oweals/openwrt.git
7 years agombedtls: Re-allow SHA1-signed certificates
Baptiste Jonglez [Sun, 30 Jul 2017 15:57:37 +0000 (17:57 +0200)]
mbedtls: Re-allow SHA1-signed certificates

Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
7 years agoramips: fix WHR-1166D WAN port
Mathias Kresin [Wed, 9 Aug 2017 18:17:43 +0000 (20:17 +0200)]
ramips: fix WHR-1166D WAN port

By adding the ICPlus IP1001 phy driver an already set RGMII delay mode
is reset during driver load.

Set the rgmii rx delay to fix corrupt/no packages in case the WAN port
negotiates to 1000MBit.

Fixes: FS#670

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agobase-files: don't setup network in preinit if failsafe is disabled
Rafał Miłecki [Mon, 7 Aug 2017 09:09:33 +0000 (11:09 +0200)]
base-files: don't setup network in preinit if failsafe is disabled

With failsafe disabled there is no point in early network setup. We
don't send announcement over UDP and there is no way to ssh to the
device.

A side effect of this is avoiding a possibly incorrect network config
(only with failsafe disabled). This problem is related to possible
changes made by user in /etc/config/network.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agodnsmasq: backport remove ping check of configured dhcp address
Hans Dedecker [Tue, 18 Jul 2017 20:55:29 +0000 (22:55 +0200)]
dnsmasq: backport remove ping check of configured dhcp address

Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoprocd: update to the latest git HEAD
Hans Dedecker [Tue, 8 Aug 2017 12:40:21 +0000 (14:40 +0200)]
procd: update to the latest git HEAD

66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoramips: ArcherC50v1: fix wlan2g MAC address
Thibaut VARENE [Fri, 4 Aug 2017 15:22:03 +0000 (17:22 +0200)]
ramips: ArcherC50v1: fix wlan2g MAC address

By default the wlan eprom contains the generic ralink MAC which is not
the vendor (TP-Link) one. Based on OFW bootlog, it appears that addresses
are decremented from the ethernet MAC.

This patch fixes the MAC address for wlan2g in line with OFW.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
7 years agoramips: fix Omnima MiniEMBWiFi image
Mathias Kresin [Mon, 31 Jul 2017 18:21:12 +0000 (20:21 +0200)]
ramips: fix Omnima MiniEMBWiFi image

Reference the Omnima MiniEMBWiFi device tree source file in the image
build code. Otherwise the dts of the image processed before is used.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: build HuaWei HG255D image
Mathias Kresin [Mon, 31 Jul 2017 18:19:14 +0000 (20:19 +0200)]
ramips: build HuaWei HG255D image

The code to build an image was disabled some time ago for unknown
reasons albeit the image looks fine.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: add missing partitions
Mathias Kresin [Mon, 31 Jul 2017 16:00:35 +0000 (18:00 +0200)]
ramips: add missing partitions

The partitions were lost during migration to device tree.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoprocd: update to latest git HEAD
John Crispin [Tue, 1 Aug 2017 05:02:26 +0000 (07:02 +0200)]
procd: update to latest git HEAD

3e68cdf procd: Do not leak pipe file descriptors to children

Signed-off-by: John Crispin <john@phrozen.org>
7 years agoralink: fix rcu_sched stalls on mt7621
John Crispin [Tue, 1 Aug 2017 04:53:38 +0000 (06:53 +0200)]
ralink: fix rcu_sched stalls on mt7621

there were 2 bugs
*) core1 came up with a bad bogo mips, looks like the clock needed time to stabilize
*) HPT frequency was not set making r4k timers not come up properly

Backport of 9551d91b1d6 "ralink: fix rcu_sched stalls on mt7621".

Signed-off-by: John Crispin <john@phrozen.org>
7 years agoramips: Archer C50v1: fix power led
Thibaut VARENE [Sat, 29 Jul 2017 09:32:44 +0000 (11:32 +0200)]
ramips: Archer C50v1: fix power led

01_leds had a workaround for the power led to compensate for the
inverted GPIO state. This patch was missing from my previous commit.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
[add the power led default-state which was omitted in the last commit
by me]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: Archer C50v1: fix switch port numbering
Thibaut VARENE [Fri, 28 Jul 2017 20:36:52 +0000 (22:36 +0200)]
ramips: Archer C50v1: fix switch port numbering

Luci shows switch ports in wrong order on that device.
This patch fixes switch port numbering and matches them to the device
silkscreen.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
7 years agoramips: Archer C50v1: fix LEDs active levels
Thibaut VARENE [Fri, 28 Jul 2017 21:26:40 +0000 (23:26 +0200)]
ramips: Archer C50v1: fix LEDs active levels

All LEDs GPIOs are active low on this device.

