[hardknott][PATCH 00/20] Patch review

[hardknott][PATCH 00/20] Patch review

[Anuj Mittal]

Final set of changes before 3.3.6 is built. Please review.

No issues seen while testing on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3452

Thanks,

Anuj

The following changes since commit bcef80623f015c006778edee5cf40dad063e51db:

  wic: Use custom kernel path if provided (2022-03-15 23:00:09 +0800)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/hardknott

Alexander Kanavin (1):
  mobile-broadband-provider-info: upgrade 20201225 -> 20210805

Anuj Mittal (1):
  lttng-modules: upgrade 2.12.7 -> 2.12.8

Bruce Ashfield (5):
  linux-yocto: nohz_full boot arg fix
  linux-yocto/5.10: split vtpm for more granular inclusion
  linux-yocto/5.10: cfg/debug: add configs for kcsan
  linux-yocto-rt/5.10: update to -rt61
  linux-yocto/5.10: update to v5.10.107

Changhyeok Bae (1):
  mobile-broadband-provider-info: upgrade 20210805 -> 20220315

Chee Yang Lee (2):
  webkitgtk : update to 2.30.6
  go: update to 1.16.15

Joe Slater (2):
  libxml2: Fix CVE-2022-23308
  zip: modify when match.S is built

Li Wang (1):
  flac: fix CVE-2021-0561

Mingli Yu (2):
  epiphany: fix CVEs
  python3-numpy: fix CVE-2021-41496

Minjae Kim (2):
  gnu-config: update SRC_URI
  virglrenderer: update SRC_URI

Ovidiu Panait (1):
  openssl: upgrade 1.1.1l -> 1.1.1n

Ross Burton (1):
  zlib: backport the fix for CVE-2018-25032

wangmy (1):
  linux-firmware: upgrade 20220209 -> 20220310

 .../mobile-broadband-provider-info_git.bb     |   7 +-
 .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb}  |   3 +-
 .../CVE-2022-23308-fix-regression.patch       |  99 +++
 .../libxml/libxml2/CVE-2022-23308.patch       | 209 ++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   2 +
 .../zlib/zlib/CVE-2018-25032.patch            | 347 +++++++++
 meta/recipes-core/zlib/zlib_1.2.11.bb         |   1 +
 .../gnu-config/gnu-config_git.bb              |   2 +-
 .../go/{go-1.16.14.inc => go-1.16.15.inc}     |   4 +-
 ...1.16.14.bb => go-binary-native_1.16.15.bb} |   4 +-
 ....16.14.bb => go-cross-canadian_1.16.15.bb} |   0
 ...o-cross_1.16.14.bb => go-cross_1.16.15.bb} |   0
 ...ssdk_1.16.14.bb => go-crosssdk_1.16.15.bb} |   0
 ...native_1.16.14.bb => go-native_1.16.15.bb} |   0
 ...ntime_1.16.14.bb => go-runtime_1.16.15.bb} |   0
 .../go/{go_1.16.14.bb => go_1.16.15.bb}       |   0
 .../python-numpy/files/CVE-2021-41496.patch   |  64 ++
 .../python-numpy/python3-numpy_1.20.1.bb      |   1 +
 .../0001-configure-use-correct-CPP.patch      |  47 ++
 ...002-configure-support-PIC-code-build.patch |  34 +
 meta/recipes-extended/zip/zip_3.0.bb          |   2 +
 .../recipes-gnome/epiphany/epiphany_3.38.2.bb |   1 +
 .../files/encode-untrusted-data.patch         | 707 ++++++++++++++++++
 .../virglrenderer/virglrenderer_0.8.2.bb      |   2 +-
 ...20220209.bb => linux-firmware_20220310.bb} |   6 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 ...ules_2.12.7.bb => lttng-modules_2.12.8.bb} |   2 +-
 .../flac/flac/CVE-2021-0561.patch             |  41 +
 meta/recipes-multimedia/flac/flac_1.3.3.bb    |   1 +
 ...ebkitgtk_2.30.5.bb => webkitgtk_2.30.6.bb} |   2 +-
 32 files changed, 1592 insertions(+), 34 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
 rename meta/recipes-devtools/go/{go-1.16.14.inc => go-1.16.15.inc} (91%)
 rename meta/recipes-devtools/go/{go-binary-native_1.16.14.bb => go-binary-native_1.16.15.bb} (83%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.16.14.bb => go-cross-canadian_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.16.14.bb => go-cross_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.16.14.bb => go-crosssdk_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.16.14.bb => go-native_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.16.14.bb => go-runtime_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.16.14.bb => go_1.16.15.bb} (100%)
 create mode 100644 meta/recipes-devtools/python-numpy/files/CVE-2021-41496.patch
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch
 create mode 100644 meta/recipes-gnome/epiphany/files/encode-untrusted-data.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220209.bb => linux-firmware_20220310.bb} (99%)
 rename meta/recipes-kernel/lttng/{lttng-modules_2.12.7.bb => lttng-modules_2.12.8.bb} (94%)
 create mode 100644 meta/recipes-multimedia/flac/flac/CVE-2021-0561.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.30.5.bb => webkitgtk_2.30.6.bb} (98%)

-- 
2.35.1

[hardknott][PATCH 01/20] openssl: upgrade 1.1.1l -> 1.1.1n

[Anuj Mittal]

From: Ovidiu Panait <ovidiu.panait@windriver.com>

Upgrade openssl 1.1.1l -> 1.1.1n to fix CVE-2022-0778:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65

This also fixes an evp_extra_test ptest failure introduced by openssl-1.1.1m:
"""
not ok 19 - test_signatures_with_engine
ERROR: (ptr) 'e = ENGINE_by_id(engine_id) != NULL' failed @ ../openssl-1.1.1m/test/evp_extra_test.c:1890
0x0
not ok 20 - test_cipher_with_engine
<snip>
"""

The ptest change is already present in Yocto master since oe-core
commit 5cd40648b0ba ("openssl: upgrade to 3.0.1").

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb}           | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
index 50500eebc2..df13abf54e 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
@@ -29,7 +29,7 @@ SRC_URI_append_riscv32 = " \
            file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
            "
 
-SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
+SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -204,6 +204,7 @@ do_install_ptest () {
 	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
 	install -d ${D}${PTEST_PATH}/engines
+	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
 	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 
         # seems to be needed with perl 5.32.1
-- 
2.35.1

[hardknott][PATCH 02/20] gnu-config: update SRC_URI

[Anuj Mittal]

From: Minjae Kim <flowergom@gmail.com>

The git repo for gnu-config was changed, so update the
SRC_URI accordingly with the new link.

Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/gnu-config/gnu-config_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gnu-config/gnu-config_git.bb b/meta/recipes-devtools/gnu-config/gnu-config_git.bb
index ecbd60e72a..da52c943f5 100644
--- a/meta/recipes-devtools/gnu-config/gnu-config_git.bb
+++ b/meta/recipes-devtools/gnu-config/gnu-config_git.bb
@@ -12,7 +12,7 @@ INHIBIT_DEFAULT_DEPS = "1"
 SRCREV = "6faca61810d335c7837f320733fe8e15a1431fc2"
 PV = "20210125+git${SRCPV}"
 
-SRC_URI = "git://git.savannah.gnu.org/config.git;branch=master \
+SRC_URI = "git://git.savannah.gnu.org/git/config.git;protocol=https;branch=master \
            file://gnu-configize.in"
 S = "${WORKDIR}/git"
 UPSTREAM_CHECK_COMMITS = "1"
-- 
2.35.1

[hardknott][PATCH 03/20] virglrenderer: update SRC_URI

[Anuj Mittal]

From: Minjae Kim <flowergom@gmail.com>

The git repo for virglrenderer was changed, so update the
SRC_URI accordingly with the new link.

Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index d92359565a..1c32a573b2 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10"
 
 DEPENDS = "libdrm virtual/libgl libepoxy"
 SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
-SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=master \
+SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
            file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
            file://0001-meson.build-use-python3-directly-for-python.patch \
            file://cve-2022-0135.patch \
-- 
2.35.1

[hardknott][PATCH 04/20] libxml2: Fix CVE-2022-23308

[Anuj Mittal]

From: Joe Slater <joe.slater@windriver.com>

The first patch is the fix in version 2.9.13.  The second
patch was added later and fixes a regression introduced
by the first.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../CVE-2022-23308-fix-regression.patch       |  99 +++++++++
 .../libxml/libxml2/CVE-2022-23308.patch       | 209 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   2 +
 3 files changed, 310 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
new file mode 100644
index 0000000000..eefecb9adb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,99 @@
+From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Feb 2022 11:51:08 +0100
+Subject: [PATCH] Fix --without-valid build
+
+Regressed in commit 652dd12a.
+---
+ valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+---
+
+From https://github.com/GNOME/libxml2.git
+ commit 646fe48d1c8a74310c409ddf81fe7df6700052af
+
+CVE: CVE-2022-23308
+Upstream-status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/valid.c b/valid.c
+index 8e596f1d..9684683a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
+-/**
+- * xmlValidNormalizeString:
+- * @str: a string
+- *
+- * Normalize a string in-place.
+- */
+-static void
+-xmlValidNormalizeString(xmlChar *str) {
+-    xmlChar *dst;
+-    const xmlChar *src;
+-
+-    if (str == NULL)
+-        return;
+-    src = str;
+-    dst = str;
+-
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
+-}
+-
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ 	    (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))	\
+ 	    xmlFree((char *)(str));
+ 
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++    xmlChar *dst;
++    const xmlChar *src;
++
++    if (str == NULL)
++        return;
++    src = str;
++    dst = str;
++
++    while (*src == 0x20) src++;
++    while (*src != 0) {
++	if (*src == 0x20) {
++	    while (*src == 0x20) src++;
++	    if (*src != 0)
++		*dst++ = 0x20;
++	} else {
++	    *dst++ = *src++;
++	}
++    }
++    *dst = 0;
++}
++
+ static int
+ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+     xmlParserCtxtPtr pctxt;
+-- 
+2.35.1
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..708a98b45a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,209 @@
+From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
+
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+---
+ result/XInclude/ns1.xml.rdr |  2 +-
+ valid.c                     | 88 +++++++++++++++++++++++--------------
+ 2 files changed, 56 insertions(+), 34 deletions(-)
+ ---
+ 
+From https://github.com/GNOME/libxml2.git
+ commit 652dd12a858989b14eed4e84e453059cd3ba340e
+
+Remove patch to ns1.xml.rdr which does not exist in version 2.9.10.
+
+CVE: CVE-2022-23308
+Upstream-status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/valid.c b/valid.c
+index 5ee391c0..8e596f1d 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++    xmlChar *dst;
++    const xmlChar *src;
++
++    if (str == NULL)
++        return;
++    src = str;
++    dst = str;
++
++    while (*src == 0x20) src++;
++    while (*src != 0) {
++	if (*src == 0x20) {
++	    while (*src == 0x20) src++;
++	    if (*src != 0)
++		*dst++ = 0x20;
++	} else {
++	    *dst++ = *src++;
++	}
++    }
++    *dst = 0;
++}
++
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ 	    (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))	\
+ 	    xmlFree((char *)(str));
+ 
++static int
++xmlIsStreaming(xmlValidCtxtPtr ctxt) {
++    xmlParserCtxtPtr pctxt;
++
++    if (ctxt == NULL)
++        return(0);
++    /*
++     * These magic values are also abused to detect whether we're validating
++     * while parsing a document. In this case, userData points to the parser
++     * context.
++     */
++    if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
++        (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++        return(0);
++    pctxt = ctxt->userData;
++    return(pctxt->parseMode == XML_PARSE_READER);
++}
++
+ /**
+  * xmlFreeID:
+  * @not:  A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+     if (doc == NULL) {
+ 	return(NULL);
+     }
+-    if (value == NULL) {
++    if ((value == NULL) || (value[0] == 0)) {
+ 	return(NULL);
+     }
+     if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      */
+     ret->value = xmlStrdup(value);
+     ret->doc = doc;
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++    if (xmlIsStreaming(ctxt)) {
+ 	/*
+ 	 * Operating in streaming mode, attr is gonna disappear
+ 	 */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+     ID = xmlNodeListGetString(doc, attr->children, 1);
+     if (ID == NULL)
+         return(-1);
++    xmlValidNormalizeString(ID);
+ 
+     id = xmlHashLookup(table, ID);
+     if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      * fill the structure.
+      */
+     ret->value = xmlStrdup(value);
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++    if (xmlIsStreaming(ctxt)) {
+ 	/*
+ 	 * Operating in streaming mode, attr is gonna disappear
+ 	 */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 	     xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
++    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+     int extsubset = 0;
+ 
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+ 	return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
++    xmlValidNormalizeString(ret);
+     if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+ 	xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ 			        const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
++    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+ 
+     if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+ 	return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
++    xmlValidNormalizeString(ret);
+     return(ret);
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index cabf911816..778312f662 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -30,6 +30,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2021-3518-0002.patch \
            file://CVE-2021-3537.patch \
            file://CVE-2021-3541.patch \
+           file://CVE-2022-23308.patch \
+           file://CVE-2022-23308-fix-regression.patch \
            "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
-- 
2.35.1

[hardknott][PATCH 05/20] zip: modify when match.S is built

[Anuj Mittal]

From: Joe Slater <joe.slater@windriver.com>

Avoid generating non-PIC code.

