CVE-2023-2650 fix
Remove upstreamed patches
Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
* Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 6348850f10)
Release Notes:
https://valgrind.org/docs/manual/dist.news.html
This improves support for the memory allocator used in musl libc 1.2.2
and later which is currently used by OpenWrt.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d85013460d)
Build and package kernel self-tests used for BPF testing, program and JIT
development. This package, together with the existing 'kmod-bpf-test', was
extensively used for past upstream Linux JIT submissions [1].
Currently this includes only 'test_verifier'; building 'test_progs' will
fail due to known endian limitations with bpftool skeletons.
[1]:https://lore.kernel.org/bpf/cover.1633392335.git.Tony.Ambardar@gmail.com
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 3886ea9b87)
Recent libcap versions (>= 2.60) cause problems with BPF kselftests, so
backport an upstream patch that replaces libcap and drops the dependency.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 04981c716a)
Set net.core.bpf_jit_kallsyms=1 in /etc/sysctl.d/10-default.conf.
For privileged users, this exports addresses of JIT-compiled programs to
appear in /proc/kallsyms when present, allowing their use for debugging
and in traces.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit b3aaede2a7)
The OrangePi R1 Plus LTS is a minor variant of OrangePi R1 Plus with
the on-board NIC chip changed from rtl8211e to yt8531c, and otherwise
identical to OrangePi R1 Plus.
Tested-by: Volkan Yetik <no3iverson@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 32d5921b8b)
[Removed patches for kernel 6.1]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Add support for the Xunlong Orange Pi R1 Plus LTS.
Manually generated of-platdata files to avoid swig dependency.
Tested-by: Volkan Yetik <no3iverson@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 37fed89166)
Orange Pi R1 Plus is a Rockchip RK3328 based SBC by Xunlong.
This device is similar to the NanoPi R2S, and has a 16MB
SPI NOR (mx25l12805d). The reset button is changed to
directly reset the power supply, another detail is that
both network ports have independent MAC addresses.
Note: booting from SPI is currently unsupported, you have to install
the image on a SD card.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit ab641efe69)
[Removed patches for kernel 6.1]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Add support for the Xunlong Orange Pi R1 Plus.
Manually generated of-platdata files to avoid swig dependency.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 043f8a4f5e)
The compilation warning was triggered by wrongly set FRAME_WARN to 1024
even for 64bit. This was recently fix by correctly setting the
FRAME_WARN to 2048 for 64bit systems.
The compilation warning would still be triggered on 32bit system but the
actual code is never reached as ARCH_USE_GNU_PROPERTY is only set on
arm64 arch.
Drop the patch as kmalloc cause perf regression as suggested by upstream
maintainers.
Fixes: fa79baf4a6 ("generic: copy backport, hack, pending patch and config from 5.15 to 6.1")
Fixes: 5913ea1ba2 ("generic: 5.15: add pending patch fixing binfmt compilation warning")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 62338f4162)
Previously, CONFIG_LZ4_DECOMPRESS=y was selected by CONFIG_RD_LZ4 only.
When building kernel for initramfs, CONFIG_RD_LZ4 will be unset by
Kernel/SetInitramfs if the chosen compression method is not lz4, then
CONFIG_LZ4_DECOMPRESS will become a *module* in the newly generated
kernel config.
However, the newly added module won't be built after
38c150612c, so packaging kmod-lib-lz4
fails due to missing lz4_decompress.ko.
CONFIG_CRYPTO_LZ4=y makes CONFIG_LZ4_DECOMPRESS=y being selected w/o
CONFIG_RD_LZ4, so that the modules of the default kernel and initramfs
kernel are consistent.
Fixes: #12766
Fixes: 38c150612c ("build: revert 54070a1 (all kernels are >= 5.10)")
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit cc87f6629b)
The device already has LED push button (KEY_LIGHTS_TOGGLE)
and exported GPIO control "led-light". This commit adds
button handler script for switching on/off all device LEDs.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit d955b41275)
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:
> uci: Parse error (invalid command) at line 3, byte 0
```
config engine 'devcrypto'
option enabled '1'
engine 'devcrypto'
option enabled '1'
option builtin '1'
```
Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.
Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit a0d7193425)
Support newer IOMMU_V2 on AMD platforms, useful for DPDK and KVM.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit 1eb02ce325)
Backport Russell King's series [1]
net: mvneta: reduce size of TSO header allocation
to pending-5.15 to fix random crashes on Turris Omnia.
This also backports two patches that are dependencies to this series:
net: mvneta: Delete unused variable
net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()
[1] https://lore.kernel.org/netdev/ZCsbJ4nG+So%2Fn9qY@shell.armlinux.org.uk/
Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (squashed)
(cherry picked from commit 7b31c2e9ed)
it was reported that this flag caused the mx60
not to boot anymore.
Fixes: f095822699 ("apm821xx: convert legacy nand partition layou")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
commit 0c45ad41e1 changes ipq806x usb kmod name
from usb-phy-qcom-dwc3 to phy-qcom-ipq806x-usb, so
use new name.
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
(cherry picked from commit 9314744350)
It's only used on devices in mt7621 and mt7622 subtargets, so no reason
to compile it for others.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit e81298463e)
The MR600v2 does not find its rootfs if it is neither directly after the
kernel or aligned to an erase block boundary (64k).
This aligns the rootfs to 0x10000 allowing the device to boot again. Based
on investigation by forum user relghuar.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
(cherry picked from commit 46b51e9e99)
Fix the PKG_MIRROR_HASH value for netifd.
Fixes: d2ecaaca34 ("netifd: update to version 2023-05-31")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 21f713d5ab)
Contains following changes:
* bridge: bridge_dump_info: add dumping of bridge attributes
* bridge: make it more clear why the config was applied
* cmake: fix build by reordering the cflags definitions
* treewide: fix multiple compiler warnings
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit d2ecaaca34)
This fixes a well known "LZMA ERROR 1" error, reported previously on
numerous of similar devices.
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
(cherry picked from commit 29a5cb7a8b)
As the CCACHE option is already exposed, it would be helpful to also
make the ccache directory easily customizable.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 897691fdce)
A package may run git as part of its build process, and if the package
source code is not from a git checkout, then git may traverse up the
directory tree to find buildroot's repository directory (.git).
For instance, Poetry Core, a Python build backend, will read the
contents of .gitignore for paths to exclude when creating a Python
package. If it finds buildroot's .gitignore file, then Poetry Core will
exclude all of the package's files[1].
This exports GIT_CEILING_DIRECTORIES for both package and host builds so
that git will not traverse beyond $(BUILD_DIR)/$(BUILD_DIR_HOST).
[1]: https://github.com/python-poetry/poetry/issues/5547
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit f597f34f3a)
This set the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 16a20512d8)
Currently, e2600ac-c1 cannot be built as the kernel is larger than the defined KERNEL_SIZE,
however, there is no bootloader limit for the kernel size so remove KERNEL_SIZE completely.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ improve commit title, fix merge conflict ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b764268acb)
Convert E2600ac c2 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0dca52cf59)
Convert E2600ac c1 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 7f2ecab0f4)
The set_spi_clock_speed() function is not used, this causes a compile
warning which results in a build error with -WError.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2d5f3b3c4c)
Add kmod-nft-dup-inet package to allow packet duplication in ip/ip6/inet nftables family
Signed-off-by: Michał Kwiatek <michal@kwiatek.it>
(cherry picked from commit a7e9445975)
This partially reverts commit 7fae1e5677
as it should be no longer necessary to do a full clone since commit
48ed07bc0b ("treewide: replace AUTORELEASE with real PKG_RELEASE").
Suggested-by: Thibaut VARÈNE <hacks@slashdirt.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 11bb5337b8)
[adjusted to 23.05]
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
read_page() need to return maximum number of bitflips instead of the
accumulated number. Change takes from upstream mt7621 u-boot [1].
