CAKE made it to kernel 4.19 and since OpenWrt now at kernel 4.19 we can
drop the out of tree cake package in base repository.
Add kmod-sched-cake to netsupport so package dependencies are still met.
Similarly CAKE is retained as an optional qdisc module to avoid base
scheduler package size implications.
Backport upstream patches from k5.1 to address some small bugs and
support fwmark usage.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This patch backports verbatim the commit from Linux 5.2-rc7 that fixes
the warnings about invalid lpm related parameters on hardware which
don't that.
This is the case for e.g. lantiq xrx200 targets.
Supported only in Linux 4.17 an later.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[refresh patches, fix commit title]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Refreshed all patches.
Fixes:
- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477
Also fix a malformed patch issue caught during refresh.
It was caused by removing a whitespace without altering
the index values in a patch which alters a patch.
Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx
Fixes: cf65262492 ("kernel: bump 4.19 to 4.19.51")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Refreshed all patches.
Altered patches:
- 370-netfilter-nf_flow_table-fix-offloaded-connection-tim.patch
- 220-optimize_inlining.patch
- 640-netfilter-nf_flow_table-add-hardware-offload-support.patch
This patch also restores the initial implementation
of the ath79 perfcount IRQ issue. (78ee6b1a40)
It was wrongfully backported upstream initially and got reverted now.
Compile-tested on: cns3xxx, imx6
Runtime-tested on: cns3xxx, imx6
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
ctinfo is a new tc filter action module. It is designed to restore
information contained in firewall conntrack marks to other packet fields
and is typically used on packet ingress paths. At present it has two
independent sub-functions or operating modes, DSCP restoration mode &
skb mark restoration mode.
The DSCP restore mode:
This mode copies DSCP values that have been placed in the firewall
conntrack mark back into the IPv4/v6 diffserv fields of relevant
packets.
The DSCP restoration is intended for use and has been found useful for
restoring ingress classifications based on egress classifications across
links that bleach or otherwise change DSCP, typically home ISP Internet
links. Restoring DSCP on ingress on the WAN link allows qdiscs such as
but by no means limited to CAKE to shape inbound packets according to
policies that are easier to set & mark on egress.
Ingress classification is traditionally a challenging task since
iptables rules haven't yet run and tc filter/eBPF programs are pre-NAT
lookups, hence are unable to see internal IPv4 addresses as used on the
typical home masquerading gateway. Thus marking the connection in some
manner on egress for later restoration of classification on ingress is
easier to implement.
Parameters related to DSCP restore mode:
dscpmask - a 32 bit mask of 6 contiguous bits and indicate bits of the
conntrack mark field contain the DSCP value to be restored.
statemask - a 32 bit mask of (usually) 1 bit length, outside the area
specified by dscpmask. This represents a conditional operation flag
whereby the DSCP is only restored if the flag is set. This is useful to
implement a 'one shot' iptables based classification where the
'complicated' iptables rules are only run once to classify the
connection on initial (egress) packet and subsequent packets are all
marked/restored with the same DSCP. A mask of zero disables the
conditional behaviour ie. the conntrack mark DSCP bits are always
restored to the ip diffserv field (assuming the conntrack entry is found
& the skb is an ipv4/ipv6 type)
e.g. dscpmask 0xfc000000 statemask 0x01000000
|----0xFC----conntrack mark----000000---|
| Bits 31-26 | bit 25 | bit24 |~~~ Bit 0|
| DSCP | unused | flag |unused |
|-----------------------0x01---000000---|
| |
| |
---| Conditional flag
v only restore if set
|-ip diffserv-|
| 6 bits |
|-------------|
The skb mark restore mode (cpmark):
This mode copies the firewall conntrack mark to the skb's mark field.
It is completely the functional equivalent of the existing act_connmark
action with the additional feature of being able to apply a mask to the
restored value.
Parameters related to skb mark restore mode:
mask - a 32 bit mask applied to the firewall conntrack mark to mask out
bits unwanted for restoration. This can be useful where the conntrack
mark is being used for different purposes by different applications. If
not specified and by default the whole mark field is copied (i.e.
default mask of 0xffffffff)
e.g. mask 0x00ffffff to mask out the top 8 bits being used by the
aforementioned DSCP restore mode.
|----0x00----conntrack mark----ffffff---|
| Bits 31-24 | |
| DSCP & flag| some value here |
|---------------------------------------|
|
|
v
|------------skb mark-------------------|
| | |
| zeroed | |
|---------------------------------------|
Overall parameters:
zone - conntrack zone
control - action related control (reclassify | pipe | drop | continue |
ok | goto chain <CHAIN_INDEX>)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Make suitable adjustments for backporting to 4.14 & 4.19
and add to SCHED_MODULES_FILTER
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This reverts commit 7c50182e0c.