WAN and POWER states were inverted. Add default state for power.

Tested on Archer C50v1.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
7 years agoramips: fix Mercury MAC1200R v2.0 board name
Mathias Kresin [Fri, 28 Jul 2017 17:22:55 +0000 (19:22 +0200)]
ramips: fix Mercury MAC1200R v2.0 board name

With d2b6bf141662 ("ramips: fix image validation errors") the board
name was changed to fix an image validation error. But this change
wasn't applied to all other files using the board name, which broke
sysupgrade.

Revert this change and use the former board name in the metadata
instead.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agobrcm63xx: add NULL clock fix send upstream
Mathias Kresin [Fri, 28 Jul 2017 18:09:53 +0000 (20:09 +0200)]
brcm63xx: add NULL clock fix send upstream

Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.

Fixes: FS#735

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: add NULL clock fix send upstream
Mathias Kresin [Fri, 28 Jul 2017 17:38:04 +0000 (19:38 +0200)]
ramips: add NULL clock fix send upstream

Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.

Fixes: FS#735

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoar7: add NULL clock fix send upstream
Mathias Kresin [Fri, 28 Jul 2017 17:05:33 +0000 (19:05 +0200)]
ar7: add NULL clock fix send upstream

Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agocurl: fix CVE-2017-7407 and CVE-2017-7468
Hauke Mehrtens [Sun, 23 Jul 2017 14:08:47 +0000 (16:08 +0200)]
curl: fix CVE-2017-7407 and CVE-2017-7468

This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agokernel: update kernel 4.4 to version 4.4.79
Hauke Mehrtens [Sun, 23 Jul 2017 13:00:22 +0000 (15:00 +0200)]
kernel: update kernel 4.4 to version 4.4.79

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agoramips: DIR-860L-B1 fix switch port numbering
Thibaut VARENE [Tue, 25 Jul 2017 10:29:14 +0000 (12:29 +0200)]
ramips: DIR-860L-B1 fix switch port numbering

Luci shows switch ports in inverted order on that device.
This patch fixes switch port numbering and matches them to the device
silkscreen.

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
7 years agokernel: netfilter: fix nf-nathelper(-extra) description
Uwe Arnold [Thu, 20 Jul 2017 18:04:26 +0000 (20:04 +0200)]
kernel: netfilter: fix nf-nathelper(-extra) description

The tftp and irc netfilter modules are provided by nf-nathelper-extra
and not by nf-nathelper.

Signed-off-by: Uwe Arnold <donvipre@gmail.com>
[move the irc module as well]
Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoramips: fix wps button gpio for DWR-512
Giuseppe Lippolis [Tue, 18 Jul 2017 20:55:53 +0000 (22:55 +0200)]
ramips: fix wps button gpio for DWR-512

The WPS button is at GPIO#7.

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
7 years agoramips: DTS: VoCore2 improvements/fixes
Paul Wassi [Sat, 22 Jul 2017 09:15:55 +0000 (11:15 +0200)]
ramips: DTS: VoCore2 improvements/fixes

The VoCore2 features 128MB of RAM, therefore set
memory in DTS to 128*1024*1024 = 0x8000000
The board's LED is connected to GND, set it to
ACTIVE_HIGH here.
Make serial console working again on kernel 4.9 by
change of pinmux configuration.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
7 years agoar71xx: fix switch port mapping for TP-Link TL-WR74xN/D series
Piotr Dymacz [Fri, 14 Jul 2017 13:14:29 +0000 (15:14 +0200)]
ar71xx: fix switch port mapping for TP-Link TL-WR74xN/D series

Backport of ad8c315: "ar71xx: fix switch port mapping for TP-Link
TL-WR74xN/D series".

Fixes FS#843

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agouboot-envtools: add support for ALFA Network AP121F
Piotr Dymacz [Fri, 31 Mar 2017 11:43:06 +0000 (13:43 +0200)]
uboot-envtools: add support for ALFA Network AP121F

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agoar71xx: add support for ALFA Network AP121F
Piotr Dymacz [Fri, 31 Mar 2017 11:37:31 +0000 (13:37 +0200)]
ar71xx: add support for ALFA Network AP121F

ALFA Network AP121F is a pocket-size router dedicated for VPN/TOR users.
Device is based on Atheros AR9331 WiSoC and is running a custom version
(updated from OpenWrt CC to LEDE 17.01 release) of NetAidKit firmware.

