[OE-core][dunfell 00/13] Patch review

[OE-core][dunfell 00/13] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end of
day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3397

The following changes since commit ff90d0e91aec252d3f5986df9ce02293cddadbca:

  build-appliance-image: Update to dunfell head revision (2022-03-14 14:45:29 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  mobile-broadband-provider-info: upgrade 20201225 -> 20210805

Changhyeok Bae (1):
  mobile-broadband-provider-info: upgrade 20210805 -> 20220315

Davide Gardenal (2):
  re2c: backport fix for CVE-2018-21232
  qemu: backport fix for CVE-2020-13253

Minjae Kim (1):
  bluez5: fix CVE-2021-3658

Ovidiu Panait (1):
  openssl: upgrade 1.1.1l -> 1.1.1n

Ralph Siemsen (2):
  libxml2: backport fix for CVE-2022-23308
  libxml2: move to gitlab.gnome.org

Richard Purdie (3):
  python3targetconfig: Use for nativesdk too
  oeqa/runtime/ping: Improve failure message to include more detail
  oeqa/selftest/tinfoil: Improve tinfoil event test debugging

Tim Orling (1):
  python3: upgrade 3.8.12 -> 3.8.13

wangmy (1):
  linux-firmware: upgrade 20220209 -> 20220310

 meta/classes/python3targetconfig.bbclass      |  12 +
 meta/lib/oeqa/runtime/cases/ping.py           |  20 +-
 meta/lib/oeqa/selftest/cases/tinfoil.py       |   4 +-
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2021-3658.patch         |  95 +++++
 .../mobile-broadband-provider-info_git.bb     |   7 +-
 .../openssl/openssl/CVE-2021-4160.patch       | 145 --------
 .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb}  |   4 +-
 .../libxml/libxml2/CVE-2022-23308.patch       | 204 ++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  11 +-
 ...-detection-of-mips-architecture-for-.patch |  42 ++-
 .../{python3_3.8.12.bb => python3_3.8.13.bb}  |   6 +-
 meta/recipes-devtools/qemu/qemu.inc           |   5 +
 .../qemu/qemu/CVE-2020-13253_1.patch          |  50 +++
 .../qemu/qemu/CVE-2020-13253_2.patch          | 112 ++++++
 .../qemu/qemu/CVE-2020-13253_3.patch          |  86 +++++
 .../qemu/qemu/CVE-2020-13253_4.patch          | 139 +++++++
 .../qemu/qemu/CVE-2020-13253_5.patch          |  54 +++
 ...20220209.bb => linux-firmware_20220310.bb} |   6 +-
 .../re2c/re2c/CVE-2018-21232-1.patch          | 347 ++++++++++++++++++
 .../re2c/re2c/CVE-2018-21232-2.patch          | 243 ++++++++++++
 .../re2c/re2c/CVE-2018-21232-3.patch          | 156 ++++++++
 .../re2c/re2c/CVE-2018-21232-4.patch          | 166 +++++++++
 meta/recipes-support/re2c/re2c_1.0.1.bb       |   6 +-
 24 files changed, 1730 insertions(+), 191 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (97%)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
 rename meta/recipes-devtools/python/{python3_3.8.12.bb => python3_3.8.13.bb} (98%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220209.bb => linux-firmware_20220310.bb} (99%)
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch

-- 
2.25.1

[OE-core][dunfell 00/13] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back
by end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4633

The following changes since commit e44f0cda8176186d42a752631810c1cb5f1971eb:

  kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild (2022-12-06 07:52:17 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexey Smirnov (1):
  classes: make TOOLCHAIN more permissive for kernel

Chen Qi (1):
  psplash: consider the situation of psplash not exist for systemd

Harald Seiler (1):
  opkg: Set correct info_dir and status_file in opkg.conf

Hitendra Prajapati (3):
  libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
  sysstat: fix CVE-2022-39377
  golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing
    regexps

Lee Chee Yang (1):
  dropbear: fix CVE-2021-36369

Mathieu Dubois-Briand (1):
  curl: Fix CVE CVE-2022-35260

Minjae Kim (1):
  xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and
    CVE-2022-3553

Pawan Badganchi (1):
  python3: Fix CVE-2022-37454

Qiu, Zheng (1):
  vim: upgrade 9.0.0820 -> 9.0.0947

Richard Purdie (1):
  oeqa/selftest/tinfoil: Add test for separate config_data with
    recipe_parse_file()

Riyaz Khan (1):
  rpm: Fix rpm CVE CVE-2021-3521

 meta/classes/kernel-arch.bbclass              |   2 +-
 meta/lib/oeqa/selftest/cases/tinfoil.py       |  14 +
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2021-36369.patch    | 145 ++++++++
 .../psplash/files/psplash-start.service       |   1 +
 .../psplash/files/psplash-systemd.service     |   1 +
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-41715.patch           | 271 ++++++++++++++
 meta/recipes-devtools/opkg/opkg_0.4.2.bb      |   4 +-
 .../python/python3/CVE-2022-37454.patch       | 105 ++++++
 .../recipes-devtools/python/python3_3.8.14.bb |   1 +
 .../rpm/files/CVE-2021-3521-01.patch          |  60 ++++
 .../rpm/files/CVE-2021-3521-02.patch          |  55 +++
 .../rpm/files/CVE-2021-3521-03.patch          |  34 ++
 .../rpm/files/CVE-2021-3521.patch             | 330 ++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |   4 +
 .../libarchive/CVE-2022-36227.patch           |  43 +++
 .../libarchive/libarchive_3.4.2.bb            |   1 +
 .../sysstat/sysstat/CVE-2022-39377.patch      |  92 +++++
 .../sysstat/sysstat_12.2.1.bb                 |   4 +-
 .../xserver-xorg/CVE-2022-3550.patch          |  40 +++
 .../xserver-xorg/CVE-2022-3551.patch          |  64 ++++
 .../xserver-xorg/CVE-2022-3553.patch          |  49 +++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |   3 +
 .../curl/curl/CVE-2022-35260.patch            |  68 ++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 27 files changed, 1393 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2022-37454.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
 create mode 100644 meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35260.patch

-- 
2.25.1

[OE-core][dunfell 00/13] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5614

The following changes since commit b3fc8ef9aba822b3d485242c8ebd0e0bff0ebfc8:

  cve-update-nvd2-native: actually use API keys (2023-07-13 06:54:58 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  linux-firmware: upgrade 20230404 -> 20230515
  wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

Anthony Bagwell (1):
  kernel-fitimage: fix dtbo support for fit images

Ashish Sharma (1):
  go: Fix CVE-2023-29400

Deepthi Hemraj (1):
  glibc: stable 2.31 branch updates.

Nikhil R (1):
  libpng: Add ptest for libpng

Poonam Jadhav (1):
  libx11: Fix CVE-2023-3138 for dunfell branch

Priyal Doshi (1):
  tzdata: upgrade to 2023c

Tom Hochstein (1):
  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Trevor Gamblin (1):
  vim: upgrade 9.0.1527 -> 9.0.1592

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Vivek Kumbhar (2):
  curl: fix CVE-2023-28320 siglongjmp race condition may lead to crash
  python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass

 meta/classes/kernel-fitimage.bbclass          |   2 +-
 .../distro/include/ptest-packagelists.inc     |   1 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../cmake/cmake/OEToolchainConfig.cmake       |   5 +-
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2023-29400.patch           |  94 +++++++++
 .../python/python3/CVE-2023-24329.patch       |  80 +++++++
 .../recipes-devtools/python/python3_3.8.17.bb |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-0330.patch             |  77 +++++++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../xorg-lib/libx11/CVE-2023-3138.patch       | 111 ++++++++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 ...20230404.bb => linux-firmware_20230515.bb} |   4 +-
 ....02.13.bb => wireless-regdb_2023.05.03.bb} |   2 +-
 .../recipes-multimedia/libpng/files/run-ptest |  29 +++
 .../libpng/libpng_1.6.37.bb                   |  15 +-
 .../curl/curl/CVE-2023-28320-fol1.patch       | 197 ++++++++++++++++++
 .../curl/curl/CVE-2023-28320.patch            |  86 ++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 21 files changed, 705 insertions(+), 16 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => linux-firmware_20230515.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch

-- 
2.34.1

[OE-core][dunfell 00/13] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Tuesday, October 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5966

The following changes since commit a9d194f21a3bdebca8aaff204804a5fdc67c76d1:

  vim: Upgrade 9.0.1664 -> 9.0.1894 (2023-09-25 07:03:13 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  nasm: update 2.15.03 -> 2.15.05

Archana Polampalli (1):
  nasm: fix CVE-2022-44370

Ashish Sharma (1):
  mdadm: Backport fix for CVE-2023-28736

Bruce Ashfield (4):
  linux-yocto/5.4: update to v5.4.252
  linux-yocto/5.4: update to v5.4.254
  linux-yocto/5.4: update to v5.4.256
  linux-yocto/5.4: update to v5.4.257

Colin McAllister (1):
  libwebp: Fix CVE-2023-5129

Lee Chee Yang (3):
  libxpm: fix CVE-2022-46285
  qemu: fix CVE-2020-24165
  python3: update to 3.8.18

Siddharth Doshi (1):
  go: Fix CVE-2023-39318 and CVE-2023-39319

Vijay Anusuri (1):
  ghostscript: fix CVE-2023-36664

 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-39318.patch           | 238 ++++++++++++
 .../go/go-1.14/CVE-2023-39319.patch           | 230 +++++++++++
 .../0002-Add-debug-prefix-map-option.patch    |  42 +-
 .../nasm/nasm/CVE-2022-44370.patch            | 104 +++++
 .../nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} |   5 +-
 .../{python3_3.8.17.bb => python3_3.8.18.bb}  |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2020-24165.patch            |  94 +++++
 .../ghostscript/CVE-2023-36664-1.patch        | 145 +++++++
 .../ghostscript/CVE-2023-36664-2.patch        |  60 +++
 .../ghostscript/CVE-2023-36664-pre1.patch     |  62 +++
 .../ghostscript/ghostscript_9.52.bb           |   3 +
 .../mdadm/files/CVE-2023-28736.patch          |  77 ++++
 meta/recipes-extended/mdadm/mdadm_4.1.bb      |   1 +
 .../xorg-lib/libxpm/CVE-2022-46285.patch      |  40 ++
 .../xorg-lib/libxpm_3.5.13.bb                 |   2 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../webp/files/CVE-2023-5129.patch            | 364 ++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.1.0.bb |   1 +
 22 files changed, 1467 insertions(+), 44 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
 rename meta/recipes-devtools/nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} (80%)
 rename meta/recipes-devtools/python/{python3_3.8.17.bb => python3_3.8.18.bb} (99%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch

-- 
2.34.1

[OE-core][dunfell 01/13] mdadm: Backport fix for CVE-2023-28736

[Steve Sakoman]

From: Ashish Sharma <asharma@mvista.com>

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../mdadm/files/CVE-2023-28736.patch          | 77 +++++++++++++++++++
 meta/recipes-extended/mdadm/mdadm_4.1.bb      |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
new file mode 100644
index 0000000000..8e0a06cbc7
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ mdadm.8.in | 5 +++++
+ mdadm.c    | 9 ++++++++-
+ mdadm.h    | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
++++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+ 
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems.  They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
++++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+ 			mdfd = open_mddev(devlist->devname, 1);
+ 			if (mdfd < 0)
+ 				exit(1);
+-		} else
++		} else {
++			char *bname = basename(devlist->devname);
++
++			if (strlen(bname) > MD_NAME_MAX) {
++				pr_err("Name %s is too long.\n", devlist->devname);
++				exit(1);
++			}
+ 			/* non-existent device is OK */
+ 			mdfd = open_mddev(devlist->devname, 0);
++		}
+ 		if (mdfd == -2) {
+ 			pr_err("device %s exists but is not an md array.\n", devlist->devname);
+ 			exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
++++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+-- 
+cgit 
+
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index bb77759cf9..5238a41df2 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
            file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
            file://include_sysmacros.patch \
            file://0001-mdadm-skip-test-11spare-migration.patch \
+           file://CVE-2023-28736.patch \
            "
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"
-- 
2.34.1

[OE-core][dunfell 02/13] libwebp: Fix CVE-2023-5129

[Steve Sakoman]

From: Colin McAllister <colinmca242@gmail.com>

Add patch from libwebp 1.1.0 to fix CVE-2023-5129.

Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webp/files/CVE-2023-5129.patch            | 364 ++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.1.0.bb |   1 +
 2 files changed, 365 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
new file mode 100644
index 0000000000..eb77e193c2
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
@@ -0,0 +1,364 @@
+From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Thu, 7 Sep 2023 21:16:03 +0200
+Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+
+First, BuildHuffmanTable is called to check if the data is valid.
+If it is and the table is not big enough, more memory is allocated.
+
+This will make sure that valid (but unoptimized because of unbalanced
+codes) streams are still decodable.
+
+Bug: chromium:1479274
+Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
+
+CVE: CVE-2023-5129
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]
+Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+---
+ src/dec/vp8l_dec.c        | 46 ++++++++++---------
+ src/dec/vp8li_dec.h       |  2 +-
+ src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++--------
+ src/utils/huffman_utils.h | 27 +++++++++--
+ 4 files changed, 129 insertions(+), 43 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 93615d4e..0d38314d 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
+   int symbol;
+   int max_symbol;
+   int prev_code_len = DEFAULT_CODE_LENGTH;
+-  HuffmanCode table[1 << LENGTHS_TABLE_BITS];
++  HuffmanTables tables;
+ 
+-  if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
+-                             code_length_code_lengths,
+-                             NUM_CODE_LENGTH_CODES)) {
++  if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) ||
++      !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS,
++                             code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
+     goto End;
+   }
+ 
+@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
+     int code_len;
+     if (max_symbol-- == 0) break;
+     VP8LFillBitWindow(br);
+-    p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
++    p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
+     VP8LSetBitPos(br, br->bit_pos_ + p->bits);
+     code_len = p->value;
+     if (code_len < kCodeLengthLiterals) {
+@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
+   ok = 1;
+ 
+  End:
++  VP8LHuffmanTablesDeallocate(&tables);
+   if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
+   return ok;
+ }
+@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
+ // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
+ // tree.
+ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
+-                           int* const code_lengths, HuffmanCode* const table) {
++                           int* const code_lengths,
++                           HuffmanTables* const table) {
+   int ok = 0;
+   int size = 0;
+   VP8LBitReader* const br = &dec->br_;
+@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+   VP8LMetadata* const hdr = &dec->hdr_;
+   uint32_t* huffman_image = NULL;
+   HTreeGroup* htree_groups = NULL;
+-  HuffmanCode* huffman_tables = NULL;
+-  HuffmanCode* huffman_table = NULL;
++  HuffmanTables* huffman_tables = &hdr->huffman_tables_;
+   int num_htree_groups = 1;
+   int num_htree_groups_max = 1;
+   int max_alphabet_size = 0;
+@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+   int* mapping = NULL;
+   int ok = 0;
+ 
++  // Check the table has been 0 initialized (through InitMetadata).
++  assert(huffman_tables->root.start == NULL);
++  assert(huffman_tables->curr_segment == NULL);
++
+   if (allow_recursion && VP8LReadBits(br, 1)) {
+     // use meta Huffman codes.
+     const int huffman_precision = VP8LReadBits(br, 3) + 2;
+@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ 
+   code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
+                                       sizeof(*code_lengths));
+-  huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
+-                                                sizeof(*huffman_tables));
+   htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+ 
+-  if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
++  if (htree_groups == NULL || code_lengths == NULL ||
++      !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
++                                 huffman_tables)) {
+     dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
+     goto Error;
+   }
+ 
+-  huffman_table = huffman_tables;
+   for (i = 0; i < num_htree_groups_max; ++i) {
+     // If the index "i" is unused in the Huffman image, just make sure the
+     // coefficients are valid but do not store them.
+@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+       int max_bits = 0;
+       for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
+         int alphabet_size = kAlphabetSize[j];
+-        htrees[j] = huffman_table;
+         if (j == 0 && color_cache_bits > 0) {
+           alphabet_size += (1 << color_cache_bits);
+         }
+-        size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
++        size =
++            ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables);
++        htrees[j] = huffman_tables->curr_segment->curr_table;
+         if (size == 0) {
+           goto Error;
+         }
+         if (is_trivial_literal && kLiteralMap[j] == 1) {
+-          is_trivial_literal = (huffman_table->bits == 0);
++          is_trivial_literal = (htrees[j]->bits == 0);
+         }
+-        total_size += huffman_table->bits;
+-        huffman_table += size;
++        total_size += htrees[j]->bits;
++        huffman_tables->curr_segment->curr_table += size;
+         if (j <= ALPHA) {
+           int local_max_bits = code_lengths[0];
+           int k;
+@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+   hdr->huffman_image_ = huffman_image;
+   hdr->num_htree_groups_ = num_htree_groups;
+   hdr->htree_groups_ = htree_groups;
+-  hdr->huffman_tables_ = huffman_tables;
+ 
+  Error:
+   WebPSafeFree(code_lengths);
+   WebPSafeFree(mapping);
+   if (!ok) {
+     WebPSafeFree(huffman_image);
+-    WebPSafeFree(huffman_tables);
++    VP8LHuffmanTablesDeallocate(huffman_tables);
+     VP8LHtreeGroupsFree(htree_groups);
+   }
+   return ok;
+@@ -1354,7 +1358,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) {
+   assert(hdr != NULL);
+ 
+   WebPSafeFree(hdr->huffman_image_);
+-  WebPSafeFree(hdr->huffman_tables_);
++  VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_);
+   VP8LHtreeGroupsFree(hdr->htree_groups_);
+   VP8LColorCacheClear(&hdr->color_cache_);
+   VP8LColorCacheClear(&hdr->saved_color_cache_);
+@@ -1670,7 +1674,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) {
+   // Sanity checks.
+   if (dec == NULL) return 0;
+ 
+-  assert(dec->hdr_.huffman_tables_ != NULL);
++  assert(dec->hdr_.huffman_tables_.root.start != NULL);
+   assert(dec->hdr_.htree_groups_ != NULL);
+   assert(dec->hdr_.num_htree_groups_ > 0);
+ 
+diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
+index 72b2e861..32540a4b 100644
+--- a/src/dec/vp8li_dec.h
++++ b/src/dec/vp8li_dec.h
+@@ -51,7 +51,7 @@ typedef struct {
+   uint32_t*       huffman_image_;
+   int             num_htree_groups_;
+   HTreeGroup*     htree_groups_;
+-  HuffmanCode*    huffman_tables_;
++  HuffmanTables   huffman_tables_;
+ } VP8LMetadata;
+ 
+ typedef struct VP8LDecoder VP8LDecoder;
+diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
+index 0cba0fbb..9efd6283 100644
+--- a/src/utils/huffman_utils.c
++++ b/src/utils/huffman_utils.c
+@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
+       if (num_open < 0) {
+         return 0;
+       }
+-      if (root_table == NULL) continue;
+       for (; count[len] > 0; --count[len]) {
+         HuffmanCode code;
+         if ((key & mask) != low) {
+-          table += table_size;
++          if (root_table != NULL) table += table_size;
+           table_bits = NextTableBitSize(count, len, root_bits);
+           table_size = 1 << table_bits;
+           total_size += table_size;
+           low = key & mask;
+-          root_table[low].bits = (uint8_t)(table_bits + root_bits);
+-          root_table[low].value = (uint16_t)((table - root_table) - low);
++          if (root_table != NULL) {
++            root_table[low].bits = (uint8_t)(table_bits + root_bits);
++            root_table[low].value = (uint16_t)((table - root_table) - low);
++          }
++        }
++        if (root_table != NULL) {
++          code.bits = (uint8_t)(len - root_bits);
++          code.value = (uint16_t)sorted[symbol++];
++          ReplicateValue(&table[key >> root_bits], step, table_size, code);
+         }
+-        code.bits = (uint8_t)(len - root_bits);
+-        code.value = (uint16_t)sorted[symbol++];
+-        ReplicateValue(&table[key >> root_bits], step, table_size, code);
+         key = GetNextKey(key, len);
+       }
+     }
+@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
+   ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES)
+ // Cut-off value for switching between heap and stack allocation.
+ #define SORTED_SIZE_CUTOFF 512
+-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
+                           const int code_lengths[], int code_lengths_size) {
+-  int total_size;
++  const int total_size =
++      BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL);
+   assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE);
+-  if (root_table == NULL) {
+-    total_size = BuildHuffmanTable(NULL, root_bits,
+-                                   code_lengths, code_lengths_size, NULL);
+-  } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
++  if (total_size == 0 || root_table == NULL) return total_size;
++
++  if (root_table->curr_segment->curr_table + total_size >=
++      root_table->curr_segment->start + root_table->curr_segment->size) {
++    // If 'root_table' does not have enough memory, allocate a new segment.
++    // The available part of root_table->curr_segment is left unused because we
++    // need a contiguous buffer.
++    const int segment_size = root_table->curr_segment->size;
++    struct HuffmanTablesSegment* next =
++        (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next));
++    if (next == NULL) return 0;
++    // Fill the new segment.
++    // We need at least 'total_size' but if that value is small, it is better to
++    // allocate a big chunk to prevent more allocations later. 'segment_size' is
++    // therefore chosen (any other arbitrary value could be chosen).
++    next->size = total_size > segment_size ? total_size : segment_size;
++    next->start =
++        (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start));
++    if (next->start == NULL) {
++      WebPSafeFree(next);
++      return 0;
++    }
++    next->curr_table = next->start;
++    next->next = NULL;
++    // Point to the new segment.
++    root_table->curr_segment->next = next;
++    root_table->curr_segment = next;
++  }
++  if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
+     // use local stack-allocated array.
+     uint16_t sorted[SORTED_SIZE_CUTOFF];
+-    total_size = BuildHuffmanTable(root_table, root_bits,
+-                                   code_lengths, code_lengths_size, sorted);
+-  } else {   // rare case. Use heap allocation.
++    BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
++                      code_lengths, code_lengths_size, sorted);
++  } else {  // rare case. Use heap allocation.
+     uint16_t* const sorted =
+         (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
+     if (sorted == NULL) return 0;
+-    total_size = BuildHuffmanTable(root_table, root_bits,
+-                                   code_lengths, code_lengths_size, sorted);
++    BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
++                      code_lengths, code_lengths_size, sorted);
+     WebPSafeFree(sorted);
+   }
+   return total_size;
+ }
++
++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) {
++  // Have 'segment' point to the first segment for now, 'root'.
++  HuffmanTablesSegment* const root = &huffman_tables->root;
++  huffman_tables->curr_segment = root;
++  // Allocate root.
++  root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start));
++  if (root->start == NULL) return 0;
++  root->curr_table = root->start;
++  root->next = NULL;
++  root->size = size;
++  return 1;
++}
++
++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) {
++  HuffmanTablesSegment *current, *next;
++  if (huffman_tables == NULL) return;
++  // Free the root node.
++  current = &huffman_tables->root;
++  next = current->next;
++  WebPSafeFree(current->start);
++  current->start = NULL;
++  current->next = NULL;
++  current = next;
++  // Free the following nodes.
++  while (current != NULL) {
++    next = current->next;
++    WebPSafeFree(current->start);
++    WebPSafeFree(current);
++    current = next;
++  }
++}
+diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
+index 13b7ad1a..98415c53 100644
+--- a/src/utils/huffman_utils.h
++++ b/src/utils/huffman_utils.h
+@@ -43,6 +43,29 @@ typedef struct {
+                     // or non-literal symbol otherwise
+ } HuffmanCode32;
+ 
++// Contiguous memory segment of HuffmanCodes.
++typedef struct HuffmanTablesSegment {
++  HuffmanCode* start;
++  // Pointer to where we are writing into the segment. Starts at 'start' and
++  // cannot go beyond 'start' + 'size'.
++  HuffmanCode* curr_table;
++  // Pointer to the next segment in the chain.
++  struct HuffmanTablesSegment* next;
++  int size;
++} HuffmanTablesSegment;
++
++// Chained memory segments of HuffmanCodes.
++typedef struct HuffmanTables {
++  HuffmanTablesSegment root;
++  // Currently processed segment. At first, this is 'root'.
++  HuffmanTablesSegment* curr_segment;
++} HuffmanTables;
++
++// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on
++// memory allocation error, 1 otherwise.
++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables);
++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables);
++
+ #define HUFFMAN_PACKED_BITS 6
+ #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS)
+ 
+@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups);
+ // the huffman table.
+ // Returns built table size or 0 in case of error (invalid tree or
+ // memory error).
+-// If root_table is NULL, it returns 0 if a lookup cannot be built, something
+-// > 0 otherwise (but not the table size).
+-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
+                           const int code_lengths[], int code_lengths_size);
+ 
+ #ifdef __cplusplus
+-- 
+2.34.1
+
diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
index f449ae750b..27c5d92c92 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -21,6 +21,7 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
 
 SRC_URI += " \
     file://CVE-2023-1999.patch \
+    file://CVE-2023-5129.patch \
 "
 
 EXTRA_OECONF = " \
-- 
2.34.1

[OE-core][dunfell 03/13] libxpm: fix CVE-2022-46285

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xorg-lib/libxpm/CVE-2022-46285.patch      | 40 +++++++++++++++++++
 .../xorg-lib/libxpm_3.5.13.bb                 |  2 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch

diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
new file mode 100644
index 0000000000..e8b654dfb2
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
@@ -0,0 +1,40 @@
+CVE: CVE-2022-46285
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+ 		notend = 0;
+ 		Ungetc(data, *s, file);
+ 	    }
++	    else if (c == EOF) {
++		/* hit end of file before the end of the comment */
++		return XpmFileInvalid;
++	    }
+ 	}
+ 	return 0;
+     }
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
index fda8e32d2c..8937e61cb5 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
@@ -21,6 +21,8 @@ PACKAGES =+ "sxpm cxpm"
 FILES_cxpm = "${bindir}/cxpm"
 FILES_sxpm = "${bindir}/sxpm"
 
+SRC_URI += " file://CVE-2022-46285.patch"
+
 SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
 SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
 
-- 
2.34.1

[OE-core][dunfell 04/13] nasm: fix CVE-2022-44370

[Steve Sakoman]

From: Archana Polampalli <archana.polampalli@windriver.com>

NASM v2.16 was discovered to contain a heap buffer overflow in the
component quote_for_pmake() asm/nasm.c:856

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Upstream patches:
https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d

( cherry picked from commit 1568df72136f46f0767bba56c10c48bf2a1ec259 )

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../nasm/nasm/CVE-2022-44370.patch            | 104 ++++++++++++++++++
 meta/recipes-devtools/nasm/nasm_2.15.03.bb    |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 0000000000..1bd49c9fd9
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
+From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Mon, 7 Nov 2022 10:26:03 -0800
+Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
+
+while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
+introduce mempset() to make these kinds of errors less likely in the
+future.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
+Reported-by: <13579and24680@gmail.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-4437
+
+Reference to upstream patch:
+[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ asm/nasm.c         | 12 +++++-------
+ configure.ac       |  1 +
+ include/compiler.h |  7 +++++++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/asm/nasm.c b/asm/nasm.c
+index 7a7f8b4..675cff4 100644
+--- a/asm/nasm.c
++++ b/asm/nasm.c
+@@ -1,6 +1,6 @@
+ /* ----------------------------------------------------------------------- *
+  *
+- *   Copyright 1996-2020 The NASM Authors - All Rights Reserved
++ *   Copyright 1996-2022 The NASM Authors - All Rights Reserved
+  *   See the file AUTHORS included with the NASM distribution for
+  *   the specific copyright holders.
+  *
+@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
+     }
+
+     /* Convert N backslashes at the end of filename to 2N backslashes */
+-    if (nbs)
+-        n += nbs;
++    n += nbs;
+
+     os = q = nasm_malloc(n);
+
+@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
+         switch (*p) {
+         case ' ':
+         case '\t':
+-            while (nbs--)
+-                *q++ = '\\';
++            q = mempset(q, '\\', nbs);
+             *q++ = '\\';
+             *q++ = *p;
++            nbs = 0;
+             break;
+         case '$':
+             *q++ = *p;
+@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
+             break;
+         }
+     }
+-    while (nbs--)
+-        *q++ = '\\';
+
++    q = mempset(q, '\\', nbs);
+     *q = '\0';
+
+     return os;
+diff --git a/configure.ac b/configure.ac
+index 39680b1..940ebe2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
+ AC_CHECK_FUNCS(iscntrl)
+ AC_CHECK_FUNCS(isascii)
+ AC_CHECK_FUNCS(mempcpy)
++AC_CHECK_FUNCS(mempset)
+
+ AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(getgid)
+diff --git a/include/compiler.h b/include/compiler.h
+index db3d6d6..b64da6a 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n)
+ }
+ #endif
+
++#ifndef HAVE_MEMPSET
++static inline void *mempset(void *dst, int c, size_t n)
++{
++    return (char *)memset(dst, c, n) + n;
++}
++#endif
++
+ /*
+  * Hack to support external-linkage inline functions
+  */
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.03.bb b/meta/recipes-devtools/nasm/nasm_2.15.03.bb
index fc7046244a..6a8c57827d 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.03.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
 SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
            file://0001-stdlib-Add-strlcat.patch \
            file://0002-Add-debug-prefix-map-option.patch \
+           file://CVE-2022-44370.patch \
            "
 
 SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778"
-- 
2.34.1

[OE-core][dunfell 05/13] ghostscript: fix CVE-2023-36664

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Upstream commits:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2023-36664-1.patch        | 145 ++++++++++++++++++
 .../ghostscript/CVE-2023-36664-2.patch        |  60 ++++++++
 .../ghostscript/CVE-2023-36664-pre1.patch     |  62 ++++++++
 .../ghostscript/ghostscript_9.52.bb           |   3 +
 4 files changed, 270 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
new file mode 100644
index 0000000000..a3bbe958eb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+ 
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++	bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++	if (buffer == NULL)
++	    return gs_error_VMerror;
++	memcpy(buffer, path, len);
++	buffer[len] = 0;
++	rlen = len;
++    }
++    else {
++	rlen = len+1;
++	bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++	if (bufferfull == NULL)
++	    return gs_error_VMerror;
++
++	buffer = bufferfull + prefix_len;
++	if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++	    return gs_error_invalidfileaccess;
++	buffer[rlen] = 0;
++    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++	if (buffer == NULL)
++	    return gs_error_VMerror;
++	memcpy(buffer, path, len);
++	buffer[len] = 0;
++	rlen = len;
++    }
++    else {
++	rlen = len + 1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++	buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++	if (buffer == NULL)
++	    return gs_error_VMerror;
++
++	if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++	    return gs_error_invalidfileaccess;
++	buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++	if (buffer == NULL)
++	    return gs_error_VMerror;
++	memcpy(buffer, path, len);
++	buffer[len] = 0;
++	rlen = len;
++    }
++    else {
++	rlen = len+1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++	buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++	if (buffer == NULL)
++	    return gs_error_VMerror;
++
++	if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++	    return gs_error_invalidfileaccess;
++	buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
new file mode 100644
index 0000000000..e8c42f1deb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ 	bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ 	if (buffer == NULL)
+ 	    return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ 	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ 	if (buffer == NULL)
+ 	    return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ 	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ 	if (buffer == NULL)
+ 	    return gs_error_VMerror;
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
new file mode 100644
index 0000000000..662736bb3d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
+From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 22 Sep 2020 13:10:04 -0700
+Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
+
+The gpmisc.c does allocations for gp_file objects and buffers used by
+gp_fprintf, as well as gp_validate_path_len. The helgrind run with
+-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
+problem since the clist rendering would call gp_fprintf using the same
+allocator (PCL's chunk allocator which is non_gc_memory). The chunk
+allocator is intentionally not thread safe (for performance).
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
+CVE: CVE-2023-36664 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 34cd71f..c4fffae 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf)
+ 
+ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname)
+ {
+-    gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
++    gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
+     if (file == NULL)
+         return NULL;
+ 
+@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t
+         memset(((char *)file)+sizeof(*prototype),
+                0,
+                size - sizeof(*prototype));
+-    file->memory = mem->non_gc_memory;
++    file->memory = mem->thread_safe_memory;
+ 
+     return file;
+ }
+@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+           prefix_len = 0;
+     }
+     rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
++    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+     if (bufferfull == NULL)
+         return gs_error_VMerror;
+ 
+@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+         break;
+     }
+ 
+-    gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
++    gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+     if (code == gs_error_invalidfileaccess)
+         errno = EACCES;
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 37e9ed8e84..0a2f9f5046 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -41,6 +41,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2021-3781_3.patch \
                 file://CVE-2023-28879.patch \
                 file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
+                file://CVE-2023-36664-pre1.patch \
+                file://CVE-2023-36664-1.patch \
+                file://CVE-2023-36664-2.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.34.1

[OE-core][dunfell 06/13] qemu: fix CVE-2020-24165

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-24165.patch            | 94 +++++++++++++++++++
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 2669ba4ec8..e6b26aba88 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -141,6 +141,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2023-0330_2.patch \
            file://CVE-2023-3354.patch \
 	   file://CVE-2023-3180.patch \
+           file://CVE-2020-24165.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
new file mode 100644
index 0000000000..e0a27331a8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
@@ -0,0 +1,94 @@
+CVE:  CVE-2020-24165
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Fri, 14 Feb 2020 14:49:52 +0000
+Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bug describes a race whereby cpu_exec_step_atomic can acquire a TB
+which is invalidated by a tb_flush before we execute it. This doesn't
+affect the other cpu_exec modes as a tb_flush by it's nature can only
+occur on a quiescent system. The race was described as:
+
+  B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+  B3. tcg_tb_alloc obtains a new TB
+
+      C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
+          (same TB as B2)
+
+          A3. start_exclusive critical section entered
+          A4. do_tb_flush is called, TB memory freed/re-allocated
+          A5. end_exclusive exits critical section
+
+  B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+  B3. tcg_tb_alloc reallocates TB from B2
+
+      C4. start_exclusive critical section entered
+      C5. cpu_tb_exec executes the TB code that was free in A4
+
+The simplest fix is to widen the exclusive period to include the TB
+lookup. As a result we can drop the complication of checking we are in
+the exclusive region before we end it.
+
+Cc: Yifan <me@yifanlu.com>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1863025
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/cpu-exec.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index 2560c90eec79..d95c4848a47b 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu)
+     uint32_t cf_mask = cflags & CF_HASH_MASK;
+ 
+     if (sigsetjmp(cpu->jmp_env, 0) == 0) {
++        start_exclusive();
++
+         tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask);
+         if (tb == NULL) {
+             mmap_lock();
+@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu)
+             mmap_unlock();
+         }
+ 
+-        start_exclusive();
+-
+         /* Since we got here, we know that parallel_cpus must be true.  */
+         parallel_cpus = false;
+         cc->cpu_exec_enter(cpu);
+@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu)
+         qemu_plugin_disable_mem_helpers(cpu);
+     }
+ 
+-    if (cpu_in_exclusive_context(cpu)) {
+-        /* We might longjump out of either the codegen or the
+-         * execution, so must make sure we only end the exclusive
+-         * region if we started it.
+-         */
+-        parallel_cpus = true;
+-        end_exclusive();
+-    }
++
++    /*
++     * As we start the exclusive region before codegen we must still
++     * be in the region if we longjump out of either the codegen or
++     * the execution.
++     */
++    g_assert(cpu_in_exclusive_context(cpu));
++    parallel_cpus = true;
++    end_exclusive();
+ }
+ 
+ struct tb_desc {
-- 
2.34.1

[OE-core][dunfell 07/13] go: Fix CVE-2023-39318 and CVE-2023-39319

[Steve Sakoman]

From: Siddharth Doshi <sdoshi@mvista.com>

Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
CVE: CVE-2023-39318
Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5]
CVE: CVE-2023-39319
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-39318.patch           | 238 ++++++++++++++++++
 .../go/go-1.14/CVE-2023-39319.patch           | 230 +++++++++++++++++
 3 files changed, 470 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 784b502f46..be63f64825 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -77,6 +77,8 @@ SRC_URI += "\
     file://CVE-2023-24536_1.patch \
     file://CVE-2023-24536_2.patch \
     file://CVE-2023-24536_3.patch \
+    file://CVE-2023-39318.patch \
+    file://CVE-2023-39319.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 0000000000..20e70c0485
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,238 @@
+From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:24:13 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
+ comments in script contexts
+
+Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
+comments in script contexts. Also per section 12.5, support hashbang
+comments. This brings our parsing in-line with how browsers treat these
+comment types.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62196
+Fixes #62395
+Fixes CVE-2023-39318
+
+Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
+CVE: CVE-2023-39318
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go      |  6 ++-
+ src/html/template/escape.go       |  5 +-
+ src/html/template/escape_test.go  | 10 ++++
+ src/html/template/state_string.go |  4 +-
+ src/html/template/transition.go   | 80 ++++++++++++++++++++-----------
+ 5 files changed, 72 insertions(+), 33 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index 0b65313..4eb7891 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -124,6 +124,10 @@ const (
+ 	stateJSBlockCmt
+ 	// stateJSLineCmt occurs inside a JavaScript // line comment.
+ 	stateJSLineCmt
++	// stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
++	stateJSHTMLOpenCmt
++	// stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
++	stateJSHTMLCloseCmt
+ 	// stateCSS occurs inside a <style> element or style attribute.
+ 	stateCSS
+ 	// stateCSSDqStr occurs inside a CSS double quoted string.
+@@ -149,7 +153,7 @@ const (
+ // authors & maintainers, not for end-users or machines.
+ func isComment(s state) bool {
+ 	switch s {
+-	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
++	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
+ 		return true
+ 	}
+ 	return false
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 435f912..ad2ec69 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+ 		if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
+ 			// Preserve the portion between written and the comment start.
+ 			cs := i1 - 2
+-			if c1.state == stateHTMLCmt {
++			if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
+ 				// "<!--" instead of "/*" or "//"
+ 				cs -= 2
++			} else if c1.state == stateJSHTMLCloseCmt {
++				// "-->" instead of "/*" or "//"
++				cs -= 1
+ 			}
+ 			b.Write(s[written:cs])
+ 			written = i1
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index f550691..5f41e52 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
+ 			"<script>var a/*b*///c\nd</script>",
+ 			"<script>var a \nd</script>",
+ 		},
++		{
++			"JS HTML-like comments",
++			"<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
++			"<script>before \nbetween\nbefore\n</script>",
++		},
++		{
++			"JS hashbang comment",
++			"<script>#! beep\n</script>",
++			"<script>\n</script>",
++		},
+ 		{
+ 			"CSS comments",
+ 			"<style>p// paragraph\n" +
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..b5cfe70 100644
+--- a/src/html/template/state_string.go
++++ b/src/html/template/state_string.go
+@@ -4,9 +4,9 @@ package template
+ 
+ import "strconv"
+ 
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+ 
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
+ 
+ func (i state) String() string {
+ 	if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 92eb351..12aa4c4 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -14,32 +14,34 @@ import (
+ // the updated context and the number of bytes consumed from the front of the
+ // input.
+ var transitionFunc = [...]func(context, []byte) (context, int){
+-	stateText:        tText,
+-	stateTag:         tTag,
+-	stateAttrName:    tAttrName,
+-	stateAfterName:   tAfterName,
+-	stateBeforeValue: tBeforeValue,
+-	stateHTMLCmt:     tHTMLCmt,
+-	stateRCDATA:      tSpecialTagEnd,
+-	stateAttr:        tAttr,
+-	stateURL:         tURL,
+-	stateSrcset:      tURL,
+-	stateJS:          tJS,
+-	stateJSDqStr:     tJSDelimited,
+-	stateJSSqStr:     tJSDelimited,
+-	stateJSBqStr:     tJSDelimited,
+-	stateJSRegexp:    tJSDelimited,
+-	stateJSBlockCmt:  tBlockCmt,
+-	stateJSLineCmt:   tLineCmt,
+-	stateCSS:         tCSS,
+-	stateCSSDqStr:    tCSSStr,
+-	stateCSSSqStr:    tCSSStr,
+-	stateCSSDqURL:    tCSSStr,
+-	stateCSSSqURL:    tCSSStr,
+-	stateCSSURL:      tCSSStr,
+-	stateCSSBlockCmt: tBlockCmt,
+-	stateCSSLineCmt:  tLineCmt,
+-	stateError:       tError,
++	stateText:           tText,
++	stateTag:            tTag,
++	stateAttrName:       tAttrName,
++	stateAfterName:      tAfterName,
++	stateBeforeValue:    tBeforeValue,
++	stateHTMLCmt:        tHTMLCmt,
++	stateRCDATA:         tSpecialTagEnd,
++	stateAttr:           tAttr,
++	stateURL:            tURL,
++	stateSrcset:         tURL,
++	stateJS:             tJS,
++	stateJSDqStr:        tJSDelimited,
++	stateJSSqStr:        tJSDelimited,
++	stateJSBqStr:        tJSDelimited,
++	stateJSRegexp:       tJSDelimited,
++	stateJSBlockCmt:     tBlockCmt,
++	stateJSLineCmt:      tLineCmt,
++	stateJSHTMLOpenCmt:  tLineCmt,
++	stateJSHTMLCloseCmt: tLineCmt,
++	stateCSS:            tCSS,
++	stateCSSDqStr:       tCSSStr,
++	stateCSSSqStr:       tCSSStr,
++	stateCSSDqURL:       tCSSStr,
++	stateCSSSqURL:       tCSSStr,
++	stateCSSURL:         tCSSStr,
++	stateCSSBlockCmt:    tBlockCmt,
++	stateCSSLineCmt:     tLineCmt,
++	stateError:          tError,
+ }
+ 
+ var commentStart = []byte("<!--")
+@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
+ 
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-	i := bytes.IndexAny(s, "\"`'/")
++	i := bytes.IndexAny(s, "\"`'/<-#")
+ 	if i == -1 {
+ 		// Entire input is non string, comment, regexp tokens.
+ 		c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
+ 				err:   errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
+ 			}, len(s)
+ 		}
++	// ECMAScript supports HTML style comments for legacy reasons, see Appendix
++	// B.1.1 "HTML-like Comments". The handling of these comments is somewhat
++	// confusing. Multi-line comments are not supported, i.e. anything on lines
++	// between the opening and closing tokens is not considered a comment, but
++	// anything following the opening or closing token, on the same line, is
++	// ignored. As such we simply treat any line prefixed with "<!--" or "-->"
++	// as if it were actually prefixed with "//" and move on.
++	case '<':
++		if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
++			c.state, i = stateJSHTMLOpenCmt, i+3
++		}
++	case '-':
++		if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
++			c.state, i = stateJSHTMLCloseCmt, i+2
++		}
++	// ECMAScript also supports "hashbang" comment lines, see Section 12.5.
++	case '#':
++		if i+1 < len(s) && s[i+1] == '!' {
++			c.state, i = stateJSLineCmt, i+1
++		}
+ 	default:
+ 		panic("unreachable")
+ 	}
+@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
+ 	return c, i + 2
+ }
+ 
+-// tLineCmt is the context transition function for //comment states.
++// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
+ func tLineCmt(c context, s []byte) (context, int) {
+ 	var lineTerminators string
+ 	var endState state
+ 	switch c.state {
+-	case stateJSLineCmt:
++	case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
+ 		lineTerminators, endState = "\n\r\u2028\u2029", stateJS
+ 	case stateCSSLineCmt:
+ 		lineTerminators, endState = "\n\f\r", stateCSS
+-- 
+2.24.4
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
new file mode 100644
index 0000000000..69106e3e05
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
@@ -0,0 +1,230 @@
+From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:28:28 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: properly handle
+ special tags within the script context
+
+The HTML specification has incredibly complex rules for how to handle
+"<!--", "<script", and "</script" when they appear within literals in
+the script context. Rather than attempting to apply these restrictions
+(which require a significantly more complex state machine) we apply
+the workaround suggested in section 4.12.1.3 of the HTML specification [1].
+
+More precisely, when "<!--", "<script", and "</script" appear within
+literals (strings and regular expressions, ignoring comments since we
+already elide their content) we replace the "<" with "\x3C". This avoids
+the unintuitive behavior that using these tags within literals can cause,
+by simply preventing the rendered content from triggering it. This may
+break some correct usages of these tags, but on balance is more likely
+to prevent XSS attacks where users are unknowingly either closing or not
+closing the script blocks where they think they are.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62197
+Fixes #62397
+Fixes CVE-2023-39319
+
+[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
+
+Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526099
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5]
+CVE: CVE-2023-39319
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go     | 14 ++++++++++
+ src/html/template/escape.go      | 26 ++++++++++++++++++
+ src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++-
+ src/html/template/transition.go  | 15 ++++++++++
+ 4 files changed, 101 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index 4eb7891..feb6517 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -168,6 +168,20 @@ func isInTag(s state) bool {
+ 	return false
+ }
+ 
++// isInScriptLiteral returns true if s is one of the literal states within a
++// <script> tag, and as such occurances of "<!--", "<script", and "</script"
++// need to be treated specially.
++func isInScriptLiteral(s state) bool {
++	// Ignore the comment states (stateJSBlockCmt, stateJSLineCmt,
++	// stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already
++	// omitted from the output.
++	switch s {
++	case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp:
++		return true
++	}
++	return false
++}
++
+ // delim is the delimiter that will end the current HTML attribute.
+ type delim uint8
+ 
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index ad2ec69..de8cf6f 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -10,6 +10,7 @@ import (
+ 	"html"
+ 	"internal/godebug"
+ 	"io"
++	"regexp"
+ 	"text/template"
+ 	"text/template/parse"
+ )
+@@ -650,6 +651,26 @@ var delimEnds = [...]string{
+ 	delimSpaceOrTagEnd: " \t\n\f\r>",
+ }
+ 
++var (
++	// Per WHATWG HTML specification, section 4.12.1.3, there are extremely
++	// complicated rules for how to handle the set of opening tags <!--,
++	// <script, and </script when they appear in JS literals (i.e. strings,
++	// regexs, and comments). The specification suggests a simple solution,
++	// rather than implementing the arcane ABNF, which involves simply escaping
++	// the opening bracket with \x3C. We use the below regex for this, since it
++	// makes doing the case-insensitive find-replace much simpler.
++	specialScriptTagRE          = regexp.MustCompile("(?i)<(script|/script|!--)")
++	specialScriptTagReplacement = []byte("\\x3C$1")
++)
++
++func containsSpecialScriptTag(s []byte) bool {
++	return specialScriptTagRE.Match(s)
++}
++
++func escapeSpecialScriptTags(s []byte) []byte {
++	return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement)
++}
++
+ var doctypeBytes = []byte("<!DOCTYPE")
+ 
+ // escapeText escapes a text template node.
+@@ -708,6 +729,11 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+ 			b.Write(s[written:cs])
+ 			written = i1
+ 		}
++		if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) {
++			b.Write(s[written:i])
++			b.Write(escapeSpecialScriptTags(s[i:i1]))
++			written = i1
++		}
+ 		if i == i1 && c.state == c1.state {
+ 			panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
+ 		}
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 5f41e52..0cacb20 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -513,6 +513,21 @@ func TestEscape(t *testing.T) {
+ 			"<script>#! beep\n</script>",
+ 			"<script>\n</script>",
+ 		},
++		{
++			"Special tags in <script> string literals",
++			`<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
++			`<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`,
++		},
++		{
++			"Special tags in <script> string literals (mixed case)",
++			`<script>var a = "<!-- <ScripT </ScripT"</script>`,
++			`<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`,
++		},
++		{
++			"Special tags in <script> regex literals (mixed case)",
++			`<script>var a = /<!-- <ScripT </ScripT/</script>`,
++			`<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`,
++		},
+ 		{
+ 			"CSS comments",
+ 			"<style>p// paragraph\n" +
+@@ -1501,8 +1516,38 @@ func TestEscapeText(t *testing.T) {
+ 			context{state: stateJS, element: elementScript},
+ 		},
+ 		{
++			// <script and </script tags are escaped, so </script> should not
++			// cause us to exit the JS state.
+ 			`<script>document.write("<script>alert(1)</script>");`,
+-			context{state: stateText},
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)</script>`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)<!--`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)</Script>");`,
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>document.write("<!--");`,
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>let a = /</script`,
++			context{state: stateJSRegexp, element: elementScript},
++		},
++		{
++			`<script>let a = /</script/`,
++			context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
+ 		},
+ 		{
+ 			`<script type="text/template">`,
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 12aa4c4..3d2a37c 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -214,6 +214,11 @@ var (
+ // element states.
+ func tSpecialTagEnd(c context, s []byte) (context, int) {
+ 	if c.element != elementNone {
++		// script end tags ("</script") within script literals are ignored, so that
++		// we can properly escape them.
++		if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) {
++			return c, len(s)
++		}
+ 		if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 {
+ 			return context{}, i
+ 		}
+@@ -353,6 +358,16 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ 			inCharset = true
+ 		case ']':
+ 			inCharset = false
++		case '/':
++			// If "</script" appears in a regex literal, the '/' should not
++			// close the regex literal, and it will later be escaped to
++			// "\x3C/script" in escapeText.
++			if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 {
++				i++
++			} else if !inCharset {
++				c.state, c.jsCtx = stateJS, jsCtxDivOp
++				return c, i + 1
++			}
+ 		default:
+ 			// end delimiter
+ 			if !inCharset {
+-- 
+2.24.4
+
-- 
2.34.1

