openwrt/staging/hauke.git
2 years agoOpenWrt v19.07.10: adjust config defaults v19.07.10
Hauke Mehrtens [Sun, 17 Apr 2022 17:35:25 +0000 (19:35 +0200)]
OpenWrt v19.07.10: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agowolfssl: bump to 5.2.0
Eneas U de Queiroz [Fri, 8 Apr 2022 13:27:25 +0000 (10:27 -0300)]
wolfssl: bump to 5.2.0

Fixes two high-severity vulnerabilities:

- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
  can be bypassed.  If a malicious client does not send the
  certificate_verify message a client can connect without presenting a
  certificate even if the server requires one.

- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
  v1.3 server can have its certificate heck bypassed. If the sig_algo in
  the certificate_verify message is different than the certificate
  message checking may be bypassed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [ABI version change]
(cherry picked from commit e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
(cherry picked from commit 2393b09b5906014047a14a79c03292429afcf408)

2 years agomac80211: Update to version 4.19.237-1
Hauke Mehrtens [Mon, 11 Apr 2022 20:14:47 +0000 (22:14 +0200)]
mac80211: Update to version 4.19.237-1

This updates mac80211 to version 4.19.237-1 which is based on kernel
4.19.237.

This new release contains many fixes which were merged into the upstream
Linux kernel.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agokernel: generic: add missing symbol for arm64 spectre mitigation
Petr Štetiar [Wed, 6 Apr 2022 17:58:56 +0000 (19:58 +0200)]
kernel: generic: add missing symbol for arm64 spectre mitigation

Upstream in commit 3e3904125fcc ("arm64: Mitigate spectre style branch
history side channels") introduced new config symbol
MITIGATE_SPECTRE_BRANCH_HISTORY which I missed in commit d39a6c67dcb4
("kernel: bump 4.14 to 4.14.275") and buildworkers for arm64 targets
started complaining:

 Mitigate Spectre style attacks against branch history (MITIGATE_SPECTRE_BRANCH_HISTORY) [Y/n/?] (NEW) aborted!

Fixes: d39a6c67dcb4 ("kernel: bump 4.14 to 4.14.275")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agokernel: generic: reorder kernel config options
Petr Štetiar [Wed, 6 Apr 2022 17:56:07 +0000 (19:56 +0200)]
kernel: generic: reorder kernel config options

So it's sorted and tidy.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agoimagebuilder: fix broken image generation with external targets
Petr Štetiar [Thu, 24 Mar 2022 05:52:37 +0000 (06:52 +0100)]
imagebuilder: fix broken image generation with external targets

When using external targets there is a symlink being created for the
target under target/linux which then becomes dangling under Image
Builder. Fix it by dereferencing the possible symlink.

Tested on IB with external target, ipq40xx and mvebu.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 621f39d1f438bf95dbae667c575926fa16a6d797)
(cherry picked from commit ec9af870f3278f75549836b469baefa260e2ed41)
(cherry picked from commit 3008f1f441a41e162311cee1ccadfdaaec1581c1)

2 years agokernel: bump 4.14 to 4.14.275
Petr Štetiar [Tue, 5 Apr 2022 12:20:05 +0000 (14:20 +0200)]
kernel: bump 4.14 to 4.14.275

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agopatchelf: backport fix for rpath endianness
Petr Štetiar [Thu, 31 Mar 2022 07:44:25 +0000 (09:44 +0200)]
patchelf: backport fix for rpath endianness

This is backport of upstream fix introduced in commit e88d83c8b4e4
("patchelf: Check ELF endianness before writing new runpath") which
fixes broken rpath handling on big endian systems:

 $ patchelf --set-rpath '/opt/foo/bar' lxc4-start
 $ readelf -d lxc4-start
 ...
  0x1d000000 (<unknown>: 1d000000)        0x72f
 ...

Expected output, having following patch applied is:

 $ readelf -d lxc4-start
 ...
  0x0000001d (RUNPATH)                    Library runpath: [/opt/foo/bar]
 ...

Build and runtime tested on mvebu/turris-omnia, ipq40xx/glinet-b1300
and external target xrx500/nec-wx3000hp (MIPS BE).

Signed-off-by: Matthias Van Gestel <matthias.vangestel_ext@softathome.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agokernel: bump 4.14 to 4.14.274
Petr Štetiar [Mon, 28 Mar 2022 09:39:18 +0000 (11:39 +0200)]
kernel: bump 4.14 to 4.14.274

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agoath79: fix link for long cables with OCEDO Raccoon
David Bauer [Fri, 25 Mar 2022 21:58:34 +0000 (22:58 +0100)]
ath79: fix link for long cables with OCEDO Raccoon

The OCEDO Raccoon had significant packet-loss with cables longer than 50
meter. Disabling EEE restores normal operation.

Also change the ethernet config to reduce loss on sub-1G links.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 4551bfd91f31be5987727c77e58333fa06ba3acd)

2 years agokernel: bump 4.14 to 4.14.273
Petr Štetiar [Thu, 24 Mar 2022 09:48:59 +0000 (10:48 +0100)]
kernel: bump 4.14 to 4.14.273

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agozlib: backport security fix for a reproducible crash in compressor
Petr Štetiar [Thu, 24 Mar 2022 05:45:04 +0000 (06:45 +0100)]
zlib: backport security fix for a reproducible crash in compressor

Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Runtime tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b3aa2909a79aeff20d594160b207a89dc807c033)
(cherry picked from commit 3965dda0fa70dc9408f1a2e55a3ddefde78bd50e)
(cherry picked from commit f65edc9b990c2bcc10c9e9fca29253adc6fe316d)

2 years agokernel: bump 4.14 to 4.14.272
Petr Štetiar [Wed, 16 Mar 2022 18:23:08 +0000 (19:23 +0100)]
kernel: bump 4.14 to 4.14.272

