openwrt/openwrt.git
14 months agox86: geode: fix hwrng register accesses
Jonas Gorski [Sat, 9 Sep 2023 10:44:42 +0000 (12:44 +0200)]
x86: geode: fix hwrng register accesses

When the membase and pci_dev pointer were moved to a new struct in priv,
the actual membase users were left untouched, and they started reading
out arbitrary memory behind the struct instead of registers. This
unfortunately turned the RNG into a constant number generator, depending
on the content of what was at that offset.

To fix this, update geode_rng_data_{read,present}() to also get the
membase via amd_geode_priv, and properly read from the right addresses
again.

Closes #13417.

Reported-by: Timur I. Davletshin <timur.davletshin@gmail.com>
Tested-by: Timur I. Davletshin <timur.davletshin@gmail.com>
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
(cherry picked from commit 09d13cd8d87cc50fde67bbe81c6cca4b799b2724)

15 months agourngd: update to the latest master
Rafał Miłecki [Tue, 25 Jul 2023 07:51:35 +0000 (09:51 +0200)]
urngd: update to the latest master

7aefb47 jitterentropy-rngd: update to the v1.2.0

What's interesting about jitterentropy-rngd v1.2.0 release is that it
bumps its copy of jitterentropy-library from v2.2.0 to the v3.0.0. That
bump includes a relevant commit 3130cd9 ("replace LSFR with SHA-3 256").

When initializing entropy jent calculates time delta. Time values are
obtained using clock_gettime() + CLOCK_REALTIME. There is no guarantee
from CLOCK_REALTIME of unique values and slow devices often return
duplicated ones.

A switch from jent_lfsr_time() to jent_hash_time() resulted in many less
cases of zero delta and avoids ECOARSETIME.

Long story short: on some system this fixes:
[    6.722725] urngd: jent-rng init failed, err: 2

This is important change for BCM53573 which doesn't include hwrng and
seems to have arch_timer running at 36,8 Hz.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c74b5e09e692839b39c8325b5f8dc5f2a3b3896c)

16 months agobcm53xx: backport more DT changes queued for v6.6
Rafał Miłecki [Sat, 29 Jul 2023 15:02:28 +0000 (17:02 +0200)]
bcm53xx: backport more DT changes queued for v6.6

Those sort out BCM53573 Ethernet info finally.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ca8868a51127f6081a524d47eab937b90af0bf05)

16 months agobcm53xx: add BCM53573 Ethernet fix sent upstream for v6.6
Rafał Miłecki [Sun, 23 Jul 2023 20:41:18 +0000 (22:41 +0200)]
bcm53xx: add BCM53573 Ethernet fix sent upstream for v6.6

It seems that DSA-based b53 driver never worked with BCM53573 SoCs and
BCM53125.

In case of swconfig-based b53 this fixes a regression. Switching bgmac
from using mdiobus_register() to of_mdiobus_register() resulted in MDIO
device (BCM53125) having of_node set (see of_mdiobus_register_phy()).
That made downstream b53 driver read invalid data from DT and broke
Ethernet support.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 79fd3e62b4910731c13692b2daa2083e0f95c023)

16 months agosdk: rename README + update Makefile
Tomasz Maciej Nowak [Tue, 11 Jul 2023 14:09:49 +0000 (16:09 +0200)]
sdk: rename README + update Makefile

'help' target fails not finding a file, so follow up on a change[2] made
as a fix for main README[1].

1. d0113711a31f ("README: port to 21st century")
2. 751486b31fd9 ("build: fix README.md reference after rename")

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 2d5f7035cf45801158bed6f5d0ac0de0002c1810)
(cherry picked from commit e9911f10e482f3174f745a36c0c9fd7964758caf)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
16 months agoib: split out processing user provided packages
Tomasz Maciej Nowak [Tue, 11 Jul 2023 14:06:21 +0000 (16:06 +0200)]
ib: split out processing user provided packages

Some device recipes remove default target packages. If user tries to add
them back they will be ignored, since packages list is processed in one
go. Process the device recipe packages first and do user ones later, so
additions won't get filtered out.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit e40b9a7fa002154e85459791101a0444d99dfb86)

16 months agobcm53xx: backport DT changes queued for v6.6
Rafał Miłecki [Fri, 14 Jul 2023 10:35:26 +0000 (12:35 +0200)]
bcm53xx: backport DT changes queued for v6.6

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 37ff916af789911fdefb802ce9903e866eb82435)

16 months agobcm53xx: backport DT changes from v6.5
Rafał Miłecki [Tue, 11 Jul 2023 08:30:08 +0000 (10:30 +0200)]
bcm53xx: backport DT changes from v6.5

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8674b41c0d84f09e14bf8ebe08e1d6dc6ac5fa64)

16 months agokernel: bgmac: fix regressed support for BCM53573 SoCs
Rafał Miłecki [Mon, 10 Jul 2023 09:38:23 +0000 (11:38 +0200)]
kernel: bgmac: fix regressed support for BCM53573 SoCs

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d54f3b2cfdbd34aa61ca67fd590eebfdf3db51cf)

16 months agokernel: fix bgmac support for BCM5358
Rafał Miłecki [Mon, 27 Feb 2023 09:46:14 +0000 (09:46 +0000)]
kernel: fix bgmac support for BCM5358

Fix two long-standing regressions.

Fixes: https://github.com/openwrt/openwrt/issues/8278
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 5e48c534f7c6b3a861f4a2dbb81d7bfcd9606f61)

16 months agobcm47xx: fix bgmac regression present in 5.4 kernel
Rafał Miłecki [Mon, 8 Nov 2021 14:55:40 +0000 (15:55 +0100)]
bcm47xx: fix bgmac regression present in 5.4 kernel

This fixes:
[    2.548098] bgmac_bcma bcma0:1: Failed to register fixed PHY device
[    2.554584] bgmac_bcma bcma0:1: Cannot connect to phy
and downstream (swconfig-based) b53 driver failing to load.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 6cdac994012003065a7040ceba3186f80db3cdbe)

16 months agokernel: backport bgmac upstream commits from 5.15 / for 5.16
Rafał Miłecki [Thu, 7 Oct 2021 09:29:52 +0000 (11:29 +0200)]
kernel: backport bgmac upstream commits from 5.15 / for 5.16

