Merge pull request #2624 from freifunk-gluon/backport-2594-to-v2021.1.x

When running "fastd -v" fails, line may be NULL, causing a segfault in
strncmp.

(cherry picked from commit 8dd0f32c18)

.github/workflows/lint.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Install Dependencies
-        run: sudo apt install lua-check
+        run: sudo apt-get -y update && sudo apt-get -y install lua-check
       - name: Install example site
         run: ln -s ./docs/site-example ./site
       - name: Lint Lua code
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Install Dependencies
-        run: sudo apt install shellcheck
+        run: sudo apt-get -y update && sudo apt-get -y install shellcheck
       - name: Install example site
         run: ln -s ./docs/site-example ./site
       - name: Lint shell code

LICENSE

@@ -1,7 +1,7 @@
 The code of Project Gluon may be distributed under the following terms, unless
 noted otherwise in individual files or subtrees.
 
-Copyright (c) 2013-2021, Project Gluon
+Copyright (c) 2013-2022, Project Gluon
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -19,8 +19,9 @@ escape = '$(subst ','\'',$(1))'
 GLUON_SITEDIR ?= site
 $(eval $(call mkabspath,GLUON_SITEDIR))
 
-$(GLUON_SITEDIR)/site.mk:
-	$(error No site configuration was found. Please check out a site configuration to $(GLUON_SITEDIR))
+ifeq ($(realpath $(GLUON_SITEDIR)/site.mk),)
+$(error No site configuration was found. Please check out a site configuration to $(GLUON_SITEDIR))
+endif
 
 include $(GLUON_SITEDIR)/site.mk
 
@@ -176,6 +177,10 @@ config: $(LUA) FORCE
 	$(GLUON_ENV) $(LUA) scripts/target_config_check.lua
 
 
+container: FORCE
+	@scripts/container.sh
+
+
 all: config
 	+@
 	$(GLUON_ENV) $(LUA) scripts/clean_output.lua

README.md

@@ -21,7 +21,7 @@ the future development of Gluon.
 
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2021.1 && make update`.
+and switch to one by running `git checkout v2021.1.2 && make update`.
 
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
 If you upgrade using random master commits the nodes *will break* eventually.

docs/conf.py

@@ -20,11 +20,11 @@
 # -- Project information -----------------------------------------------------
 
 project = 'Gluon'
-copyright = '2015-2021, Project Gluon'
+copyright = '2015-2022, Project Gluon'
 author = 'Project Gluon'
 
 # The short X.Y version
-version = '2021.1'
+version = '2021.1.2'
 # The full version, including alpha/beta/rc tags
 release = version
 

docs/index.rst

@@ -78,60 +78,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
    :caption: Releases
    :maxdepth: 1
 
-   releases/v2021.1
-   releases/v2020.2.3
-   releases/v2020.2.2
-   releases/v2020.2.1
-   releases/v2020.2
-   releases/v2020.1.4
-   releases/v2020.1.3
-   releases/v2020.1.2
-   releases/v2020.1.1
-   releases/v2020.1
-   releases/v2019.1.3
-   releases/v2019.1.2
-   releases/v2019.1.1
-   releases/v2019.1
-   releases/v2018.2.4
-   releases/v2018.2.3
-   releases/v2018.2.2
-   releases/v2018.2.1
-   releases/v2018.2
-   releases/v2018.1.4
-   releases/v2018.1.3
-   releases/v2018.1.2
-   releases/v2018.1.1
-   releases/v2018.1
-   releases/v2017.1.8
-   releases/v2017.1.7
-   releases/v2017.1.6
-   releases/v2017.1.5
-   releases/v2017.1.4
-   releases/v2017.1.3
-   releases/v2017.1.2
-   releases/v2017.1.1
-   releases/v2017.1
-   releases/v2016.2.7
-   releases/v2016.2.6
-   releases/v2016.2.5
-   releases/v2016.2.4
-   releases/v2016.2.3
-   releases/v2016.2.2
-   releases/v2016.2.1
-   releases/v2016.2
-   releases/v2016.1.6
-   releases/v2016.1.5
-   releases/v2016.1.4
-   releases/v2016.1.3
-   releases/v2016.1.2
-   releases/v2016.1.1
-   releases/v2016.1
-   releases/v2015.1.2
-   releases/v2015.1.1
-   releases/v2015.1
-   releases/v2014.4
-   releases/v2014.3.1
-   releases/v2014.3
+   releases/index
 
 License
 -------

docs/releases/index.rst

@@ -0,0 +1,119 @@
+Release Notes
+=============
+
+.. toctree::
+   :caption: Gluon 2021.1
+   :maxdepth: 2
+
+   v2021.1.2
+   v2021.1.1
+   v2021.1
+
+.. toctree::
+   :caption: Gluon 2020.2
+   :maxdepth: 2
+
+   v2020.2.3
+   v2020.2.2
+   v2020.2.1
+   v2020.2
+
+.. toctree::
+   :caption: Gluon 2020.1
+   :maxdepth: 2
+
+   v2020.1.4
+   v2020.1.3
+   v2020.1.2
+   v2020.1.1
+   v2020.1
+
+.. toctree::
+   :caption: Gluon 2019.1
+   :maxdepth: 2
+
+   v2019.1.3
+   v2019.1.2
+   v2019.1.1
+   v2019.1
+
+.. toctree::
+   :caption: Gluon 2018.2
+   :maxdepth: 2
+
+   v2018.2.4
+   v2018.2.3
+   v2018.2.2
+   v2018.2.1
+   v2018.2
+
+.. toctree::
+   :caption: Gluon 2018.1
+   :maxdepth: 2
+
+   v2018.1.4
+   v2018.1.3
+   v2018.1.2
+   v2018.1.1
+   v2018.1
+
+.. toctree::
+   :caption: Gluon 2017.1
+   :maxdepth: 2
+
+   v2017.1.8
+   v2017.1.7
+   v2017.1.6
+   v2017.1.5
+   v2017.1.4
+   v2017.1.3
+   v2017.1.2
+   v2017.1.1
+   v2017.1
+
+.. toctree::
+   :caption: Gluon 2016.2
+   :maxdepth: 2
+
+   v2016.2.7
+   v2016.2.6
+   v2016.2.5
+   v2016.2.4
+   v2016.2.3
+   v2016.2.2
+   v2016.2.1
+   v2016.2
+
+.. toctree::
+   :caption: Gluon 2016.1
+   :maxdepth: 2
+
+   v2016.1.6
+   v2016.1.5
+   v2016.1.4
+   v2016.1.3
+   v2016.1.2
+   v2016.1.1
+   v2016.1
+
+.. toctree::
+   :caption: Gluon 2015.1
+   :maxdepth: 2
+
+   v2015.1.2
+   v2015.1.1
+   v2015.1
+
+.. toctree::
+   :caption: Gluon 2014.4
+   :maxdepth: 2
+
+   v2014.4
+
+.. toctree::
+   :caption: Gluon 2014.3
+   :maxdepth: 2
+
+   v2014.3.1
+   v2014.3
+

docs/releases/v2021.1.1.rst

@@ -0,0 +1,63 @@
+Gluon 2021.1.1
+==============
+
+Important notes
+---------------
+
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2 and later. This is due to migrations that have been removed to simplify maintenance.
+
+
+Added hardware support
+----------------------
+
+
+ath79-generic
+~~~~~~~~~~~~~
+
+* Joy-IT
+
+    - JT-OR750i
+
+
+ramips-mt76x8
+~~~~~~~~~~~~~
+
+* Xiaomi
+
+    - Mi Router 4A (100M Edition)
+
+
+Bugfixes
+--------
+
+- Missing bandwith limit settings resulted in a respondd crash for v2021.1.
+
+- The Tunneldigger VPN provider was not registered with the Gluon VPN backend, resulting in broken Tunneldigger configurations.
+
+- Disabling Radio interfaces in v2021.1 could lead to nullpointer dereferences in the respondd airtime module, as the survey returns no data in this case.
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2021.1.2.rst

