[hardknott][PATCH 00/15] Patch review

[hardknott][PATCH 00/15] Patch review

[Anuj Mittal]

Next set of changes for hardknott. Please review.

No issues while testing except for an intermittent and unrelated failure
in qemuppc.

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3140

Thanks,

Anuj

The following changes since commit 7e569186820163d731cbb14f8c25ce6a2cc45dc9:

  python3-pyelftools: fix the override syntax (2022-01-11 10:07:36 +0800)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/hardknott

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.89
  linux-yocto/5.10/cfg: add kcov feature fragment
  linux-yocto/5.10: update to v5.10.90
  linux-yocto/5.10: amdgpu: updates for CVE-2021-42327
  linux-yocto/5.10: update to v5.10.91

Changqing Li (1):
  libsndfile1: fix CVE-2021-4156

Chen Qi (1):
  populate_sdk_base: remove unneeded dirs such as /dev

Joshua Watt (1):
  selftest: reproducible: Set maximum report size

Kevin Hao (2):
  arch-armv8-5a.inc: Add tune include for armv8.5a
  armv9a/tune: Add the support for the Neoverse N2 core

Konrad Weihmann (1):
  cve-check: add lockfile to task

Richard Purdie (1):
  scripts: Update to use exec_module() instead of load_module()

Robert Joslyn (1):
  curl: Backport CVE fixes

Ross Burton (1):
  xserver-xorg: whitelist two CVEs

Sakib Sajal (1):
  go: upgrade 1.16.10 -> 1.16.13

 meta/classes/cve-check.bbclass                |   1 +
 meta/classes/populate_sdk_base.bbclass        |  11 +-
 .../machine/include/arm/arch-armv8-5a.inc     |  19 +
 .../include/arm/armv9a/tune-neoversen2.inc    |  22 ++
 meta/lib/oeqa/selftest/cases/reproducible.py  |  10 +-
 .../go/{go-1.16.10.inc => go-1.16.13.inc}     |   4 +-
 ...1.16.10.bb => go-binary-native_1.16.13.bb} |   4 +-
 ....16.10.bb => go-cross-canadian_1.16.13.bb} |   0
 ...o-cross_1.16.10.bb => go-cross_1.16.13.bb} |   0
 ...ssdk_1.16.10.bb => go-crosssdk_1.16.13.bb} |   0
 ...native_1.16.10.bb => go-native_1.16.13.bb} |   0
 ...ntime_1.16.10.bb => go-runtime_1.16.13.bb} |   0
 .../go/{go_1.16.10.bb => go_1.16.13.bb}       |   0
 .../xorg-xserver/xserver-xorg.inc             |   8 +
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 .../libsndfile1/CVE-2021-4156.patch           |  32 ++
 .../libsndfile/libsndfile1_1.0.28.bb          |   1 +
 .../curl/curl/CVE-2021-22945.patch            |  35 ++
 .../curl/curl/CVE-2021-22946.patch            | 333 ++++++++++++++++
 .../curl/curl/CVE-2021-22947.patch            | 357 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   8 +
 scripts/lib/scriptutils.py                    |   7 +-
 scripts/lib/wic/pluginbase.py                 |   8 +-
 25 files changed, 867 insertions(+), 31 deletions(-)
 create mode 100644 meta/conf/machine/include/arm/arch-armv8-5a.inc
 create mode 100644 meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
 rename meta/recipes-devtools/go/{go-1.16.10.inc => go-1.16.13.inc} (91%)
 rename meta/recipes-devtools/go/{go-binary-native_1.16.10.bb => go-binary-native_1.16.13.bb} (83%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.16.10.bb => go-cross-canadian_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.16.10.bb => go-cross_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.16.10.bb => go-crosssdk_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.16.10.bb => go-native_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.16.10.bb => go-runtime_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.16.10.bb => go_1.16.13.bb} (100%)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22945.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22947.patch

-- 
2.34.1

[hardknott][PATCH 01/15] go: upgrade 1.16.10 -> 1.16.13

[Anuj Mittal]

From: Sakib Sajal <sakib.sajal@windriver.com>

Release 1.16.13 includes fixes for CVE-2021-44716 and CVE-2021-44717.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/go/{go-1.16.10.inc => go-1.16.13.inc}   | 4 ++--
 ...o-binary-native_1.16.10.bb => go-binary-native_1.16.13.bb} | 4 ++--
 ...cross-canadian_1.16.10.bb => go-cross-canadian_1.16.13.bb} | 0
 .../go/{go-cross_1.16.10.bb => go-cross_1.16.13.bb}           | 0
 .../go/{go-crosssdk_1.16.10.bb => go-crosssdk_1.16.13.bb}     | 0
 .../go/{go-native_1.16.10.bb => go-native_1.16.13.bb}         | 0
 .../go/{go-runtime_1.16.10.bb => go-runtime_1.16.13.bb}       | 0
 meta/recipes-devtools/go/{go_1.16.10.bb => go_1.16.13.bb}     | 0
 8 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-devtools/go/{go-1.16.10.inc => go-1.16.13.inc} (91%)
 rename meta/recipes-devtools/go/{go-binary-native_1.16.10.bb => go-binary-native_1.16.13.bb} (83%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.16.10.bb => go-cross-canadian_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.16.10.bb => go-cross_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.16.10.bb => go-crosssdk_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.16.10.bb => go-native_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.16.10.bb => go-runtime_1.16.13.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.16.10.bb => go_1.16.13.bb} (100%)

diff --git a/meta/recipes-devtools/go/go-1.16.10.inc b/meta/recipes-devtools/go/go-1.16.13.inc
similarity index 91%
rename from meta/recipes-devtools/go/go-1.16.10.inc
rename to meta/recipes-devtools/go/go-1.16.13.inc
index 08c85b275b..8675afc3bb 100644
--- a/meta/recipes-devtools/go/go-1.16.10.inc
+++ b/meta/recipes-devtools/go/go-1.16.13.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.16"
-PV = "1.16.10"
+PV = "1.16.13"
 FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -18,7 +18,7 @@ SRC_URI += "\
     file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
     file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \
 "
-SRC_URI[main.sha256sum] = "a905472011585e403d00d2a41de7ced29b8884309d73482a307f689fd0f320b5"
+SRC_URI[main.sha256sum] = "b0926654eaeb01ef43816638f42d7b1681f2d3f41b9559f07735522b7afad41a"
 
 # Upstream don't believe it is a signifiant real world issue and will only
 # fix in 1.17 onwards where we can drop this.
diff --git a/meta/recipes-devtools/go/go-binary-native_1.16.10.bb b/meta/recipes-devtools/go/go-binary-native_1.16.13.bb
similarity index 83%
rename from meta/recipes-devtools/go/go-binary-native_1.16.10.bb
rename to meta/recipes-devtools/go/go-binary-native_1.16.13.bb
index 4866c9f847..6e498a17be 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.16.10.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.16.13.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
 PROVIDES = "go-native"
 
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "414cd18ce1d193769b9e97d2401ad718755ab47816e13b2a1cde203d263b55cf"
-SRC_URI[go_linux_arm64.sha256sum] = "bfe1d4b82626c742b4690a832ca59a21e3d702161556f3c0ed26dffb368927e9"
+SRC_URI[go_linux_amd64.sha256sum] = "275fc03c90c13b0bbff13125a43f1f7a9f9c00a0d5a9f2d5b16dbc2fa2c6e12a"
+SRC_URI[go_linux_arm64.sha256sum] = "3dd8e14837105cbfedf7124c7f8c524ce492748c370036c7316ef99e18d116d7"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.16.10.bb b/meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross-canadian_1.16.10.bb
rename to meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.16.10.bb b/meta/recipes-devtools/go/go-cross_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross_1.16.10.bb
rename to meta/recipes-devtools/go/go-cross_1.16.13.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.16.10.bb b/meta/recipes-devtools/go/go-crosssdk_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-crosssdk_1.16.10.bb
rename to meta/recipes-devtools/go/go-crosssdk_1.16.13.bb
diff --git a/meta/recipes-devtools/go/go-native_1.16.10.bb b/meta/recipes-devtools/go/go-native_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-native_1.16.10.bb
rename to meta/recipes-devtools/go/go-native_1.16.13.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.16.10.bb b/meta/recipes-devtools/go/go-runtime_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-runtime_1.16.10.bb
rename to meta/recipes-devtools/go/go-runtime_1.16.13.bb
diff --git a/meta/recipes-devtools/go/go_1.16.10.bb b/meta/recipes-devtools/go/go_1.16.13.bb
similarity index 100%
rename from meta/recipes-devtools/go/go_1.16.10.bb
rename to meta/recipes-devtools/go/go_1.16.13.bb
-- 
2.34.1

