Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.31
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
CONFIG_SG_POOL symbol is selected only by CONFIG_SCSI, since the last
one is disabled by default then disable CONFIG_SG_POOL by default too.
And explicitly enable it only for platforms that use CONFIG_SCSI.
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
This change add IPQ40xx AP-DK04.1-C1 board image support,
enables ubi image for IPQ40xx AP-DK04.1-C1 board and also
add sysupgrage support for AP-DK04.1-C1 and generates a
sysupgrade.tar image.
Testing:
*Tested on IPQ40xx AP-DK04.1-C1:
a. NAND boot
b. ubi sysupgrade
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
This change adds QPIC BAM dma and NAND driver node's in IPQ4019
device tree, also enable this for AP-DK04.1 based boards.
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
This change adds support for below:
- Bam transaction which will be used for any NAND request.
- Reset function for NAND BAM transaction
- Add support for additional CSRs.
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
The existing qcom_nand driver supports ADM DMA which is mainly
required for ipq806x family based boards,
IPQ40xx based boards uses BAM DMA in NAND driver, so this patch
adds BAM DMA support with compatible string as qcom,ebi2-nandc-bam.
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
GPIO_PULL bits configurations in TLMM_GPIO_CFG register
differs for IPQ40xx from rest of the other qcom SoC's.
This change add support to configure the msm_gpio_pull
bits for ipq40xx, It is required to fix the proper
configurations of gpio-pull bits for nand pins mux.
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
The device tree is at /proc/device-tree/ without a base subdir.
Fixes: da472e5b30 ("treewide: access device tree from userspace via /proc/")
Signed-off-by: Mathias Kresin <dev@kresin.me>
Access the device tree via /proc/device-tree/ is the documented way to
access the properties. Everything else might not work in future.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Do not assign the CPU port twice, this confuses LuCI and possible other
programs relying on topology information in board.json.
Ref: https://github.com/openwrt/luci/issues/1086
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Without patch unloading the dwc3-of-simple module went stuck after
successfully removing hcd.1 during the hcd.0 removal:
root@LEDE:/# rmmod dwc3-of-simple
[ 21.391846] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 21.391931] usb usb4: USB disconnect, device number 1
[ 21.397038] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 21.401111] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 21.406685] usb usb3: USB disconnect, device number 1
[ 21.412848] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 21.417248] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 21.422521] usb usb2: USB disconnect, device number 1
followed by nothing.
Sometimes a stall CPU was detected, or a kernel panic,
or a reboot occurred after a couple of minutes.
At the same time unloading the dwc3 module followed by dwc3-of-simple
module was working repeatedly.
root@LEDE:/# rmmod dwc3
[ 53.827328] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 53.827412] usb usb4: USB disconnect, device number 1
[ 53.832630] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 53.836452] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 53.842314] usb usb3: USB disconnect, device number 1
[ 53.848412] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 53.852542] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 53.857882] usb usb2: USB disconnect, device number 1
[ 53.863956] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 53.867875] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 53.873696] usb usb1: USB disconnect, device number 1
[ 53.879742] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
root@LEDE:/# rmmod dwc3-of-simple
root@LEDE:/#
For the non-working case, the code was stuck in a readl() in
http://lxr.free-electrons.com/source/drivers/usb/host/xhci.c#L91
because
http://lxr.free-electrons.com/source/drivers/usb/dwc3/dwc3-of-simple.c#L126
was disabling the wrong clocks when removing hcd.1 (it was disabling
the clock of hcd.0). That's why the readl() went stuck when removing
hcd.0
The patch however addresses the clock assignment from the Netgear R7500
dts file and backs off the previous attempt.
