* [OE-core][kirkstone 01/38] zlib: ignore CVE-2026-22184
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 02/38] python3: patch CVE-2025-13837 Yoann Congal
` (36 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This is CVE for example tool contrib/untgz.
This is not compiled in Yocto zlib recipe.
This CVE has controversial CVSS3 score of 9.8.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/zlib/zlib_1.2.11.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb
index dc8f7c6c855..8dd0a90b523 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -58,3 +58,5 @@ BBCLASSEXTEND = "native nativesdk"
# this CVE is for cloudflare zlib
CVE_CHECK_IGNORE += "CVE-2023-6992"
+# vulnerable file is not compiled
+CVE_CHECK_IGNORE += "CVE-2026-22184"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 02/38] python3: patch CVE-2025-13837
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 01/38] zlib: ignore CVE-2026-22184 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 03/38] python3: patch CVE-2025-12084 Yoann Congal
` (35 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch from 3.12 branch per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2025-13837.patch | 162 ++++++++++++++++++
.../python/python3_3.10.19.bb | 1 +
2 files changed, 163 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
new file mode 100644
index 00000000000..36bf75792bb
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
@@ -0,0 +1,162 @@
+From 5a8b19677d818fb41ee55f310233772e15aa1a2b Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Mon, 22 Dec 2025 15:49:44 +0200
+Subject: [PATCH] [3.12] gh-119342: Fix a potential denial of service in
+ plistlib (GH-119343) (#142149)
+
+Reading a specially prepared small Plist file could cause OOM because file's
+read(n) preallocates a bytes object for reading the specified amount of
+data. Now plistlib reads large data by chunks, therefore the upper limit of
+consumed memory is proportional to the size of the input file.
+(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
+
+CVE: CVE-2025-13837
+Upstream-Status: Backport [https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Lib/plistlib.py | 31 ++++++++++------
+ Lib/test/test_plistlib.py | 37 +++++++++++++++++--
+ ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst | 5 +++
+ 3 files changed, 59 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 3292c30d5f..c5554ea1f7 100644
+--- a/Lib/plistlib.py
++++ b/Lib/plistlib.py
+@@ -73,6 +73,9 @@ from xml.parsers.expat import ParserCreate
+ PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
+ globals().update(PlistFormat.__members__)
+
++# Data larger than this will be read in chunks, to prevent extreme
++# overallocation.
++_MIN_READ_BUF_SIZE = 1 << 20
+
+ class UID:
+ def __init__(self, data):
+@@ -499,12 +502,24 @@ class _BinaryPlistParser:
+
+ return tokenL
+
++ def _read(self, size):
++ cursize = min(size, _MIN_READ_BUF_SIZE)
++ data = self._fp.read(cursize)
++ while True:
++ if len(data) != cursize:
++ raise InvalidFileException
++ if cursize == size:
++ return data
++ delta = min(cursize, size - cursize)
++ data += self._fp.read(delta)
++ cursize += delta
++
+ def _read_ints(self, n, size):
+- data = self._fp.read(size * n)
++ data = self._read(size * n)
+ if size in _BINARY_FORMAT:
+ return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
+ else:
+- if not size or len(data) != size * n:
++ if not size:
+ raise InvalidFileException()
+ return tuple(int.from_bytes(data[i: i + size], 'big')
+ for i in range(0, size * n, size))
+@@ -561,22 +576,16 @@ class _BinaryPlistParser:
+
+ elif tokenH == 0x40: # data
+ s = self._get_size(tokenL)
+- result = self._fp.read(s)
+- if len(result) != s:
+- raise InvalidFileException()
++ result = self._read(s)
+
+ elif tokenH == 0x50: # ascii string
+ s = self._get_size(tokenL)
+- data = self._fp.read(s)
+- if len(data) != s:
+- raise InvalidFileException()
++ data = self._read(s)
+ result = data.decode('ascii')
+
+ elif tokenH == 0x60: # unicode string
+ s = self._get_size(tokenL) * 2
+- data = self._fp.read(s)
+- if len(data) != s:
+- raise InvalidFileException()
++ data = self._read(s)
+ result = data.decode('utf-16be')
+
+ elif tokenH == 0x80: # UID
+diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
+index fa46050658..229a5a242e 100644
+--- a/Lib/test/test_plistlib.py
++++ b/Lib/test/test_plistlib.py
+@@ -838,8 +838,7 @@ class TestPlistlib(unittest.TestCase):
+
+ class TestBinaryPlistlib(unittest.TestCase):
+
+- @staticmethod
+- def decode(*objects, offset_size=1, ref_size=1):
++ def build(self, *objects, offset_size=1, ref_size=1):
+ data = [b'bplist00']
+ offset = 8
+ offsets = []
+@@ -851,7 +850,11 @@ class TestBinaryPlistlib(unittest.TestCase):
+ len(objects), 0, offset)
+ data.extend(offsets)
+ data.append(tail)
+- return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
++ return b''.join(data)
++
++ def decode(self, *objects, offset_size=1, ref_size=1):
++ data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
++ return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
+
+ def test_nonstandard_refs_size(self):
+ # Issue #21538: Refs and offsets are 24-bit integers
+@@ -959,6 +962,34 @@ class TestBinaryPlistlib(unittest.TestCase):
+ with self.assertRaises(plistlib.InvalidFileException):
+ plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
+
++ def test_truncated_large_data(self):
++ self.addCleanup(os_helper.unlink, os_helper.TESTFN)
++ def check(data):
++ with open(os_helper.TESTFN, 'wb') as f:
++ f.write(data)
++ # buffered file
++ with open(os_helper.TESTFN, 'rb') as f:
++ with self.assertRaises(plistlib.InvalidFileException):
++ plistlib.load(f, fmt=plistlib.FMT_BINARY)
++ # unbuffered file
++ with open(os_helper.TESTFN, 'rb', buffering=0) as f:
++ with self.assertRaises(plistlib.InvalidFileException):
++ plistlib.load(f, fmt=plistlib.FMT_BINARY)
++ for w in range(20, 64):
++ s = 1 << w
++ # data
++ check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
++ # ascii string
++ check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
++ # unicode string
++ check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
++ # array
++ check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
++ # dict
++ check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
++ # number of objects
++ check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
++
+
+ class TestKeyedArchive(unittest.TestCase):
+ def test_keyed_archive_data(self):
+diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+new file mode 100644
+index 0000000000..04fd8faca4
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+@@ -0,0 +1,5 @@
++Fix a potential memory denial of service in the :mod:`plistlib` module.
++When reading a Plist file received from untrusted source, it could cause
++an arbitrary amount of memory to be allocated.
++This could have led to symptoms including a :exc:`MemoryError`, swapping, out
++of memory (OOM) killed processes or containers, or even system crashes.
diff --git a/meta/recipes-devtools/python/python3_3.10.19.bb b/meta/recipes-devtools/python/python3_3.10.19.bb
index 5140445ad81..b87fc8d9ef2 100644
--- a/meta/recipes-devtools/python/python3_3.10.19.bb
+++ b/meta/recipes-devtools/python/python3_3.10.19.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
file://CVE-2025-6075.patch \
file://CVE-2025-13836.patch \
+ file://CVE-2025-13837.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 03/38] python3: patch CVE-2025-12084
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 01/38] zlib: ignore CVE-2026-22184 Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 02/38] python3: patch CVE-2025-13837 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 04/38] libxml2: patch CVE-2026-0990 Yoann Congal
` (34 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch for this CVE merged into 3.10 branch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2025-12084.patch | 171 ++++++++++++++++++
.../python/python3_3.10.19.bb | 1 +
2 files changed, 172 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-12084.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
new file mode 100644
index 00000000000..0c9bb435edf
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
@@ -0,0 +1,171 @@
+From c97e87593063d84a2bd9fe7068b30eb44de23dc0 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 25 Jan 2026 18:10:49 +0100
+Subject: [PATCH] [3.10] gh-142145: Remove quadratic behavior in node ID cache
+ clearing (GH-142146) (#142213)
+
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+
+* Remove quadratic behavior in node ID cache clearing
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+
+* Add news fragment
+
+CVE: CVE-2025-12084
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---------
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+
+* [3.14] gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794) (#142818)
+
+gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+
+* gh-142145: relax the no-longer-quadratic test timing (GH-143030)
+
+* gh-142145: relax the no-longer-quadratic test timing
+
+* require cpu resource
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+
+* merge NEWS entries into one
+
+---------
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/test_minidom.py | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst | 6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index ef38c36210..c68bd990f7 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -2,6 +2,7 @@
+
+ import copy
+ import pickle
++import time
+ import io
+ from test import support
+ import unittest
+@@ -9,7 +10,7 @@ import unittest
+ import pyexpat
+ import xml.dom.minidom
+
+-from xml.dom.minidom import parse, Attr, Node, Document, parseString
++from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+
+@@ -177,6 +178,36 @@ class MinidomTest(unittest.TestCase):
+ self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+ dom.unlink()
+
++ @support.requires_resource('cpu')
++ def testAppendChildNoQuadraticComplexity(self):
++ impl = getDOMImplementation()
++
++ newdoc = impl.createDocument(None, "some_tag", None)
++ top_element = newdoc.documentElement
++ children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
++ element = top_element
++
++ start = time.monotonic()
++ for child in children:
++ element.appendChild(child)
++ element = child
++ end = time.monotonic()
++
++ # This example used to take at least 30 seconds.
++ # Conservative assertion due to the wide variety of systems and
++ # build configs timing based tests wind up run under.
++ # A --with-address-sanitizer --with-pydebug build on a rpi5 still
++ # completes this loop in <0.5 seconds.
++ self.assertLess(end - start, 4)
++
++ def testSetAttributeNodeWithoutOwnerDocument(self):
++ # regression test for gh-142754
++ elem = Element("test")
++ attr = Attr("id")
++ attr.value = "test-id"
++ elem.setAttributeNode(attr)
++ self.assertEqual(elem.getAttribute("id"), "test-id")
++
+ def testAppendChildFragment(self):
+ dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+ dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index ef8a159833..cada981f39 100644
+--- a/Lib/xml/dom/minidom.py
++++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+ childNodes.append(node)
+ node.parentNode = self
+
+-def _in_document(node):
+- # return True iff node is part of a document tree
+- while node is not None:
+- if node.nodeType == Node.DOCUMENT_NODE:
+- return True
+- node = node.parentNode
+- return False
+
+ def _write_data(writer, data):
+ "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+ def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+ prefix=None):
+ self.ownerElement = None
++ self.ownerDocument = None
+ self._name = qName
+ self.namespaceURI = namespaceURI
+ self._prefix = prefix
+@@ -680,6 +674,7 @@ class Element(Node):
+
+ def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+ localName=None):
++ self.ownerDocument = None
+ self.parentNode = None
+ self.tagName = self.nodeName = tagName
+ self.prefix = prefix
+@@ -1539,7 +1534,7 @@ def _clear_id_cache(node):
+ if node.nodeType == Node.DOCUMENT_NODE:
+ node._id_cache.clear()
+ node._id_search_stack = None
+- elif _in_document(node):
++ elif node.ownerDocument:
+ node.ownerDocument._id_cache.clear()
+ node.ownerDocument._id_search_stack= None
+
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 0000000000..05c7df35d1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
++Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. In order
++to do this without breaking existing users, we also add the *ownerDocument*
++attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
++instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
++nodes is not supported; creator functions like
++:py:meth:`xml.dom.Document.documentElement` should be used instead.
diff --git a/meta/recipes-devtools/python/python3_3.10.19.bb b/meta/recipes-devtools/python/python3_3.10.19.bb
index b87fc8d9ef2..fbb2f80886b 100644
--- a/meta/recipes-devtools/python/python3_3.10.19.bb
+++ b/meta/recipes-devtools/python/python3_3.10.19.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2025-6075.patch \
file://CVE-2025-13836.patch \
file://CVE-2025-13837.patch \
+ file://CVE-2025-12084.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 04/38] libxml2: patch CVE-2026-0990
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-02-24 14:23 ` [OE-core][kirkstone 03/38] python3: patch CVE-2025-12084 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 05/38] libxml2: patch CVE-2026-0992 Yoann Congal
` (33 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch which closed [1].
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libxml/libxml2/CVE-2026-0990.patch | 76 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 77 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
new file mode 100644
index 00000000000..e0c1e3c7076
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,76 @@
+From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Wed, 17 Dec 2025 15:24:08 +0100
+Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
+
+CVE: CVE-2026-0989
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ catalog.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/catalog.c b/catalog.c
+index 76c063a8..46b877e6 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -2099,12 +2099,21 @@ static xmlChar *
+ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ xmlChar *ret = NULL;
+ xmlChar *urnID = NULL;
++ xmlCatalogEntryPtr cur = NULL;
+
+ if (catal == NULL)
+ return(NULL);
+ if (URI == NULL)
+ return(NULL);
+
++ if (catal->depth > MAX_CATAL_DEPTH) {
++ xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
++ "Detected recursion in catalog %s\n",
++ catal->name, NULL, NULL);
++ return(NULL);
++ }
++ catal->depth++;
++
+ if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
+ urnID = xmlCatalogUnWrapURN(URI);
+ if (xmlDebugCatalogs) {
+@@ -2118,21 +2127,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
+ if (urnID != NULL)
+ xmlFree(urnID);
++ catal->depth--;
+ return(ret);
+ }
+- while (catal != NULL) {
+- if (catal->type == XML_CATA_CATALOG) {
+- if (catal->children == NULL) {
+- xmlFetchXMLCatalogFile(catal);
++ cur = catal;
++ while (cur != NULL) {
++ if (cur->type == XML_CATA_CATALOG) {
++ if (cur->children == NULL) {
++ xmlFetchXMLCatalogFile(cur);
+ }
+- if (catal->children != NULL) {
+- ret = xmlCatalogXMLResolveURI(catal->children, URI);
+- if (ret != NULL)
++ if (cur->children != NULL) {
++ ret = xmlCatalogXMLResolveURI(cur->children, URI);
++ if (ret != NULL) {
++ catal->depth--;
+ return(ret);
++ }
+ }
+ }
+- catal = catal->next;
++ cur = cur->next;
+ }
++
++ catal->depth--;
+ return(ret);
+ }
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 05a7dce95b4..a72aff6c83d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -44,6 +44,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2025-6170.patch \
file://CVE-2025-9714.patch \
file://CVE-2025-7425.patch \
+ file://CVE-2026-0990.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 05/38] libxml2: patch CVE-2026-0992
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-02-24 14:23 ` [OE-core][kirkstone 04/38] libxml2: patch CVE-2026-0990 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 06/38] libxml2: add follow-up patch for CVE-2026-0992 Yoann Congal
` (32 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch which closed [1].
Adapt for missing xmlCatalogPrintDebug per [2].
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/728869809eb7eee1b1681d558b4b506a8019c151
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libxml/libxml2/CVE-2026-0992.patch | 49 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
new file mode 100644
index 00000000000..d7c0b47b339
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
@@ -0,0 +1,49 @@
+From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 11:02:18 +0100
+Subject: [PATCH] catalog: Ignore repeated nextCatalog entries
+
+This patch makes the catalog parsing to ignore repeated entries of
+nextCatalog with the same value.
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+
+CVE: CVE-2026-0989
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ catalog.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/catalog.c b/catalog.c
+index 46b877e6..fa6d77ca 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -1279,9 +1279,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+ BAD_CAST "delegateURI", BAD_CAST "uriStartString",
+ BAD_CAST "catalog", prefer, cgroup);
+ } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
++ xmlCatalogEntryPtr prev = parent->children;
++
+ entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
+ BAD_CAST "nextCatalog", NULL,
+ BAD_CAST "catalog", prefer, cgroup);
++ /* Avoid duplication of nextCatalog */
++ while (prev != NULL) {
++ if ((prev->type == XML_CATA_NEXT_CATALOG) &&
++ (xmlStrEqual (prev->URL, entry->URL)) &&
++ (xmlStrEqual (prev->value, entry->value)) &&
++ (prev->prefer == entry->prefer) &&
++ (prev->group == entry->group)) {
++ if (xmlDebugCatalogs)
++ fprintf(stderr,
++ "Ignoring repeated nextCatalog %s\n", entry->URL);
++ xmlFreeCatalogEntry(entry, NULL);
++ entry = NULL;
++ break;
++ }
++ prev = prev->next;
++ }
+ }
+ if (entry != NULL) {
+ if (parent != NULL) {
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index a72aff6c83d..bf3099c1f42 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -45,6 +45,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2025-9714.patch \
file://CVE-2025-7425.patch \
file://CVE-2026-0990.patch \
+ file://CVE-2026-0992.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 06/38] libxml2: add follow-up patch for CVE-2026-0992
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-02-24 14:23 ` [OE-core][kirkstone 05/38] libxml2: patch CVE-2026-0992 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:23 ` [OE-core][kirkstone 07/38] expat: patch CVE-2026-24515 Yoann Congal
` (31 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
References:
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
* https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...2026-0992.patch => CVE-2026-0992-01.patch} | 0
.../libxml/libxml2/CVE-2026-0992-02.patch | 325 ++++++++++++++++++
.../libxml/libxml2/CVE-2026-0992-03.patch | 33 ++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 4 +-
4 files changed, 361 insertions(+), 1 deletion(-)
rename meta/recipes-core/libxml/libxml2/{CVE-2026-0992.patch => CVE-2026-0992-01.patch} (100%)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
similarity index 100%
rename from meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
rename to meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
new file mode 100644
index 00000000000..50f72832d45
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
@@ -0,0 +1,325 @@
+From f8399e62a31095bf1ced01827c33f9b29494046f Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 12:27:54 +0100
+Subject: [PATCH] testcatalog: Add new tests for catalog.c
+
+Adds a new test program to run specific tests related to catalog
+parsing.
+
+This initial version includes a couple of tests, the first one to check
+the infinite recursion detection related to:
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018.
+
+The second one tests the nextCatalog element repeated parsing, related
+to:
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
+
+CVE: CVE-2026-0992
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f8399e62a31095bf1ced01827c33f9b29494046f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ CMakeLists.txt | 2 +
+ Makefile.am | 8 ++-
+ catalog.c | 63 +++++++++++-----
+ include/libxml/catalog.h | 2 +
+ test/catalogs/catalog-recursive.xml | 3 +
+ test/catalogs/repeated-next-catalog.xml | 10 +++
+ testcatalog.c | 96 +++++++++++++++++++++++++
+ 7 files changed, 164 insertions(+), 20 deletions(-)
+ create mode 100644 test/catalogs/catalog-recursive.xml
+ create mode 100644 test/catalogs/repeated-next-catalog.xml
+ create mode 100644 testcatalog.c
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 163661f8..7d5702df 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -555,6 +555,7 @@ if(LIBXML2_WITH_TESTS)
+ testapi
+ testAutomata
+ testC14N
++ testcatalog
+ testchar
+ testdict
+ testHTML
+@@ -579,6 +580,7 @@ if(LIBXML2_WITH_TESTS)
+ if(NOT WIN32)
+ add_test(NAME testapi COMMAND testapi)
+ endif()
++ add_test(NAME testcatalog COMMAND testcatalog)
+ add_test(NAME testchar COMMAND testchar)
+ add_test(NAME testdict COMMAND testdict)
+ add_test(NAME testrecurse COMMAND testrecurse WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+diff --git a/Makefile.am b/Makefile.am
+index c51dfd8e..c794eac8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -12,7 +12,7 @@ AM_CFLAGS = $(EXTRA_CFLAGS) $(THREAD_CFLAGS) $(Z_CFLAGS) $(LZMA_CFLAGS)
+
+ check_PROGRAMS=testSchemas testRelax testSAX testHTML testXPath testURI \
+ testThreads testC14N testAutomata testRegexp \
+- testReader testapi testModule runtest runsuite testchar \
++ testReader testapi testModule runtest runsuite testcatalog testchar \
+ testdict runxmlconf testrecurse testlimits
+
+ bin_PROGRAMS = xmllint xmlcatalog
+@@ -81,6 +81,11 @@ testlimits_LDFLAGS =
+ testlimits_DEPENDENCIES = $(DEPS)
+ testlimits_LDADD= $(BASE_THREAD_LIBS) $(RDL_LIBS) $(LDADDS)
+
++testcatalog_SOURCES=testcatalog.c
++testcatalog_LDFLAGS =
++testcatalog_DEPENDENCIES = $(DEPS)
++testcatalog_LDADD= $(LDADDS)
++
+ testchar_SOURCES=testchar.c
+ testchar_LDFLAGS =
+ testchar_DEPENDENCIES = $(DEPS)
+@@ -213,6 +218,7 @@ runtests:
+ $(CHECKER) ./runtest$(EXEEXT) && \
+ $(CHECKER) ./testrecurse$(EXEEXT) && \
+ ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
++ $(CHECKER) ./testcatalog$(EXEEXT) \
+ $(CHECKER) ./testchar$(EXEEXT) && \
+ $(CHECKER) ./testdict$(EXEEXT) && \
+ $(CHECKER) ./runxmlconf$(EXEEXT)
+diff --git a/catalog.c b/catalog.c
+index 401dbc14..eb889162 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -658,43 +658,54 @@ static void xmlDumpXMLCatalogNode(xmlCatalogEntryPtr catal, xmlNodePtr catalog,
+ }
+ }
+
+-static int
+-xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
+- int ret;
+- xmlDocPtr doc;
++static xmlDocPtr
++xmlDumpXMLCatalogToDoc(xmlCatalogEntryPtr catal) {
+ xmlNsPtr ns;
+ xmlDtdPtr dtd;
+ xmlNodePtr catalog;
+- xmlOutputBufferPtr buf;
++ xmlDocPtr doc = xmlNewDoc(NULL);
++ if (doc == NULL) {
++ return(NULL);
++ }
+
+- /*
+- * Rebuild a catalog
+- */
+- doc = xmlNewDoc(NULL);
+- if (doc == NULL)
+- return(-1);
+ dtd = xmlNewDtd(doc, BAD_CAST "catalog",
+- BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
+-BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
++ BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
++ BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
+
+ xmlAddChild((xmlNodePtr) doc, (xmlNodePtr) dtd);
+
+ ns = xmlNewNs(NULL, XML_CATALOGS_NAMESPACE, NULL);
+ if (ns == NULL) {
+- xmlFreeDoc(doc);
+- return(-1);
++ xmlFreeDoc(doc);
++ return(NULL);
+ }
+ catalog = xmlNewDocNode(doc, ns, BAD_CAST "catalog", NULL);
+ if (catalog == NULL) {
+- xmlFreeNs(ns);
+- xmlFreeDoc(doc);
+- return(-1);
++ xmlFreeDoc(doc);
++ xmlFreeNs(ns);
++ return(NULL);
+ }
+ catalog->nsDef = ns;
+ xmlAddChild((xmlNodePtr) doc, catalog);
+-
+ xmlDumpXMLCatalogNode(catal, catalog, doc, ns, NULL);
+
++ return(doc);
++}
++
++static int
++xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
++ int ret;
++ xmlDocPtr doc;
++ xmlOutputBufferPtr buf;
++
++ /*
++ * Rebuild a catalog
++ */
++ doc = xmlDumpXMLCatalogToDoc(catal);
++ if (doc == NULL) {
++ return(-1);
++ }
++
+ /*
+ * reserialize it
+ */
+@@ -3430,6 +3441,20 @@ xmlCatalogDump(FILE *out) {
+
+ xmlACatalogDump(xmlDefaultCatalog, out);
+ }
++
++/**
++ * Dump all the global catalog content as a xmlDoc
++ * This function is just for testing/debugging purposes
++ *
++ * @returns The catalog as xmlDoc or NULL if failed, it must be freed by the caller.
++ */
++xmlDocPtr
++xmlCatalogDumpDoc(void) {
++ if (!xmlCatalogInitialized)
++ xmlInitializeCatalog();
++
++ return xmlDumpXMLCatalogToDoc(xmlDefaultCatalog->xml);
++}
+ #endif /* LIBXML_OUTPUT_ENABLED */
+
+ /**
+diff --git a/include/libxml/catalog.h b/include/libxml/catalog.h
+index 88a7483c..e1bc5feb 100644
+--- a/include/libxml/catalog.h
++++ b/include/libxml/catalog.h
+@@ -119,6 +119,8 @@ XMLPUBFUN void XMLCALL
+ #ifdef LIBXML_OUTPUT_ENABLED
+ XMLPUBFUN void XMLCALL
+ xmlCatalogDump (FILE *out);
++XMLPUBFUN xmlDocPtr
++ xmlCatalogDumpDoc (void);
+ #endif /* LIBXML_OUTPUT_ENABLED */
+ XMLPUBFUN xmlChar * XMLCALL
+ xmlCatalogResolve (const xmlChar *pubID,
+diff --git a/test/catalogs/catalog-recursive.xml b/test/catalogs/catalog-recursive.xml
+new file mode 100644
+index 00000000..3b3d03f9
+--- /dev/null
++++ b/test/catalogs/catalog-recursive.xml
+@@ -0,0 +1,3 @@
++<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
++ <delegateURI uriStartString="/foo" catalog="catalog-recursive.xml"/>
++</catalog>
+diff --git a/test/catalogs/repeated-next-catalog.xml b/test/catalogs/repeated-next-catalog.xml
+new file mode 100644
+index 00000000..76d34c3c
+--- /dev/null
++++ b/test/catalogs/repeated-next-catalog.xml
+@@ -0,0 +1,10 @@
++<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
++ <nextCatalog catalog="registry.xml"/>
++ <nextCatalog catalog="registry.xml"/>
++ <nextCatalog catalog="./registry.xml"/>
++ <nextCatalog catalog="././registry.xml"/>
++ <nextCatalog catalog="./././registry.xml"/>
++ <nextCatalog catalog="./../catalogs/registry.xml"/>
++ <nextCatalog catalog="./../catalogs/./registry.xml"/>
++</catalog>
++
+diff --git a/testcatalog.c b/testcatalog.c
+new file mode 100644
+index 00000000..86d33bd0
+--- /dev/null
++++ b/testcatalog.c
+@@ -0,0 +1,96 @@
++/*
++ * testcatalog.c: C program to run libxml2 catalog.c unit tests
++ *
++ * To compile on Unixes:
++ * cc -o testcatalog `xml2-config --cflags` testcatalog.c `xml2-config --libs` -lpthread
++ *
++ * See Copyright for the status of this software.
++ *
++ * Author: Daniel Garcia <dani@danigm.net>
++ */
++
++
++#include "libxml.h"
++#include <stdio.h>
++
++#ifdef LIBXML_CATALOG_ENABLED
++#include <libxml/catalog.h>
++
++/* Test catalog resolve uri with recursive catalog */
++static int
++testRecursiveDelegateUri(void) {
++ int ret = 0;
++ const char *cat = "test/catalogs/catalog-recursive.xml";
++ const char *entity = "/foo.ent";
++ xmlChar *resolved = NULL;
++
++ xmlInitParser();
++ xmlLoadCatalog(cat);
++
++ /* This should trigger recursive error */
++ resolved = xmlCatalogResolveURI(BAD_CAST entity);
++ if (resolved != NULL) {
++ fprintf(stderr, "CATALOG-FAILURE: Catalog %s entity should fail to resolve\n", entity);
++ ret = 1;
++ }
++ xmlCatalogCleanup();
++
++ return ret;
++}
++
++/* Test parsing repeated NextCatalog */
++static int
++testRepeatedNextCatalog(void) {
++ int ret = 0;
++ int i = 0;
++ const char *cat = "test/catalogs/repeated-next-catalog.xml";
++ const char *entity = "/foo.ent";
++ xmlDocPtr doc = NULL;
++ xmlNodePtr node = NULL;
++
++ xmlInitParser();
++
++ xmlLoadCatalog(cat);
++ /* To force the complete recursive load */
++ xmlCatalogResolveURI(BAD_CAST entity);
++ /**
++ * Ensure that the doc doesn't contain the same nextCatalog
++ */
++ doc = xmlCatalogDumpDoc();
++ xmlCatalogCleanup();
++
++ if (doc == NULL) {
++ fprintf(stderr, "CATALOG-FAILURE: Failed to dump the catalog\n");
++ return 1;
++ }
++
++ /* Just the root "catalog" node with a series of nextCatalog */
++ node = xmlDocGetRootElement(doc);
++ node = node->children;
++ for (i=0; node != NULL; node=node->next, i++) {}
++ if (i > 1) {
++ fprintf(stderr, "CATALOG-FAILURE: Found %d nextCatalog entries and should be 1\n", i);
++ ret = 1;
++ }
++
++ xmlFreeDoc(doc);
++
++ return ret;
++}
++
++int
++main(void) {
++ int err = 0;
++
++ err |= testRecursiveDelegateUri();
++ err |= testRepeatedNextCatalog();
++
++ return err;
++}
++#else
++/* No catalog, so everything okay */
++int
++main(void) {
++ return 0;
++}
++#endif
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
new file mode 100644
index 00000000000..89f5fb1ac66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
@@ -0,0 +1,33 @@
+From deed3b7873dff30b7f87f7f33154c9932a772522 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <dani@danigm.net>
+Date: Sun, 18 Jan 2026 19:47:11 +0100
+Subject: [PATCH] catalog: Do not check value for duplication nextCatalog
+
+The value field stores the path as it appears in the catalog definition,
+the URL is built using xmlBuildURI that changes the relative paths to
+absolute.
