Jan Pavlinec [Wed, 25 Nov 2020 01:04:00 +0000 (02:04 +0100)]
tcpdump: patch CVE-2020-8037
This PR backports upstream fix for CVE-2020-8037. This fix is only
relevant for tcpdump package, tcpdump-mini is not affeted by this issue.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
5bb3cc749ee0d08d82acda3c084ff759f3829a91)
Sven Eckelmann [Sun, 22 Nov 2020 00:17:35 +0000 (01:17 +0100)]
kernel: mtd: parser: cmdline: Fix parsing of part-names with colons
Some devices (especially QCA ones) are already using hardcoded partition
names with colons in it. The OpenMesh A62 for example provides following
mtd relevant information via cmdline:
root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait
The change to split only on the last colon between mtd-id and partitions
will cause newpart to see following string for the first partition:
KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive)
Such a partition list cannot be parsed and thus the device fails to boot.
Avoid this behavior by making sure that the start of the first part-name
("(") will also be the last byte the mtd-id split algorithm is using for
its colon search.
Fixes:
9c718b5478ac ("kernel: bump 4.14 to 4.14.200")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(backported from commit
223eec7e81f8506592fc89cf79a2f14360f5c57b)
Petr Štetiar [Fri, 20 Nov 2020 12:13:27 +0000 (13:13 +0100)]
musl: handle wcsnrtombs destination buffer overflow (CVE-2020-28928)
The wcsnrtombs function in all musl libc versions up through 1.2.1 has
been found to have multiple bugs in handling of destination buffer
size when limiting the input character count, which can lead to
infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffera.
This function is not used internally in musl and is not widely used,
but does appear in some applications. The non-input-limiting form
wcsrtombs is not affected.
All users of musl 1.2.1 and prior versions should apply the attached
patch, which replaces the overly complex and erroneous implementation.
The upcoming 1.2.2 release will adopt this new implementation.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
4d4ef1058c0f10aa2fa4070cd6b9db4d48b94148)
Petr Štetiar [Tue, 24 Nov 2020 08:21:12 +0000 (09:21 +0100)]
ar71xx,ath79: refresh 910-unaligned_access_hacks.patch
Commit
c9c7b4b3945c ("kernel: add netfilter-actual-sk patch") has
touched net/ipv6/netfilter/ip6table_mangle.c which in turn has affected
910-unaligned_access_hacks.patch so the patch needs to be refreshed.
Fixes:
c9c7b4b3945c ("kernel: add netfilter-actual-sk patch")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Aaron Goodman [Sun, 15 Nov 2020 04:51:38 +0000 (23:51 -0500)]
kernel: add netfilter-actual-sk patch
Backport of linux kernel commit
46d6c5a to 4.14 kernel.
netfilter: use actual socket sk rather than skb sk when routing harder
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Jo-Philipp Wich [Fri, 20 Nov 2020 21:50:57 +0000 (22:50 +0100)]
uhttpd: update to 19.07 Git HEAD
3abcc89 client: fix spurious keepalive connection timeouts
Fixes: FS#3443
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
RISCi_ATOM [Fri, 27 Nov 2020 19:32:38 +0000 (14:32 -0500)]
kernel : bump to 4.14.209
Alberto Bursi [Tue, 17 Nov 2020 07:58:40 +0000 (08:58 +0100)]
wireguard-tools: fix category/description in menuconfig
wireguard-tools is trying to import the menuconfig section
from the wireguard package, but since it's not anymore in
the same makefile this seems to fail and wireguard-tools
ends up in "extra packages" category instead with other
odds and ends.
Same for the description, it's trying to import it from the
wireguard package but it fails so it only shows the line
written in this makefile.
remove the broken imports and add manually the entries
and description they were supposed to load
Fixes:
ea980fb9c6de ("wireguard: bump to
20191226")
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
[fix trailing whitespaces, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Jason A. Donenfeld [Thu, 12 Nov 2020 09:14:18 +0000 (10:14 +0100)]
wireguard: bump to 1.0.
20201112
* noise: take lock when removing handshake entry from table
This is a defense in depth patch backported from upstream to account for any
future issues with list node lifecycles.
* netns: check that route_me_harder packets use the right sk
A test for an issue that goes back to before Linux's git history began. I've
fixed this upstream, but it doesn't look possible to put it into the compat
layer, as it's a core networking problem. But we still test for it in the
netns test and warn on broken kernels.
* qemu: drop build support for rhel 8.2
We now test 8.3+.
* compat: SYM_FUNC_{START,END} were backported to 5.4
* qemu: bump default testing version
The real motivation for this version bump: 5.4.76 made a change that broke our
compat layer.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Hauke Mehrtens [Tue, 27 Oct 2020 23:16:38 +0000 (00:16 +0100)]
uci: Backport security fixes
This packports two security fixes from master.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
f9005d4f80dee3dcc257d4613cbc46668faad094)
Hauke Mehrtens [Wed, 30 Sep 2020 21:19:02 +0000 (23:19 +0200)]
firewall: options: fix parsing of boolean attributes
Boolean attributes were parsed the same way as string attributes,
so a value of { "bool_attr": "true" } would be parsed correctly, but
{ "bool_attr": true } (without quotes) was parsed as false.