Added new config symbol `HARDEN_BRANCH_HISTORY` in order to harden
Spectre style attacks against branch history and fixed rejects in
following patches:

 * generic/hack-4.14/220-gc_sections.patch
 * generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

Other patches refreshed automagically.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agoopenssl: bump to 1.1.1n
Martin Schiller [Wed, 16 Mar 2022 14:04:56 +0000 (15:04 +0100)]
openssl: bump to 1.1.1n

This is a bugfix release. Changelog:

  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
     forever for non-prime moduli. (CVE-2022-0778)

  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
     (RFC 5489) to the list of ciphersuites providing Perfect Forward
     Secrecy as required by SECLEVEL >= 3.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit e17c6ee62770005e398364ee5d955c9a8ab6f016)

2 years agobase-files: call "sync" after initial setup
Rafał Miłecki [Tue, 1 Mar 2022 17:46:27 +0000 (18:46 +0100)]
base-files: call "sync" after initial setup

OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the
best solution as they almost never consider syncing files / data. Still
this is what we have and we need to try living with it.

Without proper syncing OpenWrt can easily get into an inconsistent state
on power cut. It's because:
1. Actual (flash) inode and data writes are not synchronized
2. Data writeback can take up to 30 seconds (dirty_expire_centisecs)
3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay"

Some possible cases (examples) for new files:
1. Power cut during 5 seconds after write() can result in all data loss
2. Power cut happening between 5 and 35 seconds after write() can result
   in empty file (inode flushed after 5 seconds, data flush queued)

Above affects e.g. uci-defaults. After executing some migration script
it may get deleted (whited out) without generated data getting actually
written. Power cut will result in missing data and deleted file.

There are three ways of dealing with that:
1. Rewriting all user-space init to proper C with syncs
2. Trying bash hacks (like creating tmp files & moving them)
3. Adding sync and hoping for no power cut during critical section

This change introduces the last solution that is the simplest. It
reduces time during which things may go wrong from ~35 seconds to
probably less than a second. Of course it applies only to IO operations
performed before /etc/init.d/boot . It's probably the stage when the
most new files get created.

All later changes are usually done using smarter C apps (e.g. busybox or
uci) that creates tmp files and uses rename() that is expected to be
atomic.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
(cherry picked from commit 9851d4b6ce6e89d164a04803817625a9041b060a)

2 years agokernel: bump 4.14 to 4.14.269
Hauke Mehrtens [Sun, 6 Mar 2022 13:44:11 +0000 (13:44 +0000)]
kernel: bump 4.14 to 4.14.269

All patches refreshed automagically without conflicts.

Compile-tested: lantiq/xrx200, armvirt/64
Run-tested: lantiq/xrx200, armvirt/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agoimagebuilder: fix partition signature
Matthew Gyurgyik [Fri, 13 Nov 2020 19:21:29 +0000 (11:21 -0800)]
imagebuilder: fix partition signature

When building images with the imagebuilder, the partition signature
never changes. The signature is generated by hashing SOURCE_DATE_EPOCH
and LINUX_VERMAGIC which are undefined. Prepopulate these variables, as
done by the SDK.

Signed-off-by: Matthew Gyurgyik <matthew@gyurgyik.io>
(cherry picked from commit aab36200e7eb539afb18df74476132f4750a9f0b)

2 years agowolfssl: fix API breakage of SSL_get_verify_result
Petr Štetiar [Tue, 22 Feb 2022 19:00:28 +0000 (20:00 +0100)]
wolfssl: fix API breakage of SSL_get_verify_result

Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
(cherry picked from commit b99d7aecc83fd180f7a3c3efaae00845e7a73129)

2 years agoubus: backport fixes for UAF and other issues
Petr Štetiar [Mon, 21 Feb 2022 06:41:05 +0000 (07:41 +0100)]
ubus: backport fixes for UAF and other issues

Backporting following fixes:

 a72457b61df0 libubus: increase stack depth for processing obj msgs
 ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
 2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg

where at least commit 2099bb3ad997 ("libubus: use
list_empty/list_first_entry in ubus_process_pending_msg") fixes UAF
issue I've introduced in commit c5f2053dfcfd ("workaround possibly false
positive uses of memory after it is freed") while fixing another false
positive UAF reported[1] by clang's static analyzer.

Those fixes are being used in master/21.02 for about 6 months, so should
be tested enough and considered for backporting. I've runtested those
fixes on mvebu/turris-omnia and ipq40xx/glinet-b1300 devices.

1. https://openwrt.gitlab.io/-/project/ubus/-/jobs/2096090992/artifacts/build/scan/2022-02-15-150310-70-1/index.html

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agowolfssl: bump to 5.1.1-stable
Petr Štetiar [Thu, 17 Feb 2022 14:51:26 +0000 (15:51 +0100)]
wolfssl: bump to 5.1.1-stable

This is amalgamation of backported changes since 4.7.0-stable release:

 Sergey V. Lobanov (2):

  5b13b0b02c70 wolfssl: update to 5.1.1-stable
  7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support

 Andre Heider (3):

  3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
  249478ec4850 wolfssl: always build with --enable-reproducible-build
  4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

 Ivan Pavlov (1):

  16414718f9ae wolfssl: update to 4.8.1-stable

 David Bauer (1):

  f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng

 Christian Lamparter (1):

  86801bd3d806 wolfssl: fix Ed25519 typo in config prompt

The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:

 * OCSP request/response verification issue. (fixed in 4.8.0)
 * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
 * Issue with incorrectly validating a certificate (fixed in 5.0.0)
 * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
 * Client side session resumption issue (fixed in 5.1.0)
 * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
 * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2 years agoar71xx: fix MikroTik wAP detection
Thibaut VARÈNE [Tue, 5 Oct 2021 15:32:54 +0000 (17:32 +0200)]
ar71xx: fix MikroTik wAP detection

MikroTik released a 3rd revision of that board, virtually identical
to the previous one as far as software is concerned.

