx: remove bs-partition ro-flag for UniFi AC
This removes the read-only flag from the bs (bootselect) partition
on UniFi AC devices. This allows to correct the indicator from which
partition the device is booting its kernel from.
See also:
- https://github.com/freifunk-gluon/gluon/issues/1301
- https://bugs.lede-project.org/index.php?do=details&task_id=662
Signed-off-by: David Bauer <mail@david-bauer.net>
Hans Dedecker [Fri, 9 Feb 2018 08:21:36 +0000 (09:21 +0100)]
procd: update to latest git HEAD
9a4036f trace: add missing limits.h include
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Matthias Schiffer [Sat, 3 Feb 2018 13:12:05 +0000 (14:12 +0100)]
ar71xx: /lib/ar71xx.sh: add model detection for TP-Link TL-WR810N
Properly report the revision in /tmp/sysinfo/model.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Yousong Zhou [Fri, 26 Jan 2018 06:40:25 +0000 (14:40 +0800)]
iptables: make kmod-ipt-debug part of default ALL build
The iptables TRACE target is only available in raw table that's why the
dependency was moved from iptables-mod-trace into kmod-ipt-debug
Fixes FS#1219
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Martin Wetterwald [Thu, 12 Jan 2017 14:06:00 +0000 (15:06 +0100)]
iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
Darren Tucker [Sat, 20 Jan 2018 06:26:06 +0000 (14:26 +0800)]
curl: fix libcurl/mbedtls async interface
When using mbedtls, curl's nonblocking interface will report a request
as done immediately after the socket is written to and never read from
the connection. This will result in a HTTP status code of 0 and zero
length replies. Cherry-pick the patch from curl 7.53.0 to fix this
(https://github.com/curl/curl/commit/
b993d2cc).
Fixes https://bugs.openwrt.org/index.php?do=details&task_id=1285.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
Kevin Darbyshire-Bryant [Thu, 18 Jan 2018 13:46:13 +0000 (13:46 +0000)]
kernel: bump 4.4 to 4.4.112 for 17.01
Refresh patches.
Remove upstreamed patches:
target/linux/generic/patches-4.4/030-2-smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
target/linux/generic/patches-4.4/030-3-cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skb.patch
target/linux/generic/patches-4.4/030-4-sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch
target/linux/generic/patches-4.4/030-5-lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
CVEs completely or partially addressed:
CVE-2017-5715
CVE-2017-5753
CVE-2017-17741
CVE-2017-
1000410
Compile-tested: ar71xx Archer C7 v2
Run-tested: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Sat, 20 Jan 2018 08:46:28 +0000 (08:46 +0000)]
dnsmasq: backport validation fix in dnssec security fix
A DNSSEC validation error was introduced in the fix for CVE-2017-15107
Backport the upstream fix to the fix (a simple typo)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(backported from commit
adaf1cbcc8b253ea807dbe0416b4b04c33dceadf)
Kevin Darbyshire-Bryant [Fri, 19 Jan 2018 17:15:41 +0000 (17:15 +0000)]
dnsmasq: backport dnssec security fix for 17.01
CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
is fine.
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Hans Dedecker [Wed, 17 Jan 2018 12:57:30 +0000 (13:57 +0100)]
mountd: bump to git HEAD version
c54e5c6 mount: check if block was mounted before cleaning it up
e31565a mount: remove directory if mounting fails
0f4f20b mount: call hotplug mount scripts only on success
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Kevin Darbyshire-Bryant [Wed, 10 Jan 2018 16:01:00 +0000 (16:01 +0000)]
kernel: bump 4.4 to 4.4.111 for 17.01
Refresh patches
Tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Mon, 8 Jan 2018 13:00:07 +0000 (13:00 +0000)]
kmod-sched-cake: bump to latest cake bake for 17.01
More important bug fix:
402f05c Use full-rate mtu_time in all tins. Fixes an issue where some
cake tins experienced excessive latency since
49776da (dynamically
adjust target)
Minor bug fixes:
31277c2 Avoid unsigned comparison against zero. Fix compiler warning,
no known impact.
