Commit Graph

42497 Commits

Author SHA1 Message Date
Sven Eckelmann
d6bbfc8b52 ipq40xx: essedma: Disable TCP segmentation offload for IPv6
It was noticed that the the whole MAC can hang when transferring data from
one ar40xx port (WAN ports) to the CPU and from the CPU back to another
ar40xx port (LAN ports). The CPU was doing only NATing in that process.

Usually, the problem first starts with a simple data corruption:

  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.4.0-amd64-netinst.iso -O /dev/null
  ...
  Connecting to saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|2001:6b0:19::138|:443... connected.
  ...
  Read  error at byte 48807936/352321536 (Decryption has failed.). Retrying.

But after a short while, the whole MAC will stop to react. No traffic can
be transported anymore from the CPU port from/to the AR40xx PHY/switch and
the MAC has to be resetted.

The whole problem can be avoided by disabling the TSO for IPv6 for this
ethernet MAC driver.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: John Crispin <john@phrozen.org>
(backported from commit 6785695056,
with updated commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2020-06-13 17:41:57 +02:00
Christian Lamparter
b98bfd4e9b ca-certificates: update to version 20200601
This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.

A list of changes from Debian's change-log entry for 20200601 [0]:

  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.40.
    Closes: #956411, #955038
  * mozilla/blacklist.txt
    Add distrusted Symantec CA list to blacklist for explicit removal.
    Closes: #911289
    Blacklist expired root certificate, "AddTrust External Root"
    Closes: #961907
    The following certificate authorities were added (+):
    + "Certigna Root CA"
    + "emSign ECC Root CA - C3"
    + "emSign ECC Root CA - G3"
    + "emSign Root CA - C1"
    + "emSign Root CA - G1"
    + "Entrust Root Certification Authority - G4"
    + "GTS Root R1"
    + "GTS Root R2"
    + "GTS Root R3"
    + "GTS Root R4"
    + "Hongkong Post Root CA 3"
    + "UCA Extended Validation Root"
    + "UCA Global G2 Root"
    The following certificate authorities were removed (-):
    - "AddTrust External Root"
    - "Certinomis - Root CA"
    - "Certplus Class 2 Primary CA"
    - "Deutsche Telekom Root CA 2"
    - "GeoTrust Global CA"
    - "GeoTrust Primary Certification Authority"
    - "GeoTrust Primary Certification Authority - G2"
    - "GeoTrust Primary Certification Authority - G3"
    - "GeoTrust Universal CA"
    - "thawte Primary Root CA"
    - "thawte Primary Root CA - G2"
    - "thawte Primary Root CA - G3"
    - "VeriSign Class 3 Public Primary Certification Authority - G4"
    - "VeriSign Class 3 Public Primary Certification Authority - G5"
    - "VeriSign Universal Root Certification Authority"

[0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit f611b014a7)
2020-06-10 00:31:21 +02:00
Matthias Schiffer
b20a95f181
musl: fix locking synchronization bug
Import proposed upstream fix [2] for the critical locking
synchronization bug recently found in musl [1].

This affects all programs that are temporarily multithreaded, but then
return to single-threaded operation.

[1] https://www.openwall.com/lists/musl/2020/05/22/3
[2] https://www.openwall.com/lists/musl/2020/05/22/10

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 10c211031c)
2020-05-26 23:50:37 +02:00
Jo-Philipp Wich
ff6c312000 rpcd: update to latest openwrt-18.06 Git HEAD
7be1f17 file: exec: properly free memory on error
313964c file: avoid closing stdio descriptors in rpc_file_exec_run
cd09c5f file: patch process stdin to /dev/null
efbcedb file: remove unused members from struct rpc_file_exec_context
71b00ab file: rpc_file_exec_run: fix potential memory leak and integer overflow
c7bb956 plugin: fix double free in finish callback
16de3fa plugin: do not free method name separately
29c9c11 exec: properly free memory on rpc_exec() error
5cd4f4e plugin: exec: properly free memory on parse error
d80f70e plugin: fix leaking invoked method name for exec plugins
53a0952 session: deny access if password login is disabled
662d034 uci: reset uci_ptr flags when merging options during section add
dd46d6d uci: free configs list memory on return
abbc302 uci: reset uci_ptr flags when merging set operations

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-26 16:26:28 +02:00
Matthias Schiffer
aba01f7350
usign: update to latest git HEAD
f1f65026a941 Always pad fingerprints to 16 characters

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit e35e40ad82)
2020-05-24 17:03:43 +02:00
Hauke Mehrtens
2ed25124f6
usign: update to latest Git HEAD
f34a383 main: fix some resource leaks

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 81e93fff7d)
2020-05-24 17:03:35 +02:00
Hauke Mehrtens
6b1f2e6058 squashfs: Fix compile with GCC 10
Fixes the following build error with GCC 10:
	/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `swap'; mksquashfs.o:(.bss+0x1b2a88): first defined here
And a compile warning.

