CVE-2023-2650 fix
Remove upstreamed patches
Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
* Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Now that critical trips are defined for all thermal zones in the SOC DTSI
there is no need to duplicate them in AC and HK DTSI.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Kernel 6.1 has started actually enforcing the bindings requirement that
thermal zones must have associated trips described as well, otherwise they
will fail during probing with:
[ 0.865494] thermal_sys: Failed to find 'trips' node
[ 0.867254] thermal_sys: Failed to find trip points for thermal-sensor id=4
[ 0.872271] thermal_sys: Failed to find 'trips' node
[ 0.878898] thermal_sys: Failed to find trip points for thermal-sensor id=5
[ 0.884222] thermal_sys: Failed to find 'trips' node
[ 0.890775] thermal_sys: Failed to find trip points for thermal-sensor id=6
[ 0.896073] thermal_sys: Failed to find 'trips' node
[ 0.902668] thermal_sys: Failed to find trip points for thermal-sensor id=7
[ 0.907964] thermal_sys: Failed to find 'trips' node
[ 0.914569] thermal_sys: Failed to find trip points for thermal-sensor id=8
[ 0.921203] thermal_sys: Failed to find 'trips' node
[ 0.926469] thermal_sys: Failed to find trip points for thermal-sensor id=14
[ 0.931759] thermal_sys: Failed to find 'trips' node
[ 0.938703] thermal_sys: Failed to find trip points for thermal-sensor id=15
So, since CPUFreq support isn't yet upstream we can start by adding critical
trips to all of the thermal zones to protect the devices against severely
overheating.
Qualcomm has set the overheat trip at 120 C but let's be conservative and
set it at 110 C.
This patch has been sent upstream as well.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Move the Qualcomm SoC ID bindings that are used by the CPUFreq NVMEM
driver that was recently backported to generic from ipq807x as that series
depends on SoC ID bindings but they were forgotten.
Due to that IPQ806x builds would fail as the backport was still in ipq807x.
Fixes: d44279 ("generic: 6.1: backport Qualcomm CPUFreq NVMEM changes")
Signed-off-by: Robert Marko <robimarko@gmail.com>
Recent binutils will warn if there is no .note.GNU-stack section and will
interpret that as that stack is executable.
So, let's modify the upstream 6.1 fix as in 5.15 VDSO32 and VDSO64 are still
separate but later they were merged to resolve:
/external-toolchain/openwrt-toolchain-mpc85xx-p1020_gcc-12.3.0_musl.Linux-x86_64/toolchain-powerpc_8548_gcc-12.3.0_musl/bin/../lib/gcc/powerpc-openwrt-linux-musl/12.3.0/../../../../powerpc-openwrt-linux-musl/bin/ld: warning: arch/powerpc/kernel/vdso32/getcpu.o: missing .note.GNU-stack section implies executable stack
/external-toolchain/openwrt-toolchain-mpc85xx-p1020_gcc-12.3.0_musl.Linux-x86_64/toolchain-powerpc_8548_gcc-12.3.0_musl/bin/../lib/gcc/powerpc-openwrt-linux-musl/12.3.0/../../../../powerpc-openwrt-linux-musl/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
Signed-off-by: Robert Marko <robimarko@gmail.com>
The compilation warning was triggered by wrongly set FRAME_WARN to 1024
even for 64bit. This was recently fixed by correctly setting the
FRAME_WARN to 2048 for 64bit systems.
The compilation warning would still be triggered on 32bit system but the
actual code is never reached as ARCH_USE_GNU_PROPERTY is only set on
arm64 arch.
Drop the patch as kmalloc causes perf regression as suggested by upstream
maintainers.
Fixes: fa79baf4a6 ("generic: copy backport, hack, pending patch and config from 5.15 to 6.1")
Fixes: 5913ea1ba2 ("generic: 5.15: add pending patch fixing binfmt compilation warning")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Instead of referencing vlan and doing strange subtraction, use the handy
struct_group() to create a virtual struct of the same size as the
members. This permits a more secure memset and fixes a compilation
warning in 6.1 where additional checks are done.
Fix compilation warning:
| inlined from 'psb6970_reset_switch' at drivers/net/phy/psb6970.c:275:2:
| ./include/linux/fortify-string.h:314:25: error: call to '__write_overflow_field'
| declared with attribute warning: detected write beyond size of field
| (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
| 314 | __write_overflow_field(p_size_field, size);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|cc1: all warnings being treated as errors
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
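The struct_group() change described in the commit above, as an added userspace illustration that is not code from the commit or from the psb6970 driver. The macro is a simplified stand-in for the kernel's struct_group(), and struct sw_priv, its fields and NUM_VLANS are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace stand-in for the kernel's struct_group(): the same
 * members are reachable directly and as one named sub-struct. */
#define struct_group(NAME, ...) \
    union { struct { __VA_ARGS__ }; struct { __VA_ARGS__ } NAME; }

#define NUM_VLANS 4                      /* constructed value */

struct sw_priv {                         /* hypothetical driver state */
    void *dev;                           /* must survive a reset */
    struct_group(state,
        unsigned char vlan;              /* first member of the reset range */
        unsigned short vlan_id[NUM_VLANS];
        unsigned char vlan_table[NUM_VLANS];
    );
};

/* Size of the single field the old memset() named as its destination. */
size_t dest_field_size(void) { return sizeof(((struct sw_priv *)0)->vlan); }

/* Length the old pattern wrote: everything from 'vlan' to the struct's end. */
size_t subtraction_len(void)
{
    return sizeof(struct sw_priv) - offsetof(struct sw_priv, vlan);
}

/* New pattern: destination and length both come from the group itself. */
void reset_state(struct sw_priv *p) { memset(&p->state, 0, sizeof(p->state)); }

/* Returns 1 if a reset clears the grouped members and leaves 'dev' alone. */
int reset_is_contained(void)
{
    struct sw_priv p;
    memset(&p, 0xff, sizeof(p));
    p.dev = &p;
    p.vlan_id[1] = 7;                    /* direct member access still works */
    if (p.state.vlan_id[1] != 7) return 0;
    reset_state(&p);
    return p.dev == &p && p.vlan == 0 && p.vlan_id[1] == 0 &&
           p.vlan_table[NUM_VLANS - 1] == 0;
}

int main(void)
{
    printf("dest field %zu bytes, old write %zu bytes, contained reset: %d\n",
           dest_field_size(), subtraction_len(), reset_is_contained());
    return 0;
}
```

The mismatch between the one-byte destination field and the much larger write length is what the fortified memset() in the quoted warning objects to.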
Previously, CONFIG_LZ4_DECOMPRESS=y was selected by CONFIG_RD_LZ4 only.
When building kernel for initramfs, CONFIG_RD_LZ4 will be unset by
Kernel/SetInitramfs if the chosen compression method is not lz4, then
CONFIG_LZ4_DECOMPRESS will become a *module* in the newly generated
kernel config.
However, the newly added module won't be built after
38c150612c, so packaging kmod-lib-lz4
fails due to missing lz4_decompress.ko.
CONFIG_CRYPTO_LZ4=y makes CONFIG_LZ4_DECOMPRESS=y being selected w/o
CONFIG_RD_LZ4, so that the modules of the default kernel and initramfs
kernel are consistent.
Fixes: #12766
Fixes: 38c150612c ("build: revert 54070a1 (all kernels are >= 5.10)")
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
The device already has LED push button (KEY_LIGHTS_TOGGLE)
and exported GPIO control "led-light". This commit adds
button handler script for switching on/off all device LEDs.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Most of the CPUFreq NVMEM patches have been upstreamed in an improved way.
IPQ8074 support itself is being reviewed upstream currently.
Upstreamed patches have been moved to generic backports so that ipq806x can
use them as well, so let's just use the latest version of IPQ8074 support
that is being reviewed upstream.
Runtime tested on Qnap 301W (IPQ8072A) and Xiaomi AX3600 (IPQ8071A).
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, IPQ807x is using CPUFreq NVMEM for dealing with different SoC
SKU-s having different frequency limits, and we are keeping the patches
for it in ipq807x target.
However, we managed to upstream a big cleanup of the driver in order to
make it possible for other SMEM based targets to be added to CPUFreq NVMEM.
IPQ806x will be using CPUFreq NVMEM and depends on these changes as well,
so let's put them in generic backport to avoid code duplication.
This replaces the older patches in ipq807x.
Signed-off-by: Robert Marko <robimarko@gmail.com>
One is never to write to dev->addr directly. In 6.1 it will be a const and
with the newly enabled WERROR, we get a failing grade.
Let's fix this ahead of time.
Ref: adeef3e321
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
MDT loader fix for remoteproc was already merged, so mark it as a backport
with the future 6.5 kernel version.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Refresh the kernel config as multiple options were disabled in the generic
config since 6.1 was added to ipq807x.
Signed-off-by: Robert Marko <robimarko@gmail.com>
We are running out of 00xx numbers to put backports into, so let's just
renumber all of the upstreamed patches back to 0000 and onwards.
Signed-off-by: Robert Marko <robimarko@gmail.com>
The MT7986 RFB was intended to use device tree overlays and for that
reason modified DTC_FLAGS. zyxel_ex5601-t0-stock later on probably
copied it from there. Both boards do not actually use device tree
overlays, so remove setting DTC_FLAGS from both.
The BPi-R3 does use device tree overlays, use DEVICE_DTC_FLAGS to give
it an extra 4kb of padding for overlays to be applied.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Handle compiling device tree overlay blobs separately to allow for
overlays being compiled with different parameters, mostly to save
space.
Allow defining DEVICE_DTC_FLAGS and DEVICE_DTCO_FLAGS as per-device
parameters to be passed to dtc. Previously some boards directly used
DTC_FLAGS in their build recipe which then also affected other boards.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Backport initial LEDs hw control support. Currently this is limited to
only rx/tx and link events for the netdev trigger but the API got
accepted and the additional modes are being worked on and will be backported
later.
Refresh every patch and add the additional config flag for QCA8K new
LEDs support.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
If the board comes up with OpenWrt that means that the bootloader is
recent enough and knows about the new device tree overlays.
Using /etc/board.d/ is not enough in this case because it doesn't
overwrite existing configuration which may exist (and is fine to exist)
if the user updated with 'sysupgrade -F *.itb' and has kept
configuration. They would still need to manually set compat_version
even though the fact that the bootloader env has been updated can be
implied by the fact that the system has started.
Hence we can always set compat_version=1.1 for those two boards using
uci-defaults.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Sync device tree files for MT7986 boards with what landed in upstream
Linux tree to ease maintenance and also allow for a smooth update to
Linux 6.1.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update bootloader environment for BPi-R3 and BPi-R64 to adapt to new
device tree overlay mechanism now that support for multiple device
tree overlays has been added.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Now that it is possible to load several device tree overlays by
appending their config names to bootconf the uImage.FIT partition
parser needs to discard everything after the first '#' character in
bootconf when looking up the config node to be used.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Instead of generating full config nodes incl. kernel, generate minimal
config nodes for device tree overlays to be applied to the main config.
In this way, multiple device tree overlays can be applied more easily.
While at it change filenames to upstream style, ie. use dtso and dtbo
suffix for device tree overlays.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This reverts commit 5d2de00555.
I received multiple reports that in various configurations this FW version
is not stable and crashes, so let's revert to 01385 revision which works.
Fixes: #12815
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixes tag]
As the CCACHE option is already exposed, it would be helpful to also
make the ccache directory easily customizable.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Rename the list of programs installed by coreutils
to PKG_PROGRAMS, which will create a stampfile for each
through a new feature in host-build.mk.
Also, clean up a bit to save lines
regarding the usage of this list.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Define the variable PKG_PROGRAMS for the list
of programs installed by findutils,
which will create a stampfile for each
through a new feature in host-build.mk.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some individual build items install a group of programs
instead of a program matching the name of the build item.
Add support for installing stampfiles for each of the
programs installed by that build item,
which will allow more control and awareness
of what is installed by the rest of the build system,
if, for example, prereq symlink checks are looking
for the same program which is built already.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some programs installed to staging_dir/host/bin
also install some symlinks to themselves
for an alternative name.
Some of those new symlinks are overwriting
symlinks that were installed by prereq stage.
If prereq stage were to somehow be run again,
it should not be overwriting symlinks
that point to programs that are already built.
To filter that out, catch all symlinks
after first catching all symlinks
that have an absolute target
after all other cases in the case statement,
make sure it is not broken, and if so exit successfully.
Suggested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some programs, like bash and patch, are checked by prereq stage
and have a symlink installed, but then are later built from source.
Now that the prereq-build checks are not successful
just by finding the file alone, it is possible for
a new symlink to overwrite the installed binary.
If a normal file is found in staging_dir/host/bin,
let the check look for the associated stampfile, and if found,
skip creation of a symlink and exit successfully.
Suggested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
This reverts commit 7855378fcd.
The return "exit 1" was intentional and actually just
makes the symlink checks much more strict.
This new level of strictness added to the checks revealed
what was a confusing regression with prereq stage that
already existed but was not presenting itself
because of the simple way that checks used to be done before.
Either way, reverting to "exit 0" was a nice workaround
until the true root cause was discovered, so as to not interfere
with others' pull requests and builds in the meantime.
It turns out that this problem was the inconsistent value of $PATH
between different commands within the SetupHostCommand recipe,
now fixed in the parent commit, using the variable created
in the parent of the parent commit.
Ref: f75204036c ("prereq-build: allow host command symlinks to update")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
In the recipe SetupHostCommand for checking
and creating symlinks, $PATH was only overridden
for one of several commands.
This causes the symlinks to be included
in the paths to pick a program from
when the check was repeated, because
staging_dir/host/bin was included in $PATH,
but only *sometimes*.
When the check ran again, the command succeeded
with a $PATH including the symlink,
(eval "$$$$$$$$cmd")
while the path to the program was evaluated
with a $PATH NOT including the symlink,
(bin=...)
causing the symlink to be relinked incorrectly,
instead of passing as exactly the same.
Coincidentally, this was only a problem
if the symlink targeted the alternative
program with a different name.
By overriding the value of $PATH at the invocation of Make,
it will apply to the entire environment of the checks.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Add a variable that stores the original value of $PATH
in the host system's shell, before Make alters it.
This can be useful for when it is necessary
to ignore symlinks and programs made by the build system.
Define this new variable before all instances of
'export PATH:=' or similar.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Currently kernel crashes when of_phy_connect has issues:
Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000308
...
pc : phy_attached_print+0x28/0x1b0
lr : phy_attached_info+0x14/0x20
...
Call trace:
phy_attached_print+0x28/0x1b0
phy_attached_info+0x14/0x20
nss_dp_adjust_link+0x544/0x6c4 [qca_nss_dp]
of_phy_connect returns either pointer or NULL, so can't be checked with
IS_ERR macro.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
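The NULL-versus-IS_ERR point from the commit above, as an added userspace illustration that is not code from the commit or from the qca_nss_dp driver. is_err() restates the kernel's error-pointer test; fake_phy_connect(), struct phy_device as defined here and both check functions are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace restatement of the kernel's error-pointer test: only the top
 * MAX_ERRNO addresses count as encoded -errno values. */
#define MAX_ERRNO 4095
int is_err(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

struct phy_device { int link; };         /* hypothetical stand-in type */

/* Stand-in for a connect call that, like of_phy_connect(), signals failure
 * with NULL and never with an ERR_PTR() value. */
struct phy_device *fake_phy_connect(int ok)
{
    static struct phy_device phy = { .link = 1 };
    return ok ? &phy : NULL;
}

/* Old check: NULL is not an error pointer, so the failure is reported as 0
 * and the caller goes on to use the NULL phy. */
int connect_checked_with_is_err(int ok)
{
    struct phy_device *phy = fake_phy_connect(ok);
    return is_err(phy) ? -ENODEV : 0;
}

/* Corrected check: test for NULL before the pointer is used. */
int connect_checked_for_null(int ok)
{
    struct phy_device *phy = fake_phy_connect(ok);
    return phy ? 0 : -ENODEV;
}

int main(void)
{
    printf("failed connect, IS_ERR-style check -> %d\n",
           connect_checked_with_is_err(0));
    printf("failed connect, NULL check         -> %d\n",
           connect_checked_for_null(0));
    return 0;
}
```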