openwrt/openwrt.git
6 months agokernel: nf_conntrack_rtcache: fix WARNING on forward path
Yousong Zhou [Sat, 23 Nov 2019 17:10:09 +0000 (17:10 +0000)]
kernel: nf_conntrack_rtcache: fix WARNING on forward path

Fixes b7c58a1ee ("kernel: nf_conntrack_rtcache: fix cleanup on netns
delete and rmmod")

Resolves FS#2624

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 1c5df850a07690451f2878a310c0ea67d0690836)

6 months agokernel: nf_conntrack_rtcache: fix cleanup on netns delete and rmmod
Yousong Zhou [Wed, 13 Nov 2019 17:03:12 +0000 (17:03 +0000)]
kernel: nf_conntrack_rtcache: fix cleanup on netns delete and rmmod

Fixes FS#1472, FS#2353, FS#2426

Fixes: b3f95490 ("kernel: generic: Add kernel 4.14 support")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b7c58a1eeba5be2e1f77ec05b417be9d87e26916)

6 months agokernel: Add missing configuration option
Hauke Mehrtens [Fri, 22 Nov 2019 19:13:55 +0000 (20:13 +0100)]
kernel: Add missing configuration option

This was found by the build bot.

Fixes: 6e2e5d1bf8d5 ("kernel: bump 4.14 to 4.14.155")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 103e49f62e72664ee0d5285007907a75960e8645)

6 months agokernel: bump 4.14 to 4.14.155
Koen Vandeputte [Thu, 21 Nov 2019 13:08:06 +0000 (14:08 +0100)]
kernel: bump 4.14 to 4.14.155

Refreshed all patches.

Altered patches:
- 707-dpaa-ethernet-support-layerscape.patch
- 421-rtc-initialize.patch

Remove upstreamed:
- 161-MIPS-BCM47XX-Enable-USB-power-on-Netgear-WNDR3400v3.patch

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agoar71xx: fix buttons for TP-Link TL-WDR4900 v2
Adrian Schmutzler [Thu, 14 Nov 2019 12:01:39 +0000 (13:01 +0100)]
ar71xx: fix buttons for TP-Link TL-WDR4900 v2

TP-Link TL-WDR4900 v2 only has one combined WPS/Reset button, so
don't set up an RFKILL for this device.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 25127f58b42d794bd47d56ea107f3dfc9cc4816c)

6 months agoar71xx: fix LED setup for TL-WDR4900 v2
Adrian Schmutzler [Thu, 14 Nov 2019 11:45:15 +0000 (12:45 +0100)]
ar71xx: fix LED setup for TL-WDR4900 v2

In ar71xx there is only one combined mach file for Archer C5/C7 and
TL-WDR4900 v2. This one uses the same LED struct for all devices,
defining "green" LEDs for them. However, WDR4900 uses blue front
LEDs, while only C5/C7 uses green ones. Despite, in base-files
WDR4900 is actually set up with "blue" for the mentioned LEDs.

Thus, this patch creates a separate LED struct for WDR4900, so the
LEDs can be set up correctly. Despite, the wlan5g LED is removed as
it is controlled by ath9k chip for WDR4900 (in contrast to C5/C7).

Note: While front LEDs are blue, USB LEDs (on the back) are green,
so colors are mixed intentionally for the WDR4900 v2.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 93f2bcc35e371ec0c4ceb76c06f90b898c726ba5)

6 months agoramips: set uImage name of WeVO 11AC NAS and W2914NS v2
Sungbo Eo [Mon, 7 Oct 2019 12:33:51 +0000 (21:33 +0900)]
ramips: set uImage name of WeVO 11AC NAS and W2914NS v2

The stock firmware and bootloader only accept uImage with names that
match certain patterns. This patch enables OpenWrt installation from
stock firmware without having to reflash the bootloader or access the
UART console.

Installation via web interface:
1.  Flash **initramfs** image through the stock web interface.
2.  Boot into OpenWrt and perform sysupgrade with sysupgrade image.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 19800ac095f6ddbba03ccab08e5197b1eec4a49e)
[backported]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
6 months agoar71xx: fix MAC address setup for TL-WDR4900 v2
Adrian Schmutzler [Thu, 14 Nov 2019 11:26:05 +0000 (12:26 +0100)]
ar71xx: fix MAC address setup for TL-WDR4900 v2

The MAC address setup of the TL-WDR4900 v2 is different from the
C5/C7. This aligns ar71xx with the setup in ath79:

wlan0 (5GHz) : -2
wlan1 (2.4GHz) : -1
eth1 (LAN) : 0
eth0 (WAN) : 1

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a9d3084b83bb2d0fa2c0b43bf2a0831b5ae1df13)

6 months agoar71xx: fix MAC addresses for Archer C5 v1, C7 v1/v2, WDR4900 v2
Adrian Schmutzler [Wed, 13 Nov 2019 14:05:29 +0000 (15:05 +0100)]
ar71xx: fix MAC addresses for Archer C5 v1, C7 v1/v2, WDR4900 v2

As discussed in 1d18a14a90c7 ("ath79: really fix TP-Link Archer C7
v2 MAC address"), stock firmware MAC address assignment is
actually as follows:

wlan0 (5GHz) : -1
wlan1 (2.4GHz) : 0
eth1 (LAN) : 0
eth0 (WAN) : 1

This has never been fixed for ar71xx, so let's do it now.
Note that with WDR4900 v2 even both wlan0 and wlan1 where assigned
to basemac-1 before ...