The patches are taken from master 58b16da805... but we cannot
cherry-pick because zip_3.0.bb context is different.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../0001-configure-use-correct-CPP.patch      | 47 +++++++++++++++++++
 ...002-configure-support-PIC-code-build.patch | 34 ++++++++++++++
 meta/recipes-extended/zip/zip_3.0.bb          |  2 +
 3 files changed, 83 insertions(+)
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch

diff --git a/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch b/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch
new file mode 100644
index 0000000000..02253f968c
--- /dev/null
+++ b/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch
@@ -0,0 +1,47 @@
+From 7a2729ee7f5d9b9d4a0d9b83fe641a2ab03c4ee0 Mon Sep 17 00:00:00 2001
+From: Joe Slater <joe.slater@windriver.com>
+Date: Thu, 24 Feb 2022 17:36:59 -0800
+Subject: [PATCH 1/2] configure: use correct CPP
+
+configure uses CPP to test that two assembler routines
+can be built. Unfortunately, it will use /usr/bin/cpp
+if it exists, invalidating the tests.  We use the $CC
+passed to configure.
+
+Upstream-Status: Inappropriate [openembedded specific]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ unix/configure | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index 73ba803..7e21070 100644
+--- a/unix/configure
++++ b/unix/configure
+@@ -220,13 +220,16 @@ fi
+ echo Check for the C preprocessor
+ # on SVR4, cc -E does not produce correct assembler files. Need /lib/cpp.
+ CPP="${CC} -E"
++
++# We should not change CPP for yocto builds.
++#
+ # solaris as(1) needs -P, maybe others as well ?
+-[ -f /usr/ccs/lib/cpp ] && CPP="/usr/ccs/lib/cpp -P"
+-[ -f /usr/lib/cpp ] && CPP=/usr/lib/cpp
+-[ -f /lib/cpp ] && CPP=/lib/cpp
+-[ -f /usr/bin/cpp ] && CPP=/usr/bin/cpp
+-[ -f /xenix ] && CPP="${CC} -E"
+-[ -f /lynx.os ] && CPP="${CC} -E"
++# [ -f /usr/ccs/lib/cpp ] && CPP="/usr/ccs/lib/cpp -P"
++# [ -f /usr/lib/cpp ] && CPP=/usr/lib/cpp
++# [ -f /lib/cpp ] && CPP=/lib/cpp
++# [ -f /usr/bin/cpp ] && CPP=/usr/bin/cpp
++# [ -f /xenix ] && CPP="${CC} -E"
++# [ -f /lynx.os ] && CPP="${CC} -E"
+ 
+ echo "#include <stdio.h>" > conftest.c
+ $CPP conftest.c >/dev/null 2>/dev/null || CPP="${CC} -E"
+-- 
+2.24.1
+
diff --git a/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch b/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch
new file mode 100644
index 0000000000..6e0879616a
--- /dev/null
+++ b/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch
@@ -0,0 +1,34 @@
+From b0492506d2c28581193906e9d260d4f0451e2c39 Mon Sep 17 00:00:00 2001
+From: Joe Slater <joe.slater@windriver.com>
+Date: Thu, 24 Feb 2022 17:46:03 -0800
+Subject: [PATCH 2/2] configure: support PIC code build
+
+Disable building match.S. The code requires
+relocation in .text.
+
+Upstream-Status: Inappropriate [openembedded specific]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ unix/configure | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index 7e21070..1bc698b 100644
+--- a/unix/configure
++++ b/unix/configure
+@@ -242,8 +242,9 @@ if eval "$CPP match.S > _match.s 2>/dev/null"; then
+   if test ! -s _match.s || grep error < _match.s > /dev/null; then
+     :
+   elif eval "$CC -c _match.s >/dev/null 2>/dev/null" && [ -f _match.o ]; then
+-    CFLAGS="${CFLAGS} -DASMV"
+-    OBJA="match.o"
++    # disable match.S for PIC code
++    # CFLAGS="${CFLAGS} -DASMV"
++    # OBJA="match.o"
+     echo "int foo() { return 0;}" > conftest.c
+     $CC -c conftest.c >/dev/null 2>/dev/null
+     echo Check if compiler generates underlines
+-- 
+2.24.1
+
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 18b5d8648e..f8e0b6e259 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -14,6 +14,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar.
            file://fix-security-format.patch \
            file://10-remove-build-date.patch \
            file://zipnote-crashes-with-segfault.patch \
+           file://0001-configure-use-correct-CPP.patch \
+           file://0002-configure-support-PIC-code-build.patch \
            "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.35.1

[hardknott][PATCH 06/20] webkitgtk : update to 2.30.6

[Anuj Mittal]

From: Chee Yang Lee <chee.yang.lee@intel.com>

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../webkit/{webkitgtk_2.30.5.bb => webkitgtk_2.30.6.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-sato/webkit/{webkitgtk_2.30.5.bb => webkitgtk_2.30.6.bb} (98%)

diff --git a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/meta/recipes-sato/webkit/webkitgtk_2.30.6.bb
similarity index 98%
rename from meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
rename to meta/recipes-sato/webkit/webkitgtk_2.30.6.bb
index 93cca20d01..1fdba611ea 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.30.6.bb
@@ -25,7 +25,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://CVE-2021-42762.patch \
            "
 
-SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"
+SRC_URI[sha256sum] = "50736ec7a91770b5939d715196e5fe7209b93efcdeef425b24dc51fb8e9d7c1e"
 
 inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc
 
-- 
2.35.1

[hardknott][PATCH 07/20] go: update to 1.16.15

[Anuj Mittal]

From: Chee Yang Lee <chee.yang.lee@intel.com>

go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and to the net package. See the Go 1.16.15 milestone on our issue tracker for detai
ls.

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/go/{go-1.16.14.inc => go-1.16.15.inc}   | 4 ++--
 ...o-binary-native_1.16.14.bb => go-binary-native_1.16.15.bb} | 4 ++--
 ...cross-canadian_1.16.14.bb => go-cross-canadian_1.16.15.bb} | 0
 .../go/{go-cross_1.16.14.bb => go-cross_1.16.15.bb}           | 0
 .../go/{go-crosssdk_1.16.14.bb => go-crosssdk_1.16.15.bb}     | 0
 .../go/{go-native_1.16.14.bb => go-native_1.16.15.bb}         | 0
 .../go/{go-runtime_1.16.14.bb => go-runtime_1.16.15.bb}       | 0
 meta/recipes-devtools/go/{go_1.16.14.bb => go_1.16.15.bb}     | 0
 8 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-devtools/go/{go-1.16.14.inc => go-1.16.15.inc} (91%)
 rename meta/recipes-devtools/go/{go-binary-native_1.16.14.bb => go-binary-native_1.16.15.bb} (83%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.16.14.bb => go-cross-canadian_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.16.14.bb => go-cross_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.16.14.bb => go-crosssdk_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.16.14.bb => go-native_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.16.14.bb => go-runtime_1.16.15.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.16.14.bb => go_1.16.15.bb} (100%)

diff --git a/meta/recipes-devtools/go/go-1.16.14.inc b/meta/recipes-devtools/go/go-1.16.15.inc
similarity index 91%
rename from meta/recipes-devtools/go/go-1.16.14.inc
rename to meta/recipes-devtools/go/go-1.16.15.inc
index 6482c6fa7c..8b1ad22bcc 100644
--- a/meta/recipes-devtools/go/go-1.16.14.inc
+++ b/meta/recipes-devtools/go/go-1.16.15.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.16"
-PV = "1.16.14"
+PV = "1.16.15"
 FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -18,7 +18,7 @@ SRC_URI += "\
     file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
     file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \
 "
-SRC_URI[main.sha256sum] = "467898cd3a216de54dcb9014f541efe77e9b79a7154dbc1fd2dd778b0c63fb56"
+SRC_URI[main.sha256sum] = "90a08c689279e35f3865ba510998c33a63255c36089b3ec206c912fc0568c3d3"
 
 # Upstream don't believe it is a signifiant real world issue and will only
 # fix in 1.17 onwards where we can drop this.
diff --git a/meta/recipes-devtools/go/go-binary-native_1.16.14.bb b/meta/recipes-devtools/go/go-binary-native_1.16.15.bb
similarity index 83%
rename from meta/recipes-devtools/go/go-binary-native_1.16.14.bb
rename to meta/recipes-devtools/go/go-binary-native_1.16.15.bb
index 419fc4ffcf..ba11ee5695 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.16.14.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.16.15.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
 PROVIDES = "go-native"
 
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "f4f5f02eb6809ac5bf19b5ad517b23504fd5fc036f6487651968ad36aa7a20e0"
-SRC_URI[go_linux_arm64.sha256sum] = "5e59056e36704acb25809bcdb27191f27593cb7aba4d716b523008135a1e764a"
+SRC_URI[go_linux_amd64.sha256sum] = "77c782a633186d78c384f972fb113a43c24be0234c42fef22c2d8c4c4c8e7475"
+SRC_URI[go_linux_arm64.sha256sum] = "c2f27f0ce5620a9bc2ff3446165d1974ef94e9b885ec12dbfa3c07e0e198b7ce"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.16.14.bb b/meta/recipes-devtools/go/go-cross-canadian_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross-canadian_1.16.14.bb
rename to meta/recipes-devtools/go/go-cross-canadian_1.16.15.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.16.14.bb b/meta/recipes-devtools/go/go-cross_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross_1.16.14.bb
rename to meta/recipes-devtools/go/go-cross_1.16.15.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.16.14.bb b/meta/recipes-devtools/go/go-crosssdk_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-crosssdk_1.16.14.bb
rename to meta/recipes-devtools/go/go-crosssdk_1.16.15.bb
diff --git a/meta/recipes-devtools/go/go-native_1.16.14.bb b/meta/recipes-devtools/go/go-native_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-native_1.16.14.bb
rename to meta/recipes-devtools/go/go-native_1.16.15.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.16.14.bb b/meta/recipes-devtools/go/go-runtime_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-runtime_1.16.14.bb
rename to meta/recipes-devtools/go/go-runtime_1.16.15.bb
diff --git a/meta/recipes-devtools/go/go_1.16.14.bb b/meta/recipes-devtools/go/go_1.16.15.bb
similarity index 100%
rename from meta/recipes-devtools/go/go_1.16.14.bb
rename to meta/recipes-devtools/go/go_1.16.15.bb
-- 
2.35.1

[hardknott][PATCH 08/20] linux-firmware: upgrade 20220209 -> 20220310

[Anuj Mittal]

From: wangmy <wangmy@fujitsu.com>

License-Update:
 year updated to 2022
 Version of some driver files updated
 Added files for some drivers

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be1b1d204c89035c54a626db46c5054e553b82c2)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...inux-firmware_20220209.bb => linux-firmware_20220310.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220209.bb => linux-firmware_20220310.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
index 9cb357fa90..7a6cb1903b 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
@@ -72,7 +72,7 @@ LICENSE = "\
 LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                     file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
                     file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
-                    file://LICENSE.amdgpu;md5=d357524f5099e2a3db3c1838921c593f \
+                    file://LICENSE.amdgpu;md5=44c1166d052226cb2d6c8d7400090203 \
                     file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \
                     file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \
                     file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
@@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                     file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
                     file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
                     file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
-                    file://WHENCE;md5=ed3d7426e4df06fbadcca24ebf00cc5f \
+                    file://WHENCE;md5=45a9c4a92d152e9495db81e1192f2bdc \
                     "
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -205,7 +205,7 @@ PE = "1"
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
 
-SRC_URI[sha256sum] = "e2e46fa618414952bbf2f6920cd3abcddbef45bfb7d1352994b4bfc35394d177"
+SRC_URI[sha256sum] = "5938ee717b2023b48f6bfcf344b40ddc947e3e22c0bc36d4c3418f90fea68182"
 
 inherit allarch
 
-- 
2.35.1

[hardknott][PATCH 09/20] mobile-broadband-provider-info: upgrade 20201225 -> 20210805

[Anuj Mittal]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 93a335993ce592a8ee34fc9a490e327f2775e03f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../mobile-broadband-provider-info_git.bb                     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index b4cbc1a76c..4246f4dcbd 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -4,8 +4,8 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20201225"
+SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
+PV = "20210805"
 PE = "1"
 
 SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master"
-- 
2.35.1

[hardknott][PATCH 10/20] mobile-broadband-provider-info: upgrade 20210805 -> 20220315

[Anuj Mittal]

From: Changhyeok Bae <changhyeok.bae@gmail.com>

Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ed02ee8f20094f598448d58875cb7be8a24a019f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../mobile-broadband-provider-info_git.bb                  | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 4246f4dcbd..781b9216c5 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -4,11 +4,12 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
-PV = "20210805"
+
+SRCREV = "4cbb44a9fe26aa6f0b28beb79f9488b37c097b5e"
+PV = "20220315"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 
 inherit autotools
-- 
2.35.1

[hardknott][PATCH 11/20] linux-yocto: nohz_full boot arg fix

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/5.15:

