This contains a fix for:
CVE-2024-45157:
Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Removed because they are upstream:
generic/pending-5.15/110-v6.3-0001-spidev-Add-Silicon-Labs-EM3581-device-compatible.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=bff165a3993683daddf3f00563960e7675966f91
Adapt kernel configuration for newly added option
CONFIG_ARM64_ERRATUM_3194386.
The leddev_list_lock attribute changed from rwlock_t to spinlock_t in:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=590304b798a3b89e716b6b564f8ad14bc9373d93
Ubiquiti has a set of UniFi 802.11ax (Wi-Fi 6) AP devices. All models
include "U6" in their names and also have code names with no special
characters (including spaces).
Use proper full names for those devices. Names in OpenWrt/DTS code may
need updating too but it can be handled later.
Cc: Elbert Mai <code@elbertmai.com> Cc: Daniel Golle <daniel@makrotopia.org> Cc: Henrik Riomar <henrik.riomar@gmail.com> Cc: David Bauer <mail@david-bauer.net> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 74879140a1aa0b8a8c237e0b67e94c3508e2e249)
base-files: fix merge of passwd/shadow/group lines with trailing colons
Empty trailing fields get lost when the lines are split and merged again
at colons, resulting in unparsable entries. Only use the split fields for
matching against the other file, but emit the original line unchanged
to fix the issue.
Fixes: de7ca7dafadf ("base-files: merge /etc/passwd et al at sysupgrade config restore") Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 9bbaa6f2c0419739fb85d48d0f527cb1622946ee)
Another instance of files in build_dir symlinking to staging_dir. While
the symlinks do not currently cause any bugs in the libtool package,
such symlinks were found to make the build more fragile, as writing to
the symlink may accidentally modify the shared file in staging_dir. Pass
--copy to bootstrap to disable the symlinking.
include: autotools: do not symlink files in autoreconf
In Gluon's Github Actions CI, we were occasionally seeing bizarre build
errors that looked like a config.sub file had been corrupted, or changed
while it was being executed.
The cause turned out to be an interaction of the symlinks created by
autoreconf (pointing from individual tools' build dirs into
`staging_dir/host/share/automake-1.16`) and OpenWrt's host-build.mk,
which replaced config.guess and config.sub *after* autoreconf. The
result was that the replacement of these files ended up following the
symlinks and writing the files in `staging_dir/host/share/automake-1.16`
instead of a package's build dir. This could cause other packages' builds
to fail if they were currently executing the scripts while they were
being written.
To fix this, disable autoreconf's symlinking feature, so that modifying
these files in a package's build directory can't accidentally affect the
staged versions.
Sarah Maedel [Wed, 28 Aug 2024 09:27:05 +0000 (11:27 +0200)]
hostapd: fix anqp_3gpp_cell_net list delimiter
This patch fixes the list delimiter between 3GPP networks
passed to hostapd.
> list iw_anqp_3gpp_cell_net '262,001'
> list iw_anqp_3gpp_cell_net '262,002'
When passing a list of "iw_anqp_3gpp_cell_net" parameters via UCI,
hostapd would crash at startup:
> daemon.err hostapd: Line 73: Invalid anqp_3gpp_cell_net: 262,001:262,002
Using a semicolon as a delimiter, hostapd will start as expected.
Tianling Shen [Wed, 7 Aug 2024 18:53:51 +0000 (02:53 +0800)]
mediatek: increase phy assert time for jdcloud re-cp-03
According to RTL8221B's datasheet, the PHY requires at least 10ms
for assert and 68ms (recommended) for de-assert. So increase the
assert/de-assert time to 15ms and 68ms respectively.
Bjørn Mork [Tue, 28 Mar 2023 11:32:29 +0000 (13:32 +0200)]
kernel: ubootenv-nvram: driver for RAM backed environments
The vendor U-Boot implementaion on Telenor branded ZyXEL EX5700
devices does not store its environment on flash. It is instead
kept in a memory region. This is persistent over reboots, but
not over power cycling.