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [wixed typo]
2 years agoOpenWrt v19.07.9: revert to branch defaults
Hauke Mehrtens [Thu, 17 Feb 2022 18:43:38 +0000 (19:43 +0100)]
OpenWrt v19.07.9: revert to branch defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agoOpenWrt v19.07.9: adjust config defaults v19.07.9
Hauke Mehrtens [Thu, 17 Feb 2022 18:43:34 +0000 (19:43 +0100)]
OpenWrt v19.07.9: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agokernel: bump 4.14 to 4.14.267
Petr Štetiar [Wed, 16 Feb 2022 16:50:59 +0000 (17:50 +0100)]
kernel: bump 4.14 to 4.14.267

All patches refreshed automagically without conflicts, but test builds
choked on new BPF_UNPRIV_DEFAULT_OFF kernel config symbol introduced in
upstream commit e69f08ba23a3 ("bpf: Add kconfig knob for disabling
unpriv bpf by default").

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agokernel: bump 4.14 to 4.14.266
Hauke Mehrtens [Sun, 13 Feb 2022 18:15:03 +0000 (19:15 +0100)]
kernel: bump 4.14 to 4.14.266

All patches refreshed automagically without conflicts.

Compile-tested: lantiq/xrx200
Run-tested: lantiq/xrx200

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agohostapd: Apply SAE/EAP-pwd side-channel attack update 2
Hauke Mehrtens [Sat, 12 Feb 2022 19:37:12 +0000 (20:37 +0100)]
hostapd: Apply SAE/EAP-pwd side-channel attack update 2

This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agombedtls: Update to version 2.16.12
Hauke Mehrtens [Sat, 29 Jan 2022 10:56:27 +0000 (11:56 +0100)]
mbedtls: Update to version 2.16.12

This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985)

2 years agombedtls: update to 2.16.11
Rosen Penev [Tue, 13 Jul 2021 20:27:09 +0000 (13:27 -0700)]
mbedtls: update to 2.16.11

Switched to AUTORELEASE to avoid manual increments.

Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80)

2 years agotcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
Hauke Mehrtens [Sun, 26 Dec 2021 22:38:52 +0000 (23:38 +0100)]
tcpdump: libpcap: Remove www.us.tcpdump.org mirror

The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
(cherry picked from commit 4dddb7ca3669e93d4da2b1ca43b8bc22bd007e48)

2 years agotcpdump: Fix CVE-2018-16301
Hauke Mehrtens [Sat, 12 Feb 2022 22:13:47 +0000 (23:13 +0100)]
tcpdump: Fix CVE-2018-16301

This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8f5875c4e221453932f217a82f8c3092cacba3e5)
(cherry picked from commit 59e7ae8d65ab9a9315608a69565f6a4247d3b1ac)

2 years agokernel: bump 4.14 to 4.14.265
Petr Štetiar [Thu, 10 Feb 2022 12:27:06 +0000 (13:27 +0100)]
kernel: bump 4.14 to 4.14.265

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agobuild: store SOURCE_DATE_EPOCH in JSON info files
Paul Spooren [Sun, 1 Nov 2020 21:53:39 +0000 (11:53 -1000)]
build: store SOURCE_DATE_EPOCH in JSON info files

The source date epoch is the only reproducible date close to the actual
build date. It can be used for tooling like the firmware wizard to show
the image age.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 165f0b00cdd2f763c1d478c2f58c535fc19b13bd)
[store source_date_epoch as integer]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2 years agokernel: bump 4.14 to 4.14.264
Petr Štetiar [Mon, 31 Jan 2022 10:52:40 +0000 (11:52 +0100)]
kernel: bump 4.14 to 4.14.264

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agokernel: bump 4.14 to 4.14.262
Petr Štetiar [Tue, 18 Jan 2022 13:50:02 +0000 (14:50 +0100)]
kernel: bump 4.14 to 4.14.262

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agoopenssl: bump to 1.1.1m
Eneas U de Queiroz [Mon, 10 Jan 2022 19:37:47 +0000 (16:37 -0300)]
openssl: bump to 1.1.1m

This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2)

2 years agokernel: bump 4.14 to 4.14.261
Petr Štetiar [Thu, 6 Jan 2022 14:31:19 +0000 (15:31 +0100)]
kernel: bump 4.14 to 4.14.261

All patches refreshed automagically without conflicts.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agokernel: bump 4.14 to 4.14.259
Petr Štetiar [Thu, 23 Dec 2021 10:37:55 +0000 (11:37 +0100)]
kernel: bump 4.14 to 4.14.259

All patches refreshed automagically without conflicts, but upstream in
commit 48c2461f28fe ("ARM: 8800/1: use choice for kernel unwinders")
added new config options UNWINDER_ARM and UNWINDER_FRAME_POINTER so we
need to adjust default configs as well.

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agokernel: bump 4.14 to 4.14.258
Petr Štetiar [Sun, 12 Dec 2021 07:19:37 +0000 (08:19 +0100)]
kernel: bump 4.14 to 4.14.258

Rebased patches:

 * generic: 273-batman-adv-Convert-packet.h-to-uapi-header.patch
 * ipq806x: 0065-arm-override-compiler-flags.patch
 * mvebu: 513-arm64-dts-marvell-armada37xx-Add-emmc-sdio-pinctrl-d.patch

Removed patches:

 Fixed upstream:

   * ar71xx: 821-serial-core-add-support-for-boot-console-with-arbitr.patch
   * ath79: 921-serial-core-add-support-for-boot-console-with-arbitr.patch
     - in 4.14.256 via 9112e7ef87149b3d8093e7446d784117f6e18d69

   * mvebu: 527-PCI-aardvark-allow-to-specify-link-capability.patch
     - in 4.14.257 via 62a3dc9b65a2b24800fc4267b8cf590fad135034

   * mvebu: 524-PCI-aardvark-set-host-and-device-to-the-same-MAX-payload-size.patch
     - should be hopefully fixed by the bunch of changes in .256 and .257

Run tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.

