librecmc/librecmc.git
4 years agomac80211: Update to version 4.19.120
Hauke Mehrtens [Mon, 4 May 2020 20:39:52 +0000 (22:39 +0200)]
mac80211: Update to version 4.19.120

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
4 years agodante: Fix compile with glibc
Hauke Mehrtens [Sat, 18 Apr 2020 15:50:03 +0000 (17:50 +0200)]
dante: Fix compile with glibc

When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.

This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.

This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1

Fixes: aaf46a8fe23e ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ce1798e915181e6c1f3ba735b254b37b84261303)

4 years agoperf: build with NO_LIBCAP=1
Yangbo Lu [Tue, 14 Apr 2020 07:24:50 +0000 (15:24 +0800)]
perf: build with NO_LIBCAP=1

Build with NO_LIBCAP=1. This is to resolve build issue.

Package perf is missing dependencies for the following libraries:
libcap.so.2

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
(cherry picked from commit 80f128d2aa7586ce068bbc24badc46ffab2edd4a)

4 years agokernel: backport fix for non-regular inodes on f2fs
Matt Merhar [Sun, 19 Apr 2020 21:12:03 +0000 (17:12 -0400)]
kernel: backport fix for non-regular inodes on f2fs

Upstream commit dda9f4b9ca ("f2fs: fix to skip verifying block address
for non-regular inode").

On 4.14, attempting to perform operations on a non-regular inode
residing on an f2fs filesystem, such rm-ing a device node, would fail
and lead to a warning / call trace in dmesg. This fix was already
applied to other kernels upstream - including 4.19, from which the patch
was taken.

More info at https://bugzilla.kernel.org/show_bug.cgi?id=202495.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
(cherry picked from commit ee500186a5617dfe80f4b762fd6bd0c38af93d49)

4 years agoBump kernel to 4.14.179
RISCi_ATOM [Thu, 7 May 2020 18:13:46 +0000 (14:13 -0400)]
Bump kernel to 4.14.179

4 years agowpad-wolfssl: fix crypto_bignum_sub()
Antonio Quartulli [Tue, 28 Apr 2020 10:06:58 +0000 (12:06 +0200)]
wpad-wolfssl: fix crypto_bignum_sub()

Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.

This missing fix was discovered while testing SAE over a mesh interface.

With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.

Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4b3b8ec81cd1965d0bd548fa31db491295b83354)

4 years agomac80211: backport fix for an no-ack tx status issue
Felix Fietkau [Sat, 18 Jan 2020 17:41:08 +0000 (18:41 +0100)]
mac80211: backport fix for an no-ack tx status issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit e0ab33ea496f371a0683b18d5555d651f8df1f5e)

4 years agohostapd: unconditionally enable ap/mesh for wpa-cli
Felix Fietkau [Tue, 28 Jan 2020 13:12:08 +0000 (14:12 +0100)]
hostapd: unconditionally enable ap/mesh for wpa-cli

Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 03e9e4ba9ea8f00ff7c6f076f2cdc322e18cd3a4)

4 years agohostapd: cleanup IBSS-RSN
Daniel Golle [Thu, 16 Jan 2020 08:13:51 +0000 (10:13 +0200)]
hostapd: cleanup IBSS-RSN

set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 702c70264b388c2b47e171843f297f43c71b86b9)

4 years agowireless-regdb: backport three upstream fixes
Petr Štetiar [Sat, 25 Apr 2020 12:56:20 +0000 (14:56 +0200)]
wireless-regdb: backport three upstream fixes

Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.

Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 76a0ddf1308782a4da2693978955aee9cf631862)

4 years agocurl: backport fix for CVE-2019-15601
Petr Štetiar [Fri, 1 May 2020 08:12:11 +0000 (10:12 +0200)]
curl: backport fix for CVE-2019-15601

On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.

Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agowireguard: bump to 1.0.20200429
RISCi_ATOM [Thu, 30 Apr 2020 17:23:50 +0000 (13:23 -0400)]
wireguard: bump to 1.0.20200429

* compat: support latest suse 15.1 and 15.2
* compat: support RHEL 7.8's faulty siphash backport
* compat: error out if bc is missing
* compat: backport hsiphash_1u32 for tests

We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04.

* compat: include sch_generic.h header for skb_reset_tc

A fix for a compiler error on kernels with weird configs.

* compat: import latest fixes for ptr_ring
* compat: don't assume READ_ONCE barriers on old kernels
* compat: kvmalloc_array is not required anyway

ptr_ring.h from upstream was imported, with compat modifications, to our
compat layer, to receive the latest fixes.

* compat: prefix icmp[v6]_ndo_send with __compat

Some distros that backported icmp[v6]_ndo_send still try to build the compat
module in some corner case circumstances, resulting in errors.  Work around
this with the usual __compat games.

* compat: ip6_dst_lookup_flow was backported to 3.16.83
* compat: ip6_dst_lookup_flow was backported to 4.19.119

Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels,
causing breaking in our compat module, which these changes fix.

* git: add gitattributes so tarball doesn't have gitignore files

Distros won't need to clean this up manually now.

* crypto: do not export symbols

These don't do anything and only increased file size.

* queueing: cleanup ptr_ring in error path of packet_queue_init

Sultan Alsawaf reported a memory leak on an error path.

* main: mark as in-tree

Now that we're upstream, there's no need to set the taint flag.

* receive: use tunnel helpers for decapsulating ECN markings

ECN markings are now decapsulated using RFC6040 instead of the old RFC3168.

Upstream commit : f57230c4e6ee5af36d22bc0bef0bf7adc583c5b0

4 years agorelayd: bump to version 2020-04-25
Kevin Darbyshire-Bryant [Sat, 25 Apr 2020 09:27:22 +0000 (10:27 +0100)]
relayd: bump to version 2020-04-25

f4d759b dhcp.c: further improve validation

Further improve input validation for CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e275d6f5d6b3edd7f0fa0440da43c45a)

4 years agoumdns: update to version 2020-04-25
Kevin Darbyshire-Bryant [Sat, 25 Apr 2020 09:30:08 +0000 (10:30 +0100)]
umdns: update to version 2020-04-25

cdac046 dns.c: fix input validation fix

Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.