    81bdce5b5876 tick/nohz: WARN_ON --> WARN_ON_ONCE to prevent console saturation
    97c963889222 sched/isolation: really align nohz_full with rcu_nocbs

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 11de5ad0cfee5bf8bcdd28da6b27447280add2cf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  2 +-
 .../linux/linux-yocto-tiny_5.10.bb            |  4 ++--
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 20 +++++++++----------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 8b10988438..4d75cf1b21 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,7 +11,7 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "abd24ddc62072fcc5ecf12cf8feadd2e6fda59bd"
+SRCREV_machine ?= "e0d87d9831a6e0df20a370adc9aba0d032d91661"
 SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 8564b5becf..8227d5d8cc 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -15,8 +15,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "682b9a24accb1e3a305957dec28f7f565db95369"
-SRCREV_machine ?= "5e844e753c3e1f153af9dfee6b88e5dc1e57f30f"
+SRCREV_machine_qemuarm ?= "38f8b1b5b87959e6cb9367151e233d27befe015d"
+SRCREV_machine ?= "cc70f051e56005acda2e6ea994cadfb2538e66f6"
 SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 2e12654fec..5a4939cf36 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,16 +13,16 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "56cfcfb12870782355bacaf8bcde9e268f422140"
-SRCREV_machine_qemuarm64 ?= "3aab5bb12bc180d582a6f82e4a085f45a7b0c283"
-SRCREV_machine_qemumips ?= "d76ec4c19a876a3235567ab2cee2e33f2875f79a"
-SRCREV_machine_qemuppc ?= "513a8885de593e8b1f3c24595c015bb9b1d55563"
-SRCREV_machine_qemuriscv64 ?= "de1b3b1aef1a5c3dec0676e152f6801e1cc309e5"
-SRCREV_machine_qemuriscv32 ?= "de1b3b1aef1a5c3dec0676e152f6801e1cc309e5"
-SRCREV_machine_qemux86 ?= "de1b3b1aef1a5c3dec0676e152f6801e1cc309e5"
-SRCREV_machine_qemux86-64 ?= "de1b3b1aef1a5c3dec0676e152f6801e1cc309e5"
-SRCREV_machine_qemumips64 ?= "b63b87635569c07343f25194abf008f1e27c0bca"
-SRCREV_machine ?= "de1b3b1aef1a5c3dec0676e152f6801e1cc309e5"
+SRCREV_machine_qemuarm ?= "74469c4b03f62e4b4da066e52785ed74b1d121ae"
+SRCREV_machine_qemuarm64 ?= "69f185342f516efa8a9233e31d2c3f8356b3a388"
+SRCREV_machine_qemumips ?= "d97607700b2fba19af10b2110b99c448ed9a88e9"
+SRCREV_machine_qemuppc ?= "090085d4bb6181c3b972d82c9f8f7ed88c90ad6b"
+SRCREV_machine_qemuriscv64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
+SRCREV_machine_qemuriscv32 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
+SRCREV_machine_qemux86 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
+SRCREV_machine_qemux86-64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
+SRCREV_machine_qemumips64 ?= "a1b43f69bce61143dd4d6d637f619eadd3fabb6e"
+SRCREV_machine ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
 SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
-- 
2.35.1

[hardknott][PATCH 12/20] linux-yocto/5.10: split vtpm for more granular inclusion

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/.:

    6ca1d510a03 features/tpm: split into tpm-1.2, tpm-2.0, tpm-2.0-crb and vtpm feature

Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit b61be908468b1057a9d2baf40c1ebfbbd74732b8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb   | 2 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 4d75cf1b21..a35e80940e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -12,7 +12,7 @@ python () {
 }
 
 SRCREV_machine ?= "e0d87d9831a6e0df20a370adc9aba0d032d91661"
-SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
+SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 8227d5d8cc..45cfd90e0a 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "38f8b1b5b87959e6cb9367151e233d27befe015d"
 SRCREV_machine ?= "cc70f051e56005acda2e6ea994cadfb2538e66f6"
-SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
+SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 5a4939cf36..fdc985af13 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -23,7 +23,7 @@ SRCREV_machine_qemux86 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
 SRCREV_machine_qemux86-64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
 SRCREV_machine_qemumips64 ?= "a1b43f69bce61143dd4d6d637f619eadd3fabb6e"
 SRCREV_machine ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_meta ?= "792f1272dd0d68d5dba0ff35949b2094f818227e"
+SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.35.1

[hardknott][PATCH 13/20] linux-yocto/5.10: cfg/debug: add configs for kcsan

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/.:

    b56db30a7c5 cfg/debug: add scc for syzkaller fuzzing
    c4494ad7f23 features/tun: add configs for Universal TUN/TAP device driver support
    148948c3829 features/bluetooth: add configs for Bluetooth Virtual HCI device driver
    824a7ba4dda features/usb: add configs for USB raw gadget
    0bd038864a5 features/usb: add configs for dummy HCD
    e8c765f559f features/ieee802154: add configs for mac802154 hwsim
    99aea8bc07b features/mac80211: add configs for mac80211 hwsim
    c7bf42227e3 cfg/debug: add configs for fault injection debugfs
    ae48b977f61 cfg/debug: add configs for kcsan

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 88a761c98d3a4dbf5a8b2b623248b53077717662)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb   | 2 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index a35e80940e..804773b0ec 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -12,7 +12,7 @@ python () {
 }
 
 SRCREV_machine ?= "e0d87d9831a6e0df20a370adc9aba0d032d91661"
-SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
+SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 45cfd90e0a..3b1741322d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "38f8b1b5b87959e6cb9367151e233d27befe015d"
 SRCREV_machine ?= "cc70f051e56005acda2e6ea994cadfb2538e66f6"
-SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
+SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index fdc985af13..2b30a92b96 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -23,7 +23,7 @@ SRCREV_machine_qemux86 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
 SRCREV_machine_qemux86-64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
 SRCREV_machine_qemumips64 ?= "a1b43f69bce61143dd4d6d637f619eadd3fabb6e"
 SRCREV_machine ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_meta ?= "b814c7ebf2a92fc361bcbeaf6efdd40b8cd0816a"
+SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.35.1

[hardknott][PATCH 14/20] linux-yocto-rt/5.10: update to -rt61

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto-rt/5.10:

    48b12b48c110 Linux 5.10.90-rt61
    2367f287812f aio: Fix incorrect usage of eventfd_signal_allowed()
    640f56f85c08 stop_machine: Remove this_cpu_ptr() from print_stop_info().
    38c47ed56da8 eventfd: Make signal recursion protection a task bit
    45f3f3c787e3 Linux 5.10.90-rt60
    257f82607c82 Linux 5.10.87-rt59
    7ff031bb6566 Linux 5.10.83-rt58
    03cfb1aadc5e Linux 5.10.80-rt57

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a201b82e999d2216fc58bd8db405bb06c9f22ff5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  4 ++--
 .../linux/linux-yocto-tiny_5.10.bb            |  6 ++---
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 22 +++++++++----------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 804773b0ec..a11d0515e3 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,8 +11,8 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e0d87d9831a6e0df20a370adc9aba0d032d91661"
-SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
+SRCREV_machine ?= "48b12b48c1103b811263aaed4d81bfb8b24fdfc4"
+SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 3b1741322d..5365301045 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "38f8b1b5b87959e6cb9367151e233d27befe015d"
-SRCREV_machine ?= "cc70f051e56005acda2e6ea994cadfb2538e66f6"
-SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
+SRCREV_machine_qemuarm ?= "3c9683e7166044d91c0ef900491f2f881a8bd6b7"
+SRCREV_machine ?= "7f3e78220d6510de21d74e3f330f1f93cb635745"
+SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 2b30a92b96..64dbdc826a 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "74469c4b03f62e4b4da066e52785ed74b1d121ae"
-SRCREV_machine_qemuarm64 ?= "69f185342f516efa8a9233e31d2c3f8356b3a388"
-SRCREV_machine_qemumips ?= "d97607700b2fba19af10b2110b99c448ed9a88e9"
-SRCREV_machine_qemuppc ?= "090085d4bb6181c3b972d82c9f8f7ed88c90ad6b"
-SRCREV_machine_qemuriscv64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_machine_qemuriscv32 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_machine_qemux86 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_machine_qemux86-64 ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_machine_qemumips64 ?= "a1b43f69bce61143dd4d6d637f619eadd3fabb6e"
-SRCREV_machine ?= "e6c8ebd210a2ab7817618bb4c518d69d35d16cf7"
-SRCREV_meta ?= "b56db30a7c5a0d86ccc853ee68be925086318f88"
+SRCREV_machine_qemuarm ?= "ed7ac660431f6eb29add763876d7a10b6a6e539e"
+SRCREV_machine_qemuarm64 ?= "9ca22664eb7cd86b7c91770bdaa1c5581a081938"
+SRCREV_machine_qemumips ?= "4d5c2b576ee19c6ede626f2ffdb6a96d06ddd065"
+SRCREV_machine_qemuppc ?= "54e5ceedcce6039a0479eaeea000e3c42cf4e4bc"
+SRCREV_machine_qemuriscv64 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
+SRCREV_machine_qemuriscv32 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
+SRCREV_machine_qemux86 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
+SRCREV_machine_qemux86-64 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
+SRCREV_machine_qemumips64 ?= "012ce81097a4d2d94a7d5cb596fb4ad7d8f438f1"
+SRCREV_machine ?= "0370165abaa08fa66808c54ed345eb70a558268b"
+SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.35.1

