Commit Graph

2115 Commits

Author SHA1 Message Date
Alin Nastac
c86490605c netfilter: add iptables-mod-rpfilter package
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
(cherry picked from commit d8748e537f)
2017-12-13 16:23:38 +01:00
Sergey Ryazanov
bb9eb2c96e build: new fixes for symlinked .config handling
When running "make {config|defconfig|oldconfig}" with symlinked .config
(e.g. to env/.config) it renames symlink to .config.old, creates new
.config file, and writes the updated configuration into it.

This breaks the desired workflow when changes in the configuration can
be checked using "scripts/env diff" and commited using "scripts/env
save". Since the env/.config file is not updated.

The things become even worse when working with feeds, since feeds script
quite often silently invokes "make {oldconfig|defconfig}" and breaks the
symlink.

Fix this issue by exporting KCONFIG_OVERWRITECONFIG=1, which forces
mconf to overwrite the .config content, instead of renaming it and
creating a new file. This variable is set only if .config is a symlink,
otherwise the variable is not exported and the old behaviour is
preserved.

This change uses the same behaviour as "make menucofig", which has
already been fixed in commit 5bf98b1acc.

Also make a tiny cosmetic update to the "make menuconfig" target code
layout to make it look like other config handling targets.

Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
(cherry picked from commit e06d8f0f6f)
2017-12-13 15:27:36 +01:00
Felix Fietkau
4607007a86 build: allow val.% targets to bypass the prepare steps
Significantly reduces time spent processing those targets and should
also silence some log clutter which could confuse buildbot

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit ddbb036bbb)
2017-12-13 15:27:16 +01:00
Daniel Engberg
3e7f191008 include/packages-defaults.mk: Remove LARGEFILE option
Remove LARGEFILE option, support was removed back in 2011 (OpenWrt rev 25208).

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit edda8ecd79)
2017-12-13 15:19:04 +01:00
Rafał Miłecki
9ce30f7175 kernel: move initramfs's init script out of base-files
Keeping it in base-files was resulting in adding it to the base-files
package. This file is meant to be included manually for initramfs
images only.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit f6433eede7)
2017-12-13 15:00:42 +01:00
Philip Prindeville
c8a0f3aa29 target.mk: check that CPU_TYPE has known CPU_CFLAGS mapping
If someone creates a target and indicates a CPU_TYPE, but there's
no corresponding support for that CPU_TYPE's flags in include/target.mk
then that should probably be indicated rather than silently ignored.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit d3bc11857a)
2017-12-13 15:00:21 +01:00
Felix Fietkau
0aafbf6c00 build: fix STAMP_PREPARED with quilt
quilt.mk needs to be included first, to ensure that STAMP_PREPARED does
not include the hash if quilt is used.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 89118da865)
2017-12-13 14:56:57 +01:00
Felix Fietkau
acd481470c build: get rid of FIND_L from host.mk
This was added for Mac OS X many years ago, but recent versions also
support find -L

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit be206eba3a)
2017-12-13 14:32:21 +01:00
Thomas Reifferscheid
11cd6077ba build: unsilence move command
The @ sign in front of the "mv" command was significantly suppressing
output to stdout. When reviewing the make/build logs it was tricking
me a whole lot and it mad me lose time. Removing the @ sign will get
stdout and logs right about what happened when.

Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
(cherry picked from commit 1d49b534f5)
2017-12-13 14:31:36 +01:00
Felix Fietkau
903a404663 build: skip headers install and config on make target/linux/prepare
This simplifies working with quilt on the kernel tree

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit dce6eeccc0)
2017-12-13 14:27:44 +01:00
Felix Fietkau
a7fc27edce build: make Host/Install/Default use Host/Compile/Default with an extra argument
Allows parallelizing compile steps that might be necessary during install

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit fe1e3622a2)
2017-12-13 14:24:59 +01:00
Etienne Haarsma
2b664499cd kernel: bump 4.4 to 4.4.103 for 17.01
Refreshed all patches.