Fixes: FS#408

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a021268032fb64afdce7bafa91c7c7bf44fa6ff2)

6 months agoipq40xx: fix build error
Koen Vandeputte [Wed, 20 Nov 2019 07:45:27 +0000 (08:45 +0100)]
ipq40xx: fix build error

Add missing brace which was accidentally omitted

Fixes: 6d6026021390 ("kernel: bump 4.14 to 4.14.154")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agokernel: bump 4.14 to 4.14.154
Koen Vandeputte [Mon, 18 Nov 2019 09:24:38 +0000 (10:24 +0100)]
kernel: bump 4.14 to 4.14.154

Refreshed all patches.

Altered patches:
- 902-debloat_proc.patch
- 040-dmaengine-qcom-bam-Process-multiple-pending-descript.patch

Remove upstreamed:
- 303-spi-nor-enable-4B-opcodes-for-mx66l51235l.patch

New symbols:
X86_INTEL_MPX
X86_INTEL_MEMORY_PROTECTION_KEYS
X86_INTEL_TSX_MODE_OFF
X86_INTEL_TSX_MODE_ON
X86_INTEL_TSX_MODE_AUTO
SGL_ALLOC

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agokernel: bump 4.9 to 4.9.202
Koen Vandeputte [Mon, 18 Nov 2019 09:22:09 +0000 (10:22 +0100)]
kernel: bump 4.9 to 4.9.202

Refreshed all patches.

Altered patches:
- 902-debloat_proc.patch
- 817-usb-support-layerscape.patch

New symbols:
X86_INTEL_MEMORY_PROTECTION_KEYS
X86_INTEL_TSX_MODE_OFF
X86_INTEL_TSX_MODE_ON
X86_INTEL_TSX_MODE_AUTO

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agoar71xx: fix WLAN LED names for Archer C7
Tomislav Požega [Thu, 18 Jul 2019 19:37:39 +0000 (21:37 +0200)]
ar71xx: fix WLAN LED names for Archer C7

Update WLAN LED colour identifier for both interfaces on Archer C7

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
(cherry picked from commit 65762cdd2223d759f5836214143888e32ce5766b)
[backported to 18.06]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
6 months agoar71xx: fix system LED names on Archer C5/C7
Tomislav Požega [Thu, 18 Jul 2019 15:59:37 +0000 (17:59 +0200)]
ar71xx: fix system LED names on Archer C5/C7

Move system LED board definitions of Archer C5/C7 to reflect
actual system LED colour used

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
(cherry picked from commit a73934fc9ad05207e79a3e58abc3d14eee28b6f2)

6 months agomac80211: brcmfmac: fix PCIe reset crash and WARNING
Rafał Miłecki [Mon, 18 Nov 2019 13:45:59 +0000 (14:45 +0100)]
mac80211: brcmfmac: fix PCIe reset crash and WARNING

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit cde8c2f2fba019c4cd3b9f6ad463ff86cc783061)

6 months agoramips: assign correct key-code to wps buttons
Christian Lamparter [Sat, 16 Nov 2019 21:37:51 +0000 (22:37 +0100)]
ramips: assign correct key-code to wps buttons

The two ASUS WL-330N and WL-330N3G had the reset keycode
assigned to the WPS button. This patch changes both devices
to use KEY_WPS_BUTTON in the hopes that this fixes unwanted
restarts/ unexpected behavior from the users point of view.

[dropped RG21S]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit ad65d9d7b264d6d17293c59469e770905d2f785a)

6 months agoramips: rt3833: fix build breakage
Petr Štetiar [Fri, 15 Nov 2019 06:47:51 +0000 (07:47 +0100)]
ramips: rt3833: fix build breakage

Commit 60f41c6c9ef6 ("ramips: add usb-ledtrig-usbport to DEVICE_PACKAGES
of CY-SWR1100") added stray | during backport which caused build
breakage on the buildbots:

 bash: -c: line 0: syntax error near unexpected token `|'
 bash: -c: line 0: `echo kmod-usb-core kmod-usb-ledtrig-usbport kmod-usb-ohci kmod-usb2 swconfig | | mkhash md5 | head -c 8'

Fixes: 60f41c6c9ef6 ("ramips: add usb-ledtrig-usbport to DEVICE_PACKAGES of CY-SWR1100")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit a1ff175dbf807925a0bae537935455bd1aa44a98)

6 months agoramips: add usb-ledtrig-usbport to DEVICE_PACKAGES of CY-SWR1100
Sungbo Eo [Wed, 13 Nov 2019 14:23:17 +0000 (23:23 +0900)]
ramips: add usb-ledtrig-usbport to DEVICE_PACKAGES of CY-SWR1100

CY-SWR1100 has a USB LED but kmod-usb-ledtrig-usbport is missing
in default images. This commit adds it.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[changed commit title, backported to 19.07]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 261c746631d2bf311a6b62a6d3bacce6fde90976)

6 months agoramips: fix MAC address setup for Samsung CY-SWR1100
Sungbo Eo [Wed, 13 Nov 2019 14:22:54 +0000 (23:22 +0900)]
ramips: fix MAC address setup for Samsung CY-SWR1100

Ethernet MAC address setup has been broken since c3e420f28cf1. Restore
original setting.

Fixes: c3e420f28cf1 ("ramips: Add support for D-Link DCH-M225")

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 7231c1edd99217c6baa8d7d5d841d75ad9de26f1)
[backported due to base-files split]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
6 months agogitignore: ignore patches in OpenWrt root directory
Adrian Schmutzler [Tue, 5 Nov 2019 12:05:29 +0000 (13:05 +0100)]
gitignore: ignore patches in OpenWrt root directory

This will have GIT ignore patches in root directory, as created
when using "git format-patch".

