[OE-core][dunfell 00/10] Patch review

[OE-core][dunfell 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5542

The following changes since commit 2aa82324d43467e7c8bfbbb59570ee3306264b75:

  systemd-systemctl: support instance expansion in WantedBy (2023-06-19 06:23:31 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ashish Sharma (1):
  go: Backport fix CVE-2023-29405

Bruce Ashfield (5):
  linux-yocto/5.4: update to v5.4.246
  linux-yocto/5.4: update to v5.4.247
  linux-yocto/5.4: update to v5.4.248
  linux-yocto-rt/54: fix 5.4-rt build breakage
  linux-yocto/5.4: cfg: fix DECNET configuration warning

Hitendra Prajapati (1):
  go: fix CVE-2023-29402 & CVE-2023-29404

Ross Burton (1):
  ninja: Whitelist CVE-2021-4336, wrong ninja

Vijay Anusuri (2):
  libjpeg-turbo: CVE-2020-35538 Null pointer dereference in
    jcopy_sample_rows() function
  libcap: backport Debian patches to fix CVE-2023-2602 and CVE-2023-2603

 meta/recipes-devtools/go/go-1.14.inc          |   4 +
 .../go/go-1.14/CVE-2023-29402.patch           | 201 ++++++++
 .../go/go-1.14/CVE-2023-29404.patch           |  84 ++++
 .../go/go-1.14/CVE-2023-29405-1.patch         | 112 +++++
 .../go/go-1.14/CVE-2023-29405-2.patch         |  38 ++
 meta/recipes-devtools/ninja/ninja_1.10.0.bb   |   3 +
 .../jpeg/files/CVE-2020-35538-1.patch         | 457 ++++++++++++++++++
 .../jpeg/files/CVE-2020-35538-2.patch         | 400 +++++++++++++++
 .../jpeg/libjpeg-turbo_2.0.4.bb               |   2 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../libcap/files/CVE-2023-2602.patch          |  52 ++
 .../libcap/files/CVE-2023-2603.patch          |  58 +++
 meta/recipes-support/libcap/libcap_2.32.bb    |   2 +
 15 files changed, 1431 insertions(+), 18 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
 create mode 100644 meta/recipes-support/libcap/files/CVE-2023-2602.patch
 create mode 100644 meta/recipes-support/libcap/files/CVE-2023-2603.patch

-- 
2.34.1

[OE-core][dunfell 01/10] libjpeg-turbo: CVE-2020-35538 Null pointer dereference in jcopy_sample_rows() function