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit fd71ef34b75c81646d17d21d80dc3a5b5e2e6bb8)

17 months agobcm63xx: fix NETGEAR DGND3700v2 boot loop
Álvaro Fernández Rojas [Wed, 14 Jun 2023 21:27:29 +0000 (23:27 +0200)]
bcm63xx: fix NETGEAR DGND3700v2 boot loop

The DGND3700v2 renames the cferam bootloader from cferam to cfeXXX, where XXX
is the number of firmware upgrades performed by the bootloader. Other bcm63xx
devices rename cferam.000 to cferam.XXX, but this device is special because
the cferam name isn't changed on the first firmware flashing but it's changed
on the subsequent ones.
Therefore, we need to look for "cfe" instead of "cferam" to properly detect
the cferam partition and fix the bootlop.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit cdfcac6e246de9f237d1425e498db3f34ddebbaf)

17 months agokernel: mtd: bcm-wfi: add cferam name support
Álvaro Fernández Rojas [Wed, 14 Jun 2023 21:21:34 +0000 (23:21 +0200)]
kernel: mtd: bcm-wfi: add cferam name support

Some devices rename cferam bootloader using specific patterns and don't follow
broadcom standards for renaming cferam files. This requires supporting
different cferam file names.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 8813edd8d9695d4e3939fdaa3c530c682f91de11)

18 months agobuild: generate index.json
Paul Spooren [Tue, 9 May 2023 19:39:58 +0000 (21:39 +0200)]
build: generate index.json

The index.json file lies next to Packages index files and contains a
json dict with the package architecture and a dict of package names and
versions.

This can be used for downstream project to know what packages in which
versions are available.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 218ce40cd738f3373438aab82467807a8707fb9c)

19 months agoOpenWrt v21.02.7: revert to branch defaults
Hauke Mehrtens [Thu, 27 Apr 2023 21:08:18 +0000 (23:08 +0200)]
OpenWrt v21.02.7: revert to branch defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
19 months agoOpenWrt v21.02.7: adjust config defaults v21.02.7
Hauke Mehrtens [Thu, 27 Apr 2023 21:08:10 +0000 (23:08 +0200)]
OpenWrt v21.02.7: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
19 months agoopenssl: fix CVE-2023-464 and CVE-2023-465
Eneas U de Queiroz [Tue, 4 Apr 2023 18:39:56 +0000 (15:39 -0300)]
openssl: fix CVE-2023-464 and CVE-2023-465

Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
19 months agokernel: backport fix for recently introduced UBI bug
Daniel Golle [Sat, 15 Apr 2023 00:35:17 +0000 (01:35 +0100)]
kernel: backport fix for recently introduced UBI bug

Import commit "ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size" which did not yet make it to stable upstream Linux trees.

Fixes: #12232
Fixes: #12339
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit aad34818b50029e07ed9221ae46f9770d6e29785)

19 months agouclient: update to Git version 2023-04-13
Matthias Schiffer [Thu, 13 Apr 2023 18:51:05 +0000 (20:51 +0200)]
uclient: update to Git version 2023-04-13

007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 4f1c2e8deef10e9ca34ceff5a096e62aaa668e90)

19 months agoOpenWrt v21.02.6: revert to branch defaults
Daniel Golle [Sun, 9 Apr 2023 22:38:42 +0000 (23:38 +0100)]
OpenWrt v21.02.6: revert to branch defaults

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
19 months agoOpenWrt v21.02.6: adjust config defaults v21.02.6
Daniel Golle [Sun, 9 Apr 2023 22:38:36 +0000 (23:38 +0100)]
OpenWrt v21.02.6: adjust config defaults

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
19 months agoimagebuilder: allow to specific ROOTFS_PARTSIZE
Paul Spooren [Sun, 12 Mar 2023 15:56:41 +0000 (16:56 +0100)]
imagebuilder: allow to specific ROOTFS_PARTSIZE

Setting this options modifies the rootfs size of created images. When
installing a large number of packages it may become necessary to
increase the size to have enough storage.

This option is only useful for supported devices, i.e. with an attached
SD Card or installed on a hard drive.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 7b7edd25a571568438c886529d3443054e02f55f)

20 months agokernel: remove obsolete netfilter tcp window size check bypass patch
Felix Fietkau [Thu, 30 Mar 2023 12:18:04 +0000 (14:18 +0200)]
kernel: remove obsolete netfilter tcp window size check bypass patch

On any currently supported hardware, the performance impact should not
matter anymore.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 75e78bcaab847557ce1782eb2dea9dff9a029171)

20 months agomac80211, mt76: add fixes for recently discovered security issues
Felix Fietkau [Wed, 29 Mar 2023 15:54:19 +0000 (17:54 +0200)]
mac80211, mt76: add fixes for recently discovered security issues

Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4)

20 months agoipq40xx: Linksys MR8300: fix the USB port power
Daniel González Cabanelas [Thu, 16 Feb 2023 22:04:20 +0000 (23:04 +0100)]
ipq40xx: Linksys MR8300: fix the USB port power

The USB port on the MR8300 randomly fails to feed bus-powered devices.

This is caused by a misconfigured pinmux. The GPIO68 should be used to
enable the USB power (active low), but it's inside the NAND pinmux.

This GPIO pin was found in the original firmware at a startup script in
both MR8300 and EA8300. Therefore apply the fix for both boards.

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ed64c3323590e3c9fa8b423bf37689023a7a101f)
Signed-off-by: Steffen Scheib <steffen@scheib.me>
20 months agokernel: bump 5.4 to 5.4.238
Hauke Mehrtens [Mon, 27 Mar 2023 14:44:54 +0000 (16:44 +0200)]
kernel: bump 5.4 to 5.4.238

Compile-tested: armvirt/64, lantiq/xrx200
Run-tested: armvirt/64, lantiq/xrx200

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
20 months agolantiq: ltq-tapi: add kernel 5.10 compatiblity
Mathias Kresin [Sun, 27 Dec 2020 16:25:25 +0000 (17:25 +0100)]
lantiq: ltq-tapi: add kernel 5.10 compatiblity

Due to SCHED_FIFO being a broken scheduler model, all users of
sched_setscheduler() are converted to sched_set_fifo_low() upstream and
sched_setscheduler() is no longer exported.

