Commit Graph

38326 Commits

Author SHA1 Message Date
Paul Wassi
c4b3829348 openssl: update to 1.0.2o
Fixes CVE-2018-0739

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2018-04-01 15:21:14 +02:00
Stijn Segers
bed0ee7cbf Kernel: bump 4.4 to 4.4.124 for 17.01
* Refreshed patches
 * Removed 087-Revert-led-core-Fix-brightness-setting-when-setting-.patch (applied upstream)

 Compile-tested on ar71xx, ramips/mt7621, x86/64
 Run-tested on ar71xx

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2018-04-01 15:21:14 +02:00
Rafał Miłecki
fad29d2c3d mac80211: brcmfmac: backport commit dropping IAPP packets by default
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-03-21 09:36:39 +01:00
Felix Fietkau
60f8d388c6 kernel: merge a pending fix for HFSC warnings/slowdowns (fixes FS#1136)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-11 09:30:28 +01:00
Hauke Mehrtens
f609913b5c mbedtls: update to version 2.7.0
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures

This release is also ABI incompatible with the previous one, but it is
API compatible.

Some functions used by a lot of other software was renamed and the old
function names are provided as a static inline now, but they are only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.

Also increase the PKG_RELEASE version to force a rebuild and update of
packages depending on mbedtls to handle the changed ABI.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-03-10 18:37:04 +01:00
Stefan Lippers-Hollmann
58a95f0f8f tools/e2fsprogs: fix building on a glibc 2.27 host
The e2fsprogs host build fails on a glibc 2.27 host with

make[6]: Entering directory 'build_dir/host/e2fsprogs-1.43.7/debugfs'
        CC create_inode.o
./../misc/create_inode.c:399:18: error: conflicting types for 'copy_file_range'
 static errcode_t copy_file_range(ext2_filsys fs, int fd, ext2_file_t e2_file,
                  ^~~~~~~~~~~~~~~
In file included from ./../misc/create_inode.c:19:0:
/usr/include/unistd.h:1110:9: note: previous declaration of 'copy_file_range' was here
 ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
         ^~~~~~~~~~~~~~~

Backport upstream commit "misc: rename copy_file_range to
copy_file_chunk" 01551bdba16ab16512a01affe02ade32c41ede8a in order to
fix this.

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2018-03-10 18:37:03 +01:00
Matthias Schiffer
9bdea6a296
generic: revert broken LED core patch
At least on some devices, LEDs don't work anymore since kernel 4.4.120.
Revert the broken change.

See also: https://www.spinics.net/lists/stable/msg223656.html

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-08 22:23:57 +01:00
Matthias Schiffer
9b0a4bafbc
base-files: tune fragment queue thresholds for available system memory
The default fragment low/high thresholds are 3 and 4 MB. On devices with
only 32MB RAM, these settings may lead to OOM when many fragments that
cannot be reassembled are received. Decrease fragment low/high thresholds
to 384 and 512 kB on devices with less than 64 MB RAM.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-07 19:13:41 +01:00
Matthias Schiffer
b47094ce96
include/package-defaults.mk: fix default Build/Prepare with empty ./src
Copying ./src/* would fail when src exists, but is empty or only contains
hidden files.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-07 10:08:46 +01:00
Matthias Schiffer
75be005e8b
include/rootfs.mk: retain list of conffiles with CONFIG_CLEAN_IPKG
/usr/lib/opkg/status must not be removed completely, otherwise the
packages' conffile lists will be missing. Replace it with a reduced version
only containing the conffile entries.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-07 10:03:20 +01:00
Matthias Schiffer
696c6325a3
include/rootfs.mk: do not remove opkg prerm scripts during rootfs preparation
When a user removes a preinstalled opkg package, the package's prerm script
(and in particular our default_prerm) should run.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-07 10:03:01 +01:00
Matthias Schiffer
17c0362178
base-files: sysupgrade: do not rely on opkg to list changed conffiles
Many packages use the opkg conffiles field to list configuration files that
are to be retained on upgrades. Make this work on systems without opkg.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-03-07 10:01:14 +01:00
Stijn Segers
2ae9ebf374 kernel: bump 4.4 to 4.4.120 for 17.01
Bump the 4.4 kernel for the 17.01 release to 4.4.120. Refresh patches.