+
+This change fixes the issue of using relative path to the same catalog
+in the same file.
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
+
+CVE: CVE-2026-0992
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ catalog.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/catalog.c b/catalog.c
+index eb889162..ba9ee7ae 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -1299,7 +1299,6 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+ while (prev != NULL) {
+ if ((prev->type == XML_CATA_NEXT_CATALOG) &&
+ (xmlStrEqual (prev->URL, entry->URL)) &&
+- (xmlStrEqual (prev->value, entry->value)) &&
+ (prev->prefer == entry->prefer) &&
+ (prev->group == entry->group)) {
+ if (xmlDebugCatalogs)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index bf3099c1f42..fa39116404b 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -45,7 +45,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2025-9714.patch \
file://CVE-2025-7425.patch \
file://CVE-2026-0990.patch \
- file://CVE-2026-0992.patch \
+ file://CVE-2026-0992-01.patch \
+ file://CVE-2026-0992-02.patch \
+ file://CVE-2026-0992-03.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 07/38] expat: patch CVE-2026-24515
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-02-24 14:23 ` [OE-core][kirkstone 06/38] libxml2: add follow-up patch for CVE-2026-0992 Yoann Congal
@ 2026-02-24 14:23 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 08/38] expat: patch CVE-2026-25210 Yoann Congal
` (30 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:23 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick fix commit from PR linked in NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../expat/expat/CVE-2026-24515.patch | 43 +++++++++++++++++++
meta/recipes-core/expat/expat_2.5.0.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-24515.patch b/meta/recipes-core/expat/expat/CVE-2026-24515.patch
new file mode 100644
index 00000000000..da11cf81cf1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-24515.patch
@@ -0,0 +1,43 @@
+From 86fc914a7acc49246d5fde0ab6ed97eb8a0f15f9 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 18 Jan 2026 17:53:37 +0100
+Subject: [PATCH] lib: Make XML_ExternalEntityParserCreate copy unknown
+ encoding handler user data
+
+Patch suggested by Artiphishell Inc.
+
+CVE: CVE-2026-24515
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/86fc914a7acc49246d5fde0ab6ed97eb8a0f15f9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/xmlparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 593cd90d..18577ee3 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1289,6 +1289,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ XML_ExternalEntityRefHandler oldExternalEntityRefHandler;
+ XML_SkippedEntityHandler oldSkippedEntityHandler;
+ XML_UnknownEncodingHandler oldUnknownEncodingHandler;
++ void *oldUnknownEncodingHandlerData;
+ XML_ElementDeclHandler oldElementDeclHandler;
+ XML_AttlistDeclHandler oldAttlistDeclHandler;
+ XML_EntityDeclHandler oldEntityDeclHandler;
+@@ -1333,6 +1334,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ oldExternalEntityRefHandler = parser->m_externalEntityRefHandler;
+ oldSkippedEntityHandler = parser->m_skippedEntityHandler;
+ oldUnknownEncodingHandler = parser->m_unknownEncodingHandler;
++ oldUnknownEncodingHandlerData = parser->m_unknownEncodingHandlerData;
+ oldElementDeclHandler = parser->m_elementDeclHandler;
+ oldAttlistDeclHandler = parser->m_attlistDeclHandler;
+ oldEntityDeclHandler = parser->m_entityDeclHandler;
+@@ -1391,6 +1393,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ parser->m_externalEntityRefHandler = oldExternalEntityRefHandler;
+ parser->m_skippedEntityHandler = oldSkippedEntityHandler;
+ parser->m_unknownEncodingHandler = oldUnknownEncodingHandler;
++ parser->m_unknownEncodingHandlerData = oldUnknownEncodingHandlerData;
+ parser->m_elementDeclHandler = oldElementDeclHandler;
+ parser->m_attlistDeclHandler = oldAttlistDeclHandler;
+ parser->m_entityDeclHandler = oldEntityDeclHandler;
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 33207ff0dab..ae661947c3a 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
file://CVE-2024-45492.patch \
file://CVE-2024-50602-01.patch \
file://CVE-2024-50602-02.patch \
+ file://CVE-2026-24515.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 08/38] expat: patch CVE-2026-25210
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-02-24 14:23 ` [OE-core][kirkstone 07/38] expat: patch CVE-2026-24515 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 09/38] openssl: upgrade 3.0.18 -> 3.0.19 Yoann Congal
` (29 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patches from [1].
[1] https://github.com/libexpat/libexpat/pull/1075
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../expat/expat/CVE-2026-25210-01.patch | 27 ++++++++++++++
.../expat/expat/CVE-2026-25210-02.patch | 37 +++++++++++++++++++
.../expat/expat/CVE-2026-25210-03.patch | 28 ++++++++++++++
meta/recipes-core/expat/expat_2.5.0.bb | 3 ++
4 files changed, 95 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
new file mode 100644
index 00000000000..cdd5f13338c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
@@ -0,0 +1,27 @@
+From 7ddea353ad3795f7222441274d4d9a155b523cba Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH] lib: Make a doubling more readable
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2026-25210
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7ddea353ad3795f7222441274d4d9a155b523cba]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 8cf29257..2f9adffc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2977,7 +2977,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ tag->name.strLen = convLen;
+ break;
+ }
+- bufSize = (int)(tag->bufEnd - tag->buf) << 1;
++ bufSize = (int)(tag->bufEnd - tag->buf) * 2;
+ {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+ if (temp == NULL)
diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
new file mode 100644
index 00000000000..d690a6e8fa7
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
@@ -0,0 +1,37 @@
+From 8855346359a475c022ec8c28484a76c852f144d9 Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH] lib: Realign a size with the `REALLOC` type signature it is
+ passed into
+
+Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should
+already be guaranteed true.
+
+CVE: CVE-2026-25210
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/xmlparse.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2f9adffc..ee18a87f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2966,7 +2966,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ const char *fromPtr = tag->rawName;
+ toPtr = (XML_Char *)tag->buf;
+ for (;;) {
+- int bufSize;
+ int convLen;
+ const enum XML_Convert_Result convert_res
+ = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr,
+@@ -2977,7 +2976,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ tag->name.strLen = convLen;
+ break;
+ }
+- bufSize = (int)(tag->bufEnd - tag->buf) * 2;
++ const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+ {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+ if (temp == NULL)
diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch
new file mode 100644
index 00000000000..d8b38874286
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch
@@ -0,0 +1,28 @@
+From 9c2d990389e6abe2e44527eeaa8b39f16fe859c7 Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH] lib: Introduce an integer overflow check for tag buffer
+ reallocation
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2026-25210
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/xmlparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ee18a87f..d8c54c38 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2976,6 +2976,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ tag->name.strLen = convLen;
+ break;
+ }
++ if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf))
++ return XML_ERROR_NO_MEMORY;
+ const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+ {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index ae661947c3a..c22dad2bbc1 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -31,6 +31,9 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
file://CVE-2024-50602-01.patch \
file://CVE-2024-50602-02.patch \
file://CVE-2026-24515.patch \
+ file://CVE-2026-25210-01.patch \
+ file://CVE-2026-25210-02.patch \
+ file://CVE-2026-25210-03.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 09/38] openssl: upgrade 3.0.18 -> 3.0.19
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 08/38] expat: patch CVE-2026-25210 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 10/38] inetutils: patch CVE-2026-24061 Yoann Congal
` (28 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
This release incorporates the following bug fixes and mitigations:
Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing. (CVE-2025-15467)
Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes. (CVE-2025-68160)
Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls. (CVE-2025-69418)
Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion. (CVE-2025-69419)
Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function. (CVE-2025-69420)
Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function. (CVE-2025-69421)
Fixed Missing ASN1_TYPE validation in PKCS#12 parsing. (CVE-2026-22795)
Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function. (CVE-2026-22796)
Changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.19/NEWS.md
Refreshed CVE-2023-50781 patches for openssl-3.0.19
Reference: https://openssl-library.org/news/secadv/20260127.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../openssl/openssl/CVE-2023-50781-1.patch | 46 ++++---
.../openssl/openssl/CVE-2023-50781-2.patch | 112 +++++++++---------
.../openssl/openssl/CVE-2023-50781-3.patch | 16 ++-
.../{openssl_3.0.18.bb => openssl_3.0.19.bb} | 2 +-
4 files changed, 85 insertions(+), 91 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_3.0.18.bb => openssl_3.0.19.bb} (99%)
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
index 234fe7b8aaa..a00f67027d1 100644
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
@@ -1,7 +1,7 @@
-From 24734088e1034392de981151dfe57e3a379ada18 Mon Sep 17 00:00:00 2001
+From 295485f5c4b3120b272b81f92356f6d24871c02e Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Tue, 15 Mar 2022 13:58:08 +0100
-Subject: [PATCH 1/3] rsa: add implicit rejection in PKCS#1 v1.5
+Subject: [PATCH] rsa: add implicit rejection in PKCS#1 v1.5
The RSA decryption as implemented before required very careful handling
of both the exit code returned by OpenSSL and the potentially returned
@@ -43,6 +43,7 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+
---
crypto/rsa/rsa_ossl.c | 95 +++++++-
crypto/rsa/rsa_pk1.c | 252 ++++++++++++++++++++++
@@ -56,7 +57,7 @@ Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
9 files changed, 393 insertions(+), 5 deletions(-)
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
-index 0fc642e777..330302ae55 100644
+index 6c32764..d658a3c 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -17,6 +17,9 @@
@@ -68,8 +69,8 @@ index 0fc642e777..330302ae55 100644
+#include <openssl/hmac.h>
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding);
+@@ -373,8 +376,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BIGNUM *f, *ret;
int j, num = 0, r = -1;
unsigned char *buf = NULL;
@@ -83,7 +84,7 @@ index 0fc642e777..330302ae55 100644
/*
* Used only if the blinding structure is shared. A non-NULL unblind
* instructs rsa_blinding_convert() and rsa_blinding_invert() to store
-@@ -408,6 +416,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -404,6 +412,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
@@ -95,7 +96,7 @@ index 0fc642e777..330302ae55 100644
/* make data into a big number */
if (BN_bin2bn(from, (int)flen, f) == NULL)
goto err;
-@@ -472,13 +485,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -464,13 +477,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
@@ -188,17 +189,17 @@ index 0fc642e777..330302ae55 100644
break;
case RSA_PKCS1_OAEP_PADDING:
r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
-@@ -501,6 +592,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -493,6 +584,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
#endif
- err:
+ err:
+ HMAC_CTX_free(hmac);
+ EVP_MD_free(md);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
-index 51507fc030..5cd2b26879 100644
+index bebb43a..3fe12b2 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -21,10 +21,14 @@
@@ -214,7 +215,7 @@ index 51507fc030..5cd2b26879 100644
+
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
+ const unsigned char *from, int flen)
{
@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
return constant_time_select_int(good, mlen, -1);
@@ -472,7 +473,7 @@ index 51507fc030..5cd2b26879 100644
* ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
* padding from a decrypted RSA message in a TLS signature. The result is stored
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
-index 2f6ef0021d..015265a74d 100644
+index 2f6ef00..015265a 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -273,6 +273,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a
@@ -488,7 +489,7 @@ index 2f6ef0021d..015265a74d 100644
For B<x931> if the digest type is set it is used to format the block data
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
-index 0a32fd965b..4c462abc8c 100644
+index 0a32fd9..4c462ab 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
@@ -504,7 +505,7 @@ index 0a32fd965b..4c462abc8c 100644
Hex dump the output data.
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-index 3075eaafd6..e788f38809 100644
+index 3075eaa..e788f38 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -386,6 +386,13 @@ this behaviour should be tolerated then
@@ -522,7 +523,7 @@ index 3075eaafd6..e788f38809 100644
EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA
diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
-index b6f9bad5f1..898535a7a2 100644
+index b6f9bad..898535a 100644
--- a/doc/man3/EVP_PKEY_decrypt.pod
+++ b/doc/man3/EVP_PKEY_decrypt.pod
@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a
@@ -545,7 +546,7 @@ index b6f9bad5f1..898535a7a2 100644
Decrypt data using OAEP (for RSA keys):
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
-index 9f7025c497..36ae18563f 100644
+index 9f7025c..36ae185 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.
@@ -570,7 +571,7 @@ index 9f7025c497..36ae18563f 100644
L<RSA_public_encrypt(3)>,
diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
-index 1d38073aea..bd3f835ac6 100644
+index 1d38073..bd3f835 100644
--- a/doc/man3/RSA_public_encrypt.pod
+++ b/doc/man3/RSA_public_encrypt.pod
@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.
@@ -599,20 +600,17 @@ index 1d38073aea..bd3f835ac6 100644
SSL, PKCS #1 v2.0
diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
-index 949873d0ee..f267e5d9d1 100644
+index 797dc1f..2f86e4c 100644
--- a/include/crypto/rsa.h
+++ b/include/crypto/rsa.h
@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg);
RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
- OSSL_LIB_CTX *libctx, const char *propq);
+ OSSL_LIB_CTX *libctx, const char *propq);
+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ int num, unsigned char *kdk);
int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to,
- size_t tlen,
- const unsigned char *from,
---
-2.34.1
-
+ size_t tlen,
+ const unsigned char *from,
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
index b336d9e8505..13ea3c717ab 100644
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
@@ -1,7 +1,7 @@
-From e92f0cd3b03e5aca948b03df7e3d02e536700f68 Mon Sep 17 00:00:00 2001
+From 584936eb09cef64eb0755c0ccb2661e7ba1aea58 Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Thu, 27 Oct 2022 19:16:58 +0200
-Subject: [PATCH 2/3] rsa: Add option to disable implicit rejection
+Subject: [PATCH] rsa: Add option to disable implicit rejection
CVE: CVE-2023-50781
@@ -14,6 +14,7 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+
---
crypto/cms/cms_env.c | 7 +++++
crypto/evp/ctrl_params_translate.c | 6 +++++
@@ -28,10 +29,10 @@ Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
10 files changed, 95 insertions(+), 8 deletions(-)
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
-index 445a16fb77..49b0289114 100644
+index 2326253..96e3315 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
-@@ -581,6 +581,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
+@@ -576,6 +576,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
if (!ossl_cms_env_asn1_ctrl(ri, 1))
goto err;
@@ -43,15 +44,15 @@ index 445a16fb77..49b0289114 100644
+ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
+
if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
- ktri->encryptedKey->data,
- ktri->encryptedKey->length) <= 0)
+ ktri->encryptedKey->data,
+ ktri->encryptedKey->length)
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
-index 44d0895bcf..db7325439a 100644
+index 14306a0..b481776 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
-@@ -2269,6 +2269,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
- EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
- OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
+@@ -2249,6 +2249,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
+ EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
+ OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
+ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
+ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL,
@@ -60,13 +61,13 @@ index 44d0895bcf..db7325439a 100644
+ NULL },
+
{ SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
- EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
- OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
+ EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
+ OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
-index 330302ae55..4bdacd5ed9 100644
+index d658a3c..5a0b160 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
-@@ -395,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -391,6 +391,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
@@ -79,7 +80,7 @@ index 330302ae55..4bdacd5ed9 100644
if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
goto err;
BN_CTX_start(ctx);
-@@ -489,7 +495,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -481,7 +487,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
* derive the Key Derivation Key from private exponent and public
* ciphertext
*/
@@ -88,7 +89,7 @@ index 330302ae55..4bdacd5ed9 100644
/*
* because we use d as a handle to rsa->d we need to keep it local and
* free before any further use of rsa->d
-@@ -565,11 +571,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+@@ -557,11 +563,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
switch (padding) {
@@ -105,7 +106,7 @@ index 330302ae55..4bdacd5ed9 100644
case RSA_PKCS1_OAEP_PADDING:
r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
-index 0bf5ac098a..81b031f81b 100644
+index 85cdfb4..7f3d810 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -52,6 +52,8 @@ typedef struct {
@@ -133,17 +134,17 @@ index 0bf5ac098a..81b031f81b 100644
if (sctx->oaep_label) {
OPENSSL_free(dctx->oaep_label);
dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
-@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
- const unsigned char *in, size_t inlen)
+@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+ const unsigned char *in, size_t inlen)
{
int ret;
+ int pad_mode;
RSA_PKEY_CTX *rctx = ctx->data;
/*
* Discard const. Its marked as const because this may be a cached copy of
-@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
- rctx->oaep_labellen,
- rctx->md, rctx->mgf1md);
+@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+ rctx->oaep_labellen,
+ rctx->md, rctx->mgf1md);
} else {
- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
+ if (rctx->pad_mode == RSA_PKCS1_PADDING &&
@@ -155,7 +156,7 @@ index 0bf5ac098a..81b031f81b 100644
}
*outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
-@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+@@ -587,6 +597,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
*(unsigned char **)p2 = rctx->oaep_label;
return rctx->oaep_labellen;
@@ -171,7 +172,7 @@ index 0bf5ac098a..81b031f81b 100644
case EVP_PKEY_CTRL_PKCS7_SIGN:
#ifndef OPENSSL_NO_CMS
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
-index 015265a74d..5e62551d34 100644
+index 015265a..5e62551 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -305,6 +305,16 @@ explicitly set in PSS mode then the signing digest is used.
@@ -192,7 +193,7 @@ index 015265a74d..5e62551d34 100644
=head1 RSA-PSS ALGORITHM
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-index e788f38809..3844aa2199 100644
+index e788f38..3844aa2 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -392,6 +392,8 @@ instead of padding errors in case padding checks fail. Applications that
@@ -205,7 +206,7 @@ index e788f38809..3844aa2199 100644
=head2 DSA parameters
diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
-index 0976a263a8..2a8426a6ed 100644
+index 0976a26..2a8426a 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -234,6 +234,15 @@ The TLS protocol version first requested by the client.
@@ -225,50 +226,50 @@ index 0976a263a8..2a8426a6ed 100644
OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
-index 6bed5a8a67..5a350b537f 100644
+index 02bebc6..9586a6d 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -292,6 +292,7 @@ extern "C" {
- #define OSSL_PKEY_PARAM_DIST_ID "distid"
- #define OSSL_PKEY_PARAM_PUB_KEY "pub"
- #define OSSL_PKEY_PARAM_PRIV_KEY "priv"
-+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection"
+ #define OSSL_PKEY_PARAM_DIST_ID "distid"
+ #define OSSL_PKEY_PARAM_PUB_KEY "pub"
+ #define OSSL_PKEY_PARAM_PRIV_KEY "priv"
++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection"
/* Diffie-Hellman/DSA Parameters */
- #define OSSL_PKEY_PARAM_FFC_P "p"
+ #define OSSL_PKEY_PARAM_FFC_P "p"
@@ -467,6 +468,7 @@ extern "C" {
- #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
-+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection"
+ #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection"
/*
* Encoder / decoder parameters
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
-index a55c9727c6..247f9014e3 100644
+index 36a780d..ceb05b2 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
- # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13)
+ #define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13)
-+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
++#define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
+
- # define RSA_PKCS1_PADDING 1
- # define RSA_NO_PADDING 3
- # define RSA_PKCS1_OAEP_PADDING 4
+ #define RSA_PKCS1_PADDING 1
+ #define RSA_NO_PADDING 3
+ #define RSA_PKCS1_OAEP_PADDING 4
@@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
- # define RSA_PKCS1_PSS_PADDING 6
- # define RSA_PKCS1_WITH_TLS_PADDING 7
+ #define RSA_PKCS1_PSS_PADDING 6
+ #define RSA_PKCS1_WITH_TLS_PADDING 7
+/* internal RSA_ only */
-+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
++#define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+
- # define RSA_PKCS1_PADDING_SIZE 11
+ #define RSA_PKCS1_PADDING_SIZE 11
- # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
+ #define RSA_set_app_data(s, arg) RSA_set_ex_data(s, 0, arg)
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index c8921acd6e..11a91e62b1 100644
+index 799357f3..1e74150 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -75,6 +75,8 @@ typedef struct {
@@ -288,7 +289,7 @@ index c8921acd6e..11a91e62b1 100644
switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
case RSA_FLAG_TYPE_RSA:
-@@ -199,6 +202,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+@@ -203,6 +206,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@@ -296,12 +297,12 @@ index c8921acd6e..11a91e62b1 100644
size_t len = RSA_size(prsactx->rsa);
if (!ossl_prov_is_running())
-@@ -276,8 +280,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+@@ -280,8 +284,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
OPENSSL_free(tbuf);
} else {
- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
-- prsactx->pad_mode);
+- prsactx->pad_mode);
+ if ((prsactx->implicit_rejection == 0) &&
+ (prsactx->pad_mode == RSA_PKCS1_PADDING))
+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
@@ -311,7 +312,7 @@ index c8921acd6e..11a91e62b1 100644
}
*outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
-@@ -401,6 +409,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+@@ -403,6 +411,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
return 0;
@@ -322,8 +323,8 @@ index c8921acd6e..11a91e62b1 100644
return 1;
}
-@@ -412,6 +424,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
- NULL, 0),
+@@ -414,6 +426,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ NULL, 0),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
@@ -353,6 +354,3 @@ index c8921acd6e..11a91e62b1 100644
OSSL_PARAM_END
};
---
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
index 0a1f63f30a0..324e41ed2fb 100644
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
@@ -1,7 +1,7 @@
-From ba78f7b0599ba5bfb5032dd2664465c5b13388e3 Mon Sep 17 00:00:00 2001
+From 156a6ca5791f9c642a77270a90d5dbd0a3a7a33d Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Tue, 22 Nov 2022 18:25:49 +0100
-Subject: [PATCH 3/3] smime/pkcs7: disable the Bleichenbacher workaround
+Subject: [PATCH] smime/pkcs7: disable the Bleichenbacher workaround
CVE: CVE-2023-50781
@@ -14,15 +14,16 @@ Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+
---
crypto/pkcs7/pk7_doit.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
-index e9de097da1..6d3124da87 100644
+index a38e8a3..d751f5e 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
-@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
+@@ -168,6 +168,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
if (EVP_PKEY_decrypt_init(pctx) <= 0)
goto err;
@@ -34,8 +35,5 @@ index e9de097da1..6d3124da87 100644
+ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
+
if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
- ri->enc_key->data, ri->enc_key->length) <= 0)
- goto err;
---
-2.34.1
-
+ ri->enc_key->data, ri->enc_key->length)
+ <= 0)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.18.bb b/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.18.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.19.bb
index a8dd3383271..293b450cd05 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
@@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"
+SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 10/38] inetutils: patch CVE-2026-24061
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 09/38] openssl: upgrade 3.0.18 -> 3.0.19 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 11/38] scripts/install-buildtools: Update to 4.0.32 Yoann Congal
` (27 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patches per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2026-24061
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../inetutils/CVE-2026-24061-01.patch | 38 +++++++++
.../inetutils/CVE-2026-24061-02.patch | 82 +++++++++++++++++++
.../inetutils/inetutils_2.2.bb | 2 +
3 files changed, 122 insertions(+)
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
new file mode 100644
index 00000000000..0af666cb1a9
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
@@ -0,0 +1,38 @@
+From fd702c02497b2f398e739e3119bed0b23dd7aa7b Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Tue, 20 Jan 2026 01:10:36 -0800
+Subject: [PATCH] Fix injection bug with bogus user names
+
+Problem reported by Kyu Neushwaistein.
+* telnetd/utility.c (_var_short_name):
+Ignore user names that start with '-' or contain shell metacharacters.
+
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+
+CVE: CVE-2026-24061
+Upstream-Status: Backport [https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ telnetd/utility.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b486226e..c02cd0e6 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1737,7 +1737,14 @@ _var_short_name (struct line_expander *exp)
+ return user_name ? xstrdup (user_name) : NULL;
+
+ case 'U':
+- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
++ {
++ /* Ignore user names starting with '-' or containing shell
++ metachars, as they can cause trouble. */
++ char const *u = getenv ("USER");
++ return xstrdup ((u && *u != '-'
++ && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++ ? u : "");
++ }
+
+ default:
+ exp->state = EXP_STATE_ERROR;
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
new file mode 100644
index 00000000000..5a012eb2958
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
@@ -0,0 +1,82 @@
+From ccba9f748aa8d50a38d7748e2e60362edd6a32cc Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Tue, 20 Jan 2026 14:02:39 +0100
+Subject: [PATCH] telnetd: Sanitize all variable expansions
+
+* telnetd/utility.c (sanitize): New function.
+(_var_short_name): Use it for all variables.
+
+CVE: CVE-2026-24061
+Upstream-Status: Backport [https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ telnetd/utility.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index c02cd0e6..b21ad961 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1688,6 +1688,17 @@ static void _expand_cond (struct line_expander *exp);
+ static void _skip_block (struct line_expander *exp);
+ static void _expand_block (struct line_expander *exp);
+
++static char *
++sanitize (const char *u)
++{
++ /* Ignore values starting with '-' or containing shell metachars, as
++ they can cause trouble. */
++ if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++ return u;
++ else
++ return "";
++}
++
+ /* Expand a variable referenced by its short one-symbol name.
+ Input: exp->cp points to the variable name.