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30
&
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../jpeg/files/CVE-2020-35538-1.patch         | 457 ++++++++++++++++++
 .../jpeg/files/CVE-2020-35538-2.patch         | 400 +++++++++++++++
 .../jpeg/libjpeg-turbo_2.0.4.bb               |   2 +
 3 files changed, 859 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
new file mode 100644
index 0000000000..8a52ed01e9
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
@@ -0,0 +1,457 @@
+From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 23 Jul 2020 21:24:38 -0500
+Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp
+
+The additional segfault mentioned in #244 was due to the fact that
+the merged upsamplers use a different private structure than the
+non-merged upsamplers.  jpeg_skip_scanlines() was assuming the latter, so
+when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one
+of the IDCT method pointers in the merged upsampler's private structure.
+
+For reasons unknown, the test image in #441 did not encounter this
+segfault (too small?), but it encountered an issue similar to the one
+fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was
+necessary to set up a dummy postprocessing function in
+read_and_discard_scanlines() when merged upsampling was enabled.
+Failing to do so caused either a segfault in merged_2v_upsample() (due
+to a NULL pointer being passed to jcopy_sample_rows()) or an error
+("Corrupt JPEG data: premature end of data segment"), depending on the
+number of scanlines skipped and whether the first scanline skipped was
+an odd- or even-numbered row.
+
+Fixes #441
+Fixes #244 (for real this time)
+
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30]
+CVE: CVE-2020-35538
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ChangeLog.md |  7 +++++
+ jdapistd.c   | 72 ++++++++++++++++++++++++++++++++++++++++++++++------
+ jdmerge.c    | 46 +++++++--------------------------
+ jdmerge.h    | 47 ++++++++++++++++++++++++++++++++++
+ jdmrg565.c   | 10 ++++----
+ jdmrgext.c   |  6 ++---
+ 6 files changed, 135 insertions(+), 53 deletions(-)
+ create mode 100644 jdmerge.h
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 2ebfe71..19d18fa 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -54,6 +54,13 @@ a 16-bit binary PGM file into an RGB image buffer.
+ generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+ file into an extended RGB image buffer.
+ 
++2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
++in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
++images using the merged (non-fancy) upsampling algorithms (that is, when
++setting `cinfo.do_fancy_upsampling` to `FALSE`.)  2.0.0[6] was a similar fix,
++but it did not cover all cases.
++
++
+ 2.0.3
+ =====
+ 
+diff --git a/jdapistd.c b/jdapistd.c
+index 2c808fa..91da642 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+@@ -21,6 +21,8 @@
+ #include "jinclude.h"
+ #include "jdmainct.h"
+ #include "jdcoefct.h"
++#include "jdmaster.h"
++#include "jdmerge.h"
+ #include "jdsample.h"
+ #include "jmemsys.h"
+ 
+@@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ }
+ 
+ 
++/* Dummy postprocessing function used by jpeg_skip_scanlines() */
++LOCAL(void)
++noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++                   JDIMENSION *in_row_group_ctr,
++                   JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
++                   JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
++{
++}
++
++
+ /*
+  * In some cases, it is best to call jpeg_read_scanlines() and discard the
+  * output, rather than skipping the scanlines, because this allows us to
+@@ -316,11 +328,17 @@ LOCAL(void)
+ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+   JDIMENSION n;
++  my_master_ptr master = (my_master_ptr)cinfo->master;
+   void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                          JDIMENSION input_row, JSAMPARRAY output_buf,
+                          int num_rows) = NULL;
+   void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+                           JSAMPARRAY output_buf, int num_rows) = NULL;
++  void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++                             JDIMENSION *in_row_group_ctr,
++                             JDIMENSION in_row_groups_avail,
++                             JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
++                             JDIMENSION out_rows_avail) = NULL;
+ 
+   if (cinfo->cconvert && cinfo->cconvert->color_convert) {
+     color_convert = cinfo->cconvert->color_convert;
+@@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+     cinfo->cquantize->color_quantize = noop_quantize;
+   }
+ 
++  if (master->using_merged_upsample && cinfo->post &&
++      cinfo->post->post_process_data) {
++    post_process_data = cinfo->post->post_process_data;
++    cinfo->post->post_process_data = noop_post_process;
++  }
++
+   for (n = 0; n < num_lines; n++)
+     jpeg_read_scanlines(cinfo, NULL, 1);
+ 
+@@ -340,6 +364,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ 
+   if (color_quantize)
+     cinfo->cquantize->color_quantize = color_quantize;
++
++  if (post_process_data)
++    cinfo->post->post_process_data = post_process_data;
+ }
+ 
+ 
+@@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+   my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
+   my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_master_ptr master = (my_master_ptr)cinfo->master;
+   JDIMENSION i, x;
+   int y;
+   JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
+@@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+     main_ptr->buffer_full = FALSE;
+     main_ptr->rowgroup_ctr = 0;
+     main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
+-    upsample->next_row_out = cinfo->max_v_samp_factor;
+-    upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    if (master->using_merged_upsample) {
++      my_merged_upsample_ptr upsample =
++        (my_merged_upsample_ptr)cinfo->upsample;
++      upsample->spare_full = FALSE;
++      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    } else {
++      my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++      upsample->next_row_out = cinfo->max_v_samp_factor;
++      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    }
+   }
+ 
+   /* Skipping is much simpler when context rows are not required. */
+@@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+       cinfo->output_scanline += lines_left_in_iMCU_row;
+       main_ptr->buffer_full = FALSE;
+       main_ptr->rowgroup_ctr = 0;
+-      upsample->next_row_out = cinfo->max_v_samp_factor;
+-      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++      if (master->using_merged_upsample) {
++        my_merged_upsample_ptr upsample =
++          (my_merged_upsample_ptr)cinfo->upsample;
++        upsample->spare_full = FALSE;
++        upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++      } else {
++        my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++        upsample->next_row_out = cinfo->max_v_samp_factor;
++        upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++      }
+     }
+   }
+ 
+@@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+       cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
+       increment_simple_rowgroup_ctr(cinfo, lines_to_read);
+     }
+-    upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    if (master->using_merged_upsample) {
++      my_merged_upsample_ptr upsample =
++        (my_merged_upsample_ptr)cinfo->upsample;
++      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    } else {
++      my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++    }
+     return num_lines;
+   }
+ 
+@@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+    * bit odd, since "rows_to_go" seems to be redundantly keeping track of
+    * output_scanline.
+    */
+-  upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++  if (master->using_merged_upsample) {
++    my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++    upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++  } else {
++    my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++    upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++  }
+ 
+   /* Always skip the requested number of lines. */
+   return num_lines;
+diff --git a/jdmerge.c b/jdmerge.c
+index dff5a35..833ad67 100644
+--- a/jdmerge.c
++++ b/jdmerge.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+  * Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
+- * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+@@ -40,41 +40,13 @@
+ #define JPEG_INTERNALS
+ #include "jinclude.h"
+ #include "jpeglib.h"
++#include "jdmerge.h"
+ #include "jsimd.h"
+ #include "jconfigint.h"
+ 
+ #ifdef UPSAMPLE_MERGING_SUPPORTED
+ 
+ 
+-/* Private subobject */
+-
+-typedef struct {
+-  struct jpeg_upsampler pub;    /* public fields */
+-
+-  /* Pointer to routine to do actual upsampling/conversion of one row group */
+-  void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+-                    JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
+-
+-  /* Private state for YCC->RGB conversion */
+-  int *Cr_r_tab;                /* => table for Cr to R conversion */
+-  int *Cb_b_tab;                /* => table for Cb to B conversion */
+-  JLONG *Cr_g_tab;              /* => table for Cr to G conversion */
+-  JLONG *Cb_g_tab;              /* => table for Cb to G conversion */
+-
+-  /* For 2:1 vertical sampling, we produce two output rows at a time.
+-   * We need a "spare" row buffer to hold the second output row if the
+-   * application provides just a one-row buffer; we also use the spare
+-   * to discard the dummy last row if the image height is odd.
+-   */
+-  JSAMPROW spare_row;
+-  boolean spare_full;           /* T if spare buffer is occupied */
+-
+-  JDIMENSION out_row_width;     /* samples per output row */
+-  JDIMENSION rows_to_go;        /* counts rows remaining in image */
+-} my_upsampler;
+-
+-typedef my_upsampler *my_upsample_ptr;
+-
+ #define SCALEBITS       16      /* speediest right-shift on some machines */
+ #define ONE_HALF        ((JLONG)1 << (SCALEBITS - 1))
+ #define FIX(x)          ((JLONG)((x) * (1L << SCALEBITS) + 0.5))
+@@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr;
+ LOCAL(void)
+ build_ycc_rgb_table(j_decompress_ptr cinfo)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   int i;
+   JLONG x;
+   SHIFT_TEMPS
+@@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo)
+ METHODDEF(void)
+ start_pass_merged_upsample(j_decompress_ptr cinfo)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ 
+   /* Mark the spare buffer empty */
+   upsample->spare_full = FALSE;
+@@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                    JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+ /* 2:1 vertical sampling case: may need a spare row. */
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   JSAMPROW work_ptrs[2];
+   JDIMENSION num_rows;          /* number of rows returned to caller */
+ 
+@@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                    JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+ /* 1:1 vertical sampling case: much easier, never need a spare row. */
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ 
+   /* Just do the upsampling. */
+   (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr,
+@@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ GLOBAL(void)
+ jinit_merged_upsampler(j_decompress_ptr cinfo)
+ {
+-  my_upsample_ptr upsample;
++  my_merged_upsample_ptr upsample;
+ 
+-  upsample = (my_upsample_ptr)
++  upsample = (my_merged_upsample_ptr)
+     (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-                                sizeof(my_upsampler));
++                                sizeof(my_merged_upsampler));
+   cinfo->upsample = (struct jpeg_upsampler *)upsample;
+   upsample->pub.start_pass = start_pass_merged_upsample;
+   upsample->pub.need_context_rows = FALSE;
+diff --git a/jdmerge.h b/jdmerge.h
+new file mode 100644
+index 0000000..b583396
+--- /dev/null
++++ b/jdmerge.h
+@@ -0,0 +1,47 @@
++/*
++ * jdmerge.h
++ *
++ * This file was part of the Independent JPEG Group's software:
++ * Copyright (C) 1994-1996, Thomas G. Lane.
++ * libjpeg-turbo Modifications:
++ * Copyright (C) 2020, D. R. Commander.
++ * For conditions of distribution and use, see the accompanying README.ijg
++ * file.
++ */
++
++#define JPEG_INTERNALS
++#include "jpeglib.h"
++
++#ifdef UPSAMPLE_MERGING_SUPPORTED
++
++
++/* Private subobject */
++
++typedef struct {
++  struct jpeg_upsampler pub;    /* public fields */
++
++  /* Pointer to routine to do actual upsampling/conversion of one row group */
++  void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++                    JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
++
++  /* Private state for YCC->RGB conversion */
++  int *Cr_r_tab;                /* => table for Cr to R conversion */
++  int *Cb_b_tab;                /* => table for Cb to B conversion */
++  JLONG *Cr_g_tab;              /* => table for Cr to G conversion */
++  JLONG *Cb_g_tab;              /* => table for Cb to G conversion */
++
++  /* For 2:1 vertical sampling, we produce two output rows at a time.
++   * We need a "spare" row buffer to hold the second output row if the
++   * application provides just a one-row buffer; we also use the spare
++   * to discard the dummy last row if the image height is odd.
++   */
++  JSAMPROW spare_row;
++  boolean spare_full;           /* T if spare buffer is occupied */
++
++  JDIMENSION out_row_width;     /* samples per output row */
++  JDIMENSION rows_to_go;        /* counts rows remaining in image */
++} my_merged_upsampler;
++
++typedef my_merged_upsampler *my_merged_upsample_ptr;
++
++#endif /* UPSAMPLE_MERGING_SUPPORTED */
+diff --git a/jdmrg565.c b/jdmrg565.c
+index 1b87e37..53f1e16 100644
+--- a/jdmrg565.c
++++ b/jdmrg565.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+  * Copyright (C) 2013, Linaro Limited.
+- * Copyright (C) 2014-2015, 2018, D. R. Commander.
++ * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                                   JDIMENSION in_row_group_ctr,
+                                   JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr;
+@@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo,
+                                    JDIMENSION in_row_group_ctr,
+                                    JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr;
+@@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                                   JDIMENSION in_row_group_ctr,
+                                   JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr0, outptr1;
+@@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo,
+                                    JDIMENSION in_row_group_ctr,
+                                    JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr0, outptr1;
+diff --git a/jdmrgext.c b/jdmrgext.c
+index b1c27df..c9a44d8 100644
+--- a/jdmrgext.c
++++ b/jdmrgext.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2011, 2015, D. R. Commander.
++ * Copyright (C) 2011, 2015, 2020, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                               JDIMENSION in_row_group_ctr,
+                               JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr;
+@@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                               JDIMENSION in_row_group_ctr,
+                               JSAMPARRAY output_buf)
+ {
+-  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++  my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+   register int y, cred, cgreen, cblue;
+   int cb, cr;
+   register JSAMPROW outptr0, outptr1;
+-- 
+2.25.1
+
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