Specification:

- 400/400/200 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR1)
- 16 MB of FLASH (SPI NOR)
- 1x 10/100 Mbps Ethernet
- 1T1R 2.4 GHz
- 1x microSD (optional, on separate PCB)
- 3x LED, 1x button, 1x switch
- UART header on PCB

Flash instruction (under U-Boot web recovery mode):

1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with RJ45 port, press the reset button, power up device,
   wait for first blink of all LEDs (indicates network setup), then keep
   button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agoimage: fix ar71xx legacy images
Mathias Kresin [Fri, 14 Jul 2017 17:35:02 +0000 (19:35 +0200)]
image: fix ar71xx legacy images

If TARGET_PER_DEVICE_ROOTFS and DEVICE_PACKAGES are used for ar71xx
legacy images:

- an already jffs2 padded squashfs rootfs is overwritten
  with an unpadded/raw one.

- the squashfs-raw and squashfs-64k rootfs are not replaced by the
  ones including the DEVICE_PACKAGES

Call Image/Build/squashfs after the DEVICE_PACKAGES are added to the
base squashfs rootfs to fix the issues.

Fixes: FS#904

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoimx6: fix DualLite/Solo GW551X board detection
Mathias Kresin [Mon, 15 May 2017 16:21:39 +0000 (18:21 +0200)]
imx6: fix DualLite/Solo GW551X board detection

The model name is a different one in the device tree source file.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoprocd: backport kernel watchdog start/stop support
Hans Dedecker [Thu, 13 Jul 2017 19:54:59 +0000 (21:54 +0200)]
procd: backport kernel watchdog start/stop support

4dbf57a watchdog: add support for starting/stopping kernel watchdog

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agox86: add missing kernel config symbols to Geode target
Jo-Philipp Wich [Wed, 12 Jul 2017 23:25:10 +0000 (01:25 +0200)]
x86: add missing kernel config symbols to Geode target

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agox86: enable ACPI support for the Geode subtarget
Jo-Philipp Wich [Wed, 12 Jul 2017 20:38:39 +0000 (22:38 +0200)]
x86: enable ACPI support for the Geode subtarget

Backport of 9b940fe "x86: enable ACPI support for the Geode subtarget".

Fixes FS#577.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agodnsmasq: backport patch fixing DNS failover (FS#841)
Hans Dedecker [Wed, 28 Jun 2017 08:15:38 +0000 (10:15 +0200)]
dnsmasq: backport patch fixing DNS failover (FS#841)

Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoar71xx: set US region code for TP-Link TL-WR710N v1 image
Matthias Schiffer [Wed, 12 Jul 2017 17:22:51 +0000 (19:22 +0200)]
ar71xx: set US region code for TP-Link TL-WR710N v1 image

Non-US versions of the TP-Link TL-WR710N v1 don't have a region code so
far, so we can just set US unconditionally.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agofstools: backport fixes from master branch
Daniel Golle [Tue, 11 Jul 2017 21:30:10 +0000 (23:30 +0200)]
fstools: backport fixes from master branch

The following changes are backported from the master branch

bdcb075 libfstools: fix matching device name
(f038a61 on master)

ef2d438 fstools: use -Wno-format-truncation instead of -Wno-error=format-truncation
(c43ae11 on master)

d361923 build: disable the format-truncation warning error to fix gcc 7 build errors
(a19f2b3 on master)

cddc830 libfstools: silence mkfs.{ext4,f2fs}
(88d48d5 on master)

be5004c libfstools: add basic documentation of mount functions
(92b4c2c on master)

34d36c2 add missing includes
(7d78836 on master)

A previously added hotfix was replaced by a git commit, hence the patch
file is removed and we got instead

45c2a6f libfstools: fix multiple volume_identify usages with the same volume
(633a8d0 on master)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
7 years agomtd-utils: use source package name for lzo in PKG_BUILD_DEPENDS
Matthias Schiffer [Sat, 8 Jul 2017 20:51:34 +0000 (22:51 +0200)]
mtd-utils: use source package name for lzo in PKG_BUILD_DEPENDS

PKG_BUILD_DEPENDS should always refer to source package names.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agoramips: fix Xiaomi MiWiFi Nano firmware partition size
Mathias Kresin [Thu, 23 Mar 2017 19:30:25 +0000 (20:30 +0100)]
ramips: fix Xiaomi MiWiFi Nano firmware partition size

Even the commit message of the patch adding support for the MiWiFi Nano
says that a 16 MB flash chip is used. Extend the firmware partition to
make use of all available flash space.

