git.openwrt.org Git - openwrt/staging/dedeckeh.git/log

bcm53xx: include wpad-mini only on devices with (supported) wireless

Don't include wpad-mini when it's useless just like we don't include
useless wireless drivers.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

firmware-utils: fix dgn3500sum compiler warnings

The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.

While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ca-certificates: Update to version 20161130+nmu1

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

openvpn: update to 2.4.3

Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>

mbedtls: update to 2.5.1

Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>

bcm53xx: enable Northstar thermal driver

It allows monitoring CPU temp and will shutdown system on critical
value.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

kernel: backport Broadcom thermal drivers

This includes driver for Northstar and for Raspberry Pi.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

Revert "dnsmasq: don't point --resolv-file to default location unconditionally"

This reverts commit 78edfff5303533dc52a1ac64ad745acc0a8a743e.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

dropbear: fix service trigger syntax error

The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

ramips: fix Phicomm K1S(PSG1208) pinmux

Use gpio function for pins with LEDs.

Signed-off-by: 小桥 <29551030@qq.com>

LEDE v17.01.2: revert to branch defaults

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

LEDE v17.01.2: adjust config defaults

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

build: ensure that flock is available for make download

It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)

Signed-off-by: Felix Fietkau <nbd@nbd.name>

include/toplevel: set env GIT_ASKPASS=/bin/true

When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

base-files: network.sh: fix a number of IPv6 logic flaws

* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

mwlwifi: update to version 10.3.4.0 / 2017-06-06

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

automake: import upstream fix for perl 5.26

Build broke as distributions now include Perl 5.26 and automake
triggered an "Unescaped left brace in regex" error.
Import upstream commit 13f00eb449 to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

base-files: network.sh: properly report local IPv6 addresses

Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

kernel: update kernel 4.4 to 4.4.71

Fixes the following security vulnerabilities:

CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.

CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.

CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.

CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Add missing APU1 reference to x86 board.d

x86 board.d only contains a case for the APU2, not the APU1. This
causes, for example, network configuration not to be created correctly.
Even though the APU1 seems to reaching EOL, there a still a lot of them
out there.

The APU1 and APU2 is configured in the same way and this patch should
also be considered for stable, as the error also exists there.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>

base-files: always set proto passed to _ucidef_set_interface()

Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>

lantiq: fix broadcasts and vlans in two iface mode

The two phy operation mode where one phy is assigned to an interface
without lantiq,* device tree property and the other phy is assigned to
an interface with the lantiq,wan device property was broken with the
multicast package leaks between vlans fixes.

Move the multicast packages relevant portmap settings to the condition
which handles multicast packages for better readability.

Replace the priv->port_map based port_map only for the interface which
has the lantiq,switch device tree property set, to allow tagged
multicast packages in two phy mode where the lantiq,switch device tree
property isn't used.

Signed-off-by: Mathias Kresin <dev@kresin.me>

lantiq: select kmod-mt7603 instead of kmod-mt76 for WBMR-300HPD

Signed-off-by: Felix Fietkau <nbd@nbd.name>

lantiq: use the P2812HNUF* wan port as wan

The port is labeled as wan and was only used as lan port because of the
"tx ring full" issues fixed with 8f02f7c.

Signed-off-by: Mathias Kresin <dev@kresin.me>

lantiq: xrx200: use vlan for ethernet wan port

Using the lantiq,wan device tree property for one interface node and
the lantiq,switch device tree property for another interface node at
the same time was never intended/isn't supported at the moment.

The property is meant to be used in two phy operation mode where one
phy is assigned to an interface without lantiq,* device tree property
and the other phy is assigned to an interface with the lantiq,wan
device property to have two netdevs.

If both properties are used at the same time, the lantiq,wan interface
is shown as independent netdev but not able to operate independent. The
port needs to be managed via swconfig. These dependency is not obvious
and fooled already a lot of users.

Add a default WAN vlan for xrx200 devices having an ethernet WAN port
and remove the lantiq,wan device tree property. Leave it up to the user
to set the ethernet WAN port as default WAN interface or to use this
port as additional LAN port.

Signed-off-by: Mathias Kresin <dev@kresin.me>

x86: disable X2APIC support for legacy subtargets

Explicitely disable X2APIC support on legacy targets since the targeted
processor types do not support it anyway there.

