* [gatesgarth][PATCH 00/35] review request
@ 2021-02-09 15:51 Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 01/35] image_types: Ensure tar archives are reproducible Anuj Mittal
                   ` (34 more replies)
  0 siblings, 35 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of changes for gatesgarth. Builds cleanly
on autobuilder except for a known intermittent issue while executing a
tinfoil selftest.

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1842

Thanks,

Anuj

The following changes since commit c63feb7e062750ef9d1fcfd6ee16f1d220f8a369:

  strace: increase ptest timeout duration 120->240s (2021-02-05 23:34:49 +0000)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/gatesgarth

Alexander Kanavin (5):
  python3: split python target configuration into own class
  python3-pycairo: use python3targetconfig
  distutils3-base.bbclass: use python3targetconfig
  meta: drop _PYTHON_SYSCONFIGDATA_NAME hacks
  gpgme: use python3targetconfig

Anuj Mittal (2):
  sudo: fix CVE-2021-23240
  sudo: fix CVE-2021-3156

Awais Belal (1):
  kernel.bbclass: fix deployment for initramfs images

Bruce Ashfield (3):
  linux-yocto/5.4: update to v5.4.90
  linux-yocto-rt/5.4: fix 5.4-stable caused build breakage
  linux-yocto/5.4: update to v5.4.94

Chen Qi (1):
  systemd: change /bin/nologin to /sbin/nologin

Dorinda (1):
  sanity.bbclass: Check if PSEUDO_IGNORE_PATHS and paths under pseudo
    control overlap

Kamel Bouhara (2):
  npm.bbclass: make shrinkwrap file optional
  recipetool: create: only add npmsw url if required

Khem Raj (1):
  python3targetconfig.bbclass: Make py3 dep and tasks only for target
    recipes

Lee Chee Yang (2):
  openssl: set CVE_VERSION_SUFFIX
  wic/selftest: test_permissions also test bitbake image

Martin Jansa (1):
  image_types.bbclass: tar: use posix format instead of gnu

Michael Halstead (2):
  uninative: Upgrade to 2.10
  yocto-uninative.inc: version 2.11 updates glibc to 2.33

Mike Looijmans (1):
  license_image.bbclass: Don't attempt to symlink to the same file

Richard Purdie (8):
  image_types: Ensure tar archives are reproducible
  ncurses: Don't put terminfo into the sysroot
  python3: Avoid installing test data into recipe-sysroot
  staging: Clean up files installed into the sysroot
  package: Ensure do_packagedata is cleaned correctly
  qemu.inc: Should depend on qemu-system-native, not qemu-native
  openssh: Backport a fix to fix with glibc 2.33 on some platforms
  pseudo: Update to work with glibc 2.33

Steve Sakoman (1):
  glibc: update to latest release/2.32/master branch

Tomasz Dziendzielski (1):
  sstatesig: Add descriptive error message to getpwuid/getgrgid "uid/gid
    not found" KeyError

Vyacheslav Yurkov (1):
  npm.bbclass: use python3 for npm config

saloni (2):
  libgcrypt: Whitelisted CVEs
  libcroco: Added CVE

 meta/classes/distutils3-base.bbclass          |   2 +-
 meta/classes/image_types.bbclass              |   2 +-
 meta/classes/kernel.bbclass                   |   2 +-
 meta/classes/license_image.bbclass            |   3 +-
 meta/classes/npm.bbclass                      |  37 +-
 meta/classes/package.bbclass                  |   1 +
 meta/classes/python3native.bbclass            |   2 -
 meta/classes/python3targetconfig.bbclass      |  17 +
 meta/classes/sanity.bbclass                   |  10 +
 meta/classes/scons.bbclass                    |   3 -
 meta/classes/staging.bbclass                  |   4 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/conf/machine/include/qemu.inc            |   2 +-
 meta/lib/oe/prservice.py                      |   4 -
 meta/lib/oe/sstatesig.py                      |   6 +-
 meta/lib/oeqa/selftest/cases/wic.py           |  16 +
 ...440ca70abab947acbd77795e9f130967956c.patch |  28 ++
 .../openssh/openssh_8.3p1.bb                  |   1 +
 .../openssl/openssl_1.1.1i.bb                 |   2 +
 meta/recipes-core/glib-2.0/glib.inc           |   4 -
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../glibc/glibc/CVE-2019-25013.patch          | 137 ------
 meta/recipes-core/glibc/glibc_2.32.bb         |   4 +-
 meta/recipes-core/ncurses/ncurses.inc         |   5 +
 meta/recipes-core/systemd/systemd_246.9.bb    |  16 +-
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../python/python3-pycairo_1.19.1.bb          |   2 +-
 meta/recipes-devtools/python/python3_3.8.5.bb |   6 +
 .../sudo/files/CVE-2021-23240.patch           | 419 ++++++++++++++++++
 .../sudo/files/CVE-2021-3156-1.patch          | 100 +++++
 .../sudo/files/CVE-2021-3156-2.patch          |  53 +++
 .../sudo/files/CVE-2021-3156-3.patch          |  73 +++
 .../sudo/files/CVE-2021-3156-4.patch          |  29 ++
 .../sudo/files/CVE-2021-3156-5.patch          |  41 ++
 meta/recipes-extended/sudo/sudo_1.9.3.bb      |   6 +
 meta/recipes-graphics/mesa/mesa.inc           |   5 -
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 meta/recipes-support/gpgme/gpgme_1.14.0.bb    |   2 +-
 .../libcroco/files/CVE-2020-12825.patch       | 192 ++++++++
 .../libcroco/libcroco_0.6.13.bb               |   3 +
 .../libgcrypt/libgcrypt_1.8.6.bb              |   3 +
 scripts/lib/recipetool/create_npm.py          |   6 +-
 44 files changed, 1085 insertions(+), 213 deletions(-)
 create mode 100644 meta/classes/python3targetconfig.bbclass
 create mode 100644 meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
 delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-23240.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
 create mode 100644 meta/recipes-support/libcroco/files/CVE-2020-12825.patch

-- 
2.29.2



* [gatesgarth][PATCH 01/35] image_types: Ensure tar archives are reproducible
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 02/35] npm.bbclass: make shrinkwrap file optional Anuj Mittal
                   ` (33 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The tar output seems to vary depending on the version of tar used and distro
configuration. Be explicit about the output format to avoid this and be
deterministic.

(From OE-Core rev: c56f3c9febc1732aa1302524c6c4da36f16bd1f7)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9dbe0f69f874d3687ae1accc19116570bad86c04)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/image_types.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 286009057e..85d619ca89 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -110,7 +110,7 @@ IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAM
 
 IMAGE_CMD_TAR ?= "tar"
 # ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
-IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=gnu --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
 
 do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
 IMAGE_CMD_cpio () {
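Review bot: The added `--format=gnu` on the `IMAGE_CMD_tar` line is not explained where it is set; the only comment nearby is about return code 1. Add a one-line comment above `IMAGE_CMD_tar` saying the archive format is pinned for reproducible output. The cover letter for this series also lists "image_types.bbclass: tar: use posix format instead of gnu", so mention in the commit message that the format chosen here is changed again by that later patch and the two backports should be reviewed together.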
-- 
2.29.2



* [gatesgarth][PATCH 02/35] npm.bbclass: make shrinkwrap file optional
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 01/35] image_types: Ensure tar archives are reproducible Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 03/35] recipetool: create: only add npmsw url if required Anuj Mittal
                   ` (32 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Kamel Bouhara <kamel.bouhara@bootlin.com>

Some packages don't have a shrinkwrap file, which
means no npmsw URI is provided in the recipe.

Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 47760b0d7d66b2b68ee197d359f0b7b17374d742)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/npm.bbclass | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass
index 068032a1e5..d3dd1a9ab8 100644
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -130,11 +130,17 @@ python npm_do_configure() {
     cached_manifest.pop("dependencies", None)
     cached_manifest.pop("devDependencies", None)
 
-    with open(orig_shrinkwrap_file, "r") as f:
-        orig_shrinkwrap = json.load(f)
+    has_shrinkwrap_file = True
 
-    cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
-    cached_shrinkwrap.pop("dependencies", None)
+    try:
+        with open(orig_shrinkwrap_file, "r") as f:
+            orig_shrinkwrap = json.load(f)
+    except IOError:
+        has_shrinkwrap_file = False
+
+    if has_shrinkwrap_file:
+       cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
+       cached_shrinkwrap.pop("dependencies", None)
 
     # Manage the dependencies
     progress = OutOfProgressHandler(d, r"^(\d+)/(\d+)$")
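Review bot: `except IOError:` in the new try block treats every I/O failure on `orig_shrinkwrap_file` (permission denied, unreadable path) the same as "this package has no shrinkwrap", so a build can silently continue without its pinned dependency set. Catch `FileNotFoundError` only and let other errors propagate. The two lines under `if has_shrinkwrap_file:` are also indented three spaces relative to the `if` rather than the four used in the rest of the function.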
@@ -165,8 +171,10 @@ python npm_do_configure() {
             progress.write("%d/%d" % (progress_done, progress_total))
 
     dev = bb.utils.to_boolean(d.getVar("NPM_INSTALL_DEV"), False)
-    foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
-    foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
+
+    if has_shrinkwrap_file:
+        foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
+        foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
 
     # Configure the main package
     with tempfile.TemporaryDirectory() as tmpdir:
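Review bot: When `has_shrinkwrap_file` is false, both `foreach_dependencies` calls are skipped without any message, so nothing in the task log shows that no dependencies were counted or cached for this recipe. Emit a `bb.note()` in an `else` branch stating that no shrinkwrap file was found and dependency caching was skipped.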
@@ -181,16 +189,19 @@ python npm_do_configure() {
                 cached_manifest[depkey] = {}
             cached_manifest[depkey][name] = version
 
-    _update_manifest("dependencies")
+    if has_shrinkwrap_file:
+        _update_manifest("dependencies")
 
     if dev:
-        _update_manifest("devDependencies")
+        if has_shrinkwrap_file:
+            _update_manifest("devDependencies")
 
     with open(cached_manifest_file, "w") as f:
         json.dump(cached_manifest, f, indent=2)
 
-    with open(cached_shrinkwrap_file, "w") as f:
-        json.dump(cached_shrinkwrap, f, indent=2)
+    if has_shrinkwrap_file:
+        with open(cached_shrinkwrap_file, "w") as f:
+            json.dump(cached_shrinkwrap, f, indent=2)
 }
 
 python npm_do_compile() {
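Review bot: The nested `if dev:` / `if has_shrinkwrap_file:` pair around `_update_manifest("devDependencies")` can be a single `if dev and has_shrinkwrap_file:`, and this hunk tests `has_shrinkwrap_file` three separate times. Group the manifest update and the `cached_shrinkwrap_file` write under one guard where ordering allows, so the no-shrinkwrap path is easier to follow.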
-- 
2.29.2



* [gatesgarth][PATCH 03/35] recipetool: create: only add npmsw url if required
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 01/35] image_types: Ensure tar archives are reproducible Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 02/35] npm.bbclass: make shrinkwrap file optional Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 04/35] npm.bbclass: use python3 for npm config Anuj Mittal
                   ` (31 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Kamel Bouhara <kamel.bouhara@bootlin.com>

Before adding a npmsw fetcher to a recipe we
should first check if the generated shrinkwrap file
contains dependencies.

Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ef153ad36d0299e83a03af8f207686d0d8a238b3)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 scripts/lib/recipetool/create_npm.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/recipetool/create_npm.py b/scripts/lib/recipetool/create_npm.py
index 579b7ae48a..2bcae91dfa 100644
--- a/scripts/lib/recipetool/create_npm.py
+++ b/scripts/lib/recipetool/create_npm.py
@@ -204,6 +204,9 @@ class NpmRecipeHandler(RecipeHandler):
         self._run_npm_install(d, srctree, registry, dev)
         shrinkwrap_file = self._generate_shrinkwrap(d, srctree, dev)
 
+        with open(shrinkwrap_file, "r") as f:
+            shrinkwrap = json.load(f)
+
         if os.path.exists(lock_copy):
             bb.utils.movefile(lock_copy, lock_file)
 
@@ -226,7 +229,8 @@ class NpmRecipeHandler(RecipeHandler):
             value = origvalue.replace("version=" + data["version"], "version=${PV}")
             value = value.replace("version=latest", "version=${PV}")
             values = [line.strip() for line in value.strip('\n').splitlines()]
-            values.append(url_recipe)
+            if "dependencies" in shrinkwrap:
+                values.append(url_recipe)
             return values, None, 4, False
 
         (_, newlines) = bb.utils.edit_metadata(lines_before, ["SRC_URI"], _handle_srcuri)
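Review bot: `if "dependencies" in shrinkwrap:` tests only that the key exists, so a shrinkwrap with an empty `"dependencies": {}` object still gets the npmsw URL appended, which is not what the commit message describes. Use `if shrinkwrap.get("dependencies"):` so an empty mapping is treated the same as a missing key.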
-- 
2.29.2



* [gatesgarth][PATCH 04/35] npm.bbclass: use python3 for npm config
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (2 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 03/35] recipetool: create: only add npmsw url if required Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 05/35] glibc: update to latest release/2.32/master branch Anuj Mittal
                   ` (30 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Vyacheslav Yurkov <uvv.mail@gmail.com>

python2-native executable is not available in sysroot anymore, which
causes compilation of some nodejs modules to fail. Switch to python3 as a
default python version.

Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d21f50ecf8e8683a92b7d234fa8225c2c1470595)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/npm.bbclass | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass
index d3dd1a9ab8..79f55febcc 100644
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -17,6 +17,8 @@
 #  NPM_INSTALL_DEV:
 #       Set to 1 to also install devDependencies.
 
+inherit python3native
+
 DEPENDS_prepend = "nodejs-native "
 RDEPENDS_${PN}_prepend = "nodejs "
 
@@ -248,9 +250,7 @@ python npm_do_compile() {
         sysroot = d.getVar("RECIPE_SYSROOT_NATIVE")
         nodedir = os.path.join(sysroot, d.getVar("prefix_native").strip("/"))
         configs.append(("nodedir", nodedir))
-        bindir = os.path.join(sysroot, d.getVar("bindir_native").strip("/"))
-        pythondir = os.path.join(bindir, "python-native", "python")
-        configs.append(("python", pythondir))
+        configs.append(("python", d.getVar("PYTHON")))
 
         # Add node-pre-gyp configuration
         args.append(("target_arch", d.getVar("NPM_ARCH")))
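Review bot: `d.getVar("PYTHON")` is passed to `configs.append` without a check, and it is only set because of the `inherit python3native` added in the first hunk; if that inherit is ever dropped, the npm `python` config becomes None. Add a short comment on the new line tying it to the inherit, or call `bb.fatal()` when the variable is unset.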
-- 
2.29.2



* [gatesgarth][PATCH 05/35] glibc: update to latest release/2.32/master branch
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (3 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 04/35] npm.bbclass: use python3 for npm config Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 06/35] ncurses: Don't put terminfo into the sysroot Anuj Mittal
                   ` (29 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Steve Sakoman <steve@sakoman.com>

Remove patches for CVE-2019-25013 and CVE-2020-27618 since they are
present in the branch now. Add both CVEs to CVE_CHECK_WHITELIST.

760e1d28782 gconv: Fix assertion failure in ISO-2022-JP-3 module (bug 27256)
d3cb8f6222a aarch64: fix static PIE start code for BTI [BZ #27068]
082798622d8 __vfscanf_internal: fix aliasing violation (bug 26690)
33dc30bc838 aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831]
46e1e64fe3e elf: Pass the fd to note processing
b6eae83717d elf: Move note processing after l_phdr is updated
c6090dcebd1 aarch64: align address for BTI protection [BZ #26988]
610e2c51504 aarch64: Fix missing BTI protection from dependencies [BZ #26926]
4c619b3eed5 x86: Check IFUNC definition in unrelocated executable [BZ #20019]
87450ecf8a8 x86: Set header.feature_1 in TCB for always-on CET [BZ #27177]
2b4f67c2b33 Update for [BZ #27130] fix
1a24bbd43e4 x86-64: Avoid rep movsb with short distance [BZ #27130]
0d9793e82a1 Fix buffer overrun in EUC-KR conversion module (bz #24973)
1d49bede4d8 tests-mcheck: New variable to run tests with MALLOC_CHECK_=3
050022910be iconv: Accept redundant shift sequences in IBM1364 [BZ #26224]
ac0a6929c5d sh: Add sh4 fpu Implies folder
3ea24955bff struct _Unwind_Exception alignment should not depend on compiler flags
5c36293f067 resolv: Serialize processing in resolv/tst-resolv-txnid-collision
2dfa659a66f resolv: Handle transaction ID collisions in parallel queries (bug 26600)
05c025abca1 support: Provide a way to clear the RA bit in DNS server responses
f688bcd83de support: Provide a way to reorder responses within the DNS test server
eba0ce60588 Remove __warndecl
5337b2af4b8 Remove __warn_memset_zero_len [BZ #25399]
c6e794640c3 aarch64: Add unwind information to _start (bug 26853)
70ee5e8b573 aarch64: Fix DT_AARCH64_VARIANT_PCS handling [BZ #26798]
8813b2682e4 x86: Optimizing memcpy for AMD Zen architecture.
e61a8fd8fad Reversing calculation of __x86_shared_non_temporal_threshold
0b9460d22e2 sysvipc: Fix IPC_INFO and SHM_INFO handling [BZ #26636]
c4aeedea598 sysvipc: Fix IPC_INFO and MSG_INFO handling [BZ #26639]
9b139b6b81a sysvipc: Fix SEM_STAT_ANY kernel argument pass [BZ #26637]
81c5484d93a AArch64: Use __memcpy_simd on Neoverse N2/V1
0f8f0ed25c1 AArch64: Improve backwards memmove performance
23482f78866 Set version.h RELEASE to "stable" (Bug 26700)
69beb5cbf85 string: Fix strerrorname_np return value [BZ #26555]
fe62c4d173f intl: Handle translation output codesets with suffixes [BZ #26383]
386543bc449 NEWS: Update for [BZ #26534] fix
cebc01cbfd6 x86-64: Fix FMA4 detection in ifunc [BZ #26534]

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8d05c277c5350c4d968eb488788eac7978968ef7)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../glibc/glibc/CVE-2019-25013.patch          | 137 ------------------
 meta/recipes-core/glibc/glibc_2.32.bb         |   4 +-
 3 files changed, 3 insertions(+), 140 deletions(-)
 delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-25013.patch

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 1566056297..586b2e207e 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.32/master"
 PV = "2.32"
-SRCREV_glibc ?= "3de512be7ea6053255afed6154db9ee31d4e557a"
+SRCREV_glibc ?= "760e1d287825fa91d4d5a0cc921340c740d803e2"
 SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
deleted file mode 100644
index 987e959db2..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@suse.de>
-Date: Mon, 21 Dec 2020 08:56:43 +0530
-Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
-
-The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
-area and is not allowed.  The from_euc_kr function used to skip two bytes
-when told to skip over the unknown designation, potentially running over
-the buffer end.
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
-CVE: CVE-2019-25013
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- iconvdata/Makefile      |  3 ++-
- iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
- iconvdata/euc-kr.c      |  6 +----
- iconvdata/ksc5601.h     |  6 ++---
- 4 files changed, 59 insertions(+), 9 deletions(-)
- create mode 100644 iconvdata/bug-iconv13.c
-
-diff --git a/iconvdata/Makefile b/iconvdata/Makefile
-index 4ec2741cdc..85009f3390 100644
---- a/iconvdata/Makefile
-+++ b/iconvdata/Makefile
-@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules))
- ifeq (yes,$(build-shared))
- tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
- 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
--	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4
-+	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
-+	bug-iconv13
- ifeq ($(have-thread-library),yes)
- tests += bug-iconv3
- endif
-diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
-new file mode 100644
-index 0000000000..87aaff398e
---- /dev/null
-+++ b/iconvdata/bug-iconv13.c
-@@ -0,0 +1,53 @@
-+/* bug 24973: Test EUC-KR module
-+   Copyright (C) 2020 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <https://www.gnu.org/licenses/>.  */
-+
-+#include <errno.h>
-+#include <iconv.h>
-+#include <stdio.h>
-+#include <support/check.h>
-+
-+static int
-+do_test (void)
-+{
-+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
-+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
-+
-+  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
-+     areas, which are not allowed and should be skipped over due to
-+     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
-+     should be checked first.  */
-+  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
-+  char *inptr = input;
-+  size_t insize = sizeof (input);
-+  char output[4];
-+  char *outptr = output;
-+  size_t outsize = sizeof (output);
-+
-+  /* This used to crash due to buffer overrun.  */
-+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
-+  TEST_VERIFY (errno == EINVAL);
-+  /* The conversion should produce one character, the converted null
-+     character.  */
-+  TEST_VERIFY (sizeof (output) - outsize == 1);
-+
-+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
-+
-+  return 0;
-+}
-+
-+#include <support/test-driver.c>
-diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
-index b0d56cf3ee..1045bae926 100644
---- a/iconvdata/euc-kr.c
-+++ b/iconvdata/euc-kr.c
-@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
- 									      \
-     if (ch <= 0x9f)							      \
-       ++inptr;								      \
--    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
--       user-defined areas.  */						      \
--    else if (__builtin_expect (ch == 0xa0, 0)				      \
--	     || __builtin_expect (ch > 0xfe, 0)				      \
--	     || __builtin_expect (ch == 0xc9, 0))			      \
-+    else if (__glibc_unlikely (ch == 0xa0))				      \
-       {									      \
- 	/* This is illegal.  */						      \
- 	STANDARD_FROM_LOOP_ERR_HANDLER (1);				      \
-diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
-index d3eb3a4ff8..f5cdc72797 100644
---- a/iconvdata/ksc5601.h
-+++ b/iconvdata/ksc5601.h
-@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
-   unsigned char ch2;
-   int idx;
- 
-+  if (avail < 2)
-+    return 0;
-+
-   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
- 
-   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
-       || (ch - offset) == 0x49)
-     return __UNKNOWN_10646_CHAR;
- 
--  if (avail < 2)
--    return 0;
--
-   ch2 = (*s)[1];
-   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
-     return __UNKNOWN_10646_CHAR;
--- 
-2.27.0
-
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index d43c8c56cb..e4fe9b87b5 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,8 @@
 require glibc.inc
 require glibc-version.inc
 
-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+# whitelist CVE's with fixes in latest release/2.32/master branch
+CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618"
 
 DEPENDS += "gperf-native bison-native make-native"
 
@@ -46,7 +47,6 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
            file://CVE-2020-29562.patch \
            file://CVE-2020-29573.patch \
-           file://CVE-2019-25013.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
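Review bot: Only `file://CVE-2019-25013.patch` is removed from `SRC_URI` here and the diffstat deletes only that file, while the commit message says patches for both CVE-2019-25013 and CVE-2020-27618 are removed. If this branch never carried a CVE-2020-27618 patch, adjust the commit message for the backport; otherwise the second `file://` entry and its patch file still need to go.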
-- 
2.29.2



* [gatesgarth][PATCH 06/35] ncurses: Don't put terminfo into the sysroot
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (4 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 05/35] glibc: update to latest release/2.32/master branch Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 07/35] python3: Avoid installing test data into recipe-sysroot Anuj Mittal
                   ` (28 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This reduces the file count from ~2850 to ~100 which is a huge win
for reducing build directory clutter, it's unlikely anything uses the
terminfo data or man pages in the sysroot. This is especially helpful
as we usually end up with two copies of these sets of files.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 443633dfc20177ef88a388d96745675817510c99)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-core/ncurses/ncurses.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index fe4e8a5d6e..ef59bc3b0a 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -324,3 +324,8 @@ FILES_${PN}-terminfo-base = "\
 
 RSUGGESTS_${PN}-libtinfo = "${PN}-terminfo"
 RRECOMMENDS_${PN}-libtinfo = "${PN}-terminfo-base"
+
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS_remove = "${datadir}"
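Review bot: `SYSROOT_DIRS_remove = "${datadir}"` drops the whole of `${datadir}` from the ncurses sysroot, but the comment above it only mentions terminfo. Either say in the comment that everything ncurses installs under `${datadir}` is intentionally excluded, or narrow the change to the terminfo directory.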
-- 
2.29.2



* [gatesgarth][PATCH 07/35] python3: Avoid installing test data into recipe-sysroot
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (5 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 06/35] ncurses: Don't put terminfo into the sysroot Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 08/35] staging: Clean up files installed into the sysroot Anuj Mittal
                   ` (27 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

There are several thousand files in the test directory which we don't need.
Adding these for the native and target sysroots is a crazy amount of files
to be throwing around needlessly. Delete the files from the sysroot side
of things to tidy up the sysroots and improve performance.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6bced03011ad1663d68b0322a2f8aeb4d836646)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/python/python3_3.8.5.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.8.5.bb b/meta/recipes-devtools/python/python3_3.8.5.bb
index 0e588d7e4c..fb066084bf 100644
--- a/meta/recipes-devtools/python/python3_3.8.5.bb
+++ b/meta/recipes-devtools/python/python3_3.8.5.bb
@@ -361,3 +361,9 @@ RDEPENDS_${PN}-dev = ""
 
 RDEPENDS_${PN}-tests_append_class-target = " ${MLPREFIX}bash"
 RDEPENDS_${PN}-tests_append_class-nativesdk = " ${MLPREFIX}bash"
+
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+	rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
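Review bot: `py3_sysroot_cleanup` removes only `${libdir}/python${PYTHON_MAJMIN}/test`, so the test directories that live inside individual standard-library packages stay in the sysroot. If the aim is to drop all test data, extend the function to those directories as well, or say in the comment that only the top-level `test` tree is targeted. The leading space in `+= " py3_sysroot_cleanup"` is also unnecessary, since `+=` already inserts one.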
-- 
2.29.2



* [gatesgarth][PATCH 08/35] staging: Clean up files installed into the sysroot
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (6 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 07/35] python3: Avoid installing test data into recipe-sysroot Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 09/35] linux-yocto/5.4: update to v5.4.90 Anuj Mittal
                   ` (26 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

There are a variety of files being installed into $datadir which we
don't need. Pick the top "offenders" which amount to thousands of files
and simply don't install them. These include things like test data,
terminfo data, locale data for native tools and so on. This saves
copying these files into native and target sysroots and should improve
performance (smaller sstate, fewer files to copy around).

With this and the python recipe change, alsa-tools went from:

recipe-sysroot: 18357
recipe-sysroot-native: 14129

to

recipe-sysroot: 10809
recipe-sysroot-native: 8079

which is a decent improvement.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 366c72941fe1c24d0b1d96df46e13cb9eb4e79d6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/staging.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index f0a619b35b..8165ab268e 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -27,11 +27,15 @@ SYSROOT_DIRS_BLACKLIST = " \
     ${mandir} \
     ${docdir} \
     ${infodir} \
+    ${datadir}/X11/locale \
     ${datadir}/applications \
+    ${datadir}/bash-completion \
     ${datadir}/fonts \
     ${datadir}/gtk-doc/html \
+    ${datadir}/installed-tests \
     ${datadir}/locale \
     ${datadir}/pixmaps \
+    ${datadir}/terminfo \
     ${libdir}/${BPN}/ptest \
 "
 
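Review bot: the four new SYSROOT_DIRS_BLACKLIST entries change what every recipe stages, and on a stable branch that can break a layer that was relying on one of these paths being present in a sysroot. `${datadir}/terminfo` is the entry to check first, since a native tool that uses curses at build time looks there. The commit message gives the file-count saving but not how a recipe that needs one of these directories opts back in; a sentence on that, or on which recipes were checked, would make the backport easier to accept.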
-- 
2.29.2



* [gatesgarth][PATCH 09/35] linux-yocto/5.4: update to v5.4.90
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (7 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 08/35] staging: Clean up files installed into the sysroot Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 10/35] linux-yocto-rt/5.4: fix 5.4-stable caused build breakage Anuj Mittal
                   ` (25 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:

    ceed81a883dc Linux 5.4.90
    6f484096196b regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init()
    bbb2fee395e9 net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet
    bd0051a5cb05 block: fix use-after-free in disk_part_iter_next
    c5fe50e18fcb KVM: arm64: Don't access PMCR_EL0 when no PMU is available
    f595e44b161a net: mvpp2: disable force link UP during port init procedure
    5b8d3c3a9fcb regulator: qcom-rpmh-regulator: correct hfsmps515 definition
    3582406b9c04 wan: ds26522: select CONFIG_BITREVERSE
    480c5e9c7e4c regmap: debugfs: Fix a memory leak when calling regmap_attach_dev
    c3c774886790 net/mlx5e: Fix two double free cases
    ce74b5a0689d net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups
    a2b2ae3812e5 bpftool: Fix compilation failure for net.o with older glibc
    2992e3371a3a iommu/intel: Fix memleak in intel_irq_remapping_alloc
    006319327d21 lightnvm: select CONFIG_CRC32
    46c15eeb0a8a block: rsxx: select CONFIG_CRC32
    4834a984e456 wil6210: select CONFIG_CRC32
    b28378bc91d0 qed: select CONFIG_CRC32
    cc196d4604c9 dmaengine: xilinx_dma: fix mixed_enum_type coverity warning
    d0eaf8a8eff8 dmaengine: xilinx_dma: fix incompatible param warning in _child_probe()
    e6f247a5f927 dmaengine: xilinx_dma: check dma_async_device_register return value
    c15556cb344a dmaengine: mediatek: mtk-hsdma: Fix a resource leak in the error handling path of the probe function
    55503711adff i2c: i801: Fix the i2c-mux gpiod_lookup_table not being properly terminated
    12e8bcaef61a spi: stm32: FIFO threshold level - fix align packet size
    9ff4796e6fd9 cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get()
    4dd15f9bc881 can: kvaser_pciefd: select CONFIG_CRC32
    82adac5ad13b can: m_can: m_can_class_unregister(): remove erroneous m_can_clk_stop()
    3b68980596fb can: tcan4x5x: fix bittiming const, use common bittiming from m_can driver
    b77e0283efdc dmaengine: dw-edma: Fix use after free in dw_edma_alloc_chunk()
    f6dd8c259ab8 i2c: sprd: use a specific timeout to avoid system hang up issue
    8d0cadc2ea64 ARM: OMAP2+: omap_device: fix idling of devices during probe
    003280bd8845 HID: wacom: Fix memory leakage caused by kfifo_alloc
    6f367fb1b7ee iio: imu: st_lsm6dsx: fix edge-trigger interrupts
    87ea51c90280 vmlinux.lds.h: Add PGO and AutoFDO input sections
    099340d3e758 exfat: Month timestamp metadata accidentally incremented
    bb039d45ebc5 x86/resctrl: Don't move a task to the same resource group
    628af07fc5cd x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR
    96fb3d28c885 chtls: Fix chtls resources release sequence
    fac9b53cfacb chtls: Added a check to avoid NULL pointer dereference
    38768ea1127d chtls: Replace skb_dequeue with skb_peek
    dcce456b2843 chtls: Fix panic when route to peer not configured
    44bed66b2be9 chtls: Remove invalid set_tcb call
    266ee00f402b chtls: Fix hardware tid leak
    ed62af62da41 net/mlx5e: ethtool, Fix restriction of autoneg with 56G
    cf59803ce4b3 net/mlx5: Use port_num 1 instead of 0 when delete a RoCE address
    3008c639c081 net: dsa: lantiq_gswip: Exclude RMII from modes that report 1 GbE
    fc1c907da5a1 s390/qeth: fix L2 header access in qeth_l3_osa_features_check()
    e6931e3eb084 nexthop: Unlink nexthop group entry in error path
    3cecab93f271 nexthop: Fix off-by-one error in error path
    f03b81e61ef5 octeontx2-af: fix memory leak of lmac and lmac->name
    12e10b12124c net: ip: always refragment ip defragmented packets
    41bfd4111257 net: fix pmtu check in nopmtudisc mode
    98fc9692ac3d tools: selftests: add test for changing routes with PTMU exceptions
    7694654168bb net: ipv6: fib: flush exceptions when purging route
    1cba7e270b16 net/sonic: Fix some resource leaks in error handling paths
    37e6368a8de6 net: vlan: avoid leaks on register_vlan_dev() failures
    4ff0737ebc76 net: stmmac: dwmac-sun8i: Balance internal PHY power
    5698f0921c9b net: stmmac: dwmac-sun8i: Balance internal PHY resource references
    fa020a28896c net: hns3: fix a phy loopback fail issue
    bddaf51d116c net: hns3: fix the number of queues actually used by ARQ
    d73f7e757526 net: cdc_ncm: correct overhead in delayed_ndp_size
    5597557244d4 vfio iommu: Add dma available capability
    335104082c21 x86/asm/32: Add ENDs to some functions and relabel with SYM_CODE_*
    a829146c3fdc Linux 5.4.89
    485e21729b1e scsi: target: Fix XCOPY NAA identifier lookup
    7795afa0d7a9 KVM: x86: fix shift out of bounds reported by UBSAN
    a9d49da7edf8 x86/mtrr: Correct the range check before performing MTRR type lookups
    a798b367a066 netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
    5e401ea71676 netfilter: xt_RATEEST: reject non-null terminated string from userspace
    1dd6a790c220 netfilter: ipset: fix shift-out-of-bounds in htable_bits()
    e0281bb5a82d netfilter: x_tables: Update remaining dereference to RCU
    828f2a20f946 drm/i915: clear the gpu reloc batch
    ef8133b1b47e dmabuf: fix use-after-free of dmabuf's file->f_inode
    284be2b993ca Revert "device property: Keep secondary firmware node secondary by type"
    64d06c7f2fa2 btrfs: send: fix wrong file path when there is an inode with a pending rmdir
    0cb0b876f17f ALSA: hda/realtek: Add two "Intel Reference board" SSID in the ALC256.
    02e59692a6b1 ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7
    d63a96f45c4f ALSA: hda/realtek - Fix speaker volume control on Lenovo C940
    30fd9778cf8f ALSA: hda/conexant: add a new hda codec CX11970
    121944484cc4 ALSA: hda/via: Fix runtime PM for Clevo W35xSS
    a5c7a456680f kvm: check tlbs_dirty directly
    10dcb79ec79e x86/mm: Fix leak of pmd ptlock
    d3e5db486fd8 USB: serial: keyspan_pda: remove unused variable
    bcffe2de9dde usb: gadget: configfs: Fix use-after-free issue with udc_name
    276828221852 usb: gadget: configfs: Preserve function ordering after bind failure
    b2bd36f54495 usb: gadget: Fix spinlock lockup on usb_function_deactivate
    ce507b55db29 USB: gadget: legacy: fix return error code in acm_ms_bind()
    7f875ea9883c usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
    b89a5f39c2b5 usb: gadget: function: printer: Fix a memory leak for interface descriptor
    692ab0726460 usb: gadget: f_uac2: reset wMaxPacketSize
    7ac84fa85ba2 usb: gadget: select CONFIG_CRC32
    77a804dd6b46 ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks
    5c263f16822f USB: usblp: fix DMA to stack
    41f15da2abd9 USB: yurex: fix control-URB timeout handling
    175f7a5fa7e6 USB: serial: option: add Quectel EM160R-GL
    1a59feb52dc4 USB: serial: option: add LongSung M5710 module support
    ac48b1dacb07 USB: serial: iuu_phoenix: fix DMA from stack
    8a051eaae708 usb: uas: Add PNY USB Portable SSD to unusual_uas
    a7b81d0d2e07 usb: usbip: vhci_hcd: protect shift size
    f7cc27eb358d USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set
    ea472d839133 usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data()
    a37a0667e1e0 usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion
    5b8e1be9e0c1 USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
    5445502a344b USB: cdc-acm: blacklist another IR Droid device
    eeae1d95ce4e usb: gadget: enable super speed plus
    70cf59b8ffb4 staging: mt7621-dma: Fix a resource leak in an error handling path
    c511f27e130e powerpc: Handle .text.{hot,unlikely}.* in linker script
    867c10a03f84 crypto: asym_tpm: correct zero out potential secrets
    ff7397add935 crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
    9e60056b1f53 video: hyperv_fb: Fix the mmap() regression for v5.4.y and older
    84d488719b27 Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close
    3417067b3111 kbuild: don't hardcode depmod path
    3f2a28930a7e net/sched: sch_taprio: ensure to reset/destroy all child qdiscs
    c41ea30c3839 ionic: account for vlan tag len in rx buffer len
    5c6eb887e192 vhost_net: fix ubuf refcount incorrectly when sendmsg fails
    8f64957fda12 net: usb: qmi_wwan: add Quectel EM160R-GL
    12ab7b627d43 CDC-NCM: remove "connected" log message
    171a2bce9d6c net: dsa: lantiq_gswip: Fix GSWIP_MII_CFG(p) register access
    c0883010d3b3 net: dsa: lantiq_gswip: Enable GSWIP_MII_CFG_EN also for internal PHYs
    07f26fc52b45 r8169: work around power-saving bug on some chip versions
    106ca9ca9acc net: hdlc_ppp: Fix issues when mod_timer is called while timer is running
    2b8aa896b151 erspan: fix version 1 check in gre_parse_header()
    606f5412ad86 net: hns: fix return value check in __lb_other_process()
    e40b5fc79110 net: sched: prevent invalid Scell_log shift count
    b16f883e71f3 ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst()
    a018c071de14 net: mvpp2: fix pkt coalescing int-threshold configuration
    443a71031e49 tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS
    c076e1198554 net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered
    8602c20a9160 net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc
    1f6b04a2b282 net-sysfs: take the rtnl lock when storing xps_rxqs
    67ed54a63f43 net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
    fb14db9508c0 net-sysfs: take the rtnl lock when storing xps_cpus
    e43ec45d45af net: ethernet: Fix memleak in ethoc_probe
    56dc7908ed85 net/ncsi: Use real net-device for response handler
    dffef999e484 virtio_net: Fix recursive call to cpus_read_lock()
    5404192a8721 qede: fix offload for IPIP tunnel packets
    8009f6bb13a3 net: ethernet: mvneta: Fix error handling in mvneta_probe
    6d003fe7fe87 ibmvnic: continue fatal error reset after passive init
    3d16088a9668 net: mvpp2: Fix GoP port 3 Networking Complex Control configurations
    8548c9679939 atm: idt77252: call pci_disable_device() on error path
    2a006b4fa5cc ethernet: ucc_geth: set dev->max_mtu to 1518
    c2ca14cc6f55 ethernet: ucc_geth: fix use-after-free in ucc_geth_remove()
    af99cae96fdc net: systemport: set dev->max_mtu to UMAC_MAX_MTU_SIZE
    8dd98d5d2ba4 net: mvpp2: prs: fix PPPoE with ipv6 packet parse
    73445f29575a net: mvpp2: Add TCAM entry to drop flow control pause frames
    a5a6dc4dc293 iavf: fix double-release of rtnl_lock
    6aba31a7c72e i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs
    9ea03f6890ce proc: fix lookup in /proc/net subdirectories after setns(2)
    d2942e958f26 proc: change ->nlink under proc_subdir_lock
    59b10c8a59a1 depmod: handle the case of /sbin/depmod without /sbin in PATH
    663a0bcb3fa5 lib/genalloc: fix the overflow when size is too big
    19e0cf8fc481 scsi: scsi_transport_spi: Set RQF_PM for domain validation commands
    eb3e975ac2a3 scsi: ide: Do not set the RQF_PREEMPT flag for sense requests
    4ae3573c571e scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff()
    5f9c3d640505 scsi: ufs: Fix wrong print message in dev_err()
    515dc635eb76 workqueue: Kick a worker based on the actual activation of delayed works
    f3a4c8d50145 Linux 5.4.88
    0a49aaf4df29 mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
    117433236ae2 exec: Transform exec_update_mutex into a rw_semaphore
    d390fc97df62 rwsem: Implement down_read_interruptible
    1b75a263fbd9 rwsem: Implement down_read_killable_nested
    71b8355ba667 perf: Break deadlock involving exec_update_mutex
    732251cabeb3 fuse: fix bad inode
    06c672dd61b5 iio:imu:bmi160: Fix alignment and data leak issues
    7a736f41013e kdev_t: always inline major/minor helper functions
    61a0d8e437bb dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate()
    20d5ee563bfd dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()
    f2a0b7677444 dmaengine: at_hdmac: Substitute kzalloc with kmalloc
    4d3ba541bede Revert "mtd: spinand: Fix OOB read"
    da5b4cf021b9 Revert "drm/amd/display: Fix memory leaks in S3 resume"

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dcc8a5977725a9fe11ac13ebd16a7acc1eef37d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index f6dd97c9b4..9588c57c39 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "b82b3d52ee94caf6165eda89d3294a561bfb4f0b"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine ?= "06c752971a7cb66123ab2b3731044103fc5662e0"
+SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.90"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
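Review bot: with only this patch applied, SRCREV_machine for linux-yocto-rt moves to a 5.4.90 tree, and the shortlog above includes "rwsem: Implement down_read_interruptible" from 5.4.88, which the next patch in the series (10/35) describes as breaking the build until its own SRCREV bump. That appears to leave a revision in the branch history where linux-yocto-rt does not build. If keeping the cherry-picks one-to-one with master is the reason, a line in the commit message pointing at the follow-up would help anyone bisecting.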
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 05edcfa63d..8dfa5357bd 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.90"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "18b82a8554b25c86cbf31af312765832edca3498"
-SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine_qemuarm ?= "c65142e64f3d705d0b978b44394d274165d872b2"
+SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index ba8660d5d3..71762dd615 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "03f94e8a96d027da980f2cc2ad6e95bbb45e22c5"
-SRCREV_machine_qemuarm64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemumips ?= "0b055d3e2e8d41743b00cd84975ff383e35f1ae9"
-SRCREV_machine_qemuppc ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemuriscv64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemux86 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemux86-64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemumips64 ?= "126e385b2dd8580a266fe15907c3725d2da12458"
-SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine_qemuarm ?= "17c98abae21d7d1bf43b58edc3d4aa2992436385"
+SRCREV_machine_qemuarm64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_machine_qemumips ?= "47a679ac3ca38116beaeb071888c01ef050f1424"
+SRCREV_machine_qemuppc ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_machine_qemuriscv64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_machine_qemux86 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_machine_qemux86-64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_machine_qemumips64 ?= "e4714b9bb683cf08909e6dc2e91fd508e56bfbc2"
+SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
+SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
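Review bot: ten SRCREV values are replaced here and nothing in the message says which linux-yocto branch each one is the tip of, so a reviewer cannot tell a correct pin from a wrong or stale one by reading the patch. Six entries share d4bbfa0e2416ced1a3b4d05fa853e3171f034c57, while qemuarm, qemumips and qemumips64 each have their own hash; listing the branch for those three next to the shortlog would let the pins be checked against the repository before merge.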
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.90"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
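Review bot: both SRC_URI entries visible in this hunk's context fetch over git://, which has no transport authentication, so the SRCREV hashes changed in the previous hunk are the only thing tying the build to the intended kernel and kernel-cache sources. This patch does not introduce that, but since it moves every pin, the new hashes are worth confirming against the repositories over an authenticated transport before taking the bump.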
-- 
2.29.2



* [gatesgarth][PATCH 10/35] linux-yocto-rt/5.4: fix 5.4-stable caused build breakage
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (8 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 09/35] linux-yocto/5.4: update to v5.4.90 Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 11/35] linux-yocto/5.4: update to v5.4.94 Anuj Mittal
                   ` (24 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

5.4-stable included a backport of:

   Author: Eric W. Biederman <ebiederm@xmission.com>
   Date:   Thu Dec 3 14:11:13 2020 -0600

     rwsem: Implement down_read_interruptible

     [ Upstream commit 31784cff7ee073b34d6eddabb95e3be2880a425c ]

     In preparation for converting exec_update_mutex to a rwsem so that
     multiple readers can execute in parallel and not deadlock, add
     down_read_interruptible.  This is needed for perf_event_open to be
     converted (with no semantic changes) from working on a mutex to
     working on a rwsem.

     Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
     Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
     Link: https://lkml.kernel.org/r/87k0tybqfy.fsf@x220.int.ebiederm.org
     Signed-off-by: Sasha Levin <sashal@kernel.org>

We implement a -rt variant to fix the build issues.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e610fb7cc22447441f18a9b1bffe58aadb6aaab6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb   | 4 ++--
 meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 9588c57c39..8a320b3113 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,8 +11,8 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "06c752971a7cb66123ab2b3731044103fc5662e0"
-SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
+SRCREV_machine ?= "6b0893e9fddb5473b181b29059fe64980f353c83"
+SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
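Review bot: the message says a -rt variant was implemented to fix the build, but the new SRCREV_machine and SRCREV_meta values here are the only record of it. Naming the linux-yocto commit that carries the -rt implementation would let the fix itself be reviewed rather than taken on trust. LINUX_VERSION is not touched by this patch, which is right only if the new SRCREV_machine is still based on 5.4.90, so that is worth stating as well.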
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 8dfa5357bd..32fbf9dc55 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "c65142e64f3d705d0b978b44394d274165d872b2"
 SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
+SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
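Review bot: SRCREV_meta changes here and in linux-yocto_5.4.bb although the subject and message describe an -rt build fix only. If the yocto-kernel-cache bump is needed just to keep the three recipes on one meta revision, the message should say so; if it brings other configuration changes to the tiny and standard kernels, those should be listed.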
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 71762dd615..5dbfbc1ae9 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -21,7 +21,7 @@ SRCREV_machine_qemux86 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
 SRCREV_machine_qemux86-64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
 SRCREV_machine_qemumips64 ?= "e4714b9bb683cf08909e6dc2e91fd508e56bfbc2"
 SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_meta ?= "70cec8c033a6f5c48f0a93374f0bfc25240f14fd"
+SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.29.2



* [gatesgarth][PATCH 11/35] linux-yocto/5.4: update to v5.4.94
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (9 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 10/35] linux-yocto-rt/5.4: fix 5.4-stable caused build breakage Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 12/35] sanity.bbclass: Check if PSEUDO_IGNORE_PATHS and paths under pseudo control overlap Anuj Mittal
                   ` (23 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:

    0fbca6ce4174 Linux 5.4.94
    315cd8fc2ad2 fs: fix lazytime expiration handling in __writeback_single_inode()
    5f8b8fccdfbc writeback: Drop I_DIRTY_TIME_EXPIRE
    2d8848edc96b dm integrity: conditionally disable "recalculate" feature
    43546b74ce6c tools: Factor HOSTCC, HOSTLD, HOSTAR definitions
    ab85b382dcf7 SMB3.1.1: do not log warning message if server doesn't populate salt
    0edc78af73d0 arm64: mm: use single quantity to represent the PA to VA translation
    b899d5b2a42a tracing: Fix race in trace_open and buffer resize call
    c4a23c852e80 io_uring: Fix current->fs handling in io_sq_wq_submit_work()
    336bb7dc5a1c HID: wacom: Correct NULL dereference on AES pen proximity
    ecd62d2e9ab4 futex: Handle faults correctly for PI futexes
    55ea172ce3eb futex: Simplify fixup_pi_state_owner()
    a3155c362ca0 futex: Use pi_state_update_owner() in put_pi_state()
    ceb83cf9ed67 rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
    015b6a4c2564 futex: Provide and use pi_state_update_owner()
    65aad57cac8d futex: Replace pointless printk in fixup_owner()
    0dae88a92596 futex: Ensure the correct return value from futex_lock_pi()
    c27a2a1ecf69 Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
    4afd772371d9 gpio: mvebu: fix pwm .get_state period calculation
    131f8d8a889a Linux 5.4.93
    f7020c437e13 tcp: fix TCP_USER_TIMEOUT with zero window
    945d182a046f tcp: do not mess with cloned skbs in tcp_add_backlog()
    ccc248b6444a net: dsa: b53: fix an off by one in checking "vlan->vid"
    ff64094dc718 net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
    3e5b335a55e9 net: mscc: ocelot: allow offloading of bridge on top of LAG
    b47a3c32c4c2 ipv6: set multicast flag on the multicast route
    b778940f2ab9 net_sched: reject silly cell_log in qdisc_get_rtab()
    4ed347901f08 net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
    bc757ba6dc75 ipv6: create multicast route with RTPROT_KERNEL
    60fb547a3d5d udp: mask TOS bits in udp_v4_early_demux()
    da3711f42c68 kasan: fix incorrect arguments passing in kasan_add_zero_shadow
    0d190f53fa2f kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
    5a3890bad3a4 skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
    49aaf012c478 lightnvm: fix memory leak when submit fails
    0ff55fc4d6a1 sh_eth: Fix power down vs. is_opened flag ordering
    fd2f5130ae98 net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext
    4e1d17a1f73b sh: dma: fix kconfig dependency for G2_DMA
    8a0b8e26f79f netfilter: rpfilter: mask ecn bits before fib lookup
    99328b4b4408 x86/cpu/amd: Set __max_die_per_package on AMD
    6f8ba0ada139 pinctrl: ingenic: Fix JZ4760 support
    382ffe786647 driver core: Extend device_is_dependent()
    4e749a28c909 xhci: tegra: Delay for disabling LFPS detector
    a6a5d08170c2 xhci: make sure TRB is fully written before giving it to the controller
    7f3cfc7e378d usb: bdc: Make bdc pci driver depend on BROKEN
    f764f90b0c77 usb: udc: core: Use lock when write to soft_connect
    564f3c532642 usb: gadget: aspeed: fix stop dma register setting.
    f89a193fd9d3 USB: ehci: fix an interrupt calltrace error
    9a660760299b ehci: fix EHCI host controller initialization sequence
    5eda5db39e28 serial: mvebu-uart: fix tx lost characters at power off
    a8fade59466c stm class: Fix module init return on allocation failure
    5e4bacea58ca intel_th: pci: Add Alder Lake-P support
    c5885886c72c x86/mmx: Use KFPU_387 for MMX string operations
    d1a9cd1dc53c x86/topology: Make __max_die_per_package available unconditionally
    cdb4ce96fdd2 x86/fpu: Add kernel_fpu_begin_mask() to selectively initialize state
    cd1c4882ab43 irqchip/mips-cpu: Set IPI domain parent chip
    9a2f6007a228 cifs: do not fail __smb_send_rqst if non-fatal signals are pending
    745229c90301 iio: ad5504: Fix setting power-down state
    ddd1416f4413 can: peak_usb: fix use after free bugs
    a24476b37167 can: vxcan: vxcan_xmit: fix use after free bug
    ac48ef15826e can: dev: can_restart: fix use after free bug
    391187744436 selftests: net: fib_tests: remove duplicate log test
    237375005739 platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list
    57f0f0ddf9e4 i2c: octeon: check correct size of maximum RECV_LEN packet
    485e0255c19e powerpc: Fix alignment bug within the init sections
    cfea5cddeb71 scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
    da3324ec5497 pinctrl: aspeed: g6: Fix PWMG0 pinctrl setting
    5625c3da7167 powerpc: Use the common INIT_DATA_SECTION macro in vmlinux.lds.S
    73a229119983 drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0
    af91a2e7fb5e drm/nouveau/mmu: fix vram heap sizing
    ee2c9e58f430 drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields
    38f35023fd30 drm/nouveau/privring: ack interrupts the same way as RM
    8c3d3b385ed8 drm/nouveau/bios: fix issue shadowing expansion ROMs
    f5dc9627ac04 drm/amd/display: Fix to be able to stop crc calculation
    9f6d85e20125 drm/amdgpu/psp: fix psp gfx ctrl cmds
    5b2266d62b54 riscv: defconfig: enable gpio support for HiFive Unleashed
    7eef73685871 dts: phy: fix missing mdio device and probe failure of vsc8541-01 device
    5fa6987258a7 x86/xen: Add xen_no_vector_callback option to test PCI INTX delivery
    a09d4e7acdbf xen: Fix event channel callback via INTX/GSI
    acc402fa5bf5 arm64: make atomic helpers __always_inline
    8ab3478335ad clk: tegra30: Add hda clock default rates to clock driver
    c074680653e2 HID: Ignore battery for Elan touchscreen on ASUS UX550
    9cec63a3aacb HID: logitech-dj: add the G602 receiver
    b1b943f5b65e riscv: Fix sifive serial driver
    cd0c46821aa5 riscv: Fix kernel time_init()
    5a1d7bb7d333 scsi: sd: Suppress spurious errors when WRITE SAME is being disabled
    68f99105752d scsi: qedi: Correct max length of CHAP secret
    97853a7eae80 scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback
    b477f4371045 dm integrity: select CRYPTO_SKCIPHER
    8ebe26a1e236 HID: multitouch: Enable multi-input for Synaptics pointstick/touchpad device
    6af49167440a ASoC: Intel: haswell: Add missing pm_ops
    ad1df24b37d9 drm/i915/gt: Prevent use of engine->wa_ctx after error
    6b59bd9eea08 drm/syncobj: Fix use-after-free
    559c0ffedbe0 drm/atomic: put state on error path
    42d855f06d12 dm integrity: fix a crash if "recalculate" used without "internal_hash"
    a03ce9cc4bb8 dm: avoid filesystem lookup in dm_get_dev_t()
    cd3aa1495d8a mmc: sdhci-xenon: fix 1.8v regulator stabilization
    6acdefd0bd34 mmc: core: don't initialize block size from ext_csd if not present
    d8a487e673ab btrfs: send: fix invalid clone operations when cloning from the same file and root
    4d1cf8eeda5b btrfs: don't clear ret in btrfs_start_dirty_block_groups
    e1065331b730 btrfs: fix lockdep splat in btrfs_recover_relocation
    68718453159e btrfs: don't get an EINTR during drop_snapshot for reloc
    a826af1dea4a ACPI: scan: Make acpi_bus_get_device() clear return pointer on error
    08fa4ae93e95 ALSA: hda/via: Add minimum mute flag
    1607adf1ac41 ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info()
    9c301133beda platform/x86: ideapad-laptop: Disable touchpad_switch for ELAN0634
    ea8d3c71313f platform/x86: i2c-multi-instantiate: Don't create platform device for INT3515 ACPI nodes
    60066d5181be i2c: bpmp-tegra: Ignore unknown I2C_M flags
    09f983f0c7fc Linux 5.4.92
    e2d69319b713 spi: cadence: cache reference clock rate during probe
    d04c7938d0f8 mac80211: check if atf has been disabled in __ieee80211_schedule_txq
    d46996cb4b16 mac80211: do not drop tx nulldata packets on encrypted links
    56e8947bcf81 tipc: fix NULL deref in tipc_link_xmit()
    55bac51762c3 net, sctp, filter: remap copy_from_user failure error
    52e0b20c8c57 rxrpc: Fix handling of an unsupported token type in rxrpc_read()
    5c466480d7d4 net: avoid 32 x truesize under-estimation for tiny skbs
    f6499a78e581 net: sit: unregister_netdevice on newlink's error path
    a3870cf8a7a2 net: stmmac: Fixed mtu channged by cache aligned
    c213d85cae39 rxrpc: Call state should be read with READ_ONCE() under some circumstances
    6d57b582fb35 net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
    d52f5929d997 net: dcb: Validate netlink message in DCB handler
    814e04776211 esp: avoid unneeded kmap_atomic call
    0ff06dd1b949 rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
    c897c10e4334 net: mvpp2: Remove Pause and Asym_Pause support
    18c29e175e30 mlxsw: core: Increase critical threshold for ASIC thermal zone
    7680783452ce mlxsw: core: Add validation of transceiver temperature thresholds
    ff6d4e8da7c6 net: ipv6: Validate GSO SKB before finish IPv6 processing
    b41352a93c16 net: skbuff: disambiguate argument and member for skb_list_walk_safe helper
    aa350dbe3a1e net: introduce skb_list_walk_safe for skb segment walking
    760e9fd4f7ab netxen_nic: fix MSI/MSI-x interrupts
    982e763ea3c3 udp: Prevent reuseport_select_sock from reading uninitialized socks
    bd4793843c85 bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback
    79ce12cfa56a bpf: Don't leak memory in bpf getsockopt when optlen == 0
    4aef760c28e8 nfsd4: readdirplus shouldn't return parent of export
    9b72d5ba50f1 spi: npcm-fiu: Disable clock in probe error path
    6ef67f59263e spi: npcm-fiu: simplify the return expression of npcm_fiu_probe()
    fa6de8d82d9c scsi: lpfc: Make lpfc_defer_acc_rsp static
    e82b58aa6471 scsi: lpfc: Make function lpfc_defer_pt2pt_acc static
    5e6b88828526 elfcore: fix building with clang
    ac29c052654f xen/privcmd: allow fetching resource sizes
    dd113b79ee7e compiler.h: Raise minimum version of GCC to 5.1 for arm64
    24cea7d70516 usb: ohci: Make distrust_firmware param default to false
    d26b3110041a Linux 5.4.91
    516bd00e5ac1 netfilter: nft_compat: remove flush counter optimization
    935114863364 netfilter: nf_nat: Fix memleak in nf_nat_init
    49fc6d92b484 netfilter: conntrack: fix reading nf_conntrack_buckets
    548e4168e68d ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
    68e67535e26b ALSA: fireface: Fix integer overflow in transmit_midi_msg()
    2c3d03cdbd39 dm: eliminate potential source of excessive kernel log noise
    a34294774a32 net: sunrpc: interpret the return value of kstrtou32 correctly
    8b5107a74db3 iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev()
    c2226680343d mm, slub: consider rest of partial list if acquire_slab() fails
    cd9e901fe2fc drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence
    9269296721b5 IB/mlx5: Fix error unwinding when set_has_smi_cap fails
    40a782293545 RDMA/mlx5: Fix wrong free of blue flame register on error
    e8c8d2319bd7 bnxt_en: Improve stats context resource accounting with RDMA driver loaded.
    3bcf35a7c05f RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
    da834a9bdc23 RDMA/restrack: Don't treat as an error allocation ID wrapping
    986fdc7685fa ext4: fix superblock checksum failure when setting password salt
    38992092b54e NFS: nfs_igrab_and_active must first reference the superblock
    6b3ae2030db9 NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter
    aa2399f55eff pNFS: Stricter ordering of layoutget and layoutreturn
    78c2ab7f5265 pNFS: Mark layout for return if return-on-close was not sent
    7d1241ae1dce pNFS: We want return-on-close to complete when evicting the inode
    69d121ca892c NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
    c70f6e0ac9f9 nvme-tcp: fix possible data corruption with bio merges
    55a102004376 ASoC: Intel: fix error code cnl_set_dsp_D0()
    2392a54de8ba ASoC: meson: axg-tdmin: fix axg skew offset
    973900cd4614 ASoC: meson: axg-tdm-interface: fix loopback
    08eb8a735c11 dump_common_audit_data(): fix racy accesses to ->d_name
    d443cefd9f73 perf intel-pt: Fix 'CPU too large' error
    221dee1d0d4e ARM: picoxcell: fix missing interrupt-parent properties
    ba74e0f222c7 drm/msm: Call msm_init_vram before binding the gpu
    0251d3eb4480 ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI
    bfdd0a3b86c3 usb: typec: Fix copy paste error for NVIDIA alt-mode description
    644baa95db2b drm/amdgpu: fix a GPU hang issue when remove device
    596b3423fddc nvmet-rdma: Fix list_del corruption on queue establishment failure
    4cb77b877fcc nvme-pci: mark Samsung PM1725a as IGNORE_DEV_SUBNQN
    242793c7ef2f selftests: fix the return value for UDP GRO test
    5fc06b706432 net: ethernet: fs_enet: Add missing MODULE_LICENSE
    15a8491cdcd4 misdn: dsp: select CONFIG_BITREVERSE
    635a658de303 arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC
    bc68af1fdcac bfq: Fix computation of shallow depth
    2abc54579d1b lib/raid6: Let $(UNROLL) rules work with macOS userland
    1d05b91ab72e hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values
    1229d433960c habanalabs: Fix memleak in hl_device_reset
    93aef8e6cc08 habanalabs: register to pci shutdown callback
    79df21218d63 ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram
    331a6438ebfd regulator: bd718x7: Add enable times
    d5f996bea464 btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan
    c8dd8af4b35f netfilter: ipset: fixes possible oops in mtype_resize
    ca2fc0dc1cec ARC: build: move symlink creation to arch/arc/Makefile to avoid race
    6265a0f2410f ARC: build: add boot_targets to PHONY
    217d8ba22bce ARC: build: add uImage.lzma to the top-level target
    b9128252b9ee ARC: build: remove non-existing bootpImage from KBUILD_IMAGE
    5349b17c3df5 dm integrity: fix flush with external metadata device
    c553300f1453 cifs: fix interrupted close commands
    d17a9571e392 smb3: remove unused flag passed into close functions
    55a4dff288af ext4: don't leak old mountpoint samples
    2003c669df4c ext4: fix bug for rename with RENAME_WHITEOUT
    425faacff213 drm/i915/backlight: fix CPU mode backlight takeover on LPT
    72eb9fc82aea btrfs: tree-checker: check if chunk item end overflows
    82a948fc67ea r8152: Add Lenovo Powered USB-C Travel Hub
    ad5f19c7e9ce dm integrity: fix the maximum number of arguments
    5caac6317daf dm snapshot: flush merged data before committing metadata
    2017b99ec205 dm raid: fix discard limits for raid1
    4335af6c62fc mm/hugetlb: fix potential missing huge page size info
    c64366620d91 ACPI: scan: Harden acpi_device_add() against device ID overflows
    bc0b70f1d28c RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd()
    f7a97dc302be MIPS: relocatable: fix possible boot hangup with KASLR enabled
    f5c2f7970683 MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
    a650107de374 mips: lib: uncached: fix non-standard usage of variable 'sp'
    bda45bbc8e03 mips: fix Section mismatch in reference
    aeb64ef1f429 tracing/kprobes: Do the notrace functions check without kprobes on ftrace
    984f57e4258c x86/hyperv: check cpu mask after interrupt has been disabled
    1a202b9b9d23 ASoC: dapm: remove widget from dirty list on free
    82d1a5f6f2e5 btrfs: prevent NULL pointer dereference in extent_io_tree_panic
    bb562e6e0358 kbuild: enforce -Werror=return-type

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 80d066f627225e9eefba84c799e9b27bc17526fc)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 8a320b3113..f280e0efbd 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "6b0893e9fddb5473b181b29059fe64980f353c83"
-SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
+SRCREV_machine ?= "84a6ec1f97d6b6afebe3514e772536342a4189fc"
+SRCREV_meta ?= "e120076c07e69166ebeac0eee011c085bbde2139"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.90"
+LINUX_VERSION ?= "5.4.94"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 32fbf9dc55..bd21c619c9 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.90"
+LINUX_VERSION ?= "5.4.94"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "c65142e64f3d705d0b978b44394d274165d872b2"
-SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
+SRCREV_machine_qemuarm ?= "768311f24c5d817e7cb9ee0803790ee284e9ff30"
+SRCREV_machine ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_meta ?= "e120076c07e69166ebeac0eee011c085bbde2139"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 5dbfbc1ae9..9c616f7a07 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "17c98abae21d7d1bf43b58edc3d4aa2992436385"
-SRCREV_machine_qemuarm64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_machine_qemumips ?= "47a679ac3ca38116beaeb071888c01ef050f1424"
-SRCREV_machine_qemuppc ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_machine_qemuriscv64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_machine_qemux86 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_machine_qemux86-64 ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_machine_qemumips64 ?= "e4714b9bb683cf08909e6dc2e91fd508e56bfbc2"
-SRCREV_machine ?= "d4bbfa0e2416ced1a3b4d05fa853e3171f034c57"
-SRCREV_meta ?= "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
+SRCREV_machine_qemuarm ?= "17b04c3b496d6a89d5de8ef97ce8c2675ac19814"
+SRCREV_machine_qemuarm64 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_machine_qemumips ?= "4b4534a5bb1e765574349baf31dddceb521e6bec"
+SRCREV_machine_qemuppc ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_machine_qemuriscv64 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_machine_qemux86 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_machine_qemux86-64 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_machine_qemumips64 ?= "a3b16f0dc7b90e68e5a7d38e0ab70cbe290ec9a6"
+SRCREV_machine ?= "31db2b47ac7d8508080fbb7344399b501216de66"
+SRCREV_meta ?= "e120076c07e69166ebeac0eee011c085bbde2139"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.90"
+LINUX_VERSION ?= "5.4.94"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.29.2



* [gatesgarth][PATCH 12/35] sanity.bbclass: Check if PSEUDO_IGNORE_PATHS and paths under pseudo control overlap
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (10 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 11/35] linux-yocto/5.4: update to v5.4.94 Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 13/35] sstatesig: Add descriptive error message to getpwuid/getgrgid "uid/gid not found" KeyError Anuj Mittal
                   ` (22 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Dorinda <dorindabassey@gmail.com>

Added a sanity check for when PSEUDO_IGNORE_PATHS and paths under pseudo control overlap to avoid random failures generated.

[YOCTO #14193]

Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e4bd8cabcdedf4b52345ef5eb421f71d0f19b1d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/sanity.bbclass | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 16275b2ea5..01c5434f0d 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -710,6 +710,16 @@ def check_sanity_version_change(status, d):
         if i and workdir.startswith(i):
             status.addresult("You are building in a path included in PSEUDO_IGNORE_PATHS " + str(i) + " please locate the build outside this path.\n")
 
+    # Check if PSEUDO_IGNORE_PATHS and and paths under pseudo control overlap
+    pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+    pseudo_control_dir = "${D},${PKGD},${PKGDEST},${IMAGEROOTFS},${SDK_OUTPUT}"
+    pseudocontroldir = d.expand(pseudo_control_dir).split(",")
+    for i in pseudoignorepaths:
+        for j in pseudocontroldir:
+            if i and j:
+                if j.startswith(i):
+                    status.addresult("A path included in PSEUDO_IGNORE_PATHS " + str(i) + " and the path " + str(j) + " overlap and this will break pseudo permission and ownership tracking. Please set the path " + str(j) + " to a different directory which does not overlap with pseudo controlled directories. \n")
+
     # Some third-party software apparently relies on chmod etc. being suid root (!!)
     import stat
     suid_check_bins = "chown chmod mknod".split()
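
Review bot: The overlap test j.startswith(i) in the inner loop is a raw string prefix match, not a path-component match, so an ignore entry also matches any controlled directory whose name merely begins with the same characters (for example an entry ending in /image would match a sibling directory named /image-extra), and an unnormalised entry or a trailing slash changes the result. Normalise both sides with os.path.normpath and test j == i or j.startswith(i + os.sep) instead. Smaller points in the same hunk: d.getVar('PSEUDO_IGNORE_PATHS', expand=True) returns None when the variable is unset, so the .split(",") would raise instead of reporting through status.addresult; the message tells the user to move j "to a different directory which does not overlap with pseudo controlled directories" although j is itself one of the pseudo-controlled directories, which makes the advice hard to act on; and the new comment has a doubled "and and".
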
-- 
2.29.2



* [gatesgarth][PATCH 13/35] sstatesig: Add descriptive error message to getpwuid/getgrgid "uid/gid not found" KeyError
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (11 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 12/35] sanity.bbclass: Check if PSEUDO_IGNORE_PATHS and paths under pseudo control overlap Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:51 ` [gatesgarth][PATCH 14/35] openssl: set CVE_VERSION_SUFFIX Anuj Mittal
                   ` (21 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Tomasz Dziendzielski <tomasz.dziendzielski@gmail.com>

If path is not owned by any user installed on target it gives
insufficient error "getpwuid(): uid not found" which may be misleading.
This exception occurs if uid/gid of path was not found in PSEUDO_PASSWD
files, which simply means the path is owned by host user and there is
host user contamination.

Add more information to the exception message to make it easier for user
to debug.

[YOCTO #14031]

Signed-off-by: Tomasz Dziendzielski <tomasz.dziendzielski@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 38540b59ed4ec8632e30a5fd6364b010d9da8470)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oe/sstatesig.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index 34558a6672..31a6140984 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -557,9 +557,11 @@ def OEOuthashBasic(path, sigfile, task, d):
                     try:
                         update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
                         update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
-                    except KeyError:
+                    except KeyError as e:
                         bb.warn("KeyError in %s" % path)
-                        raise
+                        msg = ("KeyError: %s\nPath %s is owned by uid %d, gid %d, which doesn't match "
+                            "any user/group on target. This may be due to host contamination." % (e, path, s.st_uid, s.st_gid))
+                        raise Exception(msg).with_traceback(e.__traceback__)
 
                 if include_timestamps:
                     update_hash(" %10d" % s.st_mtime)
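
Review bot: In the except KeyError as e: branch the re-raise converts the KeyError into a bare Exception, so any caller of OEOuthashBasic that catches KeyError no longer matches it. Consider a more specific exception type and "raise ... from e" so the original stays attached as the cause, rather than copying the traceback with with_traceback(e.__traceback__). The retained bb.warn("KeyError in %s" % path) now repeats what the new message already says and could be dropped or folded into it.
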
-- 
2.29.2



* [gatesgarth][PATCH 14/35] openssl: set CVE_VERSION_SUFFIX
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (12 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 13/35] sstatesig: Add descriptive error message to getpwuid/getgrgid "uid/gid not found" KeyError Anuj Mittal
@ 2021-02-09 15:51 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 15/35] wic/selftest: test_permissions also test bitbake image Anuj Mittal
                   ` (20 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:51 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17df664a32a74f17baaef8c31ac23adec2d6255f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
index c2db596f03..5d22c511aa 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
@@ -210,6 +210,8 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
 
+CVE_VERSION_SUFFIX = "alphabetical"
+
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
 CVE_CHECK_WHITELIST += "CVE-2019-0190"
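
Review bot: The added CVE_VERSION_SUFFIX = "alphabetical" line has no comment and the commit message has no body, so the reason for the setting is not recorded anywhere in the change. Add a one-line comment above it, in the same way the CVE_CHECK_WHITELIST entry below is explained, saying why the suffix handling is needed for a recipe version such as 1.1.1i, and put the same sentence in the commit message.
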
-- 
2.29.2



* [gatesgarth][PATCH 15/35] wic/selftest: test_permissions also test bitbake image
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (13 preceding siblings ...)
  2021-02-09 15:51 ` [gatesgarth][PATCH 14/35] openssl: set CVE_VERSION_SUFFIX Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 16/35] package: Ensure do_packagedata is cleaned correctly Anuj Mittal
                   ` (19 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Existing test case test_permissions uses the Wic command as a standalone
tool to create a wic image and checks that wic image for permissions.

Add extra steps to the test case to also check against an image built
using bitbake do_image_wic.

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 551ce73a90757ba43501fe5cf9ac84a7b77de549)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oeqa/selftest/cases/wic.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index 714637ec1e..9f4a9db444 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -588,6 +588,9 @@ part / --source rootfs  --fstype=ext4 --include-path %s --include-path core-imag
     def test_permissions(self):
         """Test permissions are respected"""
 
+        # prepare wicenv and rootfs
+        bitbake('core-image-minimal core-image-minimal-mtdutils -c do_rootfs_wicenv')
+
         oldpath = os.environ['PATH']
         os.environ['PATH'] = get_bb_var("PATH", "wic-tools")
 
@@ -621,6 +624,19 @@ part /etc --source rootfs --fstype=ext4 --change-directory=etc
                     res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
                     self.assertEqual(True, files_own_by_root(res.output))
 
+                config = 'IMAGE_FSTYPES += "wic"\nWKS_FILE = "%s"\n' % wks_file
+                self.append_config(config)
+                bitbake('core-image-minimal')
+                tmpdir = os.path.join(get_bb_var('WORKDIR', 'core-image-minimal'),'build-wic')
+
+                # check each partition for permission
+                for part in glob(os.path.join(tmpdir, 'temp-*.direct.p*')):
+                    res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
+                    self.assertTrue(files_own_by_root(res.output)
+                        ,msg='Files permission incorrect using wks set "%s"' % test)
+
+                # clean config and result directory for next cases
+                self.remove_config(config)
                 rmtree(self.resultdir, ignore_errors=True)
 
         finally:
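
Review bot: The new loop over glob(os.path.join(tmpdir, 'temp-*.direct.p*')) asserts nothing when the glob matches no files, so a change in the build-wic directory layout or in the partition file naming would let the bitbake half of this test pass without checking a single partition. Collect the list first and assert that it is non-empty before iterating. Also, self.remove_config(config) is only reached when every assertion passes, so a failure leaves the IMAGE_FSTYPES and WKS_FILE lines appended unless cleanup elsewhere removes them; moving it under the finally: below would make that explicit. The ",msg=" continuation line starting with a comma is out of step with the surrounding style.
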
-- 
2.29.2



* [gatesgarth][PATCH 16/35] package: Ensure do_packagedata is cleaned correctly
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (14 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 15/35] wic/selftest: test_permissions also test bitbake image Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 17/35] kernel.bbclass: fix deployment for initramfs images Anuj Mittal
                   ` (18 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

In an earlier commit, libprocps was split into a separate package leaving
no shlibs in the main package. A bug was seen where igt-gpu-tools wouldn't
build correctly in some cases as it thought the library was still in the
main package, throwing qa errors as a result.

The issue was due to an extra file being left in the sstate output of
the do_packagedata task in the shlibs2/ folder which contained the bad
shlibs information.

The reason for this was that the temporary directory used in this
task wasn't being cleaned so files which were deleted were not handled
correctly. Add a missing cleandirs entry to fix this.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50f17d0a655a3a2556f9fcad67259101c2814a36)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/package.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 247bdc7bbf..5a32e5c2e3 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2446,6 +2446,7 @@ python do_packagedata () {
 
     bb.build.exec_func("packagedata_translate_pr_autoinc", d)
 }
+do_packagedata[cleandirs] += "${WORKDIR}/pkgdata-pdata-input"
 
 # Translate the EXTENDPRAUTO and AUTOINC to the final values
 packagedata_translate_pr_autoinc() {
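
Review bot: The added do_packagedata[cleandirs] line sits after the function with no comment, and the reason for it (files deleted from the package set surviving in the uncleaned temporary directory and ending up in the task's sstate output) is recorded only in the commit message. A short comment above the line would keep it from being dropped as redundant in a later cleanup.
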
-- 
2.29.2



* [gatesgarth][PATCH 17/35] kernel.bbclass: fix deployment for initramfs images
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (15 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 16/35] package: Ensure do_packagedata is cleaned correctly Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 18/35] qemu.inc: Should depend on qemu-system-native, not qemu-native Anuj Mittal
                   ` (17 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Awais Belal <Awais_Belal@mentor.com>

The do_bundle_initramfs() only processes kernel image
types that are found in KERNEL_IMAGETYPE_FOR_MAKE whereas
the build system can generate other types that are not
directly supported by the kernel build system. In which
case when we come to the deploy phase not all the images
mentioned in KERNEL_IMAGETYPES would have a respective
initramfs bundled image. An example is using vmlinux.gz
in KERNEL_IMAGETYPES and enabling initramfs and then we
see

install: cannot stat 'arch/arm64/boot/vmlinux.gz.initramfs': No such file or directory

So we align the deploy phase with bundle initramfs phase
and pick up relevant initramfs bundled images using
KERNEL_IMAGETYPE_FOR_MAKE instead of KERNEL_IMAGETYPES.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 526bdd88ccd758204452579333ba188e29270bde)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/kernel.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 1a444efabf..f405b6e523 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -743,7 +743,7 @@ kernel_do_deploy() {
 	fi
 
 	if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then
-		for imageType in ${KERNEL_IMAGETYPES} ; do
+		for imageType in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
 			if [ "$imageType" = "fitImage" ] ; then
 				continue
 			fi
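
Review bot: With the loop now iterating ${KERNEL_IMAGETYPE_FOR_MAKE}, any type that appears only in KERNEL_IMAGETYPES (the vmlinux.gz case from the commit message) is skipped silently at deploy time, so a user who asked for an initramfs-bundled image in that format gets no artefact and no hint why. Consider emitting a bbnote or warning for entries in KERNEL_IMAGETYPES that have no bundled counterpart. It is also worth confirming that the fitImage skip just below is still reachable with the new list, and removing it if not.
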
-- 
2.29.2



* [gatesgarth][PATCH 18/35] qemu.inc: Should depend on qemu-system-native, not qemu-native
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (16 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 17/35] kernel.bbclass: fix deployment for initramfs images Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 19/35] sudo: fix CVE-2021-23240 Anuj Mittal
                   ` (16 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This looks like it was from before the recipe was split, we'd expect
the system qemu mode for running the images so the dependency should be
updated.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3a4fed4ae0e8a0d1bd62ea5fa1ef12925e1f20f5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/conf/machine/include/qemu.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/machine/include/qemu.inc b/meta/conf/machine/include/qemu.inc
index 8dedb1a42d..7d0a6fe458 100644
--- a/meta/conf/machine/include/qemu.inc
+++ b/meta/conf/machine/include/qemu.inc
@@ -21,7 +21,7 @@ RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""
 # Use a common kernel recipe for all QEMU machines
 PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
 
-EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
+EXTRA_IMAGEDEPENDS += "qemu-system-native qemu-helper-native"
 
 # Provide the nfs server kernel module for all qemu images
 KERNEL_FEATURES_append_pn-linux-yocto = " features/nfsd/nfsd-enable.scc"
-- 
2.29.2



* [gatesgarth][PATCH 19/35] sudo: fix CVE-2021-23240
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (17 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 18/35] qemu.inc: Should depend on qemu-system-native, not qemu-native Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 20/35] sudo: fix CVE-2021-3156 Anuj Mittal
                   ` (15 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../sudo/files/CVE-2021-23240.patch           | 419 ++++++++++++++++++
 meta/recipes-extended/sudo/sudo_1.9.3.bb      |   1 +
 2 files changed, 420 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-23240.patch

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23240.patch b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
new file mode 100644
index 0000000000..740a13cd90
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
@@ -0,0 +1,419 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/8fcb36ef422a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-23240
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID 8fcb36ef422a251fe33738a347551439944a4a37
+# Parent  ea19d0073c02951bbbf35342dd63304da83edce8
+Add security checks before using temp files for SELinux RBAC sudoedit.
+Otherwise, it may be possible for the user running sudoedit to
+replace the newly-created temporary files with a symbolic link and
+have sudoedit set the owner of an arbitrary file.
+Problem reported by Matthias Gerstner of SUSE.
+
+diff -r ea19d0073c02 -r 8fcb36ef422a src/copy_file.c
+--- a/src/copy_file.c	Wed Jan 06 10:16:00 2021 -0700
++++ b/src/copy_file.c	Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -23,6 +23,8 @@
+ 
+ #include <config.h>
+ 
++#include <sys/stat.h>
++
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <errno.h>
+@@ -134,3 +136,34 @@
+     sudo_warn(U_("unable to write to %s"), dst);
+     debug_return_int(-1);
+ }
++
++#ifdef HAVE_SELINUX
++bool
++sudo_check_temp_file(int tfd, const char *tfile, uid_t uid, struct stat *sb)
++{
++    struct stat sbuf;
++    debug_decl(sudo_check_temp_file, SUDO_DEBUG_UTIL);
++
++    if (sb == NULL)
++	sb = &sbuf;
++
++    if (fstat(tfd, sb) == -1) {
++	sudo_warn(U_("unable to stat %s"), tfile);
++	debug_return_bool(false);
++    }
++    if (!S_ISREG(sb->st_mode)) {
++	sudo_warnx(U_("%s: not a regular file"), tfile);
++	debug_return_bool(false);
++    }
++    if ((sb->st_mode & ALLPERMS) != (S_IRUSR|S_IWUSR)) {
++	sudo_warnx(U_("%s: bad file mode: 0%o"), tfile, sb->st_mode & ALLPERMS);
++	debug_return_bool(false);
++    }
++    if (sb->st_uid != uid) {
++	sudo_warnx(U_("%s is owned by uid %u, should be %u"),
++	    tfile, (unsigned int)sb->st_uid, (unsigned int)uid);
++	debug_return_bool(false);
++    }
++    debug_return_bool(true);
++}
++#endif /* SELINUX */
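Review bot: ALLPERMS in the mode check of sudo_check_temp_file() is a BSD/glibc extension rather than POSIX, so the comparison depends on the target libc's <sys/stat.h> exposing it. OE-core also supports musl, so it is worth confirming an SELinux-enabled build there, or spelling the mask out as (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO). Minor: the block opens with #ifdef HAVE_SELINUX but closes with #endif /* SELINUX */; the closing comment should name the same macro.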
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sesh.c
+--- a/src/sesh.c	Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sesh.c	Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2008, 2010-2018, 2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2008, 2010-2018, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -132,7 +132,7 @@
+ static int
+ sesh_sudoedit(int argc, char *argv[])
+ {
+-    int i, oflags_dst, post, ret = SESH_ERR_FAILURE;
++    int i, oflags_src, oflags_dst, post, ret = SESH_ERR_FAILURE;
+     int fd_src = -1, fd_dst = -1, follow = 0;
+     struct stat sb;
+     struct timespec times[2];
+@@ -174,10 +174,12 @@
+ 	debug_return_int(SESH_ERR_BAD_PATHS);
+ 
+     /*
+-     * Use O_EXCL if we are not in the post editing stage
+-     * so that it's ensured that the temporary files are
+-     * created by us and that we are not opening any symlinks.
++     * In the pre-editing stage, use O_EXCL to ensure that the temporary
++     * files are created by us and that we are not opening any symlinks.
++     * In the post-editing stage, use O_NOFOLLOW so we don't follow symlinks
++     * when opening the temporary files.
+      */
++    oflags_src = O_RDONLY|(post ? O_NONBLOCK|O_NOFOLLOW : follow);
+     oflags_dst = O_WRONLY|O_CREAT|(post ? follow : O_EXCL);
+     for (i = 0; i < argc - 1; i += 2) {
+ 	const char *path_src = argv[i];
+@@ -187,7 +189,7 @@
+ 	 * doesn't exist, that's OK, we'll create an empty
+ 	 * destination file.
+ 	 */
+-	if ((fd_src = open(path_src, O_RDONLY|follow, S_IRUSR|S_IWUSR)) < 0) {
++	if ((fd_src = open(path_src, oflags_src, S_IRUSR|S_IWUSR)) < 0) {
+ 	    if (errno != ENOENT) {
+ 		sudo_warn("%s", path_src);
+ 		if (post) {
+@@ -197,6 +199,14 @@
+ 		    goto cleanup_0;
+ 	    }
+ 	}
++	if (post) {
++	    /* Make sure the temporary file is safe and has the proper owner. */
++	    if (!sudo_check_temp_file(fd_src, path_src, geteuid(), &sb)) {
++		ret = SESH_ERR_SOME_FILES;
++		goto nocleanup;
++	    }
++	    fcntl(fd_src, F_SETFL, fcntl(fd_src, F_GETFL, 0) & ~O_NONBLOCK);
++	}
+ 
+ 	if ((fd_dst = open(path_dst, oflags_dst, post ?
+ 	    (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) : (S_IRUSR|S_IWUSR))) < 0) {
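Review bot: in the new if (post) block, fd_src can still be -1. The open() just above only bails out when errno != ENOENT, and the comment before it says a missing source file is OK. With post set, sudo_check_temp_file() then calls fstat() on -1, warns "unable to stat" and the helper returns SESH_ERR_SOME_FILES, so a temp file that disappeared during editing is reported as a stat failure instead of going through the ENOENT path. Guarding the check with fd_src != -1, or making ENOENT an explicit error in post mode with its own message, would make the intent clear. The two fcntl() calls that clear O_NONBLOCK also ignore their return values.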
+@@ -214,10 +224,7 @@
+ 	    off_t len_dst = -1;
+ 
+ 	    if (post) {
+-		if (fstat(fd_src, &sb) != 0) {
+-		    ret = SESH_ERR_SOME_FILES;
+-		    goto nocleanup;
+-		}
++		/* sudo_check_temp_file() filled in sb for us. */
+ 		len_src = sb.st_size;
+ 		if (fstat(fd_dst, &sb) != 0) {
+ 		    ret = SESH_ERR_SOME_FILES;
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_edit.c
+--- a/src/sudo_edit.c	Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_edit.c	Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2004-2008, 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2004-2008, 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -259,8 +259,10 @@
+     } else {
+ 	len = asprintf(tfile, "%s/%s.XXXXXXXX", edit_tmpdir, cp);
+     }
+-    if (len == -1)
+-	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++    if (len == -1) {
++	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++	debug_return_int(-1);
++    }
+     tfd = mkstemps(*tfile, suff ? strlen(suff) : 0);
+     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ 	"%s -> %s, fd %d", ofile, *tfile, tfd);
+@@ -735,7 +737,8 @@
+ 
+ #ifdef HAVE_SELINUX
+ static int
+-selinux_run_helper(char *argv[], char *envp[])
++selinux_run_helper(uid_t uid, gid_t gid, int ngroups, GETGROUPS_T *groups,
++    char *const argv[], char *const envp[])
+ {
+     int status, ret = SESH_ERR_FAILURE;
+     const char *sesh;
+@@ -755,8 +758,10 @@
+ 	break;
+     case 0:
+ 	/* child runs sesh in new context */
+-	if (selinux_setcon() == 0)
++	if (selinux_setcon() == 0) {
++	    switch_user(uid, gid, ngroups, groups);
+ 	    execve(sesh, argv, envp);
++	}
+ 	_exit(SESH_ERR_FAILURE);
+     default:
+ 	/* parent waits */
+@@ -775,7 +780,7 @@
+     struct tempfile *tf, char *files[], int nfiles)
+ {
+     char **sesh_args, **sesh_ap;
+-    int i, rc, sesh_nargs;
++    int i, error, sesh_nargs, ret = -1;
+     struct stat sb;
+     debug_decl(selinux_edit_create_tfiles, SUDO_DEBUG_EDIT);
+     
+@@ -787,7 +792,7 @@
+     sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *));
+     if (sesh_args == NULL) {
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	debug_return_int(-1);
++	goto done;
+     }
+     *sesh_ap++ = "sesh";
+     *sesh_ap++ = "-e";
+@@ -795,7 +800,6 @@
+ 	*sesh_ap++ = "-h";
+     *sesh_ap++ = "0";
+ 
+-    /* XXX - temp files should be created with user's context */
+     for (i = 0; i < nfiles; i++) {
+ 	char *tfile, *ofile = files[i];
+ 	int tfd;
+@@ -813,8 +817,7 @@
+ 	if (tfd == -1) {
+ 	    sudo_warn("mkstemps");
+ 	    free(tfile);
+-	    free(sesh_args);
+-	    debug_return_int(-1);
++	    goto done;
+ 	}
+ 	/* Helper will re-create temp file with proper security context. */
+ 	close(tfd);
+@@ -825,8 +828,10 @@
+     *sesh_ap = NULL;
+ 
+     /* Run sesh -e [-h] 0 <o1> <t1> ... <on> <tn> */
+-    rc = selinux_run_helper(sesh_args, command_details->envp);
+-    switch (rc) {
++    error = selinux_run_helper(command_details->uid, command_details->gid,
++	command_details->ngroups, command_details->groups, sesh_args,
++	command_details->envp);
++    switch (error) {
+     case SESH_SUCCESS:
+ 	break;
+     case SESH_ERR_BAD_PATHS:
+@@ -836,21 +841,35 @@
+     case SESH_ERR_KILLED:
+ 	sudo_fatalx("%s", U_("sesh: killed by a signal"));
+     default:
+-	sudo_fatalx(U_("sesh: unknown error %d"), rc);
++	sudo_warnx(U_("sesh: unknown error %d"), error);
++	goto done;
+     }
+ 
+-    /* Chown to user's UID so they can edit the temporary files. */
+     for (i = 0; i < nfiles; i++) {
+-	if (chown(tf[i].tfile, user_details.uid, user_details.gid) != 0) {
++	int tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
++	if (tfd == -1) {
++	    sudo_warn(U_("unable to open %s"), tf[i].tfile);
++	    goto done;
++	}
++	if (!sudo_check_temp_file(tfd, tf[i].tfile, command_details->uid, NULL)) {
++	    close(tfd);
++	    goto done;
++	}
++	if (fchown(tfd, user_details.uid, user_details.gid) != 0) {
+ 	    sudo_warn("unable to chown(%s) to %d:%d for editing",
+ 		tf[i].tfile, user_details.uid, user_details.gid);
++	    close(tfd);
++	    goto done;
+ 	}
++	close(tfd);
+     }
++    ret = nfiles;
+ 
++done:
+     /* Contents of tf will be freed by caller. */
+     free(sesh_args);
+ 
+-    return (nfiles);
++    debug_return_int(ret);
+ }
+ 
+ static int
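Review bot: error handling in selinux_edit_create_tfiles() is now mixed. The default case of the switch changed from sudo_fatalx() to sudo_warnx() plus goto done, but the SESH_ERR_KILLED case directly above it still calls sudo_fatalx(), so some helper failures return -1 to the caller and others exit. If the aim is to let the caller clean up, the remaining fatal cases should take the same path. Minor: the warning after fchown() still prints "unable to chown(%s)", is not wrapped in U_(), and formats uid/gid with %d, while the new sudo_check_temp_file() casts to unsigned int and uses %u.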
+@@ -858,7 +877,8 @@
+     struct tempfile *tf, int nfiles, struct timespec *times)
+ {
+     char **sesh_args, **sesh_ap;
+-    int i, rc, sesh_nargs, ret = 1;
++    int i, error, sesh_nargs, ret = 1;
++    int tfd = -1;
+     struct timespec ts;
+     struct stat sb;
+     debug_decl(selinux_edit_copy_tfiles, SUDO_DEBUG_EDIT);
+@@ -879,33 +899,43 @@
+ 
+     /* Construct args for sesh -e 1 */
+     for (i = 0; i < nfiles; i++) {
+-	if (stat(tf[i].tfile, &sb) == 0) {
+-	    mtim_get(&sb, ts);
+-	    if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
+-		/*
+-		 * If mtime and size match but the user spent no measurable
+-		 * time in the editor we can't tell if the file was changed.
+-		 */
+-		if (sudo_timespeccmp(&times[0], &times[1], !=)) {
+-		    sudo_warnx(U_("%s unchanged"), tf[i].ofile);
+-		    unlink(tf[i].tfile);
+-		    continue;
+-		}
++	if (tfd != -1)
++	    close(tfd);
++	if ((tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW)) == -1) {
++	    sudo_warn(U_("unable to open %s"), tf[i].tfile);
++	    continue;
++	}
++	if (!sudo_check_temp_file(tfd, tf[i].tfile, user_details.uid, &sb))
++	    continue;
++	mtim_get(&sb, ts);
++	if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
++	    /*
++	     * If mtime and size match but the user spent no measurable
++	     * time in the editor we can't tell if the file was changed.
++	     */
++	    if (sudo_timespeccmp(&times[0], &times[1], !=)) {
++		sudo_warnx(U_("%s unchanged"), tf[i].ofile);
++		unlink(tf[i].tfile);
++		continue;
+ 	    }
+ 	}
+ 	*sesh_ap++ = tf[i].tfile;
+ 	*sesh_ap++ = tf[i].ofile;
+-	if (chown(tf[i].tfile, command_details->uid, command_details->gid) != 0) {
++	if (fchown(tfd, command_details->uid, command_details->gid) != 0) {
+ 	    sudo_warn("unable to chown(%s) back to %d:%d", tf[i].tfile,
+ 		command_details->uid, command_details->gid);
+ 	}
+     }
+     *sesh_ap = NULL;
++    if (tfd != -1)
++	close(tfd);
+ 
+     if (sesh_ap - sesh_args > 3) {
+ 	/* Run sesh -e 1 <t1> <o1> ... <tn> <on> */
+-	rc = selinux_run_helper(sesh_args, command_details->envp);
+-	switch (rc) {
++	error = selinux_run_helper(command_details->uid, command_details->gid,
++	    command_details->ngroups, command_details->groups, sesh_args,
++	    command_details->envp);
++	switch (error) {
+ 	case SESH_SUCCESS:
+ 	    ret = 0;
+ 	    break;
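Review bot: in the loop that builds the sesh -e 1 arguments, a temp file that fails open() or sudo_check_temp_file() is skipped with continue, yet ret is set to 0 as soon as the helper returns SESH_SUCCESS for the remaining files. As far as these lines show, a rejected temp file produces only a warning while the function can still report success, and the edits in that file are not copied back. Consider recording the failure (for example a flag that forces a non-zero ret) so the caller takes its "preserve the edited temporary files" path. The tfd handling would also be easier to follow if each iteration closed its own descriptor instead of relying on the close at the top of the next pass.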
+@@ -921,7 +951,7 @@
+ 	    sudo_warnx("%s", U_("sesh: killed by a signal"));
+ 	    break;
+ 	default:
+-	    sudo_warnx(U_("sesh: unknown error %d"), rc);
++	    sudo_warnx(U_("sesh: unknown error %d"), error);
+ 	    break;
+ 	}
+ 	if (ret != 0)
+@@ -943,7 +973,7 @@
+ {
+     struct command_details saved_command_details;
+     char **nargv = NULL, **ap, **files = NULL;
+-    int errors, i, ac, nargc, rc;
++    int errors, i, ac, nargc, ret;
+     int editor_argc = 0, nfiles = 0;
+     struct timespec times[2];
+     struct tempfile *tf = NULL;
+@@ -1038,7 +1068,7 @@
+     command_details->ngroups = user_details.ngroups;
+     command_details->groups = user_details.groups;
+     command_details->argv = nargv;
+-    rc = run_command(command_details);
++    ret = run_command(command_details);
+     if (sudo_gettime_real(&times[1]) == -1) {
+ 	sudo_warn("%s", U_("unable to read the clock"));
+ 	goto cleanup;
+@@ -1062,14 +1092,14 @@
+ 	errors = sudo_edit_copy_tfiles(command_details, tf, nfiles, times);
+     if (errors) {
+ 	/* Preserve the edited temporary files. */
+-	rc = W_EXITCODE(1, 0);
++	ret = W_EXITCODE(1, 0);
+     }
+ 
+     for (i = 0; i < nfiles; i++)
+ 	free(tf[i].tfile);
+     free(tf);
+     free(nargv);
+-    debug_return_int(rc);
++    debug_return_int(ret);
+ 
+ cleanup:
+     /* Clean up temp files and return. */
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_exec.h
+--- a/src/sudo_exec.h	Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_exec.h	Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2010-2017, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -84,9 +84,11 @@
+  */
+ struct command_details;
+ struct command_status;
++struct stat;
+ 
+ /* copy_file.c */
+ int sudo_copy_file(const char *src, int src_fd, off_t src_len, const char *dst, int dst_fd, off_t dst_len);
++bool sudo_check_temp_file(int tfd, const char *tname, uid_t uid, struct stat *sb);
+ 
+ /* exec.c */
+ void exec_cmnd(struct command_details *details, int errfd);
+
+
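Review bot: the sudo_check_temp_file() prototype added to src/sudo_exec.h is unconditional, but the definition in src/copy_file.c is wrapped in #ifdef HAVE_SELINUX, so a non-SELinux build gets a declaration with no definition behind it. Wrapping the prototype in the same guard would surface accidental use at compile time rather than at link time. The parameter is also named tname here and tfile in the definition; one name in both places would be tidier.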
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 132d9a8cb9..4edcbfc607 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
            file://CVE-2021-23239.patch \
+           file://CVE-2021-23240.patch \
            "
 
 PAM_SRC_URI = "file://sudo.pam"
-- 
2.29.2



* [gatesgarth][PATCH 20/35] sudo: fix CVE-2021-3156
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (18 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 19/35] sudo: fix CVE-2021-23240 Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 21/35] libgcrypt: Whitelisted CVEs Anuj Mittal
                   ` (14 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../sudo/files/CVE-2021-3156-1.patch          | 100 ++++++++++++++++++
 .../sudo/files/CVE-2021-3156-2.patch          |  53 ++++++++++
 .../sudo/files/CVE-2021-3156-3.patch          |  73 +++++++++++++
 .../sudo/files/CVE-2021-3156-4.patch          |  29 +++++
 .../sudo/files/CVE-2021-3156-5.patch          |  41 +++++++
 meta/recipes-extended/sudo/sudo_1.9.3.bb      |   5 +
 6 files changed, 301 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
new file mode 100644
index 0000000000..83c277575e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent  90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c	Mon Jan 18 12:30:52 2021 +0100
++++ b/src/parse_args.c	Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+ /*
+  * Default flags allowed when running a command.
+  */
+-#define DEFAULT_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
++#define DEFAULT_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
++#define EDIT_VALID_FLAGS	MODE_NONINTERACTIVE
++#define LIST_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_LONG_LIST)
++#define VALIDATE_VALID_FLAGS	MODE_NONINTERACTIVE
+ 
+ /* Option number for the --host long option due to ambiguity of the -h flag. */
+ #define OPT_HOSTNAME	256
+@@ -262,6 +265,7 @@
+ 	progname = "sudoedit";
+ 	mode = MODE_EDIT;
+ 	sudo_settings[ARG_SUDOEDIT].value = "true";
++	valid_flags = EDIT_VALID_FLAGS;
+     }
+ 
+     /* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+ 			usage_excl();
+ 		    mode = MODE_EDIT;
+ 		    sudo_settings[ARG_SUDOEDIT].value = "true";
+-		    valid_flags = MODE_NONINTERACTIVE;
++		    valid_flags = EDIT_VALID_FLAGS;
+ 		    break;
+ 		case 'g':
+ 		    assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+ 		    break;
+ 		case 'H':
+ 		    sudo_settings[ARG_SET_HOME].value = "true";
++		    SET(flags, MODE_RESET_HOME);
+ 		    break;
+ 		case 'h':
+ 		    if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+ 			    usage_excl();
+ 		    }
+ 		    mode = MODE_LIST;
+-		    valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
++		    valid_flags = LIST_VALID_FLAGS;
+ 		    break;
+ 		case 'n':
+ 		    SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+ 		    break;
+ 		case 'P':
+ 		    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
++		    SET(flags, MODE_PRESERVE_GROUPS);
+ 		    break;
+ 		case 'p':
+ 		    /* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+ 		    if (mode && mode != MODE_VALIDATE)
+ 			usage_excl();
+ 		    mode = MODE_VALIDATE;
+-		    valid_flags = MODE_NONINTERACTIVE;
++		    valid_flags = VALIDATE_VALID_FLAGS;
+ 		    break;
+ 		case 'V':
+ 		    if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+     if (!mode) {
+ 	/* Defer -k mode setting until we know whether it is a flag or not */
+ 	if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+-	    if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
++	    if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+ 		mode = MODE_INVALIDATE;	/* -k by itself */
+ 		sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+ 		valid_flags = 0;
+@@ -601,7 +607,7 @@
+     /*
+      * For shell mode we need to rewrite argv
+      */
+-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
++    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+ 	char **av, *cmnd = NULL;
+ 	int ac = 1;
+ 
+
+
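Review bot: the first line of CVE-2021-3156-1.patch reads "Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]" with no space before the bracket, while CVE-2021-3156-2.patch, -4 and -5 use "Backport [url]". CVE-2021-3156-3.patch has the same missing space. Please use the "Backport [url]" form in all five so that tooling which parses the tag treats them alike.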
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
new file mode 100644
index 0000000000..6d051252cb
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent  9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+
+---
+ plugins/sudoers/policy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+ int
+ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ {
++    const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+     struct sudoers_open_info *info = v;
+-    char * const *cur;
+     const char *p, *errstr, *groups = NULL;
+     const char *remhost = NULL;
++    char * const *cur;
+     int flags = 0;
+     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+ 
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ #endif
+     }
+ 
++    /* Sudo front-end should restrict mode flags for sudoedit. */
++    if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
++	sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
++	goto bad;
++    }
++
+     user_gid = (gid_t)-1;
+     user_sid = (pid_t)-1;
+     user_uid = (gid_t)-1;
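Review bot: edit_mask in sudoers_policy_deserialize_info() allows MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE, whereas the front-end's EDIT_VALID_FLAGS in CVE-2021-3156-1.patch is MODE_NONINTERACTIVE alone. The changeset description says the two checks need to be kept consistent, so a short comment next to edit_mask explaining why the plugin side carries the extra bits, and pointing at EDIT_VALID_FLAGS in src/parse_args.c, would help whoever touches either list next. Separately, this file is wrapped in a git format-patch header (From:/Subject: naming the backporter) ahead of the HG changeset header, unlike the other four patches; one header style across the series would keep attribution clear.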
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent  a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c	Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/sudoers.c	Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+ 
+     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+     /* XXX - causes confusion when root is not listed in sudoers */
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+ 	if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+ 	    struct passwd *pw;
+ 
+@@ -932,8 +932,8 @@
+     if (user_cmnd == NULL)
+ 	user_cmnd = NewArgv[0];
+ 
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+-	if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++	if (!ISSET(sudo_mode, MODE_EDIT)) {
+ 	    const char *runchroot = user_runchroot;
+ 	    if (runchroot == NULL && def_runchroot != NULL &&
+ 		    strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+ 		sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 		debug_return_int(NOT_FOUND_ERROR);
+ 	    }
+-	    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++	    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++		    ISSET(sudo_mode, MODE_RUN)) {
+ 		/*
+ 		 * When running a command via a shell, the sudo front-end
+ 		 * escapes potential meta chars.  We unescape non-spaces
+@@ -969,10 +970,22 @@
+ 		 */
+ 		for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+ 		    while (*from) {
+-			if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++			if (from[0] == '\\' && from[1] != '\0' &&
++				!isspace((unsigned char)from[1])) {
+ 			    from++;
++			}
++			if (size - (to - user_args) < 1) {
++			    sudo_warnx(U_("internal error, %s overflow"),
++				__func__);
++			    debug_return_int(NOT_FOUND_ERROR);
++			}
+ 			*to++ = *from++;
+ 		    }
++		    if (size - (to - user_args) < 1) {
++			sudo_warnx(U_("internal error, %s overflow"),
++			    __func__);
++			debug_return_int(NOT_FOUND_ERROR);
++		    }
+ 		    *to++ = ' ';
+ 		}
+ 		*--to = '\0';
+
+
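Review bot: both new bounds checks in the unescape loop return NOT_FOUND_ERROR, the same value used for the allocation failure just above, so an overflow of user_args comes back to the caller under a name that suggests a lookup failure. If the plugin has a more specific internal-error return it should be used here; otherwise a comment saying the reuse is deliberate would help. The check is also duplicated verbatim before the character copy and before the space separator; a small helper or macro would keep the two from drifting apart.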
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
new file mode 100644
index 0000000000..c1b00c740e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
+# Parent  049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
+We want to zero the struct starting at flags, not type (which was just set).
+Found by Qualys.
+
+diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
+--- a/plugins/sudoers/timestamp.c	Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/timestamp.c	Sat Jan 23 08:44:00 2021 -0700
+@@ -643,8 +643,8 @@
+ 	if (entry.size == sizeof(struct timestamp_entry_v1)) {
+ 	    /* Old sudo record, convert it to TS_LOCKEXCL. */
+ 	    entry.type = TS_LOCKEXCL;
+-	    memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
+-		nread - offsetof(struct timestamp_entry, type));
++	    memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
++		nread - offsetof(struct timestamp_entry, flags));
+ 	    if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
+ 		debug_return_bool(false);
+ 	} else {
+
+
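Review bot: the memset() length is computed as nread - offsetof(struct timestamp_entry, flags), but the branch is entered on entry.size == sizeof(struct timestamp_entry_v1), not on nread. The visible lines do not show nread being checked against that offset; if it can be smaller, the subtraction yields a very large length once converted to size_t. Please confirm that the read path above guarantees nread is at least offsetof(struct timestamp_entry, flags), or add the check in this branch.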
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
++++ b/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+ 	if (argc != 0) {
+ 	    /* shell -c "command" */
+ 	    char *src, *dst;
+-	    size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+-		strlen(argv[argc - 1]) + 1;
++	    size_t size = 0;
+ 
+-	    cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+-	    if (cmnd == NULL)
++	    for (av = argv; *av != NULL; av++)
++		size += strlen(*av) + 1;
++	    if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+ 		sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    if (!gc_add(GC_PTR, cmnd))
+ 		exit(EXIT_FAILURE);
+ 
+-	    for (av = argv; *av != NULL; av++) {
++	    for (dst = cmnd, av = argv; *av != NULL; av++) {
+ 		for (src = *av; *src != '\0'; src++) {
+ 		    /* quote potential meta characters */
+ 		    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
+
+
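Review bot: the new size == 0 test shares the sudo_fatalx() "unable to allocate memory" message with the reallocarray() failure, which would be misleading if it ever fired. Inside the argc != 0 branch every argv entry adds at least 1 to size, so the test also looks unreachable here. Either drop it or give it its own message. The factor of 2 passed to reallocarray() (room for a backslash before each quoted character) deserves a one-line comment now that the size computation has been rewritten.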
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 4edcbfc607..37fd6386dd 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -5,6 +5,11 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
            file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
            file://CVE-2021-23239.patch \
            file://CVE-2021-23240.patch \
+           file://CVE-2021-3156-1.patch \
+           file://CVE-2021-3156-2.patch \
+           file://CVE-2021-3156-3.patch \
+           file://CVE-2021-3156-4.patch \
+           file://CVE-2021-3156-5.patch \
            "
 
 PAM_SRC_URI = "file://sudo.pam"
-- 
2.29.2



* [gatesgarth][PATCH 21/35] libgcrypt: Whitelisted CVEs
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (19 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 20/35] sudo: fix CVE-2021-3156 Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 22/35] libcroco: Added CVE Anuj Mittal
                   ` (13 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: saloni <saloni.jain@kpit.com>

Whitelisted below CVEs:

1. CVE-2018-12433
Link: https://security-tracker.debian.org/tracker/CVE-2018-12433
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-12433
CVE-2018-12433 is marked disputed and ignored by NVD as it does
not impact crypt libraries for any distros and hence, can be safely
marked whitelisted.

2. CVE-2018-12438
Link: https://security-tracker.debian.org/tracker/CVE-2018-12438
Link: https://ubuntu.com/security/CVE-2018-12438
CVE-2018-12438 was reported for affecting openjdk crypt libraries
but there are no details available on which openjdk versions are
affected and does not directly affect libgcrypt or any specific
yocto distributions, hence, can be whitelisted.

Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2943efe3f56d394308f9364b439c25f6a7613288)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
index ac09417e89..832d07d515 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
@@ -28,6 +28,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 "
 SRC_URI[sha256sum] = "0cba2700617b99fc33864a0c16b1fa7fdf9781d9ed3509f5d767178e5fd7b975"
 
+# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+
 BINCONFIG = "${bindir}/libgcrypt-config"
 
 inherit autotools texinfo binconfig-disabled pkgconfig
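Review bot: the comment added above CVE_CHECK_WHITELIST says both CVEs are disputed, but the commit message only describes CVE-2018-12433 as disputed; CVE-2018-12438 is described there as an openjdk report with no affected-version details. Please give each ID its own comment line with its reason (and ideally the tracker link from the commit message), so the justification lives in the recipe and can be re-checked per CVE later.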
-- 
2.29.2



* [gatesgarth][PATCH 22/35] libcroco: Added CVE
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (20 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 21/35] libgcrypt: Whitelisted CVEs Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 23/35] image_types.bbclass: tar: use posix format instead of gnu Anuj Mittal
                   ` (12 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: saloni <saloni.jain@kpit.com>

Added below CVE:
CVE-2020-12825
Link: CVE-2020-12825 [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a]
Link: https://gitlab.gnome.org/Archive/libcroco/-/issues/8

Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f8cee7386c556e1c5adb07a0aee385642b7a5568)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../libcroco/files/CVE-2020-12825.patch       | 192 ++++++++++++++++++
 .../libcroco/libcroco_0.6.13.bb               |   3 +
 2 files changed, 195 insertions(+)
 create mode 100644 meta/recipes-support/libcroco/files/CVE-2020-12825.patch

diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
new file mode 100644
index 0000000000..42f92e3607
--- /dev/null
+++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From fdf78a4877afa987ba646a8779b513f258e6d04c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Fri, 31 Jul 2020 15:21:53 -0500
+Subject: [PATCH] libcroco: Limit recursion in block and any productions
+
+ (CVE-2020-12825)
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+Fixes #8
+This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+
+https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404
+
+CVE: CVE-2020-12825
+Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a]
+Comment: No refreshing changes done.
+Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
+
+---
+ src/cr-parser.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index 18c9a01..f4a62e3 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+ 
+ #define CHARS_TAB_SIZE 12
+ 
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+  * IS_NUM:
+  *@a_char: the char to test.
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+ 
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+ 
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++                                               guint      n_calls);
+ 
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++                                                 guint      n_calls);
+ 
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+ 
+@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+         cr_parser_try_to_skip_spaces_and_comments (a_this);
+ 
+         do {
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+         } while (status == CR_OK);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, 
+                                       token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status,
+                                       FALSE);
+                 goto done;
+@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ 
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+-        status = cr_parser_parse_any_core (a_this);
++        status = cr_parser_parse_any_core (a_this, 0);
+         CHECK_PARSING_STATUS (status, FALSE);
+ 
+         do {
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+ 
+         } while (status == CR_OK);
+ 
+@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+  *in chapter 4.1 of the css2 spec.
+  *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+  *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+  *FIXME: code this function.
+  */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++                            guint      n_calls)
+ {
+         CRToken *token = NULL;
+         CRInputPos init_pos;
+@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+ 
+         g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+ 
++        if (n_calls > RECURSIVE_CALLERS_LIMIT)
++                return CR_ERROR;
++
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+         } else if (token->type == CBO_TK) {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         } else {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         }
+@@ -1109,7 +1118,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
++                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 ref++;
+                 goto continue_parsing;
+@@ -1123,7 +1132,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
++                status = cr_parser_parse_any_core (a_this, 0);
+                 if (status == CR_OK) {
+                         ref++;
+                         goto continue_parsing;
+@@ -1162,10 +1171,12 @@ cr_parser_parse_value_core (CRParser * a_this)
+  *        | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+  *
+  *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+  *@return CR_OK upon successfull completion, an error code otherwise.
+  */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++                          guint      n_calls)
+ {
+         CRToken *token1 = NULL,
+                 *token2 = NULL;
+@@ -1174,6 +1185,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+ 
+         g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+ 
++        if (n_calls > RECURSIVE_CALLERS_LIMIT)
++                return CR_ERROR;
++
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1212,7 +1226,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                  *We consider parameter as being an "any*" production.
+                  */
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1237,7 +1251,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+ 
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1265,7 +1279,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+ 
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
++                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
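Review bot: in cr_parser_parse_value_core both calls pass a fresh 0 (`cr_parser_parse_block_core (a_this, 0)` and `cr_parser_parse_any_core (a_this, 0)`), so the counter only tracks nesting that stays inside the block and any productions. If a block or any production can reach cr_parser_parse_value_core again, the count restarts there and the 100-level limit no longer bounds the total stack depth; this needs checking against the full cr-parser.c, which the hunks do not show. Minor: `n_calls > RECURSIVE_CALLERS_LIMIT` admits 101 nested calls, and `>=` would match the constant's name.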
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 9171a9de5c..a443ff23fe 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -18,3 +18,6 @@ inherit gnomebase gtk-doc binconfig-disabled
 
 SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
 SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
+
+SRC_URI +="file://CVE-2020-12825.patch \
+"
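Review bot: the added `SRC_URI +="file://CVE-2020-12825.patch \` line is missing the space after `+=`, and the continuation backslash followed by a lone closing quote adds nothing for a single entry. Writing it on one line as `SRC_URI += "file://CVE-2020-12825.patch"` matches the usual recipe style.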
-- 
2.29.2



* [gatesgarth][PATCH 23/35] image_types.bbclass: tar: use posix format instead of gnu
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (21 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 22/35] libcroco: Added CVE Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 24/35] license_image.bbclass: Don't attempt to symlink to the same file Anuj Mittal
                   ` (11 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Martin Jansa <Martin.Jansa@gmail.com>

* gnu isn't compatible with --xattrs used e.g. here:
https://github.com/advancedtelematic/meta-updater/blob/d3a832f66e8802cb45536ff278d5c77f946d341d/classes/image_types_ostree.bbclass#L16
causing do_image_tar failing with:

| tar: --xattrs can be used only on POSIX archives
| Try 'tar --help' or 'tar --usage' for more information.

* https://www.gnu.org/software/tar/manual/html_chapter/tar_8.html
  says about posix format:

  This is the most flexible and feature-rich format.
  It does not impose any restrictions on file sizes or file name lengths.
  This format is quite recent, so not all tar implementations are able to handle it properly.
  However, this format is designed in such a way that any tar implementation able to read `ustar'
  archives will be able to read most `posix' archives as well, with the only exception that any
  additional information (such as long file names etc.) will in such case be extracted as plain
  text files along with the files it refers to.

  This archive format will be the default format for future versions of GNU tar.

  and:

  The default format for GNU tar is defined at compilation time.
  You may check it by running tar --help, and examining the last lines of its output.
  Usually, GNU tar is configured to create archives in `gnu' format, however, future version will switch to `posix'.

* I've compared tar on centos7 and ubuntu-18.04:

bash-4.2$ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)

bash-4.2$ tar --version
tar (GNU tar) 1.26
...

bash-4.2$ tar --help | tail -n 5
*This* tar defaults to:
--format=gnu -f- -b20 --quoting-style=escape --rmt-command=/etc/rmt
--rsh-command=/usr/bin/ssh
...

bitbake@e0ee76f81c2f:/$ grep VERSION /etc/os-release
VERSION="18.04.5 LTS (Bionic Beaver)"
VERSION_ID="18.04"
VERSION_CODENAME=bionic

bitbake@e0ee76f81c2f:/$ tar --version
tar (GNU tar) 1.29
...

bitbake@e0ee76f81c2f:/$ tar --help | tail -n 5
...
*This* tar defaults to:
--format=gnu -f- -b20 --quoting-style=escape --rmt-command=/usr/lib/tar/rmt
--rsh-command=/usr/bin/rsh

Both support posix format (as pax POSIX 1003.1-2001). But centos7 version is
already too old anyway, because it doesn't support --sort=name used since:
https://git.openembedded.org/openembedded-core/commit/?id=4fa68626bbcfd9795577e1426c27d00f4d9d1c17
and
https://git.openembedded.org/openembedded-core/commit/?id=f19e43dec63a86c200e04ba14393583588550380
says that 1.28 is the minimum version now and
https://git.openembedded.org/openembedded-core/commit/?id=7a66434cf11b7f051699b774e4fccd6738351368
recommends to use install-buildtools for hosts with tar < 1.28

On the other side latest tumbleweed from:
https://hub.docker.com/r/opensuse/tumbleweed
with tar-1.33 already defaults to posix format:

b99dbb3d86dd:/ # head -n 3 /etc/os-release
NAME="openSUSE Tumbleweed"
ID="opensuse-tumbleweed"

b99dbb3d86dd:/ # tar --version
tar (GNU tar) 1.33
...

b99dbb3d86dd:/ # tar --help | tail -n 3
*This* tar defaults to:
--format=posix -f- -b20 --quoting-style=escape --rmt-command=/usr/bin/rmt
--rsh-command=/usr/bin/ssh

I've packaged some sample rootfs directory with both tars and the result is
identical (with --format=gnu as well as --format=posix).

with ubuntu:
tar --sort=name --format=gnu --numeric-owner -cf rootfs.ubuntu.gnu.tar -C rootfs .
tar --xattrs --xattrs-include=* --sort=name --format=posix --numeric-owner -cf rootfs.ubuntu.posix.tar -C rootfs .
tumbleweed:
tar --sort=name --format=gnu --numeric-owner -cf rootfs.tumbleweed.gnu.tar -C rootfs .
tar --xattrs --xattrs-include=* --sort=name --format=posix --numeric-owner -cf rootfs.tumbleweed.posix.tar -C rootfs .
centos7 (without --sort=name):
tar --format=gnu --numeric-owner -cf rootfs.centos7.gnu.tar -C rootfs .
tar --xattrs --xattrs-include=* --format=posix --numeric-owner -cf rootfs.centos7.posix.tar -C rootfs .

size is identical:
-rw-r--r-- 1 mjansa mjansa 2487480320 Feb  5 09:19 rootfs.ubuntu.gnu.tar
-rw-r--r-- 1 mjansa mjansa 2487480320 Feb  5 10:17 rootfs.centos7.gnu.tar
-rw-r--r-- 1 mjansa mjansa 2487480320 Feb  5 10:26 rootfs.tumbleweed.gnu.tar
-rw-r--r-- 1 mjansa mjansa 2579875840 Feb  5 10:15 rootfs.ubuntu.posix.tar
-rw-r--r-- 1 mjansa mjansa 2579875840 Feb  5 10:16 rootfs.centos7.posix.tar
-rw-r--r-- 1 mjansa mjansa 2579875840 Feb  5 10:26 rootfs.tumbleweed.posix.tar

but md5s aren't:
5e3880283379dd773ac054e20562fdea  rootfs.centos7.gnu.tar
abeaf992c780aa780a27be01365d26f5  rootfs.centos7.posix.tar
0c6ee59d87ab56583293262de110bca4  rootfs.tumbleweed.gnu.tar
1555bc7276eaba924bf82a13a010fd6d  rootfs.tumbleweed.posix.tar
553d802bba351e273191bd5b2a621b66  rootfs.ubuntu.gnu.tar
b6d7b43b30174686f6625ba3c7aefdc6  rootfs.ubuntu.posix.tar

diffoscope shows some differences when using gnu format:

$ diffoscope rootfs.tumbleweed.gnu.tar rootfs.ubuntu.gnu.tar
...
-00239890: 3030 3000 3030 3737 3637 0020 4b00 0000  000.007767. K...
+00239890: 3030 3000 3031 3135 3737 0020 4b00 0000  000.011577. K...
...
-00239900: 0075 7374 6172 2020 0000 0000 0000 0000  .ustar  ........
+00239900: 0075 7374 6172 2020 0072 6f6f 7400 0000  .ustar  .root...
...
-00239920: 0000 0000 0000 0000 0000 0000 0000 0000  ................
+00239920: 0000 0000 0000 0000 0072 6f6f 7400 0000  .........root...

with posix format there are also some differences shown by diffoscope:

$ diffoscope rootfs.tumbleweed.posix.tar rootfs.ubuntu.posix.tar
 016a4c00: 2e2f 7573 722f 6269 6e2f 5061 7848 6561  ./usr/bin/PaxHea
-016a4c10: 6465 7273 2f63 6861 7474 722e 6532 6673  ders/chattr.e2fs
-016a4c20: 7072 6f67 7300 0000 0000 0000 0000 0000  progs...........
+016a4c10: 6465 7273 2e32 322f 6368 6174 7472 2e65  ders.22/chattr.e
+016a4c20: 3266 7370 726f 6773 0000 0000 0000 0000  2fsprogs........
...
 03937000: 2e2f 7573 722f 6269 6e2f 5061 7848 6561  ./usr/bin/PaxHea
-03937010: 6465 7273 2f63 6f6e 7461 696e 6572 642d  ders/containerd-
-03937020: 6374 7200 0000 0000 0000 0000 0000 0000  ctr.............
+03937010: 6465 7273 2e32 322f 636f 6e74 6169 6e65  ders.22/containe
+03937020: 7264 2d63 7472 0000 0000 0000 0000 0000  rd-ctr..........

so cannot really say which format is better for reproducible tar
archives from different distros, but posix at least supports xattrs
and it's the format for future.

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ecea58f2a3382d9f4b410d6ad7089111334cb6f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/image_types.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 85d619ca89..30951ae366 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -110,7 +110,7 @@ IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAM
 
 IMAGE_CMD_TAR ?= "tar"
 # ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
-IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=gnu --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=posix --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
 
 do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
 IMAGE_CMD_cpio () {
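Review bot: the new `--format=posix` command line sets no `--pax-option`, so the extended header names are left to each host tar's default; the commit message's own diffoscope output shows `PaxHeaders/` from one host and `PaxHeaders.22/` from the other. Since this command already carries `--sort=name` for reproducibility, consider pinning the name with `--pax-option=exthdr.name=%d/PaxHeaders/%f` and dropping the access and change times with `delete=atime,delete=ctime` in the same option.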
-- 
2.29.2
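The gnu-format diffoscope output quoted in the message above differs in three header fields (checksum, uname, gname). The following added example, which is not part of the original post or of OpenEmbedded, names the differing fields per member and counts pax `x` header blocks; the sample members and the `build_archive`, `diff_headers` and `typeflag_counts` helpers are constructed for illustration.

```python
import io
import tarfile
from collections import Counter

BLOCK = 512

# Field layout of a ustar/GNU tar header block: name -> (offset, length).
FIELDS = {
    "name": (0, 100), "mode": (100, 8), "uid": (108, 8), "gid": (116, 8),
    "size": (124, 12), "mtime": (136, 12), "chksum": (148, 8),
    "typeflag": (156, 1), "linkname": (157, 100), "magic": (257, 8),
    "uname": (265, 32), "gname": (297, 32), "devmajor": (329, 8),
    "devminor": (337, 8), "prefix": (345, 155),
}

# Constructed sample members (file names borrowed from the diffoscope output).
SAMPLE_FILES = {
    "usr/bin/chattr.e2fsprogs": b"constructed sample\n",
    "usr/bin/containerd-ctr": b"another constructed sample\n",
}


def build_archive(uname="", gname="", pax_headers=None):
    """Build an in-memory archive with fixed metadata and sorted members.

    GNU format by default; pax (posix) format when pax_headers is given.
    """
    fmt = tarfile.PAX_FORMAT if pax_headers else tarfile.GNU_FORMAT
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        for name in sorted(SAMPLE_FILES):
            data = SAMPLE_FILES[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode, info.mtime = 0o755, 0
            info.uid = info.gid = 0
            info.uname, info.gname = uname, gname
            if pax_headers:
                info.pax_headers = dict(pax_headers)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def iter_headers(archive):
    """Yield (offset, header_block) for every header in a tar byte string.

    Handles octal size fields only (members below 8 GiB).
    """
    pos = 0
    while pos + BLOCK <= len(archive):
        header = archive[pos:pos + BLOCK]
        if header == b"\0" * BLOCK:      # end-of-archive marker
            break
        raw_size = header[124:136].rstrip(b"\0 ").decode("ascii")
        size = int(raw_size or "0", 8)
        yield pos, header
        # Skip the header and the payload, padded to a whole block.
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def diff_headers(a, b):
    """Map member name -> list of header fields that differ between a and b.

    Assumes both archives list the same members in the same order, which is
    what --sort=name is for.
    """
    headers_a, headers_b = list(iter_headers(a)), list(iter_headers(b))
    if len(headers_a) != len(headers_b):
        raise ValueError("archives have a different number of header blocks")
    report = {}
    for (_, ha), (_, hb) in zip(headers_a, headers_b):
        changed = [field for field, (off, length) in FIELDS.items()
                   if ha[off:off + length] != hb[off:off + length]]
        if changed:
            name = ha[0:100].rstrip(b"\0").decode("utf-8", "replace")
            report[name] = changed
    return report


def typeflag_counts(archive):
    """Count header blocks by type flag ('0' regular file, 'x' pax header)."""
    return Counter(h[156:157].decode("ascii") for _, h in iter_headers(archive))


if __name__ == "__main__":
    plain = build_archive()
    named = build_archive(uname="root", gname="root")
    for member, fields in diff_headers(plain, named).items():
        print(member, "differs in", ", ".join(fields))
    pax = build_archive(pax_headers={"comment": "constructed"})
    print("gnu:", dict(typeflag_counts(plain)), "pax:", dict(typeflag_counts(pax)))
```
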



* [gatesgarth][PATCH 24/35] license_image.bbclass: Don't attempt to symlink to the same file
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (22 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 23/35] image_types.bbclass: tar: use posix format instead of gnu Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 25/35] systemd: change /bin/nologin to /sbin/nologin Anuj Mittal
                   ` (10 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Mike Looijmans <mike.looijmans@topic.nl>

Sometimes (that is, in all my builds) the lic_manifest_dir and
lic_manifest_symlink_dir end up pointing to the same file, resulting
in an error like this:
  Exception: FileExistsError: [Errno 17] File exists: '/.../tmp-glibc/deploy/licenses/my-image-tdkz15' -> '/.../tmp-glibc/deploy/licenses/my-image-tdkz15'

First check to see if this is the case before attempting to create
the link.

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50f83fb542065eaf7a20ac07b63ae06441ada180)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/license_image.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass
index 119c8dfc86..6f478ce22c 100644
--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -210,7 +210,8 @@ def license_deployed_manifest(d):
             os.unlink(lic_manifest_symlink_dir)
 
         # create the image dir symlink
-        os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
+        if lic_manifest_dir != lic_manifest_symlink_dir:
+            os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
 
 def get_deployed_dependencies(d):
     """
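Review bot: the new guard `lic_manifest_dir != lic_manifest_symlink_dir` compares the raw strings, so two spellings of the same directory (a trailing slash, a path through a symlink) still reach os.symlink and raise the same FileExistsError. Comparing os.path.realpath of both values would cover those cases. The os.unlink(lic_manifest_symlink_dir) in the context lines above sits outside the new check; if it can run when the two names are equal, it needs the same guard.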
-- 
2.29.2



* [gatesgarth][PATCH 25/35] systemd: change /bin/nologin to /sbin/nologin
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (23 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 24/35] license_image.bbclass: Don't attempt to symlink to the same file Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 26/35] openssh: Backport a fix to fix with glibc 2.33 on some platforms Anuj Mittal
                   ` (9 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Our nologin path is /sbin/nologin instead of /bin/nologin.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cd7f55e960e759d946d8b619b0a306e610f66356)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-core/systemd/systemd_246.9.bb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd_246.9.bb b/meta/recipes-core/systemd/systemd_246.9.bb
index 9215adf8dc..2f460e9bee 100644
--- a/meta/recipes-core/systemd/systemd_246.9.bb
+++ b/meta/recipes-core/systemd/systemd_246.9.bb
@@ -357,15 +357,15 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
                     ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
 "
 GROUPADD_PARAM_${PN} = "-r systemd-journal"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /bin/nologin systemd-network;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /bin/nologin systemd-timesync;', '', d)}"
-USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /bin/nologin systemd-bus-proxy"
-USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /bin/nologin systemd-journal-gateway"
-USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /bin/nologin systemd-journal-remote"
-USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /bin/nologin systemd-journal-upload"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /sbin/nologin systemd-resolve;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /sbin/nologin systemd-timesync;', '', d)}"
+USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /sbin/nologin systemd-bus-proxy"
+USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /sbin/nologin systemd-journal-gateway"
+USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /sbin/nologin systemd-journal-remote"
+USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /sbin/nologin systemd-journal-upload"
 
 FILES_${PN}-analyze = "${bindir}/systemd-analyze"
 
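Review bot: the eight changed USERADD_PARAM lines hardcode `/sbin/nologin`, while the polkit line in the same block already uses a path variable (`${sysconfdir}`). Using `${base_sbindir}/nologin` would keep the shell path correct for distros that relocate sbin, instead of replacing one literal with another.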
-- 
2.29.2



* [gatesgarth][PATCH 26/35] openssh: Backport a fix to fix with glibc 2.33 on some platforms
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (24 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 25/35] systemd: change /bin/nologin to /sbin/nologin Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 27/35] pseudo: Update to work with glibc 2.33 Anuj Mittal
                   ` (8 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This fixes openssh failing to work on qemux86 with glibc 2.33 due to
seccomp and the fact new syscalls are used. Also likely fixes issues
on other platforms.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 22f8ce6e6d998c0539a40b2776b1a2abb4f44bb3)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...440ca70abab947acbd77795e9f130967956c.patch | 28 +++++++++++++++++++
 .../openssh/openssh_8.3p1.bb                  |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
new file mode 100644
index 0000000000..b88bc18f12
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
@@ -0,0 +1,28 @@
+From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: [PATCH] Add new pselect6_time64 syscall on ARM.
+
+This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
+jjelen at redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Upstream-Status: Backport
+[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33]
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif
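Review bot: only `__NR_pselect6_time64` is added to preauth_insns, yet the commit message attributes the breakage to new syscalls (plural) used with glibc 2.33. On 32-bit targets the other `_time64` variants of calls already allowed in this filter may be reached too, and anything missing from the list is refused by the sandbox; check whether they need the same `#ifdef`-guarded SC_ALLOW entries. Also, the Upstream-Status line sits below the `---` separator without an upstream link, and the backport carries no Signed-off-by.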
diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
index 2aa1df20bd..3061ed2975 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
+           file://0f90440ca70abab947acbd77795e9f130967956c.patch \
            "
 SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
 
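Review bot: the new SRC_URI entry names the patch by its bare upstream commit hash (`0f90440ca70abab947acbd77795e9f130967956c.patch`), which tells a reader of the recipe nothing about what it changes. A descriptive file name, with the hash kept in the patch header, would match neighbouring entries such as add-test-support-for-busybox.patch.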
-- 
2.29.2



* [gatesgarth][PATCH 27/35] pseudo: Update to work with glibc 2.33
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (25 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 26/35] openssh: Backport a fix to fix with glibc 2.33 on some platforms Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 28/35] uninative: Upgrade to 2.10 Anuj Mittal
                   ` (7 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Update to a pseudo version which contains some header fixes for
glibc 2.33.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c897ac317926b132547578b1f6bd347fe5677dfc)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 0ba7b50355..0072e0558b 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
            file://fallback-group \
            "
 
-SRCREV = "8317c0ab172db47dabcef909bae02cd77b1f1010"
+SRCREV = "f332f5633b5dd73fa2b6e5d605eb33e4a446d7ad"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
 
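Review bot: the SRCREV bump gives no indication of which upstream commits it pulls in; the message only mentions header fixes for glibc 2.33. Listing the commit subjects between the old and new SRCREV in the commit message would let a stable-branch reviewer confirm that nothing beyond those fixes comes along.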
-- 
2.29.2



* [gatesgarth][PATCH 28/35] uninative: Upgrade to 2.10
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (26 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 27/35] pseudo: Update to work with glibc 2.33 Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 29/35] yocto-uninative.inc: version 2.11 updates glibc to 2.33 Anuj Mittal
                   ` (6 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Michael Halstead <mhalstead@linuxfoundation.org>

Final glibc 2.32 based uninative.

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8b5d932a42ce9e3e801837bea9cf319c455d9ae5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 69b6edee5f..85336014b1 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
 
 UNINATIVE_MAXGLIBCVERSION = "2.32"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
-UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
-UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
-UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.10/"
+UNINATIVE_CHECKSUM[aarch64] ?= "645e5c50b2b48aabb8b10f783a9f94b4b7c5ddc7cfceb5386d43b86d30253202"
+UNINATIVE_CHECKSUM[i686] ?= "233e09b5ff30e15341232a0c16fa8448ff31dccb8f3f3e2ad3948cdac8c4a598"
+UNINATIVE_CHECKSUM[x86_64] ?= "04333677f81990ce2cf55c3bc256cd84a66085d18fc95ccddfab8581e4aec014"
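Review bot: UNINATIVE_URL still points at plain `http://downloads.yoctoproject.org/`, so the sha256 values in UNINATIVE_CHECKSUM are the only protection for the downloaded tarball. They do pin the content, but switching the URL to https while these lines are being touched would also protect the transfer itself.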
-- 
2.29.2



* [gatesgarth][PATCH 29/35] yocto-uninative.inc: version 2.11 updates glibc to 2.33
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (27 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 28/35] uninative: Upgrade to 2.10 Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 30/35] python3: split python target configuration into own class Anuj Mittal
                   ` (5 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Michael Halstead <mhalstead@linuxfoundation.org>

Support glibc 2.33.

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5c7f963d395aa4a94d78c37883488baac471ea43)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 85336014b1..bc47083978 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.32"
+UNINATIVE_MAXGLIBCVERSION = "2.33"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.10/"
-UNINATIVE_CHECKSUM[aarch64] ?= "645e5c50b2b48aabb8b10f783a9f94b4b7c5ddc7cfceb5386d43b86d30253202"
-UNINATIVE_CHECKSUM[i686] ?= "233e09b5ff30e15341232a0c16fa8448ff31dccb8f3f3e2ad3948cdac8c4a598"
-UNINATIVE_CHECKSUM[x86_64] ?= "04333677f81990ce2cf55c3bc256cd84a66085d18fc95ccddfab8581e4aec014"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.11/"
+UNINATIVE_CHECKSUM[aarch64] ?= "fa703e25c26eaebb1afd895337b92a24cc5077818e093af74912e53846a117fe"
+UNINATIVE_CHECKSUM[i686] ?= "638901c990ffbe716a34400134a2ad49a1c3104e3b48cdafd6fcd28e9b133294"
+UNINATIVE_CHECKSUM[x86_64] ?= "047ddd78d6b5cabd2a102120e27755a9eaa1d5724c6a8f4007daa3f10ecb6871"
-- 
2.29.2



* [gatesgarth][PATCH 30/35] python3: split python target configuration into own class
  2021-02-09 15:51 [gatesgarth][PATCH 00/35] review request Anuj Mittal
                   ` (28 preceding siblings ...)
  2021-02-09 15:52 ` [gatesgarth][PATCH 29/35] yocto-uninative.inc: version 2.11 updates glibc to 2.33 Anuj Mittal
@ 2021-02-09 15:52 ` Anuj Mittal
  2021-02-09 15:52 ` [gatesgarth][PATCH 31/35] python3-pycairo: use python3targetconfig Anuj Mittal
                   ` (4 subsequent siblings)
  34 siblings, 0 replies; 36+ messages in thread
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Setting _PYTHON_SYSCONFIGDATA_NAME in python3native class globally was
problematic as it was leaking into host python environment, which
was causing tracebacks depending on host distro and action
(typically anything involving importing sysconfig module).

The new class sets the variable only in specific tasks where it is needed,
and should be inherited explicitly:
- use python3native to run scripts with native python
- use python3targetconfig to run scripts with native python
if those scripts need to access target config data (such
as correct installation directories). This also adds a dependency
on target python, so should be used carefully to avoid lengthening builds.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 823cbf815d6984e813f0ae812f6a14469150eeff)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/python3native.bbclass       |  2 --
 meta/classes/python3targetconfig.bbclass | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 meta/classes/python3targetconfig.bbclass

diff --git a/meta/classes/python3native.bbclass b/meta/classes/python3native.bbclass
index d98fb4c758..2e3a88c126 100644
--- a/meta/classes/python3native.bbclass
+++ b/meta/classes/python3native.bbclass
@@ -17,8 +17,6 @@ export STAGING_LIBDIR
 export PYTHON_LIBRARY="${STAGING_LIBDIR}/lib${PYTHON_DIR}${PYTHON_ABI}.so"
 export PYTHON_INCLUDE_DIR="${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}"
 
-export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
-
 # suppress host user's site-packages dirs.
 export PYTHONNOUSERSITE = "1"
 
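
Review bot: dropping the global export of _PYTHON_SYSCONFIGDATA_NAME from
python3native changes behaviour for every recipe that inherits this class
and relied on target sysconfig data, including recipes in other layers.
As this is a cherry-pick onto a stable branch, the commit message should
say explicitly that such recipes must now inherit python3targetconfig,
since they may otherwise pick up native configuration without any obvious
build failure.
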
diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
new file mode 100644
index 0000000000..640d0c97b6
--- /dev/null
+++ b/meta/classes/python3targetconfig.bbclass
@@ -0,0 +1,15 @@
+inherit python3native
+
+DEPENDS_append = " python3"
+
+do_configure_prepend() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile_prepend() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install_prepend() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
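
Review bot: DEPENDS_append = " python3" is unconditional, so native and
nativesdk variants of any recipe that inherits this class also gain a
dependency on target python3; scope the dependency and the three task
prepends with a class-target override. The new file also has no header
comment: the guidance from the commit message (python3native for plain
native scripts, python3targetconfig only when target config data is
needed) belongs at the top of the class, together with a note that only
do_configure, do_compile and do_install see the variable.
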
-- 
2.29.2



* [gatesgarth][PATCH 31/35] python3-pycairo: use python3targetconfig
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 27d1dcf065ac2ccb57229eef54dd63b45d0fc5f9)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/python/python3-pycairo_1.19.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
index 34c8543bce..1734610d12 100644
--- a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
+++ b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
@@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "2c143183280feb67f5beb4e543fd49990c28e7df427301ede04fc550d3
 
 S = "${WORKDIR}/pycairo-${PV}"
 
-inherit meson pkgconfig
+inherit meson pkgconfig python3targetconfig
 
 CFLAGS += "-fPIC"
 
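
Review bot: the commit message has no body, so it is not recorded why
pycairo needs target sysconfig data. Because python3targetconfig adds a
DEPENDS on target python3, one sentence naming what in the meson build
reads the target configuration would justify the extra dependency.
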
-- 
2.29.2



* [gatesgarth][PATCH 32/35] distutils3-base.bbclass: use python3targetconfig
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10cdc26748e64394e829d919a15e899812bb2fe2)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/distutils3-base.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/distutils3-base.bbclass b/meta/classes/distutils3-base.bbclass
index 7dbf07ac4b..a277d1c7bc 100644
--- a/meta/classes/distutils3-base.bbclass
+++ b/meta/classes/distutils3-base.bbclass
@@ -1,5 +1,5 @@
 DEPENDS  += "${@["${PYTHON_PN}-native ${PYTHON_PN}", ""][(d.getVar('PACKAGES') == '')]}"
 RDEPENDS_${PN} += "${@['', '${PYTHON_PN}-core']['${CLASSOVERRIDE}' == 'class-target']}"
 
-inherit distutils-common-base python3native
+inherit distutils-common-base python3native python3targetconfig
 
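
Review bot: python3targetconfig already starts with "inherit
python3native", so naming both on the inherit line is redundant;
"inherit distutils-common-base python3targetconfig" is enough. More
importantly, distutils3-base is also inherited by native and other
non-target recipes, and python3targetconfig appends target python3 to
DEPENDS unconditionally, so this one-line change ties those recipes to the
target python3 build unless the class is limited to class-target first.
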
-- 
2.29.2



* [gatesgarth][PATCH 33/35] meta: drop _PYTHON_SYSCONFIGDATA_NAME hacks
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7901859e38de06c56b8535a8425e76cb114c57dc)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/scons.bbclass          | 3 ---
 meta/lib/oe/prservice.py            | 4 ----
 meta/recipes-core/glib-2.0/glib.inc | 4 ----
 meta/recipes-graphics/mesa/mesa.inc | 5 -----
 4 files changed, 16 deletions(-)

diff --git a/meta/classes/scons.bbclass b/meta/classes/scons.bbclass
index 6b171ca8df..4f3ae502ef 100644
--- a/meta/classes/scons.bbclass
+++ b/meta/classes/scons.bbclass
@@ -5,7 +5,6 @@ DEPENDS += "python3-scons-native"
 EXTRA_OESCONS ?= ""
 
 do_configure() {
-	unset _PYTHON_SYSCONFIGDATA_NAME
 	if [ -n "${CONFIGURESTAMPFILE}" ]; then
 		if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then
 			${STAGING_BINDIR_NATIVE}/scons --clean PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS}
@@ -17,13 +16,11 @@ do_configure() {
 }
 
 scons_do_compile() {
-	unset _PYTHON_SYSCONFIGDATA_NAME
 	${STAGING_BINDIR_NATIVE}/scons ${PARALLEL_MAKE} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} || \
 	die "scons build execution failed."
 }
 
 scons_do_install() {
-	unset _PYTHON_SYSCONFIGDATA_NAME
 	${STAGING_BINDIR_NATIVE}/scons install_root=${D}${prefix} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} install || \
 	die "scons install execution failed."
 }
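
Review bot: with the unset lines gone from scons_do_compile and
scons_do_install (and from do_configure in the previous hunk), scons now
relies on nothing having exported _PYTHON_SYSCONFIGDATA_NAME into the
task. A recipe that inherits both scons and python3targetconfig would get
the export from the task prepends and run native scons against target
sysconfig data; either keep the unset in these functions or document that
the two classes must not be combined.
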
diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py
index 2d3c9c7e50..fcdbe66c19 100644
--- a/meta/lib/oe/prservice.py
+++ b/meta/lib/oe/prservice.py
@@ -3,10 +3,6 @@
 #
 
 def prserv_make_conn(d, check = False):
-    # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with:
-    # No module named '_sysconfigdata'
-    if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ:
-        del os.environ['_PYTHON_SYSCONFIGDATA_NAME']
     import prserv.serv
     host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f])
     try:
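
Review bot: the removed guard in prserv_make_conn was also the only place
that recorded the failure symptom (No module named '_sysconfigdata').
Removing it is fine once the variable is no longer exported globally, but
a layer that still exports it will hit that import error again at
"import prserv.serv"; name the symptom in the commit message so it can be
found when bisecting.
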
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index e48b5cb67b..71777bc459 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -34,10 +34,6 @@ DEPENDS_append_class-target = "${@' gtk-doc' if d.getVar('GTKDOC_ENABLED') == 'T
 
 GTKDOC_MESON_OPTION = "gtk_doc"
 
-# This avoids the need to depend on target python3, which in case of mingw is not even possible.
-# meson's python configuration pokes into python3 configuration, so this provides the native config to it.
-unset _PYTHON_SYSCONFIGDATA_NAME
-
 S = "${WORKDIR}/glib-${PV}"
 
 PACKAGECONFIG ??= "system-pcre libmount \
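
Review bot: the deleted comment recorded a real constraint, namely that
glib must not depend on target python3 (not possible for mingw) and that
meson needs the native python configuration. Dropping the unset is
consistent with python3native no longer exporting the variable, but keep a
one-line comment stating that glib must not inherit python3targetconfig so
the constraint is not lost.
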
diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index 9fc62e95e1..a4c7007157 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -48,11 +48,6 @@ PROVIDES = " \
 
 inherit meson pkgconfig python3native gettext features_check
 
-# Unset these to stop python trying to report the target Python setup
-_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
-STAGING_INCDIR[unexport] = "1"
-STAGING_LIBDIR[unexport] = "1"
-
 BBCLASSEXTEND = "native nativesdk"
 
 ANY_OF_DISTRO_FEATURES_class-target = "opengl vulkan"
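
Review bot: the STAGING_INCDIR[unexport] and STAGING_LIBDIR[unexport]
lines are not _PYTHON_SYSCONFIGDATA_NAME hacks, yet they are dropped here
as well. mesa still inherits python3native, which exports STAGING_LIBDIR,
so that variable becomes visible to mesa's build scripts again; either
keep the two unexport lines or explain in the commit message why they are
no longer needed.
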
-- 
2.29.2



* [gatesgarth][PATCH 34/35] gpgme: use python3targetconfig
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 375d13fcb362b48e57ba8851b03f2b72dd44da11)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-support/gpgme/gpgme_1.14.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/gpgme/gpgme_1.14.0.bb b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
index 9fa8212808..fb7215381c 100644
--- a/meta/recipes-support/gpgme/gpgme_1.14.0.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
@@ -48,7 +48,7 @@ DEFAULT_LANGUAGES_class-target = "cpp"
 LANGUAGES ?= "${DEFAULT_LANGUAGES} python"
 
 PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}"
-PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
+PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native python3targetconfig', '', d)}"
 
 EXTRA_OECONF += '--enable-languages="${LANGUAGES}" \
                  --disable-gpgconf-test \
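
Review bot: 'python3native python3targetconfig' is redundant because
python3targetconfig itself inherits python3native; 'python3targetconfig'
alone would do. Separately, the two PYTHON_INHERIT fragments are joined
with .= and no separating space, so enabling python2 and python3 together
yields 'pythonnativepython3native python3targetconfig'; adding a leading
space to the python3 value while touching this line would fix that.
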
-- 
2.29.2



* [gatesgarth][PATCH 35/35] python3targetconfig.bbclass: Make py3 dep and tasks only for target recipes
From: Anuj Mittal @ 2021-02-09 15:52 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

python3targetconfig appends target python3 to dependencies
unconditionally, and here it's inherited unconditionally too, but
distutils3-base is inherited in BBCLASSEXTEND'ed recipes and other non-target
recipes as well. Hence the change added via 9c8f666097802cb594a759989edcf01603a22df3
is now bridging the native dependencies with target python3, and that's
resulting in all sorts of rebuilds for multimachine builds, e.g.

MACHINE=qemuarm bitbake python3-scons-native
MACHINE=qemumips bitbake python3-scons-native

results in rebuilds for python3-scons-native

bitbake-diffsigs shows

Hash for dependent task python/python3-scons-native_3.1.2.bb:do_populate_sysroot changed from 1cdb93193b416477df6faa137e83a967b433c7aa29033146b405153f73f36933 to 3cea1e7cbedd121ecb768fbc291cc4e4d7d3b5c0442897
0e3b97bd058d162065
    Hash for dependent task python/python3-scons-native_3.1.2.bb:do_install changed from 8d6018fd03ffc6060a04532dc39a5b7ccca1be026a69d069cb4fb11aef86dd89 to c5f1d173596a8e910f45a2b6e0b4dab96cd0102be4d62bd3156
229cb0f5ebb11
        Hash for dependent task python/python3-scons-native_3.1.2.bb:do_compile changed from e3ee4b52a15267e6ae7853ec19a666b2fb62608a597608793336382d1c45f8a0 to 1e582043dfe6b3e00aaa532f363ce6afb37652abe837dac
7cc9769194c43eae1
            Hash for dependent task python/python3-scons-native_3.1.2.bb:do_configure changed from 770a4d5a77a96ebd9e1e7368f710bca3f88e3b1266dffa3b2d0360b1e3a81e27 to a366982778b03eee5165c3117ee778f848acdfaa2
b346650fbdf114ac70ab57b
                Hash for dependent task python/python3-scons-native_3.1.2.bb:do_prepare_recipe_sysroot changed from 958910037856ff5d5eb2b5162b3cdd02a3a710fc543b933cfeba771ee095cb72 to 474333fb565f908992fd3716
4935aaecf31a79e867826fe634cde4f44171d8e7
                    Hash for dependent task python/python3_3.9.0.bb:do_populate_sysroot changed from 7ac1c4fcbb2eacf98d2c32d991751bd2f3c7d55e2e32f2c9e485e7f5975fecf8 to 25dcfe74a95af19cce8df7c29311cc5edbbf6ad
08777e46a6fa6e417c0445018

...

Therefore limit effects of this class only for target recipes.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: Martin Jansa <Martin.Jansa@gmail.com>
Cc: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 59cc148de3fd19f5041727f072f087f741c506f6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/python3targetconfig.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
index 640d0c97b6..fc1025c207 100644
--- a/meta/classes/python3targetconfig.bbclass
+++ b/meta/classes/python3targetconfig.bbclass
@@ -1,15 +1,17 @@
 inherit python3native
 
-DEPENDS_append = " python3"
+EXTRA_PYTHON_DEPENDS ?= ""
+EXTRA_PYTHON_DEPENDS_class-target = "python3"
+DEPENDS_append = " ${EXTRA_PYTHON_DEPENDS}"
 
-do_configure_prepend() {
+do_configure_prepend_class-target() {
         export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
 }
 
-do_compile_prepend() {
+do_compile_prepend_class-target() {
         export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
 }
 
-do_install_prepend() {
+do_install_prepend_class-target() {
         export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
 }
-- 
2.29.2

