Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If nand chip has no NAND_NO_SUBPAGE_WRITE flag on its options
ubifs can't use it mtd devices and the kernel crashes with error:
__nand_correct_data: uncorrectable ECC error
Signed-off-by: Sergey Sergeev <adron@yapic.net>
This fixes wrong GPIO numbers for LEDs and button in Wallys DR344 board
and sets color of all LEDs to green as the mass production boards have
only green one.
Actually, DR344 has 6 GPIO-connected LEDs and one button:
- GPIO11: status
- GPIO12: sig1
- GPIO13: sig2
- GPIO14: sig3
- GPIO15: sig4
- GPIO16: reset button
- GPIO17: lan
WAN LED is connected directly with AR8035 PHY.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This aligns default network interfaces configuration with vendor
firmware: GE (eth0) -> wan, FE (eth1) -> lan.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
GMAC0 interface of AR9344 SOC in Wallys DR344 board is connected with
AR8035, not with AR8327. Without this fix, GE interface doesn't work at
all or shows high packet loss ratio.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
EnGenius ENS202EXT is an outdoor wireless access point with
2-port 10/100 switch, detachable antennas and proprietery PoE.
The device is based on Qualcomm/Atheros AR9341 v1.
Specifications:
- 535/400/200 MHz (CPU/DDR/AHB)
- 64 MB of RAM
- 16 MB of FLASH
- UART (J1) header on PCB (unpopulated)
- 2x 10/100 Mbps Ethernet
- 2.4 GHz, up to 26dBm
- 2x external, detachable antennas
- 7x LED, 1x button
Flash instructions:
You have three options:
- Use the vendor firmware upgrade page on the web interface and give
it the factory.img. This is the easiest way to go about it.
- If you have serial access during u-boot, interrupt the normal boot
(any key before timeout) and run 'run failsafe_boot'; this will bring
you to a minimal openwrt luci image on ip 192.168.1.1 useful if you've
bricked the normal firmware.
- Use the vendor's management cli, which can be accessed via telnet
with the same credentials as the web login (default admin:admin), then
issue the following commands:
*** Hi admin, welcome to use cli(V-1.6.7) ***
---========= Commands Help =========---
stat -- Status
sys -- System
wless2 -- 2.4G-Wireless
mgmt -- Management
tree -- Tree
help -- Help
reboot -- Reboot
ens202ext>mgmt
Management
---========= Commands Help =========---
admin -- Administration
mvlan -- Management VLAN settings
snmp -- SNMP settings
backup -- Backup/Restore settings
autorb -- Auto reboot settings
fwgrade -- Firmware upgrade
time -- Time settings
wifisch -- Wifi schedule
log -- Log
diag -- Diagnostics
disc -- Device Discovery
logout -- Logout
help -- Help
exit -- Exit
ens202ext/mgmt>fwgrade
Management --> Firmware upgrade
---========= Commands Help =========---
fwup -- Firmware upgrade
help -- Help
exit -- Exit
ens202ext/mgmt/fwgrade>fwup http://web.server/lede-ar71xx-generic-ens202ext-squashfs-factory.bin
Signed-off-by: Marty Plummer <ntzrmtthihu777@gmail.com>
You can flash via tftp recovery (serve factory image as /mr6400_tp_recovery.bin
on 192.168.0.66/24, connect to any ethernet port and power on device while
holding the reset button). Flashing via OEM web interface does not work.
Hardware Specification (v1.0 EU):
- SoC: QCA9531
- Flash: Winbond W25Q64FV (8MiB)
- RAM: EtronTech EM6AB160TSE-5G (64MiB)
- Wireless: SoC platform only (2.4GHz b/g/n, 2x internal antenna)
- Ethernet: 2NIC (3x100M + 1x100M)
- WWAN: TP-LINK LTE MODULE (2x external detachable antenna)
- Power: DC 12V 1A
Signed-off-by: Filip Moc <lede@moc6.cz>
This change is required to make the GBit switch work on my Mikrotik Routerboard RB2011UiAS-RM, and I assume that the other RB2011 variants are exactly the same in terms of the switch. I have tested the board without and with the patch and confirm that the GBit ports are not supported at all (i.e. no communication works) with the current version in trunk and that everything works with the patch applied. The test box has been running for a few days with the patch applied, and does not show any performance problems in a test setting. I have not used it with LEDE in production so far, but with a previous turnk version of OpenWRT for many years - with the same patch applied. I therefore have good indication that it is stable.
For the record, the switch chip on my test box is identified as
switch0: Atheros AR8327 rev. 4 switch registered on ag71xx-mdio.0
The value 0x6f000000 has been taken from the table at https://wiki.openwrt.org/toh/mikrotik/rb2011uias with the previous discussion thread still online at https://lists.openwrt.org/pipermail/openwrt-devel/2014-December/029949.html.