Fixes FS#285.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

umdns: remove superfluous include in init script

The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

dnsmasq: bump to 2.77

This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

dnsmasq: make tftp root if not existing

If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>

dnsmasq: use logical interface name for dhcp relay config

The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>

dnsmasq: don't point --resolv-file to default location unconditionally

If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]

ar71xx: fix Wallys DR344 GPIO-connected LEDs and button

This fixes wrong GPIO numbers for LEDs and button in Wallys DR344 board
and sets color of all LEDs to green as the mass production boards have
only green one.

Actually, DR344 has 6 GPIO-connected LEDs and one button:

- GPIO11: status
- GPIO12: sig1
- GPIO13: sig2
- GPIO14: sig3
- GPIO15: sig4
- GPIO16: reset button
- GPIO17: lan

WAN LED is connected directly with AR8035 PHY.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

ar71xx: set GE interface as wan by default in Wallys DR344

This aligns default network interfaces configuration with vendor
firmware: GE (eth0) -> wan, FE (eth1) -> lan.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

ar71xx: fix GE interface support in Wallys DR344

GMAC0 interface of AR9344 SOC in Wallys DR344 board is connected with
AR8035, not with AR8327. Without this fix, GE interface doesn't work at
all or shows high packet loss ratio.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

toolchain/gdb: update to version 7.12.1

Update gdb to version 7.12.1.

GDB 7.12.1 brings the following fixes and enhancements over GDB 7.12:

   * PR tdep/20682 (aarch64 regression: gdb.cp/nextoverthrow.exp)
   * PR server/20733 (Failed to build aarch64_be-linux-gnu GDBserver)
   * PR tdep/20953 (GDB crashes after "set architecture rl78")
   * PR tdep/20954 (GDB crashes if "set architecture rx")
   * PR tdep/20955 (GDB internal error in cris-tdep.c)
   * PR build/20712 (gdb 7.12+ doesn't build as C++ on Solaris)
   * PR breakpoint/20653 (string_to_explicit_location has some weird code)
   * PR build/20753 (MinGW compilation errors due to strcasecmp)
   * PR gdb/20977 (GDB exception handling is broken on i686-w64-mingw32)
   * PR python/21048 (backtrace is broken on i686)
   * PR sim/20808 (mips sim build fails due to undefined SD/CPU variables)
   * PR sim/20809 (mips sim build fails for r3900 cpus)
   * PR gdb/20939 (GDB aborts

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>

usbmode: update usb-modeswitch-data to 20170205

add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>

usbmode: update to latest version

453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>

usbmode: Update to latest HEAD

Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

samba: bump PKG_RELEASE

The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

firewall: resync with master

Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

mac80211, hostapd: always explicitly set beacon interval

One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

hostapd: add legacy_rates option to disable 802.11b data rates.

Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]

ipq806x: fix Netgear X4 R7500 ath10k firmware selection

Netgear X4 R7500 comes with a QCA988X. Select a firmware that matches
the ath10k chipset

Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>

treewide: select ath10k firmware explicit

Do not rely on the default firmware selected by ath10k.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ath10k-firmware: do not select the qca988x by default

Do not select the qca988x by default as soon as kmod-ath10k is
selected. We do support more ath10k chips than the qca988x in the
meantime, so this dependency doesn't make sense any longer.

Signed-off-by: Mathias Kresin <dev@kresin.me>

build: fix possible issue with kmod package having multiple AutoLoad's

This commit contains the following changes

- Use local shell var where appliable
- The $(sort $$$$$$$$mods) call will have no expected effect
- Avoid EEXIST when creating symlinks in /etc/modules-boot.d/
- Avoid duplicate arguments for insert_modules() in postinst-pkg

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

kernel: update kernel 4.4 to 4.4.70

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

kernel: fix autoloading arch-specific modules

Fixes FS#745

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

backlight-pwm: fix module description

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

kernel: update kernel 4.4 to 4.4.69

Bump the 17.01 tree kernel to 4.4.69. Trunk 4.4 and 17.01 4.4 have diverged, talked this
through with jow, he was okay with a clean diff against 17.01 and not a backported trunk
patch.

The following patches were applied upstream:

* 062-[1-6]-MIPS-* series
* 042-0004-mtd-bcm47xxpart-fix-parsing-first-block

Reintroduced lantiq/patches-4.4/0050-MIPS-Lantiq-Fix-cascaded-IRQ-setup, as
it was incorrectly included upstream thus dropped from LEDE, but subsequently
reverted upstream. Thanks to Kevin Darbyshire-Bryant for pointing me to it.