[hardknott][PATCH 15/20] linux-yocto/5.10: update to v5.10.107

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

    4c8814277b5d Linux 5.10.107
    7a0d13ef67a1 arm64: kvm: Fix copy-and-paste error in bhb templates for v5.10 stable
    dc1163203ae6 io_uring: return back safer resurrect
    8fdaab341bad kselftest/vm: fix tests build with old libc
    2490695ffdba sfc: extend the locking on mcdi->seqno
    2fad5b694896 tcp: make tcp_read_sock() more robust
    3f9a8f8a952c nl80211: Update bss channel on channel switch for P2P_CLIENT
    0ba557d33094 drm/vrr: Set VRR capable prop only if it is attached to connector
    9a8e4a5c5b73 iwlwifi: don't advertise TWT support
    c5ea0221c816 atm: firestream: check the return value of ioremap() in fs_init()
    efdd92c18ed4 can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready
    ebe106eac686 ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE
    e8ad9ecc4069 MIPS: smp: fill in sibling and core maps earlier
    8c70b9b47004 mac80211: refuse aggregations sessions before authorized
    d687d7559e24 ARM: dts: rockchip: fix a typo on rk3288 crypto-controller
    6f0a94931c47 ARM: dts: rockchip: reorder rk322x hmdi clocks
    6493c6aa8b44 arm64: dts: agilex: use the compatible "intel,socfpga-agilex-hsotg"
    c5c8c649fee0 arm64: dts: rockchip: reorder rk3399 hdmi clocks
    f7f062919f41 arm64: dts: rockchip: fix rk3399-puma eMMC HS400 signal integrity
    ca142038a54f xfrm: Fix xfrm migrate issues when address family changes
    d8889a445b53 xfrm: Check if_id in xfrm_migrate
    6056abc99b58 sctp: fix the processing for INIT chunk
    bdf0316982f0 Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0"
    327f1e7d813c Linux 5.10.106
    648895da69ce watch_queue: Fix filter limit check
    8bb5b72dbd9a ARM: fix Thumb2 regression with Spectre BHB
    6b1249db9e1c ext4: add check to prevent attempting to resize an fs with sparse_super2
    b297cf764d8c x86/traps: Mark do_int3() NOKPROBE_SYMBOL
    29f6f3500127 x86/boot: Add setup_indirect support in early_memremap_is_setup_data()
    b3444e5b640a x86/boot: Fix memremap of setup_indirect structures
    24d268130e3c watch_queue: Make comment about setting ->defunct more accurate
    ec03510e0a77 watch_queue: Fix lack of barrier/sync/lock between post and read
    06ab8444392a watch_queue: Free the alloc bitmap when the watch_queue is torn down
    880acbb718e1 watch_queue: Fix the alloc bitmap size to reflect notes allocated
    e2b52ca4988e watch_queue: Fix to always request a pow-of-2 pipe ring size
    2039900aadba watch_queue: Fix to release page in ->release()
    d729d4e99fb8 watch_queue, pipe: Free watchqueue state after clearing pipe ring
    573a3228ca32 virtio: acknowledge all features before access
    bf52b627cf47 virtio: unexport virtio_finalize_features
    8bfb959ea28d arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
    1ef5fe3dba2a riscv: Fix auipc+jalr relocation range checks
    a69aa422b478 mmc: meson: Fix usage of meson_mmc_post_req()
    0c6eeaf8c168 net: macb: Fix lost RX packet wakeup race in NAPI receive
    6d9700b44509 staging: gdm724x: fix use after free in gdm_lte_rx()
    8c1bc04c8c82 staging: rtl8723bs: Fix access-point mode deadlock
    ab5595b45f73 fuse: fix pipe buffer lifetime for direct_io
    f2c52a4baf56 ARM: Spectre-BHB: provide empty stub for non-config
    f1f5d089fcc6 selftests/memfd: clean up mapping in mfd_fail_write
    71013d071b50 selftest/vm: fix map_fixed_noreplace test failure
    8d276f10e84a tracing: Ensure trace buffer is at least 4096 bytes large
    ae7597b47dda ipv6: prevent a possible race condition with lifetimes
    8c0c50e9fcff Revert "xen-netback: Check for hotplug-status existence before watching"
    625c04b523ca Revert "xen-netback: remove 'hotplug-status' once it has served its purpose"
    a0e2768fb901 gpio: Return EPROBE_DEFER if gc->to_irq is NULL
    65d4e9d130fb hwmon: (pmbus) Clear pmbus fault/warning bits after read
    d15c9f6e3335 net-sysfs: add check for netdevice being present to speed_show
    8c023c303978 spi: rockchip: terminate dma transmission when slave abort
    889254f98e99 spi: rockchip: Fix error in getting num-cs property
    4fb9be675be8 selftests/bpf: Add test for bpf_timer overwriting crash
    dc1c2b47b539 net: bcmgenet: Don't claim WOL when its not available
    b7e4d9ba2ddb sctp: fix kernel-infoleak for SCTP sockets
    3cf533f12001 net: phy: DP83822: clear MISR2 register to disable interrupts
    21044e679ed5 gianfar: ethtool: Fix refcount leak in gfar_get_ts_info
    3a4cd1c51eea gpio: ts4900: Do not set DAT and OE together
    7702e7e9e396 selftests: pmtu.sh: Kill tcpdump processes launched by subshell.
    2b1c85f56512 NFC: port100: fix use-after-free in port100_send_complete
    1fdabf2cf42b net/mlx5e: Lag, Only handle events from highest priority multipath entry
    f3331bc17449 net/mlx5: Fix a race on command flush flow
    5f1340963b11 net/mlx5: Fix size field in bufferx_reg struct
    e2201ef32f93 ax25: Fix NULL pointer dereference in ax25_kill_by_device
    cc7679079c7e net: ethernet: lpc_eth: Handle error for clk_enable
    b3e4fcb53921 net: ethernet: ti: cpts: Handle error for clk_enable
    5e42f90d7220 tipc: fix incorrect order of state message data sanity check
    979b418b96e3 ethernet: Fix error handling in xemaclite_of_probe
    506d61bc1b50 ice: Fix curr_link_speed advertised speed
    852a9e97d396 ice: Rename a couple of variables
    b21ffd5469a9 ice: Remove unnecessary checker loop
    875967aff5a6 ice: Align macro names to the specification
    8c613f7cd3ca ice: stop disabling VFs due to PF error responses
    d9ee2cbff2e9 i40e: stop disabling VFs due to PF error responses
    965070a2b71d ARM: dts: aspeed: Fix AST2600 quad spi group
    96b01b854151 net: dsa: mt7530: fix incorrect test in mt753x_phylink_validate()
    ed5bb00d8604 drm/sun4i: mixer: Fix P010 and P210 format numbers
    93223495bce5 qed: return status of qed_iov_get_link
    5bee2ed0508b esp: Fix BEET mode inter address family tunneling on GSO
    16386479ef59 net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare()
    33c74f808596 isdn: hfcpci: check the return value of dma_set_mask() in setup_hw()
    cca9d5035bd0 virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero
    a3d5fcc6cf2e mISDN: Fix memory leak in dsp_pipeline_build()
    f97ad179d12f mISDN: Remove obsolete PIPELINE_DEBUG debugging information
    2de76d37d4a6 tipc: fix kernel panic when enabling bearer
    ea3a5e6df512 arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias
    2c6a75ea32f9 HID: vivaldi: fix sysfs attributes leak
    2a18a38cbc3b clk: qcom: gdsc: Add support to update GDSC transition delay
    0d6882dd158e ARM: boot: dts: bcm2711: Fix HVS register range
    67c781d938b8 Linux 5.10.105
    561e91e5fee8 Revert "ACPI: PM: s2idle: Cancel wakeup before dispatching EC GPE"
    206c8e271ba2 xen/netfront: react properly to failing gnttab_end_foreign_access_ref()
    39c00d09286c xen/gnttab: fix gnttab_end_foreign_access() without page specified
    c4b16486d602 xen/pvcalls: use alloc/free_pages_exact()
    8357d75bfdb8 xen/9p: use alloc/free_pages_exact()
    17f01b7206af xen: remove gnttab_query_foreign_access()
    5f36ae75b847 xen/gntalloc: don't use gnttab_query_foreign_access()
    304725518277 xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
    f6690dd9446a xen/netfront: don't use gnttab_query_foreign_access() for mapped status
    96219af4e504 xen/blkfront: don't use gnttab_query_foreign_access() for mapped status
    3d81e85f30a8 xen/grant-table: add gnttab_try_end_foreign_access()
    5c600371b8fd xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
    90f59cc2f2cc ARM: fix build warning in proc-v7-bugs.c
    8c4192d126ba ARM: Do not use NOCROSSREFS directive with ld.lld
    1749b553d73b ARM: fix co-processor register typo
    a330601c637b ARM: fix build error when BPF_SYSCALL is disabled
    b65b87e718c3 arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting
    551717cf3b58 arm64: Use the clearbhb instruction in mitigations
    38c26bdb3cc5 KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated
    e192c8baa69a arm64: Mitigate spectre style branch history side channels
    192023e6baf7 KVM: arm64: Allow indirect vectors to be used without SPECTRE_V3A
    13a807a0a080 arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2
    1f63326a5211 arm64: Add percpu vectors for EL1
    56cf5326bdf9 arm64: entry: Add macro for reading symbol addresses from the trampoline
    3f21b7e35523 arm64: entry: Add vectors that have the bhb mitigation sequences
    49379552969a arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
    26211252c1c1 arm64: entry: Allow the trampoline text to occupy multiple pages
    73ee716a1f63 arm64: entry: Make the kpti trampoline's kpti sequence optional
    8c691e5308c5 arm64: entry: Move trampoline macros out of ifdef'd section
    e55025063276 arm64: entry: Don't assume tramp_vectors is the start of the vectors
    5275fb5ea5f5 arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
    bda89602814c arm64: entry: Move the trampoline data page before the text page
    d93b25a66548 arm64: entry: Free up another register on kpti's tramp_exit path
    5242d6971e10 arm64: entry: Make the trampoline cleanup optional
    7048a21086fb arm64: spectre: Rename spectre_v4_patch_fw_mitigation_conduit
    dc5b630c0d53 arm64: entry.S: Add ventry overflow sanity checks
    97d8bdf33182 arm64: cpufeature: add HWCAP for FEAT_RPRES
    162aa002ec1a arm64: cpufeature: add HWCAP for FEAT_AFP
    dbcfa9853953 arm64: add ID_AA64ISAR2_EL1 sys register
    7ae8127e4123 arm64: Add HWCAP for self-synchronising virtual counter
    b19eaa004f2e arm64: Add Cortex-A510 CPU part definition
    86171569312b arm64: Add Cortex-X2 CPU part definition
    fc8070a9c5ad arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
    f3c12fc53e0a arm64: cputype: Add CPU implementor & types for the Apple M1 cores
    302754d023a0 ARM: include unprivileged BPF status in Spectre V2 reporting
    3f9c958e3572 ARM: Spectre-BHB workaround
    29d9b56df1e1 ARM: use LOADADDR() to get load address of sections
    46deb224680b ARM: early traps initialisation
    b7f1e73c4ddf ARM: report Spectre v2 status through sysfs
    d04937ae9490 x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
    cc9e3e55bde7 x86/speculation: Warn about Spectre v2 LFENCE mitigation
    e335384560d1 x86/speculation: Update link to AMD speculation whitepaper
    2fdf67a1d215 x86/speculation: Use generic retpoline by default on AMD
    afc2d635b5e1 x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting
    071e8b69d780 Documentation/hw-vuln: Update spectre doc
    a6a119d647ad x86/speculation: Add eIBRS + Retpoline options
    f38774bb6e23 x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
    206cfe2dac3e x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
    97581b56b59f Linux 5.10.104
    dbbe09d95377 hamradio: fix macro redefine warning
    dcd03efd7e8d Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6"
    292e1c88b8a5 btrfs: add missing run of delayed items after unlink during log replay
    41712c5fa518 btrfs: qgroup: fix deadlock between rescan worker and remove qgroup
    6e0319e77083 btrfs: fix lost prealloc extents beyond eof after full fsync
    827172ffa999 tracing: Fix return value of __setup handlers
    78059b1cfcd9 tracing/histogram: Fix sorting on old "cpu" value
    0e188fde82d7 HID: add mapping for KEY_ALL_APPLICATIONS
    f276ea5035aa HID: add mapping for KEY_DICTATE
    3b8f2a7aed80 Input: samsung-keypad - properly state IOMEM dependency
    a621ae6394ce Input: elan_i2c - fix regulator enable count imbalance after suspend/resume
    1397bbcd817f Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power()
    988f4f29cc44 net: dcb: disable softirqs in dcbnl_flush_dev()
    6828da5dea53 drm/amdgpu: fix suspend/resume hang regression
    f5e496ef73f3 nl80211: Handle nla_memdup failures in handle_nan_filter
    64e4305a03d0 iavf: Refactor iavf state machine tracking
    e6bc597fbcb2 net: chelsio: cxgb3: check the return value of pci_find_capability()
    320980b2496d ibmvnic: complete init_done on transport events
    86027004bb9d ARM: tegra: Move panels to AUX bus
    fbb810825aff soc: fsl: qe: Check of ioremap return value
    2824f6939e26 soc: fsl: guts: Add a missing memory allocation failure check
    3afe488d5c9c soc: fsl: guts: Revert commit 3c0d64e867ed
    44709130793b ARM: dts: Use 32KiHz oscillator on devkit8000
    298f6fae544f ARM: dts: switch timer config to common devkit8000 devicetree
    8b20c1999d3a s390/extable: fix exception table sorting
    49aa9c9c7fa7 memfd: fix F_SEAL_WRITE after shmem huge page allocated
    6acbc8875282 ibmvnic: free reset-work-item when flushing
    9d8a11d74de5 igc: igc_write_phy_reg_gpy: drop premature return
    223744f52133 pinctrl: sunxi: Use unique lockdep classes for IRQs
    2851b76e5fd0 selftests: mlxsw: tc_police_scale: Make test more robust
    85bf489c5c01 ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions
    6b6341049086 ARM: Fix kgdb breakpoint for Thumb2
    fefe4cb4a640 igc: igc_read_phy_reg_gpy: drop premature return
    0632854fb171 arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output
    43eaf1b17845 can: gs_usb: change active_channels's type from atomic_t to u8
    daaed6ced88c ASoC: cs4265: Fix the duplicated control name
    8b8ac465bf52 firmware: arm_scmi: Remove space in MODULE_ALIAS name
    667df6fe3ece efivars: Respect "block" flag in efivar_entry_set_safe()
    283c37e5429e ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc()
    5f394102ee27 net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
    92b791771abd ibmvnic: register netdev after init of adapter
    6e0f986032c5 net: sxgbe: fix return value of __setup handler
    e1a82db1ebaf iavf: Fix missing check for running netdev
    c9a066fe4593 mac80211: treat some SAE auth steps as final
    e6d7f57f919f net: stmmac: fix return value of __setup handler
    fa65989a4867 mac80211: fix forwarded mesh frames AC & queue selection
    dcc3423c1dca ia64: ensure proper NUMA distance and possible map initialization
    1312ef5ad0a5 sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa()
    d753aecb3d4b sched/topology: Make sched_init_numa() use a set for the deduplicating sort
    05ae1f0fe9c6 ice: fix concurrent reset and removal of VFs
    41edeeaae51a ice: Fix race conditions between virtchnl handling and VF ndo ops
    0c145262ac99 rcu/nocb: Fix missed nocb_timer requeue
    9bb7237cc740 net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server
    d7eb662625eb net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error generated by client
    2e8d465b83db net/smc: fix connection leak
    6a8a4dc2a279 net: dcb: flush lingering app table entries for unregistered devices
    f4c63b24dea9 net: ipv6: ensure we call ipv6_mc_down() at most once
    a9c4a74ad5ae batman-adv: Don't expect inter-netns unique iflink indices
    3dae11d21fc8 batman-adv: Request iflink once in batadv_get_real_netdevice
    dcf10d78ff2c batman-adv: Request iflink once in batadv-on-batadv check
    81f817f3e559 netfilter: nf_queue: handle socket prefetch
    4d05239203fa netfilter: nf_queue: fix possible use-after-free
    3b9ba964f77c netfilter: nf_queue: don't assume sk is full socket
    4e178ed14bda net: fix up skbs delta_truesize in UDP GRO frag_list
    eb5e444fe37d e1000e: Correct NVM checksum verification flow
    b53d4bfd1a68 xfrm: enforce validity of offload input flags
    2f0e6d80e8b5 xfrm: fix the if_id check in changelink
    24efaae03b0d bpf, sockmap: Do not ignore orig_len parameter
    8b0142c4143c netfilter: fix use-after-free in __nf_register_net_hook()
    4952faa77d8d xfrm: fix MTU regression
    e93f2be33d4f mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls
    912186db092c ntb: intel: fix port config status offset for SPR
    1c0b51e62a50 thermal: core: Fix TZ_GET_TRIP NULL pointer dereference
    a1753d5c29a6 xen/netfront: destroy queues before real_num_tx_queues is zeroed
    ce41d8039196 drm/i915: s/JSP2/ICP2/ PCH
    61a895da4844 iommu/amd: Recover from event log overflow
    6951a5888165 ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min
    dd9dd24fd7cb riscv: Fix config KASAN && DEBUG_VIRTUAL
    7211aab2881b riscv: Fix config KASAN && SPARSEMEM && !SPARSE_VMEMMAP
    00fb385f0ac4 riscv/efi_stub: Fix get_boot_hartid_from_fdt() return value
    336872601cb8 ALSA: intel_hdmi: Fix reference to PCM buffer address
    e57dfaf66f2b tracing: Add ustring operation to filtering string pointers
    4a9d2390f3e2 drm/amdgpu: check vm ready by amdgpu_vm->evicting flag
    67e25eb1b474 ata: pata_hpt37x: fix PCI clock detection
    335f11ff74f2 serial: stm32: prevent TDR register overwrite when sending x_char
    c999c5927e96 tracing: Add test for user space strings when filtering on string pointers
    db36a94ed66b exfat: fix i_blocks for files truncated over 4 GiB
    1b810d5cb6ce exfat: reuse exfat_inode_info variable instead of calling EXFAT_I()
    fdd64084e405 usb: gadget: clear related members when goto fail
    c13159a58881 usb: gadget: don't release an existing dev->buf
    00d5ac05af3a net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
    16f903afbafb i2c: qup: allow COMPILE_TEST
    57c333ad8c28 i2c: cadence: allow COMPILE_TEST
    9d6285e63241 dmaengine: shdma: Fix runtime PM imbalance on error
    37b06d5ebf5c selftests/seccomp: Fix seccomp failure by adding missing headers
    df9db1a2af37 cifs: fix double free race when mount fails in cifs_get_root()
    e3850e211df6 tipc: fix a bit overflow in tipc_crypto_key_rcv()
    6d4985b8a0bf KVM: arm64: vgic: Read HW interrupt pending state from the HW
    5d4b00e053fc Input: clear BTN_RIGHT/MIDDLE on buttonpads
    6e7015d982ee regulator: core: fix false positive in regulator_late_cleanup()
    467d664e5fff ASoC: rt5682: do not block workqueue if card is unbound
    0b050b7a0d73 ASoC: rt5668: do not block workqueue if card is unbound
    11956c6eeb5a i2c: bcm2835: Avoid clock stretching timeouts
    13f0ea8d1193 mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work
    46f6d66219b5 mac80211_hwsim: report NOACK frames in tx_status