[hardknott][PATCH 02/15] libsndfile1: fix CVE-2021-4156

[Anuj Mittal]

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../libsndfile1/CVE-2021-4156.patch           | 32 +++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.28.bb          |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
new file mode 100644
index 0000000000..b0ff1a0885
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
@@ -0,0 +1,32 @@
+From 5adbc377cd90aa40f0cd56ae325ca70065a8aa19 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 13 Jan 2022 16:45:59 +0800
+Subject: [PATCH] flac: Fix improper buffer reusing
+
+CVE: CVE-2021-4156.patch
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/issues/731]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/flac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/flac.c b/src/flac.c
+index 0be82ac..6548bba 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ 	/* Decode some more. */
+ 	while (pflac->pos < pflac->len)
+ 	{	if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
++		{	psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
++			/* Current frame is busted, so NULL the pointer. */
++			pflac->frame = NULL ;
+ 			break ;
++                }
+ 		state = FLAC__stream_decoder_get_state (pflac->fsd) ;
+ 		if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
+ 		{	psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
+-- 
+2.17.1
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 044881a859..8eb007884e 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2017-12562.patch \
            file://CVE-2018-19758.patch \
            file://CVE-2019-3832.patch \
+           file://CVE-2021-4156.patch \
           "
 
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
-- 
2.34.1

[hardknott][PATCH 03/15] arch-armv8-5a.inc: Add tune include for armv8.5a

[Anuj Mittal]

From: Kevin Hao <kexin.hao@windriver.com>

This adds support for the armv8.5a architecture and the crypto
extension.

(From OE-Core rev: 0cb1a6d9cb4c32526d79dad93c8053b3793053f8)

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Kevin: Convert to the old style override syntax]
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../machine/include/arm/arch-armv8-5a.inc     | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 meta/conf/machine/include/arm/arch-armv8-5a.inc

diff --git a/meta/conf/machine/include/arm/arch-armv8-5a.inc b/meta/conf/machine/include/arm/arch-armv8-5a.inc
new file mode 100644
index 0000000000..44c3b5bd22
--- /dev/null
+++ b/meta/conf/machine/include/arm/arch-armv8-5a.inc
@@ -0,0 +1,19 @@
+DEFAULTTUNE ?= "armv8-5a"
+
+TUNEVALID[armv8-5a] = "Enable instructions for ARMv8.5-a"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8-5a', ' -march=armv8.5-a', '', d)}"
+# TUNE crypto will be handled by arch-armv8a.inc below
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8-5a', 'armv8-5a:', '', d)}"
+
+require conf/machine/include/arm/arch-armv8a.inc
+
+# Little Endian base configs
+AVAILTUNES += "armv8-5a armv8-5a-crypto"
+ARMPKGARCH_tune-armv8-5a                    ?= "armv8-5a"
+ARMPKGARCH_tune-armv8-5a-crypto             ?= "armv8-5a"
+TUNE_FEATURES_tune-armv8-5a                  = "aarch64 armv8-5a"
+TUNE_FEATURES_tune-armv8-5a-crypto           = "${TUNE_FEATURES_tune-armv8-5a} crypto"
+PACKAGE_EXTRA_ARCHS_tune-armv8-5a            = "${PACKAGE_EXTRA_ARCHS_tune-armv8a} armv8-5a"
+PACKAGE_EXTRA_ARCHS_tune-armv8-5a-crypto     = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a} armv8-5a-crypto"
+BASE_LIB_tune-armv8-5a                       = "lib64"
+BASE_LIB_tune-armv8-5a-crypto                = "lib64"
-- 
2.34.1

[hardknott][PATCH 04/15] armv9a/tune: Add the support for the Neoverse N2 core

[Anuj Mittal]

From: Kevin Hao <kexin.hao@windriver.com>

This adds the support for the Neoverse N2 core, even though the
Neoverse N2 core implements the Arm v9.0-A architecture, but the support
of it in GCC is based on the Arm v8.5-A architecture. Please see the
commit 50d9db203bc3 ("aarch64: Add support for Neoverse N2 CPU") in GCC
for more detail.

(From OE-Core rev: 37597397f03b6b0082a702147dc536ff8b2fa7a3)

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Kevin: Convert to the old style override syntax]
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../include/arm/armv9a/tune-neoversen2.inc    | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc

diff --git a/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc b/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
new file mode 100644
index 0000000000..dedabcf46e
--- /dev/null
+++ b/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
@@ -0,0 +1,22 @@
+#
+# Tune Settings for Neoverse-N2
+#
+DEFAULTTUNE ?= "neoversen2"
+
+TUNEVALID[neoversen2] = "Enable Neoverse-N2 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'neoversen2', ' -mcpu=neoverse-n2', '', d)}"
+
+# Even though the Neoverse N2 core implemnts the Arm v9.0-A architecture,
+# but the support of it in GCC is based on the Arm v8.5-A architecture.
+require conf/machine/include/arm/arch-armv8-5a.inc
+
+# Little Endian base configs
+AVAILTUNES                                         += "neoversen2 neoversen2-crypto"
+ARMPKGARCH_tune-neoversen2                          = "neoversen2"
+ARMPKGARCH_tune-neoversen2-crypto                   = "neoversen2-crypto"
+TUNE_FEATURES_tune-neoversen2                       = "${TUNE_FEATURES_tune-armv8-5a} neoversen2"
+TUNE_FEATURES_tune-neoversen2-crypto                = "${TUNE_FEATURES_tune-neoversen2} crypto"
+PACKAGE_EXTRA_ARCHS_tune-neoversen2                 = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a} neoversen2"
+PACKAGE_EXTRA_ARCHS_tune-neoversen2-crypto          = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a-crypto} neoversen2 neoversen2-crypto"
+BASE_LIB_tune-neoversen2                            = "lib64"
+BASE_LIB_tune-neoversen2-crypto                     = "lib64"
-- 
2.34.1

[hardknott][PATCH 05/15] curl: Backport CVE fixes

[Anuj Mittal]

From: Robert Joslyn <robert.joslyn@redrectangle.org>

Backport fixes for CVE-2021-22922, CVE-2021-22923, CVE-2021-22945,
CVE-2021-22946, and CVE-2021-22947.

 * https://curl.se/docs/CVE-2021-22922.html
 * https://curl.se/docs/CVE-2021-22923.html
 * https://curl.se/docs/CVE-2021-22945.html
 * https://curl.se/docs/CVE-2021-22946.html
 * https://curl.se/docs/CVE-2021-22947.html

22922 and 22923 were fixed by upstream by simply removing metalink
support in newer versions. These are mitigated in older versions by
disabling metalink support, which was already done by the recipe, so
whitelist these CVEs.

22945, 22946, and 22947 are backported with only trivial patch fuzz
modifications.

