Hauke Mehrtens [Mon, 15 Jun 2026 23:39:41 +0000 (01:39 +0200)]
uhttpd: update to Git HEAD (2026-06-16)
ae015e099986 client: reject unhandled Transfer-Encoding values b78f51847879 client: close connection on invalid chunk length 7b1bec45826b ubus: close connection on POST body parse error
Hauke Mehrtens [Fri, 12 Jun 2026 22:34:46 +0000 (00:34 +0200)]
ead: fix integer underflow in handle_send_a()
handle_send_a() computed the SRP "A" parameter length as
len = ntohl(msg->len) - sizeof(struct ead_msg_number);
sizeof(struct ead_msg_number) is 1, and the subtraction is evaluated in
unsigned arithmetic. A packet with msg->len == 0 therefore wraps the
result to a huge value which, assigned to the signed int len, becomes -1.
The following bounds check is signed:
if (len > MAXPARAMLEN + 1)
return false;
so -1 passes, and memcpy(A.data, number->data, len) runs with len cast to
size_t (~SIZE_MAX) against the 257-byte abuf, crashing the daemon.
Neither parse_message() nor handle_packet() validate msg->len (only the
captured packet length), so an unauthenticated attacker on the local
segment can reach this path and crash ead with a single crafted packet.
Validate the claimed length in unsigned arithmetic before the subtraction
and bound it on both sides. Doing the upper-bound check unsigned as well
also closes a 32-bit-only variant where sizeof(ead_packet) + msg->len
overflows in handle_packet(), letting a large msg->len reach the same
negative-len path.
Hauke Mehrtens [Fri, 12 Jun 2026 23:17:23 +0000 (01:17 +0200)]
fritz-tools: fix out-of-bounds memset in TFFS segment expansion
When growing the segment array in find_entry(), the memset() that zeroes
the newly allocated slots computed the destination with redundant sizeof
scaling:
segments is a typed pointer, so pointer arithmetic already scales by the
element size. Multiplying the offset by sizeof again advances the
destination by num_segments * sizeof^2 bytes, landing far outside the
realloc()'d buffer and zeroing unrelated heap memory whenever a TFFS
entry spans multiple segments that require array expansion.
Drop the redundant multiplication so the memset targets segments[num_segments].
This is a robustness fix for malformed/corrupt TFFS content; the parser
only reads the on-device nand-tffs MTD partition as root, so it is not
considered security relevant.
Rosen Penev [Sat, 13 Jun 2026 18:30:18 +0000 (11:30 -0700)]
mac80211: backport ath9k memset fixes from upstream
Backport two upstream commits that replace memset() on coherent DMA
descriptor rings with explicit WRITE_ONCE() status word stores.
On 32-bit PowerPC platforms like apm821xx, coherent DMA memory may be
mapped uncached. The optimized memset() path can use dcbz there, which
triggers alignment warnings and spams the kernel log.
Carlo Szelinsky [Tue, 9 Jun 2026 20:58:59 +0000 (22:58 +0200)]
realtek: add hasivo-mcu sensor driver
Add a temperature/fan sensor (hwmon) driver for the Hasivo / Horaco
management MCU as a second child of the hasivo MCU MFD (alongside the
watchdog). It exposes the CPU and system temperatures and a 3-state fan
control (auto / force-on / force-off), read/written through the parent's
shared syscon regmap.
The register protocol was reverse-engineered from the stock 'imi' firmware
and verified on hardware. The fan-status register (0xFB) reflects the MCU's
effective drive state, not actual rotation (a blocked fan still reads
force-on), so no fanN_alarm is exposed. pwm1 echoes the commanded state so
a write reads back consistently, and falls back to the live drive state in
automatic mode. The register map is shared across boards.
Carlo Szelinsky [Sun, 7 Jun 2026 17:56:51 +0000 (19:56 +0200)]
realtek: convert hasivo-mcu-wdt to a hasivo-mcu-mfd child
The watchdog and the temperature/fan hwmon are the same management MCU at
a single I2C address (0x6f). Linux binds one driver per I2C client, so the
watchdog cannot keep owning the address directly if the hwmon is to live
on the same chip. Convert it from a standalone i2c_driver into a
platform_driver child of the hasivo MCU MFD that reaches the chip through
the parent's shared regmap (syscon), and depend on kmod-mfd-hasivo-stc8.