+ FIXME: not implemented */
+@@ -1714,13 +1725,13 @@ _var_short_name (struct line_expander *exp)
+ return xstrdup (timebuf);
+
+ case 'h':
+- return xstrdup (remote_hostname);
++ return xstrdup (sanitize (remote_hostname));
+
+ case 'l':
+- return xstrdup (local_hostname);
++ return xstrdup (sanitize (local_hostname));
+
+ case 'L':
+- return xstrdup (line);
++ return xstrdup (sanitize (line));
+
+ case 't':
+ q = strchr (line + 1, '/');
+@@ -1728,23 +1739,16 @@ _var_short_name (struct line_expander *exp)
+ q++;
+ else
+ q = line;
+- return xstrdup (q);
++ return xstrdup (sanitize (q));
+
+ case 'T':
+- return terminaltype ? xstrdup (terminaltype) : NULL;
++ return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL;
+
+ case 'u':
+- return user_name ? xstrdup (user_name) : NULL;
++ return user_name ? xstrdup (sanitize (user_name)) : NULL;
+
+ case 'U':
+- {
+- /* Ignore user names starting with '-' or containing shell
+- metachars, as they can cause trouble. */
+- char const *u = getenv ("USER");
+- return xstrdup ((u && *u != '-'
+- && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
+- ? u : "");
+- }
++ return xstrdup (sanitize (getenv ("USER")));
+
+ default:
+ exp->state = EXP_STATE_ERROR;
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb b/meta/recipes-connectivity/inetutils/inetutils_2.2.bb
index 6f9173dbc11..9f4e1a82e1b 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.2.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
file://CVE-2022-39028.patch \
file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
+ file://CVE-2026-24061-01.patch \
+ file://CVE-2026-24061-02.patch \
"
inherit autotools gettext update-alternatives texinfo
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 11/38] scripts/install-buildtools: Update to 4.0.32
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (9 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 10/38] inetutils: patch CVE-2026-24061 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 12/38] linux-yocto/5.15: update to v5.15.195 Yoann Congal
` (26 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Aleksandar Nikolic <aleksandar.nikolic010@gmail.com>
Update to the 4.0.32 release of the 4.0 series for buildtools
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic22@pm.me>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 2c9f3f25c65..c105dfe4623 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-4.0.31'
-DEFAULT_INSTALLER_VERSION = '4.0.31'
+DEFAULT_RELEASE = 'yocto-4.0.32'
+DEFAULT_INSTALLER_VERSION = '4.0.32'
DEFAULT_BUILDDATE = '202110XX'
# Python version sanity check
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 12/38] linux-yocto/5.15: update to v5.15.195
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (10 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 11/38] scripts/install-buildtools: Update to 4.0.32 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 13/38] linux-yocto/5.15: update to v5.15.196 Yoann Congal
` (25 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:
ac56c046adf41 Linux 5.15.195
636e7d6bdf205 selftests: mptcp: join: validate C-flag + def limit
4b9b376856a95 mptcp: pm: in-kernel: usable client side with C-flag
946771c2a2b11 mm/slab: make __free(kfree) accept error pointers
81d0664bed91a media: pci: ivtv: Add check for DMA map result
71285c029dcc4 xen/events: Update virq_to_irq on migration
9c1df18612fbb media: pci: ivtv: Add missing check after DMA map
66c8a83bf1de2 media: pci/ivtv: switch from 'pci_' to 'dma_' API
55a954a54ffc8 arm64: mte: Do not flag the zero page as PG_mte_tagged
26ea9b6a93a54 media: cx18: Add missing check after DMA map
cb044864188cc media: switch from 'pci_' to 'dma_' API
9339cf38762ce writeback: Avoid excessively long inode switching times
6483eabc195dc writeback: Avoid softlockup when switching many inodes
9b902f370b93e cramfs: Verify inode mode when loading from disk
5c64e8be2a7ef fs: Add 'initramfs_options' to set initramfs mount options
c3b654021931d pid: Add a judgment for ns null in pid_nr_ns
1d144b4cdde08 minixfs: Verify inode mode when loading from disk
3fb4c19233a0e minmax.h: remove some #defines that are only expanded once
092036da9b6d5 minmax.h: simplify the variants of clamp()
64394017d091a minmax.h: move all the clamp() definitions after the min/max() ones
4942fcc84a1ee minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()
5011c410f9670 minmax.h: reduce the #define expansion of min(), max() and clamp()
b7ae5d8baa5ca minmax.h: update some comments
2524736951b23 minmax.h: add whitespace around operators and after commas
82b39b1090b0e minmax: fix up min3() and max3() too
b1094b4b54b0f minmax: improve macro expansion and type checking
3854a23090858 minmax: simplify min()/max()/clamp() implementation
89f6bf22d039a minmax: don't use max() in situations that want a C constant expression
e035ca130ff7f minmax: make generic MIN() and MAX() macros available everywhere
4b5dda7f8b02a minmax: simplify and clarify min_t()/max_t() implementation
3d1169785a9c1 minmax: add a few more MIN_T/MAX_T users
e73a9333cdaee minmax: avoid overly complicated constant expressions in VM code
9ed1e4221cb67 minmax: fix indentation of __cmp_once() and __clamp_once()
d16b73f6c5939 minmax: deduplicate __unconst_integer_typeof()
e3774f3281ed1 minmax: Introduce {min,max}_array()
9c88de0e0c1e5 arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
d238fee82dd83 btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
f2bd5493ef501 fscontext: do not consume log entries when returning -EMSGSIZE
f550466949e82 locking: Introduce __cleanup() based infrastructure
a0e54bd8d7ea7 dm: fix NULL pointer dereference in __dm_suspend()
95dd33361061f tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
41acc922c7811 ksmbd: fix error code overwriting in smb2_get_info_filesystem()
71a0ba7fdaf8d net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
32097a08ab5de mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag
21d79eac5f953 mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type
715f4914fdd3e mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value
5d327391f9faf media: mc: Clear minor number before put device
fbfc745db628d Squashfs: reject negative file sizes in squashfs_read_inode()
2ec88c3d9f8fe Squashfs: add additional inode sanity checking
49f3a867d948c ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()
44cee8ef325c0 ASoC: codecs: wcd934x: Simplify with dev_err_probe
e0ce3ed1048a4 KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
6836714a08756 lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older
a4e7273a45e85 ext4: free orphan info with kvfree
505e69f76ac49 ext4: guard against EA inode refcount underflow in xattr update
b975b3607605f ext4: correctly handle queries for metadata mappings
32702f1ce389f ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()
95a21611b14ae ext4: verify orphan file size is not too big
550e0bccec100 nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
8c5b1200596ce NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
735457683e235 mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
fff24a9c116d2 x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
46a986888a149 x86/umip: Check that the instruction opcode is at least two bytes
eaa16de419692 spi: cadence-quadspi: Flush posted register writes before DAC access
5a6c760bc332f spi: cadence-quadspi: Flush posted register writes before INDAC access
f104a67b28053 PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
870457e7b7229 PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
5533169bb2539 PCI/AER: Support errors introduced by PCIe r6.0
09adece72b8c8 PCI/AER: Fix missing uevent on recovery when a reset is requested
1f06b4864177b PCI/ERR: Fix uevent on failure to recover
a645ca21de09e PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
690f307a81954 PCI/sysfs: Ensure devices are powered for config reads
b167bfa432e3c rseq/selftests: Use weak symbol reference, not definition, to link with glibc
aaaa92ab55f13 rtc: interface: Fix long-standing race when setting alarm
fa1bdbefe1f46 rtc: interface: Ensure alarm irq is enabled when UIE is enabled
c19b29291f21c memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
e5caecea44a7a mmc: core: SPI mode remove cmd7
e614975f9b5df mtd: rawnand: fsmc: Default to autodetect buswidth
971009a25fb8b sparc: fix error handling in scan_one_device()
365282fc60155 sparc64: fix hugetlb for sun4u
1cd60e0d0fb8f sctp: Fix MAC comparison to be constant-time
d906e61d4d81b scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
9ee5eb3d09217 pwm: berlin: Fix wrong register in suspend/resume
40c86afc81b51 powerpc/pseries/msi: Fix potential underflow and leak issue
7bb05500a3ad3 powerpc/powernv/pci: Fix underflow and leak issue
aa18f55365e93 nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
6195d15fe4888 parisc: don't reference obsolete termio struct for TC* constants
ef84ddf89dab4 openat2: don't trigger automounts with RESOLVE_NO_XDEV
c2b88b66bc359 lib/genalloc: fix device leak in of_gen_pool_get()
4ce6902cc67d7 KEYS: trusted_tpm1: Compare HMAC values in constant time
e94c99c026179 iommu/vt-d: PRS isn't usable if PDS isn't supported
d202d1ac609bc iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume
3ed42a6686f4f init: handle bootloader identifier in kernel parameters
06d81ce319242 iio: frequency: adf4350: Fix prescaler usage.
0016356ebd6a3 iio: dac: ad5421: use int type to store negative error codes
c71fd8dcb7ae6 iio: dac: ad5360: use int type to store negative error codes
8df273ef0f5ad fs/ntfs3: Fix a resource leak bug in wnd_extend()
459d819648fe6 crypto: atmel - Fix dma_unmap_sg() direction
ad4e8f9bdbef1 cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
83b594504d64f copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64)
816bb8b4e5c46 bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
d3a9a8e1275eb btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
184b0aab791a5 drm/nouveau: fix bad ret code in nouveau_bo_move_prep
a812fc67d8855 media: i2c: mt9v111: fix incorrect type for ret
e57d98c02ec84 firmware: meson_sm: fix device leak at probe
0c2ac5a03a209 xen/manage: Fix suspend error path
6f8e37bff9119 xen/events: Cleanup find_virq() return codes
846f911295b2a ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init
267801317911b arm64: dts: qcom: msm8916: Add missing MDSS reset
3a0f197dd8e5f ACPI: debug: fix signedness issues in read/write helpers
85580cbac5d4b ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
e28616ca3d67e bpf: Avoid RCU context warning when unpinning htab with internal structs
28112b3d86b15 gpio: wcd934x: mark the GPIO controller as sleeping
512aa949666ef gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells
33e49de5dc09b tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
df58651968f82 crypto: essiv - Check ssize for decryption and in-place encryption
4331a0ba2d15c bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()
fa391f17a819f drm/amd/display: Properly disable scaling on DCE6
cc857ceb2b3b4 drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
736153f3c4933 drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
32ee65934d6b7 drm/amdgpu: Add additional DCE6 SCL registers
057764172fcc6 bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
b2986d63303d3 mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
e3602ddfcc2f9 mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
325425b0d066f tools build: Align warning options with perf
b1d073728ef60 net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
eb85ad5f23268 tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
dbceedc0213e7 net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
4c918f9d1cccc drm/vmwgfx: Fix Use-after-free in validation
fb5df8006adde drm/vmwgfx: Copy DRM hash-table code into driver
4139b1e435e3f s390/cio: unregister the subchannel while purging
2dbf27f672c03 net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
6ba7e73cafd15 scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
c1f8a7e6efe58 scsi: mvsas: Use sas_task_find_rq() for tagging
77798c6e94fd2 scsi: mvsas: Delete mvs_tag_init()
43c3e8ce2f5f0 scsi: libsas: Add sas_task_find_rq()
9ecd496233772 cpufreq: tegra186: Set target frequency for all cpus in policy
bb78ef6dc7470 clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
7d9eee92ed67a clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
b7e5c59f3b097 perf test: Don't leak workload gopipe in PERF_RECORD_*
24e296d087f7d perf session: Fix handling when buffer exceeds 2 GiB
3e97394445a0f rtc: x1205: Fix Xicor X1205 vendor prefix
8dac32c17b01c perf util: Fix compression checks returning -1 as bool
250cd976bbda0 clk: at91: peripheral: fix return value
fcb3b7c30486d libperf event: Ensure tracing data is multiple of 8 sized
1450bbb0ccd7f perf evsel: Avoid container_of on a NULL leader
2977f02ee25a1 iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
86e23d78ec177 clocksource/drivers/clps711x: Fix resource leaks in error paths
ed43bf13a6ac8 fs: always return zero on success from replace_fd()
70322caf9f193 usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
8a4dd74fe413d bus: fsl-mc: Check return value of platform_get_resource()
d77ef2f621cd1 pinctrl: check the return value of pinmux_ops::get_function_name()
e63aade22a33e Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
9eed157e5e27f Input: atmel_mxt_ts - allow reset GPIO to sleep
972cbba5cd384 nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
547e123e9d342 mm: hugetlb: avoid soft lockup when mprotect to large memory area
26b1bfbd84172 ext4: fix checks for orphan inodes
3901ae3c75a11 mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
8fcc7315a10a8 net: nfc: nci: Add parameter validation for packet data
1d1847812a1a5 fs: udf: fix OOB read in lengthAllocDescs handling
a44f61f878f32 uio_hv_generic: Let userspace take care of interrupt mask
61d38b5ce2782 Squashfs: fix uninit-value in squashfs_get_parent
21c58835634df Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set"
5aa9b88560281 net: dlink: handle copy_thresh allocation failure
7973555560eb0 net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable
3fa52104e4797 nfp: fix RSS hash key size when RSS is not supported
0eddc0e5aebcc drivers/base/node: fix double free in register_one_node()
827c8efa0d1af ocfs2: fix double free in user_cluster_connect()
d76b099011fa0 hwrng: ks-sa - fix division by zero in ks_sa_rng_init
eb682b765533d Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO
54f8ef1a970a8 net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
5c06bc0b44ed8 RDMA/siw: Always report immediate post SQ errors
8f67d2506f0ca usb: vhci-hcd: Prevent suspending virtually attached devices
a89253eb4e648 scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
1d79471414d7b ipvs: Defer ip_vs_ftp unregister during netns cleanup
eb5da8e9db25a NFSv4.1: fix backchannel max_resp_sz verification check
cef047e0a55cb coresight: trbe: Return NULL pointer for allocation failures
0e9ec3bab4622 remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice
58ce0b1bc2711 sparc: fix accurate exception reporting in copy_{from,to}_user for M7
b43c208c40179 sparc: fix accurate exception reporting in copy_to_user for Niagara 4
37547d8e6eba8 sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
1857cdca12c4a sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
59424dc0d0e04 sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
4acb786042da4 wifi: ath10k: avoid unnecessary wait for service ready message
c6d3da43b8540 Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram
c15829a1fb0b0 IB/sa: Fix sa_local_svc_timeout_ms read race
d77fb0bdce411 RDMA/core: Resolve MAC of next-hop device without ARP support
77edaeb4dde29 Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running"
523d184a495be scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()
ce75dfd1748e7 scsi: qla2xxx: edif: Fix incorrect sign of error code
54ded576045ef ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message
248776651cef4 wifi: mt76: fix potential memory leak in mt76_wmac_probe()
795c8dbc82827 RDMA/cm: Rate limit destroy CM ID timeout error message
1bdb3bc5bfd33 drivers/base/node: handle error properly in register_one_node()
eeeaa4b5a5f52 watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog
6a9c2fcf6de54 netfilter: ipset: Remove unused htable_bits in macro ahash_region
581ba44117ed7 iio: consumers: Fix offset handling in iio_convert_raw_to_processed()
f6b36cfd25cba fs: ntfs3: Fix integer overflow in run_unpack()
95e29db33b5f7 ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
dea9c8c9028c9 ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
fbd79072f1cab ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping
125527db41805 pps: fix warning in pps_register_cdev when register device fail
f77e91b4283b5 misc: genwqe: Fix incorrect cmd field being reported in error
c2024c8abd742 usb: gadget: configfs: Correctly set use_os_string at bind
fe9fdc066c8cf usb: phy: twl6030: Fix incorrect type for ret
650368aacbc78 drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()
82448110ee625 tcp: fix __tcp_close() to only send RST when required
14ebe743b9647 PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation
94aa9bf2ddfcb wifi: mwifiex: send world regulatory domain to driver
8b3589d7a763a drm/amdgpu: Power up UVD 3 for FW validation (v2)
e00d07d780b3d ALSA: lx_core: use int type to store negative error codes
39d0e7fd73efb media: rj54n1cb0c: Fix memleak in rj54n1_probe()
916c7891b59b9 scsi: myrs: Fix dma_alloc_coherent() error check
eef5ef400893f scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
e0e0ce06f3571 usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
2cd9c97ad5529 drm/radeon/r600_cs: clean up of dead code in r600_cs
666da97c49c2d i2c: designware: Add disabling clocks when probe fails
90fb83f7863b6 i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD
31660d4d93057 thermal/drivers/qcom/lmh: Add missing IRQ includes
32240232b2a3b thermal/drivers/qcom: Make LMH select QCOM_SCM
ae7b1443f4746 tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers
0b515a2839980 smp: Fix up and expand the smp_call_function_many() kerneldoc
6d8b1a21fd5c3 bpf: Explicitly check accesses to bpf_sock_addr
e822f368f758a selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported
7ac8f7a186451 i3c: master: svc: Recycle unused IBI slot
11269c08013f4 nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
ebf97395b0a0b pwm: tiehrpwm: Fix corner case in clock divisor calculation
cc2b2a8c18a96 arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible
3c8ceb2d4dbdb firmware: firmware: meson-sm: fix compile-test default
5cfaadc902249 pinctrl: renesas: Use int type to store negative error codes
45052d922054c PM: sleep: core: Clear power.must_resume in noirq suspend error path
22863772e94fd block: use int to store blk_stack_limits() return value
a04120b2d187b regulator: scmi: Use int type to store negative error codes
2927ef93169a0 ARM: at91: pm: fix MCKx restore routine
4b97e99b87a77 blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
29db98243205b pinctrl: meson-gxl: add missing i2c_d pinmux
8b063076fa7e1 soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS
1955c776a6077 ACPI: processor: idle: Fix memory leak when register cpuidle device failed
ce780f740cf44 cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()
3a502b0eefcfc libbpf: Fix reuse of DEVMAP
c6552fac71990 regmap: Remove superfluous check for !config in __regmap_init()
64f14b1ab6f39 x86/vdso: Fix output operand size of RDPID
5d01f2b815682 perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
90ea4c0484ebb coresight: trbe: Prevent overflow in PERF_IDX2OFF()
0ddd59d58b597 selftests: arm64: Check fread return value in exec_target
cf038b6bb9ed5 filelock: add FL_RECLAIM to show_fl_flags() macro
c1db864270eb7 net/9p: fix double req put in p9_fd_cancelled
3fe58fa612052 minmax: add in_range() macro
bd903c25b652c crypto: rng - Ensure set_ent is always present
46263a0b687a0 platform/x86: int3472: Check for adev == NULL
823671bb8b05d driver core/PM: Set power.no_callbacks along with power.no_pm
53dab62cda6e7 staging: axis-fifo: flush RX FIFO on read errors
82e0bb28a060c staging: axis-fifo: fix maximum TX packet length check
e18cfcb828ed2 serial: stm32: allow selecting console when the driver is module
48685b39f2fed hid: fix I2C read buffer overflow in raw_event() for mcp2221
c094712e40488 perf subcmd: avoid crash in exclude_cmds when excludes is empty
0eb762f420b25 dm-integrity: limit MAX_TAG_SIZE to 255
8ed134c2520d7 wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188
6c7c5b465a7b8 USB: serial: option: add SIMCom 8230C compositions
663faf1179db9 media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
3f876cd47ed8b media: tuner: xc5000: Fix use-after-free in xc5000_release
3fdeb807b93d0 media: tunner: xc5000: Refactor firmware load
c3ad8c30b6b10 udp: Fix memory accounting leak.
20fc1431bcdf4 KVM: arm64: Fix softirq masking in FPSIMD register saving sequence
71c52b073922d media: rc: fix races with imon_disconnect()
120e221b4bbe9 media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
ddc79fba132b8 scsi: target: target_core_configfs: Add length check to avoid buffer overflow
9407809b44dc6 iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index a79d3b1511d..7d55e175146 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "259f7f9d0bd0df2c3e497395568a655c5745b5ac"
-SRCREV_meta ?= "578937826ffad97749eba3a5d1b21b37b5cd7bdc"
+SRCREV_machine ?= "f54e8af7284d39e9129452ac12c6a78511333335"
+SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.194"
+LINUX_VERSION ?= "5.15.195"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index e2e56ec010f..896b512dac1 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.194"
+LINUX_VERSION ?= "5.15.195"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "57960f78280a75ea48270a3984ac01bd06078b88"
-SRCREV_meta ?= "578937826ffad97749eba3a5d1b21b37b5cd7bdc"
+SRCREV_machine ?= "9ce0ec0c426ae703dbce0bbc4d56b919bea21e10"
+SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index bbdf94746d3..b2adfd3544d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,24 +14,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "7b19f872b07703f73c494baa81cd7e984db01336"
-SRCREV_machine:qemuarm64 ?= "431a37a229ce5be7b6ba116dc7bd282be4a745fa"
-SRCREV_machine:qemumips ?= "9404d4015b457e7324d5675d3e14f46d84cd8c40"
-SRCREV_machine:qemuppc ?= "bfd132d4b358cdb5260fccc71eb1e5a09daae033"
-SRCREV_machine:qemuriscv64 ?= "5df8e23ccadd62ab9945320b6b4327b082870c61"
-SRCREV_machine:qemuriscv32 ?= "5df8e23ccadd62ab9945320b6b4327b082870c61"
-SRCREV_machine:qemux86 ?= "5df8e23ccadd62ab9945320b6b4327b082870c61"
-SRCREV_machine:qemux86-64 ?= "5df8e23ccadd62ab9945320b6b4327b082870c61"
-SRCREV_machine:qemumips64 ?= "ed52c5eccf0cc2b0da2dd7d13d012c50db78a62a"
-SRCREV_machine ?= "5df8e23ccadd62ab9945320b6b4327b082870c61"
-SRCREV_meta ?= "578937826ffad97749eba3a5d1b21b37b5cd7bdc"
+SRCREV_machine:qemuarm ?= "5200e910cb4a700023e548693aacdd166b008f8b"
+SRCREV_machine:qemuarm64 ?= "2a69501b11075d6c4e6cab2e05fc04f61a8991cd"
+SRCREV_machine:qemumips ?= "6e318293304f232aa650d41bbc6ae7ad40c03fa5"
+SRCREV_machine:qemuppc ?= "c861e5a8012080cc03be9725dd996e0d68f4e93b"
+SRCREV_machine:qemuriscv64 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
+SRCREV_machine:qemuriscv32 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
+SRCREV_machine:qemux86 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
+SRCREV_machine:qemux86-64 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
+SRCREV_machine:qemumips64 ?= "d3a7bcb9d74f245de665994e3c9d8a35e42351de"
+SRCREV_machine ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
+SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "29e53a5b1c4f144301ee36a907e8b03d7733f0b0"
+SRCREV_machine:class-devupstream ?= "ac56c046adf41fdb64ddda46fd66090f21dc381a"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.194"
+LINUX_VERSION ?= "5.15.195"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 13/38] linux-yocto/5.15: update to v5.15.196
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (11 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 12/38] linux-yocto/5.15: update to v5.15.195 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 14/38] linux-yocto/5.15: update to v5.15.197 Yoann Congal
` (24 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:
cc5ec87693063 Linux 5.15.196
59c78e8fddc1f PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()
83a563fab563f net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg
c5d116862dd3e usb: gadget: f_acm: Refactor bind path to use __free()
185193a4714aa usb: gadget: f_ncm: Refactor bind path to use __free()
d44e82f46cd0e usb: gadget: Introduce free_usb_request helper
97fc7aa654e30 usb: gadget: Store endpoint pointer in usb_request
02fbea0864fd4 arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
9b82da54a0305 xfs: always warn about deprecated mount options
b57a3760d12bd devcoredump: Fix circular locking dependency with devcd->mutex.
11300f645870a PCI: tegra194: Reset BARs when running in PCIe endpoint mode
61d6249ea441b PCI: rcar-host: Drop PMSR spinlock
9e14fb714ebf5 PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()
97ab6a90c72d9 PCI: tegra194: Handle errors in BPMP response
13981b0555ab4 f2fs: fix wrong block mapping for multi-devices
ba88a53d7f5df NFSD: Define a proc_layoutcommit for the FlexFiles layout type
8004d4b8cbf1b vfs: Don't leak disconnected dentries on umount
0157c469edac2 drm/amdgpu: use atomic functions with memory barriers for vm fault info
c6fa15fa94016 PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
0e143e87264db wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
ddcfc52965c19 PCI: j721e: Fix programming sequence of "strap" settings
2ddb51e228192 PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl" exists
cfd1aa3e2b71f fuse: fix livelock in synchronous file put from fuseblk workers
a39f70d63f437 fuse: allocate ff->release_args only if release is needed
6012804a77860 padata: Reset next CPU when reorder sequence wraps around
38d702a06487c iio: imu: inv_icm42600: Simplify pm_runtime setup
be16df3c3c5dd PM: runtime: Add new devm functions
0f9f51390c866 iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended
f35ab1ba853ab iio: imu: inv_icm42600: use = { } instead of memset()
8e69c8f3ae1c5 NFSD: Fix last write offset handling in layoutcommit
0570c78e6c707 NFSD: Minor cleanup in layoutcommit processing
68d615f4b00ab NFSD: Rework encoding and decoding of nfsd4_deviceid
2dc2bc27578c3 xfs: fix log CRC mismatches between i386 and other architectures
71f9402044636 xfs: rename the old_crc variable in xlog_recover_process
6e7f06895db6e s390/cio: Update purge function to unregister the unused subchannels
dc9f91f849860 arm64: errata: Apply workarounds for Neoverse-V3AE
a6ef05314d5a8 arm64: cputype: Add Neoverse-V3AE definitions
1bff561ebe700 serial: 8250_exar: add support for Advantech 2 port card with Device ID 0x0018
ad2be44882716 most: usb: hdm_probe: Fix calling put_device() before device initialization
578eb18cd111a most: usb: Fix use-after-free in hdm_disconnect
cee4ab233f895 mei: me: add wildcat lake P DID
2670932f24657 comedi: fix divide-by-zero in comedi_buf_munge()
97a71d277e759 binder: remove "invalid inc weak" check
55c7290b1a2af xhci: dbc: enable back DbC in resume if it was enabled before suspend
6d0edbdb0bf72 usb: raw-gadget: do not limit transfer length
f9bfb3fc7ffa3 usb/core/quirks: Add Huawei ME906S to wakeup quirk
1a5afa2b586ee USB: serial: option: add Telit FN920C04 ECM compositions
443bc87ec125a USB: serial: option: add Quectel RG255C
57bb21f4e7b1d USB: serial: option: add UNISOC UIS7720
2c651b835b9f6 net: ravb: Ensure memory write completes before ringing TX doorbell
a63ab2c3c48a2 net: usb: rtl8150: Fix frame padding
09bba278ccde2 vsock: fix lock inversion in vsock_assign_transport()
93b1ab422f196 ocfs2: clear extent cache after moving/defragmenting extents
f2ef52fbdc5f0 MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering
5666bcc3c00f7 Revert "cpuidle: menu: Avoid discarding useful information"
f49962e51a428 net: bonding: fix possible peer notify event loss or dup issue
03e80a4b04ef1 sctp: avoid NULL dereference when chunk data buffer is missing
8a2375b0e9b89 arm64, mm: avoid always making PTE dirty in pte_mkwrite()
c42dbdcde7220 dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path
00daafde87d2e net: enetc: correct the value of ENETC_RXB_TRUESIZE
e7a8c57671a1f rtnetlink: Allow deleting FDB entries in user namespace
bde6afe89ac15 net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
7cd416cc0220c net: add ndo_fdb_del_bulk
31017cda9928e net: rtnetlink: add bulk delete support flag
a36130f7921c9 net: netlink: add NLM_F_BULK delete request modifier
40ffa6a8c1907 net: rtnetlink: use BIT for flag values
fc69b00561e49 net: rtnetlink: add helper to extract msg type's kind
a6c202c341624 m68k: bitops: Fix find_*_bit() signatures
1701af4d10b4f hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super()
2a112cdd66f5a hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
450ac1c490f8d dlm: check for defined force value in dlm_lockspace_release
9df3c241fbf69 hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
418e48cab99c5 hfs: validate record offset in hfsplus_bmap_alloc
c135b8dca6552 hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
725522af093ff hfs: make proper initalization of struct hfs_find_data
b92904866b9f3 hfs: clear offset and space out of valid records in b-tree node