@@ -0,0 +1,131 @@
+Gluon 2021.1.2
+==============
+
+Important notes
+---------------
+
+This release fixes a **critical security vulnerability** in Gluon's
+autoupdater.
+
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2
+and later. Migration code for upgrades from older versions has been removed to
+simplify maintenance.
+
+
+Updates
+-------
+
+- The Linux kernel was updated to version 4.14.275
+- The mac80211 wireless driver stack was updated to a version based on kernel
+  4.19.237
+
+Various minor package updates are not listed here and can be found in the commit
+log.
+
+
+Bugfixes
+--------
+
+* **[SECURITY]** Autoupdater: Fix signature verification
+
+  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
+  allows forgery of cryptographic signatures. This vulnerability can be
+  exploited to create a manifest accepted by the autoupdater without knowledge
+  of the signers' private keys. By intercepting nodes' connections to the update
+  server, such a manifest allows to distribute malicious firmware updates.
+
+  This is a **critical** vulnerability. All nodes with autoupdater must be
+  updated. Requiring multiple signatures for an update does *not* mitigate the
+  issue.
+
+  As a temporary workaround, the issue can be mitigated on individual nodes by
+  disabling the autoupdater via config mode or using the following commands::
+
+    uci set autoupdater.settings.enabled=0
+    uci commit autoupdater
+
+  A fixed firmware should be installed manually before enabling the autoupdater
+  again.
+
+  See security advisory `GHSA-qhcg-9ffp-78pw
+  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
+  for further information on this vulnerability.
+
+* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
+
+  The Config Mode was not validating the *Origin* header of POST requests.
+  This allowed arbitrary websites to modify   configuration (including SSH keys)
+  on a Gluon node in Config Mode reachable from a user's browser by sending POST
+  requests with form data to 192.168.1.1.
+
+  The impact of this issue is considered low, as nodes are only vulnerable while
+  in Config Mode.
+
+* Config Mode: Fix occasionally hanging page load after submitting the
+  configuration wizard causing the reboot message and VPN key not to be
+  displayed
+
+* Config Mode (OSM): Update default OpenLayers source URL
+
+  The OSM feature of the Config Mode was broken when the default source URL was
+  used for OpenLayers, as the old URL has become unavailable. The default was
+  updated to a URL that should not become unavailable again.
+
+* Config Mode (OSM): Fix error when using ``"`` character in attribution text
+
+* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
+  interfaces
+
+  Several improvements were made to the error handling of the
+  *respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
+  2021.1) was removed again.
+
+* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
+
+* Fix occasional build failure in "perl" package with high number of threads
+  (``-j32`` or higher)
+
+
+Other improvements
+------------------
+
+* Several improvements were made to the status page:
+
+  - WLAN channel display does not require the *respondd-module-airtime* package
+    anymore
+  - The "gateway nexthop" label now links to the status page of the nexthop node
+  - The timeout to retrieve information from neighbour nodes was increased,
+    making the display of the name
+    of overloaded, slow or otherwise badly reachable nodes more likely to
+    succeed
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
+  soft-bricked state due to bad blocks on the NAND flash which the NAND driver
+  before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page.
+    (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
+    account for the new throughput metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is
+  modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).

docs/releases/v2021.1.rst

@@ -57,8 +57,9 @@ Major changes
 Multicast optimizations (batman-adv)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-In this release, we reenable the multicast optimizations, that have gone through another round of bug squashing upstream. This reduces layer 2 overhead, especially for IPv6 neighbor discovery, because multicast traffic will be converted to unicast traffic when the number of subscribers does not exceed 16. This is beneficial as we would previously drop multicast traffic that wasn't explicitly allowed but now can allow multicast traffic if it wouldn't result in broadcast.
+In this release, we reenable the multicast optimizations, that have gone through another round of bug squashing upstream. With this feature batman-adv will distribute IPv6 link-local multicast packets via individual unicast packets instead of flooding them through the whole mesh as long as the number of subscribed nodes does not exceed 16. This reduces layer 2 overhead, especially for IPv6 Neighbor Discovery.
 
+We also relaxed the firewall for IPv6 multicast packets: Instead of always dropping non-essential multicast packets we now allow all IPv6 link-local multicast packets to pass when the destination group has up to 16 subscribers
 