Improve CVE-2020-11750 fix

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed0786be97eda879e5f6681994e4de53d74)

4 years agodnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)
Henrique de Moraes Holschuh [Sun, 1 Mar 2020 03:08:43 +0000 (00:08 -0300)]
dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)

Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a15c855b2de0efbea6b625ab16cc9daf)

4 years agolibpcap: fix build breakage with very high number of simultaneous jobs
Petr Štetiar [Sat, 25 Apr 2020 11:59:19 +0000 (13:59 +0200)]
libpcap: fix build breakage with very high number of simultaneous jobs

Building libpcap with high number (64) of simultaneous jobs fails:

 In file included from ./fmtutils.c:42:0:
 ./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
   #define _BSD_SOURCE

 <command-line>:0:0: note: this is the location of the previous definition
 ./gencode.c:67:10: fatal error: grammar.h: No such file or directory
  #include "grammar.h"
           ^~~~~~~~~~~
 compilation terminated.
 Makefile:99: recipe for target 'gencode_pic.o' failed

So fix this by less intrusive way by disabling the parallel builds for
this package.

Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoChange AR71XX support to and link to Supported Hardware page
RISCi_ATOM [Mon, 27 Apr 2020 21:52:53 +0000 (17:52 -0400)]
Change AR71XX support to  and link to Supported Hardware page

4 years agoopenssl: bump to 1.1.1g
Petr Štetiar [Tue, 21 Apr 2020 20:51:20 +0000 (22:51 +0200)]
openssl: bump to 1.1.1g

Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.

Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127ac83766028f767ac744e87a7ddcaf50)

4 years agorelayd: bump to version 2020-04-20
Kevin Darbyshire-Bryant [Mon, 20 Apr 2020 08:08:20 +0000 (09:08 +0100)]
relayd: bump to version 2020-04-20

796da66 dhcp.c: improve input validation & length checks

Addresses CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit be172e663f318ec364c13f795df025bbcce9ac18)

4 years agoumdns: update to version 2020-04-20
Kevin Darbyshire-Bryant [Mon, 20 Apr 2020 08:03:52 +0000 (09:03 +0100)]
umdns: update to version 2020-04-20

e74a3f9 dns.c: improve input validation

Addresses CVE-2020-11750

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 533da61ac63079f218a9946cd8e347b880c33dc0)

4 years agoumdns: update to the version 2020-04-05
Kevin Darbyshire-Bryant [Sun, 5 Apr 2020 08:14:43 +0000 (09:14 +0100)]
umdns: update to the version 2020-04-05

ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50ef6d056b25a96ce6c77de0b0d53c1a1)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)

4 years agoumdns: suppress address-of-packed-member warning
Kevin Darbyshire-Bryant [Sat, 4 Apr 2020 08:20:08 +0000 (09:20 +0100)]
umdns: suppress address-of-packed-member warning

gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:

dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]

261 |  uint16_t *swap = (uint16_t *) q;

Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f014719a994e2e538b2cb6376a189cd39de)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)

4 years agobinutils: add ALTERNATIVES for strings (FS#3001)
Hans Dedecker [Sat, 18 Apr 2020 08:34:10 +0000 (10:34 +0200)]
binutils: add ALTERNATIVES for strings (FS#3001)

Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a743e2ff5d8f406128d477ab5a509b4)

4 years agombedtls: update to 2.16.6
Magnus Kroken [Thu, 16 Apr 2020 15:47:47 +0000 (17:47 +0200)]
mbedtls: update to 2.16.6

Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d4eaf65e90bb167aa7818eacc08c633)

4 years agokernel: bump 4.14 to 4.14.176
RISCi_ATOM [Sat, 18 Apr 2020 20:38:06 +0000 (16:38 -0400)]
kernel: bump 4.14 to 4.14.176

Upstreamed:
- 600-ipv6-addrconf-call-ipv6_mc_up-for-non-Ethernet-inter.patch

Fixes:
- CVE-2020-8647
- CVE-2020-8648 (potentially)
- CVE-2020-8649

Upstream ref. : 0232f57e1af6580542c0ed1ce1d76c7cd4084613

4 years agombedtls: update to version 2.16.5
Josef Schlehofer [Sat, 22 Feb 2020 22:03:36 +0000 (23:03 +0100)]
mbedtls: update to version 2.16.5

Changelog:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 36af1967f5fcfc889594a8af0f92f873f445d249)

4 years agoopenssl: bump to 1.1.1f
Eneas U de Queiroz [Tue, 31 Mar 2020 20:51:45 +0000 (17:51 -0300)]
openssl: bump to 1.1.1f

There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
  newly generated RSA modules
- the patch reversing EOF detection we had already applied.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac74b859801cf174460fb8dbf9ed9e181)

4 years agoFix README.md links
RISCi_ATOM [Fri, 3 Apr 2020 11:06:17 +0000 (07:06 -0400)]
Fix README.md links

4 years agoFix image links in docs/*
RISCi_ATOM [Fri, 3 Apr 2020 11:04:13 +0000 (07:04 -0400)]
Fix image links in docs/*

4 years agoBump tor to 0.4.2.7 v1.5.1 v1.5.1-20200401
RISCi_ATOM [Tue, 31 Mar 2020 20:17:57 +0000 (16:17 -0400)]
Bump tor to 0.4.2.7

Fixes CVE-2020-10592 and init scripts.