Fixes: FS#622

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agobuild: fix kmod package build on non-GNU systems
Felix Fietkau [Mon, 29 May 2017 12:26:36 +0000 (14:26 +0200)]
build: fix kmod package build on non-GNU systems

BSD paste requires a filename argument, and it accepts - to use stdin as
intended.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoar71xx: Fix UBIFS work on Mikrotik RB95x devices
Sergey Sergeev [Wed, 31 May 2017 08:00:01 +0000 (11:00 +0300)]
ar71xx: Fix UBIFS work on Mikrotik RB95x devices

If nand chip has no NAND_NO_SUBPAGE_WRITE flag on its options
ubifs can't use it mtd devices and the kernel crashes with error:
__nand_correct_data: uncorrectable ECC error

Signed-off-by: Sergey Sergeev <adron@yapic.net>
7 years agolantiq: use img file extension for DGN3500 factory images
Mathias Kresin [Wed, 28 Jun 2017 21:36:37 +0000 (23:36 +0200)]
lantiq: use img file extension for DGN3500 factory images

The Netgear UI in basic mode refuses the upgrade file if the the
fileextension is not img. The expert/advanced mode accepts any
fileextension. Use img to make it work in any case.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agodnsmasq: backport tweak ICMP ping logic for DHCPv4
Hans Dedecker [Mon, 26 Jun 2017 08:23:08 +0000 (10:23 +0200)]
dnsmasq: backport tweak ICMP ping logic for DHCPv4

Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agodhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Hans Dedecker [Thu, 29 Jun 2017 07:41:59 +0000 (09:41 +0200)]
dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoprocd: backport fixes from master branch
Daniel Golle [Wed, 28 Jun 2017 00:01:07 +0000 (02:01 +0200)]
procd: backport fixes from master branch

The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:

89918c8 system: introduce new attribute board_name
(79bbe6d and 453116e on master branch)

8297c38 preinit: define _GNU_SOURCE
(e5b963a on master branch)

8fd57dd upgraded: cmake: Find and include uloop.h
(e5ff8ca on master branch)

6b0da20 hotplug: fix a memory leak in handle_button_complete()
(f367ec6 on master branch)

558ffb5 service/service_stopped(): fix a use-after-free
(796ba3b on master branch)

22f89e1 upgraded: define __GNU_SOURCE
(e7bb2c8 on master branch)

6e8ea8b rcS: add missing fcntl.h include
(992b796 on master branch)

cd5225d procd/rcS: Use /dev/null as stdin
(d42b21e on master branch)

5131bec procd: Log initscript output prefixed with script name
(1247db1 on master branch)

225b18d procd: Don't use syslog before its initialization
(8d720b2 on master branch)

889442c procd: Add missing \n in debug message
(2555474 on master branch)

2716228 procd: service gets deleted when its last instance is freed
(8f218f5 on master branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
7 years agokernel: update kernel 4.4 to 4.4.74
Stijn Tintel [Tue, 27 Jun 2017 08:26:38 +0000 (10:26 +0200)]
kernel: update kernel 4.4 to 4.4.74

Refresh patches.
Compile-tested on ar71xx, octeon.
Runtime-tested on ar71xx, octeon.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agoipq806x: fixup thermal patches
Stijn Tintel [Tue, 27 Jun 2017 08:05:04 +0000 (10:05 +0200)]
ipq806x: fixup thermal patches

Fix conflict with thermal patches added in
c03d4317a6bc891cb4a5e89cbdd77f37c23aff86.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agobase-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Rafał Miłecki [Fri, 16 Jun 2017 11:23:22 +0000 (13:23 +0200)]
base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries

Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agobcm53xx: include wpad-mini only on devices with (supported) wireless
Rafał Miłecki [Mon, 22 May 2017 10:50:53 +0000 (12:50 +0200)]
bcm53xx: include wpad-mini only on devices with (supported) wireless

Don't include wpad-mini when it's useless just like we don't include
useless wireless drivers.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agofirmware-utils: fix dgn3500sum compiler warnings
Mathias Kresin [Mon, 26 Jun 2017 17:22:52 +0000 (19:22 +0200)]
firmware-utils: fix dgn3500sum compiler warnings

The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.