Produces build error:
Package kmod-sched is missing dependencies for the following libraries:
nf_conntrack.ko
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
ctinfo is a new tc filter action module. It is designed to restore
information contained in firewall conntrack marks to other packet fields
and is typically used on packet ingress paths. At present it has two
independent sub-functions or operating modes, DSCP restoration mode &
skb mark restoration mode.
The DSCP restore mode:
This mode copies DSCP values that have been placed in the firewall
conntrack mark back into the IPv4/v6 diffserv fields of relevant
packets.
The DSCP restoration is intended for use and has been found useful for
restoring ingress classifications based on egress classifications across
links that bleach or otherwise change DSCP, typically home ISP Internet
links. Restoring DSCP on ingress on the WAN link allows qdiscs such as
but by no means limited to CAKE to shape inbound packets according to
policies that are easier to set & mark on egress.
Ingress classification is traditionally a challenging task since
iptables rules haven't yet run and tc filter/eBPF programs are pre-NAT
lookups, hence are unable to see internal IPv4 addresses as used on the
typical home masquerading gateway. Thus marking the connection in some
manner on egress for later restoration of classification on ingress is
easier to implement.
Parameters related to DSCP restore mode:
dscpmask - a 32 bit mask of 6 contiguous bits and indicate bits of the
conntrack mark field contain the DSCP value to be restored.
statemask - a 32 bit mask of (usually) 1 bit length, outside the area
specified by dscpmask. This represents a conditional operation flag
whereby the DSCP is only restored if the flag is set. This is useful to
implement a 'one shot' iptables based classification where the
'complicated' iptables rules are only run once to classify the
connection on initial (egress) packet and subsequent packets are all
marked/restored with the same DSCP. A mask of zero disables the
conditional behaviour ie. the conntrack mark DSCP bits are always
restored to the ip diffserv field (assuming the conntrack entry is found
& the skb is an ipv4/ipv6 type)
e.g. dscpmask 0xfc000000 statemask 0x01000000
|----0xFC----conntrack mark----000000---|
| Bits 31-26 | bit 25 | bit24 |~~~ Bit 0|
| DSCP | unused | flag |unused |
|-----------------------0x01---000000---|
| |
| |
---| Conditional flag
v only restore if set
|-ip diffserv-|
| 6 bits |
|-------------|
The skb mark restore mode (cpmark):
This mode copies the firewall conntrack mark to the skb's mark field.
It is completely the functional equivalent of the existing act_connmark
action with the additional feature of being able to apply a mask to the
restored value.
Parameters related to skb mark restore mode:
mask - a 32 bit mask applied to the firewall conntrack mark to mask out
bits unwanted for restoration. This can be useful where the conntrack
mark is being used for different purposes by different applications. If
not specified and by default the whole mark field is copied (i.e.
default mask of 0xffffffff)
e.g. mask 0x00ffffff to mask out the top 8 bits being used by the
aforementioned DSCP restore mode.
|----0x00----conntrack mark----ffffff---|
| Bits 31-24 | |
| DSCP & flag| some value here |
|---------------------------------------|
|
|
v
|------------skb mark-------------------|
| | |
| zeroed | |
|---------------------------------------|
Overall parameters:
zone - conntrack zone
control - action related control (reclassify | pipe | drop | continue |
ok | goto chain <CHAIN_INDEX>)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Make suitable adjustments for backporting to 4.14 & 4.19
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This patch backports verbatim the commits from Linux 5.0 and 5.1
that implemented support for GigaDevice SPI NAND A and E variants.
Supported only in Linux 4.19 and later as based on the upstream
drivers/mtd/nand/spi/ framework.
mtd-spinand-add-support-for-GigaDevice-GD5FxGQ4xA.patch
commit c93c613214ac (5.0)
mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UExxG.patch
commit c40c7a990a46 (5.1)
Run-tested-on: GL.iNet AR750S
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Please note that modified code isn't currently being compiled with
kernels 4.19+ due to the dropped CONFIG_NF_CONNTRACK_IPV6 in upstream
Linux. That requires a separated fix.
This fixes:
net/netfilter/nf_conntrack_rtcache.c: In function 'nf_rtcache_get_cookie':
net/netfilter/nf_conntrack_rtcache.c:82:11: error: 'const struct rt6_info' has no member named 'rt6i_node'; did you mean 'rt6i_idev'?
if (rt->rt6i_node)
^~~~~~~~~
rt6i_idev
IPv6 structs were reworked in upstream kernel by:
commit a64efe142f5e ("net/ipv6: introduce fib6_info struct and helpers")
commit 77634cc67dc1 ("net/ipv6: Remove unused code and variables for rt6_info")
commit 93c2fb253d17 ("net/ipv6: Rename fib6_info struct elements")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The PCIe DWC host controller is now using MSI
(Message-signaled-interrupts) by default.
