link: https://lore.kernel.org/all/2024091842-CVE-2024-46760-1eb3@gregkh
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: usb: schedule rx work after everything is set up
Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.
The stack trace looks like this:
rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe
So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.
Fix this by moving the first usb_submit_urb after everything
is set up.
For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.
The Linux kernel CVE team has assigned CVE-2024-46760 to this issue.
Affected and fixed versions
===========================
Fixed in 6.6.51 with commit c83d464b82a8
Fixed in 6.10.10 with commit 25eaef533bf3
Fixed in 6.11 with commit adc539784c98
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46760
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/realtek/rtw88/usb.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c83d464b82a8ad62ec9077637f75d73fe955635ahttps://git.kernel.org/stable/c/25eaef533bf3ccc6fee5067aac16f41f280e343ehttps://git.kernel.org/stable/c/adc539784c98a7cc602cbf557debfc2e7b9be8b3
Signed-off-by: Antonio Flores <antflores627@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16420
Signed-off-by: Robert Marko <robimarko@gmail.com>
Specification is similar to other devices of the MT Stuart series:
* Mediatek MT7988D (3x Cortex-A73, up to 1.8 GHz clock speed)
* 8 GiB eMMC
* 2 GiB DDR4 RAM
* 2500M/1000M/100M LAN port
* 10000M/5000M/2500M/1000M/100M/10M WAN port
* MT7992 Tri-band (2.4G, 5G, 6G) 2T2R+3T3R+3T3R 802.11be Wi-Fi
* Renesas DA14531MOD Bluetooth
* 2 buttons (Reset, Mesh/WPS)
* uC-controlled RGB LED via I2C
* 2x LED for the 2.5G port, 3x LED for the 10G port
* 3.3V-level 115200 baud UART console via 4-pin Dupont connector
exposed at the bottom of the device
* USB-C PD power input
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
850cc271083d qosify: add support for keeping stats
1501e0935175 bpf_skb_utils.h: add missing include to fix build against newer kernel headers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The previous host installation fix accidentally moved the rpath settings
out of CMAKE_HOST_OPTIONS and into CMAKE_OPTIONS.
Fixes: ae42ecaad4 ("ucode: fix host installation")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit adds support for netis N6 WiFi 6 router.
Specification
-------------
- SoC : MediaTek MT7621AT, MIPS, 880 MHz
- RAM : 256 MiB
- Flash : NAND 128 MiB (ESMT PSU1GA30DT)
- WLAN : MT7905DAN + MT7975DN
- 2.4 GHz : b/g/n/ax, 574 Mbps, MIMO 2x2
- 5 GHz : a/n/ac/ax, 1201 Mbps, MIMO 2x2
- Ethernet : 10/100/1000 Mbps x5 (1x WAN, 4x LAN)
- USB : 1x 3.0
- UART : 3.3V, 115200n8
- Buttons : 1x Reset
1x WPS
- LEDs : 1x Power (green)
1x System (green)
1x WAN (green)
1x WiFi 2.4 GHz (green), controlled by phy
1x WiFi 5 GHz (green), controlled by phy
1x WPS (green)
1x USB (green)
5x ethernet leds (green), controlled by switch
- Power : 12 VDC, 1.5 A
Installation
------------
1. Update the router using stock firmware web interface and OpenWrt
factory.bin image.
Recovery and return to stock
----------------------------
1. Assign your PC a static IP 192.168.1.2 and connect to the router using
the ethernet cable;
2. Power off the router;
3. Press Reset button, power on the router and wait until ethernet led
start blinking;
4. Release the button;
5. Open http://192.168.1.1/ (N6 System Recovery Mode) in your browser;
6. Upload OpenWrt factory.bin (or stock firmware *.bin) image and proceed
with upgrade.