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 1e600731a459c1dfe14032e5242806a25f091b41)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index a11d0515e3..50e6a9f1e2 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "48b12b48c1103b811263aaed4d81bfb8b24fdfc4"
-SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
+SRCREV_machine ?= "7f96d3fd60eea0ab38afdf07b3fc7c8c9f501802"
+SRCREV_meta ?= "24ab54209a8822aad92afe2c51ea5b95f5175394"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.103"
+LINUX_VERSION ?= "5.10.107"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 5365301045..8f22c89165 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.103"
+LINUX_VERSION ?= "5.10.107"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "3c9683e7166044d91c0ef900491f2f881a8bd6b7"
-SRCREV_machine ?= "7f3e78220d6510de21d74e3f330f1f93cb635745"
-SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
+SRCREV_machine_qemuarm ?= "d47f1b40f2f77d0c810defd853c69eb39cb84bf5"
+SRCREV_machine ?= "1ae0844c6a36151066744e43fd30db3a946bc21d"
+SRCREV_meta ?= "24ab54209a8822aad92afe2c51ea5b95f5175394"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 64dbdc826a..5ce504812f 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "ed7ac660431f6eb29add763876d7a10b6a6e539e"
-SRCREV_machine_qemuarm64 ?= "9ca22664eb7cd86b7c91770bdaa1c5581a081938"
-SRCREV_machine_qemumips ?= "4d5c2b576ee19c6ede626f2ffdb6a96d06ddd065"
-SRCREV_machine_qemuppc ?= "54e5ceedcce6039a0479eaeea000e3c42cf4e4bc"
-SRCREV_machine_qemuriscv64 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
-SRCREV_machine_qemuriscv32 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
-SRCREV_machine_qemux86 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
-SRCREV_machine_qemux86-64 ?= "0370165abaa08fa66808c54ed345eb70a558268b"
-SRCREV_machine_qemumips64 ?= "012ce81097a4d2d94a7d5cb596fb4ad7d8f438f1"
-SRCREV_machine ?= "0370165abaa08fa66808c54ed345eb70a558268b"
-SRCREV_meta ?= "cec5f94cd2090d98b2dcfeee7a4258ae6adce506"
+SRCREV_machine_qemuarm ?= "2ef8231651bb6a4c79b307f59a794b92238546ec"
+SRCREV_machine_qemuarm64 ?= "00684b441f15d202c5849eed164a9b3b94a5c1e8"
+SRCREV_machine_qemumips ?= "661a4f517906253e074fe301d68ff1e6b6968e9f"
+SRCREV_machine_qemuppc ?= "bff933cb7a11019c64e6034c48ab79453f75b99e"
+SRCREV_machine_qemuriscv64 ?= "763c0dbc0458ebcb1d06afe2f324925f0f61bd27"
+SRCREV_machine_qemuriscv32 ?= "763c0dbc0458ebcb1d06afe2f324925f0f61bd27"
+SRCREV_machine_qemux86 ?= "763c0dbc0458ebcb1d06afe2f324925f0f61bd27"
+SRCREV_machine_qemux86-64 ?= "763c0dbc0458ebcb1d06afe2f324925f0f61bd27"
+SRCREV_machine_qemumips64 ?= "7a89b456542ff1fa0ab71fa4a2ae6f04281f3a2d"
+SRCREV_machine ?= "763c0dbc0458ebcb1d06afe2f324925f0f61bd27"
+SRCREV_meta ?= "24ab54209a8822aad92afe2c51ea5b95f5175394"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.103"
+LINUX_VERSION ?= "5.10.107"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.35.1

[hardknott][PATCH 16/20] flac: fix CVE-2021-0561

[Anuj Mittal]

From: Li Wang <li.wang@windriver.com>

In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is
a possible out of bounds write due to a missing bounds check. This
could lead to local information disclosure with no additional
execution privileges needed. User interaction is not needed for
exploitation.Product: AndroidVersions: Android-11Android ID: A-174302683

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-0561

Upstream patches:
https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../flac/flac/CVE-2021-0561.patch             | 41 +++++++++++++++++++
 meta/recipes-multimedia/flac/flac_1.3.3.bb    |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-multimedia/flac/flac/CVE-2021-0561.patch

diff --git a/meta/recipes-multimedia/flac/flac/CVE-2021-0561.patch b/meta/recipes-multimedia/flac/flac/CVE-2021-0561.patch
new file mode 100644
index 0000000000..b48663ae42
--- /dev/null
+++ b/meta/recipes-multimedia/flac/flac/CVE-2021-0561.patch
@@ -0,0 +1,41 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+Upstream-Status: Backport
+CVE: CVE-2021-0561
+
+Reference to upstream patch:
+https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 74387ec..8bb0ef3 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
+-- 
+2.23.0
+
diff --git a/meta/recipes-multimedia/flac/flac_1.3.3.bb b/meta/recipes-multimedia/flac/flac_1.3.3.bb
index cb6692aedf..d3c352cc44 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.3.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
 DEPENDS = "libogg"
 
 SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+           file://CVE-2021-0561.patch \
 "
 
 SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69"
-- 
2.35.1

[hardknott][PATCH 17/20] epiphany: fix CVEs

[Anuj Mittal]

From: Mingli Yu <mingli.yu@windriver.com>

Backport patch [1] to fix below CVEs:
 - CVE-2021-45085
 - CVE-2021-45086
 - CVE-2021-45087
 - CVE-2021-45088

[1] https://sources.debian.org/data/main/e/epiphany-browser/3.38.2-1+deb11u2/debian/patches/encode-untrusted-data.patch

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../recipes-gnome/epiphany/epiphany_3.38.2.bb |   1 +
 .../files/encode-untrusted-data.patch         | 707 ++++++++++++++++++
 2 files changed, 708 insertions(+)
 create mode 100644 meta/recipes-gnome/epiphany/files/encode-untrusted-data.patch

diff --git a/meta/recipes-gnome/epiphany/epiphany_3.38.2.bb b/meta/recipes-gnome/epiphany/epiphany_3.38.2.bb
index 04f340f133..72d116da69 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.38.2.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.38.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}
            file://0002-help-meson.build-disable-the-use-of-yelp.patch \
            file://migrator.patch \
            file://distributor.patch \
+           file://encode-untrusted-data.patch \
            "
 SRC_URI[archive.sha256sum] = "8b05f2bcc1e80ecf4a10f6f01b3285087eb4cbdf5741dffb8c0355715ef5116d"
 