Fixes: CVE-2021-3640
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years agomac80211: Update to version 4.19.221
Hauke Mehrtens [Sun, 12 Dec 2021 20:43:21 +0000 (21:43 +0100)]
mac80211: Update to version 4.19.221

The following patch was backported from upstream before and is not
needed any more:
  package/kernel/mac80211/patches/ath/980-ath10k-fix-max-antenna-gain-unit.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2 years agoiproute2: m_xt.so depends on dynsyms.list
Roman Yeryomin [Fri, 3 Sep 2021 14:31:11 +0000 (17:31 +0300)]
iproute2: m_xt.so depends on dynsyms.list

When doing parallel build on a fast machine with bottleneck in i/o,
m_xt.so may start linking faster than dynsyms.list gets populated,
resulting in error:

ld:dynsyms.list:0: syntax error in dynamic list

Fix this by adding dynsyms.list as make dependency to m_xt.so
Described also here:
https://bugs.openwrt.org/index.php?do=details&task_id=3353

Change from v1:
- add dynsysms.list dependancy only when shared libs are enabled

Signed-off-by: Roman Yeryomin <roman@advem.lv>
Fixes: FS#3353
(cherry-picked from commit edd53df16843a0a6380920ed17b88bfe7d26d71b)

2 years agouboot-lantiq: danube: fix hanging lzma kernel uncompression #2
Mathias Kresin [Sat, 27 Nov 2021 20:43:40 +0000 (21:43 +0100)]
uboot-lantiq: danube: fix hanging lzma kernel uncompression #2

Follow up to commit 8fb714edd6e4340729e271139164a0163b027d68. Managed to
hit the very same issue again while playing with the NOR SPL builds.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2 years agouboot-lantiq: danube: fix hanging lzma kernel uncompression
Mathias Kresin [Fri, 5 Nov 2021 09:41:26 +0000 (10:41 +0100)]
uboot-lantiq: danube: fix hanging lzma kernel uncompression

At least since gcc 7.3.0 (OpenWrt 18.06) lwr/lwl are used in the
assembly of LzmaProps_Decode. While the decission made by the compiler
looks perfect fine, it triggers some obscure hang on lantiq danube-s
v1.5 with MX29LV640EB NOR flash chips.

Only if the offset 1 is used, the hang can be observed. Using any other
offset works fine:

  lwl s0,0(a1) - s0 == 0x6d000080
  lwl s0,1(a1) - hangs
  lwl s0,2(a1) - s0 == 0x0080xxxx
  lwl s0,3(a1) - s0 == 0x80xxxxxx

It isn't clear whether it is a limitation of the flash chip, the EBU or
something else.

Force 8bit reads to prevent gcc optimizing the read with lwr/lwl
instructions.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2 years agowireless-regdb: update to version 2021.08.28
Christian Lamparter [Sat, 23 Oct 2021 16:08:51 +0000 (18:08 +0200)]
wireless-regdb: update to version 2021.08.28

e983a25 Update regulatory rules for Ecuador (EC)
a0bcb88 wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
cdf854d wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
86cba52 wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
6fa2384 wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
9839e1e wireless-regdb: recent FCC report and order allows 5850-5895 immediately
42dfaf4 wireless-regdb: update 5725-5850 MHz rule for GB

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit dbb4c47798b17112cb1eed2a309cdefd33b5f193)

2 years agowireless-regdb: update to version 2021.04.21
Felix Fietkau [Fri, 21 May 2021 12:29:31 +0000 (14:29 +0200)]
wireless-regdb: update to version 2021.04.21

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d76535c45e6e970b212744781431e152e90c1ce6)

2 years agotools/m4: update to 1.4.19
Rosen Penev [Thu, 4 Mar 2021 02:00:26 +0000 (18:00 -0800)]
tools/m4: update to 1.4.19

Remove upstreamed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fc9682ed3961e098ace708ca1ca41c2239a4e2ee)

2 years agokernel: bump 4.14 to 4.14.254
Hauke Mehrtens [Sat, 6 Nov 2021 18:43:08 +0000 (18:43 +0000)]
kernel: bump 4.14 to 4.14.254

All updated automatically.

Compile-tested on: malta/le, lantiq/xrx200
Runtime-tested on: malta/le, lantiq/xrx200

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoar71xx: mikrotik: rb91x: fix 10M ethernet link speed
Koen Vandeputte [Tue, 12 Oct 2021 09:02:30 +0000 (11:02 +0200)]
ar71xx: mikrotik: rb91x: fix 10M ethernet link speed

Extensive testing on the board showed that ethernet does
not work when forced to 10Mbps.

Trial-and-error revealed that the correct PLL value
should be altered to 0x00001313 (iso 0x00001616)

The change is done for this specific board only as I do not have
other boards using this specific SoC.

The board now works correctly in 1000, 100 and 10 Mode

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agouboot-lantiq: fix sha1.h header clash when system libmd installed
Alan Swanson [Fri, 1 Oct 2021 15:46:32 +0000 (16:46 +0100)]
uboot-lantiq: fix sha1.h header clash when system libmd installed

Backport of u-boot commit "includes: move openssl headers to include/u-boot"
https://github.com/u-boot/u-boot/commit/2b9912e6a7df7b1f60beb7942bd0e6fa5f9d0167

Fixes: FS#3955
Signed-off-by: Alan Swanson <reiver@improbability.net>
(cherry picked from commit 8db641049292035604f0e1fb788608fdea879eca)

3 years agokernel: bump 4.14 to 4.14.248
Hauke Mehrtens [Sat, 2 Oct 2021 11:38:04 +0000 (13:38 +0200)]
kernel: bump 4.14 to 4.14.248

All updated automatically.