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 2c5413559880c54c5eec980121febfe6c7cd287a)

6 months agoar71xx: fix tl-wdr3320-v2 upgrade
南浦月 [Thu, 19 Sep 2019 09:41:01 +0000 (17:41 +0800)]
ar71xx: fix tl-wdr3320-v2 upgrade

Fix the error that tl-wdr3320-v2 can't upgrade firmware via web
interface by using magic_ver="0200" for this device.

Signed-off-by: 南浦月 <nanpuyue@gmail.com>
[commit message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 0ff2385a92c0a31769fce954b7bd571d6114dbc8)

6 months agoar71xx: update uboot-envtools for Netgear WNR routers
Michal Cieslakiewicz [Wed, 6 Nov 2019 09:43:14 +0000 (10:43 +0100)]
ar71xx: update uboot-envtools for Netgear WNR routers

Boards added: WNR1000v2, WNR2000v3, WNR2200, WNR612v2, WNDR4300.
Boards changed: WNDR3700 (u-boot env size is 2 sectors not 1).

Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
(cherry picked from commit 11052900494ec8216b9b39ba0b24d5e036f4d323)

6 months agokernel: bump 4.14 to 4.14.152
Koen Vandeputte [Wed, 6 Nov 2019 16:21:09 +0000 (17:21 +0100)]
kernel: bump 4.14 to 4.14.152

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agokernel: bump 4.9 to 4.9.199
Koen Vandeputte [Wed, 6 Nov 2019 16:15:39 +0000 (17:15 +0100)]
kernel: bump 4.9 to 4.9.199

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
6 months agosdk: fix GCC and Python dangling symlinks
Petr Štetiar [Thu, 8 Aug 2019 19:16:02 +0000 (21:16 +0200)]
sdk: fix GCC and Python dangling symlinks

Force prereq again in SDK in order to fix GCC and Python dangling
symlinks:

 staging_dir/host/bin/g++ -> /builder/ath79_generic/ccache_cxx.sh
 staging_dir/host/bin/gcc -> /builder/ath79_generic/ccache_cc.sh
 staging_dir/host/bin/python -> /usr/bin/python3.5
 staging_dir/host/bin/python3 -> /usr/bin/python3.5

Ref: FS#2424
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 200f2666fb1c8d9d128824dc5586e0e66386971f)

6 months agobuild: cleanup possibly dangling Python 3 host symlink
Etienne Champetier [Fri, 8 Nov 2019 14:58:01 +0000 (06:58 -0800)]
build: cleanup possibly dangling Python 3 host symlink

When switching from master branch to 19.07 or older, we need to ensure
that Python symlink in staging bin directory points to Python 2.

We can't rely completly just on SetupHostCommand as its executed only in
cases when the $(STAGING_DIR_HOST)/bin/python doesn't already exist, so
we need to remove it before running SetupHostCommand.

This is a cherry-pick of 3b68fb57c938af3948ae4c2da61501183fbef649
with python3 instead of python2

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 799de7c641ffa98323929a20a8d92c7cc4ebb251)

6 months agobuild: fixup python SetupHostCommand to use python2
Etienne Champetier [Thu, 31 Oct 2019 10:54:59 +0000 (03:54 -0700)]
build: fixup python SetupHostCommand to use python2

Here is a way to break your build env without this patch:
1) have python point to python3, and no python2
2) start the build, SetupHostCommand will create a symlink
./staging_dir/host/bin/python -> /usr/bin/python
3) build fails on scons because it can't find any python2
4) install python2 and restart the build
5) the build fails on wireless-regdb compile because python is python3 instead of python

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 785d4f3efded4a5094ee8e1ce4535dd0933b956d)

6 months agoOpenWrt v18.06.5: revert to branch defaults
Jo-Philipp Wich [Fri, 8 Nov 2019 19:32:31 +0000 (20:32 +0100)]
OpenWrt v18.06.5: revert to branch defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 months agoOpenWrt v18.06.5: adjust config defaults v18.06.5
Jo-Philipp Wich [Fri, 8 Nov 2019 19:32:24 +0000 (20:32 +0100)]
OpenWrt v18.06.5: adjust config defaults

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 months agoustream-ssl: backport fix for CVE-2019-5101, CVE-2019-5102
Jo-Philipp Wich [Tue, 5 Nov 2019 14:07:55 +0000 (15:07 +0100)]
ustream-ssl: backport fix for CVE-2019-5101, CVE-2019-5102

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c5d5cdb759adc890ce6699117b7119acf280ce77)

7 months agokernel: bump 4.14 to 4.14.151
Koen Vandeputte [Wed, 30 Oct 2019 11:58:55 +0000 (12:58 +0100)]
kernel: bump 4.14 to 4.14.151

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.9 to 4.9.198
Koen Vandeputte [Wed, 30 Oct 2019 11:55:28 +0000 (12:55 +0100)]
kernel: bump 4.9 to 4.9.198

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agoscripts/ubinize-image.sh: fix buildbot breakage
Petr Štetiar [Sat, 27 Jul 2019 05:47:10 +0000 (07:47 +0200)]
scripts/ubinize-image.sh: fix buildbot breakage

New Docker based buildslaves install just bare minimum of packages, thus
not having bsdmainutils package installed which provides `hexdump`
utility, leading to the following build breakage on buildbots:

 ubinize-image.sh: 12: /builder/scripts/ubinize-image.sh: hexdump: not found

So this patch simply replaces `hexdump` with `od` utility provided by
coreutils package, which should be likely available.

Co-authored-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit c6d41c320c795b0bb9a9350c7d4b1ce55f25769a)

7 months agokernel: mark kmod-usb-serial-wwan as hidden
Yousong Zhou [Wed, 30 Oct 2019 12:41:34 +0000 (12:41 +0000)]
kernel: mark kmod-usb-serial-wwan as hidden

The kconfig symbol is an invisible one since its introduction.  It is
not supposed to be enabled on its own.