4 years agoBump libreCMC version to v1.5.1
RISCi_ATOM [Tue, 31 Mar 2020 05:29:23 +0000 (01:29 -0400)]
Bump libreCMC version to v1.5.1

4 years agoBump Wireguard to 1.0.20200330 / *-tools 1.0.20200319
RISCi_ATOM [Tue, 31 Mar 2020 03:46:47 +0000 (23:46 -0400)]
Bump Wireguard to 1.0.20200330 / *-tools 1.0.20200319

4 years agolibpcap: Update shared-lib patch from Debian to fix linking problems
Hauke Mehrtens [Fri, 20 Mar 2020 18:07:31 +0000 (19:07 +0100)]
libpcap: Update shared-lib patch from Debian to fix linking problems

This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff

This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.

Fixes: 44f11353de04 ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
4 years agoreadline: needs host depend on ncurses to build
Jan Kardell [Fri, 20 Mar 2020 13:32:23 +0000 (14:32 +0100)]
readline: needs host depend on ncurses to build

We must ensure that host ncurses is build before host readline.

Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b29463e7549779e90739e61f8729ccaf09)

4 years agotools: squashfskit4: fix build with GCC10
Robert Marko [Thu, 19 Mar 2020 11:22:07 +0000 (12:22 +0100)]
tools: squashfskit4: fix build with GCC10

In order to build squashfskit with GCC10, this backport from upstream is needed.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
[increase PKG_RELEASE]
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit be4ed1db18e68cc57f03788b4529afbbf629411c)

4 years agosquashfskit4/Makefile: introduce PKG_RELEASE=1
Alexander Couzens [Sun, 22 Mar 2020 01:03:19 +0000 (02:03 +0100)]
squashfskit4/Makefile: introduce PKG_RELEASE=1

When adding patches, the PKG_RELEASE should be increased.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit 1f4020a293476d5e34461a655cb9f6540cefeea2)

4 years agobuild: prereq: tidy gcc version checks
Kevin Darbyshire-Bryant [Tue, 24 Mar 2020 11:05:27 +0000 (11:05 +0000)]
build: prereq: tidy gcc version checks

There is a restriction in the number of parameters(10)  that may be passed to
the SetupHostCommand macro so continually adding explicit gcc'n' version
checks ends up breaking the compiler check for the later versions and
oddballs like Darwin as was done in 835d1c68a0 which added gcc10.

Drop all the explicitly specified gcc version checks.  If a suitable gcc
compiler is not found, it may be specified at the dependency checking
stage after which that version will be symlinked into the build staging
host directory.

eg. 'CC=gccfoo CXX=g++foo make prereq'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1fb3c003d68d3feaf797e8b64edccc9fa622d250)

4 years agobuild: add GCC 10 version detection
Robert Marko [Wed, 18 Mar 2020 18:39:43 +0000 (19:39 +0100)]
build: add GCC 10 version detection

Lets add GCC 10 detection to the build system as distributions like Fedora 32 have started shipping with it.
Some tools like mtd-utils need work to compile under GCC10, but that will be next step.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit 835d1c68a0f036c8b0d837a48b5a05fdfb2e8218)

4 years agovpnc-script: enable reconnect
RISCi_ATOM [Mon, 30 Mar 2020 04:36:50 +0000 (00:36 -0400)]
vpnc-script: enable reconnect

Based upon upstream package feed commit : 80ab3fdc49f965782dcf667e727a7111942a9560

4 years agomac80211: Update to version 4.19.112
Hauke Mehrtens [Sat, 21 Mar 2020 19:24:00 +0000 (20:24 +0100)]
mac80211: Update to version 4.19.112

The removed patches are all integrated in the upstream version now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
4 years agoprocd: turn error into debug message for missing ujail binary
Petr Štetiar [Sat, 28 Mar 2020 12:42:05 +0000 (13:42 +0100)]
procd: turn error into debug message for missing ujail binary

Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.

This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").

Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agodnsmasq: add 'scriptarp' option
Jordan Sokolic [Thu, 19 Mar 2020 12:23:22 +0000 (14:23 +0200)]
dnsmasq: add 'scriptarp' option

Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.

Also enable --script-arp if has_handlers returns true.

Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
4 years agoopenssl: revert EOF detection change in 1.1.1
Eneas U de Queiroz [Fri, 27 Mar 2020 02:20:08 +0000 (23:20 -0300)]
openssl: revert EOF detection change in 1.1.1

This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e.  It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443

Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read().  Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0.  The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct.  Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.

The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6b942e3180afda0dc0fd8ac506527f1)

4 years agoopenssl: update to 1.1.1e
Eneas U de Queiroz [Thu, 19 Mar 2020 19:12:15 +0000 (16:12 -0300)]
openssl: update to 1.1.1e

This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093cd54aa990a5ae0099a16e88a18dfbd)

4 years agowireguard: bump to 0.0.20200318
Jason A. Donenfeld [Sat, 21 Mar 2020 02:12:53 +0000 (20:12 -0600)]
wireguard: bump to 0.0.20200318

WireGuard had a brief professional security audit. The auditors didn't find
any vulnerabilities, but they did suggest one defense-in-depth suggestion to
protect against potential API misuse down the road, mentioned below. This
compat snapshot corresponds with the patches I just pushed to Dave for
5.6-rc7.

* curve25519-x86_64: avoid use of r12

This buys us 100 extra cycles, which isn't much, but it winds up being even
faster on PaX kernels, which use r12 as a RAP register.

* wireguard: queueing: account for skb->protocol==0

This is the defense-in-depth change. We deal with skb->protocol==0 just fine,
but the advice to deal explicitly with it seems like a good idea.

* receive: remove dead code from default packet type case

A default case of a particular switch statement should never be hit, so
instead of printing a pretty debug message there, we full-on WARN(), so that
we get bug reports.

* noise: error out precomputed DH during handshake rather than config

All peer keys will now be addable, even if they're low order. However, no
handshake messages will be produced successfully. This is a more consistent
behavior with other low order keys, where the handshake just won't complete if
they're being used anywhere.

