* [OE-core][wrynose 01/55] bluez5: fix set volume failure
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 02/55] bluez5: Fix sending extra bytes with MGMT_OP_ADD_EXT_ADV_DATA Yoann Congal
` (54 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Jinwang Li <jinwang.li@oss.qualcomm.com>
Backport upstream fix for AVRCP volume initialization failure when
AVRCP connects before AVDTP.
Upstream-Status: Backport [bluez/bluez@121e5ca]
Signed-off-by: Jinwang Li <jinwang.li@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit ec27d1e5cf5010a51dca698274fea342f28958ea)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
...t-volume-failure-with-invalid-device.patch | 46 +++++++++++++++++++
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-transport-Fix-set-volume-failure-with-invalid-device.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index c792cc9c66c..c09a759244e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -71,6 +71,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-Revert-shared-shell-Don-t-init-input-for-non-interac.patch \
file://0001-tools-Work-around-broken-stdin-handling-in-home-made.patch \
file://0001-gatt-client-Fix-use-after-free-caused-by-reentrant-c.patch \
+ file://0001-transport-Fix-set-volume-failure-with-invalid-device.patch \
"
S = "${UNPACKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-transport-Fix-set-volume-failure-with-invalid-device.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-transport-Fix-set-volume-failure-with-invalid-device.patch
new file mode 100644
index 00000000000..b5846dec47f
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-transport-Fix-set-volume-failure-with-invalid-device.patch
@@ -0,0 +1,46 @@
+From 8a80f70c23ca5f93b1db7e3956cc7ee28c1fa767 Mon Sep 17 00:00:00 2001
+From: Jinwang Li <jinwang.li@oss.qualcomm.com>
+Date: Mon, 9 Mar 2026 19:18:26 +0800
+Subject: [PATCH] transport: Fix set volume failure with invalid device volume
+
+When AVRCP is connected before AVDTP, an invalid device volume causes
+the target to reject registration for the EVENT_VOLUME_CHANGED
+notification, which breaks subsequent volume updates.
+
+Fix this by initializing the volume to the maximum value in the AVRCP
+target init path when it is invalid, allowing the controller to
+subscribe to AVRCP_EVENT_VOLUME_CHANGED.
+
+Fixes: fa7828bddd21 ("transport: Fix not being able to initialize volume properly")
+Suggested-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Jinwang Li <jinwang.li@oss.qualcomm.com>
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/121e5ca79be559c5374f8a54c6fb6e233e383379]
+---
+ profiles/audio/avrcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index 724b46c59..326dfdab7 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -4296,9 +4296,16 @@ static void target_init(struct avrcp *session)
+ if (target->version < 0x0104)
+ return;
+
+- if (avrcp_volume_supported(target))
++ if (avrcp_volume_supported(target)) {
+ session->supported_events |=
+ (1 << AVRCP_EVENT_VOLUME_CHANGED);
++ /* Check if transport volume hasn't been initialized then set it
++ * to max so it works properly if the controller attempts to
++ * subscribe to AVRCP_EVENT_VOLUME_CHANGED.
++ */
++ if (media_transport_get_a2dp_volume(session->dev) < 0)
++ media_transport_set_a2dp_volume(session->dev, 127);
++ }
+
+ session->supported_events |=
+ (1 << AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED) |
+--
+2.34.1
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 02/55] bluez5: Fix sending extra bytes with MGMT_OP_ADD_EXT_ADV_DATA
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 01/55] bluez5: fix set volume failure Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 03/55] bluez5: fix gatt cache sync issue Yoann Congal
` (53 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
MGMT_OP_ADD_EXT_ADV_DATA expects the command to be of struct mgmt_cp_add_ext_adv_data not mgmt_cp_add_advertising.
Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f143e23e2e378129d6eaaab912b701cc12cc044a)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
| 33 +++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index c09a759244e..1600107b878 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -72,6 +72,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-tools-Work-around-broken-stdin-handling-in-home-made.patch \
file://0001-gatt-client-Fix-use-after-free-caused-by-reentrant-c.patch \
file://0001-transport-Fix-set-volume-failure-with-invalid-device.patch \
+ file://0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch \
"
S = "${UNPACKDIR}/bluez-${PV}"
--git a/meta/recipes-connectivity/bluez5/bluez5/0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch
new file mode 100644
index 00000000000..0a737413679
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch
@@ -0,0 +1,33 @@
+From b16441fbb7a24325f7c7d0c5ecedc88b46ddd439 Mon Sep 17 00:00:00 2001
+From: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
+Date: Thu, 4 Jun 2026 17:32:27 +0800
+Subject: [PATCH] advertising: Fix sending extra bytes with
+ MGMT_OP_ADD_EXT_ADV_DATA
+
+MGMT_OP_ADD_EXT_ADV_DATA expects the command to be of size of
+struct mgmt_cp_add_ext_adv_data not mgmt_cp_add_advertising.
+
+Upstream-Status: Backport [2a6968b40378dca5650e18e03ad0407738c47be5]
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
+---
+ src/advertising.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/advertising.c b/src/advertising.c
+index 8970e65f7..0cb37d4ae 100644
+--- a/src/advertising.c
++++ b/src/advertising.c
+@@ -1487,8 +1487,7 @@ static void add_adv_params_callback(uint8_t status, uint16_t length,
+ }
+ }
+
+- param_len = sizeof(struct mgmt_cp_add_advertising) + adv_data_len +
+- scan_rsp_len;
++ param_len = sizeof(*cp) + adv_data_len + scan_rsp_len;
+
+ cp = malloc0(param_len);
+ if (!cp) {
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 03/55] bluez5: fix gatt cache sync issue
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 01/55] bluez5: fix set volume failure Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 02/55] bluez5: Fix sending extra bytes with MGMT_OP_ADD_EXT_ADV_DATA Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 04/55] bluez5: set L2CAP IMTU for OBEX profile listeners Yoann Congal
` (52 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Mengshi Wu <mengshi.wu@oss.qualcomm.com>
There is a timing issue to update DB Hash value.
The gatt_client_service_changed() callback in src/device.c
is called from service_changed_complete() in gatt-client.c,
which is invoked after db_hash_read_cb() has already updated
the hash. Adding store_gatt_db(device) here guarantees the
db is persisted with the correct, up-to-date hash for both
the addition and removal cases.
Upstream-Status: Backport [bluez/bluez@0fd01e9]
Signed-off-by: Mengshi Wu <mengshi.wu@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 137eeffd4faa50cc9f2574712217d97b1457a8f7)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
...x-stored-gatt-cache-DB-Hash-value-no.patch | 84 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 1600107b878..4e51cc9a213 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -73,6 +73,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-gatt-client-Fix-use-after-free-caused-by-reentrant-c.patch \
file://0001-transport-Fix-set-volume-failure-with-invalid-device.patch \
file://0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch \
+ file://0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch \
"
S = "${UNPACKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch
new file mode 100644
index 00000000000..69323bdc5ee
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch
@@ -0,0 +1,84 @@
+From 9ec8cad56e47c0555a056e928e6568d543b3ae0c Mon Sep 17 00:00:00 2001
+From: Mengshi Wu <mengshi.wu@oss.qualcomm.com>
+Date: Wed, 1 Apr 2026 19:30:04 +0800
+Subject: [PATCH v1] src/device: Fix stored gatt cache DB Hash value not update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is an asymmetry in behavior: when services are added during
+the same connection (via Service Changed indication), the persistent
+storage (disk) is not updated with the new DB hash, but when services
+are removed, it is updated.
+
+During the same connection, We check DB hash value stored at
+/var/lib/bluetooth/<adaptor addr>/cache/<remote addr>.
+When established connection, the stored DB Hash value is A.Then we
+add new services, the stored DB Hash value is still A which should
+change to B. However, if we remove the existing services, the stored
+DB Hash value changed to C.
+
+When performing addition, it goes like this:
+
+discover_primary_cb()
+ └─> gatt_db_insert_service() ← NEW service inserted into db
+ └─> gatt_service_added() ← callback fires immediately
+ └─> store_gatt_db() ← SAVED TO DISK (hash still OLD)
+ ...
+ └─> discovery_op_complete(success=true)
+ └─> read_db_hash(op) ← sends ATT Read By Type
+ └─> [ATT response arrives]
+ └─> db_hash_read_cb()
+ ├─> gatt_db_attribute_write(op->hash, ...)
+ │ └─> hash UPDATED IN MEMORY
+ └─> discovery_op_complete(true, 0)
+ ├─> [no services to remove, no
+ │ store_gatt_db called]
+ └─> service_changed_complete()
+
+Whereas removal perform like this:
+discovery_op_complete(success=true) [1st call]
+ └─> read_db_hash(op)
+ └─> op->hash is NULL → sends ATT request → early return
+...
+[ATT response arrives]
+db_hash_read_cb()
+ └─> gatt_db_attribute_write(op->hash, ) ← hash UPDATED IN MEMORY
+ └─> discovery_op_complete(true, 0) [2nd call]
+ └─> read_db_hash(op) → op->hash already set → returns false
+ └─> gatt_db_remove_service()
+ └─> gatt_service_removed()
+ └─> store_gatt_db() ← SAVED TO DISK (hash is NEW)
+
+There is a timing issue to update DB Hash value.
+
+The gatt_client_service_changed() callback in src/device.c is called
+from service_changed_complete() in gatt-client.c, which is invoked
+after db_hash_read_cb() has already updated the hash. Adding
+store_gatt_db(device) here guarantees the db is persisted with the
+correct, up-to-date hash for both the addition and removal cases.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/0fd01e98cf94616a5c1c39749314cdd4a1654687]
+Signed-off-by: Mengshi Wu <mengshi.wu@oss.qualcomm.com>
+---
+ src/device.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/device.c b/src/device.c
+index 3ea683667..cfbde307b 100644
+--- a/src/device.c
++++ b/src/device.c
+@@ -6267,7 +6267,11 @@ static void gatt_client_service_changed(uint16_t start_handle,
+ uint16_t end_handle,
+ void *user_data)
+ {
++ struct btd_device *device = user_data;
++
+ DBG("start 0x%04x, end: 0x%04x", start_handle, end_handle);
++
++ store_gatt_db(device);
+ }
+
+ static void gatt_debug(const char *str, void *user_data)
+--
+2.34.1
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 04/55] bluez5: set L2CAP IMTU for OBEX profile listeners
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 03/55] bluez5: fix gatt cache sync issue Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 05/55] linux-yocto/6.18: update to v6.18.25 Yoann Congal
` (51 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Wei Deng <wei.deng@oss.qualcomm.com>
Backport upstream fix that adds an imtu field to default_settings for
OBEX profiles (OPP, FTP, PBAP, MAS, MNS) and applies it to the L2CAP
listening socket via bt_io_set(). Without this, the listening socket
advertises the L2CAP minimum of 672 bytes in L2CAP_CONFIGURATION_RSP,
limiting the peer's outgoing PDU size and degrading Rx throughput.
Upstream-Status: Backport [bluez/bluez@646014a]
Signed-off-by: Wei Deng <wei.deng@oss.qualcomm.com>
(cherry picked from commit 13cb97f6279e71320f6454fd5b89c3845b826c49)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
...2CAP-IMTU-for-OBEX-profile-listeners.patch | 118 ++++++++++++++++++
2 files changed, 119 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 4e51cc9a213..ad07e0d3c4f 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -74,6 +74,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-transport-Fix-set-volume-failure-with-invalid-device.patch \
file://0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch \
file://0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch \
+ file://0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch \
"
S = "${UNPACKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch
new file mode 100644
index 00000000000..332b11464eb
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch
@@ -0,0 +1,118 @@
+From 646014a6a246fe99df27da12d2de7bcd2e04d0df Mon Sep 17 00:00:00 2001
+From: Wei Deng <wei.deng@oss.qualcomm.com>
+Date: Thu, 4 Jun 2026 15:00:24 +0530
+Subject: [PATCH] profile: Set L2CAP IMTU for OBEX profile listeners
+
+The default_settings entries for OBEX profiles (OPP, FTP, PBAP, MAS,
+MNS) have no imtu field, so ext_start_servers() creates the L2CAP
+listening socket without an explicit IMTU. This causes the socket to
+advertise the L2CAP minimum of 672 bytes in L2CAP_CONFIGURATION_RSP,
+limiting the peer's outgoing PDU size and degrading Rx throughput.
+
+Add an imtu field to default_settings and set it to 32767 for all
+OBEX profiles that use L2CAP. Copy the value in ext_set_defaults()
+and apply it to the listening socket via bt_io_set() after
+bt_io_listen() succeeds.
+
+Signed-off-by: Wei Deng <wei.deng@oss.qualcomm.com>
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/646014a6a246fe99df27da12d2de7bcd2e04d0df]
+---
+ src/profile.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/profile.c b/src/profile.c
+index dfc5f7161..65df0f7a0 100644
+--- a/src/profile.c
++++ b/src/profile.c
+@@ -55,6 +55,8 @@
+ #define MAS_DEFAULT_CHANNEL 16
+ #define MNS_DEFAULT_CHANNEL 17
+
++#define BT_RX_MTU 32767
++
+ #define BTD_PROFILE_PSM_AUTO -1
+ #define BTD_PROFILE_CHAN_AUTO -1
+
+@@ -678,6 +680,7 @@ struct ext_profile {
+
+ uint16_t version;
+ uint16_t features;
++ uint16_t imtu;
+
+ GSList *records;
+ GSList *servers;
+@@ -1423,6 +1426,9 @@ static uint32_t ext_start_servers(struct ext_profile *ext,
+ if (psm == 0)
+ bt_io_get(io, NULL, BT_IO_OPT_PSM, &psm,
+ BT_IO_OPT_INVALID);
++ if (ext->imtu)
++ bt_io_set(io, NULL, BT_IO_OPT_IMTU, ext->imtu,
++ BT_IO_OPT_INVALID);
+ l2cap->io = io;
+ l2cap->proto = BTPROTO_L2CAP;
+ l2cap->psm = psm;
+@@ -2075,6 +2081,7 @@ static struct default_settings {
+ struct ext_io *rfcomm);
+ uint16_t version;
+ uint16_t features;
++ uint16_t imtu;
+ } defaults[] = {
+ {
+ .uuid = SPP_UUID,
+@@ -2142,6 +2149,7 @@ static struct default_settings {
+ .authorize = false,
+ .get_record = get_opp_record,
+ .version = 0x0102,
++ .imtu = BT_RX_MTU,
+ }, {
+ .uuid = OBEX_FTP_UUID,
+ .name = "File Transfer",
+@@ -2151,6 +2159,7 @@ static struct default_settings {
+ .authorize = true,
+ .get_record = get_ftp_record,
+ .version = 0x0103,
++ .imtu = BT_RX_MTU,
+ }, {
+ .uuid = OBEX_SYNC_UUID,
+ .name = "Synchronization",
+@@ -2167,6 +2176,7 @@ static struct default_settings {
+ .authorize = true,
+ .get_record = get_pse_record,
+ .version = 0x0101,
++ .imtu = BT_RX_MTU,
+ }, {
+ .uuid = OBEX_PCE_UUID,
+ .name = "Phone Book Access Client",
+@@ -2182,7 +2192,8 @@ static struct default_settings {
+ .mode = BT_IO_MODE_ERTM,
+ .authorize = true,
+ .get_record = get_mas_record,
+- .version = 0x0100
++ .version = 0x0100,
++ .imtu = BT_RX_MTU,
+ }, {
+ .uuid = OBEX_MNS_UUID,
+ .name = "Message Notification",
+@@ -2191,7 +2202,8 @@ static struct default_settings {
+ .mode = BT_IO_MODE_ERTM,
+ .authorize = true,
+ .get_record = get_mns_record,
+- .version = 0x0104
++ .version = 0x0104,
++ .imtu = BT_RX_MTU,
+ },
+ };
+
+@@ -2249,6 +2261,9 @@ static void ext_set_defaults(struct ext_profile *ext)
+ if (settings->features)
+ ext->features = settings->features;
+
++ if (settings->imtu)
++ ext->imtu = settings->imtu;
++
+ if (settings->name)
+ ext->name = g_strdup(settings->name);
+ }
+--
+2.34.1
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 05/55] linux-yocto/6.18: update to v6.18.25
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 04/55] bluez5: set L2CAP IMTU for OBEX profile listeners Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 06/55] linux-yocto/6.18: update to v6.18.26 Yoann Congal
` (50 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
a256b1e6892e7 Linux 6.18.25
ce383ba615339 rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
2937f17bbeefb crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
051e51aa55fd4 crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
111dcc6d0f016 crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
28324a3b62d9c net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
6473ed16df1fe ALSA: caiaq: take a reference on the USB device in create_card()
f8397fc0ff9a4 ALSA: hda/realtek: Add quirk for Legion S7 15IMH
1d30e8d4a07c1 ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
c76cf339b8797 f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
028103656b842 writeback: Fix use after free in inode_switch_wbs_work_fn()
feefd5d5b5ee2 ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
5e7b8f3c539d6 ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
790304c02bf9b ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
3e5360b422dd7 ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
299db777ea0cf ksmbd: validate response sizes in ipc_validate_msg()
078fae8f50ade smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
38a69f08ee82c smb: client: require a full NFS mode SID before reading mode bits
3943e4565aae7 smb: server: fix max_connections off-by-one in tcp accept path
283027aa93380 smb: server: fix active_num_conn leak on transport allocation failure
90089584b2e25 ksmbd: require minimum ACE size in smb_check_perm_dacl()
3fa185e320197 fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized
9ef130452eaf1 fuse: quiet down complaints in fuse_conn_limit_write
1381635aeb7f8 fuse: Check for large folio with SPLICE_F_MOVE
0c7fca880a40a fuse: abort on fatal signal during sync init
7de93abfaae1b fuse: reject oversized dirents in page cache
59970b2586fef f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
047c0aef6af37 f2fs: fix to avoid memory leak in f2fs_rename()
963d2e24d9d92 f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
748c5d08f1a92 f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
0112e6279420d fs/ntfs3: validate rec->used in journal-replay file record check
f218fb82877b1 scripts/dtc: Remove unused dts_version in dtc-lexer.l
c846ed5ac80fa lib/crypto: tests: Drop the default to CRYPTO_SELFTESTS
ca47b87f24571 kunit: configs: Enable all crypto library tests in all_tests.config
95c05443aa34e lib/crypto: tests: Introduce CRYPTO_LIB_ENABLE_ALL_FOR_KUNIT
b0ca42c018837 lib/crypto: tests: Add a .kunitconfig file
05f723be4d641 kunit: configs: Enable all CRC tests in all_tests.config
04c61029a3b76 lib/crc: tests: Add a .kunitconfig file
6897bdfa505f9 lib/crc: tests: Add CRC_ENABLE_ALL_FOR_KUNIT
e70c01412893c lib/crc: tests: Make crc_kunit test only the enabled CRC variants
28f77fca44497 sched/debug: Fix avg_vruntime() usage
c6c87a23de4bd arm64: errata: Work around early CME DVMSync acknowledgement
ee5ce483d4280 arm64: cputype: Add C1-Pro definitions
456d6040bb3b2 arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()
e785d2751b1db arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance
243cec136a748 arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
609624576b6fd arm64: tlb: Allow XZR argument to TLBI ops
00ce8d6789dae ksmbd: validate owner of durable handle on reconnect
3d6682726c2d3 ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
377bbec04e167 scripts: generate_rust_analyzer.py: define scripts
07cbb1bd42437 crypto: krb5enc - fix async decrypt skipping hash verification
41d151254caa7 crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
b7cddf6c01751 drm/amdgpu: replace PASID IDR with XArray
e97593f32bd57 net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers
c5cedee5d9738 ipv6: add NULL checks for idev in SRv6 paths
ecc0eb147806f crypto: authencesn - Fix src offset when decrypting in-place
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 268090b61118eb9358f57e753a42380b9ea91253)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index c6b46d229d8..bc601df34d0 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "61009d487b66b56d967a7d05e9ef15a05be8ca66"
-SRCREV_meta ?= "f94e250f9bd55d855b1a41e3cd72beebb3849ae3"
+SRCREV_machine ?= "b47fc8aaa6f14b240bd96eb35e73d3d8ba638d21"
+SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.24"
+LINUX_VERSION ?= "6.18.25"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index ef40c4864f5..638fdd18bf8 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.24"
+LINUX_VERSION ?= "6.18.25"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_meta ?= "f94e250f9bd55d855b1a41e3cd72beebb3849ae3"
+SRCREV_machine ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 5a1c22b93d7..05eccdc05ae 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "36c7eede87754f5077c67b79f86a8110969c3386"
-SRCREV_machine:qemuarm64 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_machine:qemuloongarch64 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
+SRCREV_machine:qemuarm ?= "6788c0f14b51b8c84f0153d58b00d5115f2ee8e5"
+SRCREV_machine:qemuarm64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemuloongarch64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_machine:qemuriscv64 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_machine:qemuriscv32 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_machine:qemux86 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_machine:qemux86-64 ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
+SRCREV_machine:qemuppc ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemuriscv64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemuriscv32 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemux86 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemux86-64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "b1ba5428513b52c2bd6acfd3ad0a910f699bc395"
-SRCREV_meta ?= "f94e250f9bd55d855b1a41e3cd72beebb3849ae3"
+SRCREV_machine ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "c0d886e4af574740bcffafda40ae692918ca87f9"
+SRCREV_machine:class-devupstream ?= "a256b1e6892e7fe840f0f9746316fa938e9a421f"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.24"
+LINUX_VERSION ?= "6.18.25"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 06/55] linux-yocto/6.18: update to v6.18.26
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 05/55] linux-yocto/6.18: update to v6.18.25 Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 07/55] linux-yocto/6.18: update to v6.18.28 Yoann Congal
` (49 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
1fe06068166d4 Linux 6.18.26
d5f59216650c5 Buffer overflow in drivers/xen/sys-hypervisor.c
446ee446d9ae6 xen/privcmd: fix double free via VMA splitting
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d3ad7a943d47c63f40230a40fa4667d157c85bc)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index bc601df34d0..0be25ae2a2d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "b47fc8aaa6f14b240bd96eb35e73d3d8ba638d21"
-SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
+SRCREV_machine ?= "e1a1c058b8b1fd85e631c877cacb0e5c38da1c57"
+SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.25"
+LINUX_VERSION ?= "6.18.26"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 638fdd18bf8..1ff5f5d1d1c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.25"
+LINUX_VERSION ?= "6.18.26"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
+SRCREV_machine ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 05eccdc05ae..3612ba56c11 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "6788c0f14b51b8c84f0153d58b00d5115f2ee8e5"
-SRCREV_machine:qemuarm64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_machine:qemuloongarch64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemuarm ?= "11ba8770344f8b1cf3d6960b2d04ca19ed6d1f81"
+SRCREV_machine:qemuarm64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemuloongarch64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_machine:qemuriscv64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_machine:qemuriscv32 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_machine:qemux86 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_machine:qemux86-64 ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
+SRCREV_machine:qemuppc ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemuriscv64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemuriscv32 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemux86 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemux86-64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "61a746df3dd151cccb3078ee6e1092d227b2514a"
-SRCREV_meta ?= "177495c151446a679945c20611499537d72ebcd9"
+SRCREV_machine ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "a256b1e6892e7fe840f0f9746316fa938e9a421f"
+SRCREV_machine:class-devupstream ?= "1fe06068166d4fc16722201f267b1fe19efad639"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.25"
+LINUX_VERSION ?= "6.18.26"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 07/55] linux-yocto/6.18: update to v6.18.28
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 06/55] linux-yocto/6.18: update to v6.18.26 Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 08/55] linux-yocto/6.18: update to v6.18.32 Yoann Congal
` (48 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
c31b94a4231c Linux 6.18.28
71a1d9d985d2 xfrm: esp: avoid in-place decrypt on shared skb frags
ce685b6a03dc Linux 6.18.27
97d35052a816 ipmi:ssif: NULL thread on error
52a7c9a2823d ipmi:ssif: Remove unnecessary indention
6f820139d16a netfilter: reject zero shift in nft_bitwise
b778b6d09542 net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
a8d95d274be2 mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
05b4ed8bef30 mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
e9b057a44def vmalloc: fix buffer overflow in vrealloc_node_align()
bdd9503c3d22 ALSA: aloop: Fix peer runtime UAF during format-change stop
6153878c5255 ALSA: caiaq: fix usb_dev refcount leak on probe failure
30c000a49094 drm/amdgpu: fix zero-size GDS range init on RDNA4
c261d07a8057 ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
3d46009e2ad4 ALSA: caiaq: Don't abort when no input device is available
1d160e30aa42 ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
b8c5acce56e0 driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
b42821c15445 crypto: authencesn - reject short ahash digests during instance creation
5cf6d5e5e3b8 net: qrtr: ns: Limit the total number of nodes
20855cef7e65 net: qrtr: ns: Limit the maximum number of lookups
35fb4a0c077c net: qrtr: ns: Limit the maximum server registration per node
5e9f1bad26df iio: frequency: admv1013: fix NULL pointer dereference on str
c772e9efe2b1 iio: frequency: admv1013: add dev variable
0adac0ee2c42 media: rc: igorplugusb: heed coherency rules
7ba734027b2b media: rc: ttusbir: respect DMA coherency rules
7d7863018f40 wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
0bc155c4ca47 wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
09e1c96594af phy: qcom: m31-eusb2: clear PLL_EN during init
37ef11ab2cf3 phy: qcom: m31-eusb2: Update init sequence to set PHY_ENABLE
da4a33e739dc mei: me: add nova lake point H DID
09033be12a82 mei: me: use PCI_DEVICE_DATA macro
38f113f81d3f lib: test_hmm: evict device pages on file close to avoid use-after-free
1e67c82fb778 arm64: mm: Fix rodata=full block mapping support for realm guests
5e07126d7ab8 arm64: mm: Simplify check in arch_kfence_init_pool()
6f977b0472f7 mm: prevent droppable mappings from being locked
bbc4bfae9e43 seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
13e550fbfccd scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
9da6e314ea5f sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle
43222ac484f9 rxgk: Fix potential integer overflow in length check
3fb7394a8377 rtmutex: Use waiter::task instead of current in remove_waiter()
f1af27cec07a ntfs3: fix integer overflow in run_unpack() volume boundary check
d3012690a706 ntfs3: add buffer boundary checks to run_unpack()
83e31039e0d7 NFSv4.1: Apply session size limits on clone path
fc8d81f189f0 ktest: Fix the month in the name of the failure directory
9f4ba5966c78 IB/core: Fix zero dmac race in neighbor resolution
4db061a40543 gtp: disable BH before calling udp_tunnel_xmit_skb()
b91e535f208c ceph: only d_add() negative dentries when they are unhashed
87c99a50e0fd dm mirror: fix integer overflow in create_dirty_log()
a616126cb080 crypto: nx - Fix packed layout in struct nx842_crypto_header
354a27e28447 crypto: nx - fix context leak in nx842_crypto_free_ctx
5c07962fed66 crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
2ae365e32998 crypto: atmel-sha204a - Fix uninitialized data access on OTP read error
1193c12126d3 crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
64ea9dbf4c77 crypto: atmel-sha204a - Fix error codes in OTP reads
863d11b39277 crypto: atmel-tdes - fix DMA sync direction
910f335786a0 crypto: ccree - fix a memory leak in cc_mac_digest()
808685bfd124 crypto: hisilicon - Fix dma_unmap_single() direction
9c032781c2b1 crypto: atmel-ecc - Release client on allocation failure
61516b4a5b26 crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
4d713333dd32 crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
343a5bf68a8f crypto: acomp - fix wrong pointer stored by acomp_save_req()
c524c124e309 can: ucan: fix devres lifetime
1656698656f6 bus: mhi: host: pci_generic: Switch to async power up to avoid boot delays
e08d75753db1 Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
b4339521bb43 apparmor: use target task's context in apparmor_getprocattr()
b7a953374db9 mfd: core: Preserve OF node when ACPI handle is present
e88827bb0399 taskstats: set version in TGID exit notifications
83bb57635d7c tcp: call sk_data_ready() after listener migration
69c4d137b22d wifi: rtl8xxxu: fix potential use of uninitialized value
4f3374c990fb x86/shstk: Prevent deadlock during shstk sigreturn
ef7ce8f4a341 x86/cpu: Disable FRED when PTI is forced on
fdaa42ca370d inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
371f4dc80601 HID: apple: ensure the keyboard backlight is off if suspending
ea43a34452a6 check-uapi: link into shared objects
73ce72edd113 md/raid5: validate payload size before accessing journal metadata
1985cb3247e8 md/raid5: fix soft lockup in retry_aligned_read()
9142f00a9287 md/md-llbitmap: raise barrier before state machine transition
98623c7e2a51 md/md-llbitmap: skip reading rdevs that are not in_sync
f7d9d0e4a64f amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
ac858718219f mtd: spinand: winbond: Declare the QE bit on W25NxxJW
134975be170b mtd: spi-nor: sst: Fix write enable before AAI sequence
1e6b0a69bf2c ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
537e06597702 ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
6b4bf6519e50 ring-buffer: Do not double count the reader_page
f9c279ffee6b ARM: 9472/1: fix race condition on PG_dcache_clean in __sync_icache_dcache()
cd2689d625b0 perf annotate: Use jump__delete when freeing LoongArch jumps
5955e053ff00 KVM: nSVM: Always intercept VMMCALL when L2 is active
009c0f726abe KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
83f7e055c138 KVM: nSVM: Add missing consistency check for nCR3 validity
0d1f3fd2664b KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE
aabd785f9565 KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
d79720fc9959 KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
b6656ba26525 KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
c2fad967e652 KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
d6f6371bbea6 KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT
410ea5575c66 KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper
72fe7d04a669 KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper
49c8b2395bac KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
2b922a42b531 KVM: SVM: Add missing save/restore handling of LBR MSRs
18ff4ab16412 KVM: SVM: Switch svm_copy_lbrs() to a macro
a5ea402844f1 KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run
a3f0981a5a0e KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
88572f9d83d7 KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
3a95eb7c6950 KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run
3428ed1529a1 KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN
46b3827abc44 KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
8302e9be9f9c KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
c15392ed9e49 KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
497f6af9679f KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
076ab13fe321 KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
e07ad47e53e9 KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
c098979293da KVM: x86: Defer non-architectural deliver of exception payload to userspace read
26f01d03775e LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()
fe06ea2f7b7f userfaultfd: allow registration of ranges below mmap_min_addr
0fedd09ef952 mm/damon/core: use time_in_range_open() for damos quota window start
b09958e235f2 mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
8a62c58411cb mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()
c42a7efb9060 mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()
687ccdf58216 mm/vmalloc: take vmap_purge_lock in shrinker
5184e2c065e3 rtc: ntxec: fix OF node reference imbalance
b5856e85a1f0 tpm: tpm_tis: stop transmit if retries are exhausted
6503775a5c41 tpm: tpm_tis: add error logging for data transfer
53e6d2d834df tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
726ce5042359 tpm: Fix auth session leak in tpm2_get_random() error path
f8775d9d9062 tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()
82aa32a4d697 pwm: imx-tpm: Count the number of enabled channels in probe
dedaa897b9d7 crypto: talitos - rename first/last to first_desc/last_desc
4861d6cd923f crypto: talitos - fix SEC1 32k ahash request limitation
75d40ccf38ca firmware: google: framebuffer: Do not unregister platform device
5c293a1e1ef0 xfs: fix a resource leak in xfs_alloc_buftarg()
fe570daa5193 xfs: start gc on zonegc_low_space attribute updates
27f561bf894e crypto: qat - fix IRQ cleanup on 6xxx probe failure
6d8087a7d0f3 arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
52e1a80bacc6 mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
d73c3a4070dc mmc: block: use single block write in retry
d780f24a4939 randomize_kstack: Maintain kstack_offset per task
95d48e37a130 hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
6b11dfb3c517 ASoC: Intel: avs: replace strcmp with sysfs_streq
77eb3e79a3e7 drm/amd: Fix set but not used warnings
b3166d165753 fs: prepare for adding LSM blob to backing_file
b69a8729f84a hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit
bff7dbfc326a power: supply: axp288_charger: Do not cancel work before initializing it
988eff645be4 LoongArch: Show CPU vulnerabilites correctly
c5dfddc57f1b tpm: avoid -Wunused-but-set-variable
80f54d6f9142 extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
11baa8b24bcb spi: fix resource leaks on device setup failure
016bc6636573 libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
c2178ff1c70e ipv4: icmp: validate reply type before using icmp_pointers
9b924f3a26b2 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
f344f04e33bf tracing/fprobe: Reject registration of a registered fprobe before init
38387ccc0fbe slub: fix data loss and overflow in krealloc()