Add the mandatory activate/deactivate bring-up hooks to rtpcs_sds_ops
and let rtpcs_pcs_config() drive the full sequence around the variant
configuration:
The per-variant calls that were open-coded at the start and end of the
setup_serdes() functions are removed in favour of these indirections.
RTL839X never powered the SerDes down/up, so it gets no-op stubs to
satisfy the contract for now. Execution order is preserved for all
variants.
Jonas Jelonek [Sat, 6 Jun 2026 21:51:47 +0000 (21:51 +0000)]
realtek: pcs: add post_config sds_ops hook
Some variants need finalization that must run only after the SerDes is
powered up: RTL838X performs a one-shot switch queue reset on first
start, RTL930X runs RX calibration and the TX config. So far this lived
at the tail of the variant setup_serdes() functions.
Add an optional post_config hook to rtpcs_sds_ops and call it from
rtpcs_pcs_config() right after setup_serdes(), then relocate the
RTL838X and RTL930X tail work into it. As activate() still runs at the
end of setup_serdes() here, the execution order is unchanged.
Jonas Jelonek [Thu, 11 Jun 2026 20:05:28 +0000 (20:05 +0000)]
realtek: pcs: rtl930x: apply tx config before activation
In RTL930x setup, tx config was called at then end of the procedure
after configuration and calibration ran. This is still a leftover from
the old code located in DSA/PHY. However, applying TX configuration like
amplification factors, etc. doesn't make sense after calibration, it
should run before. Moreover the call was commented with "leave loopback
mode" which is just wrong and doesn't describe what the function does.
Fix this misery.
Testing on device with different interface modes shows no difference so
far, especially no negative effects.
Ryan Leung [Sat, 6 Jun 2026 11:19:46 +0000 (19:19 +0800)]
mediatek: wavlink wl-wn536ax6 rev a: add "network" LED trigger
Currently the "WiFi" LED indicator light is triggered only by activity on the 5 GHz PHY.
Change it to be triggered by WLAN activity on either Wi-Fi PHY, matching stock behaviour, by using
`kmod-ledtrig-network` added in 2aa1185fb05e ('leds: add "network" LED trigger (lan/wan/wlan)').
Ryan Leung [Sat, 6 Jun 2026 11:19:24 +0000 (19:19 +0800)]
mediatek: wavlink wl-wn536ax6 rev a: fix WLAN 5GHz MAC address
The second WLAN MAC address in the "Factory" partition at 0x0a is not the same as the
WLAN 5GHz BSSID observed when using the manufacturer's stock firmware, which is derived from
the 2.4GHz/label MAC address by setting bits 26 and 7 (Locally Administered).
While at it, also fix alphabetical ordering of some other device names.
Fixes: 1748ce829537 ("mediatek: add support for WAVLINK WL-WN536AX6 Rev a") Signed-off-by: Ryan Leung <untilscour@protonmail.com> Link: https://github.com/openwrt/openwrt/pull/23682 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Ryan Leung [Sat, 6 Jun 2026 11:19:12 +0000 (19:19 +0800)]
mediatek: wavlink wl-wn536ax6 rev a: change nvmem layout for MAC addresses
Currently the WAN MAC address is read from the first (LAN) MAC address in the "HW" partition and
then incremented by 1 instead of being read directly from the second MAC address.
Change to reading the two MAC addresses (LAN/WAN) directly from "Factory" partition.
Fixes: 1748ce829537 ("mediatek: add support for WAVLINK WL-WN536AX6 Rev a") Signed-off-by: Ryan Leung <untilscour@protonmail.com> Link: https://github.com/openwrt/openwrt/pull/23682 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Ryan Leung [Sat, 6 Jun 2026 11:18:45 +0000 (19:18 +0800)]
mediatek: wavlink wl-wn536ax6 rev a: enable nmbm bad block management
Enable nmbm bad block management with up to 8 MiB reserved. The manufacturer's stock device tree
contains the property `compatible = "generic,nmbm";` in node `nmbm_spim_nand` and
manufacturer's stock bootlog contains "nmbm nmbm_spim_nand: NMBM has been successfully attached"
Fixes: 1748ce829537 ("mediatek: add support for WAVLINK WL-WN536AX6 Rev a") Signed-off-by: Ryan Leung <untilscour@protonmail.com> Link: https://github.com/openwrt/openwrt/pull/23682 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Qingfang Deng [Thu, 21 May 2026 01:53:46 +0000 (09:53 +0800)]
kernel: modules: mppe: clean up
Remove kmod-crypto-arc4 and kmod-crypto-ecb from depends, as it no
longer uses skcipher API for encryption.