Fixes FS#3284
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
7f676b5ed6a2bcd6786a0fcb6a6db3ddfeedf795)
Felix Fietkau [Thu, 17 Sep 2020 10:09:23 +0000 (12:09 +0200)]
mac80211: do not allow bigger VHT MPDUs than the hardware supports
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
caf727767ab5c8f8d884ef458c74726a8e610d96)
[Refreshed patch]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Chuanhong Guo [Mon, 21 Sep 2020 06:57:44 +0000 (14:57 +0800)]
ath79: ar8216: make switch register access atomic
reg accesses on integrated ar8229 sometimes fails. As a result, phy read
got incorrect port status and wan link goes down and up mysteriously.
After comparing ar8216 with the old driver, these local_irq_save/restore
calls are the only meaningful differences I could find and it does fix
the issue.
The same changes were added in svn r26856 by Gabor Juhos:
ar71xx: ag71xx: make switch register access atomic
As I can't find the underlying problem either, this hack is broght
back to fix the unstable link issue.
This hack is only suitable for ath79 mdio and may easily break the
driver on other platform. Limit it to ath79-only as a target patch.
Fixes: FS#2216
Fixes: FS#3226
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
(cherry picked from commit
86fdc8abed5992a74078b000b5ff9da723b6f46b)
RISCi_ATOM [Thu, 22 Oct 2020 13:27:00 +0000 (09:27 -0400)]
kernel : Bump to 4.14.202
Hauke Mehrtens [Sat, 4 Jul 2020 18:36:16 +0000 (20:36 +0200)]
kernel: fix nand_release() usage.
nand_release() takes nand_chip since commit
5bcfcbfc4019 ("mtd: rawnand:
Pass a nand_chip object to nand_release()")
Fixes:
f4985a22ca1b ("kernel: Update kernel 4.14 to version 4.14.187")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Wed, 30 Sep 2020 20:39:00 +0000 (16:39 -0400)]
librecmc: Bump version to v1.5.3
Yousong Zhou [Sun, 26 Jul 2020 10:22:53 +0000 (18:22 +0800)]
firewall: backport patch for mss clamping in both directions
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Jo-Philipp Wich [Fri, 22 Nov 2019 17:53:03 +0000 (18:53 +0100)]
firewall: update to latest Git HEAD
8174814 utils: persist effective extra_src and extra_dest options in state file
72a486f zones: fix emitting match rules for zones with only "extra" options
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
482114d3f78df2a19904cc8edf7d9adcfdbb8625)
Magnus Kroken [Fri, 24 Jul 2020 12:15:17 +0000 (14:15 +0200)]
busybox: delete redundant patch
This problem has been fixed in upstream commit
6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly)
adds the same definition a second time.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit
4165232c45df224f32a94f43b9938d13d643b2a8)
Magnus Kroken [Tue, 1 Sep 2020 20:28:25 +0000 (22:28 +0200)]
mbedtls: update to 2.16.8
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.
* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Hauke Mehrtens [Tue, 1 Sep 2020 12:50:52 +0000 (14:50 +0200)]
wolfssl: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk 391.545
new:
libwolfssl24_4.5.0-stable-2_mips_24kc.ipk 387.439
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Paul Spooren [Sat, 29 Aug 2020 08:20:18 +0000 (22:20 -1000)]
wolfssl: add certgen config option
The option allows to generate certificates.
Signed-off-by: Paul Spooren <mail@aparcar.org>
RISCi_ATOM [Tue, 29 Sep 2020 16:59:33 +0000 (12:59 -0400)]
luci: Add support for wolfssl as an alternative to mbedtls.
Upstream is moving towards using wolfssl as the default libssl and
this change allows for users to use wolfssl with luci.
* Adds wolfssl variant of px5g
* Adds luci-ssl-wolfssl pkg
Jason A. Donenfeld [Tue, 8 Sep 2020 16:30:01 +0000 (18:30 +0200)]
wireguard-tools: bump to 1.0.
20200827
* ipc: split into separate files per-platform
This is in preparation for FreeBSD support, which I had hoped to have this
release, but we're still waiting on some tooling fixes, so hopefully next
wg(8) will support that. Either way, the code base is now a lot more amenable
to adding more kernel platform support.
* man: wg-quick: use syncconf instead of addconf for strip example
Simple documentation fix.