Compile-tested on: lantiq/xrx200, armvirt/64
Runtime-tested on: lantiq/xrx200, armvirt/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agomac80211: Update to backports-4.19.207-1
Hauke Mehrtens [Tue, 14 Sep 2021 21:44:19 +0000 (23:44 +0200)]
mac80211: Update to backports-4.19.207-1

Refresh all patches.

This contains fixes for CVE-2020-3702

1. These patches (ath, ath9k, mac80211)  were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].

Thank you Josef Schlehofer for reporting this problem.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agosdk: fix missing include directories
Petr Štetiar [Sun, 1 Nov 2020 16:31:40 +0000 (17:31 +0100)]
sdk: fix missing include directories

It's not possible to compile some applications which are using
`-Werror=missing-include-dirs` compiler flags with the SDK as some
target directories are missing in the SDK tarball:

 cc1: error: staging_dir/target/usr/include: No such file or directory [-Werror=missing-include-dirs]
 cc1: error: staging_dir/target/include: No such file or directory [-Werror=missing-include-dirs]

Fix this by adding the missing directories in the SDK.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ec0ec0428e12b6a7cdad40fbe98d375ea15b45c5)

3 years agouboot-zynq: fix dtc compilation on host gcc 10
Luis Araneda [Sun, 2 Aug 2020 23:34:42 +0000 (19:34 -0400)]
uboot-zynq: fix dtc compilation on host gcc 10

gcc 10 defaults to -fno-common, which causes an error
when linking.

Back-port the following Linux kernel commit to fix it:
e33a814e772c (scripts/dtc: Remove redundant YYLOC global declaration)

Tested on an Arch Linux host with gcc 10.1.0

Signed-off-by: Luis Araneda <luaraneda@gmail.com>
(cherry picked from commit 8b870418f18d86761247633e57560ffa1c2485d0)

3 years agouboot-tegra: Fix build with GCC-10 as host compiler
Sven Eckelmann [Sat, 11 Sep 2021 19:03:34 +0000 (21:03 +0200)]
uboot-tegra: Fix build with GCC-10 as host compiler

The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
3 years agouboot-mvebu: Fix build with GCC-10 as host compiler
Sven Eckelmann [Sat, 11 Sep 2021 19:03:34 +0000 (21:03 +0200)]
uboot-mvebu: Fix build with GCC-10 as host compiler

The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
3 years agouboot-layerscape: fix dtc compilation on host gcc 10
Hauke Mehrtens [Sun, 8 Aug 2021 22:03:43 +0000 (00:03 +0200)]
uboot-layerscape: fix dtc compilation on host gcc 10

Backport a patch from upstream U-Boot to fix the compile with host GCC 10.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8d143784cb8fafccdbcdc0bd5d1aa47d3d676f70)

3 years agouboot-kirkwood: Fix build with GCC-10 as host compiler
Sven Eckelmann [Sat, 11 Sep 2021 19:03:34 +0000 (21:03 +0200)]
uboot-kirkwood: Fix build with GCC-10 as host compiler

The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
3 years agouboot-sunxi: Fix build with GCC-10 as host compiler
Sven Eckelmann [Sat, 11 Sep 2021 19:03:34 +0000 (21:03 +0200)]
uboot-sunxi: Fix build with GCC-10 as host compiler

The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
3 years agokernel: bump 4.14 to 4.14.245
David Bauer [Sun, 29 Aug 2021 22:46:33 +0000 (00:46 +0200)]
kernel: bump 4.14 to 4.14.245

Compile-tested: ath79-generic
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
3 years agoopenssl: bump to 1.1.1l
Eneas U de Queiroz [Thu, 26 Aug 2021 17:38:07 +0000 (14:38 -0300)]
openssl: bump to 1.1.1l

This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
    Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
    Severity: Medium

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
3 years agoopenssl: use --cross-compile-prefix in Configure
Eneas U de Queiroz [Thu, 26 Aug 2021 17:38:06 +0000 (14:38 -0300)]
openssl: use --cross-compile-prefix in Configure

This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)

3 years agokernel: bump to 4.14.244
David Bauer [Thu, 19 Aug 2021 19:30:01 +0000 (21:30 +0200)]
kernel: bump to 4.14.244

Compile-tested: ath79-generic ipq40xx-generic
Run-tested: ipq40xx-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
3 years agokernel: bump to 4.14.243
David Bauer [Thu, 12 Aug 2021 21:33:05 +0000 (23:33 +0200)]
kernel: bump to 4.14.243

Compile-tested: x86-64
Run-tested: x86-64

Signed-off-by: David Bauer <mail@david-bauer.net>
3 years agoOpenWrt v19.07.8: revert to branch defaults
Hauke Mehrtens [Sun, 1 Aug 2021 16:46:20 +0000 (18:46 +0200)]
OpenWrt v19.07.8: revert to branch defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoOpenWrt v19.07.8: adjust config defaults v19.07.8
Hauke Mehrtens [Sun, 1 Aug 2021 16:45:59 +0000 (18:45 +0200)]
OpenWrt v19.07.8: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoubus: update to version 2021-07-01
Petr Štetiar [Thu, 1 Jul 2021 12:05:18 +0000 (14:05 +0200)]
ubus: update to version 2021-07-01

This update cherry picks following fix:

 * ubusd: fix tx_queue linked list usage

Signed-off-by: Petr Štetiar <ynezz@true.cz>
3 years agoubus: update to version 2021-06-03
Petr Štetiar [Thu, 3 Jun 2021 07:49:58 +0000 (09:49 +0200)]
ubus: update to version 2021-06-03

This update cherry picks following changes:

 * cmake: add a possibility to set library version
 * ubusd: protect against too-short messages
 * ubusd: add per-client tx queue limit
 * ubusd: convert tx_queue to linked list
 * lua: avoid truncation of large numeric values