The dual partition failsafe system used by the vendor U-Boot
requires the OS to modify a variable in this memory environment.
This driver allows the ordinary uboot-envtools to access a
memory region like it was a partition on NOR flash.
The specific vendor U-Boot adds a "no-map" /reserved-memory
section and a top level /ubootenv node pointing to the memory
environment. The driver uses this device specific fact to
locate the region. The matching and probing code will likely
have to be adjusted for any other devices to be supported.
Rany Hany [Wed, 31 Jul 2024 17:16:55 +0000 (17:16 +0000)]
hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
Paul Spooren [Thu, 6 Jun 2024 17:28:52 +0000 (19:28 +0200)]
build: include tests/Makefile if available
Testing OpenWrt is important, and there is a test suite in the making.
For maximum convenience and minimal CI over-usage, make it simple to run
tests locally. The main Makefile now attempts to include
`tests/Makefile` and silently fails if it doesn't.
While the test suite[1] is still young, it provides good examples of how
to test things around OpenWrt: starting with shell scripts using
`bats`[2], followed by QEMU tests, and finally real device tests using
LabGrid[3]. This could lead to the creation of the best OpenWrt version
yet.
Please consult the `openwrt-tests.git` README.md for details on the
setup. Once installed you may run commands like the following:
* make tests/shell # run shell tests
* make tests/x86-64 # run and test x86/64 in QEMU
This fixes multiple security problems:
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.
* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.
Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.
mediatek: filogic: prevent faulty mac address assignment
The vendor U-Boot on the Cudy M3000 and the Yuncore AX835 assign random
mac addresses on boot and set the 'local-mac-address' property which
prevents Openwrt from assigning the correct address from evmem.
This patch removes the alias for ethernet0 so that U-Boot doesn't add the
property, removes the workaround from 02_network, and adds back the nvmem
definition for the M3000.
Solder on UART:
- remove rubber ring on the bottom
- remove screws
- pull up the cylinder, maybe help by push on an ethernet socket with a screwdriver
- remove the (3) screws holding the board in the frame
- remove the board from the frame to get to the screws for the silver, flat heat shield
- remove the (3) screws holding the heat shield
- solder UART pins to the back of the board
- make sure to have the pins point out on side with the black, finned heat spread
- the markings for the pins are going to be below the silver heat shield
- Vcc is not needed
If you don't intend on using the UART outside of the installation process, you might not
want to solder:
- carefully scrape off the thin layer of epoxy on the holes (not the copper)
- place your pin header with the UART attached in the holes
- the pins, starting with the one closest to the socket:
- Vcc (not required)
- GND
- RX
- TX
- either wedge the header or hold it with your fingers so that the pins stay in contact with the board
Installation (UART):
- attach an Ethernet cable to the 1Gbps port (black) on the router
- hold the reset button while powering the router
- press CTRL-C or wait for the timeout to get to the U-Boot prompt
- prepare a TFTP server on the network to supply ..-initramfs-kernel.bin
- use 'tftpboot' in the U-Boot shell to pull the image
- boot the image using 'bootm'
- push the ..-sysupgrade to the router using your preferred method
- perform the upgrade with 'sysupgrade -n'
There is a recovery mechanism that involves fetching a file called 'recovery.bin' but that is not understood yet.