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../curl/curl/CVE-2021-22945.patch            |  35 ++
 .../curl/curl/CVE-2021-22946.patch            | 333 ++++++++++++++++
 .../curl/curl/CVE-2021-22947.patch            | 357 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   8 +
 4 files changed, 733 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22945.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22947.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22945.patch b/meta/recipes-support/curl/curl/CVE-2021-22945.patch
new file mode 100644
index 0000000000..44c42632ed
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22945.patch
@@ -0,0 +1,35 @@
+From 43157490a5054bd24256fe12876931e8abc9df49 Mon Sep 17 00:00:00 2001
+From: z2_ on hackerone <>
+Date: Tue, 24 Aug 2021 09:50:33 +0200
+Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
+
+CVE-2021-22945
+
+Bug: https://curl.se/docs/CVE-2021-22945.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/43157490a5054bd24256fe12876931e8abc9df49]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+
+---
+ lib/mqtt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/mqtt.c b/lib/mqtt.c
+index f077e6c3d..fcd40b41e 100644
+--- a/lib/mqtt.c
++++ b/lib/mqtt.c
+@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
+     mq->sendleftovers = sendleftovers;
+     mq->nsend = nsend;
+   }
++  else {
++    mq->sendleftovers = NULL;
++    mq->nsend = 0;
++  }
+   return result;
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..1cb95f0ea7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,333 @@
+From 7c6e072216001fb1280d1868adfdcb54e3372ce7 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+
+Bug: https://curl.se/docs/CVE-2021-22946.html
+
+CVE-2021-22946
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+
+---
+ lib/ftp.c               |  9 ++++---
+ lib/imap.c              | 24 ++++++++----------
+ lib/pop3.c              | 33 +++++++++++-------------
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3818a9e..8b3fe1d 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2665,9 +2665,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
+     /* we have now received a full FTP server response */
+     switch(ftpc->state) {
+     case FTP_WAIT220:
+-      if(ftpcode == 230)
+-        /* 230 User logged in - already! */
+-        return ftp_state_user_resp(data, ftpcode, ftpc->state);
++      if(ftpcode == 230) {
++        /* 230 User logged in - already! Take as 220 if TLS required. */
++        if(data->set.use_ssl <= CURLUSESSL_TRY ||
++           conn->bits.ftp_use_control_ssl)
++          return ftp_state_user_resp(data, ftpcode, ftpc->state);
++      }
+       else if(ftpcode != 220) {
+         failf(data, "Got a %03d ftp-server response when 220 was expected",
+               ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 2d80699..b056208 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -933,22 +933,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
+       line += wordlen;
+     }
+   }
+-  else if(imapcode == IMAP_RESP_OK) {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(imapc->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = imap_perform_starttls(data, conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = imap_perform_authentication(data, conn);
+-      else {
+-        failf(data, "STARTTLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
++  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
++    /* PREAUTH is not compatible with STARTTLS. */
++    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
++      /* Switch to TLS connection now */
++      result = imap_perform_starttls(data, conn);
+     }
+-    else
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+       result = imap_perform_authentication(data, conn);
++    else {
++      failf(data, "STARTTLS not available.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+   else
+     result = imap_perform_authentication(data, conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 0ed3d3e..018fda1 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -738,28 +738,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
+       }
+     }
+   }
+-  else if(pop3code == '+') {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(pop3c->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = pop3_perform_starttls(data, conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = pop3_perform_authentication(data, conn);
+-      else {
+-        failf(data, "STLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+-    }
+-    else
+-      result = pop3_perform_authentication(data, conn);
+-  }
+   else {
+     /* Clear text is supported when CAPA isn't recognised */
+-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
++    if(pop3code != '+')
++      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ 
+-    result = pop3_perform_authentication(data, conn);
++    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
++      result = pop3_perform_authentication(data, conn);
++    else if(pop3code == '+' && pop3c->tls_supported)
++      /* Switch to TLS connection now */
++      result = pop3_perform_starttls(data, conn);
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
++      /* Fallback and carry on with authentication */
++      result = pop3_perform_authentication(data, conn);
++    else {
++      failf(data, "STLS not supported.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+ 
+   return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e08cfc7..e6e2551 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+ \
++test984 test985 test986 \
++\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
++++ b/tests/data/test984
+@@ -0,0 +1,56 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPABILITY A001 BAD Not implemented
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP require STARTTLS with failing capabilities
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++A001 CAPABILITY
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
++++ b/tests/data/test985
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPA -ERR Not implemented
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 require STARTTLS with failing capabilities
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++CAPA
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
++++ b/tests/data/test986
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY welcome 230 Welcome
++REPLY AUTH 500 unknown command
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP require STARTTLS while preauthenticated
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++AUTH SSL
++AUTH TLS
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..9bd9890d72
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,357 @@
+From f3f2d2554d09ca0e13039e4915b83faaa55961c4 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+
+ pipelining
+
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+
+CVE-2021-22947
+
+Bug: https://curl.se/docs/CVE-2021-22947.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+
+---
+ lib/ftp.c               |  3 +++
+ lib/imap.c              |  4 +++
+ lib/pop3.c              |  4 +++
+ lib/smtp.c              |  4 +++
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 236 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 8b3fe1d..a55566a 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2727,6 +2727,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
+     case FTP_AUTH:
+       /* we have gotten the response to a previous AUTH command */
+ 
++      if(pp->cache_size)
++        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
++
+       /* RFC2228 (page 5) says:
+        *
+        * If the server is willing to accept the named security mechanism,
+diff --git a/lib/imap.c b/lib/imap.c
+index b056208..9230f17 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -962,6 +962,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.imapc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(imapcode != IMAP_RESP_OK) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 018fda1..4f953f7 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -769,6 +769,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
+   CURLcode result = CURLE_OK;
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.pop3c.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(pop3code != '+') {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index 1fc8800..51445f6 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -832,6 +832,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
+   CURLcode result = CURLE_OK;
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.smtpc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(smtpcode != 220) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e6e2551..22d7a0b 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+ \
+-test984 test985 test986 \
++test980 test981 test982 test983 test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
++++ b/tests/data/test980
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++SMTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++AUTH PLAIN
++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
++REPLY AUTH 535 5.7.8 Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++smtp
++</server>
++ <name>
++SMTP STARTTLS pipelined server response
++ </name>
++<stdin>
++mail body
++</stdin>
++ <command>
++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++EHLO %TESTNUMBER
++STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
++++ b/tests/data/test981
+@@ -0,0 +1,59 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
++REPLY LOGIN A003 BAD Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP STARTTLS pipelined server response
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++A001 CAPABILITY
++A002 STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
++++ b/tests/data/test982
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STLS USER
++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
++REPLY PASS -ERR Authentication credentials invalid
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 STARTTLS pipelined server response
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++CAPA
++STLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
++++ b/tests/data/test983
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
++REPLY PASS 530 Login incorrect
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP STARTTLS pipelined server response
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++AUTH SSL
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index d64e5e1f79..accede604c 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -21,6 +21,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2021-22901.patch \
            file://CVE-2021-22924.patch \
            file://CVE-2021-22926.patch \
+           file://CVE-2021-22945.patch \
+           file://CVE-2021-22946.patch \
+           file://CVE-2021-22947.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
@@ -28,6 +31,10 @@ SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb3
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
 
+# These only apply when using --with-libmetalink, but --without-libmetalink is
+# set below.
+CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923"
+
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
@@ -65,6 +72,7 @@ PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threade
 PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
 PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
 
+# Keep --without-libmetalink to mitigate CVE-2021-22922 and CVE-2021-22923
 EXTRA_OECONF = " \
     --disable-libcurl-option \
     --disable-ntlm-wb \
-- 
2.34.1

[hardknott][PATCH 06/15] scripts: Update to use exec_module() instead of load_module()