* pubkey: isblank is a subset of isspace
* ctype: use non-locale-specific ctype.h
In addition to ensuring that isalpha() and such isn't locale-specific, we also
make these constant time, even though we're never distinguishing between bits
of a secret using them. From that perspective, though, this is markedly better
than the locale-specific table lookups in glibc, even though base64 characters
span two cache lines and valid private keys must hit both. This may be useful
for other projects too: https://git.zx2c4.com/wireguard-tools/tree/src/ctype.h
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Eneas U de Queiroz [Mon, 28 Sep 2020 10:46:33 +0000 (07:46 -0300)]
openssl: bump to 1.1.1h
This is a bug-fix release. Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
475838de1a33d49d1a0b81aad374a8db6dd2b3c8)
Rozhuk Ivan [Sat, 16 Nov 2019 02:10:05 +0000 (05:10 +0300)]
comgt: fix hotplug event handling
Hotplug manager send: "remove" -> "add" -> "bind" events,
script interpret bind as "not add" = "remove" and mark device
as unavailable.
Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit
4821ff064b735c320ae2625a739018d1fc7d6457)
Fixes: FS#3351
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
RISCi_ATOM [Mon, 28 Sep 2020 22:06:31 +0000 (18:06 -0400)]
kernel : bump to 4.14.199
Jason A. Donenfeld [Tue, 8 Sep 2020 16:28:30 +0000 (18:28 +0200)]
wireguard: bump to 1.0.
20200908
* compat: backport kfree_sensitive and switch to it
* netlink: consistently use NLA_POLICY_EXACT_LEN()
* netlink: consistently use NLA_POLICY_MIN_LEN()
* compat: backport NLA policy macros
Backports from upstream changes.
* peerlookup: take lock before checking hash in replace operation
A fix for a race condition caught by syzkaller.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Hauke Mehrtens [Thu, 27 Aug 2020 10:09:58 +0000 (12:09 +0200)]
hostapd: Fix compile errors after wolfssl update
This fixes the following compile errors after the wolfssl 4.5.0 update:
LD wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
type = GEN_EMAIL;
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
type = GEN_DNS;
^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
type = GEN_URI;
^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
if (gen->type != GEN_EMAIL &&
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
gen->type != GEN_DNS &&
^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
gen->type != GEN_URI)
^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed
Fixes:
00722a720c77 ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Thu, 27 Aug 2020 15:45:28 +0000 (11:45 -0400)]
curl: Bump to 7.72.0
* Removes previous CVE patches.
* Uses wolfssl as the default.
Hauke Mehrtens [Mon, 24 Aug 2020 10:11:29 +0000 (12:11 +0200)]
wolfssl: Update to version 4.5.0
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
channel attacks are present.
* Leak of private key in the case that PEM format private keys are
bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
processed and returned to the application.
Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/
Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255
The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Eneas U de Queiroz [Tue, 26 May 2020 13:45:22 +0000 (10:45 -0300)]
wolfssl: use -fomit-frame-pointer to fix asm error
32-bit x86 fail to compile fast-math feature when compiled with frame
pointer, which uses a register used in a couple of inline asm functions.
Previous versions of wolfssl had this by default. Keeping an extra
register available may increase performance, so it's being restored for
all architectures.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Fri, 1 May 2020 15:06:48 +0000 (12:06 -0300)]
wolfssl: update to 4.4.0-stable
This version adds many bugfixes, including a couple of security
vulnerabilities:
- For fast math (enabled by wpa_supplicant option), use a constant time
modular inverse when mapping to affine when operation involves a
private key - keygen, calc shared secret, sign.
- Change constant time and cache resistant ECC mulmod. Ensure points
being operated on change to make constant time.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
RISCi_ATOM [Mon, 14 Sep 2020 20:44:06 +0000 (16:44 -0400)]
kernel: Bump to 4.14.198
RISCi_ATOM [Fri, 4 Sep 2020 18:53:33 +0000 (14:53 -0400)]
kernel: Bump to 4.14.196
RISCi_ATOM [Thu, 27 Aug 2020 02:59:48 +0000 (22:59 -0400)]
kernel: Bump to 4.14.195
RISCi_ATOM [Mon, 24 Aug 2020 17:19:44 +0000 (13:19 -0400)]
kernel: Bump to 4.14.194
RISCi_ATOM [Sun, 9 Aug 2020 00:39:17 +0000 (20:39 -0400)]
kernel: Bump to 4.14.193
RISCi_ATOM [Tue, 4 Aug 2020 20:58:18 +0000 (16:58 -0400)]
kernel: Bump kernel to 4.14.191
Remove:
* mvebu/patches-4.14/526-PCI-aardvark-disable-LOS-state-by-default.patch
* Normal refresh
RISCi_ATOM [Fri, 10 Jul 2020 19:10:07 +0000 (15:10 -0400)]
kernel: Bump to 4.14.187
RISCi_ATOM [Mon, 10 Aug 2020 15:50:51 +0000 (11:50 -0400)]
mac80211: Update to 4.19.137-1
Hauke Mehrtens [Sat, 29 Aug 2020 17:23:57 +0000 (19:23 +0200)]
mac80211: Fix potential endless loop
Backport a fix from kernel 5.8.3.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
ca5ee6eba34593ec9f8b5b195c94cf6c3f6ff914)
Jason A. Donenfeld [Thu, 6 Aug 2020 18:38:16 +0000 (14:38 -0400)]
wireguard: bump to 1.0.
