This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Do not put the apex images into the kernel build directory as this directory
might get removed after kernel updates while the apex packages InstallDev
recipe is not getting re-executed because it is still considered current,
leading to image build failures later on due to missing images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Do not put the u-boot images into the kernel build directory as this directory
might get removed after kernel updates while the u-boot packages InstallDev
recipe is not getting re-executed because it is still considered current,
leading to image build failures later on due to missing images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Do not put the u-boot images into the kernel build directory as this directory
might get removed after kernel updates while the u-boot packages InstallDev
recipe is not getting re-executed because it is still considered current,
leading to image build failures later on due to missing images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Do not put the u-boot images into the kernel build directory as this directory
might get removed after kernel updates while the u-boot packages InstallDev
recipe is not getting re-executed because it is still considered current,
leading to image build failures later on due to missing images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Do not put the u-boot and ucode images into the kernel build directory as this
directory might get removed after kernel updates while the u-boot packages
InstallDev recipe is not getting re-executed because it is still considered
current, leading to image build failures later on due to missing images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Do not put the u-boot images into the kernel build directory as this directory
might get removed after kernel updates while the u-boot packages InstallDev
recipe is not getting re-executed because it is still considered current,
leading to image build failures later on due to missing u-boot images.
To ensure that built bootloader images persist over kernel version updates in
the buildroot, put them into the new STAGING_DIR_IMAGE directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This adds support for the PCB LEDs and Reset Button found on the PC
Engines APU2/APU3 embedded boards.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Updates to openvpn.init were included in early OpenVPN 2.4 patch
series, but got lost along the way and were never merged.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
HTB and TBF are the basic traffic shapers used by sqm-scripts. Moving
these into kmod-sched-core enables sqm-scripts to downgrade its
dependency from kmod-sched to kmod-sched-core, potentially making it
useful on devices with smaller flash sizes.
This adds around 30k to the size of kmod-sched-core (20k for sch_htb.ko
and 10k for sch_tbf.ko).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This adds support for the SuperIO chip nct5104d found on the PC Engines
APU boards, which allows for a handful of additional ports, such as 2x
additional UART pinouts, enabling an external watchdog (no driver for
this functionality yet), and 16 GPIO pins. More info can be found at
https://pcengines.ch/ht_gpio.htm
Thanks to @feckert for helping package this.
Cc: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
The name will appear in shell prompt and LuCI page title. Uppercase
letters seem to be more vigorous
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Update ubox to latest Git head in order to import the following fixes:
14839f0 kmodloader: make insert_module() idempotent
6e3c6dc kmodloader: add module alias awareness
9371411 kmodloader: fix out-of-bound access when parsing .modinfo
a62c946 kmodloader: modprobe: skip possible command line arguments
46a4b5f kmodloader: log to kmsg when loading directories of modules
eacc426 kmodloader: remove redundant glob wildcard char
8488bb5 ubox: Initialize conditionally uninitialized variable
db070f1 ubox: Fix some memory leaks
acc48b5 kmodloader: Fix typo in error message
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is how other Linux distributions are doing and kernel
modprobe_path[] of request_module() also has a default value of
/sbin/modprobe
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
A given signal-name is now converted to the corresonding number. In general
it's good style to use names (readability) and it's more portable: signal
numbers can be architecture-dependent, so we are more safe giving names.
A real world example is signal 10, which is BUS on ramips and USR1 on PPC.
All users of 'procd_send_signal' must change their code to reflect this.
Signed-off-by: Bastian Bittorf <bb@npl.de>
When relying on x.509 certs for auth and / or encryption of traffic you can't
use package openvpn-nossl.
Just have your package depend on openvpn-crypto to have SSL-encryption and
X.509-support enabled in OpenVPN. If encryption / X.509 is not a must, use
virtual packge openvpn, which is provided by all OpenVPN-variants.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.
Signed-off-by: Steven Honson <steven@honson.id.au>
The author of the upstream mwlwifi edited the history of the previous commit.
This commit not only fixes the updated hash but also sends in the latest
commits he made to the code which are mainly testing.
Signed-off-by: Gabe Rodriguez <lifehacksback@gmail.com>
Clarify opkg's messages related to downloads:
* more visible error message for package list download failure
* separate error message for signature file download error
* if wget returns 4, signal the network error more clearly
* remove '.' from end of filenames and URLs
* try signature check only if the package list was downloaded ok.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The radio would stop communicating completely. This issue was easiest to
trigger on AR913x devices, e.g. the TP-Link TL-WR1043ND, but other
hardware was occasionally affected as well.
The most critical issue was a race condition in disabling/enabling IRQs
between the IRQ handler and the IRQ processing tasklet
Signed-off-by: Felix Fietkau <nbd@nbd.name>
All SPL variants are lzo compressed. The lzop binary is used for
compression but is not available in tools.