Now unloading and repeated module loading is working just fine.
root@LEDE:/# rmmod dwc3-of-simple
[ 24.089679] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 24.089765] usb usb4: USB disconnect, device number 1
[ 24.094856] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 24.098963] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 24.104522] usb usb3: USB disconnect, device number 1
[ 24.111194] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 24.115086] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 24.120396] usb usb2: USB disconnect, device number 1
[ 24.126503] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 24.130347] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 24.135948] usb usb1: USB disconnect, device number 1
[ 24.142085] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
root@LEDE:/#
Fixes: dwc3-of-simple module unloading for Netgear R7500
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
The patch follows the qualcomm code comments setting
SSUSB_CTRL_TEST_POWERDOWN to 0x1 and is testing and clearing the
bit during USB superspeed PHY init. According to Andy Gross it
needs to be BIT(26).
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
Acked-by: Andy Gross <andy.gross@linaro.org>
Use the stateless 4-byte op codes for this flash chip to fix reboot
hangs on SoCs expecting the flash chip in 3-byte mode.
Fixes: FS#179
Signed-off-by: Mathias Kresin <dev@kresin.me>
Split the fritz-tools into subpackages. fritz_tffs_read is usefull for
all Fritz boards where fritz-cal_extract is only required for the
Fritz 4040 at the moment.
Rename the tffs related binary to the more catchy name fritz_tffs and
move the whole package to utilities since the package doesn't really
provide a firmware file.
Make the fritz-tools available for all targets and build them shared.
The tffs is used by avm on lantiq and ar71xx as well.
Tested-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Without patch unloading the dwc3-of-simple module went stuck after
successfully removing hcd.1 during the hcd.0 removal:
root@LEDE:/# rmmod dwc3-of-simple
[ 21.391846] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 21.391931] usb usb4: USB disconnect, device number 1
[ 21.397038] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 21.401111] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 21.406685] usb usb3: USB disconnect, device number 1
[ 21.412848] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 21.417248] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 21.422521] usb usb2: USB disconnect, device number 1
followed by nothing.
Sometimes a stall CPU was detected, or a kernel panic,
or a reboot occurred after a couple of minutes.
At the same time unloading the dwc3 module followed by dwc3-of-simple
module was working repeatedly.
root@LEDE:/# rmmod dwc3
[ 53.827328] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 53.827412] usb usb4: USB disconnect, device number 1
[ 53.832630] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 53.836452] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 53.842314] usb usb3: USB disconnect, device number 1
[ 53.848412] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 53.852542] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 53.857882] usb usb2: USB disconnect, device number 1
[ 53.863956] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 53.867875] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 53.873696] usb usb1: USB disconnect, device number 1
[ 53.879742] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
root@LEDE:/# rmmod dwc3-of-simple
root@LEDE:/#
For the non-working case, the code was stuck in a readl() in
http://lxr.free-electrons.com/source/drivers/usb/host/xhci.c#L91
because
http://lxr.free-electrons.com/source/drivers/usb/dwc3/dwc3-of-simple.c#L126
was disabling the wrong clocks when removing hcd.1 (it was disabling
the clock of hcd.0). That's why the readl() went stuck when removing
hcd.0
The patch however addresses the clock assignment from the .dtsi
file. Most probably it went into openwrt here:
https://dev.openwrt.org/browser/trunk/target/linux/ipq806x/patches-3.18/101-ARM-qcom-add-USB-nodes-to-ipq806x-ap148.patch?rev=45261
copied from Qualcomms attempt here: https://lkml.org/lkml/2015/11/20/116
Now unloading and repeated module loading is working just fine,
no matter if you'd remove dwc3-of-simple or dwc3.
root@LEDE:/# rmmod dwc3-of-simple
[ 24.089679] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 24.089765] usb usb4: USB disconnect, device number 1
[ 24.094856] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 24.098963] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 24.104522] usb usb3: USB disconnect, device number 1
[ 24.111194] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 24.115086] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 24.120396] usb usb2: USB disconnect, device number 1
[ 24.126503] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 24.130347] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 24.135948] usb usb1: USB disconnect, device number 1
[ 24.142085] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
root@LEDE:/#
Fixes: dwc3-of-simple module unloading
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
Allow module unloading by fixing a mistake.
qcom_dwc3_phy_write_readback() is expecting (phy, offset, mask, value)
while the mistake was calling it with (phy, offset, value, mask)
The patch is swapping value and mask.