Changes: 2a768c4 wireless-regdb: Update regulatory rules for Mongolia (MN) on 6GHz 04875d9 wireless-regdb: Update regulatory rules for Saudi Arabia (SA) on 6GHz b7bced8 wireless-regdb: Update regulatory rules for South Africa (ZA) on 6GHz 7bc8615 wireless-regdb: Update regulatory info for Thailand (TH) on 6GHz f901fa9 wireless-regdb: Update regulatory info for Malaysia (MY) for 2022 d72d288 wireless-regdb: Update regulatory info for Morocco (MA) on 6GHz 414face wireless-regdb: Update regulatory info for Chile (CL) on 6GHz 1156a08 wireless-regdb: Update regulatory info for Mexico (MX) on 6GHz cc6cf7c wireless-regdb: Update regulatory info for Iceland (IS) on 6GHz ce03cc0 wireless-regdb: Update regulatory info for Mauritius(MU) on 6GHz 7e37778 wireless-regdb: Update regulatory info for Argentina (AR) on 6GHz 56f3a43 wireless-regdb: Update regulatory info for United Arab Emirates (AE) on 6GHz 3cb8b91 wireless-regdb: Update regulatory info for Colombia (CO) on 6GHz 3682ce5 wireless-regdb: Update regulatory info for Costa Rica (CR) for 2021 dd4ffe7 wireless-regdb: Update regulatory info for Dominican Republic (DO) on 6GHz f8ef7da wireless-regdb: Update regulatory info for Liechtenstein (LI) on 6GHz a9ecabe wireless-regdb: Update regulatory info for Jordan (JO) for 2022 5a9fdad wireless-regdb: Update regulatory info for Kenya (KE) for 2022 19326c3 wireless-regdb: Update regulatory info for Macao (MO) for 2024 4838054 wireless-regdb: update regulatory database based on preceding changes
Shiji Yang [Sun, 7 Jul 2024 16:05:14 +0000 (00:05 +0800)]
ramips: limit max spi clock frequency to 50 MHz
In the past few years, we have received several reports about SPI
Flash not working properly. This is caused by excessively fast
clock frequency. It's really annoying to fix them one by one. Let's
reduce these aggressive frequencies to 50 MHz. This is a safe and
suggested value in the vendor SDK.
Florian Eckert [Wed, 13 Mar 2024 12:21:34 +0000 (13:21 +0100)]
linux-firmware: add LICENSE_FILES and LICENSE file handling
The firmware blobs have all different licenses from the different
manufacturers of the binary blobs. This information is contained in the
upstream 'linux-firmware' repositroy.
This commit extends the package handling so that this information can be
added as an additional argument during packages generation.
Felix Fietkau [Fri, 19 Jan 2024 13:48:05 +0000 (14:48 +0100)]
mediatek: fix WED + wifi reset
The WLAN + WED reset sequence relies on being able to receive interrupts from
the card, in order to synchronize individual steps with the firmware.
When WED is stopped, leave interrupts running and rely on the driver turning
off unwanted ones.
WED DMA also needs to be disabled before resetting.
Daniel Golle [Tue, 28 May 2024 22:48:16 +0000 (23:48 +0100)]
generic: move accepted patches for mtk_eth_soc to backport-5.15
In preparation to update mtk_eth_soc move accepted patches from mediatek
target to backport folder, so other patches on top can be applied more
easily.
image: exclude initramfs-images dependency with IB
Exclude initramfs-images dependency with IB as the target is not defined
in such context.
Fixes: cc6a0abcabf7 ("image: make images and artifacts dependent of initramfs") Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit e5d23b5aa5346de30befc2b05000a3967ca5b460)
image: make images and artifacts dependent of initramfs
There is currently a BIG bug in how the images dependency is handled and
recent Per Device Rootfs made this more clear and less statistical.
There is currently no dependency between images/artifacts build with
initramfs build. This cause whatever additional image that depends on an
initramfs image to fail as it might happen that image and initramfs
build are called at the same time and the additional image is called
before initramfs build has finished.
Each image-command assume the source image to be taken from the /bin
directory but that is only copied from the /tmp directory only at the
end of the process.
Artifacts currently depends on image with the use of the
BOARD-NAME-images Makefile target, but this is not the case for
initramfs that also define a -images Makefile target but that is not
accounted in images (that might depend on some initramfs images)
To actually fix this, introduce a new Makefile target, -initramfs-images
and make image and artifacts build to depend on this. Since initramfs
images are optional, this dependency is actived only when initramfs
image are built.