Additionally at least the NAND SPL support is broken and doesn't create
working bootloaders.
The fb3370 SPI NOR SPL enabled u-boot isn't required for LEDE since the
LEDE images are targeting the pre-installed EVA bootloader.
Mark these u-boot variants as well as the SPL variants for the
reference boards as broken till the lzma issues are fixed upstream and
we can use lzma instead of lzo compression.
Signed-off-by: Mathias Kresin <dev@kresin.me>
If only a single opkg control file exists (which can happen with
CONFIG_CLEAN_IPKG), grep would not print the file name by default. Instead
of forcing it using -H, we just switch to -l (print only file names) and
get rid of the cut.
Add -s to suppress an error message when no control files exist.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
There was a bug in brcmfmac patch that could result in treating random
memory as source of country codes.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This reverts commit c296ba834d.
According to several reports, the issues with the airtime fairness
changes are gone in current versions.
It's time to re-apply the patch now.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
accessing the u-boot's envs on this device is required to read the mac address.
These are the envs of the new u-boot, not of the stock one.
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
Instead of referencing u-boot packages from device profiles and having a
-all metapackage, make the u-boot packages hidden (they don't install to
bin/ anyway), and name the files in KERNEL_BUILD_DIR appropriately
Signed-off-by: Felix Fietkau <nbd@nbd.name>
this commit allows to make a standalone u-boot for nsa310b.
While both first-stage and second-stage u-boot work fine if
installed to flash or loaded with kwboot,
I could not get stock u-boot nor bodhi's u-boot to chainload
any second stage u-boot (I also tried with dockstar's uboot
that works fine on this device if loaded with kwboot).
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
The subtarget on which the driver still depends was removed with
dee8986b95 because it was unmaintained
for a long time.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add PROVIDES:=openvpn to the default recipe in order to let all build variants
provide a virtual openvpn package.
The advantage of this approach is that downstream packages can depend on just
"openvpn" without having to require a specific flavor.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The last two parameters passed between user space tc and kernel space
sched-cake were transposed due to a merge mistake in a parameter header
file.
As such, using a packet overhead figure was likely to set cake to wash
packet DSCP values. Similarly, the DSCP wash flag was used as an offset
to the displayed packet overhead value.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
- Adds support for passing file descriptors in ubus invoke requests
- Fixes clearing pending timers on ubus_shutdown()
- Fixes checking the amount of written data in ubusd
- Fixes an ubusd crash when trying to subscribe to system objects
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Changes the platform to use the Chipidea driver instead of the
generic USB host driver which has support for both host and
device modes (selected on boot).
The changes in 930-chipidea-pullup.patch are already in mainline.
I'll upstream 920-usb-chipidea-AR933x-platform-support.patch once I
can test the changes with a newer kernel.
Signed-off-by: Svetoslav Neykov <svetoslav@neykov.name>
Commit 131db36 "build: remove separate /install step for host builds" dropped
the package/*/host/install targets in favor to performing the install steps
within the compile target instead.
Adjust package/Makefile accordingly in order to prevent a missing
staging_dir/host/bin/opkg when staging package archives into the rootfs.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is used to save space on buildbot instances.
If any part of a package needs to be rebuild, the whole package is
rebuilt from scratch. Stamp files are preserved to allow dependency
checks to work
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Knowing the package architecture at runtime can be useful, e.g. to
configure opkg repository URLs. The value of ARCH_PACKAGES ("%A" in
VERSION_SED) as added to openwrt_release (as DISTRIB_ARCH) and os-release
(as LEDE_ARCH).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Currently system log is always included as a part of ubox. Add logd as a
seperate package and add it to default packages list.
Signed-off-by: Andrej Vlasic <andrej.vlasic@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
opkg doesn't have BUILD_VARIANTs anymore, so the previously defined
PKG_BUILD_DIR would lead to a weird 'opkg-' path component.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This allows some basic region switching on Netgear R8000. More devices &
codes may be added. Ideally it should be converted into DT info & patch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This makes use of cfg80211 feature backported & described in
188626f17c ("mac80211: backport cfg80211 support for
ieee80211-freq-limit DT property").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes build failure for kmod-can-c-can-platform which depends on
kmod-regmap for kernel 4.1 and 4.4.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This patch updates the QCA988X firmware to the latest revision
firmware-5.bin_10.2.4-1.0-00016
found in the official ath10k-firmware repository.
Tested on TP-Link Archer C7 v2.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.
Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use ubus process signalling instead of 'kill pidof dnsmasq' for
SIGHUP signalling to dnsmasq when ntp says time is valid.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>