Update to Linux 6.1 and Alpine 3.18

- Update base-layout to 3.4.3
- Update busybox to 1.36.1
- Update iptables to 1.8.9
- Update linux-lts to 6.1.53
- Update to openrc to 0.48
- Update rtl8821ce to snapshot of 20230915
- Replace rtwB88 with a third-party driver
- Update rtw89 to snapshot of 20230913
- Import wpa_supplicant fixes from Arch Linux

1 files changed, 149 insertions, 0 deletions

diff --git a/aports/busybox/0001-modutils-check-ELF-header-before-calling-finit_modul.patch b/aports/busybox/0001-modutils-check-ELF-header-before-calling-finit_modul.patch
new file mode 100644
index 0000000..dd83a76
--- /dev/null
+++ b/aports/busybox/0001-modutils-check-ELF-header-before-calling-finit_modul.patch
@@ -0,0 +1,149 @@
+From e1a02faa656420a3c32fc8733e0566c2e430e6d6 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Sun, 3 Jan 2021 16:00:14 +0000
+Subject: [PATCH] modutils: check ELF header before calling finit_module()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+finit_module() and init_module() system calls have clear specification
+to only accept valid ELF image.
+
+Although we try finit_module() on compressed modules to let the kernel
+determine if it's an ELF image, but it's not ideal, especially when
+newer kernel will complain when some invalid files/memory is passed in.
+
+Treat the kernel better by just doing a very basic ELF header check
+before calling finit_module().
+
+Signed-off-by: Qu Wenruo <wqu at suse.com>
+---
+ modutils/modprobe-small.c | 33 ++++++++++++++++++++++++++++++++-
+ modutils/modutils.c       | 37 ++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/modutils/modprobe-small.c b/modutils/modprobe-small.c
+index b61651621..4763e0811 100644
+--- a/modutils/modprobe-small.c
++++ b/modutils/modprobe-small.c
+@@ -24,6 +24,7 @@
+ //kbuild:lib-$(CONFIG_MODPROBE_SMALL) += modprobe-small.o
+ 
+ #include "libbb.h"
++#include <elf.h> /* for ELF header magic */
+ /* After libbb.h, since it needs sys/types.h on some systems */
+ #include <sys/utsname.h> /* uname() */
+ #include <fnmatch.h>
+@@ -249,6 +250,33 @@ static const char *moderror(int err)
+ 	}
+ }
+ 
++#ifdef __NR_finit_module
++/*
++ * Return:
++ * 0 on success,
++ * <0 for error.
++ *
++ * finit_module()/init_module() only accepts ELF format.
++ * Do basic ELF check to avoid calling finit_module() with compressed module.
++ */
++static int check_elf_header(int fd)
++{
++	unsigned char buf[EI_NIDENT];
++	int ret;
++
++	ret = pread(fd, buf, sizeof(buf), 0);
++	if (ret < sizeof(buf))
++		return -EIO;
++	if (buf[EI_MAG0] != ELFMAG0 ||
++	    buf[EI_MAG1] != ELFMAG1 ||
++	    buf[EI_MAG2] != ELFMAG2 ||
++	    buf[EI_MAG3] != ELFMAG3)
++		return -EINVAL;
++	/* Other more comprehensive check will be done inside kernel */
++	return 0;
++}
++#endif
++
+ static int load_module(const char *fname, const char *options)
+ {
+ #if 1
+@@ -272,7 +300,10 @@ static int load_module(const char *fname, const char *options)
+ 	{
+ 		int fd = open(fname, O_RDONLY | O_CLOEXEC);
+ 		if (fd >= 0) {
+-			r = finit_module(fd, options, 0) != 0;
++			if (!check_elf_header(fd))
++				r = finit_module(fd, options, 0) != 0;
++			else
++				r = 1;
+ 			close(fd);
+ 		}
+ 	}
+diff --git a/modutils/modutils.c b/modutils/modutils.c
+index f7ad5e805..037d609e4 100644
+--- a/modutils/modutils.c
++++ b/modutils/modutils.c
+@@ -7,6 +7,7 @@
+  */
+ #include "modutils.h"
+ 
++#include <elf.h>
+ #include <sys/syscall.h>
+ 
+ #define init_module(mod, len, opts) syscall(__NR_init_module, mod, len, opts)
+@@ -186,6 +187,33 @@ void* FAST_FUNC try_to_mmap_module(const char *filename, size_t *image_size_p)
+ }
+ #endif
+ 
++#ifdef __NR_finit_module
++/*
++ * Return:
++ * 0 on success,
++ * <0 for error.
++ *
++ * finit_module()/init_module() only accepts ELF format.
++ * Do basic ELF check to avoid calling finit_module() with compressed module.
++ */
++static int check_elf_header(int fd)
++{
++	unsigned char buf[EI_NIDENT];
++	int ret;
++
++	ret = pread(fd, buf, sizeof(buf), 0);
++	if (ret < sizeof(buf))
++		return -EIO;
++	if (buf[EI_MAG0] != ELFMAG0 ||
++	    buf[EI_MAG1] != ELFMAG1 ||
++	    buf[EI_MAG2] != ELFMAG2 ||
++	    buf[EI_MAG3] != ELFMAG3)
++		return -EINVAL;
++	/* Other more comprehensive check will be done inside kernel */
++	return 0;
++}
++#endif
++
+ /* Return:
+  * 0 on success,
+  * -errno on open/read error,
+@@ -212,12 +240,19 @@ int FAST_FUNC bb_init_module(const char *filename, const char *options)
+ 	 * to only allow loading of modules off of secure storage (like a read-
+ 	 * only rootfs) which needs the finit_module call.  If it fails, we fall
+ 	 * back to normal module loading to support compressed modules.
++	 *
++	 * Note that finit_module()/init_module() only accept ELF image, do
++	 * basic check before calling finit_module() to avoid kernel
++	 * complaining.
+ 	 */
+ # ifdef __NR_finit_module
+ 	{
+ 		int fd = open(filename, O_RDONLY | O_CLOEXEC);
+ 		if (fd >= 0) {
+-			rc = finit_module(fd, options, 0) != 0;
++			if (!check_elf_header(fd))
++				rc = finit_module(fd, options, 0) != 0;
++			else
++				rc = 1;
+ 			close(fd);
+ 			if (rc == 0)
+ 				return rc;