Resolves FS#1821

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 4bf9bec361699e1c033460964158531adf15d7ee)

7 months agokernel: add missing symbol
Koen Vandeputte [Mon, 28 Oct 2019 14:55:11 +0000 (15:55 +0100)]
kernel: add missing symbol

Discovered during layerscape compile-testing

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.14 to 4.14.150
Koen Vandeputte [Mon, 28 Oct 2019 13:40:43 +0000 (14:40 +0100)]
kernel: bump 4.14 to 4.14.150

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.9 to 4.9.197
Koen Vandeputte [Mon, 28 Oct 2019 13:24:03 +0000 (14:24 +0100)]
kernel: bump 4.9 to 4.9.197

Refreshed all patches.

Altered patches:
- 804-crypto-support-layerscape.patch

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Compiling target layerscape before this patch shows that it's broken.
Fixing it is out-of-scope for bumping the kernel and will
be done in a later patch.

The altered patch is a sample change which leaves the target
exactly as it was before this bump.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agobrcm2708: Add feature flag rootfs-part
Daniel F. Dickinson [Thu, 27 Dec 2018 03:33:57 +0000 (22:33 -0500)]
brcm2708: Add feature flag rootfs-part

Even with squashfs brcm2708 requires ROOTFS_PART_SIZE because the overlay
exists as a loopback device on the space not used by squashfs in the root
partition. Also for ext4 (the other fs option) ROOTFS_PART_SIZE is required,
so use feature flag rootfs-part to enable it.

Fixes FS#2166

Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
(cherry picked from commit 3bb44f42990a75e66972016cde75bed6a3f09ef9)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 months agoiptables: bump PKG_RELEASE
Yousong Zhou [Thu, 24 Oct 2019 10:34:06 +0000 (10:34 +0000)]
iptables: bump PKG_RELEASE

Package content changed with the previous two cherry-picks

  dff0b2104d kernel: netfilter: Add nf_tproxy_ipv{4,6} and nf_socket_ipv{4,6}
  a2fe698a40 kernel: Added required dependencies for socket match.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 months agokernel: Added required dependencies for socket match.
Oldřich Jedlička [Tue, 29 Jan 2019 21:25:33 +0000 (22:25 +0100)]
kernel: Added required dependencies for socket match.

This applies to kernel 4.10 and newer.

See https://github.com/torvalds/linux/commit/8db4c5be88f62ffd7a552f70687a10c614dc697b

The above commit added to kernel 4.10 added new dependency
for building the NETFILTER_XT_MATCH_SOCKET (xt_socket.ko)
module. The NF_SOCKET_IPVx options (both of them) need to
be enabled in order to build the NETFILTER_XT_MATCH_SOCKET
module. Without the change the module is not built.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
(cherry picked from commit 66e875a07033cdcfd8c4a16940d4acfe63c60202)
(required for fixing FS#2531)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 months agokernel: netfilter: Add nf_tproxy_ipv{4,6} and nf_socket_ipv{4,6}
Hauke Mehrtens [Sun, 18 Nov 2018 17:15:56 +0000 (18:15 +0100)]
kernel: netfilter: Add nf_tproxy_ipv{4,6} and nf_socket_ipv{4,6}

The nf_socket.ko module was split in commit 8db4c5be88f ("netfilter:
move socket lookup infrastructure to nf_socket_ipv{4,6}.c") into a
common, n IPv4 and an IPv6 part.
The nf_tproxy.ko module was split in commit 45ca4e0cf27 ("netfilter:
Libify xt_TPROXY") into a common, an IPv4 and an IPv6 part.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 89806545cc1711f4e33c1c2ac5265aec4afe8078)
(required for fixing FS#2531)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 months agotcpdump: update to 4.9.3
DENG Qingfang [Sat, 12 Oct 2019 16:29:13 +0000 (00:29 +0800)]
tcpdump: update to 4.9.3

Fixed CVEs:
CVE-2017-16808
CVE-2018-10103
CVE-2018-10105
CVE-2018-14461
CVE-2018-14462
CVE-2018-14463
CVE-2018-14464
CVE-2018-14465
CVE-2018-14466
CVE-2018-14467
CVE-2018-14468
CVE-2018-14469
CVE-2018-14470
CVE-2018-14879
CVE-2018-14880
CVE-2018-14881
CVE-2018-14882
CVE-2018-16227
CVE-2018-16228
CVE-2018-16229
CVE-2018-16230
CVE-2018-16300
CVE-2018-16301
CVE-2018-16451
CVE-2018-16452
CVE-2019-15166
CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
(cherry picked from commit 394273c066b8f4317b77f3ede216cfcdd45250c1)

7 months agolibpcap: update to 1.9.1
DENG Qingfang [Sat, 12 Oct 2019 16:28:32 +0000 (00:28 +0800)]
libpcap: update to 1.9.1

Fixed CVEs:
CVE-2018-16301
CVE-2019-15161
CVE-2019-15162
CVE-2019-15163
CVE-2019-15164
CVE-2019-15165

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
(cherry picked from commit 44f11353de044834a442d3192b66579b99305720)

7 months agolibpcap: update to 1.9.0
Syrone Wong [Thu, 26 Jul 2018 14:46:38 +0000 (22:46 +0800)]
libpcap: update to 1.9.0

001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch dropped due to upstream
002-Add-missing-compiler_state_t-parameter.patch dropped due to upstream

