This feature has been unused for years, and its scope is too limited to be
actually useful.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Symbol CONFIG_INITRAMFS_FORCE allows to ignore the value passed by the
bootloader.
By default, all symbols containing INITRAMFS are wiped from the final
config and then re-added conditionally.
Add support for this symbol, as the build will stop otherwise
questioning the user about this option:
* Restart config...
*
*
* General setup
*
Cross-compiler tool prefix (CROSS_COMPILE) []
Compile also drivers which will not load (COMPILE_TEST) [N/y/?] n
...
Initial RAM filesystem and RAM disk (initramfs/initrd) support
(BLK_DEV_INITRD) [Y/n/?] y
Initramfs source file(s) (INITRAMFS_SOURCE) []
Ignore the initramfs passed by the bootloader (INITRAMFS_FORCE)
[N/y/?] (NEW)
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Combined Extended Images V1 can be created easily via the new image
commands using
IMAGE/sysupgrade.bin/squashfs := append-rootfs | pad-rootfs | combined-ext-image
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
When generating per-device rootfs directories, the ./etc/opkg/ directory
is moved away prior to calling opkg install, opkg remove and rootfs_prepare.
After the opkg invocations and the rootfs_prepare macro call, the saved opkg
config directory is supposed to be moved back to its previous ./etc/opkg
location.
The mv command however can fail to properly restore the directory under
certain circumstances, e.g. when the prior opkg or files/ overlay copy
operations caused a new ./etc/opkg/ directory to be created.
In this case, the backed up directory (named target-dir-$hash.opkg) will be
moved into the preexisting ./etc/opkg/ directory instead, causing the opkg
configuration to be located in a wrong path on the final rootfs, e.g. in
/etc/opkg/target-dir-$hash.opkg/distfeeds.conf instead of
/etc/opkg/distfeeds.conf.
Solve this problem by replacing the naive "mv" command with a recursive
"cp -T" invocation which causes the backed up directory tree to get merged
with the destination directory in case it already exists.
Also perform the rootfs_prepare macro call after restoring the opkg
configuration, to allow users to override it again by using the files/
overlay mechanism.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a name-agnostic PROJECT_GIT variable poiting to
https://git.openwrt.org/ and declare LEDE_GIT and OPENWRT_GIT
as aliases to it.
After some transition time we can drop this alias variables.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Rename unwinder config symbols to match upstream changes.
Refresh patches.
Update patch that no longer applies: 202-reduce_module_size.patch
Also enable CONFIG_PAGE_TABLE_ISOLATION. This feature was backported
from 4.15 to the 4.14 stable series. It is enabled by default, so enable
it in OpenWrt as well.
Compile-tested on x86/64.
Runtime-tested on x86/64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Some packages, e.g. busybox, explicitly remove old .configured stamps
before attempting configuration, rather than after the actual configuration
step. This seems like a good idea, as there will be no stamp left if
configuration fails. Change generic rules to work like this, so package-
specific rules can be dropped.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Kernel 4.14 has the version number 4.14 and not 4.14.0. This was
different in some older Linux kernel versions, This change makes it
possible to use kernel 4.14 without any minor version.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds initial support for kernel 4.14 based on the patches for
kernel 4.9.
In the configuration I deactivated some of the new possible security
features like:
CONFIG_REFCOUNT_FULL
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_SOFTLOCKUP_DETECTOR
CONFIG_WARN_ALL_UNSEEDED_RANDOM
And these overlay FS options are also deactivated:
CONFIG_OVERLAY_FS_INDEX
CONFIG_OVERLAY_FS_REDIRECT_DIR
I activated this:
CONFIG_FORTIFY_SOURCE
CONFIG_POSIX_TIMERS
CONFIG_SLAB_MERGE_DEFAULT
CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED
I am not sure if I did the porting correct for the following patches:
target/linux/generic/backport-4.14/020-backport_netfilter_rtcache.patch
target/linux/generic/hack-4.14/220-gc_sections.patch
target/linux/generic/hack-4.14/321-powerpc_crtsavres_prereq.patch
target/linux/generic/pending-4.14/305-mips_module_reloc.patch
target/linux/generic/pending-4.14/611-netfilter_match_bypass_default_table.patch
target/linux/generic/pending-4.14/680-NET-skip-GRO-for-foreign-MAC-addresses.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
- use %d instead of %n for opkg feed identifiers
- remove %n / %N references from version files
Fixes bf5cef47b3 merge: release/banner: drop release name and update banner.
Fixes FS#1213.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Replace in router DEFAULT_PACKAGES odhcpd by odhcpd-ipv6only as
such there's no DHCPv4 server functionality overlap with dnsmasq
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Build dependency: Please install the GNU C Compiler (gcc) 4.8 or later cc
-dumpversion | grep -E '(4\.[8-9]|5\.[0-9]|6\.[0-9]|7\.[0-9])'
Build dependency: Please install the GNU C++ Compiler (g++) 4.8 or later
g++ -dumpversion | grep -E '(4\.[8-9]|5\.[0-9]|6\.[0-9]|7\.[0-9])'
Prerequisite check failed. Use FORCE=1 to override.