MAC addresses
-------------
+---------+-------------------+
| | MAC example |
+---------+-------------------+
| LAN | dc:xx:xx:49:xx:04 |
| WAN | dc:xx:xx:49:xx:05 |
| WLAN 2g | dc:xx:xx:19:xx:06 |
| WLAN 5g | dc:xx:xx:79:xx:06 |
+---------+-------------------+
The WLAN MAC prototype was found in 'Factory', 0x4
The LAN MAC was found in 'Factory', 0x7ef20
The WAN MAC was found in 'Factory', 0x7ef26
Known issue
-----------
2.4 GHz WLAN doesn't start with mt76 driver.
Probable reason:
Original Netis N6 EEPROM contains wrong MT_EE_WIFI_CONF value (0xd2).
Other routers with the same WLAN hardware (e.g., Routerich AX1800)
have MT_EE_WIFI_CONF = 0x92.
Workaround (already included in this commit):
Extract EEPROM to a file at the first time boot and change
MT_EE_WIFI_CONF (offset 0x190) value from 0xd2 to 0x92. See
/etc/hotplug.d/firmware/11-mt76-caldata for details.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16322
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
bcc091d session: Fix crash when the UCI option 'password' or 'username' is missing
9f4b86e rpcd: iwinfo: add IEEE 802.11be support
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add support for 802.11be (HE) radios.
4b7c47c iwinfo: sync with upstream nl80211.h
268a662 iwinfo: add basic IEEE 802.11be support
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The busybox built with mips16 enabled has broken seq command.
Disassembling shows that the call to hard-float strtod in mips16
code is generated without the __call_stub_fp:
```
0x00406d6f <+118>: lw v0,32(sp)
0x00406d71 <+120>: sll s0,2
0x00406d73 <+122>: addu s0,v0,s0
0x00406d75 <+124>: lw a0,-4(s0)
0x00406d79 <+128>: jal 0x44ebc1 <strtod@mips16plt>
0x00406d7d <+132>: addiu a1,sp,84
0x00406d7f <+134>: sw v0,64(sp)
0x00406d81 <+136>: lw v0,0(s1)
0x00406d83 <+138>: sw v1,68(sp)
```
As a result, strtod returns the result in float point registers
while the calling mips16 code expect the result in v0/v1.
Disable mips16 on hard-float targets for now. The built .ipk goes
from 213316 bytes to 251419 bytes.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Remove upstreamed from 2.11 release:
060-nl80211-fix-crash-when-adding-an-interface-fails.patch
Rebase all other patches
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Release 2.11 has been quite a few new features and fixes since the 2.10
release. The following ChangeLog entries highlight some of the main
changes:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
...and many more
Remove upstreamed patches:
023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
040-mesh-allow-processing-authentication-frames-in-block.patch
181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
210-build-de-duplicate-_DIRS-before-calling-mkdir.patch
253-qos_map_set_without_interworking.patch
751-qos_map_ignore_when_unsupported.patch
800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
Other patches has been updated.
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Specifications:
- Device: DNA Valokuitu Plus EX400
- SoC: MT7621A
- Flash: 256MB NAND
- RAM: 256MB
- Ethernet: Built-in, 2 x 1GbE
- Wifi: MT7603 2.4 GHz, MT7615 5 GHz (4x internal antennas)
- USB: 1x 3.0
- LED: 1x green/red, 1x green
- Buttons: Reset
MAC addresses:
- LAN: u-boot 'ethaddr' (label)
- WAN: label + 1
- 2.4 GHz: label + 6
- 5 GHz: label + 7
Serial:
There is a black block connector next to the red ethernet connector. It
is accessible also through holes in the casing.
Pinout (TTL 3.3V)
+---+---+
|Tx |Rx |
+---+---+
|Vcc|Gnd|
+---+---+
Firmware:
The vendor firmware is a fork of OpenWrt (Reboot) with a kernel version
4.4.93. The flash is arranged as below and there is a dual boot
mechanism alternating between rootfs_0 and rootfs_1.
+-------+------+------+-----------+-----------+
| | env1 | env2 | rootfs_0 | rootfs_1 |
| +------+------+-----------+-----------+
| | UBI volumes |
+-------+-------------------------------------+
|U-Boot | UBI |
+-------+-------------------------------------+
|mtd0 | mtd1 |
+-------+-------------------------------------+
| NAND |
+---------------------------------------------+
In OpenWrt rootfs_0 will be used as a boot partition that will contain the
kernel and the dtb. The squashfs rootfs and overlay are standard OpenWrt
behaviour.
