Commit Graph

57171 Commits

Author SHA1 Message Date
Nick Hainke
3cac52f9a1
ipq40xx: convert AVM FRITZ!Repeater 3000 to DSA
Convert the repeater to DSA.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-03 16:16:19 +02:00
Hauke Mehrtens
467aa08f8a
kernel: Activate CONFIG_SLAB_FREELIST_RANDOM
This activates CONFIG_SLAB_FREELIST_RANDOM.
This option make the free list less predictable. This makes it harder to
exploit heap based security vulnerabilities.

This adds a little bit more code to the kernel and a small additional
compute overhead.

This option is activated in Debian by default.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-05-03 15:13:26 +02:00
Paul Spooren
626f5f77f7
omap: mark source only
The target is currently broken with Kernel 5.15 and no one in sight to
fix it. Instead of stalling the next release indefinitely, make it
source only and see if someone steps up to fix it.

Signed-off-by: Paul Spooren <paul.spooren@rhebo.com>
2023-05-03 14:49:44 +02:00
Paul Spooren
c306385474
lantiq: mark source only
The target is currently broken with Kernel 5.15 and no one in sight to
fix it. Instead of stalling the next release indefinitely, make it
source only and see if someone steps up to fix it.

Signed-off-by: Paul Spooren <paul.spooren@rhebo.com>
2023-05-03 14:47:55 +02:00
Chukun Pan
6c9b526e84 uboot-mediatek: fixes build when nmbm enabled
The image_header_t typedef has been removed from
uboot v2023.01 [1], replaced with legacy struct.

[1] f3543e6944

Fixes: 3d5c542 ("uboot-mediatek: update to U-Boot 2023.01")
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2023-05-02 18:17:09 +01:00
Chukun Pan
ab8ead3e2d uboot-mediatek: fix CONFIG_TEXT_BASE variable
CONFIG_SYS_TEXT_BASE has been renamed to CONFIG_TEXT_BASE
in uboot v2023.01 [1], fixes all this variable.

[1] 984639039f

Fixes: 3d5c5427 ("uboot-mediatek: update to U-Boot 2023.01")
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2023-05-02 18:17:09 +01:00
Chukun Pan
5b0b464e49 uboot-mediatek: remove duplicate config in mt7986
Some config was written twice by mistake, fix it.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2023-05-02 18:17:09 +01:00
Felix Baumann
e38de40f8d ramips: mt7621: add support for Cudy X6 v2
Rename existing device to v1 and create common .dtsi
Difference to v1: 16MB Flash

Specifications:

SoC: MediaTek MT7621
RAM: 256 MB
Flash: 16 MB (SPI NOR, XM25QH128C on my device)
WiFi: MediaTek MT7915E
Switch: 1 WAN, 4 LAN (Gigabit)
Buttons: Reset, WPS
LEDs: Two Power LEDs (blue and red; together they form purple)
Power: DC 12V 1A center positive
Serial: 115200 8N1
        C440 - (3V3 - GND - RX - TX) - C41 | v1 and v2
               (P   - G   - R  - T)        | v2 labels them on the board
Installation:

Download and flash the manufacturer's built OpenWrt image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWrt image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings.

Recovery:

Loads only signed manufacture firmware due to bootloader RSA verification
Serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
Connect to any lan ethernet port
Power on the device while holding the reset button
Wait at least 8 seconds before releasing reset button for image to
download

MAC addresses as verified by OEM firmware:

use   address             source
LAN   f4:a4:54:86:75:a2   label
WAN   f4:a4:54:86:75:a3   label + 1
2g    f4:a4:54:86:75:a2   label
5g    f6:a4:54:b6:75:a2   label + LA-Bit set + 4th oktet increased

The label MAC address is found in bdinfo 0xde00.

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-05-02 18:24:52 +02:00
Jan Hoffmann
cf8d861978 realtek: hpe_1920-8g: add phy-handle for SFP ports
The switch driver actually expects every port to have a PHY handle, and
several branches in the code determine if a port is valid by checking
for a non-zero phy field.

