git.openwrt.org Git - openwrt/staging/yousong.git/log

openssl: add patches for performance

Add x86_64 vpaes_ctr32_encrypt_blocks for vpaes optimization. The patch is
from BoringSSL

Integrate vpaes 2x optimization.

Revert the removal of bsaes. It has better throughput than vpaes even
when the later has 2x optimization

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

ar71xx: fix ZyXEL NBG6616 wifi switch

The device uses a rf-kill switch instead of a button. Furthermore the
GPIO is active high.

Signed-off-by: Christoph Krapp <achterin@googlemail.com>
(cherry picked from commit 0af656e978f1adac4061516d9d2e661e101ba64c)

tools/cmake: fix typo in parallel make patch

The variable in the case argument was mistyped, so the case always
checked against an empty string and never matched.

Fix the variable name. Add a PKG_RELEASE to Makefile so we can bump it.

Fixes: d6de31310cc1 ("cmake: restore parallel build support for bootstrap")
Signed-off-by: Piotr Stefaniak <pstef@freebsd.org>
[add commit message, add PKG_RELEASE, fix commit title, add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit e27fbae63c3436ce5588ca06b78ea88c7a316fee)

mac80211: Update to 4.19.137-1

b43 and b43legacy now support ieee80211w, hardware crypto will be
deactivated in such cases.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

kernel: update kernel 4.14 to version 4.14.193

Compile and runtime tested on lantiq/xrx200 and ipq40xx.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

scripts: Add Buildbot dump-target-info.pl script

The script comes from buildbot.git[0] and is used to print available
targets and architectures, which are then build.

As the buildbot clones openwrt.git anyway, the script might as well live
here to be used for other cases as well, e.g. determining what
architectures are available when building Docker containers or show
developers an overview which architectures are used by which target.

It's called with either the parameter `architectures` or `targets`,
showing architectures followed by supported targets or targets, followed
by the supported architectures:

$ ./scripts/dump-target-info.pl architectures
aarch64_cortex-a53 bcm27xx/bcm2710 mediatek/mt7622 mvebu/cortexa53 sunxi/cortexa53
aarch64_cortex-a72 bcm27xx/bcm2711 mvebu/cortexa72
...

$ ./scripts/dump-target-info.pl targets
apm821xx/nand powerpc_464fp
apm821xx/sata powerpc_464fp
...

In the future the the script could be removed from the buildbot
repository and maintained only here.

Rename `dumpinfo.pl` to `dump-target-info.pl` to improve verbosity of
filename.

[0]: https://git.openwrt.org/?p=buildbot.git;a=blob;f=scripts/dumpinfo.pl;h=aa97f8d60379076a41b968402e9337cea824ece5;hb=HEAD

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 656b562aff36d92b0e8586833b59896a55b8a993)

uboot-envtools: ar71xx: add ZyXEL NBG6616 uboot env support

This adds support for ZyXEL NBG6616 uboot-env access

Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit eb95ca3b5c8b33e3212896f906922eba5f72abb3)

ar71xx: change u-boot-env to read-write for ZyXEL NBG6616

As the ath79 port of this device uses a combined kernel + root
partition the uboot bootcmd variable needs to be changed. As using
cli/luci is more convenient than opening up the case and using a uart
connection, lets unlock the uboot-env partition for write access.

Signed-off-by: Christoph Krapp <achterin@googlemail.com>
(cherry picked from commit 982c1f6e42c5b3e0f23eedd825a317a2872aa37b)

hostapd: add wpad-basic-wolfssl variant

Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c487cf8e94cbdf582dfc3c2bdaab913a146a2100)

hostapd: reorganize config selection hierarchy for WPA3

The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic. However, the improvement
for readers and the maintained consistency with master qualify
this for backporting.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c4dd7fc23bfcf3b3f1a838668bb070edc9db5d4b)

ramips: correct WizFi630S pin mappings

WizFi630S had some pins changed in the release version of the board.
The run led, wps button and a slide switch where affected.
This patch is correcting this.
i2c is removed as it is sharing a pin with the run (system) led.
uart2 is enabled as it is also enabled in the OEM firmware.

Signed-off-by: Tobias Welz <tw@wiznet.eu>
(backported from commit d0b229f553a814b22c16976e40a197f892c0c0df)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

ramips: enable flashing WizFi630S via OEM firmware

WIZnet WizFi630s board name is written slightly different it its OEM
OpenWrt firmware. This causes an incompatibility warning during flashing
with sysupgrade. This patch is adding the vendor board name to the
supported devices list to avoid this warning. For initial flashing you
can use sysupgrade via command line or luci beside of TFTP.
Do not keep the OEM configuration during sysupgrade.

Signed-off-by: Tobias Welz <tw@wiznet.eu>
(cherry picked from commit 816973f42aa47d910d3e35c2f8f8eb9d67416396)

ramips: remove doublet entry in WizFi630S dts file

&wmac entry in WIZnet WizFi630S dts file was existing two times.
This is removing one of them.

Signed-off-by: Tobias Welz <tw@wiznet.eu>
(cherry picked from commit b735bbcb1876196f33f044ed07325f8959a8967f)

ramips: disable unused phy ports of WizFi630S

WIZnet WizFi630S is using only 3 of the phy ports. The unused phy ports
draw unnecessarily power. This is disabling the unused phy ports.

Signed-off-by: Tobias Welz <tw@wiznet.eu>
(cherry picked from commit 36d4c2272ec65490232e70d45b945b9f467b78f0)

mvebu: fix LAN/WAN port assignment on ClearFog Base/Pro

The comments in code already describe the intended lan / wan assignment:
lan: switch
wan: standalone ethernet and sfp

Update the interface handles to match the comments, as observed with
OpenWRT-19.07-rc2 on a Clearfog Pro Rev 2.0.

This also matches the effective assignment on master, while the actual
interface names (ethX) are different due to the reassignment in
06_set_iface_mac, which is included in 19.07 but was dropped for master.

Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
[extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

ar71xx: restore support for boot console with arbitrary baud rates

Commit 1bfbf2de6df9 ("ar71xx: serial: core: add support for boot console
with arbitrary baud rates") added support for arbitrary baud rates which
enabled 250000 baud rate for Yun. But the patch was not ported to kernel
4.9, and since then the kernel set its baud rate to 9600. This commit ports
the patch to kernel 4.14, thereby restoring the serial console of Yun.

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit c90db26e051e4f0e7cd32333b3bd8c94a13d599a)

ath79: restore support for boot console with arbitrary baud rates

The Arduino Yun uses a baud rate of 250000 by default. The serial is
going over the Atmel ATmega and is used to connect to this chip.
Without this patch Linux wants to switch the console to 9600 Baud.

With this patch Linux will use the configured baud rate and not a
default one specified in uart_register_driver().