With this change we correctly enforce the build order:
- Initramfs Images (optional)
- Images
- Artifacts
Normal installation:
- Upload the sysupgrade image via the default web interface
Installation with U-Boot and TFTP:
- Requires a TFTP server which provides the sysupgrade image
- Requires a connection to the serial port of the device, rate 57600
Arınç ÜNAL [Sat, 17 Jun 2023 18:59:26 +0000 (21:59 +0300)]
ramips: add wan2 support for MQmaker WiTi
The PHY of the wan2 port on MQmaker WiTi is wired to the second MAC of the
SoC. Rename the wan interface to wan1 and define it under the switch node,
effectively disabling the PHY muxing of the MT7530 switch's phy4.
Define the PHY of the wan2 port and adjust the gmac1 node accordingly. Now
that the PHY muxing feature is not being used anymore, the wan2 port can be
used to achieve 2 Gbps total bandwidth to the CPU.
1. Use a PC to browse to http://192.168.0.1.
2. Go to the System section and open the Firmware Update section.
3. Under the Local Update at the right, click on the CHOOSE FILE...
4. When a modal window appears, choose the firmware file and click on
the Open.
5. Next click on the UPDATE FIRMWARE button and upload the firmware image.
Wait for the router to flash and reboot.
OEM installation using the TFTP method (need level converter):
1. Download the latest firmware image.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the firmware
image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect the PC
to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address 192.168.0.180
and subnet mask 255.255.255.0.
5. Connect serial port (57600 8N1) and turn on the router.
6. Then interrupt "U-Boot Boot Menu" by hitting 2 key (select "2: Load
system code then write to Flash via TFTP.").
7. Press Y key when show "Warning!! Erase Linux in Flash then burn new
one. Are you sure? (Y/N)"
Input device IP (192.168.0.1) ==:192.168.0.1
Input server IP (192.168.0.180) ==:192.168.0.180
Input Linux Kernel filename () ==:firmware_name
The router should download the firmware via TFTP and complete flashing in
a few minutes.
After flashing is complete, use the PC to browse to http://192.168.1.1 or
ssh to proceed with the configuration.
Roland Reinl [Sun, 24 Dec 2023 13:42:23 +0000 (14:42 +0100)]
filogic: Add support for D-Link AQUILA PRO AI M30
Specification:
- MT7981 CPU using 2.4GHz and 5GHz WiFi (both AX)
- MT7531 switch
- 512MB RAM
- 128MB NAND flash with two UBI partitions with identical size
- 1 multi color LED (red, green, blue, white) connected via GCA230718
- 3 buttons (WPS, reset, LED on/off)
- 1 1Gbit WAN port
- 4 1Gbit LAN ports
Disassembly:
- There are four screws at the bottom: 2 under the rubber feets, 2 under the label.
- After removing the screws, the white plastic part can be shifted out of the blue part.
- Be careful because the antennas are mounted on the side and the top of the white part.
Serial Interface
- The serial interface can be connected to the 4 pin holes on the side of the board.
- Pins (from front to rear):
- 3.3V
- RX
- TX
- GND
- Settings: 115200, 8N1
MAC addresses:
- WAN MAC is stored in partition "Odm" at offset 0x81
- LAN (as printed on the device) is WAN MAC + 1
- WLAN MAC (2.4 GHz) is WAN MAC + 2
- WLAN MAC (5GHz) is WAN MAC + 3
Flashing via Recovery Web Interface:
- The recovery web interface always flashes to the currently active partition.
- If OpenWrt is flahsed to the second partition, it will not boot.
- Ensure that you have an OEM image available (encrypted and decrypted version). Decryption is described in the end.
- Set your IP address to 192.168.200.10, subnetmask 255.255.255.0
- Press the reset button while powering on the device
- Keep the reset button pressed until the LED blinks red
- Open a Chromium based and goto http://192.168.200.1 (recovery web interface)
- Download openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-squashfs-recovery.bin
- The recovery web interface always reports successful flashing, even if it fails
- After flashing, the recovery web interface will try to forward the browser to 192.168.0.1 (can be ignored)
- If OpenWrt was flashed to the first partition, OpenWrt will boot (The status LED will start blinking white and stay white in the end). In this case you're done and can use OpenWrt.
