procd: update to 021ece8
Use /dev/console for serial console if exists

Using BSS coloring is one way of improving performance on 802.11ax
radios, currently its only enabled by users adding he_bss_color to their
wireless UCI config.

This made sense as one could easily get BSS color collision as BSS color
range is 1-63.

Hostapd now has a way of dealing with BSS color collisions so we can just
assign a integer in the 1-63 range randomly if one is not set by users.

Signed-off-by: Robert Marko <robimarko@gmail.com>

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 37ff916a)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8674b41c)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d54f3b2c)

Fix two long-standing regressions.

Fixes: https://github.com/openwrt/openwrt/issues/8278


Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 5e48c534)

This fixes:
[    2.548098] bgmac_bcma bcma0:1: Failed to register fixed PHY device
[    2.554584] bgmac_bcma bcma0:1: Cannot connect to phy
and downstream (swconfig-based) b53 driver failing to load.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 6cdac994)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit fd71ef34)

The DGND3700v2 renames the cferam bootloader from cferam to cfeXXX, where XXX
is the number of firmware upgrades performed by the bootloader. Other bcm63xx
devices rename cferam.000 to cferam.XXX, but this device is special because
the cferam name isn't changed on the first firmware flashing but it's changed
on the subsequent ones.
Therefore, we need to look for "cfe" instead of "cferam" to properly detect
the cferam partition and fix the bootlop.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit cdfcac6e)

Some devices rename cferam bootloader using specific patterns and don't follow
broadcom standards for renaming cferam files. This requires supporting
different cferam file names.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 8813edd8)

The index.json file lies next to Packages index files and contains a
json dict with the package architecture and a dict of package names and
versions.

This can be used for downstream project to know what packages in which
versions are available.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 218ce40c)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

Import commit "ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size" which did not yet make it to stable upstream Linux trees.

Fixes: #12232
Fixes: #12339
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit aad34818)

007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 4f1c2e8d)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

Setting this options modifies the rootfs size of created images. When
installing a large number of packages it may become necessary to
increase the size to have enough storage.

This option is only useful for supported devices, i.e. with an attached
SD Card or installed on a hard drive.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 7b7edd25)

On any currently supported hardware, the performance impact should not
matter anymore.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 75e78bca)

Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d54c91bd)

The USB port on the MR8300 randomly fails to feed bus-powered devices.

This is caused by a misconfigured pinmux. The GPIO68 should be used to
enable the USB power (active low), but it's inside the NAND pinmux.

This GPIO pin was found in the original firmware at a startup script in
both MR8300 and EA8300. Therefore apply the fix for both boards.

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ed64c332)
Signed-off-by: Steffen Scheib <steffen@scheib.me>

Compile-tested: armvirt/64, lantiq/xrx200
Run-tested: armvirt/64, lantiq/xrx200

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

Due to SCHED_FIFO being a broken scheduler model, all users of
sched_setscheduler() are converted to sched_set_fifo_low() upstream and
sched_setscheduler() is no longer exported.

The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 31f3f797)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>