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
2023-04-30 21:59:26 +02:00
Daniel Golle
3221128639 mediatek: no longer hard-code WAN PHY of Netgear WAX206
The RealTek 2.5G PHY providing the WAN port of the Netgear WAX206 has
previously been hard-coded in the device tree. Now that the PHY can be
probed correctly also via Clause-45 MDIO, use that instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-30 17:27:00 +01:00
Daniel Golle
28b3a5e6b5 generic: net: phy: realtek: detect early version of RTL8221B
Early versions (?) of the RTL8221B PHY cannot be identified in a regular
Clause-45 bus scan as the PHY doesn't report the implemented MMDs
correctly but returns 0 instead.
Implement custom identify function using the PKGID instead of iterating
over the implemented MMDs to work-around this problem.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-30 17:27:00 +01:00
John Audia
45f5115253 kernel: bump 5.15 to 5.15.109
Removed upstreamed:
	backport-5.15/743-v6.3-0005-net-dsa-b53-mmap-add-phy-ops.patch[1]

All other patches automatically rebased.

1. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.15.109&id=357fa038d93d0e9159a0f0d45bae0f8654e2ade5

Build system: x86_64
Build-tested: bcm2711/RPi4B, ramips/tplink_archer-a6-v3, filogic/xiaomi_redmi-router-ax6000-ubootmod
Run-tested: bcm2711/RPi4B, ramips/tplink_archer-a6-v3, filogic/xiaomi_redmi-router-ax6000-ubootmod

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-04-30 00:02:47 +02:00
John Audia
80c1105b03 kernel: bump 5.10 to 5.10.179
All patches automatically rebased.

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-04-30 00:01:12 +02:00
Mikhail Zhilkin
4a043dc9d4 ramips: add factory image for TP-Link EC330-G5u v1
This commit adds factory.bin image for TP-Link EC330-G5u v1. This allows
to install OpenWrt without connecting a serial cable (UART).

Installation using factory image
--------------------------------

Tested with "3.16.0 0.9.1 v6037.0 Build 191016 Rel.30619nb" TP-Link
firmware.

1.  Login to the router web interface (http://192.168.0.1/ by default) and
    save running config to "conf.bin" file
2.  Open configuration file in any TP-Link config editor (e.g.
    https://jahed.github.io/tp-link-config-editor/)
3.  Find "DeviceInfo" section and insert a new string "<Description
    val="Modem Router`telnetd -p 1023 -l login`" />" according to the
    following example:
       <DeviceInfo>
          ...
          <Description val="Modem Router`telnetd -p 1023 -l login`" />
          ...
       </DeviceInfo>
4.  Save configuration file and upload changed configuration using stock
    firmware interface
5.  Login using telnet to IP:192.168.0.1 (Username:admin, password:1234)
6.  Run "cat /proc/mtd | grep mtd7"
       a. If the result is 'mtd7: 03000000 00020000 "rootfs" 03400000',
          then install stock firmware using web interface to toggle booted
          firmware image from "os1" to "os0"
       b. If the result is 'mtd7: 03000000 00020000 "rootfs" 00400000',
          then all is ok, go to the next step
7.  Set up a tftp server with OpenWrt factory.bin image (IP:192.168.0.100
    in this example)
8.  Login using telnet to 192.168.0.1
9.  Download OpenWrt factory.bin image from the tftp server:
       cd /tmp
       tftp -g -r factory.bin 192.168.0.100
10. Write OpenWrt factory.bin image:
       dd if=/tmp/factory.bin of=/dev/mtdblock1
11. Power cycle the router

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2023-04-29 22:34:51 +02:00
Mikhail Zhilkin
15e21d373b ramips: TP-Link EC330-G5u v1: switch to mac-address-ascii
The TP-Link EC330-G5u v1 router has MAC address that stored in factory mtd
in ascii format. This commit makes the router use of "mac-address-ascii"
in dts.

After the change:
1. All MAC addresses are explicitly assigned in dts (the workarounds in
   network scripts are no longer needed);
2. gmac0 (eth0) MAC address is no longer random.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2023-04-29 22:34:51 +02:00
Antonio Vázquez
c31319b669 ramips: lzma-loader: Refactor loader
* Delete unused lantiq makefile
* Delete redundant makefiles and unify them into the main makefile
* Refactor and unify board code into a single file
* Add support and review subtarget specific board support

Signed-off-by: Antonio Vázquez <antoniovazquezblanco@gmail.com>
2023-04-29 22:32:27 +02:00
Rani Hod
e4c7703d2a ramips: add support for D-Link DAP-1620 B1
The DAP-1620 rev B is a wall-plug AC1300 repeater.

