This includes several improvements and fixes:
61db17e rules: fix device and chain usage for DSCP/MARK targets
7b844f4 zone: avoid duplicates in devices list
c2c72c6 firewall3: remove last remaining sprintf()
12f6f14 iptables: fix serializing multiple weekdays
00f27ab firewall3: fix duplicate defaults section detection
e8f2d8f ipsets: allow blank/commented lines with loadfile
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.
Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:
  Library   MIPS16:=0   MIPS16:=1
  -------   ---------   ---------
  libelf1       43217       37492
  libasm1       12481       11658
  libdw1       229723      205793
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
NXP 74HC153 is a GPIO expander. Its original source code sits in ar71xx
architecture tree. It has been slightly modified to get GPIO pin
configuration from the device tree rather than a MACH file.
Changes to the source file:
- Remove struct nxp_74hc153_config
- in nxp_74hc153_probe(), fetch GPIO configuration from device tree
- allow GPIO framework to decide the base number by passing -1 to it
- remove support for kernel versions below 4.5.0
- add OF device compatibility string
Create a package for inclusion in image.
References: https://lore.kernel.org/linux-gpio/545111184.50061.1615922388276@ichabod.co-bxl/
Signed-off-by: Mauri Sandberg <sandberg@mailfence.com>
[added link to driver upstreaming work in progress]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Moved to packages repo because it was considered
non-essential for most router configurations.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
an Error 404.
This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Dependency tracking for kmod-sound-hda-core is fragile. Enabling some sound
codecs (Realtek, Conexant, Sigmatel) implicitly adds a kmod-ledtrig-audio
dependency, while an enabled kmod-ledtrig-audio can be picked up through
enabling others (e.g. kmod-sound-hda-intel), and the behaviour can change
across kernel versions.
As kmod-ledtrig-audio is under 2KB, make it an unconditional dependency.
Fixes: a374b8f190 ("kernel: 5.10: update sound modules")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Enable seccomp features on Aarch64.
3e88c6f jail/seccomp: add support for aarch64
c23d8bf trace: fix build on aarch64
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
With kernel 5.10, exfat is out of staging and in tree.
Added small hack to make it work with kernel 5.4 as well.
Added removed config options for 5.4 to generic config.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[Set CONFIG_EXFAT_ config options to default values]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This change was investigated previously [1] but not deemed necessary. With
the recent addition [2] of modern BPF loader support, however, tc gained
dependencies on libelf and libbpf, with a larger installation footprint.
Similar to ip-tiny/ip-full, split tc into tc-full and tc-tiny variants,
where the latter excludes the eBPF loader, uses a smaller executable, and
avoids libelf and libbpf package dependencies. Both variants provide the
'tc' virtual package, with tc-tiny as the default.
The previous tc package included a loadable module for iptables actions.
Separate this out into a common package, tc-mod-iptables, which both
variants depend on. Some package sizes on mips_24kc:
Before:
  148343 tc_5.11.0-1_mips_24kc.ipk
After:
  144833 tc-full_5.11.0-2_mips_24kc.ipk
  138430 tc-tiny_5.11.0-2_mips_24kc.ipk (and no libelf or libbpf)
    4115 tc-mod-iptables_5.11.0-2_mips_24kc.ipk
Also fix up some Makefile indentation.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447619962
[2] b048a305a3 ("iproute2: update to 5.11.0")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The link equalizer sch_teql.ko of package kmod-sched relies on a hotplug
script historically included in iproute2's tc package. In previous
discussion [1], consensus was the hotplug script is best located together
with the module in kmod-sched, but this change was deferred at the time.
Relocate the hotplug script now. This change also simplifies adding a tc
variant for minimal size with reduced functionality.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447923636
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This patch has been submitted upstream to fix an error reported by a few
users. One instance seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24:
  bpf_glue.c: In function 'get_libbpf_version':
  bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function);
  did you mean 'AF_MAX'?
     46 |  char buf[PATH_MAX], *s;
        |           ^~~~~~~~
        |           AF_MAX
Reported-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Update file paths for kmod-sound-hda-intel and reflect new dependency of
kmod-sound-hda-core on kmod-ledtrig-audio.
Reported-by: Javier Marcet <javier@marcet.info>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add conditional dependency on kmod-of-mdio due to mdio_devres.c code:
  #if IS_ENABLED(CONFIG_OF_MDIO)
  ...
  EXPORT_SYMBOL(devm_of_mdiobus_register);
  #endif /* CONFIG_OF_MDIO */
Fixes: 95a3741d17 ("kernel: support new mdio_devres.ko module in 5.10")
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
kdump was removed in 7acd257ae67b4ca94f8c23cb8bda0ee0709b9216
gdb can be used as an alternative.
Remove autoreconf. It's not needed as the configure files are already
generated.
Remove upstreamed patch.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message
  Package ppp is missing dependencies for the following libraries:
  libpcap.so.1
The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists of explicitly unsetting
the variable FILTER instead.
Signed-off-by: Eike Ritter <git@rittere.co.uk>
This fixes writing to the U-Boot environment by making the partition
writable and setting the correct flash sector size of 128K.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Allow selecting either SATA or PCIE functionality using uImage.FIT
configurations and device-tree overlays.
By default, PCIE1 is selected (as it has been before this change).
To select SATA instead, you can do this now:
  fw_setenv bootconf config-mt7622-bananapi-bpi-r64-sata
and reboot.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Commit b5b0796a13 added an uint32_t to mtd.h without including stdint, which
results in a compilation error for those files not including stdint.h.
  In file included from imagetag.c:36:
  mtd.h:15:8: error: unknown type name 'uint32_t'
   extern uint32_t opt_trxmagic;
          ^~~~~~~~
  imagetag.c: In function 'trx_fixup':
  imagetag.c:180:10: warning: unused variable 'res' [-Wunused-variable]
    ssize_t res;
            ^~~
  imagetag.c:177:14: warning: unused variable 'scan' [-Wunused-variable]
    void *ptr, *scan;
                ^~~~
  imagetag.c: In function 'trx_check':
  imagetag.c:246:27: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
    struct bcm_tag *tag = (const struct bcm_tag *) buf;
                          ^
  make[3]: *** [<builtin>: imagetag.o] Error 1
Fixes: b5b0796a13 ("mtd: add option for TRX magic to fixtrx")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an erroneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
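The constant flow table access named in the last security fix above, sketched as an added example; it is not code from Mbed TLS or from this commit. b64_table, ct_lookup and b64_encode_ct are hypothetical names, and the "foobar" input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not Mbed TLS code; all names here are hypothetical. */
static const unsigned char b64_table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Return b64_table[idx] (idx 0..63) by reading all 64 entries: mask is 0xFF
 * only where i == idx, so the index picks no address and no branch. */
static unsigned char ct_lookup(uint32_t idx)
{
    unsigned char out = 0;
    for (uint32_t i = 0; i < 64; i++) {
        uint32_t diff = i ^ idx;
        unsigned char mask = (unsigned char)(((diff | (0u - diff)) >> 31) - 1u);
        out |= (unsigned char)(b64_table[i] & mask);
    }
    return out;
}

/* Encode src[0..len) as NUL-terminated base64. Only the length, treated as
 * public, steers branches. Returns 0, or -1 if dst is too small. */
int b64_encode_ct(char *dst, size_t dst_len, const unsigned char *src,
                  size_t len, size_t *olen)
{
    if (len > SIZE_MAX / 2 || dst_len < ((len + 2) / 3) * 4 + 1)
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        size_t rem = len - i;
        uint32_t v = (uint32_t)src[i] << 16;
        if (rem > 1) v |= (uint32_t)src[i + 1] << 8;
        if (rem > 2) v |= src[i + 2];
        dst[o++] = (char)ct_lookup((v >> 18) & 0x3F);
        dst[o++] = (char)ct_lookup((v >> 12) & 0x3F);
        dst[o++] = rem > 1 ? (char)ct_lookup((v >> 6) & 0x3F) : '=';
        dst[o++] = rem > 2 ? (char)ct_lookup(v & 0x3F) : '=';
    }
    dst[o] = '\0';
    *olen = o;
    return 0;
}

int main(void)
{
    char out[16];
    size_t n;
    if (b64_encode_ct(out, sizeof out, (const unsigned char *)"foobar", 6, &n) == 0)
        puts(out); /* constructed input "foobar" */
    return 0;
}
```

An optimizing compiler may still turn the masked select into a branch, so the generated assembly has to be checked for the target in question.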
This adds support for the Buffalo WSR-2533DHP2.
The device uses the Broadcom TRX image format with a special magic. To
be able to boot the images or load them they have to be wrapped with
different headers depending on how it is loaded.
There are multiple ways to install OpenWrt on this device.
Boot ramdisk from U-Boot
----------------------------
This will load the image and not write it into the flash.
1. Stop boot menu with "space" key
2. Select "System Load Linux to SDRAM via TFTP."
3. Load this image:
openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-initramfs-kernel.bin
4. The system boots the image
Write to flash from U-Boot
-----------------------------
This will load the image over tftp and directly write it into the flash.
1. Stop boot menu with "space" key
2. Select "System Load Linux Kernel then write to Flash via TFTP."
3. Load this image:
openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-squashfs-factory-uboot.bin
4. The system writes this image into the flash and boots into it.
Write to flash from Web UI
-----------------------------
This will load the image over the Web UI and write it into the flash.
1. Open the Web UI
2. Go to "管理" -> "ファームウェア更新"
3. Select "ローカルファイル指定" and click "更新実行"
4. Load this image:
openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-squashfs-factory.bin
5. The system writes this image into the flash and boots into it.
Specifications
-------------------
* SoC: MT7622 (4x4 2.4 GHz Wifi)
* Wifi: MT7615 (4x4 5 GHz Wifi)
* Flash: Winbond W29N01HZ 128MB SLC NAND
* RAM 256MB
* Ethernet: Realtek RTL8367S (5 x 1GBit/s, SoC via 2.5GBit/s)
Co-Developed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Buffalo uses the TRX header with a different magic and even changes this
magic with different devices. This change allows specifying the header
to use as a command line argument.
This is needed for the Buffalo WSR-2533DHP2 based on mt7622.
Co-Developed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>