This has been added for ath79 4.19 and 5.4 in master as part of
fc59b2f79b50 ("ath79: add support for Arduino Yun"), this backports
it separately to 4.14.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

ar71xx: enable ethernet LED of Arduino Yun

Commit 05d73a2a7379 enabled GPIO on ethernet LED, but proper LED setup was
not added then. This commit fixes it by reverting the change on the LED.

Fixes: 05d73a2a7379 ("ar71xx: Arduino Yun board 'WLAN RST' button support")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit a5e404d1923d135d335e4ece83f87e6e891396e2)

ar71xx: fix sysupgrade for Arduino Yun

Commit bb46b635df48 changed its partition scheme, but sysupgrade image
validation still uses the old format. This commit fixes it so that
force flag is not needed for sysupgrade.

Fixes: bb46b635df48 ("ar71xx: move Arduino Yun to generic building code")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 58dc1d0637425cfe023192466e6212009332b677)

Revert "ar71xx: fix Arduino Yun enabling of level shifters outputs"

This reverts commit 077253dd666a30ae5231c3748222d4b5b138593d.

The output enable pins should be disabled by default, and only enabled when
used. Otherwise unwanted conflicts might occur between MCU and SoC pins.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 43896dc0b005adfb512c027a27781c971440d415)

ramips: add kmod-usb-dwc2 to ZyXEL Keenetic image

ZyXEL Keenetic has a USB port. Thus, DWC2 USB controller driver should
be in the default image for this device.

Fixes: a7cbf59e0e04 ("ramips: add new device ZyXEL Keenetic as kn")
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
[fixed whitespace issue]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(backported from commit 0a182fcba6d9cb2cf74cae9114ea4770ef928f75)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

ramips: remove patches for USB-dwc2

In FS#2738 we can see that patch first introduced in
e8ebcff ("ramips: add a explicit reset to dwc2")
breaks USB functionality since 18.06. Thus, this patch should be removed.

Removed:
- 0032-USB-dwc2-add-device_reset.patch

Fixes: FS#2738
Fixes: FS#2964
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
(cherry picked from commit ab841b4393a4077a5819da1da040ab9a89e3b69d)

hostapd: improve TITLE for packages

For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 917980fd8a6589d6911797211f1871016f527f8c)

mediatek: mt7623: fix sysupgrade from vendor OpenWrt on UniElec U7623

This board ships with an ancient 14.07-based OpenWrt using block2mtd, and
the MBR partition table contains nonsense.

It is possible to sysupgrade to an upstream OpenWrt image, but the
legacy layout of the OpenWrt images start at 0xA00 in the eMMC, with
a raw uImage. The legacy OpenWrt image doesn't "own" the beginning
of the device, including the MBR and U-Boot.

This means that when a user upgrades to upstream OpenWrt, it doesn't
boot because it can't find the right partitions. So hard-code them on
the kernel's command line using CONFIG_CMDLINE_PARTITION (for block).

Additionally, the vendor firmware doesn't cope with images larger than
about 36MiB, because it only overwrites the contents of its "firmware"
MTD partition. The current layout of the legacy image wastes a lot of
space, allowing over 32MiB for the kernel and another 10MiB for the FAT
recovery file system which is only created as 3MiB. So pull those in
to allow 4¾ MiB for the kernel, 3MiB for recovery, and then we have over
20MiB for the root file system.

This doesn't affect the new images which ship with a full eMMC image
including a different MBR layout and a partition for U-Boot, because
our modern U-Boot can actually pass the command line to the kernel, and
the built-in one doesn't get used anyway.

Tested by upgrading from vendor OpenWrt to the current legacy image,
from legacy to itself, to the previous legacy layout, and then to
finally the full-system image.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 6eb63019afef89404899f2cb65fb4c16e00aa0ed)

mediatek: mt7623: add explicit console= to U7623 kernel

The bootloader for legacy builds can't set it, so we end up unable to
log in on the serial port.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit ea9ef8c9451a08aa4dbb6efcbe5f20d9b788ebd2)

curl: patch CVE-2020-8169

Affected versions: curl 7.62.0 to and including 7.70.0
https://curl.haxx.se/docs/CVE-2020-8169.html

Run tested on Omnia with OpenWrt 19.07

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>

make_ext4fs: Update to version 2020-01-05

5c201be Add LDFLAGS when building libsparse.a
ec17045 make_ext4fs: fix build on musl systems

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 271d0c825ba5821160e4a516497796fa342c2eff)

make-ext4fs: update to HEAD of 2017-05-29 - eebda1

Update make-ext4fs to commit eebda1d55d9701ace2700d7ae461697fadf52d1f

git log --pretty=oneline --abbrev-commit 484903e4..eebda1d5

eebda1d make_ext4: Add strict prototypes.
bb9cf91 make_ext4fs: Remove off64_t in favor of standard off_t

Created with the help of the make-package-update-commit.sh script.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit ac2f341036c18acee2b4f69e819cffeaacc2e824)

firewall: backport patch for mss clamping in both directions

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

ath79: correctly define WiFi switch for TL-WR841ND v8

The TL-WR841ND v8 feature a WiFi switch instead of a button.
This adds the corresponding input-type to prevent booting into
failsafe regularly.

This has been defined correctly in ar71xx, but was overlooked
when migrating to ath79. In contrast, the TL-WR842ND v2, which
has the key set up as switch in ar71xx, actually has a button.
The TL-MR3420 v2 has a button as well and is set up correctly
for both targets. (Information based on TP-Link user guide)

Note:

While looking into this, I found that support PR for TL-MR3420 v2
switched reset button to ACTIVE_HIGH. However, the other two
device still use ACTIVE_LOW. This seems strange, but I cannot
verify it lacking the affected devices.

Fixes: FS#2733
Fixes: 9601d94138de ("add support for TP-Link TL-WR841N/ND v8")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(backported from commit 5e86877f36b0d95127dcef8ed3abf78ecd78061d)

bcm47xx: fix switch setup for Linksys WRT610N v2

WRT610N V2 is not detected by the initial network configuration script.
The switch remains unconfigured and wlan/lan vlans are not created.

This adds the correct setup for the device.

Fixes: FS#1869
Suggested-by: Alessandro Radicati
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a2fee73e270305c4cb086055cc30e97f65e6f58b)

tplink-safeloader: expand support list for TP-Link CPE210 v3

This adds new strings to the support list for the TP-Link CPE210 v3
that are supposed to work with the existing setup.

Without it, the factory image won't be accepted by the vendor UI on
these newer revisions.

Tested on a CPE210 v3.20 (EU).