Fixes: FS#3104, FS#3119
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1bbc1aa884)
2020-05-24 14:43:25 +02:00
Kevin Darbyshire-Bryant
7b3ada8c6d build: prereq: tidy gcc version checks
There is a restriction in the number of parameters(10)  that may be passed to
the SetupHostCommand macro so continually adding explicit gcc'n' version
checks ends up breaking the compiler check for the later versions and
oddballs like Darwin as was done in 835d1c68a0 which added gcc10.

Drop all the explicitly specified gcc version checks.  If a suitable gcc
compiler is not found, it may be specified at the dependency checking
stage after which that version will be symlinked into the build staging
host directory.

eg. 'CC=gccfoo CXX=g++foo make prereq'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1fb3c003d6)
2020-05-24 14:43:08 +02:00
Robert Marko
e1d4612e0a build: add GCC 10 version detection
Lets add GCC 10 detection to the build system as distributions like Fedora 32 have started shipping with it.
Some tools like mtd-utils need work to compile under GCC10, but that will be next step.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit 835d1c68a0)
2020-05-24 14:43:07 +02:00
Felix Fietkau
401fe1a599 build: adjust gcc/g++ version checks for newer apple compilers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 46a129194d)
2020-05-24 14:42:52 +02:00
Adrian Schmutzler
6ee6496d07 ramips: drop non-existant ralink,port-map for Ravpower WD03
The property "ralink,port-map" has been obsolete long before
this device was added, and the device is a one-port anyway.
Just remove it.

Fixes: 5ef79af4f8 ("ramips: add support for Ravpower WD03")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c00b2df6c8)
2020-05-19 11:36:53 +02:00
Álvaro Fernández Rojas
a7e915975f bcm63xx: mask interrupts on init
Fixes BCM6348/BCM6358 hangs while booting:
https://bugs.openwrt.org/index.php?do=details&task_id=2202

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 13c33f3f12)
2020-05-18 11:06:05 +02:00
Álvaro Fernández Rojas
8e2201ea50 bcm63xx: ext_intc: fix warning
In file included from ./arch/mips/include/asm/io.h:34,
                 from ./arch/mips/include/asm/mmiowb.h:5,
                 from ./include/linux/spinlock.h:60,
                 from ./include/linux/irq.h:14,
                 from drivers/irqchip/irq-bcm6345-ext.c:10:
drivers/irqchip/irq-bcm6345-ext.c: In function 'bcm6345_ext_intc_of_init':
./arch/mips/include/asm/mach-bcm63xx/ioremap.h:48:9: warning: 'base' may be used uninitialized in this function [-Wmaybe-uninitialized]
  return is_bcm63xx_internal_registers((unsigned long)addr);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/irqchip/irq-bcm6345-ext.c:255:16: note: 'base' was declared here
  void __iomem *base;
                ^~~~

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 29c3bb5f41)
2020-05-18 10:55:06 +02:00
Álvaro Fernández Rojas
183e9843e1 bcm63xx: periph_intc: fix warning
drivers/irqchip/irq-bcm6345-periph.c: In function 'bcm6345_periph_irq_handle':
drivers/irqchip/irq-bcm6345-periph.c:55:21: warning: 'block' may be used uninitialized in this function [-Wmaybe-uninitialized]
  struct intc_block *block;
                     ^~~~~

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit f2f2cf07a6)
2020-05-18 10:55:06 +02:00
Álvaro Fernández Rojas
a9eebf69f3 bcm63xx: redboot: fix warning
drivers/mtd/parsers/redboot.c: In function 'parse_redboot_partitions':
drivers/mtd/parsers/redboot.c:194:59: warning: suggest parentheses around '-' in operand of '&' [-Wparentheses]
     fis_origin = (buf[i].flash_base & (master->size << 1) - 1);
                                       ~~~~~~~~~~~~~~~~~~~~^~~

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit f314cbe54b)
2020-05-18 10:55:06 +02:00
Álvaro Fernández Rojas
b9daff610e bcm63xx: bcm6362: fix pinctrl bug
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit ee6bf7e865)
2020-05-18 10:55:06 +02:00
Álvaro Fernández Rojas
488751e1e5 bcm63xx: refresh kernel config
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2020-05-18 10:55:06 +02:00
Magnus Kroken
b37a1e428a mbedtls: update to 2.16.6
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d)
2020-05-16 21:25:55 +02:00
Josef Schlehofer
d3af501317 mbedtls: update to version 2.16.5
Changelog:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 36af1967f5)
2020-05-16 21:25:25 +02:00
Robert Marko
15d73a26b6 libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b768)
2020-05-16 21:18:50 +02:00
Koen Vandeputte
7b49c0b48a kernel: bump 4.14 to 4.14.180
Refreshed all patches.