25f09699edd36 nios2: ensure that memblock.current_limit is set when setting pfn limits
45ec13d6ce557 exec: Fix incorrect type for ret
3324e5e3ac97a Revert "perf test: Don't leak workload gopipe in PERF_RECORD_*"
ae9ad3b673252 PCI/sysfs: Ensure devices are powered for config reads (part 2)
7ab44236b32ed hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
736159f7b296d ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
3c77e994e4ecd ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
fdccb3adc59d7 sched/fair: Fix pelt lost idle time detection
15fda76f7a57a sched/balancing: Rename newidle_balance() => sched_balance_newidle()
343e991e2596a drm/amd/powerplay: Fix CIK shutdown temperature
d38aec7cd3502 riscv: kprobes: Fix probe address validation
6a90c8381c333 net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset
50b2fb48a4733 net: usb: lan78xx: Add error handling to lan78xx_init_mac_address
a6b33d9edf260 net: usb: use eth_hw_addr_set() instead of ether_addr_copy()
bab04baafc1c5 tls: don't rely on tx_work during send()
09b1c01df5d46 tls: always set record_type in tls_process_cmsg
669d389ed231b tls: wait for async encrypt in case of error during latter iterations of sendmsg
2cb75c87428e0 net: tls: wait for async completion on last message
4de9057aebb15 splice, net: Add a splice_eof op to file-ops and socket-ops
01abf7b445062 tg3: prevent use of uninitialized remote_adv and local_adv variables
c43fe40e67d69 tcp: fix tcp_tso_should_defer() vs large RTT
14c9047ad5165 amd-xgbe: Avoid spurious link down messages during interface toggle
402b6985e872b net/ip6_tunnel: Prevent perpetual tunnel growth
1095322a7e014 r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H
5b9c949c66846 doc: fix seg6_flowlabel path
06477bbe26e04 net: dlink: handle dma_map_single() failure properly
97760193e892b can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()
aca91cae0c917 dax: skip read lock assertion for read-only filesystems
77711d850bed7 HID: multitouch: fix sticky fingers
a510364e8cac0 cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
9699fd9e13df2 crypto: rockchip - Fix dma_unmap_sg() nents value
df808a1f1550b drm/exynos: exynos7_drm_decon: remove ctx->suspended
d6a3c53eebd1f drm/exynos: exynos7_drm_decon: properly clear channels during bind
0e212fdcea59c drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions
4b354a29166a3 blk-crypto: fix missing blktrace bio split events
5918d914a3a67 media: lirc: Fix error handling in lirc_register()
ddb9a92a999b6 media: rc: Directly use ida_free()
723e7084497ef media: s5p-mfc: remove an unused/uninitialized variable
78f6eaf14fe3d btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running
2e9e10657b041 ext4: detect invalid INLINE_DATA + EXTENTS flag combination
14476553253b2 jbd2: ensure that all ongoing I/O complete before freeing blocks
34033f75d0ccb r8152: add error handling in rtl8152_driver_init
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 7d55e175146..a315593e7cc 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "f54e8af7284d39e9129452ac12c6a78511333335"
-SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
+SRCREV_machine ?= "ec706ff09f989e8c03cdc0e1ec5cafd7cf3ee8a2"
+SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.195"
+LINUX_VERSION ?= "5.15.196"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 896b512dac1..66da58322ed 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.195"
+LINUX_VERSION ?= "5.15.196"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "9ce0ec0c426ae703dbce0bbc4d56b919bea21e10"
-SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
+SRCREV_machine ?= "6aa88785aa94fe7253e4dcda162c35c8eaa9f500"
+SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index b2adfd3544d..5b6213a9d7d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,24 +14,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "5200e910cb4a700023e548693aacdd166b008f8b"
-SRCREV_machine:qemuarm64 ?= "2a69501b11075d6c4e6cab2e05fc04f61a8991cd"
-SRCREV_machine:qemumips ?= "6e318293304f232aa650d41bbc6ae7ad40c03fa5"
-SRCREV_machine:qemuppc ?= "c861e5a8012080cc03be9725dd996e0d68f4e93b"
-SRCREV_machine:qemuriscv64 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
-SRCREV_machine:qemuriscv32 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
-SRCREV_machine:qemux86 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
-SRCREV_machine:qemux86-64 ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
-SRCREV_machine:qemumips64 ?= "d3a7bcb9d74f245de665994e3c9d8a35e42351de"
-SRCREV_machine ?= "8f21ac8bce967e4ae9afbe4c66f8fbc11982c59e"
-SRCREV_meta ?= "1bfe6bf1a07dbce00c9a7b4ab051014a26a799a8"
+SRCREV_machine:qemuarm ?= "6938c8f38582bac21da19fde0f2b27beb6b15ba8"
+SRCREV_machine:qemuarm64 ?= "5650eb3e0a12ce52f0c2b9d5469ec169ab8239e7"
+SRCREV_machine:qemumips ?= "1b8f74e960fcd90cf09ff65426d88fe5ec4affae"
+SRCREV_machine:qemuppc ?= "29d4d06006e7def2e86d3c8c99d0a8550cae5a84"
+SRCREV_machine:qemuriscv64 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
+SRCREV_machine:qemuriscv32 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
+SRCREV_machine:qemux86 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
+SRCREV_machine:qemux86-64 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
+SRCREV_machine:qemumips64 ?= "20aaafeb01a044c6e1f2480e119e575461e3fa23"
+SRCREV_machine ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
+SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "ac56c046adf41fdb64ddda46fd66090f21dc381a"
+SRCREV_machine:class-devupstream ?= "cc5ec87693063acebb60f587e8a019ba9b94ae0e"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.195"
+LINUX_VERSION ?= "5.15.196"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 14/38] linux-yocto/5.15: update to v5.15.197
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (12 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 13/38] linux-yocto/5.15: update to v5.15.196 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 15/38] linux-yocto/5.15: update to v5.15.198 Yoann Congal
` (23 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:
68efe5a6c16a Linux 5.15.197
3b7841a78357 libbpf: Fix invalid return address register in s390
46d78c07ce40 libbpf, riscv: Use a0 for RC register
9e11d30ab096 libbpf: Fix riscv register names
aadc10434cd1 selftests/bpf: Don't rely on preserving volatile in PT_REGS macros in loop3
a5d954802bda scsi: pm80xx: Set phy->enable_completion only when we
f7b814a132c5 Bluetooth: Add more enc key size check
4df96f1f47a4 usb: typec: ucsi: psy: Set max current to zero when disconnected
cd5e86e34c66 usb: renesas_usbhs: Fix synchronous external abort on unbind
bd6a1b29fa31 usb: renesas_usbhs: Convert to platform remove callback returning void
d146e96fef87 smb: client: fix memory leak in cifs_construct_tcon()
7ee8f015eb47 mptcp: Fix proto fallback detection with BPF
dad1e44ed940 mptcp: avoid unneeded subflow-level drops
5bd1d0ca17f0 selftests: mptcp: join: rm: set backup flag
85cc2f990287 staging: rtl8712: Remove driver using deprecated API wext
f22c55a20a2d libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
05ec43e9a9de libceph: fix potential use-after-free in have_mon_and_osd_map()
09092269cb76 drm/amd/display: Check NULL before accessing
c9a315a56da2 drm: sti: fix device leaks at component probe
6176101b519f USB: serial: option: add support for Rolling RW101R-GL
6738408111c2 USB: serial: ftdi_sio: add support for u-blox EVK-M101
593d93b871dc xhci: dbgtty: Fix data corruption when transmitting data form DbC to host
67192e8cb7f9 usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
66ac05e7b0d6 usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
26e9b5da3231 usb: storage: sddr55: Reject out-of-bound new_pba
4aa7426f5326 USB: storage: Remove subclass and protocol overrides from Novatek quirk
4ba515dfff7e usb: storage: Fix memory leak in USB bulk transport
5a1628283cd9 usb: gadget: f_eem: Fix memory leak in eem_unwrap
7fb4b54bbf07 usb: cdns3: Fix double resource release in cdns3_pci_probe
a4c4118c2af2 most: usb: fix double free on late probe failure
1f9ba65b019f serial: amba-pl011: prefer dma_mapping_error() over explicit address checking
354fb03002da firmware: stratix10-svc: fix bug in saving controller data
113f10c86d7d slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves
db0835dfac45 thunderbolt: Add support for Intel Wildcat Lake
5a0dcabc8a14 drivers/usb/dwc3: fix PCI parent check
ed69c3db499c dm-verity: fix unreliable memory allocation
6fdcd310f92a can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling
e36369dfa2e7 can: sja1000: fix max irq loop handling
bd1415efbab5 atm/fore200e: Fix possible data race in fore200e_open()
19f3ace94943 MIPS: mm: Prevent a TLB shutdown on initial uniquification
aad9d048a321 iio: accel: bmc150: Fix irq assumption regression
17a38b85226c iio:common:ssp_sensors: Fix an error handling path ssp_probe()
57f759d399e7 iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields
5b9790d2009e Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()"
891775b1b4ed spi: bcm63xx: fix premature CS deassertion on RX-only transactions
f231314b64c5 mailbox: mailbox-test: Fix debugfs_create_dir error checking
b0c4d5135b04 net: atlantic: fix fragment overflow handling in RX path
05c51c116e0b net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic
0bd2b12b3ca9 net: dsa: sja1105: simplify static configuration reload
1989e6ecee91 net: dsa: sja1105: Convert to mdiobus_c45_read
18ef3ad1bb57 net: sxgbe: fix potential NULL dereference in sxgbe_rx()
3c11ac20b5fd net/mlx5e: Fix validation logic in rate limiting
58a8e250d5b6 net: aquantia: Add missing descriptor cache invalidation on ATL2
15d560cdf5b3 platform/x86: intel: punit_ipc: fix memory corruption
4475bac8224c Bluetooth: SMP: Fix not generating mackey and ltk when repairing
69c7825df64e can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
0e2d3a8d9fff Revert "block: don't add or resize partition on the disk with GENHD_FL_NO_PART"
91db2663893a Revert "block: Move checking GENHD_FL_NO_PART to bdev_add_partition()"
0b6a100efd9b mptcp: do not fallback when OoO is present
e2d1ad207174 mptcp: fix a race in mptcp_pm_del_add_timer()
2cc425276ccb mptcp: fix premature close in case of fallback
4c3d91386d18 mptcp: fix ack generation for fallback msk
fab9232b3f27 dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
444c875c347c ata: libata-scsi: Fix system suspend for a security locked drive
015b71996269 Input: pegasus-notetaker - fix potential out-of-bounds access
7bf70ce0a08e Input: remove third argument of usb_maxpacket()
78acf73dfc30 usb: deprecate the third argument of usb_maxpacket()
c22cedbc18dd mptcp: Disallow MPTCP subflows from sockmap
4a4f32f3185a selftests: mptcp: connect: fix fallback note due to OoO
f3737fc3b8d9 pmdomain: samsung: plug potential memleak during probe
582f48d22eb5 pmdomain: arm: scmi: Fix genpd leak on provider registration failure
1d3f3d4c1faf pmdomain: imx: Fix reference count leak in imx_gpc_remove
890472d6fbf0 net: netpoll: fix incorrect refcount handling causing incorrect cleanup
e9af27d1880a mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
e24a45da635b net: qede: Initialize qede_ll_ops with designated initializer
c993fd02ba47 btrfs: fix crash on racing fsync and size-extending write into prealloc
bff4d06c38a7 btrfs: add helper to truncate inode items when logging inode
707d49dd441a Makefile.compiler: replace cc-ifversion with compiler-specific macros
4c019e93f0e5 uio_hv_generic: Set event for all channels on the device
80fe72069168 tracing/tools: Fix incorrcet short option in usage text for --threads
3afeb909c3e2 net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
75ccdb4afe41 ALSA: usb-audio: fix uac2 clock source at terminal parser
bb1c19636aed mm/secretmem: fix use-after-free race in fault handler
2ef178413183 mm/mm_init: fix hash table order logging in alloc_large_system_hash()
dcf80cb1bf88 kconfig/nconf: Initialize the default locale at startup
87297ab1e783 kconfig/mconf: Initialize the default locale at startup
699c6cc0f18e net: tls: Cancel RX async resync request on rcd_delta overflow
fbbcd769c800 selftests: net: use BASH for bareudp testing
804b5b8e3545 scsi: core: Fix a regression triggered by scsi_host_busy()
674329151458 vsock: Ignore signal/timeout on connect() if already established
ecbb12caf399 net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
597bbbe023d9 kernel.h: Move ARRAY_SIZE() to a separate header
ca4452aa69ab platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos
7616e2eee679 s390/ctcm: Fix double-kfree
f95bef5ba0b8 net: openvswitch: remove never-working support for setting nsh fields
20d7e6bce8e2 net: dsa: hellcreek: fix missing error handling in LED registration
ba8d3df04c00 mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
5fb232c76334 drm/tegra: dc: Fix reference leak in tegra_dc_couple()
99908e2d6012 mptcp: fix race condition in mptcp_schedule_work()
7536472a4575 MIPS: Malta: Fix !EVA SOC-it PCI MMIO
f449a1edd7a1 scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
109afbd88ecc scsi: sg: Do not sleep in atomic context
60ba31330faf nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
4ce5218b1012 Input: imx_sc_key - fix memory corruption on unload
729d21c82c1b Input: cros_ec_keyb - fix an invalid memory access
630360c6724e be2net: pass wrb_params in case of OS2BMC
f2e52a9d10d8 exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
9c58c64ec412 mtd: rawnand: cadence: fix DMA device NULL pointer dereference
de9dc8cbeea0 HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155
652b24f07bae net/sched: act_connmark: handle errno on tcf_idr_check_alloc
b70c24827e11 isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
bf51f26c5bcc EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection
76eb3ac2f01a EDAC/altera: Handle OCRAM ECC enable after warm reset
4b63d3858a1e spi: Try to get ACPI GPIO IRQ earlier
8af069dc2fbf ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check
217d47255a2e ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
4cba73c4c892 fs/proc: fix uaf in proc_readdir_de()
298f1e0694ab ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
5fb4722507b7 strparser: Fix signed/unsigned mismatch bug
3b9447e68777 gcov: add support for GCC 15
b114996a095d NFSD: free copynotify stateid in nfs4_free_ol_stateid()
d0ee0b42a9c0 HID: hid-ntrig: Prevent memory leak in ntrig_report_version()
4681960bc0f4 netfilter: nf_tables: reject duplicate device on updates
cbbe9170ca2a mtd: onenand: Pass correct pointer to IRQ handler
20067f737dc0 lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN
b69f19244c2b mm/ksm: fix flag-dropping behavior in ksm_madvise
1a6ed803c4b1 mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR
c4cdd143c359 bpf: Add bpf_prog_run_data_pointers()
9f282104627b ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
6ec3bfe0ad73 NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()
709e5c088f9c drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
bfa4f33f0a43 ASoC: cs4271: Fix regulator leak on probe failure
ee29c2319ee8 regulator: fixed: fix GPIO descriptor leak on register failure
5c1fd2b81e13 acpi,srat: Fix incorrect device handle check for Generic Initiator
9d1d7858fc5b Bluetooth: L2CAP: export l2cap_chan_hold for modules
8b1551cacb66 hsr: Fix supervision frame sending on HSRv0
f8706e15710f net_sched: limit try_bulk_dequeue_skb() batches
5af7ec404e85 net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps
727f158d9a8a net/mlx5e: Fix maxrate wraparound in threshold between units
37f0680887c5 net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
218b67c8c824 net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
def0860b2caf net_sched: act_connmark: use RCU in tcf_connmark_dump()
0d14e8ba20cf net/sched: act_connmark: transition to percpu stats and rcu
b99642817f60 net: sched: act_connmark: get rid of tcf_connmark_walker and tcf_connmark_search
6a45a97e0099 net: sched: act: move global static variable net_id to tc_action_ops
659e94c35a3f wifi: mac80211: skip rate verification for not captured PSDUs
1040834078ac net: mdio: fix resource leak in mdiobus_register_device()
51b8f0ab888f tipc: Fix use-after-free in tipc_mon_reinit_self().
8a695769c1e8 net/smc: fix mismatch between CLC header and proposal
abb086b9a95d sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
17ef29586b76 Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions
2f2b940e7fa3 Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion
d566e9a2bfc8 Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
7a6d1e740220 Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
d11c10bce6f4 net: fec: correct rx_bytes statistic for the case SHIFT16 is set
dd60d0ba60f8 ASoC: max98090/91: fixed max98091 ALSA widget powering up/down
652585576866 NFS: check if suid/sgid was cleared after a write as needed
9727b5dc98c3 HID: quirks: avoid Cooler Master MM712 dongle wakeup bug
d2560884113c NFS4: Fix state renewals missing after boot
e5d5b4228e05 RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors
be5a8537b2b9 compiler_types: Move unused static inline functions warning to W=2
e988634d7aae drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
7d316c3c9e53 selftests: netdevsim: set test timeout to 10 minutes
3694a618609b extcon: adc-jack: Cleanup wakeup source only if it was enabled
d3eaf1052cd8 lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC
3a9f46f5d467 rtc: rx8025: fix incorrect register reference
38771ab159d9 tracing: Fix memory leaks in create_field_var()
a304aa581895 bnxt_en: Fix a possible memory leak in bnxt_ptp_init
25979f34feec bnxt_en: PTP: Refactor PTP initialization functions
4e6b9004f01d net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
82b5ddac0843 sctp: Hold sock lock while iterating over address list
72e3fea68eac sctp: Prevent TOCTOU out-of-bounds write
ad5ddc33af9f sctp: Hold RCU read lock while iterating over address list
6618c36f6d86 net: dsa: b53: stop reading ARL entries if search is done
ae52ba1ad2ed net: dsa: b53: fix enabling ip multicast
cd8c2419b50b net: dsa: b53: fix resetting speed and pause on forced link
48df5cc7fd7c net: vlan: sync VLAN features with lower device
82acad39d05c selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh
f3903664c883 netdevsim: add Makefile for selftests
c2ce8d37e49e selftests/net: use destination options instead of hop-by-hop
32c3e1cbc2e6 selftests/net: fix GRO coalesce test and add ext header coalesce tests
e4603c1c4fd1 selftests/net: fix out-of-order delivery of FIN in gro:tcp test
a8d549eb5aca net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx
f8d974a0e8c2 riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro
53c7a2110285 Revert "wifi: ath10k: avoid unnecessary wait for service ready message"
b345e06f2d35 ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again
676ee2061f72 ceph: add checking of wait_for_completion_killable() return value
8bff07a8fc0a ASoC: meson: aiu-encoder-i2s: fix bit clock polarity
1943b69e87b0 fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
6da480c32392 ACPI: property: Return present device nodes only on fwnode interface
a66596cf5643 9p: sysfs_init: don't hardcode error to ENOMEM
879f6a7e75c3 cpufreq: tegra186: Initialize all cores to max frequencies
435b42a10995 9p: fix /sys/fs/9p/caches overwriting itself
66f257db400a clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled
c50651c205f6 clk: at91: clk-master: Add check for divide by 3
e7322da6c50f ARM: at91: pm: save and restore ACR during PLL disable/enable
a02f2dbdd77a rtc: pcf2127: clear minute/second interrupt
cebc9f5ee3e3 um: Fix help message for ssl-non-raw
64ef62fb1c4a fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink
f7af3813ccff btrfs: mark dirty extent range for out of bound prealloc extents
8a139fe903f3 RDMA/hns: Fix wrong WQE data when QP wraps around
63bb04cda173 RDMA/irdma: Set irdma_cq cq_num field during CQ create
e8805e90ff0c RDMA/irdma: Remove unused struct irdma_cq fields
2380d634959a RDMA/irdma: Fix SD index calculation
cc9ab6e1a375 ACPICA: Update dsmethod.c to get rid of unused variable warning
15afebb95974 orangefs: fix xattr related buffer overflow...
c12ebeacfbae page_pool: Clamp pool size to max 16K pages
2acf073edeb7 exfat: limit log print for IO error
c70926971b36 ALSA: usb-audio: add mono main switch to Presonus S1824c
b65ca9708bfb Bluetooth: bcsp: receive data only if registered
d2850f037c2a Bluetooth: SCO: Fix UAF on sco_conn_free
d4d90a419b55 net: macb: avoid dealing with endianness in macb_set_hwaddr()
bb7d0d13c6e1 fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock
b2eef65a3be2 scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
fa4daf7d11e4 nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
a8a97e0d0b60 NFSv4.1: fix mount hang after CREATE_SESSION failure
679fd67bac26 NFSv4: handle ERR_GRACE on delegation recalls
ca806ebc497b remoteproc: qcom: q6v5: Avoid handling handover twice
e50066336660 sparc/module: Add R_SPARC_UA64 relocation handling
eb3d29ca0820 PCI: cadence: Check for the existence of cdns_pcie::ops before using it
c3f99fd7ed17 r8169: set EEE speed down ratio to 1
826ad86e1270 net: intel: fm10k: Fix parameter idx set but not used
eb0c150d0279 wifi: ath10k: Fix connection after GTK rekeying
0f7f34292071 iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()
f878bfd2c14c net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X
a2aa97cde985 jfs: fix uninitialized waitqueue in transaction manager
46c76cfa17d1 jfs: Verify inode mode when loading from disk
14b6f0b3cfe2 ipv6: np->rxpmtu race annotation
318aeeb3f8fe usb: xhci: plat: Facilitate using autosuspend for xhci plat devices
7a219cbbc9e8 usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs
311df10cca0e allow finish_no_open(file, ERR_PTR(-E...))
ffae0417168e scsi: lpfc: Define size of debugfs entry for xri rebalancing
57225d17cd8d scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup
430e3ca0a53d scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET
41cd00665c99 selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency
0ec2cd5c5879 page_pool: always add GFP_NOWARN for ATOMIC allocations
a58098c6b91c drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl
fd62e1a94cff net/cls_cgroup: Fix task_get_classid() during qdisc run
45e4e4a8772f udp_tunnel: use netdev_warn() instead of netdev_WARN()
d276a6c3bb74 selftests: Replace sleep with slowwait
fbf410aafc85 eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP
ff4cd9564dc3 selftests: Disable dad for ipv6 in fcnal-test.sh
b16a010338bf x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT
56c832864e5e netfilter: nf_reject: don't reply to icmp error messages
0858b8e38884 selftests: traceroute: Use require_command()
9d2e3da0a0e8 media: redrat3: use int type to store negative error codes
ffb663e41dde net: sh_eth: Disable WoL if system can not suspend
eab8d5e5e1d0 phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0
04f057e4c156 phy: cadence: cdns-dphy: Enable lower resolutions in dphy
63eb6730ce06 ntfs3: pretend $Extend records as regular files
8a8d07553583 net: phy: marvell: Fix 88e1510 downshift counter errata
0f30019f5a58 drm/msm: make sure to not queue up recovery more than once
0cf9a50af91f usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
2dc7bcc0b112 usb: gadget: f_hid: Fix zero length packet transfer
bb8f9de71c9b iommu/amd: Skip enabling command/event buffers for kdump
66bcd6c577d8 net: call cond_resched() less often in __release_sock()
07ae8cc64557 net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms
fdfd91ac1f44 ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled
1452d49956d9 drm/msm/dsi/phy_7nm: Fix missing initial VCO rate
b4a4bf4b4452 drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL
bda8e00b354a dmaengine: dw-edma: Set status for callback_result
35e42324c21f dmaengine: mv_xor: match alloc_wc and free_wc
e12a50e3621f dmaengine: sh: setup_xref error handling
774e8d44ac88 ptp: Limit time setting of PTP clocks
48c1d49c64d0 scsi: pm8001: Use int instead of u32 to store error codes
7ce10ef9a9b6 mips: lantiq: xway: sysctrl: rename stp clock
e1f79a12bd62 mips: lantiq: danube: add missing device_type in pci node
a39c88bedb0f mips: lantiq: danube: add missing properties to cpu node
69f04cdd1a50 media: fix uninitialized symbol warnings
b751b7f87acb drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption
92071a422131 extcon: adc-jack: Fix wakeup source leaks on device unbind
62443e7d827a scsi: pm80xx: Fix race condition caused by static variables
866d93632daa scsi: mpi3mr: Fix controller init failure on fault during queue creation
9650cd59f4e1 rds: Fix endianness annotation for RDS_MPATH_HASH
fb4f59e66952 ALSA: usb-audio: Add validation of UAC2/UAC3 effect units
30cc10a05b22 PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call
38edfa2a5a7a net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV.
f80a71a29f2d net: When removing nexthops, don't call synchronize_net if it is not necessary
d2ee1c7fc9c2 char: misc: Does not request module for miscdevice with dynamic minor
e14d3af189de usb: gadget: f_ncm: Fix MAC assignment NCM ethernet
f979f913b99c iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register
ad22eebd7177 drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts
26f6a1dd5d81 media: imon: make send_packet() more robust
0bf756ae1e69 net: ipv6: fix field-spanning memcpy warning in AH output
15def75e75a7 bridge: Redirect to backup port when port is administratively down
a65cbffb0e81 powerpc/eeh: Use result of error_detected() in uevent
e269b500b23f thunderbolt: Use is_pciehp instead of is_hotplug_bridge
157b7b41a5d2 net: stmmac: Check stmmac_hw_setup() in stmmac_resume()
d178723da249 x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall
5ba991865cee drm/tidss: Set crtc modesetting parameters with adjusted mode
603c103f9e30 drm/tidss: Use the crtc_* timings when programming the HW
965813f1afaf media: pci: ivtv: Don't create fake v4l2_fh
556da2856798 drm/amdkfd: return -ENOTTY for unsupported IOCTLs
e04e3165bc8b selftests/net: Ensure assert() triggers in psock_tpacket.c
634d43ee1d23 selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8
be80a71699b4 PCI: Disable MSI on RDC PCI to PCIe bridges
31caf9efba7e drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()
19096bddf873 drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff
b9d1d32766d3 drm/amd/pm: Use cached metrics data on arcturus
89af20042ea5 drm/amd/pm: Use cached metrics data on aldebaran
446631df0714 mfd: da9063: Split chip variant reading in two bus transactions
adde0c657c90 mfd: madera: Work around false-positive -Wininitialized warning
d7bc1931a256 mfd: stmpe-i2c: Add missing MODULE_LICENSE
72f7a31793bb mfd: stmpe: Remove IRQ domain upon removal
fa0d842eea8c tools/power x86_energy_perf_policy: Prefer driver HWP limits
1c0eb3211e17 tools/power x86_energy_perf_policy: Enhance HWP enable
87de7b4213c1 tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage
2ba32bd019cf tools/cpupower: Fix incorrect size in cpuidle_state_disable()
481e609c7854 hwmon: (dell-smm) Add support for Dell OptiPlex 7040
2617ae62f086 uprobe: Do not emulate/sstep original instruction when ip is changed
cf3e51d388e1 clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel
39805c732891 cpuidle: Fail cpuidle device registration if there is one already
7f6993bd3224 tools/cpupower: fix error return value in cpupower_write_sysfs()
6e9e9558da65 video: backlight: lp855x_bl: Set correct EPROM start for LP8556
e8cde03de867 nvme-fc: use lock accessing port_state and rport state
2f4852db87e2 nvmet-fc: avoid scheduling association deletion twice
75a98126757e tee: allow a driver to allocate a tee_device without a pool
5a7e2d5d1b68 ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method()
13257496a496 mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card
e3f7173df91b power: supply: sbs-charger: Support multiple devices
a59c9c1370db hwmon: (sbtsi_temp) AMD CPU extended temperature range support
9545f5ef8258 ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]
799f75a894a6 ACPI: PRM: Skip handlers with NULL handler_address or NULL VA
2ca16b41e88b irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment
1ba13dde6a45 arc: Fix __fls() const-foldability via __builtin_clzl()
55cf586b9556 cpufreq/longhaul: handle NULL policy in longhaul_exit
916f62bf6964 selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2
76ab1edadf69 ACPI: video: force native for Lenovo 82K8
edc0b38f26fc memstick: Add timeout to prevent indefinite waiting
9e18372fcf17 mmc: host: renesas_sdhi: Fix the actual clock
fd031d98081e pinctrl: single: fix bias pull up/down handling in pin_config_set
13ce905f0777 bpf: Don't use %pK through printk
49be75e00d21 soc: ti: pruss: don't use %pK through printk
ed7b7fbf2d5f spi: loopback-test: Don't use %pK through printk
d06bbd6f5cd8 soc: qcom: smem: Fix endian-unaware access of num_entries
9a0d4017a138 soc: aspeed: socinfo: Add AST27xx silicon IDs
04dde9a7cb73 block: make REQ_OP_ZONE_OPEN a write operation
6abeff03cb79 drm/sysfb: Do not dereference NULL pointer in plane reset
afd6e9fe377f drm/sched: Fix race in drm_sched_entity_select_rq()
9ec40fba7357 usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
e6f1413b1cfb Revert "docs/process/howto: Replace C89 with C11"
518eadd15f7e arch: back to -std=gnu89 in < v5.18
f28b14d235a8 x86/boot: Compile boot code with -std=gnu11 too
8050bbc2a2b9 xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall event
fe9092c42877 xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive.
79d7094ecd75 xhci: dbc: Improve performance by removing delay in transfer event polling.