Ref: https://forum.openwrt.org/t/build-for-cpe210-v3-20/68000

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 4a2380a1e778a8f8e0bfb0a00f2996ed0aab58d8)

lantiq/xrx200: make WLAN button responsive on Fritzbox 7360 & 7362

Pressing the 'WLAN' button should enable/disable wireless activity.
Currently, the button is mapped to the KEY_WLAN, which will not
have this effect.
This patch changes the mapping of the WLAN button, so a button
press will emit an action for the 'rfkill' key instead of 'wlan'.
Apparently, this is what stock OpenWRT expects.

This fix is analogous to the preceding patch for Fritzbox 3370.

Signed-off-by: Dustin Gathmann <dzsoftware@posteo.org>
(cherry picked from commit d5a148f5c8f6d6dee7041fd348bd0f52839d0f4e)

lantiq/xrx200: fix WLAN button actions for Fritzbox 3370

The WLAN button actions are reversed, i.e. pressing the button emits a
'released' action, and vice versa.
This can easily be checked by adding
logger -t button_action "$BUTTON $ACTION"
as the second line of /etc/rc.button/rfkill, and using logread to read
the events (assuming the preceding patch has been applied).
Defining the GPIO as ACTIVE_LOW corrects this behavior.

Signed-off-by: Dustin Gathmann <dzsoftware@posteo.org>
(cherry picked from commit 0ee30adb46a87583badd85b69e4ccd7942786374)

lantiq/xrx200: make WLAN button responsive on Fritzbox 3370

Pressing the 'WLAN' button should enable/disable wireless activity.
However, on the Fritzbox 3370 this doesn't have an effect.
This patch changes the mapping of the physical WLAN button, so a button
press will emit an action for the 'rfkill' key instead of 'wlan'.
Apparently, this is what stock OpenWRT expects, and also what is
implemented for most other devices.

Signed-off-by: Dustin Gathmann <dzsoftware@posteo.org>
(cherry picked from commit a53bf63756ef2a266ae5f3b3507eeb7382b4cdc9)

vxlan: bump and change to PKG_RELEASE

Bumping package version has been overlooked in a previous commit.

While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)

Fixes: 0453c3866feb ("vxlan: fix udp checksum control")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit b29d620ed2521fe6fda40ddafe6cb0f1d70e4503)

vxlan: fix udp checksum control

So far, passing "rxcsum" and "txcsum" had no effect.

Fixes: 95ab18e0124e ("vxlan: add options to enable and disable UDP
checksums")

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 0453c3866feb701160bbab4ecf9762c5a3038503)

ipq40xx: fix ethernet vlan double tagging

As the the SoC uses implicit vlan tagging for dual MAC support, the
offload feature breaks when using double tagging.

This is backport of 9da2b567605b0964d921b9ca4f0c9886db4f636d from trunk.
As the layout of the files has changed a cherry-pick was not possible.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: John Crispin <john@phrozen.org>

build,json: fix compatibility with Python 3.5

The f-string feature was introduced in Python 3.6. As Buildbots may run
on Debian 9, which comes per default with Python 3.5, this would cause
an issue. Instead of f-strings use the *legacy* `.format()` function.

Signed-off-by: Paul Spooren <mail@aparcar.org>

build: fix compatibility with python 3.6

On a system python3 is linked to python3.6, fail to perform json_overview_image_info
and got `TypeError: __init__() got an unexpected keyword argument 'capture_output'`.
This patch emulate the behaviour on python 3.7+.

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
(cherry picked from commit 3caad5150c2011a7dac462acaa06d0e69f8ed005)

build,json: fix build failure in case no data is found

Only collect arch_packages if actually generating any output.

Fixes: commit f09b9319 ("build,json: store arch_packages in profiles.json"(
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 3b0f698760ae3a62173a28f18e9e1e3adef9c492)

build,json: store arch_packages in profiles.json

The `arch_packages` contains the supported package architecture.

Previously it was necessary to parse the `Packages` index for the line
`Architecture:`, requiring both an additional parser and file download.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit f09b9319c666e343763c7618878a503ad7eb7531)

build: store default/device packages in JSON

With this commit the `profiles.json` contain both the target specific
`default_packages` as well as the device specific `device_packages` as a
array of strings.

This information is required for downstream projects like the various
web-based interactive firmware generators.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 263f7e5bbd119ebed1f514c16f659a2e2a2b132c)

imagebuilder: Remove json_info_files/ before build

The folder `json_info_files` contains multiple JSON files which describe
created firmware images. The folder is not removed between builds as the
ImageBuilder does not use `image.mk`.

Not removing the JSON files result in a merged `profiles.json` file
containing entries for outdated or non-existing images.

This commit adds the `json_info_files/` cleanup step to the ImageBuilder
Makefile.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 941ec28b355ea690b5682d2bf8175aa513379997)

kirkwood: support for button in Pogoplug V4

Pogoplug V4 has a reset button on a GPIO pin.
To use it, kmod-gpio-button-hotplug package needs to be installed.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 91472dc2ce051d255eecb7fbba3484de917fa65d)

lantiq: dts: Move the &usb_vbus nodes out of &gpio

Move the USB VBUS regulator nodes out of the GPIO controller node. This
fixes a problem where the "regulator-fixed" driver wasn't probed for
these regulators because the GPIO driver doesn't scan the child-nodes
and based on the dt-bindings documentation it's not supposed to.

This fixed the following error reported by Luca Olivetti:
  ...
  dwc2 1e101000.usb: DWC OTG Controller
  dwc2 1e101000.usb: new USB bus registered, assigned bus number 1
  dwc2 1e101000.usb: irq 62, io mem 0x1e101000
  dwc2 1e101000.usb: startup error -517
  dwc2 1e101000.usb: USB bus 1 deregistered
  dwc2 1e101000.usb: dwc2_hcd_init() FAILED, returning -517

Fixes: FS#1634
Cc: Luca Olivetti <luca@ventoso.org>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[backported from 982468de35d499f85470b7b547d2b27cea53bae0]
Signed-off-by: Luca Olivetti <luca@ventoso.org>

ar71xx: Fix mikrotik NAND compile problem

This fixes the following compile error:
drivers/mtd/nand/rb91x_nand.c: In function 'rb91x_nand_remove':
drivers/mtd/nand/rb91x_nand.c:445:16: error: 'rbni' undeclared (first use in this function)
nand_release(&rbni->chip);

Fixes: 9cad70044f75 ("kernel: fix nand_release() usage.")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 66e04abbb6d0dec8642be5deb2fca4bba470f8ac)

ar71xx: Fix mikrotik NAND compile problem

There is one closing bracket too much.

Fixes: 9cad70044f75 ("kernel: fix nand_release() usage.")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 014d3f593acea13ee6aa002d858f182806ed43f0)

armvirt,x86: fix build breakage of crypto ccp module

Upstream in commit f9f8f0c24203 ("crypto: ccp -- don't "select"
CONFIG_DMADEVICES") removed dependency on CONFIG_DMADEVICES symbol which
leads to build breakage of ccp crypto module, so fix this by adding that
symbol back in the kernel config.

