Commit Graph

42294 Commits

Author SHA1 Message Date
Jo-Philipp Wich
0a4a82a431 config: introduce separate CONFIG_SIGNATURE_CHECK option
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.

Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.

As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f565f276e2)
2019-08-07 07:54:27 +02:00
Jo-Philipp Wich
8a83892662 packages: apply usign padding workarounds to package indexes if needed
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.

While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446)
2019-08-07 07:23:51 +02:00
Jo-Philipp Wich
0bce1d0db9 usign: update to latest Git HEAD
This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.

5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 991dd5a893)
2019-08-06 20:59:09 +02:00
Koen Vandeputte
958411aa61 kernel: bump 4.14 to 4.14.136
Refreshed all patches.

Altered patches:
- 306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

Remove upstreamed:
- 505-arm64-dts-marvell-Fix-A37xx-UART0-register-size

Fixes:
- CVE-2019-13648
- CVE-2019-10207

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-08-06 11:56:18 +02:00
Koen Vandeputte
2807f84b62 kernel: bump 4.9 to 4.9.187
Refreshed all patches.

Altered patches:
- 021-bridge-multicast-to-unicast.patch

Remove upstreamed:
- 001-um-Allow-building-and-running-on-older-hosts.patch
- 003-um-Fix-check-for-_xstate-for-older-hosts.patch

Fixes:
- CVE-2019-10207
- CVE-2019-13648

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-08-06 11:56:18 +02:00
Leon M. George
7e4ce0c655 ar71xx: wpj531: fix SIG1/RSS1 LED GPIO
In commit 6c937df749 ("ar71xx: wpj531: fix GPIOs for LED") wrong GPIO
13 for SIG1/RSS1 LED was commited, the correct GPIO number for this LED
is 12.

It's listed in "Hardware Guide - wpj531 7A06 (02/07/2019)" as GPIO12/RSS1
on the LED header and same GPIO 12 is used in the vendor's SDK as well.

Fixes: 6c937df749 ("ar71xx: wpj531: fix GPIOs for LED")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit subject/message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit c070662980)
2019-08-04 22:39:57 +02:00
David Bauer
b7e7d220e7 ar71xx: fix HiveAP 121 PLL for 1000M
The Aerohive HiveAP 121 has the wrong PLL value set for Gigabit speeds,
leading to packet-loss. 10M and 100M work fine.

This commit sets the Gigabit Ethernet PLL value to the correct value,
fixing packet loss.

Confirmed with iperf and floodping.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit cb49e46a8a)
2019-08-01 21:33:59 +02:00
Koen Vandeputte
df53824f46 kernel: bump 4.14 to 4.14.134
Refreshed all patches.

Fixes:
- CVE-2019-3846
- CVE-2019-3900

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-07-31 16:54:50 +02:00
Koen Vandeputte
76d1e8a0c2 kernel: bump 4.9 to 4.9.186
Refreshed all patches.

Fixes:
- CVE-2019-3846

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-07-31 16:54:50 +02:00
Koen Vandeputte
ef9c13fb5d imx6: bump SDMA firmware to 3.5
- add uart rom script address in header of sdma firmware to support
  the uart driver of latest kernel working well while old firmware
  assume ram script used for uart driver as NXP internal legacy
  kernel.
- add multi-fifo SAI/PDM scripts.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 819b6345a206ad182dd3c2d786a3d7f04e33f751)
2019-07-31 16:54:50 +02:00
Koen Vandeputte
41e3f12e00 imx6: bump sdma firmware to 3.4
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit fa8d5ad21b)
2019-07-31 16:54:50 +02:00
Rafał Miłecki
f51e2d031e mac80211: brcm: improve brcmfmac debugging of firmware crashes
This provides a complete console messages dump.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-07-28 16:21:04 +02:00
Rafał Miłecki
95745e26b3 mac80211: brcm: update brcmfmac 5.4 patches
Use commits from wireless-drivers-next.git.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-07-28 16:13:53 +02:00
Eneas U de Queiroz
65a405382b omcproxy: fix compilation on little-endian CPUs
Don't use cpu_to_be32 outside of a function.