While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoca-certificates: Update to version 20161130+nmu1
Christian Schoenebeck [Mon, 19 Jun 2017 18:56:17 +0000 (20:56 +0200)]
ca-certificates: Update to version 20161130+nmu1

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
7 years agoopenvpn: update to 2.4.3
Magnus Kroken [Thu, 22 Jun 2017 21:01:01 +0000 (23:01 +0200)]
openvpn: update to 2.4.3

Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
7 years agombedtls: update to 2.5.1
Magnus Kroken [Wed, 21 Jun 2017 19:05:09 +0000 (21:05 +0200)]
mbedtls: update to 2.5.1

Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
7 years agobcm53xx: enable Northstar thermal driver
Rafał Miłecki [Thu, 20 Apr 2017 20:27:19 +0000 (22:27 +0200)]
bcm53xx: enable Northstar thermal driver

It allows monitoring CPU temp and will shutdown system on critical
value.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agokernel: backport Broadcom thermal drivers
Rafał Miłecki [Fri, 14 Apr 2017 16:18:36 +0000 (18:18 +0200)]
kernel: backport Broadcom thermal drivers

This includes driver for Northstar and for Raspberry Pi.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years agoRevert "dnsmasq: don't point --resolv-file to default location unconditionally"
Hans Dedecker [Mon, 19 Jun 2017 20:05:21 +0000 (22:05 +0200)]
Revert "dnsmasq: don't point --resolv-file to default location unconditionally"

This reverts commit 78edfff5303533dc52a1ac64ad745acc0a8a743e.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agodropbear: fix service trigger syntax error
Kevin Darbyshire-Bryant [Thu, 15 Jun 2017 11:58:25 +0000 (12:58 +0100)]
dropbear: fix service trigger syntax error

The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
7 years agoramips: fix Phicomm K1S(PSG1208) pinmux
小桥 [Sun, 5 Mar 2017 07:53:40 +0000 (15:53 +0800)]
ramips: fix Phicomm K1S(PSG1208) pinmux

Use gpio function for pins with LEDs.

Signed-off-by: 小桥 <29551030@qq.com>
7 years agoLEDE v17.01.2: revert to branch defaults
Alexander Couzens [Sat, 10 Jun 2017 11:08:07 +0000 (13:08 +0200)]
LEDE v17.01.2: revert to branch defaults

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
7 years agoLEDE v17.01.2: adjust config defaults v17.01.2
Alexander Couzens [Sat, 10 Jun 2017 11:08:02 +0000 (13:08 +0200)]
LEDE v17.01.2: adjust config defaults

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
7 years agobuild: ensure that flock is available for make download
Felix Fietkau [Thu, 8 Jun 2017 09:05:05 +0000 (11:05 +0200)]
build: ensure that flock is available for make download

It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoinclude/toplevel: set env GIT_ASKPASS=/bin/true
Alexander Couzens [Wed, 7 Jun 2017 21:56:19 +0000 (23:56 +0200)]
include/toplevel: set env GIT_ASKPASS=/bin/true

When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
7 years agobase-files: network.sh: fix a number of IPv6 logic flaws
Jo-Philipp Wich [Thu, 8 Jun 2017 17:27:46 +0000 (19:27 +0200)]
base-files: network.sh: fix a number of IPv6 logic flaws

* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agomwlwifi: update to version 10.3.4.0 / 2017-06-06
Jo-Philipp Wich [Thu, 8 Jun 2017 17:54:53 +0000 (19:54 +0200)]
mwlwifi: update to version 10.3.4.0 / 2017-06-06

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoautomake: import upstream fix for perl 5.26
Daniel Golle [Wed, 7 Jun 2017 17:39:33 +0000 (19:39 +0200)]
automake: import upstream fix for perl 5.26

Build broke as distributions now include Perl 5.26 and automake
triggered an "Unescaped left brace in regex" error.
Import upstream commit 13f00eb449 to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
7 years agobase-files: network.sh: properly report local IPv6 addresses
Jo-Philipp Wich [Thu, 8 Jun 2017 10:02:36 +0000 (12:02 +0200)]
base-files: network.sh: properly report local IPv6 addresses

Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agokernel: update kernel 4.4 to 4.4.71
Jo-Philipp Wich [Wed, 7 Jun 2017 19:24:41 +0000 (21:24 +0200)]
kernel: update kernel 4.4 to 4.4.71

Fixes the following security vulnerabilities:

CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.

CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.

CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.

CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoAdd missing APU1 reference to x86 board.d
Kristian Evensen [Mon, 5 Jun 2017 08:24:02 +0000 (10:24 +0200)]
Add missing APU1 reference to x86 board.d

x86 board.d only contains a case for the APU2, not the APU1. This
causes, for example, network configuration not to be created correctly.
Even though the APU1 seems to reaching EOL, there a still a lot of them
out there.

The APU1 and APU2 is configured in the same way and this patch should
also be considered for stable, as the error also exists there.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
7 years agobase-files: always set proto passed to _ucidef_set_interface()
Mathias Kresin [Wed, 15 Feb 2017 07:39:05 +0000 (08:39 +0100)]
base-files: always set proto passed to _ucidef_set_interface()

Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agolantiq: fix broadcasts and vlans in two iface mode
Mathias Kresin [Fri, 24 Feb 2017 08:19:49 +0000 (09:19 +0100)]
lantiq: fix broadcasts and vlans in two iface mode

The two phy operation mode where one phy is assigned to an interface
without lantiq,* device tree property and the other phy is assigned to
an interface with the lantiq,wan device property was broken with the
multicast package leaks between vlans fixes.

Move the multicast packages relevant portmap settings to the condition
which handles multicast packages for better readability.

Replace the priv->port_map based port_map only for the interface which
has the lantiq,switch device tree property set, to allow tagged
multicast packages in two phy mode where the lantiq,switch device tree
property isn't used.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agolantiq: select kmod-mt7603 instead of kmod-mt76 for WBMR-300HPD
Felix Fietkau [Sun, 26 Feb 2017 14:00:54 +0000 (15:00 +0100)]
lantiq: select kmod-mt7603 instead of kmod-mt76 for WBMR-300HPD

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agolantiq: use the P2812HNUF* wan port as wan
Mathias Kresin [Sat, 11 Mar 2017 12:23:01 +0000 (13:23 +0100)]
lantiq: use the P2812HNUF* wan port as wan

The port is labeled as wan and was only used as lan port because of the
"tx ring full" issues fixed with 8f02f7c.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agolantiq: xrx200: use vlan for ethernet wan port
Mathias Kresin [Sat, 10 Sep 2016 09:05:56 +0000 (11:05 +0200)]
lantiq: xrx200: use vlan for ethernet wan port

Using the lantiq,wan device tree property for one interface node and
the lantiq,switch device tree property for another interface node at
the same time was never intended/isn't supported at the moment.

The property is meant to be used in two phy operation mode where one
phy is assigned to an interface without lantiq,* device tree property
and the other phy is assigned to an interface with the lantiq,wan
device property to have two netdevs.

If both properties are used at the same time, the lantiq,wan interface
is shown as independent netdev but not able to operate independent. The
port needs to be managed via swconfig. These dependency is not obvious
and fooled already a lot of users.

Add a default WAN vlan for xrx200 devices having an ethernet WAN port
and remove the lantiq,wan device tree property. Leave it up to the user
to set the ethernet WAN port as default WAN interface or to use this
port as additional LAN port.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agox86: disable X2APIC support for legacy subtargets
Jo-Philipp Wich [Thu, 1 Jun 2017 23:47:47 +0000 (01:47 +0200)]
x86: disable X2APIC support for legacy subtargets

Explicitely disable X2APIC support on legacy targets since the targeted
processor types do not support it anyway there.

Fixes FS#285.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoumdns: remove superfluous include in init script
Jo-Philipp Wich [Thu, 1 Jun 2017 23:26:20 +0000 (01:26 +0200)]
umdns: remove superfluous include in init script

The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agodnsmasq: bump to 2.77
Jo-Philipp Wich [Thu, 1 Jun 2017 22:12:34 +0000 (00:12 +0200)]
dnsmasq: bump to 2.77

This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agodnsmasq: make tftp root if not existing
Alberto Bursi [Tue, 2 May 2017 17:31:17 +0000 (19:31 +0200)]
dnsmasq: make tftp root if not existing

If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
7 years agodnsmasq: use logical interface name for dhcp relay config
Karl Vogel [Wed, 29 Mar 2017 09:39:35 +0000 (11:39 +0200)]
dnsmasq: use logical interface name for dhcp relay config

The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
7 years agodnsmasq: don't point --resolv-file to default location unconditionally
Philip Prindeville [Tue, 14 Mar 2017 18:58:37 +0000 (12:58 -0600)]
dnsmasq: don't point --resolv-file to default location unconditionally

If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
7 years agoar71xx: fix Wallys DR344 GPIO-connected LEDs and button
Piotr Dymacz [Mon, 29 May 2017 19:32:11 +0000 (21:32 +0200)]
ar71xx: fix Wallys DR344 GPIO-connected LEDs and button

This fixes wrong GPIO numbers for LEDs and button in Wallys DR344 board
and sets color of all LEDs to green as the mass production boards have
only green one.