[OE-core][dunfell 08/13] python3: update to 3.8.18

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

https://docs.python.org/release/3.8.18/whatsnew/changelog.html#changelog

Release date: 2023-08-24

Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.

Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.

Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/{python3_3.8.17.bb => python3_3.8.18.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.8.17.bb => python3_3.8.18.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb b/meta/recipes-devtools/python/python3_3.8.18.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.8.17.bb
rename to meta/recipes-devtools/python/python3_3.8.18.bb
index 00c4ff497a..9d0f72ecf9 100644
--- a/meta/recipes-devtools/python/python3_3.8.17.bb
+++ b/meta/recipes-devtools/python/python3_3.8.18.bb
@@ -43,8 +43,8 @@ SRC_URI_append_class-native = " \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
 
-SRC_URI[md5sum] = "70223497e664524303ca2364208647e1"
-SRC_URI[sha256sum] = "2e54b0c68191f16552f6de2e97a2396540572a219f6bbb28591a137cecc490a9"
+SRC_URI[md5sum] = "5ea6267ea00513fc31d3746feb35842d"
+SRC_URI[sha256sum] = "3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-- 
2.34.1

[OE-core][dunfell 09/13] nasm: update 2.15.03 -> 2.15.05

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Use autotools-brokensep as new version needs that.

upgrade include fix for CVE-2020-21686 and CVE-2022-29654

(cherry picked from commit c9c724ffa36757b56e70bc8d7b880c0c5777b153)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../0002-Add-debug-prefix-map-option.patch    | 42 +++++++++----------
 .../nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} |  4 +-
 2 files changed, 22 insertions(+), 24 deletions(-)
 rename meta/recipes-devtools/nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} (85%)

diff --git a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
index f788e0fd43..9f4c8dc0bd 100644
--- a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
+++ b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
@@ -1,4 +1,4 @@
-From bb4e42ad3a0cdd23a1d1797e6299c76b474867c0 Mon Sep 17 00:00:00 2001
+From 81d6519499dcfebe7d21e65e002a8885a4e8d852 Mon Sep 17 00:00:00 2001
 From: Joshua Watt <JPEWhacker@gmail.com>
 Date: Tue, 19 Nov 2019 13:12:17 -0600
 Subject: [PATCH] Add --debug-prefix-map option
@@ -11,7 +11,7 @@ Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392635]
 Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
 
 ---
- asm/nasm.c              | 26 +++++++++++++++++++++++++-
+ asm/nasm.c              | 24 ++++++++++++++++++++++++
  include/nasmlib.h       |  9 +++++++++
  nasm.txt                |  4 ++++
  nasmlib/filename.c      | 20 ++++++++++++++++++++
@@ -23,34 +23,32 @@ Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  stdlib/strlcat.c        |  2 +-
  test/elfdebugprefix.asm |  6 ++++++
  test/performtest.pl     | 12 ++++++++++--
- 12 files changed, 83 insertions(+), 10 deletions(-)
+ 12 files changed, 82 insertions(+), 9 deletions(-)
  create mode 100644 test/elfdebugprefix.asm
 
 diff --git a/asm/nasm.c b/asm/nasm.c
-index a0e1719..fc6c62e 100644
+index e5ae89a..7a7f8b4 100644
 --- a/asm/nasm.c
 +++ b/asm/nasm.c
-@@ -938,7 +938,8 @@ enum text_options {
-     OPT_LIMIT,
+@@ -939,6 +939,7 @@ enum text_options {
      OPT_KEEP_ALL,
      OPT_NO_LINE,
--    OPT_DEBUG
-+    OPT_DEBUG,
-+    OPT_DEBUG_PREFIX_MAP
+     OPT_DEBUG,
++    OPT_DEBUG_PREFIX_MAP,
+     OPT_REPRODUCIBLE
  };
  enum need_arg {
-     ARG_NO,
-@@ -970,6 +971,7 @@ static const struct textargs textopts[] = {
+@@ -971,6 +972,7 @@ static const struct textargs textopts[] = {
      {"keep-all", OPT_KEEP_ALL, ARG_NO, 0},
      {"no-line",  OPT_NO_LINE, ARG_NO, 0},
      {"debug",    OPT_DEBUG, ARG_MAYBE, 0},
 +    {"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0},
+     {"reproducible", OPT_REPRODUCIBLE, ARG_NO, 0},
      {NULL, OPT_BOGUS, ARG_NO, 0}
  };
- 
-@@ -1332,6 +1334,26 @@ static bool process_arg(char *p, char *q, int pass)
-                 case OPT_DEBUG:
-                     debug_nasm = param ? strtoul(param, NULL, 10) : debug_nasm+1;
+@@ -1337,6 +1339,26 @@ static bool process_arg(char *p, char *q, int pass)
+                 case OPT_REPRODUCIBLE:
+                     reproducible = true;
                      break;
 +                case OPT_DEBUG_PREFIX_MAP: {
 +                    struct debug_prefix_list *d;
@@ -75,7 +73,7 @@ index a0e1719..fc6c62e 100644
                  case OPT_HELP:
                      help(stdout);
                      exit(0);
-@@ -2297,6 +2319,8 @@ static void help(FILE *out)
+@@ -2304,6 +2326,8 @@ static void help(FILE *out)
          "    -w-x          disable warning x (also -Wno-x)\n"
          "    -w[+-]error   promote all warnings to errors (also -Werror)\n"
          "    -w[+-]error=x promote warning x to errors (also -Werror=x)\n"
@@ -85,7 +83,7 @@ index a0e1719..fc6c62e 100644
  
      fprintf(out, "       %-20s %s\n",
 diff --git a/include/nasmlib.h b/include/nasmlib.h
-index e9bfbcc..98fc653 100644
+index 438178d..4c3e90d 100644
 --- a/include/nasmlib.h
 +++ b/include/nasmlib.h
 @@ -250,10 +250,19 @@ int64_t readstrnum(char *str, int length, bool *warn);
@@ -181,10 +179,10 @@ index 54b22f8..c4a412c 100644
  
  static void as86_cleanup(void)
 diff --git a/output/outcoff.c b/output/outcoff.c
-index bcd9ff3..15bfcf3 100644
+index 58fa024..14baf7b 100644
 --- a/output/outcoff.c
 +++ b/output/outcoff.c
-@@ -1095,14 +1095,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value,
+@@ -1072,14 +1072,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value,
  
  static void coff_write_symbols(void)
  {
@@ -215,7 +213,7 @@ index 61af020..1292958 100644
      nsects = sectlen = 0;
      syms = saa_init((int32_t)sizeof(struct elf_symbol));
 diff --git a/output/outieee.c b/output/outieee.c
-index 4cc0f0f..2468724 100644
+index 6d6d4b2..cdb8333 100644
 --- a/output/outieee.c
 +++ b/output/outieee.c
 @@ -207,7 +207,7 @@ static void ieee_unqualified_name(char *, char *);
@@ -228,10 +226,10 @@ index 4cc0f0f..2468724 100644
      fpubhead = NULL;
      fpubtail = &fpubhead;
 diff --git a/output/outobj.c b/output/outobj.c
-index 0d4d311..d8dd6a0 100644
+index 56b43f9..fefea94 100644
 --- a/output/outobj.c
 +++ b/output/outobj.c
-@@ -638,7 +638,7 @@ static enum directive_result obj_directive(enum directive, char *);
+@@ -644,7 +644,7 @@ static enum directive_result obj_directive(enum directive, char *);
  
  static void obj_init(void)
  {
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.03.bb b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
similarity index 85%
rename from meta/recipes-devtools/nasm/nasm_2.15.03.bb
rename to meta/recipes-devtools/nasm/nasm_2.15.05.bb
index 6a8c57827d..c5638debdd 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -11,11 +11,11 @@ SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
            file://CVE-2022-44370.patch \
            "
 
-SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778"
+SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
 
 EXTRA_AUTORECONF_append = " -I autoconf/m4"
 
-inherit autotools
+inherit autotools-brokensep
 
 BBCLASSEXTEND = "native"
 
-- 
2.34.1

[OE-core][dunfell 10/13] linux-yocto/5.4: update to v5.4.252

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    21732fd22497 Linux 5.4.252
    9399ea1ce481 x86: fix backwards merge of GDS/SRSO bit
    bc7b9a6c2ca4 xen/netback: Fix buffer overrun triggered by unusual packet
    43ed6f79b3e7 x86/cpu, kvm: Add support for CPUID_80000021_EAX
    1f0618bb2456 x86/bugs: Increase the x86 bugs vector size to two u32s
    08ba48152a8a tools headers cpufeatures: Sync with the kernel sources
    694b40dcfb41 x86/cpufeatures: Assign dedicated feature word for CPUID_0x8000001F[EAX]
    4fa849d4af68 x86/cpu: Add VM page flush MSR availablility as a CPUID feature
    998eec066607 x86/cpufeatures: Add SEV-ES CPU feature
    3e21d8b0f3a9 Documentation/x86: Fix backwards on/off logic about YMM support
    ad7670dd65cb x86/mm: Initialize text poking earlier
    979366f5c2aa mm: Move mm_cachep initialization to mm_init()
    3d1b8cfdd0c9 x86/mm: Use mm_alloc() in poking_init()
    ddcf05fe8850 x86/mm: fix poking_init() for Xen PV guests
    3f8968f1f0ad x86/xen: Fix secondary processors' FPU initialization
    e56c1e0f9134 KVM: Add GDS_NO support to KVM
    ed56430ab253 x86/speculation: Add Kconfig option for GDS
    e35c65794365 x86/speculation: Add force option to GDS mitigation
    f68f9f2df68e x86/speculation: Add Gather Data Sampling mitigation
    6e6044366897 x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
    2ee37a46aa13 x86/fpu: Mark init functions __init
    77fe8150579c x86/fpu: Remove cpuinfo argument from init functions
    95356fff6fee init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
    7aa2cec22e28 init: Invoke arch_cpu_finalize_init() earlier
    944d5c3ffa4b init: Remove check_bugs() leftovers
    a03ef708788e um/cpu: Switch to arch_cpu_finalize_init()
    98c3955e145f sparc/cpu: Switch to arch_cpu_finalize_init()
    568d68fc1dd4 sh/cpu: Switch to arch_cpu_finalize_init()
    18cd611a3eaa mips/cpu: Switch to arch_cpu_finalize_init()
    2febb4a73004 m68k/cpu: Switch to arch_cpu_finalize_init()
    1f4494ea77e8 ia64/cpu: Switch to arch_cpu_finalize_init()
    73719e89e32b ARM: cpu: Switch to arch_cpu_finalize_init()
    1743bc756b6b x86/cpu: Switch to arch_cpu_finalize_init()
    afe787cf253b init: Provide arch_cpu_finalize_init()

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb   | 6 +++---
 meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb | 6 +++---
 meta/recipes-kernel/linux/linux-yocto_5.4.bb      | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 3a44375824..8bb9b8792d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "6a552f5822442183d2487c91903f27085183ca0e"
-SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
+SRCREV_machine ?= "0d4b4bdf319c66188fed945ed84d55b63467a1cc"
+SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.251"
+LINUX_VERSION ?= "5.4.252"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 3136b0defc..a9e59473f8 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.251"
+LINUX_VERSION ?= "5.4.252"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -16,8 +16,8 @@ KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
 SRCREV_machine_qemuarm ?= "29ae0b5c67d29249bf00cb8eaaae5914d928bbd6"
-SRCREV_machine ?= "16db12c2685020aa6347a18df5099f40a9176366"
-SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
+SRCREV_machine ?= "22f4db08b470bae35d90149956de4cdcd6b4c6ea"
+SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index a466e5c2fc..f9afeb0acd 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -21,8 +21,8 @@ SRCREV_machine_qemuriscv64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
 SRCREV_machine_qemux86 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
 SRCREV_machine_qemux86-64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
 SRCREV_machine_qemumips64 ?= "854f6bee15babf95445644cba59691cd45173180"
-SRCREV_machine ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
-SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
+SRCREV_machine ?= "2176ac775b5360b26e8cab0f8c1607853af76633"
+SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -31,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.251"
+LINUX_VERSION ?= "5.4.252"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 11/13] linux-yocto/5.4: update to v5.4.254