On my Fedora 26 machine gcc and g++ -dumpversion returns a whole number
'7' failing the regex introduced in commit:
b78de6207f
This change makes minor versions optional in the build dependency regex
for gcc and g++ whenever any minor version would be accepted and the
whole number version is sufficient as a dependency check. For versions
4.* a minor version is still required.
Signed-off-by: Justin Kilpatrick <jkilpatr@redhat.com>
Only test for supported versions of GCC
The version bump requirement for GCC is because gdb doesn't build with older
versions.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
At the moment, license information can only be specified on a
"per source package" level while other metadata fields (e.g. maintainer)
can be given for each binary package. Apply the same logic for license
fields as well. This can be used e.g. in cases where a library is
distributed under some license while related tools are distributed
under a different one.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
If PKG_BUILD_DIR contains symlinks, the generated Module.symvers will
contain the resolved paths, not the virtual path with the symlink name.
This breaks the filter for the module's own symbols, so to fix this
ensure we also grep for the resolved path.
Reported-by: Roman Yeryomin <roman@advem.lv>
Tested-by: Roman Yeryomin <roman@advem.lv>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Let the generic postinstall script invoke "kmodloader" when the just
installed package contains any /etc/module.d/ entries.
This allows us to skip the explicit "insert_module()" calls in the
package postinstall.
Due to the removed insert_module calls we do not need to assemble a
complete list of modules per package anymore, which allows for vast
simplification of the package generation code.
While we're at it, also support specifying default parameters for
modules using either the MODPARAM or MODPARAM.modulename variables
in KernelPackage.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
mpc85xx uses this for firmware image files, since the dtb data is not
directly part of the kernel image. This causes build failures in the
image builder.
Fix this by adding a separate build step that runs this call earlier,
reusing the generated file for any calls from kernel or image build
commands.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add xconfig target to include/toplevel.mk, so that ``make xconfig`` can
be invoked from $TOPDIR to use Qt based configuration tool to prepare
.config file.
The qconf related sources are taken from linux 4.9.13 archive.
Signed-off-by: Alif M. Ahmad <alive4ever@live.com>
The creation was accidentally moved to the wrong hook, fix it by moving
it to the pre hook.
Fixes: e5e5c3f5fd ("build: ensure PKG_INFO_DIR exists before trying to use it")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
PKG_INFO_DIR is only created at the finish step of the first package
build, but kernel modules now use it at the start. Doing a parallel build
could cause a kernel module to be the first package, breaking the build.
Fix this by ensuring the directory exists.
Fixes: 2e496876c6 ("kernel: collect module symvers for external modules")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Collect module symvers for all external modules to make them available
for modpost. This fixes dependencies for most external modules.
Example:
Before:
root@LEDE:/# modinfo mt76
module: /lib/modules/4.4.74/mt76.ko
license: Dual BSD/GPL
depends:
After:
root@LEDE:/# modinfo mt76
module: /lib/modules/4.4.74/mt76.ko
license: Dual BSD/GPL
depends: mac80211,cfg80211
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
During the initial configuration phases, we have not set-up the kernel
source directory, which would lead to such messages:
cat:
/local/users/fainelli/openwrt/trunk/build_dir/target-x86_64_musl/linux-uml/linux-4.9.58/include/config/kernel.release:
No such file or directory
Just silence it, since it does not create a functional problem.
Fixes: 8e0e0e7d8b ("include: Determine MODULES_DIR correctly for external/git kernels")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
The kernel calls both ppc64 and ppc32 "powerpc", so we need to fixup
LINUX_KARCH when building with ARCH=powerpc64.
Signed-off-by: Florian Larysch <fl@n621.de>
Starting with commit d5d332d3f7e8 ("devicetree: Move include prefixes
from arch to separate directory") included in 4.12 and newer relocated
the dt-bindings directory, so account for that while passing CPPFLAGS
before DTC runs.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
No patch refresh required.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on ar71xx - Archer C7 v2
Fixes the following CVEs:
- CVE-2017-15265
- CVE-2017-0786
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Refresh patches.
Compile-tested on brcm2708/bcm2708, octeon and x86/64.
Runtime-tested on brcm2708/bcm2708, octeon and x86/64.
Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch adds all the board-specific values currently hardcoded
in mktplinkfw2.c back to the respective device declarations in the
makefiles.
The rationale is to avoid modifying the source code every time a
new board or board variant is added.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Refresh patches.
Compile-tested on octeon and x86/64.
Runtime-tested on octeon and x86/64.
Fixes the following CVEs:
- CVE-2017-14106
- CVE-2017-14497
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Since $(DownloadMethod/unknown) is being invoked in the expansion of
$(call locked ...) anyway, you can't have an @ because the shell
doesn't know what to do with it.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Refresh patches.
Compile-tested on ipq8065/nbg6817 and x86/64.