While ath9k itself does support MSI here, a lot of wlan adapters do not.
Avoid non-functioning cards by simply continue to disable MSI for now.
This can be done by appending "pci=nomsi" to the boot cmdline.
Also an extra fix needs to be backported which avoids MSI initialization
which prevented legacy IRQ's init from taking over.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Andrey has reported on OpenWrt's bug tracking system[1], that he
currently can't use ar93xx_uart as pure serial UART without console
(CONFIG_SERIAL_8250_CONSOLE and CONFIG_SERIAL_AR933X_CONSOLE undefined),
because compilation ends with following error:
ar933x_uart.c: In function 'ar933x_uart_console_write':
ar933x_uart.c:550:14: error: 'struct uart_port' has no
member named 'sysrq'
1. https://bugs.openwrt.org/index.php?do=details&task_id=2152
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This fixes a possible unbalanced dev_hold():
> iw dev bar del
[ 237.355366] unregister_netdevice: waiting for bar to become free. Usage count = 1
[ 247.435362] unregister_netdevice: waiting for bar to become free. Usage count = 1
[ 257.545366] unregister_netdevice: waiting for bar to become free. Usage count = 1
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
upstream commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
reimplemented cns3xxx_pci_read_config() using pci_generic_config_read32(),
which preserved the property of only doing 32-bit reads.
It also replaced cns3xxx_pci_write_config() with pci_generic_config_write(),
so it changed writes from always being 32 bits to being the actual size,
which works just fine.
Due to:
- The documentation does not mention that only 32 bit access is allowed.
- Writes are already executed using the actual size
- Extensive testing shows that 8b, 16b and 32b reads work as intended
It makes perfectly sense to also swap 32 bit reading in favor of actual size.
also backport this patch to kernel 4.19
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
This patch replaces the current hack with a better
version of the RFC patch has been accepted upstream.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Backport upstream patch:
Commit 65cab850f0ee ("net: Allow class-e address assignment via ifconfig
ioctl") modified the IN_BADCLASS macro a bit, but unfortunatly one too
many '(' characters were added to the line, making any code that used
it, not build properly.
Also, the macro now compares an unsigned with a signed value, which
isn't ok, so fix that up by making both types match properly.
Reported-by: Christopher Ferris <cferris@google.com>
Fixes: 65cab850f0ee ("net: Allow class-e address assignment via ifconfig ioctl")
Cc: Dave Taht <dave.taht@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This patch applies cleanly, so it doesn't cause errors while rebasing
patches. It results in redifinition of inode_still_linked, causing build
to fail when ubifs is enabled. Drop the patch.
Fixes: a37098a2d0 ("kernel: bump 4.19 to 4.19.16")
Reported-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Backport https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3
"Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.
Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().
This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.
A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.
Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")"
Without patch:
cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1823 /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1823 /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1823 /bin/busybox
77ec8000-77eed000 r-xp 00000000 1f:03 2296 /lib/libgcc_s.so.1
77eed000-77eee000 rwxp 00015000 1f:03 2296 /lib/libgcc_s.so.1
77eee000-77f81000 r-xp 00000000 1f:03 2470 /lib/libc.so
77f90000-77f92000 rwxp 00092000 1f:03 2470 /lib/libc.so
77f92000-77f94000 rwxp 00000000 00:00 0
7f946000-7f967000 rw-p 00000000 00:00 0 [stack]
7fefb000-7fefc000 rwxp 00000000 00:00 0
7ffac000-7ffad000 r--p 00000000 00:00 0 [vvar]
7ffad000-7ffae000 r-xp 00000000 00:00 0 [vdso]
Patch applied:
cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1825 /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1825 /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1825 /bin/busybox
77ed0000-77ef5000 r-xp 00000000 1f:03 2298 /lib/libgcc_s.so.1
77ef5000-77ef6000 rwxp 00015000 1f:03 2298 /lib/libgcc_s.so.1
77ef6000-77f89000 r-xp 00000000 1f:03 2474 /lib/libc.so
77f98000-77f9a000 rwxp 00092000 1f:03 2474 /lib/libc.so
77f9a000-77f9c000 rwxp 00000000 00:00 0
7fbed000-7fc0e000 rw-p 00000000 00:00 0 [stack]
7fefb000-7fefc000 r-xp 00000000 00:00 0
7fff6000-7fff7000 r--p 00000000 00:00 0 [vvar]
7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso]
Note lack of write permission to 7fefb000-7fefc000
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Originally, cns3xxx used it's own functions for mapping, reading and writing registers.