Compile-tested on: ar71xx, ramips/mt7621, x86/64.

Run-tested on: ar71xx, ramips/mt7621, x86/64.

Signed-off-by: Stijn Segers <francesco.borromini@inventati.org>

binutils: fix build with host gcc < 4.9

binutils 2.27 checks if the target compiler supports -Wstack-
usage=262144, and also uses this setting for the host compiler. If the
host compiler is gcc < 4.9 binutils build will fail. This backports 2
commits which are fixing this problem for binutils 2.28.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

util-linux: fix build with uclibc

Fix build of scriptreplay with uClibc.
Some parts of the libm detection were backported to 2.29.2, but some
parts were missing, which are added here. This patch is needed when
libm is a separate library, this is not needed for LEDE master, because
libm is there integrated in the libc for uClibc and musl.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>

dropbear: bump to 2017.75

- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

samba: fix CVE-2017-7494

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da77d8833a725f99f6fa08640678a1ae)

umdns: update to the version 2017-05-22

This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label

Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.

Fixes: 474c31a20d834 ("umdns: update to the version 2017-03-21")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

bcm53xx: add support for TP-LINK Archer C5 V2

This model also contains few partitions non-discoverable partitions we
need to "protect". Othen than that it uses non-deprecated serial entry
in DTS that doesn't work with LEDE so we need to workaround it as well.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

firmware-utils: tplink-safeloader: add support for Archer C5 V2

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

fstools: backport regression fix for volume_identify

This fixes regression when volume_identify didn't identify volume on
subsequent calls.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

imagebuilder: fix bundling of DTS sources

Refer to LINUX_KARCH instead of ARCH when bundling DTS files in the image
builder tarball.

While we're at it, also dereference symbolic links when copying as some
kernel architectures contain symbolic links in their DTS directories.

This fixes aarch64 imagebuilders such as brcm2708/bcm2710 ones in particular
as the kernel refers to "aarch64" as "arm64" internally.

Ref: https://forum.lede-project.org/t/lede-image-builder-problem/3680

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

image.mk: Generate cpiogz with root-owned files

Some files (e.g. /etc/dropbear) need to be owned by root. Add cpio
option to ensure that.

Other image types (at least targz and squashfs) already have this.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>

ramips: add om-watchdog to rut5xx DEVICE_PACKAGES

Add om-watchdog as default package for rut5xx.

Signed-off-by: Steffen Weinreich <steve@weinreich.org>

om-watchdog: add support for Teltonika RUT5xx (ramips)

Add rut5xx GPIO PIN selection to om-package startup script.

Testet on a RUT500 device, the timeout value of the hardware watchdog
is about 280 sec.

Signed-off-by: Steffen Weinreich <steve@weinreich.org>
[split into two commits, bump PKG_RELEASE]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

om-watchdog: cosmetic code style fixes

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

om-watchdog: cleanup Makefile

Drop redundant Build/Prepare, empty lines and duplicated Build/Compile.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

ar71xx: enable nand-utils in the mikrotik subtarget to ensure it makes it to initramfs

Without it, sysupgrade from initramfs to nand fails

Signed-off-by: Felix Fietkau <nbd@nbd.name>

openvpn: update to v2.4.2

Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

openvpn: add myself as maintainer

Signed-off-by: Felix Fietkau <nbd@nbd.name>

OpenVPN: Update to 2.4.1

Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

openvpn: add extra respawn parameters

This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.

When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.

With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>

openvpn: move list of params and bools to a separate file

So that future patches for addition/removal of them can be more
readable

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

ramips: fixup-mac-address: add missing include

Add missing include of ramips.sh in order to import the missing
ramips_board_name() procedure.

Fixes FS#774.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

dnsmasq: support dhcp_option config as a list

Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

bcm53xx: backport DT patches for serial, thermal and MDIO

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

ramips: add factory firmware for Tp-Link C20i/C50

TP-Link firmware doesn't accept sysupgrade.bin with metadata.

Signed-off-by: Henryk Heisig <hyniu@o2.pl>

brcm63xx: fix invalid Asmax AR 1004g DTS reference

Build profile for Asmax AR 1004g refers to an invalid DTS "rg100a". The
correct DTS for this device is "ar1004g".