202-protocol_api.patch dropped due to implemented upstream by another way
upstream commit: https://github.com/the-tcpdump-group/libpcap/commit/55c690f6f834b4762697d7a134de439c9096c921
and renamed via: https://github.com/the-tcpdump-group/libpcap/commit/697b1f7e9b1d6f5a5be04f821d7c5dc62458bb3b

ead is the only user who use the protocol api, we have to use the new api since libpcap 1.9.0

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
7 months agokernel: bump 4.14 to 4.14.149
Koen Vandeputte [Mon, 14 Oct 2019 12:30:25 +0000 (14:30 +0200)]
kernel: bump 4.14 to 4.14.149

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.14 to 4.14.148
Koen Vandeputte [Tue, 8 Oct 2019 13:04:58 +0000 (15:04 +0200)]
kernel: bump 4.14 to 4.14.148

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.9 to 4.9.196
Koen Vandeputte [Tue, 8 Oct 2019 13:01:15 +0000 (15:01 +0200)]
kernel: bump 4.9 to 4.9.196

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.14 to 4.14.147
Koen Vandeputte [Mon, 7 Oct 2019 11:10:45 +0000 (13:10 +0200)]
kernel: bump 4.14 to 4.14.147

Refreshed all patches.

Compile-tested on: cns3xxx, imx6
Compile-tested on: cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
7 months agokernel: bump 4.9 to 4.9.195
Koen Vandeputte [Mon, 7 Oct 2019 11:06:05 +0000 (13:06 +0200)]
kernel: bump 4.9 to 4.9.195

Refreshed all patches.

Altered patches:
- 403-mtd_fix_cfi_cmdset_0002_status_check.patch

Compile-tested on: ar71xx
Compile-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agoapm821xx: fix fan control on highest step
Christian Lamparter [Sat, 28 Sep 2019 12:31:16 +0000 (14:31 +0200)]
apm821xx: fix fan control on highest step

This patch removes a typo (extra "0") so that the 'cpu-alert6'
step is triggered once the system reaches 85°C.

Note: Unless the WNDR4700 is placed in an hot oven, the
hardware-monitor will never reach this value.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
8 months agobrcm47xx: sysupgrade: fix device model detection
Rafał Miłecki [Thu, 26 Sep 2019 04:45:11 +0000 (06:45 +0200)]
brcm47xx: sysupgrade: fix device model detection

$(board_name) was providing content on "boardtype" (and optionally
"boardnum") NVRAM values. That function requires & expects more specific
and detailed model name extracted from the /proc/cpuinfo.

Fixes: f12a32630ff5 ("treewide: use the generic board_name function")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
8 months agokernel: bump 4.14 to 4.14.146
Koen Vandeputte [Tue, 24 Sep 2019 09:07:18 +0000 (11:07 +0200)]
kernel: bump 4.14 to 4.14.146

Refreshed all patches.

Fixes:
- CVE-2019-14814
- CVE-2019-14815
- CVE-2019-14816
- CVE-2019-14821

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.9 to 4.9.194
Koen Vandeputte [Tue, 24 Sep 2019 08:59:28 +0000 (10:59 +0200)]
kernel: bump 4.9 to 4.9.194

Refreshed all patches.

Fixes:
- CVE-2019-14814
- CVE-2019-14815
- CVE-2019-14816
- CVE-2019-14821

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agohostapd: Fix AP mode PMF disconnection protection bypass
Hauke Mehrtens [Fri, 20 Sep 2019 20:20:16 +0000 (22:20 +0200)]
hostapd: Fix AP mode PMF disconnection protection bypass

This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit a6981604b30bc1ddc1713b368fe853d89c2ba40d)

8 months agohostapd: SAE/EAP-pwd side-channel attack update
Hauke Mehrtens [Sun, 8 Sep 2019 21:53:18 +0000 (23:53 +0200)]
hostapd: SAE/EAP-pwd side-channel attack update

Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7bed9bf10fc8d05df34c7efc66e8b4ade37a1a0c)

8 months agombedtls: update to 2.16.3
Magnus Kroken [Wed, 18 Sep 2019 19:22:16 +0000 (21:22 +0200)]
mbedtls: update to 2.16.3

Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 49d96ffc5c47e40b7f3d99a91a42ea8a54a38bd9)

8 months agombedtls: Update to version 2.16.2
Josef Schlehofer [Tue, 18 Jun 2019 22:31:03 +0000 (00:31 +0200)]
mbedtls: Update to version 2.16.2

Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
(cherry picked from commit a2f54f6d5d98211e9c58420eed8c67f4fca83665)

8 months agoopenssl: bump to 1.0.2t, add maintainer
Eneas U de Queiroz [Tue, 17 Sep 2019 19:01:24 +0000 (16:01 -0300)]
openssl: bump to 1.0.2t, add maintainer

This version fixes 3 low-severity vulnerabilities:

- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
                 CMS_decrypt_set1_pkey

Patches were refreshed, and Eneas U de Queiroz added as maintainer.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
8 months agokernel: bump 4.14 to 4.14.145
Koen Vandeputte [Fri, 20 Sep 2019 13:09:54 +0000 (15:09 +0200)]
kernel: bump 4.14 to 4.14.145

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.14 to 4.14.144
Koen Vandeputte [Wed, 18 Sep 2019 13:07:31 +0000 (15:07 +0200)]
kernel: bump 4.14 to 4.14.144

Refreshed all patches.

Fixes:
- CVE-2019-15030

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.9 to 4.9.193
Koen Vandeputte [Wed, 18 Sep 2019 13:05:34 +0000 (15:05 +0200)]
kernel: bump 4.9 to 4.9.193

Refreshed all patches.