Fixes: f4985a22ca1b ("kernel: Update kernel 4.14 to version 4.14.187")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 472b8fc91bbab0530d72e9780a482bacc1bbe5f7)

nghttp2: bump to 1.41.0

8f7b008b Update bash_completion
83086ba9 Update manual pages
c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr
3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20
881c060d Update AUTHORS
f8da73bd Earlier check for settings flood
336a98fe Implement max settings option
ef415836 Revert "Add missing connection error handling"
979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2
b7d16101 Add missing connection error handling
cd53bd81 Merge pull request #1460 from gportay/patch-1
e5625b8c Fix doc
c663349f integration: Add PROXY protocol v2 tests
854e9fe3 nghttpx: Always call init_forwarded_for
c60ea227 Update doc
49cd8e6e nghttpx: Add PROXY-protocol v2 support
3b17a659 Merge pull request #1453 from Leo-Neat/master
600fcdf5 Merge pull request #1455 from xjtian/long_serials
4922bb41 static_cast size parameter in StringRef constructor to size_t
aad86975 Fix get_x509_serial for long serial numbers
dc7a7df6 Adding CIFuzz
b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue
ffb49c6c Merge pull request #1435 from geoffhill/master
2ec58551 Fix receiving stream data stall
459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp
a4c1fed5 Bump llhttp to 2.0.4
866eadb5 Enable session_create_idle_stream test, fix errors
5e13274b Fix typo
e0d7f7de h2load: Allow port in --connect-to
df575f96 h2load: add --connect-to option
1fff7379 clang-format-9
b40c6c86 Merge pull request #1418 from vszakats/patch-1
9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional
2d5f7659 Bump up version number to 1.41.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Note this is cherry-pick from master. It fixes CVE-2020-11080
and https://github.com/nxhack/openwrt-node-packages/issues/679

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>

kernel: fix nand_release() usage.

nand_release() takes nand_chip since commit 5bcfcbfc4019 ("mtd: rawnand:
Pass a nand_chip object to nand_release()")

Fixes: f4985a22ca1b ("kernel: Update kernel 4.14 to version 4.14.187")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

wireguard: bump to 1.0.20200611

This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f,
which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14.
This breaks the older WireGuard version currently in 19.07.

For reference, the compilation error is the one below:

build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'?
#define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst

Changelogs below taken from the official release announcements.

== Changes since v1.0.20200506 ==

  This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
  pushed to net.git about 45 minutes ago.

  * qemu: use newer iproute2 for gcc-10
  * qemu: add -fcommon for compiling ping with gcc-10

  These enable the test suite to compile with gcc-10.

  * noise: read preshared key while taking lock

  Matt noticed a benign data race when porting the Linux code to OpenBSD.

  * queueing: preserve flow hash across packet scrubbing
  * noise: separate receive counter from send counter

  WireGuard now works with fq_codel, cake, and other qdiscs that make use of
  skb->hash. This should significantly improve latency spikes related to
  buffer bloat. Here's a before and after graph from some data Toke measured:
  https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png

  * compat: support RHEL 8 as 8.2, drop 8.1 support
  * compat: support CentOS 8 explicitly
  * compat: RHEL7 backported the skb hash renamings

  The usual RHEL churn.

  * compat: backport renamed/missing skb hash members

  The new support for fq_codel and friends meant more backporting work.

  * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4

== Changes since v1.0.20200611 ==

  * qemu: always use cbuild gcc rather than system gcc
  * qemu: remove -Werror in order to build ancient kernels better
  * qemu: patch kernels that rely on ancient make
  * qemu: force 2MB pages for binutils 2.31
  * qemu: use cbuild gcc for avx512 exclusion
  * qemu: add extra fill in idt handler for newer binutils
  * qemu: support fetching kernels for arbitrary URLs
  * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection
  * qemu: work around broken centos8 kernel
  * qemu: mark per_cpu_load_addr as static for gcc-10

  Our qemu test suite can now handle more kernels and more compilers. Scroll
  down to the bottom of https://www.wireguard.com/build-status/ to see the
  expanded array of kernels we now test against, including some distro kernels.

  * compat: widen breadth of integer constants
  * compat: widen breadth of memzero_explicit backport
  * compat: backport skb_scrub_packet to 3.11
  * compat: widen breadth of prandom_u32_max backport
  * compat: narrow the breadth of iptunnel_xmit backport
  * compat: backport iptunnel_xmit to 3.11

  With the expanded qemu test suite, it was possible to expand our list of
  mainline kernels, so the backport compat layer is now more precise.

  * compat: ubuntu appears to have backported ipv6_dst_lookup_flow
  * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow

  Ubuntu kernels changed recently, so this ensures we can compile with the
  latest Ubuntu releases.

  * compat: remove stale suse support

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)

kernel: Update kernel 4.14 to version 4.14.187

Fixes:
- CVE-2020-10757

Run tested: ath79, ipq40xx
Build tested: ath79, ipq40xx

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

mac80211: fix use of local variable

mac80211_get_addr is called from mac80211_generate_mac, where the local variable
initialisation id="${macidx:-0}" suggests that macidx is not always defined.
Probably, idx was supposed to be used instead of $(($macidx + 1)).

Fixes: 4d99db168cf7 ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set")
Signed-off-by: Leon M. George <leon@georgemail.eu>
(cherry picked from commit 8f95220bcb554b1b668114e5264ebce4028c5f93)

scripts: JSON merge don't crash if no JSON found

The JSON `WORK_DIR` ($(KDIR)/json_info_files) is only created if the new
image generation methods from `image.mk` are used. However some targets
like `armvirt` do not use it yet, so the folder is never created.

The `json_overview_image_info.py` script used to raise an error if the
given `WORK_DIR` isn't a folder, however it should just notify about
missing JSON files.

This patch removes the Python assert and exists with code 0 even if no
JSON files were found, as this is not necessarily an error but simply
not yet implemented. Using `glob` on an not existing `Path` results in
an empty list, therefore the for loop won't run.

Signed-off-by: Paul Spooren <mail@aparcar.org>
CC: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 14cbd8fb2dd8c81bad06d3c3bb45213685c19c98)

build: refactor JSON info files to `profiles.json`

JSON info files contain machine readable information of built profiles
and resulting images. These files were added in commit 881ed09ee6e2
("build: create JSON files containing image info").

They are useful for firmware wizards and script checking for
reproducibility.

Currently all JSON files are stored next to the built images, resulting
in up to 168 individual files for the ath79/generic target.