Compile-tested: ar71xx, ramips/mt7621, x86/64
Run-tested: ar71xx, x86/64

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2018-03-04 20:36:43 +01:00
Zoltan HERPAI
571d3def6b x86: add preinit hook to reload microcode
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2018-03-04 17:37:15 +01:00
Zoltan HERPAI
681aaaf719 firmware: add microcode package for Intel
Compiling the Intel microcode package results in a
microcode.bin and a microcode-64.bin. As we can
decide based on the subtarget which should be used,
we'll only split the required .bin file with
iucode-tool.

x64 will get the intel-microcode-64.bin
All other variants will get intel-microcode.bin

The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2018-03-04 17:37:15 +01:00
Zoltan HERPAI
c6314ee06f firmware: add microcode package for AMD
Use the Debian repository for sourcing the ucode files.

Current (20171205) includes support for fam17h CPUs already.

The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2018-03-04 17:37:15 +01:00
Zoltan HERPAI
222521d593 tools: add iucode-tool
Add tool to "compile" Intel microcode files. The tool will be
compiled for host (to split the microcode.dat) and for target
(to forcibly reload the microcode if required).

Instead of using the large microcode.bin/microcode-64.bin, the
splitted ucode files (separate for CPU families) will be
installed.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2018-03-04 17:37:15 +01:00
Zoltan HERPAI
f7a6b6724a x86: enable microcode loading for Intel and AMD
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2018-03-04 17:37:15 +01:00
Hans Dedecker
dfe620cb93 odhcpd: fix interop with wide DHCPv6 client (FS#1377)
aedc154 dhcpv6-ia: don't always send reconf accept option (FS#1377)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-02 16:36:53 +01:00
Rafał Miłecki
18c999a6ff base-files: fix off-by-one in counting seconds for factory reset
There was a mismatch between indicating factory reset and code actually
starting it. After 5 seconds status LED started blinking rapidly letting
user know it's ready to release reset button. In practice button had to
stay pressed for another second in order to relly start the process.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-03-01 08:06:00 +01:00
Matteo Scordino
92ea65b36a sunxi: disable LPAE to allow kernel to run on A13
Fixes issue FS#1355.
LPAE extensions are enabled, but the A13 does not support them.
The result is the boot process stopping at "Starting kernel ..."

Fixes: 468735c3a2 ("target: sunxi: enable kvm support")
Signed-off-by: Matteo Scordino <matteo.scordino@gmail.com>
2018-02-27 19:38:12 +01:00
Rafał Miłecki
7dcbe0e22d bcm53xx: fix fallback code for picking status LED
Looking for a wrong LED file name was stopping this code from find any
LED. This affects devices with only a red/amber power LED.

Fixes: 3aaee1ba02 ("bcm53xx: failsafe support")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-02-27 17:01:48 +01:00
Rafał Miłecki
4db583b9c2 mountd: update to the latest version from 2018-02-26
This significantly improves mountd stability & reliability by:
1) Sending hotplug.d event when appropriate
2) Properly unmounting
3) Handling corner cases when unmounting fails
4) Improving log messages

5f2c419 mount: drop duplicated includes
aaf2743 mount: call hotplug-call with ACTION=remove before trying to unmount
97da4ed mount: try lazy unmount if normal one fails
1b62489 mount: create not working symlink when unmounting fails
e77dc6d mount: reorder deleting code in the mount_enum_drives()
76766ae mount: rename tmp variables in the mount_add_list()
04b897f mount: drop duplicated rmdir() call from the mount_enum_drives()
a27ea3f mount: drop duplicated unlink() call from the mount_dev_del()
bf7cc33 mount: fix/improve unmounting log messages
36f9197 mount: fix removing mount point if it's expired
ed4270f mount: struct mount: replace "mounted" and "ignore" fileds with a "status"
1af9ca2 mount: change mount_dev_del() argument to struct mount *
7c8fea8 mount: rename /proc/mount parser to mount_update_mount_list()
7aadd1c mount: improve handling mounts table size

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-02-26 11:49:29 +01:00
Matthias Schiffer
01d7a5d7de
perf: restrict libunwind dependency to archs that actually support libunwind
Allow building perf on uncommon targets again.

Depending on the kernel version, not all of these archs will actually use
libunwind in perf. Still, it seems simpler and less error-prone to use the
same list that is defined in the libunwind package.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-02-25 17:07:32 +01:00
Matthias Schiffer
b345cc2489
libunwind: fix build with musl on PPC
Works around two incompatiblities between glibc and (POSIX-compliant) musl:

- missing register definitions from asm/ptrace.h
- non-POSIX-compliant ucontext_t on PPC32 with glibc

Compile tested on mpc85xx.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-02-25 17:05:15 +01:00
Koen Vandeputte
788312ca59 uqmi: ensure CID is a numeric value before proceeding
The current implementation only checked if uqmi itself executed
correctly which is also the case when the returned value is actually
an error.