9eed57e9defd drm/arcpgu: fix device node leak
e9be7d2fb0b1 net: ks8851: Avoid excess softirq scheduling
f826f0000100 net: mctp: fix don't require received header reserved bits to be zero
20ba739bd627 netconsole: avoid out-of-bounds access on empty string in trim_newline()
5424e678f9b3 net: bridge: use a stable FDB dst snapshot in RCU readers
be8aad558b46 net: ks8851: Reinstate disabling of BHs around IRQ handler
ea0b5d0fe963 net/smc: avoid early lgr access in smc_clc_wait_msg
1c2afc4a1dd1 net: txgbe: fix firmware version check
033370ffb3c9 net: rds: fix MR cleanup on copy error
154fc7fe3f62 net: qrtr: ns: Free the node during ctrl_cmd_bye()
7ef5b521785b arm64: dts: marvell: uDPU: add ethernet aliases
d29cafc7e4ee net: txgbe: fix RTNL assertion warning when remove module
491344b826a5 tools/accounting: handle truncated taskstats netlink messages
ff591df2cd7f EDAC/versalnet: Fix memory leak in remove and probe error paths
761c37b761ed rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
76cb9a2d2522 rxrpc: Fix re-decryption of RESPONSE packets
293095ef6188 rxrpc: Fix error handling in rxgk_extract_token()
f0d3efd03b2a rxrpc: Fix rxkad crypto unalignment handling
ca71ac2de389 rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
861b9a0a1823 rxrpc: Fix memory leaks in rxkad_verify_response()
996b0487b3cd rxrpc: Fix potential UAF after skb_unshare() failure
d42d5404782f iio: adc: ad7768-1: remove switch to one-shot mode
4ca3746d9492 iio: adc: ad7768-1: fix one-shot mode data acquisition
54af1a51bb8b ALSA: pcmtest: Fix resource leaks in module init error paths
91c8e75ba1f1 ALSA: pcmtest: fix reference leak on failed device registration
89ed38540e6b ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx
1ac67f49ae2c ALSA: 6fire: Fix input volume change detection
e59ecd4ee3a4 ALSA: caiaq: Handle probe errors properly
30bd9ed68c84 ALSA: caiaq: Fix control_put() result and cache rollback
33df74673674 ALSA: core: Fix potential data race at fasync handling
9678e1b7f512 io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
ea0697129807 io_uring/poll: fix signed comparison in io_poll_get_ownership()
23b4b18bac28 iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
8661370e0865 block: relax pgmap check in bio_add_page for compatible zone device pages
dd154d768db5 io_uring/timeout: check unused sqe fields
81880f84cb36 block: fix zone write plugs refcount handling in disk_zone_wplug_schedule_bio_work()
ad0126ffcba8 rbd: fix null-ptr-deref when device_add_disk() fails
4d79d0cf6538 selftests/landlock: Skip stale records in audit_match_record()
127ae2e73e61 selftests/landlock: Fix snprintf truncation checks in audit helpers
1e85a1ae1452 selftests/landlock: Fix format warning for __u64 in net_test
a496488e1702 selftests/landlock: Drain stale audit records on init
2fcde49092aa landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()
df865a3bb91b selftests/mqueue: Fix incorrectly named file
558aa1e2cd11 sched: Use u64 for bandwidth ratio calculations
961db0b89200 reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime
06d0bed2552f remoteproc: xlnx: Only access buffer information if IPI is buffered
8ba804869382 RDMA/mana_ib: Disable RX steering on RSS QP destroy
dffdcbeabaac PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access
1fe317364cb5 parisc: Drop ip_fast_csum() inline assembly implementation
e6e3724c7870 parisc: _llseek syscall is only available for 32-bit userspace
c2462d54af3c nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
8bcc66896e01 nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
d89044889ecd mtd: docg3: fix use-after-free in docg3_release()
2774bcf71473 mm/hugetlb: fix early boot crash on parameters without '=' separator
2691332ad88b mm/damon/core: fix damon_call() vs kdamond_fn() exit race
d5b495ba9de0 mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
3c52d0946977 mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
377f5ad257fb io_uring/register: fix ring resizing with mixed/large SQEs/CQEs
cac2106bb9a2 md/raid10: fix deadlock with check operation and nowait requests
bdf33ba450af KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs
2b2fee890250 jbd2: fix deadlock in jbd2_journal_cancel_revoke()
858bc8b9edb6 ipmi:ssif: Clean up kthread on errors
8ebb951a284b erofs: fix the out-of-bounds nameoff handling for trailing dirents
33074b1e6c18 ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
09496158f6eb ALSA: ctxfi: Add fallback to default RSR for S/PDIF
8d3124290a03 ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
df462e82e82c ALSA: aoa: i2sbus: fix OF node lifetime handling
e79427ee11a8 ALSA: aoa: i2sbus: clear stale prepared state
0ae7d28dda5c mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
2dde6377ab2e ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
2e127ceb1c41 net: qrtr: ns: Fix use-after-free in driver remove()
da47f8a5958c media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
4d3a4638e9d2 lib/ts_kmp: fix integer overflow in pattern length calculation
dca29d20ab23 PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
127a1fe59c78 Revert "ALSA: usb: Increase volume range that triggers a warning"
65fc57c8b8f0 PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
4ca4351d269f crypto: atmel-sha204a - Fix OTP sysfs read and error handling
26506a30e0e2 media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
19ca9475f18f net: strparser: fix skb_head leak in strp_abort_strp()
63d21a3aa010 net: caif: clear client service pointer on teardown
654c818a69c2 ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
fdc150dac1ad media: amphion: Fix race between m2m job_abort and device_run
e0a621459c61 PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX
b6e61356ad24 EDAC/versalnet: Fix device_node leak in mc_probe()
b6cb07f02253 hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
5b6122a67a29 of: unittest: fix use-after-free in testdrv_probe()
7f0f0926f301 of: unittest: fix use-after-free in of_unittest_changeset()
824897e69d7a dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock constraints
77d55bc8675e crypto: pcrypt - Fix handling of MAY_BACKLOG requests
ebc235675f24 crypto: algif_aead - snapshot IV for async AEAD requests
efc52947247a mm: call ->free_folio() directly in folio_unmap_invalidate()
ff8a7996dc8b spi: ch341: fix memory leaks on probe failures
132e47030b0b spi: imx: fix use-after-free on unbind
75f8f3c3e091 thermal: core: Fix thermal zone governor cleanup issues
2810fc760aaf um: drivers: call kernel_strrchr() explicitly in cow_user.c
5d6c349c9823 vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
7b436ade16cc vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
08da3594c8ba vfio/virtio: Convert list_lock from spinlock to mutex
7aa27b20e938 vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()
4e179a60a60c wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
000134a20bbf wifi: rtw88: check for PCI upstream bridge existence
a02363f71a79 zram: do not forget to endio for partial discard requests
a516d4388662 Input: edt-ft5x06 - fix use-after-free in debugfs teardown
3c636a3edca9 ocfs2: split transactions in dio completion to avoid credit exhaustion
944a6864aa06 mm: migrate: requeue destination folio on deferred split queue
3f8805b8ca23 arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
ecb3e4fa31ff firmware: google: framebuffer: Do not mark framebuffer as busy
f51f85c04480 fs: afs: revert mmap_prepare() change
d4d0c91a0afc kbuild: rust: allow `clippy::uninlined_format_args`
5447be57b311 rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs
4404d7d2dda4 drm/nouveau: fix nvkm_device leak on aperture removal failure
fa9a4c5e69aa device property: Make modifications of fwnode "flags" thread safe
3e8fefd2997c driver core: Don't let a device probe until it's ready
c1c2417c60db ibmasm: fix heap over-read in ibmasm_send_i2o_message()
ee5737891464 ibmasm: fix OOB reads in command_file_write due to missing size checks
22a16d3eafee misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
b2801647c203 greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
fb91d4e49fcb greybus: gb-beagleplay: bound bootloader receive buffering
438e357b3cc6 leds: qcom-lpg: Check for array overflow when selecting the high resolution
332884f5eb79 drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
85cbf7fb568a LoongArch: Add spectre boundry for syscall dispatch table
c578b48b9fdf ALSA: usb-audio: Evaluate packsize caps at the right place
b216de91c0c0 usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change
6f480aa64d4d usb: chipidea: otg: not wait vbus drop if use role_switch
49340680d41f usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
f28a8281792b ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
9bbbbbd404d3 ALSA: usb-audio: Avoid false E-MU sample-rate notifications
4d7893a137ea ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f35a7bec1956824875b1eaf9f8afbe25691eb448)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 0be25ae2a2d..8002faf245b 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "e1a1c058b8b1fd85e631c877cacb0e5c38da1c57"
-SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
+SRCREV_machine ?= "67f352d4d0901a3c3c2cb2cbecd23c66c793e860"
+SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.26"
+LINUX_VERSION ?= "6.18.28"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 1ff5f5d1d1c..2b824c75c44 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.26"
+LINUX_VERSION ?= "6.18.28"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
+SRCREV_machine ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 3612ba56c11..707c163fcc0 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "11ba8770344f8b1cf3d6960b2d04ca19ed6d1f81"
-SRCREV_machine:qemuarm64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_machine:qemuloongarch64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemuarm ?= "3f4d05e9da100380b042f317240ef81262ed1574"
+SRCREV_machine:qemuarm64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemuloongarch64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_machine:qemuriscv64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_machine:qemuriscv32 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_machine:qemux86 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_machine:qemux86-64 ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
+SRCREV_machine:qemuppc ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemuriscv64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemuriscv32 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemux86 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemux86-64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "4267d0126960b8bc599060c71014e8d8a4b8becf"
-SRCREV_meta ?= "127f83ad4e21b6663d72fceba80bfb945c21e4f0"
+SRCREV_machine ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "1fe06068166d4fc16722201f267b1fe19efad639"
+SRCREV_machine:class-devupstream ?= "c31b94a4231c974dca12e6b83f2af1d1d95dfc5e"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.26"
+LINUX_VERSION ?= "6.18.28"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 08/55] linux-yocto/6.18: update to v6.18.32
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 07/55] linux-yocto/6.18: update to v6.18.28 Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:40 ` [OE-core][wrynose 09/55] linux-yocto/6.18: qat/intel configuration warning fixes Yoann Congal
` (47 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
52386a7b1beb Linux 6.18.32
271cd5429513 drm/amdgpu/vcn4: Avoid overflow on msg bound check
016b64a0313e drm/amdgpu/vcn3: Avoid overflow on msg bound check
e9edf9893cf2 vsock/virtio: fix accept queue count leak on transport mismatch
52da6a74ca3d vsock/virtio: fix empty payload in tap skb for non-linear buffers
a534e1f985b6 vsock/virtio: fix length and offset in tap skb for split packets
2602f7bb5818 vsock: fix buffer size clamping order
8be786053797 batman-adv: tp_meter: fix tp_num leak on kmalloc failure
5e9dfc07d061 tracing/fprobe: Remove fprobe from hash in failure path
a2181464a4a7 tracing/fprobe: Unregister fprobe even if memory allocation fails
d83e51202fec tracing: fprobe: optimization for entry only case
52277410cbed tracing: fprobe: use rhltable for fprobe_ip_table
5d12e0ab009a btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
dfd05a16b5c9 btrfs: fix double free in create_space_info_sub_group() error path
a4b5c5d2f8c5 btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
d784865ce48f usb: dwc3: Move GUID programming after PHY initialization
476ee6389120 usb: dwc3: Add dwc pointer to dwc3_readl/writel
e63942da5e96 usb: dwc3: Remove of dep->regs
ce9aaa3af445 sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
30cf8e05d635 sched/ext: Implement cgroup_set_idle() callback
dc34f8d8240f Bluetooth: hci_conn: fix potential UAF in create_big_sync
c0a8dca8d556 spi: zynq-qspi: fix controller deregistration
ed822a569645 spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
33e5ce64b817 spi: tegra114: fix controller deregistration
65eafad7a600 spi: tegra20-sflash: fix controller deregistration
fafa9a4e831b spi: uniphier: fix controller deregistration
b0a97cb0b9ba spi: uniphier: Simplify clock handling with devm_clk_get_enabled()
6542e180fa6e pseries/papr-hvpipe: Fix race with interrupt handler
09c15bbbed53 papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()
24d2912962d0 EDAC/versalnet: Fix device name memory leak
d281f3ac0d00 block: fix zone write plug removal
7105d9f1387d fbcon: Avoid OOB font access if console rotation fails
1817dd0c350f fbcon: Rename struct fbcon_ops to struct fbcon_par
f0d3bb6f5125 drm/amdgpu: rework how we handle TLB fences
13e9ea445191 Revert "drm/amdgpu: don't attach the tlb fence for SI"
576b73b24656 drm/amdgpu: Fix validating flush_gpu_tlb_pasid()
fd78e63459ab drm/amdgpu: validate the flush_gpu_tlb_pasid()
a9591e4083cc mm/damon/core: disallow time-quota setting zero esz
377c3d5dc952 usb: typec: tcpm: reset internal port states on soft reset AMS
d893804e9e3b mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
4697ed7be9b9 mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
679e65ae721c mm/damon/core: implement damon_kdamond_pid()
20048f0b38cd LoongArch: KVM: Compile switch.S directly into the kernel
f49a00180dfc io_uring/zcrx: warn on freelist violations
1a516d19100e io_uring/zcrx: use guards for locking
0baf4b659cdc batman-adv: bla: put backbone reference on failed claim hash insert
b65365d2b1e6 batman-adv: bla: only purge non-released claims
00155f336a5e batman-adv: bla: prevent use-after-free when deleting claims
09dc0d1a1222 batman-adv: stop caching unowned originator pointers in BAT IV
03660dab86f9 batman-adv: stop tp_meter sessions during mesh teardown
e1e2194cc725 batman-adv: reject new tp_meter sessions during teardown
bf872db54f91 batman-adv: fix integer overflow on buff_pos
c9dadb31f360 sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
cd39452498e2 arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22
3eb7d0e2d4a0 arm64: dts: qcom: lemans: Correct QUP interrupt numbers
f8f546883e87 drm/amdgpu/pm: align Hawaii mclk workaround with radeon
6fed6e9f1062 drm/amdgpu/pm: add missing revision check for CI
0b91ea46bb68 drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
6fbd52d210c1 drm/amdkfd: Make all TLB-flushes heavy-weight
46bc180e6ede drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds
73af14be7645 drm/bridge: tda998x: Use __be32 for audio port OF property pointer
71614ab2a683 drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
f6dbec5bee72 drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds
ed21d6e4ce03 drm/exynos: remove bridge when component_add fails
b17175d0a375 drm/amdgpu: zero-initialize GART table on allocation
264ee64cf867 drm/radeon: add missing revision check for CI
672464dd5323 drm: Set old handle to NULL before prime swap in change_handle
87f9b1528e1f drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
fa449b88706e drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked()
0afa8b1ef582 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
cd38e1503e67 drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()
f9ad21b90162 drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
2b5ba326f9d0 drm/udl: Increase GET_URB_TIMEOUT
db9530a9873a drm/amdkfd: validate SVM ioctl nattr against buffer size
a7735b491a2d drm/appletbdrm: Use kvzalloc for big allocations
1a17ea9861e8 drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
158def957199 drm/amd/display: Change dither policy for 10 bpc output back to dithering
638e48ee39d0 drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
63b51e8a9d54 drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
b3d1a0a45c4a drm/amdgpu/vce: Prevent partial address patches
a6d5563ba1f0 drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
fec8b11b55e5 drm/amdgpu: Add bounds checking to ib_{get,set}_value
44d5a450c04d drm/amdkfd: Add upper bound check for num_of_nodes
de137adccf7a drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x
f34eda3ff33d drm/amdgpu: gate VM CPU HDP flush on reset lock
2795d325bb5c drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
77d0b5d11387 drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
48fb2213e2c2 drm/i915/psr: Init variable to avoid early exit from et alignment loop
132b8d51f0ff drm/msm: always recover the gpu
c5b5a0e418b1 drm/imx: parallel-display: Prefer bus format set via legacy "interface-pix-fmt" DT property
c57c861956b8 drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
e9ae6590405d spi: cadence: fix clock imbalance on probe failure
6ac380a0071d spi: cadence: fix unclocked access on unbind
59701f07b19e spi: cadence: fix controller deregistration
6c3e413919a1 spi: mpc52xx: fix use-after-free on unbind
28f28a0f4e32 spi: mpc52xx: fix controller deregistration
336d9ad7560b spi: mpc52xx: fix use-after-free on registration failure
07dc76d31be4 spi: orion: fix clock imbalance on registration failure
b809b8d2a114 spi: orion: fix runtime pm leak on unbind
ec7a4cff8355 spi: orion: fix controller deregistration
5c03d52ee6ce spi: mxic: fix controller deregistration
2a2973cb3682 spi: imx: fix runtime pm leak on probe deferral
6a405d594207 spi: mpfs: fix controller deregistration
b2bdbe293012 spi: img-spfi: fix controller deregistration
4b0fe572a8ea spi: slave-mt27xx: fix controller deregistration
0df72db5a13c spi: sh-msiof: fix controller deregistration
aee76c1dd189 spi: rspi: fix controller deregistration
229cc70e4e90 spi: sprd: fix controller deregistration
cdbf6baefff0 spi: pic32-sqi: fix controller deregistration
82a95eca235b spi: cavium-thunderx: fix controller deregistration
e84a84209b3f spi: npcm-pspi: fix controller deregistration
ee2100d08094 spi: coldfire-qspi: fix controller deregistration
047f939c602c spi: bcmbca-hsspi: fix controller deregistration
ca3195c7b883 spi: fsl: fix controller deregistration
d78c5ca1563c spi: sh-hspi: fix controller deregistration
4422fc2411cb spi: ch341: fix devres lifetime
af4f58c18c4c spi: pl022: fix controller deregistration
cc8a904cbe6d spi: mtk-nor: fix controller deregistration
894d761a3a85 spi: pic32: fix controller deregistration
4ed7de898bbb spi: omap2-mcspi: fix controller deregistration
09ceedcebc77 spi: fsl-espi: fix controller deregistration
b99939bccae9 spi: s3c64xx: fix controller deregistration
c74ba7340010 spi: dln2: fix controller deregistration
724520793a2e spi: mt65xx: fix controller deregistration
cc525debdfc8 spi: mxs: fix controller deregistration
22ee38cbf536 media: qcom: camss: Add missing clocks for VFE lite on sa8775p
696ac7c49c27 media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()
095c51bc86d3 media: venus: fix QCOM_MDT_LOADER dependency
e56a25247860 media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on SC7280
9d6217429cd4 media: qcom: camss: Fix csid IRQ offset for sa8775p
8744fd0835dd media: qcom: camss: Fix csid clock configuration for sa8775p
dd24998a4a40 media: iris: Fix use-after-free in iris_release_internal_buffers()
1920b4602ec9 media: iris: fix QCOM_MDT_LOADER dependency
d172bb82f70c media: omap3isp: drop the use count of v4l2 pipeline
cedfde9f45b1 media: i2c: ov08d10: fix runtime PM handling in probe
d9e678e8c633 media: i2c: ov08d10: fix image vertical start setting
ea91dee38b4e media: staging: imx: request mbus_config in csi_start
731d7ab8dfa2 media: i2c: imx412: Assert reset GPIO during probe
34fe9c3c594e media: dib8000: avoid division by 0 in dib8000_set_dds()
def939175ab8 media: pci: zoran: fix potential memory leak in zoran_probe()
84d781069294 arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt
65d7b2aecdfe arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for pinctrl/pinctrl_aon
5167575b79e2 vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy
75c38af4d919 platform/x86: hp-wmi: Ignore backlight and FnLock events
45890a035e2b spi: aspeed-smc: fix controller deregistration
07938829cc11 spi: amlogic-spisg: fix controller deregistration
6047dc542fa4 media: saa7164: add ioremap return checks and cleanups
d6f56e66e8f4 spi: at91-usart: fix controller deregistration
5d707cf9c138 spi: qup: fix controller deregistration
4eccd83f228f spi: meson-spicc: fix controller deregistration
6ca3eaa82812 spi: lantiq-ssc: fix controller deregistration
184dcecc9521 regulator: bd9571mwv: fix OF node reference imbalance
037bcca27835 regulator: s2dos05: fix OF node reference imbalance
890a8bcef309 regulator: act8945a: fix OF node reference imbalance
41ef27dcaa12 media: i2c: imx283: Fix hang when going from large to small resolution
f43e30646fc9 media: intel/ipu6: fix error pointer dereference
21fade52ab9f media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
dd681c102b4b regulator: rk808: fix OF node reference imbalance
e7374c142169 regulator: bq257xx: fix OF node reference imbalance
6c5d4c819d92 media: i2c: imx283: Enter full standby when stopping streaming
ecd0c501bd63 media: rc: streamzap: Error handling in probe
63a960b39de9 media: rc: xbox_remote: heed DMA restrictions
a8ada5b76115 regulator: max77650: fix OF node reference imbalance
8993d307cf2c spi: st-ssc4: fix controller deregistration
2d51cfca8482 regulator: mt6357: fix OF node reference imbalance
c7848b67ef10 staging: media: atomisp: Disallow all private IOCTLs
af2dc8b8460c arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux
72972aba49df spi: atmel: fix controller deregistration
c66a6f226a5f spi: bcm63xx: fix controller deregistration
7fbb3b4bef02 drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages
ea28b33e1b15 media: chips-media: wave5: add missing spinlock protection for handle_dynamic_resolution_change()
d71fc6874fce media: chips-media: wave5: add missing spinlock protection for send_eos_event()
b40ec65e0926 media: chips-media: wave5: fix a potential memory leak in wave5_vdi_init()
6261d5fd172b media: dt-bindings: rockchip,vdec: Mark reg-names required for RK35{76,88}
361e66fb431d media: dt-bindings: rockchip,vdec: Add alternative reg-names order for RK35{76,88}
791598484fd5 media: i2c: ov8856: free control handler on error in ov8856_init_controls()
b6e5c80cc2b2 media: renesas: vin: Fix RAW8 (again)
bfb2081ba00a media: renesas: vsp1: Fix NULL pointer deref on module unload
4d6e8496486d media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0
0ac9ec121d89 drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames
06d99af8db11 media: uvcvideo: Enable VB2_DMABUF for metadata stream
80d8cc29d3b6 HID: pidff: Fix integer overflow in pidff_rescale
5c0830323689 HID: appletb-kbd: run inactivity autodim from workqueues
59a79938ca55 HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
7812694752a5 HID: playstation: Clamp num_touch_reports
6c1de6e6aa8c Linux 6.18.31
2a93a4fac7b6 ptrace: slightly saner 'get_dumpable()' logic
52dc660c85db Linux 6.18.30
1aa60fea7f63 ksmbd: validate inherited ACE SID length
28f5ed477eef x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
a0e560d15ff1 rust: pin-init: fix incorrect accessor reference lifetime
4af2e62cbcda net: stmmac: Prevent NULL deref when RX memory exhausted
9d1774b33e10 net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
5cffe3c13689 crypto: caam - guard HMAC key hex dumps in hash_digest_key
ef63ef44e86c printk: add print_hex_dump_devel()
c9ce18e6bb2c erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
24da4cc6bf27 erofs: tidy up z_erofs_lz4_handle_overlap()
d309d3308de6 hfsplus: fix held lock freed on hfsplus_fill_super()
a42090445096 hfsplus: fix uninit-value by validating catalog record size
23b814ec96a8 firmware: exynos-acpm: Drop fake 'const' on handle pointer
bbcef208c5da mm, swap: speed up hibernation allocation and writeout
4d7b42941c9b crypto: qat - fix firmware loading failure for GEN6 devices
fb6616806f3d crypto: qat - fix indentation of macros in qat_hal.c
afece4e3f2cd mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
f597ab044bea mmc: core: Add quirk for incorrect manufacturing date
ebad72308271 mmc: core: Adjust MDT beyond 2025
b0f4711b426a octeon_ep_vf: add NULL check for napi_build_skb()
1869da3efe70 hwmon: (powerz) Avoid cacheline sharing for DMA buffer
609936df7ce1 dma-mapping: add __dma_from_device_group_begin()/end()
25c2b77bc463 fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
1de2db19a602 mm/damon/core: disallow non-power of two min_region_sz on damon_start()
d18099f19e53 bpf: Fix use-after-free in arena_vm_close on fork
737adda64f51 io_uring/tw: serialize ctx->retry_llist with ->uring_lock
2563d7880c4d io_uring/kbuf: support min length left for incremental buffers
23900db3787a LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
aaaf41aee5ac LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
3d44ed6dd219 LoongArch: KVM: Move unconditional delay into timer clear scenery
b715ceb72ed9 LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software
1c32824fbdec LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry
e50d8573534f LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
9e1aed63a555 LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
7d3c27b54253 KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
931c9c777e35 KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
7e9f5f62f8d1 KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
81e7907fe542 KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
7b99369b2c7a KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
837db0777792 KVM: arm64: Wake-up from WFI when iqrchip is in userspace
8be551f538dc f2fs: fix fsck inconsistency caused by FGGC of node block
03806ec9c4cd f2fs: fix inline data not being written to disk in writeback path
4bdc05b2032b f2fs: refactor f2fs_move_node_folio function
8d269aae6f73 f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
b0e4395870eb f2fs: fix node_cnt race between extent node destroy and writeback
d438a9fb20d0 f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
f37012cc7c27 f2fs: fix incorrect file address mapping when inline inode is unwritten
bedb710b63ae f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
63c2d2ad40d1 f2fs: fix fiemap boundary handling when read extent cache is incomplete
060029ed542e f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
464747eae483 mptcp: pm: ADD_ADDR rtx: return early if no retrans
107e956ce544 mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
b74ad2019865 mptcp: pm: ADD_ADDR rtx: free sk if last
acd3d3562315 mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
2ad56e434199 mptcp: pm: ADD_ADDR rtx: fix potential data-race
cffc6fc446a2 mptcp: pm: ADD_ADDR rtx: allow ID 0
07c2f3c29a8a mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
6f5ba49da8b1 mptcp: pm: prio: skip closed subflows
8a005fe451c7 mptcp: fix scheduling with atomic in timestamp sockopt
e6ad28d9d5bf mptcp: fix rx timestamp corruption on fastopen
e083d1d8bbec mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
c7362eef3b70 mptcp: sockopt: set timestamp flags on subflow socket, not msk
e74f33c8a2c7 mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
fa26c8deed61 mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
4f269fc3c73a mptcp: fastclose msk when linger time is 0
2146145d6dd6 selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl
2efd6bd0e9b1 selftests: mptcp: check output: catch cmd errors
a8f4a82e5629 sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
0c63333ff97b RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
006a3a5f7534 RDMA/rxe: Reject unknown opcodes before ICRC processing
105bf79a23b8 RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
8832626a4834 RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
b087913ae882 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
e01b8c9286c4 RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
1e2a44875b6a RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
012796f9541f RDMA/mana: Validate rx_hash_key_len
9ef65af26b2a RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
bb9cb36eaefa RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
ab64c63b460b RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
d886bcdcd00d RDMA/ionic: Fix typo in format string
61df14f306f1 RDMA/ionic: bound node_desc sysfs read with %.64s
44905248dd87 perf/x86/intel: Always reprogram ACR events to prevent stale masks
2546fb8c9acc powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
4b6886ca8114 power: supply: max17042: avoid overflow when determining health
1bf238ead7cc PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
24582f5044bf PCI/AER: Stop ruling out unbound devices as error source
70a5d28dd273 PCI/AER: Clear only error bits in PCIe Device Status
185d51ec3a54 PCI: Update saved_config_space upon resource assignment
eafd6f5372d2 mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
cb825c22c002 mm/damon/stat: detect and use fresh enabled value
bb1703949dca KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
d6f4e217d663 KVM: x86: check for nEPT/nNPT in slow flush hypercalls
c688f3ed73d3 smb: client: validate dacloffset before building DACL pointers
be1ef9512a3f smb: client: use kzalloc to zero-initialize security descriptor buffer
b8c8a704f0bc smb/client: fix out-of-bounds read in symlink_data()
512d33bc8ea4 smb/client: fix out-of-bounds read in smb2_compound_op()
45dcc815fc55 scsi: mpt3sas: Limit NVMe request size to 2 MiB
cf90a96b7a2d s390/debug: Reject zero-length input before trimming a newline
e3eee7ea5ec5 s390/debug: Reject zero-length input in debug_input_flush_fn()
bd62c0f61bc7 riscv: kvm: fix vector context allocation leak
1912f7879850 RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
ac4bf66686bb psp: strip variable-length PSP header in psp_dev_rcv()
51a7dd9cbae9 pmdomain: core: Fix detach procedure for virtual devices in genpd
3df75fff46b1 openvswitch: vport: fix self-deadlock on release of tunnel ports
781f47d64143 nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
67e1aaf93b49 nvmet-tcp: fix race between ICReq handling and queue teardown
c77c82935c0a nvme-apple: drop invalid put of admin queue reference count
913d556e4bd1 md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
b7df9fbd4869 libceph: Fix slab-out-of-bounds access in auth message processing
7cdf18608302 lib/scatterlist: fix temp buffer in extract_user_to_sg()
8fbba6829057 lib/scatterlist: fix length calculations in extract_kvec_to_sg
8637dfb4c1d8 lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
cbb032fc7432 iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
3ea9ce757bd3 iommu/vt-d: Block PASID attachment to nested domain with dirty tracking
0d96652adc8f iommufd: Fix return value of iommufd_fault_fops_write()
afbafeddf23d isofs: validate block number from NFS file handle in isofs_export_iget
e69da8eeab74 isofs: validate Rock Ridge CE continuation extent against volume size
1919acc5876c dm-verity-fec: correctly reject too-small hash devices
9a484c8149b2 dm-verity-fec: correctly reject too-small FEC devices
52b109f1b875 eventfs: Hold eventfs_mutex and SRCU when remount walks events
5af6a879e915 dm: fix a buffer overflow in ioctl processing
cb7c6a89e5d8 dm: don't report warning when doing deferred remove
85311a585a26 dm-thin: fix metadata refcount underflow
fb388eb58c1b btrfs: fix missing last_unlink_trans update when removing a directory
9a060970fd7b btrfs: fix double free in create_space_info() error path
48102d889090 ASoC: qcom: q6apm: remove child devices when apm is removed
7cab9f2ad51c ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
6d43355a5b9e ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
4e550b59315d ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
846fcce3a6bb ASoC: fsl_easrc: fix comment typo
3a5287c47b13 ASoC: ES8389: convert to devm_clk_get_optional() to get clock
65aabf889668 ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
54a44bbead39 cpuidle: powerpc: avoid double clear when breaking snooze
a0780aeea166 clk: microchip: mpfs-ccc: fix out of bounds access during output registration
9eccdb76ad5e clk: imx: imx8-acm: fix flags for acm clocks
b528c7ffdc3e tracing/probes: Limit size of event probe to 3K
d50ef3553acb spi: topcliff-pch: fix use-after-free on unbind
b3bdc7a8dd44 spi: topcliff-pch: fix controller deregistration
4b16c06da763 thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
3933dfb360e0 thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
eb295d2b6e70 thermal: core: Free thermal zone ID later during removal
1873eb81c65d udf: reject descriptors with oversized CRC length
b1040af58771 tracefs: Fix default permissions not being applied on initial mount
998f43196d73 spi: microchip-core-qspi: control built-in cs manually
ec9d0ddbde60 spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations
d945d71bbad5 spi: microchip-core-qspi: fix controller deregistration
121d1f253aed ice: fix double free in ice_sf_eth_activate() error path
c1f261863e65 ibmveth: Disable GSO for packets with small MSS
4f82f046f913 hv_sock: Return -EIO for malformed/short packets
317e434e26af hv_sock: Report EOF instead of -EIO for FIN
d1b9424f7393 hv_sock: fix ARM64 support
cb028f72fb3b hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
5b958822126d gpio: of: clear OF_POPULATED on hog nodes in remove path
bbf63275d4a5 extcon: ptn5150: handle pending IRQ events during system resume
196efa8b254b cifs: change_conf needs to be called for session setup
064f2e49199c cifs: abort open_cached_dir if we don't request leases
281a0014f46f block: only read from sqe on initial invocation of blkdev_uring_cmd()
f17d52107532 block: add pgmap check to biovec_phys_mergeable
cb27e43c0511 pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
8aacf87718b9 arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
c34c41446acf af_unix: Reject SIOCATMARK on non-stream sockets
aa4d6fee0449 hwmon: (corsair-psu) Close HID device on probe errors
370d4deba194 clk: rk808: fix OF node reference imbalance
13a0f0204d54 hwmon: (ltc2992) Fix u32 overflow in power read path
357ef14bfde2 hwmon: (ltc2992) Clamp threshold writes to hardware range
22b365ba1af3 x86/efi: Fix graceful fault handling after FPU softirq changes
c9b620425fd0 parisc: Fix IRQ leak in LASI driver
23ae72e8c2f1 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2b56d7903ab8 net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
14ef6fd18db2 net/rds: handle zerocopy send cleanup before the message is queued
3d47d62c1348 netpoll: pass buffer size to egress_dev() to avoid MAC truncation
1bca036fe360 net: libwx: use request_irq for VF misc interrupt
e70cfb40c3a9 ip6_gre: Use cached t->net in ip6erspan_changelink().