- If OpenWrt was flashed to the second partition, OpenWrt won't boot (The status LED will stay red forever). In this case, the following steps are reuqired:
- Start the web recovery interface again and flash the **decrypted OEM image**. This will be flashed to the second partition as well. The OEM firmware web interface is afterwards accessible via http://192.168.200.1.
- Now flash the **encrypted OEM image** via OEM firmware web interface. In this case, the new firmware is flashed to the first partition. After flashing and the following reboot, the OEM firmware web interface should still be accessible via http://192.168.200.1.
- Start the web recovery interface again and flash the OpenWrt recovery image. Now it will be flashed to the first partition, OpenWrt will boot correctly afterwards and is accessible via 192.168.1.1.
Flashing via U-Boot:
- Open the case, connect to the UART console
- Set your IP address to 192.168.200.2, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-initramfs-kernel.bin.
- Power on the device and select "7. Load image" in the U-Boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to RAM will start. After a few seconds OpenWrt initramfs should start
- The initramfs is accessible via 192.168.1.1, change your IP address accordingly (or use multiple IP addresses on your interface)
- Perform a sysupgrade using openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-squashfs-sysupgrade.bin
- Reboot the device. OpenWrt should start from flash now
Revert back to stock using the Recovery Web Interface:
- Set your IP address to 192.168.200.2, subnetmask 255.255.255.0
- Press the reset button while powering on the device
- Keep the reset button pressed until the LED blinks red
- Open a Chromium based and goto http://192.168.200.1 (recovery web interface)
- Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below.
Decrypting a D-Link firmware image:
- Download https://github.com/RolandoMagico/firmware-utils/blob/M32/src/m32-firmware-util.c
- Compile a binary from the downloaded file, e.g. gcc m32-firmware-util.c -lcrypto -o m32-firmware-util
- Run ./m32-firmware-util M30 --DecryptFactoryImage <OriginalFirmware> <OutputFile>
- Example for firmware M30A1_FW101B05: ./m32-firmware-util M30 --DecryptFactoryImage M30A1_FW101B05\(0725091522\).bin M30A1_FW101B05\(0725091522\)_decrypted.bin
Flashing via OEM web interface is not possible, as it will change the active partition and OpenWrt is only running on the first UBI partition.
Controlling the LEDs:
- The LEDs are controlled by a chip called "GCA230718" which is connected to the main CPU via I2C (address 0x40)
- I didn't find any documentation or driver for it, so the information below is purely based on my investigations
- If there is already I driver for it, please tell me. Maybe I didn't search enough
- I implemented a kernel module (leds-gca230718) to access the LEDs via DTS
- The LED controller supports PWM for brightness control and ramp control for smooth blinking. This is not implemented in the driver
- The LED controller supports toggling (on -> off -> on -> off) where the brightness of the LEDs can be set individually for each on cycle
- Until now, only simple active/inactive control is implemented (like when the LEDs would have been connected via GPIO)
- Controlling the LEDs requires three sequences sent to the chip. Each sequence consists of
- A reset command (0x81 0xE4) written to register 0x00
- A control command (for example 0x0C 0x02 0x01 0x00 0x00 0x00 0xFF 0x01 0x00 0x00 0x00 0xFF 0x87 written to register 0x03)
- The reset command is always the same
- In the control command
- byte 0 is always the same
- byte 1 (0x02 in the example above) must be changed in every sequence: 0x02 -> 0x01 -> 0x03)
- byte 2 is set to 0x01 which disables toggling. 0x02 would be LED toggling without ramp control, 0x03 would be toggling with ramp control
- byte 3 to 6 define the brightness values for the LEDs (R,G,B,W) for the first on cycle when toggling
- byte 7 defines the toggling frequency (if toggling enabled)
- byte 8 to 11 define the brightness values for the LEDs (R,G,B,W) for the second on cycle when toggling
- byte 12 is constant 0x87
Comparison to M32/R32:
- The algorithms for decrypting the OEM firmware are the same for M30/M32/R32, only the keys differ
- The keys are available in the GPL sources for the M32
- The M32/R32 contained raw data in the firmware images (kernel, rootfs), the R30 uses a sysupgrade tar instead
- Creation of the recovery image is quite similar, only the header start string changes. So mostly takeover from M32/R32 for that.