2f5c3743466f xhci: dbc: Allow users to modify DbC poll interval via sysfs
d596d39e16e3 xhci: dbc: poll at different rate depending on data transfer activity
902f900b46e9 xhci: dbc: Provide sysfs option to configure dbc descriptors
42ccfa662c2e x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID
12a895faa0c9 net: phy: dp83867: Disable EEE support as not implemented
56612e80a80b can: gs_usb: increase max interface to U8_MAX
941285def6f6 net: ravb: Enforce descriptor type ordering
6664de2a13b5 ravb: Exclude gPTP feature support for RZ/G2L
381eb91874a6 dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp
bfb5e825c206 serial: 8250_dw: handle reset control deassert error
3299a39f9a09 serial: 8250_dw: Use devm_add_action_or_reset()
d979639f099c regmap: slimbus: fix bus_context pointer in regmap init calls
c5279b8c91c9 block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL
c674a191ada3 drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
f64e5bdde3be drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
ca8cc1ae1425 drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()
e5e712518b29 net: hns3: return error code when function fails
8814f060d364 drm/etnaviv: fix flush sequence logic
43005002b60e usbnet: Prevents free active kevent
18652ab01a20 libbpf: Fix powerpc's stack register definition in bpf_tracing.h
e5996b15ab1d libbpf: Normalize PT_REGS_xxx() macro definitions
82a674170040 riscv, libbpf: Add RISC-V (RV64) support to bpf_tracing.h
9450d2fe01d0 bpf: Do not audit capability check in do_jit()
de2ce6b14bc3 bpf: Sync pending IRQ work before freeing ring buffer
29b6987bdea3 ALSA: usb-audio: fix control pipe direction
ea48293df43b drm/msm/a6xx: Fix GMU firmware parser
488f3206325e wifi: ath10k: Fix memory leak on unsupported WMI command
641e47ea2831 ASoC: qdsp6: q6asm: do not sleep while atomic
cca3958c5565 mptcp: restore window probe
90d835caf3eb fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
9c78e8179a14 fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS
55f60a72a178 wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
db5c9a162d2f fbdev: bitblit: bound-check glyph index in bit_putcs*
bc78a4f51d54 ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
4b05bd1d75d3 fbdev: atyfb: Check if pll_ops->init_pll failed
c7bf258321a1 net: usb: asix_devices: Check return value of usbnet_get_endpoints
375fdd8993ce NFSD: Fix crash in nfsd4_read_release()
5fa8b4382c01 btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot()
5a6f9727ae78 btrfs: always drop log root tree reference in btrfs_replay_log()
f5c926c9e7fe btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io()
a740e71c2344 x86/bugs: Fix reporting of LFENCE retpoline
1bed56f089f0 net/sched: sch_qfq: Fix null-deref in agg_dequeue
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index a315593e7cc..4baf0bd9833 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "ec706ff09f989e8c03cdc0e1ec5cafd7cf3ee8a2"
-SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
+SRCREV_machine ?= "9f3853efc84c7065918f3cb90be1464f61bd0871"
+SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.196"
+LINUX_VERSION ?= "5.15.197"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 66da58322ed..a8ba1470443 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.196"
+LINUX_VERSION ?= "5.15.197"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "6aa88785aa94fe7253e4dcda162c35c8eaa9f500"
-SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
+SRCREV_machine ?= "6a3023cca521bd2e295fc1482e5b0c88c08ab2e4"
+SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 5b6213a9d7d..26765a216e5 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,24 +14,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "6938c8f38582bac21da19fde0f2b27beb6b15ba8"
-SRCREV_machine:qemuarm64 ?= "5650eb3e0a12ce52f0c2b9d5469ec169ab8239e7"
-SRCREV_machine:qemumips ?= "1b8f74e960fcd90cf09ff65426d88fe5ec4affae"
-SRCREV_machine:qemuppc ?= "29d4d06006e7def2e86d3c8c99d0a8550cae5a84"
-SRCREV_machine:qemuriscv64 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
-SRCREV_machine:qemuriscv32 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
-SRCREV_machine:qemux86 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
-SRCREV_machine:qemux86-64 ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
-SRCREV_machine:qemumips64 ?= "20aaafeb01a044c6e1f2480e119e575461e3fa23"
-SRCREV_machine ?= "3f1742244637534d7f0c70ca2ad471307917ce3f"
-SRCREV_meta ?= "0279325ca207a9cdfa8a956632154831453a85c1"
+SRCREV_machine:qemuarm ?= "2d635a3e35b83998b2f84bbd2e932eaafdf61826"
+SRCREV_machine:qemuarm64 ?= "bb65897d11ebca68c2017bf0bed4e26599e05ddb"
+SRCREV_machine:qemumips ?= "8192334823c116e4e56368fbf6ca67cdb0c945d0"
+SRCREV_machine:qemuppc ?= "ec35a9c80e2a5006d01a073f9787c784fdf0a04f"
+SRCREV_machine:qemuriscv64 ?= "c04373a83e017e615d8333767c8955732c6c975b"
+SRCREV_machine:qemuriscv32 ?= "c04373a83e017e615d8333767c8955732c6c975b"
+SRCREV_machine:qemux86 ?= "c04373a83e017e615d8333767c8955732c6c975b"
+SRCREV_machine:qemux86-64 ?= "c04373a83e017e615d8333767c8955732c6c975b"
+SRCREV_machine:qemumips64 ?= "5a3b47b8a7c60c97447170242b5c2e70db803b2f"
+SRCREV_machine ?= "c04373a83e017e615d8333767c8955732c6c975b"
+SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "cc5ec87693063acebb60f587e8a019ba9b94ae0e"
+SRCREV_machine:class-devupstream ?= "68efe5a6c16a05391e3d96025b41e9bf573f968c"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.196"
+LINUX_VERSION ?= "5.15.197"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 15/38] linux-yocto/5.15: update to v5.15.198
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (13 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 14/38] linux-yocto/5.15: update to v5.15.197 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:32 ` Patchtest results for " patchtest
2026-02-24 14:24 ` [OE-core][kirkstone 16/38] linux-yocto/5.15: update to v5.15.199 Yoann Congal
` (22 subsequent siblings)
37 siblings, 1 reply; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:
9eec9a14ee10 Linux 5.15.198
72d750886b21 NFS: add barriers when testing for NFS_FSDATA_BLOCKED
7981cff2bee1 NFS: unlink/rmdir shouldn't call d_delete() twice on ENOENT
220a5ee395e0 efi/cper: Fix cper_bits_to_str buffer handling and return value
b82594248af1 firmware: imx: scu-irq: Set mu_resource_id before get handle
bbd35608330d scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
5517e2497d11 ASoC: fsl_sai: Add missing registers to cache default
c3a4316e3c74 can: j1939: make j1939_session_activate() fail if device is no longer registered
c618c4ccb79b powercap: fix sscanf() error return value handling
7b78832aa94f powercap: fix race condition in register_control_type()
047ea38d41d9 blk-throttle: Set BIO_THROTTLED when bio has been throttled
7f7080c51410 pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
3dc4b3bb4e0a pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells
ef668c9a2261 counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
e8bfa2401d4c nfsd: provide locking for v4_end_grace
061158d27c46 NFSD: Remove NFSERR_EAGAIN
530476199947 nfs_common: factor out nfs_errtbl and nfs_stat_to_errno
eb204a6d8bad NFS: trace: show TIMEDOUT instead of 0x6e
393525dee5c3 arp: do not assume dev_hard_header() does not change skb->head
2caa31d02c73 net: enetc: fix build warning when PAGE_SIZE is greater than 128K
a40af9a2904a net: usb: pegasus: fix memory leak in update_eth_regs_async()
0809c4bc06c9 net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
303987beb595 HID: quirks: work around VID/PID conflict for appledisplay
b4bfc8d26b96 bnxt_en: Fix potential data corruption with HW GRO/LRO
4248fb36df8d eth: bnxt: move and rename reset helpers
0e9a7c61978e net/mlx5e: Don't print error message due to invalid module
ac1fd8362346 netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
c655d2167bf0 net: sock: fix hardened usercopy panic in sock_recv_errqueue
bee569f5fcf7 inet: ping: Fix icmp out counting
8767f238b0e6 net: mscc: ocelot: Fix crash when adding interface under a lag
bf1ffe5e95bd bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
8a4333b2818f net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
c4cde57c8aff netfilter: nf_conncount: update last_gc only when GC has been performed
92d17b97479c netfilter: nf_tables: fix memory leak in nf_tables_newrule()
d65b19f34c2a netfilter: nft_synproxy: avoid possible data-race on update operation
ddd097698d8b ARM: dts: imx6q-ba16: fix RTC interrupt level
e91cffed1c58 arm64: dts: add off-on-delay-us for usdhc2 regulator
274dfe3b1801 scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed"
ebabaddab72c scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
5ef4392495a8 NFS: Fix up the automount fs_context to use the correct cred
f269abad66bd NFSv4: ensure the open stateid seqid doesn't go backwards
d4d09d18059a alpha: don't reference obsolete termio struct for TC* constants
8c97b0183923 ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
df9967c3b757 csky: fix csky_cmpxchg_fixup not working
b374e9ecc92a ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
6c94fd068ba2 ext4: introduce ITAIL helper
5d0dc83cb9a6 libceph: make calc_target() set t->paused, not just clear it
77229551f2cf libceph: return the handler error from mon_handle_auth_done()
851241d3f78a libceph: make free_choose_arg_map() resilient to partial allocation
4b106fbb1c7b libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
194cfe2af4d2 libceph: prevent potential out-of-bounds reads in handle_auth_done()
a3827e310b5a wifi: avoid kernel-infoleak from struct iw_point
6a0cceb1a8b9 drm/pl111: Fix error handling in pl111_amba_probe
250e1f9f911d lib/crypto: aes: Fix missing MMU protection for AES S-box
e57137354d85 mei: me: add nova lake point S DID
6cff14b831db net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
02b79361cf97 atm: Fix dma_free_coherent() size
7f696f15c18b usb: gadget: lpc32xx_udc: fix clock imbalance in error path
c3ba0557ab2e net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
f3cc921c237c Revert "iommu/amd: Skip enabling command/event buffers for kdump"
0b956f79b2f8 firmware: arm_scmi: Fix unused notifier-block in unregister
3079bf04d35f ext4: fix error message when rejecting the default hash
bfac7e3ff587 ext4: factor out ext4_hash_info_init()
86b81d4eab1c ext4: filesystems without casefold feature cannot be mounted with siphash
e1b826e10ff9 pwm: stm32: Always program polarity
69e4c711d3f5 x86: remove __range_not_ok()
dd6d10e00cf4 selftests: net: test_vxlan_under_vrf: fix HV connectivity test
20d3eb00ab81 ipv4: Fix uninit-value access in __ip_make_skb()
40e5444a3ac3 ipv6: Fix potential uninit-value access in __ip6_make_skb()
ef2fe0c6353b KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning
eeeaba737919 HID: core: Harden s32ton() against conversion to 0 bits
5f35099fa3d5 KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
d69f28ef7cda page_pool: Fix use-after-free in page_pool_recycle_in_ring
aec6a1be0be1 drm/i915/selftests: fix subtraction overflow bug
0f55ac683b27 mmc: core: use sysfs_emit() instead of sprintf()
f51e471cb157 net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
32ffca069d20 drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
0a59a3895f80 wifi: mac80211: Discard Beacon frames to non-broadcast address
7daa50a2157e ASoC: stm32: sai: fix OF node leak on probe
ecd91855dd4f lockd: fix vfs_test_lock() calls
86d91420bbe3 powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
325fd00621d5 mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
ed920d0feafb mm/balloon_compaction: we cannot have isolated pages in the balloon list
f16e78225eda mm/balloon_compaction: make balloon page compaction callbacks static
1e3a5fec4917 ASoC: stm32: sai: fix clk prepare imbalance on probe failure
a93887d284a6 ASoC: stm32: sai: Use the devm_clk_get_optional() helper
39e5b2de0207 ASoC: stm: Use dev_err_probe() helper
6009167915d5 r8169: fix RTL8117 Wake-on-Lan in DASH mode
4c0278938c36 iommu/qcom: fix device leak on of_xlate()
2e9a95d60f1d powerpc/64s/slb: Fix SLB multihit issue during SLB preload
374f9984edc8 PCI: brcmstb: Fix disabling L0s capability
bf03a56d6af9 powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
4141049144b3 media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
3ccce30e5919 media: samsung: exynos4-is: fix potential ABBA deadlock on init
75f91534f9ac NFSD: NFSv4 file creation neglects setting ACL
2e6f384b4e6c media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
b425cd5bc54e media: vpif_capture: fix section mismatch
61d19d81485d media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
4dedb6a11243 SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
610ef5893628 KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
543bf004e4ea crypto: af_alg - zero initialize memory allocated via sock_kmalloc
a22316f5e9a2 svcrdma: bound check rq_pages index in inline path
c80b58581fad ARM: dts: microchip: sama7g5: fix uart fifo size to 32
cbbf3f1bb9f8 fuse: fix readahead reclaim deadlock
a6c208695220 usb: ohci-nxp: fix device leak on probe failure
0928573aeccb usb: ohci-nxp: Use helper function devm_clk_get_enabled()
50ee04e0ae62 mptcp: pm: ignore unknown endpoint flags
2cf9e72ec9a4 usb: dwc3: keep susphy enabled during exit to avoid controller faults
72c58a82e6fb f2fs: fix to avoid updating zero-sized extent in extent cache
671910d2e5b8 f2fs: fix to propagate error from f2fs_enable_checkpoint()
474cc3ed3743 f2fs: use global inline_xattr_slab instead of per-sb slab cache
f30ea4a9e793 f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
0e8bddb3e081 xfs: fix a memory leak in xfs_buf_item_init()
06cad7ba5c7b KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
fa2dd45ce8ae NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
d2f5d8cf1ead ALSA: wavefront: Fix integer overflow in sample size validation
73d7bfacc5ca ALSA: wavefront: Use standard print API
151c632b9162 ALSA: wavefront: Clear substream pointers on close
214a854d0d99 wifi: mt76: Fix DTS power-limits on little endian systems
8a589c56b0d6 btrfs: don't rewrite ret from inode_permission
275c686f1e3c tpm: Cap the number of PCR banks
ed7441ffe3fd jbd2: fix the inconsistency between checksum and data in memory for journal sb
ee199d259349 xhci: dbgtty: fix device unregister
4b4315ab4a14 xhci: dbgtty: use IDR to support several dbc instances.
eee16f3ff08e usb: gadget: udc: fix use-after-free in usb_gadget_state_work
8b586de6f03c usb: xhci: Apply the link chain quirk on NEC isoc endpoints
d16a2857ad17 usb: xhci: move link chain bit quirk checks into one helper function.
86aae7053d2d drm/vmwgfx: Fix a null-ptr access in the cursor snooper
cfb82ea9cccc virtio_console: fix order of fields cols and rows
6161d0d62351 kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules
94b45fddc261 mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
554b17dc14d0 mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
77ec39ad0ceb mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
233409d46dc5 mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
3f7668f4ffd5 mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
db10496b2797 mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
df458acf79c6 mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
c6895612b1e4 mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
5629064f92f0 RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
483b541b7ee3 mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
5ff02cf6c74d mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
87caa0d35aab drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb
47a85604a761 drm/ttm: Avoid NULL pointer deref for evicted BOs
d376aea5f101 drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
e02a1c33f10a net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
66d3d821a27f net: usb: sr9700: fix incorrect command used to write single register
02a02eb93cec nfsd: Drop the client reference in client_states_open()
96e9b4b4eebe fjes: Add missing iounmap in fjes_hw_init()
278b7cfe0d4d e1000: fix OOB in e1000_tbi_should_accept()
abf38398724e RDMA/cm: Fix leaking the multicast GID table reference
bfe10318fc23 RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
adca36b7312f idr: fix idr_alloc() returning an ID out of range
ec9fd10b4803 media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
d80c606877e3 media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
3de6afefd37e media: TDA1997x: Remove redundant cancel_delayed_work in probe
faf38cced019 media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
718fd69207b6 media: cec: Fix debugfs leak on bus_register() failure
c3548c44c3c2 fbdev: tcx.c fix mem_map to correct smem_start offset
37fa1e7e4884 fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
51fd9c20a530 fbdev: gbefb: fix to use physical address instead of dma address
c9d6fc7d60c6 dm-ebs: Mark full buffer dirty even on partial write
f913b9a2ccd6 media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
6a483e56c1ad parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
0a476ed7bc87 parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
76bbb99a030f media: rc: st_rc: Fix reset control resource leak
f69506115f61 mfd: max77620: Fix potential IRQ chip conflict when probing two devices
ef97d93d0775 mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
a357f04e6c47 leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
e24cad510abc leds: leds-lp50xx: Allow LED 0 to be added to module bank
c9f0eac5745d PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
f0ae659c9652 HID: logitech-dj: Remove duplicate error logging
3f50e9dbfe9d iommu/tegra: fix device leak on probe_device()
157b01742a68 iommu/sun50i: fix device leak on of_xlate()
fa4e003b8fcf iommu/omap: fix device leaks on probe_device()
6705d63820c6 iommu/mediatek: fix device leak on of_xlate()
e6b0e3882ab0 iommu/mediatek-v1: fix device leak on probe_device()
cadf7c83302f iommu/ipmmu-vmsa: fix device leak on of_xlate()
f62661f577b3 iommu/exynos: fix device leak on of_xlate()
ac0c50cc85ed iommu/apple-dart: fix device leak on of_xlate()
fdb64bba6a46 ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
d543ddcecc93 ASoC: qcom: q6adm: the the copp device only during last instance
47587d958185 ASoC: qcom: q6asm-dai: perform correct state check before closing
938117827bca ASoC: stm32: sai: fix device leak on probe
d739270d09e0 selftests/ftrace: traceonoff_triggers: strip off names
1f29db2cfb01 RDMA/bnxt_re: fix dma_free_coherent() pointer
2d34cffaf8c9 RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
19682d51e1b6 RDMA/bnxt_re: Fix to use correct page size for PDE table
b299f01e464d RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
8165f064641c RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
af9a938b087d RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
c8002b3a098a RDMA/efa: Remove possible negative shift
db93ae6fa66f RDMA/irdma: avoid invalid read in irdma_net_event
ed2639414d43 net: rose: fix invalid array index in rose_kill_by_device()
33ff5c207c87 ipv4: Fix reference count leak when using error routes with nexthop objects
6b7522424529 ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
4cc4cfe4d23c octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
6b3a6cb3493f net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
fc96018f09f8 net: usb: asix: validate PHY address before use
b3c214ac512e net: dsa: b53: skip multicast entries for fdb_dump()
d55b060b6c56 firewire: nosy: Fix dma_free_coherent() size
1fc0c943e445 genalloc.h: fix htmldocs warning
1c4cb705e733 smc91x: fix broken irq-context in PREEMPT_RT
2f966186b995 net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
f820e438b8ec team: fix check for port enabled in team_queue_override_port_prio_changed()
6f935c0f549f platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
1c423f0fcb08 platform/x86: msi-laptop: add missing sysfs_remove_group()
41a1a3140aff ip6_gre: make ip6gre_header() robust
052e5db5be45 net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
214802e4caaa net: mdio: aspeed: add dummy read to avoid read-after-write issue
6ff75a5132df net: mdio: aspeed: move reg accessing part into separate functions
fff9206b0907 Bluetooth: btusb: revert use of devm_kzalloc in btusb
baf0e2d1e03d crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
5bb18bfd505c iavf: fix off-by-one issues in iavf_config_rss_reg()
cfddf4af22a3 i40e: validate ring_len parameter against hardware-specific values
0daf39ee1e4e i40e: Refactor argument of i40e_detect_recover_hung()
3fec9e1bad69 i40e: Refactor argument of several client notification functions
4f28b415a483 i40e: fix scheduling in set_rx_mode
f7455c5f9218 hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
bf5b03227f2e hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
5082cdce4344 hwmon: (max16065) Use local variable to avoid TOCTOU
ac45b270ea28 i2c: amd-mp2: fix reference leak in MP2 PCI device
24fd02c3a479 rpmsg: glink: fix rpmsg device leak
dd86de8f8573 soc: amlogic: canvas: fix device leak on lookup
5527dde9ff12 soc: qcom: ocmem: fix device leak on lookup
53693b3268c2 amba: tegra-ahb: Fix device leak on SMMU enable
5ba8ba12920c drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
2420ef01b2e8 io_uring: fix filename leak in __io_openat_prep()
685889472f29 svcrdma: return 0 on success from svc_rdma_copy_inline_range
8564deae5375 nfsd: Mark variable __maybe_unused to avoid W=1 build break
859bdf438f01 fsnotify: do not generate ACCESS/MODIFY events on child for special files
323e203a944b PM: runtime: Do not clear needs_force_resume with enabled runtime PM
6d15f08e6d8d tracing: Do not register unsupported perf events
fd4c14c7b772 KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
d8c44d566187 KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
30c71d9b4d76 KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
d2da0df7bbc4 KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
6ae727f72be0 KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
fa0c3fbc4bb5 KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
145d140abda8 libceph: make decode_pool() more resilient against corrupted osdmaps
7a146f34e5be parisc: Do not reprogram affinitiy on ASP chip
cfdf6250b63b scs: fix a wrong parameter in __scs_magic
e1da6e399df9 platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
d0fd1f732ea8 ocfs2: fix kernel BUG in ocfs2_find_victim_chain
12ab6ebb3778 media: vidtv: initialize local pointers upon transfer of memory ownership
04e5abccf5a3 tools/testing/nvdimm: Use per-DIMM device handle
0de4977a1eea f2fs: fix return value of f2fs_recover_fsync_data()
3d95ed8cf980 f2fs: invalidate dentry cache on failed whiteout creation
45fd86b44410 scsi: target: Reset t_task_cdb pointer in error case
fc3ab9b2cce5 NFSD: use correct reservation type in nfsd4_scsi_fence_client
278455a82245 scsi: aic94xx: fix use-after-free in device removal path
50b097d92c99 scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
47e7c7496f5a cpufreq: nforce2: fix reference count leak in nforce2
4f3e0af0d9a8 intel_th: Fix error handling in intel_th_output_open
d1b045228002 char: applicom: fix NULL pointer dereference in ac_ioctl
677f382acab1 usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
439c8d0425bb usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
43e58abad6c0 usb: phy: isp1301: fix non-OF device reference imbalance
0c2b0e747010 USB: lpc32xx_udc: Fix error handling in probe
76b52ed875d5 phy: broadcom: bcm63xx-usbh: fix section mismatches
424dd7ef4109 media: pvrusb2: Fix incorrect variable used in trace message
c2305b4c5fc1 media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
d14c800ec300 usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
0ea5763a6ced media: v4l2-mem2mem: Fix outdated documentation
048f29c90275 jbd2: use a weaker annotation in journal handling
a973d037229b ext4: align max orphan file size with e2fsprogs limit
2930d9cb9cd3 ext4: fix incorrect group number assertion in mb_check_buddy
331d6f52201b ext4: clear i_state_flags when alloc inode
3d8d22e75f7e ext4: xattr: fix null pointer deref in ext4_raw_inode()
ea4e2ad6f612 ktest.pl: Fix uninitialized var in config-bisect.pl
1c0e2617b51c fs/ntfs3: fix mount failure for sparse runs in run_unpack()
7f24094db7af floppy: fix for PAGE_SIZE != 4KB
2f945c9892b0 block: rate-limit capacity change info log
3c35608d6577 lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
d685237855bf mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
3fd7df4636d8 KEYS: trusted: Fix a memory leak in tpm2_load_cmd
8a69b95bc8c4 vhost/vsock: improve RCU read sections around vhost_vsock_get()
94476ed97e38 platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
4099d8f057f2 nvme-fc: don't hold rport lock when putting ctrl
8cb8a84f7af3 serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
db963adebdf5 usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
6ddc1cf758b2 usb: xhci: limit run_graceperiod for only usb 3.0 devices
58941bbb0050 usb: typec: ucsi: Handle incorrect num_connectors capability
f3f0303b5330 usbip: Fix locking bug in RT-enabled kernels
c4034574f87a exfat: fix remount failure in different process environments
c7b986adc9e9 via_wdt: fix critical boot hang due to unnamed resource allocation
36fe06f5a292 scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
8416236b992f scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
80e898a3c614 scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
46778b34e021 powerpc/addnote: Fix overflow on 32-bit builds
c49300043e7b clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
a5622f46f4fc ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
92f285834099 firmware: imx: scu-irq: Init workqueue before request mbox channel
22292508e1c9 ipmi: Fix __scan_channels() failing to rescan channels
5c7d972756d4 ipmi: Fix the race between __scan_channels() and deliver_response()
2168866396bd ALSA: usb-mixer: us16x08: validate meter packet indices
19b626d36aed ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
9f490d2f5dc9 ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
c851e43b88b4 net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
2b4aa7f24820 mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
9c34a4a2ead0 spi: fsl-cpm: Check length parity before switching to 16 bit mode
b5e70e7fa904 ACPI: CPPC: Fix missing PCC check for guaranteed_perf
d16cc7a2b3ed Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
136abe173a3c Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
ac6b3033d1e5 HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
42c91dfa772c net: hns3: add VLAN id validation before using
c9bbeca124e9 net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
de631a0f9872 net: hns3: Align type of some variables with their print type
bcefdb288eed net: hns3: using the num_tqps in the vf driver to apply for resources
42406760b28c net/mlx5: fw_tracer, Handle escaped percent properly
768d559f466c net/mlx5: fw_tracer, Validate format string parameters
a59e9812aca1 net/mlx5: fw_tracer, Add support for unrecognized string
f9dc0f45d2cd ethtool: Avoid overflowing userspace buffer on stats query
72d1c4a07780 net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers
c8666be7c338 net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats
78f0d7353bdf ethtool: use phydev variable
7bf3910b82f6 nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
02783a37cb1c net/sched: ets: Remove drr class from the active list if it changes to strict
c54091eec6fe caif: fix integer underflow in cffrml_receive()
312d7cd88882 ipvs: fix ipv4 null-ptr-deref in route error path
e1ac8dce3a89 netfilter: nf_conncount: fix leaked ct in error paths
a94493dd78b4 broadcom: b44: prevent uninitialized value usage
3bc2efff20a3 net: openvswitch: fix middle attribute validation in push_nsh() action
6e367c361a52 mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
9e0a0d9eeb0d mlxsw: spectrum_router: Fix neighbour use-after-free
194cd36ec05d ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
c7f6e7cc14df net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
09efbf54eeae netrom: Fix memory leak in nr_sendmsg()
e0f859d5035a Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
ca91db4f8979 btrfs: scrub: always update btrfs_scrub_progress::last_physical
eb6a4e7e3d04 hfsplus: fix volume corruption issue for generic/073
d92333c7a358 hfsplus: Verify inode mode when loading from disk
39e149d58ef4 hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
1432a4819917 hfsplus: fix volume corruption issue for generic/070
f6ca2faa3f3e fs/ntfs3: Support timestamps prior to epoch
3d4e15ef5ccb livepatch: Match old_sympos 0 and 1 in klp_find_func()
a0f5ffc01af5 cpufreq: s5pv210: fix refcount leak
08ba2b9983ad ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
ecb296286c87 ACPICA: Avoid walking the Namespace if start_node is NULL
0144d18dd96d x86/ptrace: Always inline trivial accessors
9019e399684e sched/deadline: only set free_cpus for online runqueues
fe293b7b0759 btrfs: fix memory leak of fs_devices in degraded seed device path
b3f937e8912d bpf, arm64: Do not audit capability check in do_jit()
2ed5e0ca5d9a spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
36cb73c557d1 spi: tegra210-quad: Fix validate combined sequence
fcf4ad3208e9 coresight: etm4x: Correct polling IDLE bit
754512b096b9 netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
460fd9a9e820 NFS: Fix missing unlock in nfs_unlink()
434b84ecb8ff ASoC: fsl_xcvr: get channel status data when PHY is not exists
3cf854cec0eb ALSA: dice: fix buffer overflow in detect_stream_formats()
ce205e480799 usb: phy: Initialize struct usb_phy list_head
b3c4465f2519 usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
8877bbb620a9 ocfs2: fix memory leak in ocfs2_merge_rec_left()
c5a352071f83 efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
ec7b34401123 efi/cper: Adjust infopfx size to accept an extra space
095ebf8277b5 efi/cper: Add a new helper function to print bitmasks
de9f85fdf7eb dm log-writes: Add missing set_freezable() for freezable kthread
8d656002fa38 dm-raid: fix possible NULL dereference with undefined raid type
a9bfe4eb0103 ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad()
ceb5dff91c86 ALSA: uapi: Fix typo in asound.h comment
7f031777be02 dma/pool: eliminate alloc_pages warning in atomic_pool_expand
d8b52fa40fc8 block: fix comment for op_is_zone_mgmt() to include RESET_ALL
8fe7de5d1c7f blk-mq: Abort suspend when wakeup events are pending
f123e1fad3a8 ASoC: ak5558: Disable regulator when error happens
8cb3ed1b5669 ASoC: ak4458: Disable regulator when error happens
5a38a44815e0 ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure()
97044043d531 platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
680f72890147 fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
ba1495aefd22 NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
1b44528bf4a1 fs_context: drop the unused lsm_flags member
ce578fbf8e83 Revert "nfs: ignore SB_RDONLY when mounting nfs"
8e921550cc85 Revert "nfs: clear SB_RDONLY before getting superblock"
dca481c17f81 Revert "nfs: ignore SB_RDONLY when remounting nfs"
b6e4e3a08c03 NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
3dc5156ad61a NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
e77419cbb547 NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open()
19bac87dd821 NFSv4: Add some support for case insensitive filesystems
3e367777b69c fs/nls: Fix utf16 to utf8 conversion
2093051b4698 NFS: Avoid changing nlink when file removes and attribute updates race
777564417810 NFS: don't unhash dentry during unlink/rename
186072b7a23c NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink()
5f1bc99ea831 fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe()
007408ab8449 pinctrl: single: Fix incorrect type for error return variable
184146300f78 pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling
8609287a2646 perf tools: Fix split kallsyms DSO counting
38abf6e931b1 net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
140e6cd7b092 remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs
0d39bd3ef77a mtd: lpddr_cmds: fix signed shifts in lpddr_cmds
1d6155900a69 net: stmmac: fix rx limit check in stmmac_rx_zc()
53bc0ac47f4f netfilter: nft_connlimit: update the count if add was skipped
b160895d6bc9 netfilter: nf_conncount: rework API to use sk_buff directly
be69850b461e netfilter: nf_conncount: reduce unnecessary GC
aea811b4cf6c netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
9d041a7ba13f regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
4a79a1d496b9 ASoC: Intel: catpt: Fix error path in hw_params()