 Status page
 ~~~~~~~~~~~

docs/site-example/site.conf

@@ -1,4 +1,4 @@
--- This is an example site configuration for Gluon v2021.1
+-- This is an example site configuration for Gluon v2021.1.2
 --
 -- Take a look at the documentation located at
 -- https://gluon.readthedocs.io/ for details.

docs/user/getting_started.rst

@@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2021.1*. Always get Gluon using git and don't try to download it
+e.g. *v2021.1.2*. Always get Gluon using git and don't try to download it
 as a Zip archive as the archive will be missing version information.
 
 Please keep in mind that there is no "default Gluon" build; a site configuration
@@ -40,11 +40,17 @@ freshly installed Debian Stretch system the following packages are required:
 * `time` (built-in `time` doesn't work)
 
 
+We also provide a container environment that already tracks all these dependencies. It quickly gets you up and running, if you already have either Docker or Podman installed locally.
+
+::
+
+   ./scripts/container.sh
+
 Building the images
 -------------------
 
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2021.1*.
+version you'd like to checkout, e.g. *v2021.1.2*.
 
 ::
 

docs/user/site.rst

@@ -478,7 +478,7 @@ config_mode \: optional
 
     *openlayers_url* allows to override the base URL of the
     *build/ol.js* and *css/ol.css* files (the default is
-    ``https://cdn.rawgit.com/openlayers/openlayers.github.io/master/en/v5.2.0``).
+    ``https://cdn.jsdelivr.net/gh/openlayers/openlayers.github.io@35ffe7626ce16c372143f3c903950750075e7068/en/v5.3.0``).
     It is also possible to replace the default tile layer (which is OpenStreetMap)
     with a custom one using the *tile_layer* section. Only XYZ layers are supported
     at this point.

docs/user/supported_devices.rst

@@ -405,6 +405,10 @@ ramips-mt76x8
 
   - VoCore2
 
+* Xiaomi
+
+  - Xiaomi Mi Router 4A (100M Edition)
+
 ramips-rt305x [#deprecated]_  [#device-class-tiny]_
 ---------------------------------------------------
 

modules

@@ -2,15 +2,16 @@ GLUON_FEEDS='packages routing gluon'
 
 OPENWRT_REPO=https://github.com/openwrt/openwrt.git
 OPENWRT_BRANCH=openwrt-19.07
-OPENWRT_COMMIT=ffd4452f8b241d1d5b5ea8a56206f51702bbd6c5
+OPENWRT_COMMIT=83b0e20711ee4a927634b3c2a018c93527e84a2b
 
 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
 PACKAGES_PACKAGES_BRANCH=openwrt-19.07
-PACKAGES_PACKAGES_COMMIT=476b8b82bb7447a1ed847c96d85de567e09cdb62
+PACKAGES_PACKAGES_COMMIT=1c5e4c80f49bfddaee1998636fd8efe915fee7fc
 
-PACKAGES_ROUTING_REPO=https://github.com/openwrt-routing/packages.git
+PACKAGES_ROUTING_REPO=https://github.com/openwrt/routing.git
 PACKAGES_ROUTING_BRANCH=openwrt-19.07
-PACKAGES_ROUTING_COMMIT=101632e153b41238bc19dfd96ba2d23339dbcb76
+PACKAGES_ROUTING_COMMIT=8f23999365de1bf2617e03d3f536e4542258d985
 
 PACKAGES_GLUON_REPO=https://github.com/freifunk-gluon/packages.git
-PACKAGES_GLUON_COMMIT=8d53ff54e562ddb2ed8397781dd78edc76f6ff38
+PACKAGES_GLUON_BRANCH=v2021.1.x
+PACKAGES_GLUON_COMMIT=f9ef3fc7d9d7b270de893e80cf6fba916c06bf45

package/gluon-config-mode-core/luasrc/lib/gluon/config-mode/model/gluon-config-mode/wizard.lua

@@ -22,7 +22,7 @@ function f:write()
 	uci:set("gluon-setup-mode", uci:get_first("gluon-setup-mode", "setup_mode"), "configured", true)
 	uci:save("gluon-setup-mode")
 
-	os.execute('gluon-reconfigure')
+	os.execute('exec gluon-reconfigure >/dev/null')
 
 	f.template = "wizard/reboot"
 	f.package = "gluon-config-mode-core"

package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac

@@ -130,6 +130,9 @@ local primary_addrs = {
 			'tplink,c2-v1',
 			'ex3700'
 		}},
+		{'ramips', 'mt76x8', {
+			'xiaomi,mir4a-100m',
+		}},
 		{'x86'},
 	}},
 	{interface('wan'), {

package/gluon-mesh-vpn-core/src/respondd.c

@@ -60,11 +60,11 @@ static struct json_object * get_bandwidth_limit(void) {
 	enabled = true;
 
 	const char *egress_str = uci_lookup_option_string(ctx, s, "limit_egress");
-	if (strcmp(egress_str, "-"))
+	if (egress_str && strcmp(egress_str, "-"))
 		egress = atoi(egress_str);
 
 	const char *ingress_str = uci_lookup_option_string(ctx, s, "limit_ingress");
-	if (strcmp(ingress_str, "-"))
+	if (ingress_str && strcmp(ingress_str, "-"))
 		ingress = atoi(ingress_str);
 
 	if (egress >= 0)
@@ -110,6 +110,9 @@ static struct json_object * get_mesh_vpn_enabled() {
 	int enabled = -1;
 	char *line = read_stdout("exec lua -e 'print(require(\"gluon.mesh-vpn\").enabled())'");
 
+	if (!line)
+		return NULL;
+
 	if (!strcmp(line, "true"))
 		enabled = 1;
 	if (!strcmp(line, "false"))
@@ -126,7 +129,7 @@ static struct json_object * get_mesh_vpn_enabled() {
 static struct json_object * get_active_vpn_provider() {
 	char *line = read_stdout("exec lua -e 'name, _ = require(\"gluon.mesh-vpn\").get_active_provider(); print(name)'");
 
-	if (!strcmp(line, "nil")) {
+	if (line && !strcmp(line, "nil")) {
 		free(line);
 		return NULL;
 	}

package/gluon-mesh-vpn-fastd/src/respondd.c

@@ -65,7 +65,7 @@ static struct json_object * get_fastd_version(void) {
 	}
 
 	const char *version = line;
-	if (strncmp(version, "fastd ", 6) == 0)
+	if (version && strncmp(version, "fastd ", 6) == 0)
 		version += 6;
 
 	struct json_object *ret = gluonutil_wrap_string(version);

package/gluon-neighbour-info/src/gluon-neighbour-info.c

@@ -69,8 +69,23 @@ void tv_subtract (struct timeval *r, const struct timeval *a, const struct timev
 	}
 }
 
-ssize_t recvtimeout(int socket, void *buffer, size_t length, int flags, const struct timeval *timeout) {
+void resize_recvbuffer(char **recvbuffer, size_t *recvbuffer_len, size_t recvlen)
+{
+	free(*recvbuffer);
+	*recvbuffer = malloc(recvlen);
+
+	if (!(*recvbuffer)) {
+		perror("Could not resize recvbuffer");
+		exit(EXIT_FAILURE);
+	}
+
+	*recvbuffer_len = recvlen;
+}
+
+ssize_t recvtimeout(int socket, char **recvbuffer, size_t *recvbuffer_len,
+		    const struct timeval *timeout) {
 	struct timeval now, timeout_left;
+	ssize_t recvlen;
 
 	getclock(&now);
 	tv_subtract(&timeout_left, timeout, &now);
@@ -79,18 +94,28 @@ ssize_t recvtimeout(int socket, void *buffer, size_t length, int flags, const st
 		return -1;
 
 	setsockopt(socket, SOL_SOCKET, SO_RCVTIMEO, &timeout_left, sizeof(timeout_left));
-	return recv(socket, buffer, length, flags);
+
+	recvlen = recv(socket, NULL, 0, MSG_PEEK | MSG_TRUNC);
+	if (recvlen < 0)
+		return recvlen;
+
+	if (recvlen > *recvbuffer_len)
+		resize_recvbuffer(recvbuffer, recvbuffer_len, recvlen);
+
+	return recv(socket, *recvbuffer, *recvbuffer_len, 0);
 }
 
-int request(const int sock, const struct sockaddr_in6 *client_addr, const char *request, const char *sse, double timeout, unsigned int max_count) {
+int request(const int sock, char **recvbuffer, size_t *recvbuffer_len,
+	    const struct sockaddr_in6 *client_addr, const char *request,
+	    const char *sse, double timeout, unsigned int max_count) {
 	ssize_t ret;