Rework this, checking that CID is a numeric value, which can only
be true if uqmi itself also executed correctly.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-20 10:50:37 +01:00
Stijn Segers
b934aa2f21 kernel: update 17.01 kernel to 4.4.116
This bumps the 4.4. kernel in LEDE 17.01 to 4.4.116.
More Meltdown & Spectre mitigation.

* Refresh patches.
* Refresh x86/config for RETPOLINE.
* Deleted 8049-PCI-layerscape-Add-fsl-ls2085a-pcie-compatible-ID.patch (accepted upstream)
* Deleted 8050-PCI-layerscape-Fix-MSG-TLP-drop-setting.patch (accepted upstream)
* 650-pppoe_header_pad.patch does not apply anymore (code was replaced).

Bumps from 4.4.113 to 4.4.115 were handled by Kevin Darbyshire-Bryant.

Compile-tested on: ar71xx, ramips/mt7621, x86/64
Run-tested on: ar71xx, ramips/mt7621, x86/64

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2018-02-20 08:34:14 +01:00
Koen Vandeputte
b3b16c8ce5 uqmi: use built-in command for data-link verification
uqmi contains a command for directly querying the modem if there
is a valid data connection, so let's use it.

This avoids the cases were all previous tests are succesful, but the
actual data link is not up for some reasons, leading to states were we
thought the link was up when it actually wasn't ..

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:35:01 +01:00
Koen Vandeputte
e9eb219e5a uqmi: use correct value for connection checking
Originally, the implementation only checked if uqmi command
execution succeeded properly without actually checking it's returned data.

This lead to a pass, even when the returned data was indicating an error.

Rework the verification to actually check the returned data,
which can only be correct if the uqmi command itself also executed correctly.

On command execution success, value "pdh_" is a pure numeric value.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:34:32 +01:00
Koen Vandeputte
5661ac1de4 uqmi: use general method for state cleaning
Debugging shows that using the general method properly cleans on each
run, while the method specifying the client-ID shows "No effect"
even while in connected state.

Fixes several connectivity issues seen on specific modems.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:34:32 +01:00
Koen Vandeputte
7c259fb980 uqmi: silence error on pin verification
If a device only supports the 2nd verification method (uim),
the first method will fail as expected reporting an error:

"Command not supported"

Silence both separate methods and only report an error regarding
pin verification if both fail.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:34:32 +01:00
Koen Vandeputte
046222dfaf uqmi: fix raw-ip mode for newer lte modems
Some newer LTE modems, like the MC7455 or EC25-E do not support
"802.3" mode, and will stay in "raw-ip" regardless of the mode being
set.

In this case, the driver must be informed that it should handle all
packets in raw mode. [1]

This commit fixes connectivity issues for these devices.

Before:

[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending discover
udhcpc: sending discover

After:

[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending select for 100.66.245.226
udhcpc: lease of 100.66.245.226 obtained, lease time 7200
udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast
+
udhcpc: setting default routers: 100.66.245.225

[1] https://lists.freedesktop.org/archives/libqmi-
devel/2017-January/002064.html

Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[bumped PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-18 09:34:32 +01:00
Alexandru Ardelean
0393009ec8 net: uqmi: fix blocking in endless loops when unplugging device
If you unplug a QMI device, the /dev/cdc-wdmX device
disappears but uqmi will continue to poll it endlessly.

Then, when you plug it back, you have 2 uqmi processes,
and that's bad, because 2 processes talking QMI to the
same device [and the same time] doesn't seem to work well.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2018-02-18 09:34:32 +01:00
Koen Vandeputte
31ae7381b8 kernel: refresh patches
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:34:32 +01:00
Koen Vandeputte
3b227103e6 kernel: backport raw-ip mode for newer QMI LTE modems
Backport support for raw-ip mode including all known fixes afterwards.

Newer LTE modems only tend to support this mode, which was only
introduced in kernel 4.5.

Also backport support for the Quectel EC2x LTE modem series which is
a very popular device.