Removed upstream ramips patches:
0101-MIPS-ralink-Fix-MT7628-pinmux.patch
0102--MIPS-ralink-Fix-typo-in-mt7628-pinmux-function.patch

Compile-tested: ar71xx
Run-tested: ar71xx

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
2017-12-12 11:10:47 +01:00
Etienne Haarsma
7f3dab2fc3 kernel: bump 4.4 to 4.4.102
Refreshed all patches.

Removed upstream ramips patch: 0063-set-CM_GCR_BASE_CMDEFTGT_MEM-according-to-datasheet.patch

Compile-tested: ar71xx
Run-tested: ar71xx

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Tested-by: Stijn Segers <francesco.borromini@inventati.org>
2017-11-26 15:10:36 +01:00
Kevin Darbyshire-Bryant
373fa54d35 kernel: bump 4.4 to 4.4.93 for 17.01
Refresh patches.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on  ar71xx - Archer C7 v2

Fixes CVE-2017-15265.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
[remove 2nd CVE as it was fixed in mac80211 in commit bff16304b0]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 19:58:02 +03:00
Stijn Tintel
cdb2684dce LEDE v17.01.4: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Stijn Tintel
444add156f LEDE v17.01.4: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Stijn Tintel
fa0b5fce1f kernel: bump 4.4 to 4.4.92
Refresh patches.

Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-16 13:35:06 +03:00
Felix Fietkau
2ce9c84a92 build: add a darwin sitefile to deal with macOS 10.12 + Xcode 9 build errors
Certain functions are available in system headers, but only work on
macOS 10.13

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Stijn Tintel
ee32de4426 LEDE v17.01.3: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:55 +03:00
Stijn Tintel
df54a8f583 LEDE v17.01.3: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:53 +03:00
Hauke Mehrtens
720b0e2e2d kernel: update 4.4 to 4.4.89
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 13:58:00 +02:00
Kevin Darbyshire-Bryant
ab305e147e kernel: update 4.4 to 4.4.87
Fixes CVE-2017-11600

No patch refresh required

Compile & run tested: ar71xx - Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 21:53:16 +02:00
Kevin Darbyshire-Bryant
ca53effdd6 kernel: update 4.4 to 4.4.86
Refresh patches

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-04 14:41:56 +02:00
Kevin Darbyshire-Bryant
4a1b87aba4 kernel: update 4.4 to 4.4.83
Refresh patches.
Minor update 704-phy-no-genphy-soft-reset.patch which was partially
accepted upstream.
Compile-tested on ar71xx.
Runtime-tested on ar71xx.

Fixes the following vulnerabilities:
- CVE-2017-7533 (4.4.80)
- CVE-2017-1000111 (4.4.82)
- CVE-2017-1000112 (4.4.82)

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-08-17 19:47:27 +02:00
Hauke Mehrtens
69acb2533a kernel: update kernel 4.4 to version 4.4.79
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-07-28 23:49:35 +02:00
Mathias Kresin
f6907dcc79 image: fix ar71xx legacy images
If TARGET_PER_DEVICE_ROOTFS and DEVICE_PACKAGES are used for ar71xx
legacy images:

- an already jffs2 padded squashfs rootfs is overwritten
  with an unpadded/raw one.

- the squashfs-raw and squashfs-64k rootfs are not replaced by the
  ones including the DEVICE_PACKAGES

Call Image/Build/squashfs after the DEVICE_PACKAGES are added to the
base squashfs rootfs to fix the issues.