c6035886b9d8 virtio: fix virtqueue_set_affinity() docs
9410895c0e5f virtio_vdpa: fix misleading return in void function
a9f01f0776f0 vdpa: Sync calls set/get config/status with cf_mutex
447092100c7e vdpa: Introduce query of device config layout
3ca8c7a6f9a0 vdpa: Introduce and use vdpa device get, set config helpers
eed1541ff09d ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation
c082093313c0 ext4: remove unused return value of __mb_check_buddy
99e011a78210 ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4
1e8124068c93 drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1()
212825c1c8cb ASoC: fsl_xcvr: clear the channel status control memory
650127b100b1 ASoC: fsl_xcvr: Add support for i.MX93 platform
c464a9e42def ASoC: fsl_xcvr: Add Counter registers
9cfb946f51ce RDMA/irdma: Fix data race in irdma_free_pble
04050bf1a767 RDMA/irdma: Fix data race in irdma_sc_ccq_arm
5c494997d09e iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal
342b2c26e5ac backlight: lp855x: Fix lp855x.h kernel-doc warnings
cd01a24b3e52 backlight: led-bl: Add devlink to supplier LEDs
d0deba37ac85 backlight: led_bl: Take led_access lock when required
53072791efe8 wifi: ieee80211: correct FILS status codes
67d15b5ea082 PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition
7547755997b3 staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
d6c91fc73269 mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
f57925f0c498 crypto: ccree - Correctly handle return of sg_nents_for_len
76fc288ce114 selftests/bpf: Improve reliability of test_perf_branches_no_hw()
1d2e267f4331 selftests/bpf: skip test_perf_branches_hw() on unsupported platforms
90bb940f1c2f usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
7b1766b525da usb: dwc2: fix hang during suspend if set as peripheral
316a067b2769 usb: dwc2: fix hang during shutdown if set as peripheral
16514b403f0a usb: dwc2: disable platform lowlevel hw resources during shutdown
5c94f6e84aec usb: chaoskey: fix locking for O_NONBLOCK
f2f4627b74c1 ima: Handle error code returned by ima_filter_rule_match()
6a96bd0d9430 wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
81f087859c97 mfd: mt6358-irq: Fix missing irq_domain_remove() in error path
68715d885bb6 mfd: mt6397-irq: Fix missing irq_domain_remove() in error path
d705f1c35080 pwm: bcm2835: Make sure the channel is enabled after pwm_request()
9a76b3b33e52 drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue
e1c7bb405edc fs/ntfs3: Prevent memory leaks in add sub record
e910114bdbd8 fs/ntfs3: out1 also needs to put mi
925e825f0c8e fs/ntfs3: Make ni_ins_new_attr return error
83177ae96486 fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free
d29f1ea12adf fs/ntfs3: Remove unused mi_mark_free
e0a6dcbb8ce5 powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format
89caaeee8dd9 wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
01f1e3015a77 NFSD/blocklayout: Fix minlength check in proc_layoutget
dbeddfaaa3c0 watchdog: wdat_wdt: Fix ACPI table leak in probe function
dbe2bb24ac4c watchdog: wdat_wdt: Stop watchdog when uninstalling module
f93b75779dc0 selftests/bpf: Fix failure paths in send_signal test
cf31d9fc454f ps3disk: use memcpy_{from,to}_bvec index
4174c6409e51 PCI: keystone: Exit ks_pcie_probe() for invalid mode
b6fa2843b30f leds: netxbig: Fix GPIO descriptor leak in error paths
6682d122e88e scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls
b9f141eb4182 ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint()
08b93c1c12c6 ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
3e764e8a055b lib/vsprintf: Check pointer before dereferencing in time_and_date()
a6189b555ccc clk: renesas: r9a06g032: Fix memory leak in error path
8368be8a5072 coresight: etm4x: Add context synchronization before enabling trace
368466234b54 coresight: etm4x: Extract the trace unit controlling
d4b7290c1b5f coresight-etm4x: add isb() before reading the TRCSTATR
35d756da2d7e coresight: etm4x: Use Trace Filtering controls dynamically
53511743c5a8 coresight: etm4x: Save restore TRFCR_EL1
cd93db1b1b44 nbd: defer config unlock in nbd_genl_connect
40e6a1ebe430 wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper()
14c209835e47 macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
3061b299fced powerpc/32: Fix unpaired stwcx. on interrupt exit
79c8a77b1782 ntfs3: init run lock for extend inode
9794c1a99a3a RDMA/rtrs: server: Fix error handling in get_or_create_srv
5e9a106883c6 dt-bindings: PCI: amlogic: Fix the register name of the DBI region
558222badffe dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema
f0988e776c64 scsi: stex: Fix reboot_notifier leak in probe error path
d3ba31267591 nbd: defer config put in recv_work
6b4b2d939537 nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply()
41ecdc2097b1 nbd: clean up return value checking of sock_xmit()
85db50d9662b regulator: core: disable supply if enabling main regulator fails
c0763fe31cfe perf/x86/intel: Correct large PEBS flag check
de33b4593b81 ext4: correct the checking of quota files before moving extents
8de56b96de2d ext4: minor defrag code improvements
c23ea1f28855 mfd: da9055: Fix missing regmap_del_irq_chip() in error path
88db8bb7ed1b spi: tegra210-quad: Fix timeout handling
f603efe72a28 spi: tegra210-quad: modify chip select (CS) deactivation
c6d33b46ce13 spi: tegra210-quad: combined sequence mode
f64a36c44896 spi: tegra210-quad: add new chips to compatible
036d15dbee1a spi: tegra210-quad: use device_reset method
5a26b3e8b811 scsi: target: Do not write NUL characters into ASCII configfs output
43428053153f power: supply: apm_power: only unset own apm_get_power_status
7158890e3692 power: supply: wm831x: Check wm831x_set_bits() return value
bf5e04401a10 i3c: master: svc: Prevent incomplete IBI transaction
763d194b13be i3c: fix refcount inconsistency in i3c_master_register
fe067c65f760 pinctrl: stm32: fix hwspinlock resource leak in probe function
9ff4cea267ef x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()
898581813aaf x86: kmsan: don't instrument stack walking functions
49c6b5e1e7fa kmsan: introduce __no_sanitize_memory and __no_kmsan_checks
bd4bcf2d97a8 compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
4af48d5cb642 sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
59a797709dcb phy: mscc: Fix PTP for VSC8574 and VSC8572
3c149ffe83d5 firmware: imx: scu-irq: fix OF node leak in
9c5c10b32f48 s390/ap: Don't leak debug feature files if AP instructions are not available
fc09726c9213 s390/smp: Fix fallback CPU detection
0049c460c57c crypto: hisilicon/qm - restore original qos values
c13c6e9de91d crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
5c56bbed31e4 uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe
d27289e628bf arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl
15c09dad9a82 iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member
5fbae4ee1d2a iio: imu: st_lsm6dsx: discard samples during filters settling time
830c8336db60 iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine
0314de967578 inet: Avoid ehash lookup race in inet_ehash_insert()
1600b14e3c41 rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu()
90e23db1a859 ntfs3: Fix uninit buffer allocated by __getname()
afb144bc8e92 ntfs3: fix uninit memory after failed mi_read in mi_format_new
7bf22893398e irqchip/qcom-irq-combiner: Fix section mismatch
50fde089fb8a USB: Fix descriptor count when handling invalid MBIM extended descriptor
489b2158aec9 drm/vgem-fence: Fix potential deadlock on release
ea0fd5535b0b drm/panel: visionox-rm69299: Don't clear all mode flags
ca9388fba50d gpu: host1x: Fix race in syncpt alloc/free
6b1e45e13546 smack: fix bug: unprivileged task can create labels
c03cb1116289 staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
4445adedae77 staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
7141915bf0c4 comedi: check device's attached status in compat ioctls
4cde9a7e025c comedi: multiq3: sanitize config options in multiq3_attach()
f7fa1f4670c3 comedi: c6xdigio: Fix invalid PNP driver unregistration
606f57e57267 HID: elecom: Add support for ELECOM M-XT3URBK (018F)
2aa1485eff98 platform/x86: huawei-wmi: add keys for HONOR models
090003de3f6c platform/x86: acer-wmi: Ignore backlight event
d8dcf8e8852b pinctrl: qcom: msm: Fix deadlock in pinmux configuration
aeccd6743ee4 bfs: Reconstruct file type when loading from disk
93536b1d8478 spi: imx: keep dma request disabled before dma transfer setup
9106a929628f spi: xilinx: increase number of retries before declaring stall
e86288cb0a8c USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
5882a3fe61d3 USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
c032ddd06fe1 serial: add support of CPCI cards
999138bc35b8 USB: serial: ftdi_sio: match on interface number for jtag
141ed16ab9b7 USB: serial: option: move Telit 0x10c7 composition in the right place
2d5855509140 USB: serial: option: add Telit Cinterion FE910C04 new compositions
97c9ba42d178 USB: serial: option: add Foxconn T99W760
b2a5b172dc05 comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
61e03dc3794e ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
c228cb699a07 locking/spinlock/debug: Fix data-race in do_raw_write_lock
43bf001f0fe4 ext4: refresh inline data size before write operations
ed62fd8c15d4 jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
5821b648480a Documentation: process: Also mention Sasha Levin as stable tree maintainer
d76c2063db44 leds: spi-byte: Use devm_led_classdev_register_ext()
fdcf33b9738c leds: Replace all non-returning strlcpy with strscpy
799e37e49cb6 drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR
a647db560793 dpaa2-mac: bail if the dpmacs fwnode is not found
e1d414c5719a xfrm: flush all states in xfrm_state_fini
1dad653643f2 xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
9f2d85ead8ff Revert "xfrm: destroy xfrm_state synchronously on net exit path"
4b2c17d0f9be xfrm: delete x->tunnel as we delete x
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 4baf0bd9833..ebe610c64b1 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "9f3853efc84c7065918f3cb90be1464f61bd0871"
-SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
+SRCREV_machine ?= "2afe5ce992e8048f0728eafea9efed380ec08d46"
+SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.197"
+LINUX_VERSION ?= "5.15.198"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index a8ba1470443..1a3a110c670 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.197"
+LINUX_VERSION ?= "5.15.198"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "6a3023cca521bd2e295fc1482e5b0c88c08ab2e4"
-SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
+SRCREV_machine ?= "30a5abb43773a288fe85ed754f1d4518ca8f28bb"
+SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 26765a216e5..f33ef22d83f 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,24 +14,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "2d635a3e35b83998b2f84bbd2e932eaafdf61826"
-SRCREV_machine:qemuarm64 ?= "bb65897d11ebca68c2017bf0bed4e26599e05ddb"
-SRCREV_machine:qemumips ?= "8192334823c116e4e56368fbf6ca67cdb0c945d0"
-SRCREV_machine:qemuppc ?= "ec35a9c80e2a5006d01a073f9787c784fdf0a04f"
-SRCREV_machine:qemuriscv64 ?= "c04373a83e017e615d8333767c8955732c6c975b"
-SRCREV_machine:qemuriscv32 ?= "c04373a83e017e615d8333767c8955732c6c975b"
-SRCREV_machine:qemux86 ?= "c04373a83e017e615d8333767c8955732c6c975b"
-SRCREV_machine:qemux86-64 ?= "c04373a83e017e615d8333767c8955732c6c975b"
-SRCREV_machine:qemumips64 ?= "5a3b47b8a7c60c97447170242b5c2e70db803b2f"
-SRCREV_machine ?= "c04373a83e017e615d8333767c8955732c6c975b"
-SRCREV_meta ?= "65baed3263fc04a3bdd461278cca80891b80cc9a"
+SRCREV_machine:qemuarm ?= "3cce45b328f3485e7de2bedee542ef6898e050be"
+SRCREV_machine:qemuarm64 ?= "2b2737663d7c08b6df6ae791d46caae904710ce0"
+SRCREV_machine:qemumips ?= "7ae75ed1e71b6038140416ed1c0791373b0ed5e9"
+SRCREV_machine:qemuppc ?= "490def1150cbd931cf4ae1214c6400c47bf7bde6"
+SRCREV_machine:qemuriscv64 ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_machine:qemuriscv32 ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_machine:qemux86 ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_machine:qemux86-64 ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_machine:qemumips64 ?= "7e46020155a56cdcedf78dcaa4c90fc97393c09c"
+SRCREV_machine ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "68efe5a6c16a05391e3d96025b41e9bf573f968c"
+SRCREV_machine:class-devupstream ?= "9eec9a14ee10820a0c00dd3e02ac1e0ab27ad142"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.197"
+LINUX_VERSION ?= "5.15.198"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* Patchtest results for [OE-core][kirkstone 15/38] linux-yocto/5.15: update to v5.15.198
2026-02-24 14:24 ` [OE-core][kirkstone 15/38] linux-yocto/5.15: update to v5.15.198 Yoann Congal
@ 2026-02-24 14:32 ` patchtest
0 siblings, 0 replies; 42+ messages in thread
From: patchtest @ 2026-02-24 14:32 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 2248 bytes --]
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/kirkstone-15-38-linux-yocto-5.15-update-to-v5.15.198.patch
FAIL: test commit message user tags: Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
^ permalink raw reply [flat|nested] 42+ messages in thread
* [OE-core][kirkstone 16/38] linux-yocto/5.15: update to v5.15.199
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (14 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 15/38] linux-yocto/5.15: update to v5.15.198 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:32 ` Patchtest results for " patchtest
2026-02-24 14:24 ` [OE-core][kirkstone 17/38] bind: Upgrade 9.18.41 -> 9.18.44 Yoann Congal
` (21 subsequent siblings)
37 siblings, 1 reply; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:
7b232985052fc Linux 5.15.199
7e6040853f5b5 wifi: cfg80211: init wiphy_work before allocating rfkill fails
c6d143fc945f7 wifi: cfg80211: fully move wiphy work to unbound workqueue
8930a3e1568cf wifi: cfg80211: cancel wiphy_work before freeing wiphy
d81ebee178731 wifi: cfg80211: fix wiphy delayed work queueing
4737cc74b2fd8 wifi: cfg80211: use system_unbound_wq for wiphy work
c8b15b0d2eec3 team: Move team device type change at the end of team_port_add
9b32d72687cfb pinctrl: meson: mark the GPIO controller as sleeping
2ccfb37ef544f mptcp: avoid dup SUB_CLOSED events after disconnect
e69e435ec6e68 writeback: fix 100% CPU usage when dirtytime_expire_interval is 0
52755c5680ce3 drm/imx/tve: fix probe device leak
28f5cbcce5d9d pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver
46933b9bc76f4 net/sched: act_ife: convert comma to semicolon
ffac9893ce8d0 btrfs: prevent use-after-free on page private data in btrfs_subpage_clear_uptodate()
e11e8a29b304c drm/amdkfd: fix a memory leak in device_queue_manager_init()
dc934d9667399 can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
186df821de0f3 genirq/irq_sim: Initialize work context pointers properly
00d52b2fa6083 HID: uclogic: Add NULL check in uclogic_input_configured()
51f49e3927ad5 HID: uclogic: Correct devm device reference for hidinput input_dev name
c3a2e803b24eb wifi: mac80211: move TDLS work to wiphy work
9ac16e7b0b828 wifi: mac80211: use wiphy work for sdata->work
ddb1bfbf4ab5c wifi: cfg80211: add a work abstraction with special semantics
e1fa25a91091b Bluetooth: Fix hci_suspend_sync crash
b15c9a21950e1 net: stmmac: make sure that ptp_rate is not 0 before configuring EST
65d04291adf7c usbnet: Fix using smp_processor_id() in preemptible code warnings
49b57b98fa601 NFSD: fix race between nfsd registration and exports_proc
98fc9c2cc45cf ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
05db2b850a2b8 espintcp: fix skb leaks
0561aa6033dd1 blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()
bdf38063fd15f fs/ntfs3: Initialize allocated memory before use
446beed646b2e ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
c4079a34c0ade drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
10644e8839544 ksm: use range-walk function to jump over holes in scan_get_next_rmap_item
f87f4de092c7a mm/pagewalk: add walk_page_range_vma()
f569f5b8bfd51 ksmbd: smbd: fix dma_unmap_sg() nents
2c34622d9c724 mei: trace: treat reg parameter as string
d5e80d1f97ae5 ALSA: scarlett2: Fix buffer overflow in config retrieval
95ab26bc462d7 nvme: fix PCIe subsystem reset controller state transition
886d98fa48580 nvme-pci: do not directly handle subsys reset fallout
25c6804cbde4b nvme-fc: rename free_ctrl callback to match name pattern
937309b52ca26 xfs: set max_agbno to allow sparse alloc of last full inode chunk
6393da54dcb34 dmaengine: stm32: dmamux: fix device leak on route allocation
7ff0a6402741e dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
060b08d72a38b w1: therm: Fix off-by-one buffer overflow in alarms_store
fb6fcdc03fce4 w1: w1_therm: use swap() to make code cleaner
7b94e4650020e arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s
427b0fb30ddec scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
600894c7a2363 iio: adc: exynos_adc: fix OF populate on driver rebind
f6b672daaca1c of: platform: Use default match table for /firmware
16c806d04be13 comedi: Fix getting range information for subdevices 16 to 255
2b1bef126bbb8 tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
10d1b3cf657d5 net: Add locking to protect skb->dev access in ip_output
aade7df55e12e mptcp: only reset subflow errors when propagated
461f1832a6d1c scsi: qla2xxx: edif: Fix dma_free_coherent() size
f8cd47294b4bf scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo()
df13548c0a94f ASoC: fsl: imx-card: Do not force slot width to sample width
a4181b228db3b dma/pool: distinguish between missing and exhausted atomic pools
1dd15630fc633 gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler
65ba13a5b3d05 scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()
478873f7324f7 net: bridge: fix static key check
eaa5da5130ded nfc: nci: Fix race between rfkill and nci_unregister_device().
1d8ae83e1c61b net/mlx5e: Account for netdev stats in ndo_get_stats64
138dbe22d8854 net/mlx5e: Report rx_discards_phy via rx_dropped
ba253d322e536 net/mlx5e: Expose rx_oversize_pkts_buffer counter
b3f0dab4f9682 net/mlx5: Add HW definitions of vport debug counters
5b47b402f5833 ice: stop counting UDP csum mismatch as rx_errors
65e976e1f474a nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
b11e6f926480a rocker: fix memory leak in rocker_world_port_post_fini()
9fe793a779ce8 ipv6: use the right ifindex when replying to icmpv6 from localhost
94ae00a809c07 net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
2b65e3ae33818 net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
ccc683f597ceb Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
feae34c992eb7 bpf: Reject narrower access to pointer ctx fields
e0ffb64a2d72c bpf: Do not let BPF test infra emit invalid GSO types to stack
ad97b9a55246e migrate: correct lock ordering for hugetlb file folios
ef6e608e5ee71 can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
b5a1ccdc63b71 can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
40a3334ffda47 can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
f48eabd15194b can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
e2f9c751f73a2 irqchip/gic-v3-its: Avoid truncating memory addresses
ede8ce83c2184 perf/x86/intel: Do not enable BTS for guests
6e0110ea90313 netrom: fix double-free in nr_route_frame()
8b57bf1d3b1db uacce: ensure safe queue release with state management
ebfa85658a39b uacce: implement mremap in uacce_vm_ops to return -EPERM
1bc3e51367c42 uacce: fix cdev handling in the cleanup path
64015cbf06e8b intel_th: fix device leak on output open()
948615429c9f2 slimbus: core: fix device reference leak on report present
00cf6f7478c9f slimbus: core: fix runtime PM imbalance on report present
6c77ce4da447a octeontx2: Fix otx2_dma_map_page() error return code
361df59ad0130 arm64: Set __nocfi on swsusp_arch_resume()
0d7c9e793e351 wifi: rsi: Fix memory corruption due to not set vif driver data size
de34a80e0d6ec wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
fc8da65f9fe1b wifi: ath10k: fix dma_free_coherent() pointer
c1c758ecd68bf mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
56fb6efd5d04c ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
afca7ff5d5d4d ALSA: ctxfi: Fix potential OOB access in audio mixer handling
029efb5adffb1 iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
fdc8c835c637a iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
92a2745aa0f66 iio: adc: ad9467: fix ad9434 vref mask
fb396ee1bc53a of: fix reference count leak in of_alias_scan()
d117fdcb21b05 leds: led-class: Only Add LED to leds_list when it is fully ready
f775881f99fa7 x86: make page fault handling disable interrupts properly
dd9442aedbeae net/sched: act_ife: avoid possible NULL deref
669bd7a54e626 octeontx2-af: Fix error handling
3be945abdd228 bonding: provide a net pointer to __skb_flow_dissect()
92c6dc181a18e be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
9d02de4b2fd6d drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)
078c6eef1db5f drm/amd/pm: Don't clear SI SMC table when setting power limit
b339601c238af usbnet: limit max_mtu based on device's hard_mtu
4630897eb1a03 ipv6: annotate data-race in ndisc_router_discovery()
13f3b3b870688 mISDN: annotate data-race around dev->work
bd495244dec6e net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue
7d203254f04ff net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
435c3bd709642 ALSA: usb: Increase volume range that triggers a warning
766e243ae8c8b regmap: Fix race condition in hwspinlock irqsave routine
e18ce45f5c809 iio: adc: ad7280a: handle spi_setup() errors in probe()
bea5c8df16866 staging:iio:adc:ad7280a: Register define cleanup.
7023a74cdb01d x86/kfence: avoid writing L1TF-vulnerable PTEs
4daf82511496a scsi: storvsc: Process unsupported MODE_SENSE_10
e85531cefe175 Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA
d303e5d338672 Input: i8042 - add quirks for MECHREVO Wujie 15X Pro
7b673faac4784 Revert "nfc/nci: Add the inconsistency check between the input data length and count"
c49b1646cc50f w1: fix redundant counter decrement in w1_attach_slave_device()
2081f7ba69c7b comedi: dmm32at: serialize use of paged registers
fee86edf5803f crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
b8c24cf5268fb net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
ae810e6a8ac4f net/sched: Enforce that teql can only be used as root qdisc
70feb16e3fbfb ipvlan: Make the addrs_lock be per port
36c40a80109f1 l2tp: avoid one data-race in l2tp_tunnel_del_work()
611ef4bd9c73d fou: Don't allow 0 for FOU_ATTR_IPPROTO.
8568171dec862 net: fou: use policy and operation tables generated from the spec
9e470606c4448 net: fou: rename the source for linking
cef28f55a515b netlink: add a proto specification for FOU
380a82d36e37d gue: Fix skb memleak with inner IP protocol 0.
8f4e8887d43d4 amd-xgbe: avoid misleading per-packet error log
784428ab1889e sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
72925dbb0c8c7 bonding: limit BOND_MODE_8023AD to Ethernet devices
e85cf62f75505 net: usb: dm9601: remove broken SR9700 support
bef3a83a9a67c testptp: Add option to open PHC in readonly mode
6b32d042aa825 selftest/ptp: update ptp selftest to exercise the gettimex options
8510559c0fa1e ptp: add testptp mask test
3d4f2eda35897 selftests/ptp: Add -X option for testing PTP_SYS_OFFSET_PRECISE
3d58f0709a292 selftests/ptp: Add -x option for testing PTP_SYS_OFFSET_EXTENDED
3cc43c9b568a5 testptp: Add support for testing ptp_clock_info .adjphase callback
f33c4d3f4b3f3 testptp: add option to shift clock by nanoseconds
7d9aa9032d0a9 ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE.
9c46bf50b676f posix-clock: Store file pointer in struct posix_clock_context
62a5adf57b56e Fix memory leak in posix_clock_open()
a006fc4485159 posix-clock: introduce posix_clock_context concept
dc84036c173cf btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
41aac90212612 dmaengine: ti: k3-udma: fix device leak on udma lookup
c933aa74d9f8d dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
1d8478b31a3da dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
68ed0d88d1a70 dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
4532f18e4ab36 dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
499ddae78c4ba dmaengine: lpc18xx-dmamux: fix device leak on route allocation
b7bd948f89271 dmaengine: idxd: fix device leaks on compat bind and unbind
4730f12a192d7 dmaengine: bcm-sba-raid: fix device leak on probe
4c67b4f45c854 dmaengine: at_hdmac: fix device leak on of_dma_xlate()
e8758f114a922 drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
bb309377eece5 drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
c775abb6cd82a drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
eda99622e6f39 mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
c85c550eff812 x86/resctrl: Fix memory bandwidth counter width for Hygon
fa226f722e2fe x86/resctrl: Add missing resctrl initialization for Hygon
d35365d8f8888 EDAC/i3200: Fix a resource leak in i3200_probe1()
123a6bbe87cc1 EDAC/x38: Fix a resource leak in x38_probe1()
6cf35964a8150 hrtimer: Fix softirq base check in update_needs_ipi()
6241cd1d0acc2 ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
e306c64bd2c56 nvme-pci: disable secondary temp for Wodposit WPBSNM8
2e8ea7257c5fd USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
7e4c68838c605 USB: serial: option: add Telit LE910 MBIM composition
23defd20f98f3 USB: OHCI/UHCI: Add soft dependencies on ehci_platform
14739a3543c8d usb: dwc3: Check for USB4 IP_NAME
742ff37b51270 phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
e7e87af627449 phy: rockchip: inno-usb2: fix communication disruption in gadget mode
53b1ed2f400ee phy: rockchip: inno-usb2: fix disconnection in gadget mode
b6923f0ffb981 x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
adabf01c19561 net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
aab3a76c03b7c ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
7d76380e98bfa HID: usbhid: paper over wrong bNumDescriptor field
2b29f38f4f966 dmaengine: omap-dma: fix dma_pool resource leak in error paths
23a52bffe415f phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
fb9d513cdf161 phy: stm32-usphyc: Fix off by one in probe()
d8f1e61238799 dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing
76992310f8077 dmaengine: tegra-adma: Fix use-after-free
b36b4c0dd281b mm, kfence: describe @slab parameter in __kfence_obj_info()
ea46adfe5cc03 textsearch: describe @list member in ts_ops search
209f350326c8d ASoC: tlv320adcx140: fix word length
cff6cd703f41d net/sched: sch_qfq: do not free existing class in qfq_change_class()
0badf6ffd2c39 selftests: drv-net: fix RPS mask handling for high CPU numbers
bf1dfd389b6ae net/mlx5e: Restore destroying state bit after profile cleanup
014ba8f2953c0 vsock/test: add a final full barrier after run all tests
8d5b6b2d79c1c ipv4: ip_gre: make ipgre_header() robust
484919832e2db macvlan: fix possible UAF in macvlan_forward_source()
45126b1249757 net: update netdev_lock_{type,name}
64c71d60a21a9 ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
76abc83a9d255 nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
4fcde4590de2d nvmet-tcp: remove boilerplate code
97250eb05e4b6 can: etas_es58x: allow partial RX URB allocation to succeed
27c90d8ed81e7 pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_5.15.bb | 4 ++--
.../linux/linux-yocto-tiny_5.15.bb | 4 ++--
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 24 +++++++++----------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index ebe610c64b1..e23c8bf88ab 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "2afe5ce992e8048f0728eafea9efed380ec08d46"
+SRCREV_machine ?= "27c8048897d9d7ff1ed6d2643cbc024eb13ae342"
SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.198"
+LINUX_VERSION ?= "5.15.199"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 1a3a110c670..21233285b57 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.198"
+LINUX_VERSION ?= "5.15.199"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,7 +14,7 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "30a5abb43773a288fe85ed754f1d4518ca8f28bb"
+SRCREV_machine ?= "7b20eb2129d25bb2a1cb963d30c2f3adb1e144b3"
SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index f33ef22d83f..861af0041af 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,16 +14,16 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "3cce45b328f3485e7de2bedee542ef6898e050be"
-SRCREV_machine:qemuarm64 ?= "2b2737663d7c08b6df6ae791d46caae904710ce0"
-SRCREV_machine:qemumips ?= "7ae75ed1e71b6038140416ed1c0791373b0ed5e9"
-SRCREV_machine:qemuppc ?= "490def1150cbd931cf4ae1214c6400c47bf7bde6"
-SRCREV_machine:qemuriscv64 ?= "9121f41155a13f494c537589064abf738cb00c76"
-SRCREV_machine:qemuriscv32 ?= "9121f41155a13f494c537589064abf738cb00c76"
-SRCREV_machine:qemux86 ?= "9121f41155a13f494c537589064abf738cb00c76"
-SRCREV_machine:qemux86-64 ?= "9121f41155a13f494c537589064abf738cb00c76"
-SRCREV_machine:qemumips64 ?= "7e46020155a56cdcedf78dcaa4c90fc97393c09c"
-SRCREV_machine ?= "9121f41155a13f494c537589064abf738cb00c76"
+SRCREV_machine:qemuarm ?= "0ea8d4a7d24642475c1d1e0d8be44976600eb630"
+SRCREV_machine:qemuarm64 ?= "33aae9ebda82736fc0246e4d2bd7967bb7ef492a"
+SRCREV_machine:qemumips ?= "0d159686c17443503bc7b59f25b5129c8543193d"
+SRCREV_machine:qemuppc ?= "c8e213f83bae4792c1042bdcedd46fa60963c69b"
+SRCREV_machine:qemuriscv64 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
+SRCREV_machine:qemuriscv32 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
+SRCREV_machine:qemux86 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
+SRCREV_machine:qemux86-64 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
+SRCREV_machine:qemumips64 ?= "58c96e47bbd784e078e265426b9276bad2bb7e22"
+SRCREV_machine ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
@@ -31,7 +31,7 @@ SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "9eec9a14ee10820a0c00dd3e02ac1e0ab27ad142"
+SRCREV_machine:class-devupstream ?= "7b232985052fcf6a78bf0f965aa4241c0678c2ba"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.198"
+LINUX_VERSION ?= "5.15.199"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* Patchtest results for [OE-core][kirkstone 16/38] linux-yocto/5.15: update to v5.15.199
2026-02-24 14:24 ` [OE-core][kirkstone 16/38] linux-yocto/5.15: update to v5.15.199 Yoann Congal
@ 2026-02-24 14:32 ` patchtest
0 siblings, 0 replies; 42+ messages in thread
From: patchtest @ 2026-02-24 14:32 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 2248 bytes --]
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/kirkstone-16-38-linux-yocto-5.15-update-to-v5.15.199.patch
FAIL: test commit message user tags: Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
^ permalink raw reply [flat|nested] 42+ messages in thread
* [OE-core][kirkstone 17/38] bind: Upgrade 9.18.41 -> 9.18.44
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (15 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 16/38] linux-yocto/5.15: update to v5.15.199 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 18/38] libpng: patch CVE-2026-22695 Yoann Congal
` (20 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
This upgrade fixes CVE-2025-13878
Changelog
==========
https://downloads.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../bind/{bind_9.18.41.bb => bind_9.18.44.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/bind/{bind_9.18.41.bb => bind_9.18.44.bb} (97%)
diff --git a/meta/recipes-connectivity/bind/bind_9.18.41.bb b/meta/recipes-connectivity/bind/bind_9.18.44.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.41.bb
rename to meta/recipes-connectivity/bind/bind_9.18.44.bb
index 0e557163d5f..64dbdf890a2 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.41.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.44.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"
+SRC_URI[sha256sum] = "81f5035a25c576af1a93f0061cf70bde6d00a0c7bd1274abf73f5b5389a6f82d"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# follow the ESV versions divisible by 2
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 18/38] libpng: patch CVE-2026-22695
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (16 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 17/38] bind: Upgrade 9.18.41 -> 9.18.44 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 19/38] libpng: patch CVE-2026-22801 Yoann Congal
` (19 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per [1].
This CVE is regression of fix for CVE-2025-65018.