* send: use normaler alignment formula from upstream

We're trying to keep a minimal delta with upstream for the compat backport.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agokernel: backport out-of-memory fix for non-Ethernet devices
Rafał Miłecki [Wed, 11 Mar 2020 07:39:29 +0000 (08:39 +0100)]
kernel: backport out-of-memory fix for non-Ethernet devices

Doing up & down on non-Ethernet devices (e.g. monitor mode interface)
was consuming memory.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ec8e8e2ef0826d82b4dfbd567a073b31dc27b764)

4 years agoBump kernel to 4.14.174
RISCi_ATOM [Mon, 16 Mar 2020 20:56:24 +0000 (16:56 -0400)]
Bump kernel to 4.14.174

4 years agohostapd: remove erroneous $(space) redefinition
Jo-Philipp Wich [Sat, 8 Feb 2020 10:34:41 +0000 (11:34 +0100)]
hostapd: remove erroneous $(space) redefinition

The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 766e778226f5d4c6ec49ce22b101a5dbd4306644)

4 years agoath79: add gpio4 pinmux on TL-WR841N/ND v8, WR842N v2, MR3420 v2
Adrian Schmutzler [Thu, 30 Jan 2020 13:59:25 +0000 (14:59 +0100)]
ath79: add gpio4 pinmux on TL-WR841N/ND v8, WR842N v2, MR3420 v2

This adds a pinmux to the shared DTSI for TP-Link TL-WR841N/ND v8,
TL-WR842N v2 and TL-MR3420 v2. It is supposed to be the equivalent
of:

/* config gpio4 as normal gpio function */
ath79_gpio_output_select(TL_MR3420V2_GPIO_USB_POWER,AR934X_GPIO_OUT_GPIO);

This allows to enable USB power on these devices.

While at it, move the jtag_disable_pins to &gpio node and remove the
redundant status=okay there.

Tested on TP-Link TL-WR842N v2.

Fixes: FS#2753

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Armin Fuerst <armin@fuerst.priv.at>
[backport: change individual DTS files, no mr3420-v2 present]
(backported from commit 18c95c9d6ebea5cef1254ee917bff8aba993666d)

4 years agoath79: phy-ar7200-usb: adapt old behavior of arch/mips/ath79/dev-usb.c
Johann Neuhauser [Thu, 19 Dec 2019 12:07:17 +0000 (13:07 +0100)]
ath79: phy-ar7200-usb: adapt old behavior of arch/mips/ath79/dev-usb.c

[ Upstream commit 6cca6fffa06b1996f9bcc280f766e8ba4fa97d45 ]

Do not put usb-phy into reset if clearing the usb-phy reset or
setting the suspend_override has failed.

Reorder (de)asserts like in arch/mips/ath79/dev-usb.c.

Add an optional reset_control "usb-phy-analog", which is needed for
ar934x SoCs like in the old mach-driver arch/mips/ath79/dev-usb.c.

Tested-By: Lech Perczak <lech.perczak@gmail.com> [TL-WDR4300]
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
[added reference to upstream commit, Tested-by]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoath79: ar934x: use reset for usb-phy-analog
Johann Neuhauser [Thu, 19 Dec 2019 12:11:26 +0000 (13:11 +0100)]
ath79: ar934x: use reset for usb-phy-analog

This was already available on ar71xx, but is missing on ath79.
This solves the slow usb speed on TP-Link WDR3600/WDR4300 and similar,
as reported in Flyspray [0], OpenWRT Forum [1] and GitHub PR [2].

[0] https://bugs.openwrt.org/index.php?do=details&task_id=2567
[1] https://forum.openwrt.org/t/usb-wdr4300-low-speed-on-external-storage/46794
[2] https://github.com/openwrt/openwrt/pull/964

Tested-By: Lech Perczak <lech.perczak@gmail.com> [TL-WDR4300]
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
(cherry picked from commit bda6b6144dbe3e12d128b500821799ef472de4cb)

4 years agouhttpd: update to latest Git HEAD
Jo-Philipp Wich [Wed, 12 Feb 2020 17:00:42 +0000 (18:00 +0100)]
uhttpd: update to latest Git HEAD

2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 04069fde19e86af7728111814afadf780bf08018)

4 years agoBump kernel to 4.14.171 and refresh patches
RISCi_ATOM [Thu, 27 Feb 2020 21:28:18 +0000 (16:28 -0500)]
Bump kernel to 4.14.171 and refresh patches

4 years agoppp: backport security fixes
Petr Štetiar [Thu, 20 Feb 2020 08:03:54 +0000 (09:03 +0100)]
ppp: backport security fixes

8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee)

4 years agoBump Wireguard to 0.0.20200215
RISCi_ATOM [Sat, 15 Feb 2020 13:54:24 +0000 (08:54 -0500)]
Bump Wireguard to 0.0.20200215

4 years agoBump wireguard to 0.0.20200214
RISCi_ATOM [Fri, 14 Feb 2020 15:57:30 +0000 (10:57 -0500)]
Bump wireguard to 0.0.20200214

4 years agowireguard: bump to 0.0.20200205
Jason A. Donenfeld [Wed, 5 Feb 2020 13:46:46 +0000 (14:46 +0100)]
wireguard: bump to 0.0.20200205

* compat: support building for RHEL-8.2
* compat: remove RHEL-7.6 workaround

Bleeding edge RHEL users should be content now (which includes the actual
RedHat employees I've been talking to about getting this into the RHEL kernel
itself). Also, we remove old hacks for versions we no longer support anyway.

* allowedips: remove previously added list item when OOM fail
* noise: reject peers with low order public keys

With this now being upstream, we benefit from increased fuzzing coverage of
the code, uncovering these two bugs.