Fixed:
- CVE-2020-12114
- CVE-2020-11669

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-05-12 12:45:57 +02:00
Koen Vandeputte
5faccaf025 kernel: bump 4.9 to 4.9.223
Refreshed all patches.

Fixes:
- CVE-2020-12114

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-05-12 12:45:57 +02:00
Jason A. Donenfeld
2a9c2c0721 wireguard: bump to 1.0.20200506
* compat: timeconst.h is a generated artifact

Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.

* compat: use bash instead of bc for HZ-->USEC calculation

This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.

* socket: remove errant restriction on looping to self

It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.

* send: cond_resched() when processing tx ringbuffers

Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.

* selftests: initalize ipv6 members to NULL to squelch clang warning

This fixes a worthless warning from clang.

* send/receive: use explicit unlikely branch instead of implicit coalescing

Some code readibility cleanups.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 4f6343ffe7)
2020-05-07 13:55:37 +02:00
Jason A. Donenfeld
d5118bb511 wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit ea980fb9c6)
2020-05-07 13:54:56 +02:00
Kevin Darbyshire-Bryant
1a30fe1621 relayd: bump to version 2020-04-25
f4d759b dhcp.c: further improve validation

Further improve input validation for CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e2)
2020-05-04 16:24:35 +01:00
Kevin Darbyshire-Bryant
b65550e0db relayd: bump to version 2020-04-20
796da66 dhcp.c: improve input validation & length checks

Addresses CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit be172e663f)
2020-05-04 16:24:35 +01:00
Kevin Darbyshire-Bryant
77063bb76e umdns: update to version 2020-04-25
cdac046 dns.c: fix input validation fix

Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.

Improve CVE-2020-11750 fix

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed078)
2020-05-04 16:22:39 +01:00
Kevin Darbyshire-Bryant
b076243426 umdns: update to version 2020-04-20
e74a3f9 dns.c: improve input validation

Addresses CVE-2020-11750

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 533da61ac6)
2020-05-04 16:22:39 +01:00
Kevin Darbyshire-Bryant
cffd5aeb69 umdns: update to the version 2020-04-05
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50e)
2020-05-04 16:22:39 +01:00
Kevin Darbyshire-Bryant
7ebc51a57f umdns: suppress address-of-packed-member warning
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:

dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]

261 |  uint16_t *swap = (uint16_t *) q;

Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f0147)
2020-05-04 16:22:39 +01:00
Sungbo Eo
f77708d4a5 ramips: remove unnecessary DEVICE_PACKAGES for Belkin F7C027
kmod-usb-dwc2 and kmod-usb-ledtrig-usbport are not target default packages, and
Belkin F7C027 does not have a USB port anyway. Just drop it.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 1dedad2a00)
2020-04-27 22:41:06 +02:00
Sungbo Eo
2051edf381 oxnas: move service file to correct place
This service file has been misplaced from the very beginning.

Fixes: dcc34574ef ("oxnas: bring in new oxnas target")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 01961f163d)
2020-04-27 22:40:55 +02:00
Koen Vandeputte
1f0679f54d kernel: bump 4.14 to 4.14.176
Refreshed all patches.

Remove upstreamed:
- 0001-net-thunderx-workaround-BGX-TX-Underflow-issue.patch
- 600-ipv6-addrconf-call-ipv6_mc_up-for-non-Ethernet-inter.patch

Fixes:
- CVE-2020-8647
- CVE-2020-8648 (potentially)
- CVE-2020-8649

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-04-16 13:24:54 +02:00
Koen Vandeputte
82c8170cd0 kernel: bump 4.9 to 4.9.219
Refreshed all patches.

Altered patches:
- 0026-NET-multi-phy-support.patch

Fixes:
- CVE-2020-8647
- CVE-2020-8648 (Potentially)
- CVE-2020-8649

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-04-16 13:24:54 +02:00
Koen Vandeputte
489fc23535 kernel: add missing symbol for Kernel 4.14
Reported by Buildbot:

x86 instruction decoder selftest (X86_DECODER_SELFTEST) [N/y/?] (NEW) aborted!