new file mode 100644
index 0000000000..f86175dff0
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
@@ -0,0 +1,400 @@
+From a46c111d9f3642f0ef3819e7298846ccc61869e0 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Mon, 27 Jul 2020 14:21:23 -0500
+Subject: [PATCH] Further jpeg_skip_scanlines() fixes
+
+- Introduce a partial image decompression regression test script that
+  validates the correctness of jpeg_skip_scanlines() and
+  jpeg_crop_scanlines() for a variety of cropping regions and libjpeg
+  settings.
+
+  This regression test catches the following issues:
+  #182, fixed in 5bc43c7
+  #237, fixed in 6e95c08
+  #244, fixed in 398c1e9
+  #441, fully fixed in this commit
+
+  It does not catch the following issues:
+  #194, fixed in 773040f
+  #244 (additional segfault), fixed in
+       9120a24
+
+- Modify the libjpeg-turbo regression test suite (make test) so that it
+  checks for the issue reported in #441 (segfault in
+  jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color
+  conversion.)
+
+- Fix issues in jpeg_skip_scanlines() that caused incorrect output with
+  h2v2 (4:2:0) merged upsampling/color conversion.  The previous commit
+  fixed the segfault reported in #441, but that was a symptom of a
+  larger problem.  Because merged 4:2:0 upsampling uses a "spare row"
+  buffer, it is necessary to allow the upsampler to run when skipping
+  rows (fancy 4:2:0 upsampling, which uses context rows, also requires
+  this.)  Otherwise, if skipping starts at an odd-numbered row, the
+  output image will be incorrect.
+
+- Throw an error if jpeg_skip_scanlines() is called with two-pass color
+  quantization enabled.  With two-pass color quantization, the first
+  pass occurs within jpeg_start_decompress(), so subsequent calls to
+  jpeg_skip_scanlines() interfere with the multipass state and prevent
+  the second pass from occurring during subsequent calls to
+  jpeg_read_scanlines().
+
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0]
+CVE: CVE-2020-35538
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CMakeLists.txt |  9 +++--
+ ChangeLog.md   | 15 +++++---
+ croptest.in    | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ jdapistd.c     | 70 +++++++++++--------------------------
+ libjpeg.txt    |  6 ++--
+ 5 files changed, 136 insertions(+), 59 deletions(-)
+ create mode 100755 croptest.in
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index aee74c9..de451f4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -753,7 +753,7 @@ else()
+   set(MD5_PPM_3x2_IFAST fd283664b3b49127984af0a7f118fccd)
+   set(MD5_JPEG_420_ISLOW_ARI e986fb0a637a8d833d96e8a6d6d84ea1)
+   set(MD5_JPEG_444_ISLOW_PROGARI 0a8f1c8f66e113c3cf635df0a475a617)
+-  set(MD5_PPM_420M_IFAST_ARI 72b59a99bcf1de24c5b27d151bde2437)
++  set(MD5_PPM_420M_IFAST_ARI 57251da28a35b46eecb7177d82d10e0e)
+   set(MD5_JPEG_420_ISLOW 9a68f56bc76e466aa7e52f415d0f4a5f)
+   set(MD5_PPM_420M_ISLOW_2_1 9f9de8c0612f8d06869b960b05abf9c9)
+   set(MD5_PPM_420M_ISLOW_15_8 b6875bc070720b899566cc06459b63b7)
+@@ -1131,7 +1131,7 @@ foreach(libtype ${TEST_LIBTYPES})
+ 
+   if(WITH_ARITH_DEC)
+     # CC: RGB->YCC  SAMP: h2v2 merged  IDCT: ifast  ENT: arith
+-    add_bittest(djpeg 420m-ifast-ari "-fast;-ppm"
++    add_bittest(djpeg 420m-ifast-ari "-fast;-skip;1,20;-ppm"
+       testout_420m_ifast_ari.ppm ${TESTIMAGES}/testimgari.jpg
+       ${MD5_PPM_420M_IFAST_ARI})
+ 
+@@ -1266,6 +1266,11 @@ endforeach()
+ add_custom_target(testclean COMMAND ${CMAKE_COMMAND} -P
+   ${CMAKE_CURRENT_SOURCE_DIR}/cmakescripts/testclean.cmake)
+ 
++configure_file(croptest.in croptest @ONLY)
++add_custom_target(croptest
++  COMMAND echo croptest
++  COMMAND ${BASH} ${CMAKE_CURRENT_BINARY_DIR}/croptest)
++
+ if(WITH_TURBOJPEG)
+   configure_file(tjbenchtest.in tjbenchtest @ONLY)
+   configure_file(tjexampletest.in tjexampletest @ONLY)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 19d18fa..4562eff 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -54,11 +54,16 @@ a 16-bit binary PGM file into an RGB image buffer.
+ generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+ file into an extended RGB image buffer.
+ 
+-2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
+-in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
+-images using the merged (non-fancy) upsampling algorithms (that is, when
+-setting `cinfo.do_fancy_upsampling` to `FALSE`.)  2.0.0[6] was a similar fix,
+-but it did not cover all cases.
++2. Fixed or worked around multiple issues with `jpeg_skip_scanlines()`:
++
++     - Fixed segfaults or "Corrupt JPEG data: premature end of data segment"
++errors in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or
++4:2:0 JPEG images using merged (non-fancy) upsampling/color conversion (that
++is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.)  2.0.0[6] was a
++similar fix, but it did not cover all cases.
++     - `jpeg_skip_scanlines()` now throws an error if two-pass color
++quantization is enabled.  Two-pass color quantization never worked properly
++with `jpeg_skip_scanlines()`, and the issues could not readily be fixed.
+ 
+ 
+ 2.0.3
+diff --git a/croptest.in b/croptest.in
+new file mode 100755
+index 0000000..7e3c293
+--- /dev/null
++++ b/croptest.in
+@@ -0,0 +1,95 @@
++#!/bin/bash
++
++set -u
++set -e
++trap onexit INT
++trap onexit TERM
++trap onexit EXIT
++
++onexit()
++{
++	if [ -d $OUTDIR ]; then
++		rm -rf $OUTDIR
++	fi
++}
++
++runme()
++{
++	echo \*\*\* $*
++	$*
++}
++
++IMAGE=vgl_6548_0026a.bmp
++WIDTH=128
++HEIGHT=95
++IMGDIR=@CMAKE_CURRENT_SOURCE_DIR@/testimages
++OUTDIR=`mktemp -d /tmp/__croptest_output.XXXXXX`
++EXEDIR=@CMAKE_CURRENT_BINARY_DIR@
++
++if [ -d $OUTDIR ]; then
++	rm -rf $OUTDIR
++fi
++mkdir -p $OUTDIR
++
++exec >$EXEDIR/croptest.log
++
++echo "============================================================"
++echo "$IMAGE ($WIDTH x $HEIGHT)"
++echo "============================================================"
++echo
++
++for PROGARG in "" -progressive; do
++
++	cp $IMGDIR/$IMAGE $OUTDIR
++	basename=`basename $IMAGE .bmp`
++	echo "------------------------------------------------------------"
++	echo "Generating test images"
++	echo "------------------------------------------------------------"
++	echo
++	runme $EXEDIR/cjpeg $PROGARG -grayscale -outfile $OUTDIR/${basename}_GRAY.jpg $IMGDIR/${basename}.bmp
++	runme $EXEDIR/cjpeg $PROGARG -sample 2x2 -outfile $OUTDIR/${basename}_420.jpg $IMGDIR/${basename}.bmp
++	runme $EXEDIR/cjpeg $PROGARG -sample 2x1 -outfile $OUTDIR/${basename}_422.jpg $IMGDIR/${basename}.bmp
++	runme $EXEDIR/cjpeg $PROGARG -sample 1x2 -outfile $OUTDIR/${basename}_440.jpg $IMGDIR/${basename}.bmp
++	runme $EXEDIR/cjpeg $PROGARG -sample 1x1 -outfile $OUTDIR/${basename}_444.jpg $IMGDIR/${basename}.bmp
++	echo
++
++	for NSARG in "" -nosmooth; do
++
++		for COLORSARG in "" "-colors 256 -dither none -onepass"; do
++
++			for Y in {0..16}; do
++
++				for H in {1..16}; do
++
++					X=$(( (Y*16)%128 ))
++					W=$(( WIDTH-X-7 ))
++					if [ $Y -le 15 ]; then
++						CROPSPEC="${W}x${H}+${X}+${Y}"
++					else
++						Y2=$(( HEIGHT-H ));
++						CROPSPEC="${W}x${H}+${X}+${Y2}"
++					fi
++
++					echo "------------------------------------------------------------"
++					echo $PROGARG $NSARG $COLORSARG -crop $CROPSPEC
++					echo "------------------------------------------------------------"
++					echo
++					for samp in GRAY 420 422 440 444; do
++						$EXEDIR/djpeg $NSARG $COLORSARG -rgb -outfile $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}.jpg
++						convert -crop $CROPSPEC $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}_ref.ppm
++						runme $EXEDIR/djpeg $NSARG $COLORSARG -crop $CROPSPEC -rgb -outfile $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}.jpg
++						runme cmp $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}_ref.ppm
++					done
++					echo
++
++				done
++
++			done
++
++		done
++
++	done
++
++done
++
++echo SUCCESS!
+diff --git a/jdapistd.c b/jdapistd.c
+index 91da642..c502909 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -306,16 +306,6 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ }
+ 
+ 
+-/* Dummy postprocessing function used by jpeg_skip_scanlines() */
+-LOCAL(void)
+-noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+-                   JDIMENSION *in_row_group_ctr,
+-                   JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
+-                   JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+-{
+-}
+-
+-
+ /*
+  * In some cases, it is best to call jpeg_read_scanlines() and discard the
+  * output, rather than skipping the scanlines, because this allows us to
+@@ -329,16 +319,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+   JDIMENSION n;
+   my_master_ptr master = (my_master_ptr)cinfo->master;
++  JSAMPARRAY scanlines = NULL;
+   void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+                          JDIMENSION input_row, JSAMPARRAY output_buf,
+                          int num_rows) = NULL;
+   void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+                           JSAMPARRAY output_buf, int num_rows) = NULL;
+-  void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+-                             JDIMENSION *in_row_group_ctr,
+-                             JDIMENSION in_row_groups_avail,
+-                             JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
+-                             JDIMENSION out_rows_avail) = NULL;
+ 
+   if (cinfo->cconvert && cinfo->cconvert->color_convert) {
+     color_convert = cinfo->cconvert->color_convert;
+@@ -350,23 +336,19 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+     cinfo->cquantize->color_quantize = noop_quantize;
+   }
+ 
+-  if (master->using_merged_upsample && cinfo->post &&
+-      cinfo->post->post_process_data) {
+-    post_process_data = cinfo->post->post_process_data;
+-    cinfo->post->post_process_data = noop_post_process;
++  if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
++    my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++    scanlines = &upsample->spare_row;
+   }
+ 
+   for (n = 0; n < num_lines; n++)
+-    jpeg_read_scanlines(cinfo, NULL, 1);
++    jpeg_read_scanlines(cinfo, scanlines, 1);
+ 
+   if (color_convert)
+     cinfo->cconvert->color_convert = color_convert;
+ 
+   if (color_quantize)
+     cinfo->cquantize->color_quantize = color_quantize;
+-
+-  if (post_process_data)
+-    cinfo->post->post_process_data = post_process_data;
+ }
+ 
+ 
+@@ -380,6 +362,12 @@ increment_simple_rowgroup_ctr(j_decompress_ptr cinfo, JDIMENSION rows)
+ {
+   JDIMENSION rows_left;
+   my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
++  my_master_ptr master = (my_master_ptr)cinfo->master;
++
++  if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
++    read_and_discard_scanlines(cinfo, rows);
++    return;
++  }
+ 
+   /* Increment the counter to the next row group after the skipped rows. */
+   main_ptr->rowgroup_ctr += rows / cinfo->max_v_samp_factor;
+@@ -410,11 +398,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+   my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
+   my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
+   my_master_ptr master = (my_master_ptr)cinfo->master;
++  my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
+   JDIMENSION i, x;
+   int y;
+   JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
+   JDIMENSION lines_to_skip, lines_to_read;
+ 
++  /* Two-pass color quantization is not supported. */
++  if (cinfo->quantize_colors && cinfo->two_pass_quantize)
++    ERREXIT(cinfo, JERR_NOTIMPL);
++
+   if (cinfo->global_state != DSTATE_SCANNING)
+     ERREXIT1(cinfo, JERR_BAD_STATE, cinfo->global_state);
+ 
+@@ -472,13 +465,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+     main_ptr->buffer_full = FALSE;
+     main_ptr->rowgroup_ctr = 0;
+     main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
+-    if (master->using_merged_upsample) {
+-      my_merged_upsample_ptr upsample =
+-        (my_merged_upsample_ptr)cinfo->upsample;
+-      upsample->spare_full = FALSE;
+-      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-    } else {
+-      my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++    if (!master->using_merged_upsample) {
+       upsample->next_row_out = cinfo->max_v_samp_factor;
+       upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+     }
+@@ -493,13 +480,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+       cinfo->output_scanline += lines_left_in_iMCU_row;
+       main_ptr->buffer_full = FALSE;
+       main_ptr->rowgroup_ctr = 0;
+-      if (master->using_merged_upsample) {
+-        my_merged_upsample_ptr upsample =
+-          (my_merged_upsample_ptr)cinfo->upsample;
+-        upsample->spare_full = FALSE;
+-        upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-      } else {
+-        my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++      if (!master->using_merged_upsample) {
+         upsample->next_row_out = cinfo->max_v_samp_factor;
+         upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+       }
+@@ -537,14 +518,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+       cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
+       increment_simple_rowgroup_ctr(cinfo, lines_to_read);
+     }
+-    if (master->using_merged_upsample) {
+-      my_merged_upsample_ptr upsample =
+-        (my_merged_upsample_ptr)cinfo->upsample;
+-      upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-    } else {
+-      my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++    if (!master->using_merged_upsample)
+       upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-    }
+     return num_lines;
+   }
+ 
+@@ -585,13 +560,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+    * bit odd, since "rows_to_go" seems to be redundantly keeping track of
+    * output_scanline.
+    */
+-  if (master->using_merged_upsample) {
+-    my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++  if (!master->using_merged_upsample)
+     upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-  } else {
+-    my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
+-    upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+-  }
+ 
+   /* Always skip the requested number of lines. */
+   return num_lines;
+diff --git a/libjpeg.txt b/libjpeg.txt
+index c50cf90..c233ecb 100644
+--- a/libjpeg.txt
++++ b/libjpeg.txt
+@@ -3,7 +3,7 @@ USING THE IJG JPEG LIBRARY
+ This file was part of the Independent JPEG Group's software:
+ Copyright (C) 1994-2013, Thomas G. Lane, Guido Vollbeding.
+ libjpeg-turbo Modifications:
+-Copyright (C) 2010, 2014-2018, D. R. Commander.
++Copyright (C) 2010, 2014-2018, 2020, D. R. Commander.
+ Copyright (C) 2015, Google, Inc.
+ For conditions of distribution and use, see the accompanying README.ijg file.
+ 
+@@ -750,7 +750,9 @@ multiple rows in the JPEG image.
+ 
+ Suspending data sources are not supported by this function.  Calling
+ jpeg_skip_scanlines() with a suspending data source will result in undefined
+-behavior.
++behavior.  Two-pass color quantization is also not supported by this function.
++Calling jpeg_skip_scanlines() with two-pass color quantization enabled will
++result in an error.
+ 
+ jpeg_skip_scanlines() will not allow skipping past the bottom of the image.  If
+ the value of num_lines is large enough to skip past the bottom of the image,
+-- 
+2.25.1
+
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 6575582b0c..630b20300f 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -14,6 +14,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
            file://0001-libjpeg-turbo-fix-package_qa-error.patch \
            file://CVE-2020-13790.patch \
            file://CVE-2021-46822.patch \
+           file://CVE-2020-35538-1.patch \
+           file://CVE-2020-35538-2.patch \
            "
 