-	char buffer[8192];
 	unsigned int count = 0;
 
 	ret = sendto(sock, request, strlen(request), 0, (struct sockaddr *)client_addr, sizeof(struct sockaddr_in6));
 
 	if (ret < 0) {
 		perror("Error in sendto()");
+		free(*recvbuffer);
 		exit(EXIT_FAILURE);
 	}
 
@@ -105,7 +130,7 @@ int request(const int sock, const struct sockaddr_in6 *client_addr, const char *
 	}
 
 	do {
-		ret = recvtimeout(sock, buffer, sizeof(buffer), 0, &tv_timeout);
+		ret = recvtimeout(sock, recvbuffer, recvbuffer_len, &tv_timeout);
 
 		if (ret < 0)
 			break;
@@ -116,7 +141,7 @@ int request(const int sock, const struct sockaddr_in6 *client_addr, const char *
 			fputs("data: ", stdout);
 		}
 
-		fwrite(buffer, sizeof(char), ret, stdout);
+		fwrite(*recvbuffer, sizeof(char), ret, stdout);
 
 		if (sse)
 			fputs("\n\n", stdout);
@@ -137,6 +162,8 @@ int main(int argc, char **argv) {
 	int sock;
 	struct sockaddr_in6 client_addr = {};
 	char *request_string = NULL;
+	char *recvbuffer = NULL;
+	size_t recvbuffer_len = 0;
 
 	sock = socket(PF_INET6, SOCK_DGRAM, 0);
 
@@ -243,11 +270,13 @@ int main(int argc, char **argv) {
 	}
 
 	do {
-		ret = request(sock, &client_addr, request_string, sse, timeout, max_count);
+		ret = request(sock, &recvbuffer, &recvbuffer_len, &client_addr,
+			      request_string, sse, timeout, max_count);
 	} while(loop);
 
 	if (sse)
 		fputs("event: eot\ndata: null\n\n", stdout);
 
+	free(recvbuffer);
 	return ret;
 }

package/gluon-status-page/files/lib/gluon/status-page/view/status-page.html

@@ -1,7 +1,11 @@
 <%-
+	local iwinfo = require 'iwinfo'
 	local ubus = require 'ubus'
 	local unistd = require 'posix.unistd'
 	local util = require 'gluon.util'
+	local wireless = require 'gluon.wireless'
+
+	local uci = require('simple-uci').cursor()
 
 	local translations = {}
 	local site_i18n = i18n 'gluon-site'
@@ -29,17 +33,31 @@
 
 	local mesh = get_mesh()
 
-	local function get_interfaces()
-		local uconn = ubus.connect()
-		if not uconn then
-			error('failed to connect to ubus')
-		end
+	local function get_interfaces(uconn)
 		local interfaces = util.get_mesh_devices(uconn)
-		ubus.close(uconn)
 		table.sort(interfaces)
 		return interfaces
 	end
 
+	local function get_radios()
+		local ret = {}
+
+		wireless.foreach_radio(uci, function(radio)
+			local channel = iwinfo.nl80211.channel(wireless.find_phy(radio))
+			if channel then
+				table.insert(ret, {
+					name = radio['.name'],
+					channel = channel,
+				})
+			end
+		end)
+		table.sort(ret, function(a, b)
+			return a.name < b.name
+		end)
+
+		return ret
+	end
+
 	local function is_wireless(iface)
 		while true do
 			local pattern = '/sys/class/net/' .. iface .. '/lower_*'
@@ -52,7 +70,16 @@
 		return unistd.access('/sys/class/net/' .. iface .. '/wireless') ~= nil
 	end
 
-	local interfaces = get_interfaces()
+	local uconn = ubus.connect()
+	if not uconn then
+		error('failed to connect to ubus')
+	end
+
+	local interfaces = get_interfaces(uconn)
+
+	ubus.close(uconn)
+
+	local radios = get_radios()
 
 	local function sorted(t)
 		t = {unpack(t)}
@@ -66,12 +93,17 @@
 
 	local function formatBits(bits)
 		local units = {[0]='', 'k', 'M', 'G'}
+		local unit = 0
 
-		local pow = math.floor(math.log(math.max(math.abs(bits), 1)) / math.log(1000))
-		local known_pow = math.min(pow, #units)
+		for i = 1, #units do
+			if math.abs(bits) < 1000 then
+				break
+			end
+			unit = i
+			bits = bits / 1000
+		end
 
-		local significand = bits/(1000^known_pow)
-		return string.format('%g %sbit', significand, units[known_pow])
+		return string.format('%g %sbit', bits, units[unit])
 	end
 
 	local function statistics(key, format)
@@ -135,11 +167,11 @@
 						<% if nodeinfo.network.mesh_vpn.bandwidth_limit.enabled then -%>
 						<dt><%:Bandwidth limit%></dt>
 						<dd>
-							<% if nodeinfo.network.mesh_vpn.bandwidth_limit.egress then -%>
-								▲ <%| formatBits(nodeinfo.network.mesh_vpn.bandwidth_limit.egress*1000) %>/s <%:upstream%><br />
-							<%- end %>
 							<% if nodeinfo.network.mesh_vpn.bandwidth_limit.ingress then -%>
-								▼ <%| formatBits(nodeinfo.network.mesh_vpn.bandwidth_limit.ingress*1000) %>/s <%:downstream%>
+								▼ <%| formatBits(nodeinfo.network.mesh_vpn.bandwidth_limit.ingress*1000) %>/s <%:downstream%><br />
+							<%- end %>
+							<% if nodeinfo.network.mesh_vpn.bandwidth_limit.egress then -%>
+								▲ <%| formatBits(nodeinfo.network.mesh_vpn.bandwidth_limit.egress*1000) %>/s <%:upstream%>
 							<%- end %>
 						</dd>
 						<%- end %>
@@ -190,11 +222,17 @@
 					<tr><th><%:Wireless 2.4 GHz%></th><td><%= statistics('clients/wifi24') %></td></tr>
 					<tr><th><%:Wireless 5 GHz%></th><td><%= statistics('clients/wifi5') %></td></tr>
 				</table>
-					<div id="radios" style="display: none">
+				<% if radios[1] then -%>
 					<h3><%:Radios%></h3>
-					<table id="radio-devices">
+					<table>
+						<% for _, radio in ipairs(radios) do -%>
+							<tr>
+								<th><%| radio.name %></th>
+								<td><%| translatef('Channel %u', radio.channel) %></td>
+							</tr>
+						<%- end %>
 					</table>
-				</div>
+				<%- end %>
 
 				<h3><%:Traffic%></h3>
 				<table>

package/gluon-status-page/i18n/de.po

@@ -31,8 +31,8 @@ msgstr "Automatische Updates"
 msgid "Bandwidth limit"
 msgstr "Bandbreitenlimit"
 
-msgid "Channel"
-msgstr "Kanal"
+msgid "Channel %u"
+msgstr "Kanal %u"
 
 msgid "Clients"
 msgstr "Clients"

package/gluon-status-page/i18n/gluon-status-page.pot

@@ -22,7 +22,7 @@ msgstr ""
 msgid "Bandwidth limit"
 msgstr ""
 
-msgid "Channel"
+msgid "Channel %u"
 msgstr ""
 
 msgid "Clients"

package/gluon-status-page/javascript/status-page.js

@@ -121,7 +121,15 @@
 				var neigh = iface.lookup_neigh(addr);
 				if (!neigh)
 					continue;
-				return 'via ' + neigh.get_hostname() + ' (' + i + ')';
+
+				var span = document.createElement('span');
+				span.appendChild(document.createTextNode('via '));
+				var a = document.createElement('a');
+				a.href = 'http://[' + neigh.get_addr() + ']/';
+				a.textContent = neigh.get_hostname();
+				span.appendChild(a);
+				span.appendChild(document.createTextNode(' (' + i + ')'));
+				return span;
 			}
 
 			return 'via ' + addr + ' (unknown iface)';
@@ -208,50 +216,6 @@
 		});
 	}
 
-	function update_radios(wireless) {
-		function channel(frequency) {
-			if (frequency===2484)
-				return 14
-
-			if (2412<=frequency && frequency<=2472)
-				return (frequency-2407)/5
-
-			if (5160<=frequency && frequency<=5885)
-				return (frequency-5000)/5
-
-			return 'unknown'
-		}
-
-		var div = document.getElementById('radios');
-		if (!wireless) {
-			div.style.display = 'none';
-			return;
-		}
-		div.style.display = '';
-
-		var table = document.getElementById('radio-devices');
-		while (table.lastChild)
-			table.removeChild(table.lastChild);
-
-		wireless.sort(function (a, b) {
-			return a.phy - b.phy;
-		});
-