33c5bb50b9c4 net: libwx: fix VF illegal register access
62951b49754a pseries/papr-hvpipe: Fix the usage of copy_to_user()
2b1335edaac5 pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()
0479b6e9f999 pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
0ff2b713f406 sound: ua101: fix division by zero at probe
aab56b95bee3 perf/x86/intel: Improve validation and configuration of ACR masks
4bf22a0afb27 mptcp: pm: ADD_ADDR rtx: skip inactive subflows
fbe0e6197225 net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
52070a91956f LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
8f75597dfc67 mm/hugetlb_cma: round up per_node before logging it
10c252577ccd arm64: signal: Preserve POR_EL0 if poe_context is missing
34bdcfb496b2 mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
83b131a214f1 KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
7baa02b0ae9d fanotify: fix false positive on permission events
d71240d2609b staging: vme_user: fix root device leak on init failure
1b66f16a571a spi: s3c64xx: fix NULL-deref on driver unbind
4f0dd529990d spi: zynqmp-gqspi: fix controller deregistration
93f83b3a50ef spi: sun6i: fix controller deregistration
9df7d2530412 spi: ti-qspi: fix controller deregistration
9aea3d4f23ca spi: sun4i: fix controller deregistration
40db1bd1ffc6 spi: syncuacer: fix controller deregistration
ca488ac3b083 rust: allow `clippy::collapsible_if` globally
16a7e845c3a0 rust: allow `clippy::collapsible_match` globally
4ea3b2e469fc rust: drm: gem: clean up GEM state in init failure case
32bd343803d4 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1810e42ff671 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
741e6024e315 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
77981a507aa0 Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
624fb79dadc1 Bluetooth: btmtk: validate WMT event SKB length before struct access
3485c7236c59 Bluetooth: virtio_bt: validate rx pkt_type header length
b40cdd1b1370 Bluetooth: virtio_bt: clamp rx length before skb_put
53ad20efd20a LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
05b63fbddfca selinux: prune /sys/fs/selinux/user
058a5e705424 selinux: prune /sys/fs/selinux/disable
52a5d9608da5 selinux: prune /sys/fs/selinux/checkreqprot
e5c12a115ed5 selinux: shrink critical section in sel_write_load()
71e68e863a7e selinux: don't reserve xattr slot when we won't fill it
d350fef4bc24 selinux: use sk blob accessor in socket permission helpers
e3e722ea88e0 selinux: fix avdcache auditing
7db99a09b3bc xfrm: ah: account for ESN high bits in async callbacks
9d5047782f9b ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
4980162de555 xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
0fe995ac77a8 xfrm: provide message size for XFRM_MSG_MAPPING
c73fdf2e911d x86/efi: Restore IRQ state in EFI page fault handler
ef49059fce11 powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
9ef79d48f137 ALSA: seq: Fix UMP group 16 filtering
878c19dd4fbe ALSA: core: Serialize deferred fasync state checks
d761428f6cc7 ALSA: firewire-tascam: Do not drop unread control events
d829caccb426 ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15
ac3e9b55b7da ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
f8ad9ef77156 ALSA: hda: cs35l56: Propagate ASP TX source control errors
0c1c186f8f48 usb: typec: tcpm: fix debug accessory mode detection for sink ports
2a71e01b2cf9 usb: ulpi: fix memory leak on ulpi_register() error paths
6ef872d157f4 USB: serial: option: add Telit Cinterion LE910Cx compositions
52a0cf7cde26 USB: omap_udc: DMA: Don't enable burst 4 mode
411f2f7274e3 ALSA: usb-audio: Fix UAC3 cluster descriptor size check
be09b47ed867 ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
00e095dc5787 ALSA: usb-audio: midi2: Restart output URBs on resume
762a6ccf391d usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
8247f52d8221 usb: usblp: fix heap leak in IEEE 1284 device ID via short response
658d2e46c2e9 wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
d7029879bafd wifi: b43: enforce bounds check on firmware key index in b43_rx()
9e28654f79f4 wifi: mac80211: remove station if connection prep fails
e9f1081bc775 wifi: ath5k: do not access array OOB
7577a4b8a10f wifi: mac80211: use safe list iteration in radar detect work
4f9a4ae8d2c1 wifi: rsi: fix kthread lifetime race between self-exit and external-stop
e131562d6f2b wifi: mac80211: drop stray 'static' from fast-RX rx_result
9d1bc1558029 wifi: b43legacy: enforce bounds check on firmware key index in RX path
6d55948a62ab wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
0aa63d33742b wifi: mt76: mt7921: fix a potential clc buffer length underflow
6fc7c8b414ce wifi: mt76: mt7925: fix incorrect length field in txpower command
5860ab3ddeaa wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
6f49f94f3b11 exit: prevent preemption of oopsing TASK_DEAD task
8d09618840b9 net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
33fe95663d10 net: stmmac: Disable EEE RX clock stop when VLAN is enabled
53e821fd9bae KVM: SVM: check validity of VMCB controls when returning from SMM
edd446ee7cd3 net: af_key: zero aligned sockaddr tail in PF_KEY exports
9dea2aeabc86 smb: client/smbdirect: fix MR registration for coalesced SG lists
ff9e4d5e9bba mptcp: sync the msk->sndbuf at accept() time
0d00b9015069 flow_dissector: do not dissect PPPoE PFC frames
6200f41d6fcf ceph: fix num_ops off-by-one when crypto allocation fails
738ec97b1855 KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
ccee9833e33b ksmbd: rewrite stop_sessions() with restartable iteration
21a316f27095 spi: rockchip: fix controller deregistration
8c4339dbab49 wifi: mt76: mt7925: fix incorrect TLV length in CLC command
0f0c0c1397a4 ASoC: SOF: Don't allow pointer operations on unconfigured streams
9a2d03d324b2 iommufd: Fix a race with concurrent allocation and unmap
2c5b8eeea006 tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
540fa6a86b91 ACPI: video: force native backlight on HP OMEN 16 (8A44)
70446f52251f ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
42f83350394a ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
7f0a53c2b94c ACPI: scan: Use acpi_dev_put() in object add error paths
da9b065cedfd fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
bc13fce9eeec ipmi:si: Return state to normal if message allocation fails
42432b579a59 ipmi: Check event message buffer response for bad data
3d37d2165df9 ipmi: Add limits to event and receive message requests
00d91bfdce50 scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
d31a849ff501 Linux 6.18.29
3eae0f4f9f72 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3c6b4c18de91f4185dfca3ba7e24979967d49c5f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 8002faf245b..031c81c2b30 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "67f352d4d0901a3c3c2cb2cbecd23c66c793e860"
-SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
+SRCREV_machine ?= "dda294005f893c24b6322a7bdf58d7575f4ad21f"
+SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.28"
+LINUX_VERSION ?= "6.18.32"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 2b824c75c44..824546e6618 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.28"
+LINUX_VERSION ?= "6.18.32"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
+SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 707c163fcc0..88b8949cf41 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "3f4d05e9da100380b042f317240ef81262ed1574"
-SRCREV_machine:qemuarm64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_machine:qemuloongarch64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemuarm ?= "ab16c590f189a534ded2f3940529d3ac63301c3a"
+SRCREV_machine:qemuarm64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemuloongarch64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_machine:qemuriscv64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_machine:qemuriscv32 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_machine:qemux86 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_machine:qemux86-64 ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
+SRCREV_machine:qemuppc ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemuriscv64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemuriscv32 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemux86 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemux86-64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "ed7dda90e9cbe47b9a234a82c41be27d624f7ee7"
-SRCREV_meta ?= "c99063540e188e32b089f957e192780f5a4adf88"
+SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "c31b94a4231c974dca12e6b83f2af1d1d95dfc5e"
+SRCREV_machine:class-devupstream ?= "52386a7b1beb0a7cb5a304935f73c157109c09ad"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.28"
+LINUX_VERSION ?= "6.18.32"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 09/55] linux-yocto/6.18: qat/intel configuration warning fixes
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 08/55] linux-yocto/6.18: update to v6.18.32 Yoann Congal
@ 2026-07-05 22:40 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 10/55] linux-yocto/6.18: update to v6.18.33 Yoann Congal
` (46 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:40 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Integrating the following commit(s) to linux-yocto/.:
1/2 [
Author: Yogesh Tyagi
Email: yogesh.tyagi@intel.com
Subject: qat: fix CONFIG_CRYPTO_CTS mismatch warnings
Date: Mon, 18 May 2026 22:21:02 +0530
[NOTE]: 'CONFIG_CRYPTO_CTS' last val (m) and .config val (y) do not match
[INFO]: CONFIG_CRYPTO_CTS : y ## .config: 8103 :configs/v6.18/ktypes/base/base.cfg (y) configs/v6.18/standard/features/qat/qat.cfg (m)
[INFO]: raw config text:
config CRYPTO_CTS
tristate "CTS (Cipher Text Stealing)"
select CRYPTO_SKCIPHER
select CRYPTO_MANAGER
depends on CRYPTO
help
CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
Addendum to SP800-38A (October 2010))
This mode is required for Kerberos gss mechanism support
for AES encryption.
Config 'CRYPTO_CTS' has the following Direct dependencies (CRYPTO_CTS=y):
CRYPTO(=y)
Parent dependencies are:
CRYPTO [y]
[INFO]: selection details for 'CONFIG_CRYPTO_CTS':
Symbols currently y-selecting this symbol:
- FS_ENCRYPTION_ALGS
Symbols currently n-selecting this symbol (no effect):
- RXGK
- CRYPTO_KRB5
base.cfg pins CRYPTO_CTS=y while features/qat/qat.cfg requests =m.
FS_ENCRYPTION_ALGS=y forces the symbol to =y at .config time, which is
the correct outcome -- QAT consumes CRYPTO_CTS via the in-kernel
crypto API and works against either built-in or modular CTS. Add the
symbol to the y_or_m_enabled.cfg whitelist so the audit no longer
flags this mismatch, matching the existing handling of CRYPTO_CCM
and CRYPTO_GCM.
Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
]
2/2 [
Author: Yogesh Tyagi
Email: yogesh.tyagi@intel.com
Subject: bsp/intel-{x86,common}: drop CONFIG_HIGHMEM64G
Date: Mon, 18 May 2026 22:21:03 +0530
CONFIG_HIGHMEM64G was removed from the kernel in v6.18-rc1 by:
commit bbeb69ce301323e84f1677484eb8e4cd8fb1f9f8
Author: Arnd Bergmann <arnd@arndb.de>
Date: Wed Feb 26 22:37:09 2025 +0100
x86/mm: Remove CONFIG_HIGHMEM64G support
The two intel 32-bit BSP fragments still carry CONFIG_HIGHMEM64G=y,
which against a v6.18 kernel produces:
[INFO]: the following symbols were not found in the active configuration:
- CONFIG_HIGHMEM64G
emitted by do_kernel_configcheck whenever MACHINE selects one of these
BSPs (e.g. MACHINE=intel-core2-32).
The replacement on x86-PAE kernels is the unconditional 64GiB ceiling
that landed alongside the removal commit; no fragment-level opt-in is
required. Drop the obsolete symbol from both fragments. This mirrors
the recent "x86: drop CONFIG_BIG_SMP" cleanup (3260f662) for symbols
upstream removed in the same series.
Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
]
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7ba0465eef261d649368c46ed1d2e1b24240c01f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 031c81c2b30..b5775d2fd14 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -16,7 +16,7 @@ python () {
}
SRCREV_machine ?= "dda294005f893c24b6322a7bdf58d7575f4ad21f"
-SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
+SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 824546e6618..70577b74b59 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -19,7 +19,7 @@ KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
+SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 88b8949cf41..96ea7122d6e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -28,7 +28,7 @@ SRCREV_machine:qemux86 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
SRCREV_machine:qemux86-64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_meta ?= "2d12860e7692327b02ec4d707585fe101b8c4d38"
+SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 10/55] linux-yocto/6.18: update to v6.18.33
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-07-05 22:40 ` [OE-core][wrynose 09/55] linux-yocto/6.18: qat/intel configuration warning fixes Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 11/55] linux-yocto/6.18: update to v6.18.34 Yoann Congal
` (45 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
83657f418961 Linux 6.18.33
664736cc1f95 netfs: Fix potential uninitialised var in netfs_extract_user_iter()
e9a23ec9461e selftests/bpf: Remove test_access_variable_array
ff375cc75f91 net: skbuff: propagate shared-frag marker through frag-transfer helpers
3bd9e113d500 net: skbuff: preserve shared-frag marker during coalescing
640e37f58f99 net/rds: reset op_nents when zerocopy page pin fails
6bf4253af814 spi: sifive: fix controller deregistration
27fcf3dd04df spi: sifive: Simplify clock handling with devm_clk_get_enabled()
fac9cfad2f90 f2fs: fix false alarm of lockdep on cp_global_sem lock
a4a0340d20ab sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before
255c3998dae8 sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
a3c44e77f379 perf/x86/intel: Disable PMI for self-reloaded ACR events
b6437e6f8f3d btrfs: do not mark inode incompressible after inline attempt fails
2647b8fe2f1f smb: client: Use FullSessionKey for AES-256 encryption key derivation
244575d0c695 eventfs: Use list_add_tail_rcu() for SRCU-protected children list
4fa42a249e8c drm/v3d: Reject empty multisync extension to prevent infinite loop
4e003e2fb6d3 drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
ab9256936b58 drm/gma500/oaktrail_lvds: fix hang on init failure
6d835a99474c drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
9a34b94832c3 drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC
39fdac6be02e drm/xe/dma-buf: fix UAF with retry loop
20a99ea1e2fd drm/xe/dma-buf: handle empty bo and UAF races
c76273c3eba9 drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
65a3a1cf29eb drm/i915: skip __i915_request_skip() for already signaled requests
9022cb9ac0c2 iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
88397fad7914 iommu/vt-d: Fix oops due to out of scope access
637b7ce89e54 iommu/vt-d: Disable DMAR for Intel Q35 IGFX
4d2b37abda95 libceph: handle rbtree insertion error in decode_choose_args()
0f3604cbe4df libceph: Fix potential out-of-bounds access in crush_decode()
f2f95e6d4b97 libceph: Fix potential null-ptr-deref in decode_choose_args()
48df98d12b15 libceph: Fix potential out-of-bounds access in osdmap_decode()
0de5cb2d61d0 irqchip/gic-v5: Allocate ITS parent LPIs as a range
2cbd4abe413e irqchip/gic-v5: Support range allocation for LPIs
e6550b17cc0e irqchip/gic-v5: Move LPI allocation into the LPI domain
84ff9ae64d9b irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
5b0756b6b757 irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
42558732af4a nfsd: fix file change detection in CB_GETATTR
fc6db1e47c55 netfs: fix error handling in netfs_extract_user_iter()
1a78bea6a5e9 powerpc/warp: Fix error handling in pika_dtm_thread
3f6fb0211b39 virt: sev-guest: Do not use host-controlled page order in cleanup path
690b7ca1f9b3 xfs: fix memory leak on error in xfs_alloc_zone_info()
b0bd7a850e1f x86/kexec: Push kjump return address even for non-kjump kexec
f0a0f01787ec iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
252c5051dba9 io-wq: check that the predecessor is hashed in io_wq_remove_pending()
d5bd8b4e39cf ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
3fa13ceefbc5 ceph: fix a buffer leak in __ceph_setxattr()
9ebb7eba1237 btrfs: only release the dirty pages io tree after successful writes
d7b2de5d9862 ALSA: usb-audio: qcom: Check offload mapping failures
09141583bd97 ALSA: usb-audio: Bound MIDI endpoint descriptor scans
f9c184a83574 ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
651760f57fe0 ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone
a424946e00f2 ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx
d3e03c25d520 accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout()
9b718ebe0e97 platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members
b6c0f545c8f9 platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers
1b2dca1f9b5a platform/x86: intel: Move debugfs register before creating devices
d25b863e2dff drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
318b995cffcf drm: Replace old pointer to new idr
d31c6b334215 drm/loongson: Use managed KMS polling
97a05b0ae9ea smb/client: fix possible infinite loop and oob read in symlink_data()
0ea9d6e036be nvme-apple: Reset q->sq_tail during queue init
527cb4a55155 Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
151cfe527f0a media: staging: imx: configure src_mux in csi_start
7c96f2e5b6fb ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
d92229dfa3f9 fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
3ab135238832 HID: core: Fix size_t specifier in hid_report_raw_event()
301338b8edad HID: core: introduce hid_safe_input_report()
509c26050650 HID: pass the buffer size to hid_report_raw_event
8adc988e9f20 KVM: x86: Fix Xen hypercall tracepoint argument assignment
b22a2da8792a KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
0d419c23bb11 KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
d9017d233258 audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
e029cbd8c06d net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
1dced0725e2f netfilter: nft_ct: fix missing expect put in obj eval
a9f76de38ba3 Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
722b91d5086a idpf: fix double free and use-after-free in aux device error paths
c4a8998aafb8 cgroup/dmem: Return -ENOMEM on failed pool preallocation
bddf59818ae5 net: ena: PHC: Check return code before setting timestamp output
e35f3550c5b4 audit: fix incorrect inheritable capability in CAPSET records
430b05f6c918 netfilter: nf_conntrack_sip: get helper before allocating expectation
95e8ae9af2a6 net: ena: PHC: Fix potential use-after-free in get_timestamp
10addc25fa17 workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
f43240068791 i40e: Cleanup PTP pins on probe failure
a1c5672faf8e crypto: af_alg - Cap AEAD AD length to 0x80000000
b4e1c03b876c sched/fair: Revert force wakeup preemption
ec4f6da3373d sched/fair: Fix wakeup_preempt_fair() for not waking up task
ce8ac8432fd7 net: mana: Init gf_stats_work before potential error paths in probe
45d6c6c10b8b net: mana: Fix use-after-free in reset service rescan path
80c025618524 net: airoha: Fix VIP configuration for AN7583 SoC
81a2a3607866 net: airoha: Use gdm port enum value whenever possible
106581064439 net: airoha: Remove code duplication in airoha_regs.h
db9af8a2efad net/sched: sch_pie: annotate more data-races in pie_dump_stats()
90619fdedfb9 net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()
7645ead02939 net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit()
95fdee73c39c rtla: Fix parse_cpu_set() bug introduced by strtoi()
26b4ea23f511 net: airoha: Fix a copy and paste bug in probe()
dbbd60129f79 bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation
22f72b1dccfe PCI: Initialize temporary device in new_id_store()
735439394dde Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"
d66dc9505935 Revert "pseries/papr-hvpipe: Fix race with interrupt handler"
1dcd36420af2 futex: Drop CLONE_THREAD requirement for private default hash alloc
dcb89deed40b arm64: Reserve an extra page for early kernel mapping
b9d854388988 kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition
5704a90c0970 net/sched: cls_flower: revert unintended changes
3f4a3f740c23 sfc: fix error code in efx_devlink_info_running_versions()
9c54e76f8d6e net: tls: fix strparser anchor skb leak on offload RX setup failure
f5c5692a61f7 ice: add dpll peer notification for paired SMA and U.FL pins
f5f1b59bdb12 dpll: export __dpll_pin_change_ntf() for use under dpll_lock
47e53940451c dpll: Add notifier chain for dpll events
8bcfd78bbc32 dpll: Allow associating dpll pin with a firmware node
a723643ee055 ice: fix missing dpll notifications for SW pins
3b3aab57e33f ice: fix SMA and U.FL pin state changes affecting paired pin
0c56810ce1ba ice: fix missing SMA pin initialization in DPLL subsystem
c3cad2ae8088 ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw
1e9185b13ce5 ice: fix NULL pointer dereference in ice_reset_all_vfs()
b166453d8d01 iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
e469b1ff3319 iavf: wait for PF confirmation before removing VLAN filters
b0173c36977c iavf: stop removing VLAN filters from PF on interface down
033fa40dff77 iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
864577384d72 page_pool: fix memory-provider leak in page_pool_create_percpu() error path
c169c5837525 bonding: 3ad: implement proper RCU rules for port->aggregator
f2edb41645bf bonding: print churn state via netlink
c1e0b5eccdf0 net: airoha: Do not return err in ndo_stop() callback
aaad53a55812 net: airoha: fix BQL imbalance in TX path
d1469eb93af7 drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
bebce43f34b5 drm/xe/eustall: Fix drm_dev_put called before stream disable in close
753b149d5a43 drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
2d8656c27ff6 drm/xe/debugfs: Correct printing of register whitelist ranges
8b85ffe52052 drm/amd/display: Read EDID from VBIOS embedded panel info
07822f1d9bdb drm/amd/display: Allow constructing DCE8 link encoder without DDC
e0f874f209d4 drm/amd/display: Allow constructing DCE6 link encoder without DDC
9b84d67ce8c9 drm/amd/display: Allow DCE link encoder without AUX registers
69a7cfc66405 futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
24c22c644ea5 ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1
7e6f7ac79abe ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
f837c7b85143 ALSA: hda/conexant: Fix missing error check for jack detection
47984e9db9ca netconsole: propagate device name truncation in dev_name_store()
b19a6804d498 net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
cd0401593b2d net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)
74a02921c48f bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
ea9b4f07da5d sctp: discard stale INIT after handshake completion
50c450bae38d netfilter: skip recording stale or retransmitted INIT
841133395b42 ASoC: codecs: ab8500: Fix casting of private data
aa1a08a4632a net: psp: require admin permission for dev-set and key-rotate
d90df5ce6deb net: psp: check for device unregister when creating assoc
39767f944a8c io_uring/napi: cap busy_poll_to 10 msec
d0f6ae14c045 drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring
a7e63bb93a7f drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring
f26e3f7186cd drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
8549b3933038 drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
6876d05b8991 drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
5ada37d7f736 drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
3a96fee676fc drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
b41248d1c183 drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
081ef0e46c9c drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring
139a8a52ef43 drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring
6d9a98c5ed65 drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
9076a83e5ade drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
1286b6872de0 drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring
2d6525e7b250 drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
602d4c5872b2 drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
ac06ce5cac9e drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
fb128a905f7a net: phy: dp83869: fix setting CLK_O_SEL field.