Fixes:
- CVE-2019-15030

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agomac80211: brcmfmac: backport the last 5.4 changes
Rafał Miłecki [Mon, 16 Sep 2019 06:04:27 +0000 (08:04 +0200)]
mac80211: brcmfmac: backport the last 5.4 changes

This makes brcmfmac use the same wiphy after PCIe reset to help user
space handle corner cases (e.g. firmware crash).

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit f39f4b2f6d4300995270f635261b07197e8cf61e)

8 months agoar71xx: fix potential IRQ misses during dispatch for qca953x
Koen Vandeputte [Wed, 11 Sep 2019 10:51:12 +0000 (12:51 +0200)]
ar71xx: fix potential IRQ misses during dispatch for qca953x

If both interrupts are set in the current implementation
only the 1st will be handled and the 2nd will be skipped
due to the "if else" condition.

Fix this by using the same approach as done for QCA955x
just below it.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agoar71xx: Fix potentially missed IRQ handling during dispatch
Koen Vandeputte [Wed, 11 Sep 2019 10:29:53 +0000 (12:29 +0200)]
ar71xx: Fix potentially missed IRQ handling during dispatch

If both interrupts are set in the current implementation
only the 1st will be handled and the 2nd will be skipped
due to the "if else" condition.

Fix this by using the same approach as done for QCA955x
just below it.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.14 to 4.14.143
Koen Vandeputte [Wed, 11 Sep 2019 09:49:14 +0000 (11:49 +0200)]
kernel: bump 4.14 to 4.14.143

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.9 to 4.9.192
Koen Vandeputte [Wed, 11 Sep 2019 09:23:15 +0000 (11:23 +0200)]
kernel: bump 4.9 to 4.9.192

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agotools: mkimage: fix __u64 typedef conflict with new glibc
Yousong Zhou [Wed, 11 Sep 2019 13:25:17 +0000 (13:25 +0000)]
tools: mkimage: fix __u64 typedef conflict with new glibc

Including "sys/stat.h" from newer glibc will cause __u64 from linux uapi
header to be included, causing compilation failure for u-boot tools
USE_HOSTCC

Remove typedef for __u64 in include/compiler.h to fix the issue.  It should be
safe because as of u-boot-2018.03, no ref to __u64 is found under u-boot tools/
directory

Error message snippet follows

  HOSTCC  tools/mkenvimage.o
In file included from /usr/include/asm-generic/types.h:7,
 from /usr/include/asm/types.h:5,
 from /usr/include/linux/types.h:5,
 from /usr/include/linux/stat.h:5,
 from /usr/include/bits/statx.h:30,
 from /usr/include/sys/stat.h:446,
 from tools/mkenvimage.c:21:
/usr/include/asm-generic/int-ll64.h:31:42: error: conflicting types for '__u64'
   31 | __extension__ typedef unsigned long long __u64;
      |                                          ^~~~~
In file included from <command-line>:
././include/compiler.h:69:18: note: previous declaration of '__u64' was here
   69 | typedef uint64_t __u64;
      |                  ^~~~~
make[5]: *** [scripts/Makefile.host:116: tools/mkenvimage.o] Error 1

Ref: https://forum.openwrt.org/t/compile-error-19-07/44423
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1699194
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
8 months agokernel: bump 4.14 to 4.14.142
Koen Vandeputte [Mon, 9 Sep 2019 11:07:58 +0000 (13:07 +0200)]
kernel: bump 4.14 to 4.14.142

Refreshed all patches.

Remove upstreamed:
- 0032-usb-host-fotg2-restart-hcd-after-port-reset.patch

Compile-tested on: cns3xxx, imx6
Runtime-tested on: cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agokernel: bump 4.9 to 4.9.191
Koen Vandeputte [Mon, 9 Sep 2019 10:43:30 +0000 (12:43 +0200)]
kernel: bump 4.9 to 4.9.191

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
8 months agoramips: fix duplicate network setup for dlink, dir-615-h1
Adrian Schmutzler [Sat, 7 Sep 2019 15:06:51 +0000 (17:06 +0200)]
ramips: fix duplicate network setup for dlink, dir-615-h1

In 555ca422d1cb ("ramips: fix D-Link DIR-615 H1 switch port
mapping"), port setup for dir-615-h1 was changed without removing
the old one. This was working as the new one was triggered earlier
than the old one.

(In the meantine, changed sorting during ramips rename patches
actually inversed that order.)

Anyway, just remove the wrong case now.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit e35e4a996e26f17b69d200505ecea78af96a2704)

8 months agoramips: fix D-Link DIR-615 H1 switch port mapping
Mirko Parthey [Sat, 7 Sep 2019 15:06:50 +0000 (17:06 +0200)]
ramips: fix D-Link DIR-615 H1 switch port mapping

Reuse a device-specific switch port mapping which also applies to the
D-Link DIR-615 H1.

Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
[cherry-pick/rebase]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 555ca422d1cbc2db354c0ed03d1a79650f590859)

8 months agoramips: remove duplicate case for MAC setup of freestation5
Adrian Schmutzler [Sat, 7 Sep 2019 15:06:49 +0000 (17:06 +0200)]
ramips: remove duplicate case for MAC setup of freestation5

ARC FreeStation5 is present twice in MAC address setup.

>From older commits/changes, it is not possible to reconstruct
the correct choice only by reading the annotations.

Thus, remove the second case and keep the first one, so behavior
stays the same (as nobody seems to have complained about it).