This patch refactors the JSON creation to store individual per image
(not per profile) files in $(BUILD_DIR)/json_info_files and create an
single overview file called `profiles.json` in the target directory.

Storing per image files and not per profile solves the problem of
parallel file writes. If a profiles sysupgrade and factory image are
finished at the same time both processes would write to the same JSON
file, resulting in randomly broken outputs.

Some target like x86/64 do not use the image code yet, resulting in
missing JSON files. If no JSON info files were created, no
`profiles.json` files is created as it would be empty anyway.

As before, this creation is enabled by default only if `BUILDBOT` is set.

Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[json_info_files dir handling in Make, if case refactoring]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(backported from commit 07449f692ce4c4525e946401f4c3ed0cbbc8c4df)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

build: image: fix build breakage of some images

Commit 881ed09ee6e2 ("build: create JSON files containing image info")
has removed the crucial empty new line from the image copy step
resulting in the following errors during make function expansion:

GZ_SUFFIX :=
bash: GZ_SUFFIX: command not found
Makefile:86: recipe for target 'openwrt-ath79-generic-tplink_archer-c7-v5-squashfs-sysupgrade.bin' failed

Fixes: 881ed09ee6e2 ("build: create JSON files containing image info")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 0fb23d67f00a18c3f9e712ca97cfc34b38071f4a)

build: create JSON files containing image info

The JSON info files contain details about the created firmware images
per device and are stored next to the created images.

The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some
device/image meta data as well as a list of created firmware images.

An example of openwrt-ramips-rt305x-aztech_hw550-3g.json

    {
      "id": "aztech_hw550-3g",
      "image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g",
      "images": [
        {
          "name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin",
          "sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20",
          "type": "sysupgrade"
        }
      ],
      "metadata_version": 1,
      "supported_devices": [
        "aztech,hw550-3g",
        "hw550-3g"
      ],
      "target": "ramips/rt305x",
      "titles": [
        {
          "model": "HW550-3G",
          "vendor": "Aztech"
        },
        {
          "model": "ALL0239-3G",
          "vendor": "Allnet"
        }
      ],
      "version_commit": "r10920+123-0cc87b3bac",
      "version_number": "SNAPSHOT"
    }

Signed-off-by: Paul Spooren <mail@aparcar.org>
(backported from commit 881ed09ee6e23f6c224184bb7493253c4624fb9f)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

ath79: do not build TP-Link tiny images by default

For quite some time, the tiny (4M flash) TP-Link sysupgrade and
factory images cannot be built anymore by the buildbots, just
the initramfs-kernel.bin files are still there.

Disable these images for the buildbots and don't waste build
resources.

Note that these devices still build fine with default settings,
just not with the additional packages and config symbols for
the buildbots.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

mediatek: fix IPv4-only corner case and commit in 99-net-ps

The uci config section network.globals set up in /bin/config_generate
will only be created if /proc/sys/net/ipv6 exists.

Correspondingly, lacking IPv6 support, the command
uci set network.globals.packet_steering=1
will fail with "uci: Invalid argument" as the network.globals config
has not been set up.

Fix that by adding the setup there as well.

While at it, limit the uci commit to the network config file.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 636b62e8e232951154ac4ccd7972fda3f8de0379)

bcm63xx: DGND3700v1: fix port order

Fix the switch LAN labels for the DGND3700v1/DGND3800B router,
the order is reversed.

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
[cut out of bigger patch, adjust commit title/message accordingly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 583b3e40254076693eb5227a9d9ae49eb2b0bcbf)

ramips: increase SPI frequency for ELECOM WRC-GST devices

Increase the SPI frequency for ELECOM WRC-1900GST and WRC-2533GST
to 40 MHz by updating the common DTSI file.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
[WRC-1900GST]
Acked-by: NOGUCHI Hiroshi <drvlabo@gmail.com>
[split patch, adjust commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit b5ae70d0530d1a733816f921ae0fe4dd58251fbb)

mvebu: fix default EU regdomain for Linksys WRT AC devices

The mwlwifi driver sets the default country code for EU (fi-
rmware region code 0x30) certified devices to FR (France),
not DE (Germany). Whilst this is a trivial fix, novice users
may not know how mwlwifi negatively reacts to a non-matching
country code and may leave the setting alone. Especially si-
nce it is under the advanced settings section in LuCI.

Relevant mwlwifi driver code:
https://github.com/kaloz/mwlwifi/commit/0a550312ddb5a9e00e8d602d5571598f25a78158

The mwlwifi driver readme states "Please don't change country
code and let mwlwifi set it for you." However, OpenWrt's current
behaviour does not adhere to this with its default, 'just flashed
from factory' setting for EU devices.

Signed-off-by: Jose Olivera <oliverajeo@gmail.com>
[rebase, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d0e8b8310f7079ccf250f7eddbdf8b9d319c274d)

libnetfilter-queue: fix package title and description

The original text was copy/pasted from some other package.
Adjust the package title and description to match the description
on the publishers page.

Signed-off-by: Catalin Patulea <catalinp@google.com>
[slightly adjust content and commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 492a6594b97e765a2a93fadbe23534ae94f710fa)

base-files: remove urandom-seed definition

urandom-seed has a separate Makefile, we can safely remove the definition here.

Fixes: 27bfde9c9f78 ("base-files: move urandom seed bits into separate package")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 46a6586c83e029446ea35b02a328e5f7935d4a9f)

ath79: drop and consolidate redundant chosen/bootargs

In ath79, for several SoCs the console bootargs are defined to the
very same value in every device's DTS. Consolidate these definitions
in the SoC dtsi files and drop further redundant definitions elsewhere.

The only device without any bootargs set has been OpenMesh OM5P-AC V2.
This will now inherit the setting from qca955x.dtsi

While this is a cosmetic change, backporting it to 19.07 will be a
major help for anyone doing backports of device support. Without it,
every backporter would have to remember to manually add the chosen node
to the device's DTS.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 635f111148c3f7ccb0ecc92863a3b1a142f6ebeb)

ath79: add support for TP-Link TL-WA801ND v3/v4

This ports support for these devices from ar71xx.

Specification:

- System-On-Chip: Qualcomm Atheros QCA9533
- CPU/Speed: v3: 560 MHz, v4: 650 MHz
- Flash: 4096 KiB
- RAM: 32 MiB
- Ethernet: 1 port @ 100M
- Wireless: SoC-integrated: QCA9533 2.4GHz 802.11bgn

In contrast to the implementation in ar71xx (reset and WiFi button),
the device actually features reset and WPS buttons.

Flashing instructions:

Upload the ...-factory.bin file via OEM web interface.

TFTP Recovery:

1. Set PC to fixed IP address 192.168.0.66
2. Download *-factory.bin image and rename it to
wa801ndv3_tp_recovery.bin
3. Start a tftp server with the image file in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.