Specifications:
- MT7621AT, 256 MiB RAM, 16 MiB SPI NOR
- MT7615DN 2x2 802.11n +2x2 802.11ac (DBDC)
- Ethernet: 1 port 10/100/1000
- Status LEDs (1x red+green)
- LED RSSI bargraph (2x green, 1x red+green)

Installation:
- Keep reset button pressed during plug-in
- Web Recovery Updater is at 192.168.0.50
- Upload factory.bin, confirm flashing
  (seems to work best with Chromium-based browsers)

Revert to OEM firmware:
- tail -c+117 DAP1620B1_FW212B03.bin | \
  openssl aes-256-cbc -d -md md5 -out decrypted.bin \
  -k 905503a4e0c3cd3c1ce062246de427a68962347e
- flash decrypted.bin via D-Link Web Recovery

Signed-off-by: Rani Hod <rani.hod@gmail.com>
2023-04-29 22:05:20 +02:00
Hauke Mehrtens
829a50d242 bcm27xx: Deactivate CONFIG_OABI_COMPAT
This deactivates the kernel option CONFIG_OABI_COMPAT.

The old arm OABI is not needed any more, we compile all applications for
the new ARM EABI.

This reduces the attack surface of the kernel syscall interface.

On all other targets CONFIG_OABI_COMPAT is already deactivated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 21:56:53 +02:00
Hauke Mehrtens
7815c55f7d kernel: Deactivate CONFIG_COMPAT
This deactivates the CONFIG_COMPAT kernel option.
With CONFIG_COMPAT the kernel will provide syscall interfaces for arm32
binaries in addition to the interfaces needed for arm64 binaries.

In OpenWrt the complete userspace is compiled for this specific
architecture and support for 32 bit ARM applications is not needed.
This reduces the size and the attack surface for the systems.

On all other targets CONFIG_COMPAT is already deactivated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 21:56:53 +02:00
Hauke Mehrtens
0fc3a4aa10 kernel: Deactivate CONFIG_LEGACY_PTYS
The legacy (BSD) PTY support could open security problems in a system,
We do not need them in OpenWrt, deactivate this option in all targets.

Debian also deactivates this option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 21:56:53 +02:00
Hauke Mehrtens
ca5555d27e kernel: Activate CONFIG_ARM64_SW_TTBR0_PAN
This activates the CONFIG_ARM64_SW_TTBR0_PAN option for all arm64
kernels by default.

The CONFIG_ARM64_SW_TTBR0_PAN option prevents the kernel form accessing
user space memory directly. This makes it harder to exploit the kernel.

This is activated by default and was already activate on all other arm64
targets before.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 21:56:53 +02:00
Hauke Mehrtens
626b37d70a kernel: Activate CONFIG_HARDENED_USERCOPY for all targets
This activates CONFIG_HARDENED_USERCOPY for the remaining targets. This
adds additional checks in the copy_from_user() and copy_to_user()
functions.

This was not activated for ARCHS38 before because of a bug in the Linux
kernel 5.4 till 5.14, which as fixed and is described here:
https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/15

I do not know why this was deactivated for mt7629 and rockchip.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 21:56:53 +02:00
Andreas Böhler
28df7f7ff2 ramips: mt7621: add support for ZyXEL WSM20
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL
based on the MT7621 CPU.

Specifications
==============

SoC: MediaTek MT7621AT (880MHz)
RAM: 256MiB
Flash: 128MiB NAND
Wireless: 802.11ax (2x2 MT7915E DBDC)
Ethernet: 4x 10/100/1000 (MT7530)
Button: 1x WPS, 1x Reset, 1x LED On/Off
LED: 7 LEDs (3x white, 2x red, 2x green)

MAC address assignment
======================

The MAC address assignment follows stock: The label MAC address is the LAN
MAC address, the WAN address is read from flash.

The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC
+ 2.

Installation (web interface)
============================

The device is cloud-managed, but there is a hidden local firmware upgrade
page in the OEM web interface. The device has to be registered in the
cloud in order to be able to access this page.

The system has a dual firmware design, there is no way to tell which
firmware is currently booted. Therefore, an -initramfs version is flashed
first.

1. Log into the OEM web GUI
2. Access the hidden upgrade page by navigating to
   https://192.168.212.1/gui/#/main/debug/firmwareupgrade
3. Upload the -initramfs-kernel.bin file and flash it
4. Wait for OpenWrt to boot and log in via SSH
5. Transfer the sysupgrade file via SCP
6. Run sysupgrade to install the image
7. Reboot and enjoy

NB: If the initramfs version was installed in RAS2, the sysupgrade script
sets the boot number to the first partition. A backup has to be performed
manually in case the OEM firwmare should be kept.