1c07b968a5d7 s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()
0f5bca930f8d md/md-bitmap: add a none backend for bitmap grow
7035caaa1b6f md/md-bitmap: split bitmap sysfs groups
4d4814310391 md: factor bitmap creation away from sysfs handling
00d5ae2b3b0f md: add fallback to correct bitmap_ops on version mismatch
d934a2bbed53 md/raid1,raid10: don't fail devices for invalid IO errors
8252ae66cfc4 net: mctp i2c: check length before marking flow active
f3c16e1f4a31 sched/fair: Clear rel_deadline when initializing forked entities
63273472430e sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue
7ce7a08cde16 sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals
67bdf14af6b8 ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
f9e6b2f22b1f netpoll: fix IPv6 local-address corruption
9544ca41e1ec tcp: make probe0 timer handle expired user timeout
63063ba60d2d neigh: let neigh_xmit take skb ownership
48b26d48e762 net/sched: taprio: fix NULL pointer dereference in class dump
cca14c404c0e NFC: trf7970a: Ignore antenna noise when checking for RF field
3dc58085988b spi: amlogic-spisg: initialize completion before requesting IRQ
81fc967bf476 net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
6999d70e0eda net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
a7a97f2303e6 vrf: Fix a potential NPD when removing a port from a VRF
02495cc4a33e net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
10c242aa0c54 net/sched: sch_choke: annotate data-races in choke_dump_stats()
f670fa4b19ce net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit()
f4b7ed23fae6 net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs()
546d998978dc net: airoha: fix typo in function name
b48399bc63ff net: airoha: stop net_device TX queue before updating CPU index
7a72efd11722 net/sched: netem: check for negative latency and jitter
fabf2b2bbfa1 net/sched: netem: fix slot delay calculation overflow
2e2a8b077699 net/sched: netem: validate slot configuration
33cc6a26898a net/sched: netem: only reseed PRNG when seed is explicitly provided
8450462eaf91 net/sched: netem: fix queue limit check to include reordered packets
1633087d8a76 net/sched: netem: fix probability gaps in 4-state loss model
750d0091bebf netdevsim: zero initialize struct iphdr in dummy sk_buff
c9553e0567b0 cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
156f410cafa2 ACPI: APEI: EINJ: Fix EINJV2 memory error injection
f6553cca1775 ACPICA: Provide #defines for EINJV2 error types
b69f420c98b2 arm64/scs: Fix potential sign extension issue of advance_loc4
793bae6ce71c drm/color-mgmt: Typo s/R332/RGB332/
df332876455c drm/sysfb: ofdrm: fix PCI device reference leaks
f4343ddee93b ASoC: tas2770: Fix order of operations for temperature calculation
6c06e9ba8753 ASoC: tas2764: Mark die temp register as volatile
9834d8cc89fe spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
6c554462a6ad ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
7df9863bf538 netfilter: nf_conntrack_sip: don't use simple_strtoul
938867e870fb netfilter: xt_policy: fix strict mode inbound policy matching
e0805ccf7917 drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
6d6cd5652c86 drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
a31c3feb54b1 drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
24c55a9aa298 drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
616af8df424c nvme-pci: fix missed admin queue sq doorbell write
0bd93ce4f3c3 netfilter: nf_tables: use list_del_rcu for netlink hooks
1c55053f8ffd netfilter: arp_tables: fix IEEE1394 ARP payload parsing
c2a11441538b nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
119e84719f98 tracing: branch: Fix inverted check on stat tracer registration
1aa08e1fd60a cgroup: Increment nr_dying_subsys_* from rmdir context
64a5a3dfa8fd btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
b740cc86816b fsnotify: fix inode reference leak in fsnotify_recalc_mask()
f7f5d83b0dc2 mailbox: mailbox-test: make data_ready a per-instance variable
3c791f6fb791 mailbox: mailbox-test: initialize struct earlier
82f6dcea46cf mailbox: mailbox-test: don't free the reused channel
9dd748994332 mailbox: add sanity check for channel array
8d5e39df95ed cgroup/rdma: fix integer overflow in rdmacg_try_charge()
03dc070fa0fc sched/psi: fix race between file release and pressure write
742001919653 mailbox: mailbox-test: free channels on probe error
d3da3c85cdd6 mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
d07bc4ce8e24 kbuild: Never respect CONFIG_WERROR / W=e to fixdep
4d837117d45d tools/power turbostat: Fix unrecognized option '-P'
262187aa6981 tools/power turbostat: Fix and document --header_iterations
481dbda367f4 tools/power turbostat: Use strtoul() for iteration parsing
8adeeef75597 tools/power turbostat.8: Document the "--force" option
c7a9cde132bf fbdev: offb: fix PCI device reference leak on probe failure
4b238fb04bd2 kbuild: builddeb - avoid recompiles for non-cross-compiles
03a817755611 rtc: abx80x: Disable alarm feature if no interrupt attached
a3fd5dc1c7b0 fs/adfs: validate nzones in adfs_validate_bblk()
ef4ca02e9536 eventpoll: fix ep_remove struct eventpoll / struct file UAF
eb206b8f55e1 eventpoll: move epi_fget() up
e644f892e1f2 eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()
e084713397a4 eventpoll: kill __ep_remove()
416b491cd289 eventpoll: split __ep_remove()
9348f4763aa9 eventpoll: use hlist_is_singular_node() in __ep_remove()
bd501c86407d nstree: fix func. parameter kernel-doc warnings
70f788e22693 vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
1d5e58905588 tipc: fix double-free in tipc_buf_append()
671f743d2dd5 tcp: send a challenge ACK on SEG.ACK > SND.NXT
b5992dbb3bc5 nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
1abf8c202caf virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET
6af1736b5810 vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
c60545ffb920 net: mana: Fix EQ leak in mana_remove on NULL port
fb9f98e1041a net: mana: Implement ndo_tx_timeout and serialize queue resets per port.
2c345eb03d2f net: mana: Handle hardware recovery events when probing the device
e0596009873e net: mana: Handle SKB if TX SGEs exceed hardware limit
577441de1983 net: mana: Don't overwrite port probe error with add_adev result
95e4598b6805 net: mana: Add standard counter rx_missed_errors
8804f00ea028 net: mana: Move hardware counter stats from per-port to per-VF context
a1ddfd2c0b7a net: mana: Guard mana_remove against double invocation
8709d4457faf net: mana: Init link_change_work before potential error paths in probe
5a90c4cfd8b7 net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()
d8ad264e9a01 net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path
4d4acfa348a1 net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
b707f3109f1a net: dsa: realtek: rtl8365mb: fix mode mask calculation
c0cfce4d7670 net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
ad02cb61c52c net: airoha: Add the capability to consume out-of-order DMA tx descriptors
b7c1bbf78b09 net: airoha: Add AN7583 SoC support
8d913ab01419 net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback
1a21910e32d7 net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct
56b99327a451 net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct
ae68eb4f2fdd net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
910213de955e net/sched: sch_red: annotate data-races in red_dump_stats()
1dbe52b6a0af net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
796fb2037d85 net/sched: sch_pie: annotate data-races in pie_dump_stats()
48de5f5f0f7b net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
7846f1e20f9a ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g
9fb0d0528177 ice: fix ready bitmap check for non-E822 devices
77803e30cdd0 ice: perform PHY soft reset for E825C ports at initialization
2496a593c6e3 ice: fix timestamp interrupt configuration for E825C
91ce1bb6e419 net/rds: zero per-item info buffer before handing it to visitors
1269a7d38577 bnge: remove unsupported backing store type
a2b26c4ade3e bnge: fix initial HWRM sequence
20e3b61e21c7 net: validate skb->napi_id in RX tracepoints
2cc8a4db633b ksmbd: scope conn->binding slowpath to bound sessions only
06f709d0e531 ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
9c3936515a52 ksmbd: destroy async_ida in ksmbd_conn_free()
6237cc0f7a4c ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
9c59c79788e8 pwm: atmel-tcb: Cache clock rates and mark chip as atomic
83cc775fc8fd arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
3a6dfd9f2cdb arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0
86cf2eba2056 net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()
0511ecb00e61 slip: bound decode() reads against the compressed packet length
9e1ff0eead07 slip: reject VJ receive packets on instances with no rstate array
79b90a96688e netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
21883587593d netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
5b73746bd85f ipvs: fix MTU check for GSO packets in tunnel mode
32fdd2e38e74 netfilter: nat: use kfree_rcu to release ops
76160e04440c netfilter: xtables: restrict several matches to inet family
8e3be0d12615 netfilter: conntrack: remove sprintf usage
fb965b1cfe92 netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
6e9038e7b394 netfilter: nft_osf: restrict it to ipv4
8d298ece6db7 net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()
fa6e90bc443b openvswitch: cap upcall PID array size and pre-size vport replies
d17830d050f7 net/mlx5: Fix HCA caps leak on notifier init failure
0cab5d077dd1 pppoe: drop PFC frames
70a089cc9590 sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
7c66b368c6ff ipv6: fix possible UAF in icmpv6_rcv()
d77baa6214b7 e1000e: Unroll PTP in probe error handling
15c666a99626 iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2
3c29ddd46aba i40e: don't advertise IFF_SUPP_NOFCS
3c5c3ac308a7 ice: fix ICE_AQ_LINK_SPEED_M for 200G
7cb19ec8ac08 ice: fix double-free of tx_buf skb
55500245ec04 ice: Remove jumbo_remove step from TX path
05fd391f9065 ice: update PCS latency settings for E825 10G/25Gb modes
722fcf831107 ice: fix 'adjust' timer programming for E830 devices
1b579c2001d0 tcp: annotate data-races around tp->plb_rehash
4d1ea8a2c6ac tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
37f33454b284 tcp: annotate data-races around tp->timeout_rehash
0edffaf11267 tcp: annotate data-races around tp->srtt_us
cd6011dc4c33 tcp: better handle TCP_TX_DELAY on established flows
3955bfec74ab tcp: annotate data-races around tp->reord_seen
7fc9ef56acfe tcp: annotate data-races around tp->dsack_dups
b20898430984 tcp: annotate data-races around tp->bytes_retrans
d0ae38a0ee95 tcp: annotate data-races around tp->bytes_sent
5987cec30473 tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
4215a5c7b079 tcp: annotate data-races around tp->delivered and tp->delivered_ce
d8068252f043 tcp: annotate data-races around tp->snd_ssthresh
9bce4d9c6da1 tcp: add data-races annotations around tp->reordering, tp->snd_cwnd
9eb93126c012 tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
2962660dc75a tcp: annotate data-races in tcp_get_info_chrono_stats()
c67c9032ce56 tcp: inline tcp_chrono_start()
8e8a7c72a24f tcp: move tp->chrono_type next tp->chrono_stat[]
ce2e164c1c51 ksmbd: fix use-after-free in smb2_open during durable reconnect
ff3e8515c1d9 smb: move smb_version_values to common/smbglob.h
37c8933064be net: enetc: fix NTMP DMA use-after-free issue
1f379216ccc8 net: enetc: correct the command BD ring consumer index
74d64ae4254e net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops
4c078a699a8c net: dsa: append ethtool counters of all hidden ports to conduit
87bbc2e86439 net: dsa: use kernel data types for ethtool ops on conduit
f128f04a893d net: dsa: cpu_dp->orig_ethtool_ops might be NULL
b73235da5dde net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
75b6c361f417 net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup()
613c8f4a5014 nexthop: fix IPv6 route referencing IPv4 nexthop
7ad66185052d net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
b6b7154e9f5d macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
7db3e4e03032 net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
7b5501a62214 pwm: stm32: Fix rounding issue for requests with inverted polarity
ad5dc433b34e arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names
5b5f8ff0a2e8 arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
8002eb9b60a6 arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
33d043815ccc arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
cde69482d2e6 reset: amlogic: t7: Fix null reset ops
4790bd29d626 PCMCIA: Fix garbled log messages for KERN_CONT
9e8087ac4636 arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
2b7db3e83f78 arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
d8d75e113532 arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
e754961b2655 arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
4ff0003fabd7 arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
9011a6128935 arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
dde47488fb19 arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
91c150b3760d arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
3a958f45a676 arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
e821e5e0c61b arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
4a259bb36702 arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
858e4d98a86a erofs: unify lcn as u64 for 32-bit platforms
df9784bb5b63 crypto: ccp - copy IV using skcipher ivsize
d05ebf0d3f8c crypto: sa2ul - Fix AEAD fallback algorithm names
fc9310d79fdb crypto: eip93 - fix hmac setkey algo selection
c6efc77954d8 virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
60a6842061b4 drm/i915/wm: Verify the correct plane DDB entry
d0e877810baf f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
2b0ae4b59ff5 f2fs: allow empty mount string for Opt_usr|grp|projjquota
1c5973c84ab4 clk: visconti: pll: initialize clk_init_data to zero
cccefa34c09a clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
a841167c1ef7 f2fs: fix to preserve previous reserve_{blocks,node} value when remount
ef72360aa88a f2fs: expand scalability of f2fs mount option
480307ffa289 lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
3547f6b9a110 clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains
4623c251496b f2fs: avoid reading already updated pages during GC
fa18659f883e f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page()
da99d0302d3c clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
16472129ffd7 clk: qcom: dispcc-sc7180: Add missing MDSS resets
28e796ac0279 dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
a0195eab4ed5 clk: xgene: Fix mapping leak in xgene_pllclk_init()
558b2eb623f2 clk: qoriq: avoid format string warning
074105928626 x86/um: fix vDSO installation
0f548ecd2d78 x86/um/vdso: Drop VDSO64-y from Makefile
b55d2128faf5 clk: imx8mq: Correct the CSI PHY sels
e3d41039263d clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
3cb3f533424b clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
8ae85245632c clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
d7f633fc6e4d clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
d79e6ca14c55 clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
a263813276f9 clk: qcom: gcc-sc8180x: Use retention for USB power domains
ed9ca2c4dc02 clk: qcom: gcc-sc8180x: Add missing GDSCs
841d49517768 dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
a2fb7c42ab9b scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item
51075df70c46 scsi: target: core: Fix integer overflow in UNMAP bounds check
ac0411865e3e clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}
3c0a96358c13 clk: renesas: r9a09g057: Fix ordering of module clocks array
21aae9f766a3 clk: renesas: r9a09g057: Add entries for RSCIs
34e869e21080 clk: renesas: r9a09g057: Add clock and reset entries for RTC
87534f2a3842 clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting
b92a29da9f7e clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting
b0015d7752af clk: qcom: dispcc-milos: Fix DSI byte clock rate setting
0c7a14a3d580 clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting
6c87b3a371fa clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
1afd963fcd96 scsi: sg: Resolve soft lockup issue when opening /dev/sgX
6a4ccbb9b40e scsi: sg: Fix sysctl sg-big-buff register during sg_init()
b9ab6cf1c2ef clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock
e906a312ee06 clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
89715e519ab7 clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source
1e56e335bc86 clk: qcom: gcc-glymur: Add video axi clock resets for glymur
927c8a511c2a dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur
f2c7b39dde2e RDMA/core: Prefer NLA_NUL_STRING
c5683ca4949a platform/x86: dell-wmi-sysman: bound enumeration string aggregation
58688eeaa307 platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
6136bbb054f7 fs/ntfs3: terminate the cached volume label after UTF-8 conversion
c44ad02d591b tty: serial: ip22zilog: Fix section mispatch warning
bfd3e5309503 platform/x86: asus-wmi: fix screenpad brightness range
38a9aa192ef7 platform/x86: asus-wmi: adjust screenpad power/brightness handling
4584229395d0 NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
248e4b9cc719 nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
ac8551a4254d mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
cc7716bd050b platform/x86: barco-p50-gpio: normalize return value of gpio_get
e4a666652dae platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
37a3d1b68277 usb: typec: ps883x: Fix Oops at unbind
3104a3f40feb tty: hvc_iucv: fix off-by-one in number of supported devices
19951118fb22 usb: typec: Fix error pointer dereference
099494e4499d leds: lgm-sso: Remove duplicate assignments for priv->mmap
34be68c52af8 platform/surface: surfacepro3_button: Drop wakeup source on remove
834dece8ced2 backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
7d88f2e1a972 i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
1c70c5b933e2 i3c: master: adi: Fix error propagation for CCCs
b5a2893ce6fd i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()
1b6a7e94be67 i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
c192859f2775 i3c: master: dw-i3c: Fix missing reset assertion in remove() callback
b0cdbc690dae perf util: Kill die() prototype, dead for a long time
e97cc0120390 perf maps: Fix copy_from that can break sorted by name order
def6cd4271e7 perf maps: Fix fixup_overlap_and_insert that can break sorted by name order
59a58ada259c pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description
c98c71ed8834 pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description
2db35db04c03 perf cgroup: Update metric leader in evlist__expand_cgroup
e21bac135220 ipmi: ssif_bmc: change log level to dbg in irq callback
ca4d0555000f ipmi: ssif_bmc: fix message desynchronization after truncated response
3cce2a3f8f60 ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
e62ac39eb2ce perf expr: Return -EINVAL for syntax error in expr__find_ids()
131e9cb0b932 perf tools: Fix module symbol resolution for non-zero .text sh_addr
7377e48f9ca8 memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name()
3fb038e078ec perf stat: Fix opt->value type for parse_cache_level
206ac6c702ca perf lock: Fix option value type in parse_max_stack
509d342d02ff pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers
71e13d4c1d77 pinctrl: abx500: Fix type of 'argument' variable
bb548a3c26a1 pinctrl: realtek: Fix function signature for config argument
6476aac13805 pinctrl: pinconf-generic: Fully validate 'pinmux' property
be787fea6c66 perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
9878e6ed7ec5 perf branch: Avoid incrementing NULL
518ae2a82efe pinctrl: cy8c95x0: Avoid returning positive values to user space
df50e63cdf15 pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
815a7b8af68d pinctrl: cy8c95x0: remove duplicate error message
dbfb30248dbe perf trace: Avoid an ERR_PTR in syscall_stats
4d994ff45727 pinctrl: pinctrl-pic32: Fix resource leak
dc3ece1d92e6 perf trace: Fix IS_ERR() vs NULL check bug
02c06e764fe5 bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
e15900888c09 bpf: Validate node_id in arena_alloc_pages()
e8bd8274ae56 libbpf: Prevent double close and leak of btf objects
8abad856e2a5 bpf: allow UTF-8 literals in bpf_bprintf_prepare()
6982653ce5f1 bpf: Fix NULL deref in map_kptr_match_type for scalar regs
5c04f89f9557 bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
921920c34cb5 bpf, sockmap: Take state lock for af_unix iter
041eb6348d73 bpf, sockmap: Fix af_unix null-ptr-deref in proto update
527057ebe807 bpf, sockmap: Fix af_unix iter deadlock
77ad43af2642 bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
ca51684db023 bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize
1a113b549729 bpf, arm64: Fix off-by-one in check_imm signed range check
07793ce19221 ext4: fix possible null-ptr-deref in mbt_kunit_exit()
c7abd0e6c874 HID: usbhid: fix deadlock in hid_post_reset()
c3a6ee43246d mtd: spinand: winbond: Clarify when to enable the HS bit
52aaa647b02d mtd: spinand: Give the bus interface to the configuration helper
6a5f5c25fb1f mtd: spinand: Add support for setting a bus interface
d4e22374b9b0 mtd: spinand: Gather all the bus interface steps in one single function
a602b7efb876 mtd: spinand: winbond: Configure the IO mode after the dummy cycles
a5d27efc8e4f mtd: spinand: winbond: Rename IO_MODE register macro
729833537104 mtd: spinand: Create an array of operation templates
d5de6d39a3bb mtd: spinand: Decouple write enable and write disable operations
b5804b3ae4b8 mtd: spinand: Add missing check
34e666a256de mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
84688b608f01 cxl/pci: Check memdev driver binding status in cxl_reset_done()
5a282a6f8129 mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
c92dc1b31a1d mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
5549c3f88dd7 mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
53d7a4e1b041 mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
0173aca3e4b1 mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
6278713f55d4 mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
ad41b585f0e4 mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
756afec88e85 dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
b6766b171a5c ima_fs: Correctly create securityfs files for unsupported hash algos
e4e0bd721b92 mtd: physmap_of_gemini: Fix disabled pinctrl state check
fb9364ba4fa6 HID: asus: do not abort probe when not necessary
59601f0e83d4 HID: asus: make asus_resume adhere to linux kernel coding standards
148e4f7ece72 ima: check return value of crypto_shash_final() in boot aggregate
5bfc58588ae0 remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode()
28122fcd7bcc stop_machine: Fix the documentation for a NULL cpus argument
405c94550c68 remoteproc: xlnx: Fix sram property parsing
514f1eb75ffb hte: tegra194: remove Kconfig dependency on Tegra194 SoC
0402c60abe76 tracing: Rebuild full_name on each hist_field_name() call
d7338f4dde91 tracing: move __printf() attribute on __ftrace_vbprintk()
2be24b87a474 tracing: move tracing declarations from kernel.h to a dedicated header
d09b029f639c tracing: remove size parameter in __trace_puts()
1e78af701976 soundwire: cadence: Clear message complete before signaling waiting thread
8995ef2dbebc dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
4cafee50af44 soundwire: Intel: test bus.bpt_stream before assigning it
03d56c4c3861 soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
8cedbb75f70e dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
aed87e866d1a ocfs2: validate group add input before caching
4c2d62ddde89 ocfs2: validate bg_bits during freefrag scan
2685df8577a3 ocfs2: fix listxattr handling when the buffer is full
a28f56988c8e fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
a3879c708a60 firmware: arm_ffa: Use the correct buffer size during RXTX_MAP
28a547af4432 ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
6eab9741965b lib: kunit_iov_iter: fix memory leaks
3bf5e19c804d slab: Introduce kmalloc_obj() and family
9777d7e6fc58 arm64/xor: fix conflicting attributes for xor_block_template
8f466be889a2 ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
42fbb173e855 arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
9dd9d748c5a0 soc: qcom: aoss: compare against normalized cooling state
611d9e46bdc6 soc: qcom: llcc: fix v1 SB syndrome register offset
1fb7f356547d ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
3f474c33ebc2 ocfs2/dlm: validate qr_numregions in dlm_match_regions()
a261fccdb4ac unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
c892d0d4fe5e soc/tegra: cbb: Fix cross-fabric target timeout lookup
f46870b451f7 soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
9dc2462a7595 soc/tegra: cbb: Set ERD on resume for err interrupt
aabc9baae9a7 arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
bf9a33944d7d arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual
3341ca45d280 arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word
857dbf1f51fe arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes
e77a86d883b5 arm64: dts: lx2160a: add sda gpio references for i2c bus recovery
ce85b22e556a arm64: dts: lx2160a: rename pinmux nodes for readability
b165c477175b arm64: dts: lx2160a: remove duplicate pinmux nodes
69f4d9ce27d8 arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit
5f2ca479f0f3 arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3
7fedcbedec65 arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC
85163323ab36 arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing
4675ae61aa63 arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
45669e3578ac arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
5f852e9baea0 arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
8caadf4fef50 arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader
bf30d3790340 arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
7f8365e8ff82 arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
1327f28e4775 arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
3578d41b7ef0 arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
2ea7bfce0024 arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
6360bcaf5727 arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host controller
168ec540bdfd arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
cd2894362390 arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
c1b5e85c88fb arm64: dts: qcom: sm8750: Fix GIC_ITS range length
000d5533f451 arm64: dts: qcom: sm8650: Fix GIC_ITS range length
6670dc96864b arm64: dts: qcom: sm8550: Fix GIC_ITS range length
1de0b109aaa7 arm64: dts: qcom: sm8450: Fix GIC_ITS range length
3bb7be86f4c0 arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail
16771dd53aa9 arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail
14ec98366e30 arm64: dts: qcom: monaco: correct Iris corners for the MXC rail
e589b6c38265 arm64: dts: qcom: lemans: correct Iris corners for the MXC rail
c0040375fec7 arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail
8344cd62b825 bus: rifsc: fix RIF configuration check for peripherals
8bfa413a1bd8 arm64: dts: rockchip: Add mphy reset to ufshc node
835d16955dd7 arm64: dts: rockchip: Fix RK3562 EVB2 model name
2fea83507b4c soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
c10e14863b62 soc: qcom: ocmem: register reasons for probe deferrals
702ee8e9821b soc: qcom: ocmem: make the core clock optional
99eb1df4acd4 arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace
fd16a9e05b48 arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace
6db6534abfe1 Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1"
31d145a54f16 arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi
2fda9b3776e0 arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
151c29b6952c arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
1ab2769df3de arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference
6c5178dd6036 arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier
7e6420179e21 arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices
a5f56ff8573f iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}
d02f10e74fe2 arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
1cda0e4ef9c4 arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count
1a94d799de9e arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
a2475c0a2bbb arm64: dts: qcom: talos: Add missing clock-names to GCC
c4620dad9f1b arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges
449023f22c11 arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon
e849632c0988 arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges
6256ef55fe90 arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id
4e3f607c3b99 arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype
643af7b85459 iommufd: vfio compatibility extension check for noiommu mode
982b56bf7c7d arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
8e7ff76becce arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config
e483129ae513 arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD
a028d9919f46 arm64: dts: imx8-apalis: Fix LEDs name collision
86b77735cb4c memory: tegra30-emc: Fix dll_change check
1793249c067a memory: tegra124-emc: Fix dll_change check
6dd527eb8b70 ARM: dts: mediatek: mt7623: fix efuse fallback compatible
e2b1e633257e arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
7164b3953cef ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
e0e6b14995fd efi/capsule-loader: fix incorrect sizeof in phys array reallocation
d8ffae016c4a gfs2: prevent NULL pointer dereference during unmount
49d9be0722da gfs2: add some missing log locking
3f90bfd31f16 vfio: unhide vdev->debug_root
fdd424d7c356 quota: Fix race of dquot_scan_active() with quota deactivation
d05d4a6ee877 gfs2: less aggressive low-memory log flushing
2c57d6c0afcd rtla/utils: Fix resource leak in set_comm_sched_attr()
6a815bb366c9 rtla: Replace atoi() with a robust strtoi()
dac3f0a68ec2 rtla: Fix -C/--cgroup interface
0a7a4ab3be8e ktest: Run POST_KTEST hooks on failure and cancellation
9b798ad99692 ktest: Honor empty per-test option overrides
f68e24b9697a ktest: Avoid undef warning when WARNINGS_FILE is unset
14dee7a3441f fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()
27c95204b518 fanotify: avoid/silence premature LSM capability checks
0d19bce16932 gfs2: Call unlock_new_inode before d_instantiate
ac25916e75ca ALSA: hda/realtek - fixed speaker no sound update
457369880110 ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP
ff734dbd9e24 crypto: jitterentropy - replace long-held spinlock with mutex
3ab9ab2dc188 sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking
b60a90bf7cde sched_ext: Track @p's rq lock across set_cpus_allowed_scx -> ops.set_cpumask
9769c143015c dm cache: fix missing return in invalidate_committed's error path
9a0f6c048554 ALSA: sc6000: Keep the programmed board state in card-private data
e0b049bd7b27 spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
b059a41bdd5b PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
4e7a00aeb091 PCI: tegra194: Disable L1.2 capability of Tegra234 EP
2914977cb75e PCI: tegra194: Remove unnecessary L1SS disable code
9daf2a8d9cc1 PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
5cb649c27024 PCI: tegra194: Use DWC IP core version
1e877168b0e7 PCI: tegra194: Free up Endpoint resources during remove()
e697ea9ecdeb PCI: tegra194: Allow system suspend when the Endpoint link is not up
849068f0129c PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode
e463beb1e130 PCI: tegra194: Disable direct speed change for Endpoint mode
f4556f70f00a PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
89b7185833db PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
871d9a6bf21b PCI: tegra194: Don't force the device into the D0 state before L2
fb08535d374c PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
8626b64c37c9 PCI: tegra194: Increase LTSSM poll time on surprise link down
f38e0c5f377a PCI: tegra194: Fix polling delay for L2 state
feac3db37d14 ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream
19ad2384ce5e PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports
989ccfcc920e ASoC: SOF: compress: return the configured codec from get_params
12d76d99e845 ALSA: scarlett2: Add missing sentinel initializer field
2fdb6c1e743d selftest: memcg: skip memcg_sock test if address family not supported
0619073fd082 Documentation: fix a hugetlbfs reservation statement
fc1ca4f0d6be kho: make debugfs interface optional
43106160a00b selftests/mm: skip migration tests if NUMA is unavailable
fa123b901eb6 gpu: nova-core: bitfield: fix broken Default implementation
af46044d1671 gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro
e6b0e1f74d35 gpu: nova-core: register: use field type for Into implementation
0a2d60edc3e5 PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
db805e9399c8 PCI: Enable AtomicOps only if Root Port supports them
134c61925e9e ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
254091c91767 crypto: qat - use swab32 macro
8d77cf260535 crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()
52906bb0f636 crypto: qat - fix type mismatch in RAS sysfs show functions
684bd5404f9c crypto: qat - fix compression instance leak
06b30beb9104 crypto: qat - disable 420xx AE cluster when lead engine is fused off
6aef8e6fdf4d crypto: qat - disable 4xxx AE cluster when lead engine is fused off
44faf7ea013c PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value
a1a24d4b8c96 ASoC: qcom: qdsp6: topology: check widget type before accessing data
9f0632b0d424 iommu/riscv: Remove overflows on the invalidation path
20b3c566e270 iommu/amd: Fix clone_alias() to use the original device's devid
715d7b1e1af8 ASoC: fsl_easrc: Change the type for iec958 channel status controls
9f8304abcd7e ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
cbf3693ddf5a ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
15ff6da3e9bd ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
4ab351b4b785 ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
4095fa1c8ed9 ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
fe6e720bf2a0 ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
79acc3ea6fb6 ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
891c51e19d3a ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
2a6a72a0beab ASoC: fsl_micfil: Add access property for "VAD Detected"
1140626eb6f5 drm/msm/dpu: drop INTF_0 on MSM8953
507cc9ab1e8c PM: domains: De-constify fields in struct dev_pm_domain_attach_data
2ba2e8ce483c pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
2d9cb1f588ce pmdomain: ti: omap_prm: Fix a reference leak on device node
9232d70f98cd ALSA: hda/cmedia: Remove duplicate pin configuration parsing
70f694e0bb87 drm/msm/a6xx: Use barriers while updating HFI Q headers
4180d90a4054 drm/msm/a6xx: Fix dumping A650+ debugbus blocks
279fde87aa70 drm/msm/shrinker: Fix can_block() logic
6a83ea4da004 drm/msm/a6xx: Fix HLSQ register dumping
206f812ef140 drm/msm: Fix VM_BIND UNMAP locking
8cf18974284f drm/msm: Reject fb creation from _NO_SHARE objs
30b8a3f88c59 drm/msm/vma: Avoid lock in VM_BIND fence signaling path
d0b28251ca44 ASoC: SOF: Intel: hda: Place check before dereference
c87f914822c2 ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')
f329dccceb76 hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback
06fed91296f8 PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors
0a84e210daec drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled
2381d4c5cc1e drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
c140492d0bbe drm/amd/pm/ci: Fill DW8 fields from SMC
1de9639b50db drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
9d92707b43f7 drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
432fdc0141b5 drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
c829b4633041 drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
21e8dd9906bf drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
67e582c86ab1 ASoC: amd: acp: update dmic_num logic for acp pdm dmic
edfa91bb652e ALSA: core: Validate compress device numbers without dynamic minors
3c349995e51e iommu/riscv: Fix signedness bug
e3fae61f4799 iommu/riscv: Skip IRQ count check when using MSI interrupts
ccd4c3e5c907 PCI: Fix alignment calculation for resource size larger than align
b375c3c7209c crypto: hisilicon/sec2 - prevent req used-after-free for sec
2d18cf09f2b0 PCI: Fix premature removal from realloc_head list during resource assignment
34678c978888 PCI: Use res_to_dev_res() in reassign_resources_sorted()
f176c47683bf PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support
cd3938c12bda drm/panel: simple: Correct G190EAN01 prepare timing
31b2d7be7540 drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
131e01ba249f ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode
9c47a36ceaf0 drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
a303f8863c97 drm/msm/dsi: fix hdisplay calculation for CMD mode panel
e82ef4ef320c drm/msm/dsi: fix bits_per_pclk
94e021272c45 drm/msm/dpu: don't try using 2 LMs if only one DSC is available
acde37cb798d drm/msm/dsi: add the missing parameter description
0f7dd5839cfa drm/msm/dpu: fix mismatch between power and frequency
c7d586c6348d drm/msm: add missing MODULE_DEVICE_ID definitions
3441e4b70cf9 iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement
86c8d5cdadd9 iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()
3a8d94405fd5 drm/imagination: Switch reset_reason fields from enum to u32
3d0ef0567d21 spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
eae672a7ec8a drm/amdgpu/gfx11: look at the right prop for gfx queue priority
0cd9d5878b3c drm/amdgpu/gfx10: look at the right prop for gfx queue priority
db201e6fab1e PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation
5a9f29a3e076 padata: Put CPU offline callback in ONLINE section to allow failure
8e26246dc104 padata: Remove cpu online check from cpu add and removal
3ffcd6c5dca9 crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
f4b747f0755e crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
9458a6513fe7 crypto: tegra - Disable softirqs before finalizing request
4a894ba48fa5 fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
57a1079af3ee dm init: ensure device probing has finished in dm-mod.waitfor=
c695257f6b8d drm/amdgpu: Add default case in DVI mode validation
0d3b392b0f2c iommu/riscv: Stop polling when CQCSR reports an error
380698b43f07 iommu/riscv: Add missing GENERIC_MSI_IRQ
3f917d9bff68 iommu/riscv: Add IOTINVAL after updating DDT/PDT entries
b6263eb2b188 crypto: inside-secure/eip93 - register hash before authenc algorithms
4ad705f5e889 drm/sun4i: Fix resource leaks
555eb897a455 drm/v3d: Handle error from drm_sched_entity_init()
cb54064705ad selftests/sched_ext: Add missing error check for exit__load()
75849e13e428 drm/amd/pm: Fix xgmi max speed reporting
9b614ddf3185 media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe
1de12fc4b943 spi: fsl-qspi: Use reinit_completion() for repeated operations
c1c2871f3336 spi: nxp-fspi: Use reinit_completion() for repeated operations
d7b0489d9955 drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check
1a9bef10f894 drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs
cf2ac2cac8b3 drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
3149c4f7f26f iopoll: fix function parameter names in read_poll_timeout_atomic()
b455903eed45 dm log: fix out-of-bounds write due to region_count overflow
322a3b70368d dm cache metadata: fix memory leak on metadata abort retry
a3c61bd4e943 PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()
104a6e53484e PCI: dwc: Invoke post_init in dw_pcie_resume_noirq()
a763a53d648d PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix()
b7ed10f2d8b5 platform/chrome: chromeos_tbmc: Drop wakeup source on remove
7f3e53990ad3 dm-mpath: don't stop probing paths at presuspend
21c503d60a25 dm cache: fix dirty mapping checking in passthrough mode switching
cb8b250b4277 dm cache: fix concurrent write failure in passthrough mode
c348ae47d8e6 dm cache policy smq: fix missing locks in invalidating cache blocks
b8ace9e96983 dm cache: fix write hang in passthrough mode
788ac6c94d04 dm cache: fix write path cache coherency in passthrough mode
25dcc1989c19 dm cache: fix null-deref with concurrent writes in passthrough mode
a3f3c332882c ASoC: sti: use managed regmap_field allocations
17584bdc7247 ASoC: sti: Return errors from regmap_field_alloc()
7ed07c9ce525 crypto: inside-secure/eip93 - fix register definition
1f2e41bd668f ASoC: SDCA: Update counting of SU/GE DAPM routes
36a0dcd0077b PCI: imx6: Fix device node reference leak in imx_pcie_probe()
47038159c559 drm/sun4i: backend: fix error pointer dereference
175717cfc06c PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc
b13984f0212f PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested
511c093d9ef4 PCI/TPH: Allow TPH enable for RCiEPs
e14de2cb819f ASoC: soc-compress: use function to clear symmetric params
1f7687123d38 drm/virtio: Allow importing prime buffers when 3D is enabled
fe1f80f8f6e8 drm/komeda: fix integer overflow in AFBC framebuffer size check
60a90d853fca selftests/futex: Fix incorrect result reporting of futex_requeue test item
f98084d97864 net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()
7bad93e99737 net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
6a7139084973 sctp: fix missing encap_port propagation for GSO fragments
c5a1cb8ff82b tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().