- Turned out that the bytes at offset 0x0E and 0x0F in the recovery image header are the checksum over the data area
- This checksum was not checked in the recovery web interface of M32/R32 devices, but is now active in R30
- I adapted the recovery image creation to also calculate the checksum over the data area
- The recovery image header for M30 contains addresses which don't match the memory layout in the DTS. The same addresses are also present in the OEM images
- The recovery web interface either calculates the correct addresses from it or has it's own logic to determine where which information must be written
Roland Reinl [Tue, 26 Dec 2023 07:31:15 +0000 (08:31 +0100)]
filogic: Add LED driver for GCA230718
Add basic support for the LED driver for GCA230718.
- I didn't find any documentation or driver for it, so the information below is purely based on my investigations
- If there is already I driver for it, please tell me. Maybe I didn't search enough
- I implemented a kernel module (leds-gca230718) to access the LEDs via DTS
- The LED controller supports PWM for brightness control and ramp control for smooth blinking. This is not implemented in the driver
- The LED controller supports toggling (on -> off -> on -> off) where the brightness of the LEDs can be set individually for each on cycle
- Until now, only simple active/inactive control is implemented (like when the LEDs would have been connected via GPIO)
- Controlling the LEDs requires three sequences sent to the chip. Each sequence consists of
- A reset command (0x81 0xE4) written to register 0x00
- A control command (for example 0x0C 0x02 0x01 0x00 0x00 0x00 0xFF 0x01 0x00 0x00 0x00 0xFF 0x87 written to register 0x03)
- The reset command is always the same
- In the control command
- byte 0 is always the same
- byte 1 (0x02 in the example above) must be changed in every sequence: 0x02 -> 0x01 -> 0x03)
- byte 2 is set to 0x01 which disables toggling. 0x02 would be LED toggling without ramp control, 0x03 would be toggling with ramp control
- byte 3 to 6 define the brightness values for the LEDs (R,G,B,W) for the first on cycle when toggling
- byte 7 defines the toggling frequency (if toggling enabled)
- byte 8 to 11 define the brightness values for the LEDs (R,G,B,W) for the second on cycle when toggling
- byte 12 is constant 0x87
Bjørn Mork [Thu, 18 May 2023 09:56:35 +0000 (11:56 +0200)]
mediatek: filogic: set wan label in preinit
Implement the functionality of
target/linux/ramips/patches-5.15/700-net-ethernet-mediatek-support-net-labels.patch
in userspace, since the driver patch has been rejected as a generic solution:
https://github.com/openwrt/openwrt/pull/11435
Removed because they are upstream:
mediatek/patches-5.15/702-v5.17-net-mdio-add-helpers-to-extract-clause-45-regad-and-.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=a03c3a34692f8400a85ec1cc2b058c6880bb7e7b
Jordan Woyak [Tue, 26 Mar 2024 01:56:06 +0000 (20:56 -0500)]
config: Enable ext4 journaling by default.
Not having a journal by default is a major "gotcha".
Because openwrt does not fsck on boot, a power loss without journaling
can result in a dirty filesystem that openwrt will mount as read-only
which requires intervention to restore the router to working order.
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.
Thomas Winkler [Fri, 10 Nov 2023 21:48:59 +0000 (22:48 +0100)]
base-files: fix uid/gid auto-enumeration to avoid 16-bit limit
uid/gid range should be limited to 16bit unsigned integer range to
avoid "wraparound" issues with permissions where jffs2
is employed for storage and chown 65536 (first auto-created user)
becomes equivalent to chown 0
Hauke Mehrtens [Fri, 31 May 2024 12:39:51 +0000 (14:39 +0200)]
tegra: Activate CONFIG_SND_DRIVERS
The option CONFIG_SND_DRIVERS is activated by default in the generic
configuration, do not deactivate it for tegra. This fixes the build of
the kmod-sound-dummy package on tegra.