* netns: ensure non-addition of peers with failed precomputation
* netns: tie socket waiting to target pid

An added test to our test suite for the above and a small fix for high-load CI
scenarios.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 0.0.20200128
Jason A. Donenfeld [Tue, 28 Jan 2020 15:55:16 +0000 (16:55 +0100)]
wireguard: bump to 0.0.20200128

This fixes a few small oversights for the 5.5 compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 0.0.20200121
RISCi_ATOM [Wed, 5 Feb 2020 13:57:33 +0000 (08:57 -0500)]
wireguard: bump to 0.0.20200121

* Makefile: strip prefixed v from version.h

This fixes a mistake in dmesg output and when parsing the sysfs entry in the
filesystem.

* device: skb_list_walk_safe moved upstream

This is a 5.6 change, which we won't support here, but it does make the code
cleaner, so we make this change to keep things in sync.

* curve25519: x86_64: replace with formally verified implementation

This comes from INRIA's HACL*/Vale. It implements the same algorithm and
implementation strategy as the code it replaces, only this code has been
formally verified, sans the base point multiplication, which uses code
similar to prior, only it uses the formally verified field arithmetic
alongside reproducable ladder generation steps. This doesn't have a
pure-bmi2 version, which means haswell no longer benefits, but the
increased (doubled) code complexity is not worth it for a single
generation of chips that's already old.

Performance-wise, this is around 1% slower on older microarchitectures,
and slightly faster on newer microarchitectures, mainly 10nm ones or
backports of 10nm to 14nm. This implementation is "everest" below:

Xeon E5-2680 v4 (Broadwell)

armfazh: 133340 cycles per call
everest: 133436 cycles per call

Xeon Gold 5120 (Sky Lake Server)

armfazh: 112636 cycles per call
everest: 113906 cycles per call

Core i5-6300U (Sky Lake Client)

armfazh: 116810 cycles per call
everest: 117916 cycles per call

Core i7-7600U (Kaby Lake)

armfazh: 119523 cycles per call
everest: 119040 cycles per call

Core i7-8750H (Coffee Lake)

armfazh: 113914 cycles per call
everest: 113650 cycles per call

Core i9-9880H (Coffee Lake Refresh)

armfazh: 112616 cycles per call
everest: 114082 cycles per call

Core i3-8121U (Cannon Lake)

armfazh: 113202 cycles per call
everest: 111382 cycles per call

Core i7-8265U (Whiskey Lake)

armfazh: 127307 cycles per call
everest: 127697 cycles per call

Core i7-8550U (Kaby Lake Refresh)

armfazh: 127522 cycles per call
everest: 127083 cycles per call

Xeon Platinum 8275CL (Cascade Lake)

armfazh: 114380 cycles per call
everest: 114656 cycles per call

Achieving these kind of results with formally verified code is quite
remarkable, especialy considering that performance is favorable for
newer chips.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agoUpdate image links to reflect ar71xx -> ath79 change
RISCi_ATOM [Tue, 4 Feb 2020 18:07:38 +0000 (13:07 -0500)]
Update image links to reflect ar71xx -> ath79 change

4 years agoMark v1.5.0a v1.5.0a
RISCi_ATOM [Sat, 1 Feb 2020 02:55:09 +0000 (21:55 -0500)]
Mark v1.5.0a

4 years agoUpdate Tor to 0.4.2.6
RISCi_ATOM [Sat, 1 Feb 2020 02:54:42 +0000 (21:54 -0500)]
Update Tor to 0.4.2.6

4 years agoopkg: update to latest Git HEAD
RISCi_ATOM [Sat, 1 Feb 2020 02:15:47 +0000 (21:15 -0500)]
opkg: update to latest Git HEAD

80d161e opkg: Fix -Wformat-overflow warning
c09fe20 libopkg: fix skipping of leading whitespace when parsing checksums

Fixes: CVE-2020-7982
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c69c20c6670081d1eaab000734d89de57eb64148)

4 years agoFix default repository URL in base-files
RISCi_ATOM [Fri, 31 Jan 2020 14:02:07 +0000 (09:02 -0500)]
Fix default repository URL in base-files

4 years agoFix git url in urngd
RISCi_ATOM [Tue, 28 Jan 2020 05:35:44 +0000 (00:35 -0500)]
Fix git url in urngd

4 years agomac80211: Update to version 4.19.98
RISCi_ATOM [Tue, 28 Jan 2020 05:33:55 +0000 (00:33 -0500)]
mac80211: Update to version 4.19.98
The removed patches are all integrated in the upstream version now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Cherry-Picked from upstream : f84981f6f8a404f6d0261b8250bc3875d6518ad0

4 years agombedtls: update to 2.16.4
Magnus Kroken [Sat, 25 Jan 2020 17:33:41 +0000 (18:33 +0100)]
mbedtls: update to 2.16.4

Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Fixes:
 * CVE-2019-18222: Side channel attack on ECDSA

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 6e96fd90471a49185bcfe9dcb4844d444674ecab)

4 years agoprocd: update to version 2020-01-24
Petr Štetiar [Fri, 24 Jan 2020 07:34:10 +0000 (08:34 +0100)]
procd: update to version 2020-01-24

Get only fix backports from openwr-19.07 procd branch:

 31e4b2dfdbd7 state: fix reboot causing shutdown inside LXC container
 557f11b3a20f instance: provide error feedback if ujail binary is missing
 0a11aa405d3f instance: Fix instance_config_move_strdup() function
 44dd9419812b instance: fix typo in error message
 153820c76471 instance: fix pidfile and seccomp attributes double free

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agohostapd: fix faulty WMM IE parameters with ETSI regulatory domains
Felix Fietkau [Thu, 23 Jan 2020 13:51:58 +0000 (14:51 +0100)]
hostapd: fix faulty WMM IE parameters with ETSI regulatory domains

hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agolibubox: update to version 2020-01-20
Petr Štetiar [Mon, 20 Jan 2020 15:22:07 +0000 (16:22 +0100)]
libubox: update to version 2020-01-20