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit ad4eb2241b33b05b0942a3fa7ed2e53fb6e84386)

8 months agomac80211: brcmfmac: backport more kernel 5.4 changes
Rafał Miłecki [Mon, 9 Sep 2019 07:37:53 +0000 (09:37 +0200)]
mac80211: brcmfmac: backport more kernel 5.4 changes

Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54d2e59135bb706c38bed942f74ccf74)

9 months agobzip2: Fix CVE-2019-12900
Josef Schlehofer [Sun, 1 Sep 2019 18:34:01 +0000 (20:34 +0200)]
bzip2: Fix CVE-2019-12900

More details about this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
9 months agoar71xx: WNR2200: remove redundant GPIO for WLAN LED
Michal Cieslakiewicz [Fri, 2 Aug 2019 15:12:34 +0000 (17:12 +0200)]
ar71xx: WNR2200: remove redundant GPIO for WLAN LED

Without this patch, an extra entry appears for AR9287 GPIO
that duplicates WLAN LED but in fact drives nothing:

gpiochip1: GPIOs 502-511, ath9k-phy0:
 gpio-502 (                    |netgear:blue:wlan   ) out hi
 gpio-503 (                    |netgear:amber:test  ) out hi
 gpio-504 (                    |netgear:green:power ) out lo
 gpio-505 (                    |rfkill              ) in  hi
 gpio-507 (                    |wps                 ) in  hi
 gpio-508 (                    |reset               ) in  hi
 gpio-510 (                    |ath9k-phy0          ) out hi <===!

The pin pointed above is default LED GPIO (8) for AR9287.
For WNR2200 it is not connected anywhere - pin 0 drives blue WLAN
LED instead - but initialization code is missing that information.

This fix calls ap9x_pci_setup_wmac_led_pin() function at device
setup, forcing WLAN LED pin to be 0 and removing redundant entry.

Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
9 months agokernel: bump 4.14 to 4.14.141
Koen Vandeputte [Thu, 29 Aug 2019 09:00:17 +0000 (11:00 +0200)]
kernel: bump 4.14 to 4.14.141

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agoath9k: backport dynack improvements
Koen Vandeputte [Wed, 28 Aug 2019 10:12:41 +0000 (12:12 +0200)]
ath9k: backport dynack improvements

Close cooperation with Lorenzo Bianconi resulted
in these patches which fix all remaining seen issues
when using dynack.

Fix link losses when:
- Late Ack's are not seen or not present
- switching from too low static coverage class to dynack on a live link

These are fixed by setting the Ack Timeout/Slottime to
the max possible value for the currently used channel width when
a new station has been discovered.

When traffic flows, dynack is able to adjust to optimal values
within a few packets received (typically < 1 second)

These changes have been thoroughly tested on ~60 offshore devices
all interconnected using mesh over IBSS and dynack enabled on all.

Distances between devices varied from <100m up to ~35km

[move patches to correct folder + renumber]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
(cherry picked from commit f6e8ba0238fe349b7529357793e2fb18635819ed)

9 months agokernel: bump 4.14 to 4.14.140
Koen Vandeputte [Tue, 27 Aug 2019 10:32:17 +0000 (12:32 +0200)]
kernel: bump 4.14 to 4.14.140

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agokernel: bump 4.9 to 4.9.190
Koen Vandeputte [Tue, 27 Aug 2019 10:31:51 +0000 (12:31 +0200)]
kernel: bump 4.9 to 4.9.190

Refreshed all patches.

Fixes:
- CVE-2019-3900

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agokernel: bump 4.14 to 4.14.139
Koen Vandeputte [Fri, 16 Aug 2019 10:05:22 +0000 (12:05 +0200)]
kernel: bump 4.14 to 4.14.139

Refreshed all patches.

Also add a missing symbol for x86 which got used now in this bump.
- ISCSI_IBFT

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agomusl: Fix CVE-2019-14697
Hauke Mehrtens [Sun, 18 Aug 2019 21:24:43 +0000 (23:24 +0200)]
musl: Fix CVE-2019-14697

musl libc through 1.1.23 has an x87 floating-point stack adjustment
imbalance, related to the math/i386/ directory. In some cases, use of
this library could introduce out-of-bounds writes that are not present
in an application's source code.

This problem only affects x86 and no other architectures.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit c262daf308e0f0bd93bb5c5ee6238773935079ee)

9 months agoiptables: patch CVE-2019-11360 (security fix)
Jan Pavlinec [Thu, 15 Aug 2019 10:51:52 +0000 (12:51 +0200)]
iptables: patch CVE-2019-11360 (security fix)

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
9 months agomusl: ldso/dlsym: fix mips returning undef dlsym
Luiz Angelo Daros de Luca [Tue, 13 Aug 2019 06:01:07 +0000 (03:01 -0300)]
musl: ldso/dlsym: fix mips returning undef dlsym

This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.

Backporting upstream fix which now uses the same logic for relocation
time and dlsym.

Fixes openwrt/packages#9297

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
9 months agowolfssl: fixes for CVE-2018-16870 & CVE-2019-13628
Eneas U de Queiroz [Mon, 5 Aug 2019 17:45:41 +0000 (14:45 -0300)]
wolfssl: fixes for CVE-2018-16870 & CVE-2019-13628

CVE-2018-16870: medium-severity, new variant of the Bleichenbacher
attack to perform downgrade attacks against TLS, which may lead to
leakage of sensible data. Backported from 3.15.7.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
9 months agokernel: bump 4.14 to 4.14.138
Koen Vandeputte [Mon, 12 Aug 2019 08:45:33 +0000 (10:45 +0200)]
kernel: bump 4.14 to 4.14.138

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agokernel: bump 4.9 to 4.9.189
Koen Vandeputte [Mon, 12 Aug 2019 08:11:14 +0000 (10:11 +0200)]
kernel: bump 4.9 to 4.9.189

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agoxfsprogs: Replace valloc with posix_memalign
Rosen Penev [Mon, 6 May 2019 21:57:18 +0000 (14:57 -0700)]
xfsprogs: Replace valloc with posix_memalign