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
-- 
2.34.1

[OE-core][dunfell 02/10] ninja: Whitelist CVE-2021-4336, wrong ninja

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

(From OE-Core rev: c2dd2c13ff26c3f046e35a2f6b8afeb099ef422a)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9a106486ad7900924a87c5869702903204a35b54)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/ninja/ninja_1.10.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/ninja/ninja_1.10.0.bb b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
index ae3f3f1ea8..755b73a173 100644
--- a/meta/recipes-devtools/ninja/ninja_1.10.0.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
@@ -29,3 +29,6 @@ do_install() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# This is a different Ninja
+CVE_CHECK_WHITELIST += "CVE-2021-4336"
-- 
2.34.1

[OE-core][dunfell 03/10] go: Backport fix CVE-2023-29405

[Steve Sakoman]

From: Ashish Sharma <asharma@mvista.com>

Upstream-Status: Backport
[https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4
&
https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-29405-1.patch         | 112 ++++++++++++++++++
 .../go/go-1.14/CVE-2023-29405-2.patch         |  38 ++++++
 3 files changed, 152 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 2c500e8331..ed505c01b3 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -63,6 +63,8 @@ SRC_URI += "\
     file://CVE-2023-24538-3.patch \
     file://CVE-2023-24539.patch \
     file://CVE-2023-24540.patch \
+    file://CVE-2023-29405-1.patch \
+    file://CVE-2023-29405-2.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
new file mode 100644
index 0000000000..70d50cc08a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+ line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/cmd/cgo/out.go                            |  4 +++-
+ src/cmd/go/internal/work/gccgo.go             | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+ 
+ 	fflg := creat(*objDir + "_cgo_flags")
+ 	for k, v := range p.CgoFlags {
+-		fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++		for _, arg := range v {
++			fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++		}
+ 		if k == "LDFLAGS" && !*gccgo {
+ 			for _, arg := range v {
+ 				fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+ 		const ldflagsPrefix = "_CGO_LDFLAGS="
+ 		for _, line := range strings.Split(string(flags), "\n") {
+ 			if strings.HasPrefix(line, ldflagsPrefix) {
+-				newFlags := strings.Fields(line[len(ldflagsPrefix):])
+-				for _, flag := range newFlags {
+-					// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+-					// but they don't mean anything to the linker so filter
+-					// them out.
+-					if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+-						cgoldflags = append(cgoldflags, flag)
+-					}
++				flag := line[len(ldflagsPrefix):]
++				// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++				// but they don't mean anything to the linker so filter
++				// them out.
++				if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++					cgoldflags = append(cgoldflags, flag)
+ 				}
+ 			}
+ 		}
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
new file mode 100644
index 0000000000..369eca581e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+
+For #60306
+For #60514
+
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+ src/cmd/cgo/out.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+ 	fflg := creat(*objDir + "_cgo_flags")
+ 	for k, v := range p.CgoFlags {
+ 		for _, arg := range v {
+-			fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++			fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+ 		}
+ 		if k == "LDFLAGS" && !*gccgo {
+ 			for _, arg := range v {
-- 
2.34.1

[OE-core][dunfell 04/10] go: fix CVE-2023-29402 & CVE-2023-29404

[Steve Sakoman]

From: Hitendra Prajapati <hprajapati@mvista.com>

Backport fixes for:
* CVE-2023-29402 - Upstream-Status: Backport from https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f
* CVE-2023-29404 - Upstream-Status: Backport from https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-29402.patch           | 201 ++++++++++++++++++
 .../go/go-1.14/CVE-2023-29404.patch           |  84 ++++++++
 3 files changed, 287 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index ed505c01b3..ea7b9ea80f 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -65,6 +65,8 @@ SRC_URI += "\
     file://CVE-2023-24540.patch \
     file://CVE-2023-29405-1.patch \
     file://CVE-2023-29405-2.patch \
+    file://CVE-2023-29402.patch \
+    file://CVE-2023-29404.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
new file mode 100644
index 0000000000..01eed9fe1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+ containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/load/pkg.go               |   4 +
+ src/cmd/go/internal/work/exec.go              |   6 ++
+ src/cmd/go/script_test.go                     |   1 +
+ .../go/testdata/script/build_cwd_newline.txt  | 100 ++++++++++++++++++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+ 		setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+ 		return
+ 	}
++	if strings.ContainsAny(p.Dir, "\r\n") {
++		setError(fmt.Errorf("invalid package directory %q", p.Dir))
++		return
++	}
+ 
+ 	// Build list of imported packages and full dependency list.
+ 	imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+ 		b.Print(a.Package.ImportPath + "\n")
+ 	}
+ 
++	if p.Error != nil {
++		// Don't try to build anything for packages with errors. There may be a
++		// problem with the inputs that makes the package unsafe to build.
++		return p.Error
++	}
++
+ 	if a.Package.BinaryOnly {
+ 		p.Stale = true
+ 		p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+ 		"devnull=" + os.DevNull,
+ 		"goversion=" + goVersion(ts),
+ 		":=" + string(os.PathListSeparator),
++                "newline=\n",
+ 	}
+ 
+ 	if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
++[windows] skip 'filesystem normalizes / to \'
++[plan9] skip 'filesystem disallows \n in paths'
++
++# If the directory path containing a package to be built includes a newline,
++# the go command should refuse to even try to build the package.
++
++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
++
++mkdir $DIR
++cd $DIR
++exec pwd
++cp $WORK/go.mod ./go.mod
++cp $WORK/main.go ./main.go
++cp $WORK/main_test.go ./main_test.go
++
++! go build -o $devnull .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go build -o $devnull main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go run .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go run main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go test .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go test -v main.go main_test.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++
++# Since we do preserve $PWD (or set it appropriately) for commands, and we do
++# not resolve symlinks unnecessarily, referring to the contents of the unsafe
++# directory via a safe symlink should be ok, and should not inject the data from
++# the symlink target path.
++
++[!symlink] stop 'remainder of test checks symlink behavior'
++[short] stop 'links and runs binaries'
++
++symlink $WORK${/}link -> $DIR
++
++go run $WORK${/}link${/}main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
++! stdout panic
++! stderr panic
++stdout '^ok$'   # 'go test' combines the test's stdout into stderr
++
++cd $WORK/link
++
++! go run $DIR${/}main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++go run .
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go run main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v
++! stdout panic
++! stderr panic
++stdout '^ok$'  # 'go test' combines the test's stdout into stderr
++
++go test -v .
++! stdout panic
++! stderr panic
++stdout '^ok$'  # 'go test' combines the test's stdout into stderr
++
++
++-- $WORK/go.mod --
++module example
++go 1.19
++-- $WORK/main.go --
++package main
++
++import "C"
++
++func main() {
++	/* nothing here */
++	println("ok")
++}
++-- $WORK/main_test.go --
++package main
++
++import "testing"
++
++func TestMain(*testing.M) {
++	main()
++}
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
new file mode 100644
index 0000000000..61336ee9ee
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
@@ -0,0 +1,84 @@
+From bf3c8ce03e175e870763901a3850bca01381a828 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] [release-branch.go1.19] cmd/go: enforce flags with
+ non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60305
+Fixes #60511
+Fixes CVE-2023-29404
+
+Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828]
+CVE: CVE-2023-29404
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/security.go      | 6 +++---
+ src/cmd/go/internal/work/security_test.go | 5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index a823b20..8acb6dc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -177,17 +177,17 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+ 	re(`-Wl,-Bdynamic`),
+ 	re(`-Wl,-berok`),
+ 	re(`-Wl,-Bstatic`),
+-	re(`-WL,-O([^@,\-][^,]*)?`),
++	re(`-Wl,-O[0-9]+`),
+ 	re(`-Wl,-d[ny]`),
+ 	re(`-Wl,--disable-new-dtags`),
+-	re(`-Wl,-e[=,][a-zA-Z0-9]*`),
++	re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+ 	re(`-Wl,--enable-new-dtags`),
+ 	re(`-Wl,--end-group`),
+ 	re(`-Wl,--(no-)?export-dynamic`),
+ 	re(`-Wl,-framework,[^,@\-][^,]+`),
+ 	re(`-Wl,-headerpad_max_install_names`),
+ 	re(`-Wl,--no-undefined`),
+-	re(`-Wl,-R([^@\-][^,@]*$)`),
++	re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+ 	re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+ 	re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+ 	re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
+index bd707ff..7b0b7d3 100644
+--- a/src/cmd/go/internal/work/security_test.go
++++ b/src/cmd/go/internal/work/security_test.go
+@@ -220,6 +220,11 @@ var badLinkerFlags = [][]string{
+ 	{"-Wl,-R,@foo"},
+ 	{"-Wl,--just-symbols,@foo"},
+ 	{"../x.o"},
++	{"-Wl,-R,"},
++	{"-Wl,-O"},
++	{"-Wl,-e="},
++	{"-Wl,-e,"},
++	{"-Wl,-R,-flag"},
+ }
+ 
+ func TestCheckLinkerFlags(t *testing.T) {
+-- 
+2.25.1
+
-- 
2.34.1

[OE-core][dunfell 05/10] libcap: backport Debian patches to fix CVE-2023-2602 and CVE-2023-2603

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

import patches from ubuntu to fix
 CVE-2023-2602
 CVE-2023-2603

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
&
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libcap/files/CVE-2023-2602.patch          | 52 +++++++++++++++++
 .../libcap/files/CVE-2023-2603.patch          | 58 +++++++++++++++++++
 meta/recipes-support/libcap/libcap_2.32.bb    |  2 +
 3 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-support/libcap/files/CVE-2023-2602.patch
 create mode 100644 meta/recipes-support/libcap/files/CVE-2023-2603.patch

diff --git a/meta/recipes-support/libcap/files/CVE-2023-2602.patch b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
new file mode 100644
index 0000000000..ca04d7297a
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+  https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb]
+CVE: CVE-2023-2602
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libcap/psx.c
++++ b/libcap/psx.c
+@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread
+ 
+     psx_wait_for_idle();
+     int ret = pthread_create(thread, attr, start_routine, arg);
+-    if (ret != -1) {
++    if (ret == 0) {
+ 	psx_do_registration(*thread);
+     }
+     psx_resume_idle();
+@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr
+ 			  void *(*start_routine) (void *), void *arg) {
+     psx_wait_for_idle();
+     int ret = __real_pthread_create(thread, attr, start_routine, arg);
+-    if (ret != -1) {
++    if (ret == 0) {
+ 	psx_do_registration(*thread);
+     }
+     psx_resume_idle();
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
new file mode 100644
index 0000000000..cf86ac2a46
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
+Backport of:
+
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
+CVE: CVE-2023-2603
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -76,13 +76,22 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+     __u32 *raw_data;
++    size_t len;
+ 
+     if (old == NULL) {
+ 	errno = EINVAL;
+ 	return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
++    len = strlen(old);
++    if ((len & 0x3fffffff) != len) {
++	_cap_debug("len is too long for libcap to manage");
++	errno = EINVAL;
++	return NULL;
++    }
++    len += sizeof(__u32) + 1;
++
++    raw_data = malloc(len);
+     if (raw_data == NULL) {
+ 	errno = ENOMEM;
+ 	return NULL;
diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb
index d67babb5e9..64d5190aa7 100644
--- a/meta/recipes-support/libcap/libcap_2.32.bb
+++ b/meta/recipes-support/libcap/libcap_2.32.bb
@@ -13,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
            file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
            file://0002-tests-do-not-run-target-executables.patch \
            file://0001-tests-do-not-statically-link-a-test.patch \
+           file://CVE-2023-2602.patch \
+           file://CVE-2023-2603.patch \
            "
 SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"
 SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"
-- 
2.34.1