Without the patch unloading the dwc3 module was showing a
write to QSCRATCH failed and repeated module loading was
failing:
root@LEDE:/# rmmod dwc3
[ 19.167998] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 19.168084] usb usb4: USB disconnect, device number 1
[ 19.173371] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 19.177134] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 19.182960] usb usb3: USB disconnect, device number 1
[ 19.189023] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 19.192989] qcom-dwc3-usb-phy 110f8830.phy: write: 8000000 to QSCRATCH: 0 FAILED
[ 19.199064] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 19.205912] usb usb2: USB disconnect, device number 1
[ 19.211611] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 19.215905] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 19.221751] usb usb1: USB disconnect, device number 1
[ 19.227307] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
[ 19.231795] qcom-dwc3-usb-phy 100f8830.phy: write: 8000000 to QSCRATCH: 0 FAILED
root@LEDE:/# modprobe dwc3
[ 29.583343] phy phy-100f8830.phy.4: phy init failed --> -110
[ 29.583399] dwc3 10000000.dwc3: failed to initialize core
[ 29.588169] dwc3: probe of 10000000.dwc3 failed with error -110
[ 29.652943] phy phy-110f8830.phy.2: phy init failed --> -110
[ 29.652988] dwc3 11000000.dwc3: failed to initialize core
[ 29.657735] dwc3: probe of 11000000.dwc3 failed with error -110
root@LEDE:/#
With patch repeated module unloading and loading is working good:
root@LEDE:/# rmmod dwc3
[ 22.622214] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 22.622298] usb usb4: USB disconnect, device number 1
[ 22.627401] xhci-hcd xhci-hcd.1.auto: USB bus 4 deregistered
[ 22.631492] xhci-hcd xhci-hcd.1.auto: remove, state 1
[ 22.637054] usb usb3: USB disconnect, device number 1
[ 22.643721] xhci-hcd xhci-hcd.1.auto: USB bus 3 deregistered
[ 22.647421] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 22.652910] usb usb2: USB disconnect, device number 1
[ 22.659219] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
[ 22.662768] xhci-hcd xhci-hcd.0.auto: remove, state 1
[ 22.668604] usb usb1: USB disconnect, device number 1
[ 22.674803] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered
root@LEDE:/# modprobe dwc3
[ 25.404592] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[ 25.404694] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1
[ 25.409444] xhci-hcd xhci-hcd.0.auto: hcc params 0x0228f065 hci version 0x100 quirks 0x00010010
[ 25.416589] xhci-hcd xhci-hcd.0.auto: irq 168, io mem 0x10000000
[ 25.426509] hub 1-0:1.0: USB hub found
[ 25.431626] hub 1-0:1.0: 1 port detected
[ 25.435472] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[ 25.439206] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2
[ 25.444573] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 25.452926] hub 2-0:1.0: USB hub found
[ 25.460420] hub 2-0:1.0: 1 port detected
[ 25.525037] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[ 25.525099] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 3
[ 25.529750] xhci-hcd xhci-hcd.1.auto: hcc params 0x0228f065 hci version 0x100 quirks 0x00010010
[ 25.537002] xhci-hcd xhci-hcd.1.auto: irq 169, io mem 0x11000000
[ 25.546583] hub 3-0:1.0: USB hub found
[ 25.551997] hub 3-0:1.0: 1 port detected
[ 25.555734] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[ 25.559621] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 4
[ 25.564942] usb usb4: We don't know the algorithms for LPM for this host, disabling LPM.
[ 25.573063] hub 4-0:1.0: USB hub found
[ 25.580842] hub 4-0:1.0: 1 port detected
root@LEDE:/#
Fixes: dwc3 module unloading
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
Makes use of the syscon tcsr and enables both USB ports. Cleans up
qcom-ipq8064.dtsi from previous attempts.
Fixes FS#497
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
Current driver shows temp in full degrees while other apps await it
to be in millidegrees.