+-------+------+------+-----------+--------+------------+
| | env1 | env2 | rootfs_0 | rootfs | rootfs_data|
| +------+------+-----------+--------+------------+
| | UBI volumes |
+-------+-----------------------------------------------+
|U-Boot | UBI |
+-------+-----------------------------------------------+
|mtd0 | mtd1 |
+-------+-----------------------------------------------+
| NAND |
+-------------------------------------------------------+
U-boot:
With proper serial access booting can be halted to U-boot by pressing any
key. TFTP and flash writes are available, but only the first one has been
tested.
NOTE: Recovery mode can be accessed by holding down the reset button while
powering on the device. The led 'Update' will show a solid green light
once ready. A web server will be running at 192.168.1.1:80 and it will
allow flashing a firmware package. You can cycle between rootfs_0 and
rootfs_1 by pressing the reset button once.
Root password:
With the vendor web UI create a backup of your settings and download the
archive to your computer. Within the archive in the file
/etc/shadow replace the password hash for root with that of a password you
know. Restore the configuration with the vendor web UI and you will have
changed the root password.
SSH access:
You might need to enable the SSH service for LAN interface as by default
it's enabled for WAN only.
Installing OpenWrt:
With the vendor web UI install the OpenWrt factory image. Alternatively,
ssh to the device and use sysupgrade -n from cli.
Finalize by installing the OpenWrt sysupgrade image to get a fully
functioning system.
Reverting to the vendor firmware:
Boot with OpenWrt initramfs image
- Remove volumes rootfs_0, rootfs and rootfs_data and create vendor
volumes.
ubirmvol /dev/ubi0 -n 2
ubirmvol /dev/ubi0 -n 3
ubirmvol /dev/ubi0 -n 4
ubimkvol /dev/ubi0 -N rootfs_0 -S 990
ubimkvol /dev/ubi0 -N rootfs_1 -S 990
Power off and enter to the U-boot recovery to install the vendor
firmware.
Known issues:
- MACs for wifi are stored in currently unknown place but it seems
to persist over power-off. They might be stored on the chip.
Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
[rmilecki: try NVMEM for MACs]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
- specify CC target explicitly
- define KBUILD_SYM32=n to select "native" build format (if building with 64-bit arch)
- rewrap lines (for good)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15702
Signed-off-by: Robert Marko <robimarko@gmail.com>
The path for linking libucode.so was not specified for the ucode binary.
This breaks execution of ucode in the host context.
Signed-off-by: David Bauer <david.bauer@uniberg.com>
move nanopc-t6 recipes above rock 5b.
Fixes: 9482341a47 ("rockchip: add support for nanopc t6")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Link: https://github.com/openwrt/openwrt/pull/16340
Signed-off-by: Robert Marko <robimarko@gmail.com>
Specifications:
* SoC: Qualcomm IPQ8072A (64-bit Quad-core Arm Cortex-A53 @ 2200MHz)
* Memory: 2x ESMT M15T4G16256A-DEBG2G (1 GiB DDR3-1866 13-13-13)
* Serial Port: 3v3 TTL 115200n8
* Wi-Fi: QCN5054 (4x4 5 GHz 802.11ax)
* Wi-Fi: QCN5024 (4x4 2.4 GHz 802.11b/g/n/ax)
* Ethernet: QCA8081 (10/100/1000/2.5GBASE-T)
* Flash: Winbond W29N01HZSINF (128 MiB)
* LEDs: 1x Blue Status (GPIO 42 Active High)
* Buttons: 1x Reset (GPIO 50 Active Low)
Installation Instructions (Serial+TFTP):
1. Solder 4 pin header to JP1 and bridge pads of R58 and R62.
2. Connect 3V3 TTL port to TX, RX, and GND, which are positions 1, 2,
and 3 respectively. Be sure to crossover TX and RX.
3. Copy RAM firmware image
openwrt-qualcommax-ipq807x-tplink_eap660hd-v1-initramfs-uImage.itb
to TFTP server root, available at 192.168.10.1.