[1] https://security-tracker.debian.org/tracker/CVE-2026-22695
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libpng/files/CVE-2026-22695.patch | 77 +++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 1 +
2 files changed, 78 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
new file mode 100644
index 00000000000..673411eb341
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
@@ -0,0 +1,77 @@
+From e4f7ad4ea2a471776c81dda4846b7691925d9786 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 9 Jan 2026 20:51:53 +0200
+Subject: [PATCH] Fix a heap buffer over-read in `png_image_read_direct_scaled`
+
+Fix a regression from commit 218612ddd6b17944e21eda56caf8b4bf7779d1ea.
+
+The function `png_image_read_direct_scaled`, introduced by the fix for
+CVE-2025-65018, copies transformed row data from an intermediate buffer
+(`local_row`) to the user's output buffer. The copy incorrectly used
+`row_bytes` (the caller's stride) as the size parameter to memcpy, even
+though `local_row` is only `png_get_rowbytes()` bytes long.
+
+This causes a heap buffer over-read when:
+
+1. The caller provides a padded stride (e.g., for memory alignment):
+ memcpy reads past the end of `local_row` by `stride - row_width`
+ bytes.
+
+2. The caller provides a negative stride (for bottom-up layouts):
+ casting ptrdiff_t to size_t produces ~2^64, causing memcpy to
+ attempt reading exabytes, resulting in an immediate crash.
+
+The fix consists in using the size of the row buffer for the copy and
+using the stride for pointer advancement only.
+
+Reported-by: Petr Simecek <simecek@users.noreply.github.com>
+Analyzed-by: Stanislav Fort
+Analyzed-by: Pavel Kohout
+Co-authored-by: Petr Simecek <simecek@users.noreply.github.com>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+
+CVE: CVE-2026-22695
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ AUTHORS | 1 +
+ pngread.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 26b7bb50f..b9c0fffcf 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -22,6 +22,7 @@ Authors, for copyright and licensing purposes.
+ * Mike Klein
+ * Pascal Massimino
+ * Paul Schmidt
++ * Petr Simecek
+ * Qiang Zhou
+ * Sam Bushell
+ * Samuel Williams
+diff --git a/pngread.c b/pngread.c
+index e3426292b..9d86b01dc 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -3268,9 +3268,11 @@ png_image_read_direct_scaled(png_voidp argument)
+ argument);
+ png_imagep image = display->image;
+ png_structrp png_ptr = image->opaque->png_ptr;
++ png_inforp info_ptr = image->opaque->info_ptr;
+ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
+ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
+ ptrdiff_t row_bytes = display->row_bytes;
++ size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
+ int passes;
+
+ /* Handle interlacing. */
+@@ -3300,7 +3302,7 @@ png_image_read_direct_scaled(png_voidp argument)
+ png_read_row(png_ptr, local_row, NULL);
+
+ /* Copy from local_row to user buffer. */
+- memcpy(output_row, local_row, (size_t)row_bytes);
++ memcpy(output_row, local_row, copy_bytes);
+ output_row += row_bytes;
+ }
+ }
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 70685b68e7b..9ca68d9b8bc 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -22,6 +22,7 @@ SRC_URI = "\
file://CVE-2025-65018-02.patch \
file://CVE-2025-66293-01.patch \
file://CVE-2025-66293-02.patch \
+ file://CVE-2026-22695.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 19/38] libpng: patch CVE-2026-22801
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (17 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 18/38] libpng: patch CVE-2026-22695 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 20/38] libpng: patch CVE-2026-25646 Yoann Congal
` (18 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick comit per [1].
[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libpng/files/CVE-2026-22801.patch | 164 ++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 1 +
2 files changed, 165 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
new file mode 100644
index 00000000000..544134e1342
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
@@ -0,0 +1,164 @@
+From cf155de014fc6c5cb199dd681dd5c8fb70429072 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 10 Jan 2026 15:20:18 +0200
+Subject: [PATCH] fix: Remove incorrect truncation casts from
+ `png_write_image_*`
+
+The type of the row stride (`display->row_bytes`) is ptrdiff_t. Casting
+to png_uint_16 before division will truncate large strides, causing
+incorrect pointer arithmetic for images exceeding 65535 bytes per row.
+For bottom-up images (negative stride), the truncation also corrupts
+the sign, advancing the row pointer forward instead of backward.
+
+Remove the erroneous casts and let the compiler handle the pointer
+arithmetic correctly. Also replace `sizeof (png_uint_16)` with 2.
+
+Add regression test via `pngstest --stride-extra N` where N > 32767
+triggers the affected code paths.
+
+A NOTE ABOUT HISTORY:
+The original code in libpng 1.5.6 (2011) had no such casts. They were
+introduced in libpng 1.6.26 (2016), likely to silence compiler warnings
+on 16-bit systems where the cast would be a no-op. On 32/64-bit systems
+the cast truncates the strides above 65535 and corrupts the negative
+strides.
+
+CVE: CVE-2026-22801
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ CMakeLists.txt | 7 +++++++
+ contrib/libtests/pngstest.c | 29 ++++++++++++++++++++++++++++-
+ pngwrite.c | 10 +++++-----
+ tests/pngstest-large-stride | 8 ++++++++
+ 4 files changed, 48 insertions(+), 6 deletions(-)
+ create mode 100755 tests/pngstest-large-stride
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index a8cd82402..a595ed91d 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -804,6 +804,13 @@ if(PNG_TESTS AND PNG_SHARED)
+ endforeach()
+ endforeach()
+
++ # Regression test:
++ # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
++ png_add_test(NAME pngstest-large-stride
++ COMMAND pngstest
++ OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log
++ FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
++
+ add_executable(pngunknown ${pngunknown_sources})
+ target_link_libraries(pngunknown png)
+
+diff --git a/contrib/libtests/pngstest.c b/contrib/libtests/pngstest.c
+index ff4c2b24a..2f29afee2 100644
+--- a/contrib/libtests/pngstest.c
++++ b/contrib/libtests/pngstest.c
+@@ -1,7 +1,7 @@
+
+ /* pngstest.c
+ *
+- * Copyright (c) 2021 Cosmin Truta
++ * Copyright (c) 2021-2026 Cosmin Truta
+ * Copyright (c) 2013-2017 John Cunningham Bowler
+ *
+ * This code is released under the libpng license.
+@@ -3571,6 +3571,33 @@ main(int argc, char **argv)
+ opts |= NO_RESEED;
+ else if (strcmp(arg, "--fault-gbg-warning") == 0)
+ opts |= GBG_ERROR;
++ else if (strcmp(arg, "--stride-extra") == 0)
++ {
++ if (c+1 < argc)
++ {
++ char *ep;
++ unsigned long val = strtoul(argv[++c], &ep, 0);
++
++ if (ep > argv[c] && *ep == 0 && val <= 65535)
++ stride_extra = (int)val;
++
++ else
++ {
++ fflush(stdout);
++ fprintf(stderr, "%s: bad argument for --stride-extra: %s\n",
++ argv[0], argv[c]);
++ exit(99);
++ }
++ }
++
++ else
++ {
++ fflush(stdout);
++ fprintf(stderr, "%s: missing argument for --stride-extra\n",
++ argv[0]);
++ exit(99);
++ }
++ }
+ else if (strcmp(arg, "--tmpfile") == 0)
+ {
+ if (c+1 < argc)
+diff --git a/pngwrite.c b/pngwrite.c
+index 08066bcc4..a95b846c8 100644
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -1,7 +1,7 @@
+
+ /* pngwrite.c - general routines to write a PNG file
+ *
+- * Copyright (c) 2018-2022 Cosmin Truta
++ * Copyright (c) 2018-2026 Cosmin Truta
+ * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+ * Copyright (c) 1996-1997 Andreas Dilger
+ * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
+@@ -1632,7 +1632,7 @@ png_write_image_16bit(png_voidp argument)
+ }
+
+ png_write_row(png_ptr, png_voidcast(png_const_bytep, display->local_row));
+- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
++ input_row += display->row_bytes / 2;
+ }
+
+ return 1;
+@@ -1758,7 +1758,7 @@ png_write_image_8bit(png_voidp argument)
+
+ png_write_row(png_ptr, png_voidcast(png_const_bytep,
+ display->local_row));
+- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
++ input_row += display->row_bytes / 2;
+ } /* while y */
+ }
+
+@@ -1783,7 +1783,7 @@ png_write_image_8bit(png_voidp argument)
+ }
+
+ png_write_row(png_ptr, output_row);
+- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
++ input_row += display->row_bytes / 2;
+ }
+ }
+
+@@ -2102,7 +2102,7 @@ png_image_write_main(png_voidp argument)
+ ptrdiff_t row_bytes = display->row_stride;
+
+ if (linear != 0)
+- row_bytes *= (sizeof (png_uint_16));
++ row_bytes *= 2;
+
+ if (row_bytes < 0)
+ row += (image->height-1) * (-row_bytes);
+diff --git a/tests/pngstest-large-stride b/tests/pngstest-large-stride
+new file mode 100755
+index 000000000..7958c5b42
+--- /dev/null
++++ b/tests/pngstest-large-stride
+@@ -0,0 +1,8 @@
++#!/bin/sh
++
++# Regression test:
++# Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
++exec ./pngstest \
++ --stride-extra 33000 \
++ --tmpfile "large-stride-" \
++ --log "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 9ca68d9b8bc..c4347a67151 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -23,6 +23,7 @@ SRC_URI = "\
file://CVE-2025-66293-01.patch \
file://CVE-2025-66293-02.patch \
file://CVE-2026-22695.patch \
+ file://CVE-2026-22801.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 20/38] libpng: patch CVE-2026-25646
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (18 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 19/38] libpng: patch CVE-2026-22801 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 21/38] classes/buildhistory: Do not sign buildhistory commits Yoann Congal
` (17 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport patch mentioned in NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libpng/files/CVE-2026-25646.patch | 61 +++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
new file mode 100644
index 00000000000..e97c5078b04
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
@@ -0,0 +1,61 @@
+From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 6 Feb 2026 19:11:54 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
+
+The color distance hash table stored the current palette indices, but
+the color-pruning loop assumed the original indices. When colors were
+eliminated and indices changed, the stored indices became stale. This
+caused the loop bound `max_d` to grow past the 769-element hash array.
+
+The fix consists in storing the original indices via `palette_to_index`
+to match the pruning loop's expectations.
+
+Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
+Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+
+CVE: CVE-2026-25646
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ AUTHORS | 1 +
+ pngrtran.c | 6 +++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index b9c0fffcf..4094f4a57 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -14,6 +14,7 @@ Authors, for copyright and licensing purposes.
+ * Guy Eric Schalnat
+ * James Yu
+ * John Bowler
++ * Joshua Inscoe
+ * Kevin Bracey
+ * Magnus Holmgren
+ * Mandar Sahastrabuddhe
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c..1fce9af12 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1,7 +1,7 @@
+
+ /* pngrtran.c - transforms the data in a row for PNG readers
+ *
+- * Copyright (c) 2018-2019 Cosmin Truta
++ * Copyright (c) 2018-2026 Cosmin Truta
+ * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+ * Copyright (c) 1996-1997 Andreas Dilger
+ * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
+@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ break;
+
+ t->next = hash[d];
+- t->left = (png_byte)i;
+- t->right = (png_byte)j;
++ t->left = png_ptr->palette_to_index[i];
++ t->right = png_ptr->palette_to_index[j];
+ hash[d] = t;
+ }
+ }
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index c4347a67151..448594e0d77 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -24,6 +24,7 @@ SRC_URI = "\
file://CVE-2025-66293-02.patch \
file://CVE-2026-22695.patch \
file://CVE-2026-22801.patch \
+ file://CVE-2026-25646.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 21/38] classes/buildhistory: Do not sign buildhistory commits
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (19 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 20/38] libpng: patch CVE-2026-25646 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 22/38] glib-2.0: patch CVE-2026-0988 Yoann Congal
` (16 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Fabio Berton <fabio.berton@ctw.bmwgroup.com>
This change adds the --no-gpg-sign option to prevent buildhistory
commits from failing due to GPG signing issues. Depending on the setup,
buildhistory may fail to create a commit if the user has the
commit.gpgsign option enabled.
For example, if the user creates a signing key that requires a password,
the commit won't be created and will fail with the following error:
/
|error: Enter passphrase: Load key "/home/<user>/.ssh/id_ed25519":
|incorrect passphrase supplied to decrypt private key?
|fatal: failed to write commit object
\
The bitbake command won't fail, but buildhistory won't have a commit.
Also, the commit may silently fail when building inside a container due
to missing packages or issues with accessing the GPG agent.
This is similar to [1], and signing the buildhistory commit
should be avoided to prevent such issues.
1 - https://git.openembedded.org/openembedded-core/commit/?id=7595a0a63a933af9dd9d1e458dc34a4ba80d9eae
Signed-off-by: Fabio Berton <fabio.berton@ctw.bmwgroup.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a5e18714aee52db898aaf9d222fb5a4168bde96e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes/buildhistory.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 83993f5752c..52f886dff68 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -859,7 +859,7 @@ result: $result
metadata revisions:
END
cat ${BUILDHISTORY_DIR}/metadata-revs >> $commitmsgfile
- git commit $commitopts -F $commitmsgfile --author "${BUILDHISTORY_COMMIT_AUTHOR}" > /dev/null
+ git commit --no-gpg-sign $commitopts -F $commitmsgfile --author "${BUILDHISTORY_COMMIT_AUTHOR}" > /dev/null
rm $commitmsgfile
}
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 22/38] glib-2.0: patch CVE-2026-0988
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (20 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 21/38] classes/buildhistory: Do not sign buildhistory commits Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 23/38] glib-2.0: patch CVE-2026-1484 Yoann Congal
` (15 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick relevant commit from [2] linked from [1].
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../glib-2.0/glib-2.0/CVE-2026-0988.patch | 58 +++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 +
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
new file mode 100644
index 00000000000..1cdc3735edf
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
@@ -0,0 +1,58 @@
+From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 18 Dec 2025 23:12:18 +0000
+Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
+ peek()
+
+If the caller provides `offset` and `count` arguments which overflow,
+their sum will overflow and could lead to `memcpy()` reading out more
+memory than expected.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3851
+
+CVE: CVE-2026-0988
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gbufferedinputstream.c | 2 +-
+ gio/tests/buffered-input-stream.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
+index 9e6bacc62..56d656be0 100644
+--- a/gio/gbufferedinputstream.c
++++ b/gio/gbufferedinputstream.c
+@@ -588,7 +588,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
+
+ available = g_buffered_input_stream_get_available (stream);
+
+- if (offset > available)
++ if (offset > available || offset > G_MAXSIZE - count)
+ return 0;
+
+ end = MIN (offset + count, available);
+diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
+index a1af4eeff..2b2a0d9aa 100644
+--- a/gio/tests/buffered-input-stream.c
++++ b/gio/tests/buffered-input-stream.c
+@@ -58,6 +58,16 @@ test_peek (void)
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
++ buffer = g_new0 (char, 64);
++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
++ g_assert_cmpint (npeek, ==, 0);
++ g_free (buffer);
++
++ buffer = g_new0 (char, 64);
++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
++ g_assert_cmpint (npeek, ==, 0);
++ g_free (buffer);
++
+ g_object_unref (in);
+ g_object_unref (base);
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 50701be3d03..7c0ed01f555 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -70,6 +70,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-14087-02.patch \
file://CVE-2025-14087-03.patch \
file://CVE-2025-14512.patch \
+ file://CVE-2026-0988.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 23/38] glib-2.0: patch CVE-2026-1484
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (21 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 22/38] glib-2.0: patch CVE-2026-0988 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 24/38] glib-2.0: patch CVE-2026-1485 Yoann Congal
` (14 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patches from [1] linked from [2].
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3870
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4979
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../glib-2.0/glib-2.0/CVE-2026-1484-01.patch | 48 +++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2026-1484-02.patch | 45 +++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
3 files changed, 95 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
new file mode 100644
index 00000000000..e3a232aa9f5
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
@@ -0,0 +1,48 @@
+From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
+From: Marco Trevisan <mail@3v1n0.net>
+Date: Fri, 23 Jan 2026 18:48:30 +0100
+Subject: [PATCH] gbase64: Use gsize to prevent potential overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Both g_base64_encode_step() and g_base64_encode_close() return gsize
+values, but these are summed to an int value.
+
+If the sum of these returned values is bigger than MAXINT, we overflow
+while doing the null byte write.
+
+Spotted by treeplus.
+Thanks to the Sovereign Tech Resilience programme from the Sovereign
+Tech Agency.
+
+ID: #YWH-PGM9867-168
+Closes: #3870
+
+
+(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
+
+Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
+
+CVE: CVE-2026-1484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/5ba0ed9ab2c28294713bdc56a8744ff0a446b59c]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gbase64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gbase64.c b/glib/gbase64.c
+index 2ea4a4ef4..214b48911 100644
+--- a/glib/gbase64.c
++++ b/glib/gbase64.c
+@@ -262,8 +262,9 @@ g_base64_encode (const guchar *data,
+ gsize len)
+ {
+ gchar *out;
+- gint state = 0, outlen;
++ gint state = 0;
+ gint save = 0;
++ gsize outlen;
+
+ g_return_val_if_fail (data != NULL || len == 0, NULL);
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
new file mode 100644
index 00000000000..d0956e62f8c
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
@@ -0,0 +1,45 @@
+From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Wed, 21 Jan 2026 20:09:44 +0100
+Subject: [PATCH] gbase64: Ensure that the out value is within allocated size
+
+We do not want to deference or write to it
+
+Related to: #3870
+
+CVE: CVE-2026-1484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/25429bd0b22222d6986d000d62b44eebf490837d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gbase64.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gbase64.c b/glib/gbase64.c
+index 214b48911..0141b3b07 100644
+--- a/glib/gbase64.c
++++ b/glib/gbase64.c
+@@ -265,6 +265,7 @@ g_base64_encode (const guchar *data,
+ gint state = 0;
+ gint save = 0;
+ gsize outlen;
++ gsize allocsize;
+
+ g_return_val_if_fail (data != NULL || len == 0, NULL);
+
+@@ -272,10 +273,15 @@ g_base64_encode (const guchar *data,
+ +1 is needed for trailing \0, also check for unlikely integer overflow */
+ g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
+
+- out = g_malloc ((len / 3 + 1) * 4 + 1);
++ allocsize = (len / 3 + 1) * 4 + 1;
++ out = g_malloc (allocsize);
+
+ outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
++ g_assert (outlen <= allocsize);
++
+ outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
++ g_assert (outlen <= allocsize);
++
+ out[outlen] = '\0';
+
+ return (gchar *) out;
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 7c0ed01f555..c6816f93fa8 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -71,6 +71,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-14087-03.patch \
file://CVE-2025-14512.patch \
file://CVE-2026-0988.patch \
+ file://CVE-2026-1484-01.patch \
+ file://CVE-2026-1484-02.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 24/38] glib-2.0: patch CVE-2026-1485
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (22 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 23/38] glib-2.0: patch CVE-2026-1484 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 25/38] glib-2.0: patch CVE-2026-1489 Yoann Congal
` (13 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch from [1] linked from [2].
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3871
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4981
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../glib-2.0/glib-2.0/CVE-2026-1485.patch | 44 +++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1485.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1485.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1485.patch
new file mode 100644
index 00000000000..6768a1d00c4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1485.patch
@@ -0,0 +1,44 @@
+From ee5acb2cefc643450509374da2600cd3bf49a109 Mon Sep 17 00:00:00 2001
+From: Marco Trevisan <mail@3v1n0.net>
+Date: Fri, 23 Jan 2026 19:05:44 +0100
+Subject: [PATCH] gio/gcontenttype-fdo: Do not overflow if header is longer
+ than MAXINT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case the header size is longer than MAXINT we may read and write to
+invalid locations
+
+Spotted by treeplus.
+Thanks to the Sovereign Tech Resilience programme from the Sovereign
+Tech Agency.
+
+ID: #YWH-PGM9867-169
+Closes: #3871
+
+
+(cherry picked from commit aacda5b07141b944408c79e83bcbed3b2e1e6e45)
+
+Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
+
+CVE: CVE-2026-1485
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ee5acb2cefc643450509374da2600cd3bf49a109]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gcontenttype.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/gcontenttype.c b/gio/gcontenttype.c
+index 230cea182..11323973a 100644
+--- a/gio/gcontenttype.c
++++ b/gio/gcontenttype.c
+@@ -1013,7 +1013,7 @@ tree_match_free (TreeMatch *match)
+ static TreeMatch *
+ parse_header (gchar *line)
+ {
+- gint len;
++ size_t len;
+ gchar *s;
+ TreeMatch *match;
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index c6816f93fa8..37a5fd34a96 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -73,6 +73,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2026-0988.patch \
file://CVE-2026-1484-01.patch \
file://CVE-2026-1484-02.patch \
+ file://CVE-2026-1485.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 25/38] glib-2.0: patch CVE-2026-1489
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (23 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 24/38] glib-2.0: patch CVE-2026-1485 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 26/38] ffmpeg: set status of CVE-2025-25468 and CVE-2025-25469 Yoann Congal
` (12 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch from [1] linked from [2].
[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3872
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4984
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../glib-2.0/glib-2.0/CVE-2026-1489-01.patch | 42 +++
.../glib-2.0/glib-2.0/CVE-2026-1489-02.patch | 30 ++
.../glib-2.0/glib-2.0/CVE-2026-1489-03.patch | 290 ++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2026-1489-04.patch | 68 ++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 4 +
5 files changed, 434 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-04.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-01.patch
new file mode 100644
index 00000000000..612bb8bec52
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-01.patch
@@ -0,0 +1,42 @@
+From 662aa569efa65eaa4672ab0671eb8533a354cd89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Wed, 21 Jan 2026 22:00:17 +0100
+Subject: [PATCH] guniprop: Use size_t for output_marks length
+
+The input string length may overflow, and this would lead to wrong
+behavior and invalid writes.
+
+Spotted by treeplus.
+Thanks to the Sovereign Tech Resilience programme from the Sovereign
+Tech Agency.
+
+ID: #YWH-PGM9867-171
+Closes: #3872
+
+CVE: CVE-2026-1489
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/662aa569efa65eaa4672ab0671eb8533a354cd89]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/guniprop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glib/guniprop.c b/glib/guniprop.c
+index fe0033fd6..1a0cc6408 100644
+--- a/glib/guniprop.c
++++ b/glib/guniprop.c
+@@ -753,13 +753,13 @@ get_locale_type (void)
+ return LOCALE_NORMAL;
+ }
+
+-static gint
++static size_t
+ output_marks (const char **p_inout,
+ char *out_buffer,
+ gboolean remove_dot)
+ {
+ const char *p = *p_inout;
+- gint len = 0;
++ size_t len = 0;
+
+ while (*p)
+ {
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-02.patch
new file mode 100644
index 00000000000..7587a9e09e1
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-02.patch
@@ -0,0 +1,30 @@
+From 58356619525a1d565df8cc348e9784716f020f2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Wed, 21 Jan 2026 22:01:49 +0100
+Subject: [PATCH] guniprop: Do not convert size_t to gint
+
+We were correctly using size_t in output_special_case() since commit
+362f92b69, but then we converted the value back to int
+
+Related to: #3872
+
+CVE: CVE-2026-1489
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/58356619525a1d565df8cc348e9784716f020f2f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/guniprop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/guniprop.c b/glib/guniprop.c
+index 1a0cc6408..fe50a287c 100644
+--- a/glib/guniprop.c
++++ b/glib/guniprop.c
+@@ -779,7 +779,7 @@ output_marks (const char **p_inout,
+ return len;
+ }
+
+-static gint
++static size_t
+ output_special_case (gchar *out_buffer,
+ int offset,
+ int type,
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-03.patch
new file mode 100644
index 00000000000..1755254ff7d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-03.patch
@@ -0,0 +1,290 @@
+From 170dc8c4068db4c4cbf63c7d27192e230436da21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Wed, 21 Jan 2026 22:04:22 +0100
+Subject: [PATCH] guniprop: Ensure we do not overflow size in
+ g_utf8_{strdown,gstrup}()
+
+While this is technically not a security issue, when repeatedly adding
+to a size_t value, we can overflow and start from 0.
+
+Now, while being unlikely, technically an utf8 lower or upper string can
+have a longer size than the input value, and if the output string is
+bigger than G_MAXSIZE we'd end up cutting it silently.
+
+Let's instead assert each time we increase the output length
+
+CVE: CVE-2026-1489
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/170dc8c4068db4c4cbf63c7d27192e230436da21]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/guniprop.c | 109 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 70 insertions(+), 39 deletions(-)
+
+diff --git a/glib/guniprop.c b/glib/guniprop.c
+index fe50a287c..86020b6e0 100644
+--- a/glib/guniprop.c
++++ b/glib/guniprop.c
+@@ -753,14 +753,36 @@ get_locale_type (void)
+ return LOCALE_NORMAL;
+ }
+
+-static size_t
+-output_marks (const char **p_inout,
+- char *out_buffer,
+- gboolean remove_dot)
++static inline void
++increase_size (size_t *sizeptr, size_t add)
++{
++ g_assert (G_MAXSIZE - *(sizeptr) >= add);
++ *(sizeptr) += add;
++}
++
++static inline void
++append_utf8_char_to_buffer (gunichar c,
++ char *out_buffer,
++ size_t *in_out_len)
++{
++ gint utf8_len;
++ char *buffer;
++
++ buffer = out_buffer ? out_buffer + *(in_out_len) : NULL;
++ utf8_len = g_unichar_to_utf8 (c, buffer);
++
++ g_assert (utf8_len >= 0);
++ increase_size (in_out_len, utf8_len);
++}
++
++static void
++append_mark (const char **p_inout,
++ char *out_buffer,
++ size_t *in_out_len,
++ gboolean remove_dot)
+ {
+ const char *p = *p_inout;
+- size_t len = 0;
+-
++
+ while (*p)
+ {
+ gunichar c = g_utf8_get_char (p);
+@@ -768,7 +790,7 @@ output_marks (const char **p_inout,
+ if (ISMARK (TYPE (c)))
+ {
+ if (!remove_dot || c != 0x307 /* COMBINING DOT ABOVE */)
+- len += g_unichar_to_utf8 (c, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (c, out_buffer, in_out_len);
+ p = g_utf8_next_char (p);
+ }
+ else
+@@ -776,14 +798,14 @@ output_marks (const char **p_inout,
+ }
+
+ *p_inout = p;
+- return len;
+ }
+
+-static size_t
+-output_special_case (gchar *out_buffer,
+- int offset,
+- int type,
+- int which)
++static void
++append_special_case (char *out_buffer,
++ size_t *in_out_len,
++ int offset,
++ int type,
++ int which)
+ {
+ const gchar *p = special_case_table + offset;
+ gint len;
+@@ -795,10 +817,12 @@ output_special_case (gchar *out_buffer,
+ p += strlen (p) + 1;
+
+ len = strlen (p);
+- if (out_buffer)
+- memcpy (out_buffer, p, len);
++ g_assert (len < G_MAXSIZE - *in_out_len);
+
+- return len;
++ if (out_buffer)
++ memcpy (out_buffer + *in_out_len, p, len);
++
++ increase_size (in_out_len, len);
+ }
+
+ static gsize
+@@ -839,11 +863,13 @@ real_toupper (const gchar *str,
+ decomp_len = g_unichar_fully_decompose (c, FALSE, decomp, G_N_ELEMENTS (decomp));
+ for (i=0; i < decomp_len; i++)
+ {
++
+ if (decomp[i] != 0x307 /* COMBINING DOT ABOVE */)
+- len += g_unichar_to_utf8 (g_unichar_toupper (decomp[i]), out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (g_unichar_toupper (decomp[i]),
++ out_buffer, &len);
+ }
+-
+- len += output_marks (&p, out_buffer ? out_buffer + len : NULL, TRUE);
++
++ append_mark (&p, out_buffer, &len, TRUE);
+
+ continue;
+ }
+@@ -856,17 +882,17 @@ real_toupper (const gchar *str,
+ if (locale_type == LOCALE_TURKIC && c == 'i')
+ {
+ /* i => LATIN CAPITAL LETTER I WITH DOT ABOVE */
+- len += g_unichar_to_utf8 (0x130, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x130, out_buffer, &len);
+ }
+ else if (c == 0x0345) /* COMBINING GREEK YPOGEGRAMMENI */
+ {
+ /* Nasty, need to move it after other combining marks .. this would go away if
+ * we normalized first.