Fixes: FS#904

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-07-14 23:36:50 +02:00
Felix Fietkau
27da508749 build: fix kmod package build on non-GNU systems
BSD paste requires a filename argument, and it accepts - to use stdin as
intended.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-07-05 12:49:21 +02:00
Stijn Tintel
8d3d7f6b52 kernel: update kernel 4.4 to 4.4.74
Refresh patches.
Compile-tested on ar71xx, octeon.
Runtime-tested on ar71xx, octeon.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 15:00:35 +02:00
Alexander Couzens
a6b5ddfd9b LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:07 +02:00
Alexander Couzens
2da512ecf4 LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:02 +02:00
Felix Fietkau
65eec8bd5f build: ensure that flock is available for make download
It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-06-08 23:02:37 +02:00
Alexander Couzens
4053c4f0fe include/toplevel: set env GIT_ASKPASS=/bin/true
When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-08 23:02:37 +02:00
Jo-Philipp Wich
4fbd072624 kernel: update kernel 4.4 to 4.4.71
Fixes the following security vulnerabilities:

CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.

CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.

CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.

CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-07 21:24:41 +02:00
Yousong Zhou
a44d7bfb63 build: fix possible issue with kmod package having multiple AutoLoad's
This commit contains the following changes

 - Use local shell var where appliable
 - The $(sort $$$$$$$$mods) call will have no expected effect
 - Avoid EEXIST when creating symlinks in /etc/modules-boot.d/
 - Avoid duplicate arguments for insert_modules() in postinst-pkg

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-27 15:04:32 +08:00
Hauke Mehrtens
e02b12c4cf kernel: update kernel 4.4 to 4.4.70
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-05-27 00:43:02 +02:00
Stijn Segers
215c1d05b8 kernel: update kernel 4.4 to 4.4.69
Bump the 17.01 tree kernel to 4.4.69. Trunk 4.4 and 17.01 4.4 have diverged, talked this
through with jow, he was okay with a clean diff against 17.01 and not a backported trunk
patch.

The following patches were applied upstream:

* 062-[1-6]-MIPS-* series
* 042-0004-mtd-bcm47xxpart-fix-parsing-first-block

Reintroduced lantiq/patches-4.4/0050-MIPS-Lantiq-Fix-cascaded-IRQ-setup, as
it was incorrectly included upstream thus dropped from LEDE, but subsequently
reverted upstream. Thanks to Kevin Darbyshire-Bryant for pointing me to it.

  Compile-tested on: ar71xx, ramips/mt7621, x86/64.

  Run-tested on: ar71xx, ramips/mt7621, x86/64.

Signed-off-by: Stijn Segers <francesco.borromini@inventati.org>
2017-05-24 22:47:01 +02:00
Michal Sojka
dbaaeae428 image.mk: Generate cpiogz with root-owned files
Some files (e.g. /etc/dropbear) need to be owned by root. Add cpio
option to ensure that.

Other image types (at least targz and squashfs) already have this.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
2017-05-16 17:38:08 +02:00
Sergey Ryazanov
37cf921352 build: fix symlinked .config handling
When running "make menuconfig" with symlinked .config (e.g. to
env/.config) it renames symlink to .config.old, creates new .config file
and writes updated configuration here.

This breaks the desired workflow when changes in the configuration could
be checked using "scripts/env diff" and commited with
"scripts/env save". Since the env/.config file is not updated.

Fix this issue by exporting KCONFIG_OVERWRITECONFIG=1, which forces
mconf to overwrite the .config content, instead of renaming it and
creating a new file. This variable is set only if .config is a symlink,
otherwise the variable is not exported and the old behaviour is
preserved.

Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
2017-05-02 16:11:09 +02:00
Jo-Philipp Wich
6ca5ccc620 kernel: update kernel 4.4 to 4.4.61
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-15 17:20:51 +02:00
Felix Fietkau
53fcaed1f7 image.mk: force kernel rebuild on every run
DTS dependencies are not processed correctly so makes it safer against
poentially stale builds

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-05 10:08:22 +02:00
Hauke Mehrtens
0dcc4d239d kernel: update kernel 4.4 to 4.4.59
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-04-02 14:37:49 +02:00
Kevin Darbyshire-Bryant
09a8183ce8 kernel: update kernel 4.4 to 4.4.52
Bump kernel from 4.4.50 to 4.4.52

Refresh patches

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-03-03 18:18:49 +01:00
Felix Fietkau
f6d94b0dd6 cmake: skip build system check on compile
cmake checks the build system and its variables on its own to detect if
the makefiles need to be regenerated.
Unfortunately this can invalidate overrides passed in the
Build/Configure step. On non-Linux systems this breaks the build when
switching between targets of the same package architecture.