Fixes: FS#1525
Signed-off-by: Petr Štetiar <ynezz@true.cz>
3 years agoubus: backport SOVERSION support
Petr Štetiar [Thu, 29 Jul 2021 19:49:18 +0000 (21:49 +0200)]
ubus: backport SOVERSION support

Add a support for setting of new `ABIVERSION` CMake define which allows
to control the SOVERSION used for the built shared library. This is
needed for downstream packaging to properly track breaking ABI changes
when updating to newer versions of the library.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(backported from commit 8edb1797d55d259c6eda18c89784f152328436fc)

3 years agokernel: bump 4.14 to 4.14.241
David Bauer [Wed, 28 Jul 2021 14:09:27 +0000 (16:09 +0200)]
kernel: bump 4.14 to 4.14.241

Refreshed all patches

Compile-tested: ath79-generic brcm2708-bcm2708
Run-tested: ath79-generic brcm2708-bcm2708

Signed-off-by: David Bauer <mail@david-bauer.net>
3 years agoath10k-ct: add security fixes
Michael Yartys [Thu, 3 Jun 2021 21:50:12 +0000 (23:50 +0200)]
ath10k-ct: add security fixes

This rebases -ct changes on top of upstream stable kernel's latest code.
Including the wifi security fixes that recently went in.

Removed upstreamed 203-ath10k-Limit-available-channels-via-DT-ieee80211-fre.patch
and refreshed patches.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(backported from commit 2e10ed925e1e07c28570731a429efa5e7de3b826)

3 years agobase-files: fix /tmp/TZ when zoneinfo not installed
Paul Spooren [Thu, 24 Jun 2021 17:42:53 +0000 (07:42 -1000)]
base-files: fix /tmp/TZ when zoneinfo not installed

The zoneinfo packages are not installed per default so neither
/tmp/localtime nor /tmp/TZ is generated.

This patch mostly reverts the previous fix and instead incooperates a
solution suggested by Jo.

Fixes "base-files: fix zoneinfo support " 8af62ed

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 56bdb6bb9781f8a0bbec5fc3075b9d2b8d12f9a8)

3 years agobase-files: fix zoneinfo support
Rosen Penev [Sat, 10 Apr 2021 00:22:48 +0000 (17:22 -0700)]
base-files: fix zoneinfo support

The system init script currently sets /tmp/localinfo when zoneinfo is
populated. However, zoneinfo has spaces in it whereas the actual files
have _ instead of spaces. This made the if condition never return true.

Example failure when removing the if condition:

/tmp/localtime -> /usr/share/zoneinfo/America/Los Angeles

This file does not exist. America/Los_Angeles does.

Ran through shfmt -w -ci -bn -sr -s

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 8af62ede189aa504135db05474d34c9f8a1ed35d)

3 years agomac80211: distance config: allow "auto" as a value
Ali MJ Al-Nasrawy [Wed, 18 Sep 2019 17:14:42 +0000 (20:14 +0300)]
mac80211: distance config: allow "auto" as a value

The user can now enable the ACK timeout estimation algorithm (dynack)
for drivers that support it.
It is also expected that the distance config accepts the same values as:
$ iw phyX set distance XXX

Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
(cherry picked from commit a8a1ef856871dc8403ea9c0a3bb347c7120b0e65)

3 years agogitignore: add .ccache folder
Koen Vandeputte [Mon, 7 Jun 2021 09:20:35 +0000 (11:20 +0200)]
gitignore: add .ccache folder

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agokernel: bump 4.14 to 4.14.236
Koen Vandeputte [Mon, 14 Jun 2021 09:43:36 +0000 (11:43 +0200)]
kernel: bump 4.14 to 4.14.236

Refreshed all patches.

Fixes:
- CVE-2021-3564

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agomac80211: Update to backports version 4.19.193-test1
Hauke Mehrtens [Sat, 5 Jun 2021 22:36:57 +0000 (00:36 +0200)]
mac80211: Update to backports version 4.19.193-test1

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agokernel: bump 4.14 to 4.14.235
Hauke Mehrtens [Fri, 4 Jun 2021 23:06:28 +0000 (01:06 +0200)]
kernel: bump 4.14 to 4.14.235

Manually rebased
  ramips/patches-5.4/0048-asoc-add-mt7620-support.patch

All others updated automatically.

Compile-tested on: ath79/generic, ramips/mt7621
Runtime-tested on: ath79/generic

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoubox: fix init script validation of log_ip option
Jo-Philipp Wich [Fri, 28 May 2021 13:23:14 +0000 (15:23 +0200)]
ubox: fix init script validation of log_ip option

The underlying logread process uses usock() to handle remote connections
which is able to handle both hostnames and IP addresses.

Ref: https://github.com/openwrt/luci/issues/5077
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit ec83fb9ced138b7945135adffb9ff0ba63b695ec)

3 years agotools/mklibs: Fix compile with GCC 11
Hauke Mehrtens [Sun, 16 May 2021 21:49:48 +0000 (23:49 +0200)]
tools/mklibs: Fix compile with GCC 11

GCC 11 defaults to C++17, but mklibs does not compile when using the
C++17 standard. This patch switches back to the gnu++98 version like
done in master commit 9437012b9ee4 ("tools/mklibs: update to 0.1.44 and
convert to Python 3")

This fixes the following compile error message:
elf.hpp:52:56: error: ISO C++17 does not allow dynamic exception specifications
   52 |       const section &get_section(unsigned int i) const throw (std::out_of_range) { return *sections.at(i); };

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoopenwrt-keyring: Only copy sign key for 19.07 and 21.02
Hauke Mehrtens [Sun, 16 May 2021 13:31:49 +0000 (15:31 +0200)]
openwrt-keyring: Only copy sign key for 19.07 and 21.02

Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the OpenWrt 19.07
feeds and the 21.02 feeds to allow checking the next release.