The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 31f3f797004ad318a1de88ec9cfdece523ee46d9)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
20 months agoltq-atm/ltq-ptm: add kernel 5.10 compatiblity
Mathias Kresin [Sun, 27 Dec 2020 18:42:24 +0000 (19:42 +0100)]
ltq-atm/ltq-ptm: add kernel 5.10 compatiblity

The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

The stuck queue is now passed to ndo_tx_timeout callback but not used so
far.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 804c541446ab8e3fab11dba5d8fe07807af7fac5)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
20 months agokernel: tcindex classifier has been retired
John Audia [Sat, 11 Mar 2023 15:42:26 +0000 (10:42 -0500)]
kernel: tcindex classifier has been retired

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=v5.4.235&id=7a6fb69bbcb21e9ce13bdf18c008c268874f0480

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit fbfec3286e8bfce3a78749b7bcb67e658665f197)

20 months agokernel: bump 5.4 to 5.4.234
Hauke Mehrtens [Mon, 27 Mar 2023 00:17:03 +0000 (02:17 +0200)]
kernel: bump 5.4 to 5.4.234

Compile-tested: armvirt/64, lantiq/xrx200
Run-tested: armvirt/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
20 months agobcm4908: include usbport trigger
Rafał Miłecki [Thu, 16 Mar 2023 21:01:51 +0000 (22:01 +0100)]
bcm4908: include usbport trigger

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit cb2661844a5d54d44230ee564d4f17605a794a49)

20 months agobcm4908: backport v6.4 pending DTS changes
Rafał Miłecki [Thu, 16 Mar 2023 19:28:47 +0000 (20:28 +0100)]
bcm4908: backport v6.4 pending DTS changes

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ffaabee9b8d9da7c15a50f52897ae5f70b40b4e7)

21 months agoca-certificates: fix python3-cryptography woes in certdata2pem.py
Christian Lamparter [Wed, 1 Dec 2021 14:01:23 +0000 (15:01 +0100)]
ca-certificates: fix python3-cryptography woes in certdata2pem.py

This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb40ea2c062940778fba601032b2579734)

21 months agoca-certicficates: Update to version 20211016
Christian Lamparter [Sun, 28 Nov 2021 01:31:54 +0000 (02:31 +0100)]
ca-certicficates: Update to version 20211016

Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.

Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
|    bundle to version 2.50
|    The following certificate authorities were added (+):
|    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|    + "GlobalSign Root R46"
|    + "GlobalSign Root E46"
|    + "GLOBALTRUST 2020"
|    + "ANF Secure Server Root CA"
|    + "Certum EC-384 CA"
|    + "Certum Trusted Root CA"
|    The following certificate authorities were removed (-):
|    - "QuoVadis Root CA"
|    - "Sonera Class 2 Root CA"
|    - "GeoTrust Primary Certification Authority - G2"
|    - "VeriSign Universal Root Certification Authority"
|    - "Chambers of Commerce Root - 2008"
|    - "Global Chambersign Root - 2008"
|    - "Trustis FPS Root CA"
|    - "Staat der Nederlanden Root CA - G3"
|  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]

[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7c99085bd69742f66207d61e9f2da5ec4f8f9d2f)

21 months agokernel: support "linux,default-trigger" in leds-bcm63138
Rafał Miłecki [Wed, 1 Mar 2023 07:52:26 +0000 (08:52 +0100)]
kernel: support "linux,default-trigger" in leds-bcm63138

This driver is backported from the v6.0 which deals with
"linux,default-trigger" in leds core. For kernel 5.4 we need
leds-bcm63138 to read trigger on its own.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
21 months agomac80211: Update to version 5.10.168-1
Hauke Mehrtens [Sun, 29 Jan 2023 18:05:52 +0000 (19:05 +0100)]
mac80211: Update to version 5.10.168-1

This update mac80211 to version 5.10.168-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months agokernel: bump 5.4 to 5.4.231
Hauke Mehrtens [Sun, 12 Feb 2023 23:56:17 +0000 (00:56 +0100)]
kernel: bump 5.4 to 5.4.231

Compile-tested: x86/64
Run-tested: x86/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months agoopenssl: bump to 1.1.1t
John Audia [Tue, 7 Feb 2023 19:56:52 +0000 (14:56 -0500)]
openssl: bump to 1.1.1t

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358a149a17411657b12103ccebfbdb11b)

The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
21 months agosunxi: fix wifi connection for Banana Pi M2 Berry
Josef Schlehofer [Sat, 1 May 2021 06:51:12 +0000 (08:51 +0200)]
sunxi: fix wifi connection for Banana Pi M2 Berry

fixes the problem that the banana pi m2 berry cannot connect to wifi and cannot be used as an access point

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit ff2bb16730f629d54bde8ba85c75d8614741e3fd)
Signed-off-by: LizenzFass78851 <82592556+LizenzFass78851@users.noreply.github.com>
21 months agompc85xx: Drop pci aliases to avoid domain changes
Martin Kennedy [Tue, 30 Aug 2022 00:47:24 +0000 (20:47 -0400)]
mpc85xx: Drop pci aliases to avoid domain changes

As of upstream Linux commit 0fe1e96fef0a ("powerpc/pci: Prefer PCI
domain assignment via DT 'linux,pci-domain' and alias"), the PCIe
domain address is no longer numbered by the lowest 16 bits of the PCI
register address after a fallthrough. Instead of the fallthrough, the
enumeration process accepts the alias ID (as determined by
`of_alias_scan()`). This causes e.g.:

9000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
9000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...

to become

0000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
0000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...

... which then causes the sysfs path of the netdev to change,
invalidating the `wifi_device.path`s enumerated in
`/etc/config/wireless`.

One other solution might be to migrate the uci configuration, as was
done for mvebu in commit 0bd5aa89fcf2 ("mvebu: Migrate uci config to
new PCIe path"). However, there are concerns that the sysfs path will
change once again once some upstream patches[^2][^3] are merged and
backported (and `CONFIG_PPC_PCI_BUS_NUM_DOMAIN_DEPENDENT` is enabled).

Instead, remove the aliases and allow the fallthrough to continue for
now. We will provide a migration in a later release.

This was first reported as a Github issue[^1].