[Anuj Mittal]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This is deprecated in python 3.12 and Fedora 35 is throwing warnings so
move to the new functions.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 655cd3f614d736416eab0d708b7c49674bf5c977)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 scripts/lib/scriptutils.py    | 7 +++++--
 scripts/lib/wic/pluginbase.py | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/scripts/lib/scriptutils.py b/scripts/lib/scriptutils.py
index 3164171eb2..47a08194d0 100644
--- a/scripts/lib/scriptutils.py
+++ b/scripts/lib/scriptutils.py
@@ -18,7 +18,8 @@ import sys
 import tempfile
 import threading
 import importlib
-from importlib import machinery
+import importlib.machinery
+import importlib.util
 
 class KeepAliveStreamHandler(logging.StreamHandler):
     def __init__(self, keepalive=True, **kwargs):
@@ -82,7 +83,9 @@ def load_plugins(logger, plugins, pluginpath):
         logger.debug('Loading plugin %s' % name)
         spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] )
         if spec:
-            return spec.loader.load_module()
+            mod = importlib.util.module_from_spec(spec)
+            spec.loader.exec_module(mod)
+            return mod
 
     def plugin_name(filename):
         return os.path.splitext(os.path.basename(filename))[0]
diff --git a/scripts/lib/wic/pluginbase.py b/scripts/lib/wic/pluginbase.py
index d9b4e57747..b64568339b 100644
--- a/scripts/lib/wic/pluginbase.py
+++ b/scripts/lib/wic/pluginbase.py
@@ -9,9 +9,11 @@ __all__ = ['ImagerPlugin', 'SourcePlugin']
 
 import os
 import logging
+import types
 
 from collections import defaultdict
-from importlib.machinery import SourceFileLoader
+import importlib
+import importlib.util
 
 from wic import WicError
 from wic.misc import get_bitbake_var
@@ -54,7 +56,9 @@ class PluginMgr:
                             mname = fname[:-3]
                             mpath = os.path.join(ppath, fname)
                             logger.debug("loading plugin module %s", mpath)
-                            SourceFileLoader(mname, mpath).load_module()
+                            spec = importlib.util.spec_from_file_location(mname, mpath)
+                            module = importlib.util.module_from_spec(spec)
+                            spec.loader.exec_module(module)
 
         return PLUGINS.get(ptype)
 
-- 
2.34.1

[hardknott][PATCH 07/15] selftest: reproducible: Set maximum report size

[Anuj Mittal]

From: Joshua Watt <JPEWhacker@gmail.com>

Diffoscope can end up running for a very long time if there are a lot of
changes. To put a limit on how long it can run, cap the maximum report
size at 250 MB by default.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52d5f76f54eac384f9480dffe96df089d9ee8f33)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index a62757399b..546dc91120 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -114,8 +114,9 @@ def compare_file(reference, test, diffutils_sysroot):
     result.status = SAME
     return result
 
-def run_diffoscope(a_dir, b_dir, html_dir, **kwargs):
-    return runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
+def run_diffoscope(a_dir, b_dir, html_dir, max_report_size=0, **kwargs):
+    return runCmd(['diffoscope', '--no-default-limits', '--max-report-size', str(max_report_size),
+                   '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
                 **kwargs)
 
 class DiffoscopeTests(OESelftestTestCase):
@@ -145,6 +146,9 @@ class ReproducibleTests(OESelftestTestCase):
 
     package_classes = ['deb', 'ipk', 'rpm']
 
+    # Maximum report size, in bytes
+    max_report_size = 250 * 1024 * 1024
+
     # targets are the things we want to test the reproducibility of
     targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world']
     # sstate targets are things to pull from sstate to potentially cut build/debugging time
@@ -321,7 +325,7 @@ class ReproducibleTests(OESelftestTestCase):
                 # Copy jquery to improve the diffoscope output usability
                 self.copy_file(os.path.join(jquery_sysroot, 'usr/share/javascript/jquery/jquery.min.js'), os.path.join(package_html_dir, 'jquery.js'))
 
-                run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir,
+                run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir, max_report_size=self.max_report_size,
                         native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=package_dir)
 
         if fails:
-- 
2.34.1

[hardknott][PATCH 08/15] xserver-xorg: whitelist two CVEs

[Anuj Mittal]

From: Ross Burton <ross@burtonini.com>

CVE-2011-4613 is specific to Debian/Ubuntu.

CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 497515a04a..d83cb94317 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -18,6 +18,14 @@ XORG_PN = "xorg-server"
 SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
 
 CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
-- 
2.34.1

[hardknott][PATCH 09/15] populate_sdk_base: remove unneeded dirs such as /dev

[Anuj Mittal]

From: Chen Qi <Qi.Chen@windriver.com>

We met a problem that core-image-tiny-initramfs's SDK cannot be
installed. The error message is like below.

  tar: ./sysroots/core2-64-poky-linux/dev/console: Cannot mknod: Operation not permitted

In fact, the '/dev' direcotry is not needed by SDK. So remove it.

This patches uses a variable, SDK_PRUNE_SYSROOT_DIRS, to hold useless dir entries
so that it could be extended. For example, '/usr/bin' could be added if wanted.

(From OE-Core rev: 9154f71c7267e9731156c1dfd57397103e9e6a2b)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/populate_sdk_base.bbclass | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index 2d33611ddd..76757a3a9d 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -90,6 +90,8 @@ SDK_HOST_MANIFEST = "${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.host.manifest"
 SDK_EXT_TARGET_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.target.manifest"
 SDK_EXT_HOST_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.host.manifest"
 
+SDK_PRUNE_SYSROOT_DIRS ?= "/dev"
+
 python write_target_sdk_manifest () {
     from oe.sdk import sdk_list_installed_packages
     from oe.utils import format_pkg_list
@@ -101,6 +103,12 @@ python write_target_sdk_manifest () {
         output.write(format_pkg_list(pkgs, 'ver'))
 }
 
+sdk_prune_dirs () {
+    for d in ${SDK_PRUNE_SYSROOT_DIRS}; do
+        rm -rf ${SDK_OUTPUT}${SDKTARGETSYSROOT}$d
+    done
+}
+
 python write_sdk_test_data() {
     from oe.data import export2json
     testdata = "%s/%s.testdata.json" % (d.getVar('SDKDEPLOYDIR'), d.getVar('TOOLCHAIN_OUTPUTNAME'))
@@ -120,8 +128,9 @@ python write_host_sdk_manifest () {
 }
 
 POPULATE_SDK_POST_TARGET_COMMAND_append = " write_sdk_test_data ; "
-POPULATE_SDK_POST_TARGET_COMMAND_append_task-populate-sdk  = " write_target_sdk_manifest ; "
+POPULATE_SDK_POST_TARGET_COMMAND_append_task-populate-sdk  = " write_target_sdk_manifest; sdk_prune_dirs; "
 POPULATE_SDK_POST_HOST_COMMAND_append_task-populate-sdk = " write_host_sdk_manifest; "
+
 SDK_PACKAGING_COMMAND = "${@'${SDK_PACKAGING_FUNC};' if '${SDK_PACKAGING_FUNC}' else ''}"
 SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; archive_sdk; ${SDK_PACKAGING_COMMAND} "
 