Actually, DR344 has 6 GPIO-connected LEDs and one button:

- GPIO11: status
- GPIO12: sig1
- GPIO13: sig2
- GPIO14: sig3
- GPIO15: sig4
- GPIO16: reset button
- GPIO17: lan

WAN LED is connected directly with AR8035 PHY.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agoar71xx: set GE interface as wan by default in Wallys DR344
Piotr Dymacz [Mon, 29 May 2017 19:25:03 +0000 (21:25 +0200)]
ar71xx: set GE interface as wan by default in Wallys DR344

This aligns default network interfaces configuration with vendor
firmware: GE (eth0) -> wan, FE (eth1) -> lan.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agoar71xx: fix GE interface support in Wallys DR344
Piotr Dymacz [Mon, 29 May 2017 17:18:52 +0000 (19:18 +0200)]
ar71xx: fix GE interface support in Wallys DR344

GMAC0 interface of AR9344 SOC in Wallys DR344 board is connected with
AR8035, not with AR8327. Without this fix, GE interface doesn't work at
all or shows high packet loss ratio.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
7 years agotoolchain/gdb: update to version 7.12.1
Etienne Haarsma [Sun, 5 Feb 2017 12:37:52 +0000 (13:37 +0100)]
toolchain/gdb: update to version 7.12.1

Update gdb to version 7.12.1.

GDB 7.12.1 brings the following fixes and enhancements over GDB 7.12:

   * PR tdep/20682 (aarch64 regression: gdb.cp/nextoverthrow.exp)
   * PR server/20733 (Failed to build aarch64_be-linux-gnu GDBserver)
   * PR tdep/20953 (GDB crashes after "set architecture rl78")
   * PR tdep/20954 (GDB crashes if "set architecture rx")
   * PR tdep/20955 (GDB internal error in cris-tdep.c)
   * PR build/20712 (gdb 7.12+ doesn't build as C++ on Solaris)
   * PR breakpoint/20653 (string_to_explicit_location has some weird code)
   * PR build/20753 (MinGW compilation errors due to strcasecmp)
   * PR gdb/20977 (GDB exception handling is broken on i686-w64-mingw32)
   * PR python/21048 (backtrace is broken on i686)
   * PR sim/20808 (mips sim build fails due to undefined SD/CPU variables)
   * PR sim/20809 (mips sim build fails for r3900 cpus)
   * PR gdb/20939 (GDB aborts

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
7 years agousbmode: update usb-modeswitch-data to 20170205
Julian Labus [Wed, 24 May 2017 14:32:17 +0000 (16:32 +0200)]
usbmode: update usb-modeswitch-data to 20170205

add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>
7 years agousbmode: update to latest version
Julian Labus [Wed, 24 May 2017 14:32:16 +0000 (16:32 +0200)]
usbmode: update to latest version

453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>
7 years agousbmode: Update to latest HEAD
Florian Fainelli [Sun, 12 Feb 2017 21:59:50 +0000 (13:59 -0800)]
usbmode: Update to latest HEAD

Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
7 years agosamba: bump PKG_RELEASE
Jo-Philipp Wich [Sat, 27 May 2017 10:15:06 +0000 (12:15 +0200)]
samba: bump PKG_RELEASE

The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agofirewall: resync with master
Jo-Philipp Wich [Sun, 19 Feb 2017 18:04:09 +0000 (19:04 +0100)]
firewall: resync with master

Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agomac80211, hostapd: always explicitly set beacon interval
Matthias Schiffer [Sat, 13 May 2017 14:17:44 +0000 (16:17 +0200)]
mac80211, hostapd: always explicitly set beacon interval

One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agohostapd: add legacy_rates option to disable 802.11b data rates.
Nick Lowe [Mon, 27 Mar 2017 09:50:23 +0000 (10:50 +0100)]
hostapd: add legacy_rates option to disable 802.11b data rates.

Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
7 years agoipq806x: fix Netgear X4 R7500 ath10k firmware selection
Thomas Reifferscheid [Fri, 17 Mar 2017 13:01:34 +0000 (14:01 +0100)]
ipq806x: fix Netgear X4 R7500 ath10k firmware selection

Netgear X4 R7500 comes with a QCA988X. Select a firmware that matches
the ath10k chipset

Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
7 years agotreewide: select ath10k firmware explicit
Mathias Kresin [Fri, 17 Mar 2017 18:36:06 +0000 (19:36 +0100)]
treewide: select ath10k firmware explicit

Do not rely on the default firmware selected by ath10k.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agoath10k-firmware: do not select the qca988x by default
Mathias Kresin [Fri, 17 Mar 2017 18:54:55 +0000 (19:54 +0100)]
ath10k-firmware: do not select the qca988x by default

Do not select the qca988x by default as soon as kmod-ath10k is
selected. We do support more ath10k chips than the qca988x in the
meantime, so this dependency doesn't make sense any longer.

Signed-off-by: Mathias Kresin <dev@kresin.me>
7 years agobuild: fix possible issue with kmod package having multiple AutoLoad's
Yousong Zhou [Sat, 27 May 2017 02:22:02 +0000 (10:22 +0800)]
build: fix possible issue with kmod package having multiple AutoLoad's

This commit contains the following changes

 - Use local shell var where appliable
 - The $(sort $$$$$$$$mods) call will have no expected effect
 - Avoid EEXIST when creating symlinks in /etc/modules-boot.d/
 - Avoid duplicate arguments for insert_modules() in postinst-pkg

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 years agokernel: update kernel 4.4 to 4.4.70
Hauke Mehrtens [Fri, 26 May 2017 22:18:01 +0000 (00:18 +0200)]
kernel: update kernel 4.4 to 4.4.70

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agokernel: fix autoloading arch-specific modules
Yousong Zhou [Thu, 25 May 2017 06:41:34 +0000 (14:41 +0800)]
kernel: fix autoloading arch-specific modules

Fixes FS#745

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 years agobacklight-pwm: fix module description
Yousong Zhou [Thu, 25 May 2017 06:40:36 +0000 (14:40 +0800)]
backlight-pwm: fix module description

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 years agokernel: update kernel 4.4 to 4.4.69
Stijn Segers [Wed, 24 May 2017 20:39:28 +0000 (22:39 +0200)]
kernel: update kernel 4.4 to 4.4.69

Bump the 17.01 tree kernel to 4.4.69. Trunk 4.4 and 17.01 4.4 have diverged, talked this
through with jow, he was okay with a clean diff against 17.01 and not a backported trunk
patch.

The following patches were applied upstream:

* 062-[1-6]-MIPS-* series
* 042-0004-mtd-bcm47xxpart-fix-parsing-first-block

Reintroduced lantiq/patches-4.4/0050-MIPS-Lantiq-Fix-cascaded-IRQ-setup, as
it was incorrectly included upstream thus dropped from LEDE, but subsequently
reverted upstream. Thanks to Kevin Darbyshire-Bryant for pointing me to it.

  Compile-tested on: ar71xx, ramips/mt7621, x86/64.

  Run-tested on: ar71xx, ramips/mt7621, x86/64.

Signed-off-by: Stijn Segers <francesco.borromini@inventati.org>
7 years agobinutils: fix build with host gcc < 4.9
Hauke Mehrtens [Sun, 2 Apr 2017 15:40:43 +0000 (17:40 +0200)]
binutils: fix build with host gcc < 4.9

binutils 2.27 checks if the target compiler supports -Wstack-
usage=262144, and also uses this setting for the host compiler. If the
host compiler is gcc < 4.9 binutils build will fail. This backports 2
commits which are fixing this problem for binutils 2.28.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agoutil-linux: fix build with uclibc
Hauke Mehrtens [Thu, 13 Apr 2017 16:07:05 +0000 (18:07 +0200)]
util-linux: fix build with uclibc

Fix build of scriptreplay with uClibc.
Some parts of the libm detection were backported to 2.29.2, but some
parts were missing, which are added here. This patch is needed when
libm is a separate library, this is not needed for LEDE master, because
libm is there integrated in the libc for uClibc and musl.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
7 years agodropbear: bump to 2017.75
Kevin Darbyshire-Bryant [Sat, 20 May 2017 11:54:11 +0000 (12:54 +0100)]
dropbear: bump to 2017.75

- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
7 years agosamba: fix CVE-2017-7494
Stijn Tintel [Wed, 24 May 2017 12:44:03 +0000 (14:44 +0200)]
samba: fix CVE-2017-7494

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da77d8833a725f99f6fa08640678a1ae)