No custom changes were needed in order to apply these patches.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-18 09:34:32 +01:00
Daniel Golle
f60be72077 base-files: don't evaluate block-device uevent
Backport commits fixing the detection of GPT partition names during
preinit and sysupgrade, closing a shell-injection vulnerability.

da52dd0c83 ("base-files: quote values when evaluating uevent")
267873ac9b ("base-files: don't evaluate block-device uevent")

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-02-15 14:39:47 +01:00
Jo-Philipp Wich
623cdc4ffe ramips: backport mt7530/762x switch fixes
dc7a1e8555 ("ramips: fix reporting effective VLAN ID on MT7621 switches")
341b1427fc ("ramips: properly map pvid for vlans with remapped vid on mt7530/762x switches")
bb4002c79d ("ramips: don't clobber vlans with remapped vid on mt7530/762x switches")

Fixes FS#991, FS#1147, FS#1341

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-15 10:48:02 +01:00
Maxim Gorbachyov
b15d54e659 perf: use libunwind
Without libunwind perf does not show userspace stack frames.
Tested on mvebu.

Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
2018-02-13 12:37:52 +01:00
Maxim Gorbachyov
566ff9e6ee libunwind: enable build for arm
Tested with perf on mvebu.

Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
2018-02-13 12:37:52 +01:00
David Bauer
2e26bdfeca
ar71xx: remove bs-partition ro-flag for UniFi AC
This removes the read-only flag from the bs (bootselect) partition
on UniFi AC devices. This allows to correct the indicator from which
partition the device is booting its kernel from.

See also:
 - https://github.com/freifunk-gluon/gluon/issues/1301
 - https://bugs.lede-project.org/index.php?do=details&task_id=662

Signed-off-by: David Bauer <mail@david-bauer.net>
2018-02-11 19:07:43 +01:00
Hans Dedecker
28483d4ab2 procd: update to latest git HEAD
9a4036f trace: add missing limits.h include

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-09 09:22:45 +01:00
Matthias Schiffer
b1205a9211
ar71xx: /lib/ar71xx.sh: add model detection for TP-Link TL-WR810N
Properly report the revision in /tmp/sysinfo/model.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-02-03 14:14:35 +01:00
Yousong Zhou
fbeae9d891 iptables: make kmod-ipt-debug part of default ALL build
The iptables TRACE target is only available in raw table that's why the
dependency was moved from iptables-mod-trace into kmod-ipt-debug

Fixes FS#1219

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-26 15:37:28 +08:00
Martin Wetterwald
6ea9a702c5 iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
                  and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
2018-01-26 15:32:46 +08:00
Darren Tucker
00fa1e4108 curl: fix libcurl/mbedtls async interface
When using mbedtls, curl's nonblocking interface will report a request
as done immediately after the socket is written to and never read from
the connection.  This will result in a HTTP status code of 0 and zero
length replies.  Cherry-pick the patch from curl 7.53.0 to fix this
(https://github.com/curl/curl/commit/b993d2cc).

Fixes https://bugs.openwrt.org/index.php?do=details&task_id=1285.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>
2018-01-24 09:25:32 +01:00
Kevin Darbyshire-Bryant
d5278cc48b kernel: bump 4.4 to 4.4.112 for 17.01
Refresh patches.
Remove upstreamed patches:

target/linux/generic/patches-4.4/030-2-smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
target/linux/generic/patches-4.4/030-3-cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skb.patch
target/linux/generic/patches-4.4/030-4-sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch
target/linux/generic/patches-4.4/030-5-lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch

CVEs completely or partially addressed:

CVE-2017-5715
CVE-2017-5753
CVE-2017-17741
CVE-2017-1000410

Compile-tested: ar71xx Archer C7 v2
Run-tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-22 08:49:06 +01:00
Kevin Darbyshire-Bryant
2ae0741f3b dnsmasq: backport validation fix in dnssec security fix
A DNSSEC validation error was introduced in the fix for CVE-2017-15107

Backport the upstream fix to the fix (a simple typo)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(backported from commit adaf1cbcc8)
2018-01-20 14:25:52 +01:00
Kevin Darbyshire-Bryant
58d60bd283 dnsmasq: backport dnssec security fix for 17.01
CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org  and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-19 22:04:15 +01:00
Hans Dedecker
d626aa005b mountd: bump to git HEAD version
c54e5c6 mount: check if block was mounted before cleaning it up
e31565a mount: remove directory if mounting fails
0f4f20b mount: call hotplug mount scripts only on success

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-17 13:58:36 +01:00
Kevin Darbyshire-Bryant
f0336975be kernel: bump 4.4 to 4.4.111 for 17.01
Refresh patches

Tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-17 10:35:08 +01:00