* @read_page: function to read a page according to the ECC generator
* requirements; returns maximum number of bitflips
* corrected in any single ECC step, -EIO hw error
[1] https://lore.kernel.org/all/cover.1653015383.git.weijie.gao@mediatek.com/
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 2fbb91d73f)
Management Complex (MC) userspace support is required for userspace
helpers working with DPAA2 objects exported by the Management Complex BUS.
Without it, there is the error:
```
root@OpenWrt:/# ls-addni dpmac.1
error: Did not find a device file
Restool wrapper scripts only support the latest major MC version
that currently is MC10.x. Use with caution.
error: Did not find a device file
```
This patch fixes it.
Suggested-by: Alexandra Alth <alexandra@alth.de>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit d04d6a82da)
At this moment loadaddr in most layerscape boards are configured to
0x81000000. 5.15 kernel on some boards is bigger than 5.10 and it cause error:
Loading kernel from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.15.112
Created: 2023-05-21 17:39:35 UTC
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x810000ec
Data Size: 7513944 Bytes = 7.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x80000000
Entry Point: 0x80000000
Hash algo: crc32
Hash value: 6fd69550
Hash algo: sha1
Hash value: ee34c753ffb615e199a428762824ad4a0aaef90a
Verifying Hash Integrity ... crc32+ sha1+ OK
Loading fdt from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt fsl_ls1088a-rdb-sdboot device tree blob
Created: 2023-05-21 17:39:35 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x8172a98c
Data Size: 19794 Bytes = 19.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 59792ba3
Hash algo: sha1
Hash value: 135585a49f86cd85acea559b78b0098ae99d5e12
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x8172a98c
Uncompressing Kernel Image
ERROR: new format image overwritten - must RESET the board to recover
resetting ...
This patch changes loadaddr to 0x88000000 (like LS1012A-FRDM board) to
avoid overlapping for bigger images (like initramfs) too.
Tested-by: Alexandra Alth <alexandra@alth.de> [LS1088ARDB]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit 0822040671)
The USXGMII driver in SDK was heavily refactored, some bugs have been
fixed and it has switched to use phylink_pcs. Follow up with changes
in SDK driver and sync our on-top-of-mainline driver with the SDK
driver.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ba58245e83)
Use renamed build step names for all boards which were not handled by
commit c620409d58 ("mediatek: filogic: add uboot build for mt7981")
and now breaking the build.
Fixes: c620409d58 ("mediatek: filogic: add uboot build for mt7981")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 037ce27244)
Hardware specification:
SoC: MediaTek MT7981B 2x A53
Flash: ESMT F50L1G41LB 128MB
RAM: MT5CC128M16JR-EK 256MB
Ethernet: 4x 10/100/1000 Mbps
Switch: MediaTek MT7531AE
WiFi: MediaTek MT7976C
Button: Reset, WPS
Power: DC 12V 1A
Flash instructions:
1. Attach UART, boot the stock firmware until
the message about failsafe mode appears.
2. Enter failsafe mode by pressing "f" and "Enter"
3. Type "mount_root", then run
"fw_setenv bootmenu_delay 3"
4. Back up all mtd partitions before flashing.
5. Reboot, U-Boot now presents a menu.
6. Connect to your PC via the Gigabit port of the router,
set a static ip on the ethernet interface of your PC.
(ip 192.168.1.254, gateway 192.168.1.1)
7. Select "Upgrade ATF BL2", then use this file:
openwrt-mediatek-filogic-qihoo_360t7-preloader.bin
8. Select "Upgrade ATF FIP", then use this file:
openwrt-mediatek-filogic-qihoo_360t7-bl31-uboot.fip
9. Download the initramfs image, and type "reset",
waiting for tftp recovery to complete.
a. After openwrt boots up, perform sysupgrade.
Note:
1. Since NMBM is disabled, we must back up all partitions.
2. Flash instructions is based on commit 28df7f7.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit dc2d4d7393)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The vendor uboot will verify firmware at boot.
So add a custom uboot build for this device.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit c51eb17730)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add new build option BOARD_QFN/BOARD_BGA.
This option is only useful for MT7981 device.
MT7981A/B: BOARD_BGA, MT7981C: BOARD_QFN.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 602cb4f325)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>