* [hardknott][PATCH 00/23] review request
@ 2021-08-09 15:35 Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t Anuj Mittal
                   ` (22 more replies)
  0 siblings, 23 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

Please review these changes for hardknott. Testing on autobuilder
resulted in some intermittent ptest failures in valgrind, tcl and
lttng-tools and also a qemu timeout failure in musl-qemux86-64.

Thanks,

Anuj

The following changes since commit 2fd915eda136e20ab52baea6bb908d08ef8f5cbc:

  oe-setup-builddir: update YP docs and OE URLs (2021-07-31 17:56:12 +0800)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/hardknott

Alexander Kanavin (2):
  devtool: print a warning on upgrades if PREFERRED_VERSION is set
  nettle: update 3.7.2 -> 3.7.3

Bruce Ashfield (4):
  linux-yocto/5.10: update to v5.10.53
  linux-yocto/5.4: update to v5.4.135
  linux-yocto-rt/5.10: update to -rt47
  linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment

Chen Qi (1):
  zstd: fix CVE_PRODUCT

Joe Slater (1):
  util-linux: fix CVE 2021-37600

Jon Mason (1):
  parselogs.py: qemuarm should be qemuarmv5

Khem Raj (1):
  stress-ng: Drop defining daddr_t

Lee Chee Yang (2):
  aspell: fix CVE-2019-25051
  qemu: fix CVE-2021-3527

Matthias Klein (1):
  runqemu: Fix typo in error message

Michael Opdenacker (3):
  cve-check: fix comments
  cve-check: update link to NVD website for CVE details
  cve-check: improve comment about CVE patch file names

Mingli Yu (2):
  curl: fix CVE-2021-22925
  curl: fix CVES

Richard Purdie (3):
  sstate: Fix rebuilds when changing layer config
  license: Exclude COPYING.MIT from pseudo
  oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s

Ross Burton (1):
  qemu: fix virtio vhost-user-gpu CVEs

hongxu (1):
  createrepo-c: fix createrepo-c failed in nativesdk

 meta/classes/cve-check.bbclass                |  19 +-
 meta/classes/license.bbclass                  |   2 +-
 meta/classes/sstate.bbclass                   |   1 +
 meta/lib/oeqa/runtime/cases/parselogs.py      |   3 +-
 meta/lib/oeqa/runtime/cases/ptest.py          |   2 +-
 meta/recipes-core/util-linux/util-linux.inc   |   1 +
 .../util-linux/CVE-2021-37600.patch           |  38 ++
 .../createrepo-c/createrepo-c_0.17.0.bb       |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   9 +
 ...ix-memory-disclosure-in-virgl_cmd_ge.patch |  43 ++
 ...ix-resource-leak-in-vg_resource_crea.patch |  41 ++
 ...ix-memory-leak-in-vg_resource_attach.patch |  48 ++
 ...ix-memory-leak-while-calling-vg_reso.patch |  50 ++
 ...ix-memory-leak-in-virgl_cmd_resource.patch |  58 +++
 ...ix-memory-leak-in-virgl_resource_att.patch |  49 ++
 ...ix-OOB-write-in-virgl_cmd_get_capset.patch |  49 ++
 .../qemu/qemu/CVE-2021-3527-1.patch           |  42 ++
 .../qemu/qemu/CVE-2021-3527-2.patch           |  59 +++
 .../stress-ng/stress-ng/no_daddr_t.patch      |  32 --
 .../stress-ng/stress-ng_0.12.05.bb            |   2 -
 meta/recipes-extended/zstd/zstd_1.4.9.bb      |   2 +
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 meta/recipes-support/aspell/aspell_0.60.8.bb  |   4 +-
 .../aspell/files/CVE-2019-25051.patch         | 101 ++++
 .../curl/curl/CVE-2021-22901.patch            | 453 ++++++++++++++++++
 .../curl/curl/CVE-2021-22924.patch            | 298 ++++++++++++
 .../curl/curl/CVE-2021-22925.patch            |  50 ++
 .../curl/curl/CVE-2021-22926.patch            |  79 +++
 meta/recipes-support/curl/curl_7.75.0.bb      |   4 +
 .../{nettle_3.7.2.bb => nettle_3.7.3.bb}      |   2 +-
 scripts/lib/devtool/upgrade.py                |   3 +
 scripts/runqemu                               |   2 +-
 37 files changed, 1537 insertions(+), 87 deletions(-)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
 delete mode 100644 meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch
 create mode 100644 meta/recipes-support/aspell/files/CVE-2019-25051.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22901.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22924.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22925.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22926.patch
 rename meta/recipes-support/nettle/{nettle_3.7.2.bb => nettle_3.7.3.bb} (96%)

-- 
2.31.1



* [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 02/23] parselogs.py: qemuarm should be qemuarmv5 Anuj Mittal
                   ` (21 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

This is fixed differently upstream [1]

[1] https://github.com/ColinIanKing/stress-ng/commit/7e150ab18b0e8954ca426eb5366000a8f0d01110
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96b1d483ccf2166bf577e73075d5fe57c45bbfdf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../stress-ng/stress-ng/no_daddr_t.patch      | 32 -------------------
 .../stress-ng/stress-ng_0.12.05.bb            |  2 --
 2 files changed, 34 deletions(-)
 delete mode 100644 meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch

diff --git a/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch b/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch
deleted file mode 100644
index dba4494b91..0000000000
--- a/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 55e11765af2bdc8adfac87dab1fb2682f7e6c236 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 9 Jun 2020 22:10:28 -0700
-Subject: [PATCH] Define daddr_t if __DADDR_T_TYPE is not defined
-
-glibc defined daddr_t but musl does not, ideally it should not be used
-and simple int type is enough. However, its better to leave glibc behavior
-as it is and only define it to int if daddr_t is not provided by libc
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
----
- stress-ng.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/stress-ng.h b/stress-ng.h
-index 1a66293..802dc25 100644
---- a/stress-ng.h
-+++ b/stress-ng.h
-@@ -3763,6 +3763,10 @@ struct shim_statx {
- 	uint64_t __spare2[14];
- };
- 
-+#ifndef __DADDR_T_TYPE
-+typedef int daddr_t;
-+#endif
-+
- /* old ustat struct */
- struct shim_ustat {
- #if defined(HAVE_DADDR_T)
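
Review bot: the commit message does not say whether the stress-ng 0.12.05 tarball that this recipe still builds already contains the upstream fix it cites. The deleted patch supplied `typedef int daddr_t;` under `#ifndef __DADDR_T_TYPE` for a libc that lacks the type (its description names musl), and the diffstat shows stress-ng_0.12.05.bb modified rather than renamed, so dropping the patch is only safe if `stress-ng.h` in 0.12.05 no longer needs the fallback. Please state that in the message, or note that a musl build of stress-ng was checked on hardknott.
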
diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb b/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb
index eb6bdb4a81..3770ba9ae1 100644
--- a/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb
+++ b/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb
@@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \
            file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \
-           file://no_daddr_t.patch \
            "
 SRC_URI[sha256sum] = "af7779aee38e6d94726ed7d5cf36384a64d50c86e42fff89c141d8609913f425"
 
@@ -24,4 +23,3 @@ do_install() {
     oe_runmake DESTDIR=${D} install
     ln -s stress-ng ${D}${bindir}/stress
 }
-
-- 
2.31.1



* [hardknott][PATCH 02/23] parselogs.py: qemuarm should be qemuarmv5
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 03/23] devtool: print a warning on upgrades if PREFERRED_VERSION is set Anuj Mittal
                   ` (20 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Jon Mason <jdmason@kudzu.us>

All of the errors being masked off for qemuarm are legacy from before
the migration of qemuarm to qemuarmv5.  Rename the machine to that to
allow for qemuarmv5 to pass parselog test.  Light testing shows no
errors in dmesg for qemuarm.

Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 701a58504de15b244b970908f2de0971a35b5a09)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oeqa/runtime/cases/parselogs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/runtime/cases/parselogs.py b/meta/lib/oeqa/runtime/cases/parselogs.py
index 1bb0425521..e06f92727e 100644
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -121,7 +121,7 @@ ignore_errors = {
         'synth uevent: /devices/vio: failed to send uevent',
         'PCI 0000:00 Cannot reserve Legacy IO [io  0x10000-0x10fff]',
         ] + common_errors,
-    'qemuarm' : [
+    'qemuarmv5' : [
         'mmci-pl18x: probe of fpga:05 failed with error -22',
         'mmci-pl18x: probe of fpga:0b failed with error -22',
         'Failed to load module "glx"',
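
Review bot: renaming the `'qemuarm'` key to `'qemuarmv5'` leaves `ignore_errors` with no `'qemuarm'` entry, and the code that looks a machine up in this dict is outside the hunk. Please confirm that a machine without its own key still gets `common_errors` applied rather than failing on the lookup; the commit message reports only light testing on qemuarm.
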
@@ -135,6 +135,7 @@ ignore_errors = {
         'OF: amba_device_add() failed (-19) for /amba/fpga/sci@a000',
         'Failed to initialize \'/amba/timer@101e3000\': -22',
         'jitterentropy: Initialization failed with host not compliant with requirements: 2',
+        'clcd-pl11x: probe of 10120000.display failed with error -2',
         ] + common_errors,
     'qemuarm64' : [
         'Fatal server error:',
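
Review bot: the added `'clcd-pl11x: probe of 10120000.display failed with error -2'` entry is not mentioned in the commit message, which describes only the rename. Every string added to this list hides a matching log line from the parselogs test, so the message should say on which machine the probe failure was seen and why it is safe to ignore.
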
-- 
2.31.1



* [hardknott][PATCH 03/23] devtool: print a warning on upgrades if PREFERRED_VERSION is set
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 02/23] parselogs.py: qemuarm should be qemuarmv5 Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 04/23] zstd: fix CVE_PRODUCT Anuj Mittal
                   ` (19 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b0f53eed0aadbf45d9eead96ebf7725cc7447e6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 scripts/lib/devtool/upgrade.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/lib/devtool/upgrade.py b/scripts/lib/devtool/upgrade.py
index a061f26076..834589f92b 100644
--- a/scripts/lib/devtool/upgrade.py
+++ b/scripts/lib/devtool/upgrade.py
@@ -582,6 +582,9 @@ def upgrade(args, config, basepath, workspace):
         logger.info('New recipe is %s' % rf)
         if license_diff:
             logger.info('License checksums have been updated in the new recipe; please refer to it for the difference between the old and the new license texts.')
+        preferred_version = rd.getVar('PREFERRED_VERSION_%s' % rd.getVar('PN'))
+        if preferred_version:
+            logger.warning('Version is pinned to %s via PREFERRED_VERSION; it may need adjustment to match the new version before any further steps are taken' % preferred_version)
     finally:
         tinfoil.shutdown()
     return 0
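
Review bot: the commit has no description, and the new `logger.warning` text does not name the variable the user has to edit. Consider putting the full name in the message, for example `PREFERRED_VERSION_<PN> is set to %s`, and adding a sentence to the commit message on what goes wrong after an upgrade when the pin is left at the old version.
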
-- 
2.31.1



* [hardknott][PATCH 04/23] zstd: fix CVE_PRODUCT
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (2 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 03/23] devtool: print a warning on upgrades if PREFERRED_VERSION is set Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 05/23] linux-yocto/5.10: update to v5.10.53 Anuj Mittal
                   ` (18 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

zstd uses 'zstandard' in NVD database. e.g. CVE-2021-24031

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 304eb663e414171d38faeebb3c72e49e6e4e1112)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-extended/zstd/zstd_1.4.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/zstd/zstd_1.4.9.bb b/meta/recipes-extended/zstd/zstd_1.4.9.bb
index b86fdf8b2d..44224ec627 100644
--- a/meta/recipes-extended/zstd/zstd_1.4.9.bb
+++ b/meta/recipes-extended/zstd/zstd_1.4.9.bb
@@ -16,6 +16,8 @@ SRC_URI = "git://github.com/facebook/zstd.git;branch=release \
 SRCREV = "e4558ffd1dc49399faf4ee5d85abed4386b4dcf5"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
+CVE_PRODUCT = "zstandard"
+
 S = "${WORKDIR}/git"
 
 PACKAGECONFIG ??= ""
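
Review bot: the `CVE_PRODUCT = "zstandard"` assignment has no comment in the recipe explaining why it differs from the recipe name; the reason (NVD lists zstd under 'zstandard', e.g. CVE-2021-24031) lives only in the commit message. A one-line comment above the assignment would keep a later cleanup from removing it and dropping zstd CVEs from the cve-check results without anyone noticing.
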
-- 
2.31.1



* [hardknott][PATCH 05/23] linux-yocto/5.10: update to v5.10.53
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (3 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 04/23] zstd: fix CVE_PRODUCT Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 06/23] linux-yocto/5.4: update to v5.4.135 Anuj Mittal
                   ` (17 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

    71046eac2db9 Linux 5.10.53
    6cd9bd2a2ddb udp: annotate data races around unix_sk(sk)->gso_size
    bfdb38a4268a drm/panel: nt35510: Do not fail if DSI read fails
    0d90d8492fb9 perf test bpf: Free obj_buf
    a9f36bf3613c bpf: Track subprog poke descriptors correctly and fix use-after-free
    782d71e29b29 bpftool: Properly close va_list 'ap' by va_end() on error
    2381b8e882d0 tools: bpf: Fix error in 'make -C tools/ bpf_install'
    638632997c31 tcp: call sk_wmem_schedule before sk_mem_charge in zerocopy path
    2fee3cf4c97b ipv6: tcp: drop silly ICMPv6 packet too big messages
    ad4ba3404931 tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
    d60f07bcb76f tcp: annotate data races around tp->mtu_info
    ea66fcb29605 tcp: consistently disable header prediction for mptcp
    c28c747e37db ARM: dts: tacoma: Add phase corrections for eMMC
    e55160537d76 ARM: dts: aspeed: Fix AST2600 machines line names
    ff4b8f35c96c kbuild: do not suppress Kconfig prompts for silent build
    0d514185ae79 dma-buf/sync_file: Don't leak fences on merge failure
    f33605908a9b net: fddi: fix UAF in fza_probe
    66c73f187d1e net: dsa: properly check for the bridge_leave methods in dsa_switch_bridge_leave()
    7d7d0e84ac0d Revert "mm/shmem: fix shmem_swapin() race with swapoff"
    2179d96ec702 net: validate lwtstate->data before returning from skb_tunnel_info()
    b61d8814c477 net: send SYNACK packet with accepted fwmark
    f2a062fcfe1d net: ti: fix UAF in tlan:remove_one
    b560521eca03 net: qcom/emac: fix UAF in emac:remove
    dbbf5b957bd9 net: moxa: fix UAF in moxart_mac_probe
    88ff9ec9c67a net: ip_tunnel: fix mtu calculation for ETHER tunnel devices
    846829e75db5 net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
    b9fa66072fee net: netdevsim: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops
    59070cc43d1d net: bridge: sync fdb to new unicast-filtering ports
    7b5a2910e782 net/sched: act_ct: remove and free nf_table callbacks
    6d4476236f79 vmxnet3: fix cksum offload issues for tunnels with non-default udp ports
    c3bc9ce7d400 net/sched: act_ct: fix err check for nf_conntrack_confirm
    fc40fdefd94a netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
    34365de50806 net: ipv6: fix return value of ip6_skb_dst_mtu
    73146745ff28 net: dsa: mv88e6xxx: enable devlink ATU hash param for Topaz
    a8c7ba368748 net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz
    14cd8ce80ad7 net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz
    c657413dcddf net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz
    fcb970edc0be net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
    4e275a4aca68 usb: cdns3: Enable TDL_CHK only for OUT ep
    ce6ee46e0f39 mm/page_alloc: fix memory map initialization for descending nodes
    9e1cf2d1ed37 mm/userfaultfd: fix uffd-wp special cases for fork()
    84ff5f66c3f6 mm/thp: simplify copying of huge zero page pmd when fork
    a62177b35730 f2fs: Show casefolding support only when supported
    277b311ae170 Revert "swap: fix do_swap_page() race with swapoff"
    d92aa22f2419 arm64: dts: marvell: armada-37xx: move firmware node to generic dtsi file
    0e67c76384e9 firmware: turris-mox-rwtm: add marvell,armada-3700-rwtm-firmware compatible string
    e58c162789be cifs: prevent NULL deref in cifs_compose_mount_options()
    faa3e7da487a s390: introduce proper type handling call_on_stack() macro
    be10fff3a461 s390/traps: do not test MONITOR CALL without CONFIG_BUG
    9beba1469996 thermal/core/thermal_of: Stop zone device before unregistering it
    7412c988fe12 perf/x86/intel/uncore: Clean up error handling path of iio mapping
    892387e7619e sched/fair: Fix CFS bandwidth hrtimer expiry type
    eb859b043c2e scsi: qedf: Add check to synchronize abort and flush
    a4a54c54af25 scsi: libfc: Fix array index out of bound exception
    0d7596a954f1 scsi: libsas: Add LUN number check in .slave_alloc callback
    2f8df6332eb2 scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
    cdb995a6cbb5 rtc: max77686: Do not enforce (incorrect) interrupt trigger type
    d3ba15fb0401 arch/arm64/boot/dts/marvell: fix NAND partitioning scheme
    e378db118925 kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
    8c12a3a68d4f thermal/drivers/sprd: Add missing of_node_put for loop iteration
    20babcd83092 thermal/drivers/imx_sc: Add missing of_node_put for loop iteration
    469951ce4bb0 thermal/drivers/rcar_gen3_thermal: Do not shadow rcar_gen3_ths_tj_1
    bd40e2da3ae5 thermal/core: Correct function name thermal_zone_device_unregister()
    6c099d595fd7 arm64: dts: imx8mq: assign PCIe clocks
    24c41aa9d01b arm64: dts: ls208xa: remove bus-num from dspi node
    7e3f5739cccb firmware: tegra: bpmp: Fix Tegra234-only builds
    7c03982fa134 soc/tegra: fuse: Fix Tegra234-only builds
    ffa6f08be14a ARM: OMAP2+: Block suspend for am3 and am4 if PM is not configured
    f40a7c9b8ee1 ARM: dts: stm32: fix stpmic node for stm32mp1 boards
    2670d3d1ef47 ARM: dts: stm32: Rename spi-flash/mx66l51235l@N to flash@N on DHCOM SoM
    26cd441c529d ARM: dts: stm32: Drop unused linux,wakeup from touchscreen node on DHCOM SoM
    a5bc2a2d838e ARM: dts: stm32: fix the Odyssey SoM eMMC VQMMC supply
    e27052f21a2f ARM: dts: stm32: move stmmac axi config in ethernet node on stm32mp15
    6a7af6347810 ARM: dts: stm32: fix i2c node name on stm32f746 to prevent warnings
    160c92d728f3 ARM: dts: rockchip: fix supply properties in io-domains nodes
    d671fae04648 arm64: dts: juno: Update SCPI nodes as per the YAML schema
    fc71d8df5807 ARM: dts: bcm283x: Fix up GPIO LED node names
    4bc03e321f2a ARM: dts: bcm283x: Fix up MMC node names
    15d727c044d5 firmware: arm_scmi: Fix the build when CONFIG_MAILBOX is not selected
    b4009ea92f29 firmware: arm_scmi: Add SMCCC discovery dependency in Kconfig
    41e2bcca23f1 memory: tegra: Fix compilation warnings on 64bit platforms
    7ad965c8a723 ARM: dts: stm32: fix timer nodes on STM32 MCU to prevent warnings
    ccec32f77144 ARM: dts: stm32: fix RCC node name on stm32f429 MCU
    bfbc4b482078 ARM: dts: stm32: fix gpio-keys node on STM32 MCU boards
    34ec6702a2a1 ARM: dts: stm32: fix stm32mp157c-odyssey card detect pin
    44f4e344f4f0 ARM: dts: stm32: Fix touchscreen node on dhcom-pdk2
    3534a4b2d059 ARM: dts: stm32: Remove extra size-cells on dhcom-pdk2
    8da771b5527c arm64: dts: qcom: sc7180: Move rmtfs memory region
    a74d3bbe0553 ARM: tegra: nexus7: Correct 3v3 regulator GPIO of PM269 variant
    e89f4098d528 ARM: tegra: wm8903: Fix polarity of headphones-detection GPIO in device-trees
    c8815d6fee79 arm64: dts: ti: k3-am654x/j721e/j7200-common-proc-board: Fix MCU_RGMII1_TXC direction
    28d2ae98154e ARM: dts: OMAP2+: Replace underscores in sub-mailbox node names
    a73a22a69f6a ARM: dts: am335x: fix ti,no-reset-on-init flag for gpios
    ddf2d14894d0 ARM: dts: am437x-gp-evm: fix ti,no-reset-on-init flag for gpios
    a09b4c444941 ARM: dts: am57xx-cl-som-am57x: fix ti,no-reset-on-init flag for gpios
    3f0948569997 kbuild: sink stdout from cmd for silent build
    27582c9fa294 rtc: mxc_v2: add missing MODULE_DEVICE_TABLE
    6f5891a560df ARM: dts: imx6dl-riotboard: configure PHY clock and set proper EEE value
    5190a6604a10 ARM: dts: ux500: Fix orientation of accelerometer
    61fda04276bb ARM: dts: ux500: Rename gpio-controller node
    985947c53555 ARM: dts: ux500: Fix interrupt cells
    ff9ef21bb6fb arm64: dts: rockchip: fix regulator-gpio states array
    31e1b8c07d35 ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
    d05ebeffca1d ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
    249d8e4ea168 ARM: dts: Hurricane 2: Fix NAND nodes names
    f6541401dbd6 ARM: dts: BCM63xx: Fix NAND nodes names
    b5fc6b9ab427 ARM: NSP: dts: fix NAND nodes names
    5f844007eb91 ARM: Cygnus: dts: fix NAND nodes names
    9525d58c5af8 ARM: brcmstb: dts: fix NAND nodes names
    4e8eb51ae633 reset: ti-syscon: fix to_ti_syscon_reset_data macro
    cabcb576fc3e arm64: dts: rockchip: Fix power-controller node names for rk3399
    81ea23d988f9 arm64: dts: rockchip: Fix power-controller node names for rk3328
    e4f97b740d6a arm64: dts: rockchip: Fix power-controller node names for px30
    95b64be2e741 ARM: dts: rockchip: Fix power-controller node names for rk3288
    5881af8d692b ARM: dts: rockchip: Fix power-controller node names for rk3188
    70abb828312a ARM: dts: rockchip: Fix power-controller node names for rk3066a
    fc01549d7b87 ARM: dts: rockchip: Fix IOMMU nodes properties on rk322x
    55014c38e73d ARM: dts: rockchip: Fix the timer clocks order
    2e1f681b680c arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi
    7d3408c72336 ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288
    e2d1e4416174 ARM: dts: rockchip: Fix thermal sensor cells o rk322x
    c8f0cef75dd7 ARM: dts: gemini: add device_type on pci
    191523dcfa68 ARM: dts: gemini: rename mdio to the right name

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 73d94f33b328200fbf9655ab71381a27e6f55bf8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 133b1f6fe3..2e46d72dfa 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "dad5434fab65cdd316f940c5e9bd46e0d0607b5a"
-SRCREV_meta ?= "c3900f83a5679b563adff82c24fdeb02096ed736"
+SRCREV_machine ?= "e1b9700217e1dd963f9b034ffde9863abb53a92d"
+SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.52"
+LINUX_VERSION ?= "5.10.53"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 238123a42f..073dff1a5b 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.52"
+LINUX_VERSION ?= "5.10.53"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "faa3b7802d0ee1fe0217283ecaf2c54c9503fa20"
-SRCREV_machine ?= "240422889570d39c3f7d63808159c8e743117a1d"
-SRCREV_meta ?= "c3900f83a5679b563adff82c24fdeb02096ed736"
+SRCREV_machine_qemuarm ?= "d5a79da206965b27043f558739b28a434efca75c"
+SRCREV_machine ?= "f44b5bb716fdb6f804383fa087c9fdb54584cd5b"
+SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 40a2a5e3b2..1c072b3e22 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "96a6083817785461bcabad63f3872d0a08b21c29"
-SRCREV_machine_qemuarm64 ?= "c8d8b20a749f476020d0844d76f63cd9e4cca644"
-SRCREV_machine_qemumips ?= "acdebd5080a846f3906ba1d5343d5af5c4b76522"
-SRCREV_machine_qemuppc ?= "afd31d567447f4693b7c9af35f09bb37cc0c0fa4"
-SRCREV_machine_qemuriscv64 ?= "c2dc854ee7392d43728093bfc206a2ade98c76dd"
-SRCREV_machine_qemuriscv32 ?= "c2dc854ee7392d43728093bfc206a2ade98c76dd"
-SRCREV_machine_qemux86 ?= "c2dc854ee7392d43728093bfc206a2ade98c76dd"
-SRCREV_machine_qemux86-64 ?= "c2dc854ee7392d43728093bfc206a2ade98c76dd"
-SRCREV_machine_qemumips64 ?= "efad0ca4150cddffa6d052ffb53fec0553de4da8"
-SRCREV_machine ?= "c2dc854ee7392d43728093bfc206a2ade98c76dd"
-SRCREV_meta ?= "c3900f83a5679b563adff82c24fdeb02096ed736"
+SRCREV_machine_qemuarm ?= "c74da440f36f7073b1e99f42cb363031bb0c38ca"
+SRCREV_machine_qemuarm64 ?= "e4e52d0a19fba26538218d78c70e54319ae00ca3"
+SRCREV_machine_qemumips ?= "60118f08d49cd825d17f11b078d5848eb5bb7e6d"
+SRCREV_machine_qemuppc ?= "eb3d2abf3d5aab1814d53767193770c282552774"
+SRCREV_machine_qemuriscv64 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
+SRCREV_machine_qemuriscv32 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
+SRCREV_machine_qemux86 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
+SRCREV_machine_qemux86-64 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
+SRCREV_machine_qemumips64 ?= "643c332e487cfa1557d14050d6e1148d1c5d75da"
+SRCREV_machine ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
+SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
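
Review bot: `SRCREV_meta` changes in all three recipes touched by this patch, but the commit message lists only the Linux 5.10.53 -stable commits and says nothing about what changed in yocto-kernel-cache. Please add the kernel-cache shortlog, or a sentence saying the meta bump carries no configuration change, so a reviewer can tell whether any kernel config fragment moved along with the version update.
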
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.52"
+LINUX_VERSION ?= "5.10.53"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.31.1



* [hardknott][PATCH 06/23] linux-yocto/5.4: update to v5.4.135
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (4 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 05/23] linux-yocto/5.10: update to v5.10.53 Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 07/23] linux-yocto-rt/5.10: update to -rt47 Anuj Mittal
                   ` (16 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:

    0a0beb1f9120 Linux 5.4.135
    d2f7b384a74f udp: annotate data races around unix_sk(sk)->gso_size
    c72374978b3f perf test bpf: Free obj_buf
    17bc942c0b96 bpftool: Properly close va_list 'ap' by va_end() on error
    84ed8340941a ipv6: tcp: drop silly ICMPv6 packet too big messages
    315033cab379 tcp: annotate data races around tp->mtu_info
    41f45e91c92c dma-buf/sync_file: Don't leak fences on merge failure
    04b06716838b net: fddi: fix UAF in fza_probe
    8aa13a86964c net: validate lwtstate->data before returning from skb_tunnel_info()
    8cff7b28ab05 net: send SYNACK packet with accepted fwmark
    b7e5563f2a78 net: ti: fix UAF in tlan:remove_one
    2b70ca92847c net: qcom/emac: fix UAF in emac:remove
    463c0addb4eb net: moxa: fix UAF in moxart_mac_probe
    7ac4a6a74e75 net: ip_tunnel: fix mtu calculation for ETHER tunnel devices
    d5dc50ca1f7a net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
    7ecd40801e5b net: bridge: sync fdb to new unicast-filtering ports
    813d45499f51 net/sched: act_ct: fix err check for nf_conntrack_confirm
    24973073562f netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
    c6f4a71153f4 net: ipv6: fix return value of ip6_skb_dst_mtu
    9872273b670a net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz
    6148ddff2dcb net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz
    d73c180e6add dm writecache: return the exact table values that were set
    8a85afc6621a mm: slab: fix kmem_cache_create failed when sysfs node not destroyed
    f53729b828db usb: cdns3: Enable TDL_CHK only for OUT ep
    52b01a808696 f2fs: Show casefolding support only when supported
    91d846016729 arm64: dts: marvell: armada-37xx: move firmware node to generic dtsi file
    f696cc7f1bc8 firmware: turris-mox-rwtm: add marvell,armada-3700-rwtm-firmware compatible string
    e2b28026b861 arm64: dts: armada-3720-turris-mox: add firmware node
    f7d1fa65e742 cifs: prevent NULL deref in cifs_compose_mount_options()
    06d8a7eb5803 s390: introduce proper type handling call_on_stack() macro
    2a47e0719ae7 sched/fair: Fix CFS bandwidth hrtimer expiry type
    5b7d065868a6 scsi: qedf: Add check to synchronize abort and flush
    0fe70c15f943 scsi: libfc: Fix array index out of bound exception
    d7b647d05586 scsi: libsas: Add LUN number check in .slave_alloc callback
    863c4bc883d5 scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
    712e9ed6134f rtc: max77686: Do not enforce (incorrect) interrupt trigger type
    199d8ea4c7b1 kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
    484193b635a7 thermal/core: Correct function name thermal_zone_device_unregister()
    556cf0283035 arm64: dts: imx8mq: assign PCIe clocks
    9d3eb68a5385 arm64: dts: ls208xa: remove bus-num from dspi node
    e054b361caec firmware: tegra: bpmp: Fix Tegra234-only builds
    94d009577033 soc/tegra: fuse: Fix Tegra234-only builds
    270a2e9fafea ARM: dts: stm32: move stmmac axi config in ethernet node on stm32mp15
    4bc66215bc22 ARM: dts: stm32: fix i2c node name on stm32f746 to prevent warnings
    856c753237ae ARM: dts: rockchip: fix supply properties in io-domains nodes
    c5bb9cc2ce23 arm64: dts: juno: Update SCPI nodes as per the YAML schema
    f572a9139396 ARM: dts: stm32: fix timer nodes on STM32 MCU to prevent warnings
    95e795474c81 ARM: dts: stm32: fix RCC node name on stm32f429 MCU
    a898aa9f88cc ARM: dts: stm32: fix gpio-keys node on STM32 MCU boards
    5c17edaaead7 ARM: dts: am437x-gp-evm: fix ti,no-reset-on-init flag for gpios
    3446233096ff ARM: dts: am57xx-cl-som-am57x: fix ti,no-reset-on-init flag for gpios
    e79e29a4e162 kbuild: sink stdout from cmd for silent build
    f817d4677582 rtc: mxc_v2: add missing MODULE_DEVICE_TABLE
    0a22b5178276 ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
    e20e85639e25 ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
    a5b19d33ae22 ARM: dts: Hurricane 2: Fix NAND nodes names
    f83535a47ff8 ARM: dts: BCM63xx: Fix NAND nodes names
    cb05b84ad7f1 ARM: NSP: dts: fix NAND nodes names
    14e3bad3b548 ARM: Cygnus: dts: fix NAND nodes names
    587a757afe73 ARM: brcmstb: dts: fix NAND nodes names
    a9c32c7aeee6 reset: ti-syscon: fix to_ti_syscon_reset_data macro
    b400afa42739 arm64: dts: rockchip: Fix power-controller node names for rk3328
    dfb4e8ed0792 arm64: dts: rockchip: Fix power-controller node names for px30
    789070f17886 ARM: dts: rockchip: Fix power-controller node names for rk3288
    6aaffe6ce8a9 ARM: dts: rockchip: Fix power-controller node names for rk3188
    439115ee56d8 ARM: dts: rockchip: Fix power-controller node names for rk3066a
    3b4c34728382 ARM: dts: rockchip: Fix IOMMU nodes properties on rk322x
    c9d29d62da59 ARM: dts: rockchip: Fix the timer clocks order
    d105e15de610 arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi
    cfe3d29e5cde ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288
    79573c64410b ARM: dts: gemini: add device_type on pci
    7037876393ce ARM: dts: gemini: rename mdio to the right name

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5c36549fab7cc27bd2f4f9e8b6be1ec8546d32bd)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index a975004d76..0b5afd83cf 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "849a67646d942d3a6d706f456df39954367ac7bf"
-SRCREV_meta ?= "d6aec4fb69bae34f34db6f153871a0847d8198f3"
+SRCREV_machine ?= "f4e30367bf1e579ff497fc9e7a16010c879048dc"
+SRCREV_meta ?= "231d3a07e10680c7c89ea101cd803b0684482b11"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.134"
+LINUX_VERSION ?= "5.4.135"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
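Review bot: SRCREV_meta moves from d6aec4fb69ba to 231d3a07e106 in this hunk (and again in the two recipes below), but the commit log only lists the linux-yocto -stable commits and says nothing about what changed in yocto-kernel-cache. That revision is fetched with type=kmeta and feeds the kernel configuration, so please list or summarize the kernel-cache commits in that range so the backport can be audited from the log alone.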
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 95ead533d1..d7911cd54e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.134"
+LINUX_VERSION ?= "5.4.135"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "86c31c51c87557af60e4d4dbee73f18618bc4c92"
-SRCREV_machine ?= "bf89a54b3f77fbac15dd0194870db288aee5c8b7"
-SRCREV_meta ?= "d6aec4fb69bae34f34db6f153871a0847d8198f3"
+SRCREV_machine_qemuarm ?= "fa414639057bbad7acd21a1a70a3847f9be469c0"
+SRCREV_machine ?= "c81f0e376b1fce7a1198eec7b286966d98eae44d"
+SRCREV_meta ?= "231d3a07e10680c7c89ea101cd803b0684482b11"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 90a557bb63..4ac84e8ca3 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "bea52ab7529ef152f99a0f6ebd97cc7e904e5360"
-SRCREV_machine_qemuarm64 ?= "8a29c9de0fc366bd89ce6954685dce0e330dbabe"
-SRCREV_machine_qemumips ?= "b15816ccad0762d27c78c269e7a1986504e60c63"
-SRCREV_machine_qemuppc ?= "906f9509a8d2f842ec8766bf81287f8939ff1fa8"
-SRCREV_machine_qemuriscv64 ?= "dd8a64a523fb714a98328441e0de72cde115a6fc"
-SRCREV_machine_qemux86 ?= "dd8a64a523fb714a98328441e0de72cde115a6fc"
-SRCREV_machine_qemux86-64 ?= "dd8a64a523fb714a98328441e0de72cde115a6fc"
-SRCREV_machine_qemumips64 ?= "152e33a0782920e9707c36ccacf53585a8911e9f"
-SRCREV_machine ?= "dd8a64a523fb714a98328441e0de72cde115a6fc"
-SRCREV_meta ?= "d6aec4fb69bae34f34db6f153871a0847d8198f3"
+SRCREV_machine_qemuarm ?= "f367cbe6d0c21c65257c66a4c9b1845fd43285f8"
+SRCREV_machine_qemuarm64 ?= "8dcb7ee83e58da8bf51ed8b72165e1ed35beb928"
+SRCREV_machine_qemumips ?= "3d4c6263bfdf95960894b75c76aa450d240e3e8e"
+SRCREV_machine_qemuppc ?= "125a824c8d14c49b640bc0d6e040d495177caa10"
+SRCREV_machine_qemuriscv64 ?= "997c04e7a40084a53bc3d45490949584364697bd"
+SRCREV_machine_qemux86 ?= "997c04e7a40084a53bc3d45490949584364697bd"
+SRCREV_machine_qemux86-64 ?= "997c04e7a40084a53bc3d45490949584364697bd"
+SRCREV_machine_qemumips64 ?= "7082f58984404a5aad90bca1dac4e27773fff26e"
+SRCREV_machine ?= "997c04e7a40084a53bc3d45490949584364697bd"
+SRCREV_meta ?= "231d3a07e10680c7c89ea101cd803b0684482b11"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.134"
+LINUX_VERSION ?= "5.4.135"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.31.1


* [hardknott][PATCH 07/23] linux-yocto-rt/5.10: update to -rt47
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/5.10:

    969fef49cbbc Linux 5.10.52-rt47
    bb5ff998ba62 Linux 5.10.47-rt46
    340f6b6cdd37 sched: Don't defer CPU pick to migration_cpu_stop()
    f3d0be7cdae8 sched: Simplify set_affinity_pending refcounts
    6b28888ca42a sched: Fix affine_move_task() self-concurrency
    ea66e426a3b7 sched: Optimize migration_cpu_stop()
    ac73ac41db62 sched: Collate affine_move_task() stoppers
    6963e6b6e008 sched: Simplify migration_cpu_stop()
    d3a5a12fd350 sched: Fix migration_cpu_stop() requeueing
    28dda3752954 Linux 5.10.47-rt45
    d5f6c5f008ee Linux 5.10.44-rt44
    ec9978fdc6aa Linux 5.10.42-rt43

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 46b1ab616a5eb792e8cb29cfbe340fecd605bea7)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 2e46d72dfa..944d171928 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,7 +11,7 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e1b9700217e1dd963f9b034ffde9863abb53a92d"
+SRCREV_machine ?= "969fef49cbbc8639e9622e6a0655337fbfcc7627"
 SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
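Review bot: SRCREV_machine is now 969fef49cbbc, which the log lists as "Linux 5.10.52-rt47", and this is the only line the patch changes, so LINUX_VERSION in this recipe is left as it was. With 05/23 in this series taking linux-yocto/5.10 to v5.10.53, please confirm that LINUX_VERSION in linux-yocto-rt_5.10.bb still matches the 5.10.52 base of this revision; if it does not, the recipe version and the kernel actually built will disagree.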
-- 
2.31.1


* [hardknott][PATCH 08/23] linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

To make the usbc fragment more generally usable, we enable
the Type-C Port Controller driver for TCPCI-compliant controller.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 485baca981188896a555d3a48c8b560718bb6e9d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb   | 2 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 944d171928..d365d91ce3 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -12,7 +12,7 @@ python () {
 }
 
 SRCREV_machine ?= "969fef49cbbc8639e9622e6a0655337fbfcc7627"
-SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
+SRCREV_meta ?= "3f38ad49cf38519dc4492a3f802b743fde7b467e"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 073dff1a5b..580d71d2ac 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "d5a79da206965b27043f558739b28a434efca75c"
 SRCREV_machine ?= "f44b5bb716fdb6f804383fa087c9fdb54584cd5b"
-SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
+SRCREV_meta ?= "3f38ad49cf38519dc4492a3f802b743fde7b467e"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 1c072b3e22..362b3ac2cb 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -23,7 +23,7 @@ SRCREV_machine_qemux86 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
 SRCREV_machine_qemux86-64 ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
 SRCREV_machine_qemumips64 ?= "643c332e487cfa1557d14050d6e1148d1c5d75da"
 SRCREV_machine ?= "0b44b705c4f7d5c83e562dd7036cb5188d622285"
-SRCREV_meta ?= "26a2a3cf764dde593325b8c08024f5990a5f6f02"
+SRCREV_meta ?= "3f38ad49cf38519dc4492a3f802b743fde7b467e"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.31.1


* [hardknott][PATCH 09/23] sstate: Fix rebuilds when changing layer config
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When adding a layer which changed SSTATE_EXCLUDEDEPS_SYSROOT, the state
hashes were changing when they should not. This was caused by wider use
of setscene_depvalid which means the dependency on the variable was seen
when it was previously not.

Exclude the variable since this should be be included in the hashes.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 09725a29365c69ccbd603fe3a1de72189f26d5ac)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/sstate.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 55d2937812..5c7a98839f 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -1018,6 +1018,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
         bb.parse.siggen.checkhashes(sq_data, missed, found, d)
 
     return found
+setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT"
 
 BB_SETSCENE_DEPVALID = "setscene_depvalid"
 
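Review bot: the new setscene_depvalid[vardepsexclude] line sits directly under "return found" of sstate_checkhashes() with no blank line or comment, although it annotates a different function. Please move it next to the setscene_depvalid definition (or at least separate it with a blank line) and add a one-line comment saying why SSTATE_EXCLUDEDEPS_SYSROOT must stay out of the hashes. Two smaller things: a plain "=" replaces any vardepsexclude already set for that function, so "+=" would be safer if one can exist, and the last sentence of the log reads "should be be included", which does not match a patch that excludes the variable; please reword it.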
-- 
2.31.1


* [hardknott][PATCH 10/23] license: Exclude COPYING.MIT from pseudo
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Along with the other license exclusions, we need to exclude the
top level COPYING.MIT file else when:

COPY_LIC_DIRS     = "1"
COPY_LIC_MANIFEST = "1"

is set, we see eSDK failures from a pseudo abort.

[YOCTO #14366]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3eb580843de3f055e42fcce60b0f15c4190c0542)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/license.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index f7978e266b..0d0faa28d7 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,7 +31,7 @@ python do_populate_lic() {
             f.write("%s: %s\n" % (key, info[key]))
 }
 
-PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
 # it would be better to copy them in do_install_append, but find_license_filesa is python
 python perform_packagecopy_prepend () {
     enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
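Review bot: the added d.getVar('COREBASE') has no "or ''" fallback, unlike the COMMON_LICENSE_DIR and LICENSE_PATH lookups on the same line, so an unset COREBASE would raise a TypeError (None + str) when PSEUDO_IGNORE_PATHS is expanded. Please guard it the same way as the other two. Also, the appended path is '/meta/COPYING' while the log talks about COPYING.MIT; PSEUDO_IGNORE_PATHS entries are path prefixes, so if only that one file is meant, spell out the full name so pseudo is not told to ignore more than needed.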
-- 
2.31.1


* [hardknott][PATCH 11/23] runqemu: Fix typo in error message
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Matthias Klein <matthias@extraklein.de>

Signed-off-by: Matthias Klein <matthias@extraklein.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5cc0051d50974e198313f9513b24fd7ae9a96dd4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 scripts/runqemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index c985f4e75a..f3527a4412 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -775,7 +775,7 @@ class BaseConfig(object):
                 raise RunQemuError('BIOS not found: %s' % bios_match_name)
 
         if not os.path.exists(self.bios):
-            raise RunQemuError("KERNEL %s not found" % self.bios)
+            raise RunQemuError("BIOS %s not found" % self.bios)
 
 
     def check_mem(self):
-- 
2.31.1


* [hardknott][PATCH 12/23] aspell: fix CVE-2019-25051
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 297f8c4eb4ff209b5ea69910902d216d86dbe2bf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-support/aspell/aspell_0.60.8.bb  |   4 +-
 .../aspell/files/CVE-2019-25051.patch         | 101 ++++++++++++++++++
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/aspell/files/CVE-2019-25051.patch

diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb
index 6548c54b64..9147c820e7 100644
--- a/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/"
 LICENSE = "LGPLv2 | LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
 
-SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
+           file://CVE-2019-25051.patch \
+"
 SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
 SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
 
diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+ 
+ namespace acommon {
+ 
+@@ -26,6 +27,12 @@ class ObjStack
+   byte * temp_end;
+   void setup_chunk();
+   void new_chunk();
++  bool will_overflow(size_t sz) const {
++    return offsetof(Node,data) + sz > chunk_size;
++  }
++  void check_size(size_t sz) {
++    assert(!will_overflow(sz));
++  }
+ 
+   ObjStack(const ObjStack &);
+   void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+   void * alloc_bottom(size_t size)  {
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++    if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+     return tmp;
+   }
+   // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+     align_bottom(align);
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); goto loop;}
++    if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+     return tmp;
+   }
+   char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+   // always be aligned as such.
+   void * alloc_top(size_t size) {
+     top -= size;
+-    if (top < bottom) {new_chunk(); top -= size;}
++    if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+     return top;
+   }
+   // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+   {loop:
+     top -= size;
+     align_top(align);
+-    if (top < bottom) {new_chunk(); goto loop;}
++    if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+     return top;
+   }
+   char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+   void * alloc_temp(size_t size) {
+     temp_end = bottom + size;
+     if (temp_end > top) {
++      check_size(size);
+       new_chunk();
+       temp_end = bottom + size;
+     }
+@@ -131,6 +139,7 @@ class ObjStack
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
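Review bot: check_size() enforces the bound with assert(), so the check is compiled out whenever aspell is built with NDEBUG defined, and the overflow this backport is meant to stop is then no longer caught. Please confirm the recipe's build flags keep assertions enabled, or raise with upstream a variant that fails the allocation unconditionally. Two further points on the same hunk: will_overflow() computes offsetof(Node,data) + sz in size_t, which wraps for very large sz and then passes the comparison, and in alloc_bottom() and alloc_top() the pointer is advanced by size before the "bottom > top" or "top < bottom" test, so check_size() only runs if that earlier pointer arithmetic did not itself wrap.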
-- 
2.31.1


* [hardknott][PATCH 13/23] createrepo-c: fix createrepo-c failed in nativesdk
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: hongxu <hongxu.jia@windriver.com>

In the SDK, calling createrepo-c failed with:
...
$ createrepo_c --update ./test_repo/rpm
Directory walk started Critical: Failed to detect compression for file
./test_repo/rpm/cortexa72/hello-2.10-r0.cortexa72.rpm: magic_load() failed: could not find any valid magic files!
...

Since commit [ea666fbc74 createrepo-c: set path to magic database for
native and nativesdk] was applied, MAGIC is incorrectly assigned.

The variable datadir will be expanded automatically for nativesdk,
so there is no need to add the prefix ${SDKPATHNATIVE} to MAGIC.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54368f1b02e1ac4aa068515730a8c8bcd3683eb3)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb b/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb
index e0433806b2..7480affbc0 100644
--- a/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb
+++ b/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb
@@ -33,8 +33,8 @@ do_install_append_class-native() {
 do_install_append_class-nativesdk() {
         create_wrapper ${D}/${bindir}/createrepo_c \
                 RPM_CONFIGDIR=${SDKPATHNATIVE}${libdir_nativesdk}/rpm \
-                MAGIC=${SDKPATHNATIVE}${datadir}/misc/magic.mgc
+                MAGIC=${datadir}/misc/magic.mgc
         create_wrapper ${D}/${bindir}/modifyrepo_c \
-                MAGIC=${SDKPATHNATIVE}${datadir}/misc/magic.mgc
+                MAGIC=${datadir}/misc/magic.mgc
         rm -rf ${D}/etc
 }
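Review bot: after this change MAGIC is built from ${datadir} alone while RPM_CONFIGDIR, two lines above in the same create_wrapper call, still carries the ${SDKPATHNATIVE} prefix, and nothing in the recipe says why the two differ. Please add a short comment above the create_wrapper calls noting that datadir is already expanded for nativesdk (as the log explains), so the prefix is not added back later and the magic_load() failure reintroduced.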
-- 
2.31.1


* [hardknott][PATCH 14/23] oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Some tests such as lttng-tools are marginal and timing out on the autobuilder
with the current 300s default. Increase to avoid this noise in the ptest
failures list.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5fb902a52e35130af6b0735a087c709daa35655f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oeqa/runtime/cases/ptest.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/runtime/cases/ptest.py b/meta/lib/oeqa/runtime/cases/ptest.py
index 0800f3c27f..00742da2b5 100644
--- a/meta/lib/oeqa/runtime/cases/ptest.py
+++ b/meta/lib/oeqa/runtime/cases/ptest.py
@@ -57,7 +57,7 @@ class PtestRunnerTest(OERuntimeTestCase):
         ptest_dirs = [ '/usr/lib' ]
         if not libdir in ptest_dirs:
             ptest_dirs.append(libdir)
-        status, output = self.target.run('ptest-runner -d \"{}\"'.format(' '.join(ptest_dirs)), 0)
+        status, output = self.target.run('ptest-runner -t 450 -d \"{}\"'.format(' '.join(ptest_dirs)), 0)
         os.makedirs(ptest_log_dir)
         with open(ptest_runner_log, 'w') as f:
             f.write(output)
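Review bot: the 450 is hard-coded inside the command string passed to self.target.run(), so a slower target or a later adjustment needs another code change. Please lift it into a named constant or a configurable value, and add a comment that it is the ptest-runner -t timeout in seconds, raised from the 300s default mentioned in the log.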
-- 
2.31.1


* [hardknott][PATCH 15/23] cve-check: fix comments
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Michael Opdenacker <michael.opdenacker@bootlin.com>

This implements various fixes in comments in cve-check.bbclass.
In particular, the "whitlisted" typo is important as the "whitelisted"
word is going to be replaced in the near future.

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5eecd2bf942254d08c252388594e5ec7ae330f45)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/cve-check.bbclass | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d..7cc2a703db 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,7 +20,7 @@
 # the only method to check against CVEs. Running this tool
 # doesn't guarantee your packages are free of CVEs.
 
-# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# The product name that the CVE database uses defaults to BPN, but may need to
 # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
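Review bot: the context line right below the changed comment still reads "overriden" (should be "overridden"), which is worth fixing in a patch whose purpose is comment cleanup. The rewritten first line also fuses two sentences into one that is harder to parse ("The product name that the CVE database uses defaults to BPN"); keeping the full stop after "uses" and only dropping the double space would read better.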
@@ -56,11 +56,11 @@ CVE_CHECK_WHITELIST ?= ""
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
-# Layers to be included 
+# Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
 
-# set to "alphabetical" for version using single alphabetical character as increament release
+# set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
 python cve_save_summary_handler () {
@@ -230,7 +230,7 @@ def check_cves(d, patched_cves):
         return ([], [], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
-    # If the recipe has been whitlisted we return empty lists
+    # If the recipe has been whitelisted we return empty lists
     if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
-- 
2.31.1



* [hardknott][PATCH 16/23] cve-check: update link to NVD website for CVE details
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (14 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 15/23] cve-check: fix comments Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 17/23] cve-check: improve comment about CVE patch file names Anuj Mittal
                   ` (6 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Michael Opdenacker <michael.opdenacker@bootlin.com>

The old URL schema
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-ID
now redirects to
https://nvd.nist.gov/vuln/detail/CVE-ID

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 57adb57a9d9b08c08ab606ec7b561792e4f4ff2d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 7cc2a703db..246393338c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -355,7 +355,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     if include_layers and layer not in include_layers:
         return
 
-    nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
+    nvd_link = "https://nvd.nist.gov/vuln/detail/"
     write_string = ""
     unpatched_cves = []
     bb.utils.mkdirhier(os.path.dirname(cve_file))
-- 
2.31.1



* [hardknott][PATCH 17/23] cve-check: improve comment about CVE patch file names
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (15 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 16/23] cve-check: update link to NVD website for CVE details Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 18/23] curl: fix CVE-2021-22925 Anuj Mittal
                   ` (5 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Michael Opdenacker <michael.opdenacker@bootlin.com>

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8aa613480663e11ecc62278d8c57ca719eb23899)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/cve-check.bbclass | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 246393338c..4fa1a64f85 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,9 +166,12 @@ def get_patches_cves(d):
     pn = d.getVar("PN")
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
 
-    # Matches last CVE-1234-211432 in the file name, also if written
-    # with small letters. Not supporting multiple CVE id's in a single
-    # file name.
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+
     cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
 
     patched_cves = set()
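Review bot: The added blank "+" line at the end of the new comment separates it from cve_file_name_match, the regex it documents; drop that line so the comment stays attached to the code. "patch files contents" should read "patch file contents", and since the commit has no message body, one sentence stating that only the comment wording changes and the matching behaviour does not would help anyone reading the log.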
-- 
2.31.1



* [hardknott][PATCH 18/23] curl: fix CVE-2021-22925
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (16 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 17/23] cve-check: improve comment about CVE patch file names Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 19/23] curl: fix CVES Anuj Mittal
                   ` (4 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Mingli Yu <mingli.yu@windriver.com>

CVE-2021-22925

Reported-by: Red Hat Product Security
Bug: https://curl.se/docs/CVE-2021-22925.html

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../curl/curl/CVE-2021-22925.patch            | 50 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22925.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..e3009c9533
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,50 @@
+From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+
+CVE: CVE-2021-22925
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1d3024ec4..a81bb81c3 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
++          int rv;
++          char sep[2] = "";
++          varval[0] = 0;
++          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++          if(rv == 1)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s", CURL_NEW_ENV_VAR, varname);
++          else if(rv >= 2)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
+-- 
+2.17.1
+
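Review bot: In the lib/telnet.c part of the embedded patch, the fit check still uses tmplen = strlen(v->data) + 1 while len now advances by the msnprintf return value; a one-line comment stating that the bytes written (marker, name, and the optional marker and value) never exceed tmplen would make the bound easy to verify. The case where sscanf parses no variable name at all falls through both branches and is dropped silently, which could be stated in the same comment.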
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 42be2eb0b5..b2aad0bbc2 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://vtls-fix-warning.patch \
            file://CVE-2021-22898.patch \
            file://CVE-2021-22897.patch \
+           file://CVE-2021-22925.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
-- 
2.31.1



* [hardknott][PATCH 19/23] curl: fix CVES
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (17 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 18/23] curl: fix CVE-2021-22925 Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 20/23] util-linux: fix CVE 2021-37600 Anuj Mittal
                   ` (3 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Mingli Yu <mingli.yu@windriver.com>

Backport patches to fix below CVEs:
CVE-2021-22901
CVE-2021-22924
CVE-2021-22926

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../curl/curl/CVE-2021-22901.patch            | 453 ++++++++++++++++++
 .../curl/curl/CVE-2021-22924.patch            | 298 ++++++++++++
 .../curl/curl/CVE-2021-22926.patch            |  79 +++
 meta/recipes-support/curl/curl_7.75.0.bb      |   3 +
 4 files changed, 833 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22901.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22924.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22926.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22901.patch b/meta/recipes-support/curl/curl/CVE-2021-22901.patch
new file mode 100644
index 0000000000..c5775c6306
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22901.patch
@@ -0,0 +1,453 @@
+From a801ebdc2b1c008fa72c31f1bf7773d99e6e2a2d Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 3 Aug 2021 08:41:45 +0000
+Subject: [PATCH] openssl: associate/detach the transfer from connection
+
+CVE-2021-22901
+
+Bug: https://curl.se/docs/CVE-2021-22901.html
+
+CVE: CVE-2021-22901
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/multi.c          |   5 +-
+ lib/vtls/gskit.c     |   4 +-
+ lib/vtls/gtls.c      |   4 +-
+ lib/vtls/mbedtls.c   |   4 +-
+ lib/vtls/mesalink.c  |   4 +-
+ lib/vtls/nss.c       |   4 +-
+ lib/vtls/openssl.c   | 146 +++++++++++++++++++++++++++++++------------
+ lib/vtls/schannel.c  |   6 +-
+ lib/vtls/sectransp.c |   4 +-
+ lib/vtls/vtls.c      |  23 ++++++-
+ lib/vtls/vtls.h      |  12 ++++
+ lib/vtls/wolfssl.c   |   4 +-
+ 12 files changed, 170 insertions(+), 50 deletions(-)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 85707a1..a4ff9ac 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -875,8 +875,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi)
+ void Curl_detach_connnection(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+-  if(conn)
++  if(conn) {
+     Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
++    Curl_ssl_detach_conn(data, conn);
++  }
+   data->conn = NULL;
+ }
+ 
+@@ -893,6 +895,7 @@ void Curl_attach_connnection(struct Curl_easy *data,
+   data->conn = conn;
+   Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data,
+                          &data->conn_queue);
++  Curl_ssl_associate_conn(data, conn);
+ }
+ 
+ static int waitconnect_getsock(struct connectdata *conn,
+diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
+index 9b5f649..bd9c602 100644
+--- a/lib/vtls/gskit.c
++++ b/lib/vtls/gskit.c
+@@ -1282,7 +1282,9 @@ const struct Curl_ssl Curl_ssl_gskit = {
+   Curl_none_set_engine_default,   /* set_engine_default */
+   Curl_none_engines_list,         /* engines_list */
+   Curl_none_false_start,          /* false_start */
+-  NULL                            /* sha256sum */
++  NULL,                           /* sha256sum */
++  NULL,                           /* associate_connection */
++  NULL                            /* disassociate_connection */
+ };
+ 
+ #endif /* USE_GSKIT */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 28ca528..24e036b 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1683,7 +1683,9 @@ const struct Curl_ssl Curl_ssl_gnutls = {
+   Curl_none_set_engine_default,  /* set_engine_default */
+   Curl_none_engines_list,        /* engines_list */
+   Curl_none_false_start,         /* false_start */
+-  gtls_sha256sum                 /* sha256sum */
++  gtls_sha256sum,                /* sha256sum */
++  NULL,                          /* associate_connection */
++  NULL                           /* disassociate_connection */
+ };
+ 
+ #endif /* USE_GNUTLS */
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index bd0e080..fc973c7 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -1112,7 +1112,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
+   Curl_none_set_engine_default,     /* set_engine_default */
+   Curl_none_engines_list,           /* engines_list */
+   Curl_none_false_start,            /* false_start */
+-  mbedtls_sha256sum                 /* sha256sum */
++  mbedtls_sha256sumi,               /* sha256sum */
++  NULL,                             /* associate_connection */
++  NULL                              /* disassociate_connection */
+ };
+ 
+ #endif /* USE_MBEDTLS */
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index ad807d3..8a91487 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -666,7 +666,9 @@ const struct Curl_ssl Curl_ssl_mesalink = {
+   Curl_none_set_engine_default,  /* set_engine_default */
+   Curl_none_engines_list,        /* engines_list */
+   Curl_none_false_start,         /* false_start */
+-  NULL                           /* sha256sum */
++  NULL,                          /* sha256sum */
++  NULL,                          /* associate_connection */
++  NULL                           /* disassociate_connection */
+ };
+ 
+ #endif
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index e5ab71c..fb9f763 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2444,7 +2444,9 @@ const struct Curl_ssl Curl_ssl_nss = {
+   Curl_none_set_engine_default, /* set_engine_default */
+   Curl_none_engines_list,       /* engines_list */
+   nss_false_start,              /* false_start */
+-  nss_sha256sum                 /* sha256sum */
++  nss_sha256sum,                /* sha256sum */
++  NULL,                         /* associate_connection */
++  NULL                          /* disassociate_connection */
+ };
+ 
+ #endif /* USE_NSS */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 8304264..946b4c5 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -244,6 +244,10 @@ struct ssl_backend_data {
+ #endif
+ };
+ 
++static void ossl_associate_connection(struct Curl_easy *data,
++                                      struct connectdata *conn,
++                                      int sockindex);
++
+ /*
+  * Number of bytes to read from the random number seed file. This must be
+  * a finite value (because some entropy "files" like /dev/urandom have
+@@ -2527,6 +2531,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+   curl_socket_t sockfd = conn->sock[sockindex];
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   ctx_option_t ctx_options = 0;
++  void *ssl_sessionid = NULL;
+ 
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+   bool sni;
+@@ -3224,46 +3229,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+   }
+ #endif
+ 
+-  /* Check if there's a cached ID we can/should use here! */
+-  if(SSL_SET_OPTION(primary.sessionid)) {
+-    void *ssl_sessionid = NULL;
+-    int data_idx = ossl_get_ssl_data_index();
+-    int connectdata_idx = ossl_get_ssl_conn_index();
+-    int sockindex_idx = ossl_get_ssl_sockindex_index();
+-    int proxy_idx = ossl_get_proxy_index();
+-
+-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
+-       proxy_idx >= 0) {
+-      /* Store the data needed for the "new session" callback.
+-       * The sockindex is stored as a pointer to an array element. */
+-      SSL_set_ex_data(backend->handle, data_idx, data);
+-      SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+-      SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
+-#ifndef CURL_DISABLE_PROXY
+-      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+-                      NULL);
+-#else
+-      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
+-#endif
+-
+-    }
++  ossl_associate_connection(data, conn, sockindex);
+ 
+-    Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
+-                              &ssl_sessionid, NULL, sockindex)) {
+-      /* we got a session id, use it! */
+-      if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+-        Curl_ssl_sessionid_unlock(data);
+-        failf(data, "SSL: SSL_set_session failed: %s",
+-              ossl_strerror(ERR_get_error(), error_buffer,
+-                            sizeof(error_buffer)));
+-        return CURLE_SSL_CONNECT_ERROR;
+-      }
+-      /* Informational message */
+-      infof(data, "SSL re-using session ID\n");
++  Curl_ssl_sessionid_lock(data);
++  if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                            &ssl_sessionid, NULL, sockindex)) {
++    /* we got a session id, use it! */
++    if(!SSL_set_session(backend->handle, ssl_sessionid)) {
++      Curl_ssl_sessionid_unlock(data);
++      failf(data, "SSL: SSL_set_session failed: %s",
++            ossl_strerror(ERR_get_error(), error_buffer,
++                          sizeof(error_buffer)));
++      return CURLE_SSL_CONNECT_ERROR;
+     }
+-    Curl_ssl_sessionid_unlock(data);
++     /* Informational message */
++    infof(data, "SSL re-using session ID\n");
+   }
++  Curl_ssl_sessionid_unlock(data);
+ 
+ #ifndef CURL_DISABLE_PROXY
+   if(conn->proxy_ssl[sockindex].use) {
+@@ -4481,6 +4463,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl,
+          (void *)backend->ctx : (void *)backend->handle;
+ }
+ 
++static void ossl_associate_connection(struct Curl_easy *data,
++                                      struct connectdata *conn,
++                                      int sockindex)
++{
++  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
++  struct ssl_backend_data *backend = connssl->backend;
++
++  /* If we don't have SSL context, do nothing. */
++  if(!backend->handle)
++    return;
++
++  if(SSL_SET_OPTION(primary.sessionid)) {
++    int data_idx = ossl_get_ssl_data_index();
++    int connectdata_idx = ossl_get_ssl_conn_index();
++    int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
++
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
++      /* Store the data needed for the "new session" callback.
++       * The sockindex is stored as a pointer to an array element. */
++      SSL_set_ex_data(backend->handle, data_idx, data);
++      SSL_set_ex_data(backend->handle, connectdata_idx, conn);
++      SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++    }
++  }
++}
++
++/*
++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after
++ * the handshake. If the transfer that sets up the callback gets killed before
++ * this callback arrives, we must make sure to properly clear the data to
++ * avoid UAF problems. A future optimization could be to instead store another
++ * transfer that might still be using the same connection.
++ */
++
++static void ossl_disassociate_connection(struct Curl_easy *data,
++                                         int sockindex)
++{
++  struct connectdata *conn = data->conn;
++  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
++  struct ssl_backend_data *backend = connssl->backend;
++
++  /* If we don't have SSL context, do nothing. */
++  if(!backend->handle)
++    return;
++
++  if(SSL_SET_OPTION(primary.sessionid)) {
++    bool isproxy = FALSE;
++    bool incache;
++    void *old_ssl_sessionid = NULL;
++    int data_idx = ossl_get_ssl_data_index();
++    int connectdata_idx = ossl_get_ssl_conn_index();
++    int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
++
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
++      /* Invalidate the session cache entry, if any */
++      isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE;
++
++      /* Disable references to data in "new session" callback to avoid
++       * accessing a stale pointer. */
++      SSL_set_ex_data(backend->handle, data_idx, NULL);
++      SSL_set_ex_data(backend->handle, connectdata_idx, NULL);
++      SSL_set_ex_data(backend->handle, sockindex_idx, NULL);
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++    }
++
++    Curl_ssl_sessionid_lock(data);
++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                      &old_ssl_sessionid, NULL, sockindex));
++    if(incache)
++      Curl_ssl_delsessionid(data, old_ssl_sessionid);
++    Curl_ssl_sessionid_unlock(data);
++  }
++}
++
+ const struct Curl_ssl Curl_ssl_openssl = {
+   { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */
+ 
+@@ -4514,10 +4580,12 @@ const struct Curl_ssl Curl_ssl_openssl = {
+   ossl_engines_list,        /* engines_list */
+   Curl_none_false_start,    /* false_start */
+ #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+-  ossl_sha256sum            /* sha256sum */
++  ossl_sha256sum,           /* sha256sum */
+ #else
+-  NULL                      /* sha256sum */
++  NULL,                     /* sha256sum */
+ #endif
++  ossl_associate_connection, /* associate_connection */
++  ossl_disassociate_connection /* disassociate_connection */
+ };
+ 
+ #endif /* USE_OPENSSL */
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 670310d..596106a 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -325,7 +325,7 @@ get_alg_id_by_name(char *name)
+ 
+ static CURLcode
+ set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
+-                int *algIds)
++                ALG_ID *algIds)
+ {
+   char *startCur = ciphers;
+   int algCount = 0;
+@@ -2429,7 +2429,9 @@ const struct Curl_ssl Curl_ssl_schannel = {
+   Curl_none_set_engine_default,      /* set_engine_default */
+   Curl_none_engines_list,            /* engines_list */
+   Curl_none_false_start,             /* false_start */
+-  schannel_sha256sum                 /* sha256sum */
++  schannel_sha256sum,                /* sha256sum */
++  NULL,                              /* associate_connection */
++  NULL                               /* disassociate_connection */
+ };
+ 
+ #endif /* USE_SCHANNEL */
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 6d1ea7e..37b41f8 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -3311,7 +3311,9 @@ const struct Curl_ssl Curl_ssl_sectransp = {
+   Curl_none_set_engine_default,       /* set_engine_default */
+   Curl_none_engines_list,             /* engines_list */
+   sectransp_false_start,              /* false_start */
+-  sectransp_sha256sum                 /* sha256sum */
++  sectransp_sha256sum,                /* sha256sum */
++  NULL,                               /* associate_connection */
++  NULL                                /* disassociate_connection */
+ };
+ 
+ #ifdef __clang__
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 00b6268..59a7efb 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
++void Curl_ssl_associate_conn(struct Curl_easy *data,
++                             struct connectdata *conn)
++{
++  if(Curl_ssl->associate_connection) {
++    Curl_ssl->associate_connection(data, conn, FIRSTSOCKET);
++    if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted)
++      Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET);
++  }
++}
++
++void Curl_ssl_detach_conn(struct Curl_easy *data,
++                          struct connectdata *conn)
++{
++  if(Curl_ssl->disassociate_connection) {
++    Curl_ssl->disassociate_connection(data, FIRSTSOCKET);
++    if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted)
++      Curl_ssl->disassociate_connection(data, SECONDARYSOCKET);
++  }
++}
+ 
+ void Curl_ssl_close_all(struct Curl_easy *data)
+ {
+@@ -1212,7 +1231,9 @@ static const struct Curl_ssl Curl_ssl_multi = {
+   Curl_none_set_engine_default,      /* set_engine_default */
+   Curl_none_engines_list,            /* engines_list */
+   Curl_none_false_start,             /* false_start */
+-  NULL                               /* sha256sum */
++  NULL,                              /* sha256sum */
++  NULL,                              /* associate_connection */
++  NULL                               /* disassociate_connection */
+ };
+ 
+ const struct Curl_ssl *Curl_ssl =
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 1351215..94049f9 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -75,6 +75,11 @@ struct Curl_ssl {
+   bool (*false_start)(void);
+   CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen,
+                     unsigned char *sha256sum, size_t sha256sumlen);
++  
++  void (*associate_connection)(struct Curl_easy *data,
++                               struct connectdata *conn,
++                               int sockindex);
++  void (*disassociate_connection)(struct Curl_easy *data, int sockindex);
+ };
+ 
+ #ifdef USE_SSL
+@@ -264,6 +269,11 @@ bool Curl_ssl_cert_status_request(void);
+ 
+ bool Curl_ssl_false_start(void);
+ 
++void Curl_ssl_associate_conn(struct Curl_easy *data,
++                             struct connectdata *conn);
++void Curl_ssl_detach_conn(struct Curl_easy *data,
++                          struct connectdata *conn);
++
+ #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
+ 
+ #else /* if not USE_SSL */
+@@ -290,6 +300,8 @@ bool Curl_ssl_false_start(void);
+ #define Curl_ssl_cert_status_request() FALSE
+ #define Curl_ssl_false_start() FALSE
+ #define Curl_ssl_tls13_ciphersuites() FALSE
++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt
++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt
+ #endif
+ 
+ #endif /* HEADER_CURL_VTLS_H */
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index f1b12b1..f734a84 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -1165,7 +1165,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
+   Curl_none_set_engine_default,    /* set_engine_default */
+   Curl_none_engines_list,          /* engines_list */
+   Curl_none_false_start,           /* false_start */
+-  wolfssl_sha256sum                /* sha256sum */
++  wolfssl_sha256sum,               /* sha256sum */
++  NULL,                            /* associate_connection */
++  NULL                             /* disassociate_connection */
+ };
+ 
+ #endif
+-- 
+2.31.1
+
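Review bot: In the lib/vtls/mbedtls.c part of the embedded patch, the sha256sum slot changes from mbedtls_sha256sum to mbedtls_sha256sumi; the trailing "i" looks like a stray keystroke, names a function this patch does not define, and would break builds that select the mbedTLS backend, so the line should read "mbedtls_sha256sum,". The lib/vtls/schannel.c change of "int *algIds" to "ALG_ID *algIds" is unrelated to associating and detaching the transfer, so it is better left out of a CVE backport or explained in the patch header. The line added above associate_connection in struct Curl_ssl in lib/vtls/vtls.h carries trailing whitespace.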
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..f09704c8a9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,298 @@
+From 205cf19fc374ee8eb848c5448e31fa703392832e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 4 Aug 2021 01:52:40 +0000
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
+ sensitivity
+
+CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+
+CVE: CVE-2021-22924
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/url.c          | 10 ++++++----
+ lib/urldata.h      |  6 ++++--
+ lib/vtls/gtls.c    | 10 +++++-----
+ lib/vtls/nss.c     |  4 ++--
+ lib/vtls/openssl.c | 18 +++++++++---------
+ lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
+ 6 files changed, 47 insertions(+), 27 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index c02d2c2..474c53b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3695,6 +3695,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+   */
+   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
+   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
++  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.primary.cipher_list =
+@@ -3719,8 +3721,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.pinned_key =
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert =
++    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert_blob =
++    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3729,7 +3734,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+   data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
+@@ -3743,9 +3747,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+-
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
+-  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
+ 
+   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+                                     &conn->ssl_config)) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f7d60b2..7d01874 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -246,6 +246,7 @@ struct ssl_primary_config {
+   long version_max;      /* max supported version the client wants to use*/
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
++  char *issuercert;      /* optional issuer certificate filename */
+   char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+@@ -253,6 +254,7 @@ struct ssl_primary_config {
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
+   struct curl_blob *cert_blob;
++  struct curl_blob *issuercert_blob;
+   char *curves;          /* list of curves to use */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+@@ -264,8 +266,6 @@ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+-  char *issuercert;/* optional issuer certificate filename */
+-  struct curl_blob *issuercert_blob;
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+@@ -1545,6 +1545,7 @@ enum dupstring {
+   STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
+   STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
+   STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
++  STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
+   STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
+   STRING_SSL_ENGINE,      /* name of ssl engine */
+   STRING_USERNAME,        /* <username>, if used */
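Review bot: the new STRING_SSL_ISSUERCERT entry carries the same comment as STRING_SSL_ISSUERCERT_ORIG directly above it, so the enum no longer says how the two slots differ. If the _ORIG slot is still written by setopt but no longer read after the create_conn() change, either drop it or give each entry a comment naming its role; the same question applies to BLOB_SSL_ISSUERCERT next to BLOB_SSL_ISSUERCERT_ORIG in the following hunk.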
+@@ -1600,6 +1601,7 @@ enum dupblob {
+   BLOB_CERT_PROXY,
+   BLOB_KEY_ORIG,
+   BLOB_KEY_PROXY,
++  BLOB_SSL_ISSUERCERT,
+   BLOB_SSL_ISSUERCERT_ORIG,
+   BLOB_SSL_ISSUERCERT_PROXY,
+   BLOB_LAST
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 2c65ba0..d1c3919 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -855,7 +855,7 @@ gtls_connect_step3(struct Curl_easy *data,
+   if(!chainp) {
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+-       SSL_SET_OPTION(issuercert)) {
++       SSL_CONN_CONFIG(issuercert)) {
+ #ifdef HAVE_GNUTLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+@@ -1039,21 +1039,21 @@ gtls_connect_step3(struct Curl_easy *data,
+        gnutls_x509_crt_t format */
+     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     gnutls_x509_crt_init(&x509_issuer);
+-    issuerp = load_file(SSL_SET_OPTION(issuercert));
++    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+     gnutls_x509_crt_deinit(x509_issuer);
+     unload_file(issuerp);
+     if(rc <= 0) {
+       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+       gnutls_x509_crt_deinit(x509_cert);
+       return CURLE_SSL_ISSUER_ERROR;
+     }
+     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+   }
+ 
+   size = sizeof(certname);
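Review bot: inside the `if(SSL_CONN_CONFIG(issuercert))` block the `SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"` arguments to failf() and infof() can never take the "none" branch, so the ternary is dead code that the macro rename just carried over; passing SSL_CONN_CONFIG(issuercert) directly would be clearer. The return values of load_file() and gnutls_x509_crt_import() in the context lines are also unchecked before gnutls_x509_crt_check_issuer() runs, which is worth a follow-up since this block is being touched anyway.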
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index fb9f763..dab12b6 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
+   if(result)
+     goto error;
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     SECStatus ret = SECFailure;
+-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+     if(nickname) {
+       /* we support only nicknames in case of issuercert for now */
+       ret = check_issuer_cert(backend->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 946b4c5..85e1ee5 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3881,10 +3881,10 @@ static CURLcode servercert(struct Curl_easy *data,
+        deallocating the certificate. */
+ 
+     /* e.g. match issuer name with provided issuer certificate */
+-    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
+-      if(SSL_SET_OPTION(issuercert_blob))
+-        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
+-                             (int)SSL_SET_OPTION(issuercert_blob)->len);
++    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
++      if(SSL_CONN_CONFIG(issuercert_blob))
++        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
++                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
+       else {
+         fp = BIO_new(BIO_s_file());
+         if(fp == NULL) {
+@@ -3898,10 +3898,10 @@ static CURLcode servercert(struct Curl_easy *data,
+           return CURLE_OUT_OF_MEMORY;
+         }
+ 
+-        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+           if(strict)
+             failf(data, "SSL: Unable to open issuer cert (%s)",
+-                  SSL_SET_OPTION(issuercert));
++                  SSL_CONN_CONFIG(issuercert));
+           BIO_free(fp);
+           X509_free(backend->server_cert);
+           backend->server_cert = NULL;
+@@ -3913,7 +3913,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       if(!issuer) {
+         if(strict)
+           failf(data, "SSL: Unable to read issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
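Review bot: the "Unable to read issuer cert (%s)" message here formats SSL_CONN_CONFIG(issuercert), but this code is reached for both branches of the block opened by `if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob))`, so when only the blob is set the file name is NULL and the log line names nothing useful. Suggest printing a fixed marker such as "(memory blob)" when issuercert is NULL; the same applies to the "issuer check failed" and "issuer check ok" messages in the two hunks that follow.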
+@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
+         if(strict)
+           failf(data, "SSL: Certificate issuer check failed (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
+@@ -3933,7 +3933,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       }
+ 
+       infof(data, " SSL certificate issuer check ok (%s)\n",
+-            SSL_SET_OPTION(issuercert));
++            SSL_CONN_CONFIG(issuercert));
+       BIO_free(fp);
+       X509_free(issuer);
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 59a7efb..eb885da 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
++static bool safecmp(char *a, char *b)
++{
++  if(a && b)
++    return !strcmp(a, b);
++  else if(!a && !b)
++    return TRUE; /* match */
++  return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+                         struct ssl_primary_config *needle)
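Review bot: safecmp() only reads its arguments, so its parameters should be `const char *a, const char *b` rather than `char *`; that also lets it be called with const strings without a cast. The hunk also adds two blank lines after the function where the rest of the file uses one.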
+@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
++     safecmp(data->CApath, needle->CApath) &&
++     safecmp(data->CAfile, needle->CAfile) &&
++     safecmp(data->issuercert, needle->issuercert) &&
++     safecmp(data->clientcert, needle->clientcert) &&
++     safecmp(data->random_file, needle->random_file) &&
++     safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
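Review bot: after this change Curl_ssl_config_matches() compares CApath, CAfile, issuercert, clientcert, random_file and egdsocket case-sensitively with safecmp(), while cipher_list, cipher_list13 and curves stay on Curl_safe_strcasecompare(), and nothing in the function says why the two groups differ. A short comment above the condition (file names are case-sensitive, algorithm names are not) would keep a later field from being added to the wrong group, which matters here because a false match reuses a connection that was verified against different trust settings.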
+@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->sessionid = source->sessionid;
+ 
+   CLONE_BLOB(cert_blob);
++  CLONE_BLOB(issuercert_blob);
+   CLONE_STRING(CApath);
+   CLONE_STRING(CAfile);
++  CLONE_STRING(issuercert);
+   CLONE_STRING(clientcert);
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ {
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->CAfile);
++  Curl_safefree(sslc->issuercert);
+   Curl_safefree(sslc->clientcert);
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->cipher_list13);
+   Curl_safefree(sslc->pinned_key);
+   Curl_safefree(sslc->cert_blob);
++  Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
+ }
+ 
+-- 
+2.31.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22926.patch b/meta/recipes-support/curl/curl/CVE-2021-22926.patch
new file mode 100644
index 0000000000..3a803bcc98
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22926.patch
@@ -0,0 +1,79 @@
+From 6180ef7c19defa9f77ae166acb8b63ed98a9c09a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 4 Aug 2021 03:05:45 +0000
+Subject: [PATCH] sectransp: check for client certs by name first, then file
+
+CVE-2021-22926
+
+Bug: https://curl.se/docs/CVE-2021-22926.html
+
+Assisted-by: Daniel Gustafsson
+Reported-by: Harry Sintonen
+
+CVE: CVE-2021-22926
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/vtls/sectransp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 37b41f8..f8effde 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -32,6 +32,7 @@
+ #include "curl_base64.h"
+ #include "strtok.h"
+ #include "multiif.h"
++#include "strcase.h"
+ 
+ #ifdef USE_SECTRANSP
+ 
+@@ -1648,24 +1649,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
+     SecIdentityRef cert_and_key = NULL;
+ 
+-    /* User wants to authenticate with a client cert. Look for it:
+-       If we detect that this is a file on disk, then let's load it.
+-       Otherwise, assume that the user wants to use an identity loaded
+-       from the Keychain. */
+-    if(is_cert_file || is_cert_data) {
++    /* User wants to authenticate with a client cert. Look for it. Assume that
++       the user wants to use an identity loaded from the Keychain. If not, try
++       it as a file on disk */
++
++    if(!is_cert_data)
++      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
++    else
++      err = !noErr;
++    if((err != noErr) && (is_cert_file || is_cert_data)) {
+       if(!SSL_SET_OPTION(cert_type))
+-        infof(data, "WARNING: SSL: Certificate type not set, assuming "
+-                    "PKCS#12 format.\n");
+-      else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+-        strlen(SSL_SET_OPTION(cert_type))) != 0)
+-        infof(data, "WARNING: SSL: The Security framework only supports "
+-                    "loading identities that are in PKCS#12 format.\n");
++        infof(data, "SSL: Certificate type not set, assuming "
++              "PKCS#12 format.");
++      else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
++        failf(data, "SSL: The Security framework only supports "
++              "loading identities that are in PKCS#12 format.");
++        return CURLE_SSL_CERTPROBLEM;
++      }
+ 
+       err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
+-        SSL_SET_OPTION(key_passwd), &cert_and_key);
++                                       SSL_SET_OPTION(key_passwd),
++                                       &cert_and_key);
+     }
+-    else
+-      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+ 
+     if(err == noErr && cert_and_key) {
+       SecCertificateRef cert = NULL;
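Review bot: the new infof() call for the "Certificate type not set" case no longer ends in "\n", although the line it replaces did and the infof() calls in the gtls.c and openssl.c hunks earlier in this mail still do; if infof() in 7.75.0 does not append the newline itself, the backport needs to keep it. Separately, `err = !noErr;` stores a value that is not a real OSStatus only to force the file fallback; a named error constant or an explicit boolean would make the intent obvious.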
+-- 
+2.31.1
+
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index b2aad0bbc2..d64e5e1f79 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -18,6 +18,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2021-22898.patch \
            file://CVE-2021-22897.patch \
            file://CVE-2021-22925.patch \
+           file://CVE-2021-22901.patch \
+           file://CVE-2021-22924.patch \
+           file://CVE-2021-22926.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
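Review bot: CVE-2021-22926.patch only changes lib/vtls/sectransp.c, whose code sits under `#ifdef USE_SECTRANSP`, so it should not alter what is built for OE targets; the commit message could say that it is carried so that cve-check reports the CVE as patched. The new entries are also out of numeric order (22901 is listed after 22925), which makes the list harder to scan.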
-- 
2.31.1



* [hardknott][PATCH 20/23] util-linux: fix CVE 2021-37600
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (18 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 19/23] curl: fix CVES Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 21/23] qemu: fix virtio vhost-user-gpu CVEs Anuj Mittal
                   ` (2 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Joe Slater <joe.slater@windriver.com>

Backport patch, which should be in next release (2.37.2).

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-core/util-linux/util-linux.inc   |  1 +
 .../util-linux/CVE-2021-37600.patch           | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 6b47f417aa..b21d6d46d2 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -36,5 +36,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://display_testname_for_subtest.patch \
            file://avoid_parallel_tests.patch \
            file://Automake-use-EXTRA_LTLIBRARIES-instead-of-noinst_LTL.patch \
+           file://CVE-2021-37600.patch \
            "
 SRC_URI[sha256sum] = "f7516ba9d8689343594356f0e5e1a5f0da34adfbc89023437735872bb5024c5f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..11934eee8d
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,38 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+
+after version 2.37.1
+https://github.com/karelzak/util-linux.git 1c9143d0c1d...
+unmodified
+
+Upstream-Status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4d..18868cf 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ 	size_t i;
+ 
+-	if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++	if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ 		return;
+ 
+ 	p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
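Review bot: the added `p->sem_nsems > SIZE_MAX` test can only be true where size_t is narrower than the type of sem_nsems; with the uint64 count the subject line mentions, it is always false on a 64-bit build and some compilers will warn about the comparison. That is acceptable as a 32-bit guard, but a one-line comment saying so would stop it from being removed later as dead code.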
+-- 
+2.7.4
+
-- 
2.31.1



* [hardknott][PATCH 21/23] qemu: fix virtio vhost-user-gpu CVEs
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (19 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 20/23] util-linux: fix CVE 2021-37600 Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 22/23] qemu: fix CVE-2021-3527 Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 23/23] nettle: update 3.7.2 -> 3.7.3 Anuj Mittal
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

Fix a slew of CVEs (CVE-2021-3544, CVE-2021-3545, CVE-2021-3546) by
backporting the relevant patches from qemu's git.

(From OE-Core rev: ce850a5ce84f949d3114024c89ae3dd98fcbef41)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ce850a5ce84f949d3114024c89ae3dd98fcbef41)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  7 +++
 ...ix-memory-disclosure-in-virgl_cmd_ge.patch | 43 ++++++++++++++
 ...ix-resource-leak-in-vg_resource_crea.patch | 41 +++++++++++++
 ...ix-memory-leak-in-vg_resource_attach.patch | 48 +++++++++++++++
 ...ix-memory-leak-while-calling-vg_reso.patch | 50 ++++++++++++++++
 ...ix-memory-leak-in-virgl_cmd_resource.patch | 58 +++++++++++++++++++
 ...ix-memory-leak-in-virgl_resource_att.patch | 49 ++++++++++++++++
 ...ix-OOB-write-in-virgl_cmd_get_capset.patch | 49 ++++++++++++++++
 8 files changed, 345 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3921546df7..5f7d82dfed 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -57,6 +57,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-27821.patch \
            file://CVE-2021-20263.patch \
            file://CVE-2021-3392.patch \
+           file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \
+           file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \
+           file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \
+           file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \
+           file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
+           file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
+           file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
new file mode 100644
index 0000000000..981c237292
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
@@ -0,0 +1,43 @@
+CVE: CVE-2021-3545
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 9e6660c7ab..6a332d601f 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+ 
+     VUGPU_FILL_CMD(info);
+ 
++    memset(&resp, 0, sizeof(resp));
+     if (info.capset_index == 0) {
+         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+         virgl_renderer_get_cap_set(resp.capset_id,
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
new file mode 100644
index 0000000000..a9aee47e39
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:57 -0700
+Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
+ 'vg_resource_create_2d' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index f73f292c9f..b5e153d0d6 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
+         g_critical("%s: resource creation failed %d %d %d",
+                    __func__, c2d.resource_id, c2d.width, c2d.height);
+         g_free(res);
++        vugbm_buffer_destroy(&res->buffer);
+         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+         return;
+     }
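Review bot: the added `vugbm_buffer_destroy(&res->buffer);` runs after the context line `g_free(res);`, so it dereferences `res` once it has been freed. The destroy call needs to move above g_free(res) in this error path, otherwise the leak fix introduces a use-after-free.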
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
new file mode 100644
index 0000000000..1718486405
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
@@ -0,0 +1,48 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:58 -0700
+Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
+ vg_resource_attach_backing (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index b5e153d0d6..0437e52b64 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
++    if (res->iov) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++        return;
++    }
++
+     ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+     if (ret != 0) {
+         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
new file mode 100644
index 0000000000..9fc2fafe1d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:59 -0700
+Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
+ 'vg_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+	vg_resource_create_2d
+	vg_resource_attach_backing
+	vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index 0437e52b64..770dfad529 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
+     }
+ 
+     vugbm_buffer_destroy(&res->buffer);
++    g_free(res->iov);
+     pixman_image_unref(res->image);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
new file mode 100644
index 0000000000..e70f3c02c2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
@@ -0,0 +1,58 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:00 -0700
+Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
+ 'virgl_cmd_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+	virgl_cmd_create_resource_2d
+	virgl_resource_attach_backing
+	virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 6a332d601f..c669d73a1d 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+                          struct virtio_gpu_ctrl_command *cmd)
+ {
+     struct virtio_gpu_resource_unref unref;
++    struct iovec *res_iovs = NULL;
++    int num_iovs = 0;
+ 
+     VUGPU_FILL_CMD(unref);
+ 
++    virgl_renderer_resource_detach_iov(unref.resource_id,
++                                       &res_iovs,
++                                       &num_iovs);
++    g_free(res_iovs);
++
+     virgl_renderer_resource_unref(unref.resource_id);
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
new file mode 100644
index 0000000000..5efb87ca33
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
@@ -0,0 +1,49 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index c669d73a1d..a16a311d80 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
++    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+                                        res_iovs, att_rb.nr_entries);
++    if (ret != 0) {
++        g_free(res_iovs);
++    }
+ }
+ 
+ static void
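Review bot: when virgl_renderer_resource_attach_iov() fails, the new branch frees res_iovs but leaves cmd->error unset, so the guest is not told that the attach failed; the early-return path in vg_resource_attach_backing() from patch 3/7 sets VIRTIO_GPU_RESP_ERR_UNSPEC in the comparable case. The continuation line `res_iovs, att_rb.nr_entries);` also kept its old indentation after the `ret = ` prefix was added.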
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
new file mode 100644
index 0000000000..33e6a66193
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
@@ -0,0 +1,49 @@
+CVE: CVE-2021-3546
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index a16a311d80..7172104b19 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
+ 
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
++    if (!max_size) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++        return;
++    }
+     resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+-- 
+2.25.1
+
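Review bot: the 'Upstream-Status: Backport' line at the top of
0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch carries
no pointer to the upstream commit, while CVE-2021-3527-1.patch and
CVE-2021-3527-2.patch in this series follow the tag with the commit URL.
Adding the reference for the commit named in the 'From' line
(9f22893adcb02580aee5968f32baa2cd109b3ec2) would keep the backports
consistent and easier to audit. The code change itself looks fine as
placed: the '!max_size' check sits before 'g_malloc0', so the early
return has nothing to free.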
-- 
2.31.1



* [hardknott][PATCH 22/23] qemu: fix CVE-2021-3527
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (20 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 21/23] qemu: fix virtio vhost-user-gpu CVEs Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  2021-08-09 15:35 ` [hardknott][PATCH 23/23] nettle: update 3.7.2 -> 3.7.3 Anuj Mittal
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

(cherry picked from commit 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  2 +
 .../qemu/qemu/CVE-2021-3527-1.patch           | 42 +++++++++++++
 .../qemu/qemu/CVE-2021-3527-2.patch           | 59 +++++++++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5f7d82dfed..a22721004e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -64,6 +64,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
            file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
            file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
+           file://CVE-2021-3527-1.patch \
+           file://CVE-2021-3527-2.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+-- 
+GitLab
+
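Review bot: the added condition
'totalsize > 1 * MiB - ep->max_packet_size' in
usb_ep_combine_input_packets only keeps a combined packet under 1 MiB if
the next packet adds at most max_packet_size bytes, yet the first test in
the same 'if' lets any 'p->iov.size' that is a multiple of
max_packet_size keep combining. The limit is therefore a soft one: the
combined transfer can end above 1 MiB by however much the last packet
exceeds max_packet_size. That is worth stating in the commit message or
the code comment so that nothing downstream is sized to exactly 1 MiB.
The new comment also says "package" where "packet" is meant; as this is
a backport, both points are best raised upstream rather than changed
here.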
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+                 .endpoint = ep,
+                 .length = p->iov.size
+             };
+-            uint8_t buf[p->iov.size];
++            g_autofree uint8_t *buf = g_malloc(p->iov.size);
+             /* No id, we look at the ep when receiving a status back */
+             usb_packet_copy(p, buf, p->iov.size);
+             usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+                                         &bulk_packet, NULL, 0);
+     } else {
+-        uint8_t buf[size];
++        g_autofree uint8_t *buf = g_malloc(size);
+         usb_packet_copy(p, buf, size);
+         usbredir_log_data(dev, "bulk data out:", buf, size);
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+                                                USBPacket *p, uint8_t ep)
+ {
+     struct usb_redir_interrupt_packet_header interrupt_packet;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ 
+     DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+             p->iov.size, p->id);
+-- 
+GitLab
+
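Review bot: in all three redirect.c hunks the buffer length
('p->iov.size', or 'size' in usbredir_handle_bulk_data) is passed to
g_malloc with no upper bound visible in these lines, and g_malloc aborts
the process when the allocation fails. The change therefore replaces an
unbounded stack allocation with an unbounded heap allocation. The 1 MiB
limit from CVE-2021-3527-1.patch is applied to combined packets in
combined-packet.c; the commit message should say what bounds the sizes
on the iso and interrupt-out paths, or those paths should use
g_try_malloc with an error return where the size is not otherwise
limited.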
-- 
2.31.1



* [hardknott][PATCH 23/23] nettle: update 3.7.2 -> 3.7.3
  2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
                   ` (21 preceding siblings ...)
  2021-08-09 15:35 ` [hardknott][PATCH 22/23] qemu: fix CVE-2021-3527 Anuj Mittal
@ 2021-08-09 15:35 ` Anuj Mittal
  22 siblings, 0 replies; 24+ messages in thread
From: Anuj Mittal @ 2021-08-09 15:35 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

fix CVE-2021-3580

(From OE-Core rev: 219c89310264f99c2c43bb80e437a8a1e8e3217a)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../recipes-support/nettle/{nettle_3.7.2.bb => nettle_3.7.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/nettle/{nettle_3.7.2.bb => nettle_3.7.3.bb} (96%)

diff --git a/meta/recipes-support/nettle/nettle_3.7.2.bb b/meta/recipes-support/nettle/nettle_3.7.3.bb
similarity index 96%
rename from meta/recipes-support/nettle/nettle_3.7.2.bb
rename to meta/recipes-support/nettle/nettle_3.7.3.bb
index f8f3360086..031500d741 100644
--- a/meta/recipes-support/nettle/nettle_3.7.2.bb
+++ b/meta/recipes-support/nettle/nettle_3.7.3.bb
@@ -24,7 +24,7 @@ SRC_URI_append_class-target = "\
             file://dlopen-test.patch \
             "
 
-SRC_URI[sha256sum] = "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162"
+SRC_URI[sha256sum] = "661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0"
 
 UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
 
-- 
2.31.1