-- 
2.34.1

[hardknott][PATCH 10/15] linux-yocto/5.10: update to v5.10.89

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

eb967e323f7f Linux 5.10.89
52ad5da8e316 phonet/pep: refuse to enable an unbound pipe
7dd52af1eb57 hamradio: improve the incomplete fix to avoid NPD
450121075a6a hamradio: defer ax25 kfree after unregister_netdev
8e34d07dd4d9 ax25: NPD bug when detaching AX25 device
50f78486f90b hwmon: (lm90) Do not report 'busy' status bit as alarm
ec1d222d37ea hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
441d3873664d pinctrl: mediatek: fix global-out-of-bounds issue
9c75a9657bdc ASoC: rt5682: fix the wrong jack type detected
94caab5af19a ASoC: tas2770: Fix setting of high sample rates
c7282790c782 Input: goodix - add id->model mapping for the "9111" model
3bb3bf50d69f Input: elants_i2c - do not check Remark ID on eKTH3900/eKTH5312
ee6f34215c5d mm: mempolicy: fix THP allocations escaping mempolicy restrictions
8008fc1d0be1 KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
d91ed251fd70 usb: gadget: u_ether: fix race in setting MAC address in setup phase
6697f29bf56b ceph: fix up non-directory creation in SGID directories
fffb6581a23a f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
ad338d825e3f tee: optee: Fix incorrect page free bug
1f2070767401 mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
ac61b9c6c054 mac80211: fix locking in ieee80211_start_ap error path
89876d10830d ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
c3253d3a38bc mmc: mmci: stm32: clear DLYB_CR after sending tuning command
0d66b395210c mmc: core: Disable card detect during shutdown
c8e366a01c20 mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands
4af79153617b mmc: sdhci-tegra: Fix switch to HS400ES mode
9a7ec7979785 gpio: dln2: Fix interrupts when replugging the device
f5b02912e2dd pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
28626e76baf5 KVM: VMX: Wake vCPU when delivering posted IRQ even if vCPU == this vCPU
7a37f2e37069 platform/x86: intel_pmc_core: fix memleak on registration failure
b57afd124046 x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
c05d8f66ec34 tee: handle lookup of shm with reference count 0
0ffb9f83e4f6 parisc: Fix mask used to select futex spinlock
5deeb9ad598b parisc: Correct completer in lws start
8b745616ba8f ipmi: fix initialization when workqueue allocation fails
1f6ab847461c ipmi: ssif: initialize ssif_info->client early
a5192f31160c ipmi: bail out if init_srcu_struct fails
bc674f1b2119 Input: atmel_mxt_ts - fix double free in mxt_read_info_block
30140e252fdb ASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s
2b4c020b70cc ALSA: hda/realtek: Fix quirk for Clevo NJ51CU
7470780f3b0c ALSA: hda/realtek: Add new alc285-hp-amp-init model
4cb7dc2e3074 ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6
69e492161c7b ALSA: drivers: opl3: Fix incorrect use of vp->state
a96c08e0b41e ALSA: jack: Check the return value of kstrdup()
51c7b2a7b86a hwmon: (lm90) Drop critical attribute support for MAX6654
2464738d0ee4 hwmon: (lm90) Introduce flag indicating extended temperature support
196df56c3dc8 hwmon: (lm90) Add basic support for TI TMP461
fa2e149260bf hwmon: (lm90) Fix usage of CONFIG2 register in detect function
ba696b470839 pinctrl: bcm2835: Change init order for gpio hogs
676c572439e5 Input: elantech - fix stack out of bound access in elantech_change_report_id()
2792fde84cce sfc: falcon: Check null pointer of rx_queue->page_ring
d70b4001ef74 sfc: Check null pointer of rx_queue->page_ring
75c962f02a4f net: ks8851: Check for error irq
9db0f8d395fd drivers: net: smc911x: Check for error irq
ca2a15053b07 fjes: Check for error irq
c6d2754006c1 bonding: fix ad_actor_system option setting to default
6809da518514 ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
61e6b82e7b6c igb: fix deadlock caused by taking RTNL in RPM resume path
e00eace2325c net: skip virtio_net_hdr_set_proto if protocol already set
ed05e4dcfba6 net: accept UFOv6 packages in virtio_net_hdr_to_skb
56b0bbba782b qlcnic: potential dereference null pointer of rx_queue->page_ring
78e49d77e517 net: marvell: prestera: fix incorrect return of port_find
861b4413e41d ARM: dts: imx6qdl-wandboard: Fix Ethernet support
d79f5e0d458b netfilter: fix regression in looped (broad|multi)cast's MAC handling
579cefef7c42 RDMA/hns: Replace kfree() with kvfree()
7cf6466e00a7 IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
cd9c90682b2f ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent()
580ecf86e772 spi: change clk_disable_unprepare to clk_unprepare
93a957bbf46c arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
ef2dce43257d HID: potential dereference of null pointer
3110bc5862d2 HID: holtek: fix mouse probing
0875873b2a97 ext4: check for inconsistent extents between index and leaf block
76366c024f56 ext4: check for out-of-order index extents in ext4_valid_extent_entries()
1d4b1c4e8bbd ext4: prevent partial update of the extent blocks
f69a47fcbb9c net: usb: lan78xx: add Allied Telesis AT29M2-AF
8c0059a25cb1 arm64: vdso32: require CROSS_COMPILE_COMPAT for gcc+bfd
b16b124a42e0 arm64: vdso32: drop -no-integrated-as flag
856f88f27bbc Linux 5.10.88
88f20cccbeec xen/netback: don't queue unlimited number of packages
525875c410df xen/netback: fix rx queue stall detection
8fa3a370cc2a xen/console: harden hvc_xen against event channel storms
d31b3379179d xen/netfront: harden netfront against event channel storms
8ac3b6ee7c9f xen/blkfront: harden blkfront against event channel storms
76ec7fe2d866 Revert "xsk: Do not sleep in poll() when need_wakeup set"
e24fc8983025 bus: ti-sysc: Fix variable set but not used warning for reinit_modules
70692b06208c rcu: Mark accesses to rcu_state.n_force_qs
a9078e791426 scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
bdb854f134b9 scsi: scsi_debug: Fix type in min_t to avoid stack OOB
aa1f912712a1 scsi: scsi_debug: Don't call kcalloc() if size arg is zero
6859985a2fbd ovl: fix warning in ovl_create_real()
5fd7d62daa24 fuse: annotate lock in fuse_reverse_inval_entry()
b99bdf127af9 media: mxl111sf: change mutex_init() location
0413f7a1a533 xsk: Do not sleep in poll() when need_wakeup set
6b8d8ecdd980 ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
8affa1b68db6 Input: touchscreen - avoid bitwise vs logical OR warning
aec5897b277b drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
c1d519263ded libata: if T_LENGTH is zero, dma direction should be DMA_NONE
a9f2c6af5a60 timekeeping: Really make sure wall_to_monotonic isn't positive
6471ebcd6f15 serial: 8250_fintek: Fix garbled text for console
a7c80674538f iocost: Fix divide-by-zero on donation from low hweight cgroup
bcebb8eb1948 zonefs: add MODULE_ALIAS_FS
1c414ff63b2d btrfs: fix double free of anon_dev after failure to create subvolume
005d9292b5b2 btrfs: fix memory leak in __add_inode_ref()
cd98cb5216a0 USB: serial: option: add Telit FN990 compositions
5c93584d9a2f USB: serial: cp210x: fix CP2105 GPIO registration
8f207f12630b usb: xhci: Extend support for runtime power management for AMD's Yellow carp.
e5949933f313 PCI/MSI: Mask MSI-X vectors only on success
f8aa09186c30 PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
d17c5a389768 usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe
2b2edc8fc5a8 USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
fd623e16b2ff tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
9439fabfc349 KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES
5fe305c6d485 Revert "usb: early: convert to readl_poll_timeout_atomic()"
2b54f485f2c1 USB: gadget: bRequestType is a bitfield, not a enum
151ffac3ac27 powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n
fcf9194d366c bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
6f46c59e60b6 sit: do not call ipip6_dev_free() from sit_init_net()
6e1011cd183f net: systemport: Add global locking for descriptor lifecycle
d1765f984c99 net/smc: Prevent smc_release() from long blocking
337bb7bf7c31 net: Fix double 0x prefix print in SKB dump
734a3f310605 sfc_ef100: potential dereference of null pointer
7da349f07e45 net/packet: rx_owner_map depends on pg_vec
1a34fb9e2bf3 netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
d3e1f54508f1 ixgbe: set X550 MDIO speed before talking to PHY
48e01e388182 ixgbe: Document how to enable NBASE-T support
776ed8b36697 igc: Fix typo in i225 LTR functions
74a16e062b23 igbvf: fix double free in `igbvf_probe`
ddac50d04f34 igb: Fix removal of unicast MAC filters of VFs
12c1938870dc soc/tegra: fuse: Fix bitwise vs. logical OR warning
451f1eded7f5 mptcp: clear 'kern' flag from fallback sockets
222cebd995cd drm/amd/pm: fix a potential gpu_metrics_table memory leak
74dc97dfb276 rds: memory leak in __rds_conn_create()
67f4362ae286 flow_offload: return EOPNOTSUPP for the unsupported mpls action type
03fd6ca05601 mac80211: fix lookup when adding AddBA extension element
bef59d6a83d3 mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock
96bc86cac0a9 drm/ast: potential dereference of null pointer
cac0fd4b9bd3 selftest/net/forwarding: declare NETIFS p9 p10
81fbdd45652d net/sched: sch_ets: don't remove idle classes from the round-robin list
be32c8a78887 dmaengine: st_fdma: fix MODULE_ALIAS
dfff1d5e85ff selftests: Fix IPv6 address bind tests
08896ecfffc3 selftests: Fix raw socket bind tests with VRF
5ba4dfb8b8a1 selftests: Add duplicate config only for MD5 VRF tests
12512bc8f25b net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
3a4f6dba1eb9 inet_diag: fix kernel-infoleak for UDP sockets
20ad1ef02f9a sch_cake: do not call cake_destroy() from cake_init()
1208b445a497 s390/kexec_file: fix error handling when applying relocations
c058c544e73a selftests: net: Correct ping6 expected rc from 2 to 1
9983425c203b virtio/vsock: fix the transport to work with VMADDR_CID_ANY
94a01e6fb2d8 soc: imx: Register SoC device only on i.MX boards
cc426a91d384 clk: Don't parent clks until the parent is fully registered
429bb01e4dda ARM: socfpga: dts: fix qspi node compatible
7b4cc168d9ca ceph: initialize pathlen variable in reconnect_caps_cb
e0f06c32afb2 ceph: fix duplicate increment of opened_inodes metric
640e28d618e8 tee: amdtee: fix an IS_ERR() vs NULL bug
eed897a22230 mac80211: track only QoS data frames for admission control
24983f750881 arm64: dts: rockchip: fix audio-supply for Rock Pi 4
49bd597719bf arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
9fcdbbf3964d arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
ba866840b240 arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
3516bc149223 arm64: dts: imx8mp-evk: Improve the Ethernet PHY description
06294e7e341a arm64: dts: imx8m: correct assigned clocks for FEC
4cc6badff97f audit: improve robustness of the audit queue handling
0e21e6cd5eeb dm btree remove: fix use after free in rebalance_children()
f5187a9d52ae recordmcount.pl: look for jgnop instruction as well as bcrl on s390
51f6302f81d2 vdpa: check that offsets are within bounds
e3a1ab5aea4c virtio_ring: Fix querying of maximum DMA mapping size for virtio device
0612679e48d0 bpf, selftests: Add test case trying to taint map value pointer
279e0bf80d95 bpf: Make 32->64 bounds propagation slightly more robust
e2aad0b5f2cb bpf: Fix signed bounds propagation after mov32
f0f484714f35 firmware: arm_scpi: Fix string overflow in SCPI genpd driver
7fd214fc7f2e mac80211: validate extended element ID is present
0bb50470f1e0 mac80211: send ADDBA requests using the tid/queue of the aggregation session
29bb131dbbb5 mac80211: mark TX-during-stop for TX in in_reconfig
15640e40e3bb mac80211: fix regression in SSN handling of addba tx
49b7e496928e KVM: downgrade two BUG_ONs to WARN_ON_ONCE
8d0f56c2ed71 KVM: selftests: Make sure kvm_create_max_vcpus test won't hit RLIMIT_NOFILE