[OE-core][dunfell 06/10] linux-yocto/5.4: update to v5.4.246

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    f568a20f058f Linux 5.4.246
    6c0fc4725f6f drm/edid: fix objtool warning in drm_cvt_modes()
    914bf541c3bb wifi: rtlwifi: 8192de: correct checking of IQK reload
    58bc9baaef92 drm/edid: Fix uninitialized variable in drm_cvt_modes()
    77e442733faa RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds
    a616aa258e46 RDMA/bnxt_re: Remove set but not used variable 'dev_attr'
    4ffad598bff4 scsi: dpt_i2o: Do not process completions with invalid addresses
    e2897f133acd scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
    56a4a9dc5ed1 regmap: Account for register length when chunking
    94f3bc7e84af test_firmware: fix the memory leak of the allocated firmware buffer
    fb7dce686fd1 fbcon: Fix null-ptr-deref in soft_cursor
    5ea6122caf51 ext4: add lockdep annotations for i_data_sem for ea_inode's
    b06346ef5778 ext4: disallow ea_inodes with extended attributes
    ec2a04f8fc9f ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
    2e636c0c9344 ext4: add EA_INODE checking to ext4_iget()
    d9de088797a0 tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
    7df474125c37 selinux: don't use make's grouped targets feature yet
    b18bc3c9c2c5 tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
    ae7fb0c8bf80 mmc: vub300: fix invalid response handling
    9d8f5797d791 wifi: rtlwifi: remove always-true condition pointed out by GCC 12
    843f51766784 lib/dynamic_debug.c: use address-of operator on section symbols
    0638dcc7e75f treewide: Remove uninitialized_var() usage
    1eb88dccb827 kernel/extable.c: use address-of operator on section symbols
    d069c7ce3995 eth: sun: cassini: remove dead code
    d04adc383f32 gcc-12: disable '-Wdangling-pointer' warning for now
    253d70232573 ACPI: thermal: drop an always true check
    a010f8e64689 x86/boot: Wrap literal addresses in absolute_pointer()
    f0bb5135553c flow_dissector: work around stack frame size warning
    cd943425c6aa ata: libata-scsi: Use correct device no in ata_find_dev()
    76c67ff783ac scsi: stex: Fix gcc 13 warnings
    cd91ead608f0 misc: fastrpc: reject new invocations during device removal
    bf1d0b84dfd2 misc: fastrpc: return -EPIPE to invocations on device removal
    d5f183881529 usb: gadget: f_fs: Add unbind event before functionfs_unbind
    ac388cbbd97c net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
    e101e8160cf0 iio: dac: build ad5758 driver when AD5758 is selected
    a87236446a62 iio: dac: mcp4725: Fix i2c_master_send() return value handling
    c3b25245e3a8 iio: light: vcnl4035: fixed chip ID check
    711049e31e09 HID: wacom: avoid integer overflow in wacom_intuos_inout()
    4251ff7fd4a4 HID: google: add jewel USB id
    f3b4e2a636d1 iio: adc: mxs-lradc: fix the order of two cleanup operations
    030ca3f7b042 mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
    11b084412055 atm: hide unused procfs functions
    cea581b385ab ALSA: oss: avoid missing-prototype warnings
    384fd08858da netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
    f7e62f1b7229 wifi: b43: fix incorrect __packed annotation
    8a9035110288 scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
    f1e6a1097141 arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
    c87334f4e705 ARM: dts: stm32: add pin map for CAN controller on stm32f7
    a39f24357fdc wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
    353fd22693a6 media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
    66a6d704c251 media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
    ed47886a73db media: dvb-core: Fix use-after-free due on race condition at dvb_net
    e9033a425ab2 media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
    08b20cb8e5b9 media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
    46e8b0fe538b media: dvb_ca_en50221: fix a size write bug
    b66849f35462 media: netup_unidvb: fix irq init by register it at the end of probe
    88aef84eefb3 media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
    6b9a534ec5cf media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
    f3c8ed7366cd media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
    65033ab2f930 media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
    37e36b426197 media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
    64f1b8296bef media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
    d16f5dc3aa09 media: dvb_demux: fix a bug for the continuity counter
    a7c87057f259 ASoC: ssm2602: Add workaround for playback distortions
    619f008df14e xfrm: Check if_id in inbound policy/secpath match
    21ca81704611 ASoC: dwc: limit the number of overrun messages
    acd5f476c16e nbd: Fix debugfs_create_dir error checking
    19ce1e1f348d fbdev: stifb: Fix info entry in sti_struct on error path
    aa32f2fadb4c fbdev: modedb: Add 1920x1080 at 60 Hz video mode
    199f9c5430f9 media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
    b950966b44f9 ARM: 9295/1: unwind:fix unwind abort for uleb128 case
    a823d8e0bb02 mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
    29bfbc8a63c4 watchdog: menz069_wdt: fix watchdog initialisation
    0018639be2d9 mtd: rawnand: marvell: don't set the NAND frequency select
    5f0043efdc24 mtd: rawnand: marvell: ensure timing values are written
    6c0aacf1b4e1 net: dsa: mv88e6xxx: Increase wait after reset deactivation
    94a00f1142c5 net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
    dd4b5a204dfa udp6: Fix race condition in udp6_sendmsg & connect
    cd4a37f0dcc9 net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
    cec562fbf8c5 ocfs2/dlm: move BITS_TO_BYTES() to bitops.h for wider use
    9e6bb63e5e66 net: sched: fix NULL pointer dereference in mq_attach
    2188c0f09532 net/sched: Prohibit regrafting ingress or clsact Qdiscs
    80b20d528a71 net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
    321f38375517 net/sched: sch_clsact: Only create under TC_H_CLSACT
    5f67d33c01b3 net/sched: sch_ingress: Only create under TC_H_INGRESS
    381a703220fb tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
    32e9a9ee285f tcp: deny tcp_disconnect() when threads are waiting
    26e830858a2b af_packet: do not use READ_ONCE() in packet_bind()
    43f1402dc2e9 mtd: rawnand: ingenic: fix empty stub helper definitions
    dd3773e8c8c9 amd-xgbe: fix the false linkup in xgbe_phy_status
    603eec060d14 af_packet: Fix data-races of pkt_sk(sk)->num.
    bab2f42d8d8a netrom: fix info-leak in nr_write_internal()
    d7aeb591b101 net/mlx5: fw_tracer, Fix event handling
    c7ac3ebf41ee dmaengine: pl330: rename _start to prevent build error
    17d70de57248 iommu/amd: Don't block updates to GATag if guest mode is on
    fa961ad9ef91 iommu/rockchip: Fix unwind goto issue
    5abb81b4d762 RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
    2bafc7f22db3 RDMA/bnxt_re: Refactor queue pair creation code
    56446791bccd RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series
    cc5a673d85a9 RDMA/efa: Fix unsupported page sizes in device
    cf0b1e5482ea Linux 5.4.245
    ec14c6e0a2e5 netfilter: ctnetlink: Support offloaded conntrack entry deletion
    5b7d4d91c047 ipv{4,6}/raw: fix output xfrm lookup wrt protocol
    6c88024cab83 binder: fix UAF caused by faulty buffer cleanup
    e6183912ee90 bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
    9ba28194ea50 io_uring: have io_kill_timeout() honor the request references
    6de3014d4bd8 io_uring: don't drop completion lock before timer is fully initialized
    b0bfceaa8c0e io_uring: always grab lock in io_cancel_async_work()
    00395fd7f9a0 cdc_ncm: Fix the build warning
    672e59995e70 net/mlx5: Devcom, serialize devcom registration
    f42feb29bad9 net/mlx5: devcom only supports 2 ports
    67637a7ee6bd fs: fix undefined behavior in bit shift for SB_NOUSER
    02281c23d069 power: supply: bq24190: Call power_supply_changed() after updating input current
    f6518954c146 power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier()
    db00ef8fd609 power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
    ff484163dfb6 net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
    a270ca35a949 cdc_ncm: Implement the 32-bit version of NCM Transfer Block
    51d0ac4577c2 Linux 5.4.244
    edec0d399907 3c589_cs: Fix an error handling path in tc589_probe()
    3dfc1004d9af net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
    c59106f8bca1 net/mlx5: Fix error message when failing to allocate device memory
    8680d838c98c forcedeth: Fix an error handling path in nv_probe()
    b8db4a4e2007 ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
    0099a29bc5a0 x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
    c60f38c9bdcb xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
    9b13972e4f23 coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
    f6b610730e8f power: supply: sbs-charger: Fix INHIBITED bit for Status reg
    0c5f4cec7596 power: supply: bq27xxx: Fix poll_interval handling and races on remove
    dafe9136be7b power: supply: bq27xxx: Fix I2C IRQ race on remove
    7b3b11964979 power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
    96bfafbc7d80 power: supply: leds: Fix blink to LED on transition
    011f47c8b838 ipv6: Fix out-of-bounds access in ipv6_find_tlv()
    120cdad8b2ae bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
    9928ce5225d6 selftests: fib_tests: mute cleanup error message
    58766252f6b2 net: fix skb leak in __skb_tstamp_tx()
    2b580d0f03c4 media: radio-shark: Add endpoint checks
    a730feb672c7 USB: sisusbvga: Add endpoint checks
    80100e0863e5 USB: core: Add routines for endpoint checks in old drivers
    7e3ae83371a4 udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
    9ea0c5f90a27 net: fix stack overflow when LRO is disabled for virtual interfaces
    1522dc58bff8 fbdev: udlfb: Fix endpoint check
    be646802b3dc debugobjects: Don't wake up kswapd from fill_pool()
    4e5a7181a6c3 x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
    6d091e0ddcf3 parisc: Fix flush_dcache_page() for usage from irq context
    b556618baca5 selftests/memfd: Fix unknown type name build failure
    04aee084a3fa x86/mm: Avoid incomplete Global INVLPG flushes
    a9f5423460a6 btrfs: use nofs when cleaning up aborted transactions
    4f92934d8073 gpio: mockup: Fix mode of debugfs files
    da8adda57984 parisc: Allow to reboot machine after system halt
    43ffe982a304 parisc: Handle kgdb breakpoints only in kernel context
    f7d19a366cd2 m68k: Move signal frame following exception on 68020/030
    8facb9cc168a ALSA: hda/realtek: Enable headset onLenovo M70/M90
    5cc3e698c2bb ALSA: hda/ca0132: add quirk for EVGA X299 DARK
    68e4c390173e mt76: mt7615: Fix build with older compilers
    b558275c1b04 spi: fsl-cpm: Use 16 bit mode for large transfers with even size
    d64a45c019ac spi: fsl-spi: Re-organise transfer bits_per_word adaptation
    aabe8ca79139 watchdog: sp5100_tco: Immediately trigger upon starting.
    aeff9e7e87c1 s390/qdio: fix do_sqbs() inline assembly constraint
    ab196fe70a18 s390/qdio: get rid of register asm
    a4e3c4c65ae8 vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
    74e644795d37 vc_screen: rewrite vcs_size to accept vc, not inode
    e9399d4ea5ee usb: gadget: u_ether: Fix host MAC address case
    939cafcdf7de usb: gadget: u_ether: Convert prints to device prints
    c8489e0fab18 lib/string_helpers: Introduce string_upper() and string_lower() helpers
    7e15602c5073 HID: wacom: add three styli to wacom_intuos_get_tool_type
    2a12339ce34f HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
    b5185f1b11c7 HID: wacom: Force pen out of prox if no events have been received in a while
    e0c1b35239d9 netfilter: nf_tables: hold mutex on netns pre_exit path
    6236af6936dd netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on NFT_SET_OBJECT flag
    05b4105e6852 netfilter: nf_tables: stricter validation of element data
    e832e4bae556 netfilter: nf_tables: allow up to 64 bytes in the set element data area
    28fe10236a64 netfilter: nf_tables: add nft_setelem_parse_key()
    eb5b579bd69f netfilter: nf_tables: validate registers coming from userspace.
    cfe1b9719cce netfilter: nftables: statify nft_parse_register()
    7c788393d453 netfilter: nftables: add nft_parse_register_store() and use it
    25336cd96b03 netfilter: nftables: add nft_parse_register_load() and use it
    116d53f09ff5 nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
    df89b1753eb1 powerpc/64s/radix: Fix soft dirty tracking
    60b9a9c8f370 tpm/tpm_tis: Disable interrupts for more Lenovo devices
    a33c172c1e34 ceph: force updating the msg pointer in non-split case
    6eb9ed0ab7b5 serial: Add support for Advantech PCI-1611U card
    21f107a95965 statfs: enforce statfs[64] structure initialization
    1eb3e32de7b1 KVM: x86: do not report a vCPU as preempted outside instruction boundaries
    a88638a95407 can: kvaser_pciefd: Disable interrupts in probe error path
    4579e2556767 can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
    33d5a0a4985a can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
    e5ac4f12074e can: kvaser_pciefd: Empty SRB buffer in probe
    c0e9fb21b612 can: kvaser_pciefd: Call request_irq() before enabling interrupts
    36cd7601e6b9 can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
    e65811289346 can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
    880482525101 ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
    57fd0d122edd ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
    739056188ad3 ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
    4ef155ddf957 ALSA: hda: Fix Oops by 9.1 surround channel names
    4f9c0a7c2726 usb: typec: altmodes/displayport: fix pin_assignment_show
    33b6648d27b8 usb: dwc3: debugfs: Resume dwc3 before accessing registers
    241491524ab0 USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
    1f36dc41616b usb-storage: fix deadlock when a scsi command timeouts more than once
    7cef7681aa77 USB: usbtmc: Fix direction for 0-length ioctl control messages
    f662f856acec vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
    53bf7cda160b igb: fix bit_shift to be in [1..8] range
    e20105d967ab cassini: Fix a memory leak in the error handling path of cas_init_one()
    e519a404a5bb wifi: iwlwifi: mvm: don't trust firmware n_channels
    d0baaadd1c5e net: bcmgenet: Restore phy_stop() depending upon suspend/close
    2cca63d5bc4e net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
    435855b0831b net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
    ed50fcab1435 drm/exynos: fix g2d_open/close helper function definitions
    1550bcf2983a media: netup_unidvb: fix use-after-free at del_timer()
    69055f99900b net: hns3: fix reset delay time to avoid configuration timeout
    304e5cb77eb8 net: hns3: fix sending pfc frames after reset issue
    d1bcc606870e erspan: get the proto with the md version for collect_md
    f185ede016c9 ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
    0eb3ec0a3553 ip6_gre: Make o_seqno start from 0 in native mode
    304096241398 ip6_gre: Fix skb_under_panic in __gre6_xmit()
    7525aa211758 serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
    5a90309002cd vsock: avoid to close connected socket after the timeout
    5009aead17f0 ALSA: firewire-digi00x: prevent potential use after free
    b22b514209ff net: fec: Better handle pm_runtime_get() failing in .remove()
    033297ef3bba af_key: Reject optional tunnel/BEET mode templates in outbound policies
    912a6cff0db1 cpupower: Make TSC read per CPU for Mperf monitor
    131eb9c9b1a0 ASoC: fsl_micfil: register platform component before registering cpu dai
    a3714a47b401 btrfs: fix space cache inconsistency after error loading it from disk
    596898303745 btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
    1e453cb55014 mfd: dln2: Fix memory leak in dln2_probe()
    bdc33478d5d3 phy: st: miphy28lp: use _poll_timeout functions for waits
    e6e917e82de4 Input: xpad - add constants for GIP interface numbers
    9fcef1e37d54 iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
    4461f41ece4d clk: tegra20: fix gcc-7 constant overflow warning
    c23e6383d7fe RDMA/core: Fix multiple -Warray-bounds warnings
    3ed95a6f6c64 recordmcount: Fix memory leaks in the uwrite function
    38a118fd545b sched: Fix KCSAN noinstr violation
    cbe3063a9be1 mcb-pci: Reallocate memory region to avoid memory overlapping
    d5cd2928d310 serial: 8250: Reinit port->pm on port specific driver unbind
    ccb12585a735 usb: typec: tcpm: fix multiple times discover svids error
    c5405c767173 HID: wacom: generic: Set battery quirk only when we see battery data
    d3f32dc2ccc2 spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
    bf80dbd52899 HID: logitech-hidpp: Reconcile USB and Unifying serials
    e28f9de2d4d7 HID: logitech-hidpp: Don't use the USB serial for USB devices
    8a65476dd1ca staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
    2112c4c47d36 Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
    fa57021262e9 wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
    0ad8dd870aa1 wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
    f6f2d16c77f9 wifi: iwlwifi: pcie: fix possible NULL pointer dereference
    a7ec2f424f6e samples/bpf: Fix fout leak in hbm's run_bpf_prog
    4ceedc2f8bdf f2fs: fix to drop all dirty pages during umount() if cp_error is set
    8659c5f4ffaa ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
    cee78217a7ae ext4: set goal start correctly in ext4_mb_normalize_request
    d43b1bdb1005 gfs2: Fix inode height consistency check
    410e610a96c5 scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
    cc2d2b3dbfb0 lib: cpu_rmap: Avoid use after free on rmap->obj array entries
    89f5055f9b0b scsi: target: iscsit: Free cmds before session free
    67236cf14db3 net: Catch invalid index in XPS mapping
    92af9cb86ab0 net: pasemi: Fix return type of pasemi_mac_start_tx()
    644a9d5e2276 scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
    c4813f858e5c ext2: Check block size validity during mount
    56c7e9c39bd5 wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
    c409eb45f5dd ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
    710e09fd116e ACPICA: Avoid undefined behavior: applying zero offset to null pointer
    99c8f2e6f33a drm/tegra: Avoid potential 32-bit integer overflow
    ccae2233e993 ACPI: EC: Fix oops when removing custom query handlers
    48ac727ea4a3 firmware: arm_sdei: Fix sleep from invalid context BUG
    a2a5d3a584bf memstick: r592: Fix UAF bug in r592_remove due to race condition
    d73e8c47675e regmap: cache: Return error in cache sync operations for REGCACHE_NONE
    9b72cb394f96 drm/amd/display: Use DC_LOG_DC in the trasform pixel function
    a75d9211a07f fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
    196528ad4844 af_unix: Fix data races around sk->sk_shutdown.
    7d17bc2d4e75 af_unix: Fix a data race of sk->sk_receive_queue->qlen.
    699c9e7c9f66 net: datagram: fix data-races in datagram_poll()
    1aa872e967f2 ipvlan:Fix out-of-bounds caused by unclear skb->cb
    4188c5269475 net: add vlan_get_protocol_and_depth() helper
    57a269d82f2e net: tap: check vlan with eth_type_vlan() method
    1747aa98ab13 net: annotate sk->sk_err write from do_recvmmsg()
    a507022c862e netlink: annotate accesses to nlk->cb_running
    b47aae7038cc netfilter: conntrack: fix possible bug_on with enable_hooks=1
    d7343f8de019 net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
    42e1dafa65e2 linux/dim: Do nothing if no time delta between samples
    7460ac5a66fb ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
    22b8ac608af5 drm/mipi-dsi: Set the fwnode for mipi_dsi_device
    d4992b2b5c68 driver core: add a helper to setup both the of_node and fwnode of a device