Daniel Golle [Mon, 10 Jun 2024 22:39:36 +0000 (23:39 +0100)]
mt76: mt7996: select required kernel and hostap options
Select DRIVER_11AX_SUPPORT and KERNEL_RELAY also for kmod-mt7996 to
prevent build failure if only this driver is selected during build and
end up with (most) required hostap features (IEEE 802.11be rates are not
yet supported).
* New upstream microcode datafile 20240514
* Mitigations for INTEL-SA-01051 (CVE-2023-45733)
Hardware logic contains race conditions in some Intel Processors may
allow an authenticated user to potentially enable partial information
disclosure via local access.
* Mitigations for INTEL-SA-01052 (CVE-2023-46103)
Sequence of processor instructions leads to unexpected behavior in
Intel Core Ultra Processors may allow an authenticated user to
potentially enable denial of service via local access.
* Mitigations for INTEL-SA-01036 (CVE-2023-45745, CVE-2023-47855)
Improper input validation in some Intel TDX module software before
version 1.5.05.46.698 may allow a privileged user to potentially enable
escalation of privilege via local access.
* Fix for unspecified functional issues on 4th gen and 5th gen Xeon
Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
Core i3 N-series processors.
* Updated microcodes:
sig 0x000806f8, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0, size 581632
sig 0x000806f7, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
sig 0x000806f6, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
sig 0x000806f5, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
sig 0x000806f4, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
sig 0x000806f8, pf_mask 0x10, 2024-02-05, rev 0x2c000390, size 614400
sig 0x000806f6, pf_mask 0x10, 2024-02-05, rev 0x2c000390
sig 0x000806f5, pf_mask 0x10, 2024-02-05, rev 0x2c000390
sig 0x000806f4, pf_mask 0x10, 2024-02-05, rev 0x2c000390
sig 0x00090672, pf_mask 0x07, 2023-12-05, rev 0x0035, size 224256
sig 0x00090675, pf_mask 0x07, 2023-12-05, rev 0x0035
sig 0x000b06f2, pf_mask 0x07, 2023-12-05, rev 0x0035
sig 0x000b06f5, pf_mask 0x07, 2023-12-05, rev 0x0035
sig 0x000906a3, pf_mask 0x80, 2023-12-05, rev 0x0433, size 222208
sig 0x000906a4, pf_mask 0x80, 2023-12-05, rev 0x0433
sig 0x000906a4, pf_mask 0x40, 2023-12-07, rev 0x0007, size 119808
sig 0x000b0671, pf_mask 0x32, 2024-01-25, rev 0x0123, size 215040
sig 0x000b06e0, pf_mask 0x11, 2023-12-07, rev 0x0017, size 138240
sig 0x000c06f2, pf_mask 0x87, 2024-02-05, rev 0x21000230, size 552960
sig 0x000c06f1, pf_mask 0x87, 2024-02-05, rev 0x21000230
* source: update symlinks to reflect id of the latest release, 20240514
-- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 16 May 2024 21:40:52 -0300
Hauke Mehrtens [Sat, 29 Jun 2024 15:54:49 +0000 (17:54 +0200)]
kernel: Fix kmod-lib-lz4 packaging
The kernel provides two variants of the lz4 compression a normal version
and a high compression mode version. The old kmod-lib-lz4 package
contained the normal version plus one part of the lz4hc version. There
was already code which selected the kmod-lib-lz4hc package which did
not exists.
I split this into 3 packages. kmod-lib-lz4 and kmod-lib-lz4hc for the
normal the and high compression algorithm which contain the specific
code and the kmod-lib-lz4-decompress which contains the common
decompressor.
projects / thirdparty / openwrt.git / log