Initially the driver represents termal data in millidegrees but then
it gets divided by TSENS_FACTOR. So lets just set it to '1'.
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
Netgear X4 R7500 comes with a QCA988X. Select a firmware that matches
the ath10k chipset
Signed-off-by: Thomas Reifferscheid <thomas@reifferscheid.org>
This patch adds support for AVM FRITZ!Box 4040.
hardware highlights:
SOC: IPQ4018 / QCA Dakota
CPU: Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM: 256 MiB Nanya NT5CC128M16IP
FLASH: 32 MiB MXIC MX25L25635FMI
ETH: Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN)
USB: 1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
1 x 2.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1: Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2: Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT: one WLAN and one WPS button
LEDS: Power, WAN/Internet, WIFI, INFO (red and amber) and LAN.
Serial:
WARNING: The serial port needs a TTL/RS-232 v3.3 level converter!
The Serial setting is 115200-8-N-1. The SoC's serial port is right
next to the MXIC FLASH chip. The board has a unpopulated 1x4 0.1"
header for it. Use a multimeter to figure out the pinout!
This board currently needs an additional u-boot image in order to boot
properly. Booting with EVA isn't possible ATM.
Install Procedure:
0. It's highly recommended to connect to the serial port.
The serial settings are listed above.
1. install a u-boot image for AVM Fritz!Box 4040
(see <https://github.com/chunkeey/FritzBox-4040-UBOOT/releases> and
<https://github.com/chunkeey/FritzBox-4040-UBOOT/blob/master/upload-to-f4040.sh>)
2. upload the initramfs.itb image via tftp (u-boot listens to
192.168.1.1 - use binary transfer mode!)
3. connect to the FB4040 and use sysupgrade sysupgrade.bin
to install the image.
Works:
- Switch and Ethernet (99%)
- Buttons (WLAN, WPS)
- FLASH (1 x 32MiB NOR Chip)
- WLAN2G and WLAN5G
- CPUFREQ scaling
- PRNG
- serial
- Crypto Accelerator
- sysupgrade (Read the flash instructions to avoid bricking)
- full LEDE Install (Read the flash instructions to avoid bricking)
- LEDs (Power, WAN, Info (red and amber), LAN)
The LEDs are connected to the QCA8075 LED ports.
The AR40xx driver contains a gpio-controller to
handle these special "GPIOs".
- USB Both 3.0 and 2.0 ports
- many packages from other ARMv7 boards
(This does include the RaspberryPi Model 2!)
- ...
Not planned:
- WAN<->LAN short-cut
- Qualcomm Secure Execution Environment
- ...
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John Crispin <john@phrozen.org>
Add back support for the independent_clocks definition that has been
removed between kernel 4.4 and 4.9 by upstream commits
eb96924acddc709db58221c210ca05cd9effb1df and
e86eee6bc2aaa6b3637f6497b26beee09a91bde9
* extend the new cpufreq_dt_platform_data definition in cpufreq-dt.h
* revert the removal of its usage in cpufreq-dt.c
* use new cpufreq-dt.h in qcom-cpufreq.c
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
For IPQ806x targets, TZ protects the registers that are used to
configure the routing of interrupts to a target processor.
To resolve this, this patch uses scm call to route GPIO interrupts
to application processor. Also the scm call interface is changed.
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
At the moment as a workaround definition for scm firmware in DT is used as if it is
apq8064 board. This leads to incomplete scm firmware initialization and as a result
cpuidle driver fails to configure.
By design unlike other qcom boards ipq do not use clocks to connect to scm.
Considering this we're removing from DT and scm driver clocks for ipq boards.
As a result cpuidle does not produce errors about failed configuration anymore.
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
The available amount of coherent DMA memory is very limited. On Linux
4.4 this issue was worked around by increasing the pool size.
It turns out that using coherent memory here is completely unnecessary.
This change reworks the driver code to use kzalloc+dma_map_single
instead.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Do not patch upstream files, overwrite them entirely. The upstream files
are buggy for a number of devices and this significantly simplifies the
patch structure
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: John Crispin <john@phrozen.org>