Installation (UART method)
==========================

The UART method is more difficult, as the boot loader does not have a
timeout set. A semi-working stock firmware is required to configure it:

1. Attach UART
2. Boot the stock firmware until the message about failsafe mode appears
3. Enter failsafe mode by pressing "f" and "Enter"
4. Type "mount_root"
5. Run "fw_setenv bootmenu_delay 3"
6. Reboot, U-Boot now presents a menu
7. The -initramfs-kernel.bin image can be flashed using the menu
8. Run the regular sysupgrade for a permanent installation

Changing the partition to boot is a bit cumbersome in U-Boot, as there is
no menu to select it. It can only be checked using mstc_bootnum. To change
it, issue the following commands in U-Boot:

   nand read 1800000 53c0000 800
   mw.b 1800004 1 1
   nand erase 53c0000 800
   nand write 1800000 53c0000 800

This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to
change to the second slot.

Back to stock
=============

It is possible to flash back to stock, but a OEM firmware upgrade is
required. ZyXEL does not provide the link on its website, but the link
can be acquired from the OEM web GUI by analyzing the transferred JSON
objects.

It is then a matter of writing the firmware to Kernel2 and setting the
boot partition to FW2:

   mtd write zyxel.bin Kernel2
   echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc

Signed-off-by: Andreas Böhler <dev@aboehler.at>
Credits to forum users Annick and SirLouen for their initial work on this
device
2023-04-29 21:53:34 +02:00
Lech Perczak
d256ab7309 umbim: include MBIM-provided DNS servers also with DHCP mode
In MBIM interfaces, DNS servers may be provided out-of-band regardless
whether DHCP is used for configuration, or not. Move the DNS
configuration outside "if" blocks to support that.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
aa7873a9e6 umbim: extract common code from static and dhcp(v6) setup procedure
Beginnings and endings of sub-interface creation procedure were
literally duplicates - extract them outside if "if" blocks

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
e4db21b413 umbim: handle MTU configuration
Allow setting interface MTU through UCI. If this is not set,
use MBIM-provided MTU, if provided through control channel.
If separate MTUs are provided for IPv4 and IPv6, apply larger of them.
This is very unlikely and possible only for IPv4v6 dual-stack configuration.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
2bfbc2dbd8 umbim: delegate RFC7278 IPv6 prefixes from OOB config
Delegate prefixes received through MBIM control channel the same way, as
would be done through DHCP, according to RFC7278.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
9808b09b91 umbim: drop IP configuration parsing using 'eval'
Finally, when new helper is in use, drop old IP configuration parser.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
c13a1b412b umbim: support multiple-valued configuration fields
MBIM supports multiple values for IP address and DNS server, and such
configuration is available through output of MBIM. Use new helper
method to support adding multiple addresses and DNS servers to static
interfaces for both IPv4 and IPv6.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
f01fff63fb umbim: add "_proto_mbim_get_field" helper
Add a new helper to extract IP configuration from umbim output. This is
required to extract fields which can possibly have multiple values,
namely IP addresses and DNS servers, and get rid of primitive parser
using 'eval' builtin without support for this.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
5f873df8d4 umbim: log output of 'config' step
Display full configuration obtained using MBIM control channel in the
log, from umbim output verbatim, for easier troubleshooting, and in
preparation for parser refactoring.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:05 +02:00
Lech Perczak
9ddbcd73d8 umbim: pass ipXtable to child interfaces
Inspired by commti e51aa699f7, allow setting specific routing tables
via ip4table and ip6table options, by passing them on child interfaces
created by MBIM protocol handler.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
e2655e0a6b umbim: respect 'Enable IPv6 negotiation' option
Don't bring IPv6 part of interface up if it's disabled,
or system does not support it.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
ca8df8a992 umbim: use static config by default, fallback to DHCP
Finally, inspired by ModemManager's logic, make static configuration
obtained through MBIM control channel, preferred.
If IP configuration is not available this way, fallback to DHCP(v6) if
enabled, else do not create a sub-interface for unavailable IP type.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
464d81fe4a umbim: separate DHCPv6 configuration from DHCP(v4)
Now, that sub-interface setup is split by IP type, and separate checks
are performed for DHCP selection, it is possible to control DHCP on v4
an v6 sub-interfaces instantly. Add "dhcpv6" variable, akin to QMI
option, to control behaviour of DHCPv6 separately from IPv4 option,
which is required for some mobile operators.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
03692dee73 umbim: restructure IPv4/IPv6 handling
Check whether interface is configured per IP type, not per DHCP. This is
preparation to allow fallback to DHCP if static IP configuration is not
available, which is the default option for MBIM modems