TFTP recovery has only been tested with v3, and the Wiki states
that the procedure won't work for v4, which cannot be verified
or falsified at the moment.

Tested by Tim Ward (see forum):
https://forum.openwrt.org/t/ath79-support-for-tp-link-tl-wa901nd-v3-v4-v5/61246/13

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 9a477b833ab2aea96b9eee55acb5f9e7b01b36d8)

uclient: update to 19.07 Git HEAD

51e16eb uclient-fetch: add option to read POST data from file
99aebe3 uclient: Add string error function

Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Revert "uclient: Update to version 2020-06-17"

This reverts commit 0c910d845941b1df9c78a5039c1658e676c409be.

We cannot use uclient Git HEAD as-is on 19.07 due to an older
version of the ustream-ssl API.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

uclient: Update to version 2020-06-17

fef6d3d uclient: Add string error function
af585db uclient-fetch: support specifying advertised TLS ciphers
c660986 uclient-fetch: add option to read POST data from file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry-squashed from commits 05145ffbefc71a94c1692dfb8ac440bc67974ded
                              98017228ddd5ce41a63da20b78f5d2e30c87c494
                              dd166960f48580bf6d4a8dde071b96832bfd9e1f
                              8e98613f4da82628cdb490c8202b56dc989e088b)

bcm63xx: a226m-fwb: fix linux partition offset

The Pirelli A226M-FWB has a wrong linux partition offset, caused
by a copy-paste error. As of result of this, OpenWrt is currently
broken in this unit.

Fix it.

While at it, also use generic node names and fix the addresses
there as well.

Fixes: a27d59bb4274 ("brcm63xx: switch to new partition layout
specification")

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
[also fix/update node names, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d64d5ed1425f4397d093c8777ca03f70ff1ee90c)

ipq40xx: essedma: Disable TCP segmentation offload for IPv6

It was noticed that the the whole MAC can hang when transferring data from
one ar40xx port (WAN ports) to the CPU and from the CPU back to another
ar40xx port (LAN ports). The CPU was doing only NATing in that process.

Usually, the problem first starts with a simple data corruption:

  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.4.0-amd64-netinst.iso -O /dev/null
  ...
  Connecting to saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|2001:6b0:19::138|:443... connected.
  ...
  Read  error at byte 48807936/352321536 (Decryption has failed.). Retrying.

But after a short while, the whole MAC will stop to react. No traffic can
be transported anymore from the CPU port from/to the AR40xx PHY/switch and
the MAC has to be resetted.

The whole problem can be avoided by disabling IPv6 TSO for this ethernet
MAC driver.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: John Crispin <john@phrozen.org>
(backported from commit 678569505623e50bbbbc344c7e820fb315b79ede, with
updated commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>

ath79: wndr3700 series: fix wifi range & throughput

This patch adds ar71xx's GPIO setup for the 2.4GHz and 5GHz antennae
demultiplexer:

| 158         /* 2.4 GHz uses the first fixed antenna group (1, 0, 1, 0) */
| 159         ap9x_pci_setup_wmac_gpio(0, (0xf << 6), (0xa << 6));
| 160
| 161         /* 5 GHz uses the second fixed antenna group (0, 1, 1, 0) */
| 162         ap9x_pci_setup_wmac_gpio(1, (0xf << 6), (0x6 << 6));

This should restore the range and throughput of the 2.4GHz radio
on all the derived wndr3700 variants and versions with the AR7161 SoC.
A special case is the 5GHz radio. The original wndr3700(v1) will
benefit from this change. However the wndr3700v2 and later revisions
were unaffected by the missing bits, as there is no demultiplexer
present in the later designs.

This patch uses gpio-hogs within the device-tree for all
wndr3700/wndr3800/wndrmac variants.

Notes:

Based on the PCB pictures, the WNDR3700(v1) really had eight
independent antennae. Four antennae for each radio and all of
those were printed on the circut board.

The WNDR3700v2 and later have just six antennae. Four of those
are printed on the circuit board and serve the 2.4GHz radio.
Whereas the remaining two are special 5GHz Rayspan Patch Antennae
which are directly connected to the 5GHz radio.

Hannu Nyman dug pretty deep and unearthed a treasure of information
regarding the history of how these values came to be in the OpenWrt
archives: <https://dev.archive.openwrt.org/ticket/6533.html>.

Mark Mentovai came across the fixed antenna group when he was looking
into the driver:

    fixed_antenna_group 1, (0, 1, 0, 1)
    fixed_antenna_group 2, (0, 1, 1, 0)
    fixed_antenna_group 3, (1, 0, 0, 1)
    fixed_antenna_group 4, (1, 0, 1, 0)

Fixes: FS#3088
Reported-by: Luca Bensi
Reported-by: Maciej Mazur
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Debugged-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 61307544d1f1ab81a2eb3a200164456c59308d81)

ca-certificates: update to version 20200601

This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.

A list of changes from Debian's change-log entry for 20200601 [0]:

  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.40.
Closes: #956411, #955038
  * mozilla/blacklist.txt
    Add distrusted Symantec CA list to blacklist for explicit removal.
Closes: #911289
    Blacklist expired root certificate, "AddTrust External Root"
Closes: #961907
    The following certificate authorities were added (+):
    + "Certigna Root CA"
    + "emSign ECC Root CA - C3"
    + "emSign ECC Root CA - G3"
    + "emSign Root CA - C1"
    + "emSign Root CA - G1"
    + "Entrust Root Certification Authority - G4"
    + "GTS Root R1"
    + "GTS Root R2"
    + "GTS Root R3"
    + "GTS Root R4"
    + "Hongkong Post Root CA 3"
    + "UCA Extended Validation Root"
    + "UCA Global G2 Root"
    The following certificate authorities were removed (-):
    - "AddTrust External Root"
    - "Certinomis - Root CA"
    - "Certplus Class 2 Primary CA"
    - "Deutsche Telekom Root CA 2"
    - "GeoTrust Global CA"
    - "GeoTrust Primary Certification Authority"
    - "GeoTrust Primary Certification Authority - G2"
    - "GeoTrust Primary Certification Authority - G3"
    - "GeoTrust Universal CA"
    - "thawte Primary Root CA"
    - "thawte Primary Root CA - G2"
    - "thawte Primary Root CA - G3"
    - "VeriSign Class 3 Public Primary Certification Authority - G4"
    - "VeriSign Class 3 Public Primary Certification Authority - G5"
    - "VeriSign Universal Root Certification Authority"

[0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit f611b014a713d82d7c7da4c171f3aa04a8984063)

oxnas: build with 8021Q VLAN support

CONFIG_VLAN_8021Q was explicitely disabled in oxnas kernel config.
Don't do that, so VLANs can be used on the target.