If one of the other keys would be compromised this would not affect
users of 19.07 release builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoopenwrt-keyring: add OpenWrt 21.02 GPG/usign keys
Petr Štetiar [Sat, 20 Feb 2021 14:56:19 +0000 (15:56 +0100)]
openwrt-keyring: add OpenWrt 21.02 GPG/usign keys

49283916005d usign: add 21.02 release build pubkey
bc4d80f064f2 gpg: add OpenWrt 21.02 signing key

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 1bf6d70e60fdb45d81a8f10b90904cef38c73f70)

3 years agogeneric: platform/mikrotik: release mtd device after use
Koen Vandeputte [Wed, 12 May 2021 09:41:26 +0000 (11:41 +0200)]
generic: platform/mikrotik: release mtd device after use

The code uses get_mtd_device_nm() which must be followed by a call to
put_mtd_device() once the handle is no longer used.

This fixes spurious shutdown console messages such as:
[   83.099037] Removing MTD device #1 (hard_config) with use count 1

Reported-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
[Backported from master]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agokernel: bump 4.14 to 4.14.232
Koen Vandeputte [Mon, 10 May 2021 12:25:40 +0000 (14:25 +0200)]
kernel: bump 4.14 to 4.14.232

Refreshed all patches.

Fixes:
- CVE-2021-23133

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agoExtend checks on build prerequisites for building OpenWRT core
Bas Mevissen [Mon, 19 Apr 2021 23:08:19 +0000 (01:08 +0200)]
Extend checks on build prerequisites for building OpenWRT core

OpenWRT requires a number of Perl modules to be installed. It wasn't checking on all of them.
This patch adds checks for Perl FindBin, File::Copy, File::Compare and Thread::Queue modules.

Failing to install these, will have the build break at some point. By adding these to the
prereq-build.mk script, they are checked on forehand.

Tested on a Fedora 33 and 34 (beta) that was freshly installed. Fedora appears to
break up Perl modules into small packages that need to be installed for the build to succeed.

Signed-off-by: Bas Mevissen <abuse@basmevissen.nl>
(cherry picked from commit f68c9474acf9a65b5a9538db8e45c173462487e3)

3 years agoprereq-build: test for perl's Data::Dumper
Rosen Penev [Mon, 30 Mar 2020 01:13:56 +0000 (18:13 -0700)]
prereq-build: test for perl's Data::Dumper

Required for installation of autoconf:

make[5]: Entering directory `/openwrt/build_dir/host/autoconf-2.69'
Making all in bin
make[6]: Entering directory `/openwrt/build_dir/host/autoconf-2.69/bin'
autom4te_perllibdir='..'/lib AUTOM4TE_CFG='../lib/autom4te.cfg'
../bin/autom4te -B '..'/lib -B '..'/lib         --language M4sh --cache
 '' --melt ./autoconf.as -o autoconf.in

Can't locate Data/Dumper.pm in @INC (@INC contains: ../lib
/usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
../lib/Autom4te/C4che.pm line 33.
BEGIN failed--compilation aborted at ../lib/Autom4te/C4che.pm line 33.
Compilation failed in require at ../bin/autom4te line 40.
BEGIN failed--compilation aborted at ../bin/autom4te line 40.
make[6]: *** [autoconf.in] Error 2

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit dc467eac38f2447b652b6680cf4af75b05fd6cd2)

3 years agotplink-safeloader: fix C7v5 factory flashing from vendor fw > v1.1.x
Petr Štetiar [Fri, 9 Apr 2021 12:52:05 +0000 (14:52 +0200)]
tplink-safeloader: fix C7v5 factory flashing from vendor fw > v1.1.x

Currently it's not possible to flash factory images on devices shipped
with vendor firmware versions 1.1.0 Build 20201120 rel. 50406 (published
2020-12-22):

 (curFw_ver, newFw_ver) == (1.1, 1.0) [NM_Error](nm_checkSoftVer) 00848: Firmwave not supports, check failed.
 [NM_Error](nm_checkUpdateContent) 01084: software version dismatched
 [NM_Error](nm_buildUpgradeStruct) 01188: checkUpdateContent failed.

They've even following note in release notes:

 Note: You will be unable to downgrade to the previous firmware version
       after updating this firmware.

This version check in vendor firmware is implemented in
/usr/bin/nvrammanager binary likely as following C code[1]:

 sscanf(buf, "%d.%d.%*s",&upd_fw_major, &upd_fw_minor);
 ...
 if (((int)upd_fw_major < (int)cur_fw_major) ||
     ((ret = 1, cur_fw_major == upd_fw_major && (upd_fw_minor < (int)cur_fw_minor)))) {
       ret = 0;
       printf("[NM_Error](%s) %05d: Firmwave not supports, check failed.\r\n\r\n","nm_checkSoftVer" ,0x350);
 }
 ...
 return ret;

So in order to fix this and make it future proof it should be enough to
ship our factory firmware images with major version 7 (lucky number).

Tested on latest firmware version 1.1.2 Build 20210125 rel.37999:

 Firmwave supports, check OK.
  (curFw_ver, newFw_ver) == (1.1, 7.0) check firmware ok!

Flashing back to vendor firmware
c7v5_us-up-ver1-1-2-P1[20210125-rel37999]_2021-01-25_10.33.55.bin works
as well:

 U-Boot 1.1.4-gbec22107-dirty (Nov 18 2020 - 18:19:12)
 ...
 Firmware downloaded... filesize = 0xeeae77 fileaddr = 0x80060000.
 Firmware Recovery file length : 15642231
 Firmware process id 2.
 handle_fw_cloud 146
 Image verify OK!
 Firmware file Verify ok!
 product-info:product_name:Archer C7
 product_ver:5.0.0
 special_id:55530000
 [Error]sysmgr_cfg_checkSupportList(): 1023 @ specialId 45550000 NOT Match.
 Firmware supports, check OK.
 Firmware Recovery check ok!