20200729
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta
This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.
* compat: allow override of depmod basedir
When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.
* compat: add missing headers for ip_tunnel_parse_protocol
This fixes compilation with some unusual configurations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
RISCi_ATOM [Mon, 3 Aug 2020 17:12:34 +0000 (13:12 -0400)]
tor: update to version 0.4.3.6 (security fix)
Applicable CVEs:
* CVE-2020-15572
Notes:
* Removes libssp hack : Upstream pkg. feed:
0df6c58f82f0b84ca08696d9d0760d425ce11917
Leon M. George [Thu, 30 Apr 2020 08:26:36 +0000 (10:26 +0200)]
mac80211: fix use of local variable
mac80211_get_addr is called from mac80211_generate_mac, where the local variable
initialisation id="${macidx:-0}" suggests that macidx is not always defined.
Probably, idx was supposed to be used instead of $(($macidx + 1)).
Fixes:
4d99db168cf7 ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set")
Signed-off-by: Leon M. George <leon@georgemail.eu>
(cherry picked from commit
8f95220bcb554b1b668114e5264ebce4028c5f93)
Hans Dedecker [Sat, 6 Jun 2020 12:00:37 +0000 (14:00 +0200)]
nghttp2: bump to 1.41.0
8f7b008b Update bash_completion
83086ba9 Update manual pages
c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr
3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20
881c060d Update AUTHORS
f8da73bd Earlier check for settings flood
336a98fe Implement max settings option
ef415836 Revert "Add missing connection error handling"
979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2
b7d16101 Add missing connection error handling
cd53bd81 Merge pull request #1460 from gportay/patch-1
e5625b8c Fix doc
c663349f integration: Add PROXY protocol v2 tests
854e9fe3 nghttpx: Always call init_forwarded_for
c60ea227 Update doc
49cd8e6e nghttpx: Add PROXY-protocol v2 support
3b17a659 Merge pull request #1453 from Leo-Neat/master
600fcdf5 Merge pull request #1455 from xjtian/long_serials
4922bb41 static_cast size parameter in StringRef constructor to size_t
aad86975 Fix get_x509_serial for long serial numbers
dc7a7df6 Adding CIFuzz
b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue
ffb49c6c Merge pull request #1435 from geoffhill/master
2ec58551 Fix receiving stream data stall
459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp
a4c1fed5 Bump llhttp to 2.0.4
866eadb5 Enable session_create_idle_stream test, fix errors
5e13274b Fix typo
e0d7f7de h2load: Allow port in --connect-to
df575f96 h2load: add --connect-to option
1fff7379 clang-format-9
b40c6c86 Merge pull request #1418 from vszakats/patch-1
9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional
2d5f7659 Bump up version number to 1.41.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Note this is cherry-pick from master. It fixes CVE-2020-11080
and https://github.com/nxhack/openwrt-node-packages/issues/679
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Magnus Kroken [Mon, 27 Jul 2020 14:36:42 +0000 (10:36 -0400)]
mbedtls: update to 2.16.7
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).
Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Jan Pavlinec [Wed, 29 Jul 2020 12:24:38 +0000 (14:24 +0200)]
curl: patch CVE-2020-8169
Affected versions: curl 7.62.0 to and including 7.70.0
https://curl.haxx.se/docs/CVE-2020-8169.html
Run tested on Omnia with OpenWrt 19.07
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
RISCi_ATOM [Mon, 29 Jun 2020 17:00:05 +0000 (13:00 -0400)]
Merge branch 'v1.5' into LTS : v1.5.2
RISCi_ATOM [Fri, 26 Jun 2020 01:53:32 +0000 (21:53 -0400)]
Bump version to v1.5.2
RISCi_ATOM [Fri, 26 Jun 2020 01:26:28 +0000 (21:26 -0400)]
mvebu: Add basic support for WRT1900AC (v1) and Turris Omnia (pre 2019)
This adds basic support for the WRT1900AC and Turris Omnia. In order
to continue to use these as wifi routers, some or all of the wifi
modules will need to be replaced, preferably with an ath9k based
chipset. Keep in mind that not all ath9k chipsets work well in
AP mode.
WRT1900AC:
* The original issue with this router, in addition to the non-free
wifi, was an init / learning blob needed for the DDR3 memory. This
issue was resolved in 2015, but there were some stability issues.
* The Marvell wifi chipset is not supported and will need to be
removed or replaced.
* RISCi_ATOM was not able to successfully flash upstream u-boot.
It's most likely a configuration or build issue.
* libreCMC can be installed from the stock firmware web-ui using
the *-factory.img.
Turris Omnnia:
* The ath10k wifi chipset will need to be removed.
* Full support is not ready yet; it works with some hacks.
* Upstream u-boot can be built and flashed; the libreCMC
toolchain was used to build it.