-		wireless.forEach(function (radio) {
-			var tr = document.createElement('tr');
-
-			var th = document.createElement('th');
-			th.textContent = "phy" + radio.phy;
-			tr.appendChild(th);
-
-			var td = document.createElement('td');
-			td.innerHTML = radio.frequency + " MHz<br />Channel " + channel(radio.frequency);
-			tr.appendChild(td);
-
-			table.appendChild(tr);
-		});
-	}
-
 	var statisticsElems = document.querySelectorAll('[data-statistics]');
 
 	add_event_source('/cgi-bin/dyn/statistics', function(data, dataPrev) {
@@ -264,9 +228,16 @@
 			var valuePrev = resolve_key(dataPrev, stat);
 			var value = resolve_key(data, stat);
 			try {
-				var text = formats[format](value, valuePrev, diff);
-				if (text !== undefined)
-					elem.textContent = text;
+				var format_result = formats[format](value, valuePrev, diff);
+				switch (typeof format_result) {
+					case "object":
+						if (elem.lastChild)
+							elem.removeChild(elem.lastChild);
+						elem.appendChild(format_result);
+						break;
+					default:
+						elem.textContent = format_result;
+				}
 			} catch (e) {
 				console.error(e);
 			}
@@ -277,11 +248,6 @@
 		} catch (e) {
 			console.error(e);
 		}
-		try {
-			update_radios(data.wireless);
-		} catch (e) {
-			console.error(e);
-		}
 	})
 
 	function haversine(lat1, lon1, lat2, lon2) {
@@ -319,7 +285,7 @@
 			'resize': function(w, h) {
 				var lastImage;
 				try {
-					ctx.getImageData(0, 0, w, h);
+					lastImage = ctx.getImageData(0, 0, w, h);
 				} catch (e) {}
 				canvas.width = w;
 				canvas.height = h;
@@ -492,6 +458,7 @@
 		}
 
 		var hostname = document.createElement("span");
+		var addr;
 		hostname.textContent = addr;
 		tdHostname.appendChild(hostname);
 
@@ -552,13 +519,13 @@
 			el.classList.add("highlight");
 			if (signal)
 				signal.highlight = true;
-		}
+		};
 
 		el.onmouseleave = function () {
-			el.classList.remove("highlight")
+			el.classList.remove("highlight");
 			if (signal)
 				signal.highlight = false;
-		}
+		};
 
 		var timeout;
 
@@ -586,7 +553,8 @@
 			var n = parts.length;
 			var groups = [];
 
-			parts.forEach(function(part, i) {
+			for (var i = 0; i < parts.length; i++) {
+				var part = parts[i];
 				if (part === '') {
 					while (n++ <= 8)
 						groups.push(0);
@@ -596,7 +564,7 @@
 
 					groups.push(parseInt(part, 16));
 				}
-			});
+			};
 
 			return groups;
 		}
@@ -664,8 +632,11 @@
 			'get_hostname': function() {
 				return hostname.textContent;
 			},
+			'get_addr': function() {
+				return addr;
+			},
 			'update_nodeinfo': function(nodeinfo) {
-				var addr = choose_address(nodeinfo.network.addresses);
+				addr = choose_address(nodeinfo.network.addresses);
 				if (addr) {
 					if (hostname.nodeName.toLowerCase() === 'span') {
 						var oldHostname = hostname;

package/gluon-status-page/luasrc/lib/gluon/status-page/controller/status-page.lua

@@ -61,7 +61,7 @@ local function match(a, b, n)
 end
 
 entry({}, call(function(http, renderer)
-	local nodeinfo = json.parse(util.exec('exec gluon-neighbour-info -d ::1 -p 1001 -t 1 -c 1 -r nodeinfo'))
+	local nodeinfo = json.parse(util.exec('exec gluon-neighbour-info -d ::1 -p 1001 -t 3 -c 1 -r nodeinfo'))
 
 	local node_ip = parse_ip(http:getenv('SERVER_ADDR'))
 	if node_ip and (

package/gluon-web-admin/files/lib/gluon/config-mode/view/admin/upgrade.html

@@ -44,7 +44,6 @@ $Id$
 
 	<div class="gluon-page-actions">
 		<input type="hidden" name="step" value="2" />
-		<input type="hidden" name="token" value="<%=token%>" />
 		<input class="gluon-button gluon-button-submit" type="submit" value="<%:Upload image%>" />
 	</div>
 </form>

package/gluon-web-admin/files/lib/gluon/config-mode/view/admin/upgrade_confirm.html

@@ -49,13 +49,11 @@ You may obtain a copy of the License at
   <form method="post" enctype="multipart/form-data" action="<%|url(request)%>" style="display:inline">
     <input type="hidden" name="step" value="3" />
     <input type="hidden" name="keepcfg" value="<%=keepconfig and "1" or "0"%>" />
-    <input type="hidden" name="token" value="<%=token%>" />
     <input class="gluon-button gluon-button-submit" type="submit" value="<%:Continue%>" />
   </form>
   <form method="post" enctype="multipart/form-data" action="<%|url(request)%>" style="display:inline">
     <input type="hidden" name="step" value="1" />
     <input type="hidden" name="keepcfg" value="<%=keepconfig and "1" or "0"%>" />
-    <input type="hidden" name="token" value="<%=token%>" />
     <input class="gluon-button gluon-button-reset" type="submit" value="<%:Cancel%>" />
   </form>
 </div>

package/gluon-web-model/files/lib/gluon/web/view/model/form.html

@@ -1,5 +1,4 @@
 <form method="post" enctype="multipart/form-data" action="<%|url(request)%>" data-update="reset">
-	<input type="hidden" name="token" value="<%=token%>" />
 	<input type="hidden" name="<%=id%>" value="1" />
 
 	<div class="gluon-form" id="form-<%=id%>">

package/gluon-web-osm/files/lib/gluon/web/view/model/osm/map.html

@@ -1,6 +1,7 @@
 <div id="<%=id%>" class="gluon-osm-map" style="display: none"></div>
 <script type="text/javascript" src="/static/gluon-web-osm.js"></script>
 <script type="text/javascript">
+	//<![CDATA[
 	(function() {
 		var elMap = document.getElementById(<%=json(id)%>);
 		var wrapper = elMap.parentNode;
@@ -41,4 +42,5 @@
 			});
 		});
 	})();
+	//]]>
 </script>

package/gluon-web-osm/luasrc/usr/lib/lua/gluon/web/model/osm.lua

@@ -4,7 +4,8 @@ local util = require "gluon.web.util"
 local class = util.class
 
 
-local DEFAULT_URL = 'https://cdn.rawgit.com/openlayers/openlayers.github.io/master/en/v5.2.0'
+local DEFAULT_URL =
+	'https://cdn.jsdelivr.net/gh/openlayers/openlayers.github.io@35ffe7626ce16c372143f3c903950750075e7068/en/v5.3.0'
 
 
 local M = {}

package/gluon-web/luasrc/usr/lib/lua/gluon/web/dispatcher.lua

@@ -184,9 +184,15 @@ local function dispatch(config, http, request)
 		return
 	end
 
-	http:parse_input(node.filehandler)
+	local ok, err = pcall(http.parse_input, http, node.filehandler)
+	if not ok then
+		http:status(400, "Bad request")
+		http:prepare_content("text/plain")
+		http:write(err .. "\r\n")
+		return
+	end
 
-	local ok, err = pcall(node.target)
+	ok, err = pcall(node.target)
 	if not ok then
 		http:status(500, "Internal Server Error")
 		renderer.render_layout("error/500", {
@@ -208,6 +214,6 @@ return function(config, http)
 	if not ok then
 		http:status(500, "Internal Server Error")
 		http:prepare_content("text/plain")
-		http:write(err)
+		http:write(err .. "\r\n")
 	end
 end

package/gluon-web/luasrc/usr/lib/lua/gluon/web/http/protocol.lua

@@ -108,16 +108,11 @@ end
 --  o String value containing a chunk of the file data
 --  o Boolean which indicates whether the current chunk is the last one (eof)
 local function mimedecode_message_body(src, msg, filecb)
-
-	if msg and msg.env.CONTENT_TYPE then