81cfd603c0bd udp: Force compute_score to always inline
1218bfe2ad6f net: phy: qcom: at803x: Use the correct bit to disable extended next page
b28b3bd9c42f Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec
dc89961b76f1 Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
385b2d0468a0 Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
3daa5818e473 Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
4ae187c7915d Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
8042240412de bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
afdc8516213e net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
ef6d5a068811 net/mlx5e: Fix features not applied during netdev registration
15a9928f8a93 net: phy: fix a return path in get_phy_c45_ids()
d7637c455a92 dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
a3be96c7b1e5 net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
65c7f0bf8ca3 net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
5013be175c7f ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
6086079e6d1c bpf: Fix OOB in pcpu_init_value
a7494479757d net/rds: Restrict use of RDS/IB to the initial network namespace
d3f880a6eb44 net/rds: Optimize rds_ib_laddr_check
bc678fa87552 selftests/bpf: Fix reg_bounds to match new tnum-based refinement
cddf2bde8420 bpf: Allow instructions with arena source and non-arena dest registers
9d51c86355d9 net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue()
3ddf6523957a net: mana: Move current_speed debugfs file to mana_init_port()
90ebf3e9c12f net: mana: Support HW link state events
34dbd7b81954 net: mana: Use pci_name() for debugfs directory naming
64daf391198c selftests: netfilter: nft_tproxy.sh: adjust to socat changes
4c727c6967a4 net/sched: act_ct: Only release RCU read lock after ct_ft
8e1387216d66 selftests/bpf: fix __jited_unpriv tag name
691adf738817 bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
adaee08e711b bpf: Relax scalar id equivalence for state pruning
0df9abbb138f net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available
83d6371570ba net: airoha: Generalize airoha_ppe2_is_enabled routine
4ea17f5e5126 net: airoha: Add airoha_eth_soc_data struct
ae1b40d3abc1 net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries()
987af7625ceb net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
e1ed678855e3 bpf: Fix RCU stall in bpf_fd_array_map_clear()
592226d13837 bpf: return VMA snapshot from task_vma iterator
3745834cf761 bpf: switch task_vma iterator from mmap_lock to per-VMA locks
d0862de7c866 bpf: fix mm lifecycle in open-coded task_vma iterator
b79d567fbc53 netfilter: nft_fwd_netdev: check ttl/hl before forwarding
35a38df4085b netfilter: xt_socket: enable defrag after all other checks
b9ee2c6c0761 eth: fbnic: Use wake instead of start
6d28910c5194 net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
c270e2bec3e5 net: bcmgenet: fix racing timeout handler
25ff3a3e47ea net: bcmgenet: fix leaking free_bds
4cab761fc51c net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
0d8726af877e macsec: Support VLAN-filtering lower devices
f33fb701ab7e arm64: kexec: Remove duplicate allocation for trans_pgd
bcfdf159d128 ACPI: AGDI: fix missing newline in error message
73ae96e2be4e arm64: entry: Don't preempt with SError or Debug masked
d88e8e4a3b52 bpf: Fix linked reg delta tracking when src_reg == dst_reg
9f88b29b79a0 bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking
254633506626 wifi: ath10k: fix station lookup failure during disconnect
76f2ebaf79a9 bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
281f2a214565 bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
a9937a3ac585 wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()
cbea71b44803 wifi: brcmfmac: Fix error pointer dereference
a710df104abb net: ethernet: ti-cpsw: fix linking built-in code to modules
2bbe3d5c9353 net: ethernet: ti-cpsw:: rename soft_reset() function
059525cf18e6 bpf: Fix stale offload->prog pointer after constant blinding
32ce55d42439 bpf: fix end-of-list detection in cgroup_storage_get_next_key()
d3d3d2791c59 macvlan: annotate data-races around port->bc_queue_len_used
b312cf41b9e4 bpf: Fix abuse of kprobe_write_ctx via freplace
d41508adff01 selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
9103787054c6 powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug
eef879190a1f powerpc/crash: fix backup region offset update to elfcorehdr
50c601805fe3 r8152: fix incorrect register write to USB_UPHY_XTAL
ae5f83c0809f drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block
fa3b3e43e883 vfio: refactor vfio_pci_mmap_huge_fault function
6b9694702c37 wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
97757d231bc6 bpf,arc_jit: Fix missing newline in pr_err messages
1391ecf3a99a bpf: Fix variable length stack write over spilled pointers
d4c4bd231eba bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
0b69217310ee bpf: Fix refcount check in check_struct_ops_btf_id()
a1a8a8bdfa21 wifi: mt76: mt7996: fix RRO EMU configuration
dc34c01521bf wifi: mt76: support upgrading passive scans to active
a2cde15af378 wifi: mt76: fix multi-radio on-channel scanning
98e0118ab51c wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter()
e54c6440114d wifi: mt76: mt7996: Switch to the secondary link if the default one is removed
d6f6b3a65660 wifi: mt76: mt7996: use correct link_id when filling TXD and TXP
5a3353b06387 wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
7da35e2d2fb7 wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property
1e0f3e5e2835 wifi: mt76: mt7921: fix 6GHz regulatory update on connection
aa4a31cd89f4 wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
6b7cbb13c838 wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
419babee9b5c wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
ae94ef093a15 wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP
612bfcfdb993 arm64: cpufeature: Make PMUVer and PerfMon unsigned
5fc8c5d45e44 wifi: mt76: fix deadlock in remain-on-channel
35180c772f5e wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync
153bcba36c87 wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
e125def8b380 wifi: mt76: mt7925: drop puncturing handling from BSS change path
a1a59bd3cd1e wifi: mt76: mt7925: cqm rssi low/high event notify
dcbc13d19bef wifi: mt76: Fix memory leak destroying device
35835ff71e6e wifi: mt76: mt7921: Place upper limit on station AID
e00c27608536 wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
815db7fd57aa wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi
93d0694fb56d wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr()
b81a93dc0aed wifi: mt76: mt7915: fix use_cts_prot support
729b4adad191 wifi: mt76: mt7615: fix use_cts_prot support
9aa3b49e1c5b wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control
3880639cec09 wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr()
1e16b0a9b988 wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr()
455a48685fee wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()
6d7f231d5fff wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove()
15205c72f1ec wifi: mt76: mt7996: Set mtxq->wcid just for primary link
900579479395 wifi: mt76: mt7996: fix iface combination for different chipsets
096b74331df2 wifi: mt76: mt7996: fix the behavior of radar detection
d902905cb708 tools/nolibc/printf: Move snprintf length check to callback
ea23d00b98f5 tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to 'outbuf[]'
ca5b2452d6f1 tools/nolibc: implement %m if errno is not defined
00c0317cebf4 wifi: libertas: don't kill URBs in interrupt context
a761a1539a55 wifi: libertas: use USB anchors for tracking in-flight URBs
d538795ea2ef module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
8f32c95a5678 params: Replace __modinit with __init_or_module
c8b710655012 powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy
366b0e05ee24 s390/bpf: Zero-extend bpf prog return values and kfunc arguments
3849f0ee39ea dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
eebe930e785d dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
0ee803fc4787 wifi: ieee80211: fix definition of EHT-MCS 15 in MRU
dd827cff429d wifi: ieee80211: split EHT definitions out
df5720d35848 wifi: ieee80211: split HE definitions out
f8d1e8038bc7 wifi: ieee80211: split VHT definitions out
4d5caab09dab wifi: ieee80211: split HT definitions out
3f459076b2d8 wifi: ieee80211: split mesh definitions out
5500913516e0 bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
aa10a452e348 wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
9fe48cacab63 wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
b4f0a37724de sched/rt: Skip group schedulable check with rt_group_sched=0
4bd99f4f86b1 firmware: dmi: Correct an indexing error in dmi.h
e5bdb8404df4 x86/vdso: Clean up remnants of VDSO32_NOTE_MASK
d739426c2fd1 ASoC: Intel: avs: Include CPUID header at file scope
7e16c122695c ASoC: Intel: avs: Check maximum valid CPUID leaf
e2a2781d1ae6 irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()
b5232c2f04e1 sched/topology: Fix sched_domain_span()
87800a0bd2fe sched/topology: Compute sd_weight considering cpuset partitions
5fbefcd7c38e locking: Fix rwlock support in <linux/spinlock_up.h>
8e1be8f79fca scripts/gdb: timerlist: Adapt to move of tk_core
6adc01405605 sparc64: vdso: Link with -z noexecstack
bec2fa23eaf2 rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`
90e8cfcd217c x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE
2783ed2442ce perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler
aaf2712f7674 perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR
e017f5b69b76 hrtimer: Reduce trace noise in hrtimer_start()
a8759eef4951 hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
6b05c427a638 irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
8139ce66b52a bus: fsl-mc: use generic driver_override infrastructure
2081957d8c32 s390/cio: use generic driver_override infrastructure
654ef9c33e13 vdpa: use generic driver_override infrastructure
2c5507010fc3 platform/wmi: use generic driver_override infrastructure
58a42be0d703 PCI: use generic driver_override infrastructure
e52830bf37a2 cpufreq: Pass the policy to cpufreq_driver->adjust_perf()
e6210630b24e amd-pstate: Update cppc_req_cached in fast_switch case
539aabbab190 amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()
187c8be0c48f soundwire: debugfs: initialize firmware_file to empty string
bfe63c16fefb debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
172b40b1468e debugfs: check for NULL pointer in debugfs_create_str()
5b4604cd5a9d thermal/drivers/spear: Fix error condition for reading st,thermal-flags
01cdbf3dcf89 devres: fix missing node debug info in devm_krealloc()
ae04d2e67f9a ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
9f8a61db50a8 ACPI: x86: cmos_rtc: Clean up address space handler driver
265ab7e7d40d OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()
7cbabc3411a7 OPP: debugfs: Use performance level if available to distinguish between rates
9a24f0000876 btrfs: fix deadlock between reflink and transaction commit when using flushoncommit
ff6b93410192 md: wake raid456 reshape waiters before suspend
f8b799e4fd97 md: remove unused static md_wq workqueue
3f1e2902b5ec dm: add WQ_PERCPU to alloc_workqueue users
d5559ac21f4a erofs: handle 48-bit blocks/uniaddr for extra devices
62c44566da74 md: fix array_state=clear sysfs deadlock
46194b5ba93b erofs: include the trailing NUL in FS_IOC_GETFSLABEL
5263ed3dd13b pstore/ram: fix resource leak when ioremap() fails
b3e005f16cd9 blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
e5ff0ba4b698 nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
37466ec483ea loop: fix partition scan race between udev and loop_reread_partitions()
996d279f2c98 drbd: Balance RCU calls in drbd_adm_dump_devices()
c3ec2db64bfe md/raid1: fix the comparing region of interval tree
0e4eff315d79 fs/mbcache: cancel shrink work before destroying the cache
6561afc38398 fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
93383b668107 blk-cgroup: wait for blkcg cleanup before initializing new disk
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be009835e779e9ad30ef595aed4131c3f2a792d6)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index b5775d2fd14..fea34b09c69 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "dda294005f893c24b6322a7bdf58d7575f4ad21f"
-SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
+SRCREV_machine ?= "058dc6c42aff140a8fa55c732809d896223fd6fc"
+SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.32"
+LINUX_VERSION ?= "6.18.33"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 70577b74b59..de87b6bdd3e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.32"
+LINUX_VERSION ?= "6.18.33"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
+SRCREV_machine ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 96ea7122d6e..78ee98fec97 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "ab16c590f189a534ded2f3940529d3ac63301c3a"
-SRCREV_machine:qemuarm64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_machine:qemuloongarch64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemuarm ?= "9b84e2ac85be6a214946c65debaab56e3bebd546"
+SRCREV_machine:qemuarm64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemuloongarch64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_machine:qemuriscv64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_machine:qemuriscv32 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_machine:qemux86 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_machine:qemux86-64 ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
+SRCREV_machine:qemuppc ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemuriscv64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemuriscv32 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemux86 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemux86-64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "8b43828d68f73df49a408e5bba88eade55b0ca09"
-SRCREV_meta ?= "a5384458147b581e6beac32ee5cec4e4422d58b1"
+SRCREV_machine ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "52386a7b1beb0a7cb5a304935f73c157109c09ad"
+SRCREV_machine:class-devupstream ?= "83657f4189612e5cbcabc3058acd36c0bd120729"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.32"
+LINUX_VERSION ?= "6.18.33"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 11/55] linux-yocto/6.18: update to v6.18.34
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (9 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 10/55] linux-yocto/6.18: update to v6.18.33 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 12/55] linux-yocto/6.18: update to v6.18.35 Yoann Congal
` (44 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
18ad16ce4a6b Linux 6.18.34
50bb3435a5e6 security/keys: fix missed RCU read section on lookup
239172639075 drm/msm: Restore second parameter name in purge() and evict()
306ba9d0e5aa LoongArch: kprobes: Fix handling of fatal unrecoverable recursions
a1a39f227c80 ksmbd: fix durable reconnect error path file lifetime
6836f694126e io_uring/nop: pass all errors to userspace
e334cbf3388f net: gro: don't merge zcopy skbs
8129611d4ede pds_core: ensure null-termination for firmware version strings
d1d76bbb6d7a net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback
719007c3492f tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
fa627a5eaa83 net: mana: validate rx_req_idx to prevent out-of-bounds array access
bc0020490f88 octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs
76dd50b7888d selftests: net: Fix checksums in xdp_native
04ef7592eaad drm/xe/oa: Fix exec_queue leak on width check in stream open
db86ac6d8daf ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()
decacc6308c5 gpio: aggregator: lock device when calling device_is_bound()
3e657619cf72 gpio: aggregator: remove the software node when deactivating the aggregator
80d94cf1773a gpio: aggregator: stop using dev-sync-probe
ea28b286649b gpio: aggregator: fix a potential use-after-free
4669f84adcb1 gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
e47f7060eaf6 tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction
1861d369efd6 bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
26f1d4522060 net: ag71xx: check error for platform_get_irq
585f9f6aef5c crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks
2417df5e7bb4 net: shaper: rework the VALID marking (again)
5a2c2aa139c8 net: shaper: annotate the data races
b5bd4249e430 net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
a0f5268c77eb Bluetooth: btmtk: fix urb->setup_packet leak in error paths
c7860b6a6d2d Bluetooth: btintel_pcie: Fix incorrect MAC access programming
d6c8b3ebdcdb tracing: Avoid NULL return from hist_field_name() on truncation
8bf00d3ac425 cgroup: rstat: relax NMI guard after switch to try_cmpxchg
3aab4a58d23f ALSA: seq: Serialize UMP output teardown with event_input
95c82d498d74 wifi: wilc1000: fix dma_buffer leak on bus acquire failure
55c479aae99b wifi: mac80211: fix MLE defragmentation
2d8379834800 wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs
425d32d6288d erofs: fix managed cache race for unaligned extents
91d13e92b983 pds_core: fix debugfs_lookup dentry leak and error handling
784dd2bdc622 pds_core: fix error handling in pdsc_devcmd_wait
ce23832071af net: airoha: Fix NPU RX DMA descriptor bits
0c277d203684 net: phy: honor eee_disabled_modes in phy_advertise_eee_all()
bd731994cff1 net: phy: honor eee_disabled_modes in phy_support_eee()
a9224862d597 bridge: mcast: Fix a possible use-after-free when removing a bridge port
981aea209977 net: bridge: Flush multicast groups when snooping is disabled
eae62c5451e6 RDMA/rtrs: Fix use-after-free in path file creation cleanup
8c63698737b4 RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port
d5b11e15ee67 ASoC: soc-utils: Add missing va_end in snd_soc_ret()
09deb063eecf platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
f6dfd64bfd9b platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
ed864a7b881c platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
7ea5aad8d351 platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
098419a4b062 platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
09ec063d87c2 net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
f71fc35b5e45 net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
89bed786f231 net: dsa: mt7530: fix FDB entries not aging out with short timeout
f1739debda62 kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
ad8e3d096fa1 drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
1f83545f432d igc: set tx buffer type for SMD frames
89964ddb322a ice: ptp: use primary NAC semaphore on E825
0010296879df ice: ptp: serialize E825 PHY timer start with PTP lock
6a01413a4e8f cgroup/rstat: validate cpu before css_rstat_cpu() access
83b8a0f72ecc drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable
8ea34da68964 drm/mediatek: mtk_cec: Fix non-static global variable
926a08cf19be wifi: ath11k: fix peer resolution on rx path when peer_id=0
6c9e9272bc37 drm/xe/pf: Fix CFI failure in debugfs access
dc26e00860a1 drm/xe/vf: Fix signature of print functions
2c890e71ae26 drm/xe/gsc: Fix double-free of managed BO in error path
181e67bc11c5 dma-mapping: move dma_map_resource() sanity check into debug code
3a74aaad0473 wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it
9e360e610a73 wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
bed1fc32e0eb hwmon: (lm90) Add lock protection to lm90_alert
c98107817b0f hwmon: (lm90) Stop work before releasing hwmon device
cdd1aaf0ee96 drm/msm/snapshot: fix dumping of the unaligned regions
0c9e4d9484cc ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5
df19b6af1716 netfilter: nft_inner: release local_lock before re-enabling softirqs
0fa225896f4b spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
fecfed41da73 ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging
7e91d3a1a98a btrfs: fix squota accounting during enable generation
ca56ffdb017b btrfs: check for subvolume before deleting squota qgroup
b422609291f6 btrfs: relax squota parent qgroup deletion rule
22d558df51d9 btrfs: check squota parent usage on membership change
a1296bb9f44a btrfs: remaining BTRFS_PATH_AUTO_FREE conversions
76ad957a72c7 btrfs: don't search back for dir inode item in INO_LOOKUP_USER
16141bef6fb1 btrfs: use the key format macros when printing keys
35f69e993d00 btrfs: add macros to facilitate printing of keys
76b995bc57bd vsock/virtio: fix zerocopy completion for multi-skb sends
782693eb53f8 io_uring/net: punt IORING_OP_BIND async if it needs file create
c53cac053d62 ALSA: scarlett2: Add missing error check when initialise Autogain Status
1ddf678bb75b ASoC: codecs: fs210x: fix possible buffer overflow
36de63965464 scsi: sd: Fix return code handling in sd_spinup_disk()
b4dc0056397f net/mlx5: Do not restore destination-less TC rules
81c8a9f75a42 tls: Preserve sk_err across recvmsg() when data has been copied
1370acb8bc39 ovpn: disable BHs when updating device stats
f7808b7ddcf2 x86/xen: Fix xen_e820_swap_entry_with_ram()
2378d25675da gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE
097d62df3831 ovpn: fix race between deleting interface and adding new peer
8298834912d7 ovpn: respect peer refcount in CMD_NEW_PEER error path
e5460eb7238c ovpn: tcp - use cached peer pointer in ovpn_tcp_close()
2bc34520ce5c net: phy: DP83TC811: add reading of abilities
af855f4c966a net: tls: prevent chain-after-chain in plain text SG
eca989eab4b2 net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
afa9036b8c99 net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
6dcd072a5ae3 powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
f4e37f3df436 drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
eea43d5ed450 drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
3a7b59d2385d Documentation: intel_pstate: Fix description of asymmetric packing with SMT
3ad2d8be6e4d x86/mce: Restore MCA polling interval halving
15dba511d569 selftests: ublk: cap nthreads to kernel's actual nr_hw_queues
ff58e5ef1b46 drm/msm/dpu: don't mix devm and drmm functions
a184aec79013 drm/msm/dsi: don't dump registers past the mapped region
d235f8f7b264 ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
d2ea0b8aef87 net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
97a8e89cdef3 accel/qaic: Add overflow check to remap_pfn_range during mmap
76410790f149 block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
086695145000 HID: quirks: really enable the intended work around for appledisplay
0943f81e1b31 block: recompute nr_integrity_segments in blk_insert_cloned_request
0d48654af4d1 block: don't overwrite bip_vcnt in bio_integrity_copy_user()
a52486394493 net: shaper: reject QUEUE scope handle with missing id
77ec90d41c59 net: shaper: enforce singleton NETDEV scope with id 0
d7c2bbbaa2c4 net: shaper: fix undersized reply skb allocation in GROUP command
f817ce8d1943 net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit
5098b223f0f0 net: shaper: reject duplicate leaves in GROUP request
d6128451c591 net: shaper: fix trivial ordering issue in net_shaper_commit()
d947e6685ff4 net: shaper: flip the polarity of the valid flag
e1b429d8e712 wifi: ath10k: skip WMI and beacon transmission when device is wedged
d94127d04017 wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
acde4692afcd wifi: ath11k: fix error path leaks in some WMI WOW calls
9bc70fe995da net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
c373b34877af net: ethernet: cortina: Carry over frag counter
3cd05250a2df net: ethernet: cortina: Drop half-assembled SKB
cfd62907f3cd net: ethernet: cortina: Make RX SKB per-port
77bb293049d6 netfs, afs: Fix write skipping in dir/link writepages
f17b9121bb99 netfs: Fix netfs_read_folio() to wait on writeback
551b5c71ee31 netfs: Fix folio->private handling in netfs_perform_write()
3d9601c029b9 netfs: Fix partial invalidation of streaming-write folio
6080fa3ecfbb netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()
22ae28aae436 netfs: Fix leak of request in netfs_write_begin() error handling
d4f4bc87c765 netfs: Fix early put of sink folio in netfs_read_gaps()
616578e40dcb netfs: Fix write streaming disablement if fd open O_RDWR
0b18cd70ebab netfs: Fix read-gaps to remove netfs_folio from filled folio
003aa0dd26c9 netfs: Fix potential deadlock in write-through mode
ef9b521212e4 netfs: Fix streaming write being overwritten
185ded4112cd netfs: Defer the emission of trace_netfs_folio()
fb6ec883b48b netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone
afeb32d9bf9a netfs: Fix overrun check in netfs_extract_user_iter()
b63971238beb netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call
884c4c4f35e5 netfs: Fix netfs_read_to_pagecache() to pause on subreq failure
5366199be46f netfs: Fix cancellation of a DIO and single read subrequests
9c6f23cf3a07 powerpc: fix dead default for GUEST_STATE_BUFFER_TEST
822bb1614ec4 powerpc: 82xx: fix uninitialized pointers with free attribute
aed60070ed7b ASoC: SOF: amd: Fix error code handling in psp_send_cmd()
510db031ba6e tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().
eba8af785fde zonefs: handle integer overflow in zonefs_fname_to_fno
9525e3a6fbb1 nvme-pci: fix use-after-free in nvme_free_host_mem()
fea4b46f84c5 nvme: fix bio leak on mapping failure
18c0456ea261 irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
06ee55f78fbe nsfs: fix wrong error code returned for pidns ioctls
d168a71fc1d6 ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation
617a2564d863 irqchip/ath79-cpu: Remove unused function
ace6b3e033c6 fs: Fix return in jfs_mkdir and orangefs_mkdir
e37ea2c6f17f fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap
56b4cfcf1518 fprobe: Fix unregister_fprobe() to wait for RCU grace period
36dc0cea30db ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC
5afefecfe054 ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC
fe59ae27d734 NFSD: Fix infinite loop in layout state revocation
e9405f704127 phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
994358adc098 net: ti: icssm-prueth: fix eth_ports_node leak in probe
7df3e1dfee53 net: lan966x: avoid unregistering netdev on register failure
d91a9a049698 ice: fix locking in ice_dcb_rebuild()
34ad3c782644 ice: fix setting RSS VSI hash for E830
eb5991d4c8ba idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
a248793f00ab net: shaper: Reject reparenting of existing nodes
bfe08fe5624b net: napi: Avoid gro timer misfiring at end of busypoll
77e7818eb347 tcp: Fix imbalanced icsk_accept_queue count.