+ */
+- len += output_marks (&p, out_buffer ? out_buffer + len : NULL, FALSE);
++ append_mark (&p, out_buffer, &len, TRUE);
+
+ /* And output as GREEK CAPITAL LETTER IOTA */
+- len += g_unichar_to_utf8 (0x399, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x399, out_buffer, &len);
+ }
+ else if (IS (t,
+ OR (G_UNICODE_LOWERCASE_LETTER,
+@@ -877,8 +903,8 @@ real_toupper (const gchar *str,
+
+ if (val >= 0x1000000)
+ {
+- len += output_special_case (out_buffer ? out_buffer + len : NULL, val - 0x1000000, t,
+- t == G_UNICODE_LOWERCASE_LETTER ? 0 : 1);
++ append_special_case (out_buffer, &len, val - 0x1000000, t,
++ t == G_UNICODE_LOWERCASE_LETTER ? 0 : 1);
+ }
+ else
+ {
+@@ -898,7 +924,7 @@ real_toupper (const gchar *str,
+ /* Some lowercase letters, e.g., U+000AA, FEMININE ORDINAL INDICATOR,
+ * do not have an uppercase equivalent, in which case val will be
+ * zero. */
+- len += g_unichar_to_utf8 (val ? val : c, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (val ? val : c, out_buffer, &len);
+ }
+ }
+ else
+@@ -908,7 +934,7 @@ real_toupper (const gchar *str,
+ if (out_buffer)
+ memcpy (out_buffer + len, last, char_len);
+
+- len += char_len;
++ increase_size (&len, char_len);
+ }
+
+ }
+@@ -946,6 +972,8 @@ g_utf8_strup (const gchar *str,
+ * We use a two pass approach to keep memory management simple
+ */
+ result_len = real_toupper (str, len, NULL, locale_type);
++ g_assert (result_len < G_MAXSIZE);
++
+ result = g_malloc (result_len + 1);
+ real_toupper (str, len, result, locale_type);
+ result[result_len] = '\0';
+@@ -1003,14 +1031,15 @@ real_tolower (const gchar *str,
+ {
+ /* I + COMBINING DOT ABOVE => i (U+0069)
+ * LATIN CAPITAL LETTER I WITH DOT ABOVE => i (U+0069) */
+- len += g_unichar_to_utf8 (0x0069, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x0069, out_buffer, &len);
++
+ if (combining_dot)
+ p = g_utf8_next_char (p);
+ }
+ else
+ {
+ /* I => LATIN SMALL LETTER DOTLESS I */
+- len += g_unichar_to_utf8 (0x131, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x131, out_buffer, &len);
+ }
+ }
+ /* Introduce an explicit dot above when lowercasing capital I's and J's
+@@ -1018,19 +1047,19 @@ real_tolower (const gchar *str,
+ else if (locale_type == LOCALE_LITHUANIAN &&
+ (c == 0x00cc || c == 0x00cd || c == 0x0128))
+ {
+- len += g_unichar_to_utf8 (0x0069, out_buffer ? out_buffer + len : NULL);
+- len += g_unichar_to_utf8 (0x0307, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x0069, out_buffer, &len);
++ append_utf8_char_to_buffer (0x0307, out_buffer, &len);
+
+ switch (c)
+ {
+ case 0x00cc:
+- len += g_unichar_to_utf8 (0x0300, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x0300, out_buffer, &len);
+ break;
+ case 0x00cd:
+- len += g_unichar_to_utf8 (0x0301, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x0301, out_buffer, &len);
+ break;
+ case 0x0128:
+- len += g_unichar_to_utf8 (0x0303, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (0x0303, out_buffer, &len);
+ break;
+ }
+ }
+@@ -1039,8 +1068,8 @@ real_tolower (const gchar *str,
+ c == 'J' || c == G_UNICHAR_FULLWIDTH_J || c == 0x012e) &&
+ has_more_above (p))
+ {
+- len += g_unichar_to_utf8 (g_unichar_tolower (c), out_buffer ? out_buffer + len : NULL);
+- len += g_unichar_to_utf8 (0x0307, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (g_unichar_tolower (c), out_buffer, &len);
++ append_utf8_char_to_buffer (0x0307, out_buffer, &len);
+ }
+ else if (c == 0x03A3) /* GREEK CAPITAL LETTER SIGMA */
+ {
+@@ -1063,7 +1092,7 @@ real_tolower (const gchar *str,
+ else
+ val = 0x3c2; /* GREEK SMALL FINAL SIGMA */
+
+- len += g_unichar_to_utf8 (val, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (val, out_buffer, &len);
+ }
+ else if (IS (t,
+ OR (G_UNICODE_UPPERCASE_LETTER,
+@@ -1074,7 +1103,7 @@ real_tolower (const gchar *str,
+
+ if (val >= 0x1000000)
+ {
+- len += output_special_case (out_buffer ? out_buffer + len : NULL, val - 0x1000000, t, 0);
++ append_special_case (out_buffer, &len, val - 0x1000000, t, 0);
+ }
+ else
+ {
+@@ -1093,7 +1122,7 @@ real_tolower (const gchar *str,
+
+ /* Not all uppercase letters are guaranteed to have a lowercase
+ * equivalent. If this is the case, val will be zero. */
+- len += g_unichar_to_utf8 (val ? val : c, out_buffer ? out_buffer + len : NULL);
++ append_utf8_char_to_buffer (val ? val : c, out_buffer, &len);
+ }
+ }
+ else
+@@ -1103,7 +1132,7 @@ real_tolower (const gchar *str,
+ if (out_buffer)
+ memcpy (out_buffer + len, last, char_len);
+
+- len += char_len;
++ increase_size (&len, char_len);
+ }
+
+ }
+@@ -1140,6 +1169,8 @@ g_utf8_strdown (const gchar *str,
+ * We use a two pass approach to keep memory management simple
+ */
+ result_len = real_tolower (str, len, NULL, locale_type);
++ g_assert (result_len < G_MAXSIZE);
++
+ result = g_malloc (result_len + 1);
+ real_tolower (str, len, result, locale_type);
+ result[result_len] = '\0';
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-04.patch
new file mode 100644
index 00000000000..779d36ccda4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-04.patch
@@ -0,0 +1,68 @@
+From b96966058f4291db8970ced70ee22103e63679e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Fri, 23 Jan 2026 17:39:34 +0100
+Subject: [PATCH] glib/tests/unicode: Add test debug information when parsing
+ input files
+
+On case of failures makes it easier to understand on what line of the
+source file we're at, as it might not be clear for non-ascii chars
+
+CVE: CVE-2026-1489
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/b96966058f4291db8970ced70ee22103e63679e5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/tests/unicode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/glib/tests/unicode.c b/glib/tests/unicode.c
+index 90b5a98b8..44d1083dd 100644
+--- a/glib/tests/unicode.c
++++ b/glib/tests/unicode.c
+@@ -546,6 +546,7 @@ test_casemap_and_casefold (void)
+ const char *locale;
+ const char *test;
+ const char *expected;
++ size_t line = 0;
+ char *convert;
+ char *current_locale = setlocale (LC_CTYPE, NULL);
+
+@@ -555,6 +556,7 @@ test_casemap_and_casefold (void)
+
+ while (fgets (buffer, sizeof (buffer), infile))
+ {
++ line++;
+ if (buffer[0] == '#')
+ continue;
+
+@@ -588,6 +590,9 @@ test_casemap_and_casefold (void)
+
+ convert = g_utf8_strup (test, -1);
+ expected = strings[4][0] ? strings[4] : test;
++ g_test_message ("Converting '%s' => '%s' (line %" G_GSIZE_FORMAT ")",
++ test, expected, line);
++
+ g_assert_cmpstr (convert, ==, expected);
+ g_free (convert);
+
+@@ -607,9 +612,11 @@ test_casemap_and_casefold (void)
+
+ infile = fopen (filename, "r");
+ g_assert (infile != NULL);
++ line = 0;
+
+ while (fgets (buffer, sizeof (buffer), infile))
+ {
++ line++;
+ if (buffer[0] == '#')
+ continue;
+
+@@ -619,6 +626,9 @@ test_casemap_and_casefold (void)
+ test = strings[0];
+
+ convert = g_utf8_casefold (test, -1);
++ g_test_message ("Converting '%s' => '%s' (line %" G_GSIZE_FORMAT ")",
++ test, strings[1], line);
++
+ g_assert_cmpstr (convert, ==, strings[1]);
+ g_free (convert);
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 37a5fd34a96..8d349af1d5d 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -74,6 +74,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2026-1484-01.patch \
file://CVE-2026-1484-02.patch \
file://CVE-2026-1485.patch \
+ file://CVE-2026-1489-01.patch \
+ file://CVE-2026-1489-02.patch \
+ file://CVE-2026-1489-03.patch \
+ file://CVE-2026-1489-04.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 26/38] ffmpeg: set status of CVE-2025-25468 and CVE-2025-25469
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (24 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 25/38] glib-2.0: patch CVE-2026-1489 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 27/38] vim: ignore CVE-2025-66476 Yoann Congal
` (11 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
These CVEs have the same fix commit per NVD report [3].
Blaming the fix [1] is showing that the return without freeing memory
was introduced in [2].
[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d5873be583ada9e1fb887e2fe8dcfd4b12e0efcd
[2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d38fc25519cf12a9212dadcba1258fc176ffbade
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-25468
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index d64b97e7877..4793035eb72 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -105,6 +105,11 @@ CVE_CHECK_IGNORE += "CVE-2022-3341"
# bugfix: https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3
CVE_CHECK_IGNORE += "CVE-2023-6603"
+# These vulnerabilities were introduced in v8.0
+# introduced: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d38fc25519cf12a9212dadcba1258fc176ffbade
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d5873be583ada9e1fb887e2fe8dcfd4b12e0efcd
+CVE_CHECK_IGNORE += "CVE-2025-25468 CVE-2025-25469"
+
# Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
ARM_INSTRUCTION_SET:armv4 = "arm"
ARM_INSTRUCTION_SET:armv5 = "arm"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 27/38] vim: ignore CVE-2025-66476
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (25 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 26/38] ffmpeg: set status of CVE-2025-25468 and CVE-2025-25469 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 28/38] avahi: patch CVE-2025-68276 Yoann Congal
` (10 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-support/vim/vim_9.1.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-support/vim/vim_9.1.bb
index f358e61132b..e536d4ce4bd 100644
--- a/meta/recipes-support/vim/vim_9.1.bb
+++ b/meta/recipes-support/vim/vim_9.1.bb
@@ -17,3 +17,6 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
# in many places for _FORTIFY_SOURCE=2. Security flags become part of CC.
#
lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"
+
+# not-applicable-platform: Issue only applies on Windows
+CVE_CHECK_IGNORE += "CVE-2025-66476"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 28/38] avahi: patch CVE-2025-68276
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (26 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 27/38] vim: ignore CVE-2025-66476 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 29/38] avahi: patch CVE-2025-68468 Yoann Congal
` (9 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Backport the patch[1] from the PR[2] mentioned in the nvd[3].
[1] https://github.com/avahi/avahi/commit/2d48e42d44a183f26a4d12d1f5d41abb9b7c6355
[2] https://github.com/avahi/avahi/pull/806
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-68276
Dropped CI changes from the original PR during backport.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2025-68276.patch | 65 +++++++++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68276.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 20b2791ef32..b38fedb38bf 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -37,6 +37,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://CVE-2023-38473.patch \
file://CVE-2024-52616.patch \
file://CVE-2024-52615.patch \
+ file://CVE-2025-68276.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68276.patch b/meta/recipes-connectivity/avahi/files/CVE-2025-68276.patch
new file mode 100644
index 00000000000..75169419f10
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68276.patch
@@ -0,0 +1,65 @@
+From 8ec85459d8e6e59cc14457e16fb7ba171901f90e Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 17 Dec 2025 08:11:23 +0000
+Subject: [PATCH] core: refuse to create wide-area record browsers when
+ wide-area is off
+
+It fixes a bug where it was possible for unprivileged local users to
+crash avahi-daemon (with wide-area disabled) by creating record browsers
+with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus (either by calling
+the RecordBrowserNew method directly or by creating hostname/address/service
+resolvers/browsers that create those browsers internally themselves).
+
+```
+$ gdbus call --system --dest org.freedesktop.Avahi --object-path / --method org.freedesktop.Avahi.Server.ResolveHostName -- -1 -1 yo.local -1 1
+Error: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
+```
+```
+dbus-protocol.c: interface=org.freedesktop.Avahi.Server, path=/, member=ResolveHostName
+avahi-daemon: wide-area.c:725: avahi_wide_area_scan_cache: Assertion `e' failed.
+==307948==
+==307948== Process terminating with default action of signal 6 (SIGABRT)
+==307948== at 0x4B3630C: __pthread_kill_implementation (pthread_kill.c:44)
+==307948== by 0x4ADF921: raise (raise.c:26)
+==307948== by 0x4AC74AB: abort (abort.c:77)
+==307948== by 0x4AC741F: __assert_fail_base.cold (assert.c:118)
+==307948== by 0x48D8B85: avahi_wide_area_scan_cache (wide-area.c:725)
+==307948== by 0x48C8953: lookup_scan_cache (browse.c:351)
+==307948== by 0x48C8B1B: lookup_go (browse.c:386)
+==307948== by 0x48C9148: defer_callback (browse.c:516)
+==307948== by 0x48AEA0E: expiration_event (timeeventq.c:94)
+==307948== by 0x489D3AE: timeout_callback (simple-watch.c:447)
+==307948== by 0x489D787: avahi_simple_poll_dispatch (simple-watch.c:563)
+==307948== by 0x489D91E: avahi_simple_poll_iterate (simple-watch.c:605)
+==307948==
+```
+
+wide-area has been disabled by default since
+9c4214146738146e454f098264690e8e884c39bd (v0.9-rc2).
+
+https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc
+
+CVE: CVE-2025-68276
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/2d48e42d44a183f26a4d12d1f5d41abb9b7c6355]
+(cherry picked from commit 2d48e42d44a183f26a4d12d1f5d41abb9b7c6355)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ avahi-core/browse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index e8a915e..59d53cb 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -541,6 +541,11 @@ AvahiSRecordBrowser *avahi_s_record_browser_prepare(
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !(flags & AVAHI_LOOKUP_USE_WIDE_AREA) || !(flags & AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+
++ if ((flags & AVAHI_LOOKUP_USE_WIDE_AREA) && !server->wide_area_lookup_engine) {
++ avahi_server_set_errno(server, AVAHI_ERR_NOT_SUPPORTED);
++ return NULL;
++ }
++
+ if (!(b = avahi_new(AvahiSRecordBrowser, 1))) {
+ avahi_server_set_errno(server, AVAHI_ERR_NO_MEMORY);
+ return NULL;
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 29/38] avahi: patch CVE-2025-68468
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (27 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 28/38] avahi: patch CVE-2025-68276 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 30/38] avahi: patch CVE-2025-68471 Yoann Congal
` (8 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f2ed8adc37a42b561b3c4853cf8106fba39889e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2025-68468.patch | 32 +++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index b38fedb38bf..3faebcba832 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -38,6 +38,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://CVE-2024-52616.patch \
file://CVE-2024-52615.patch \
file://CVE-2025-68276.patch \
+ file://CVE-2025-68468.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
new file mode 100644
index 00000000000..3635cc8d53e
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
@@ -0,0 +1,32 @@
+From 483f83828cfda965fac914ff1b39c63c256372b2 Mon Sep 17 00:00:00 2001
+From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
+Date: Sun, 2 Mar 2025 18:06:24 +0100
+Subject: [PATCH] core: fix DoS bug by removing incorrect assertion
+
+Closes https://github.com/avahi/avahi/issues/683
+
+CVE: CVE-2025-68468
+
+Upstream-Status: Backport
+[https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ avahi-core/browse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 86e4432..79595fe 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -295,7 +295,6 @@ static void lookup_multicast_callback(
+ lookup_drop_cname(l, interface, protocol, 0, r);
+ else {
+ /* It's a normal record, so let's call the user callback */
+- assert(avahi_key_equal(b->key, l->key));
+
+ b->callback(b, interface, protocol, event, r, flags, b->userdata);
+ }
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 30/38] avahi: patch CVE-2025-68471
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (28 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 29/38] avahi: patch CVE-2025-68468 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 31/38] avahi: patch CVE-2026-24401 Yoann Congal
` (7 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5ec4156330c765bc52dbce28dbba6def9868d30f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2025-68471.patch | 36 +++++++++++++++++++
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68471.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 3faebcba832..c1d919783c1 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -39,6 +39,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://CVE-2024-52615.patch \
file://CVE-2025-68276.patch \
file://CVE-2025-68468.patch \
+ file://CVE-2025-68471.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68471.patch b/meta/recipes-connectivity/avahi/files/CVE-2025-68471.patch
new file mode 100644
index 00000000000..210565cdd61
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68471.patch
@@ -0,0 +1,36 @@
+From 4e84c1d6eb2f54d1643bd7ce62817c722ca36d25 Mon Sep 17 00:00:00 2001
+From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
+Date: Sun, 2 Mar 2025 18:06:24 +0100
+Subject: [PATCH] core: fix DoS bug by changing assert to return
+
+Closes https://github.com/avahi/avahi/issues/678
+
+CVE: CVE-2025-68471
+
+Upstream-Status: Backport
+[https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ avahi-core/browse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e57..86e4432 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -320,7 +320,10 @@ static int lookup_start(AvahiSRBLookup *l) {
+ assert(l);
+
+ assert(!(l->flags & AVAHI_LOOKUP_USE_WIDE_AREA) != !(l->flags & AVAHI_LOOKUP_USE_MULTICAST));
+- assert(!l->wide_area && !l->multicast);
++ if (l->wide_area || l->multicast) {
++ /* Avoid starting a duplicate lookup */
++ return 0;
++ }
+
+ if (l->flags & AVAHI_LOOKUP_USE_WIDE_AREA) {
+
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 31/38] avahi: patch CVE-2026-24401
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (29 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 30/38] avahi: patch CVE-2025-68471 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 32/38] pseudo: Update to 1.9.3 release Yoann Congal
` (6 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Details https://nvd.nist.gov/vuln/detail/CVE-2026-24401
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 183d0ee54f1c194e245a7bbf243c19b3c2acf4f5)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2026-24401.patch | 74 +++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index c1d919783c1..9ef771e5a2d 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://CVE-2025-68276.patch \
file://CVE-2025-68468.patch \
file://CVE-2025-68471.patch \
+ file://CVE-2026-24401.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
new file mode 100644
index 00000000000..1a442966fc9
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
@@ -0,0 +1,74 @@
+From 5eea2640324928c15936b7a2bcbf8ea0de7b08f7 Mon Sep 17 00:00:00 2001
+From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
+Date: Sun, 2 Mar 2025 18:06:24 +0100
+Subject: [PATCH] core: fix uncontrolled recursion bug using a simple loop
+ detection algorithm
+
+Closes https://github.com/avahi/avahi/issues/501
+
+CVE: CVE-2026-24401
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524]
+(cherry picked from commit 78eab31128479f06e30beb8c1cbf99dd921e2524)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ avahi-core/browse.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index f461083..975b3e9 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -401,6 +401,40 @@ static int lookup_go(AvahiSRBLookup *l) {
+ return n;
+ }
+
++static int lookup_exists_in_path(AvahiSRBLookup* lookup, AvahiSRBLookup* from, AvahiSRBLookup* to) {
++ AvahiRList* rl;
++ if (from == to)
++ return 0;
++ for (rl = from->cname_lookups; rl; rl = rl->rlist_next) {
++ int r = lookup_exists_in_path(lookup, rl->data, to);
++ if (r == 1) {
++ /* loop detected, propagate result */
++ return r;
++ } else if (r == 0) {
++ /* is loop detected? */
++ return lookup == from;
++ } else {
++ /* `to` not found, continue */
++ continue;
++ }
++ }
++ /* no path found */
++ return -1;
++}
++
++static int cname_would_create_loop(AvahiSRBLookup* l, AvahiSRBLookup* n) {
++ int ret;
++ if (l == n)
++ /* Loop to self */
++ return 1;
++
++ ret = lookup_exists_in_path(n, l->record_browser->root_lookup, l);
++
++ /* Path to n always exists */
++ assert(ret != -1);
++ return ret;
++}
++
+ static void lookup_handle_cname(AvahiSRBLookup *l, AvahiIfIndex interface, AvahiProtocol protocol, AvahiLookupFlags flags, AvahiRecord *r) {
+ AvahiKey *k;
+ AvahiSRBLookup *n;
+@@ -420,6 +454,12 @@ static void lookup_handle_cname(AvahiSRBLookup *l, AvahiIfIndex interface, Avahi
+ return;
+ }
+
++ if (cname_would_create_loop(l, n)) {
++ /* CNAME loops are not allowed */
++ lookup_unref(n);
++ return;
++ }
++
+ l->cname_lookups = avahi_rlist_prepend(l->cname_lookups, lookup_ref(n));
+
+ lookup_go(n);
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 32/38] pseudo: Update to 1.9.3 release
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (30 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 31/38] avahi: patch CVE-2026-24401 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 33/38] pseudo: Update to include an openat2 fix Yoann Congal
` (5 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following changes:
Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index dae4f4bc84a..8130fb21356 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "125b020dd2bc46baa37a80784704e382732357b4"
+SRCREV = "750362cc7b9fa58dffccd95d919b435c6d8ac614"
S = "${WORKDIR}/git"
-PV = "1.9.2+git"
+PV = "1.9.3+git"
# largefile and 64bit time_t support adds these macros via compiler flags globally
# remove them for pseudo since pseudo intercepts some of the functions which will be
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 33/38] pseudo: Update to include an openat2 fix
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (31 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 32/38] pseudo: Update to 1.9.3 release Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 34/38] pseudo: Update to include a fix for systems with kernel <5.6 Yoann Congal
` (4 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.
This updates to include the fix from upstream pseudo (along with a compile warning
fix).
This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on a alma9 system where that task
failed. After this fix, it completes.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 8130fb21356..db3951f23c1 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "750362cc7b9fa58dffccd95d919b435c6d8ac614"
+SRCREV = "9ab513512d8b5180a430ae4fa738cb531154cdef"
S = "${WORKDIR}/git"
PV = "1.9.3+git"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 34/38] pseudo: Update to include a fix for systems with kernel <5.6
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (32 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 33/38] pseudo: Update to include an openat2 fix Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 35/38] harfbuzz: ignore CVE-2026-22693 Yoann Congal
` (3 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Yoann Congal <yoann.congal@smile.fr>
$ git log --oneline --no-decorate 9ab513512d8b5180a430ae4fa738cb531154cdef..43cbd8fb4914328094ccdb4bb827d74b1bac2046
43cbd8f ports/linux: define __NR_openat2 if missing
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9a35f32b983de724d2c2e436c017b49d5b70469)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index db3951f23c1..6ebe4f457ed 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "9ab513512d8b5180a430ae4fa738cb531154cdef"
+SRCREV = "43cbd8fb4914328094ccdb4bb827d74b1bac2046"
S = "${WORKDIR}/git"
PV = "1.9.3+git"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 35/38] harfbuzz: ignore CVE-2026-22693
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (33 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 34/38] pseudo: Update to include a fix for systems with kernel <5.6 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 36/38] glibc: stable 2.35 branch updates Yoann Congal
` (2 subsequent siblings)
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Patch [1] linked in NVD report fixes issue in cache code introduced only
in v6.0.0 (as can be seen in tags containind that commit).
[1] https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
[2] https://github.com/harfbuzz/harfbuzz/commit/7a004a7ac27da776b623c0892ebced3d12213c39
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
index f7dc61ebd56..f4e90799228 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
@@ -50,3 +50,6 @@ FILES:${PN}-icu-dev = "${libdir}/libharfbuzz-icu.la \
FILES:${PN}-subset = "${libdir}/libharfbuzz-subset.so.*"
BBCLASSEXTEND = "native nativesdk"
+
+# fixed-version: vulnerability was introduced in v6.0.0
+CVE_CHECK_IGNORE += "CVE-2026-22693"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 36/38] glibc: stable 2.35 branch updates
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (34 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 35/38] harfbuzz: ignore CVE-2026-22693 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 37/38] libtasn1: Fix CVE-2025-13151 Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 38/38] u-boot: move CVE patch out of u-boot-common.inc Yoann Congal
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
git log --oneline 4e50046821f05ada5f14c76803845125ddb3ed7d..bb59339d02faebac534a87eea50c83c948f35b77
bb59339d02 (HEAD -> release/2.35/master, origin/release/2.35/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
66f0cb057c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
499d1ccafc memalign: reinstate alignment overflow check (CVE-2026-0861)
9e1a305028 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
a94467ce05 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
Testing Results:
Before After Diff
PASS 4774 4770 -4
XPASS 6 6 0
FAIL 149 154 +5
XFAIL 16 16 0
UNSUPPORTED 246 246 0
Changes in failed testcases:
testcase-name before after
malloc/tst-malloc-fork-deadlock-malloc-hugetlb2 FAIL PASS
posix/tst-wait4 FAIL PASS
malloc/tst-malloc-too-large PASS FAIL
malloc/tst-malloc-too-large-malloc-check PASS FAIL
malloc/tst-malloc-too-large-malloc-hugetlb1 PASS FAIL
malloc/tst-malloc-too-large-malloc-hugetlb2 PASS FAIL
malloc/tst-malloc-too-large-mcheck PASS FAIL
malloc/tst-mallocfork2 PASS FAIL
malloc/tst-mallocfork3 PASS FAIL
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/glibc/glibc-version.inc | 2 +-
meta/recipes-core/glibc/glibc_2.35.bb | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index b9f5e8fb8fb..06edbeb47f8 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.35/master"
PV = "2.35"
-SRCREV_glibc ?= "4e50046821f05ada5f14c76803845125ddb3ed7d"
+SRCREV_glibc ?= "bb59339d02faebac534a87eea50c83c948f35b77"
SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index 1b5830699fd..97ba50bec4a 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -27,7 +27,8 @@ CVE_CHECK_IGNORE += "CVE-2023-4527"
CVE_CHECK_IGNORE += " \
CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 \
CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 \
- CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 \
+ CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 CVE-2025-15281 \
+ CVE-2026-0861 CVE-2026-0915 \
"
DEPENDS += "gperf-native bison-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 37/38] libtasn1: Fix CVE-2025-13151
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (35 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 36/38] glibc: stable 2.35 branch updates Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
2026-02-24 14:24 ` [OE-core][kirkstone 38/38] u-boot: move CVE patch out of u-boot-common.inc Yoann Congal
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Upstream-Status: Backport from https://gitlab.com/gnutls/libtasn1/-/commit/d276cc495a2a32b182c3c39851f1ba58f2d9f9b8
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
[YC: pick the merged commit from the MR linked from the NVD report]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../gnutls/libtasn1/CVE-2025-13151.patch | 30 +++++++++++++++++++
.../recipes-support/gnutls/libtasn1_4.20.0.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
new file mode 100644
index 00000000000..5047d679840
--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
@@ -0,0 +1,30 @@
+From ff7aa7ef2b9ba41df8f2d1e71b05bf2c2ad868dd Mon Sep 17 00:00:00 2001
+From: Vijay Sarvepalli <vssarvepalli@cert.org>
+Date: Mon, 22 Dec 2025 12:24:27 -0500
+Subject: [PATCH] Fix for CVE-2025-13151 Buffer overflow
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/d276cc495a2a32b182c3c39851f1ba58f2d9f9b8]
+CVE: CVE-2025-13151
+
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/decoding.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 1e0fcb3..abcb49f 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -1983,7 +1983,7 @@ int
+ asn1_expand_octet_string (asn1_node_const definitions, asn1_node *element,
+ const char *octetName, const char *objectName)
+ {
+- char name[2 * ASN1_MAX_NAME_SIZE + 1], value[ASN1_MAX_NAME_SIZE];
++ char name[2 * ASN1_MAX_NAME_SIZE + 2], value[ASN1_MAX_NAME_SIZE];
+ int retCode = ASN1_SUCCESS, result;
+ int len, len2, len3;
+ asn1_node_const p2;
+--
+2.47.1
+
diff --git a/meta/recipes-support/gnutls/libtasn1_4.20.0.bb b/meta/recipes-support/gnutls/libtasn1_4.20.0.bb
index 8127ba5b1db..bfc011a2f17 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.20.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.20.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \
SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
file://dont-depend-on-help2man.patch \
+ file://CVE-2025-13151.patch \
"
DEPENDS = "bison-native"
^ permalink raw reply related [flat|nested] 42+ messages in thread* [OE-core][kirkstone 38/38] u-boot: move CVE patch out of u-boot-common.inc
2026-02-24 14:23 [OE-core][kirkstone 00/38] Patch review Yoann Congal
` (36 preceding siblings ...)
2026-02-24 14:24 ` [OE-core][kirkstone 37/38] libtasn1: Fix CVE-2025-13151 Yoann Congal
@ 2026-02-24 14:24 ` Yoann Congal
37 siblings, 0 replies; 42+ messages in thread
From: Yoann Congal @ 2026-02-24 14:24 UTC (permalink / raw)
To: openembedded-core
From: Scott Murray <scott.murray@konsulko.com>
Commit f5b980ad added CVE-2024-42040.patch to the base U-Boot
SRC_URI in u-boot-common.inc as opposed to adding it in the
u-boot recipe where all the other patch additions are. This
breaks at least one downstream BSP that reuses u-boot-common.inc
(meta-sifive), so move that patch addition to the recipe file
with all the others.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-bsp/u-boot/u-boot-common.inc | 4 +---
meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 7a634206426..d366f103982 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,9 +14,7 @@ PE = "1"
# repo during parse
SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
- file://CVE-2024-42040.patch \
-"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index 0ff2477c394..f0ea3ef9e07 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2022-30790.patch \
file://CVE-2022-2347_1.patch \
file://CVE-2022-2347_2.patch \
+ file://CVE-2024-42040.patch \
file://CVE-2024-57254.patch \
file://CVE-2024-57255.patch \
file://CVE-2024-57256.patch \
^ permalink raw reply related [flat|nested] 42+ messages in thread