Fixes: dcc34574ef ("oxnas: bring in new oxnas target")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit fd0cc72d9ceba6d4dc315c7f0e52d6513023f669)

ath79: add support for TP-Link TL-WR802N V1 and V2

Specification:
- SoC: Qualcomm Atheros QCA9533 (560 MHz, MIPS 24Kc)
- RAM: 32 MiB
- Storage: 4 MiB of Flash on board
- Wireless: Built into QCA9533 (Honey Bee), PHY modes b/g/n
- Ethernet: 1x100M (port0)

Installation through OEM Web Interface:
- Connect to TL-WR802N by Ethernet or Wi-Fi
- Go to web interface:
  [V1] http://192.168.0.1
  [V2] http://192.168.0.254
  Default user is "admin" & password is "admin".
  On V2, there is no DHCP server running by default, so remember to set
  IP manually.
- Go to "System Tools -> Firmware Upgrade"
- Browse for firmware:
  [V1] "*.factory.bin"
  [V2] "*.factory-us.bin" or  "*.factory-eu.bin" for eu model
  Web interface may complain if filename is too long. In such case,
  rename .bin to something shorter.
- Click upgrade

Installation through tftp:
Note: T_OUT, T_IN and GND on the board must be connected to USB TTL
      Serial Configuration 115200 8n1

- Boot the TL-WR802N
- When "Autobooting in 1 seconds" appears type "tpl" followed by enter
- Connect to the board Ethernet port
    (IPADDR: 192.168.1.1, ServerIP: 192.168.1.10)
- tftpboot 0x80000000 <Firmware Image Name>
- Record the result of "printenv bootcmd"
- Enter "erase <Result of 'printenv bootcmd'> +0x3c0000"
    (e.g erase 0x9f020000 +0x3c0000)
- Enter "cp.b 0x80000000 <Result of 'printenv bootcmd'> 0x3c0000"
    (e.g cp.b 0x80000000 0x9f020000 0x3c0000)
- Enter "bootm <Result of 'printenv bootcmd'>"
    (e.g bootm 0x9f020000)

Notes:

When porting from ar71xx target to ath79, I found out that on V2,
reset button is on GPIO12 and active low, instead of GPIO11 and
active high. By cross-flashing V1 firmware to V2, I confirmed
the same is true for V1.
Also according to manual of V1, this one also has green
LED instead of blue - both of those issues were fixed accordingly.

The MAC address assignment has been checked with OEM firmware.

Installation manual based on ar71xx support by Thomas Roberts

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[slightly adjust commit message, add MAC address comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 7e513136c63108bf55b38be4d2b65aa00b0d2b26)

ath79: update WA/XC devices UBNT_VERSION to 8.5.3

Ubiquiti WA devices with newer hw version 2011K require UBNT_VERSION
to be at least 8.5.3, otherwise the image is rejected:

   New ver: WA.ar934x.v8.5.0-42.OpenWrt-r10947-65030d81f3
   Versions: New(525568) 8.5.0, Required(525571) 8.5.3
   Invalid version 'WA.ar934x.v8.5.0-42.OpenWrt-r10947-65030d81f3'

For consistency, also increase version number for XC devices.

Tested-by: Pedro <pedrowrt@cas.cat>
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit 95caa3436d98dac3709e550765f3f86d11a99782)

ipq806x: EA8500 fix boot partition detection

Remove extraneous code that disabled boot partition detection.

Fixes: b3770eaca39f ("mtd: base-files: Unify dual-firmware devices (Linksys)")
Signed-off-by: Samantha Collard <sammyrc34@gmail.com>
(cherry picked from commit 0f910a8c4c03d92e399dd79dbc5d707eb03b22df)

ath79: fix LEDs for GL.inet GL-AR150

Since the wireless LED was used for boot and set up with a DT
trigger, the WiFi indication hasn't worked on ath79 at all.

In addition, a look into the manual revealed that the OEM
configuration is as follows:

LED 1 (green): power
LED 2 (green): configurable
LED 3 (red): wireless

So, let's just keep the WiFi trigger and convert the rest to its
"intended" use.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 705fe43522c756962589b360141d4c398363ce1c)

ar71xx: fix reset key for TP-Link TL-WR802N V1/V2

During porting support for this router to ath79 target
it was discovered that GPIO mapping was incorrect (GPIO11 active high).
Correct mapping for both V1 and V2 is GPIO12 active low.

Default configuration from GPL source for V2 explicitly states this, and
this was confirmed experimentally on ath79 by looking on
/sys/kernel/debug/gpio. Correctness of this was also validated for V1 by
cross-flashing vendor firmware for V1 on V2 hardware, in which reset
button also worked.

Fix it.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[slightly adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit f841e706403b1a111cbb6dc5930b7886307bf633)

generic: fix flow table hw offload

Make the driver work with recent upstream changes.

Fixes: FS#2632
Ref: https://github.com/openwrt/openwrt/pull/2815
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 6786dc26a205da55ec2d9771693cdfb99e756e59)

ar71xx: correct button type for TL-MR3020 mode slider

The TP-Link TL-MR3020 has a three-state mode slider which was previously
integrated as a button (EV_KEY). This led to spurious activations of
failsafe mode.

Set the type for the button to switch (EV_SW), to avoid unintended
activations of failsafe mode.

Related: commit 27f3f493de06 ("gpio-button-hotplug: unify polled and
interrupt code")

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit b017a016cc0cd26f84a7e6b8de3dc02dc101e888)

ar71xx: fix splitting firmware partition for TL-WR902AC v1

The -O option for the tplink-v1-header was missing for the TP-Link
TL-WR902AC v1, while safeloader and MTDPARTS where set up with a
single firmware partition.

This led to bootloops after using sysupgrade.

Fixes: FS#3118
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a7b07f8ba880895f0d235a63729dd189cb2410a7)

qos-scripts: fix interface resolving

Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.

Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 559b3384666bbc6e4e9e6d86cf54bd88d30b341f)

broadcom-wl: don't inherit lock descriptor in nas process

Add a local hack to prevent the Broadcom WPA authenticator process from
inheriting the lock descriptor 1000 used to prevent concurrent executions
of the init script.

Without this fix, repeated invocations of /etc/init.d/network, e.g. for
obtaining the enabled state, would hang forever.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a03d6d2fab13c478a0f6cfc3082bec141f2adcf1)

musl: fix locking synchronization bug

Import proposed upstream fix [2] for the critical locking
synchronization bug recently found in musl [1].

This affects all programs that are temporarily multithreaded, but then
return to single-threaded operation.