[^1]: https://github.com/openwrt/openwrt/issues/10530
[^2]: https://lore.kernel.org/linuxppc-dev/20220706104308.5390-1-pali@kernel.org/t/#u
[^3]: https://lore.kernel.org/linuxppc-dev/20220706101043.4867-1-pali@kernel.org/

Fixes: #10530
Tested-by: Martin Kennedy <hurricos@gmail.com>
[Tested on the Aerohive HiveAP 330 and Extreme Networks WS-AP3825i]
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(cherry picked from commit 7f4b4c29f3489697dca7495216460d0ed5023e02)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
22 months agokernel: bump 5.4 to 5.4.230
Hauke Mehrtens [Sat, 28 Jan 2023 18:09:19 +0000 (19:09 +0100)]
kernel: bump 5.4 to 5.4.230

Compile-tested: x86/64
Run-tested: x86/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
22 months agokernel: Reorder configuration
Hauke Mehrtens [Sat, 28 Jan 2023 18:25:32 +0000 (19:25 +0100)]
kernel: Reorder configuration

This was done by running these commands:
./scripts/kconfig.pl '+' target/linux/generic/config-5.4 /dev/null > target/linux/generic/config-5.4-new
mv target/linux/generic/config-5.4-new target/linux/generic/config-5.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
22 months agokernel: expose (unhide) CONFIG_ASN1 as ksmbd requirement
Rafał Miłecki [Mon, 23 Jan 2023 12:23:29 +0000 (13:23 +0100)]
kernel: expose (unhide) CONFIG_ASN1 as ksmbd requirement

OpenWrt provides kmod-asn1-decoder for CONFIG_ASN1 but selecting it
doesn't really work as expected. Kernel symbol is hidden and can be
actually selected only as a dependency. That works well for in-kernel
stuff but fails for external modules requiring ASN1 like ksmbd.

Modify kernel Kconfig to make CONFIG_ASN1 always selectable. It's
required to satisfy ksmbd dependencies cleanly (without hack like
selecting unrelated modules).

Link: http://lists.openwrt.org/pipermail/openwrt-devel/2023-January/040298.html
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
22 months agoscripts/dl_github_archieve.py: fix generating unreproducible tar
Christian Marangi [Thu, 12 Jan 2023 13:46:58 +0000 (14:46 +0100)]
scripts/dl_github_archieve.py: fix generating unreproducible tar

Allign dl_github_archieve.py to 8252511dc0b5a71e9e64b96f233a27ad73e28b7f
change. On supported system the sigid bit is applied to files and tar
archieve that on tar creation. This cause unreproducible tar for these
system and these bit should be dropped to produce reproducible tar.

Add the missing option following the command options used in other
scripts.

Fixes: 75ab064d2b38 ("build: download code from github using archive API")
Suggested-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5f1758ef14575df4e86896526b1c2035c231899e)

22 months agoopkg: add patch to avoid remove package repeatly with force
Josef Schlehofer [Mon, 12 Dec 2022 22:08:05 +0000 (23:08 +0100)]
opkg: add patch to avoid remove package repeatly with force

This patch was taken from the OpenWrt-devel mailing list:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg59794.html

It is included already in OpenWrt master branch and OpenWrt 22.03
release as it was included in opkg-lede repository:
https://git.openwrt.org/?p=project/opkg-lede.git;a=commit;h=9c44557a776da993c2ab80cfac4dbd8d59807d01

However, it is not included in OpenWrt 21.02, where the same issue is
happening.

Fixes: CI for https://github.com/openwrt/packages/pull/20074
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
22 months agokernel: add kmod-nvme package
Daniel Golle [Tue, 26 Jul 2022 08:17:07 +0000 (10:17 +0200)]
kernel: add kmod-nvme package

Add driver for NVM Express block devices, ie. PCIe connected SSDs.

Targets which allow booting from NVMe (x86, maybe some mvebu boards come
to mind) should have it built-in, so rootfs can be mounted from there.
For targets without NVMe support in bootloader or BIOS/firmware it's
sufficient to provide the kernel module package.

On targets having the NVMe driver built-in the resulting kmod package
is an empty dummy. In any case, depending on or installing kmod-nvme
results in driver support being available (either because it was already
built-in or because the relevant kernel modules are added and loaded).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbe53352e38d20bb5245158b19d4ff810c209548)

22 months agonetfilter: remove no-op kconfig symbols
Rui Salvaterra [Wed, 28 Apr 2021 12:54:17 +0000 (13:54 +0100)]
netfilter: remove no-op kconfig symbols

These have long been obsolete. For reference, here's the Linux version where
each symbol has been dropped:

CONFIG_IP6_NF_QUEUE - 3.5
CONFIG_IP6_NF_TARGET_LOG - 3.4
CONFIG_IP_NF_MATCH_DSCP - 2.6.19
CONFIG_NF_CONNTRACK_IPV4 - 4.19
CONFIG_NF_CONNTRACK_IPV6 - 4.19
CONFIG_NF_CONNTRACK_RTCACHE - out-of-tree, superseded by flow offloading

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit d7956c57284624f4bc7b905d192c81e1d34576fe)

22 months agokernel: kmod-isdn4linux: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 13:13:36 +0000 (15:13 +0200)]
kernel: kmod-isdn4linux: Remove package

The isdn4linux drivers and subsystem was removed in kernel 5.3, remove
the kernel package also from OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db55dea5fc047190af188f07018e99b0c7a4bdde)

22 months agokernel: kmod-ipt-ulog: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 12:31:59 +0000 (14:31 +0200)]
kernel: kmod-ipt-ulog: Remove package

The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)

22 months agokernel: kmod-w1-slave-ds2760: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 11:32:31 +0000 (13:32 +0200)]
kernel: kmod-w1-slave-ds2760: Remove package

The w1_ds2760.ko driver was merged into the ds2760_battery.ko driver.
The driver was removed and this package was never build any more.
This happened with kernel 4.19.

Remove this unused package.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5808973d141f488e06efe4749dbf651565fd5510)

22 months agokenrel: kmod-rtc-pt7c4338: Remove package
Hauke Mehrtens [Sun, 7 Aug 2022 12:42:01 +0000 (14:42 +0200)]
kenrel: kmod-rtc-pt7c4338: Remove package

The rtc-pt7c4338.ko was never upstream under this name, the driver was
removed from OpenWrt some years ago, remove the kmod-rtc-pt7c4338
package too.