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 01eca24a00..a604e08822 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "c705bb899d37bbd61a87a2f850e4d6f04613a908"
-SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
+SRCREV_machine ?= "5cc4655a187a2c5a1a30c6c2295fefab9c8c986d"
+SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.243"
+LINUX_VERSION ?= "5.4.246"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index c3d4ff4608..0938c3d854 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.243"
+LINUX_VERSION ?= "5.4.246"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "140d4ff6bab1e5959377d4974ade490c837ef9cc"
-SRCREV_machine ?= "66990885cd865944a093b47ee7164ef2838f75a3"
-SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
+SRCREV_machine_qemuarm ?= "ffc4cd8db8b2c495a04a9f28e2da3b4c91f30711"
+SRCREV_machine ?= "9a992a65fe0346b8a7a86ffb2c491dadecada05a"
+SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index c361f0c701..28ef51f883 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "3c105623bdba36118195e9c188d728edcc00345a"
-SRCREV_machine_qemuarm64 ?= "993c666984249097d093ee71eb3dffa0844fef6c"
-SRCREV_machine_qemumips ?= "2469bc35f1c2ef5ab2e85b7b705b32e33c6350c7"
-SRCREV_machine_qemuppc ?= "98229034b888ad319d7d030d279381a671c41dc0"
-SRCREV_machine_qemuriscv64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
-SRCREV_machine_qemux86 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
-SRCREV_machine_qemux86-64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
-SRCREV_machine_qemumips64 ?= "fb1936fa93be6bfd1b18cd8568cfc5b279904fa5"
-SRCREV_machine ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
-SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
+SRCREV_machine_qemuarm ?= "0682b6432f4fb3931fc5a32938ae2957e97ad3fd"
+SRCREV_machine_qemuarm64 ?= "736062be272094d22416e228b92560302298f9fd"
+SRCREV_machine_qemumips ?= "db77f08d3d5176d1b079195beefd558a32e18b69"
+SRCREV_machine_qemuppc ?= "1dbaf2ab5019f7d114b2c309eb7539828f93f10b"
+SRCREV_machine_qemuriscv64 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
+SRCREV_machine_qemux86 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
+SRCREV_machine_qemux86-64 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
+SRCREV_machine_qemumips64 ?= "19c1ba85d643f819cf3e62ee57d05eec2855e97e"
+SRCREV_machine ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
+SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.243"
+LINUX_VERSION ?= "5.4.246"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 07/10] linux-yocto/5.4: update to v5.4.247