-		msg.mime_boundary = msg.env.CONTENT_TYPE:match("^multipart/form%-data; boundary=(.+)$")
+	local mime_boundary = (msg.env.CONTENT_TYPE or ''):match("^multipart/form%-data; boundary=(.+)$")
+	if not mime_boundary then
+		error("Invalid Content-Type found")
 	end
 
-	if not msg.mime_boundary then
-		return nil, "Invalid Content-Type found"
-	end
-
-
 	local tlen   = 0
 	local inhdr  = false
 	local field  = nil
@@ -188,10 +183,10 @@ local function mimedecode_message_body(src, msg, filecb)
 			local spos, epos, found
 
 			repeat
-				spos, epos = data:find("\r\n--" .. msg.mime_boundary .. "\r\n", 1, true)
+				spos, epos = data:find("\r\n--" .. mime_boundary .. "\r\n", 1, true)
 
 				if not spos then
-					spos, epos = data:find("\r\n--" .. msg.mime_boundary .. "--\r\n", 1, true)
+					spos, epos = data:find("\r\n--" .. mime_boundary .. "--\r\n", 1, true)
 				end
 
 
@@ -250,20 +245,61 @@ local function mimedecode_message_body(src, msg, filecb)
 		return true
 	end
 
-	return pump(src, snk)
+	assert(pump(src, snk))
+end
+
+local function check_post_origin(msg)
+	local default_port = '80'
+	local request_scheme = 'http'
+	if msg.env.HTTPS then
+		default_port = '443'
+		request_scheme = 'https'
+	end
+
+	local request_host = msg.env.HTTP_HOST
+	if not request_host then
+		error('POST request without Host header')
+	end
+	if not request_host:match(':[0-9]+$') then
+		request_host = request_host .. ':' .. default_port
+	end
+
+	local origin = msg.env.HTTP_ORIGIN
+	if not origin then
+		error('POST request without Origin header')
+	end
+	local origin_scheme, origin_host = origin:match('^([^:]*)://(.*)$')
+	if not origin_host then
+		error('POST request with invalid Origin header')
+	end
+	if not origin_host:match(':[0-9]+$') then
+		local origin_port
+		if origin_scheme == 'http' then
+			origin_port = '80'
+		elseif origin_scheme == 'https' then
+			origin_port = '443'
+		else
+			error('POST request with invalid Origin header')
+		end
+		origin_host = origin_host .. ':' .. origin_port
+	end
+
+	if request_scheme ~= origin_scheme or request_host ~= origin_host then
+		error('Invalid cross-origin POST')
+	end
 end
 
 -- This function will examine the Content-Type within the given message object
 -- to select the appropriate content decoder.
 -- Currently only the multipart/form-data mime type is supported.
 function M.parse_message_body(src, msg, filecb)
-	if not (msg.env.REQUEST_METHOD == "POST" and msg.env.CONTENT_TYPE) then
+	if msg.env.REQUEST_METHOD ~= "POST" then
 		return
 	end
 
-	if msg.env.CONTENT_TYPE:match("^multipart/form%-data") then
-		return mimedecode_message_body(src, msg, filecb)
-	end
+	check_post_origin(msg)
+
+	mimedecode_message_body(src, msg, filecb)
 end
 
 return M

patches/openwrt/0013-mac80211-create-channel-list-for-fixed-channel-operation.patch

@@ -13,10 +13,10 @@ circumvent this issue.
 Signed-off-by: David Bauer <mail@david-bauer.net>
 
 diff --git a/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh b/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh
-index 36aebbb2ccfec2137d5d260fe2111d77f531ddec..367a3e8e37a8e8435c35ca2912ef0855efbdfc78 100644
+index bb48ab9a15e470b6807693e08fdc84fb3c94aeed..272fb2a726bb34fa3ab74dfe48150197dbf918ca 100644
 --- a/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh
 +++ b/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh
-@@ -100,6 +100,9 @@ mac80211_hostapd_setup_base() {
+@@ -101,6 +101,9 @@ mac80211_hostapd_setup_base() {
  	json_get_vars noscan ht_coex
  	json_get_values ht_capab_list ht_capab tx_burst
  

patches/openwrt/0015-kernel-bridge-Implement-MLD-Querier-wake-up-calls-Android-bug-workaround.patch

@@ -1954,10 +1954,10 @@ index 0000000000000000000000000000000000000000..92bb9275df9d54778ce8f00b1cb6e999
 +2.27.0
 +
 diff --git a/target/linux/generic/config-4.14 b/target/linux/generic/config-4.14
-index d54ede9efda0a3ffd84e9a0c49dc410a01737d82..15b50523bf55d9a77fc1655ec6ba6ffde6d93a3e 100644
+index a0569e4eb0e1249880864563ee980fadcbcc4ac6..c672ee6ff8e7540920c48be9f0a45ed73e428c1b 100644
 --- a/target/linux/generic/config-4.14
 +++ b/target/linux/generic/config-4.14
-@@ -628,6 +628,7 @@ CONFIG_BRIDGE=y
+@@ -630,6 +630,7 @@ CONFIG_BRIDGE=y
  # CONFIG_BRIDGE_EBT_T_NAT is not set
  # CONFIG_BRIDGE_EBT_VLAN is not set
  CONFIG_BRIDGE_IGMP_SNOOPING=y

patches/openwrt/0020-ipq40xx-add-support-for-Plasma-Cloud-PA1200.patch

@@ -429,7 +429,7 @@ index 0000000000000000000000000000000000000000..bcb9552ce777d1d522c7642649e22ec2
 +	qcom,ath10k-calibration-variant = "PlasmaCloud-PA1200";
 +};
 diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile
-index 68dcbc59a42f6d8360b87c7b4e74cd34f697b465..e14d00ad08b8caf2dae935d573f0ba7bb0433c23 100644
+index 68dcbc59a42f6d8360b87c7b4e74cd34f697b465..3a2e7a4410afcba1a1369cac328e237fc350668b 100644
 --- a/target/linux/ipq40xx/image/Makefile
 +++ b/target/linux/ipq40xx/image/Makefile
 @@ -345,6 +345,21 @@ endef
@@ -447,7 +447,7 @@ index 68dcbc59a42f6d8360b87c7b4e74cd34f697b465..e14d00ad08b8caf2dae935d573f0ba7b
 +	IMAGES = factory.bin sysupgrade.bin
 +	IMAGE/factory.bin := append-rootfs | pad-rootfs | openmesh-image ce_type=PA1200
 +	IMAGE/sysupgrade.bin/squashfs := append-rootfs | pad-rootfs | sysupgrade-tar rootfs=$$$$@ | append-metadata
-+	DEVICE_PACKAGES := uboot-envtools ipq-wifi-plasmacloud-pa1200
++	DEVICE_PACKAGES := uboot-envtools ipq-wifi-plasmacloud_pa1200
 +endef
 +TARGET_DEVICES += plasmacloud_pa1200
 +

patches/openwrt/0021-ipq40xx-add-support-for-Plasma-Cloud-PA2200.patch

@@ -501,7 +501,7 @@ index 0000000000000000000000000000000000000000..2d0655114b4e0749e0c878a3d16ece2a
 +	ieee80211-freq-limit = <5470000 5875000>;
 +};
 diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile
-index e14d00ad08b8caf2dae935d573f0ba7bb0433c23..9872d0c4abcbb9d607bb15c47f0f820e7cdea077 100644
+index 3a2e7a4410afcba1a1369cac328e237fc350668b..b6241d622574657b5261a45507ba5959d39eaa67 100644
 --- a/target/linux/ipq40xx/image/Makefile
 +++ b/target/linux/ipq40xx/image/Makefile
 @@ -360,6 +360,21 @@ define Device/plasmacloud_pa1200
@@ -519,7 +519,7 @@ index e14d00ad08b8caf2dae935d573f0ba7bb0433c23..9872d0c4abcbb9d607bb15c47f0f820e
 +	IMAGES = factory.bin sysupgrade.bin
 +	IMAGE/factory.bin := append-rootfs | pad-rootfs | openmesh-image ce_type=PA2200
 +	IMAGE/sysupgrade.bin/squashfs := append-rootfs | pad-rootfs | sysupgrade-tar rootfs=$$$$@ | append-metadata
-+	DEVICE_PACKAGES := ath10k-firmware-qca9888-ct ipq-wifi-plasmacloud-pa2200 uboot-envtools
++	DEVICE_PACKAGES := ath10k-firmware-qca9888-ct ipq-wifi-plasmacloud_pa2200 uboot-envtools
 +endef
 +TARGET_DEVICES += plasmacloud_pa2200
 +

patches/openwrt/0023-ath79-add-support-for-Joy-IT-JT-OR750i.patch

@@ -0,0 +1,220 @@
+From: Vincent Wiemann <vincent.wiemann@ironai.com>
+Date: Sun, 20 Jun 2021 16:56:21 +0200
+Subject: ath79: add support for Joy-IT JT-OR750i
+
+Specifications:
+ * QCA9531, 16 MiB flash (Winbond W25Q128JVSQ), 128 MiB RAM