Runtime-tested on ipq8065/nbg6817 and x86/64.
Fixes CVE-2017-1000251.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
[adapt qcom_nandc.c patches to match upstream changes, test ipq8065/nbg6817]
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Delete a bunch of fixes that are already included.
Refresh patches.
Compile-tested on malta/mipsel
Runtime-tested on malta/mipsel
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Refresh patches.
Compile-tested on octeon and x86/64.
Runtime-tested on octeon and x86/64.
Fixes CVE-2017-11600.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Refresh patches.
Compile-tested on ramips/mt7621 and x86/64.
Runtime-tested on ramips/mt7621 and x86/64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Refresh patches.
Adapt 704-phy-no-genphy-soft-reset.patch.
Remove brcm2708/950-0005-mm-Remove-the-PFN-busy-warning.patch.
Compile-tested on brcm2708/bcm2708 and x86/64.
Runtime-tested on brcm2708/bcm2708 and x86/64.
Fixes the following vulnerabilities:
- CVE-2017-7533
- CVE-2017-1000111
- CVE-2017-1000112
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We will need "mktplinkfw-combined" command also in the "ramips" target
for new MediaTek based TP-Link devices, with "safeloader" image type.
Also, rename the command to "tplink-v1-header", use "VERSION_DIST"
variable instead of "OpenWrt" and allow passing additional parameters.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This change currently causes some issues with loading out of tree kernel modules
so revert that commit for now.
Reverts commit 34c01e68b5. Fixes FS#919.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Builtin modules are always present, and trying to load them will cause
modprobe to spew errors when installing the empty kmod packages.
Fix this by never generating any postinst module install instructions
for builtin modules.
Fixes#842.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
If TARGET_PER_DEVICE_ROOTFS and DEVICE_PACKAGES are used for ar71xx
legacy images:
- an already jffs2 padded squashfs rootfs is overwritten
with an unpadded/raw one.
- the squashfs-raw and squashfs-64k rootfs are not replaced by the
ones including the DEVICE_PACKAGES
Call Image/Build/squashfs after the DEVICE_PACKAGES are added to the
base squashfs rootfs to fix the issues.
Fixes: FS#904
Signed-off-by: Mathias Kresin <dev@kresin.me>
- Refreshed all patches
- Removed upstreamed
- Adapted 4 patches:
473-fix-marvell-phy-initialization-issues.patch
-----------------------------------------------
Removed hunk 5 which got upstreamed
403-net-phy-avoid-setting-unsupported-EEE-advertisments.patch
404-net-phy-restart-phy-autonegotiation-after-EEE-advert.patch
--------------------------------------------------------------
Adapted these 2 RFC patches, merging the delta's from an upstream commit
(see below) which made it before these 2.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-
stable.git/commit/?h=v4.9.36&id=97ace183074d306942b903a148aebd5d061758f0
180-usb-xhci-add-support-for-performing-fake-doorbell.patch
-----------------------------------------------------------
- Moved fake_doorbell bitmask due to new item
Compile tested on: cns3xxx, imx6
Run tested on: cns3xxx, imx6
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
There are already two targets (lantiq, ramips) which use mktplinkfw2
tool for creating images. This de-duplicates code, introduces two new
build commands: tplink-v2-header, tplink-v2-image and makes use of
them in place of old, (sub)target specific ones.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
- Refreshed all patches
- Adapted 1 (0031-mtd-add-SMEM-parser-for-QCOM-platforms.patch)
Compile tested on: brcm2708, cns3xxx, imx6
Run tested on: brcm2708, cns3xxx, imx6
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[Compile and run tested on brcm2708]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Specifications:
* SoC: AR7242 (Virian 400MHz)
* RAM: 64 MB DDR (W9751G6JB-25)
* Flash: 16MB SPI flash (S25FL129PIF)
* WiFi: AR9382 (2.4/5GHz) + 2x SE2595L
* LAN: 1x1000M (PEF7071V)
To install LEDE via EVA bootloader, a FTP connection need to be
established to 192.168.178.1 within the first seconds after power on:
ftp> quote USER adam2
ftp> quote PASS adam2
ftp> binary
ftp> debug
ftp> passive
ftp> quote MEDIA FLSH
ftp> put lede-ar71xx-generic-fritz300e-squashfs-sysupgrade.bin mtd1
Signed-off-by: Mathias Kresin <dev@kresin.me>
When an external kernel tree is used the version should not get
modified by the LEDE build scripts. This was added by Florian some time
ago.
The commit 0aed054bec ("build: add KERNEL_MAKE and
KERNEL_MAKE_FLAGS variables and move to kernel.mk") breaks this feature
introduced in b6746a6ffb ("include: Do not alter KERNELRELEASE for
external/git kernels").
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.31
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous commit f4a4f324cb ("kernel: update kernel 4.4 to
4.4.71") missed the line which changes the kernel version, add it now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71
Signed-off-by: Jo-Philipp Wich <jo@mein.io>