Remove the non-existent CONFIG_PPP_MPPE_MPPC symbol.
In previous versions of OpenWrt, ethernet was partially working,
sometimes depending on initialization state left by bootloader.
Since the switch to NSS drivers, it is completely broken.
- swap GMAC to PHY address mapping
- use rgmii internal delay
- drop `fixed-link` rates
- add pinctrl settings for rgmii0
- declare reset GPIO 51 (used for both PHYs)
- disable hibernation
Paul Spooren [Fri, 12 Jun 2026 14:49:44 +0000 (16:49 +0200)]
build: fixup version.date creation for source archives
Published sources archives may contain a mixture of MTIMEs, so taking the time
of the first file found varies based on filesystem order. To fix this, sort all
MTIMEs and take the latest.
Since piping into a file directly creates that file, we also need to
specifically tell `find` to ignore `version.date`.
Furthermore, move this prior to the ./src copy step, since for some packages,
the OpenWrt build system ships extra ./src files, which would introduce the
wrong timestamps again.
generic: mxl862xx: allow CPU/SerDes ports to probe on firmware < 1.0.84
The firmware-version gate in mxl862xx_phylink_get_caps() leaves
config->supported_interfaces empty for the CPU/SerDes ports (9, 13) when
the switch runs firmware older than 1.0.84. phylink rejects an empty
supported_interfaces bitmap, so the switch fails to probe at all:
mxl862xx mdio-bus:10: switch ready after 2480ms, firmware 1.0.70 (build 70)
mxl862xx mdio-bus:10: phylink: error: empty supported_interfaces
error creating PHYLINK: -22
mxl862xx mdio-bus:10: probe with driver mxl862xx failed with error -22
This regresses boards still shipping the older vendor firmware (e.g. the
BananaPi BPi-R4 Pro 8X, which ships 1.0.70) where all LAN ports disappear.
Ungate only the CPU/SerDes ports (9, 13) so the switch probes and the user
can update the firmware; ports 10..12 and 14..16 stay gated as they are
genuinely unsupported by the old firmware.
Tested on a BPi-R4 Pro 8X with switch firmware 1.0.70 (kernel 6.18); the
6.12 patch receives the identical change for parity.
Michał Kępień [Fri, 12 Jun 2026 07:28:03 +0000 (09:28 +0200)]
ath79: mikrotik: also compile AG71XX_LEGACY as a module
Commit 9091c9f8cbd9 ("ath79: mikrotik: compile SWCONFIG and AR8216_PHY
as modules") caused the hybrid PHY/MDIO ar8xxx driver to be built as a
module instead of built-in. On at least MikroTik RouterBOARD 951G-2HnD,
this prevents the kernel from binding the correct PHY driver at boot
because the ar8xxx driver is not yet available when the MDIO bus is
probed:
- before:
ag71xx-legacy 19000000.eth: invalid MAC address, using random address
switch0: Atheros AR8327 rev. 4 switch registered on mdio.0
ag71xx-legacy 19000000.eth: connected to PHY at mdio.0:00 [uid=004dd034, driver=Atheros AR8216/AR8236/AR8316]
eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: rgmii
- after:
ag71xx-legacy 19000000.eth: invalid MAC address, using random address
ag71xx-legacy 19000000.eth: connected to PHY at mdio.0:00 [uid=004dd034, driver=Generic PHY]
eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: rgmii
As the PHY is already bound to the fallback "Generic PHY" driver when
the ar8xxx module is loaded, the switch remains non-functional and the
router has no network connectivity.
Fix by also compiling the MAC driver (ag71xx-legacy) as a module,
deferring switch initialization until control is transferred to
userspace during boot. The configured module autoload priorities
(ar8xxx: 43, ag71xx-legacy: 50) ensure that the ar8xxx driver is loaded
before ag71xx-legacy.
Fixes: https://github.com/openwrt/openwrt/issues/23739 Fixes: 9091c9f8cbd9 ("ath79: mikrotik: compile SWCONFIG and AR8216_PHY as modules") Suggested-by: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Michał Kępień <openwrt@kempniu.pl> Link: https://github.com/openwrt/openwrt/pull/23748 Signed-off-by: Robert Marko <robimarko@gmail.com>
Jonas Jelonek [Thu, 11 Jun 2026 22:05:16 +0000 (22:05 +0000)]
realtek: pcs: rtl838x: drop redundant reset writes
Sometimes redundancy is so obvious that one likely misses it. Trying to
bring all SerDes setup into a unified shape, one thinks twice if
something is really needed or not.