diff --git a/meta/recipes-gnome/epiphany/files/encode-untrusted-data.patch b/meta/recipes-gnome/epiphany/files/encode-untrusted-data.patch
new file mode 100644
index 0000000000..4805ee4e6b
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/encode-untrusted-data.patch
@@ -0,0 +1,707 @@
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Subject: Properly encode untrusted data when injecting into trusted pages
+
+CVE: CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/epiphany/-/compare/c27a8180e12e6ec92292dcf53b9243815ad9aa2e...abac58c5191b7d653fbefa8d44e5c2bd4d002825?from_project_id=1906]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+Index: epiphany-browser/embed/ephy-about-handler.c
+===================================================================
+--- epiphany-browser.orig/embed/ephy-about-handler.c
++++ epiphany-browser/embed/ephy-about-handler.c
+@@ -27,6 +27,7 @@
+ #include "ephy-file-helpers.h"
+ #include "ephy-flatpak-utils.h"
+ #include "ephy-history-service.h"
++#include "ephy-output-encoding.h"
+ #include "ephy-prefs.h"
+ #include "ephy-settings.h"
+ #include "ephy-smaps.h"
+@@ -263,16 +264,34 @@ handle_applications_finished_cb (EphyAbo
+ 
+     for (p = applications; p; p = p->next) {
+       EphyWebApplication *app = (EphyWebApplication *)p->data;
+-
++      g_autofree char *html_encoded_id = NULL;
++      g_autofree char *encoded_icon_url = NULL;
++      g_autofree char *encoded_name = NULL;
++      g_autofree char *encoded_url = NULL;
++      g_autofree char *js_encoded_id = NULL;
++      g_autofree char *encoded_install_date = NULL;
++
++      /* Most of these fields are untrusted. The web app suggests its own title,
++       * which gets used in the app ID and icon URL. The main URL could contain
++       * anything. Install date is the only trusted field here in that it's
++       * constructed by Epiphany, but it's a freeform string and we're encoding
++       * everything else here anyway, so might as well encode this too.
++       */
++      html_encoded_id = ephy_encode_for_html_attribute (app->id);
++      encoded_icon_url = ephy_encode_for_html_attribute (app->icon_url);
++      encoded_name = ephy_encode_for_html_entity (app->name);
++      encoded_url = ephy_encode_for_html_entity (app->url);
++      js_encoded_id = ephy_encode_for_javascript (app->id);
++      encoded_install_date = ephy_encode_for_html_entity (app->install_date);
+       g_string_append_printf (data_str,
+                               "<tbody><tr id =\"%s\">"
+                               "<td class=\"icon\"><img width=64 height=64 src=\"file://%s\"></img></td>"
+                               "<td class=\"data\"><div class=\"appname\">%s</div><div class=\"appurl\">%s</div></td>"
+                               "<td class=\"input\"><input type=\"button\" value=\"%s\" onclick=\"deleteWebApp('%s');\"></td>"
+                               "<td class=\"date\">%s <br /> %s</td></tr></tbody>",
+-                              app->id, app->icon_url, app->name, app->url, _("Delete"), app->id,
++                              html_encoded_id, encoded_icon_url, encoded_name, encoded_url, _("Delete"), js_encoded_id,
+                               /* Note for translators: this refers to the installation date. */
+-                              _("Installed on:"), app->install_date);
++                              _("Installed on:"), encoded_install_date);
+     }
+ 
+     g_string_append (data_str, "</table></div></body></html>");
+@@ -407,7 +426,9 @@ history_service_query_urls_cb (EphyHisto
+     EphyHistoryURL *url = (EphyHistoryURL *)l->data;
+     const char *snapshot;
+     g_autofree char *thumbnail_style = NULL;
+-    g_autofree char *markup = NULL;
++    g_autofree char *entity_encoded_title = NULL;
++    g_autofree char *attribute_encoded_title = NULL;
++    g_autofree char *encoded_url = NULL;
+ 
+     snapshot = ephy_snapshot_service_lookup_cached_snapshot_path (snapshot_service, url->url);
+     if (snapshot)
+@@ -415,15 +436,19 @@ history_service_query_urls_cb (EphyHisto
+     else
+       ephy_embed_shell_schedule_thumbnail_update (shell, url);
+ 
+-    markup = g_markup_escape_text (url->title, -1);
++    /* Title and URL are controlled by web content and could be malicious. */
++    entity_encoded_title = ephy_encode_for_html_entity (url->title);
++    attribute_encoded_title = ephy_encode_for_html_attribute (url->title);
++    encoded_url = ephy_encode_for_html_attribute (url->url);
+     g_string_append_printf (data_str,
+                             "<a class=\"overview-item\" title=\"%s\" href=\"%s\">"
+                             "  <div class=\"overview-close-button\" title=\"%s\"></div>"
+                             "  <span class=\"overview-thumbnail\"%s></span>"
+                             "  <span class=\"overview-title\">%s</span>"
+                             "</a>",
+-                            markup, url->url, _("Remove from overview"),
+-                            thumbnail_style ? thumbnail_style : "", url->title);
++                            attribute_encoded_title, encoded_url, _("Remove from overview"),
++                            thumbnail_style ? thumbnail_style : "",
++                            entity_encoded_title);
+   }
+ 
+   data_str = g_string_append (data_str,
+Index: epiphany-browser/embed/ephy-pdf-handler.c
+===================================================================
+--- epiphany-browser.orig/embed/ephy-pdf-handler.c
++++ epiphany-browser/embed/ephy-pdf-handler.c
+@@ -23,6 +23,7 @@
+ 
+ #include "ephy-embed-container.h"
+ #include "ephy-embed-shell.h"
++#include "ephy-output-encoding.h"
+ #include "ephy-web-view.h"
+ 
+ #include <gio/gio.h>
+@@ -124,8 +125,9 @@ pdf_file_loaded (GObject      *source,
+   GBytes *html_file;
+   g_autoptr (GError) error = NULL;
+   g_autoptr (GString) html = NULL;
+-  g_autofree gchar *b64 = NULL;
+   g_autofree char *file_data = NULL;
++  g_autofree char *encoded_file_data = NULL;
++  g_autofree char *encoded_filename = NULL;
+   gsize len = 0;
+ 
+   if (!g_file_load_contents_finish (G_FILE (source), res, &file_data, &len, NULL, &error)) {
+@@ -134,13 +136,13 @@ pdf_file_loaded (GObject      *source,
+     return;
+   }
+ 
+-  html_file = g_resources_lookup_data ("/org/gnome/epiphany/pdfjs/web/viewer.html", 0, NULL);
+-
+-  b64 = g_base64_encode ((const guchar *)file_data, len);
+   g_file_delete_async (G_FILE (source), G_PRIORITY_DEFAULT, NULL, pdf_file_deleted, NULL);
+ 
+-  html = g_string_new ("");
+-  g_string_printf (html, g_bytes_get_data (html_file, NULL), b64, self->file_name ? self->file_name : "");
++  html = g_string_new (NULL);
++  html_file = g_resources_lookup_data ("/org/gnome/epiphany/pdfjs/web/viewer.html", 0, NULL);
++  encoded_file_data = g_base64_encode ((const guchar *)file_data, len);
++  encoded_filename = self->file_name ? ephy_encode_for_html_attribute (self->file_name) : g_strdup ("");
++  g_string_printf (html, g_bytes_get_data (html_file, NULL), encoded_file_data, encoded_filename);
+ 
+   finish_uri_scheme_request (self, g_strdup (html->str), NULL);
+ }
+Index: epiphany-browser/embed/ephy-reader-handler.c
+===================================================================
+--- epiphany-browser.orig/embed/ephy-reader-handler.c
++++ epiphany-browser/embed/ephy-reader-handler.c
+@@ -24,6 +24,7 @@
+ #include "ephy-embed-container.h"
+ #include "ephy-embed-shell.h"
+ #include "ephy-lib-type-builtins.h"
++#include "ephy-output-encoding.h"
+ #include "ephy-settings.h"
+ #include "ephy-web-view.h"
+ 
+@@ -156,7 +157,9 @@ readability_js_finish_cb (GObject      *
+   g_autoptr (WebKitJavascriptResult) js_result = NULL;
+   g_autoptr (GError) error = NULL;
+   g_autofree gchar *byline = NULL;
++  g_autofree gchar *encoded_byline = NULL;
+   g_autofree gchar *content = NULL;
++  g_autofree gchar *encoded_title = NULL;
+   g_autoptr (GString) html = NULL;
+   g_autoptr (GBytes) style_css = NULL;
+   const gchar *title;
+@@ -173,10 +176,14 @@ readability_js_finish_cb (GObject      *
+ 
+   byline = readability_get_property_string (js_result, "byline");
+   content = readability_get_property_string (js_result, "content");
++  title = webkit_web_view_get_title (web_view);
++
++  encoded_byline = byline ? ephy_encode_for_html_entity (byline) : g_strdup ("");
++  encoded_title = ephy_encode_for_html_entity (title);
+ 
+-  html = g_string_new ("");
++  html = g_string_new (NULL);
+   style_css = g_resources_lookup_data ("/org/gnome/epiphany/readability/reader.css", G_RESOURCE_LOOKUP_FLAGS_NONE, NULL);
+-  title = webkit_web_view_get_title (web_view);
++
+   font_style = enum_nick (EPHY_TYPE_PREFS_READER_FONT_STYLE,
+                           g_settings_get_enum (EPHY_SETTINGS_READER,
+                                                EPHY_PREFS_READER_FONT_STYLE));
+@@ -186,7 +193,8 @@ readability_js_finish_cb (GObject      *
+ 
+   g_string_append_printf (html, "<style>%s</style>"
+                           "<title>%s</title>"
+-                          "<meta http-equiv=\"Content-Type\" content=\"text/html;\" charset=\"UTF-8\">" \
++                          "<meta http-equiv='Content-Type' content='text/html;' charset='UTF-8'>" \
++                          "<meta http-equiv='Content-Security-Policy' content=\"script-src 'none'\">" \
+                           "<body class='%s %s'>"
+                           "<article>"
+                           "<h2>"
+@@ -197,13 +205,27 @@ readability_js_finish_cb (GObject      *
+                           "</i>"
+                           "<hr>",
+                           (gchar *)g_bytes_get_data (style_css, NULL),
+-                          title,
++                          encoded_title,
+                           font_style,
+                           color_scheme,
+-                          title,
+-                          byline != NULL ? byline : "");
++                          encoded_title,
++                          encoded_byline);
++
++  /* We cannot encode the page content because it contains HTML tags inserted by
++   * Readability.js. Upstream recommends that we use an XSS sanitizer like
++   * DOMPurify plus Content-Security-Policy, but I'm not keen on adding more
++   * bundled JS dependencies, and we have an advantage over Firefox in that we
++   * don't need scripts to work at this point. So instead the above CSP
++   * completely blocks all scripts, which should hopefully obviate the need for
++   * a DOM purifier.
++   *
++   * Note the encoding for page title and byline is still required, as they're
++   * not supposed to contain markup, and Readability.js unescapes them before
++   * returning them to us.
++   */
+   g_string_append (html, content);
+   g_string_append (html, "</article>");
++  g_string_append (html, "</body>");
+ 
+   finish_uri_scheme_request (request, g_strdup (html->str), NULL);
+ }
+Index: epiphany-browser/embed/ephy-view-source-handler.c
+===================================================================
+--- epiphany-browser.orig/embed/ephy-view-source-handler.c
++++ epiphany-browser/embed/ephy-view-source-handler.c
+@@ -23,6 +23,7 @@
+ 
+ #include "ephy-embed-container.h"
+ #include "ephy-embed-shell.h"
++#include "ephy-output-encoding.h"
+ #include "ephy-web-view.h"
+ 
+ #include <gio/gio.h>
+@@ -109,7 +110,9 @@ web_resource_data_cb (WebKitWebResource
+                       EphyViewSourceRequest *request)
+ {
+   g_autofree guchar *data = NULL;
+-  g_autofree char *escaped_str = NULL;
++  g_autofree char *data_str = NULL;
++  g_autofree char *encoded_str = NULL;
++  g_autofree char *encoded_uri = NULL;
+   g_autoptr (GError) error = NULL;
+   g_autofree char *html = NULL;
+   gsize length;
+@@ -120,8 +123,13 @@ web_resource_data_cb (WebKitWebResource
+     return;
+   }
+ 
+-  /* Warning: data is not a string, so we pass length here because it's not NUL-terminated. */
+-  escaped_str = g_markup_escape_text ((const char *)data, length);
++  /* Convert data to a string */
++  data_str = g_malloc (length + 1);
++  memcpy (data_str, data, length);
++  data_str[length] = '\0';
++
++  encoded_str = ephy_encode_for_html_entity (data_str);
++  encoded_uri = ephy_encode_for_html_entity (webkit_web_resource_get_uri (resource));
+ 
+   html = g_strdup_printf ("<head>"
+                           "  <link rel='stylesheet' href='ephy-resource:///org/gnome/epiphany/highlightjs/nnfx.css' media='(prefers-color-scheme: no-preference), (prefers-color-scheme: light)'>"
+@@ -136,8 +144,8 @@ web_resource_data_cb (WebKitWebResource
+                           "          hljs.initLineNumbersOnLoad();</script>"
+                           "  <pre><code class='html'>%s</code></pre>"
+                           "</body>",
+-                          webkit_web_resource_get_uri (resource),
+-                          escaped_str);
++                          encoded_uri,
++                          encoded_str);
+ 
+   finish_uri_scheme_request (request, g_steal_pointer (&html), NULL);
+ }
+Index: epiphany-browser/embed/ephy-web-view.c
+===================================================================
+--- epiphany-browser.orig/embed/ephy-web-view.c
++++ epiphany-browser/embed/ephy-web-view.c
+@@ -38,6 +38,7 @@
+ #include "ephy-gsb-utils.h"
+ #include "ephy-history-service.h"
+ #include "ephy-lib-type-builtins.h"
++#include "ephy-output-encoding.h"
+ #include "ephy-permissions-manager.h"
+ #include "ephy-prefs.h"
+ #include "ephy-reader-handler.h"
+@@ -1772,9 +1773,11 @@ format_network_error_page (const char  *
+                            const char **icon_name,
+                            const char **style)
+ {
+-  char *formatted_origin;
+-  char *formatted_reason;
+-  char *first_paragraph;
++  g_autofree char *encoded_uri = NULL;
++  g_autofree char *encoded_origin = NULL;
++  g_autofree char *formatted_origin = NULL;
++  g_autofree char *formatted_reason = NULL;
++  g_autofree char *first_paragraph = NULL;
+   const char *second_paragraph;
+ 
+   /* Page title when a site cannot be loaded due to a network error. */
+@@ -1783,7 +1786,8 @@ format_network_error_page (const char  *
+   /* Message title when a site cannot be loaded due to a network error. */
+   *message_title = g_strdup (_("Unable to display this website"));
+ 
+-  formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
