Openembedded Core Discussions
* [zeus][PATCH 0/9] zeus review
@ 2020-03-26  8:53 Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 1/9] icu: fix CVE-2020-10531 Anuj Mittal
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

Next set of changes for zeus. Please review.

Thanks,

Anuj

The following changes since commit c940e4b858d6be28b198770768117ecc098fa0d3:

  bluez: fix CVE-2020-0556 (2020-03-16 15:49:02 +0800)

are available in the git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/zeus

Anuj Mittal (4):
  icu: fix CVE-2020-10531
  screen: fix CVE-2020-9366
  e2fsprogs: fix CVE-2019-5188
  e2fsprogs: backport upstream patch

Bruce Ashfield (1):
  linux-yocto/4.19: update to v4.19.107

Chee Yang Lee (1):
  wic/direct: reserve 2 sector for extended partition

Julius Hemanth Pitti (1):
  nfs-utils: Disable statx if using glibc emulation

Ross Burton (1):
  sanity: check for more bits of Python

Tom Hochstein (1):
  security_flags.inc: fix flags missing from SDK toolchain

 meta/classes/sanity.bbclass                        |  12 +-
 meta/conf/distro/include/security_flags.inc        |   2 +
 ...01-Disable-statx-if-using-glibc-emulation.patch |  34 ++++++
 .../nfs-utils/nfs-utils_2.4.1.bb                   |   1 +
 ...k-don-t-try-to-rehash-a-deleted-directory.patch |  49 +++++++++
 .../e2fsprogs/e2fsprogs/CVE-2019-5188.patch        |  57 ++++++++++
 ...fsck-fix-use-after-free-in-calculate_tree.patch |  76 +++++++++++++
 .../recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb |   3 +
 .../screen/screen/CVE-2020-9366.patch              |  48 ++++++++
 meta/recipes-extended/screen/screen_4.6.2.bb       |   1 +
 meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb   |   6 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb |   8 +-
 meta/recipes-kernel/linux/linux-yocto_4.19.bb      |  20 ++--
 meta/recipes-support/icu/icu/CVE-2020-10531.patch  | 122 +++++++++++++++++++++
 meta/recipes-support/icu/icu_64.2.bb               |   1 +
 scripts/lib/wic/plugins/imager/direct.py           |   6 +-
 16 files changed, 421 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2020-9366.patch
 create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch

-- 
2.7.4



* [zeus][PATCH 1/9] icu: fix CVE-2020-10531
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 2/9] screen: fix CVE-2020-9366 Anuj Mittal
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-support/icu/icu/CVE-2020-10531.patch | 122 ++++++++++++++++++++++
 meta/recipes-support/icu/icu_64.2.bb              |   1 +
 2 files changed, 123 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch

diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000..56303fc
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
+CVE: CVE-2020-10531
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ icu4c/source/common/unistr.cpp          |  6 ++-
+ icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ icu4c/source/test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
++++ b/icu4c/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
++  int32_t newLength;
++  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++    setToBogus();
++    return *this;
++  }
+ 
+   // Check for append onto ourself
+   const UChar* oldArray = getArrayStart();
+diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- a/icu4c/source/test/intltest/ustrtest.cpp
++++ b/icu4c/source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+     str.insert(2, sub);
+     assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++    if(quick) return;
++
++    IcuTestErrorCode status(*this, "TestLargeAppend");
++    // Make a large UnicodeString
++    int32_t len = 0xAFFFFFF;
++    UnicodeString str;
++    char16_t *buf = str.getBuffer(len);
++    // A fast way to set buffer to valid Unicode.
++    // 4E4E is a valid unicode character
++    uprv_memset(buf, 0x4e, len * 2);
++    str.releaseBuffer(len);
++    UnicodeString dest;
++    // Append it 16 times
++    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++    int64_t total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++    dest.remove();
++    total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total + len <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else if (total <= INT32_MAX) {
++            // Check that a string of exactly the maximum size works
++            UnicodeString str2;
++            int32_t remain = INT32_MAX - total;
++            char16_t *buf2 = str2.getBuffer(remain);
++            if (buf2 == nullptr) {
++                // if somehow memory allocation fail, return the test
++                return;
++            }
++            uprv_memset(buf2, 0x4e, remain * 2);
++            str2.releaseBuffer(remain);
++            dest.append(str2);
++            total += remain;
++            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++            assertFalse("dest is not bogus", dest.isBogus());
++
++            // Check that a string size+1 goes bogus
++            str2.truncate(1);
++            dest.append(str2);
++            total++;
++            assertTrue("dest should be bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++}
+diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- a/icu4c/source/test/intltest/ustrtest.h
++++ b/icu4c/source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+     void TestWCharPointers();
+     void TestNullPointers();
+     void TestUnicodeStringInsertAppendToSelf();
++    void TestLargeAppend();
+ };
+ 
+ #endif
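Review bot: In TestLargeAppend(), the pointer returned by the first str.getBuffer(len) goes straight into uprv_memset(buf, 0x4e, len * 2) with no null check, while the later buf2 allocation is checked and the test returns early on failure. As this is a verbatim upstream backport the test should stay identical to upstream, but the first allocation deserves the same guard if the test is ever carried locally, since it only runs when "quick" is false and a failed allocation would crash the test binary instead of reporting a failure. The comment "0xAFFFFFF times 16 is 0xA4FFFFF1" also does not match the arithmetic (the product is 0xAFFFFFF0); the conclusion that it exceeds INT32_MAX still holds. The doAppend() change itself reads correctly: the uprv_add32_overflow() check sits directly after newLength is declared, so the wrapped sum can no longer reach the code that follows, and the string is set bogus instead.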
diff --git a/meta/recipes-support/icu/icu_64.2.bb b/meta/recipes-support/icu/icu_64.2.bb
index 10bac7a..2ed8077 100644
--- a/meta/recipes-support/icu/icu_64.2.bb
+++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "${BASE_SRC_URI} \
            file://fix-install-manx.patch \
            file://0001-Fix-big-endian-build.patch \
            file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2020-10531.patch;striplevel=3 \
            "
 
 SRC_URI_append_class-target = "\
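Review bot: The striplevel=3 on the new SRC_URI entry is not explained anywhere, and the commit message has no body at all. The patch paths start with a/icu4c/source/, so three components have to be stripped for common/unistr.cpp and test/intltest/ to resolve; one sentence in the commit message saying so, plus the upstream commit being backported, would save the next person from working it out from the diff headers.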
-- 
2.7.4



* [zeus][PATCH 2/9] screen: fix CVE-2020-9366
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 1/9] icu: fix CVE-2020-10531 Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 3/9] sanity: check for more bits of Python Anuj Mittal
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../screen/screen/CVE-2020-9366.patch              | 48 ++++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.6.2.bb       |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2020-9366.patch

diff --git a/meta/recipes-extended/screen/screen/CVE-2020-9366.patch b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000..a52b9e6
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
@@ -0,0 +1,48 @@
+From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e;                                    \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b]
+CVE: CVE-2020-9366
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/window.h b/window.h
+index bd10dcd..a8afa19 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+   char	 w_vbwait;
+   char	 w_norefresh;		/* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+-  char	 w_xtermosc[4][MAXSTR];	/* special xterm/rxvt escapes */
++  char	 w_xtermosc[5][MAXSTR];	/* special xterm/rxvt escapes */
+ #endif
+   int    w_mouse;		/* mouse mode 0,9,1000 */
+ #ifdef HAVE_BRAILLE
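Review bot: The window.h change from w_xtermosc[4] to w_xtermosc[5] removes the out-of-bounds write by enlarging the table, but nothing in this patch bounds the index, which the commit message says is the OSC number divided by 10 and is derived from user input. The fix therefore rests on "enough for all current uses"; since the recipe is screen_4.6.2 and the Upstream-Status URL points at the v.4.8.0 branch, please confirm that the set of OSC numbers reaching this table is the same in 4.6.2. Two header points as well: the "From 8ce90c1d..." line and the id in the Upstream-Status URL (68386dfb...) are different hashes, so say which upstream commit this is, and the From/MIME-Version/Content-Type block appears twice and can be trimmed to one copy.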
diff --git a/meta/recipes-extended/screen/screen_4.6.2.bb b/meta/recipes-extended/screen/screen_4.6.2.bb
index 21b476d..d00b849 100644
--- a/meta/recipes-extended/screen/screen_4.6.2.bb
+++ b/meta/recipes-extended/screen/screen_4.6.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
            file://0001-fix-for-multijob-build.patch \
            file://0001-configure.ac-fix-configure-failed-while-build-dir-ha.patch \
            file://0001-Remove-more-compatibility-stuff.patch \
+           file://CVE-2020-9366.patch \
           "
 
 SRC_URI[md5sum] = "a0f529d3333b128dfaa324d978ba73a8"
-- 
2.7.4



* [zeus][PATCH 3/9] sanity: check for more bits of Python
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 1/9] icu: fix CVE-2020-10531 Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 2/9] screen: fix CVE-2020-9366 Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 4/9] nfs-utils: Disable statx if using glibc emulation Anuj Mittal
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross.burton@intel.com>

MJ: icu in master doesn't need distutils anymore, because icu 65.1 currently in
dunfell/master doesn't depend on python3-distutils anymore since:
https://github.com/unicode-org/icu/commit/b4d41b0561b6e8de38b99850ce0e4be8ef536bb1

but the icu-64.2 in zeus and openembedded-core/meta/recipes-core/ovmf/ovmf_git.bb
still need python3-distutils as described in:
http://lists.openembedded.org/pipermail/openembedded-core/2020-March/293984.html

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/sanity.bbclass | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 936fe91..5c2f8f9 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -625,13 +625,14 @@ def check_sanity_version_change(status, d):
     # In other words, these tests run once in a given build directory and then 
     # never again until the sanity version or host distrubution id/version changes.
 
-    # Check the python install is complete. glib-2.0-natives requries
-    # xml.parsers.expat
+    # Check the python install is complete. Examples that are often removed in
+    # minimal installations: glib-2.0-natives requries # xml.parsers.expat and icu
+    # requires distutils.sysconfig.
     try:
         import xml.parsers.expat
-    except ImportError:
-        status.addresult('Your python is not a full install. Please install the module xml.parsers.expat (python-xml on openSUSE and SUSE Linux).\n')
-    import stat
+        import distutils.sysconfig
+    except ImportError as e:
+        status.addresult('Your Python 3 is not a full install. Please install the module %s (see the Getting Started guide for further information).\n' % e.name)
 
     status.addresult(check_make_version(d))
     status.addresult(check_patch_version(d))
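Review bot: The rewritten comment has a stray "#" in the middle of its second line ("requries # xml.parsers.expat and icu"), left over from re-wrapping the old two-line comment, and it carries the "requries" typo forward; suggest "glib-2.0-natives requires xml.parsers.expat and icu requires distutils.sysconfig". On the logic, both imports share one try block, so only the first missing module is reported through e.name and the user may need a second run to learn about the other; separate try blocks, or a loop over the module names, would report both at once.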
@@ -667,6 +668,7 @@ def check_sanity_version_change(status, d):
         status.addresult('Please use ASSUME_PROVIDED +=, not ASSUME_PROVIDED = in your local.conf\n')
 
     # Check that TMPDIR isn't on a filesystem with limited filename length (eg. eCryptFS)
+    import stat
     tmpdir = d.getVar('TMPDIR')
     status.addresult(check_create_long_filename(tmpdir, "TMPDIR"))
     tmpdirmode = os.stat(tmpdir).st_mode
-- 
2.7.4



* [zeus][PATCH 4/9] nfs-utils: Disable statx if using glibc emulation
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (2 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 3/9] sanity: check for more bits of Python Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 5/9] e2fsprogs: fix CVE-2019-5188 Anuj Mittal
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

From: Julius Hemanth Pitti <jpitti@cisco.com>

nfs-utils 2.4.1 moves from "stat" to "statx
with AT_STATX_DONT_SYNC" in parts of the code.

statx is supported in Linux kernel v4.11 and above.
For all older kernels glibc emulates statx, and it
doesn't support AT_STATX_DONT_SYNC and will return
EINVAL.

When a server uses nfs-utils 2.4.1 on kernel v4.10
and older, mount.nfs4 would fail with error
"reason given by server: No such file or directory".

Since Linux v4.4 and v4.9 are LTS, it's more likely
that people would use the above combination.

This issue has been fixed in nfs-utils 2.4.3 and
above. Backporting fix to 2.4.1.

Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...01-Disable-statx-if-using-glibc-emulation.patch | 34 ++++++++++++++++++++++
 .../nfs-utils/nfs-utils_2.4.1.bb                   |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch

diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch
new file mode 100644
index 0000000..98b1391
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch
@@ -0,0 +1,34 @@
+From ff3ad88c233ecd87f7983ad13836323f944540ec Mon Sep 17 00:00:00 2001
+From: Doug Nazar <nazard@nazar.ca>
+Date: Mon, 9 Dec 2019 10:53:37 -0500
+Subject: [PATCH] Disable statx if using glibc emulation
+
+On older kernels without statx, glibc with statx support will attempt
+to emulate the call. However it doesn't support AT_STATX_DONT_SYNC and
+will return EINVAL. This causes all xstat/xlstat calls to fail.
+
+Upstream-Status: Backport
+
+Signed-off-by: Doug Nazar <nazard@nazar.ca>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ support/misc/xstat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/support/misc/xstat.c b/support/misc/xstat.c
+index 661e29e4..a438fbcc 100644
+--- a/support/misc/xstat.c
++++ b/support/misc/xstat.c
+@@ -51,6 +51,9 @@ statx_do_stat(int fd, const char *pathname, struct stat *statbuf, int flags)
+ 			statx_copy(statbuf, &stxbuf);
+ 			return 0;
+ 		}
++		/* glibc emulation doesn't support AT_STATX_DONT_SYNC */
++		if (errno == EINVAL)
++			errno = ENOSYS;
+ 		if (errno == ENOSYS)
+ 			statx_supported = 0;
+ 	} else
+-- 
+2.19.1
+
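Review bot: In statx_do_stat(), the added "if (errno == EINVAL) errno = ENOSYS;" treats every EINVAL from statx as "not supported", and the following check then clears statx_supported, so an EINVAL with any other cause also switches statx off. That matches the upstream change and is acceptable for a backport, but the in-code comment only mentions the glibc emulation case and the wider effect is worth a line in the commit message. Separately, "Upstream-Status: Backport" carries no commit URL or id, unlike the other patches in this series, and the patch file has no Signed-off-by from the person who did the backport; adding both keeps the patch traceable.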
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
index 7e80354..3ae8f96 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
            file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
            file://0001-Don-t-build-tools-with-CC_FOR_BUILD.patch \
            file://0001-Fix-include-order-between-config.h-and-stat.h.patch \
+           file://0001-Disable-statx-if-using-glibc-emulation.patch \
 "
 SRC_URI_append_libc-glibc = " file://0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch"
 SRC_URI_append_libc-musl = " file://nfs-utils-musl-res_querydomain.patch"
-- 
2.7.4



* [zeus][PATCH 5/9] e2fsprogs: fix CVE-2019-5188
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (3 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 4/9] nfs-utils: Disable statx if using glibc emulation Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 6/9] e2fsprogs: backport upstream patch Anuj Mittal
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

Also see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508

(From OE-Core rev: 09bdcef183d885025da6aa87a7c2bf7e8268774e)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...k-don-t-try-to-rehash-a-deleted-directory.patch | 49 +++++++++++++++++++
 .../e2fsprogs/e2fsprogs/CVE-2019-5188.patch        | 57 ++++++++++++++++++++++
 .../recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb |  2 +
 3 files changed, 108 insertions(+)
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
new file mode 100644
index 0000000..ba4e3a3
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,49 @@
+From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:45:06 -0500
+Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
+
+If directory has been deleted in pass1[bcd] processing, then we
+shouldn't try to rehash the directory in pass 3a when we try to
+rehash/reoptimize directories.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ e2fsck/pass1b.c | 4 ++++
+ e2fsck/rehash.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
+index 5693b9cf..bca701ca 100644
+--- a/e2fsck/pass1b.c
++++ b/e2fsck/pass1b.c
+@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
+ 		fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+ 	if (ctx->inode_bad_map)
+ 		ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
++	if (ctx->inode_reg_map)
++		ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
++	ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
++	ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+ 	ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+ 	quota_data_sub(ctx->qctx, &dp->inode, ino,
+ 		       pb.dup_blocks * fs->blocksize);
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index 3dd1e941..2c908be0 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
+ 			if (!ext2fs_u32_list_iterate(iter, &ino))
+ 				break;
+ 		}
++		if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
++			continue;
+ 
+ 		pctx.dir = ino;
+ 		if (first) {
+-- 
+2.24.1
+
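Review bot: In the delete_file() hunk, ctx->inode_reg_map is unmarked only after a null check, while ctx->inode_dir_map and ctx->inode_used_map are unmarked unconditionally. This mirrors upstream, but please confirm that both maps are always allocated at this point in 1.45.3, since the backport lands on an older base. The patch file also has no "CVE:" tag even though it is added by the commit titled "fix CVE-2019-5188"; if it is a companion fix rather than part of the CVE fix, say so in the patch header.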
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 0000000..de4bce0
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,57 @@
+From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:37:34 -0500
+Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
+ rehashing
+
+In e2fsck pass 3a, when we are rehashing directories, at least in
+theory, all of the directories should have had corruptions with
+respect to directory entry structure fixed.  However, it's possible
+(for example, if the user declined a fix) that we can reach this stage
+of processing with a corrupted directory entries.
+
+So check for that case and don't try to process a corrupted directory
+block so we don't run into trouble in mutate_name() if there is a
+zero-length file name.
+
+Addresses: TALOS-2019-0973
+Addresses: CVE-2019-5188
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+CVE: CVE-2019-5188
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
+---
+ e2fsck/rehash.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index a5fc1be1..3dd1e941 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
+ 		dir_offset += rec_len;
+ 		if (dirent->inode == 0)
+ 			continue;
++		if ((name_len) == 0) {
++			fd->err = EXT2_ET_DIR_CORRUPTED;
++			return BLOCK_ABORT;
++		}
+ 		if (!fd->compress && (name_len == 1) &&
+ 		    (dirent->name[0] == '.'))
+ 			continue;
+@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
+ 			continue;
+ 		}
+ 		new_len = ext2fs_dirent_name_len(ent->dir);
++		if (new_len == 0) {
++			 /* should never happen */
++			ext2fs_unmark_valid(fs);
++			continue;
++		}
+ 		memcpy(new_name, ent->dir->name, new_len);
+ 		mutate_name(new_name, &new_len);
+ 		for (j=0; j < fd->num_array; j++) {
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
index 14c05a4..2014e68 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
@@ -6,6 +6,8 @@ SRC_URI += "file://remove.ldconfig.call.patch \
             file://mkdir_p.patch \
             file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
             file://CVE-2019-5094.patch \
+            file://CVE-2019-5188.patch \
+            file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
             "
 
 SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
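Review bot: The commit message only links the Debian bug and does not say why two patches are added under a single CVE subject, nor that their order in SRC_URI matters. The inner index lines show CVE-2019-5188.patch taking e2fsck/rehash.c from a5fc1be1 to 3dd1e941 and 0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch taking it from 3dd1e941 to 2c908be0, so the order used here is the right one; a sentence stating that the second patch applies on top of the first would stop a later reorder from breaking do_patch.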
-- 
2.7.4



* [zeus][PATCH 6/9] e2fsprogs: backport upstream patch
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (4 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 5/9] e2fsprogs: fix CVE-2019-5188 Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 7/9] security_flags.inc: fix flags missing from SDK toolchain Anuj Mittal
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

Fixes a bug wherein a use after free could potentially be used to run
malicious code if a user can be tricked into running e2fsck on a
maliciously crafted file system.

Also see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948517

(From OE-Core rev: 23c1b157362609bd8d85c7d35e6c7f0f60c32c88)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...fsck-fix-use-after-free-in-calculate_tree.patch | 76 ++++++++++++++++++++++
 .../recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
new file mode 100644
index 0000000..342a2b8
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
@@ -0,0 +1,76 @@
+From: Wang Shilong <wshilong@ddn.com>
+Date: Mon, 30 Dec 2019 19:52:39 -0500
+Subject: e2fsck: fix use after free in calculate_tree()
+
+The problem is alloc_blocks() will call get_next_block() which might
+reallocate outdir->buf, and memory address could be changed after
+this.  To fix this, pointers that point into outdir->buf, such as
+int_limit and root need to be recaulated based on the new starting
+address of outdir->buf.
+
+[ Changed to correctly recalculate int_limit, and to optimize how we
+  reallocate outdir->buf.  -TYT ]
+
+Addresses-Debian-Bug: 948517
+Signed-off-by: Wang Shilong <wshilong@ddn.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+(cherry picked from commit 101e73e99ccafa0403fcb27dd7413033b587ca01)
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=101e73e99ccafa0403fcb27dd7413033b587ca01]
+---
+ e2fsck/rehash.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index 0a5888a9..2574e151 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -295,7 +295,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
+ 	errcode_t	retval;
+ 
+ 	if (outdir->num >= outdir->max) {
+-		retval = alloc_size_dir(fs, outdir, outdir->max + 50);
++		int increment = outdir->max / 10;
++
++		if (increment < 50)
++			increment = 50;
++		retval = alloc_size_dir(fs, outdir, outdir->max + increment);
+ 		if (retval)
+ 			return retval;
+ 	}
+@@ -637,6 +641,9 @@ static int alloc_blocks(ext2_filsys fs,
+ 	if (retval)
+ 		return retval;
+ 
++	/* outdir->buf might be reallocated */
++	*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
++
+ 	*next_ent = set_int_node(fs, block_start);
+ 	*limit = (struct ext2_dx_countlimit *)(*next_ent);
+ 	if (next_offset)
+@@ -726,6 +733,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
+ 					return retval;
+ 			}
+ 			if (c3 == 0) {
++				int delta1 = (char *)int_limit - outdir->buf;
++				int delta2 = (char *)root - outdir->buf;
++
+ 				retval = alloc_blocks(fs, &limit, &int_ent,
+ 						      &dx_ent, &int_offset,
+ 						      NULL, outdir, i, &c2,
+@@ -733,6 +743,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
+ 				if (retval)
+ 					return retval;
+ 
++				/* outdir->buf might be reallocated */
++				int_limit = (struct ext2_dx_countlimit *)
++					(outdir->buf + delta1);
++				root = (struct ext2_dx_entry *)
++					(outdir->buf + delta2);
+ 			}
+ 			dx_ent->block = ext2fs_cpu_to_le32(i);
+ 			if (c3 != limit->limit)
+-- 
+2.24.1
+
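Review bot: The patch header carries no "CVE:" tag and the commit subject is just "backport upstream patch", although the commit message describes a use after free that could potentially run malicious code from a crafted file system. If an identifier has been assigned, add the "CVE:" line to the patch header; if not, make the subject name the fix (use after free in calculate_tree) so that it can be found later. On the code, in calculate_tree() delta1 and delta2 are declared int but hold the result of a pointer subtraction such as "(char *)int_limit - outdir->buf"; ptrdiff_t is the natural type there. Keep it identical to upstream for the backport, but it is worth raising upstream.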
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
index 2014e68..f81defb 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
             file://CVE-2019-5094.patch \
             file://CVE-2019-5188.patch \
             file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
+            file://e2fsck-fix-use-after-free-in-calculate_tree.patch \
             "
 
 SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
-- 
2.7.4



* [zeus][PATCH 7/9] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (5 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 6/9] e2fsprogs: backport upstream patch Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 8/9] linux-yocto/4.19: update to v4.19.107 Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 9/9] wic/direct: reserve 2 sector for extended partition Anuj Mittal
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

From: Tom Hochstein <tom.hochstein@nxp.com>

The security flags were missing from the SDK toolchain
because they were added specifically to class-target.
Add them to class-cross-canadian as well (since the SDK environment
file is created from cross-canadian target flags).

Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
Signed-off-by: Antoine Manache <a.manache@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index aaf04e9..568d036 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
 
 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
 
 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
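
Review bot: the two added `_append_class-cross-canadian` lines carry no comment, so the reason they exist (the SDK environment file is created from the cross-canadian target flags, per the commit message) is not recorded in security_flags.inc itself. A one-line comment above them would keep a later cleanup from dropping them as apparent duplicates of the class-target lines. It is also worth confirming that the per-recipe exemptions visible in the context, such as `SECURITY_STRINGFORMAT_pn-gcc = ""` and `SECURITY_STACK_PROTECTOR_pn-glibc = ""`, still behave as intended now that the flags reach a second class, since those overrides are keyed on recipe name and not on class.
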
-- 
2.7.4



* [zeus][PATCH 8/9] linux-yocto/4.19: update to v4.19.107
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (6 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 7/9] security_flags.inc: fix flags missing from SDK toolchain Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  2020-03-26  8:53 ` [zeus][PATCH 9/9] wic/direct: reserve 2 sector for extended partition Anuj Mittal
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/4.19 to the latest korg -stable release that comprises
the following commits:

    16ae5406361a crypto: CVE-2019-18808
    a083db76118d Linux 4.19.107
    cfc30449bbc5 Revert "char/random: silence a lockdep splat with printk()"
    8541452acba5 s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range
    fee87e931cc5 xen: Enable interrupts when calling _cond_resched()
    28a73a946a46 ata: ahci: Add shutdown to freeze hardware resources of ahci
    43cac315bec1 rxrpc: Fix call RCU cleanup using non-bh-safe locks
    acbc5071f073 netfilter: xt_hashlimit: limit the max size of hashtable
    5a2972600a2f ALSA: seq: Fix concurrent access to queue current tick/time
    b105447809b1 ALSA: seq: Avoid concurrent access to queue flags
    63495d1e1c7c ALSA: rawmidi: Avoid bit fields for state flags
    bf3043d27755 bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
    3132696dd748 genirq/proc: Reject invalid affinity masks (again)
    ba2c07dfa0d8 iommu/vt-d: Fix compile warning from intel-svm.h
    c0965be4b28b ecryptfs: replace BUG_ON with error handling code
    1bae8f424c84 staging: greybus: use after free in gb_audio_manager_remove_all()
    568991c91849 staging: rtl8723bs: fix copy of overlapping memory
    f8e6a3412dc6 usb: dwc2: Fix in ISOC request length checking
    de8dbb7b02fa usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
    1cad1a6497ec scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
    c66b2b571211 scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
    b046c6fec04e Revert "dmaengine: imx-sdma: Fix memory leak"
    cd26d53a27d6 Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
    4d886f91ca13 btrfs: do not check delayed items are empty for single transaction cleanup
    68b7db197bf8 btrfs: reset fs_root to NULL on error in open_ctree
    0ba8e5f347b2 btrfs: fix bytes_may_use underflow in prealloc error condtition
    e541982a6e5f KVM: apic: avoid calculating pending eoi from an uninitialized val
    267eec2d216d KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1
    85dd0eb771e8 KVM: nVMX: Check IO instruction VM-exit conditions
    e5c0857bd5cc KVM: nVMX: Refactor IO bitmap checks into helper function
    8cf20fb73e73 ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
    48fdbe2a818d ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
    b7dc081c24db ext4: fix mount failure with quota configured as module
    50017cec3dbb ext4: fix potential race between s_flex_groups online resizing and access
    7720966a68c8 ext4: fix potential race between s_group_info online resizing and access
    cc9948abe47b ext4: fix potential race between online resizing and write operations
    38884609b8b5 ext4: add cond_resched() to __ext4_find_entry()
    9b6e90918bc0 ext4: fix a data race in EXT4_I(inode)->i_disksize
    0e3a6e86d43b drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets
    da3418ad747f lib/stackdepot.c: fix global out-of-bounds in stack_slabs
    56ad5b4b7405 tty: serial: qcom_geni_serial: Fix RX cancel command failure
    e6ebad85883d tty: serial: qcom_geni_serial: Remove xfer_mode variable
    4e438733f727 tty: serial: qcom_geni_serial: Remove set_rfr_wm() and related variables
    1cc8834773b2 tty: serial: qcom_geni_serial: Remove use of *_relaxed() and mb()
    4d1a94fa6d14 tty: serial: qcom_geni_serial: Remove interrupt storm
    0a38fd9326fd tty: serial: qcom_geni_serial: Fix UART hang
    fe1cfc645845 KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI
    ed9e97c35b45 KVM: nVMX: Don't emulate instructions in guest mode
    6ca274be314b xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
    8300ed5a2175 drm/amdgpu/soc15: fix xclk for raven
    837ba4829b9f mm/vmscan.c: don't round up scan size for online memory cgroup
    ea2a11561d01 genirq/irqdomain: Make sure all irq domain flags are distinct
    576c04cbbef2 nvme-multipath: Fix memory leak with ana_log_buf
    e75d2de90b86 mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
    cf85f00f87db Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
    af4693daff1b MAINTAINERS: Update drm/i915 bug filing URL
    c9ca2010202b serdev: ttyport: restore client ops on deregistration
    463a3db812d9 tty: serial: imx: setup the correct sg entry for tx dma
    6807593e8edc tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
    f4e6d51f3f40 serial: 8250: Check UPF_IRQ_SHARED in advance
    f28ec250579c x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
    5e5b443ae6cc x86/mce/amd: Fix kobject lifetime
    0a3aca3a0f41 x86/mce/amd: Publish the bank pointer only after setup has succeeded
    4512119ac90a jbd2: fix ocfs2 corrupt when clearing block group bits
    72e2df70fb52 powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
    e34182fb8a2f staging: rtl8723bs: Fix potential overuse of kernel memory
    e4770de3ae41 staging: rtl8723bs: Fix potential security hole
    b4eab56d96f1 staging: rtl8188eu: Fix potential overuse of kernel memory
    2a50bd9e2a69 staging: rtl8188eu: Fix potential security hole
    d59f6a6e35b7 usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields
    c787444891a4 usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows
    8cfda0c9c966 USB: hub: Fix the broken detection of USB3 device in SMSC hub
    37d2eb43b64c USB: hub: Don't record a connect-change event during reset-resume
    babaa26b7c1c USB: Fix novation SourceControl XL after suspend
    2debc1717cf2 usb: uas: fix a plug & unplug racing
    4db4761cfe15 USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
    63d176ed148a USB: core: add endpoint-blacklist quirk
    d74d5d042d42 usb: host: xhci: update event ring dequeue pointer on purpose
    2a2582dc62e9 xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2
    7c8cde41a0c3 xhci: fix runtime pm enabling for quirky Intel hosts
    dce60e7efa97 xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.

    <snip>

    c7f81d70d7ae ubifs: Fix default compression selection in ubifs
    3331e61b23b1 nvme: fix kernel paging oops
    2f99d478ddbd xfs: require both realtime inodes to mount
    b2d84967f076 bcache: do not mark writeback_running too early
    6f48e23888b9 bcache: do not check if debug dentry is ERR or NULL explicitly on remove
    c318f88411a8 rtl818x: fix potential use after free
    7cf86c89d7e4 brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373
    38b73129c113 brcmfmac: set F2 watermark to 256 for 4373
    6138e4b132cd mwifiex: debugfs: correct histogram spacing, formatting
    1450ff720076 mwifiex: fix potential NULL dereference and use after free
    4912b454e029 arm64: dts: renesas: draak: Fix CVBS input
    48d37cc42390 crypto: user - support incremental algorithm dumps
    43cd68d7002b s390/zcrypt: make sysfs reset attribute trigger queue reset
    5ac0da68eae1 nvme: provide fallback for discard alloc failure
    d702d7bc7eb4 scsi: qla2xxx: Fix for FC-NVMe discovery for NPIV port
    78777dd6174e scsi: qla2xxx: Fix NPIV handling for FC-NVMe
    58ab95b03497 scsi: lpfc: Enable Management features for IF_TYPE=6
    e772949a3fd6 ACPI / LPSS: Ignore acpi_device_fix_up_power() return value
    d411bd858447 ARM: ks8695: fix section mismatch warning
    22227437ca68 xfs: zero length symlinks are not valid
    4d54a7969524 PM / AVS: SmartReflex: NULL check before some freeing functions is not needed
    d2e3e3c3c14b RDMA/vmw_pvrdma: Use atomic memory allocation in create AH
    64694b276d74 arm64: preempt: Fix big-endian when checking preempt count in assembly
    2ec103458855 RDMA/hns: Fix the bug while use multi-hop of pbl
    60da6da4b511 ARM: OMAP1: fix USB configuration for device-only setups
    0086d127f90d platform/x86: mlx-platform: Fix LED configuration
    08d8ab9615c5 bus: ti-sysc: Check for no-reset and no-idle flags at the child level
    4b40393b5240 arm64: smp: Handle errors reported by the firmware
    e3d27b94111b arm64: mm: Prevent mismatched 52-bit VA support
    57f3359cdabe ARM: dts: Fix hsi gdd range for omap4
    9b1f6bde17d6 parisc: Fix HP SDC hpa address output
    d18f228f504e parisc: Fix serio address output
    72a50a1e1c65 ARM: dts: imx53-voipac-dmm-668: Fix memory node duplication
    bf39f5b323eb ARM: dts: imx25: Fix memory node duplication
    d2eb50e57a5c ARM: dts: imx27: Fix memory node duplication
    54750b6f6671 ARM: dts: imx1: Fix memory node duplication
    6aeb6bd0eda6 ARM: dts: imx23: Fix memory node duplication
    1694780bd4ca ARM: dts: imx50: Fix memory node duplication
    2442b4c0f30a ARM: dts: imx6sl: Fix memory node duplication
    bae011f4c9a4 ARM: dts: imx6sx: Fix memory node duplication
    0990926c9395 ARM: dts: imx6ul: Fix memory node duplication
    e021f0ccc4fa ARM: dts: imx7: Fix memory node duplication
    a90469345b26 ARM: dts: imx35: Fix memory node duplication
    6bc1e695b4be ARM: dts: imx31: Fix memory node duplication
    ca02e14bdd7f ARM: dts: imx53: Fix memory node duplication
    5a1e6f95733c ARM: dts: imx51: Fix memory node duplication
    8c0c8c2a80b2 ARM: debug-imx: only define DEBUG_IMX_UART_PORT if needed
    dee3f7703207 tracing: Lock event_mutex before synth_event_mutex
    67547b9b4660 ARM: dts: Fix up SQ201 flash access
    ee6d2bedb400 scsi: lpfc: Fix dif and first burst use in write commands
    20feb7333049 scsi: lpfc: Fix kernel Oops due to null pring pointers
    a8c0f6334e56 scsi: target/tcmu: Fix queue_cmd_ring() declaration
    480233f89d42 pwm: bcm-iproc: Prevent unloading the driver module while in use
    27d22db4ccf1 block: drbd: remove a stray unlock in __drbd_send_protocol()
    51a564498cfb mac80211: fix station inactive_time shortly after boot
    b707e0da2791 net/fq_impl: Switch to kvmalloc() for memory allocation
    a8a61f82cc9f ceph: return -EINVAL if given fsc mount option on kernel w/o support
    0f716cda304b net: mscc: ocelot: fix __ocelot_rmw_ix prototype
    a30c6e424fdd net: bcmgenet: reapply manual settings to the PHY
    acd6a29134f0 net: bcmgenet: use RGMII loopback for MAC reset
    ff3f7465ee98 scripts/gdb: fix debugging modules compiled with hot/cold partitioning
    22f4892950b2 ASoC: stm32: sai: add restriction on mmap support
    3f034e6889e7 watchdog: meson: Fix the wrong value of left time
    7302e7b10855 can: mcp251x: mcp251x_restart_work_handler(): Fix potential force_quit race condition
    24e10fc2e0db can: flexcan: increase error counters if skb enqueueing via can_rx_offload_queue_sorted() fails
    ee7981538293 can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error
    5c8f5485614c can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error
    eca4b786f3bb can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors
    a85ce0107d6b can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM
    b83d4e4899d6 can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max
    77f94f0d7f52 can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak
    66e21b7b9251 can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open
    7559e68ca91f can: peak_usb: report bus recovery as well
    c5b0bbef4367 bridge: ebtables: don't crash when using dnat target in output chains
    2070b33ee987 net: fec: add missed clk_disable_unprepare in remove
    28f34294442b clk: ti: clkctrl: Fix failed to enable error with double udelay timeout
    cb5a4049608c clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call
    1677a0e54937 x86/resctrl: Prevent NULL pointer dereference when reading mondata
    8ef58b82d1e4 idr: Fix idr_alloc_u32 on 32-bit systems
    88358c7610cc idr: Fix integer overflow in idr_for_each_entry
    a6359d5e2d98 powerpc/bpf: Fix tail call implementation
    4665759af735 samples/bpf: fix build by setting HAVE_ATTR_TEST to zero
    40c3b8fc47b3 ARM: dts: sun8i-a83t-tbs-a711: Fix WiFi resume from suspend
    40017db20bfa clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18
    49ade064ea4b clk: sunxi: Fix operator precedence in sunxi_divs_clk_setup
    15fc2f3c64e7 clk: at91: avoid sleeping early
    8885552a061b reset: fix reset_control_ops kerneldoc comment
    a94913c0c8cf ARM: dts: imx6qdl-sabreauto: Fix storm of accelerometer interrupts
    5b15b1bf5428 pinctrl: cherryview: Allocate IRQ chip dynamic
    a0554203bc12 clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume
    80e28fa256c9 ASoC: kirkwood: fix device remove ordering
    6a7472add344 ASoC: kirkwood: fix external clock probe defer
    a2c2cf16b059 clk: samsung: exynos5433: Fix error paths
    9a5933aa1242 reset: Fix memory leak in reset_control_array_put()
    e8eb6233be9a ASoC: compress: fix unsigned integer overflow check
    7971b7fd5623 ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX
    daa2c4030510 clocksource/drivers/mediatek: Fix error handling
    9c65bb9518ea clk: meson: gxbb: let sar_adc_clk_div set the parent clock rate

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb   |  6 +++---
 meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb |  8 ++++----
 meta/recipes-kernel/linux/linux-yocto_4.19.bb      | 20 ++++++++++----------
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
index b6e0a1e..93c4472 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "2fbf678238302f33b3aec5a2cba829f260744f24"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine ?= "40e34fdcb540e35b1a97e8e52c11dfe52bd68b16"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
index e2626ab..76b2467 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "bd239fb802a15c2759ea456dd1f09f5e106fc88a"
-SRCREV_machine ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine_qemuarm ?= "e2c947b59c650f2aa2f0f88d6af90f9dfb336e04"
+SRCREV_machine ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.19.bb b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
index c6e482a..6e3b00e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86  ?= "v4.19/standard/base"
 KBRANCH_qemux86-64 ?= "v4.19/standard/base"
 KBRANCH_qemumips64 ?= "v4.19/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "19fa1657d1d82d01647c6f73a2bbf39305505294"
-SRCREV_machine_qemuarm64 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemumips ?= "8fb7ab96b84852ee3d9e1d9d9e7bc35e1249b653"
-SRCREV_machine_qemuppc ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemux86 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemux86-64 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemumips64 ?= "c8a036abd7d469013dddab15a23e0d2dde1d0000"
-SRCREV_machine ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine_qemuarm ?= "c8b87f4d12eb957d8a95442a928ef4820037bb55"
+SRCREV_machine_qemuarm64 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemumips ?= "94f102eaca76ffdcc3d47ea94b47486d7157c531"
+SRCREV_machine_qemuppc ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemux86 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemux86-64 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemumips64 ?= "98288b7e79bc8130c2a889d763c9c1aa15ff4939"
+SRCREV_machine ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA} \
           "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
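
Review bot: only the revision used for `SRCREV_machine`, `SRCREV_machine_qemuarm64`, `SRCREV_machine_qemuppc`, `SRCREV_machine_qemux86` and `SRCREV_machine_qemux86-64` (16ae5406361a...) can be matched to the commit list in the message, where it is the first entry; the new `SRCREV_machine_qemuarm`, `SRCREV_machine_qemumips` and `SRCREV_machine_qemumips64` values do not appear in the visible list. A sentence in the commit message saying what those three revisions are would let a reviewer confirm that every machine picks up the same -stable fixes, including the CVE-2019-18808 change, before `LINUX_VERSION` is set to 4.19.107 for all of them.
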
-- 
2.7.4



* [zeus][PATCH 9/9] wic/direct: reserve 2 sector for extended partition
  2020-03-26  8:53 [zeus][PATCH 0/9] zeus review Anuj Mittal
                   ` (7 preceding siblings ...)
  2020-03-26  8:53 ` [zeus][PATCH 8/9] linux-yocto/4.19: update to v4.19.107 Anuj Mittal
@ 2020-03-26  8:53 ` Anuj Mittal
  8 siblings, 0 replies; 10+ messages in thread
From: Anuj Mittal @ 2020-03-26  8:53 UTC (permalink / raw)
  To: openembedded-core

From: Chee Yang Lee <chee.yang.lee@intel.com>

An extended partition should reserve at least 2 unallocated sectors
between the start of the extended partition and the start of a
logical partition.

[YOCTO #13658]

(From OE-Core rev: 884c8a0e50a49bdca5e048197a9dc0ff37cc8d1a)

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 590555e3b8ccbd94b628aa6778adea7f4538d966)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 scripts/lib/wic/plugins/imager/direct.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 2441cc3..5148df2 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -403,7 +403,7 @@ class PartitionedImage():
                 # Reserve a sector for EBR for every logical partition
                 # before alignment is performed.
                 if part.type == 'logical':
-                    self.offset += 1
+                    self.offset += 2
 
             align_sectors = 0
             if part.align:
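
Review bot: the context comment above the changed line still reads "Reserve a sector for EBR for every logical partition", but `self.offset += 2` now reserves two. Update the comment in the same change and state why two are needed, which the commit message already explains (at least 2 unallocated sectors between the start of the extended partition and the start of a logical partition).
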
@@ -446,7 +446,7 @@ class PartitionedImage():
                         self.extendedpart = part.num
                     else:
                         self.extended_size_sec += align_sectors
-                    self.extended_size_sec += part.size_sec + 1
+                    self.extended_size_sec += part.size_sec + 2
                 else:
                     self.primary_part_num += 1
                     part.num = self.primary_part_num
@@ -512,7 +512,7 @@ class PartitionedImage():
                 # add a sector at the back, so that there is enough
                 # room for all logical partitions.
                 self._create_partition(self.path, "extended",
-                                       None, part.start - 1,
+                                       None, part.start - 2,
                                        self.extended_size_sec)
 
             if part.fstype == "swap":
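
Review bot: `part.start - 2` is only correct while it matches the `self.offset += 2` and `part.size_sec + 2` in the two earlier hunks, and the value is now hard-coded in three places. A single named constant on `PartitionedImage` used in all three would keep the layout arithmetic from drifting apart, since a mismatch would produce an inconsistent partition table. The context comment "add a sector at the back" is also worth rechecking against the new per-partition reservation.
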
-- 
2.7.4