+ * 802.11n 2T2R (external antennas)
+ * QCA9887, 802.11ac 1T1R (connected with diplexer to one of the antennas)
+ * 3x 10/100 LAN, 1x 10/100 WAN
+ * UART header with pinout printed on PCB
+
+Installation:
+ * The device comes with a bootloader installed only
+ * The bootloader offers DHCP and is reachable at http://10.123.123.1
+ * Accept the agreement and flash sysupgrade.bin
+ * Use Firefox if flashing does not work
+
+TFTP recovery with static IP:
+ * Rename sysupgrade.bin to jt-or750i_firmware.bin
+ * Offer it via TFTP server at 192.168.0.66
+ * Keep the reset button pressed for 4 seconds after connecting power
+
+TFTP recovery with dynamic IP:
+ * Rename sysupgrade.bin to jt-or750i_firmware.bin
+ * Offer it via TFTP server with a DHCP server running at the same address
+ * Keep the reset button pressed for 6 seconds after connecting power
+
+Co-authored-by: Sebastian Schaper <openwrt@sebastianschaper.net>
+Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
+(cherry picked from commit 55b4b3655263984b92e4b9fc515a5e6b8003c655)
+
+diff --git a/target/linux/ath79/base-files/etc/board.d/01_leds b/target/linux/ath79/base-files/etc/board.d/01_leds
+index dd0f91affa3cd9a731343a816bc666e0bbd44e99..ba8dcd430304a284296861b9e0694be42c68fe44 100755
+--- a/target/linux/ath79/base-files/etc/board.d/01_leds
++++ b/target/linux/ath79/base-files/etc/board.d/01_leds
+@@ -84,6 +84,9 @@ glinet,gl-ar300m-lite)
+ glinet,gl-x750)
+ 	ucidef_set_led_netdev "wan" "WAN" "$boardname:green:wan" "eth1"
+ 	;;
++joyit,jt-or750i)
++	ucidef_set_led_default "ath10k" "ath10k-disable" "ath10k-phy0" "0"
++	;;
+ netgear,wnr612-v2|\
+ on,n150r)
+ 	ucidef_set_led_netdev "wan" "WAN" "netgear:green:wan" "eth0"
+diff --git a/target/linux/ath79/base-files/etc/board.d/02_network b/target/linux/ath79/base-files/etc/board.d/02_network
+index 57429fbc1c851b6d8a8a03096d7043f78a489549..fba5d68eafff37bcedeb734a4d524cfb338d00fa 100755
+--- a/target/linux/ath79/base-files/etc/board.d/02_network
++++ b/target/linux/ath79/base-files/etc/board.d/02_network
+@@ -171,6 +171,11 @@ ath79_setup_interfaces()
+ 		ucidef_add_switch "switch0" \
+ 			"0@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan"
+ 	;;
++	joyit,jt-or750i)
++		ucidef_set_interface_wan "eth1"
++		ucidef_add_switch "switch0" \
++			"0@eth0" "2:lan:3" "3:lan:2" "4:lan:1"
++		;;
+ 	librerouter,librerouter-v1)
+ 		ucidef_add_switch "switch0" \
+ 			"0@eth0" "5:wan" "6@eth1" "4:lan"
+diff --git a/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata b/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
+index c917f38211d0b246f064dba4b7feefecf61f5856..39205de2ec2ecd4d67a560dccfad36aab7a0aa0b 100644
+--- a/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
++++ b/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
+@@ -100,7 +100,8 @@ case "$FIRMWARE" in
+ 		ath10kcal_extract "art" 20480 2116
+ 		ath10kcal_patch_mac $(mtd_get_mac_ascii devdata "wlan5mac")
+ 		;;
+-	elecom,wrc-1750ghbk2-i)
++	elecom,wrc-1750ghbk2-i|\
++	joyit,jt-or750i)
+ 		ath10kcal_extract "art" 20480 2116
+ 		;;
+ 	engenius,ecb1750)
+diff --git a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+new file mode 100644
+index 0000000000000000000000000000000000000000..8a4d4c682380b26aa2437b26391273ddc7bf2d75
+--- /dev/null
++++ b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+@@ -0,0 +1,120 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++/dts-v1/;
++
++#include "qca953x.dtsi"
++
++#include <dt-bindings/gpio/gpio.h>
++#include <dt-bindings/input/input.h>
++
++/ {
++	compatible = "joyit,jt-or750i", "qca,qca9531";
++	model = "Joy-IT JT-OR750i";
++
++	aliases {
++		led-boot = &led_status_green;
++		led-failsafe = &led_status_red;
++		led-running = &led_status_green;
++		led-upgrade = &led_status_red;
++		label-mac-device = &eth0;
++	};
++
++	keys {
++		compatible = "gpio-keys";
++
++		reset {
++			label = "reset";
++			linux,code = <KEY_RESTART>;
++			gpios = <&gpio 17 GPIO_ACTIVE_LOW>;
++		};
++	};
++
++	leds {
++		compatible = "gpio-leds";
++
++		led_status_green: status_green {
++			label = "green:status";
++			gpios = <&gpio 13 GPIO_ACTIVE_LOW>;
++			default-state = "on";
++		};
++
++		led_status_red: status_red {
++			label = "red:status";
++			gpios = <&gpio 12 GPIO_ACTIVE_LOW>;
++		};
++	};
++};
++
++&pinmux {
++	pinmux_led_eth_pins: pinmux_led_eth_pins {
++		pinctrl-single,bits = \
++			/* GPIO 4: LED_LINK_5 (WAN) */     \
++			<0x04 0x0000002d 0x000000ff>,      \
++			/* GPIO 14: LED_LINK_2 (LAN 3) */  \
++			/* GPIO 15: LED_LINK_3 (LAN 2) */  \
++			<0x0c 0x2b2c0000 0xffff0000>,      \
++			/* GPIO 16: LED_LINK_4 (LAN 1) */  \
++			<0x10 0x0000002a 0x000000ff>;
++	};
++};
++
++&spi {
++	status = "okay";
++
++	flash@0 {
++		compatible = "jedec,spi-nor";
++		reg = <0>;
++		spi-max-frequency = <50000000>;
++
++		partitions {
++			compatible = "fixed-partitions";
++			#address-cells = <1>;
++			#size-cells = <1>;
++
++			partition@0 {
++				label = "u-boot";
++				reg = <0x0 0x40000>;
++				read-only;
++			};
++
++			partition@40000 {
++				label = "u-boot-env";
++				reg = <0x40000 0x10000>;
++				read-only;
++			};
++
++			partition@50000 {
++				label = "firmware";
++				reg = <0x50000 0xfa0000>;
++				compatible = "denx,uimage";
++			};
++
++			art: partition@ff0000 {
++				label = "art";
++				reg = <0xff0000 0x10000>;
++				read-only;
++			};
++		};
++	};
++};
++
++&eth0 {
++	status = "okay";
++
++	phy-handle = <&swphy4>;
++
++	mtd-mac-address = <&art 0x0>;
++};
++
++&eth1 {
++	mtd-mac-address = <&art 0x6>;
++};
++
++&pcie0 {
++	status = "okay";
++};
++
++&wmac {
++	status = "okay";
++
++	mtd-cal-data = <&art 0x1000>;
++};
+diff --git a/target/linux/ath79/image/generic.mk b/target/linux/ath79/image/generic.mk
+index 7159f9c6d2dabf0a80b4a107790471da32af97bc..080be91fe1351b45a68057de71e5cd1464773f11 100644
+--- a/target/linux/ath79/image/generic.mk
++++ b/target/linux/ath79/image/generic.mk
+@@ -484,6 +484,14 @@ define Device/jjplus_ja76pf2
+ endef
+ TARGET_DEVICES += jjplus_ja76pf2
+ 
++define Device/joyit_jt-or750i
++  ATH_SOC := qca9531
++  DEVICE_TITLE := Joy-IT JT-OR750i
++  DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca9887-ct
++  IMAGE_SIZE := 16000k
++endef
++TARGET_DEVICES += joyit_jt-or750i
++
+ define Device/librerouter_librerouter-v1
+   ATH_SOC := qca9558
+   DEVICE_TITLE := LibreRouter v1

patches/openwrt/0024-ath79-enable-missing-pinmux-for-JT-OR750i.patch

@@ -0,0 +1,24 @@
+From: David Bauer <mail@david-bauer.net>
+Date: Wed, 28 Jul 2021 13:52:22 +0200
+Subject: ath79: enable missing pinmux for JT-OR750i
+
+Without explicit configuration of these pins the ethernet as well as
+status LED of the device do not work correctly.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+(cherry picked from commit 4feb9a4211d4c8e118e6b8f01fa0bbd4eab5d35c)
+