++  encoded_origin = ephy_encode_for_html_entity (origin);
++  formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
+   /* Error details when a site cannot be loaded due to a network error. */
+   first_paragraph = g_strdup_printf (_("The site at %s seems to be "
+                                        "unavailable."),
+@@ -1805,16 +1809,13 @@ format_network_error_page (const char  *
+ 
+   /* The button on the network error page. DO NOT ADD MNEMONICS HERE. */
+   *button_label = g_strdup (_("Reload"));
+-  *button_action = g_strdup_printf ("window.location = '%s';", uri);
++  encoded_uri = ephy_encode_for_javascript (uri);
++  *button_action = g_strdup_printf ("window.location = '%s';", encoded_uri);
+   /* Mnemonic for the Reload button on browser error pages. */
+   *button_accesskey = C_("reload-access-key", "R");
+ 
+   *icon_name = "network-error-symbolic.svg";
+   *style = "default";
+-
+-  g_free (formatted_origin);
+-  g_free (formatted_reason);
+-  g_free (first_paragraph);
+ }
+ 
+ static void
+@@ -1828,10 +1829,12 @@ format_crash_error_page (const char  *ur
+                          const char **icon_name,
+                          const char **style)
+ {
+-  char *formatted_uri;
+-  char *formatted_distributor;
+-  char *first_paragraph;
+-  char *second_paragraph;
++  g_autofree char *html_encoded_uri = NULL;
++  g_autofree char *js_encoded_uri = NULL;
++  g_autofree char *formatted_uri = NULL;
++  g_autofree char *formatted_distributor = NULL;
++  g_autofree char *first_paragraph = NULL;
++  g_autofree char *second_paragraph = NULL;
+ 
+   /* Page title when a site cannot be loaded due to a page crash error. */
+   *page_title = g_strdup_printf (_("Problem Loading Page"));
+@@ -1839,7 +1842,8 @@ format_crash_error_page (const char  *ur
+   /* Message title when a site cannot be loaded due to a page crash error. */
+   *message_title = g_strdup (_("Oops! There may be a problem"));
+ 
+-  formatted_uri = g_strdup_printf ("<strong>%s</strong>", uri);
++  html_encoded_uri = ephy_encode_for_html_entity (uri);
++  formatted_uri = g_strdup_printf ("<strong>%s</strong>", html_encoded_uri);
+   /* Error details when a site cannot be loaded due to a page crash error. */
+   first_paragraph = g_strdup_printf (_("The page %s may have caused Web to "
+                                        "close unexpectedly."),
+@@ -1858,17 +1862,13 @@ format_crash_error_page (const char  *ur
+ 
+   /* The button on the page crash error page. DO NOT ADD MNEMONICS HERE. */
+   *button_label = g_strdup (_("Reload"));
+-  *button_action = g_strdup_printf ("window.location = '%s';", uri);
++  js_encoded_uri = ephy_encode_for_javascript (uri);
++  *button_action = g_strdup_printf ("window.location = '%s';", js_encoded_uri);
+   /* Mnemonic for the Reload button on browser error pages. */
+   *button_accesskey = C_("reload-access-key", "R");
+ 
+   *icon_name = "computer-fail-symbolic.svg";
+   *style = "default";
+-
+-  g_free (formatted_uri);
+-  g_free (formatted_distributor);
+-  g_free (first_paragraph);
+-  g_free (second_paragraph);
+ }
+ 
+ static void
+@@ -1882,6 +1882,7 @@ format_process_crash_error_page (const c
+                                  const char **icon_name,
+                                  const char **style)
+ {
++  g_autofree char *encoded_uri = NULL;
+   const char *first_paragraph;
+ 
+   /* Page title when a site cannot be loaded due to a process crash error. */
+@@ -1897,7 +1898,8 @@ format_process_crash_error_page (const c
+ 
+   /* The button on the process crash error page. DO NOT ADD MNEMONICS HERE. */
+   *button_label = g_strdup (_("Reload"));
+-  *button_action = g_strdup_printf ("window.location = '%s';", uri);
++  encoded_uri = ephy_encode_for_javascript (uri);
++  *button_action = g_strdup_printf ("window.location = '%s';", encoded_uri);
+   /* Mnemonic for the Reload button on browser error pages. */
+   *button_accesskey = C_("reload-access-key", "R");
+ 
+@@ -1921,8 +1923,9 @@ format_tls_error_page (EphyWebView  *vie
+                        const char  **icon_name,
+                        const char  **style)
+ {
+-  char *formatted_origin;
+-  char *first_paragraph;
++  g_autofree char *encoded_origin = NULL;
++  g_autofree char *formatted_origin = NULL;
++  g_autofree char *first_paragraph = NULL;
+ 
+   /* Page title when a site is not loaded due to an invalid TLS certificate. */
+   *page_title = g_strdup_printf (_("Security Violation"));
+@@ -1930,7 +1933,8 @@ format_tls_error_page (EphyWebView  *vie
+   /* Message title when a site is not loaded due to an invalid TLS certificate. */
+   *message_title = g_strdup (_("This Connection is Not Secure"));
+ 
+-  formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
++  encoded_origin = ephy_encode_for_html_entity (origin);
++  formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
+   /* Error details when a site is not loaded due to an invalid TLS certificate. */
+   first_paragraph = g_strdup_printf (_("This does not look like the real %s. "
+                                        "Attackers might be trying to steal or "
+@@ -1956,9 +1960,6 @@ format_tls_error_page (EphyWebView  *vie
+ 
+   *icon_name = "channel-insecure-symbolic.svg";
+   *style = "danger";
+-
+-  g_free (formatted_origin);
+-  g_free (first_paragraph);
+ }
+ 
+ static void
+@@ -1978,8 +1979,9 @@ format_unsafe_browsing_error_page (EphyW
+                                    const char  **icon_name,
+                                    const char  **style)
+ {
+-  char *formatted_origin;
+-  char *first_paragraph;
++  g_autofree char *encoded_origin = NULL;
++  g_autofree char *formatted_origin = NULL;
++  g_autofree char *first_paragraph = NULL;
+ 
+   /* Page title when a site is flagged by Google Safe Browsing verification. */
+   *page_title = g_strdup_printf (_("Security Warning"));
+@@ -1987,7 +1989,8 @@ format_unsafe_browsing_error_page (EphyW
+   /* Message title on the unsafe browsing error page. */
+   *message_title = g_strdup (_("Unsafe website detected!"));
+ 
+-  formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
++  encoded_origin = ephy_encode_for_html_entity (origin);
++  formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
+   /* Error details on the unsafe browsing error page.
+    * https://developers.google.com/safe-browsing/v4/usage-limits#UserWarnings
+    */
+@@ -2045,9 +2048,6 @@ format_unsafe_browsing_error_page (EphyW
+ 
+   *icon_name = "security-high-symbolic.svg";
+   *style = "danger";
+-
+-  g_free (formatted_origin);
+-  g_free (first_paragraph);
+ }
+ 
+ static void
+@@ -2061,7 +2061,8 @@ format_no_such_file_error_page (EphyWebV
+                                 const char  **icon_name,
+                                 const char  **style)
+ {
+-  g_autofree gchar *formatted_origin = NULL;
++  g_autofree gchar *encoded_address = NULL;
++  g_autofree gchar *formatted_address = NULL;
+   g_autofree gchar *first_paragraph = NULL;
+   g_autofree gchar *second_paragraph = NULL;
+ 
+@@ -2071,10 +2072,11 @@ format_no_such_file_error_page (EphyWebV
+   /* Message title on the no such file error page. */
+   *message_title = g_strdup (_("File not found"));
+ 
+-  formatted_origin = g_strdup_printf ("<strong>%s</strong>", view->address);
++  encoded_address = ephy_encode_for_html_entity (view->address);
++  formatted_address = g_strdup_printf ("<strong>%s</strong>", encoded_address);
+ 
+   first_paragraph = g_strdup_printf (_("%s could not be found."),
+-                                     formatted_origin);
++                                     formatted_address);
+   second_paragraph = g_strdup_printf (_("Please check the file name for "
+                                         "capitalization or other typing errors. Also check if "
+                                         "it has been moved, renamed, or deleted."));
+@@ -2109,19 +2111,19 @@ ephy_web_view_load_error_page (EphyWebVi
+                                GError               *error,
+                                gpointer              user_data)
+ {
+-  GBytes *html_file;
+-  GString *html = g_string_new ("");
+-  char *origin = NULL;
+-  char *lang = NULL;
+-  char *page_title = NULL;
+-  char *msg_title = NULL;
+-  char *msg_body = NULL;
+-  char *msg_details = NULL;
+-  char *button_label = NULL;
+-  char *hidden_button_label = NULL;
+-  char *button_action = NULL;
+-  char *hidden_button_action = NULL;
+-  char *style_sheet = NULL;
++  g_autoptr (GBytes) html_file = NULL;
++  g_autoptr (GString) html = g_string_new (NULL);
++  g_autofree char *origin = NULL;
++  g_autofree char *lang = NULL;
++  g_autofree char *page_title = NULL;
++  g_autofree char *msg_title = NULL;
++  g_autofree char *msg_body = NULL;
++  g_autofree char *msg_details = NULL;
++  g_autofree char *button_label = NULL;
++  g_autofree char *hidden_button_label = NULL;
++  g_autofree char *button_action = NULL;
++  g_autofree char *hidden_button_action = NULL;
++  g_autofree char *style_sheet = NULL;
+   const char *button_accesskey = NULL;
+   const char *hidden_button_accesskey = NULL;
+   const char *icon_name = NULL;
+@@ -2261,23 +2263,9 @@ ephy_web_view_load_error_page (EphyWebVi
+                    button_accesskey, button_label);
+ #pragma GCC diagnostic pop
+ 
+-  g_bytes_unref (html_file);
+-  g_free (origin);
+-  g_free (lang);
+-  g_free (page_title);
+-  g_free (msg_title);
+-  g_free (msg_body);
+-  g_free (msg_details);
+-  g_free (button_label);
+-  g_free (button_action);
+-  g_free (hidden_button_label);
+-  g_free (hidden_button_action);
+-  g_free (style_sheet);
+-
+   /* Make our history backend ignore the next page load, since it will be an error page. */
+   ephy_web_view_freeze_history (view);
+   webkit_web_view_load_alternate_html (WEBKIT_WEB_VIEW (view), html->str, uri, 0);
+-  g_string_free (html, TRUE);
+ }
+ 
+ static gboolean
+Index: epiphany-browser/lib/ephy-output-encoding.c
+===================================================================
+--- /dev/null
++++ epiphany-browser/lib/ephy-output-encoding.c
+@@ -0,0 +1,117 @@
++/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/*
++ *  Copyright © Red Hat Inc.
++ *
++ *  This file is part of Epiphany.
++ *
++ *  Epiphany is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  Epiphany is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with Epiphany.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "config.h"
++#include "ephy-output-encoding.h"
++
++#include <glib.h>
++
++#if !GLIB_CHECK_VERSION(2, 68, 0)
++static guint
++g_string_replace (GString     *string,
++                  const gchar *find,
++                  const gchar *replace,
++                  guint        limit)
++{
++  gsize f_len, r_len, pos;
++  gchar *cur, *next;
++  guint n = 0;
++
++  g_return_val_if_fail (string != NULL, 0);
++  g_return_val_if_fail (find != NULL, 0);
++  g_return_val_if_fail (replace != NULL, 0);
++
++  f_len = strlen (find);
++  r_len = strlen (replace);
++  cur = string->str;
++
++  while ((next = strstr (cur, find)) != NULL)
++    {
++      pos = next - string->str;
++      g_string_erase (string, pos, f_len);
++      g_string_insert (string, pos, replace);
++      cur = string->str + pos + r_len;
++      n++;
++      /* Only match the empty string once at any given position, to
++       * avoid infinite loops */
++      if (f_len == 0)
++        {
++          if (cur[0] == '\0')
++            break;
++          else
++            cur++;
++        }
++      if (n == limit)
++        break;
++    }
++
++  return n;
++}
++#endif
++
++char *
++ephy_encode_for_html_entity (const char *input)
++{
++  GString *str = g_string_new (input);
++
++  g_string_replace (str, "&", "&amp;", 0);
++  g_string_replace (str, "<", "&lt;", 0);
++  g_string_replace (str, ">", "&gt;", 0);
++  g_string_replace (str, "\"", "&quot;", 0);
++  g_string_replace (str, "'", "&#x27;", 0);
++  g_string_replace (str, "/", "&#x2F;", 0);
++
++  return g_string_free (str, FALSE);
++}
++
++static char *
++encode_all_except_alnum (const char *input,
++                         const char *format)
++{
++  GString *str;
++  const char *c = input;
++
++  if (!g_utf8_validate (input, -1, NULL))
++    return g_strdup ("");
++
++  str = g_string_new (NULL);
++  do {
++    gunichar u = g_utf8_get_char (c);
++    if (g_unichar_isalnum (u))
++      g_string_append_unichar (str, u);
++    else
++      g_string_append_printf (str, format, u);
++    c = g_utf8_next_char (c);
++  } while (*c);
++
++  return g_string_free (str, FALSE);
++}
++
++char *
++ephy_encode_for_html_attribute (const char *input)
++{
++  return encode_all_except_alnum (input, "&#x%02x;");
++}
++
++char *
++ephy_encode_for_javascript (const char *input)
++{
++  return encode_all_except_alnum (input, "\\u%04u;");
++}
+Index: epiphany-browser/lib/ephy-output-encoding.h
+===================================================================
+--- /dev/null
++++ epiphany-browser/lib/ephy-output-encoding.h
+@@ -0,0 +1,38 @@
++/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/*
++ *  Copyright © 2021 Red Hat Inc.
++ *
++ *  This file is part of Epiphany.
++ *
++ *  Epiphany is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  Epiphany is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with Epiphany.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#pragma once
++
++#include <glib.h>
++
++G_BEGIN_DECLS
++
++/* These functions implement the OWASP XSS prevention output encoding rules:
++ * https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
++ *
++ * You must *carefully* read that document to safely inject untrusted data into
++ * web content. Here be dragons.
++ */
++
++char *ephy_encode_for_html_entity    (const char *input);
++char *ephy_encode_for_html_attribute (const char *input);
++char *ephy_encode_for_javascript     (const char *input);
++
++G_END_DECLS
+Index: epiphany-browser/lib/meson.build
+===================================================================
+--- epiphany-browser.orig/lib/meson.build
++++ epiphany-browser/lib/meson.build
+@@ -21,6 +21,7 @@ libephymisc_sources = [
+   'ephy-langs.c',
+   'ephy-notification.c',
+   'ephy-notification-container.c',
++  'ephy-output-encoding.c',
+   'ephy-permissions-manager.c',
+   'ephy-profile-utils.c',
+   'ephy-search-engine-manager.c',
-- 
2.35.1