Fixes compilation under uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit e49b6bb61828b8b903db0ef48113b4065a215c63)

9 months agolibbsd: Fix compilation under ARC
Rosen Penev [Wed, 1 May 2019 17:04:45 +0000 (10:04 -0700)]
libbsd: Fix compilation under ARC

The 8 year old file does not have any ARC definitions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 395bef4bbacc0dd1cca72907529539194504be27)

9 months agonftables: Fix compilation with uClibc-ng
Rosen Penev [Wed, 1 May 2019 17:08:10 +0000 (10:08 -0700)]
nftables: Fix compilation with uClibc-ng

Missing header for va_list.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
(cherry picked from commit 2f977974714468e1a0ee20e4cce233da63d06dd0)

9 months agotools/patch: apply upstream patch for cve-2019-13638
Russell Senior [Sun, 11 Aug 2019 20:57:08 +0000 (13:57 -0700)]
tools/patch: apply upstream patch for cve-2019-13638

GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed style

diff payload with shell metacharacters. The ed editor does not need to be
present on the vulnerable system. This is different from CVE-2018-1000156.

https://nvd.nist.gov/vuln/detail/CVE-2019-13638

Signed-off-by: Russell Senior <russell@personaltelco.net>
(cherry picked from commit bcfd1d76852974170780dbe368e6194dbb0e123e)

9 months agotools/patch: apply upstream patch for CVE-2019-13636
Russell Senior [Mon, 29 Jul 2019 19:09:09 +0000 (12:09 -0700)]
tools/patch: apply upstream patch for CVE-2019-13636

In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.

https://nvd.nist.gov/vuln/detail/CVE-2019-13636

Signed-off-by: Russell Senior <russell@personaltelco.net>
(cherry picked from commit 995bcc532943639f3df36dbcaa361f9167f9f4d5)

9 months agokernel: bump 4.14 to 4.14.137
Koen Vandeputte [Wed, 7 Aug 2019 12:25:32 +0000 (14:25 +0200)]
kernel: bump 4.14 to 4.14.137

Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agokernel: bump 4.9 to 4.9.188
Koen Vandeputte [Wed, 7 Aug 2019 11:54:26 +0000 (13:54 +0200)]
kernel: bump 4.9 to 4.9.188

Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agoconfig: introduce separate CONFIG_SIGNATURE_CHECK option
Jo-Philipp Wich [Tue, 6 Aug 2019 19:22:27 +0000 (21:22 +0200)]
config: introduce separate CONFIG_SIGNATURE_CHECK option

Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.

Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.

As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f565f276e2c06ac8f3176e0b16d6f2d40cd653d4)

9 months agopackages: apply usign padding workarounds to package indexes if needed
Jo-Philipp Wich [Wed, 7 Aug 2019 05:15:07 +0000 (07:15 +0200)]
packages: apply usign padding workarounds to package indexes if needed

Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.

While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446c7ceb696b644b37aeab9b3476e2a57)

9 months agousign: update to latest Git HEAD
Jo-Philipp Wich [Tue, 6 Aug 2019 18:55:39 +0000 (20:55 +0200)]
usign: update to latest Git HEAD

This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.

5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 991dd5a89340367920315a3fd0390a7423e6b34a)

9 months agokernel: bump 4.14 to 4.14.136
Koen Vandeputte [Mon, 5 Aug 2019 10:21:47 +0000 (12:21 +0200)]
kernel: bump 4.14 to 4.14.136

Refreshed all patches.

Altered patches:
- 306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

Remove upstreamed:
- 505-arm64-dts-marvell-Fix-A37xx-UART0-register-size

Fixes:
- CVE-2019-13648
- CVE-2019-10207

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
9 months agokernel: bump 4.9 to 4.9.187
Koen Vandeputte [Mon, 5 Aug 2019 09:06:09 +0000 (11:06 +0200)]
kernel: bump 4.9 to 4.9.187

Refreshed all patches.

Altered patches:
- 021-bridge-multicast-to-unicast.patch

Remove upstreamed:
- 001-um-Allow-building-and-running-on-older-hosts.patch
- 003-um-Fix-check-for-_xstate-for-older-hosts.patch

Fixes:
- CVE-2019-10207
- CVE-2019-13648

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
10 months agoar71xx: wpj531: fix SIG1/RSS1 LED GPIO
Leon M. George [Fri, 26 Jul 2019 18:21:26 +0000 (20:21 +0200)]
ar71xx: wpj531: fix SIG1/RSS1 LED GPIO

In commit 6c937df749c7 ("ar71xx: wpj531: fix GPIOs for LED") wrong GPIO
13 for SIG1/RSS1 LED was commited, the correct GPIO number for this LED
is 12.

It's listed in "Hardware Guide - wpj531 7A06 (02/07/2019)" as GPIO12/RSS1
on the LED header and same GPIO 12 is used in the vendor's SDK as well.

Fixes: 6c937df749c7 ("ar71xx: wpj531: fix GPIOs for LED")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit subject/message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit c070662980047838004b83f7af59e7015d3c7922)

10 months agoar71xx: fix HiveAP 121 PLL for 1000M
David Bauer [Tue, 30 Jul 2019 17:16:21 +0000 (19:16 +0200)]
ar71xx: fix HiveAP 121 PLL for 1000M

The Aerohive HiveAP 121 has the wrong PLL value set for Gigabit speeds,
leading to packet-loss. 10M and 100M work fine.

This commit sets the Gigabit Ethernet PLL value to the correct value,
fixing packet loss.

Confirmed with iperf and floodping.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit cb49e46a8a4526d86270ced3ba3aa90225ca82d7)