Fixes: 74d00a8c3849 ("kernel: split patches folder up into backport, pending and hack folders")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5ccf4dcf8864c1d940b65067d8c6f7c4e5858ae2)

22 months agokernel: build crypto md5/sha1/sha256 modules for powerpc
Josef Schlehofer [Tue, 30 Aug 2022 07:02:32 +0000 (09:02 +0200)]
kernel: build crypto md5/sha1/sha256 modules for powerpc

This builds and enables kernel optimized modules for mpc85xx target:
- CONFIG_CRYPTO_MD5_PPC [1]
- CONFIG_CRYPTO_SHA1_PPC_SPE [2]
- CONFIG_CRYPTO_SHA256_PPC_SPE [3]

Where it was possible, then use Signal Processing Engine, because
CONFIG_SPE is already enabled in mpc85xx config.

[1] https://cateee.net/lkddb/web-lkddb/CRYPTO_MD5_PPC.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA1_PPC.html
[3] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA256_PPC_SPE.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3a702f8733ff371f30e9e3ba1e1aed5f4686b6b4)

22 months agokernel: fix typo for tegra crypto-sha1 module
Josef Schlehofer [Tue, 30 Aug 2022 06:51:37 +0000 (08:51 +0200)]
kernel: fix typo for tegra crypto-sha1 module

Fixes: e889489bedfd2830411bd0cf6564b8272aa9c254 ("kernel: build
arm/neon-optimized sha1/512 modules")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit f8f9d6901c6a7c85e6b18fba665175646fb53ec7)

22 months agoCI: build: fix external toolchain use with release tag tests
Christian Marangi [Wed, 4 Jan 2023 18:26:16 +0000 (19:26 +0100)]
CI: build: fix external toolchain use with release tag tests

When a new tag for a release is created, the just checkout repo from
github actions will already have such tag locally created.

This will result in git fetch --tags failing with error rejecting the
remote tag with (would clobber existing tag).

Add -f option to overwrite any local tags and always fetch them from
remote.

Fixes: e24a1e6f6d7f ("CI: build: add support for external toolchains from stable branch")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit f655923b362e9f2d70672eee9c1fa82550a145a6)

23 months agolayerscape: fix felix DSA driver compilation
Rafał Miłecki [Tue, 3 Jan 2023 07:34:43 +0000 (07:34 +0000)]
layerscape: fix felix DSA driver compilation

It isn't used at the moment but let's fix it anyway.

This fixes:
  CC      drivers/net/dsa/ocelot/felix.o
drivers/net/dsa/ocelot/felix.c:646:22: error: initialization of 'enum dsa_tag_protocol (*)(struct dsa_switch *, int,  enum dsa_tag_protocol)' from incompatible pointer type 'enum dsa_tag_protocol (*)(struct dsa_switch *, int)' [-Werror=incompatible-pointer-types]
  .get_tag_protocol = felix_get_tag_protocol,
                      ^~~~~~~~~~~~~~~~~~~~~~

for users enabling CONFIG_NET_DSA_MSCC_FELIX.

Fixes: 1f5024aa73fc ("kernel: backport b53/bcm_sf2 changes from v5.6")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agorealtek: update rtl83xx switch driver to the updated DSA API
Rafał Miłecki [Mon, 2 Jan 2023 16:26:56 +0000 (17:26 +0100)]
realtek: update rtl83xx switch driver to the updated DSA API

This fixes:
  CC      drivers/net/dsa/rtl83xx/dsa.o
drivers/net/dsa/rtl83xx/dsa.c:1274:22: error: initialization of 'enum dsa_tag_protocol (*)(struct dsa_switch *, int,  enum dsa_tag_protocol)' from incompatible pointer type 'enum dsa_tag_protocol (*)(struct dsa_switch *, int)' [-Werror=incompatible-pointer-types]
  .get_tag_protocol = rtl83xx_get_tag_protocol,
                      ^~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/dsa/rtl83xx/dsa.c:1274:22: note: (near initialization for 'rtl83xx_switch_ops.get_tag_protocol')
drivers/net/dsa/rtl83xx/dsa.c:1316:22: error: initialization of 'enum dsa_tag_protocol (*)(struct dsa_switch *, int,  enum dsa_tag_protocol)' from incompatible pointer type 'enum dsa_tag_protocol (*)(struct dsa_switch *, int)' [-Werror=incompatible-pointer-types]
  .get_tag_protocol = rtl83xx_get_tag_protocol,
                      ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 1f5024aa73fc ("kernel: backport b53/bcm_sf2 changes from v5.6")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agorampis: fix Reference to non-existent node for GB-PC2
Arınç ÜNAL [Sat, 31 Dec 2022 12:41:53 +0000 (13:41 +0100)]
rampis: fix Reference to non-existent node for GB-PC2

Fix cannot build: Reference to non-existent node or label
"macaddr_factory_e000" dtb compilation error.

The cherry-pick had to be reworked to use the old mtd-mac-address way as
openwrt-21.02 still wasn't migrated to nvmem implementation.

Fixes: d604032c2a50 ("ramips: fix GB-PC1 and GB-PC2 device support")
Fixes: #11654
Fixes: #11385
Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
[ rework commit message, add more fixes tag ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
23 months agodnsmasq: Backport DHCPv6 server fix (CVE-2022-0934)
Hauke Mehrtens [Tue, 1 Nov 2022 14:17:03 +0000 (15:17 +0100)]
dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934)

This backports a commit from upstream dnsmasq to fix CVE-2022-0934.

CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 002a99eccd75fb653163bae0a1132bd4f494e7ad)

23 months agogeneric: 5.4: refresh kernel patches
Christian Marangi [Fri, 16 Dec 2022 21:34:12 +0000 (22:34 +0100)]
generic: 5.4: refresh kernel patches

Refresh kernel patches due to new spi nor patch.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
23 months agogeneric: add support for EON EN25QX128A spi nor flash
Christian Marangi [Fri, 14 Oct 2022 19:00:39 +0000 (21:00 +0200)]
generic: add support for EON EN25QX128A spi nor flash

Add support for EON EN25QX128A spi nor flash with no flags as it does
support SFDP parsing.

