Commit Graph

38182 Commits

Author SHA1 Message Date
Jo-Philipp Wich
367b4563b4 dnsmasq: restore ability to include/exclude raw device names
Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname"
broke the ability to specify unmanaged network device names for inclusion
and exclusion in the uci configuration.

Restore support for raw device names by falling back to the input value
when "network_get_device" yields no result.

Fixes FS#876.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a89c36b508)
2017-10-25 09:57:58 +02:00
Mathias Kresin
ee6fa8d839 lantiq: add missing default lan interface
With removing the boards from the the default case to fix the xDSL WAN
MAC-Address, the setting for the default LAN interface wasn't added.

Fixes: 92a12c434c ("lantiq: fix avm fritz box mac addresses")

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:53 +02:00
Tolga Cakir
2bee675d33 ipq806x: fix Zyxel NBG6817 WiFi button
Zyxel NBG6817 features a WiFi button, which becomes functional by setting
correct GPIO. It is a switch-type button, so it emits KEY_RFKILL on each ON
and OFF state. This is achieved by setting input-type to EV_SW.

Signed-off-by: Tolga Cakir <tolga@cevel.net>
2017-10-24 22:46:25 +02:00
Alberto Bursi
f5935f78a1 ramips: fix default usb support for nexx wt3020-8M
the nexx wt3020-8M has a usb 2.0 port,
add usb 2.0 support packages to its default package list.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-10-24 20:36:08 +02:00
Matthias Schiffer
0780e12483
opkg: bump to 2017-10-23 (lede-17.01)
A lede-17.01 branch for bugfix backports has been added to the opkg-lede
repo.

c6caf07 pkg_parse: fix segfault when parsing descriptions with leading newlines
5bb5fd5 opkg: add --no-check-certificate argument
7a96972 libbb: xreadlink: fix memory leak on failure case
3f13edd pkg_run_script: use pkg->dest in half installed case

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-10-23 23:48:25 +02:00
Mathias Kresin
98c003e3da lantiq: ARV752DPW22: fix wireless mac address
The ARV752DPW22 has the same generic mac address in the EEPROM as it
was already noticed for other lantiq boards using a ralink wireless.

Use the base mac address from the boardconfig partition as it is done
by the stock firmware.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-18 22:14:25 +02:00
Mathias Kresin
50db9a4004 lantiq: ARV752DPW22: set correct wireless led trigger
The ARV752DPW22 has a ralink based wireless and can not use the ath9k
only phy0tpt trigger.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-18 22:14:25 +02:00
Kevin Darbyshire-Bryant
373fa54d35 kernel: bump 4.4 to 4.4.93 for 17.01
Refresh patches.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on  ar71xx - Archer C7 v2

Fixes CVE-2017-15265.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
[remove 2nd CVE as it was fixed in mac80211 in commit bff16304b0]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 19:58:02 +03:00
Hans Dedecker
586a721d3f mountd: bump to git HEAD version (fixes SIGSEV crashes)
6efeb19 autofs: register SIGTERM for gracefull exit
01bb2b0 mount: fix SIGSEV crashes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-18 14:19:56 +02:00
Stijn Tintel
cdb2684dce LEDE v17.01.4: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Stijn Tintel
444add156f LEDE v17.01.4: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Jason A. Donenfeld
79f57e422d wireguard: version bump to 0.0.20171017
This is a simple version bump. Changes:

  * noise: handshake constants can be read-only after init
  * noise: no need to take the RCU lock if we're not dereferencing
  * send: improve dead packet control flow
  * receive: improve control flow
  * socket: eliminate dead code
  * device: our use of queues means this check is worthless
  * device: no need to take lock for integer comparison
  * blake2s: modernize API and have faster _final
  * compat: support READ_ONCE
  * compat: just make ro_after_init read_mostly

  Assorted cleanups to the module, including nice things like marking our
  precomputations as const.

  * Makefile: even prettier output
  * Makefile: do not clean before cloc
  * selftest: better test index for rate limiter
  * netns: disable accept_dad for all interfaces

  Fixes in our testing and build infrastructure. Now works on the 4.14 rc
  series.

  * qemu: add build-only target
  * qemu: work on ubuntu toolchain
  * qemu: add more debugging options to main makefile
  * qemu: simplify shutdown
  * qemu: open /dev/console if we're started early
  * qemu: phase out bitbanging
  * qemu: always create directory before untarring
  * qemu: newer packages
  * qemu: put hvc directive into configuration

  This is the beginning of working out a cross building test suite, so we do
  several tricks to be less platform independent.

  * tools: encoding: be more paranoid
  * tools: retry resolution except when fatal
  * tools: don't insist on having a private key
  * tools: add pass example to wg-quick man page
  * tools: style
  * tools: newline after warning
  * tools: account for padding being in zero attribute

  Several important tools fixes, one of which suppresses a needless warning.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045)
2017-10-17 20:46:20 +03:00
Stijn Tintel
d501786ff2 hostapd: add wpa_disable_eapol_key_retries option
Commit b6c3931ad6 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.

Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372)
2017-10-17 17:59:45 +03:00
Stijn Tintel
b6c3931ad6 hostapd: backport extra changes related to KRACK
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 17:54:59 +03:00
Stijn Tintel
a5e1f7f5ef mac80211: backport kernel fix for CVE-2017-13080
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c2)
2017-10-17 01:57:05 +03:00
Jo-Philipp Wich
46e29bd078 x86: partly revert cabf775
The subtarget cleanups made in cabf775 "x86: Refresh subtargets kernel config"
removed some important symbol disable statements, so revert the changes to the
subtarget configs for now.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-10-16 17:21:43 +02:00
Ryan Mounce
707305a19d mac80211: Update wireless-regdb to master-2017-03-07
The short log of changes since the 2016-06-10 release is below.

Jouni Malinen (1):
      wireless-regdb: Remove DFS requirement for India (IN)

Ryan Mounce (1):
      wireless-regdb: Update rules for Australia (AU) and add 60GHz rules

Seth Forshee (2):
      wireless-regdb: Update 5 GHz rules for Canada
      wireless-regdb: update regulatory.bin based on preceding changes

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit 8b12e62e9c)
2017-10-16 14:22:18 +03:00
Jason A. Donenfeld
907d8703f4 wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to base a package.

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc31)
2017-10-16 14:03:39 +03:00
Felix Fietkau
bff16304b0 brcmfmac: backport length check in brcmf_cfg80211_escan_handler()
Fixes CVE-2017-0786

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 13:02:04 +02:00
Stijn Tintel
fa0b5fce1f kernel: bump 4.4 to 4.4.92
Refresh patches.

Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-16 13:35:06 +03:00
Felix Fietkau
e6fd17d04c ramips: fix compile warning in MT7621 NAND driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Felix Fietkau
2e9f3c6225 ramips: fix typo in MT7621 NAND driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Felix Fietkau
63c17142c8 hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Backport of bbda81ce30

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Baptiste Jonglez
cdd093b539 x86/64: add xen DomU support
Xen support for x86/generic was added in 296772f9.  This commit also
enables it for x86/64.

This was successfully tested with Xen 4.5.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-10-16 09:44:19 +02:00
Baptiste Jonglez
cabf775e64 x86: Refresh subtargets kernel config
This was done by simply running `make kernel_menuconfig CONFIG_TARGET=subtarget`
and then saving without changing any option.

Having consistent kernel config is important to avoid surprises, such
as the issue fixed with 6f0367c9 (where Xen support was silently
disabled when building the kernel, although it was present in the
initial config)

As far as I understand the build system, this shouldn't have any
user-visible impact, because the build system already merges the
various kernel configs during build.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-10-16 09:43:43 +02:00
Baptiste Jonglez
da0219ed9f x86: Fix xen serial console by removing conflicting PATA driver
The Xen serial console has been broken since the xen_domu subtarget
was merged in the generic x86 subtarget (commits 296772f9 and b36e24f3).

The reason for the broken serial console seems to be an IRQ conflict
between the serial console driver and the PATA_LEGACY driver:

[    1.330125] genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (platform[pata_legacy.4])
[    1.330134] hvc_open: request_irq failed with rc -16.
[    1.330148] Warning: unable to open an initial console.

Just drop the PATA_LEGACY driver from the x86/generic and x86_64
subtargets, since this driver is marked experimental and only supports
very old ISA devices anyway.  It is still included in the x86/legacy
subtarget where it rightfully belongs.

Fixes: FS#787

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-10-16 09:43:35 +02:00
Baptiste Jonglez
f52b404aee x86/generic: use HIGHMEM64G instead of HIGHMEM4G to fix PAE and Xen
This is a backport of 641a65fd06 in master.

This change re-enables PAE for the 32-bit x86 subtarget, which is
interesting in its own right but also necessary for Xen support.

Commit af1d1ebd ("x86: enable 4G high memory support for generic (32bit)
subtarget") inadvertently disabled both PAE and Xen support.

Fixes: FS#908

Cc: Daniel Golle <daniel@makrotopia.org>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-10-16 09:40:26 +02:00
Rafał Miłecki
8ad1b09c6d kernel: add fix for bgmac with B50212E B1 PHY
This PHY requires some extra programming to work reliably with all
devices. Backport upstream fix for it.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-10-13 14:14:45 +02:00
Felix Fietkau
c1023c8075 mt76: sync with version 878456caf6 from master
Backport required DT changes from commit dabdd123c9.
Significantly improves stability and performance for MT76x2 and MT7603

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 11:56:25 +02:00
Rafał Miłecki
baa8eaaba6 bcm53xx: backport DTS changes up to the first 4.15 queued commits
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-10-10 10:24:49 +02:00
Mathias Kresin
94aa2b8af0 ar71xx: add rssileds to WA850RE v1 image
A default rssileds config exists for the TP-Link WA850RE v1 but the
rssiled package is not included by default.