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    fd2a1d1f32ea Linux 5.4.254
    e7711f15ed6b sch_netem: fix issues in netem_change() vs get_dist_table()
    3c3ffd6a3cf7 alpha: remove __init annotation from exported page_is_ram()
    e12fac07f61c scsi: core: Fix possible memory leak if device_add() fails
    cea09922f5f7 scsi: snic: Fix possible memory leak if device_add() fails
    12162414a7c1 scsi: 53c700: Check that command slot is not NULL
    048ebc9a28fb scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
    ecb1fbe2879f scsi: core: Fix legacy /proc parsing buffer overflow
    979822844209 netfilter: nf_tables: report use refcount overflow
    137e25f0906e nvme-rdma: fix potential unbalanced freeze & unfreeze
    ab32fbe3fe70 nvme-tcp: fix potential unbalanced freeze & unfreeze
    756c024698f4 btrfs: set cache_block_group_error if we find an error
    fa7bc2684a05 btrfs: don't stop integrity writeback too early
    0a3b5893c6b1 ibmvnic: Handle DMA unmapping of login buffs in release functions
    d66a27113ebb net/mlx5: Allow 0 for total host VFs
    d7b2df974299 dmaengine: mcf-edma: Fix a potential un-allocated memory access
    e913d89445e3 wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
    c2145b18740c IB/hfi1: Fix possible panic during hotplug remove
    9d469552c9d2 drivers: net: prevent tun_build_skb() to exceed the packet size limit
    67eebc7a9217 dccp: fix data-race around dp->dccps_mss_cache
    ef8810965f0c bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
    9c7deea5afcc net/packet: annotate data-races around tp->status
    60d9662f39f5 mISDN: Update parameter type of dsp_cmx_send()
    dd72849bce27 selftests/rseq: Fix build with undefined __weak
    302d848188d6 drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
    ed8dcd9543b8 x86: Move gds_ucode_mitigated() declaration to header
    6b342b1f3b01 x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
    91a5e755e11f x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
    14254212b431 usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
    25038d3f16b9 usb: dwc3: Properly handle processing of pending events
    044f4446e06b usb-storage: alauda: Fix uninit-value in alauda_check_media()
    b97dad01c121 binder: fix memory leak in binder_init()
    182f0e71ff34 iio: cros_ec: Fix the allocation size for cros_ec_command
    d2c539c216cc nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
    655716938d14 x86/pkeys: Revert a5eff7259790 ("x86/pkeys: Add PKRU value to init_fpstate")
    ea1b4c31161f radix tree test suite: fix incorrect allocation size for pthreads
    aa0bfe169d29 drm/nouveau/gr: enable memory loads on helper invocation on all channels
    8a489b0bc87c dmaengine: pl330: Return DMA_PAUSED when transaction is paused
    7c62508d6b91 ipv6: adjust ndisc_is_useropt() to also return true for PIO
    0a67c1262162 mmc: moxart: read scr register without changing byte order
    4b4223f7d26d Linux 5.4.253
    9e5374875f96 Revert "driver core: Annotate dev_err_probe() with __must_check"
    ca33c0704151 drivers: core: fix kernel-doc markup for dev_err_probe()
    04ece65d9bad driver code: print symbolic error code
    f2c1b4f9c157 driver core: Annotate dev_err_probe() with __must_check
    2e8fc2ddffee ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node
    a1ba8725577b ARM: dts: imx6sll: fixup of operating points
    6c71d73945d2 ARM: dts: imx: add usb alias
    66579ee141a5 ARM: dts: imx: Align L2 cache-controller nodename with dtschema
    3b454fb938e1 ARM: dts: imx6sll: Make ssi node name same as other platforms
    03b119d900fd arm64: dts: stratix10: fix incorrect I2C property for SCL signal
    72c946246e21 ceph: defer stopping mdsc delayed_work
    f82fe11a30ae ceph: use kill_anon_super helper
    82edffead586 ceph: show tasks waiting on caps in debugfs caps file
    632023a2b3ac PM: sleep: wakeirq: fix wake irq arming
    d7f34e2cdd12 PM / wakeirq: support enabling wake-up irq after runtime_suspend called
    9cbffa33749a selftests/rseq: Play nice with binaries statically linked against glibc 2.35+
    13553469bdbd selftests/rseq: check if libc rseq support is registered
    a65e7b4b31ca powerpc/mm/altmap: Fix altmap boundary check
    f8cf0f83cf04 mtd: rawnand: omap_elm: Fix incorrect type in assignment
    2af8ed119722 test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation
    0f68b0f8eb5a test_firmware: prevent race conditions by a correct implementation of locking
    040cdadf9fdc ext2: Drop fragment support
    0336b42456e4 fs: Protect reconfiguration of sb read-write from racing writes
    a05ac5d00eb7 net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
    a2da00d1ea1a Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
    0a44ceba77c3 fs/sysv: Null check to prevent null-ptr-deref bug
    1202deb153d6 net: tap_open(): set sk_uid from current_fsuid()
    1d53ea776760 net: tun_chr_open(): set sk_uid from current_fsuid()
    ae9cf40873d3 mtd: rawnand: meson: fix OOB available bytes for ECC
    8deaaf4be175 mtd: spinand: toshiba: Fix ecc_get_status
    eacb19bd7cd2 USB: zaurus: Add ID for A-300/B-500/C-700
    5107f9e8db60 libceph: fix potential hang in ceph_osdc_notify()
    6f14228e82fe scsi: zfcp: Defer fc_rport blocking until after ADISC response
    a490c2e8927e tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen
    6d49ed957d77 tcp_metrics: annotate data-races around tm->tcpm_net
    fc566cf344d8 tcp_metrics: annotate data-races around tm->tcpm_vals[]
    76b47daba7cd tcp_metrics: annotate data-races around tm->tcpm_lock
    38661fe6d001 tcp_metrics: annotate data-races around tm->tcpm_stamp
    96f14d689dc5 tcp_metrics: fix addr_same() helper
    0438e60a00d4 ip6mr: Fix skb_under_panic in ip6mr_cache_report()
    5b3dbedb8d4a net: dcb: choose correct policy to parse DCB_ATTR_BCN
    363c56f97122 net: ll_temac: fix error checking of irq_of_parse_and_map()
    7928f81443f6 net: ll_temac: Switch to use dev_err_probe() helper
    97d8a0bbda6b driver core: add device probe log helper
    227b8ce59cd3 bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
    1c8262f31fd2 net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
    83e3d4b0ae37 net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
    be785808db32 net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
    b705759a1a25 net: add missing data-race annotation for sk_ll_usec
    95dd65f29070 net: add missing data-race annotations around sk->sk_peek_off
    8a6dddcb47a6 net: add missing READ_ONCE(sk->sk_rcvbuf) annotation
    ec4b7532d70b net: add missing READ_ONCE(sk->sk_sndbuf) annotation
    9cd3adc26e53 net: add missing READ_ONCE(sk->sk_rcvlowat) annotation
    481186cad78f net: annotate data-races around sk->sk_max_pacing_rate
    1774250a20d7 mISDN: hfcpci: Fix potential deadlock on &hc->lock
    42b28808070e net: sched: cls_u32: Fix match key mis-addressing
    1b047dc9108e perf test uprobe_from_different_cu: Skip if there is no gcc
    ad46d4861ed3 rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length
    80381ecf2933 net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
    800d8c96bf99 net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
    4730c0a1131c KVM: s390: fix sthyi error handling
    d2fb0969262c word-at-a-time: use the same return type for has_zero regardless of endianness
    be4d2b456206 loop: Select I/O scheduler 'none' from inside add_disk()
    11e929c38029 perf: Fix function pointer case
    1db90f97d719 arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro
    f41cab7a4653 arm64: Add AMPERE1 to the Spectre-BHB affected list
    6e4aa8c89034 ASoC: cs42l51: fix driver to properly autoload with automatic module loading
    cf8ecd6ea680 net/sched: sch_qfq: account for stab overhead in qfq_enqueue
    0e0f324c259d btrfs: fix race between quota disable and quota assign ioctls
    4f8f86bc5d33 btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled
    8c1d1f3a33e5 btrfs: qgroup: remove one-time use variables for quota_root checks
    c8b1499e420e cpufreq: intel_pstate: Drop ACPI _PSS states table patching
    f331413e1cf1 ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily
    511851c87031 ACPI: processor: perflib: Use the "no limit" frequency QoS
    81cd6ceee7ce dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
    e3efc4767a46 ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
    00748bc586a4 s390/dasd: fix hanging device after quiesce/resume
    73e872466ddc virtio-net: fix race between set queues and probe
    6db2a3c5c201 btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
    5adbd7ccd430 irq-bcm6345-l1: Do not assume a fixed block to cpu mapping
    a0019e13a9e9 tpm_tis: Explicitly check for error code
    d1c6e68003d3 btrfs: check for commit error at btrfs_attach_transaction_barrier()
    ee2eed8306b3 hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
    5373a1aa91b2 staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
    352e0cae4cce Documentation: security-bugs.rst: clarify CVE handling
    e331a88ea56b Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
    fd21197af575 Revert "usb: xhci: tegra: Fix error check"
    e0c92c329131 usb: xhci-mtk: set the dma max_seg_size
    3f39d58a0c1a USB: quirks: add quirk for Focusrite Scarlett
    8f86b1b3b539 usb: ohci-at91: Fix the unhandle interrupt when resume
    640cb5f5e4b4 usb: dwc3: don't reset device side if dwc3 was configured as host-only
    a7d080cf4fab usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy
    5fc6ace75ceb Revert "usb: dwc3: core: Enable AutoRetry feature in the controller"
    80d40a3d6d45 can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
    58f0affb3c47 USB: serial: simple: sort driver entries
    43ee3cf0c783 USB: serial: simple: add Kaufmann RKS+CAN VCP
    bcf1fc781ea1 USB: serial: option: add Quectel EC200A module support
    3ec7c5ef6021 USB: serial: option: support Quectel EM060K_128
    da7ebd86cd2e serial: sifive: Fix sifive_serial_console_setup() section
    d674cb90a9ef serial: 8250_dw: Preserve original value of DLF register
    cdcc35e64541 tracing: Fix warning in trace_buffered_event_disable()
    d7b20279244f ring-buffer: Fix wrong stat of cpu_buffer->read
    f6e1e569ac97 ata: pata_ns87415: mark ns87560_tf_read static
    53c06e0d15ee dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
    9ebcca93bd41 block: Fix a source code comment in include/uapi/linux/blkzoned.h
    c0aad2fe1b9f ASoC: fsl_spdif: Silence output on stop
    3bd1b4793b01 drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
    4970f72f810c drm/msm/adreno: Fix snapshot BINDLESS_DATA size
    5200bd7e6096 drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
    4990f529b745 RDMA/mlx4: Make check for invalid flags stricter
    74843851d418 benet: fix return value check in be_lancer_xmit_workarounds()
    07d9723cef28 net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
    2eb617529458 net/sched: mqprio: add extack to mqprio_parse_nlattr()
    29c5eb0ffac7 net/sched: mqprio: refactor nlattr parsing to a separate function
    17afc24d20c9 platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
    504177c84f04 team: reset team's flags when down link is P2P device
    a3bb02598db9 bonding: reset bond's flags when down link is P2P device
    d87d67c8bdd1 tcp: Reduce chance of collisions in inet6_hashfn().
    458294ee1537 ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address
    a249705862d7 ethernet: atheros: fix return value check in atl1e_tso_csum()
    195e806b2afb phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
    27b63e8b8552 vxlan: calculate correct header length for GPE
    5e98318c632d i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir()
    6b1ee62ecbf1 ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
    65bd66a794bf keys: Fix linking a duplicate key to a keyring's assoc_array
    c1df96689fe1 uapi: General notification queue definitions
    ea64c727f201 scsi: qla2xxx: Array index may go out of bound
    5e387df414f9 scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c
    629628738078 pwm: meson: fix handling of period/duty if greater than UINT_MAX
    7ae4671a868e pwm: meson: Simplify duplicated per-channel tracking
    8abacc57af7b pwm: meson: Remove redundant assignment to variable fin_freq
    680e1455b828 ftrace: Fix possible warning on checking all pages used in ftrace_process_locs()
    05ff1d355e0b ftrace: Store the order of pages allocated in ftrace_page
    e3098e52bf5a ftrace: Check if pages were allocated before calling free_pages()
    aad84a978841 ftrace: Add information on number of page groups allocated
    bd020c7763d6 fs: dlm: interrupt posix locks only when process is killed
    f61d5752aed0 dlm: rearrange async condition return
    ed092c495e29 dlm: cleanup plock_op vs plock_xop
    a50ad9f8c06c PCI/ASPM: Avoid link retraining race
    e50434e33de9 PCI/ASPM: Factor out pcie_wait_for_retrain()
    7411202a0fee PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link()
    8eb15ff216c1 ext4: Fix reusing stale buffer heads from last failed mounting
    0204319de8ea ext4: rename journal_dev to s_journal_dev inside ext4_sb_info
    356056cbe667 btrfs: fix extent buffer leak after tree mod log failure at split_node()
    63008dab58ad btrfs: fix race between quota disable and relocation
    0a55f346e0e5 btrfs: qgroup: catch reserved space leaks at unmount time
    b070f29a6143 bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
    38a6dd2b68f9 bcache: remove 'int n' from parameter list of bch_bucket_alloc_set()
    edb81d6e1e50 gpio: tps68470: Make tps68470_gpio_output() always set the initial value
    34e71f7d3a03 jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
    937cb20746c8 jbd2: recheck chechpointing non-dirty buffer
    acc9a81f7cb2 jbd2: remove redundant buffer io error checks
    05d440d0f5da jbd2: fix kernel-doc markups
    b41fa1ed91de jbd2: fix incorrect code style

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 8bb9b8792d..38ffa5cce8 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "0d4b4bdf319c66188fed945ed84d55b63467a1cc"
-SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
+SRCREV_machine ?= "f2579170aa90e502fb972bdb87c150c909735056"
+SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.252"
+LINUX_VERSION ?= "5.4.254"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index a9e59473f8..ce8f4ddfea 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.252"
+LINUX_VERSION ?= "5.4.254"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "29ae0b5c67d29249bf00cb8eaaae5914d928bbd6"
-SRCREV_machine ?= "22f4db08b470bae35d90149956de4cdcd6b4c6ea"
-SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
+SRCREV_machine_qemuarm ?= "cb6922c0bf40c0171473ffad3e3c734af7535f9e"
+SRCREV_machine ?= "7121dcf1e4579162b3c5586cbdef005b155f2d00"
+SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index f9afeb0acd..fc2a34dbcf 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -13,16 +13,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "9a096c043b453855252aece3716d50fdf4111a77"
-SRCREV_machine_qemuarm64 ?= "25499e5c52ebb2111a3dd7dd863937f56cf2a39d"
-SRCREV_machine_qemumips ?= "12e990899599d1aac8dd8007a8864db68135d6f0"
-SRCREV_machine_qemuppc ?= "19d91ad471bb87a464520283e58d5ff83c7151fa"
-SRCREV_machine_qemuriscv64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
-SRCREV_machine_qemux86 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
-SRCREV_machine_qemux86-64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
-SRCREV_machine_qemumips64 ?= "854f6bee15babf95445644cba59691cd45173180"
-SRCREV_machine ?= "2176ac775b5360b26e8cab0f8c1607853af76633"
-SRCREV_meta ?= "c068a3afc1a9d73b177643195e6b5546e6141efe"
+SRCREV_machine_qemuarm ?= "b48a097e3afc2c3cb75439a138ad62aac1f611de"
+SRCREV_machine_qemuarm64 ?= "30e9b327db697ba836406fd892dd2461dcc52978"
+SRCREV_machine_qemumips ?= "1404c8a0c15cd302e99cb766cf117f53ec9d12d4"
+SRCREV_machine_qemuppc ?= "8ddc9d98289ff9e0dd92a5ac4a1ab9395286c426"
+SRCREV_machine_qemuriscv64 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
+SRCREV_machine_qemux86 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
+SRCREV_machine_qemux86-64 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
+SRCREV_machine_qemumips64 ?= "c64d8a92d051687aaf05990475254ad795d5105d"
+SRCREV_machine ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
+SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -31,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.252"
+LINUX_VERSION ?= "5.4.254"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 12/13] linux-yocto/5.4: update to v5.4.256