Fixes: #9442
Tested-by: Szabolcs Hubai <szab.hu@gmail.com> [ramips/mt7621: xiaomi_mi-router-4a-gigabit]
(cherry picked from commit d7876daf6552a9f39bd5e0bf50b554e9406ec275)
[ apply the same patch to 5.4 kernel ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
23 months agotools/mkimage: fix build on MacOS arm64
Sergey V. Lobanov [Thu, 2 Dec 2021 16:02:23 +0000 (19:02 +0300)]
tools/mkimage: fix build on MacOS arm64

Fixed -no-pie compilation warning on MacOS
Fixed errors related to using absolute addressing on MacOS arm64

Based on upstream patch from Jessica Clarke and suggestions from Ronny Kotzschmar

Link to original patch and discussion:
https://github.com/u-boot/u-boot/commit/3b142045e8a7f0ab17b6099e9226296af45967d0

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
(cherry picked from commit 8261b85844a0018c6c79e10c1abb581aca102e45)

23 months agoCI: kernel: don't checkout and install feeds
Christian Marangi [Wed, 7 Dec 2022 17:12:31 +0000 (18:12 +0100)]
CI: kernel: don't checkout and install feeds

We don't need to checkout feed and install feeds for kernel tests. This
saves up to 2 minutes for each target kernel build test.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 925e2a155ee4d4cc792fbf68aa9666e32a1f649b)

23 months agoCI: build: skip sdk adapt to external toolchain on cache hit
Christian Marangi [Wed, 7 Dec 2022 17:09:18 +0000 (18:09 +0100)]
CI: build: skip sdk adapt to external toolchain on cache hit

On cache hit, skip sdk adapt to external toolchain. This is needed because we
cache the already extracted sdk and that is already adapted to be used
as external toolchain.

Rerunning the adap step will result in the test to fail for missing file
as the file are already got wrapped to the external toolchain format.

Fixes: 42f0ab028e2e ("CI: build: fix use of sdk as toolchain")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 99eaedfe3966b1ca812e8a962197cf91286247f7)

23 months agokernel: backport b53/bcm_sf2 changes from v5.8
Rafał Miłecki [Wed, 7 Dec 2022 08:57:47 +0000 (09:57 +0100)]
kernel: backport b53/bcm_sf2 changes from v5.8

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agokernel: backport b53/bcm_sf2 changes from v5.7
Rafał Miłecki [Wed, 7 Dec 2022 08:48:32 +0000 (09:48 +0100)]
kernel: backport b53/bcm_sf2 changes from v5.7

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agokernel: backport b53/bcm_sf2 changes from v5.6
Rafał Miłecki [Wed, 7 Dec 2022 08:37:08 +0000 (09:37 +0100)]
kernel: backport b53/bcm_sf2 changes from v5.6

This b53 backport significantly stabilizes switch traffic performance.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agokernel: backport b53/bcm_sf2 changes from v5.5
Rafał Miłecki [Wed, 7 Dec 2022 08:26:11 +0000 (09:26 +0100)]
kernel: backport b53/bcm_sf2 changes from v5.5

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
23 months agocmake: update to version 3.19.8
Adam Konrad [Sun, 27 Nov 2022 04:23:20 +0000 (22:23 -0600)]
cmake: update to version 3.19.8

Updating CMake to latest patched version 3.19.8 which is fixing issue with ccache.

Related issue: https://github.com/openwrt/openwrt/issues/8555

Compile-tested: arm64

Signed-off-by: Adam Konrad <git@adamkonrad.com>
23 months agoCI: build: fix use of sdk as toolchain
Christian Marangi [Mon, 5 Dec 2022 22:23:04 +0000 (23:23 +0100)]
CI: build: fix use of sdk as toolchain

The toolchain included in a sdk have a different format than an external
toolchain tar.

Since sdk is a more integrated setup doesn't use and include wrapper bin
that use the external toolchain config and use an alternative and more
standard way to include all the toolchain headers.

External toolchain use wrapper.sh to append the configured include
header when each tool is called.

Fix the sdk toolchain by reverting their own sdk wrapper scripts and to
simulate an external toolchain build copying what is done in the
toolchain target makefile.

This handle compilation error and warning caused by not using fortify
header on building packages.

Fixes: 006e52545d14 ("CI: build: add support to fallback to sdk for external toolchain")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 42f0ab028e2eae0d4e7acf9db7fd68b256f23503)

23 months agotoolchain: Select USE_SSTRIP with external musl toolchain
Hauke Mehrtens [Sun, 11 Sep 2022 22:29:00 +0000 (00:29 +0200)]
toolchain: Select USE_SSTRIP with external musl toolchain

When we use the internal toolchain USE_SSTRIP will be selected by
default for musl libc and USE_STRIP when glibc is used. Do the same when
an external toolchain is used. USE_GLIBC will also be set for external
toolchain builds based on the EXTERNAL_TOOLCHAIN_LIBC_USE_GLIBC setting.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 9403810c020cca136149973a3929bf77a1f501aa)

23 months agosdk: expose binary strip settings
David Bauer [Fri, 20 Nov 2020 02:03:54 +0000 (03:03 +0100)]
sdk: expose binary strip settings

Expose the SDK options for binary stripping to the menuconfig. This
way, packages can easily be built with debug symbols using the SDK.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit bb817bb4b8b0b546a70e45bd907ebfeea2370dcd)

23 months agoCI: trigger check also on build and check-kernel-patches workflow change
Christian Marangi [Sun, 4 Dec 2022 19:58:11 +0000 (20:58 +0100)]
CI: trigger check also on build and check-kernel-patches workflow change

Since kernel and packages workflow now use a shared build workflow, they
also need to react on changes on these shared workflow.