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8710dca273bada79536e84ad3c206bd1b40aab97)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 6a1f48bbb0..3a346195c9 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "d6b1cc83a5315388b060eaa6195f1ce77103c3d1"
-SRCREV_meta ?= "1ab943530f4016a9ee7bd8fc3d10acf702c23c44"
+SRCREV_machine ?= "301346d30bcaccedc71da8d5f78bd262063d4ba7"
+SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.87"
+LINUX_VERSION ?= "5.10.89"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 38c01b78b2..3c70d6c2ea 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.87"
+LINUX_VERSION ?= "5.10.89"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "a46d018920762d81e283ecc80cf156fe226712ed"
-SRCREV_machine ?= "e36ccf7356af83243e55f6ca491049462f7feab7"
-SRCREV_meta ?= "1ab943530f4016a9ee7bd8fc3d10acf702c23c44"
+SRCREV_machine_qemuarm ?= "913d41ebe409dfd03c49fafd1923f8663df2a4ff"
+SRCREV_machine ?= "5575e67330fb6d979ed1cd2e9e64400b4c21b595"
+SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index d877c1e6b5..fc7071c6fc 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "c5c39f3ba284421eceeb9b084da1508167b37abe"
-SRCREV_machine_qemuarm64 ?= "fab21fdf95a62d013b98eb91adc0d9cfc69f700b"
-SRCREV_machine_qemumips ?= "ef1d4a1e93c209637022c9337131394a6f3679ae"
-SRCREV_machine_qemuppc ?= "8009be617e2fd4c34c80892776d79f463d436fc0"
-SRCREV_machine_qemuriscv64 ?= "4f2bb635ea267e71f112fd11323c1d3a2f2b85d0"
-SRCREV_machine_qemuriscv32 ?= "4f2bb635ea267e71f112fd11323c1d3a2f2b85d0"
-SRCREV_machine_qemux86 ?= "4f2bb635ea267e71f112fd11323c1d3a2f2b85d0"
-SRCREV_machine_qemux86-64 ?= "4f2bb635ea267e71f112fd11323c1d3a2f2b85d0"
-SRCREV_machine_qemumips64 ?= "2f42ab7aac37cd61f47231301b3f1e232807e0e6"
-SRCREV_machine ?= "4f2bb635ea267e71f112fd11323c1d3a2f2b85d0"
-SRCREV_meta ?= "1ab943530f4016a9ee7bd8fc3d10acf702c23c44"
+SRCREV_machine_qemuarm ?= "b0dfabc86c3b6e1fb2ddb153664961e107bedfa9"
+SRCREV_machine_qemuarm64 ?= "fea23aa594ce16a15564f991e14868dd255674cf"
+SRCREV_machine_qemumips ?= "0ec16d85647a337f392ae358db3dcc200d958938"
+SRCREV_machine_qemuppc ?= "a6a07d8acd8991883464bd3034beabb9ee23f11a"
+SRCREV_machine_qemuriscv64 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
+SRCREV_machine_qemuriscv32 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
+SRCREV_machine_qemux86 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
+SRCREV_machine_qemux86-64 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
+SRCREV_machine_qemumips64 ?= "29cb56446b0b66b7a15d2577773e69c4e813bfd7"
+SRCREV_machine ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
+SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.87"
+LINUX_VERSION ?= "5.10.89"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[hardknott][PATCH 11/15] linux-yocto/5.10/cfg: add kcov feature fragment

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto:

41721be8a03 cfg/debug: add kcov kernel configs

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6a11ed0910a9ed231bc3c4a9ee532358014ce535)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb   | 2 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 3a346195c9..0a31714524 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -12,7 +12,7 @@ python () {
 }
 
 SRCREV_machine ?= "301346d30bcaccedc71da8d5f78bd262063d4ba7"
-SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
+SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 3c70d6c2ea..bad6f10905 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "913d41ebe409dfd03c49fafd1923f8663df2a4ff"
 SRCREV_machine ?= "5575e67330fb6d979ed1cd2e9e64400b4c21b595"
-SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
+SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index fc7071c6fc..20e7f68f8f 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -23,7 +23,7 @@ SRCREV_machine_qemux86 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
 SRCREV_machine_qemux86-64 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
 SRCREV_machine_qemumips64 ?= "29cb56446b0b66b7a15d2577773e69c4e813bfd7"
 SRCREV_machine ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_meta ?= "38b4f2e3bc974717352e8bc5491664e47542d237"
+SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.34.1