1c24cf1fd67f test_kprobes: clear kprobes between test runs
ae8a5c6b0316 kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
c647e2a21bbb netfilter: bridge: eb_tables: close module init race
524b6337277a netfilter: x_tables: close dangling table module init race
cc989ef1c044 netfilter: ebtables: close dangling table module init race
739d5dac7b2d netfilter: ebtables: move to two-stage removal scheme
86ee5bc9c0f0 netfilter: x_tables: add and use xtables_unregister_table_exit
89ebafe7910d netfilter: x_tables: add and use xt_unregister_table_pre_exit
a9b2f73f6ba7 netfilter: x_tables: unregister the templates first
c32a7e0e3c73 btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
373f65b448ed ALSA: hda: cs35l41: Put ACPI device on missing physical node
fecae8b1fb2d ALSA: hda: cs35l56: Put ACPI device after setting companion
e984dc22e2c2 ARM: integrator: Fix early initialization
9e472874c954 firmware: arm_ffa: Fix sched-recv callback partition lookup
d1e38551fade firmware: arm_ffa: Snapshot notifier callbacks under lock
419cef661ae8 firmware: arm_ffa: Align RxTx buffer size before mapping
3c51d99449dc firmware: arm_ffa: Validate framework notification message layout
0a5dbac5ef53 firmware: arm_ffa: Keep framework RX release under lock
f39bc7ebe75e firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
fd2b01637e56 pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
3f4d82780001 kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
91e4446b35f6 kunit: config: Enable KUNIT_DEBUGFS by default
96b8b9d0dead riscv: mm: Fixup no5lvl failure when vaddr is invalid
f3216d930c0f riscv: errata: Fix bitwise vs logical AND in MIPS errata patching
1aa01b46fe3b firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
07907b897bb7 firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
1418765d28ab firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
820245d86ce5 firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
4894847fcec1 HID: uclogic: Fix regression of input name assignment
e912d5dc0096 HID: intel-thc-hid: Intel-quickspi: Fix some error codes
1fce9dcb3a66 pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615
e917713f0134 pinctrl: meson: amlogic-a4: fix deadlock issue
8d1c6b603327 pinctrl: renesas: rzg2l: Fix SMT register cache handling
c4cfa8ee7737 pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume
a7fee1322683 ARM: dts: renesas: rskrza1: Drop superfluous cells
d27b29e474a6 ARM: dts: renesas: genmai: Drop superfluous cells
00aca89f5e34 pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function
eb3cd9bb5904 hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
dd12c6dbe2ac hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
a203125c0e81 hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
b2998ae90331 hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple
fa7ca363069a hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
97a9cf2a8217 hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
2279c342d94e hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
75c862adf3d3 hwmon: (pmbus/adm1266) reject implausible blackbox record_count
e9b8f85daebf hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
e37dbe150515 batman-adv: tt: prevent TVLV entry number overflow
730de8733dd9 batman-adv: tt: fix negative tt_buff_len
179eb62506a0 batman-adv: tt: fix negative last_changeset_len
b93ca6012712 batman-adv: tt: avoid empty VLAN responses
7cac9c9ef4b7 batman-adv: tt: reject oversized local TVLV buffers
4cc85aec8d3c batman-adv: tt: fix TOCTOU race for reported vlans
2d2d365d0b9d batman-adv: tp_meter: avoid role confusion in tp_list
72d670d7a492 batman-adv: tp_meter: fix race condition in send error reporting
b285bc0a97f4 batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
770bf0a35f06 batman-adv: tp_meter: directly shut down timer on cleanup
dc2ae5fbd2da batman-adv: tp_meter: avoid use of uninit sender vars
6921a7683ae9 batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
45384612f296 batman-adv: bla: avoid double decrement of bla.num_requests
c6de1a5a9c40 batman-adv: bla: fix report_work leak on backbone_gw purge
5895ad21c705 batman-adv: frag: disallow unicast fragment in fragment
90ae3eae06b7 batman-adv: fix tp_meter counter underflow during shutdown
3eb8bcb82339 batman-adv: fix fragment reassembly length accounting
9cceea8eeba7 batman-adv: dat: handle forward allocation error
ae7aeb0ce3c0 batman-adv: clear current gateway during teardown
8a3707653ab6 batman-adv: mcast: fix use-after-free in orig_node RCU release
ca3ff3d2a0af batman-adv: iv: recover OGM scheduling after forward packet error
ede47988ac56 batman-adv: tvlv: reject oversized TVLV packets
23d4ce84df4d batman-adv: tvlv: abort OGM send on tvlv append failure
1be1e99cbd5b batman-adv: v: stop OGMv2 on disabled interface
1ecde19bfce6 drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
7ca695b31222 drm/amd/display: Validate GPIO pin LUT table size before iterating
6bbd703ea1c1 drm/amd/display: Fix integer overflow in bios_get_image()
d35563813296 drm/bridge: megachips: remove bridge when irq request fails
95306db11956 drm/bridge: it66121: acquire reset GPIO in probe
3ed448c1dc78 drm/amdgpu/vpe: Force collaborate sync after TRAP
8fadd01cf461 drm/virtio: use uninterruptible resv lock for plane updates
35671087a272 drm/v3d: Release indirect CSD GEM reference on CPU job free
0f8efc45740b drm/v3d: Fix use-after-free of CPU job query arrays on error path
942968260e61 drm/msm: Fix shrinker deadlock
508fd8ab158a device property: set fwnode->secondary to NULL in fwnode_init()
22d9b9739b8e LoongArch: Remove unused code to avoid build warning
f27a3b9aadfb LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
9e3f18883a98 fwctl: pds: Validate RPC input size before parsing
1012896f4225 RDMA/siw: Reject MPA FPDU length underflow before signed receive math
d7a076fb596c spi: ti-qspi: fix use-after-free after DMA setup failure
be409d2bbe9c spi: sprd: fix error pointer deref after DMA setup failure
8e027db9fa31 spi: ep93xx: fix error pointer deref after DMA setup failure
b9ff86310062 scsi: isci: Fix use-after-free in device removal path
78a369a065f1 phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4 fix
58f4a7bd8d73 phy: tegra: xusb: Fix per-pad high-speed termination calibration
a1f50f5aaa69 phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870
4bb4764f2c51 spi: qup: fix error pointer deref after DMA setup failure
ecdf21536c6d drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
bee400ad4f42 virt: sev-guest: Explicitly leak pages in unknown state
4f087193b5ff riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM
77071943c752 riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
94ade38f317e KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
7023900b4988 KVM: arm64: vgic: Free private_irqs when init fails after allocation
0680f5119265 KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
240373425e2d arm64: probes: Handle probes on hinted conditional branch instructions
798183376d9d tracing: Do not call map->ops->elt_free() if elt_alloc() fails
5e7d9d0805e5 cifs: Fix busy dentry used after unmounting
2dd9304727c7 wifi: mac80211: consume only present negotiated TTLM maps
acdff9907478 af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
6cfae4914439 wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
50884c2afd7a ice: restore PTP Rx timestamp config after ethtool set-channels
0b9431b972a0 ice: fix setting promisc mode while adding VID filter
9c9d00d81b41 ice: fix locking around wait_event_interruptible_locked_irq
f1bafd35f11b igc: fix potential skb leak in igc_fpe_xmit_smd_frame()
8864b664d044 octeontx2-pf: fix double free in rvu_rep_rsrc_init()
47a4cf2229be octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
5b906f31e977 lsm: hold cred_guard_mutex for lsm_set_self_attr()
9dcd4f5c99b4 rbd: eliminate a race in lock_dwork draining on unmap
dfef79e09ed2 ixgbevf: fix use-after-free in VEPA multicast source pruning
7725cd3b4717 ipv4: raw: reject IP_HDRINCL packets with ihl < 5
dc31c6947652 wifi: iwlwifi: mld: stop TX during firmware restart
6fe92651b44f wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
614cacec60fe wifi: ath11k: clear shared SRNG pointer state on restart
a3529032afe2 ice: fix VF queue configuration with low MTU values
c618cf8926c0 vsock/virtio: reset connection on receiving queue overflow
440447699c68 vsock/vmci: fix UAF when peer resets connection during handshake
29b643351012 mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
abdd03229414 ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
2bc60c175568 ring-buffer: Flush and stop persistent ring buffer on panic
610ff6bc2f44 ring-buffer: Fix reporting of missed events in iterator
0e47fc1c9181 qed: fix double free in qed_cxt_tables_alloc()
e0c3dd7b30cc l2tp: use list_del_rcu in l2tp_session_unhash
d73dcd1520d6 fs/ntfs3: handle attr_set_size() errors when truncating files
358692462555 net: ethtool: phy: avoid NULL deref when PHY driver is unbound
61f53c1e58d6 net: ethtool: fix NULL pointer dereference in phy_reply_size
752ea4a105e6 cgroup/cpuset: Reset DL migration state on can_attach() failure
1aed73795392 tracing/fprobe: Check the same type fprobe on table as the unregistered one
f0ad68d2f0ad tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
bb92f356d2b7 tracing: fprobe: use ftrace if CONFIG_DYNAMIC_FTRACE_WITH_ARGS
52cc572c9565 tracing: fprobe: Remove unused local variable
45c7c4e3db8b sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
6e73ec10b2a3 sched_ext: Fix missing warning in scx_set_task_state() default case
689bbf48c1f4 netfilter: nft_inner: Fix IPv6 inner_thoff desync
952e988163c2 netfilter: ipset: stop hash:* range iteration at end
15d464265120 netfilter: nf_queue: hold bridge skb->dev while queued
57b0ac5e1b46 netfilter: ip6t_hbh: reject oversized option lists
dac025c4e8f9 net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()
f8a5a76b4a68 net: ifb: report ethtool stats over num_tx_queues
1604a2d68414 net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover
49eff79967fd net: phy: skip EEE advertisement write when autoneg is disabled
3d4ef05266ab net: bcmgenet: keep RBUF EEE/PM disabled
84bc87beb4cd phonet/pep: disable BH around forwarded sk_receive_skb()
8b4c412e001b Bluetooth: serialize accept_q access
f1febe93ef07 Bluetooth: MGMT: validate Add Extended Advertising Data length
051922ab709c Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
192cb0f1ca70 Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
5506aec79513 Bluetooth: bnep: Fix UAF read of dev->name
61f2410a96de Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
added1213395 Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
ffb6dbb49c96 net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
0fa24311bd42 selftests/mm: run_vmtests.sh: fix destructive tests invocation
738d18f1da35 mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free
09ce923071e7 mm/memory_hotplug: fix memory block reference leak on remove
62153767e8fc mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
2fff0cdd9422 mm/memory: fix spurious warning when unmapping device-private/exclusive pages
24de676da63c ipv6: ioam: refresh hdr pointer before ioam6_event()
24840b3139d7 drivers/base/memory: fix memory block reference leak in poison accounting
b737c6612c60 io_uring/waitid: clear waitid info before copying it to userspace
5fb947ddae55 spi: amd: Set correct bus number in ACPI probe path
c32a1fbe0f9a efi: Allocate runtime workqueue before ACPI init
fcbd0a5fd812 ALSA: scarlett2: Allow flash writes ending at segment boundary
61c5017c64e2 ALSA: asihpi: Fix potential OOB array access at reading cache
feff0251386a ALSA: pcm: Don't setup bogus iov_iter for silencing
cba8dab72e9b ALSA: ua101: Reject too-short USB descriptors
ca560f7566df hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
9803e75c9813 smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close
d65104a4a815 smb: client: use data_len for SMB2 READ encrypted folioq copy
bf4ebdb19ff9 smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
a8d17d22db59 smb: client: require net admin for CIFS SWN netlink
6827647fd2dc regulator: tps65219: fix irq_data.rdev not being assigned
18d8db24b0a5 ksmbd: validate SID in parent security descriptor during ACL inheritance
0e198f09cb2a ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
cd5c1b75d2f4 ksmbd: fix null pointer dereference in compare_guid_key()
302e02f9ba49 mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
48fa96538bd2 sysfs: don't remove existing directory on update failure
141ffb83abe9 drm/vblank: Fix kernel docs for vblank timer
ed39ecd3a96c drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()
a0582cc92398 drm/vkms: Convert to DRM's vblank timer
60918357456d drm/vblank: Add CRTC helpers for simple use cases
fa4b91eea433 drm/vblank: Add vblank timer
18a08b87db71 Revert "ice: Remove jumbo_remove step from TX path"
523cd0ea0324 Revert "ice: fix double-free of tx_buf skb"
515de0a3b6c1 ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
4e6eada8de38 ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS
f207ebd5656e ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT
62ee00c1042c ata: libata-scsi: improve readability of ata_scsi_qc_issue()
9d11e4b1db1c mfd: bcm2835-pm: Add support for BCM2712
ed915823d469 arm64: dts: broadcom: bcm2712: Add watchdog DT node
375d5a17dc8d dt-bindings: soc: bcm: Add bcm2712 compatible
91f89c1d83e8 smb: client: reject userspace cifs.spnego descriptions
5da69a65b282 ksmbd: close durable scavenger races against m_fp_list lookups
aae4a47073b1 spi: spi-dw-dma: fix print error log when wait finish transaction
e8ec80430bfa bridge: mrp: reject zero test interval to avoid OOM panic
0638bf16b7a7 sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
3f0543bdf446 sched: Employ sched_change guards
dc184ac2f0ba cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
da3d241c5b92 fuse: fix uninit-value in fuse_dentry_revalidate()
488d2c76bd9f iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
b9a4184271b9 iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs
814326e86e92 drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 37e63d10757bcbcb27e5edd65086868593a0d0bc)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index fea34b09c69..09adce37c18 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "058dc6c42aff140a8fa55c732809d896223fd6fc"
-SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
+SRCREV_machine ?= "70ee73bc5040b0150d134f5830dcbb83f8f550f6"
+SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.33"
+LINUX_VERSION ?= "6.18.34"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index de87b6bdd3e..3723c81c729 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.33"
+LINUX_VERSION ?= "6.18.34"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
+SRCREV_machine ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 78ee98fec97..09c2093e16d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "9b84e2ac85be6a214946c65debaab56e3bebd546"
-SRCREV_machine:qemuarm64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_machine:qemuloongarch64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemuarm ?= "1fa8e29233b43f22ce5dd26e3bc08ad79784a7ca"
+SRCREV_machine:qemuarm64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemuloongarch64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_machine:qemuriscv64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_machine:qemuriscv32 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_machine:qemux86 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_machine:qemux86-64 ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
+SRCREV_machine:qemuppc ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemuriscv64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemuriscv32 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemux86 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemux86-64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "32bc3dcadb49e9a4f4474ec743e2c5ddd7f44a27"
-SRCREV_meta ?= "3fe9b5c19ed6f8883e7d12a89a0ea882e3facfef"
+SRCREV_machine ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "83657f4189612e5cbcabc3058acd36c0bd120729"
+SRCREV_machine:class-devupstream ?= "18ad16ce4a6b2714583fd1e1044c6ea8e53b3519"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.33"
+LINUX_VERSION ?= "6.18.34"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 12/55] linux-yocto/6.18: update to v6.18.35
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (10 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 11/55] linux-yocto/6.18: update to v6.18.34 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 13/55] libssh2: fix CVE-2026-55200 Yoann Congal
` (43 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.18 to the latest korg -stable release that comprises
the following commits:
acb7cf4c1184 Linux 6.18.35
918450ad6010 KVM: arm64: Reassign nested_mmus array behind mmu_lock
2bbc395e81bd KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
adc6fc240a61 tools: ynl: add scope qualifier for definitions
f54b30f3316a usb: core: Fix SuperSpeed root hub wMaxPacketSize
830c8a9b467e thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
21bfa15a89d8 drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable
00869f2320dc mailbox: Fix NULL message support in mbox_send_message()
5372f6f10b0a xhci: tegra: Fix ghost USB device on dual-role port unplug
58b2c0f096b3 net: phy: micrel: fix LAN8814 QSGMII soft reset
972ea882d4bf mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
56857385f313 hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
6b94f9f5fe28 hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
192516d72774 hwmon: (pmbus) Add support for guarded PMBus lock
d8fdf33d6fcf USB: serial: mct_u232: fix memory corruption with small endpoint
062dcc0b324a USB: serial: digi_acceleport: fix memory corruption with small endpoints
284105c40fc3 USB: serial: cypress_m8: fix memory corruption with small endpoint
c73c62a4bd52 usb: dwc3: xilinx: fix error handling in zynqmp init error paths
9327252e0462 xfrm: iptfs: reset runtime state when cloning SAs
bb50838a2a06 cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E
7cb2daed3509 cpufreq: intel_pstate: Add and use hybrid_get_cpu_type()
8f72a2509163 mptcp: reset rcv wnd on disconnect
82e742b9d2cc mptcp: cleanup fallback dummy mapping generation
0d9b9d7dbef9 octeontx2-pf: avoid double free of pool->stack on AQ init failure
fe93e907b1af arm64: tlb: Flush walk cache when unsharing PMD tables
bb37498a99e4 mptcp: do not drop partial packets
a84164847b1e mptcp: borrow forward memory from subflow
c67f986fc02c mptcp: handle first subflow closing consistently
134c517dfa63 net: devmem: reject dma-buf bind with non-page-aligned size or SG length
b2beed6ad149 selftests: mptcp: drop nanoseconds width specifier
c5e7d4865292 Bluetooth: hci_qca: Convert timeout from jiffies to ms
8264178afb5c Bluetooth: hci_qca: Migrate to serdev specific shutdown function
0acba63d7d46 serdev: Provide a bustype shutdown function
8bf7dbb741dd rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
46cb765e2e5a rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
fed725cace3a x86/mm: Disable broadcast TLB flush when PCID is disabled
81181a39bde9 platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
1730c91a8b9a platform/x86/intel/vsec: Make driver_data info const
4b0e87f9b50f platform/x86/intel/vsec: Refactor base_addr handling
71b88acec0a7 serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()
7f8b194ed720 serial: 8250: dispatch SysRq character in serial8250_handle_irq()
5f2172d799f3 serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)
237dc8c08de3 serial: zs: Convert to use a platform device
81984447eac4 serial: zs: Switch to using channel reset
b1ceeaef4fbc serial: zs: Fix bootconsole handover lockup
2ff0401ffdda serial: dz: Convert to use a platform device
2c5b693d918c serial: dz: Fix bootconsole handover lockup
24b7be239b0b serial: dz: Fix bootconsole message clobbering at chip reset
f059b4c493df drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
fa372f4e8aef drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
1eb86334e391 drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO
275396bf71c4 drm/amdkfd: Check for pdd drm file first in CRIU restore path
5cf4a41aa0d7 drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
2f9c3c161692 drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
348e01e64a87 serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
8e39badab090 serial: zs: Fix swapped RI/DSR modem line transition counting
10ddd1a320e1 serial: sh-sci: fix memory region release in error path
654f45a8569f serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
78d0d6f69bd6 serial: qcom-geni: fix UART_RX_PAR_EN bit position
9a91692fae5c serial: altera_jtaguart: handle uart_add_one_port() failures
ffa7dce35b64 drm/amd/pm/si: Disregard vblank time when no displays are connected
c9ae7e7e3bc9 drm/i915: Fix potential UAF in TTM object purge
fed64e47a32f drm/i915/psr: Block DC states on vblank enable when Panel Replay supported
0dfa42cfe4db drm/gem: fix race between change_handle and handle_delete
164dc7bf1760 drm/hyperv: validate VMBus packet size in receive callback
9c698b2c43c2 drm/hyperv: validate resolution_count and fix WIN8 fallback
4a3a19c98a82 scsi: target: iscsi: Validate CHAP_R length before base64 decode
594a40360012 scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
89c81d1228c0 scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
35461d237441 scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
14dd80a20a72 scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
d548179adcc8 thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
31b98e503ecc thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
c7d421123b98 usb: gadget: f_fs: serialize DMABUF cancel against request completion
607730a41477 usb: gadget: f_fs: copy only received bytes on short ep0 read
5933063935e8 usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
f8f5a8f48c7c usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
f928630f450b usb: gadget: f_hid: fix device reference leak in hidg_alloc()
e6f8be12f030 usb: gadget: net2280: Fix double free in probe error path
caec0145e597 usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
f06bcaba2970 USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
6c0cf56f00f2 USB: serial: mxuport: fix memory corruption with small endpoint
ea2b792330b4 USB: serial: keyspan: fix missing indat transfer sanity check
ae03453f2c80 USB: serial: cypress_m8: validate interrupt packet headers
22823a319fb2 USB: serial: belkin_sa: validate interrupt status length
f7c3fcd63405 USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
38ba1a464c0d USB: serial: option: add MeiG SRM813Q
62fbc1396108 usb: typec: ucsi: Don't update power_supply on power role change if not connected
d62d97c9c8c2 usb: typec: ucsi: Check if power role change actually happened before handling
f34effb0b545 usb: typec: tcpm: improve handling of DISCOVER_MODES failures
02d9d8b79e18 usb: typec: tipd: Fix error code in tps6598x_probe()
a90139ff1eba usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
75f6d3da2cc6 usb: usbtmc: check URB actual_length for interrupt-IN notifications
88d459e5b5a4 usbip: vudc: Fix use after free bug in vudc_remove due to race condition
5b78d8b9a832 usb: storage: Add quirks for PNY Elite Portable SSD
94b05aec1985 USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
69f9f2b30af0 usb: musb: omap2430: Fix use-after-free in omap2430_probe()
3bc65566331a usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
7118304b1a77 usb: chipidea: core: convert ci_role_switch to local variable
9fd48937046e tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
66f8bfea055b tty: serial: pch_uart: add check for dma_alloc_coherent()
b4bebb6e0a44 counter: Fix refcount leak in counter_alloc() error path
c7e670cb2538 comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
269f5be6a6e4 comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
fdb74898d91d Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
7f95f4792c0d Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
639fa8af506e misc: rp1: Send IACK on IRQ activate to fix kdump/kexec
94215d55b094 ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
6617ee91062b Input: xpad - add support for ASUS ROG RAIKIRI II
3d63b8077f5b Input: xpad - add "Nova 2 Lite" from GameSir
2ffd8b0dd448 ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP
c093468aea82 xfrm: esp: restore combined single-frag length gate
c4609fff0665 ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
35be14ea8298 ASoC: qcom: q6asm-dai: close stream only when running
b98ab51c45c5 netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
b9027ff112b6 ALSA: firewire-motu: Protect register DSP event queue positions
befcb15c1f05 ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
aa0c7e59192b xfrm: ah: use skb_to_full_sk in async output callbacks
dc6dcba80d72 xfrm: ipcomp: Free destination pages on acomp errors
448bb92ca101 xfrm: route MIGRATE notifications to caller's netns
22d41b176b99 nfc: hci: fix out-of-bounds read in HCP header parsing
8b1f4f618fd8 iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
b8338111e141 HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
59139473a7a7 spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
96a4713ae041 net: skbuff: fix missing zerocopy reference in pskb_carve helpers
fc32be9ac278 ip6: vti: Use ip6_tnl.net in vti6_changelink().
947013fd7c8c l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname
9f7ebb45a83a xfrm: input: hold netns during deferred transport reinjection
a35daeabb433 ipv6: validate extension header length before copying to cmsg
853f6ea482df ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
751db1b802a0 ipv6: exthdrs: refresh nh after handling HAO option
90983f841dfa ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
c512e1c819df ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
6d00f5c7e5ff macsec: fix replay protection at XPN lower-PN wrap
5e1902866796 bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
e4892b1ecd73 wireguard: send: append trailer after expanding head
d59cc66b7027 x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
3f43865cb64d i2c: davinci: fix division by zero on missing clock-frequency
bf769358419e Input: elan_i2c - validate firmware size before use
84ea928ed584 usb: dwc2: Fix use after free in debug code
94c92f9c886c usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
459c4fa089f7 usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
b2723bd468c5 usb: cdns3: gadget: fix request skipping after clearing halt
0fee0ccac29e USB: serial: omninet: fix memory corruption with small endpoint
3412a95afaa5 iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
a3763ae33476 iio: buffer: hw-consumer: fix use-after-free in error path
390254cf509b iio: light: cm3323: fix reg_conf not being initialized correctly
5e4d34092a5e iio: chemical: scd30: fix division by zero in write_raw
a5a05410cb34 iio: chemical: mhz19b: reject oversized serial replies
cbd2d7e6bd4f iio: Fix iio_multiply_value use in iio_read_channel_processed_scale
8d4daa614440 iio: light: veml6070: Fix resource leak in probe error path
ae01ec83841d iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
aefc19ca3dd3 iio: temperature: tsys01: fix broken PROM checksum validation
04a4d9822210 iio: ssp_sensors: cancel delayed work_refresh on remove
aaf9d640e9ae iio: gyro: adis16260: fix division by zero in write_raw
15a0b3f33ffb iio: gyro: itg3200: fix i2c read into the wrong stack location
5cb8cede8baf iio: adc: ad4695: Fix call ordering in offload buffer postenable
7155e7fce429 iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
944082fdb028 iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
991d359faa95 iio: dac: ad5686: fix powerdown control on dual-channel devices
31de336a2c0d iio: dac: ad5686: acquire lock when doing powerdown control
f541c9a1eb89 iio: dac: ad5686: fix input raw value check
69f7d101976c iio: dac: ad5686: fix ref bit initialization for single-channel parts
684bfd655b80 iio: dac: max5821: fix return value check in powerdown sync
88c9dd5170e0 iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings
2ce5ca7824a1 iio: adc: npcm: fix unbalanced clk_disable_unprepare()
0ee771fff32e iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
bb1b43e8a7ed Disable -Wattribute-alias for clang-23 and newer
bbd989d6fd36 KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
b1dfaa6f7a95 KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
75c8d1d72912 KVM: SEV: Check PSC request indices against the actual size of the buffer
9f0a9e780f02 KVM: SEV: Compute the correct max length of the in-GHCB scratch area
5300aedbee56 KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
e4ab26f81a63 KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
2254972d4d69 KVM: SEV: Ignore Port I/O requests of length '0'
c9b4198fbc6e KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
ec62e8480e82 KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
b1fc4a83dd44 KVM: arm64: PMU: Preserve AArch32 counter low bits
625153b917bc USB: cdc-acm: Fix bit overlap and move quirk definitions to header
667599e71832 rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN
f2f2671e32c5 rust_binder: Avoid holding lock when dropping delivered_death
74d6aae1df45 parport: Fix race between port and client registration
9749db57233b Input: xpad - fix out-of-bounds access for Share button
d9019210c8c3 Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
2b7651f58670 Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
e6b78019664d Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
bc08c15746f2 Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
c318aa51830a Bluetooth: ISO: fix UAF in iso_recv_frame
6348dfed5b0f Bluetooth: HIDP: fix missing length checks in hidp_input_report()
e8a5baff5be2 Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
859d3ace791e Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
388051f7389a smb: client: fix uninitialized variable in smb2_writev_callback
197476b12601 auxdisplay: line-display: fix OOB read on zero-length message_store()
0fcc34d0d8fe mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one
0995d1f79aed memfd: deny writeable mappings when implying SEAL_WRITE
f1f0cdca932b mm: memcontrol: propagate NMI slab stats to memcg vmstats
a3cc795129e5 ipc: limit next_id allocation to the valid ID range
0ba6c05156d9 mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()
0886c6f257fe hpfs: fix a crash if hpfs_map_dnode_bitmap fails
4064a30381fa Bluetooth: btusb: Allow firmware re-download when version matches
6728e80c9d29 HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
8735a28f2dcd Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
f33b5a61673b media: rc: igorplugusb: fix control request setup packet
f793b67d41e5 USB: serial: safe_serial: fix memory corruption with small endpoint
0edd1e21587b usb: typec: ucsi: validate connector number in ucsi_connector_change()
9b496e3371c0 usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
e94933dc41b8 usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
b10eff5abe6a usb: typec: altmodes/displayport: validate count before reading Status Update VDO
052dbef45cb3 usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
4505f33dab56 usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
f9d787fbe831 usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
a38ed87818b2 usb: typec: ucsi: ccg: reject firmware images without a ':' record header
a58400f58f82 iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
ce582b22dd2f iio: imu: adis16550: fix stack leak in trigger handler
e6bb3a49c5f9 iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
278b0df1f736 phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
487393023feb drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
c058cf6b84c1 drm/i915/psr: Read Intel DPCD workaround register
dd4cbab2a446 drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
600ad63124de s390/cio: Restore GFP_DMA for CHSC allocation
0171e01de47a Revert "x86/fpu: Refine and simplify the magic number check during signal return"
ff0ca46b13b9 smb: client: validate the whole DACL before rewriting it in cifsacl
efacf63ed087 media: rc: ttusbir: fix inverted error logic
e250b672d40a media: rc: fix race between unregister and urb/irq callbacks
814be4a0924b net: skbuff: fix pskb_carve leaking zcopy pages
ab9a10969a90 ipv6: fix possible infinite loop in fib6_select_path()
dc36a04621dc ipv6: fix possible infinite loop in rt6_fill_node()
b62e2b2b4a50 vsock/virtio: bind uarg before filling zerocopy skb
68667ee4c7da sctp: fix race between sctp_wait_for_connect and peeloff
c4152b4e28b3 net: mana: Skip redundant detach on already-detached port
da87896f34e0 net: mana: Add NULL guards in teardown path to prevent panic on attach failure
7f945f7f10f4 gpio: rockchip: teardown bugs and resource leaks
e2fabb984bfd gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
5d43c71fa8e1 gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
b6cdbb681ce1 gpio: adnp: fix flow control regression caused by scoped_guard()
ae2eac5e9cfe Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
47330cc875b3 Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
41e29548b5e8 Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
f39049304ba6 Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
1d4dcfe60fe1 net/handshake: Pass negative errno through handshake_complete()
25b2fcdea6f6 nvme-tcp: store negative errno in queue->tls_err
0866569fc36a net/handshake: Use spin_lock_bh for hn_lock
c35064294eca net: hibmcge: disable Relaxed Ordering to fix RX packet corruption
7f97b8352ce5 net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
6fe1cb312038 ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
fd0de51c54fa ethtool: eeprom: add more safeties to EEPROM Netlink fallback
c944cab3df82 ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback
3e656023a649 ethtool: strset: fix header attribute index in ethnl_req_get_phydev()
2008f9bb1ede ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure
ab94e0d6664d ethtool: tsinfo: fix uninitialized stats on the by-PHC path
d02342d9bb4f ethtool: tsconfig: fix missing ethnl_ops_complete()
912f8b23bc4b ethtool: pse-pd: fix missing ethnl_ops_complete()
49455e27838a ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error
d11c98484485 ethtool: tsconfig: fix reply error handling
0c02c190bcd9 ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
e976e3f2f200 bridge: Fix sleep in atomic context in sysfs path
c9c2e609e839 bridge: Fix sleep in atomic context in netlink path
9ea8a648d912 bonding: refuse to enslave CAN devices
e673889a35a5 Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
75cf24709037 drm/xe: Restore IDLEDLY regiter on engine reset
164dcbec9632 ASoC: codecs: simple-mux: Fix enum control bounds check
de9eb0b44fa9 ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
43368636c663 tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
5303925e3605 vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
6dff77899b9e tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
2a8c9994406b cxl/test: Update mock dev array before calling platform_device_add()
41d2dc766bf8 ethtool: cmis: validate fw->size against start_cmd_payload_size
0696709e951b ethtool: cmis: validate start_cmd_payload_size from module
0cbce444db75 ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl
4d42fb88ec61 ethtool: cmis: require exact CDB reply length
e1dd697094f1 ethtool: module: fix cleanup if socket used for flashing multiple devices
9e70c8efb0ca ethtool: module: check fw_flash_in_progress under rtnl_lock
9f5108f5ee27 ethtool: module: avoid racy updates to dev->ethtool bitfield
61848c83b913 ethtool: module: avoid leaking a netdev ref on module flash errors
d9defbf8b62b ethtool: module: call ethnl_ops_complete() on module flash errors
7877d8fbbec2 ethtool: rss: avoid device context leak on reply-build failure
7ddc3b3ddee8 ethtool: rss: fix hkey leak when indir_size is 0
33d05c22d6f2 ethtool: rss: fix indir_table and hkey leak on get_rxfh failure
39c01c405063 ethtool: rss: fix falsely ignoring indir table updates
6a775ec73210 ethtool: rss: add missing errno on RSS context delete
f23e4d7324b8 ethtool: rss: avoid modifying the RSS context response
48fd840a26d3 net: Avoid checksumming unreadable skb tail on trim
03e9405c518c net: team: fix NULL pointer dereference in team_xmit during mode change
c2af23b48f93 net: team: Rename port_disabled team mode op to port_tx_disabled
a20e6ae5f05e net: team: Remove unused team_mode_op, port_enabled
f2e077e8979f gpio: mxc: fix irq_high handling
fbd0662f9c9a net: hsr: fix potential OOB access in supervision frame handling
2a15a03e58b0 net/mlx5: HWS: Reject unsupported remove-header action
f0ac76e3d55e ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
e13922bb97b4 ALSA: pcm: oss: Fix setup list UAF on proc write error
a7f4eefb6e14 ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
475f2b37a78f scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues
981736924338 net/iucv: fix locking in .getsockopt
55cba6b883b4 net/smc: Do not re-initialize smc hashtables
bcd0d19db3e6 net: netlink: don't set nsid on local notifications
ca5e36629641 net: netlink: fix sending unassigned nsid after assigned one
ef3b3ea864d0 vsock: keep poll shutdown state consistent
aa308e9dbb9a tun: free page on build_skb failure in tun_xdp_one()
37a1c268c2c8 tun: free page on short-frame rejection in tun_xdp_one()
96bea2a7baac netfilter: nf_tables: fix dst corruption in same register operation
bf8e8eac7ede netfilter: ebtables: fix OOB read in compat_mtw_from_user
052468b1c93b netfilter: xt_cpu: prefer raw_smp_processor_id
f0fea2b6d545 netfilter: synproxy: refresh tcphdr after skb_ensure_writable
18abd88d19ea accel/rocket: fix UAF via dangling GEM handle in create_bo
45564a16a24f kunit: fix use-after-free in debugfs when using kunit.filter
e1b8a53834dc HID: remove duplicate hid_warn_ratelimited definition
bebc7dc0fb4b tools/bootconfig: Fix buf leaks in apply_xbc
b4702049417f nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
82ac903e0b51 xfrm: Check for underflow in xfrm_state_mtu
650bdd8fdfab nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
912ebc49d440 nfc: llcp: Fix use-after-free in llcp_sock_release()
8b733ee4aecd bcache: fix uninitialized closure object
dbc560858da8 net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
91cc13978ab0 xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
54ed418de62a net: mctp: ensure our nlmsg responses are initialised
41845bc5bb64 net/sched: cls_fw: fix NULL dereference of "old" filters before change()
0ca809ea8e03 Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5aec8fee3cdd4025ae2e6117a55819dee90fa4fb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../linux/linux-yocto-rt_6.18.bb | 6 ++---
.../linux/linux-yocto-tiny_6.18.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 09adce37c18..00c0b090df0 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -15,13 +15,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "70ee73bc5040b0150d134f5830dcbb83f8f550f6"
-SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
+SRCREV_machine ?= "35a623d1a755631bbc73e11fa02eee0e1092188b"
+SRCREV_meta ?= "4dafe0e420087b6381728e68eeeff6d9af0a32e7"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.18.34"
+LINUX_VERSION ?= "6.18.35"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 3723c81c729..e2fd09a403e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -9,7 +9,7 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
-LINUX_VERSION ?= "6.18.34"
+LINUX_VERSION ?= "6.18.35"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -18,8 +18,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
+SRCREV_machine ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_meta ?= "4dafe0e420087b6381728e68eeeff6d9af0a32e7"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 09c2093e16d..2b1298dedf9 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.18/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.18/standard/base"
KBRANCH:qemumips64 ?= "v6.18/standard/mti-malta"
-SRCREV_machine:qemuarm ?= "1fa8e29233b43f22ce5dd26e3bc08ad79784a7ca"
-SRCREV_machine:qemuarm64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_machine:qemuloongarch64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemuarm ?= "84b49a9fef57bf4ff3a2919591fde336fe7944bf"
+SRCREV_machine:qemuarm64 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_machine:qemuloongarch64 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
SRCREV_machine:qemumips ?= "62ea92a539f58803a222be98b81118403074206e"
-SRCREV_machine:qemuppc ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_machine:qemuriscv64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_machine:qemuriscv32 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_machine:qemux86 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_machine:qemux86-64 ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
+SRCREV_machine:qemuppc ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_machine:qemuriscv64 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_machine:qemuriscv32 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_machine:qemux86 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_machine:qemux86-64 ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
SRCREV_machine:qemumips64 ?= "9fb4ff0187c85426f21fd40d4c61b742800f65c4"
-SRCREV_machine ?= "9b4e099993ff056f132851e3d3ff67550e0e9090"
-SRCREV_meta ?= "3a459546a712ea2b92d6b5a5cfd175dd1851896c"
+SRCREV_machine ?= "efc05d9af9f5b5a647e229c92542e413c3a9915d"
+SRCREV_meta ?= "4dafe0e420087b6381728e68eeeff6d9af0a32e7"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "18ad16ce4a6b2714583fd1e1044c6ea8e53b3519"
+SRCREV_machine:class-devupstream ?= "acb7cf4c1184e27622be0faf89244d5001ed1e87"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.18/base"
@@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.18;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.18.34"
+LINUX_VERSION ?= "6.18.35"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 13/55] libssh2: fix CVE-2026-55200
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (11 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 12/55] linux-yocto/6.18: update to v6.18.35 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 14/55] libssh2: fix CVE-2026-55199 Yoann Congal
` (42 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Daniel Turull <daniel.turull@ericsson.com>
Backport patch to fix CVE-2026-55200.