Fix this and add these shared workflow to the event paths to check.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 644175c29ca11e0a008c58c82986045f738f5c6f)

23 months agoCI: build: fix matching for openwrt release branch for toolchain parsing
Christian Marangi [Sun, 4 Dec 2022 19:36:11 +0000 (20:36 +0100)]
CI: build: fix matching for openwrt release branch for toolchain parsing

The current match logic doesn't handle test for push events related to
stable release (example openwrt-22.03) but only fork with the related
prefix (example openwrt-22.03-fixup)

Fix wrong matching and while at it also add extra checks to other
matching (check if the branch name actually start with the requested
prefix)

Fixes: e24a1e6f6d7f ("CI: build: add support for external toolchains from stable branch")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit e3cf2b84e5f8708ca17d931ef60746516c8a2fe4)

23 months agoCI: fix matching for openwrt release branch for container selection
Christian Marangi [Sun, 4 Dec 2022 19:28:28 +0000 (20:28 +0100)]
CI: fix matching for openwrt release branch for container selection

The current match logic doesn't handle test for push events related to
stable release (example openwrt-22.03) but only fork with the related
prefix (example openwrt-22.03-fixup)

Fix wrong matching and while at it also add extra checks to other
matching (check if the branch name actually start with the requested
prefix)

Fixes: abe8a4824210 ("CI: build: add support for per branch tools container")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 65c3d19c4b28ccac0d08d916de0ffa4c0e7b3dc2)

2 years agoCI: labeler: fix wrong label for pr targeting stable branch
Christian Marangi [Thu, 1 Dec 2022 00:46:03 +0000 (01:46 +0100)]
CI: labeler: fix wrong label for pr targeting stable branch

The label used for stable branch is in the form of
release/[0-9][0-9].[0-9][0-9]
Currently we apply the name of the target branch as the label, fix this
and correctly use the current label.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit af8bc8e51b6daef65c497522b67a1dd9d0cdab84)

2 years agoCI: add support to tag pr targeting stable branch
Christian Marangi [Tue, 29 Nov 2022 18:53:23 +0000 (19:53 +0100)]
CI: add support to tag pr targeting stable branch

Add support to tag pr targeting stable branch matching the simple regex
of openwrt-[0-9][0-9].[0-9][0-9]. The tag that will be added will match
the pr target branch.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b67d284e93ee052e3ea3abb5d3dae55723ce0353)

2 years agokernel: split kernel version to dedicated files
Ansuel Smith [Mon, 10 Jan 2022 16:02:30 +0000 (17:02 +0100)]
kernel: split kernel version to dedicated files

Move the kernel versions and hash to dedicated files.
This makes kernel bump quicker and fix some annoying
problem with rebasing when multiple kernel bump are proposed.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[Rebased on top of current master]
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit 0765466a42f46f7357e260866a4284ed567bb7ad)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[Rebased on top of current openwrt-21.02]

2 years agobuild: handle directory with whitespace in AUTOREMOVE clean
Christian Marangi [Wed, 7 Sep 2022 21:50:36 +0000 (23:50 +0200)]
build: handle directory with whitespace in AUTOREMOVE clean

Package with whitespace in their build directory are not correctly
removed when CONFIG_AUTOREMOVE is enabled. This is caused by xargs that
use whitespace as delimiters. To handle this use \0 as the delimiter and
set find to use \0 as the delimiter.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit dccee21792b89031bcd801030de403f195d80278)

2 years agoCI: build: add support to fallback to sdk for external toolchain
Christian Marangi [Mon, 28 Nov 2022 15:12:13 +0000 (16:12 +0100)]
CI: build: add support to fallback to sdk for external toolchain

Add support to use sdk as external toolchain if the packaged external
toolchain tar is not found on openwrt servers for build shared workflow.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b59ac2a7d0ff427419e86bd38dea3d8910dd7926)

2 years agoCI: build: add support for external toolchains from stable branch
Christian Marangi [Mon, 28 Nov 2022 11:44:01 +0000 (12:44 +0100)]
CI: build: add support for external toolchains from stable branch

Add support to use external toolchains from stable branch if we are
testing commit targeting stable openwrt branch in kernel and packages
workflow.

With pr the target branch is parsed and the right toolchain is used.

To use the stable toolchain for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9]- (example openwrt-21.02-fixup)

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit e24a1e6f6d7f08fb766eb11b8008f8fc5b72d072)

2 years agoCI: build: add support for per branch tools container
Christian Marangi [Sun, 27 Nov 2022 18:53:08 +0000 (19:53 +0100)]
CI: build: add support for per branch tools container

Add support in build shared workflow for per branch tools container.

With pr the target branch is parsed and the right container is used.

To use the stable container for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9]- (example openwrt-21.02-fixup)

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit abe8a4824210966e0899724bf4561a89216a1e36)

2 years agoCI: tools: support per branch tools container
Christian Marangi [Sun, 27 Nov 2022 18:45:38 +0000 (19:45 +0100)]
CI: tools: support per branch tools container

Add support to push per branch container tools.
For anything not official stick to latest tag that correspond to test
run from master.

If we are testing something for one of the openwrt stable branch, parse
the branch name or the tag and push dedicated tools containers.

To use the stable container for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9] (example openwrt-21.02-fixup)

Any branch that will match this pattern openwrt-[0-9][0-9].[0-9][0-9]
will refresh the tools container with the matching tag.
(example branch openwrt-22.03 -> tools:openwrt-22.03)
(example branch openwrt-22.03-test -> tools:openwrt-22.03)

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 75550771ae76fbcab4160e10b73287f918727384)

2 years agoCI: Build all boards and testing kernel
Hauke Mehrtens [Sat, 3 Dec 2022 02:04:40 +0000 (03:04 +0100)]
CI: Build all boards and testing kernel

This adds options to build all boards of a selected target and an
additional option to build the testing kernel instead of the normal
kernel. This can be used by other trigger work flows.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cf361b85097216538dfac5ad7b22050390b0bc67)

2 years agoCI: Allow building with internal toolchain
Hauke Mehrtens [Sat, 5 Nov 2022 13:27:11 +0000 (14:27 +0100)]
CI: Allow building with internal toolchain

This adds an option to build with internal toolchain. This can be used
to build targets which are currently not build by the OpenWrt build bots
and which needs their own toolchain build for every build.