Taken from upstrem openwrt-19.07 @
153392e209c5110448db9e1e7ce9a3566f124b37
RISCi_ATOM [Fri, 26 Jun 2020 00:20:26 +0000 (20:20 -0400)]
wireguard: bump to 1.0.
20200623
RISCi_ATOM [Thu, 25 Jun 2020 01:53:24 +0000 (21:53 -0400)]
kernel: Bump to 4.14.185
Jo-Philipp Wich [Wed, 17 Jun 2020 20:21:29 +0000 (22:21 +0200)]
uclient: update to 19.07 Git HEAD
51e16eb uclient-fetch: add option to read POST data from file
99aebe3 uclient: Add string error function
Fixes:
0c910d8459 ("uclient: Update to version 2020-06-17")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Christian Lamparter [Sun, 7 Jun 2020 20:57:46 +0000 (22:57 +0200)]
ath79: wndr3700 series: fix wifi range & throughput
This patch adds ar71xx's GPIO setup for the 2.4GHz and 5GHz antennae
demultiplexer:
| 158 /* 2.4 GHz uses the first fixed antenna group (1, 0, 1, 0) */
| 159 ap9x_pci_setup_wmac_gpio(0, (0xf << 6), (0xa << 6));
| 160
| 161 /* 5 GHz uses the second fixed antenna group (0, 1, 1, 0) */
| 162 ap9x_pci_setup_wmac_gpio(1, (0xf << 6), (0x6 << 6));
This should restore the range and throughput of the 2.4GHz radio
on all the derived wndr3700 variants and versions with the AR7161 SoC.
A special case is the 5GHz radio. The original wndr3700(v1) will
benefit from this change. However the wndr3700v2 and later revisions
were unaffected by the missing bits, as there is no demultiplexer
present in the later designs.
This patch uses gpio-hogs within the device-tree for all
wndr3700/wndr3800/wndrmac variants.
Notes:
Based on the PCB pictures, the WNDR3700(v1) really had eight
independent antennae. Four antennae for each radio and all of
those were printed on the circut board.
The WNDR3700v2 and later have just six antennae. Four of those
are printed on the circuit board and serve the 2.4GHz radio.
Whereas the remaining two are special 5GHz Rayspan Patch Antennae
which are directly connected to the 5GHz radio.
Hannu Nyman dug pretty deep and unearthed a treasure of information
regarding the history of how these values came to be in the OpenWrt
archives: <https://dev.archive.openwrt.org/ticket/6533.html>.
Mark Mentovai came across the fixed antenna group when he was looking
into the driver:
fixed_antenna_group 1, (0, 1, 0, 1)
fixed_antenna_group 2, (0, 1, 1, 0)
fixed_antenna_group 3, (1, 0, 0, 1)
fixed_antenna_group 4, (1, 0, 1, 0)
Fixes: FS#3088
Reported-by: Luca Bensi
Reported-by: Maciej Mazur
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Debugged-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit
61307544d1f1ab81a2eb3a200164456c59308d81)
Christian Lamparter [Sun, 7 Jun 2020 15:22:02 +0000 (17:22 +0200)]
ca-certificates: update to version
20200601
This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.
A list of changes from Debian's change-log entry for
20200601 [0]:
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.40.
Closes: #956411, #955038
* mozilla/blacklist.txt
Add distrusted Symantec CA list to blacklist for explicit removal.
Closes: #911289
Blacklist expired root certificate, "AddTrust External Root"
Closes: #961907
The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"
The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"
[0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit
f611b014a713d82d7c7da4c171f3aa04a8984063)
RISCi_ATOM [Fri, 12 Jun 2020 20:02:45 +0000 (16:02 -0400)]
build: Switch to Python3
Petr Štetiar [Sat, 27 Jul 2019 22:33:32 +0000 (00:33 +0200)]
scons: move to packages feed
This patch removes scons host build tool, as commit
7087efd72a8d
("scons: move host build tool to a proper place") in the packages feed
has moved scons into the new home.
There are currently no packages in the master tree which would need
scons, yet scons is build always as part of host tools, just in order to
satisfy host build dependency of few packages in the packages feeds.
Ref: https://github.com/openwrt/packages/pull/9584
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Lech Perczak [Fri, 29 May 2020 19:56:18 +0000 (21:56 +0200)]
ar71xx: fix reset key for TP-Link TL-WR802N V1/V2
During porting support for this router to ath79 target
it was discovered that GPIO mapping was incorrect (GPIO11 active high).
Correct mapping for both V1 and V2 is GPIO12 active low.
Default configuration from GPL source for V2 explicitly states this, and
this was confirmed experimentally on ath79 by looking on
/sys/kernel/debug/gpio. Correctness of this was also validated for V1 by
cross-flashing vendor firmware for V1 on V2 hardware, in which reset
button also worked.
Fix it.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[slightly adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit
f841e706403b1a111cbb6dc5930b7886307bf633)
John Crispin [Mon, 6 Apr 2020 05:04:38 +0000 (07:04 +0200)]
generic: fix flow table hw offload
Make the driver work with recent upstream changes.