The compressed 17.01.3 image size increases by 3302 bytes which should
be tolerable even for a 4MB flash board.

Fixes: FS#1043

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-07 17:05:57 +02:00
Ryan Mounce
f67c22e0c2 toolchain/gdb: update to version 8.0.1
Fixes CVE-2017-9778.

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[reference fixed CVE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-05 21:38:54 +02:00
Felix Fietkau
067221360e cmake: fix build error with Xcode 9 on macOS 12
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Felix Fietkau
a999f91ca3 gcc: fix build error with macOS + Xcode 9
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Felix Fietkau
2ce9c84a92 build: add a darwin sitefile to deal with macOS 10.12 + Xcode 9 build errors
Certain functions are available in system headers, but only work on
macOS 10.13

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Thibaut VARENE
f9a849ca84 ramips: mt7620: do not pad sysupgrade Archer images
The current makefile unnecessarily pads sysupgrade image for Archer devices.

This has three implications:
1. higher risk of OOM when uploading the binary image to the device
2. much slower upgrade due to time wasted erasing and writing padding
3. grows image beyond available flash size if metadata are appended

This is already fixed in master, albeit in a completely different way (the
whole target have been reworked)

Fixes: FS#1025, FS#1039

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
2017-10-04 22:22:56 +02:00
Stijn Tintel
ee32de4426 LEDE v17.01.3: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:55 +03:00
Stijn Tintel
df54a8f583 LEDE v17.01.3: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:53 +03:00
Adrian Panella
d0bf257c46 uhttp: update to latest version
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
2017-10-03 13:03:27 +02:00
Karl Palsson
783465d783 odhcpd: don't enable server mode on non-static lan port
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"

This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.

Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:51:17 +02:00
Hans Dedecker
c92c1894a5 odhcpd: backport fixes from master branch (FS#402, FS#524)
336212c config: fix dhcpv4 server being started
336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:46:24 +02:00
Kevin Darbyshire-Bryant
4b4a4af814 dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-10-02 18:36:21 +02:00
Hauke Mehrtens
b8357e87d7 base-files: create /etc/config/ directory
The /bin/config_generate script and some other scripts are assuming the
/etc/config directory exists in the image. This is true in case for
example the package firewall, dropbear or dnsmasq are included, which
are adding the files under /etc/config/. Without any of these package
the system will not boot up fully because the /etc/config/ directory is
missing and some init scripts just fail.

Make sure all images with the base-files contain a /etc/config/
directory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
2017-10-01 10:52:14 +02:00
Matthias Schiffer
3350137bd3 sunxi: clean up modules definitions
Module definitions for kmod-wdt-sunxi and kmod-eeprom-sunxi are removed
(wdt-sunxi was builtin anyways; nvmem-sunxi, which is the new name of
eeprom-sunxi is changed to builtin). As kmod-eeprom-sunxi was specified
in DEFAULT_PACKAGES, but not available on kernel 4.4, it was breaking the
image builder.

Support for kmod-sunxi-ir is added for kernel 4.4 (it is unclear why it
was disable before, it builds fine with with kernel 4.4).

Condtionals only relevant for pre-4.4 kernels are removed from modules.mk,
as sunxi does't support older kernels anymore.

Fixes FS#755.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-10-01 10:04:12 +02:00
Mathias Kresin
a881323cb2 ltq-vdsl-mei: revert disable optimized firmware download
This reverts commit b428f45c06.

If the optimized firmware download is disabled, the xdsl subsystem
hangs in the "idle request" state after physically disconnecting and
reconnecting the xdsl modem from the line.

It might fix the failing line init on boot as well.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-30 20:37:33 +02:00
Hauke Mehrtens
f483a35f08 curl: fix security problems
This fixes the following security problems:
 * CVE-2017-1000100 TFTP sends more than buffer size
 * CVE-2017-1000101 URL globbing out of bounds read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 15:27:29 +02:00
Kevin Darbyshire-Bryant
e232c6754d mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-30 15:24:52 +02:00
Florian Fainelli
37e1bd27d0 generic: drop 704-phy-no-genphy-soft-reset.patch
4.4.80+ contains 71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains
6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream
commit 0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform
software reset for Generic PHY").

Our local patch is no longer needed, all this patch was doing was utilizing
gen10g_soft_reset which does nothing either, so just keep the code unchanged.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-09-30 13:58:03 +02:00
Hauke Mehrtens
720b0e2e2d kernel: update 4.4 to 4.4.89
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 13:58:00 +02:00
Mathias Kresin
b428f45c06 ltq-vdsl-mei: disable optimized firmware download
With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-28 07:22:58 +02:00