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>

lantiq: fix avm fritz box mac addresses

It has been shown that the Fritz boxes have the correct mac address set
in the wireless calibration data/eeeprom. Use this mac address as base
for the ethernet and xdsl interface increment/decrement the address to
match the values stored in the tffs.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ramips: enable ramdisk for mt7621

Fixes #758

Signed-off-by: Paul Spooren <paul@spooren.de>

ipq806x: fix EA8500 switch configuration

Do not assign the CPU port twice, this confuses LuCI and possible other
programs relying on topology information in board.json.

Ref: https://github.com/openwrt/luci/issues/1086

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

base-files: implement ucidef_set_hostname(), ucidef_set_ntpserver()

Commit 2036ae4 (base-files: support hostname and ntp servers through board.d)
was supposed to implement these procedures but lacked the required changes
to uci-defaults.sh.

Add the missing procedures now to fix config generation on targets relying
on hostname or NTP server presetting.

Fixes FS#754.

Reported-by: Cristian Morales Vega <cristian@samknows.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

mac80211: rt2800: fix mt7620 E2 channel registers

update RF register 47 and 54 values according to vendor driver

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]

mac80211: rt2800: fix mt7620 vco calibration registers

Use register values from init LNA function instead of the ones from
restore LNA function. Apply register values based on rx path
configuration.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]

mac80211: rt2x00: fix MT7620 LNA gain and VCO-after-ALC

This should fix issues with bad RX as well as AP not coming up and/or
scanning failing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

mac80211: rt2x00: import upstream changes and rebase our patches

Some of our local patches have been accepted upstream. And there are
some more relevant changes (mostly for rt2800usb). Import them and
rebase our remaining local patches on top.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

rt2x00: mt7620: make fixes requested upstream

Introduce RT6352 instead of matching against RF7620.
Clean up channel setting rfvals.
Port bandwidth filter calibration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

rt2x00: mt7620: yet another beauty session

So here is another round of improvements for MT7620 WiFi.

This commit fixes a few significant issues related to TX_PWR_CFG_x and
TX_ALC and also makes the code more readable by adding register
descriptions for things added for MT7620 and use the usual bit-field
access macros and the now defined macros instead of plain bit-ops and
magic numbers.

Properly describe EEPROM_TARGET_POWER at word 0x68 (== byte 0xD0) and
thereby fix internal TXALC which would otherwise just read
out-of-bounds of the EEPROM map.

Split-out tx-power/ALC related stuff into an additional function.
Fix VCO calibration, it was carried out properly in the channel
switching but incomplete in the actual VCO calibration function.
Also there is no need to trigger VCO calibration in channel switching,
the VCO calibration function is already being called at this point.
Remove it from channel switching function to avoid redundant code.

The TX power calibration differs significantly from all other
Mediatek/Ralink chips: They finally allow 0.5dB steps stored as 8-bit
values for (almost) each bitrate -- and promptly ran out of space and
for some reason didn't want to change the EEPROM layout. The hence
opted for a scheme of sharing values for some adjecent bitrates and
a highly over-complicated (or obfuscated?) way to populate the
TX_PWR_CFG_x registers with the values stored in the EEPROM.
The code here now looks much less complicated than what you see in the
vendor's driver, however, it does the exact same thing:
bGpwrdeltaMinus is a constant and always TRUE, hence half of the
code was dead. Gpwrdelta is always 0 (rather than using the value read
from the EEPROM). What remains is some very grotesque effort to avoid
0x20, probably some hardware bug related to some misunderstanding of
what a singed 8-bit value is (imagine: if it was a signed 6-bit value
then someone could believe that 0x20 == 0x0). And then they didn't
clean it up once they later on anandonned that whole story of having a
constant offset for 40 MHz channels and just set the offset to be
constant 0 -- there is no effort for avoiding 0x20 for the 20 MHz
values stored in the EEPROM, hence that's probably just a forbidden
value in the EEPROM specs and won't appear anyway...
Anyway, the whole thing felt like solving some college math test
where in the end everything cancels out and the result equals 0 ;)
To make sure that channel bandwidth power compensation really doesn't
need to be taken care of, output a warning when the corresponding
value stored in the EEPROM is non-zero.

Also there is no apparent reason to refrain from initializing RFCSR
register 13, it doesn't fail what-so-ever.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

mac80211: add rt2x00 debug symbols to PKG_CONFIG_DEPENDS

Chaning these symbols require a recompilation of the modules, so make the
system aware of it.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>

ath9k: fix power limits on init

The tx power applied by set_txpower is limited by the CTL (conformance
test limit) entries in the EEPROM. These can change based on the user
configured regulatory domain.
Depending on the EEPROM data this can cause the tx power to become too
limited, if the original regdomain CTLs impose lowr limits than the CTLs
of the user configured regdomain.