[hardknott][PATCH 12/15] linux-yocto/5.10: update to v5.10.90

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

d3e491a20d15 Linux 5.10.90
8c15bfb36a44 bpf: Add kconfig knob for disabling unpriv bpf by default
d8a5b1377bf6 perf script: Fix CPU filtering of a script's switch events
2386e81a1d27 net: fix use-after-free in tw_timer_handler
34087cf96046 Input: spaceball - fix parsing of movement data packets
9f329d0d6c91 Input: appletouch - initialize work before device registration
2a4f551dec1a scsi: vmw_pvscsi: Set residual data length conditionally
1cb8444f3114 binder: fix async_free_space accounting for empty parcels
a6e26251dd3a usb: mtu3: set interval of FS intr and isoc endpoint
3b6efe0b7ba0 usb: mtu3: fix list_head check warning
f10b01c48f85 usb: mtu3: add memory barrier before set GPD's HWO
1c4ace3e6b85 usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
1933fe8ce712 xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
b8553330a077 drm/amdgpu: add support for IP discovery gc_info table v2
28863ffe21ff drm/amdgpu: When the VCN(1.0) block is suspended, powergating is explicitly enabled
a0f3ac399ef5 uapi: fix linux/nfc.h userspace compilation errors
818c9e0a04df nfc: uapi: use kernel size_t to fix user-space builds
8d31cbab4c29 i2c: validate user data in compat ioctl
51c94d8fbd09 fsl/fman: Fix missing put_device() call in fman_port_probe
920932b20e0c net/ncsi: check for error return from call to nla_put_u32
610af55f9fbe selftests/net: udpgso_bench_tx: fix dst ip argument
78503589b1e0 net/mlx5e: Fix wrong features assignment in case of error
61146008087a ionic: Initialize the 'lif->dbid_inuse' bitmap
b7c9a1427b32 igc: Fix TX timestamp support for non-MSI-X platforms
e8a5988a85c7 net/smc: fix kernel panic caused by race of smc_sock
97c87c1db9ff net/smc: don't send CDC/LLC message if link not ready
99f19566b1c4 net/smc: improved fix wait on already cleared link
e553265ea564 NFC: st21nfca: Fix memory leak in device probe and remove
8d70dc0eecf0 net: lantiq_xrx200: fix statistics of received bytes
7ef89bd1e8f1 net: ag71xx: Fix a potential double free in error handling paths
40d36186913b net: usb: pegasus: Do not drop long Ethernet frames
a67becdaa8ad net/smc: fix using of uninitialized completions
769d14abd35e sctp: use call_rcu to free endpoint
13c1bf43b674 selftests: Calculate udpgso segment count without header adjustment
abe74fb43378 udp: using datalen to cap ipv6 udp max gso segments
5e6ad649e927 net/mlx5e: Fix ICOSQ recovery flow for XSK
73665165b64a net/mlx5e: Wrap the tx reporter dump callback to extract the sq
4cd1da02f0c3 net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources
fcb32eb3d04d scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
4833ad4908a1 selinux: initialize proto variable in selinux_ip_postroute_compat()
ec941a2277a1 recordmcount.pl: fix typo in s390 mcount regex
a0e82d5ef992 memblock: fix memblock_phys_alloc() section mismatch error
7da855e93964 platform/x86: apple-gmux: use resource_size() with res
d01e9ce1af61 parisc: Clear stale IIR value on instruction access rights trap
0643d9175dc6 tomoyo: use hwight16() in tomoyo_domain_quota_is_ok()
e2048a1f9186 tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().
210c7c6908f3 Input: i8042 - enable deferred probe quirk for ASUS UM325UA
bb672eff7447 Input: i8042 - add deferred probe support

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ada52c924b8033939a448d8cedfc4e587bfdbc46)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 0a31714524..90ec900c2b 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "301346d30bcaccedc71da8d5f78bd262063d4ba7"
-SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
+SRCREV_machine ?= "e137d5d92c05530840f2e191ec471f8f0ea2d62e"
+SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.89"
+LINUX_VERSION ?= "5.10.90"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index bad6f10905..9af2e622ac 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.89"
+LINUX_VERSION ?= "5.10.90"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "913d41ebe409dfd03c49fafd1923f8663df2a4ff"
-SRCREV_machine ?= "5575e67330fb6d979ed1cd2e9e64400b4c21b595"
-SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
+SRCREV_machine_qemuarm ?= "c0774ebd6bc1c7541deb4f9a649a1a6bfa42853f"
+SRCREV_machine ?= "ab201bf6e3f9d187c7c26a0ec6537fadb41de918"
+SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 20e7f68f8f..5d84c46254 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "b0dfabc86c3b6e1fb2ddb153664961e107bedfa9"
-SRCREV_machine_qemuarm64 ?= "fea23aa594ce16a15564f991e14868dd255674cf"
-SRCREV_machine_qemumips ?= "0ec16d85647a337f392ae358db3dcc200d958938"
-SRCREV_machine_qemuppc ?= "a6a07d8acd8991883464bd3034beabb9ee23f11a"
-SRCREV_machine_qemuriscv64 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_machine_qemuriscv32 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_machine_qemux86 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_machine_qemux86-64 ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_machine_qemumips64 ?= "29cb56446b0b66b7a15d2577773e69c4e813bfd7"
-SRCREV_machine ?= "d59202c85b0f96b7a928ec594021a38e80c35a46"
-SRCREV_meta ?= "fdabd97ceceb2e3e74a132332c875f68b47b755b"
+SRCREV_machine_qemuarm ?= "d9597fe71e155c5a96452d23694188d6d4091673"
+SRCREV_machine_qemuarm64 ?= "210fcd9ee603afb731beaa5833e7e3f1d1918786"
+SRCREV_machine_qemumips ?= "8688d3707cea38bd7ed115a12005079c2215f77d"
+SRCREV_machine_qemuppc ?= "933b47667b7549bb36a809cca90bc372a7182620"
+SRCREV_machine_qemuriscv64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
+SRCREV_machine_qemuriscv32 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
+SRCREV_machine_qemux86 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
+SRCREV_machine_qemux86-64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
+SRCREV_machine_qemumips64 ?= "25fcfe4f5c4be9bbb67498f09b2dd088f8bb6dfd"
+SRCREV_machine ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
+SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.89"
+LINUX_VERSION ?= "5.10.90"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[hardknott][PATCH 13/15] linux-yocto/5.10: amdgpu: updates for CVE-2021-42327

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/5.10:

    fd84b99a8ccb drm/amd/display: Don't allow partial copy_from_user
    024f4ff63d55 drm/amdgpu: Fix even more out of bound writes from debugfs

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5488466ea1b332a0bfc0d27dcc5378edd842d16)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  4 ++--
 .../linux/linux-yocto-tiny_5.10.bb            |  6 ++---
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 22 +++++++++----------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 90ec900c2b..41047bac04 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,8 +11,8 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e137d5d92c05530840f2e191ec471f8f0ea2d62e"
-SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
+SRCREV_machine ?= "fbed4064df813f01c1a862548f28b2050ee9b09e"
+SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 9af2e622ac..5ae12b1953 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "c0774ebd6bc1c7541deb4f9a649a1a6bfa42853f"
-SRCREV_machine ?= "ab201bf6e3f9d187c7c26a0ec6537fadb41de918"
-SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
+SRCREV_machine_qemuarm ?= "ca2928bf9b108b45a8ecfe6c76ae9d66b9527f0c"
+SRCREV_machine ?= "5d7922b2755129e1066944a25675a4f9bdbbe706"
+SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 5d84c46254..2b1d7bbff9 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "d9597fe71e155c5a96452d23694188d6d4091673"
-SRCREV_machine_qemuarm64 ?= "210fcd9ee603afb731beaa5833e7e3f1d1918786"
-SRCREV_machine_qemumips ?= "8688d3707cea38bd7ed115a12005079c2215f77d"
-SRCREV_machine_qemuppc ?= "933b47667b7549bb36a809cca90bc372a7182620"
-SRCREV_machine_qemuriscv64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
-SRCREV_machine_qemuriscv32 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
-SRCREV_machine_qemux86 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
-SRCREV_machine_qemux86-64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
-SRCREV_machine_qemumips64 ?= "25fcfe4f5c4be9bbb67498f09b2dd088f8bb6dfd"
-SRCREV_machine ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55"
-SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5"
+SRCREV_machine_qemuarm ?= "dbf49e7b0801b1b92994f7bc3c6bba943340e273"
+SRCREV_machine_qemuarm64 ?= "0b092f0c4e3471ef22aef0343477519b0ba8b533"
+SRCREV_machine_qemumips ?= "1806335706c3549985836385bb400c1d80819d73"
+SRCREV_machine_qemuppc ?= "270ee670f95ad200c7c32bf8a8ffbf6ed43d7964"
+SRCREV_machine_qemuriscv64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
+SRCREV_machine_qemuriscv32 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
+SRCREV_machine_qemux86 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
+SRCREV_machine_qemux86-64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
+SRCREV_machine_qemumips64 ?= "ea456bce3f1ed65b1ab00a0cf8cf551b5967aec3"
+SRCREV_machine ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
+SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.34.1