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
c1e0d07744 umbim: inherit firewall zone membership from parent interface
Fix an issue where subinterfaces were not added to the same
firewall zone as their parent.
Inspired by 64bb88841f.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
c84bf89b3a umbim: inherit "peerdns" option from parent interface
MBIM protocol handler should intherit "peerdns" options from parent
interface on sub-interfaces, otherwise upstream DNS servers are applied
regardless of configuration.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
9bb4b9a968 umbim: use IP configuration provided by MBIM by default
Previously, DHCP was used. According to MBIM Specification v1.0 errata 1 [1],
section 10.5.20, MBIM_CID_IP_CONFIGURATION,
if MBIM information element containing IP configuration is available,
host shall use it, and fall back to in-band mechanisms to acquire it therwise -
therefore make static configuration the default.

[1] https://www.usb.org/document-library/mobile-broadband-interface-model-v10-errata-1-and-adopters-agreement

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
356a6f0eee umbim: detect actual connection IP type
Current implementation needlessly creates both IPv4 and IPv6
sub-interfaces for single-stack IP types. Limit this only to selected IP
type. While at that, ensure that IP type is also passed to umbim during
"connect" phase. In addition, detect the actual established connection
type returned by umbim and set up subinterfaces according to that,
not to requested configuration. While at that, allow empty IP type explicitly,
interpreted as "any" according to MBIM specification.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
da84eddedb umbim: fail connect step immediately
Subsequent calls to 'umbim connect' do not have any effect if a failure
occured, and in such case an infinite loop without timeout is created,
leading to possibility of interface stuck at connecting forever.
Drop this loop, and issue MBIM disconnect properly, so netifd can
restart from scratch.
This issue can be observed with Sierra EM7455 at changing APN, which
causes network re-registration by default, and a MBIM transaction
timeout, which is resolved on next interface bringup by netifd.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Lech Perczak
0be14c622b umbim: connect session for only the selected PDP type
Previous implementation automatically set up connections for both IPv4
and IPv6, even if one of them isn't supported. Respect the "pdptype"
option in the same way, as it is done for QMI or NCM, and only start the
respective PDN sessions, if set.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Martin Schiller
512bb17f3e umbim: add support for non-dhcp mode
There are mbim compatible wwan modules available which do not support
the dhcp autoconfiguration. (e.g. gemalto Cinterion ELS81)

This adds the possibility to get the configuration parameters from mbim.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Nick Hainke
ec6bcda8e4 tools/patchelf: update to 0.18.0
Release Notes:
https://github.com/NixOS/patchelf/releases/tag/0.18.0

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-29 17:37:45 +02:00
Nick Hainke
4c54ec74fc tools/coreutils: update to 9.3
Update to latest bugfix release.

Remove upstreamed patches:
- 001-copy-fix-reflink-auto-to-fallback-in-more-cases.patch
- 002-date-diagnose-f-read-errors.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-29 17:36:20 +02:00
Michał Kępień
626c84340d kernel: mtk_bmt: refactor to avoid deep recursion
A Linksys E8450 (mt7622) device running current master has recently
started crashing:

    [    0.562900] mtk-ecc 1100e000.ecc: probed
    [    0.570254] spi-nand spi2.0: Fidelix SPI NAND was found.
    [    0.575576] spi-nand spi2.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
    [    0.583780] mtk-snand 1100d000.spi: ECC strength: 4 bits per 512 bytes
    [    0.682930] Insufficient stack space to handle exception!
    [    0.682939] ESR: 0x0000000096000047 -- DABT (current EL)
    [    0.682946] FAR: 0xffffffc008c47fe0
    [    0.682948] Task stack:     [0xffffffc008c48000..0xffffffc008c4c000]
    [    0.682951] IRQ stack:      [0xffffffc008008000..0xffffffc00800c000]
    [    0.682954] Overflow stack: [0xffffff801feb00a0..0xffffff801feb10a0]
    [    0.682959] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G S                5.15.107 #0
    [    0.682966] Hardware name: Linksys E8450 (DT)
    [    0.682969] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    0.682975] pc : dequeue_entity+0x0/0x250
    [    0.682988] lr : dequeue_task_fair+0x98/0x290
    [    0.682992] sp : ffffffc008c48030
    [    0.682994] x29: ffffffc008c48030 x28: 0000000000000001 x27: ffffff801feb6380
    [    0.683004] x26: 0000000000000001 x25: ffffff801feb6300 x24: ffffff8000068000
    [    0.683011] x23: 0000000000000001 x22: 0000000000000009 x21: 0000000000000000
    [    0.683017] x20: ffffff801feb6380 x19: ffffff8000068080 x18: 0000000017a740a6
    [    0.683024] x17: ffffffc008bae748 x16: ffffffc008bae6d8 x15: ffffffffffffffff
    [    0.683031] x14: ffffffffffffffff x13: 0000000000000000 x12: 0000000f00000101
    [    0.683038] x11: 0000000000000449 x10: 0000000000000127 x9 : 0000000000000000
    [    0.683044] x8 : 0000000000000125 x7 : 0000000000116da1 x6 : 0000000000116da1
    [    0.683051] x5 : 00000000001165a1 x4 : ffffff801feb6e00 x3 : 0000000000000000
    [    0.683058] x2 : 0000000000000009 x1 : ffffff8000068080 x0 : ffffff801feb6380
    [    0.683066] Kernel panic - not syncing: kernel stack overflow
    [    0.683069] SMP: stopping secondary CPUs
    [    1.648361] SMP: failed to stop secondary CPUs 0-1
    [    1.648366] Kernel Offset: disabled
    [    1.648368] CPU features: 0x00003000,00000802
    [    1.648372] Memory Limit: none

Several factors contributed to this issue:

 1. The mtk_bmt driver recursively calls its scan_bmt() helper function
    during device initialization, while looking for a valid block
    mapping table (BMT).

 2. Commit fa4dc86e98 ("kernel: backport MEMREAD ioctl"):

      - increased the size of some stack-allocated structures (like
	struct mtd_oob_ops, used in bbt_nand_read(), which is indirectly
	called from scan_bmt()),

      - increased the stack size for some functions (for example,
	spinand_mtd_read(), which is indirectly called from scan_bmt(),
	now uses an extra stack-allocated struct mtd_ecc_stats).

 3. OpenWrt currently compiles the kernel with the
    -fno-optimize-sibling-calls flag, which prevents tail-call
    optimization.

Collectively, all of these factors caused stack usage in the mtk_bmt
driver to grow excessively large, triggering stack overflows.

Recursion is not really necessary in scan_bmt() as it simply iterates
over flash memory blocks in reverse order, looking for a valid BMT.
Refactor the logic contained in the scan_bmt() and read_bmt() functions
in target/linux/generic/files/drivers/mtd/nand/mtk_bmt_v2.c so that deep
recursion is prevented (and therefore also any potential stack overflows
it may cause).

Link: https://lists.openwrt.org/pipermail/openwrt-devel/2023-April/040872.html
Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-04-29 12:58:48 +02:00
Hauke Mehrtens
1f41b6bb83 kernel: Activate CONFIG_SCHED_STACK_END_CHECK
This activates the CONFIG_SCHED_STACK_END_CHECK option.

The kernel will check if the kernel stack overflowed in the schedule()
function. This just adds a very small computational overhead.

This option is activated in Debian by default.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 12:40:10 +02:00
Hauke Mehrtens
ff536eca58 kernel: Activate CONFIG_SLAB_FREELIST_HARDENED
This activates some extra checks in SLAB or SLUB to make it harder to
execute kernel heap exploits. This adds a minor performance
degradation which I haven't measured-.

Many mainstream Linux distributions also activate this option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 12:38:09 +02:00
Hauke Mehrtens
2bab7d273e kernel: Initialize RNG using CPU RNG and bootloader
This activates the following kernel options by default:
* CONFIG_RANDOM_TRUST_CPU
* CONFIG_RANDOM_TRUST_BOOTLOADER

With these option Linux will also use data from the CPU RNG e.g. RDRAND
and the bootloader to initialize the Linux RNG if such sources are
available.
These random bits are used in addition to the other sources, no other
sources are getting deactivated. I read that the Chacha mixer isn't
vulnerable to injected entropy, so this should not be a problem even if
these sources might inject bad random data.

The Linux kernel suggests to activate both options, Debian also
activates them. This does not increase kernel code size.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-29 12:35:44 +02:00
Eneas U de Queiroz
1c5cafa3eb openssl: fix low-severity CVE-2023-1255
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:

Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.

1. https://www.openssl.org/news/secadv/20230420.txt

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-29 12:33:44 +02:00