Building the toolchain takes about 30 minutes compared to using the
external toolchain which takes some seconds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 08f5283392674fe874c7f441128319263ce0d171)

2 years agoCI: Extract the OpenWrt building to own sub workflow
Hauke Mehrtens [Tue, 1 Nov 2022 18:10:01 +0000 (19:10 +0100)]
CI: Extract the OpenWrt building to own sub workflow

Extract the building of OpenWrt into an own workflow which is then
triggered by the kernel.yml and packages.yml workflow with different
inputs. This allows us to share much of the code of the workflow.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7c406a5f0837b0bfc293b723932695176a8ef6fe)

2 years agoCI: Simplify if conditions
Hauke Mehrtens [Sat, 5 Nov 2022 13:38:35 +0000 (14:38 +0100)]
CI: Simplify if conditions

There is no need to put a ${{ }} around the if conditions.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ce343653c2618e1d335662b924c382c0192b7b46)

2 years agometa: drop issue_template
Jo-Philipp Wich [Wed, 9 Feb 2022 16:26:58 +0000 (17:26 +0100)]
meta: drop issue_template

The contents do not apply anymore now that the switch to Github issue
has been decided.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 64125ed1d0067f0648f2669b29b59a77ece3bf10)

2 years agoCI: packages.yml: Fix usage of pre-build tools
Hauke Mehrtens [Wed, 2 Nov 2022 21:17:51 +0000 (22:17 +0100)]
CI: packages.yml: Fix usage of pre-build tools

Activate CONFIG_AUTOREMOVE to match the settings used to build the
pre-build tools. This has to match the pre-build tools to not rebuild
them.

This prevents the tools being rebuild in packages.yml.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 6645a019f88e2e6930fe63d1a51046a8e72445a0)

2 years agoCI: packages: Add github CI job to build all packages
Hauke Mehrtens [Sun, 7 Aug 2022 16:46:11 +0000 (18:46 +0200)]
CI: packages: Add github CI job to build all packages

This will build OpenWrt for MIPS malta BE and x86 64 Bit with all
packages and kernel modules activated. It is triggered when something
changes in the build system or when a package definition is changed.
This task probably needs 90 minutes to execute, but I hope that it
will find build problems in pull requests early.

This intentionally does not activate the feeds, because building them
too would take too long. We only build x86/64 and malta/be to save
resources.

I would like to detect build problems when a package is changed. We
often had build breaks when a package version was increased sometime
even in other packages which used it as a dependency.

This is based on the .github/workflows/packages.yml workflow.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b99d3778863d6ba67ee1ebda6fd42413062c6480)

2 years agoCI: kernel: fix deprecation of set-output
Christian Marangi [Fri, 21 Oct 2022 14:09:19 +0000 (16:09 +0200)]
CI: kernel: fix deprecation of set-output

From [0], github deprecated set-output with a better approach of
appending variables to $GITHUB_OUTPUT

[0] https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 6d4bcadaa343cb969f370631a5ed5338306c056e)

2 years agoci: kernel: trigger build check on changes in kernel.mk as well
Petr Štetiar [Wed, 19 Oct 2022 21:02:43 +0000 (23:02 +0200)]
ci: kernel: trigger build check on changes in kernel.mk as well

So we can QA more parts of kernel build process.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 5e31c82bb506bff9c60c4d01791bea7a29e4a020)

2 years agoCI: kernel: check if patch are refreshed for each target
Christian Marangi [Sat, 15 Oct 2022 08:56:46 +0000 (10:56 +0200)]
CI: kernel: check if patch are refreshed for each target

Enforce refreshed patch for each target with kernel pr tests.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 689cfaeb7c37d7199f6e552bf32b0f996ea3040a)

2 years agoCI: labeler: target major version of labeler action
Christian Marangi [Wed, 12 Oct 2022 14:49:46 +0000 (16:49 +0200)]
CI: labeler: target major version of labeler action

Target major version of labeler to include minor fixes and use always
the latest major version with included fixes.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5fb7232bc0592cb2e1818fa47dfaecc291c8514e)

2 years agoCI: bump actions/download,upload-artifact action to v3
Christian Marangi [Wed, 12 Oct 2022 14:48:46 +0000 (16:48 +0200)]
CI: bump actions/download,upload-artifact action to v3

Bump actions/download,upload-artifact action to v3 on every workflow
to mute node deprecation warning.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 77b24012db1d696ca87c03fa1bb8bdf2606119e7)

2 years agoCI: bump actions/checkout action to v3
Christian Marangi [Wed, 12 Oct 2022 13:24:11 +0000 (15:24 +0200)]
CI: bump actions/checkout action to v3

Bump actions/checkout action to v3 on every workflow to mute node
deprecation warning.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 87c69d73bb4021bf3a26217b3a652ce262637b1e)

2 years agoCI: kernel: generate ccache cache on kernel push
Christian Marangi [Sat, 8 Oct 2022 17:25:54 +0000 (19:25 +0200)]
CI: kernel: generate ccache cache on kernel push

To actually use ccache cache on kernel test from pr, the kernel workflow
has to be run first from a push action.

This will permit as a side effect to test merged commits and catch commit
that may cause regression in kernel compilation even outside the github
system.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 23e946d1aded1fc21125704c0819146d5772d72b)

2 years agoCI: kernel: use ccache to speedup workflow
Christian Marangi [Tue, 4 Oct 2022 16:43:38 +0000 (18:43 +0200)]
CI: kernel: use ccache to speedup workflow

Use ccache to speedup kernel compilation.
Ccache dir is cached across each build test. To refresh ccache directory
we generate an hash of the kernel include files, that includes the
kernel versions of every kernel supported and the kernel compile
includes.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 137ba15e6ef31534a2002a02e69b774232f0b040)

2 years agoCI: tools: compile tools with ccache support for tools container
Christian Marangi [Tue, 4 Oct 2022 16:38:57 +0000 (18:38 +0200)]
CI: tools: compile tools with ccache support for tools container

Enable ccache support for tools container, useful to speedup other
workflow even more.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 2781e3839e7f4f6132a2737ee9f988f40fa58d99)

2 years agoCI: Add workaround for github uppercase usernames
Edward Chow [Mon, 3 Oct 2022 11:39:58 +0000 (19:39 +0800)]
CI: Add workaround for github uppercase usernames

The workflow defined in tools.yml and kernel.yml used to fail on
forked repositories of contributers whose github username contains
uppercase letters.

A workaround mentioned in
https://github.com/orgs/community/discussions/27086 and
https://stackoverflow.com/questions/70326569/ is applied.

Signed-off-by: Edward Chow <equu@openmail.cc>
(cherry picked from commit c27b43956407f3adc3cc2693792acd6b40a01877)