8cf5278 ack_filter: fix TCP flag check. A very contrived case may have
lead to dropping a SYN packet that should not be dropped.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Stijn Segers [Sat, 13 Jan 2018 16:18:21 +0000 (17:18 +0100)]
ar71xx: Netgear WNR2000v4: do not include USB packages [17.01]
The Netgear WNR2000v4 does not have a USB port. Hence, including USB packages into the default images is useless.
It looks like the WNR2000v4 definition in master is OK.
v2 fixes the silly typo in the patch title (WNR2000v4 instead of WNR200v4)
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Jo-Philipp Wich [Wed, 10 Jan 2018 19:17:48 +0000 (20:17 +0100)]
build: fix restoring /etc/opkg with PER_DEVICE_ROOTFS
When generating per-device rootfs directories, the ./etc/opkg/ directory
is moved away prior to calling opkg install, opkg remove and rootfs_prepare.
After the opkg invocations and the rootfs_prepare macro call, the saved opkg
config directory is supposed to be moved back to its previous ./etc/opkg
location.
The mv command however can fail to properly restore the directory under
certain circumstances, e.g. when the prior opkg or files/ overlay copy
operations caused a new ./etc/opkg/ directory to be created.
In this case, the backed up directory (named target-dir-$hash.opkg) will be
moved into the preexisting ./etc/opkg/ directory instead, causing the opkg
configuration to be located in a wrong path on the final rootfs, e.g. in
/etc/opkg/target-dir-$hash.opkg/distfeeds.conf instead of
/etc/opkg/distfeeds.conf.
Solve this problem by replacing the naive "mv" command with a recursive
"cp -T" invocation which causes the backed up directory tree to get merged
with the destination directory in case it already exists.
Also perform the rootfs_prepare macro call after restoring the opkg
configuration, to allow users to override it again by using the files/
overlay mechanism.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
ab1785b1b2559c9f2d09d4d3ce43e11f4b828616)
Chuanhong Guo [Fri, 29 Dec 2017 04:35:32 +0000 (12:35 +0800)]
ramips: fix lenovo newifi-y1 switch and LED config
There are 3 ethernet ports on Y1. LAN1 on port1, LAN2 on port0 and WAN on
port4.
Use a standalone switch configuration to match this and use the switch
trigger so that LAN LED could indicate the connetction status for both
lan ports correctly.
This patch also drop the internet led configuration, because there is a
WAN led for port4 and eth0.2 isn't always used as WAN.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Mathias Kresin [Sat, 30 Dec 2017 09:19:18 +0000 (10:19 +0100)]
ramips: firewrt: indicate boot status via LED
Add the Firefly FireWRT gree power LED to diag.sh to indicate the boot
status via the power LED.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Vittorio Gambaletta [Sat, 25 Mar 2017 17:08:02 +0000 (18:08 +0100)]
ag71xx: Fix rx ring buffer stall on small packets flood on qca956x and qca953x.
Backported from Code Aurora QSDK
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
Henryk Heisig [Fri, 6 Jan 2017 20:21:11 +0000 (21:21 +0100)]
ar71xx: QCA956X: add missing register
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Jo-Philipp Wich [Mon, 8 Jan 2018 13:35:21 +0000 (14:35 +0100)]
mvebu: fix mvneta build with Linux 4.4.110
Kernel 4.4.109 added pp->link, pp->duplex and pp->speed setters to
mvneta_port_disable() which the mvneta patchset failed to patch out after
rebasing, leading to the following build error:
CC drivers/net/ethernet/marvell/mvneta.o
drivers/net/ethernet/marvell/mvneta.c: In function 'mvneta_port_disable':
drivers/net/ethernet/marvell/mvneta.c:1199:4: error: 'struct mvneta_port' has no member named 'link'
pp->link = 0;
^
drivers/net/ethernet/marvell/mvneta.c:1200:4: error: 'struct mvneta_port' has no member named 'duplex'
pp->duplex = -1;
^
drivers/net/ethernet/marvell/mvneta.c:1201:4: error: 'struct mvneta_port' has no member named 'speed'
pp->speed = 0;
^
Fix the issue by rebasing 134-net-mvneta-convert-to-phylink.patch to remove
these struct member accesses as well.
Fixes: 7f5a040359 ("kernel: update kernel 4.4 to version 4.4.110")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>