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    61a2f83e4762 Linux 5.4.247
    4b0199bc8189 Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE"
    85258ae30708 mtd: spinand: macronix: Add support for MX35LFxGE4AD
    8e546674031f btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
    4223d91ca1b5 btrfs: check return value of btrfs_commit_transaction in relocation
    a35d89d3605b rbd: get snapshot context after exclusive lock is ensured to be held
    52a40eaa55d6 drm/atomic: Don't pollute crtc_state->mode_blob with error pointers
    2cc5d40e4d49 cifs: handle empty list of targets in cifs_reconnect()
    307ffb716282 cifs: get rid of unused parameter in reconn_setup_dfs_targets()
    73ed7996bbec ext4: only check dquot_initialize_needed() when debugging
    7d0a29c74a31 eeprom: at24: also select REGMAP
    0360652bf6ab i2c: sprd: Delete i2c adapter in .remove's error path
    c73f1c2f6816 bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
    ec946898039a usb: usbfs: Use consistent mmap functions
    0147952d158b usb: usbfs: Enforce page requirements for mmap
    090878903dd3 pinctrl: meson-axg: add missing GPIOA_18 gpio group
    c6e842555050 rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
    69653f941619 Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
    953335a377b6 ceph: fix use-after-free bug for inodes when flushing capsnaps
    2416bac0e7b2 can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
    bf0245bd44c0 can: j1939: change j1939_netdev_lock type to mutex
    9eed68d62e2a can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket
    2fc62d51d3e4 drm/amdgpu: fix xclk freq on CHIP_STONEY
    e752bb1c039f ALSA: hda/realtek: Add Lenovo P3 Tower platform
    ca599db7a5e0 ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
    d5ca4799e6d3 Input: psmouse - fix OOB access in Elantech protocol
    282a96e3f88f Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
    a3a99a069eb9 batman-adv: Broken sync while rescheduling delayed work
    df7044fc099b bnxt_en: Query default VLAN before VNIC setup on a VF
    a6ca81297392 lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
    198da74a4e8d net: sched: fix possible refcount leak in tc_chain_tmplt_add()
    8f7cbd6d5e39 net: sched: move rtm_tca_policy declaration to include file
    b8b90f92444b rfs: annotate lockless accesses to RFS sock flow table
    28ac3cf2ac21 rfs: annotate lockless accesses to sk->sk_rxhash
    a4c72805fda4 netfilter: ipset: Add schedule point in call_ad().
    0b705ed9d403 netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
    c2c6133eebaf Bluetooth: L2CAP: Add missing checks for invalid DCID
    0f841f80390d Bluetooth: Fix l2cap_disconnect_req deadlock
    b0b1b97702a5 net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
    7e0da73ce546 neighbour: fix unaligned access to pneigh_entry
    314713ff4c9b neighbour: Replace zero-length array with flexible-array member
    e96f52705a63 spi: qup: Request DMA before enabling clocks
    1cc6435cd704 i40e: fix build warnings in i40e_alloc.h
    fc75b8973de4 i40iw: fix build warning in i40iw_manage_apbvt()
    c425e71826e4 block/blk-iocost (gcc13): keep large values in a new enum
    ec97af8e8a36 blk-iocost: avoid 64-bit division in ioc_timer_fn

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index a604e08822..8e0f7ae217 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "5cc4655a187a2c5a1a30c6c2295fefab9c8c986d"
-SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
+SRCREV_machine ?= "3ec10d880e38eb58af39c33094e455da59afd42b"
+SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.246"
+LINUX_VERSION ?= "5.4.247"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 0938c3d854..6a6787a091 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.246"
+LINUX_VERSION ?= "5.4.247"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "ffc4cd8db8b2c495a04a9f28e2da3b4c91f30711"
-SRCREV_machine ?= "9a992a65fe0346b8a7a86ffb2c491dadecada05a"
-SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
+SRCREV_machine_qemuarm ?= "5780bc7b75d300e9b90b78c9297ff4717a78a893"
+SRCREV_machine ?= "45eaa635123abc1568c35d4abd0f31cc7c4f75a9"
+SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 28ef51f883..6c9cea6993 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "0682b6432f4fb3931fc5a32938ae2957e97ad3fd"
-SRCREV_machine_qemuarm64 ?= "736062be272094d22416e228b92560302298f9fd"
-SRCREV_machine_qemumips ?= "db77f08d3d5176d1b079195beefd558a32e18b69"
-SRCREV_machine_qemuppc ?= "1dbaf2ab5019f7d114b2c309eb7539828f93f10b"
-SRCREV_machine_qemuriscv64 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
-SRCREV_machine_qemux86 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
-SRCREV_machine_qemux86-64 ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
-SRCREV_machine_qemumips64 ?= "19c1ba85d643f819cf3e62ee57d05eec2855e97e"
-SRCREV_machine ?= "31ef22a71bebca6fda5592e2dec249886c29cfbb"
-SRCREV_meta ?= "e454f2ec4c69cd5afd7d13df74dd124b856e8765"
+SRCREV_machine_qemuarm ?= "5f8520357626b4a63278e222fa32b322f9811f34"
+SRCREV_machine_qemuarm64 ?= "5aae64158e118c7c96b6b2db41aa0c565d733c47"
+SRCREV_machine_qemumips ?= "50721182f0802cab035f92538c9fe60fa32e27a6"
+SRCREV_machine_qemuppc ?= "032f6844ab616a7c3c96a27a9f7c19c56e4b37a5"
+SRCREV_machine_qemuriscv64 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
+SRCREV_machine_qemux86 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
+SRCREV_machine_qemux86-64 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
+SRCREV_machine_qemumips64 ?= "77a6c71bda43b4d11767ea3946385f6a5d2d24b6"
+SRCREV_machine ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
+SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.246"
+LINUX_VERSION ?= "5.4.247"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 08/10] linux-yocto/5.4: update to v5.4.248

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    f2b499c27a95 Linux 5.4.248
    1cdc48aaff18 mmc: block: ensure error propagation for non-blk
    de517032ee39 drm/nouveau/kms: Fix NULL pointer dereference in nouveau_connector_detect_depth
    d3f7f557d8a2 neighbour: delete neigh_lookup_nodev as not used
    a433b85d1750 net: Remove unused inline function dst_hold_and_use()
    fbc0209ae3a7 neighbour: Remove unused inline function neigh_key_eq16()
    bc1ea55bf1cf afs: Fix vlserver probe RTT handling
    98acd5f0ce10 selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
    1140f8bc29c2 net: tipc: resize nlattr array to correct size
    b83f86ba414c net: lapbether: only support ethernet devices
    ec694ad393cc net/sched: cls_api: Fix lockup on flushing explicitly created chain
    0456f470fa02 drm/nouveau: add nv_encoder pointer check for NULL
    b1d76d16af2a drm/nouveau/kms: Don't change EDID when it hasn't actually changed
    f654b8a1325f drm/nouveau/dp: check for NULL nv_connector->native_mode
    2ac7be7718a1 igb: fix nvm.ops.read() error handling
    44008337f80e sctp: fix an error code in sctp_sf_eat_auth()
    edd3d3dc4849 ipvlan: fix bound dev checking for IPv6 l3s mode
    6718478c18a4 IB/isert: Fix incorrect release of isert connection
    f8a91a024ab9 IB/isert: Fix possible list corruption in CMA handler
    8a867ab71302 IB/isert: Fix dead lock in ib_isert
    22125be516ef IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
    ea4cf04d3f19 iavf: remove mask from iavf_irq_enable_queues()
    19a500f530c2 RDMA/rxe: Fix the use-before-initialization error of resp_pkts
    42ab73534583 RDMA/rxe: Removed unused name from rxe_task struct
    f99b6de58b5e RDMA/rxe: Remove the unused variable obj
    46305daf8064 net/sched: cls_u32: Fix reference counter leak leading to overflow
    88d6c1958bc0 ping6: Fix send to link-local addresses with VRF.
    474e0adf29cf netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
    67cafcd3e661 spi: fsl-dspi: avoid SCK glitches with continuous transfers
    8231594e21d1 spi: spi-fsl-dspi: Remove unused chip->void_write_data
    9d8b388a24c6 usb: dwc3: gadget: Reset num TRBs before giving back the request
    94e52fac1519 serial: lantiq: add missing interrupt ack
    b577b74f8f83 USB: serial: option: add Quectel EM061KGL series
    6b1203ae83c3 Remove DECnet support from kernel
    aad6addc17ae ALSA: hda/realtek: Add a quirk for Compaq N14JP6
    def7e17c98f7 net: usb: qmi_wwan: add support for Compal RXM-G1
    74bd53737372 RDMA/uverbs: Restrict usage of privileged QKEYs
    a8997ffad359 nouveau: fix client work fence deletion race
    01fd784b0762 powerpc/purgatory: remove PGO flags
    b16bf76b3828 kexec: support purgatories with .text.hot sections
    b27a5fbe3c87 nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
    0dd2d8331eb4 nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
    e1fb47f13970 nios2: dts: Fix tse_mac "max-frame-size" property
    5e531f448e5a ocfs2: check new file size on fallocate call
    f6878da39f47 ocfs2: fix use-after-free when unmounting read-only filesystem
    82173fde61c7 drm:amd:amdgpu: Fix missing buffer object unlock in failure path
    63afd766211b xen/blkfront: Only check REQ_FUA for writes
    27447dada0b5 mips: Move initrd_start check after initrd address sanitisation.
    a365600bba27 MIPS: Alchemy: fix dbdma2
    6b39b06b8d5b parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
    de873bce06a8 parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
    28850d25a62c btrfs: handle memory allocation failure in btrfs_csum_one_bio
    b31586747bae power: supply: Fix logic checking if system is running from battery
    dd8804117d4b irqchip/meson-gpio: Mark OF related data as maybe unused
    30ade27dbe66 regulator: Fix error checking for debugfs_create_dir
    a12155f0b1b6 platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
    d26edc403c0a power: supply: Ratelimit no data debug output
    af44b2ddfc08 ARM: dts: vexpress: add missing cache properties
    bd725832eb50 power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
    82bfd14f1359 power: supply: sc27xx: Fix external_power_changed race
    66d5882dcc9f power: supply: ab8500: Fix external_power_changed race
    a8f286bfbc71 s390/dasd: Use correct lock while counting channel queue length
    d60be47f4357 dasd: refactor dasd_ioctl_information
    7f3bb75a0484 KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
    75d9e00f65cd test_firmware: fix a memory leak with reqs buffer

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 8e0f7ae217..a98a64110a 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "3ec10d880e38eb58af39c33094e455da59afd42b"
-SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
+SRCREV_machine ?= "8472ed342e0ac3f529c10b474b12ef0e05995778"
+SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.247"
+LINUX_VERSION ?= "5.4.248"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 6a6787a091..46a8856963 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.247"
+LINUX_VERSION ?= "5.4.248"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "5780bc7b75d300e9b90b78c9297ff4717a78a893"
-SRCREV_machine ?= "45eaa635123abc1568c35d4abd0f31cc7c4f75a9"
-SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
+SRCREV_machine_qemuarm ?= "ca5368c73bab4eb276a8e721df28c02ceb8f3eeb"
+SRCREV_machine ?= "abb579170926348d1518bc1a2de8cb1cdf403808"
+SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 6c9cea6993..fae2de5c72 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "5f8520357626b4a63278e222fa32b322f9811f34"
-SRCREV_machine_qemuarm64 ?= "5aae64158e118c7c96b6b2db41aa0c565d733c47"
-SRCREV_machine_qemumips ?= "50721182f0802cab035f92538c9fe60fa32e27a6"
-SRCREV_machine_qemuppc ?= "032f6844ab616a7c3c96a27a9f7c19c56e4b37a5"
-SRCREV_machine_qemuriscv64 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
-SRCREV_machine_qemux86 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
-SRCREV_machine_qemux86-64 ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
-SRCREV_machine_qemumips64 ?= "77a6c71bda43b4d11767ea3946385f6a5d2d24b6"
-SRCREV_machine ?= "2ded7ddaca7d93e0df26c4392b713dd7b016a402"
-SRCREV_meta ?= "b09511ad6dbb6f38303add48d2da78906bab1380"
+SRCREV_machine_qemuarm ?= "68775a8671944b96c6a1ee795809f81149951f2d"
+SRCREV_machine_qemuarm64 ?= "54bc3d459501d8df9baf093a34d8bb676c207a07"
+SRCREV_machine_qemumips ?= "ba2d346cc66307fa6332b9fb86eb8ca66f30ebcd"
+SRCREV_machine_qemuppc ?= "6703d4c7c75fab78e0c72227a98aba8071d5b1c3"
+SRCREV_machine_qemuriscv64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
+SRCREV_machine_qemux86 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
+SRCREV_machine_qemux86-64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
+SRCREV_machine_qemumips64 ?= "66cac7d41a43594760f6ac48e848d73315cc5dd3"
+SRCREV_machine ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
+SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.247"
+LINUX_VERSION ?= "5.4.248"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 09/10] linux-yocto-rt/54: fix 5.4-rt build breakage