Fixes: 4eba86820f ("kernel: bump 4.14 to 4.14.169")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[rebased onto 18.06]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-04-15 11:17:11 +02:00
Alexey Dobrovolsky
027950fc78 ramips: use full 8MB flash on ZyXEL Keenetic
ZyXEL Keenetic has 8MB flash, but OpenWrt uses only 4MB.
This commit fixes the problem.

WikiDevi page [1] says that ZyXEL Keenetic has FLA1: 8 MiB, there is
an article with specs [2] (in Russian).

[1] https://wikidevi.wi-cat.ru/ZyXEL_Keenetic
[2] https://3dnews.ru/608774/page-2.html

Fixes: FS#2487
Fixes: a7cbf59e0e ("ramips: add new device ZyXEL Keenetic as kn")

Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
(cherry picked from commit fea232ae8f)
2020-04-12 13:48:31 +02:00
Adrian Schmutzler
ad01cb514d Revert "ar71xx: use status led for GL.iNet GL-AR750S"
This reverts commit c3c6cc95ee.

The GL.iNet GL-AR750S is not supported in 18.06.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-03-26 22:23:47 +01:00
Jan Alexander
c3c6cc95ee ar71xx: use status led for GL.iNet GL-AR750S
Use power led for device status.

The status led behavior has already been fixed in af28d8a539
("ath79: add support for GL.iNet GL-AR750S") when porting the
device to ath79. This fixes it for ar71xx as well.

Signed-off-by: Jan Alexander <jan@nalx.net>
[minor commit title/message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d394c354ee)
2020-03-26 20:01:19 +01:00
Adrian Schmutzler
10c04b4ca3 ar71xx: fix port order on TP-Link Archer C60 v1/v2
The labels on the LAN ports of the TP-Link Archer C60 v1/v2 are
actually inverted compared to the ports of the internal switch.

Add this information to 02_network.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 14a07fa1f0)
2020-03-14 14:43:09 +01:00
Adrian Schmutzler
983125007e ar71xx: remove wrong MAC address adjustment for Archer C60 v2
The adjustment of the MAC address for Archer C60 v2 in 10_fix_wifi_mac
is broken since a "mac" partition is not set up for this device on
ar71xx. Instead, the MAC address is already patched correctly in
11-ath10k-caldata.

Remove the useless adjustment.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit cbdc919024)
2020-03-14 14:42:41 +01:00
Adrian Schmutzler
302170d383 ar71xx: fix swapped LAN/WAN MAC address for Archer C60 v1/v2
The MAC addresses for lan/wan are swapped compared to the vendor
firmware. This adjusts to vendor configuration, which is:

lan   *:7b   label
wan   *:7c   label+1
2.4g  *:7b   label
5g    *:7a   label-1

Only one address is stored in <&mac 0x8>, corresponding to the label.

This has been checked on revisions v1, v2 and v3.

Since ar71xx calculates the ath10k MAC address based on the ethernet
addresses, the number there is adjusted, too.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 14eb54938b)
2020-03-14 14:41:35 +01:00
Catrinel Catrinescu
3ef8465cb8 ar71xx: ew-dorin, fix the trigger level for WPS button
Because the WPS button had the wrong trigger level,
the failsafe mode was triggered quite often,
after this commit:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=27f3f493de

Signed-off-by: Catrinel Catrinescu <cc@80211.de>
(cherry picked from commit 3e03b7ac4a)
2020-03-11 11:27:12 +01:00
Rafał Miłecki
08ad7a314d kernel: backport out-of-memory fix for non-Ethernet devices
Doing up & down on non-Ethernet devices (e.g. monitor mode interface)
was consuming memory.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ec8e8e2ef0)
2020-03-11 08:56:02 +01:00
Koen Vandeputte
e38f355569 kernel: bump 4.14 to 4.14.172
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-03-09 20:45:11 +01:00
Koen Vandeputte
4c14dbf5db kernel: bump 4.9 to 4.9.215
Refreshed all patches.

Compile-tested on: ar71xx
Runtime-tested on: ar71xx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-03-09 20:45:11 +01:00
Jo-Philipp Wich
e884357fa9 OpenWrt v18.06.8: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 22:32:58 +01:00
Jo-Philipp Wich
c3bd1321de OpenWrt v18.06.8: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 22:32:54 +01:00
Jo-Philipp Wich
82fbd85747 libubox: backport blobmsg_check_array() fix
Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 955634b473)
2020-02-27 22:25:59 +01:00
Petr Štetiar
4c1779ac2c ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:42:06 +01:00
Jo-Philipp Wich
cd262f59cb Revert "ppp: backport security fixes"
This reverts commit cc78f934a9 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:41:48 +01:00