https://nvd.nist.gov/vuln/detail/CVE-2026-55200
Upstream fix:
https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
Tested with ptest:
Before: PASSED: 3, FAILED: 0, SKIPPED: 0
After: PASSED: 3, FAILED: 0, SKIPPED: 0
Reviewed-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
(cherry picked from commit 42c8c6ec3066dc47b9eeeba0247ffa927193abff)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libssh2/libssh2/CVE-2026-55200.patch | 36 +++++++++++++++++++
.../recipes-support/libssh2/libssh2_1.11.1.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch
diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch
new file mode 100644
index 00000000000..9a71277cce4
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch
@@ -0,0 +1,36 @@
+From df0b03ee5ef12f3a46fccc0fc688ebfb91702972 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 12 Jun 2026 15:57:44 -0700
+Subject: [PATCH] transport.c: Additional boundary checks for packet length
+ (#2052)
+
+Add additional bounds checking on packet length to prevent OOB write.
+
+Credit: [TristanInSec](https://github.com/TristanInSec)
+
+CVE: CVE-2026-55200
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8]
+
+Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
+---
+ src/transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index e1120656..d147505b 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -639,8 +639,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+ total_num = 4;
+
+ p->packet_length = _libssh2_ntohu32(block);
+- if(p->packet_length < 1)
++ if(p->packet_length < 1) {
+ return LIBSSH2_ERROR_DECRYPT;
++ }
++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++ }
+
+ /* total_num may include size field, however due to existing
+ * logic it needs to be removed after the entire packet is read
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
index e825c8c5bb8..5ffc40b8fcf 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \
file://CVE-2026-7598.patch \
+ file://CVE-2026-55200.patch \
"
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 14/55] libssh2: fix CVE-2026-55199
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (12 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 13/55] libssh2: fix CVE-2026-55200 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 15/55] binutils: Fix CVE-2026-6846 Yoann Congal
` (41 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Daniel Turull <daniel.turull@ericsson.com>
Backport patch to fix CVE-2026-55199.
https://nvd.nist.gov/vuln/detail/CVE-2026-55199
Upstream fix:
https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4
Tested with ptest:
Before: PASSED: 3, FAILED: 0, SKIPPED: 0
After: PASSED: 3, FAILED: 0, SKIPPED: 0
Reviewed-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
(cherry picked from commit 5b52af4a02849c1ce74491056a2d13e4e3b6ad2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libssh2/libssh2/CVE-2026-55199.patch | 44 +++++++++++++++++++
.../recipes-support/libssh2/libssh2_1.11.1.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-55199.patch
diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-55199.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-55199.patch
new file mode 100644
index 00000000000..81815486ada
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-55199.patch
@@ -0,0 +1,44 @@
+From b5cb1c1781ba5f275485f65855d61faaba6542b2 Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn@gmail.com>
+Date: Wed, 15 Apr 2026 14:51:08 -0400
+Subject: [PATCH] packet: check `_libssh2_get_string()` return in `EXT_INFO`
+ handler
+
+The `SSH_MSG_EXT_INFO` handler discards the return values from
+`_libssh2_get_string()` when parsing extension name/value pairs. When
+the buffer is exhausted before all claimed extensions are parsed,
+the loop continues with no-op iterations until `nr_extensions` reaches
+zero.
+
+The `nr_extensions >= 1024` cap limits the worst case, but the loop
+should still break on parse failure for correctness and consistency
+with other parsers in this file (e.g. `SSH_MSG_CHANNEL_OPEN`,
+`SSH_MSG_KEXINIT`) that check `_libssh2_get_string()` return values.
+
+Closes #1864
+
+CVE: CVE-2026-55199
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4]
+
+Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
+---
+ src/packet.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 6da14e9f..ebaddae5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -868,8 +868,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ nr_extensions -= 1;
+
+- _libssh2_get_string(&buf, &name, &name_len);
+- _libssh2_get_string(&buf, &value, &value_len);
++ if(_libssh2_get_string(&buf, &name, &name_len))
++ break;
++ if(_libssh2_get_string(&buf, &value, &value_len))
++ break;
+
+ if(name && value) {
+ _libssh2_debug((session,
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
index 5ffc40b8fcf..2407ed34d94 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \
file://CVE-2026-7598.patch \
file://CVE-2026-55200.patch \
+ file://CVE-2026-55199.patch \
"
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 15/55] binutils: Fix CVE-2026-6846
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (13 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 14/55] libssh2: fix CVE-2026-55199 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 16/55] cmake-native: prevent host libidn2 contamination Yoann Congal
` (40 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
This patch applies the upstream fix as referenced in [2], using the commit shown in [1].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a089e0302382f4d4e077941156e1eaa68d01393
[2] https://security-tracker.debian.org/tracker/CVE-2026-6846
Tested with binutils-testsuite (bitbake binutils-testsuite -c check):
binutils: PASSED: 327, FAILED: 0, SKIPPED: 5
gas: PASSED: 2091, FAILED: 0, SKIPPED: 4
ld: PASSED: 1899, FAILED: 0, SKIPPED: 129
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
(cherry picked from commit 48a578533a584cc550f308490e9ff6443192c79c)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../binutils/binutils-2.46.inc | 1 +
.../binutils/binutils/CVE-2026-6846.patch | 59 +++++++++++++++++++
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
index 13d2a02108a..cab270cea5d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.46.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
@@ -39,4 +39,5 @@ SRC_URI = "\
file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
file://CVE-2026-4647.patch \
+ file://CVE-2026-6846.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
new file mode 100644
index 00000000000..e7d1c3aa007
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
@@ -0,0 +1,59 @@
+From 7a089e0302382f4d4e077941156e1eaa68d01393 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 6 Apr 2026 22:58:22 +0930
+Subject: [PATCH] PR 34049 buffer overflow in xcoff_link_add_symbols
+
+The fact that coffcode.h:coff_set_alignment_hook for rs6000 removes
+sections can result in target_index > section_count. Thus any array
+indexed by target_index must not be sized by section_count.
+
+ PR ld/34049
+ * xcofflink.c (xcoff_link_add_symbols): Size reloc_info array
+ using max target_index.
+
+CVE: CVE-2026-6846
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=7a089e0302382f4d4e077941156e1eaa68d01393]
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+(cherry picked from commit 7a089e0302382f4d4e077941156e1eaa68d01393)
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ bfd/xcofflink.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c
+index 1781182fa6a..7f1c0df760f 100644
+--- a/bfd/xcofflink.c
++++ b/bfd/xcofflink.c
+@@ -1335,6 +1335,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
+ } *reloc_info = NULL;
+ bfd_size_type amt;
+ unsigned short visibility;
++ unsigned int max_target_index;
+
+ keep_syms = obj_coff_keep_syms (abfd);
+
+@@ -1398,7 +1399,19 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
+ order by VMA within a given section, so we handle this by
+ scanning along the relocs as we process the csects. We index
+ into reloc_info using the section target_index. */
+- amt = abfd->section_count + 1;
++ max_target_index = 0;
++ for (o = abfd->section_last; o != NULL; o = o->prev)
++ if (o->target_index != 0)
++ {
++ /* The last section added from the object file will have the
++ highest target_index. See coffgen.c coff_real_object_p and
++ make_a_section_from_file. Sections added by
++ xcoff_link_create_extra_sections will have a zero
++ target_index. */
++ max_target_index = o->target_index;
++ break;
++ }
++ amt = max_target_index + 1;
+ amt *= sizeof (struct reloc_info_struct);
+ reloc_info = bfd_zmalloc (amt);
+ if (reloc_info == NULL)
+--
+2.43.7
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 16/55] cmake-native: prevent host libidn2 contamination
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (14 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 15/55] binutils: Fix CVE-2026-6846 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 17/55] libxpm: upgrade 3.5.18 -> 3.5.19 Yoann Congal
` (39 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
The bundled cmcurl in CMake 4.3.x unconditionally enables USE_LIBIDN2
and calls find_package(Libidn2). On hosts with libidn2-devel installed
(common on RHEL/EL8), this detects the host library during configure
but the compile fails because the compiler is correctly restricted to
the native sysroot:
fatal error: idn2.h: No such file or directory
This was introduced in the upgrade from CMake 3.28.x to 4.3.x, where
the bundled cmcurl added find_package(Libidn2) for IDN support.
cmake-native does not need IDN support in its internal curl usage.
Use CMAKE_DISABLE_FIND_PACKAGE_Libidn2 to prevent the host package
from being found without patching the source.
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
Reviewed-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
(cherry picked from commit 861eaeb79f12273baddd24f615997ac78cfcb2a3)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/cmake/cmake-native_4.3.1.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/cmake/cmake-native_4.3.1.bb b/meta/recipes-devtools/cmake/cmake-native_4.3.1.bb
index 9ab1f0ce738..a859cef1517 100644
--- a/meta/recipes-devtools/cmake/cmake-native_4.3.1.bb
+++ b/meta/recipes-devtools/cmake/cmake-native_4.3.1.bb
@@ -31,6 +31,7 @@ EXTRA_OECMAKE += "\
-DCMAKE_USE_SYSTEM_LIBRARY_LIBRHASH=0 \
-DCMAKE_USE_SYSTEM_LIBRARY_EXPAT=0 \
-DCMAKE_USE_SYSTEM_LIBRARY_CURL=0 \
+ -DCMAKE_DISABLE_FIND_PACKAGE_Libidn2=ON \
-DENABLE_ACL=0 -DHAVE_ACL_LIBACL_H=0 \
-DHAVE_SYS_ACL_H=0 \
"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 17/55] libxpm: upgrade 3.5.18 -> 3.5.19
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (15 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 16/55] cmake-native: prevent host libidn2 contamination Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 18/55] cargo: Fix CVE-2026-5222 Yoann Congal
` (38 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
A vulnerability in the `xpmNextWord()` function could cause an internal pointer to read beyond the file's end due to improper validation of file boundaries. This issue was fixed in libXpm 3.5.19.
The changes between 3.5.18 and 3.5.19 contain only the fix to CVE-2026-4367.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Enoch Ng <enoch.ng@windriver.com>
(cherry picked from commit 1fc25a668ee8bbabf7e8e369b2d94867cd22243b)
[YC: changelog: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/compare/libXpm-3.5.18...libXpm-3.5.19 ]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xorg-lib/{libxpm_3.5.18.bb => libxpm_3.5.19.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.18.bb => libxpm_3.5.19.bb} (88%)
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.18.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.19.bb
similarity index 88%
rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.18.bb
rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.19.bb
index 94bf28232e9..32e052fd424 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.18.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.19.bb
@@ -22,6 +22,6 @@ PACKAGES =+ "sxpm cxpm"
FILES:cxpm = "${bindir}/cxpm"
FILES:sxpm = "${bindir}/sxpm"
-SRC_URI[sha256sum] = "b4ed79bfc718000edee837d551c35286f0b84576db0ce07bbbebe60a4affa1e4"
+SRC_URI[sha256sum] = "ad3576d689221a39dc728f0e0dc02ca7bb6a0d724c9a77fd1bfa1e9af83be900"
BBCLASSEXTEND = "native"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 18/55] cargo: Fix CVE-2026-5222
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (16 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 17/55] libxpm: upgrade 3.5.18 -> 3.5.19 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 19/55] cargo: Fix CVE-2026-5223 Yoann Congal
` (37 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Anil Dongare <adongare@cisco.com>
This patch applies the upstream fix as referenced in [2], using the commit shown in [1].
[1] https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
[2] https://security-tracker.debian.org/tracker/CVE-2026-5222
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../rust/files/CVE-2026-5222.patch | 92 +++++++++++++++++++
meta/recipes-devtools/rust/rust-source.inc | 1 +
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-devtools/rust/files/CVE-2026-5222.patch
diff --git a/meta/recipes-devtools/rust/files/CVE-2026-5222.patch b/meta/recipes-devtools/rust/files/CVE-2026-5222.patch
new file mode 100644
index 00000000000..e323e67651f
--- /dev/null
+++ b/meta/recipes-devtools/rust/files/CVE-2026-5222.patch
@@ -0,0 +1,92 @@
+From c4d63a44234de22dc745231c416b80ed848d997f Mon Sep 17 00:00:00 2001
+From: Arlo Siemsen <arkixml@gmail.com>
+Date: Mon, 25 May 2026 09:49:43 +0200
+Subject: [PATCH] CVE-2026-5222: avoid stripping .git suffix when for non git
+ registries
+
+CVE: CVE-2026-5222
+Upstream-Status: Backport [https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f]
+
+(cherry picked from commit c4d63a44234de22dc745231c416b80ed848d997f)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ src/tools/cargo/src/cargo/sources/git/source.rs | 7 ++++
+ src/tools/cargo/src/cargo/util/canonical_url.rs | 44 ++++++++++++++-----------
+ 2 files changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/src/tools/cargo/src/cargo/sources/git/source.rs b/src/tools/cargo/src/cargo/sources/git/source.rs
+index d6dbe03..a7b3205 100644
+--- a/src/tools/cargo/src/cargo/sources/git/source.rs
++++ b/src/tools/cargo/src/cargo/sources/git/source.rs
+@@ -470,6 +470,13 @@ mod test {
+ assert_eq!(ident1, ident2);
+ }
+
++ #[test]
++ fn test_canonicalize_idents_does_not_strip_dot_git_for_sparse() {
++ let ident1 = ident(&src("sparse+https://crates.io/fake-registry"));
++ let ident2 = ident(&src("sparse+https://crates.io/fake-registry.git"));
++ assert_ne!(ident1, ident2);
++ }
++
+ fn src(s: &str) -> SourceId {
+ SourceId::for_git(&s.into_url().unwrap(), GitReference::DefaultBranch).unwrap()
+ }
+diff --git a/src/tools/cargo/src/cargo/util/canonical_url.rs b/src/tools/cargo/src/cargo/util/canonical_url.rs
+index 7516e03..2716d2d 100644
+--- a/src/tools/cargo/src/cargo/util/canonical_url.rs
++++ b/src/tools/cargo/src/cargo/util/canonical_url.rs
+@@ -33,27 +33,31 @@ impl CanonicalUrl {
+ url.path_segments_mut().unwrap().pop_if_empty();
+ }
+
+- // For GitHub URLs specifically, just lower-case everything. GitHub
+- // treats both the same, but they hash differently, and we're gonna be
+- // hashing them. This wants a more general solution, and also we're
+- // almost certainly not using the same case conversion rules that GitHub
+- // does. (See issue #84)
+- if url.host_str() == Some("github.com") {
+- url = format!("https{}", &url[url::Position::AfterScheme..])
+- .parse()
+- .unwrap();
+- let path = url.path().to_lowercase();
+- url.set_path(&path);
+- }
++ // Perform further canonicalization specific to git registries, which
++ // do not contain a `+` specifier.
++ if !url.scheme().contains('+') {
++ // For GitHub URLs specifically, just lower-case everything. GitHub
++ // treats both the same, but they hash differently, and we're gonna be
++ // hashing them. This wants a more general solution, and also we're
++ // almost certainly not using the same case conversion rules that GitHub
++ // does. (See issue #84)
++ if url.host_str() == Some("github.com") {
++ url = format!("https{}", &url[url::Position::AfterScheme..])
++ .parse()
++ .unwrap();
++ let path = url.path().to_lowercase();
++ url.set_path(&path);
++ }
+
+- // Repos can generally be accessed with or without `.git` extension.
+- let needs_chopping = url.path().ends_with(".git");
+- if needs_chopping {
+- let last = {
+- let last = url.path_segments().unwrap().next_back().unwrap();
+- last[..last.len() - 4].to_owned()
+- };
+- url.path_segments_mut().unwrap().pop().push(&last);
++ // Repos can generally be accessed with or without `.git` extension.
++ let needs_chopping = url.path().ends_with(".git");
++ if needs_chopping {
++ let last = {
++ let last = url.path_segments().unwrap().next_back().unwrap();
++ last[..last.len() - 4].to_owned()
++ };
++ url.path_segments_mut().unwrap().pop().push(&last);
++ }
+ }
+
+ Ok(CanonicalUrl(url))
+--
+2.44.4
diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc
index f11bbea9b34..36407fa9750 100644
--- a/meta/recipes-devtools/rust/rust-source.inc
+++ b/meta/recipes-devtools/rust/rust-source.inc
@@ -11,6 +11,7 @@ SRC_URI += "https://static.rust-lang.org/dist/rustc-${RUST_VERSION}-src.tar.xz;n
file://0001-Update-amdgpu-data-layout.patch;patchdir=${RUSTSRC} \
file://0001-Adjust-loongarch-assembly-test.patch;patchdir=${RUSTSRC} \
file://0001-Fix-multiple-option-or-permutations-test-for-big-end.patch;patchdir=${RUSTSRC} \
+ file://CVE-2026-5222.patch;patchdir=${RUSTSRC} \
"
SRC_URI[rust.sha256sum] = "174fce10ce012317ca995810296d8af199318838180b03d68a853e0f02d4b571"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 19/55] cargo: Fix CVE-2026-5223
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (17 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 18/55] cargo: Fix CVE-2026-5222 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 20/55] qemu: Fix CVE-2026-2243 Yoann Congal
` (36 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Anil Dongare <adongare@cisco.com>
This patch applies the upstream fix as referenced in [2], using the commit shown in [1].
[1] https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
[2] https://security-tracker.debian.org/tracker/CVE-2026-5223
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../rust/files/CVE-2026-5223.patch | 125 ++++++++++++++++++
meta/recipes-devtools/rust/rust-source.inc | 1 +
2 files changed, 126 insertions(+)
create mode 100644 meta/recipes-devtools/rust/files/CVE-2026-5223.patch
diff --git a/meta/recipes-devtools/rust/files/CVE-2026-5223.patch b/meta/recipes-devtools/rust/files/CVE-2026-5223.patch
new file mode 100644
index 00000000000..5041dedac5c
--- /dev/null
+++ b/meta/recipes-devtools/rust/files/CVE-2026-5223.patch
@@ -0,0 +1,125 @@
+From 285cebf58911eca5b7f177f5d0b1c53e1f646577 Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Mon, 30 Mar 2026 10:35:55 -0700
+Subject: [PATCH] CVE-2026-5223: prohibit unpacking symlinks and other
+ unexpected entries
+
+Cargo has historically not allowed creating .crate packages containing
+symlinks. (It packages the symlink target in place of the symlink,
+instead.) So, any package containing a symlink would have to be
+hand-constructed. Such packages are also not allowed on crates.io, so it
+could only come from an alternate registry.
+
+Rather than dealing with symlink traversal attacks when unpacking a
+crate, just prohibit symlinks entirely.
+
+In the process, also prohibit other kinds of unusual entries. As an
+exception, allow character devices but warn about them, because some
+exist in crates on crates.io.
+
+CVE: CVE-2026-5223
+Upstream-Status: Backport [https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577]
+
+(cherry picked from commit 285cebf58911eca5b7f177f5d0b1c53e1f646577)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ src/tools/cargo/src/cargo/sources/registry/mod.rs | 10 +++++-
+ src/tools/cargo/tests/testsuite/registry.rs | 39 ++++++++++-------------
+ 2 files changed, 26 insertions(+), 23 deletions(-)
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index 04d4ec3..d152a1e 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -197,7 +197,7 @@ use cargo_util::paths::{self, exclude_from_backups_and_indexing};
+ use flate2::read::GzDecoder;
+ use serde::Deserialize;
+ use serde::Serialize;
+-use tar::Archive;
++use tar::{Archive, EntryType};
+ use tracing::debug;
+
+ use crate::core::dependency::Dependency;
+@@ -1088,6 +1088,14 @@ fn unpack(
+ )
+ }
+
++ // Prevent unpacking symlinks and other unexpected entry types
++ match entry.header().entry_type() {
++ EntryType::Regular | EntryType::Directory => {}
++ t => anyhow::bail!(
++ "invalid tarball downloaded, contains an entry at {entry_path:?} with invalid type {t:?}",
++ ),
++ }
++
+ // Prevent unpacking the lockfile from the crate itself.
+ if entry_path
+ .file_name()
+diff --git a/src/tools/cargo/tests/testsuite/registry.rs b/src/tools/cargo/tests/testsuite/registry.rs
+index 5a30dad..4a4e836 100644
+--- a/src/tools/cargo/tests/testsuite/registry.rs
++++ b/src/tools/cargo/tests/testsuite/registry.rs
+@@ -3274,8 +3274,7 @@ fn package_lock_inside_package_is_overwritten() {
+ }
+
+ #[cargo_test]
+-fn package_lock_as_a_symlink_inside_package_is_overwritten() {
+- let registry = registry::init();
++fn package_lock_as_a_symlink_inside_package_is_invalid() {
+ let p = project()
+ .file(
+ "Cargo.toml",
+@@ -3298,21 +3297,23 @@ fn package_lock_as_a_symlink_inside_package_is_overwritten() {
+ .symlink(".cargo-ok", "src/lib.rs")
+ .publish();
+
+- p.cargo("check").run();
++ p.cargo("check")
++ .with_status(101)
++ .with_stderr_data(str![[r#"
++[UPDATING] `dummy-registry` index
++[LOCKING] 1 package to latest compatible version
++[DOWNLOADING] crates ...
++[DOWNLOADED] bar v0.0.1 (registry `dummy-registry`)
++[ERROR] failed to download replaced source registry `crates-io`
+
+- let id = SourceId::for_registry(registry.index_url()).unwrap();
+- let hash = cargo::util::hex::short_hash(&id);
+- let pkg_root = paths::cargo_home()
+- .join("registry")
+- .join("src")
+- .join(format!("-{}", hash))
+- .join("bar-0.0.1");
+- let ok = pkg_root.join(".cargo-ok");
+- let librs = pkg_root.join("src/lib.rs");
++Caused by:
++ failed to unpack package `bar v0.0.1 (registry `dummy-registry`)`
+
+- // Is correctly overwritten and doesn't affect the file linked to
+- assert_eq!(ok.metadata().unwrap().len(), 7);
+- assert_eq!(fs::read_to_string(librs).unwrap(), "pub fn f() {}");
++Caused by:
++ invalid tarball downloaded, contains an entry at "bar-0.0.1/.cargo-ok" with invalid type Symlink
++
++"#]])
++ .run();
+ }
+
+ #[cargo_test]
+@@ -4751,13 +4752,7 @@ Caused by:
+ failed to unpack package `bar v1.0.0 (registry `dummy-registry`)`
+
+ Caused by:
+- failed to unpack entry at `bar-1.0.0/smuggled`
+-
+-Caused by:
+- failed to unpack `[ROOT]/home/.cargo/registry/src/-[HASH]/bar-1.0.0/smuggled`
+-
+-Caused by:
+- [..] when creating dir [ROOT]/home/.cargo/registry/src/-[HASH]/bar-1.0.0/smuggled
++ invalid tarball downloaded, contains an entry at "bar-1.0.0/smuggled" with invalid type Symlink
+
+ "#]])
+ .run();
+--
+2.44.4
diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc
index 36407fa9750..d897b2c262c 100644
--- a/meta/recipes-devtools/rust/rust-source.inc
+++ b/meta/recipes-devtools/rust/rust-source.inc
@@ -12,6 +12,7 @@ SRC_URI += "https://static.rust-lang.org/dist/rustc-${RUST_VERSION}-src.tar.xz;n
file://0001-Adjust-loongarch-assembly-test.patch;patchdir=${RUSTSRC} \
file://0001-Fix-multiple-option-or-permutations-test-for-big-end.patch;patchdir=${RUSTSRC} \
file://CVE-2026-5222.patch;patchdir=${RUSTSRC} \
+ file://CVE-2026-5223.patch;patchdir=${RUSTSRC} \
"
SRC_URI[rust.sha256sum] = "174fce10ce012317ca995810296d8af199318838180b03d68a853e0f02d4b571"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 20/55] qemu: Fix CVE-2026-2243
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (18 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 19/55] cargo: Fix CVE-2026-5223 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 21/55] qemu: Fix CVE-2026-0665 Yoann Congal
` (35 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2026-2243.
The upstream fix commit is referenced in [1], and the public CVE advisory
is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689
[2] https://github.com/advisories/GHSA-cw9w-w7fx-35q6
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2026-2243.patch | 45 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4b6c2252b7f..1d493ee1a32 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://CVE-2024-6519.patch \
+ file://CVE-2026-2243.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
new file mode 100644
index 00000000000..bb2cb63b915
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
@@ -0,0 +1,45 @@
+From 1633b8cd69483ed6c481aa596d3c760c09257c27 Mon Sep 17 00:00:00 2001
+From: "Halil Oktay (oblivionsage)" <cookieandcream560@gmail.com>
+Date: Tue, 10 Feb 2026 13:33:25 +0100
+Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
+
+Bounds check for marker.size doesn't account for the 12-byte marker
+header, allowing zlib to read past the allocated buffer.
+
+Move the check inside the has_marker block and subtract the marker size.
+
+CVE: CVE-2026-2243
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689]
+
+Fixes: CVE-2026-2243
+Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
+Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 86b5130fefbe476f3c0a85b9e136f9e3fd518689)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ block/vmdk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 89e89cd10..cd8b4ec7c 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
+ marker = (VmdkGrainMarker *)cluster_buf;
+ compressed_data = marker->data;
+ data_len = le32_to_cpu(marker->size);
+- }
+- if (!data_len || data_len > buf_bytes) {
+- ret = -EINVAL;
+- goto out;
++ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
++ ret = -EINVAL;
++ goto out;
++ }
+ }
+ ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
+ if (ret != Z_OK) {
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 21/55] qemu: Fix CVE-2026-0665
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (19 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 20/55] qemu: Fix CVE-2026-2243 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 22/55] qemu: Fix CVE-2025-14876 Yoann Congal
` (34 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2026-0665.