One definite improvement from the older OpenWRT trunk version I have been running in production and current LEDE trunk is that the SFP interface can be kept in the default configuration without excessive kernel messages about it constantly going up and down. I have not yet tested an actual SFP module, though.
Performance seems to be reasonable. Routing between two GBit ports on that switch separated by different VLANs with the default firewall ruleset (and one additional rule two allow traffic between the VLANs), but without NAT, iperf3 results are:
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 508 MBytes 426 Mbits/sec 102 sender
[ 4] 0.00-10.00 sec 506 MBytes 425 Mbits/sec receiver
With a connection going through NAT (also 2 ports on the same GBit switch, same ruleset, but NAT active), routing performance drops to around 250 MBit/s.
(Note that RouterOS achieves beyond 900 MBit/s on the same hardware with the default rule set and the FastTrack rule active even for NAT, see https://wiki.mikrotik.com/index.php?title=Manual:IP/Fasttrack and http://www.mikrotik.com/download/share/FastTrack.pdf).
Summarizing, I strongly recommend to apply this patch in trunk, so that the GBit switch chip rev. 4 can be supported upstream in the next LEDE release (hopefully soon).
Signed-off-by: René Mayrhofer <rene@mayrhofer.eu.org>
changes the image version from hardcoded OpenWrt to
$VERSION_DIST. AirOS shows a notification with the image version
during a firmware upgrade.
fixes#582
Signed-off-by: Matthias Fritzsche <txt.file@txtfile.eu>
Refresh patches. A number of patches have landed upstream & hence are no
longer required locally:
062-[1-6]-MIPS-* series
042-0004-mtd-bcm47xxpart-fix-parsing-first-block
Reintroduced lantiq/patches-4.4/0050-MIPS-Lantiq-Fix-cascaded-IRQ-setup
as it was incorrectly included upstream thus dropped from LEDE.
As it has now been reverted upstream it needs to be included again for
LEDE.
Run tested ar71xx Archer C7 v2 and lantiq.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[update from 4.4.68 to 4.4.69]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Teltonika RUT900 is a Router with LTE dual SIM, WiFi, 4x Ethernet
ports, I/O, RS232, RS485, GPS.
The device ist based on a Atheros AR9344 rev 3,
Specifications:
- 560/450/225 MHz (CPU/DDR/AHB)
- 128 MB of RAM
- 16 MB of FLASH
- Serial Console header on a Card Board edge connector
- 4x 10/100 Mbps Ethernet (3x LAN, 1x WAN)
- 2.4 GHz Wifi
- 2x external, detachable Wifi antennas
- LTE Modem Huawei ME909u-521 (Also other Modem seen)
- 2x LTE antennas
- 1x GPS antenna
- 7x LED, 1x button
- 1x USB Connector
- 1x Serial RS232
- 1x Serial RS485
- 1x MicroSD Card
The GPL sources of the device are available at www.teltonika.lt/gpl/
and are based on OpenWRT Barrier Breaker (14.07)
Running from tftp:
The Router starts into the uboot Webupdater if the Button ist pressed
more than 3 seconds, if no Network cable is attached it starts the
uboot serial console, from there the router loads the firmware image
via tftpboot from 192.168.1.2:firmware.bin (the router has the
192.168.1.1). With bootm the loaded image will be booted.
Signed-off-by: Steffen Weinreich <steve@weinreich.org>
This adds support for Aerohive AP-121 access point.
Specification:
- SoC: Atheros AR9344-BC2A at 560MHz
- WiFi 1: 2.4GHz Atheros AR9340? - SoC
- WiFi 2: 5.0GHz Atheros AR9382-AL1A
- Memory: 128MB from 2x Nanya NT5TU32M16DG-AC
- SPI: 1MB Macronix MX25L8006E
- NAND: 128MB Hynix H27U1G8F2BTR-BC
- Ethernet: Atheros AR8035-A
- USB: 1x 2.0
- TPM: Atmel SC3204
Flashing:
1. Hook into UART (9600 baud) and enter U-Boot. You may need to enter
a password of administrator or AhNf?d@ta06 if prompted.