 43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
 5c0faaf4f5e2 tests: prefer dynamically allocated buffers
 1ffa41535369 blobmsg_json: prefer snprintf usage
 132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf
 a2aab30fc918 jshn: prefer snprintf usage
 b0886a37f39a cmake: add a possibility to set library version
 a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values
 f0da3a4283b7 blobmsg_json: fix int16 serialization
 20a070f08139 tests: blobmsg/json: add more test cases
 379cd33d1992 tests: include json script shunit2 based testing

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 5c73bb12c82c078d8a93cb896348b41598ed9e19)

4 years agofstools: backport fix from version 2020-01-18
Petr Štetiar [Sat, 18 Jan 2020 13:49:11 +0000 (14:49 +0100)]
fstools: backport fix from version 2020-01-18

Contains only the FS#2735 fix:

 189b41b6b487 libblkid-tiny: fix f2fs labels by increasing label buffer

Commit adding new feature wasn't backported (needs patched kernel anyway):

 f5c7c1813f52 fstools: Add support to read-only MTD partitions (eg. recovery images)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 63000bfaf7163d97ac6feb343c7587e3d339e65e)

4 years agourngd: update to version 2020-01-21
Petr Štetiar [Tue, 21 Jan 2020 16:03:21 +0000 (17:03 +0100)]
urngd: update to version 2020-01-21

c7f7b6b65b82 Tag version 1.0.2
236b7a0aef21 Fix blocked entropy generation

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3d8edd9bb4759f56df4482b3ed9c7fc26ed86028)

4 years agourngd: update to latest Git head
Petr Štetiar [Mon, 21 Oct 2019 08:37:51 +0000 (10:37 +0200)]
urngd: update to latest Git head

 * 40f939d57c67 Tag version 1.0.1
 * 9e758e6e6aec jitterentropy-rngd: update to version v1.1.0 + clang compile fix
 * 193586a25adc Fix wrong types in format strings used in debug build
 * d474977bb611 Add initial GitLab CI support

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ed67b137c748365d7a3be886a2f5309c3bc44c48)

4 years agoBump kernel to 4.14.168 and refresh patches
RISCi_ATOM [Tue, 28 Jan 2020 05:00:40 +0000 (00:00 -0500)]
Bump kernel to 4.14.168 and refresh patches

4 years agoRevert to previous sqm-scripts version for luci compatiblity
RISCi_ATOM [Thu, 23 Jan 2020 18:51:10 +0000 (13:51 -0500)]
Revert to previous sqm-scripts version for luci compatiblity

4 years agoAdd sqm-scripts* back to base
RISCi_ATOM [Thu, 23 Jan 2020 07:15:15 +0000 (02:15 -0500)]
Add sqm-scripts* back to base

4 years agoFix tpe-{r1100,r1200} u-boot environment bugs
RISCi_ATOM [Fri, 17 Jan 2020 05:32:32 +0000 (00:32 -0500)]
Fix tpe-{r1100,r1200} u-boot environment bugs

4 years agoAdd xl2tpd to base
RISCi_ATOM [Fri, 17 Jan 2020 05:29:42 +0000 (00:29 -0500)]
Add xl2tpd to base

4 years agowireguard: skip peer config if public key of the peer is not defined
Florian Eckert [Thu, 5 Dec 2019 10:33:38 +0000 (11:33 +0100)]
wireguard: skip peer config if public key of the peer is not defined

If a config section of a peer does not have a public key defined, the
whole interface does not start. The following log is shown

daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
daemon.notice netifd: test (21071): Configuration parsing erro

The command 'wg show' does only show the interface name.

With this change we skip the peer for this interface and emit a log
message. So the other peers get configured.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years agocryptodev-linux: remove DEFAULT redefinition
Eneas U de Queiroz [Wed, 15 Jan 2020 18:28:05 +0000 (15:28 -0300)]
cryptodev-linux: remove DEFAULT redefinition

The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 9b25f833eb840527d07c47930de2c769115844f3)

4 years agomac80211: fix a page refcounting issue leading to leaks/crashes in rx A-MSDU decap
Felix Fietkau [Mon, 13 Jan 2020 18:43:40 +0000 (19:43 +0100)]
mac80211: fix a page refcounting issue leading to leaks/crashes in rx A-MSDU decap

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 9501469e1146c6d76b7dde6391479314897ba4d8)

4 years agomac80211: fix sta TID stats leak on a few nl80211 calls
Felix Fietkau [Mon, 13 Jan 2020 18:43:20 +0000 (19:43 +0100)]
mac80211: fix sta TID stats leak on a few nl80211 calls

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit d5b3024139089e38f57bd1827273d7fba8497635)

4 years agoucert: update to version 2019-12-19
Petr Štetiar [Thu, 19 Dec 2019 12:25:03 +0000 (13:25 +0100)]
ucert: update to version 2019-12-19

14a279411cff fix certificate blob parsing vulnerability by using blob_parse_untrusted
19a7225ac018 fix leaking memory in cert_dump_blob
9dba44ddd4f5 fix possibly garbage value returned in cert_process_revoker
4462ff9dedfa add cram based unit tests
5fe64b5606aa cmake: split usign bits into static library
5d7626a2b6d8 cmake: reindent the file
e284ed941972 cmake: enable hardening compiler flags and fix the reported issues
7e5390666347 add initial GitLab CI support
fa0bf4ef45b1 cmake: add proper include and library dependencies

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 2544cb1ba377149a8663c7ac4a625d5399993e33)

4 years agoethtool: fix PKG_CONFIG_DEPENDS
Matthias Schiffer [Tue, 7 Jan 2020 19:53:31 +0000 (20:53 +0100)]
ethtool: fix PKG_CONFIG_DEPENDS

Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 41c19dd542973dbc1336ecceaa32777506933cdf)

4 years agodnsmasq: Fix potential dnsmasq crash with TCP
Hauke Mehrtens [Mon, 6 Jan 2020 15:21:25 +0000 (16:21 +0100)]
dnsmasq: Fix potential dnsmasq crash with TCP

This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.