Fix this by forcibly disabling the build system check and relying on the
LEDE build system to take care of these things

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-21 16:16:25 +01:00
Jo-Philipp Wich
06f3b91902 kernel: update kernel 4.4 to version 4.4.50
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-02-20 16:02:54 +01:00
Stijn Tintel
054ce1624c kernel: update kernel 4.4 to version 4.4.47
Refresh patches for all targets that support kernel 4.4.
Compile-tested on all targets that use kernel 4.4 and aren't marked
broken, except arc770 and arch38 due to broken toolchain.

Runtime-tested on ar71xx, octeon, ramips and x86/64.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit d2c4041f02)

Conflicts:
	include/kernel-version.mk
	target/linux/ramips/patches-4.4/997-ralink-Introduce-fw_passed_dtb-to-arch-mips-ralink.patch
2017-02-06 20:13:06 +01:00
Koen Vandeputte
b786a5ffc3 kernel: bump to 4.4.46
Refreshed patches for all supported targets.

Compile-tested on ar71xx, cns3xxx, imx6, mt7621, oxnas and x86/64.
Run-tested on ar71xx, cns3xxx, imx6 and mt7621.

Tested-by: Stijn Segers <francesco.borromini@inventati.org>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 3becadd56c)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-02-06 20:13:06 +01:00
Koen Vandeputte
c656cbc56b kernel: bump to 4.4.45
Refreshed patches for all supported targets.

Compiled & tested on cns3xxx & imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 4d1515070b)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Conflicts:
	target/linux/ar71xx/patches-4.4/920-usb-chipidea-AR933x-platform-support.patch
2017-02-06 20:13:06 +01:00
Stijn Segers
ee3067c588 Kernel: bump to 4.4.44
Bump kernel to 4.4.44. Compile-tested on ar71xx, ramips/mt7621 and x86/64.

.44 has been run-tested on the 17.01 branch here on ar71xx and mt7621.

Signed-off-by: Stijn Segers <francesco.borromini@inventati.org>
(cherry picked from commit 20996edd68)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Conflicts:
	target/linux/ar71xx/patches-4.4/920-usb-chipidea-AR933x-platform-support.patch
	target/linux/ar71xx/patches-4.4/930-chipidea-pullup.patch
2017-02-06 20:13:06 +01:00
Florian Fainelli
4d561b3a30 package-ipkg: Do not fail build without base-files
If the base-files package is not selected, we will fail executing the
very first postinst script:

make[3]: Leaving directory `/local/users/fainelli/openwrt/trunk'
cp -fpR
/local/users/fainelli/openwrt/trunk/build_dir/target-arm_xscale_musl-1.1.15_eabi/root-orion
/local/users/fainelli/openwrt/trunk/build_dir/target-arm_xscale_musl-1.1.15_eabi/root.orig-orion
./usr/lib/opkg/info/busybox.postinst: line 3:
/local/users/fainelli/openwrt/trunk/build_dir/target-arm_xscale_musl-1.1.15_eabi/root-orion/lib/functions.sh:
No such file or directory
./usr/lib/opkg/info/busybox.postinst: line 4: default_postinst: command
not found
postinst script ./usr/lib/opkg/info/busybox.postinst has failed with
exit code 127
make[2]: *** [package/install] Error 1

Check for the existence of lib/functions.sh, and if it does not exist,
just bail out gracefully.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-02-01 16:07:30 +01:00
Jo-Philipp Wich
e5bc7bff85 build: properly pass CPP and CXX flags in HOST_MAKE_VARS
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-02-01 16:03:57 +01:00