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    0c2544add9fc Linux 5.4.256
    1ba96e65ef4c Revert "MIPS: Alchemy: fix dbdma2"
    94aef0fe5a82 powerpc/pmac/smp: Drop unnecessary volatile qualifier
    b29a10fd0734 powerpc/pmac/smp: Avoid unused-variable warnings
    5eb967dd50a5 Linux 5.4.255
    e171795856a6 dma-buf/sw_sync: Avoid recursive lock during fence signal
    f49cac7634da pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function}
    197c546a598a clk: Fix undefined reference to `clk_rate_exclusive_{get,put}'
    7fd9cded5646 scsi: core: raid_class: Remove raid_component_add()
    56428d89a0da scsi: snic: Fix double free in snic_tgt_create()
    b6db4ef5ea41 irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable
    61b5d77169e1 Documentation/sysctl: document page_lock_unfairness
    b2421a196cb0 ALSA: pcm: Check for null pointer of pointer substream before dereferencing it
    e8bf830efa8a interconnect: Do not skip aggregation for disabled paths
    456a7a73404c Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available"
    52a7c86e63d2 ALSA: pcm: Fix build error on m68k and others
    a1ef12540ebd rtnetlink: Reject negative ifindexes in RTM_NEWLINK
    c404e1e19780 mm: allow a controlled amount of unfairness in the page lock
    97640d8e2cee x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4
    b156ce3b3b61 drm/display/dp: Fix the DP DSC Receiver cap size
    9e5fe282f9e2 PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus
    ac0e0df5180c media: vcodec: Fix potential array out-of-bounds in encoder queue_setup
    79a05ca73637 radix tree: remove unused variable
    32639f13441b lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels
    c5f261825ff6 batman-adv: Hold rtnl lock during MTU update via netlink
    61b71562beb3 batman-adv: Fix batadv_v_ogm_aggr_send memory leak
    5fb1a2133707 batman-adv: Fix TT global entry leak when client roamed back
    e6e9d7808179 batman-adv: Do not get eth header before batadv_check_management_packet
    c97442e09884 batman-adv: Don't increase MTU when set by user
    22288ea6beba batman-adv: Trigger events for auto adjusted MTU
    3b83759fd46c nfsd: Fix race to FREE_STATEID and cl_revoked
    c0284760f470 clk: Fix slab-out-of-bounds error in devm_clk_release()
    a0bc5cf2e7f4 NFSv4: Fix dropped lock for racing OPEN and delegation return
    815fb2531a48 ibmveth: Use dcbf rather than dcbfl
    35e31aff6160 bonding: fix macvlan over alb bond support
    faf3f988cc63 net: remove bond_slave_has_mac_rcu()
    eebd074af272 net/sched: fix a qdisc modification with ambiguous command request
    62383d9fa1af igb: Avoid starting unnecessary workqueues
    adef04cc4819 net: validate veth and vxcan peer ifindexes
    52ddda8d218b net: bcmgenet: Fix return value check for fixed_phy_register()
    189ad377d1ca net: bgmac: Fix return value check for fixed_phy_register()
    dcbfcb54a28f ipvlan: Fix a reference count leak warning in ipvlan_ns_exit()
    8e6433fecb2b dccp: annotate data-races in dccp_poll()
    7d6cc6919952 sock: annotate data-races around prot->memory_pressure
    d28ea7acfae7 octeontx2-af: SDP: fix receive link config
    05319d707732 tracing: Fix memleak due to race between current_tracer and trace
    c8920972d086 drm/amd/display: check TG is non-null before checking if enabled
    7d4174a99b1d drm/amd/display: do not wait for mpc idle if tg is disabled
    94239d1830a1 ASoC: fsl_sai: Disable bit clock with transmitter
    ef9cae4a6c8d ASoC: fsl_sai: Add new added registers and new bit definition
    1b3d75104542 ASoC: fsl_sai: Refine enable/disable TE/RE sequence in trigger()
    f9afb326b7ba regmap: Account for register length in SMBus I/O limits
    7e1d1456c8db ALSA: pcm: Fix potential data race at PCM memory allocation helpers
    140797d0a46e ALSA: pcm: Use SG-buffer only when direct DMA is available
    95b30a431254 ALSA: pcm: Set per-card upper limit of PCM buffer allocations
    d0ef103e192c dm integrity: reduce vmalloc space footprint on 32-bit architectures
    072d247d7a62 dm integrity: increase RECALC_SECTORS to improve recalculate speed
    4e96ee117500 fbdev: fix potential OOB read in fast_imageblit()
    ebf84320a587 fbdev: Fix sys_imageblit() for arbitrary image widths
    96f8e80656ec fbdev: Improve performance of sys_imageblit()
    7e5b7360df81 MIPS: cpu-features: Use boot_cpu_type for CPU type based features
    302a8fbf8cab MIPS: cpu-features: Enable octeon_cache by cpu_type
    7b57fc3f4c49 fs: dlm: fix mismatch of plock results from userspace
    721d5b514dfc fs: dlm: use dlm_plock_info for do_unlock_close
    da794f6dd549 fs: dlm: change plock interrupted message to debug again
    f03726ef19e1 fs: dlm: add pid to debug log
    8b73497e50ef dlm: replace usage of found with dedicated list iterator variable
    526cc04d718b dlm: improve plock logging if interrupted
    7abd6dce29f6 PCI: acpiphp: Reassign resources on bridge if necessary
    fce081555293 net: phy: broadcom: stub c45 read/write for 54810
    e91d5ace7051 mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove
    a0e20e267aec net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
    f0c10a4497af net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled
    b1be2cfcf6cf virtio-net: set queues after driver_ok
    4821df2ffe38 af_unix: Fix null-ptr-deref in unix_stream_sendpage().
    0afc186aba1e netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
    6875690b0eea mmc: block: Fix in_flight[issue_type] value error
    54deee3fab1b mmc: wbsd: fix double mmc_free_host() in wbsd_init()
    4259dd534245 cifs: Release folio lock on fscache read hit.
    03373410247b ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces.
    b653289ca646 serial: 8250: Fix oops for port->pm on uart_change_pm()
    7b4e6bff03e2 ASoC: meson: axg-tdm-formatter: fix channel slot allocation
    29d862ee5fef ASoC: rt5665: add missed regulator_bulk_disable
    f21fa1892d42 ARM: dts: imx: Set default tuning step for imx6sx usdhc
    aadee0ae0a5f ARM: dts: imx: Set default tuning step for imx7d usdhc
    a23e10dafd77 ARM: dts: imx: Adjust dma-apbh node name
    536c1bbedd5d ARM: dts: imx7s: Drop dma-apb interrupt-names
    37cfbf847c2d bus: ti-sysc: Flush posted write on enable before reset
    4637b2fa6541 bus: ti-sysc: Improve reset to work with modules with no sysconfig
    210ff31342ad net: do not allow gso_size to be set to GSO_BY_FRAGS
    1c7db7abd4ba sock: Fix misuse of sk_under_memory_pressure()
    aa670bdefc0c net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
    702c58a05eb5 i40e: fix misleading debug logs
    ac16de2d02eb team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
    81da9e2c4255 netfilter: nft_dynset: disallow object maps
    bdd7c2ff4143 ipvs: fix racy memcpy in proc_do_sync_threshold
    38e5c37bfab1 selftests: mirror_gre_changes: Tighten up the TTL test match
    8046beb890eb xfrm: add NULL check in xfrm_update_ae_params
    d34c30442d5e ip_vti: fix potential slab-use-after-free in decode_session6
    eb47e612e59c ip6_vti: fix slab-use-after-free in decode_session6
    db0e50741f03 xfrm: fix slab-use-after-free in decode_session6
    64c6df80d35a xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c
    32cc777c0a53 net: af_key: fix sadb_x_filter validation
    373848d51fde net: xfrm: Fix xfrm_address_filter OOB read
    a0a462a0f209 btrfs: fix BUG_ON condition in btrfs_cancel_balance
    cc423a972cfd tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms
    1d29e21ed09f powerpc/rtas_flash: allow user copy to flash block cache objects
    97ddf1c2105a fbdev: mmp: fix value check in mmphw_probe()
    3259e2d8781f i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue
    b788ad3b2468 virtio-mmio: don't break lifecycle of vm_dev
    e22a4b77b69d virtio-mmio: Use to_virtio_mmio_device() to simply code
    432429d1b25f virtio-mmio: convert to devm_platform_ioremap_resource
    12c4c227891e nfsd: Remove incorrect check in nfsd4_validate_stateid
    a4e3c4cd02f5 nfsd4: kill warnings on testing stateids with mismatched clientids
    ff652b0150a4 net/ncsi: Fix gma flag setting after response
    b66a1defb205 tracing/probes: Fix to update dynamic data counter if fetcharg uses it
    bdc309d89b32 tracing/probes: Have process_fetch_insn() take a void * instead of pt_regs
    cc93a372e03e leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename
    939b8b312adc mmc: sunxi: fix deferred probing
    c6d1a281ae83 mmc: bcm2835: fix deferred probing
    b48b4b1885f7 USB: dwc3: qcom: fix NULL-deref on suspend
    6da1f9fd9c8e usb: dwc3: qcom: Add helper functions to enable,disable wake irqs
    5335bb0cefde interconnect: Add helpers for enabling/disabling a path
    e062fb979410 interconnect: Move internal structs into a separate file
    abc25a18a64c irqchip/mips-gic: Use raw spinlock for gic_lock
    05de6069b52c irqchip/mips-gic: Get rid of the reliance on irq_cpu_online()
    1224e5a9787c ALSA: hda: Fix unhandled register update during auto-suspend period
    a55d55a30781 PM: runtime: Add pm_runtime_get_if_active()
    e5d98d42bca5 PM-runtime: add tracepoints for usage_count changes
    59aba9d5cd36 iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE
    8f302378c704 iio: addac: stx104: Fix race condition when converting analog-to-digital
    7251b2915d33 iio: addac: stx104: Fix race condition for stx104_write_raw()
    70d135e7de08 iio: stx104: Move to addac subdirectory
    8ba99f7fc7eb iio: adc: stx104: Implement and utilize register structures
    4edf338adee7 iio: adc: stx104: Utilize iomap interface
    e13b26d0dd10 iio: add addac subdirectory
    e6f66a0ad755 IMA: allow/fix UML builds
    635278e97a94 powerpc/kasan: Disable KCOV in KASAN code
    109f0aaa0b88 ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()
    97ed58437705 ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760
    c6059af6bf5e drm/amdgpu: Fix potential fence use-after-free v2
    fe49aa73cca6 Bluetooth: L2CAP: Fix use-after-free
    22100df1d57f pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
    b4a7ab57effb gfs2: Fix possible data races in gfs2_show_options()
    c4d5c945b69a usb: chipidea: imx: don't request QoS for imx8ulp
    c1c5826223ae media: platform: mediatek: vpu: fix NULL ptr dereference
    ef009fe2010e media: v4l2-mem2mem: add lock to protect parameter num_rdy
    2a8807f9f511 FS: JFS: Check for read-only mounted filesystem in txBegin
    a7d17d6bd7cd FS: JFS: Fix null-ptr-deref Read in txBegin
    2225000d62c1 MIPS: dec: prom: Address -Warray-bounds warning
    6e7d9d76e565 fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev
    3f1368af47ac udf: Fix uninitialized array access for some pathnames
    8f203dd401e8 ovl: check type and offset of struct vfsmount in ovl_entry
    8abed186aabd HID: add quirk for 03f0:464a HP Elite Presenter Mouse
    3f378783c47b quota: fix warning in dqgrab()
    c3a1f5ba11c5 quota: Properly disable quotas when add_dquot_ref() fails
    dd445ebbee88 ALSA: emu10k1: roll up loops in DSP setup code for Audigy
    b8fab6aebdf2 drm/radeon: Fix integer overflow in radeon_cs_parser_init
    3a3bb438dae3 macsec: use DEV_STATS_INC()
    b5e20a3ddea4 macsec: Fix traffic counters/statistics
    4b854879f82d selftests: forwarding: tc_flower: Relax success criterion
    e5883ffdd0a8 mmc: sdhci-f-sdh30: Replace with sdhci_pltfm
    e7bd70c3bc62 mmc: sdhci_f_sdh30: convert to devm_platform_ioremap_resource

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 38ffa5cce8..fefbb63209 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "f2579170aa90e502fb972bdb87c150c909735056"
-SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
+SRCREV_machine ?= "ccbf907f43d15ffd113a58e77986ece2b9cd0b53"
+SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.254"
+LINUX_VERSION ?= "5.4.256"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index ce8f4ddfea..febbf1cb7e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.254"
+LINUX_VERSION ?= "5.4.256"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "cb6922c0bf40c0171473ffad3e3c734af7535f9e"
-SRCREV_machine ?= "7121dcf1e4579162b3c5586cbdef005b155f2d00"
-SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
+SRCREV_machine_qemuarm ?= "b3176395ae2665d4d417c7b78dfb43dcf49462a9"
+SRCREV_machine ?= "88509f87ebd23e35482a3e7acd6f88a1ca209f9a"
+SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index fc2a34dbcf..b5e85bd3ea 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -13,16 +13,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "b48a097e3afc2c3cb75439a138ad62aac1f611de"
-SRCREV_machine_qemuarm64 ?= "30e9b327db697ba836406fd892dd2461dcc52978"
-SRCREV_machine_qemumips ?= "1404c8a0c15cd302e99cb766cf117f53ec9d12d4"
-SRCREV_machine_qemuppc ?= "8ddc9d98289ff9e0dd92a5ac4a1ab9395286c426"
-SRCREV_machine_qemuriscv64 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
-SRCREV_machine_qemux86 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
-SRCREV_machine_qemux86-64 ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
-SRCREV_machine_qemumips64 ?= "c64d8a92d051687aaf05990475254ad795d5105d"
-SRCREV_machine ?= "b8f66b4961995b49af6b392be1a28132afe0f9a6"
-SRCREV_meta ?= "b05cf0166411efabc3704035e61c93d8a299d702"
+SRCREV_machine_qemuarm ?= "80d0730537aad4de79fc587a65ed7819790dcc6f"
+SRCREV_machine_qemuarm64 ?= "d569fe3e1a114ddcac5c4af67814405a614147ad"
+SRCREV_machine_qemumips ?= "0a41991fe10d34d22e87c276911142d2f1a67a93"
+SRCREV_machine_qemuppc ?= "1034463b20b1154014d1d6ffe87d018842ad094b"
+SRCREV_machine_qemuriscv64 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
+SRCREV_machine_qemux86 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
+SRCREV_machine_qemux86-64 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
+SRCREV_machine_qemumips64 ?= "60ddf305567af22536ec5c85d1af614a3b5bbfad"
+SRCREV_machine ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
+SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -31,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.254"
+LINUX_VERSION ?= "5.4.256"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 13/13] linux-yocto/5.4: update to v5.4.257