2. Once in U-Boot, download and flash LEDE factory image over tftp:
dhcp;
setenv serverip tftp-server-ip;
tftpboot 0x81000000 lede-ar71xx-nand-hiveap-121-squashfs-factory.bin;
nand erase 0x800000 0x800000;
nand write 0x81000000 0x800000 0x800000;
reset;
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
[minor text changes in commit subject and description, fixed
alphabetical order in etc/diag.sh, use only model name in lib/ar71xx.sh,
fixed code style issues in mach-hiveap-121.c, ubinized factory image]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Rambutan is a Wifi module based on QCA9550/9557
http://www.8devices.com/products/rambutan
This commit adds basic support for Rambutan development kit
Specification:
- 720/600/200 MHz (CPU/DDR/AHB)
- 128 MB of DDR2 RAM
- 128 MB of NAND Flash
- 1x 100Mbps Ethernet
- 1x 1000Mbps Ethernet (PHY on dev-kit)
- 1x Wifi radio 2x2 MIMO, dualband 2.4 and 5 GHz
- 2x U.FL connectors on module, chip antennas on dev-kit
- 1x miniPCIe slot
- 1x USB2.0 host socket + 1x USB2.0 pins on 2.54mm header
Flash instructions:
Stock firmware is OpenWrt, so use:
sysupgrade -n /tmp/lede-ar71xx-nand-rambutan-squashfs-sysupgrade.tar
or upgarde from GUI (don't save config)
Use factory image to flash from U-Boot:
tftpboot 80060000 lede-ar71xx-nand-rambutan-squashfs-factory.ubi
nand erase.part ubi
nand write 80060000 ubi ${filesize}
Signed-off-by: Mantas Pucka <mantas@8devices.com>
[split support in uboot-envtools package into a separate commit,
fixed alphabetical order in lib/preinit/05_set_iface_mac_ar71xx]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This adds the build option for the new UniFi AC Mesh.
It is a direct hardware copy from the AC Lite.
- SoC: QCA9563-AL3A (775Mhz)
- RAM: 128MiB
- Flash: 16MiB - dual firmware partitions!
- LAN: 1 1000M - POE
- Wireless:
2.4G: QCA9563
5G: UniFi Chip, QCA988X compatible
Thanks to Frank Dietz for testing.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
[wrapped too long lines in mach-ubnt-unifiac.c]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This fixes switch port mapping for: TL-WR841N/ND v8, TL-MR3420 v2 and
TL-WR941N/ND v5. All of them share the same Atheros ap123 reference
design.
The order of switch ports (shown in "swconfig dev eth1 show") is CPU,
LAN 4, LAN 1, LAN 2, LAN 3.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
[included 2 more devices]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The patch 523-MIPS-ath79-OTP-support only supports the OTP offsets for
AR933x chips, which has changed on newer platforms such as the AR934x.
The follwoing change is to add support for reading the OTP on the
AR934x. Tested on an Aerohive AP-121.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Fix a '==' that should be a '=' in a test condition. Busybox fortunately
doesn't care.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Since 192f0a3db8 ("ath9k: unset the default LED pin if used by
platform leds") the default ath9k wireless LED is not set as soon as
any pin of the ath ath9k gpio controller is used.
All touched boards have leds defined which are using the gpio pins
exposed by the ath9k driver but rely on a default set wireless led
trigger.
Add the wireless leds were missing and setup the wireless phy trigger
in userspace.
Signed-off-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Instead of renaming the default wireless led attached to the wireless
chip, add a new led using the platform leds with the phy0tpt trigger
set in userspace.
When switching ar71xx to device tree, the same can be done by using the
build in GPIO controller and without adding new bindings.
Drop the now unused platform code.
Signed-off-by: Mathias Kresin <dev@kresin.me>
There are currently several supported TP-Link devices without specified
version number in image name and/or DEVICE_TITLE (e.g. WBS210, WBS510,
TL-WR810N, TL-WA7510N, TL-WPA8630), but vendor website shows that there
are already more than one version of them on the market.
For devices like Archer C5, which second version is based on a total
different platform, missing version number in DEVICE_TITLE (used in
menuconfig) might be misleading for users.
To make it less confusing for users and easier to maintain in future,
include version number in image name and DEVICE_TITLE for all TP-Link
devices, even if there is only one version of device at the moment.
Also, keep DEVICE_TITLE in same format for all TP-Link devices.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Acked-by: John Crispin <john@phrozen.org>
Kernel/hardware support for this board has been implemented since
Chaos Calmer. This set of patches is to get the board identified in
userland. This will allow support for things like sysupgrade,
configuring initial LED state, configuring initial switch state, etc.
Signed-off-by: Ron Angeles <ronangeles@gmail.com>
This router has the same hardware as TP-LINK TL-WR841N/ND v11 (same FCC
ID, same TFTP image name...).
If the stock firmware web interface doesn't accept LEDE factory image,
it can be flashed via the U-Boot TFTP recovery mode, by long-pressing
the reset button after power on.
The TFTP image name is wr841nv11_tp_recovery.bin (yes, v11, not v12).