[hardknott][PATCH 18/20] python3-numpy: fix CVE-2021-41496

[Anuj Mittal]

From: Mingli Yu <mingli.yu@windriver.com>

Backport patch [1] to fix CVE-2021-41496.

[1] https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../python-numpy/files/CVE-2021-41496.patch   | 64 +++++++++++++++++++
 .../python-numpy/python3-numpy_1.20.1.bb      |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/python-numpy/files/CVE-2021-41496.patch

diff --git a/meta/recipes-devtools/python-numpy/files/CVE-2021-41496.patch b/meta/recipes-devtools/python-numpy/files/CVE-2021-41496.patch
new file mode 100644
index 0000000000..0afc79ae0d
--- /dev/null
+++ b/meta/recipes-devtools/python-numpy/files/CVE-2021-41496.patch
@@ -0,0 +1,64 @@
+From 86d81322c5c0ab67f89d64f56f6e77d4fe185910 Mon Sep 17 00:00:00 2001
+From: Warren Weckesser <warren.weckesser@gmail.com>
+Date: Tue, 29 Mar 2022 15:58:00 +0800
+Subject: [PATCH] BUG: f2py: Simplify creation of an exception message. Closes
+ gh-19000.
+
+CVE: CVE-2021-41496
+
+Upstream-Status: Backport [https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ numpy/f2py/src/fortranobject.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/numpy/f2py/src/fortranobject.c b/numpy/f2py/src/fortranobject.c
+index 3275f90..85c9c7f 100644
+--- a/numpy/f2py/src/fortranobject.c
++++ b/numpy/f2py/src/fortranobject.c
+@@ -637,14 +637,14 @@ static int check_and_fix_dimensions(const PyArrayObject* arr,
+                                     npy_intp *dims);
+ 
+ static int
+-count_negative_dimensions(const int rank,
++find_first_negative_dimension(const int rank,
+                           const npy_intp *dims) {
+-    int i=0,r=0;
+-    while (i<rank) {
+-        if (dims[i] < 0) ++r;
+-        ++i;
++    for (int i = 0; i < rank; ++i) {
++        if (dims[i] < 0) {
++            return i;
++        }
+     }
+-    return r;
++    return -1;
+ }
+ 
+ #ifdef DEBUG_COPY_ND_ARRAY
+@@ -721,14 +721,12 @@ PyArrayObject* array_from_pyobj(const int type_num,
+         || ((intent & F2PY_OPTIONAL) && (obj==Py_None))
+         ) {
+         /* intent(cache), optional, intent(hide) */
+-        if (count_negative_dimensions(rank,dims) > 0) {
+-            int i;
+-            strcpy(mess, "failed to create intent(cache|hide)|optional array"
+-                   "-- must have defined dimensions but got (");
+-            for(i=0;i<rank;++i)
+-                sprintf(mess+strlen(mess),"%" NPY_INTP_FMT ",",dims[i]);
+-            strcat(mess, ")");
+-            PyErr_SetString(PyExc_ValueError,mess);
++        int i = find_first_negative_dimension(rank, dims);
++        if (i >= 0) {
++            PyErr_Format(PyExc_ValueError,
++                         "failed to create intent(cache|hide)|optional array"
++                         " -- must have defined dimensions, but dims[%d] = %"
++                         NPY_INTP_FMT, i, dims[i]);
+             return NULL;
+         }
+         arr = (PyArrayObject *)
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python-numpy/python3-numpy_1.20.1.bb b/meta/recipes-devtools/python-numpy/python3-numpy_1.20.1.bb
index 6c3b886782..9e55e74d2c 100644
--- a/meta/recipes-devtools/python-numpy/python3-numpy_1.20.1.bb
+++ b/meta/recipes-devtools/python-numpy/python3-numpy_1.20.1.bb
@@ -10,6 +10,7 @@ SRCNAME = "numpy"
 SRC_URI = "https://github.com/${SRCNAME}/${SRCNAME}/releases/download/v${PV}/${SRCNAME}-${PV}.tar.gz \
            file://0001-Don-t-search-usr-and-so-on-for-libraries-by-default-.patch \
            file://0001-numpy-core-Define-RISCV-32-support.patch \
+           file://CVE-2021-41496.patch \
            file://run-ptest \
 "
 SRC_URI[sha256sum] = "9bf51d69ebb4ca9239e55bedc2185fe2c0ec222da0adee7ece4125414676846d"
-- 
2.35.1

[hardknott][PATCH 19/20] zlib: backport the fix for CVE-2018-25032

[Anuj Mittal]

From: Ross Burton <ross@burtonini.com>

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../zlib/zlib/CVE-2018-25032.patch            | 347 ++++++++++++++++++
 meta/recipes-core/zlib/zlib_1.2.11.bb         |   1 +
 2 files changed, 348 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
new file mode 100644
index 0000000000..5cb6183641
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c   | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+     int wrap = 1;
+     static const char my_version[] = ZLIB_VERSION;
+ 
+-    ushf *overlay;
+-    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+-     * output size for (length,distance) codes is <= 24 bits.
+-     */
+-
+     if (version == Z_NULL || version[0] != my_version[0] ||
+         stream_size != sizeof(z_stream)) {
+         return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ 
+     s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+ 
+-    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+-    s->pending_buf = (uchf *) overlay;
+-    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++    /* We overlay pending_buf and sym_buf. This works since the average size
++     * for length/distance pairs over any compressed block is assured to be 31
++     * bits or less.
++     *
++     * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++     * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++     * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++     * possible fixed-codes length/distance pair is then 31 bits total.
++     *
++     * sym_buf starts one-fourth of the way into pending_buf. So there are
++     * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++     * in sym_buf is three bytes -- two for the distance and one for the
++     * literal/length. As each symbol is consumed, the pointer to the next
++     * sym_buf value to read moves forward three bytes. From that symbol, up to
++     * 31 bits are written to pending_buf. The closest the written pending_buf
++     * bits gets to the next sym_buf symbol to read is just before the last
++     * code is written. At that time, 31*(n-2) bits have been written, just
++     * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++     * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++     * symbols are written.) The closest the writing gets to what is unread is
++     * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++     * can range from 128 to 32768.
++     *
++     * Therefore, at a minimum, there are 142 bits of space between what is
++     * written and what is read in the overlain buffers, so the symbols cannot
++     * be overwritten by the compressed data. That space is actually 139 bits,
++     * due to the three-bit fixed-code block header.
++     *
++     * That covers the case where either Z_FIXED is specified, forcing fixed
++     * codes, or when the use of fixed codes is chosen, because that choice
++     * results in a smaller compressed block than dynamic codes. That latter
++     * condition then assures that the above analysis also covers all dynamic
++     * blocks. A dynamic-code block will only be chosen to be emitted if it has
++     * fewer bits than a fixed-code block would for the same set of symbols.
++     * Therefore its average symbol length is assured to be less than 31. So
++     * the compressed data for a dynamic block also cannot overwrite the
++     * symbols from which it is being constructed.
++     */
++
++    s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++    s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+ 
+     if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+         s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+         deflateEnd (strm);
+         return Z_MEM_ERROR;
+     }
+-    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+-    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++    s->sym_buf = s->pending_buf + s->lit_bufsize;
++    s->sym_end = (s->lit_bufsize - 1) * 3;
++    /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++     * on 16 bit machines and because stored blocks are restricted to
++     * 64K-1 bytes.
++     */
+ 
+     s->level = level;
+     s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+ 
+     if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+     s = strm->state;
+-    if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++    if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+         return Z_BUF_ERROR;
+     do {
+         put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+     deflate_state *ds;
+     deflate_state *ss;
+-    ushf *overlay;
+ 
+ 
+     if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+     ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+     ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+     ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+-    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+-    ds->pending_buf = (uchf *) overlay;
++    ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+ 
+     if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+         ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+     zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+ 
+     ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+-    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+-    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++    ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+ 
+     ds->l_desc.dyn_tree = ds->dyn_ltree;
+     ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+     /* Depth of each subtree used as tie breaker for trees of equal frequency
+      */
+ 
+-    uchf *l_buf;          /* buffer for literals or lengths */
++    uchf *sym_buf;        /* buffer for distances and literals/lengths */
+ 
+     uInt  lit_bufsize;
+     /* Size of match buffer for literals/lengths.  There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+      *   - I can't count above 4
+      */
+ 
+-    uInt last_lit;      /* running index in l_buf */
+-
+-    ushf *d_buf;
+-    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+-     * the same number of elements. To use different lengths, an extra flag
+-     * array would be necessary.
+-     */
++    uInt sym_next;      /* running index in sym_buf */
++    uInt sym_end;       /* symbol table full when sym_next reaches this */
+ 
+     ulg opt_len;        /* bit length of current block with optimal trees */
+     ulg static_len;     /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+ 
+ # define _tr_tally_lit(s, c, flush) \
+   { uch cc = (c); \
+-    s->d_buf[s->last_lit] = 0; \
+-    s->l_buf[s->last_lit++] = cc; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = cc; \
+     s->dyn_ltree[cc].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+    }
+ # define _tr_tally_dist(s, distance, length, flush) \
+   { uch len = (uch)(length); \
+     ush dist = (ush)(distance); \
+-    s->d_buf[s->last_lit] = dist; \
+-    s->l_buf[s->last_lit++] = len; \
++    s->sym_buf[s->sym_next++] = dist; \
++    s->sym_buf[s->sym_next++] = dist >> 8; \
++    s->sym_buf[s->sym_next++] = len; \
+     dist--; \
+     s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+     s->dyn_dtree[d_code(dist)].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+   }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+ 
+     s->dyn_ltree[END_BLOCK].Freq = 1;
+     s->opt_len = s->static_len = 0L;
+-    s->last_lit = s->matches = 0;
++    s->sym_next = s->matches = 0;
+ }
+ 
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+ 
+         Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+                 opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+-                s->last_lit));
++                s->sym_next / 3));
+ 
+         if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+ 
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+     unsigned dist;  /* distance of matched string */
+     unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+-    s->d_buf[s->last_lit] = (ush)dist;
+-    s->l_buf[s->last_lit++] = (uch)lc;
++    s->sym_buf[s->sym_next++] = dist;
++    s->sym_buf[s->sym_next++] = dist >> 8;
++    s->sym_buf[s->sym_next++] = lc;
+     if (dist == 0) {
+         /* lc is the unmatched char */
+         s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+         s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+         s->dyn_dtree[d_code(dist)].Freq++;
+     }
+-
+-#ifdef TRUNCATE_BLOCK
+-    /* Try to guess if it is profitable to stop the current block here */
+-    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+-        /* Compute an upper bound for the compressed length */
+-        ulg out_length = (ulg)s->last_lit*8L;
+-        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+-        int dcode;
+-        for (dcode = 0; dcode < D_CODES; dcode++) {
+-            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+-                (5L+extra_dbits[dcode]);
+-        }
+-        out_length >>= 3;
+-        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+-               s->last_lit, in_length, out_length,
+-               100L - out_length*100L/in_length));
+-        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+-    }
+-#endif
+-    return (s->last_lit == s->lit_bufsize-1);
+-    /* We avoid equality with lit_bufsize because of wraparound at 64K
+-     * on 16 bit machines and because stored blocks are restricted to
+-     * 64K-1 bytes.
+-     */
++    return (s->sym_next == s->sym_end);
+ }
+ 
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+     unsigned dist;      /* distance of matched string */
+     int lc;             /* match length or unmatched char (if dist == 0) */
+-    unsigned lx = 0;    /* running index in l_buf */
++    unsigned sx = 0;    /* running index in sym_buf */
+     unsigned code;      /* the code to send */
+     int extra;          /* number of extra bits to send */
+ 
+-    if (s->last_lit != 0) do {
+-        dist = s->d_buf[lx];
+-        lc = s->l_buf[lx++];
++    if (s->sym_next != 0) do {
++        dist = s->sym_buf[sx++] & 0xff;
++        dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++        lc = s->sym_buf[sx++];
+         if (dist == 0) {
+             send_code(s, lc, ltree); /* send a literal byte */
+             Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+             }
+         } /* literal or match pair ? */
+ 
+-        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+-        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+-               "pendingBuf overflow");
++        /* Check that the overlay between pending_buf and sym_buf is ok: */
++        Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+ 
+-    } while (lx < s->last_lit);
++    } while (sx < s->sym_next);
+ 
+     send_code(s, END_BLOCK, ltree);
+ }
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb
index ef9431ae47..bc42cd64e9 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
            file://ldflags-tests.patch \
+           file://CVE-2018-25032.patch \
            file://run-ptest \
            "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
-- 
2.35.1

[hardknott][PATCH 20/20] lttng-modules: upgrade 2.12.7 -> 2.12.8

[Anuj Mittal]

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../lttng/{lttng-modules_2.12.7.bb => lttng-modules_2.12.8.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/lttng/{lttng-modules_2.12.7.bb => lttng-modules_2.12.8.bb} (94%)

diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.12.7.bb b/meta/recipes-kernel/lttng/lttng-modules_2.12.8.bb
similarity index 94%
rename from meta/recipes-kernel/lttng/lttng-modules_2.12.7.bb
rename to meta/recipes-kernel/lttng/lttng-modules_2.12.8.bb
index 5eb3902bb3..eff97f27af 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.12.7.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.12.8.bb
@@ -13,7 +13,7 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
            "
 
-SRC_URI[sha256sum] = "32ab2d17d513cd2f458f8844c66a0d013283301fc7329b55d6503153cf8cb253"
+SRC_URI[sha256sum] = "1302005a982fd4a15cc4843866971008546939f65660023d7762aa046d4b9213"
 
 export INSTALL_MOD_DIR="kernel/lttng-modules"
 
-- 
2.35.1