In file included from /omcproxy-2017-02-14-1fe6f48f/src/omcproxy.h:51:0,
                 from omcproxy-2017-02-14-1fe6f48f/src/mrib.c:39:
omcproxy-2017-02-14-1fe6f48f/src/mrib.c:57:34: error: braced-group within expression allowed only inside a function
 static uint32_t ipv4_rtr_alert = cpu_to_be32(0x94040000);
                                  ^
cc1: warning: unrecognized command line option '-Wno-gnu'

Ref: https://downloads.openwrt.org/releases/faillogs-18.06/arm_cortex-a9_vfpv3/base/omcproxy/compile.txt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[more verbose commit message]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit cb4d00d184)
2019-07-23 19:29:54 +02:00
Jo-Philipp Wich
a68be42f99 scripts: ipkg-make-index.sh: dereference symbolic links
Use `stat -L` instead of `ls -l` to follow symbolic links when obtaining
the file size of .ipk archives.

Without this change, the size of the symlink, not the size of the target
file is encoded in the package index file.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit ece5cab743)
Fixes: e6af9c017b ("opkg: bump to version 2019-06-14")
[ rmilecki: this has to be backported due to the recent opkg update and
  cb6640381808 ("libopkg: check for file size mismatches") to fix false
  "opkg_install_pkg: Package size mismatch" errors ]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-07-22 09:46:49 +02:00
Rafał Miłecki
8231f67218 mac80211: brcmfmac: backport fixes from kernel 5.4
This fixes:
1) Crash during USB disconnect
2) Crash in brcmf_txfinalize() on rmmod with packets queued
3) Some errors in exit path

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-07-22 07:11:56 +02:00
Yousong Zhou
627bb0b8dc busybox: strip off ALTERNATIVES spec
Now that busybox is a known alternatives provider by opkg, we remove the
ALTERNATIVES spec and add a note to make the implicit situation clear

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry-picked from 62be427067)
2019-07-12 07:52:38 +00:00
Yousong Zhou
e6af9c017b opkg: bump to version 2019-06-14
Changelog

  dcbc142 alternatives: remove duplicate 'const' specifier
  21b7bd7 alternatives: special-case busybox as alternatives provider
  d4ba162 libopkg: only perform size check when information is available
  cb66403 libopkg: check for file size mismatches

Opkg starting from this version special-cases busybox as alternatives
provider.  There should be no need to add entries to ALTERNATIVES of
busybox package

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-07-12 07:52:38 +00:00
Adrian Schmutzler
33e7beeb31 base-files: Fix path check in get_mac_binary
Logic was inverted when changing from string check to file check.
Fix it.

Fixes: 8592602d0a ("base-files: Really check path in get_mac_binary")
Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6ed3349308)
2019-07-09 23:08:57 +02:00
Koen Vandeputte
687977bfc9 kernel: bump 4.14 to 4.14.132
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-07-09 17:00:59 +02:00
Adrian Schmutzler
6ee6c97ded base-files: Really check path in get_mac_binary
Currently, path argument is only checked for being not empty.

This changes behavior to actually check whether path exists.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-07-05 22:30:46 +02:00
Jason A. Donenfeld
aced9de9a4 wireguard: bump to 0.0.20190601
There was an issue with the backport compat layer in yesterday's snapshot,
causing issues on certain (mostly Atom) Intel chips on kernels older than
4.2, due to the use of xgetbv without checking cpu flags for xsave support.
This manifested itself simply at module load time. Indeed it's somewhat tricky
to support 33 different kernel versions (3.10+), plus weird distro
frankenkernels.

If OpenWRT doesn't support < 4.2, you probably don't need to apply this.
But it also can't hurt, and probably best to stay updated.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 593b487538)
2019-07-01 22:13:23 +02:00
Mathias Kresin
3bbd16da46 ramips: fix mt7620 pinmux for second SPI
The mt7620 doesn't have a pinmux group named spi_cs1. The cs1 is part
of the "spi refclk" group. The function "spi refclk" enables the second
chip select.