I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra  = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 414d0541381d432e69190f394dfe2a6e8122d6bb)

4 years agoca-certificates: provide ca-certs by both ca-certificates and ca-bundle
Maxim Storchak [Wed, 25 Dec 2019 15:46:27 +0000 (17:46 +0200)]
ca-certificates: provide ca-certs by both ca-certificates and ca-bundle

- both packages provide ca-certs
- make ca-bundle the default provider

This should allow easy transition between these two forms of CA certificates storage

Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
(cherry picked from commit dd299805ad18472a8245b4524a25e4381e166057)

4 years agofstools: update to latest Git HEAD
Jo-Philipp Wich [Sun, 5 Jan 2020 17:40:22 +0000 (18:40 +0100)]
fstools: update to latest Git HEAD

823faa0 block: re-discover mtd devices on extroot mount retry

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 22a178e89282c7bd5bb181fc5c2c5cb6ff2403c8)

4 years agoprocd: update to version 2020-01-04
Petr Štetiar [Wed, 1 Jan 2020 11:43:45 +0000 (12:43 +0100)]
procd: update to version 2020-01-04

Contains following changes:

 a5af33ce9a16 instance: strdup string attributes
 d2e8bf6ef7cf system: watchdog_set: fix misleading indentation
 9814807bd71c system: sysupgrade: fix possibly misleading error
 c7a2db3c1eb6 system: sysupgrade: rework firmware validation
 ea45c4a0f07c system: fix failing image validation due to EINTR
 4fde95506243 cmake: fix lookup of external libraries
 5ed190aae1b3 jail: remove accidentally added lines
 52c5c1980ba3 jail: set user and group inside jail
 3aa051b44177 system: sysupgrade: close input side of pipe before reading
 f47622e89c4d instance: Warn about unexpected number of parameters
 564ecdfd9cc4 instance: ujail: Fix allocated size for no_new_privs parameter
 7fb2e1dfa221 procd: simplify code in procd_inittab_run
 4a127c3c60af procd: replace exit(-1) with exit(EXIT_FAILURE)
 bc0a73eaad58 procd: add upgraded binary to .gitignore
 ba4c4dbbbd65 procd: add start-console support
 3e39fe539490 procd: shift arguments for askfirst only once
 5d6282906baf procd: skip respawn in case device disappeared
 d27949f12fd7 procd: guard fork_worker calls
 258aa04328a2 procd: Add cached and available to memory table
 8e9fb51fa66e procd: Switch to nanosleep
 c844ace9729a system: Fix possible integer overflows

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoubus: update to version 2019-12-27
Petr Štetiar [Sat, 28 Dec 2019 07:00:47 +0000 (08:00 +0100)]
ubus: update to version 2019-12-27

Contains following changes:

 041c9d1c052b ubusd/libubus-io: fix socket descriptor passing
 8f2292478c57 ci: enable unit testing
 a1523d76b016 fix blob parsing vulnerability by using blob_parse_untrusted
 c60583743ccf ubus_monitor: workaround possibly false positive uses of memory after it is freed
 dac6c7c575ac ubusd_monitor: fix possible null pointer dereference
 060dfbb26da3 ubus_common: remove duplicate ARRAY_SIZE and add missing include
 c5f2053dfcfd workaround possibly false positive uses of memory after it is freed
 72be8e93f07d lua: ubus_lua_do_subscribe: fix copy&paste error
 a995b1e68129 lua: workaround false positive dereference of null pointer
 08f17c87a000 add fuzzer and cram based unit tests
 c413be9b376c refactor ubusd.c into reusable ubusd_library
 afd47189e864 examples: remove dead increments
 b2e544238672 add initial GitLab CI support
 058f4e9526ed libubus: fix incompatible pointer types assigment
 d2e026a33df8 iron out all extra compiler warnings
 5d7ca8309d0a ubusd/libubus-io: fix variable sized struct position warning
 d61282db5640 ubusd: fix comparison of integers of different signs
 90fb16234c22 cmake: enable extra compiler checks
 2e051f628996 ubus: Support static builds
 588baa3cd784 ubusd: retry sending messages on EINTR
 76ea27a62774 libubus: attempt to receive data before calling poll
 4daab27d004f libubus: do not abort recv_retry before completing a message

and bumps ABI_VERSION to 20191227.

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agolibubox: update to version 2019-12-28
Petr Štetiar [Sat, 28 Dec 2019 20:22:04 +0000 (21:22 +0100)]
libubox: update to version 2019-12-28

Contains following changes:

 cd75136b1342 blobmsg: fix wrong payload len passed from blobmsg_check_array
 eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning
 86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data
 586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods
 b0e21553ae8c blobmsg: add _len variants for all attribute checking methods
 cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len
 143303149c8b Ensure blob_attr length check does not perform out of bounds reads
 f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse
 4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
 2df6d35e3299 tests: add test cases for blobmsg parsing
 8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes
 478597b9f9ae blob: fix OOB access in blob_check_type
 325418a7a3c0 tests: use blob_parse_untrusted variant
 0b24e24b93e1 blob: introduce blob_parse_untrusted
 6d27336e4a8b blob: refactor attr parsing into separate function
 833d25797b16 test: fuzz: add blob_parse crashes
 09ee90f8d6ed tests: add test cases for blob parsing
 436d6363a10b tests: add libFuzzer based tests
 bf680707acfd tests: add unit tests covered with Clang sanitizers
 f804578847de cmake: add more hardening compiler flags
 46f8268b4b5b blobmsg/ulog: fix format string compiler warnings
 eb216a952407 cmake: use extra compiler warnings only on gcc6+
 07413cce72e1 tests: jshn: add more test cases
 26586dae43a8 jshn: fix missing usage for -p and -o arguments
 8e832a771d3a jshn: fix off by one in jshn_parse_file
 cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj'
 c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars'
 93848ec96dc5 jshn: refactor main into smaller pieces
 9b6ede0e5312 avl: guard against theoretical null pointer dereference
 c008294a8323 blobmsg_json: fix possible uninitialized struct member
 0003ea9c45cc base64: fix possible null pointer dereference
 8baeeea1f52d add assert.h component
 b0a5cd8a28bf add cram based unit tests
 1fefb7c4d7f9 add initial GitLab CI support
 c955464d7a9b enable extra compiler checks
 6228df9de91d iron out all extra compiler warnings

and bumps ABI_VERSION to 20191228.