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
Specification:
- SoC: Qualcomm Atheros QCA9563 (775 MHz, MIPS 74Kc)
- RAM: 128 MiB
- Storage: 16MB NOR flash
- Wireless: Built into QCA9563 (Dragonfly), PHY modes b/g/n, 3x3 MIMO
- Ethernet: 2x1G
Tested and working:
- ethernet / switch / lan / wan
- 2.4GHz SoC wifi
- PCIe
- leds
- buzzer
Ramload:
- tftpboot 0x84000000 lede-ar71xx-generic-wpj563-16M-initramfs-uImage.bin
- bootm 0x84000000
Install:
- tftpboot 0x80500000 lede-ar71xx-generic-wpj563-16M-squashfs-sysupgrade.bin
- erase 0x9f030000 +$filesize
- erase 0x9f680000 +1
- cp.b $fileaddr 0x9f030000 $filesize
Erasing 0x9f680000 is required because uboot defines
"bootcmd=bootm 0x9f680000 || bootm 0x9f030000", so it first tries to boot
the higher address. I think the 16 mb flash are intended to be used as
8+8mb for a fallback image. In my hardware only the lower address has a
bootable image. But to make sure future hardware will boot lede too, I
erase one block, so uboot will skip this address.
Signed-off-by: Christian Mehlis <christian@m3hlis.de>
P&W (full name: Shenzhen Progress&Win Technologies) R602N (could be also
labeled as R602F, R602, etc.) is a simple N300 router with 5-port
10/100 Mbps switch, non-detachable antennas and USB.
CPE505 is an outdoor CPE with PoE support and detachable antennas.
Both devices are based on Qualcomm/Atheros QCA9531 v2.
Common specification:
- 650/597/216 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 16 MB of FLASH
- UART (J2) header on PCB
R602N specification:
- 5x 10/100 Mbps Ethernet
- 1x USB 2.0
- 2T2R 2.4 GHz with external LNA and PA (SE2576L), up to 28 dBm
- 2x external, non-detachable antennas
- 7x LED, 1x button
CPE505N specification:
- 2x 10/100 Mbps Ethernet (both ports support passive PoE 12-24 V)
- 2T2R 2.4 GHz with external LNA and PA (SKY65174-21), up to 30 dBm
- 2x external, detachable antennas (RP-SMA connectors)
- 1x RGB LED, 2x LEDs (in RJ45 sockets), 1x button
Flash instructions:
It seems that there are many different versions of the firmware which
these devices are shipped with. The generic/standard one is based on
some modified OpenWrt and LEDE firmware can be flashed directly from
vendor's webgui or with sysupgrade (root password is "admin123").
Before flashing, make sure (use "fw_printenv") that the kernel load
address in your device is set to "0x9f050000" (bootcmd variable is
"bootm 0x9f050000"). If your device uses different load address, you
should first change it, under vendor's firmware, with command:
fw_setenv bootcmd "bootm 0x9f050000 || bootm OLD_ADDRESS"
Where OLD_ADDRESS is previous kernel load address (in CPE505 version
I got access to, it was "0x9fe80000"). This will allow you to use
both the vendor's and LEDE firmware.
If version of your device contains empty U-Boot environment (you will
get information about this after issuing "fw_printenv"), you should
use U-Boot, serial line access and TFTP to perform firmware upgrade:
1. tftp 0x80060000 lede-ar71xx-generic-...-squashfs-sysupgrade.bin
2. erase 0x9f050000 +$filesize
3. cp.b $fileaddr 0x9f050000 $filesize
4. setenv bootcmd "bootm 0x9f050000 || bootm OLD_ADDRESS"
5. saveenv && reset
These devices contain also web recovery mode inside U-Boot. It can be
started with pressing the reset button for around 3 seconds just after
the device powerup. Web recovery panel is available on "192.168.10.9"
and to be able to use it, IP on your PC must be set to "192.168.10.10".
Make sure to change kernel load address before using recovery mode or
the U-Boot will not be able to load LEDE firmware.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This patch adds initial support for the MikroTik RouterBOARD hAP ac
(RB962UiGS-5HacT2HnT).
All functions are supported except:
-SFP cage (eth1) is not working
-WLAN LEDs are not working
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
This patch adds support for the MikroTik RouterBOARD hAP ac lite
(RB952Ui-5ac2nD).
The hAP ac lite is nearly identical to the hAP, with an added QCA9887
5GHz radio. The 2.4GHz radio ID is also changed in the hAP ac lite.
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
When the device name doesn't already contain "RouterBOARD", this patch adds
this string to the machine name.
Most NOR devices already have "RouterBOARD" in their hardware-stored device name,
but not all of them.
This patch also makes the code more robust against buffer overflows.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
The Netgear WNDR4300, equipped with an Atheros AR8327 Gigabit Switch,
has two LEDs on each port for monitoring LAN activity, but it currently
only uses one. Fix the configuration to use both.
The patch provides this new configuration:
- green LED: 1 Gbps link, 4Hz blink frequency
- amber LED: 10/100 Mbps link. 4Hz for 100Mbps, 2Hz for 10Mbps
Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