4. Connect PoE ethernet cable to the RJ45 port and hold Ctrl+B in the
serial console (115200 baud) until autoboot is halted.
5. Run the following commands in the U-boot prompt:
# tftpboot 0x44000000 openwrt-qualcommax-ipq807x-tplink_eap660hd-v1-initramfs-uImage.itb
# bootm
You may need to type Ctrl+C and Enter before running these commands
to clear invisible characters from the buffer.
6. Run the following command in a terminal to copy the sysupgrade image
to be installed (check IP address):
$ scp openwrt-qualcommax-ipq807x-tplink_eap660hd-v1-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/
7. Activate the OpenWrt serial console and run the following commands:
# cd /tmp
# sysupgrade -n openwrt-qualcommax-ipq807x-tplink_eap660hd-v1-squashfs-sysupgrade.bin
8. The AP will reboot and OpenWrt will be successfully installed.
Signed-off-by: George Witt <george.witt@nltsproject.org>
Link: https://github.com/openwrt/openwrt/pull/15832
Signed-off-by: Robert Marko <robimarko@gmail.com>
GCC errors on returning int in void function now.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16348
Signed-off-by: Robert Marko <robimarko@gmail.com>
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
* Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
Added github releases url as source mirror
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds u-boot config for access to system env variables on this board
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16312
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
If the user has ip-tiny or ip-full installed there is no need to depend on
BusyBox having any form of `ip` or `ip link` applets.
Signed-off-by: Christian Svensson <blue@cmd.nu>
Link: https://github.com/openwrt/openwrt/pull/16062
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Include hotfix suggested by Sebastian Gottschall to fix bug introduced
with APuP patchset
Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: 0c3001a69e
Link: https://github.com/openwrt/openwrt/pull/16298
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Instead of avoiding returning, propagate error so that the kernel
infrastructure can handle it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16262
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Instead of ignoring errors, let the linux infrastructure handle it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16262
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Besides probing BPF information in running system, bpftool is also used in
generating skeleton, dumping BTF, etc. that is widely used in modern BPF
development. Make it available as a host tool so that we can use it in
package build.
Tested build targeting malta/le on Arch Linux x86_64. bpftools currently
does not support processing cross-endian BPF objects, so big-endian host
is needed to build for big-endian targets using bpftools.
Signed-off-by: Eric Long <i@hack3r.moe>
Link: https://github.com/openwrt/openwrt/pull/16122
Signed-off-by: Robert Marko <robimarko@gmail.com>
480551a3adc4 interface: add support for disabling renew on topology change
b7b294266781 device: add more debugging code
595094f5c213 device: do not pull device present state from hotplug events
4e11e52e9b98 main: add messages to udebug regardless of their log level
091d063f4a9d wireless: handle link updates even if devices are present already
a8e90853c936 interface: improve hotplug handling reliability
cdb41673ceea device: remove redundant newlines from debug messages
cd2a7964f2c0 device: revert to explicit device_set_present calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Try to do a clean disconnection via L3 request before the connection is
stopped.
Because this might take up to 6 seconds (the driver does 3 attempts with
a timeout of 2 seconds each), a termination timeout needs to be defined
in the init script.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Move the code for disconnection on exit to a separate function, and also
call it in the code paths for SIGINT and the "quit" CLI command.
While at it, make the patch description a bit clearer.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Move the code for disconnection on exit to a separate function, and also
call it in the code path for the "quit" CLI command.
While at it, make the patch description a bit clearer.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Use the correct return value in error message.
Fixes: 6e4c9738be ("ltq-vdsl-vr11-app: add version 4.23.1 for vr11 targets")
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Use the correct return value in error message.
Fixes: 1daaef31b3 ("ltq-vdsl-app: disconnect when service is stopped")
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Empty trailing fields get lost when the lines are split and merged again
at colons, resulting in unparsable entries. Only use the split fields for
matching against the other file, but emit the original line unchanged
to fix the issue.
Fixes: de7ca7dafa ("base-files: merge /etc/passwd et al at sysupgrade config restore")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>