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoUpgrade Tor to 0.4.2.5
RISCi_ATOM [Thu, 16 Jan 2020 17:11:25 +0000 (12:11 -0500)]
Upgrade Tor to 0.4.2.5

4 years agokernel: bump to 4.14.165 and refresh patches
RISCi_ATOM [Wed, 15 Jan 2020 18:55:39 +0000 (13:55 -0500)]
kernel: bump to 4.14.165 and refresh patches

4 years agowireguard-tools: bump to 1.0.20200102 v1.5.0-20200110
Jason A. Donenfeld [Wed, 8 Jan 2020 22:37:41 +0000 (17:37 -0500)]
wireguard-tools: bump to 1.0.20200102

* systemd: update documentation URL
* global: bump copyright

Usual house keeping.

* Makefile: DEBUG_TOOLS -> DEBUG and document
* Makefile: port static analysis check
* dns-hatchet: adjust path for new repo layout
* Makefile: rework automatic version.h mangling

These are some important-ish cleanups for downstream package maintainers that
should make packaging this a lot smoother.

* man: add documentation about removing explicit listen-port

Documentation improvement.

* wg-quick: linux: quote ifname for nft

This should fix issues with weirdly named ifnames and odd versions of nft(8).

* fuzz: find bugs in the config syntax parser
* fuzz: find bugs when parsing uapi input

These are two fuzzers that have been laying around without a repo for a while.
Perhaps somebody with enough compute power will find bugs with them.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 0.0.20200105
Jason A. Donenfeld [Wed, 8 Jan 2020 22:37:40 +0000 (17:37 -0500)]
wireguard: bump to 0.0.20200105

* socket: mark skbs as not on list when receiving via gro

Certain drivers will pass gro skbs to udp, at which point the udp driver
simply iterates through them and passes them off to encap_rcv, which is
where we pick up. At the moment, we're not attempting to coalesce these
into bundles, but we also don't want to wind up having cascaded lists of
skbs treated separately. The right behavior here, then, is to just mark
each incoming one as not on a list. This can be seen in practice, for
example, with Qualcomm's rmnet_perf driver. This lead to crashes on
OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear
that it could lead to issues on other drivers on weird OpenWRT routers.

This commit is upstream in net-next as:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 20191226
Jason A. Donenfeld [Fri, 27 Dec 2019 14:41:12 +0000 (15:41 +0100)]
wireguard: bump to 20191226

As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 20191219
Kevin Darbyshire-Bryant [Tue, 24 Dec 2019 20:43:20 +0000 (20:43 +0000)]
wireguard: bump to 20191219

edad0d6 version: bump snapshot
0e38a3c compat: ipv6_dst_lookup_flow was backported to 5.3 and 5.4
2e52c41 wg-quick: linux: use already configured addresses instead of in-memory
3721521 tools: adjust wg.8 syntax for consistency in COMMANDS section
21a1498 wg-quick: linux: try both iptables(8) and nft(8) on teardown

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
4 years agowireguard: bump to 0.0.20191212
Kevin Darbyshire-Bryant [Tue, 17 Dec 2019 14:10:13 +0000 (14:10 +0000)]
wireguard: bump to 0.0.20191212

1ec6ece version: bump snapshot
e13de91 main: remove unused include <linux/version.h>
72eb17c wg-quick: linux: support older nft(8)
1d8e978 global: fix up spelling
e02713e wg-quick: linux: add support for nft and prefer it
b4e3a83 compat: support building for RHEL-8.1 instead of RHEL-8.0
f29e3ac socket: convert to ipv6_dst_lookup_flow for 5.5

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
4 years agowireguard: bump to 0.0.20191205
Jason A. Donenfeld [Thu, 5 Dec 2019 10:59:41 +0000 (11:59 +0100)]
wireguard: bump to 0.0.20191205

* wg-quick: linux: suppress error when finding unused table

This fixes a spurious warning messages seen with recent versions of iproute2
and kernels.

* wg-quick: linux: ensure postdown hooks execute
* wg-quick: linux: have remove_iptables return true
* wg-quick: linux: iptables-* -w is not widely supported

Adding in iptables had some hiccups. For the record, I'm very unhappy about
having to put any firewalling code into wg-quick(8). We'll of course need to
support nftables too at some point if this continues. I'm investigating with
upstream the possibility of adding a sysctl to patch the issue that iptables
is handling now, so hopefully at somepoint down the line we'll be able to shed
this dependency once again.

* send: use kfree_skb_list
* device: prepare skb_list_walk_safe for upstreaming
* send: avoid touching skb->{next,prev} directly

Suggestions from LKML.

* ipc: make sure userspace communication frees wgdevice

Free things properly on error paths.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agobase-files: sysupgrade: exit if the firmware download failed
Petr Štetiar [Tue, 31 Dec 2019 09:34:29 +0000 (10:34 +0100)]
base-files: sysupgrade: exit if the firmware download failed

Sysupgrade process shouldn't continue if the firmware image couldn't be
downloaded.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020940.html
Reported-by: Petr Novák <petrn@me.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit cf3da66d2ce11a30ae2993b56276ade10c9bddb9)

4 years agowolfssl: bump to 4.3.0-stable
Eneas U de Queiroz [Thu, 26 Dec 2019 18:11:31 +0000 (15:11 -0300)]
wolfssl: bump to 4.3.0-stable

This update fixes many bugs, and six security vulnerabilities, including
CVE-2019-18840.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d5ede68f8b67f8fa2b4102b90e5dd3722172299a)