+diff --git a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+index 8a4d4c682380b26aa2437b26391273ddc7bf2d75..d87daddd771325a8788b59edf2159c3be7bedf07 100644
+--- a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
++++ b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+@@ -31,6 +31,9 @@
+ 	leds {
+ 		compatible = "gpio-leds";
+ 
++		pinctrl-names = "default";
++		pinctrl-0 = <&jtag_disable_pins &pinmux_led_eth_pins>;
++
+ 		led_status_green: status_green {
+ 			label = "green:status";
+ 			gpios = <&gpio 13 GPIO_ACTIVE_LOW>;

patches/openwrt/0025-ath79-fix-JT-OR750i-switch-LED-assignment.patch

@@ -0,0 +1,26 @@
+From: David Bauer <mail@david-bauer.net>
+Date: Wed, 28 Jul 2021 14:17:13 +0200
+Subject: ath79: fix JT-OR750i switch LED assignment
+
+The LEDs for LAN1 and LAN3 were swapped. Link on port 1 would illuminate
+the LED on port 3 and vice versa.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+(cherry picked from commit f0a885ed8636b9762d12f2eb2755f63297ff0cb5)
+
+diff --git a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+index d87daddd771325a8788b59edf2159c3be7bedf07..60fa922878355ebdaf7d2983fe926efdf8b97207 100644
+--- a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
++++ b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+@@ -54,9 +54,9 @@
+ 			<0x04 0x0000002d 0x000000ff>,      \
+ 			/* GPIO 14: LED_LINK_2 (LAN 3) */  \
+ 			/* GPIO 15: LED_LINK_3 (LAN 2) */  \
+-			<0x0c 0x2b2c0000 0xffff0000>,      \
++			<0x0c 0x2b2a0000 0xffff0000>,      \
+ 			/* GPIO 16: LED_LINK_4 (LAN 1) */  \
+-			<0x10 0x0000002a 0x000000ff>;
++			<0x10 0x0000002c 0x000000ff>;
+ 	};
+ };
+ 

patches/openwrt/0026-ath79-Joy-IT-OR750i-fix-UART.patch

@@ -0,0 +1,21 @@
+From: Nico Boehr <freifunk@nicoboehr.de>
+Date: Sat, 7 May 2022 08:39:05 +0200
+Subject: ath79: Joy-IT OR750i: fix UART
+
+The serial console defaults to disabled in the DTSI files, explicitly
+enable it for the Joy-IT OR750i, so we can get a console in linux.
+
+Signed-off-by: Nico Boehr <freifunk@nicoboehr.de>
+
+diff --git a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+index 60fa922878355ebdaf7d2983fe926efdf8b97207..042348d82c479c097f534f0bf2bb383ace55e02d 100644
+--- a/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
++++ b/target/linux/ath79/dts/qca9531_joyit_jt-or750i.dts
+@@ -121,3 +121,7 @@
+ 
+ 	mtd-cal-data = <&art 0x1000>;
+ };
++
++&uart {
++       status = "okay";
++};

patches/packages/packages/0003-perl-don-t-build-in-parallel-and-bump-release.patch

@@ -0,0 +1,24 @@
+From: Martin Weinelt <martin@darmstadt.freifunk.net>
+Date: Tue, 8 Feb 2022 21:09:20 +0100
+Subject: perl: don't build in parallel and bump release
+
+Parallel builds cause spurious build failures with high core counts.
+
+https://github.com/openwrt/packages/issues/8238
+https://github.com/openwrt/packages/pull/17274
+
+diff --git a/lang/perl/Makefile b/lang/perl/Makefile
+index 84d256d2d8c682f18670a4cbae0a48e3333fb222..c2e5cf8e703af675dd296704597934aa9b5f7446 100644
+--- a/lang/perl/Makefile
++++ b/lang/perl/Makefile
+@@ -34,8 +34,8 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/perl/$(PKG_NAME)-$(PKG_VERSION)
+ HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/perl/$(PKG_NAME)-$(PKG_VERSION)
+ PKG_INSTALL:=1
+ PKG_BUILD_DEPENDS:=perl/host
+-PKG_BUILD_PARALLEL:=1
+-HOST_BUILD_PARALLEL:=1
++PKG_BUILD_PARALLEL:=0
++HOST_BUILD_PARALLEL:=0
+ 
+ # Variables used during configuration/build
+ HOST_PERL_PREFIX:=$(STAGING_DIR_HOSTPKG)/usr

patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch

@@ -0,0 +1,73 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 27 Apr 2022 19:01:39 +0200
+Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
+index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
+--- a/utils/ecdsautils/Makefile
++++ b/utils/ecdsautils/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=ecdsautils
+ PKG_VERSION:=0.3.2.20160630
+-PKG_RELEASE:=1
++PKG_RELEASE:=2
+ PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
+--- /dev/null
++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+@@ -0,0 +1,48 @@
++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer <mschiffer@universe-factory.net>
++Date: Wed, 20 Apr 2022 22:04:07 +0200
++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
++
++Verify that r and s are non-zero. Without these checks, an all-zero
++signature is always considered valid.
++
++While it would be nicer to error out in ecdsa_verify_prepare_legacy()
++already, that would require users of libecdsautil to check a return value
++of the prepare step. To be safe, implement the fix in an API/ABI-compatible
++way that doesn't need changes to the users.
++---
++ src/lib/ecdsa.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
++index 8cd7722be8cd..a661b56bd7c8 100644
++--- a/src/lib/ecdsa.c
+++++ b/src/lib/ecdsa.c
++@@ -135,6 +135,12 @@ regenerate:
++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
++   ecc_int256_t w, u1, tmp;
++ 
+++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
+++    // Signature is invalid, mark by setting ctx->r to an invalid value
+++    memset(&ctx->r, 0, sizeof(ctx->r));
+++    return;
+++  }
+++
++   ctx->r = signature->r;
++ 
++   ecc_25519_gf_recip(&w, &signature->s);
++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
++   ecc_25519_work_t s2, work;
++   ecc_int256_t w, tmp;
++ 
+++  // Signature was detected as invalid in prepare step
+++  if (ecc_25519_gf_is_zero(&ctx->r))
+++    return false;
+++
++   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
++   ecc_25519_add(&work, &ctx->s1, &s2);
++   ecc_25519_store_xy_legacy(&w, NULL, &work);
++-- 
++2.36.0
++

scripts/container.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# move into base directory, in case this script is not executed via `make container`
+cd "$(dirname "$0")/.."
+
+# normalize branch name to reflect a valid image name
+BRANCH=$(git branch --show-current 2>/dev/null | sed 's/[^a-z0-9-]/_/ig')
+TAG="gluon:${BRANCH:-latest}"
+
+if [ "$(command -v podman)" ]
+then
+	podman build -t "${TAG}" contrib/docker
+	podman run -it --rm --userns=keep-id --volume="$(pwd):/gluon" "${TAG}"
+elif [ "$(command -v docker)" ]
+then
+	docker build -t "${TAG}" contrib/docker
+	docker run -it --rm --volume="$(pwd):/gluon" "${TAG}"
+else
+	1>&2 echo "Please install either podman or docker. Exiting" >/dev/null
+	exit 1
+fi
+

targets/ath79-generic

@@ -65,6 +65,15 @@ device('gl.inet-gl-ar750s-nor', 'glinet_gl-ar750s', {
 	packages = ATH10K_PACKAGES_QCA9887,
 })
 
+
+-- JOY-IT
+
+device('joy-it-jt-or750i', 'joyit_jt-or750i', {
+	packages = ATH10K_PACKAGES_QCA9887,
+	factory = false,
+})
+
+
 -- OCEDO
 
 device('ocedo-raccoon', 'ocedo_raccoon', {

targets/ramips-mt76x8

@@ -74,3 +74,10 @@ device('tp-link-tl-wr902ac-v3', 'tplink_tl-wr902ac-v3', {
 device('vocore2', 'vocore2', {
 	factory = false,
 })
+
+
+-- Xiaomi
+
+device('xiaomi-mi-router-4a-100m-edition', 'xiaomi_mir4a-100m', {
+	factory = false,
+})