Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 88fa1f7b1e07c4dda3a9e387a4094ad8a06fcf0c)
[ fix apply conflict, drop SCSI config and OF_SYSTEM_SETUP ]
References: PCF-2005
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Adapt fs kmods for building under kernel 6.6:
* Add kmod-fs-netfs as dependency for kmod-fs-9p
* Add kmod-fs-netfs as dependency for fs-smbfs-common as netfs is
required for cifs since 6.3
* Add new kmod-nls-ucs2-utils as dependency for smbfs/jfs as UCS2
support was split as new module since 6.6.
* Add kmod-lib-zlib-deflate and kmod-lib-zlib-inflate as
dependencies for kmod-pstore because crypto API compression was
replaced with zlib_deflate library calls since 6.6
* Remove nfs_ssc.ko from kmod-fs-nfs-common. The nfs_ssc was no
longer a kernel module described by NFS_V4_2_SSC_HELPER since 5.13 [1]
Link:
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/Kconfig?id=d9092b4bb2109502eb8972021a3f74febc931a63
Signed-off-by: Weijie Gao <hackpascal@gmail.com>
(cherry picked from commit f9198480da)
[ adapt for changes after 6.1.36 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Adapt filesystem kmods for building under kernel 6.1:
* Depend on kernel not being 5.10 rather than only 5.15
* kmod-fs-9p depends on kmod-fs-netfs from 5.17 as they started using
netfs helpers
* Set new KConfig options to N
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 6dce5a7b58)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The duplicate sections are caused by a race condition at boot, when board.json
is not available. In that case, the final phy name cannot be resolved, and extra
sections referring to the path are created.
Fix this by making sure that wifi config is not being run before board.json
is created.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b993a00b82)
Crypto-aead doesn't provide geniv kernel modules on new kernel version
hence fix kernel package to account for that.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
A feed might provide the new wifi-scripts package that moved the wifi
script files to a dedicated package.
Add support for this by tweaking netifd package and check if
wifi-scripts is getting compiled. In such case, remove the netifd
file in favor of feed package.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
A feed might provide the new wifi-scripts package that moved the wifi
script files to a dedicated package.
Add support for this by tweaking base-files package and check if
wifi-scripts is getting compiled. In such case, remove the base-files
file in favor of feed package.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
devm_gpiod_get_from_of_node has been dropped in 6.6 in favor of the more
generic devm_fwnode_gpiod_get.
Add ifdef to align to this new requirement in new kernel version.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* 61e46f860c93 Multi-AP: Move IE parameters into a struct for extensibility
* 0e2ca2e4e2ad Multi-AP: Use proper length for remaining buffer for the
* 0034112429d8 Multi-AP: Generation of Multi-AP Profile subelement
* 364cb7c9437f Multi-AP: Parse the Multi-AP element using a shared helper
* 420afbdbdff7 Multi-AP: Allow supported profile to be configured
* c3e528653766 Multi-AP: Parse Profile subelement
* 9a1512532e80 Multi-AP: Reject non-Multi-AP STA association on backhaul-only BSS
* 024d4bca1335 Multi-AP: WPS support for different Multi-AP profiles
* 69d086298972 Multi-AP: Add support for VLAN related information
* 210c2b4bd75e Multi-AP: Add hostapd config option to disallow certain profiles
Closes: PPM-2953, PCF-1476
Signed-off-by: Igor Plesser <i.plesser@inango-systems.com>
Signed-off-by: Maarten De Decker <maarten.dedecker@mind.be>
Signed-off-by: Petr Štetiar <petr.stetiar@prplfoundation.org>
Lxc automatically mounts sys and proc in the rootfs of the container. When an unprivileged container is created however, the sys and proc of the host should be mounted with option relatime. The procd of openwrt mounts these with option noatime. As a result, an unprivileged container cannot start.
Remounting them allows starting of the containers:
    mount -t sys sys -o remount,rw,nosuid,nodev,noexec,relatime /sys
    mount -t proc proc -o remount,rw,nosuid,nodev,noexec,relatime /proc
The patch modifies procd to do this correctly from the start.
Issue: LCMFT-338 for unprivileged lxc containers, proc and sys should be mounted with relatime
Signed-off-by: Matthias FRANCK <matthias.franck@softathome.com>
This is a partial backport of upstream
commit 795a5dd452 ("kernel: bump 5.15 to 5.15.124").
Upstream kernel moved the vxlan module into its own directory
in kernel version 5.15.124 and commit 77396fa9096a
("vxlan: move to its own directory").
This was adapted in OpenWrt in commit 795a5dd452
("kernel: bump 5.15 to 5.15.124") but not
backported into prplOS, so let's fix it now.
Fixes: https://prplfoundationcloud.atlassian.net/browse/PPW-246
Signed-off-by: Maximilien Baumann <maximilien.baumann@orange.com>
(cherry picked from commit 81c1172c36)
(cherry picked from commit 795a5dd452)
The file contains the /usr/lib path from the toolchain directory and
not from the target directory. The /usr/lib directory for the toolchain
is empty and the shared library is not in the specified paths. On RISCV
the linker of util-linux was finding the libncursesw.so in my host
system, tried to link against it and failed. Fix the .pc file.
Fixes: #15942
Co-authored-by: Thomas Weißschuh <thomas@t-8ch.de>
Link: https://github.com/openwrt/openwrt/pull/16018
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 91573ac145)
Link: https://github.com/openwrt/openwrt/pull/16390
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 461102d99c)
This updates mac80211 to version 6.1.110-1. This code is based on Linux
6.1.110 and contains all fixes included in the upstream wireless
subsystem from that kernel version. This includes many bugfixes and also
some security fixes.
The removed patches are already integrated in upstream Linux 6.1.110.
The following patches were integrated in upstream Linux:
subsys/311-v6.2-wifi-mac80211-fix-and-simplify-unencrypted-drop-chec.patch
subsys/312-v6.3-wifi-cfg80211-move-A-MSDU-check-in-ieee80211_data_to.patch
subsys/313-v6.3-wifi-cfg80211-factor-out-bridge-tunnel-RFC1042-heade.patch
subsys/314-v6.3-wifi-mac80211-remove-mesh-forwarding-congestion-chec.patch
subsys/315-v6.3-wifi-mac80211-fix-receiving-A-MSDU-frames-on-mesh-in.patch
subsys/316-v6.3-wifi-mac80211-add-a-workaround-for-receiving-non-sta.patch
subsys/321-mac80211-fix-mesh-forwarding.patch
subsys/322-wifi-mac80211-fix-mesh-path-discovery-based-on-unica.patch
subsys/329-wifi-mac80211-fix-receiving-mesh-packets-in-forwardi.patch
subsys/339-wifi-cfg80211-fix-receving-mesh-packets-without-RFC1.patch
subsys/350-v6.3-wifi-mac80211-Allow-NSS-change-only-up-to-capability.patch
subsys/351-v6.9-wifi-mac80211-track-capability-opmode-NSS-separately.patch
Link: https://github.com/openwrt/openwrt/pull/16368
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7e42fdcafe)
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
* Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
Added github releases url as source mirror
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
(cherry picked from commit 62d3773bf1)
Link: https://github.com/openwrt/openwrt/pull/16346
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 4fa16c1e24)
This contains a fix for:
CVE-2024-45157:
Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Link: https://github.com/openwrt/openwrt/pull/16367
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit a0ebff651d)
The path for linking libucode.so was not specified for the ucode binary.
This breaks execution of ucode in the host context.
Signed-off-by: David Bauer <david.bauer@uniberg.com>
(cherry picked from commit ae42ecaad4)
(cherry picked from commit cc938b18a8)
Empty trailing fields get lost when the lines are split and merged again
at colons, resulting in unparsable entries. Only use the split fields for
matching against the other file, but emit the original line unchanged
to fix the issue.
Fixes: de7ca7dafa ("base-files: merge /etc/passwd et al at sysupgrade config restore")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 9bbaa6f2c0)
(cherry picked from commit 5773538c90)
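The failure mode described in the commit message above, reproduced as an added example (not the base-files code; `missing_lines`, `field_count` and the sample entries are constructed for illustration). POSIX field splitting treats a trailing `:` as a field terminator, so re-joining the split fields drops an empty trailing field, while emitting the original line keeps the entry parsable.

```shell
#!/bin/sh
# Added example, not the base-files code. Function names are hypothetical.

# Print entries of the backup file whose account name is missing from the
# new-image file. $1 = rejoin|verbatim, $2 = backup file, $3 = new-image file
missing_lines() {
	mode=$1 new_file=$3
	while IFS= read -r line; do
		(
			IFS=:; set -f           # split on ':' only, no globbing of '*'
			set -- $line            # $1 is now the account name
			grep -q "^$1:" "$new_file" && exit 0
			if [ "$mode" = rejoin ]; then
				printf '%s\n' "$*"      # re-joined fields: a trailing empty field is lost
			else
				printf '%s\n' "$line"   # original line, unchanged
			fi
		)
	done < "$2"
}

# Number of colon-separated fields in an entry (shadow entries need 9).
field_count() {
	printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# Constructed sample data: a shadow-style backup and a new image without "svc".
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:x:0:0:99999:7:::' 'svc:*:19000:0:99999:7:::' > "$tmp/backup"
printf '%s\n' 'root:x:0:0:99999:7:::' > "$tmp/image"

for m in rejoin verbatim; do
	out=$(missing_lines "$m" "$tmp/backup" "$tmp/image")
	echo "$m: $out ($(field_count "$out") fields)"
done
```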
This patch fixes the list delimiter between 3GPP networks
passed to hostapd.
> list iw_anqp_3gpp_cell_net '262,001'
> list iw_anqp_3gpp_cell_net '262,002'
When passing a list of "iw_anqp_3gpp_cell_net" parameters via UCI,
hostapd would crash at startup:
> daemon.err hostapd: Line 73: Invalid anqp_3gpp_cell_net: 262,001:262,002
Using a semicolon as a delimiter, hostapd will start as expected.
Signed-off-by: Sarah Maedel <git@tbspace.de>
(cherry picked from commit 8de185a176)
(cherry picked from commit 5a8588e360)
Like other Ethernet drivers, print link speed and duplex mode
when the interface is up. Formatting output at the same time.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from 5d2a008670)
(cherry picked from commit bd79a16674)
Like other Ethernet drivers, print link speed and duplex mode
when the interface is up. Formatting output at the same time.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from a57a3e5cc5)
(cherry picked from commit 4d33716f96)
Like other Ethernet drivers, print link speed and duplex mode
when the interface is up. Formatting output at the same time.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from 2f846a3315)
(cherry picked from commit 561d534adb)
Like other Ethernet drivers, print link speed and duplex mode
when the interface is up. Formatting output at the same time.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from fe0240f27e)
(cherry picked from commit fe8c1fdd24)
This log is noisy and useless, just ignore it.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from 8d9893ff34)
(cherry picked from commit 403af43fd4)
This log is noisy and useless, just ignore it.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from 2fd0102cc3)
(cherry picked from commit 6a877053dd)
Instead of enabling RSS support, let's introduce a variant and let users
choose between both variants since it can cause network issues.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from bfeef9b3d7)
(cherry picked from commit c615bcf438)
r8126 is an out of tree driver provided by Realtek for RTL8126 devices.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from 54623c6a1d)
(cherry picked from commit a79157f257)
Instead of enabling RSS support, let's introduce a variant and let users
choose between both variants since it can cause network issues.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from f063f4620c)
(cherry picked from commit 4d0dc5e15e)
r8125 is an out of tree driver provided by Realtek for RTL8125 devices.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from ddb4070c96)
(cherry picked from commit 68d5ed7526)
r8168 is an out of tree driver provided by Realtek for RTL8168 devices.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 1565eeda4e)
(cherry picked from commit 7d6366dcd7)
r8101 is an out of tree driver provided by Realtek for RTL8101 devices.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit b72c4b5386)
(cherry picked from commit d1de7d3c92)
The vendor U-Boot implementation on Telenor branded ZyXEL EX5700
devices does not store its environment on flash. It is instead
kept in a memory region. This is persistent over reboots, but
not over power cycling.
The dual partition failsafe system used by the vendor U-Boot
requires the OS to modify a variable in this memory environment.
This driver allows the ordinary uboot-envtools to access a
memory region like it was a partition on NOR flash.
The specific vendor U-Boot adds a "no-map" /reserved-memory
section and a top level /ubootenv node pointing to the memory
environment. The driver uses this device specific fact to
locate the region. The matching and probing code will likely
have to be adjusted for any other devices to be supported.
Example partial device tree:
    / {
        ..
        ubootenv {
            memory-region = <&uenv>;
            compatible = "ubootenv";
        };
        ..
        reserved-memory {
            ..
            uenv: ubootenv@7ffe8000 {
                no-map;
                reg = <0 0x7ffe8000 0 0x4000>;
            };
        };
    };
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit b2e810f495)
(cherry picked from commit c241885687)
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db7f70fe61)
(cherry picked from commit e4625c37c4)
This fixes multiple security problems:
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.
* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.
Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.
Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3a0232ffd3)
(cherry picked from commit 84b000e5d0)