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    a140610d8aff Linux 5.4.257
    42900fd140c8 net/sched: Retire rsvp classifier
    b3637835ac99 drm/amdgpu: fix amdgpu_cs_p1_user_fence
    650ebbba5c15 mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
    b1ef1f2f3737 ext4: fix rec_len verify error
    e4efb0aaf288 scsi: megaraid_sas: Fix deadlock on firmware crashdump
    44654114fb6f i2c: aspeed: Reset the i2c controller when timeout occurs
    ce47fe53f78b tracefs: Add missing lockdown check to tracefs_create_dir()
    b6c042d4ac6a nfsd: fix change_info in NFSv4 RENAME replies
    952e477f9080 tracing: Have option files inc the trace array ref count
    ff8cf370d359 tracing: Have current_trace inc the trace array ref count
    a70c6e57316b btrfs: fix lockdep splat and potential deadlock after failure running delayed items
    8e8dcc0f1518 attr: block mode changes of symlinks
    a8403f9fd402 md/raid1: fix error: ISO C90 forbids mixed declarations
    349640248b5e selftests: tracing: Fix to unmount tracefs for recovering environment
    5b50c95cf842 btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super
    b61aad18b38a btrfs: add a helper to read the superblock metadata_uuid
    bd0fe5489102 btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h
    a04cce3e79c6 perf tools: Add an option to build without libbfd
    f3701ef61fd7 perf jevents: Make build dependency on test JSONs
    a12e9ba7f346 tools features: Add feature test to check if libbfd has buildid support
    964e025ceefd kobject: Add sanity check for kset->kobj.ktype in kset_register()
    545d1070ed7c media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
    44d72e9edd1b serial: cpm_uart: Avoid suspicious locking
    2cbe6a88fbdd scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
    9cd6b3802d7c usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
    abe0cd279aee media: pci: cx23885: replace BUG with error return
    641e60223971 media: tuners: qt1010: replace BUG_ON with a regular error
    991c77fe18c6 media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
    8dc5b370254a media: anysee: fix null-ptr-deref in anysee_master_xfer
    0c02eb70b1dd media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
    beb9550494e7 media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
    b49c6e5dd236 media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
    7ffe14fce742 powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
    5873df019512 jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
    b12ccbfdf653 fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
    a7fde3d46ac6 ext2: fix datatype of block number in ext2_xattr_set2()
    25a68f2286be md: raid1: fix potential OOB in raid1_remove_disk()
    77918680ab07 bus: ti-sysc: Configure uart quirks for k3 SoC
    279e32b79d03 drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
    3beb97bed860 wifi: mac80211_hwsim: drop short frames
    6773ea9982dc alx: fix OOB-read compiler warning
    fd1a177d2ccb mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450
    ff75c853b7db tpm_tis: Resend command to recover from data transfer errors
    61f5453e9706 crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
    d1473fc030d3 wifi: mwifiex: fix fortify warning
    38eb4ef67f60 wifi: ath9k: fix printk specifier
    93f4a0b74413 devlink: remove reload failed checks in params get/set callbacks
    aadb178c5123 hw_breakpoint: fix single-stepping when using bpf_overflow_handler
    cb37e7fa2339 perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09
    4de282f49135 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
    d0a13c395e22 kernel/fork: beware of __put_task_struct() calling context
    3bf4463e40a1 ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
    117fb80cd1e6 locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock
    7afbfde45d66 btrfs: output extra debug info if we failed to find an inline backref
    6079dc77c6f3 autofs: fix memory leak of waitqueues in autofs_catatonic_mode
    8c027a5798f1 parisc: Drop loops_per_jiffy from per_cpu struct
    4316b8294503 drm/amd/display: Fix a bug when searching for insert_above_mpcc
    1ce8362b4ac6 kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
    b5fc6fd660ab ixgbe: fix timestamp configuration code
    f9f3ce7719eb net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
    08d36f317c40 platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
    0507815ae94b mlxbf-tmfifo: sparse tags for config access
    7efc9e97f6e2 platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
    479c71cda14b kcm: Fix memory leak in error path of kcm_sendmsg()
    c565533407cd r8152: check budget for r8152_poll()
    653fbddbdfc6 net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
    ba6673824efa net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
    5624f26a3574 net: ipv4: fix one memleak in __inet_del_ifa()
    e757ca9c1ca1 clk: imx8mm: Move 1443X/1416X PLL clock structure to common place
    75e0bd976154 ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
    5f71716772b8 usb: typec: bus: verify partner exists in typec_altmode_attention
    14fe0f8627f8 usb: typec: tcpm: Refactor tcpm_handle_vdm_request
    979f8743f373 usb: typec: tcpm: Refactor tcpm_handle_vdm_request payload handling
    6ca8e31480b5 perf tools: Handle old data in PERF_RECORD_ATTR
    dffa46d0ca52 perf hists browser: Fix hierarchy mode header
    6095dd28217e mtd: rawnand: brcmnand: Fix potential false time out warning
    aae45746f4ae mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
    09417fbf12f8 mtd: rawnand: brcmnand: Fix crash during the panic_write
    aa64f6f0ce7e btrfs: use the correct superblock to compare fsid in btrfs_validate_super
    6eb1fc314ce4 btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
    b0d236e3afac fuse: nlookup missing decrement in fuse_direntplus_link
    0e918d7c00da ata: pata_ftide010: Add missing MODULE_DESCRIPTION
    e03ac1773414 ata: sata_gemini: Add missing MODULE_DESCRIPTION
    118db787bab3 sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
    89099d73b2dd net: hns3: fix the port information display when sfp is absent
    a44602888bbe netfilter: nfnetlink_osf: avoid OOB read
    62c363e6041c ip_tunnels: use DEV_STATS_INC()
    a5dffc12038f idr: fix param name in idr_alloc_cyclic() doc
    6b0cb9c05584 s390/zcrypt: don't leak memory if dev_set_name() fails
    c149b61301fe igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
    4a5defbfe88b igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
    c805b8741476 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
    8047a4898498 kcm: Destroy mutex in kcm_exit_net()
    a6d11571b91d net: sched: sch_qfq: Fix UAF in qfq_dequeue()
    f1ba9a03b166 af_unix: Fix data race around sk->sk_err.
    1ffed3ea8750 af_unix: Fix data-races around sk->sk_shutdown.
    5d91b7891f4a af_unix: Fix data-race around unix_tot_inflight.
    adcf4e069358 af_unix: Fix data-races around user->unix_inflight.
    e13db62db9ef net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
    23b4b1a069e9 veth: Fixing transmit return status for dropped packets
    0133bc289720 igb: disable virtualization features on 82580
    41f10a4d78fe net: read sk->sk_family once in sk_mc_loop()
    cd12efc54ff8 ipv4: annotate data-races around fi->fib_dead
    01585fa32650 sctp: annotate data-races around sk->sk_wmem_queued
    04301da4d870 pwm: lpc32xx: Remove handling of PWM channels
    565f7bb0b3fe watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
    7a0e41223e98 perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
    c5be10f1bf61 x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
    1d0cc1a9c4bd perf annotate bpf: Don't enclose non-debug code with an assert()
    c7cc4dc2473c kconfig: fix possible buffer overflow
    0158dab8e8b8 NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
    64c5e916fabe soc: qcom: qmi_encdec: Restrict string length in decode
    5c7608d976ab clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
    b88626c47217 parisc: led: Reduce CPU overhead for disk & lan LED computation
    536f30922556 parisc: led: Fix LAN receive and transmit LEDs
    cbfffe51221b lib/test_meminit: allocate pages up to order MAX_ORDER
    9b7f6e500969 drm/ast: Fix DRAM init on AST2200
    8ffa40ff64aa fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
    6d5eb57a02a5 scsi: qla2xxx: Remove unsupported ql2xenabledif option
    e24bc58113d1 scsi: qla2xxx: Turn off noisy message log
    05935f9106f1 scsi: qla2xxx: Fix erroneous link up failure
    61641000ad33 scsi: qla2xxx: fix inconsistent TMF timeout
    f966dc8c2d18 net/ipv6: SKB symmetric hash should incorporate transport ports
    d31331e2df6e drm: fix double free for gbo in drm_gem_vram_init and drm_gem_vram_create
    34eb4bd9152c udf: initialize newblock to 0
    206d2b7bafc0 usb: typec: tcpci: clear the fault status bit
    824421868102 serial: sc16is7xx: fix broken port 0 uart init
    159bc8c6b5db sc16is7xx: Set iobase to device index
    355ac795843f cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
    5e7d0acc69b5 crypto: stm32 - fix loop iterating through scatterlist for DMA
    306e356d583d s390/ipl: add missing secure/has_secure file to ipl type 'unknown'
    e972231db29b pstore/ram: Check start of empty przs during init
    b6c9d040191f fsverity: skip PKCS#7 parser when keyring is empty
    712491c9abf2 net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
    15b3727108c7 X.509: if signature is unsupported skip validation
    7a7dd70cb954 dccp: Fix out of bounds access in DCCP error handler
    1c675c937cb2 dlm: fix plock lookup when using multiple lockspaces
    8cd1c5cec6c9 parisc: Fix /proc/cpuinfo output for lscpu
    0337bb53cb7d procfs: block chmod on /proc/thread-self/comm
    2e1f12ce0da7 Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
    eb1fa4819d9c ntb: Fix calculation ntb_transport_tx_free_entry()
    b2a6a169c222 ntb: Clean up tx tail index on link down
    94491412a2af ntb: Drop packets when qp link is down
    ff3bb51e2136 media: dvb: symbol fixup for dvb_attach()
    b047ac1528a1 xtensa: PMU: fix base address for the newer hardware
    2791a2a69a2c backlight/lv5207lp: Compare against struct fb_info.device
    bc86f29e1281 backlight/bd6107: Compare against struct fb_info.device
    3dd8ff569596 backlight/gpio_backlight: Compare against struct fb_info.device
    c2e1ce4fa498 ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
    f53ab5a2bf20 ipmi_si: fix a memleak in try_smi_init()
    e7f97980f735 ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
    29811f4b8255 PM / devfreq: Fix leak in devfreq_dev_release()
    c2ad60ed38b8 igb: set max size RX buffer when store bad packet is enabled
    d44403ec0676 skbuff: skb_segment, Call zero copy functions before using skbuff frags
    64831fb6a204 netfilter: xt_sctp: validate the flag_info count
    28ce8495b559 netfilter: xt_u32: validate user space input
    109e830585e8 netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
    3d54e9949930 igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
    ec6ad9d99ef4 virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
    12fcca2ee445 cpufreq: Fix the race condition while updating the transition_task of policy
    fe5dd3950178 dmaengine: ste_dma40: Add missing IRQ check in d40_probe
    e0f2d85ea3d0 um: Fix hostaudio build errors
    88d508faf3dd mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
    efa7f31669f0 rpmsg: glink: Add check for kstrdup
    d2473df751d2 phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write
    f36a06988c19 phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
    b0d5d77b14b4 phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
    90e037cabc2c tracing: Fix race issue between cpu buffer write and swap
    ac78921ec246 x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
    df7ca43fe090 HID: multitouch: Correct devm device reference for hidinput input_dev name
    cf48a7ba5c09 HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()
    011daffb53ce RDMA/siw: Correct wrong debug message
    35a78898cdfd RDMA/siw: Balance the reference of cep->kref in the error path
    9b6296861a5a Revert "IB/isert: Fix incorrect release of isert connection"
    03db4fe7917b amba: bus: fix refcount leak
    93a4aefa5745 serial: tegra: handle clk prepare error in tegra_uart_hw_init()
    d2bf25674cea scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
    b1e3199bade0 scsi: core: Use 32-bit hostnum in scsi_host_lookup()
    103b41e97275 media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
    009b1202a099 media: ov2680: Fix vflip / hflip set functions
    560624cf1d3a media: ov2680: Fix ov2680_bayer_order()
    218b60bc06bc media: ov2680: Remove auto-gain and auto-exposure controls
    768d4d230c02 media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
    c04ae531eea6 media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
    916219c523e0 media: i2c: ov5640: Configure HVP lines in s_power callback
    93c518d28600 USB: gadget: f_mass_storage: Fix unused variable warning
    0d8c6770983e media: go7007: Remove redundant if statement
    38269b9ec843 iommu/vt-d: Fix to flush cache of PASID directory table
    a94aaffe9290 IB/uverbs: Fix an potential error pointer dereference
    c3a679853826 driver core: test_async: fix an error code
    27a218419c86 dma-buf/sync_file: Fix docs syntax
    c9e6c1fefcd5 coresight: tmc: Explicit type conversions to prevent integer overflow
    463934ca5d98 scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
    668ce8d508a3 scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
    06a2dde58f40 scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
    e26d52128691 x86/APM: drop the duplicate APM_MINOR_DEV macro
    c65be6ad55e5 serial: sprd: Fix DMA buffer leak issue
    730d1b7ec94c serial: sprd: Assign sprd_port after initialized to avoid wrong access
    dff8066579c0 serial: sprd: remove redundant sprd_port cleanup
    a7d80271a150 serial: sprd: getting port index via serial aliases only
    47f3be62eab5 scsi: qla4xxx: Add length check when parsing nlattrs
    bc66e701ca8f scsi: be2iscsi: Add length check when parsing nlattrs
    161d4509dde4 scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
    bc4fbf2dab31 usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
    de4345fe4312 media: mediatek: vcodec: Return NULL if no vdec_fb is found
    02c0ea731f31 media: cx24120: Add retval check for cx24120_message_send()
    75d6ef197c48 media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
    74697b417624 media: dib7000p: Fix potential division by zero
    afd90d353f80 drivers: usb: smsusb: fix error handling code in smsusb_init_device
    4bc5ffaf8ac4 media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
    008b334af84a media: v4l2-fwnode: simplify v4l2_fwnode_parse_link
    064e156e9f66 media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling
    7a9619e38c2b NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN
    16282aeca44b NFSD: da_addr_body field missing in some GETDEVICEINFO replies
    93a14ab67582 fs: lockd: avoid possible wrong NULL parameter
    d3351799be41 jfs: validate max amount of blocks before allocation.
    65bf8a196ba2 powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
    650803f93dd8 nfs/blocklayout: Use the passed in gfp flags
    68ba08ab40c5 wifi: ath10k: Use RMW accessors for changing LNKCTL
    ab28c56192f5 drm/radeon: Use RMW accessors for changing LNKCTL
    d835a13232c0 drm/radeon: Prefer pcie_capability_read_word()
    06c0c15ab03c drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions
    30e633dbcd4c drm/radeon: Correct Transmit Margin masks
    108ce391d6da drm/amdgpu: Use RMW accessors for changing LNKCTL
    7085f1aab194 drm/amdgpu: Prefer pcie_capability_read_word()
    62a1c1bd45d8 drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions
    adf810206cca drm/amdgpu: Correct Transmit Margin masks
    7f9129b66c87 PCI: Add #defines for Enter Compliance, Transmit Margin
    81d1de3b9793 powerpc/fadump: reset dump area size if fadump memory reserve fails
    7159a27b1ac1 clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op
    044ff5356a3b PCI/ASPM: Use RMW accessors for changing LNKCTL
    73d73556ed1d PCI: pciehp: Use RMW accessors for changing LNKCTL
    e7e3268ae9b7 PCI: Mark NVIDIA T4 GPUs to avoid bus reset
    a611e38d5b94 clk: sunxi-ng: Modify mismatched function name
    9ad9cca12b10 drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
    de677f4379fa ipmi:ssif: Fix a memory leak when scanning for an adapter
    ef0d286989b1 ipmi:ssif: Add check for kstrdup
    90fddb87892e ALSA: ac97: Fix possible error value of *rac97
    0b1e48e4dccb of: unittest: Fix overlay type in apply/revert check
    0a6f39488c38 drm/mediatek: Fix potential memory leak if vmap() fail
    f6364fa751d7 audit: fix possible soft lockup in __audit_inode_child()
    43f0c2bb16af smackfs: Prevent underflow in smk_set_cipso()
    b8a61df6f404 drm/msm/mdp5: Don't leak some plane state
    1f3d0e65d111 ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
    dbdc828991ae drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01
    4db0a85cf865 drm/armada: Fix off-by-one error in armada_overlay_get_property()
    dadf0d0dfcc8 of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
    def1fd88ae97 drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
    c1ff601e1aa5 drm/tegra: Remove superfluous error messages around platform_get_irq()
    1603f086200a md/md-bitmap: hold 'reconfig_mutex' in backlog_store()
    630be0110e6a md/bitmap: don't set max_write_behind if there is no write mostly device
    a8f8c4e7281c drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl'
    c6b423ab655c arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC
    69d9fb39480c ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
    e6fc20a5425b drm: adv7511: Fix low refresh rate register for ADV7533/5
    88d32b9ad274 ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
    dfe36c23abf9 ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
    febead00308f ARM: dts: s5pv210: correct ethernet unit address in SMDKV210
    00b3f8004bdc ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210
    9dff1deb2507 ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210
    df9929c61c9d ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
    c20456c2cd29 ARM: dts: s3c64xx: align pinctrl with dtschema
    a355d140eb49 ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410
    e5deee40fa04 ARM: dts: s3c6410: move fixed clocks under root node in Mini6410
    d38b67da1572 drm/etnaviv: fix dumping of active MMU context
    5b8c8527a2c3 ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
    5680c01363ea ARM: dts: BCM53573: Add cells sizes to PCIe node
    17a5848bdca0 ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger
    c01cbe6c0345 drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
    d40c192e1198 quota: fix dqput() to follow the guarantees dquot_srcu should provide
    dd918952b1ed quota: add new helper dquot_active()
    88c0cdfe10fb quota: rename dquot_active() to inode_quota_active()
    29d7249bb61c quota: factor out dquot_write_dquot()
    f2f64c2951a3 quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list
    1e4f7ce32a1d drm/bridge: tc358764: Fix debug print parameter order
    835f0a848a8b netrom: Deny concurrent connect().
    da13749d5ff7 net/sched: sch_hfsc: Ensure inner classes have fsc curve
    83382eafc745 mlxsw: i2c: Limit single transaction buffer size
    b2d7f0f313b8 mlxsw: i2c: Fix chunk size setting in output mailbox buffer
    400ef5f79c90 net: arcnet: Do not call kfree_skb() under local_irq_disable()
    f306bbdce631 wifi: ath9k: use IS_ERR() with debugfs_create_dir()
    231086e6a363 wifi: mwifiex: avoid possible NULL skb pointer dereference
    5f6f00bcf947 wifi: ath9k: protect WMI command response buffer replacement with a lock
    ff703b5f3f3c wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
    df1753eae74b wifi: mwifiex: Fix missed return in oob checks failed path
    8f717752f94e wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
    ab4810042cdd fs: ocfs2: namei: check return value of ocfs2_add_entry()
    dbe64279ae34 lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
    67f8f2bae8e7 lwt: Fix return values of BPF xmit ops
    12bf7d9cc6af hwrng: iproc-rng200 - Implement suspend and resume calls
    4f1ca8e39732 hwrng: iproc-rng200 - use semicolons rather than commas to separate statements
    6c015ebce180 crypto: caam - fix unchecked return value error
    ec348676c7d0 Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
    0ce06035ea67 crypto: stm32 - Properly handle pm_runtime_get failing
    34de9f1d6359 wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
    87f8c5442373 mwifiex: switch from 'pci_' to 'dma_' API
    29eca8b7863d wifi: mwifiex: Fix OOB and integer underflow when rx packets
    042aeb45e484 can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
    516f21f21068 spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
    4fb6fcc04a99 regmap: rbtree: Use alloc_flags for memory allocations
    57935355dc67 tcp: tcp_enter_quickack_mode() should be static
    75b8b5b52985 bpf: Clear the probe_addr for uprobe
    a0fa690894c1 cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
    991b7c260476 perf/imx_ddr: don't enable counter0 if none of 4 counters are used
    07415be140d0 x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved
    6dbac48ea344 x86/boot: Annotate local functions
    c418814fae86 x86/asm: Make more symbols local
    3eb241e47d05 OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd()
    5d3975e36c64 tmpfs: verify {g,u}id mount options correctly
    48c54877ce33 fs: Fix error checking for d_hash_and_lookup()
    0c8c20538115 new helper: lookup_positive_unlocked()
    0a2b1eb8a9ce eventfd: prevent underflow for eventfd semaphores
    3e9617d63edf eventfd: Export eventfd_ctx_do_read()
    f59ff666989c reiserfs: Check the return value from __getblk()
    e74903b5fbc9 Revert "net: macsec: preserve ingress frame ordering"
    b36c4a731aae udf: Handle error when adding extent to a file
    7648ea9896b3 udf: Check consistency of Space Bitmap Descriptor
    3e2265cda14e powerpc/32s: Fix assembler warning about r0
    aea73dde7180 net: Avoid address overwrite in kernel_connect
    d7d42f114252 platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications
    6614af25e142 ALSA: seq: oss: Fix racy open/close of MIDI devices
    601dc776a09a scsi: storvsc: Always set no_report_opcodes
    107f5cad230b cifs: add a warning when the in-flight count goes negative
    f31618e4fc00 sctp: handle invalid error codes without calling BUG()
    8d7395d0ea5e bnx2x: fix page fault following EEH recovery
    c1ce2f09573e netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
    499eb477f76b scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
    d0189e40c2d1 idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
    617d1d0e1730 net: usb: qmi_wwan: add Quectel EM05GV2
    5d2481bc924e clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM
    3899c1d158c5 security: keys: perform capable check only on privileged operations
    97ed1be29bf0 platform/x86: huawei-wmi: Silence ambient light sensor
    762c352dfc41 platform/x86: intel: hid: Always call BTNL ACPI method
    0e3f0e55974c ASoC: atmel: Fix the 8K sample parameter in I2SC master
    0b718d1d5780 ASoc: codecs: ES8316: Fix DMIC config
    b796adfc9869 fs/nls: make load_nls() take a const parameter
    35a9b057bfd4 s390/dasd: fix hanging device after request requeue
    d7768b33d0fd s390/dasd: use correct number of retries for ERP requests
    a21ff228f0e1 m68k: Fix invalid .section syntax
    4dfc0d1edad3 vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
    d65c5ef975d1 ethernet: atheros: fix return value check in atl1c_tso_csum()
    ea95a0111494 ASoC: da7219: Check for failure reading AAD IRQ events
    216953c3de60 ASoC: da7219: Flush pending AAD IRQ when suspending
    b6f827c3f8db 9p: virtio: make sure 'offs' is initialized in zc_request
    b6fefef07dca pinctrl: amd: Don't show `Invalid config param` errors
    99a73016a5e1 nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
    724474dfaa98 nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
    efe8244ba960 fsi: master-ast-cf: Add MODULE_FIRMWARE macro
    6b701dab1993 firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
    bee7f3a49469 serial: sc16is7xx: fix bug when first setting GPIO direction
    a6650d27ab2c Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
    5876cae6d6ef staging: rtl8712: fix race condition
    a17c6efa1413 HID: wacom: remove the battery when the EKR is off
    e4f5ad7b539a USB: serial: option: add FOXCONN T99W368/T99W373 product
    837f6647b2bf USB: serial: option: add Quectel EM05G variant (0x030e)
    1d2432804815 modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
    6938ef59e3ff rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
    0e0914f9a899 net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index
    6b39bd898bb0 mmc: au1xmmc: force non-modular build and remove symbol_get usage
    7a67c5d93292 ARM: pxa: remove use of symbol_get()
    e83f5d13cb73 erofs: ensure that the post-EOF tails are all zeroed