[hardknott][PATCH 14/15] linux-yocto/5.10: update to v5.10.91

[Anuj Mittal]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

    df395c763ba0 Linux 5.10.91
    674071c9eb26 Input: zinitix - make sure the IRQ is allocated before it gets enabled
    ef81f7d406c2 ARM: dts: gpio-ranges property is now required
    f63fa1a0d4df ipv6: raw: check passed optlen before reading
    cf07884e6bec drm/amd/display: Added power down for DCN10
    10b9ccd0674d mISDN: change function names to avoid conflicts
    dd8a09cfbb99 atlantic: Fix buff_ring OOB in aq_ring_rx_clean
    c2f4bb251eb4 net: udp: fix alignment problem in udp4_seq_show()
    f82b48d1d86b ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
    8c87a83ef891 scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
    b798b677f94d usb: mtu3: fix interval value for intr and isoc
    498d77fc5e38 ipv6: Do cleanup if attribute validation fails in multipath route
    72b0d14a0a88 ipv6: Continue processing multipath route even if gateway attribute is invalid
    5a7d650bb181 power: bq25890: Enable continuous conversion for ADC at charging
    4f260ea5537d phonet: refcount leak in pep_sock_accep
    61952934608c rndis_host: support Hytera digital radios
    62cbde77d9c1 power: reset: ltc2952: Fix use of floating point literals
    998d157e3b2a power: supply: core: Break capacity loop
    16d8568378f9 xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
    aa606b82cdfb net: ena: Fix error handling when calculating max IO queues number
    e7f5480978fd net: ena: Fix undefined state when tx request id is out of bounds
    2de3d961f8e7 sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
    4c34d5fd8c96 batman-adv: mcast: don't send link-local multicast to mcast routers
    f403b5f96e9a lwtunnel: Validate RTA_ENCAP_TYPE attribute length
    48d5adb08d60 ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
    173bfa2782fa ipv6: Check attribute length for RTA_GATEWAY in multipath route
    914420a2a6c5 ipv4: Check attribute length for RTA_FLOW in multipath route
    a8fe915be6c2 ipv4: Check attribute length for RTA_GATEWAY in multipath route
    786a335fef18 ftrace/samples: Add missing prototypes direct functions
    c859c4de0bd7 i40e: Fix incorrect netdev's real number of RX/TX queues
    d0ad64438fb5 i40e: Fix for displaying message regarding NVM version
    32845aa60203 i40e: fix use-after-free in i40e_sync_filters_subtask()
    f7edb6b9438b sfc: The RX page_ring is optional
    2b3f34da0d79 mac80211: initialize variable have_higher_than_11mbit
    16e5cad6eca1 RDMA/uverbs: Check for null return of kmalloc_array
    a7c2cae997db netrom: fix copying in user data in nr_setsockopt
    beeb0fdedae8 RDMA/core: Don't infoleak GRH fields
    3ca132e6b065 iavf: Fix limit of total number of queues to active queues of VF
    396e3016905d i40e: Fix to not show opcode msg on unsuccessful VF MAC change
    7f13d14e563c ieee802154: atusb: fix uninit value in atusb_set_extended_addr
    7db1e245cb71 tracing: Tag trace_percpu_buffer as a percpu pointer
    760c6a625506 tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
    c1e2da4b3f72 selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv()
    384111e12367 f2fs: quota: fix potential deadlock

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13b53d922df1a53913fbe7a0dfbf2adaedfe5dfd)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 41047bac04..ca7d5dd97c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "fbed4064df813f01c1a862548f28b2050ee9b09e"
-SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
+SRCREV_machine ?= "85c14e209f1ab7cee673735c4561e656b4e65217"
+SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.90"
+LINUX_VERSION ?= "5.10.91"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 5ae12b1953..dbfeea6c82 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.90"
+LINUX_VERSION ?= "5.10.91"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "ca2928bf9b108b45a8ecfe6c76ae9d66b9527f0c"
-SRCREV_machine ?= "5d7922b2755129e1066944a25675a4f9bdbbe706"
-SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
+SRCREV_machine_qemuarm ?= "2227ab16358ca3193f03d0cd8509092076aeffbb"
+SRCREV_machine ?= "b3fdab7a9f3c11a61565cead0445883a61081583"
+SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 2b1d7bbff9..82dfb0f903 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86  ?= "v5.10/standard/base"
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "dbf49e7b0801b1b92994f7bc3c6bba943340e273"
-SRCREV_machine_qemuarm64 ?= "0b092f0c4e3471ef22aef0343477519b0ba8b533"
-SRCREV_machine_qemumips ?= "1806335706c3549985836385bb400c1d80819d73"
-SRCREV_machine_qemuppc ?= "270ee670f95ad200c7c32bf8a8ffbf6ed43d7964"
-SRCREV_machine_qemuriscv64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
-SRCREV_machine_qemuriscv32 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
-SRCREV_machine_qemux86 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
-SRCREV_machine_qemux86-64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
-SRCREV_machine_qemumips64 ?= "ea456bce3f1ed65b1ab00a0cf8cf551b5967aec3"
-SRCREV_machine ?= "fd84b99a8ccbfae11300c3a72183616bc0560870"
-SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e"
+SRCREV_machine_qemuarm ?= "fb570663823bd492e4c8d4339be825bda4210dc6"
+SRCREV_machine_qemuarm64 ?= "5a52b700c1693a95b8efa54cb65bec7807a75cd2"
+SRCREV_machine_qemumips ?= "8eb8a801f5f4764c362aefd5e97e704755cf740b"
+SRCREV_machine_qemuppc ?= "21b014e385a6b54a2fd7d667a1b556c69cda77de"
+SRCREV_machine_qemuriscv64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
+SRCREV_machine_qemuriscv32 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
+SRCREV_machine_qemux86 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
+SRCREV_machine_qemux86-64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
+SRCREV_machine_qemumips64 ?= "5468343e50389dba73b5d441289d5094bd0dc9f0"
+SRCREV_machine ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
+SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.90"
+LINUX_VERSION ?= "5.10.91"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[hardknott][PATCH 15/15] cve-check: add lockfile to task

[Anuj Mittal]

From: Konrad Weihmann <kweihmann@outlook.com>

this should prevent running into the very rare error
sqlite3.OperationalError: attempt to write a readonly database

As highlighted by https://www.sqlite.org/faq.html#q5
it is likely that the adapter won't allow use multiple exec calls
at the same time.

So it's best to prevent multiple accesses at a time, by reusing
the already in place CVE_CHECK_DB_FILE_LOCK

YOCTO #14110

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 677f5741bd265be49d4a5bb933b3e8d8c4eec653)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 4fa1a64f85..3add826fca 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -110,6 +110,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build after do_fetch
+do_cve_check[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
 do_cve_check[depends] = "cve-update-db-native:do_fetch"
 do_cve_check[nostamp] = "1"
 
-- 
2.34.1