[1] https://www.openwall.com/lists/musl/2020/05/22/3
[2] https://www.openwall.com/lists/musl/2020/05/22/10

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 10c211031ccd4703230493025a5a3b9d6fcad2f2)

rpcd: update to latest openwrt-19.07 Git HEAD

67c8a3f uci: reset uci_ptr flags when merging options during section add
970ce1a session: deny access if password login is disabled

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Revert "rpcd: update to latest Git HEAD"

This reverts commit adf5d753eff2385063555da8bd4323e69311752a.

Reverting this commit because it relies on a changed libiwinfo API.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

rpcd: update to latest Git HEAD

078bb57 uci: reset uci_ptr flags when merging options during section add
3df62bc session: deny access if password login is disabled
efe51f4 iwinfo: add current hw and ht mode to info call

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

libubox: update to the latest version

86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)

libubox: update to the latest master

5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)

ramips: gsw_mt7621: disable PORT 5 MAC RX/TX flow control by default

Looking at the current upstream driver implementation, it seems like the
TX/RX flow control is enabled only if the flow control pause option is
resolved from the device/link partner advertisements (or otherwise set).

On the other hand, our current in-tree driver force enables TX/RX
flow control by default, thus possibly leading to TX timeouts if the
other end sends pause frames (which are not properly handled?):

WARNING: CPU: 3 PID: 0 at net/sched/sch_generic.c:320 dev_watchdog+0x1ac/0x324
NETDEV WATCHDOG: eth0 (mtk_soc_eth): transmit queue 0 timed out

Disabling the flow control on PORT 5 MAC seems to fix this issues as the
pause frames are then filtered out. While at it, I'm removing the if
condition completely as suggested, since this code is run only on mt7621
SoC, so there is no need to check for the silicon revisions.

Ref: https://lists.openwrt.org/pipermail/openwrt-devel/2017-November/009882.html
Ref: https://forum.openwrt.org/t/mtk-soc-eth-watchdog-timeout-after-r11573/50000/12
Suggested-by: Felix Fietkau <nbd@nbd.name>
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit c8f8e59816eca49d776562d2d302bf990a87faf0)

hostapd: backport wolfssl bignum fixes

crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 631c437a91c20df678b25dcc34fe23636116a35a)

ucert: update to latest git HEAD

00b921d80ac0 Do not print line number in debug messages
96c42c5ed320 Fix length checks in cert_load()
fe06b4b836b3 usign-exec: improve usign -F output handling
19f9e1917e1b usign-exec: return code fixes
077feb5b5824 usign-exec: close writing end of pipe early in parent process
7ec4bb764e1e usign-exec: remove redundant return statements
5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
112488bbbccc usign-exec: do not close stdin and stderr before exec
38dcb1a6f121 usign-exec: fix exec error handling
a9be4fb17df2 usign-exec: simplify usign execv calls
854d93e2326a Introduce read_file() helper, improve error reporting
afc86f352bf7 Fix return code of write_file()
fdff10852326 stdout/stderr improvements
dddb2aa8124d ci: fix unit test failures by enabling full ucert build
5f206bcfe5c2 ci: enable unit testing

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

brcm47xx: disable Netgear WNR2000 v2 by default

Disable the Netgear WNR2000 v2 image by default as the device has
insufficient flash space for release build images.

Ref: https://forum.openwrt.org/t/devices-too-big-to-save-overlay/18161/72
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
[drop change on netgear-wnr3500l-v1-na]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

squashfs: Fix compile with GCC 10

Fixes the following build error with GCC 10:
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `swap'; mksquashfs.o:(.bss+0x1b2a88): first defined here
And a compile warning.

Fixes: FS#3104, FS#3119
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1bbc1aa884902fd05cc579b53d68b2ba0b18683f)

usign: update to latest git HEAD

f1f65026a941 Always pad fingerprints to 16 characters

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit e35e40ad824eab9d51cdd690fb747e576e01412f)

usign: update to latest Git HEAD

f34a383 main: fix some resource leaks

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 81e93fff7d867851f2fedd966a931336d4092686)

ath79: add support for TP-Link TL-WA901ND v4 and v5

This ports support for the TL-WA901ND v4 and v5 from ar71xx to ath79.
They are similar to the TP9343-based TL-WR940N v3/v4 and TL-WR941ND v6.

Specifications:
  SoC: TP9343
  Flash/RAM: 4/32 MiB
  CPU: 750 MHz
  WiFi: 2.4 GHz b/g/n
  Ethernet: 1 port (100M)

Flashing instructions:
  Upload the factory image via the vendor firmware upgrade option.

Flash instruction (TFTP):
  1. Set PC to fixed ip address 192.168.0.66
  2. Download *-factory.bin image and rename it to * (see below)
  3. Start a tftp server with the image file in its root directory
  4. Turn off the router
  5. Press and hold Reset button
  6. Turn on router with the reset button pressed and wait ~15 seconds
  7. Release the reset button and after a short time
     the firmware should be transferred from the tftp server
  8. Wait ~30 second to complete recovery.

  * The image name for TFTP recovery is wa901ndv4_tp_recovery.bin for
  both variants.

In ar71xx, a MAC address with offset 1 was used for ethernet port.
That's probably wrong, but this commit sticks to it until we know
the correct value.

Like in ar71xx, this builds the default factory.bin with EU country
code.

Thanks to Leonardo Weiss for testing on the v5.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(backported from commit 4a61a88f9006f70444e00699f76551c75f73c14e)

ath79: add support for TP-Link TL-WA701ND/730RE/801ND/901ND v1

This adds support for the various clones of the TL-WA830RE recently
supported in fb99ac6807f2 ("ath79: add support for TP-Link TL-WA830RE v1"):

- tplink,tl-wa701nd-v1
- tplink,tl-wa730re-v1
- tplink,tl-wa801nd-v1
- tplink,tl-wa830re-v1 (already supported)
- tplink,tl-wa901nd-v1

Since these devices are 100%-clones in ar71xx, this patch adds all
of them without run-testing (as this has been done for TL-WA830RE v1).

Specifications:
- SOC: Atheros AR7240
- CPU: 400MHz
- Flash: 4 MiB (Spansion S25FL032P)
- RAM: 32 MiB (Zentel A3S56D40FTP-G5)
- WLAN: Atheros AR9280 bgn 2x2
- Ethernet: 1 port (100M)

Flash instructions:
- install from u-boot with tftp (requires serial access)
  > setenv ipaddr a.b.c.d
  > setenv serverip e.f.g.h
  > tftpboot 0x80000000 \
      openwrt-ath79-tiny-tplink_tl-waxxxxx-v1-squashfs-factory.bin
  > erase 0x9f020000 +0x3c0000
  > cp.b 0x80000000 0x9f020000 0x3c0000
  > bootm 0x9f020000
- flash factory image from OEM WebUI
- sysupgrade from ar71xx image

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(backported from commit 2f1cc5c3d5e35d6aa76e794e3d5b4f5856cd38bc)