For the RTL838x case, the single writes for take/release reset were still
an outlier. Looking closer at them one can see that the same bits are all
covered already in deactivate/activate. So before, they have been put
into the desired state but those outlier writes mess with them again.
[0, 3, 0x7146/0x7106] just deals with the SOFT_RST bit that is already
covered by rtpcs_838x_sds_reset.
[0, 0, 0xc00] touches multiple bits, amongst the EN_RX/EN_TX bits
already covered in deactivate/active. Moreover, it potentially forces
other bits into a state causing broken functionality, e.g.
INV_HSI/INV_HSO which deal with the polarity. This has no effect right
no right now but might be a latent issue in the future.
Also move the reset call down to the end of the function, doing a
soft/RX reset after every configuration is done. This is likely what the
SDK also intended, and mirrors the 839x behavior.
Jonas Jelonek [Thu, 11 Jun 2026 18:40:32 +0000 (18:40 +0000)]
realtek: pcs: rtl838x: replace literal with macro
Replace 0 with MII_BMCR because in this context, it maps cleanly to
normal PHY register structure. BMCR_PDOWN is already used there to show
which bits are set.
Jonas Jelonek [Sat, 6 Jun 2026 21:03:07 +0000 (21:03 +0000)]
realtek: pcs: rtl838x: merge and simplify patching
Reduce the per-SerDes patching to a per-mode patching since they share a
lot of similarities, especially for QSGMII.
For fiber patching, the differences are bigger. This takes an approach
to merge the sequences completely despite applying some settings which
weren't applied before on one of the SerDes. Testing and SerDes dumps
showed no or minimal differences, and no practical effect on
functionality. A look at the SerDes register documentation we have shows
reordering the writes isn't problematic because most of the bits aren't
any trigger bits.
With all its users gone, we can now drop also the workaround SDS macro.
Jonas Jelonek [Thu, 11 Jun 2026 08:28:27 +0000 (08:28 +0000)]
realtek: pcs: rtl838x: carve out writes for SerDes 0/1
For an attempt to simplify and reduce patching, carve out two special
writes for SerDes 0/1. While their exact purpose isn't fully known, they
need to match to make QSGMII on those two SerDes work. In order to be
able to merge the per-SerDes QSGMII patching sequences, carve them out
to the patching function one level above.
Jonas Jelonek [Sat, 6 Jun 2026 19:17:32 +0000 (19:17 +0000)]
realtek: pcs: rtl838x: set mode after patching
In order to have a unified SerDes setup sequence, align RTL838x to all
other variants. Set the mode after patching has been applied. Testing on
devices showed the order is rather irrelevant.
Jonas Jelonek [Wed, 22 Apr 2026 13:54:15 +0000 (13:54 +0000)]
realtek: pcs: rtl838x: fold lane enables and fiber path into {de,}activate
Expand the 838x deactivate/activate helpers to also cover the analog lane
enables (REG0 EN_RX/EN_TX) and the fiber path power-down (FIB_REG0
CFG_FIB_PDOWN), which are operational-state concerns rather than reset
concerns:
- _deactivate: clear EN_RX/EN_TX and set CFG_FIB_PDOWN in addition to
block-level power off.
- _activate: clear CFG_FIB_PDOWN and set EN_RX/EN_TX before block-level
power on. The pulse-start EN=0 is omitted since _deactivate already
established EN=0 and nothing in between touches REG0[1:0].
Shrink rtpcs_838x_sds_reset() accordingly: it now owns only the SOFT_RST
toggle, making it a pure digital reset primitive. The stale "SerDes %d
reset" dev_info was dropped along with the analog/fiber writes.
Behavioural note: the EN and FIB_PDOWN writes now happen *after* the
SOFT_RST release inside rtpcs_838x_sds_reset(), rather than before it as
in the old combined sds_reset. This creates a brief window where the
SerDes is out of digital reset with lanes still disabled, before
activate re-enables them. Consistent with the new
power_off/deactivate -> configure -> reset -> activate/power_on phase
structure, but diverges from the SDK ordering (EN pulse before SOFT_RST
release). Testing on real hardware shows no difference.