1. https://gist.github.com/ynezz/2e0583647d863386a66c3d231541b6d1

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit e6d66375cbbb54e0e82a67030e385a5486273766)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
3 years agomac80211: Update to backports version 4.19.189-1
Hauke Mehrtens [Sun, 2 May 2021 21:20:40 +0000 (23:20 +0200)]
mac80211: Update to backports version 4.19.189-1

The removed patches were applied upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agodropbear: Fix CVE-2020-36254
Hauke Mehrtens [Sun, 2 May 2021 15:35:16 +0000 (17:35 +0200)]
dropbear: Fix CVE-2020-36254

This backports a fix from dropbear 2020.81.
CVE-2020-36254 description:
scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agoramips: backport unlocked mdiobus accessors
David Bauer [Sun, 2 May 2021 22:08:38 +0000 (00:08 +0200)]
ramips: backport unlocked mdiobus accessors

Commit 718e97c5c843 ("ramips: mt7530 swconfig: fix race condition in
register access") backports a fix which depends on unlocked MMD
accessors, however these were not yet included in Kernel 4.14 and they
were not backported yet.

Fixes commit 718e97c5c843 ("ramips: mt7530 swconfig: fix race condition in register access")

Signed-off-by: David Bauer <mail@david-bauer.net>
3 years agoopenvpn: update to 2.4.11
Magnus Kroken [Wed, 21 Apr 2021 20:10:58 +0000 (22:10 +0200)]
openvpn: update to 2.4.11

Fixes two related security vulnerabilities (CVE-2020-15078) which under
very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.

This release also includes other bug fixes and improvements.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
3 years agoopenvpn: update to 2.4.9
Magnus Kroken [Wed, 21 Apr 2021 20:10:57 +0000 (22:10 +0200)]
openvpn: update to 2.4.9

This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit d7e98bd7c5316f95cc11635371a39c6c0e18b9a7)

3 years agoopenvpn: update to 2.4.8
Magnus Kroken [Wed, 21 Apr 2021 20:10:56 +0000 (22:10 +0200)]
openvpn: update to 2.4.8

Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9)

3 years agoramips: mt7530 swconfig: fix race condition in register access
DENG Qingfang [Mon, 26 Apr 2021 04:20:24 +0000 (12:20 +0800)]
ramips: mt7530 swconfig: fix race condition in register access

[ Upstream commit f99c9cd9c4d4c49a676d678327546fd41690fe2a ]

The mt7530_{r,w}32 operation over MDIO uses 3 mdiobus operations and
does not hold a lock, which causes a race condition when multiple
threads try to access a register, they may get unexpected results.

To avoid this, handle the MDIO lock manually, and use the unlocked
__mdiobus_{read,write} in the critical section.

This fixes the "Ghost VLAN" artifact[1] in MT7530/7621 when the VLAN
operation and the swconfig LED link status poll race between each other.

[1] https://forum.openwrt.org/t/mysterious-vlan-ids-on-mt7621-device/64495

Signed-off-by: DENG Qingfang <dqfext@gmail.com>
(cherry picked from commit f99c9cd9c4d4c49a676d678327546fd41690fe2a)

3 years agoppp/pppoe-discovery: fix -W option
Martin Schiller [Wed, 14 Apr 2021 12:34:56 +0000 (14:34 +0200)]
ppp/pppoe-discovery: fix -W option

This patch is already included in ppp-2.4.9 which is used in openwrt
master.

Backport this patch to openwrt-19.07.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
3 years agokernel: bump 4.14 to 4.14.231
Koen Vandeputte [Thu, 22 Apr 2021 16:48:08 +0000 (18:48 +0200)]
kernel: bump 4.14 to 4.14.231

Refreshed all patches.

Fixes:
- CVE-2020-25672
- CVE-2020-25671
- CVE-2020-25670

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
3 years agokernel: bump 4.14 to 4.14.230
Koen Vandeputte [Mon, 12 Apr 2021 09:38:51 +0000 (11:38 +0200)]
kernel: bump 4.14 to 4.14.230

Refreshed all patches.

Remove upstreamed:
- 840-can-flexcan-flexcan_chip_freeze-fix-chip-freeze-for-.patch

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
3 years agomac80211: backport upstream fixes
Koen Vandeputte [Fri, 2 Apr 2021 10:21:24 +0000 (12:21 +0200)]
mac80211: backport upstream fixes

Refreshed all patches.
Includes all fixes up to 4.19.184

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
3 years agokernel: backport fix for flexcan bug
Koen Vandeputte [Fri, 9 Apr 2021 13:14:37 +0000 (15:14 +0200)]
kernel: backport fix for flexcan bug

This patch fixes a DIV/0 error which was introduced in 4.14.225
This patch was forgotten in upstream <= 4.14 and is now queued for
future release.

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
3 years agokernel: bump 4.14 to 4.14.229
Koen Vandeputte [Fri, 9 Apr 2021 08:09:24 +0000 (10:09 +0200)]
kernel: bump 4.14 to 4.14.229

Refreshed all patches.

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
3 years agokernel: bump 4.14 to 4.14.228
Koen Vandeputte [Fri, 2 Apr 2021 09:46:03 +0000 (11:46 +0200)]
kernel: bump 4.14 to 4.14.228

Refreshed all patches.

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
3 years agokernel: bump 4.14 to 4.14.227
Koen Vandeputte [Mon, 29 Mar 2021 09:43:31 +0000 (11:43 +0200)]
kernel: bump 4.14 to 4.14.227

Refreshed all patches.

Altered patches:
- 809-flexcan-support-layerscape.patch

Compile-tested on: ar71xx, cns3xxx, imx6, layerscape, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>