OpenWrt 23.05.0-rc2 Changelog

This changelog lists all commits made in OpenWrt since the v23.05.0-rc1 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 23.05.0-rc2 release.

See also the release notes, which provide a more accessible overview of the main changes in 23.05.0-rc2.

b059aaf build: export GIT_CEILING_DIRECTORIES for package builds (+2)
d05d886 image: improve uImage.FIT device tree overlay support (+22,-8)
4bb75f6 image: introduce DEVICE_DTC_FLAGS and DEVICE_DTCO_FLAGS (+22,-9)
948dc51 treewide: add ORIG_PATH variable (+9)
c7bd7a9 prereq-build: fix inconsistent value of $PATH (+3,-4)
43b92ff prereq-build: do not replace binaries with symlinks (+4)
e972e4f prereq-build: replace relative symlinks only if broken (+5)
ea22a1f host-build: add support for a stampfile per installed binary (+4,-3)
f489858 grub2: enable EFI for armvirt (+41,-10)
ddb8845 scripts: gen_image_generic: allow the partition types to be set (+3,-1)
04d2f8f build: use 128MiB as the boot/kernel partition size on armvirt target (+1)
0bedcbb build: enable vmdk/vmware images for arm64 target (+2,-2)
a6afb3a config: change references from armvirt to armsr (+5,-5)
ded67a3 scripts: qemustart: change armvirt references to armsr (+9,-9)
c05c069 u-boot.mk: add support for config customization (+3)
341e312 generic: groundwork for RISC-V (+41)
68bc059 kernel: bump 5.15 to 5.15.115 (+140,-473)
1de5f74 kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af kernel: bump 5.15 to 5.15.117 (+36,-384)
63942b5 scripts: sercomm-kernel-header.py: improve compatibility (+3,-3)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

f307129 tools/findutils: define list of installed programs (+2)
0928545 tools/coreutils: rename list of installed programs (+4,-6)
0f30f47 firmware-utils: ptgen: add SiFive-related GUID types (+38)

948dc51 treewide: add ORIG_PATH variable (+9)

38f8f56 sdk: Expose CCACHE_DIR option (+7)
948dc51 treewide: add ORIG_PATH variable (+9)

948dc51 treewide: add ORIG_PATH variable (+9)
7390068 toolchain: gcc: backport inline subword atomic support for riscv (+6.2K,-3)

76cabb9 kernel: Backport mvneta crash fix to 5.15 (+567,-12)
b99b89d netfilter: fix typo in kmod-nft-dup-inet (+1,-1)
417b76b generic: drop useless binfmt patch fixing compilation warning (-94)
11677aa kernel: backport libcap workaround for BPF selftests (+433)
dc77819 generic: use only first element in bootconf for uImage.FIT (+15,-7)
7d48684 kernel: use struct group to wipe psb6970 volatile priv data (+9,-7)
ee7a223 kernel: fix wrong detection of Linux-Testing-Version in makefile DUMP (+9)
b1114c1 kernel: add mdio-bus-mux support (+15)
fc87a8f generic: b53: rename exported symbols to avoid upstream conflict (+21,-21)
4d13a09 kernel: modules: fix mdio-bus-mux description (+1,-1)
963ce69 kernel: kmod-amazon-ena: move to top level netdevices (+15,-18)
23a828f kernel: netdevices: change armvirt references to armsr (+4,-4)
753be38 kernel: mtd: bcm-wfi: add cferam name support (+14,-2)
68bc059 kernel: bump 5.15 to 5.15.115 (+140,-473)
8197901 kernel: add CONFIG_DRM_RCAR_USE_LVDS is not set (+1)
1de5f74 kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af kernel: bump 5.15 to 5.15.117 (+36,-384)
09322f3 kernel: remove bridge offload hack (-846)
2cef1c3 netfilter: fix typo in nf-socket and nf-tproxy kconfig (+2,-2)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

ecfcc47 uboot-rockchip: add Orange Pi R1 Plus support (+821)
3b8564f uboot-rockchip: add Orange Pi R1 Plus LTS support (+499)
5f3c584 uboot-mediatek: adapt BPi-R3 and BPi-R64 to new device tree overlay (+40,-20)
41af35c ipq807x: add initial support for prpl Foundation Haze board (+336,-1)
f489858 grub2: enable EFI for armvirt (+41,-10)
4b48f8a grub2: change armvirt reference to armsr (+1,-1)
848759c uboot-armsr: add support for QEMU armv7/armv8 (+104,-6)
08247ff opensbi: add package for RISC-V (+63)
a11f2e6 uboot-sifiveu: add bootloader package for SiFive Ux40 boards (+566)
8a07469 ramips: Add support for Beeline SmartBox TURBO+ (+320,-9)
b6f2c58 ath79: add support for Aruba AP-115 (+261)
cd17d8d filogic: add support for Netgear WAX220 (+324)

1e4f9db ubnt-ledbar: depend on mediatek and ramips subtargets (+1,-1)
a48d0bd openssl: fix uci config for built-in engines (+3,-10)
436e477 kselftests-bpf: add kernel BPF tests (+63)
c78ba8a valgrind: update to 3.21.0 (+25,-13)
e1d5949 openssl: update to 3.0.9 (+4,-294)
f3ec4a2 restool: update source.codeaurora.org repository link (+1,-1)
bc6bf2a unetd: update to the latest version (+3,-3)
412d030 network: prevent adding endpoint routes for addresses on the network (+81,-1)
faaf9ce utils: fix ipv4 checksum issue (+1,-1)
0e1c2fa pex-msg: fix memory leak on fread fail in pex_msg_update_request_init (+3,-1)
51be0ed host: fix crash parsing gateway when no endpoint is specified (+1,-1)
ca17601 wg-linux: add support for splitting netlink messages for allowed ips (+32,-12)
7d3986b wg-linux: increase default messages size (+10,-1)
03455e7 qca-nss-dp: fix oops in nss_dp_probe (+3,-2)
e9ea571 wolfssl: change armvirt reference to armsr (+2,-2)
cd650f1 openssl: add linux-riscv64 into the targets list (+5,-1)
e9d2ff8 openssl: passing cflags to configure (+2,-1)

774ca0c ls-dpl: update source.codeaurora.org repository link (+1,-1)
793b9cd ipq-wifi: bump to latest git HEAD (+5,-3)
77775d2 ipq8074: add Netgear SXK80 ()
6388ba9 ipq8074: update regdb for Netgear SXK80 BDF ()
c888dd0 qca-wireless: ipq40xx: Add BDFs for Eero Cento ()
a4cd21f ipq8074: add Compex WPQ873 BDF ()
0f73d32 ipq8074: update RegDB in new submitted BDF ()
7e6403a ipq-wifi: update to version 2023-06-03 (+5,-3)
47d5229 Add BDFs for prpl Foundation Haze board ()
a1897c8 qca-wireless: ipq40xx: add BDFs for ZTE MF287+ ()
a63bfab ipq8074: update RegDB in new submitted BDF ()
5b055ab qcn9074: update RegDB in new submitted BDF ()
40c4a35 Revert "ipq8074: update RegDB in new submitted BDF" ()
cd9c30c ipq8074: update RegDB in new submitted BDF ()

081dfcf base-files: enable BPF JIT kallsyms by default (+1)
25f6252 base-files: upgrade: nand: add JFFS2 cleanmarkers support (+10,-2)

42976b1 netifd: update to version 2023-05-31 (+3,-3)
fb1add3 bridge: remove stray newline from device status vlan port list (+1,-1)
1fe1d4f treewide: fix multiple compiler warnings (+30,-25)
9d68f39 cmake: fix build by reordering the cflags definitions (+2,-1)
9ba4229 bridge: make it more clear why the config was applied (+10,-4)
38cbdc1 bridge: bridge_dump_info: add dumping of bridge attributes (+26)
3bdefae netifd: Fix PKG_MIRROR_HASH (+1,-1)
bb03069 netifd: update to the latest version (+3,-3)
ec9dba7 system-linux: fix memory leak in system_bridge_vlan_check (-3)
02a37de odhcpd: bump to latest git HEAD (+3,-3)
c6bff6f router: Add PREF64 (RFC 8781) support (+97,-1)
5211264 odhcpd: add support for dhcpv6_pd_min_len parameter (+43)

c653104 libubox: update to the latest version (+3,-3)
b09b316 blobmsg: add blobmsg_parse_attr function (+7)
eac92a4 blobmsg: add blobmsg_parse_array_attr (+8,-1)
ef5e8e3 usock: fix poll return code check (+1,-4)
6fc29d1 jshn.sh: Add pretty-printing to json_dump (+11,-1)
5893cf7 blobmsg: Don't do at run-time what can be done at compile-time (+3,-3)
362951a uloop: fix uloop_run_timeout (+4,-5)
75a3b87 uloop: add support for integrating with a different event loop (+32,-13)
106c83a uhttpd: update to latest git HEAD (+3,-3)
34a8a74 uhttpd/file: fix string out of buffer range on uh_defer_script (+2,-2)

4743756 apm821xx: mx60: drop nand-is-boot-medium (-2)
04ddeb8 apm821xx: switch over from DTB_SIZE to DEVICE_DTC_FLAGS (+19,-34)

7198185 armsr: rename from armvirt (+38,-34)
848759c uboot-armsr: add support for QEMU armv7/armv8 (+104,-6)

7c223a8 armvirt: add EFI support (+393,-19)
3f72d24 armvirt: disable LD dead code elimination on ARM32 (+23)
649d3a7 armvirt: update README with new image names (+40,-8)
84f566b armvirt: set kernel partition as the EFI system partition (+1,-1)
b0e724e armvirt: remove model name override (-13)
0bedcbb build: enable vmdk/vmware images for arm64 target (+2,-2)
23ca9a1 armvirt: add ACPI support (+140,-1)
182fb97 armvirt: add 5.15 patches for NXP DPAA2 platform (+108)
f1a02ba armvirt: add options and driver modules for NXP Layerscape DPAA2 platform (+157,-5)
2bec445 armvirt: 64: add support for other SystemReady-compatible vendors (+308,-3)
3eb2543 armvirt: 64: Add NXP i.MX 8M Mini/Nano/Quad/Plus EVK support (+155,-3)
a80eeec armvirt: 64: Add storage support for qemu-sbsa platform (+4)
a86b74c armvirt: 64: add Marvell (formerly Cavium) ThunderX series network driver (+20,-2)
bbd1676 armvirt: 64: add Allwinner A3/A83T/A64 (sun8i family) Ethernet (+12,-1)
4177b69 armvirt: package and select Rockchip DWMAC Ethernet driver (+13,-2)
067f252 armvirt: config changes required for framebuffer console (+13)
bacc385 armvirt: base-files: add tty0 to inittab (+1)
86b5022 armvirt: 64: disable CONFIG_SMC91X (+1,-1)
7198185 armsr: rename from armvirt (+38,-34)

51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

1de5f74 kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af kernel: bump 5.15 to 5.15.117 (+36,-384)
b6f2c58 ath79: add support for Aruba AP-115 (+261)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

1de5f74 kernel: bump 5.15 to 5.15.116 (+18,-18)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

3506efe bcm63xx: fix NETGEAR DGND3700v2 boot loop (+1)
e6acfe0 bcm63xx: switch to standard nand_do_upgrade (+2,-37)
dee8ca6 bcm63xx: fix the Home Hub 2a power LED (+1,-1)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

8a77ffc bmips: bump LZMA Loader address (+1,-1)
725319a bmips: add support for Observa VH4032N (+269,-2)
f25afae bmips: add support for Netgear DGND3700 v1, DGND3800B (+334)
13579e6 bmips: add support for Netgear EVG2000 (+260,-1)
0ea4866 bmips: dts: improve and align device tree files (+40,-71)
b6c9312 bmips: image: rename Device/bcm63xx_netgear (+4,-4)
bb1f3eb bmips: dgnd3700v1/dgnd3800b: add missing kmod-leds-gpio (+4,-2)
0880d5d bmips: add support for Comtrend VR-3025un (+200)
cfdcf4b bmips: add support for Comtrend WAP-5813n (+249)
8f1251a bmips: add support for Comtrend AR-5381u (+205)
18a85ec bmips: fix NETGEAR DGND3700v2 boot loop (+1)
70afa8e bmips: switch to standard nand_do_upgrade (+4,-45)
40966d6 bmips: add support for Actiontec R1000H (+241)
b8bbe0d bmips: bump LOADER_ENTRY to RAM + 16M (+1,-1)
3d66e7f bmips: add support for Sercomm AD1018 (+353)
b073d6c bmips: dts: dgnd3700: fix WAN port (+1,-1)
66e1bef bmips: add support for Comtrend VG-8050 (+258)
6d37705 bmips: fix DMA RAC flush (+84)
43746c4 bmips: enable the data Read Ahead Cache for BMIPS4350 (+42)
ac68321 bmips: add support for NuCom R5010UNv2 (+234,-2)
aa256ab bmips: add support for Arcadyan AR7516 (+208)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

0c15f45 ipq40xx: convert Buffalo WTR-M2133HP to DSA (+31,-2)
b1b829a ipq40xx: meraki-mr33, meraki-mr74: disable image generation (+2)

ea11b6e ipq806x: use new package name for NEC WG2600HP3 (+1,-1)
11ad38f Revert "ipq806x: disable cache and fabric devfreq driver to improve stability" (+2,-2)
6f9495b ipq806x: set PERFORMANCE as the default cpufreq governor (+2,-2)

145d485 ipq807x: image: factor out common eMMC bits (+12,-9)
f8d26ec ipq807x: image: cleanup unused variables (-3)
41af35c ipq807x: add initial support for prpl Foundation Haze board (+336,-1)
1e7fa53 ipq807x: image: fix eMMC flashing/recovery from within initramfs (+2,-2)

51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

16d06a1 layerscape: 5.15: update source.codeaurora.org ppfe driver reference (+1,-1)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

c4c14e9 mediatek: use cpufreq fix suggested by MediaTek (+53,-29)
4494791 mediatek: use existing I2C clock names (+1,-56)
d46e13d mediatek: convert mt7986a-zyxel-ex5601-t0-stock.dts to UNIX (+560,-560)
bca0403 mediatek: use updated device tree overlay mechanism for BPi-R64 (+19,-2)
a65ec9f mediatek: sync MT7986 device trees with upstream (+994,-1.0K)
49bd38f mediatek: set new compat version if booted on R64 and R3 (+20)
703a551 mediatek: use DEVICE_DTC_FLAGS for BPi-R64 (+1)
e827f8f mediatek: use DEVICE_DTC_FLAGS and drop DTC_FLAGS where not needed (+1,-3)
1b6f2af kernel: bump 5.15 to 5.15.117 (+36,-384)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)
cd17d8d filogic: add support for Netgear WAX220 (+324)

76cabb9 kernel: Backport mvneta crash fix to 5.15 (+567,-12)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

2804fff oxnas: Enable CONFIG_CRYPTO_LZ4 (+3)

b42ee4d ramips: fix lzma-loader for ASIARF boards (+2)
0c885c1 ramips: tplink,mr600v2: fix image generation for sysupgrade image (+3)
91221d9 ramips: enable LED button for TP-Link EC330-G5u v1 (+16)
bc7362f ramips: fix first boot network configuration for TOZED ZLT S12 PRO (+1)
df34f71 ramips: fix button definitions for Zyxel WSM20 (+2,-2)
8b20b8f ramips: mt7621-dts: move wan port to gmac1 YunCore FAP-640 (+20,-7)
1de5f74 kernel: bump 5.15 to 5.15.116 (+18,-18)
8a07469 ramips: Add support for Beeline SmartBox TURBO+ (+320,-9)
0a63e72 ramips: mt7621: add support for Zbtlink ZBT-WG1608 (32M) (+29,-1)
fca03ea ramips: fix lan leds for Wavlink WL-WN535K1 (+5,-5)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

61c1b9a realtek: Add missing headers (+8)
e7aae81 realtek: eth: Do not write directly to dev->addr (+13,-11)
51c397c kernel: bump 5.15 to 5.15.118 (+50,-50)

c11115b rockchip: add Orange Pi R1 Plus support (+505,-3)
3f3586a rockchip: add Orange Pi R1 Plus LTS support (+88,-4)
a46e5ce rockchip: fix setup network config for nanopi r2c (+1)

4a281a7 sifiveu: add new target for SiFive U-based boards (+1.3K)
1b6f2af kernel: bump 5.15 to 5.15.117 (+36,-384)

ef1effd x86/64: Enable IOMMU_V2 support for later CPUs (+1,-1)
963ce69 kernel: kmod-amazon-ena: move to top level netdevices (+15,-18)

7198185 armsr: rename from armvirt (+38,-34)

7198185 armsr: rename from armvirt (+38,-34)

802e99a mac80211: backport EMA beacon support (+374,-2)
7baa157 mac80211: ath11k: sync with ath-next (+2.7K,-8)
e962f86 mac80211: always use mac80211 loss detection (+36)

8d557d4 CI: change armvirt reference to armsr (+2,-2)
55993f1 CI: labeler: add sifiveu target (+4)

#12766

Description: arm_mpcore: SDK fails to compile kmod-lib-lz4
Link: https://github.com/openwrt/openwrt/issues/12766
Commits:
2804fff oxnas: Enable CONFIG_CRYPTO_LZ4 (+3)

#12866

Description: openssl fails to compile for mips64_octeonplus
Link: https://github.com/openwrt/openwrt/issues/12866
Commits:
e9d2ff8 openssl: passing cflags to configure (+2,-1)

CVE-2023-0464

Description: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464
Commits:
e1d5949 openssl: update to 3.0.9 (+4,-294)

CVE-2023-0465

Description: Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465
Commits:
e1d5949 openssl: update to 3.0.9 (+4,-294)

CVE-2023-0466

Description: The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466
Commits:
e1d5949 openssl: update to 3.0.9 (+4,-294)

CVE-2023-1255

Description: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1255
Commits:
e1d5949 openssl: update to 3.0.9 (+4,-294)

CVE-2023-2650

Description: Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. 
The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650
Commits:
e1d5949 openssl: update to 3.0.9 (+4,-294)
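
A pre-parse check for the condition described under CVE-2023-2650, as an added example that is not part of this changelog or of OpenSSL: it walks a DER blob and reports every OBJECT IDENTIFIER whose longest sub-identifier exceeds a size limit, so such input can be rejected before it reaches code that translates OIDs to text. The limit MAX_SUBID_BYTES, the function names and the sample bytes are assumptions of this example.

```python
# Added example (not OpenSSL code): flag oversized OID sub-identifiers in DER input.
MAX_SUBID_BYTES = 16   # assumed policy limit for this example, not an OpenSSL constant
TAG_OID, CONSTRUCTED = 0x06, 0x20


def read_tlv(buf, pos, end):
    """Parse one DER TLV inside buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length


def longest_subid(oid_body):
    """Size in bytes of the longest base-128 sub-identifier in an OID value."""
    longest = run = 0
    for byte in oid_body:
        run += 1
        if not byte & 0x80:               # high bit clear ends a sub-identifier
            longest, run = max(longest, run), 0
    if run:
        raise ValueError("OID ends inside a sub-identifier")
    return longest


def oversized_oids(der, limit=MAX_SUBID_BYTES):
    """Return sorted (offset, longest_subid_bytes) for every OID over the limit."""
    hits, pending = [], [(0, len(der))]
    while pending:
        pos, end = pending.pop()
        while pos < end:
            tag, vstart, vend = read_tlv(der, pos, end)
            if tag == TAG_OID:
                size = longest_subid(der[vstart:vend])
                if size > limit:
                    hits.append((pos, size))
            elif tag & CONSTRUCTED:       # SEQUENCE, SET, [n] EXPLICIT: descend
                pending.append((vstart, vend))
            pos = vend
    return sorted(hits)


def _tlv(tag, body):
    """Short-form DER encoder for the constructed samples below (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body


# Constructed samples: AlgorithmIdentifier-shaped SEQUENCE { OID, NULL }.
SAMPLE_OK = bytes.fromhex("300d06092a864886f70d01010b0500")   # 1.2.840.113549.1.1.11
SAMPLE_BAD = _tlv(0x30, _tlv(0x06, b"\x2a" + b"\x81" * 63 + b"\x01") + _tlv(0x05, b""))

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, oversized_oids(blob))
```

DER nested inside OCTET STRING or BIT STRING values (certificate extensions, for example) is not descended into here; a filter placed in front of real traffic would need to cover that as well.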

  • Last modified: 2023/06/28 21:17
  • by hauke