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit:

    commit 8d8179549a233e7517523ac12887016451da2e20
    Author: Bruce Ashfield <bruce.ashfield@gmail.com>
    Date:   Tue Jun 27 10:13:01 2023 -0400

        rt: fix 5.4-stable introduced compile errors

        The 5.4 stable series brough back two elements removed
        by the -rt patch:

         - tick_period
         - deferred/safe printk

        We fix the build by dropping the use of the period and
        deferred printk

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb   | 4 ++--
 meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index a98a64110a..541d169379 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,8 +11,8 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "8472ed342e0ac3f529c10b474b12ef0e05995778"
-SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
+SRCREV_machine ?= "8d8179549a233e7517523ac12887016451da2e20"
+SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 46a8856963..171ff8493c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "ca5368c73bab4eb276a8e721df28c02ceb8f3eeb"
 SRCREV_machine ?= "abb579170926348d1518bc1a2de8cb1cdf403808"
-SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
+SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index fae2de5c72..527728d9d0 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -21,7 +21,7 @@ SRCREV_machine_qemux86 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
 SRCREV_machine_qemux86-64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
 SRCREV_machine_qemumips64 ?= "66cac7d41a43594760f6ac48e848d73315cc5dd3"
 SRCREV_machine ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_meta ?= "5c912968f2cb938ad084d457dae99bf8eb16032d"
+SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.34.1

[OE-core][dunfell 10/10] linux-yocto/5.4: cfg: fix DECNET configuration warning

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Dropping CONFIG_DECNET as it has been removed from -stable
and we now get a configuration warning.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb   | 2 +-
 meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb | 2 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 541d169379..d775a60e9f 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -12,7 +12,7 @@ python () {
 }
 
 SRCREV_machine ?= "8d8179549a233e7517523ac12887016451da2e20"
-SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
+SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 171ff8493c..5e2b2ab6cf 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -17,7 +17,7 @@ KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "ca5368c73bab4eb276a8e721df28c02ceb8f3eeb"
 SRCREV_machine ?= "abb579170926348d1518bc1a2de8cb1cdf403808"
-SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
+SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 527728d9d0..336e72eede 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -21,7 +21,7 @@ SRCREV_machine_qemux86 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
 SRCREV_machine_qemux86-64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
 SRCREV_machine_qemumips64 ?= "66cac7d41a43594760f6ac48e848d73315cc5dd3"
 SRCREV_machine ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_meta ?= "b6e41788aebaf8058d1f15f6cdcf55a6edb77755"
+SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
-- 
2.34.1

[OE-core][dunfell 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Thursday, October 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6058

with the exception of a reproducibility issue for the vim-common package
where we have:

"Content-Type:·text/plain;·charset=CP1251\n"

in the A build and:

"Content-Type:·text/plain;·charset=cp1251\n"

in the B build.

Dunfell autobuilder builds are currently using an older buildtools tarball
which is missing:

https://git.yoctoproject.org/poky/commit/?id=a2f1791f8d0118f44cf752341c4793d656a54a94

I'm sending a patch to the list to update dunfell to the latest buildtools tarball

The following changes since commit 0e167ef0eb7ac62ddb991ce80c27882863d8ee7c:

  cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport (2023-10-09 07:30:51 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Marek Vasut (2):
  libtiff: Add fix for tiffcrop CVE-2023-1916
  systemd: Backport systemd-resolved: use hostname for certificate
    validation in DoT

Mike Crowe (2):
  curl: Backport fix for CVE-2023-38545
  curl: Backport fix for CVE-2023-38546

Pawan (1):
  libwebp: Update CVE ID CVE-2023-4863

Ryan Eatmon (1):
  kernel.bbclass: Add force flag to rm calls

Siddharth Doshi (4):
  glib-2.0: Fix multiple vulnerabilities
  vim: Upgrade 9.0.1894 -> 9.0.2009
  xorg-lib-common: Add variable to set tarball type
  libxpm: upgrade to 3.5.17

 meta/classes/kernel.bbclass                   |   4 +-
 .../glib-2.0/glib-2.0/CVE-2023-29499.patch    | 290 ++++++++++++
 .../glib-2.0/CVE-2023-32611-0001.patch        |  89 ++++
 .../glib-2.0/CVE-2023-32611-0002.patch        | 255 +++++++++++
 .../glib-2.0/glib-2.0/CVE-2023-32636.patch    |  49 ++
 .../glib-2.0/glib-2.0/CVE-2023-32643.patch    | 154 +++++++
 .../glib-2.0/CVE-2023-32665-0001.patch        | 103 +++++
 .../glib-2.0/CVE-2023-32665-0002.patch        | 210 +++++++++
 .../glib-2.0/CVE-2023-32665-0003.patch        | 417 ++++++++++++++++++
 .../glib-2.0/CVE-2023-32665-0004.patch        | 113 +++++
 .../glib-2.0/CVE-2023-32665-0005.patch        |  80 ++++
 .../glib-2.0/CVE-2023-32665-0006.patch        | 396 +++++++++++++++++
 .../glib-2.0/CVE-2023-32665-0007.patch        |  49 ++
 .../glib-2.0/CVE-2023-32665-0008.patch        | 394 +++++++++++++++++
 .../glib-2.0/CVE-2023-32665-0009.patch        |  97 ++++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb |  14 +
 .../systemd/systemd/CVE-2018-21029.patch      | 120 +++++
 meta/recipes-core/systemd/systemd_244.5.bb    |   1 +
 .../xorg-lib/libxpm/CVE-2022-46285.patch      |  40 --
 .../{libxpm_3.5.13.bb => libxpm_3.5.17.bb}    |   9 +-
 .../xorg-lib/xorg-lib-common.inc              |   3 +-
 .../libtiff/files/CVE-2023-1916.patch         |  91 ++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 .../webp/files/CVE-2023-5129.patch            |   9 +-
 .../curl/curl/CVE-2023-38545.patch            | 148 +++++++
 .../curl/curl/CVE-2023-38546.patch            | 132 ++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 28 files changed, 3223 insertions(+), 51 deletions(-)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
 delete mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.17.bb} (68%)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38545.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch

-- 
2.34.1

[OE-core][dunfell 00/10] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end of
day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3433

The following changes since commit 71015408c60ddf2e9af00cc8574815971e1b689d:

  oeqa/selftest/tinfoil: Improve tinfoil event test debugging (2022-03-21 04:17:02 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Davide Gardenal (3):
  qemu: backport patch fix for CVE-2020-13791
  apt: backport patch fix for CVE-2020-3810
  ghostscript: backport patch fix for CVE-2021-3781

Minjae Kim (2):
  gnu-config: update SRC_URI
  virglrenderer: update SRC_URI

Ralph Siemsen (1):
  libxml2: fix CVE-2022-23308 regression

Richard Purdie (1):
  oeqa/selftest/tinfoil: Fix intermittent event loss issue in test

Ross Burton (1):
  python3: ignore CVE-2022-26488

Steve Sakoman (2):
  libsolv: fix CVE: CVE-2021-44568-71 and CVE-2021-44573-77
  ghostscript: fix CVE-2020-15900 and CVE-2021-45949 for -native

 meta/lib/oeqa/selftest/cases/tinfoil.py       |   2 +-
 .../CVE-2022-23308-fix-regression.patch       |  98 ++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   1 +
 meta/recipes-devtools/apt/apt.inc             |   1 +
 .../apt/apt/CVE-2020-3810.patch               | 174 +++++++++++++
 .../gnu-config/gnu-config_git.bb              |   2 +-
 .../recipes-devtools/python/python3_3.8.13.bb |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2020-13791.patch            |  44 ++++
 .../ghostscript/CVE-2021-3781_1.patch         | 121 +++++++++
 .../ghostscript/CVE-2021-3781_2.patch         |  37 +++
 .../ghostscript/CVE-2021-3781_3.patch         | 238 ++++++++++++++++++
 .../ghostscript/ghostscript_9.52.bb           |   9 +-
 .../libsolv/files/CVE-2021-3200.patch         |  10 +
 .../virglrenderer/virglrenderer_0.8.2.bb      |   2 +-
 15 files changed, 735 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
 create mode 100644 meta/recipes-devtools/apt/apt/CVE-2020-3810.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch

-- 
2.25.1

[OE-core][dunfell 00/10] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3026

with the exception of a known autobuilder intermittent issue which passed 
on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/86/builds/2924

The following changes since commit f788765e1b9832d0da8ec4ce49aa811115864b0e:

  README.OE-Core.md: update URLs (2021-12-06 04:48:48 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Andrey Zhizhikin (1):
  lttng-modules: do not search in non-existing folder during install

Markus Volk (1):
  wic:direct.py: ignore invalid mountpoints during fstab update

Marta Rybczynska (1):
  libgcrypt: solve CVE-2021-33560 and CVE-2021-40528

Richard Purdie (1):
  gcc: Add CVE-2021-37322 to the list of CVEs to ignore

Ross Burton (1):
  runqemu: check the qemu PID has been set before kill()ing it

Sana Kazi (1):
  busybox: Fix multiple security issues in awk

Stefan Herbrechtsmeier (2):
  recipetool: Set master branch only as fallback
  selftest/devtool: Check branch in git fetch

Steve Sakoman (2):
  cve-extra-exclusions: add db CVEs to exclusion list
  selftest: skip virgl test on centos 8 entirely

 .../distro/include/cve-extra-exclusions.inc   |   9 +-
 meta/lib/oeqa/selftest/cases/devtool.py       |   5 +-
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   1 +
 .../busybox/files/CVE-2021-423xx-awk.patch    | 215 ++++++++++++++++++
 meta/recipes-devtools/gcc/gcc-9.3.inc         |   3 +
 .../lttng/lttng-modules_2.11.6.bb             |   4 +-
 .../libgcrypt/files/CVE-2021-33560.patch      | 138 +++++------
 .../libgcrypt/files/CVE-2021-40528.patch      | 109 +++++++++
 .../libgcrypt/libgcrypt_1.8.5.bb              |   1 +
 scripts/lib/recipetool/create.py              |  15 +-
 scripts/lib/wic/plugins/imager/direct.py      |   2 +-
 scripts/runqemu                               |   3 +-
 13 files changed, 408 insertions(+), 99 deletions(-)
 create mode 100644 meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch

-- 
2.25.1