On reset, the pins of the "spi refclk" group are used as reference
clock and GPIO.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 3601c3de23)
2019-07-01 21:56:58 +02:00
Jo-Philipp Wich
b84f761d91 OpenWrt v18.06.4: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-30 12:16:44 +02:00
Jo-Philipp Wich
f6429577c5 OpenWrt v18.06.4: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-30 12:16:40 +02:00
Koen Vandeputte
ef686b7292 uqmi: bump to latest git HEAD
1965c7139374 uqmi: add explicit check for message type when expecting a response
01944dd7089b uqmi_add_command: fixed command argument assignment

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 47986dc6ea1d643cd348501da09cd2e3ee2f9ee1)
2019-06-27 14:18:52 +02:00
Jo-Philipp Wich
3dc740257b uqmi: inherit firewall zone membership to virtual sub interfaces
Fix an issue where subinterfaces were not added to the same
firewall zone as their parent.

Fixes: FS#2122
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 64bb88841f)
2019-06-27 14:18:52 +02:00
Daniel Golle
a2c22b8776 uqmi: fix PIN_STATUS_FAILED error with MC7455 WCDMA/LTE modem
Apparently this modem replies differently to attempted --get-pin-status
which makes the script fail if a pincode is set. Fix this.

Manufacturer: Sierra Wireless, Incorporated
Model: MC7455
Revision: SWI9X30C_02.24.05.06 r7040 CARMD-EV-FRMWR2 2017/05/19 06:23:09

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0b373bf4d6)
2019-06-27 14:18:52 +02:00
Koen Vandeputte
d5ff0897cb kernel: bump 4.14 to 4.14.131
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-27 14:18:52 +02:00
Koen Vandeputte
18266fc6c0 kernel: bump 4.9 to 4.9.184
Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-27 14:18:52 +02:00
Koen Vandeputte
5e771160b8 kernel: bump 4.14 to 4.14.130
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-25 16:50:37 +02:00
Koen Vandeputte
9c6fb1d67a kernel: bump 4.14 to 4.14.129
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-24 16:44:13 +02:00
Koen Vandeputte
6c1bef833d kernel: bump 4.9 to 4.9.183
Refreshed all patches.

Remove upstreamed:
- 010-revert-staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-24 16:44:13 +02:00
Jo-Philipp Wich
467adaf6c5 OpenWrt v18.06.3: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-21 14:26:23 +02:00
Jo-Philipp Wich
4382d4ce19 OpenWrt v18.06.3: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-21 14:26:22 +02:00
Karel Kočí
97ae9e0ccb fstools: block-mount: fix restart of fstab service
Restarting service causes file-systems to be unmounted without being
mounted back. When this service was obsoleted it should have been
implemented in a way that all actions are ignored. Up to this commit
default handler was called when restart was requested. This default
handler just simply calls stop and start. That means that stop called
unmount but start just printed that this service is obsoleted.

This instead implements restart that just prints same message like start
does. It just calls start in reality. This makes restart unavailable for
call.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
(cherry picked from commit 3ead9e7b74)
2019-06-21 14:17:25 +02:00
Petr Štetiar
25fc20db8b fstools: update to the latest master branch
ff1ded6 libfstools: Fix overflow of F2FS_MINSIZE constant
bc2c876 libfstools: Print error in case of loop blkdev failure

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 1e55171a12)
2019-06-21 14:17:23 +02:00
Matthias Badaire
fc39d5fc45 fstools: media change detection (eg:sdcard) using kernel polling
Linux kernel has a polling mechanism that can be activated by changing
the parameter /sys/module/block/parameters/events_dfl_poll_msecs which
is deactivated by default or the /sys/block/[device]/events_poll_msecs
for one device.

This patch set the events_poll_msecs when a disk is inserted.
Once the media disk change event is sent by the kernel then we force a
re-read of the devices using /sbin/block info.

With this patch, insertion and ejection of sd card will automatically
generate partition devices in /dev.