To fix this issue, set the initial channel limits without any CTL
restrictions and only apply the CTL at run time when setting the channel
and the real tx power.

Signed-off-by: Felix Fietkau <nbd@nbd.name>

ath: do not apply broken power limits with ATH_USER_REGD

If a device uses the default EEPROM code, typically only the main CTLs
are valid, and they do not apply properly when switching to a different
regulatory domain. If the regdomain deviates from the EEPROM one, force
the world roaming regdomain to ensure that power limits are sane

Signed-off-by: Felix Fietkau <nbd@nbd.name>

odhcpd: update to version 2017-04-28 (FS#595)

9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

odhcpd: update to version 2017-04-21

570069d ubus: rework dumping IPv6 and IPv4 leases
4e579c4 dhcpv6-ia: simplify logic to write statefile and dhcpv6 logging

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

build: fix symlinked .config handling

When running "make menuconfig" with symlinked .config (e.g. to
env/.config) it renames symlink to .config.old, creates new .config file
and writes updated configuration here.

This breaks the desired workflow when changes in the configuration could
be checked using "scripts/env diff" and commited with
"scripts/env save". Since the env/.config file is not updated.

Fix this issue by exporting KCONFIG_OVERWRITECONFIG=1, which forces
mconf to overwrite the .config content, instead of renaming it and
creating a new file. This variable is set only if .config is a symlink,
otherwise the variable is not exported and the old behaviour is
preserved.

Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>

ramips: WN3000RPv3: do not setup switch

The WN3000RPv3 is a repeater with a single ethernet port. Setting up the
switch, even to disable it, is unnecessary and possibly confusing.

Configure LAN as eth0 instead.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>

brcm63xx: Add Observa VH4032N support

Add support for the Observa Telecom VH4032N router.

This is another BCM6368 router, 128 MB RAM, 32MB flash and 3 USB
host ports.

The wifi chip is an onboard Broadcom BCM43222.

Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
[jonas.gorski: use gpio-hog instead of abusing ephy-reset]
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>

cns3xxx: use proper macro's for ID handling

Compiled & tested on cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>

ramips: add support for Sanlinking D240

The Sanlinking Technologies D240
(http://www.sanlinking.com/en/29-dual-4g-wifi-router.html) is basically the same
device as the ZBT WE826, so adding support for it in LEDE is straight forward.
The differences is that the D240 has two mini-PCIe slots (instead of one), blue
LEDs and supports PoE.

Specification:
* CPU: MT7620A
* 1x 10/100Mbps POE (802.3af/802.3at) Ethernet, 4x 10/100Mbps.
* 16 MB Flash.
* 128 MB RAM.
* 1x USB 2.0 port.
* 2x mini-PCIe slots.
* 2x SIM slots.
* 1x 2.4Ghz WIFI.
* 1x button.

Wifi, USB, switch and both mini-PCIe slots are working. I have not been able to
test the SD card reader.

The device comes pre-installed with an older version of OpenWRT, including Luci.
In order to install LEDE, you need to follow the existing procedure for updating
OpenWRT/LEDE using Luci. I.e., you need to access the UI and update the firmware
using the sysupgrade-image. Remember to select that you do not want to keep
existing settings. The default router address is 192.168.10.1 and
username/password admin/root (at least on my devices).

If you brick the device, the procedure for recovery is the same as for the
WE826. Please see the wiki page for that device for instructions.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>

ar71xx: select ATH79_NVRAM only by boards actually use it

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>

ramips: fix Sercomm NA930 compatible string

The Sercomm NA930 is not a mt7620a evaluation board and shouldn't use
the eval board compatible string.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ramips: remove Planex CS-QR10 sound device tree node

The comptible string is neither added by any LEDE patch nor exists in
in the kernel. Drop the sound node which was obviously added
accidentally with 9195d8da ("ramips: DTS rework").

Signed-off-by: Mathias Kresin <dev@kresin.me>

ramips: cleanup SPI flash device tree properties usage

Use only the jedec,spi-nor compatible string. Everything else either
never worked or is only support to keep compatibility.

Remove the linux,modalias property. It is obsolete since kernel 4.4.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ramips: remove DT pcie nodes for GL-MT300A/N

These devices don't have a secondary wifi chip

Signed-off-by: Felix Fietkau <nbd@nbd.name>