Backport several fixes and enhancements for the rtl8365mb DSA driver
from upstream.
The backport includes the following changes:
- Fix for rtl8_4 tag (from v7.1)
- VLAN and Forwarding offload (from v7.2)
Before this backport, all bridge forwarding was handled by the CPU,
causing a significant performance drop between LAN ports, similar
to standard WAN/LAN routing. Enabling hardware forwarding offload
alleviates CPU overhead and restores line-rate switching performance.
Shine [Sun, 31 May 2026 13:16:09 +0000 (15:16 +0200)]
scripts: dhcp/dhcpv6: handling of invalid client ID values
Verify and clean up client ID and global DUID config values before use, in
order to prevent DHCP client malfunction and loss of IPv4 and/or IPv6
connectivity.
- Accept common separators in the string (colon, dash, spaces/tabs, lf)
- Ignore invalid values (non-hex or odd-numbered length)
- Log a warning for invalid settings
The fall back mechanism is as follows:
If a (user-configured) network.<ifname>.clientid setting is found invalid,
ignore and fall back to using network.globals.dhcp_default_duid. In case
that's also invalid (e.g. has been tampered with), don't pass a client
ID to updhc/odhcpc. In that case, udhcpc/odhcpc will use their defaults,
which currently is the i/f MAC address resp. the i/f DUID-LL.
Only error handling is introduced, no behavior change for valid settings.
Paul Spooren [Wed, 10 Jun 2026 14:21:40 +0000 (16:21 +0200)]
package: nftables backport of reproducible builds patches
Building `nftables` twice results in slightly different binaries and since
it's including in the OpenWrt default firmware, breaks reproducibility of
shipped artifacts.
Enabling autoreconf, since the patches introduce a `nftvbersion.h.in` file.
This commit backports patches netfilter to fix this:
Paul Spooren [Wed, 10 Jun 2026 15:18:37 +0000 (17:18 +0200)]
package: make APK embedded help gzip reproducible
APK compresses it's helptext using LUA and require `zlib`, which isn't
available on the Buildbots. It thens falls back to `gzip`, which embeds the
MTIME, making the binary itself unreproducible.
This commits adds a downstream patch to run `gzip` with `-n`, setting the time
to 0.
Rosen Penev [Thu, 4 Dec 2025 03:15:05 +0000 (19:15 -0800)]
ath79: fix label-mac-device
It appears 683-of_net-add-mac-address-to-of-tree.patch relies on the
mac-address nvmem property being present. These nodes don't need it as
they take it from the eeprom but label-mac-device needs it.
1. Attach to serial console using a Cisco cable, 115200 8n1
2. Power on the switch and rapidly press Esc to interrupt U-Boot
3. Initialize the RJ45 ports by running `rtk network on`
4. Serve the initramfs-kernel.bin image on TFTP, IP 192.168.1.111
5. Use any RJ45 port to connect to your TFTP server
6. Run `tftpboot 0x81000000 initramfs-kernel.bin; bootm`
7. Use `mtd dump` or `dd` to backup the original firmware at `mtd5` first
8. Run sysupgrade to flash sysupgrade.bin into the switch and reboot
Restoring original firmware
-----------------------------
Vendor does not provide firmware images, so you should have made a backup.
Use `mtd write` to restore your backed up copy into the `mtd5` partition.
MAC Address
------------
All interfaces are assigned the same MAC address, from the U-Boot env
`ethaddr`. This MAC address is also printed on the device label.
Thomas Richard [Sat, 18 Apr 2026 12:37:33 +0000 (14:37 +0200)]
stm32: 6.18: disable some unnecessary options
The COMMON_CLK_STM32MP215 option is for clock support on MP215 platforms,
and PINCTRL_STM32_HDP is for Hardware Debug Port pin control. They can be
safely removed.
Thomas Richard [Mon, 18 May 2026 08:36:04 +0000 (10:36 +0200)]
stm32: fix return value of phy_power_on() in dwmac-stm32 driver
Patch 700-net-stmmac-dwmac-stm32-add-support-of-phy-supply-pro.patch
introduces phy-supply support in dwmac-stm32 driver. But the phy_power_on()
function always returns 0 even if it failed to drive the regulator. So fix
phy_power_on() to return an error if something wrong happened.
projects / thirdparty / openwrt.git / log