Signed-off-by: Matthias Badaire <mbadaire@gmail.com>
[rewrap commit message, fix bashisms, fix non-matching condition,
 bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

(cherry picked from commit cf8483cb4f)
2019-06-21 14:17:22 +02:00
Hauke Mehrtens
b463a13881 hostapd: fix multiple security problems
This fixes the following security problems:
* CVE-2019-9494:  cache attack against SAE
* CVE-2019-9495:  cache attack against EAP-pwd
* CVE-2019-9496:  SAE confirm missing state validation in hostapd/AP
* CVE-2019-9497:  EAP-pwd server not checking for reflection attack)
* CVE-2019-9498:  EAP-pwd server missing commit validation for scalar/element
* CVE-2019-9499:  EAP-pwd peer missing commit validation for scalar/element
* CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment

Most of these problems are not relevant for normal users, SAE is only
used in ieee80211s mesh mode and EAP-pwd is normally not activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-06-21 10:29:23 +02:00
Matthias Schiffer
fc1dae5be7
brcm2708: Revert "staging: vc04_services: prevent integer overflow in create_pagelist()"
The bump to 4.9.181 broke build for bcm2708 and bcm2709. Revert the
offending patch.

The same revert is also queued for the next upstream 4.9.y release.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2019-06-20 23:46:01 +02:00
Linus Walleij
84aba5796e gemini: 4.14: Fix up DNS-313 compatible string
It's a simple typo in the DNS file, which was pretty serious.
No scripts were working properly. Fix it up.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[integrate into openwrt target]
2019-06-20 17:42:17 +02:00
Robinson Wu
9656f49ea0 base-files: fix uci led oneshot/timer trigger
This patch adds a missing type property which prevented
the creation of oneshot and timer led triggers when they
are specified in the /etc/board.d/01_leds files.

i.e.:

ucidef_set_led_timer "system" "system" "zhuotk:green:system" "1000" "1000"

Fixes: b06a286a48 ("base-files: cleanup led functions in uci-defaults.sh")
Signed-off-by: Robinson Wu <wurobinson@qq.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[also fix oneshot as well]
2019-06-20 17:41:42 +02:00
Koen Vandeputte
bd0c3988e7 kernel: bump 4.14 to 4.14.128
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-20 15:51:03 +02:00
Koen Vandeputte
2999c342aa kernel: bump 4.14 to 4.14.127
Refreshed all patches.

Fixes:

- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-18 15:49:37 +02:00
Koen Vandeputte
9de2f4d4ce kernel: bump 4.9 to 4.9.182
Refreshed all patches.

Fixes:

- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-18 15:49:37 +02:00
Petr Štetiar
5fe809d718 Revert "ipq806x: fix EA8500 switch control"
There is a problem with the EA8500, the switch will not work after soft
reboot, the only way to get it working again is to power cycle it
manually.

There are probably several issues in the play, it's quite hard to fix it
without having access to the actual device, so I don't see any other
option now, then revert the offending commit.

Ref: PR#2047
Fixes: FS#2168 ("Switch no longer work after restart on Linksys EA8500")
Reported-by: Adam <424778940z@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-06-18 15:34:44 +02:00
Koen Vandeputte
e493230e84 kernel: bump 4.14 to 4.14.126
Refreshed all patches.

Compile-tested on: cns3xxx, imx6
Runtime-tested on: cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-18 11:44:19 +02:00
George Amanakis
c449130bb2 mvebu: fixes commit f63a1caf22
err_free_stats has been deprecated. Replace with err_netdev.

Compile-tested on: mvebu
Runtime-tested on: mvebu

Fixes: f63a1caf22 ("kernel: bump 4.14 to 4.14.125")
Signed-off-by: George Amanakis <gamanakis@gmail.com>
[altered hashes]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-18 11:44:19 +02:00
Rafał Miłecki
6fa6f74e37 kernel: backport 4.18 patch adding DMI_PRODUCT_SKU
It's needed for applying some hardware quirks. This fixes:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c:60:20: error: 'DMI_PRODUCT_SKU' undeclared here (not in a function); did you mean 'DMI_PRODUCT_UUID'?
    DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "T8"),

Fixes: 2cd234d96b ("mac80211: brcm: backport remaining brcmfmac 5.2 patches")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 4d11c4c378)
2019-06-17 07:23:25 +02:00
Rafał Miłecki
2cd234d96b mac80211: brcmfmac: backport important fixes from kernel 5.2
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-06-16 21:51:50 +02:00