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index fefbb63209..148712b6f3 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "ccbf907f43d15ffd113a58e77986ece2b9cd0b53"
-SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
+SRCREV_machine ?= "85315779726690bf22e615a8f5e2ab9f3ea8e580"
+SRCREV_meta ?= "3f4db4c1957e98a3da50908339aaee426e58fd13"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.256"
+LINUX_VERSION ?= "5.4.257"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index febbf1cb7e..89fda1c71b 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.256"
+LINUX_VERSION ?= "5.4.257"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "b3176395ae2665d4d417c7b78dfb43dcf49462a9"
-SRCREV_machine ?= "88509f87ebd23e35482a3e7acd6f88a1ca209f9a"
-SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
+SRCREV_machine_qemuarm ?= "dd581fe8efd97479b60c1169c77d2e9e37fdbd42"
+SRCREV_machine ?= "739b4ff36fdf4203e60448f252dd4afcd8871046"
+SRCREV_meta ?= "3f4db4c1957e98a3da50908339aaee426e58fd13"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index b5e85bd3ea..e10e542663 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -13,16 +13,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "80d0730537aad4de79fc587a65ed7819790dcc6f"
-SRCREV_machine_qemuarm64 ?= "d569fe3e1a114ddcac5c4af67814405a614147ad"
-SRCREV_machine_qemumips ?= "0a41991fe10d34d22e87c276911142d2f1a67a93"
-SRCREV_machine_qemuppc ?= "1034463b20b1154014d1d6ffe87d018842ad094b"
-SRCREV_machine_qemuriscv64 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
-SRCREV_machine_qemux86 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
-SRCREV_machine_qemux86-64 ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
-SRCREV_machine_qemumips64 ?= "60ddf305567af22536ec5c85d1af614a3b5bbfad"
-SRCREV_machine ?= "c6ed5a124febbc8b22f95f9c8866188d290206ca"
-SRCREV_meta ?= "139494ae6aa521d549ad94aa51ace747d37ee4e4"
+SRCREV_machine_qemuarm ?= "af8795f548930f376f648b3c38c96ea9adeca302"
+SRCREV_machine_qemuarm64 ?= "08b2d42ab0000a6f12d816c0828632c162f5173a"
+SRCREV_machine_qemumips ?= "37c8da56986328d9030015e1a80beaa90babab30"
+SRCREV_machine_qemuppc ?= "3cd238f6056560888f7f717c569ca4a1fe16ccc9"
+SRCREV_machine_qemuriscv64 ?= "aee8802f6fec35ea9b393707cc2adb4d433d93c8"
+SRCREV_machine_qemux86 ?= "aee8802f6fec35ea9b393707cc2adb4d433d93c8"
+SRCREV_machine_qemux86-64 ?= "aee8802f6fec35ea9b393707cc2adb4d433d93c8"
+SRCREV_machine_qemumips64 ?= "44fbd145164885c2ba73a8ddcb09fd6f3ab0d59c"
+SRCREV_machine ?= "aee8802f6fec35ea9b393707cc2adb4d433d93c8"
+SRCREV_meta ?= "3f4db4c1957e98a3da50908339aaee426e58fd13"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -31,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.256"
+LINUX_VERSION ?= "5.4.257"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.34.1

[OE-core][dunfell 00/13] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Thursday, November 30

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6252

The following changes since commit ff7dbcc0206203e2ece68ca91a37050a4bc822a2:

  selftest: skip virgl test on all fedora (2023-11-14 06:35:38 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Archana Polampalli (1):
  vim: Upgrade 9.0.2048 -> 9.0.2068

Etienne Cordonnier (1):
  vim: update obsolete comment

Hitendra Prajapati (1):
  grub: fix CVE-2023-4692 & CVE-2023-4693

Lee Chee Yang (3):
  wayland: fix CVE-2021-3782
  python3-setuptools: fix CVE-2022-40897
  curl: fix CVE-2023-28321 CVE-2023-28322

Richard Purdie (1):
  vim: Improve locale handling

Steve Sakoman (1):
  vim: use upstream generated .po files

Vijay Anusuri (5):
  libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787
  shadow: backport patch to fix CVE-2023-29383
  bind: Backport fix for CVE-2023-3341
  avahi: backport Debian patches to fix multiple CVE's
  tiff: backport Debian patch to fix CVE-2022-40090

 .../grub/files/CVE-2023-4692.patch            |  97 ++++
 .../grub/files/CVE-2023-4693.patch            |  62 ++
 meta/recipes-bsp/grub/grub2.inc               |   2 +
 meta/recipes-connectivity/avahi/avahi.inc     |   9 +
 .../avahi/files/CVE-2023-1981.patch           |  60 ++
 .../avahi/files/CVE-2023-38469-1.patch        |  48 ++
 .../avahi/files/CVE-2023-38469-2.patch        |  65 +++
 .../avahi/files/CVE-2023-38470-1.patch        |  57 ++
 .../avahi/files/CVE-2023-38470-2.patch        |  53 ++
 .../avahi/files/CVE-2023-38471-1.patch        |  73 +++
 .../avahi/files/CVE-2023-38471-2.patch        |  52 ++
 .../avahi/files/CVE-2023-38472.patch          |  45 ++
 .../avahi/files/CVE-2023-38473.patch          | 109 ++++
 .../bind/bind/CVE-2023-3341.patch             | 175 ++++++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 .../python/python-setuptools.inc              |   2 +
 .../python3-setuptools/CVE-2022-40897.patch   |  29 +
 .../files/0001-Overhaul-valid_field.patch     |  66 +++
 .../shadow/files/CVE-2023-29383.patch         |  54 ++
 meta/recipes-extended/shadow/shadow.inc       |   2 +
 .../wayland/wayland/CVE-2021-3782.patch       | 111 ++++
 .../wayland/wayland_1.18.0.bb                 |   1 +
 .../xorg-lib/libx11/CVE-2023-43785.patch      |  63 ++
 .../xorg-lib/libx11/CVE-2023-43786-1.patch    |  42 ++
 .../xorg-lib/libx11/CVE-2023-43786-2.patch    |  46 ++
 .../xorg-lib/libx11/CVE-2023-43787-1.patch    |  52 ++
 .../xorg-lib/libx11/CVE-2023-43787-2.patch    |  64 ++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   5 +
 .../libtiff/files/CVE-2022-40090.patch        | 548 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 .../curl/curl/CVE-2023-28321.patch            | 272 +++++++++
 .../curl/curl/CVE-2023-28322.patch            | 380 ++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |  25 +-
 34 files changed, 2658 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
 create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
 create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
 create mode 100644 meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28321.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322.patch

-- 
2.34.1