Fixes: FS#2632
Ref: https://github.com/openwrt/openwrt/pull/2815
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit
6786dc26a205da55ec2d9771693cdfb99e756e59)
David Bauer [Sat, 30 May 2020 14:24:03 +0000 (16:24 +0200)]
ar71xx: correct button type for TL-MR3020 mode slider
The TP-Link TL-MR3020 has a three-state mode slider which was previously
integrated as a button (EV_KEY). This led to spurious activations of
failsafe mode.
Set the type for the button to switch (EV_SW), to avoid unintended
activations of failsafe mode.
Related: commit
27f3f493de06 ("gpio-button-hotplug: unify polled and
interrupt code")
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
b017a016cc0cd26f84a7e6b8de3dc02dc101e888)
Jo-Philipp Wich [Fri, 29 May 2020 08:34:58 +0000 (10:34 +0200)]
qos-scripts: fix interface resolving
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.
Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
559b3384666bbc6e4e9e6d86cf54bd88d30b341f)
Matthias Schiffer [Sat, 23 May 2020 19:16:44 +0000 (21:16 +0200)]
musl: fix locking synchronization bug
Import proposed upstream fix [2] for the critical locking
synchronization bug recently found in musl [1].
This affects all programs that are temporarily multithreaded, but then
return to single-threaded operation.
[1] https://www.openwall.com/lists/musl/2020/05/22/3
[2] https://www.openwall.com/lists/musl/2020/05/22/10
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
10c211031ccd4703230493025a5a3b9d6fcad2f2)
Felix Fietkau [Tue, 26 May 2020 08:45:06 +0000 (10:45 +0200)]
libubox: update to the latest version
86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
b371182d2450b3c4f15cbe790351d92a2a7b5a67)
Rafał Miłecki [Sun, 24 May 2020 14:30:02 +0000 (16:30 +0200)]
libubox: update to the latest master
5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)
Jo-Philipp Wich [Thu, 27 Feb 2020 21:03:18 +0000 (22:03 +0100)]
libubox: update to latest Git HEAD
7da6643 tests: blobmsg: add test case
75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array
Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
955634b473284847e3c8281a6ac85655329d8b06)
Jo-Philipp Wich [Tue, 26 May 2020 15:29:09 +0000 (17:29 +0200)]
rpcd: update to latest openwrt-19.07 Git HEAD
67c8a3f uci: reset uci_ptr flags when merging options during section add
970ce1a session: deny access if password login is disabled
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jason A. Donenfeld [Wed, 20 May 2020 01:39:08 +0000 (19:39 -0600)]
wireguard-tools: bump to 1.0.
20200513
* ipc: add support for openbsd kernel implementation
* ipc: cleanup openbsd support
* wg-quick: add support for openbsd kernel implementation
* wg-quick: cleanup openbsd support
Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for
OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged
and supported WireGuard kernel support. We'll probably send our patch set up
to the list during this next week. `ifconfig wg0 create` to make an interface,
and `wg ...` like usual to configure WireGuard aspects of it, like usual.
* wg-quick: support dns search domains
If DNS= has a non-IP in it, it is now treated as a search domain in
resolv.conf. This new feature will be rolling out across our various GUI
clients in the next week or so.
* Makefile: simplify silent cleaning
* ipc: remove extra space
* git: add gitattributes so tarball doesn't have gitignore files
* terminal: specialize color_mode to stdout only
Small cleanups.
* highlighter: insist on 256-bit keys, not 257-bit or 258-bit
The highlighter's key checker is now stricter with base64 validation.
* wg-quick: android: support application whitelist
Android users can now have an application whitelist instead of application
blacklist.
* systemd: add wg-quick.target
This enables all wg-quick at .services to be restarted or managed as a unit via
wg-quick.target.
* Makefile: remember to install all systemd units
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld [Thu, 21 May 2020 04:43:08 +0000 (22:43 -0600)]
wireguard: bump to 1.0.
20200520
This version has the various slew of bug fixes and compat fixes and
such, but the most interesting thing from an OpenWRT perspective is that
WireGuard now plays nicely with cake and fq_codel. I'll be very
interested to hear from OpenWRT users whether this makes a measurable
difference. Usual set of full changes follows.
This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.
* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10
These enable the test suite to compile with gcc-10.
* noise: read preshared key while taking lock
Matt noticed a benign data race when porting the Linux code to OpenBSD.
* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter
WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png
* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings
The usual RHEL churn.
* compat: backport renamed/missing skb hash members
The new support for fq_codel and friends meant more backporting work.
* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4
The main motivation for releasing this now: three stable kernels were released
at the same time, with a patch that necessitated updating in our compat layer.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel Golle [Sat, 16 May 2020 21:23:41 +0000 (23:23 +0200)]
hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
631c437a91c20df678b25dcc34fe23636116a35a)
Matthias Schiffer [Sun, 24 May 2020 15:01:36 +0000 (17:01 +0200)]
ucert: update to latest git HEAD
00b921d80ac0 Do not print line number in debug messages
96c42c5ed320 Fix length checks in cert_load()
fe06b4b836b3 usign-exec: improve usign -F output handling
19f9e1917e1b usign-exec: return code fixes
077feb5b5824 usign-exec: close writing end of pipe early in parent process
7ec4bb764e1e usign-exec: remove redundant return statements
5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
112488bbbccc usign-exec: do not close stdin and stderr before exec
38dcb1a6f121 usign-exec: fix exec error handling
a9be4fb17df2 usign-exec: simplify usign execv calls
854d93e2326a Introduce read_file() helper, improve error reporting
afc86f352bf7 Fix return code of write_file()
fdff10852326 stdout/stderr improvements
dddb2aa8124d ci: fix unit test failures by enabling full ucert build
5f206bcfe5c2 ci: enable unit testing
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Hauke Mehrtens [Sun, 24 May 2020 10:23:31 +0000 (12:23 +0200)]
squashfs: Fix compile with GCC 10
Fixes the following build error with GCC 10:
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `swap'; mksquashfs.o:(.bss+0x1b2a88): first defined here
And a compile warning.
Fixes: FS#3104, FS#3119
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
1bbc1aa884902fd05cc579b53d68b2ba0b18683f)
Matthias Schiffer [Sat, 23 May 2020 11:38:12 +0000 (13:38 +0200)]
usign: update to latest git HEAD
f1f65026a941 Always pad fingerprints to 16 characters
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
e35e40ad824eab9d51cdd690fb747e576e01412f)
Hauke Mehrtens [Fri, 20 Sep 2019 23:05:42 +0000 (01:05 +0200)]
usign: update to latest Git HEAD
f34a383 main: fix some resource leaks
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
81e93fff7d867851f2fedd966a931336d4092686)
Robert Marko [Tue, 12 May 2020 20:18:33 +0000 (22:18 +0200)]
libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit
bc0288b76816578f5aeccb2abd679f82bfc5738e)
Daniel Golle [Tue, 12 May 2020 09:48:50 +0000 (10:48 +0100)]
fstools: blockd: fix segfault triggered by non-autofs mounts
Program received signal SIGSEGV, Segmentation fault.
main_autofs (argv=<optimized out>, argc=<optimized out>)
at fstools-2020-05-06-
eec16e2f/block.c:1193
1193: if (!m->autofs && (mp = find_mount_point(pr->dev))) {
Fixes:
3b9e4d6d4c4f ("fstools: update to the latest version")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
b181294b02499e41b6b6fa24163f59c9ee4988ed)
RISCi_ATOM [Thu, 21 May 2020 16:58:12 +0000 (12:58 -0400)]
kernel: Bump 4.14 to 4.14.180
Lech Perczak [Thu, 7 May 2020 22:41:36 +0000 (00:41 +0200)]
ath79: dts: add missing 'serial0' alias for TP-Link TL-MR3040v2
Out of all devices currently supported based on AR9331 chipset,
this one had the 'serial0' alias missing. Add it to fix setting of
/dev/console and login shell on the onboard UART.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit
94f344997769a9a18e2d73574d9d17785828955d)
RISCi_ATOM [Mon, 11 May 2020 04:49:25 +0000 (00:49 -0400)]
odhcpd: Fix PKG_MIRROR_HASH
fixes:
8d16c4e ("odhcpd: fix PKG_SOURCE_DATE")
Jo-Philipp Wich [Thu, 7 May 2020 20:47:47 +0000 (22:47 +0200)]
opkg: update to latest Git HEAD
f2166a8 libopkg: implement lightweight package listing logic
cf4554d libopkg: support passing callbacks to feed parsing functions
2a0210f opkg-cl: don't read feeds on opkg update
b6f1967 libopkg: use xsystem() to spawn opkg-key
60b9af2 file_util.c: refactor and fix checksum_hex2bin()
206ebae file_util.c: fix possible bad memory access in file_read_line_alloc()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
79da9d78b98e1cd4574a37e2c4c5f8315b91563d)
RISCi_ATOM [Thu, 7 May 2020 19:25:23 +0000 (15:25 -0400)]
wireguard: bump to 1.0.
20200506
* compat: timeconst.h is a generated artifact
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.