Upstream commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
removed the internal PCI config write function in favor of the generic one:
cns3xxx_pci_write_config() --> pci_generic_config_write()
cns3xxx_pci_write_config() expected aligned addresses, being produced by cns3xxx_pci_map_bus()
while the generic one pci_generic_config_write() actually expects the real address
as both the function and hardware are capable of byte-aligned writes.
This currently leads to pci_generic_config_write() writing
to the wrong registers on some ocasions.
First issue seen due to this:
- driver ath9k gets loaded
- The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER, located at 0x0D
- cns3xxx_pci_map_bus() aligns the address to 0x0C
- pci_generic_config_write() effectively writes 0xA8 into register 0x0C (CACHE_LINE_SIZE)
This seems to cause some slight instability when certain PCI devices are used.
Another issue example caused by this this is the PCI bus numbering,
where the primary bus is higher than the secondary, which is impossible.
Before:
00:00.0 PCI bridge: Cavium, Inc. Device 3400 (rev 01) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 255
Bus: primary=02, secondary=01, subordinate=ff, sec-latency=0
After fix:
00:00.0 PCI bridge: Cavium, Inc. Device 3400 (rev 01) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 255
Bus: primary=00, secondary=01, subordinate=02, sec-latency=0
And very likely some more ..
Fix all by omitting the alignment being done in the mapping function.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Backort upstream patch which preserves oif of IPv6 link scoped packets.
The outgoing interface of IPv6 link scope packets can be changed by the
function ip6_route_me_harder. This is unwanted behavior for link local
packets and multicast packets as the outgoing interface is fixed and must
not be altered as it can break neighbor discovery and multicast listener
discovery.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Backport net: Allow class-e address assignment via ifconfig ioctl
While most distributions long ago switched to the iproute2 suite
of utilities, which allow class-e (240.0.0.0/4) address assignment,
distributions relying on busybox, toybox and other forms of
ifconfig cannot assign class-e addresses without this kernel patch.
While CIDR has been obsolete for 2 decades, and a survey of all the
open source code in the world shows the IN_whatever macros are also
obsolete... rather than obsolete CIDR from this ioctl entirely, this
patch merely enables class-e assignment, sanely.
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=65cab850f0eeaa9180bd2e10a231964f33743edf
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Disable Marvell's hardware level MAC learning because it breaks station roaming.
When enabled it drops all frames that arrive from a MAC address
that is on a different port at learning table.
Problem description:
Multiple APs with inter-AP roaming connected to different ports,
when station moves from one AP on one port to another AP on another port,
traffic flow breaks down because the learning table is not updated.
Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com>
[Replaced with upstream version, move to generic]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This makes the patches which were just copied in the previous commit
apply on top of kernel 4.19.
The patches in the backports-4.19 folder were checked if they are really
in kernel 4.19 based on the title and only removed if they were found in
the upstream kernel.
The following additional patches form the pending folder went into
upstream Linux 4.19:
pending-4.19/171-usb-dwc2-Fix-inefficient-copy-of-unaligned-buffers.patch
pending-4.19/190-2-5-e1000e-Fix-wrong-comment-related-to-link-detection.patch
pending-4.19/478-mtd-spi-nor-Add-support-for-XM25QH64A-and-XM25QH128A.patch
pending-4.19/479-mtd-spi-nor-add-eon-en25qh32.patch
pending-4.19/950-tty-serial-exar-generalize-rs485-setup.patch
pending-4.19/340-MIPS-mm-remove-mips_dma_mapping_error.patch
Bigger changes were introduced to the m25p80 spi nor driver, as far as I
saw it in the new code, it now has the functionality provided in this
patch:
pending-4.19/450-mtd-m25p80-allow-fallback-from-spi_flash_read-to-reg.patch
Part of this patch went upstream independent of OpenWrt:
hack-4.19/220-gc_sections.patch
This patch was reworked to match the changes done upstream.
The MIPS DMA API changed a lot, this patch was rewritten to match the
new DMA handling:
pending-4.19/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch
I did bigger manual changes to the following patches and I am not 100% sure if they are all correct:
pending-4.19/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch
pending-4.19/411-mtd-partial_eraseblock_write.patch
pending-4.19/600-netfilter_conntrack_flush.patch
pending-4.19/611-netfilter_match_bypass_default_table.patch
pending-4.19/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
hack-4.19/211-host_tools_portability.patch
hack-4.19/221-module_exports.patch
hack-4.19/321-powerpc_crtsavres_prereq.patch
hack-4.19/902-debloat_proc.patch
This is based on patchset from Marko Ratkaj <marko.ratkaj@sartura.hr>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This just copies the files from the kernel 4.14 specific folders into
the kernel 4.19 specific folder, no changes are done to the files in
this commit.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>