* selftests: initalize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
Some code readibility cleanups.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit
4f6343f)
(upstream commit :
81f3f6540e66e21be877b99e6524ff91bcea1805)
Hans Dedecker [Thu, 7 May 2020 05:59:40 +0000 (07:59 +0200)]
odhcpd: fix PKG_SOURCE_DATE
Fixes:
5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056))
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Hans Dedecker [Wed, 6 May 2020 19:20:09 +0000 (21:20 +0200)]
odhcpd: fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)
49e4949 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Jo-Philipp Wich [Wed, 6 May 2020 17:46:48 +0000 (19:46 +0200)]
ustream-ssl: update to 19.07 Git HEAD
40b563b ustream-openssl: clear error stack before SSL_read/SSL_write
30cebb4 ustream-ssl: mbedtls: fix ssl client verification
77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 6 May 2020 17:42:11 +0000 (19:42 +0200)]
uhttpd: update to 19.07 Git HEAD
975dce2 client: allow keep-alive for POST requests
d062f85 file: poke ustream after starting deferred program
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Rafał Miłecki [Wed, 6 May 2020 15:49:59 +0000 (17:49 +0200)]
fstools: update to the latest version
eec16e2 blockd: add optional "device" parameter to "info" ubus method
9ab936d block(d): always call hotplug.d "mount" scripts from blockd
4963db4 blockd: use uloop_process for calling /sbin/hotplug-call mount
cddd902 Truncate FAT filesystem label until 1st occurance of a blank (0x20)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
c3a43753b984657d1b65c666f776856cdf3af61d)
Felix Fietkau [Thu, 9 Apr 2020 12:25:51 +0000 (14:25 +0200)]
fstools: update to the latest version
84965b92f635 blockd: print symlink error code and string message
62c578c22f9d blockd: report "target" path as "mount" for autofs available mounts
d1f1f2b38fa1 block: remove mount target file if it's a link
830441d790d6 blockd: remove symlink linkpath file if it's a dir or link
c80f7002114f libfstools/mtd: attempt to read from OOB data if empty space is found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
b7d6e80feea21aac80d5bd25dc3a0dd5b148fec9)
Hauke Mehrtens [Mon, 4 May 2020 20:39:52 +0000 (22:39 +0200)]
mac80211: Update to version 4.19.120
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 18 Apr 2020 15:50:03 +0000 (17:50 +0200)]
dante: Fix compile with glibc
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.
This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1
Fixes:
aaf46a8fe23e ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
ce1798e915181e6c1f3ba735b254b37b84261303)
Yangbo Lu [Tue, 14 Apr 2020 07:24:50 +0000 (15:24 +0800)]
perf: build with NO_LIBCAP=1
Build with NO_LIBCAP=1. This is to resolve build issue.
Package perf is missing dependencies for the following libraries:
libcap.so.2
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
(cherry picked from commit
80f128d2aa7586ce068bbc24badc46ffab2edd4a)
Matt Merhar [Sun, 19 Apr 2020 21:12:03 +0000 (17:12 -0400)]
kernel: backport fix for non-regular inodes on f2fs
Upstream commit
dda9f4b9ca ("f2fs: fix to skip verifying block address
for non-regular inode").
On 4.14, attempting to perform operations on a non-regular inode
residing on an f2fs filesystem, such rm-ing a device node, would fail
and lead to a warning / call trace in dmesg. This fix was already
applied to other kernels upstream - including 4.19, from which the patch
was taken.
More info at https://bugzilla.kernel.org/show_bug.cgi?id=202495.
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
(cherry picked from commit
ee500186a5617dfe80f4b762fd6bd0c38af93d49)
RISCi_ATOM [Thu, 7 May 2020 18:13:46 +0000 (14:13 -0400)]
Bump kernel to 4.14.179
Antonio Quartulli [Tue, 28 Apr 2020 10:06:58 +0000 (12:06 +0200)]
wpad-wolfssl: fix crypto_bignum_sub()
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.
This missing fix was discovered while testing SAE over a mesh interface.
With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.
Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
4b3b8ec81cd1965d0bd548fa31db491295b83354)
Felix Fietkau [Sat, 18 Jan 2020 17:41:08 +0000 (18:41 +0100)]
mac80211: backport fix for an no-ack tx status issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
e0ab33ea496f371a0683b18d5555d651f8df1f5e)
Felix Fietkau [Tue, 28 Jan 2020 13:12:08 +0000 (14:12 +0100)]
hostapd: unconditionally enable ap/mesh for wpa-cli
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
03e9e4ba9ea8f00ff7c6f076f2cdc322e18cd3a4)
Daniel Golle [Thu, 16 Jan 2020 08:13:51 +0000 (10:13 +0200)]
hostapd: cleanup IBSS-RSN
set noscan also for IBSS and remove redundant/obsolete variable.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
702c70264b388c2b47e171843f297f43c71b86b9)
Petr Štetiar [Sat, 25 Apr 2020 12:56:20 +0000 (14:56 +0200)]
wireless-regdb: backport three upstream fixes
Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.
Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
76a0ddf1308782a4da2693978955aee9cf631862)
Petr Štetiar [Fri, 1 May 2020 08:12:11 +0000 (10:12 +0200)]
curl: backport fix for CVE-2019-15601
On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.
Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
RISCI_ATOM [Wed, 6 May 2020 05:45:43 +0000 (05:45 +0000)]
Merge branch 'LTS' of jahway603/libreCMC into LTS
jahway603 [Wed, 6 May 2020 04:42:50 +0000 (00:42 -0400)]
updated TL_WR1043ND.md & included v5 spec