The upstream fix commit is referenced in [1], and the public CVE advisory
is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af
[2] https://github.com/advisories/GHSA-4pq4-6gr5-cr69
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2026-0665.patch | 38 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1d493ee1a32..518ef69789d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.udev \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
+ file://CVE-2026-0665.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
new file mode 100644
index 00000000000..ed8623c2257
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
@@ -0,0 +1,38 @@
+From 77705f3f91dc1ede803228a0eaf4593103466e3a Mon Sep 17 00:00:00 2001
+From: Vulnerability Report <vr@darknavy.com>
+Date: Fri, 9 Jan 2026 10:35:48 +0800
+Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
+
+Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().
+
+CVE: CVE-2026-0665
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af]
+
+Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
+Fixes: CVE-2026-0665
+Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Vulnerability Report <vr@darknavy.com>
+Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 058e1774d678031ec207441a51efcf8ae94cc6af)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/i386/kvm/xen_evtchn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
+index dd566c496..173e0818c 100644
+--- a/hw/i386/kvm/xen_evtchn.c
++++ b/hw/i386/kvm/xen_evtchn.c
+@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
+ return pirq;
+ }
+ map->pirq = pirq;
+- } else if (pirq > s->nr_pirqs) {
++ } else if (pirq >= s->nr_pirqs) {
+ return -EINVAL;
+ } else {
+ /*
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 22/55] qemu: Fix CVE-2025-14876
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (20 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 21/55] qemu: Fix CVE-2026-0665 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 23/55] vim: fix for CVE-2026-41411 & CVE-2026-44656 Yoann Congal
` (33 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2025-14876.
The upstream fix commits are referenced in [1] and [2], and the
public CVE advisory is referenced in [3].
[1] https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77
[2] https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b
[3] https://github.com/advisories/GHSA-gq25-pccv-6q8j
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2025-14876_p1.patch | 52 +++++++++++++++++
.../qemu/qemu/CVE-2025-14876_p2.patch | 56 +++++++++++++++++++
3 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 518ef69789d..60a5c62fe9f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
file://CVE-2026-0665.patch \
+ file://CVE-2025-14876_p1.patch \
+ file://CVE-2025-14876_p2.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
new file mode 100644
index 00000000000..44e0b0f1a98
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
@@ -0,0 +1,52 @@
+From 1a7c7a0066f2bdb4ddb0d4f689d4949ca70bb8c4 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:20 +0800
+Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The total lenght of request is limited by cryptodev config, verify it
+to avoid unexpected request from guest.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77]
+
+Fixes: CVE-2025-14876
+Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>
+(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/virtio/virtio-crypto.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 517f2089c..b20f29993 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
+ uint32_t len;
+ uint8_t *src = NULL;
+ uint8_t *dst = NULL;
++ uint64_t max_len;
+
+ asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
+ src_len = ldl_le_p(&req->para.src_data_len);
+ dst_len = ldl_le_p(&req->para.dst_data_len);
+
++ max_len = (uint64_t)src_len + dst_len;
++ if (unlikely(max_len > vcrypto->conf.max_size)) {
++ virtio_error(vdev, "virtio-crypto asym request is too large");
++ goto err;
++ }
++
+ if (src_len > 0) {
+ src = g_malloc0(src_len);
+ len = iov_to_buf(iov, out_num, 0, src, src_len);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
new file mode 100644
index 00000000000..580440f9002
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
@@ -0,0 +1,56 @@
+From baff597605a973ca92d57a1a728db98d9c2b680e Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:21 +0800
+Subject: [PATCH] cryptodev-builtin: Limit the maximum size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This backend driver is used for demonstration purposes only, unlimited
+size leads QEMU OOM.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b]
+
+Fixes: CVE-2025-14876
+Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev>
+(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 51514aa3c2f1e072c9728c975865e0b247b2619b)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ backends/cryptodev-builtin.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
+index 0414c01e0..55a3fbd27 100644
+--- a/backends/cryptodev-builtin.c
++++ b/backends/cryptodev-builtin.c
+@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
+
+ #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512
+ #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64
++/* demonstration purposes only, use a limited size to avoid QEMU OOM */
++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024)
+
+ struct CryptoDevBackendBuiltin {
+ CryptoDevBackend parent_obj;
+@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
+ 1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
+ backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
+ backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
+- /*
+- * Set the Maximum length of crypto request.
+- * Why this value? Just avoid to overflow when
+- * memory allocation for each crypto request.
+- */
+- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
++ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
+ backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
+ backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
+ cryptodev_builtin_init_akcipher(backend);
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 23/55] vim: fix for CVE-2026-41411 & CVE-2026-44656
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (21 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 22/55] qemu: Fix CVE-2025-14876 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 24/55] vim: fix for CVE-2026-45130 & CVE-2026-46483 Yoann Congal
` (32 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1] & [2] also mentioned at NVD report in [3] & [4]
[1] https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
[2] https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41411
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-44656
More info :
CVE-2026-41411 - Disallow backticks before attempting to expand filenames.
CVE-2026-44656 - Prevent shell execution from 'path' backticks via modelines.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../vim/files/CVE-2026-41411.patch | 75 +++++++++++
.../vim/files/CVE-2026-44656.patch | 124 ++++++++++++++++++
meta/recipes-support/vim/vim.inc | 2 +
3 files changed, 201 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2026-41411.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-44656.patch
diff --git a/meta/recipes-support/vim/files/CVE-2026-41411.patch b/meta/recipes-support/vim/files/CVE-2026-41411.patch
new file mode 100644
index 00000000000..13d613c2044
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-41411.patch
@@ -0,0 +1,75 @@
+From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 15 Apr 2026 20:17:17 +0000
+Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks
+ in tag files
+
+Problem: [security]: command injection via backticks in tag files
+ (Srinivas Piskala Ganesh Babu, Andy Ngo)
+Solution: Disallow backticks before attempting to expand filenames.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
+
+Supported by AI
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+CVE: CVE-2026-41411
+Upstream-Status: Backport [https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/tag.c | 4 +++-
+ src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index d3e27e6023..0f12e384b5 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand)
+
+ /*
+ * Expand file name (for environment variables) when needed.
++ * Disallow backticks, they could execute arbitrary shell
++ * commands. This is not needed for tag filenames.
+ */
+- if (expand && mch_has_wildcard(fname))
++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL)
+ {
+ ExpandInit(&xpc);
+ xpc.xp_context = EXPAND_FILES;
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index bbab3c70e8..c0fa7b02e6 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -1693,4 +1693,26 @@ func Test_tag_excmd_with_number_vim9script()
+ bwipe!
+ endfunc
+
++" Test that backtick expressions in tag filenames are not expanded.
++" This prevents command injection via malicious tags files.
++func Test_tag_backtick_filename_not_expanded()
++ let pwned_file = 'Xtags_pwnd'
++ call assert_false(filereadable(pwned_file))
++
++ let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf"
++ call writefile([tagline], 'Xbt_tags', 'D')
++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D')
++
++ set tags=Xbt_tags
++ sp Xbt_main.c
++
++ " The :tag command should fail to find the file, but must NOT execute
++ " the backtick shell command.
++ call assert_fails('tag main', 'E429:')
++ call assert_false(filereadable(pwned_file))
++
++ set tags&
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/files/CVE-2026-44656.patch b/meta/recipes-support/vim/files/CVE-2026-44656.patch
new file mode 100644
index 00000000000..971e4c145bf
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-44656.patch
@@ -0,0 +1,124 @@
+From 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 3 May 2026 16:10:03 +0000
+Subject: [PATCH] patch 9.2.0435: [security]: backticks in 'path' may cause
+ shell execution on completion
+
+Problem: [security]: Backticks enclosed shell commands in the 'path'
+ option value are executed during completion (q1uf3ng).
+Solution: Skip path entries containing backticks, add P_SECURE to 'path'
+ option, so that it cannot be set from a modeline (for symmetry with
+ the 'cdpath' option)
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
+
+Supported by AI.
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+CVE: CVE-2026-44656
+Upstream-Status: Backport [https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ runtime/doc/options.txt | 3 +++
+ src/findfile.c | 4 ++++
+ src/optiondefs.h | 2 +-
+ src/testdir/test_find_complete.vim | 17 +++++++++++++++++
+ src/testdir/test_modeline.vim | 14 ++++++++++++++
+ 5 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
+index f083d6ff10..8a4d782262 100644
+--- a/runtime/doc/options.txt
++++ b/runtime/doc/options.txt
+@@ -6750,6 +6750,9 @@ A jump table for the options with a short description can be found at |Q_op|.
+ < Replace the ';' with a ':' or whatever separator is used. Note that
+ this doesn't work when $INCL contains a comma or white space.
+
++ This option cannot be set from a |modeline| or in the |sandbox|, for
++ security reasons.
++
+ *'perldll'*
+ 'perldll' string (default depends on the build)
+ global
+diff --git a/src/findfile.c b/src/findfile.c
+index 0c5d1cf252..fccbc05a76 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -2412,6 +2412,10 @@ expand_path_option(
+ {
+ buflen = copy_option_part(&path_option, buf, MAXPATHL, " ,");
+
++ // do not expand backticks, could have been set via a modeline
++ if (vim_strchr(buf, '`') != NULL)
++ continue;
++
+ if (buf[0] == '.' && (buf[1] == NUL || vim_ispathsep(buf[1])))
+ {
+ size_t plen;
+diff --git a/src/optiondefs.h b/src/optiondefs.h
+index a5e1fe99df..dac06119fc 100644
+--- a/src/optiondefs.h
++++ b/src/optiondefs.h
+@@ -1954,7 +1954,7 @@ static struct vimoption options[] =
+ (char_u *)&p_pm, PV_NONE,
+ did_set_backupext_or_patchmode, NULL,
+ {(char_u *)"", (char_u *)0L} SCTX_INIT},
+- {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP,
++ {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP,
+ (char_u *)&p_path, PV_PATH, NULL, NULL,
+ {
+ #if defined(AMIGA) || defined(MSWIN)
+diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim
+index 079fb78043..8b8b71c303 100644
+--- a/src/testdir/test_find_complete.vim
++++ b/src/testdir/test_find_complete.vim
+@@ -161,4 +161,21 @@ func Test_find_complete()
+ set path&
+ endfunc
+
++" Verify that backticks in 'path' are not executed
++func Test_find_completion_backtick_in_path()
++ CheckUnix
++ CheckExecutable id
++
++ new Xpoc.c
++ setl path+=`id>Xrce_marker`
++ " Triggering completion must not execute the backtick command.
++ call getcompletion('', 'file_in_path')
++ call assert_false(filereadable('Xrce_marker'))
++ call feedkeys(":find \t\n", "xt")
++ call assert_false(filereadable('Xrce_marker'))
++
++ bwipe!
++ call delete('Xrce_marker')
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index 79fc7d14d5..20fb7e0677 100644
+--- a/src/testdir/test_modeline.vim
++++ b/src/testdir/test_modeline.vim
+@@ -493,4 +493,18 @@ func Test_modeline_nowrap_lcs_extends()
+ set equalalways&
+ endfunc
+
++" Verify that backticks in 'path' set from a modeline are not executed
++func Test_path_modeline()
++ let lines =<< trim END
++ // vim: set path+=foobar :
++ END
++ call writefile(lines, 'Xpoc.c', 'D')
++
++ set nomodelinestrict modeline
++ call assert_fails('split Xpoc.c', 'E520:')
++
++ bwipe!
++ set modelinestrict& modeline&
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index d6fdf457069..efd24650f4a 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -16,6 +16,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV}
file://disable_acl_header_check.patch \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
+ file://CVE-2026-44656.patch \
+ file://CVE-2026-41411.patch \
"
PV .= ".0340"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 24/55] vim: fix for CVE-2026-45130 & CVE-2026-46483
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (22 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 23/55] vim: fix for CVE-2026-41411 & CVE-2026-44656 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 25/55] cups: fix CVE-2026-27447 Yoann Congal
` (31 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1] & [2] also mentioned at NVD report in [3] & [4]
[1] https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
[2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-45130
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../vim/files/CVE-2026-45130.patch | 115 ++++++++++++++++++
.../vim/files/CVE-2026-46483.patch | 77 ++++++++++++
meta/recipes-support/vim/vim.inc | 2 +
3 files changed, 194 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2026-45130.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch
diff --git a/meta/recipes-support/vim/files/CVE-2026-45130.patch b/meta/recipes-support/vim/files/CVE-2026-45130.patch
new file mode 100644
index 00000000000..a86ba79e74f
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-45130.patch
@@ -0,0 +1,115 @@
+From 92993329178cb1f72d700fff45ca86e1c2d369f8 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 6 May 2026 20:50:00 +0200
+Subject: [PATCH] patch 9.2.0450: [security]: heap buffer overflow in
+ spellfile.c read_compound()
+
+Problem: read_compound() in spellfile.c computes the size of the regex
+ pattern buffer using signed-int arithmetic on the attacker
+ controlled SN_COMPOUND sectionlen. With sectionlen=0x40000008
+ and UTF-8 encoding active the multiplication wraps to 27 while
+ the per-byte loop writes up to ~1B bytes, overflowing the heap.
+ Reachable when loading a crafted .spl file (e.g. via 'set spell'
+ after a modeline sets 'spelllang'). The cp/ap/crp allocations
+ have the same int + 1 overflow class (Daniel Cervera)
+Solution: Use type size_t as buffer size and reject values larger than
+ COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to
+ the cp/ap/crp allocations.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8]
+CVE: CVE-2026-45130
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/spellfile.c | 20 ++++++++++++++------
+ src/testdir/test_spellfile.vim | 4 ++++
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index a9a347a89a..5102dad5b6 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -290,6 +290,9 @@
+ #define CF_WORD 0x01
+ #define CF_UPPER 0x02
+
++// Max allowed length for COMPOUND section
++#define COMPOUND_MAX_LEN 100000
++
+ /*
+ * Loop through all the siblings of a node (including the node)
+ */
+@@ -1219,6 +1222,8 @@ read_compound(FILE *fd, slang_T *slang, int len)
+ char_u *crp;
+ int cnt;
+ garray_T *gap;
++ size_t patsize;
++ size_t flagsize;
+
+ if (todo < 2)
+ return SP_FORMERROR; // need at least two bytes
+@@ -1275,16 +1280,19 @@ read_compound(FILE *fd, slang_T *slang, int len)
+ // "a[bc]/a*b+" -> "^\(a[bc]\|a*b\+\)$".
+ // Inserting backslashes may double the length, "^\(\)$<Nul>" is 7 bytes.
+ // Conversion to utf-8 may double the size.
+- c = todo * 2 + 7;
++ if ((size_t)todo > COMPOUND_MAX_LEN)
++ return SP_FORMERROR;
++ patsize = (size_t)todo * 2 + 7;
+ if (enc_utf8)
+- c += todo * 2;
+- pat = alloc(c);
++ patsize += (size_t)todo * 2;
++ flagsize = (size_t)todo + 1;
++ pat = alloc(patsize);
+ if (pat == NULL)
+ return SP_OTHERERROR;
+
+ // We also need a list of all flags that can appear at the start and one
+ // for all flags.
+- cp = alloc(todo + 1);
++ cp = alloc(flagsize);
+ if (cp == NULL)
+ {
+ vim_free(pat);
+@@ -1293,7 +1301,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
+ slang->sl_compstartflags = cp;
+ *cp = NUL;
+
+- ap = alloc(todo + 1);
++ ap = alloc(flagsize);
+ if (ap == NULL)
+ {
+ vim_free(pat);
+@@ -1305,7 +1313,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
+ // And a list of all patterns in their original form, for checking whether
+ // compounding may work in match_compoundrule(). This is freed when we
+ // encounter a wildcard, the check doesn't work then.
+- crp = alloc(todo + 1);
++ crp = alloc(flagsize);
+ slang->sl_comprules = crp;
+
+ pp = pat;
+diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
+index f46a25d99e..8f3ef4907d 100644
+--- a/src/testdir/test_spellfile.vim
++++ b/src/testdir/test_spellfile.vim
+@@ -334,6 +334,10 @@ func Test_spellfile_format_error()
+ " SN_COMPOUND: incorrect comppatlen
+ call Spellfile_Test(0z080000000007040101000000020165, 'E758:')
+
++ " SN_COMPOUND: oversized sectionlen
++ let v = eval('0z08004000000803010161' .. repeat('61', 50) .. 'FF')
++ call Spellfile_Test(v, 'E759:')
++
+ " SN_INFO: missing info
+ call Spellfile_Test(0z0F0000000005040101, '')
+
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch b/meta/recipes-support/vim/files/CVE-2026-46483.patch
new file mode 100644
index 00000000000..72167d4c25e
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch
@@ -0,0 +1,77 @@
+From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 14 May 2026 15:35:28 +0000
+Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
+ in tar plugin
+
+Problem: [security]: runtime(tar): command injection in tar plugin
+ (Christopher Lusk)
+Solution: Use the correct shellescape(args, 1) form for a :! command
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1]
+CVE: CVE-2026-46483
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ runtime/autoload/tar.vim | 5 +++--
+ src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
+index 722a0ab680..d2db9d3b18 100644
+--- a/runtime/autoload/tar.vim
++++ b/runtime/autoload/tar.vim
+@@ -23,6 +23,7 @@
+ " 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925)
+ " 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
+ " 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
++" 2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar()
+ "
+ " Contains many ideas from Michael Toren's <tar.vim>
+ "
+@@ -812,9 +813,9 @@ fun! tar#Vimuntar(...)
+ " if necessary, decompress the tarball; then, extract it
+ if tartail =~ '\.tgz'
+ if executable("gunzip")
+- silent exe "!gunzip ".shellescape(tartail)
++ silent exe "!gunzip ".shellescape(tartail, 1)
+ elseif executable("gzip")
+- silent exe "!gzip -d ".shellescape(tartail)
++ silent exe "!gzip -d ".shellescape(tartail, 1)
+ else
+ echoerr "unable to decompress<".tartail."> on this system"
+ if simplify(curdir) != simplify(tarhome)
+diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
+index 80b7a76d6d..f1ee9130c6 100644
+--- a/src/testdir/test_plugin_tar.vim
++++ b/src/testdir/test_plugin_tar.vim
+@@ -313,3 +313,22 @@ def g:Test_extract_with_dotted_filename()
+ delete('X.txt')
+ bw!
+ enddef
++
++def g:Test_extract_command_injection()
++ CheckExecutable gunzip
++ CheckExecutable touch
++ var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
++ '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' ..
++ 'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' ..
++ '000000000FCD11D32415E2C00280000')
++ var dirname = tempname()
++
++ mkdir(dirname, 'R')
++ var tar = dirname .. "/';%$(touch pwned)'.tgz"
++ writefile(tgz, tar)
++ new
++ exe "e " .. fnameescape(tar)
++ exe ":Vimuntar " .. dirname
++ assert_false(filereadable(dirname .. "/pwned"))
++ bw!
++enddef
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index efd24650f4a..6eafc53c746 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,6 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV}
file://no-path-adjust.patch \
file://CVE-2026-44656.patch \
file://CVE-2026-41411.patch \
+ file://CVE-2026-45130.patch \
+ file://CVE-2026-46483.patch \
"
PV .= ".0340"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 25/55] cups: fix CVE-2026-27447
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (23 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 24/55] vim: fix for CVE-2026-45130 & CVE-2026-46483 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 26/55] cups: fix CVE-2026-41079 Yoann Congal
` (30 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-27447 as referenced by Debian [2].
Also include the two upstream regression fixes that followed the CVE fix:
- CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the referenced
user does not exist on the server. This regression was reported in
OpenPrinting/cups Issue [5].
- CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print policies for
non-local accounts. This regression was reported in OpenPrinting/cups Issue [6].
[1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
[2] https://security-tracker.debian.org/tracker/CVE-2026-27447
[3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
[4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
[5] https://github.com/OpenPrinting/cups/issues/1555
[6] https://github.com/OpenPrinting/cups/issues/1557
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/cups/cups.inc | 3 +
.../cups/CVE-2026-27447-regression_p1.patch | 46 +++++++
.../cups/CVE-2026-27447-regression_p2.patch | 58 +++++++++
.../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++
4 files changed, 227 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 194b9c2638f..49b828506a1 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -21,6 +21,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
file://CVE-2026-39316.patch \
+ file://CVE-2026-27447.patch \
+ file://CVE-2026-27447-regression_p1.patch \
+ file://CVE-2026-27447-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
new file mode 100644
index 00000000000..bbd44913d37
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
@@ -0,0 +1,46 @@
+From c4c0a46b266bd227fa3925ad08556a620da342ae Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 22 Apr 2026 12:40:14 +0200
+Subject: [PATCH] Fix cupsd crash if user does not exist on server
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit 6d97ee39fedf12a7a5429a74f4156ef9bb67f562)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index d591ead..16e9527 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -7,6 +7,7 @@ Changes in CUPS v2.4.16 (2025-12-04)
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
++- Fixed cupsd crash if user does not exist (Issue #1555)
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 3e7041e..d5f564e 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1835,7 +1835,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
new file mode 100644
index 00000000000..69b7ea962cc
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
@@ -0,0 +1,58 @@
+From 6a712bd3b5236df3e1bd145e89ea1108fb860d8b Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 24 Apr 2026 14:06:06 -0400
+Subject: [PATCH] Fix unauthenticated print policies (Issue #1557)
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit 849fba7d7a1144e48d45c5e6ba2504765912ece0)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 16e9527..47b394b 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -8,6 +8,7 @@ Changes in CUPS v2.4.16 (2025-12-04)
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
+ - Fixed cupsd crash if user does not exist (Issue #1555)
++- Fixed a regression in shared printing from non-local accounts (Issue #1557)
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index d5f564e..7e211ff 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1835,8 +1835,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+- !strcmp(pw->pw_name, ownername))
++ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ ((pw && !strcmp(pw->pw_name, ownername)) ||
++ (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1850,6 +1851,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ }
+ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
++ else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
++ return (HTTP_STATUS_OK);
+ }
+
+ for (name = (char *)cupsArrayFirst(best->names);
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
new file mode 100644
index 00000000000..b73377ce4d3
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
@@ -0,0 +1,120 @@
+From f792687607462386ea3778fac5e0394da09c8a72 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:04:21 -0400
+Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group
+ names as case-insensitive.
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit a0c62c1e69604ff061089b750073199fab5a1beb)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/auth.c | 31 +++++++++++++++----------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 78a9a94..d591ead 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -5,6 +5,8 @@ CHANGES - OpenPrinting CUPS
+ Changes in CUPS v2.4.16 (2025-12-04)
+ ------------------------------------
+
++- CVE-2026-27447: The scheduler treated local user and group names as case-
++ insensitive.
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 18ac443..3e7041e 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authorization routines for the CUPS scheduler.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1184,7 +1184,7 @@ cupsdCheckGroup(
+ group = getgrnam(groupname);
+ endgrent();
+
+- if (group != NULL)
++ if (user && group)
+ {
+ /*
+ * Group exists, check it...
+@@ -1198,7 +1198,7 @@ cupsdCheckGroup(
+ * User appears in the group membership...
+ */
+
+- if (!_cups_strcasecmp(username, group->gr_mem[i]))
++ if (!strcmp(user->pw_name, group->gr_mem[i]))
+ return (1);
+ }
+
+@@ -1209,25 +1209,24 @@ cupsdCheckGroup(
+ * belongs to...
+ */
+
+- if (user)
+- {
+- int ngroups; /* Number of groups */
++ int ngroups; /* Number of groups */
+ # ifdef __APPLE__
+- int groups[2048]; /* Groups that user belongs to */
++ int groups[2048]; /* Groups that user belongs to */
+ # else
+- gid_t groups[2048]; /* Groups that user belongs to */
++ gid_t groups[2048]; /* Groups that user belongs to */
+ # endif /* __APPLE__ */
+
+- ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
++ ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+ # ifdef __APPLE__
+- getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
+ # else
+- getgrouplist(username, user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
+ #endif /* __APPLE__ */
+
+- for (i = 0; i < ngroups; i ++)
+- if ((int)groupid == (int)groups[i])
+- return (1);
++ for (i = 0; i < ngroups; i ++)
++ {
++ if ((int)groupid == (int)groups[i])
++ return (1);
+ }
+ #endif /* HAVE_GETGROUPLIST */
+ }
+@@ -1837,7 +1836,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name = (char *)cupsArrayNext(best->names))
+ {
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+- !_cups_strcasecmp(username, ownername))
++ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1849,7 +1848,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ if (cupsdCheckGroup(username, pw, name + 1))
+ return (HTTP_OK);
+ }
+- else if (!_cups_strcasecmp(username, name))
++ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
+ }
+
+--
+2.43.7
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 26/55] cups: fix CVE-2026-41079
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (24 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 25/55] cups: fix CVE-2026-27447 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 27/55] libsolv: Fix CVE-2026-9149 Yoann Congal
` (29 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-41079 as referenced by Debian [2].
[1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
[2] https://security-tracker.debian.org/tracker/CVE-2026-41079
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-41079.patch | 73 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 49b828506a1..9f5d5fe7261 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -24,6 +24,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447.patch \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
+ file://CVE-2026-41079.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
new file mode 100644
index 00000000000..2392a77311e
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
@@ -0,0 +1,73 @@
+From a331e93e2f9baf411715ef69ae19b73827da23d7 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 13 Apr 2026 11:50:23 -0400
+Subject: [PATCH] Limit num_bytes for SNMP string values.
+
+CVE: CVE-2026-41079
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
+
+(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ cups/snmp-private.h | 6 +++---
+ cups/snmp.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cups/snmp-private.h b/cups/snmp-private.h
+index 52b8740..015f53e 100644
+--- a/cups/snmp-private.h
++++ b/cups/snmp-private.h
+@@ -1,7 +1,7 @@
+ /*
+ * Private SNMP definitions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2014 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
+
+ typedef struct cups_snmp_string_s /**** String value ****/
+ {
+- unsigned char bytes[CUPS_SNMP_MAX_STRING];
+- /* Bytes in string */
+ unsigned num_bytes; /* Number of bytes */
++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
++ /* Bytes in string */
+ } cups_snmp_string_t;
+
+ union cups_snmp_value_u /**** Object value ****/
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 54e348f..2fcb38d 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SNMP functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
+ case CUPS_ASN1_OCTET_STRING :
+ case CUPS_ASN1_BIT_STRING :
+ case CUPS_ASN1_HEX_STRING :
+- packet->object_value.string.num_bytes = length;
+ asn1_get_string(&bufptr, bufend, length,
+ (char *)packet->object_value.string.bytes,
+ sizeof(packet->object_value.string.bytes));
++
++ if (length >= sizeof(packet->object_value.string.bytes))
++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
++ else
++ packet->object_value.string.num_bytes = length;
+ break;
+
+ case CUPS_ASN1_OID :
+--
+2.43.7
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 27/55] libsolv: Fix CVE-2026-9149
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (25 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 26/55] cups: fix CVE-2026-41079 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 28/55] gnupg: fix CVE-2026-57062 Yoann Congal
` (28 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Shubham Pushpkar <spushpka@cisco.com>
This patch applies the upstream fix as referenced in [1], using the CVE advisory shown in [2].
[1] https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-9149
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libsolv/libsolv/CVE-2026-9149.patch | 152 ++++++++++++++++++
.../libsolv/libsolv_0.7.36.bb | 1 +
2 files changed, 153 insertions(+)
create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9149.patch
diff --git a/meta/recipes-extended/libsolv/libsolv/CVE-2026-9149.patch b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9149.patch
new file mode 100644
index 00000000000..11acf758b58
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9149.patch
@@ -0,0 +1,152 @@
+From 175bd2008d3b3a4b54253bd6657cc46948360534 Mon Sep 17 00:00:00 2001
+From: Petr Písař <ppisar@redhat.com>
+Date: Thu, 23 Apr 2026 18:04:24 +0200
+Subject: [PATCH 2/2] Cope with integer overflow in data size arithmetics in
+ repo_add_solv()
+
+When parsing solv files with maliciously large "maxsize" or "allsize"
+data size, e.g. this maxsize value at offset 0x29--0x2E:
+
+ 00000000 53 4f 4c 56 00 00 00 08 00 00 00 01 00 00 00 00 |SOLV............|
+ 00000010 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 |................|
+ 00000020 00 00 00 00 00 00 00 00 00 8f ff ff bf 77 86 8d |.............w..|
+ 00000030 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ...............|
+ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
+ *
+ 00002030 00 |.|
+ 00002031
+
+read_id() function will decode and return 4294959095 value, and a subsequent
+assignment:
+
+ int maxsize;
+ [...]
+ maxsize = read_id(&data, 0);
+
+will experience an integer overflow on plaforms where signed int has 4-byte
+size (e.g. x86_64).
+
+The same flaw is possible at the next line:
+
+ allsize = read_id(&data, 0);
+
+Subsequent arithmetics will interpreter the value as a very large negative
+number, possibly doing wrong decisions:
+
+ maxsize += 5; /* so we can read the next schema of an array */
+ if (maxsize > allsize)
+ maxsize = allsize;
+
+and finally, the negative value passed to solv_calloc():
+
+ buf = solv_calloc(maxsize + DATA_READ_CHUNK + 4, 1); /* 4 extra bytes to detect overflows */
+
+will be coerced to an unsigned type (size_t) leading to allocating a smaller
+buffer then intended. Then writing to the small buffer will experience a heap
+buffer overflow:
+
+ l = maxsize;
+ if (l < DATA_READ_CHUNK)
+ l = DATA_READ_CHUNK;
+ if (l > allsize)
+ l = allsize;
+ if (!l || fread(buf, l, 1, data.fp) != 1)
+
+This flaw can be demostrated by passing that solv file to the dumpsolv tool which
+will crash if compiled with ASAN:
+
+ $ /tmp/b/tools/dumpsolv /tmp/vuln_1_101_1_negative_maxsize.solv
+ =================================================================
+ ==17608==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c0a2ede00b1 at pc 0x7fea30451468 b
+ p 0x7ffe07220a50 sp 0x7ffe07220220
+ WRITE of size 8192 at 0x7c0a2ede00b1 thread T0
+ #0 0x7fea30451467 in fread.part.0 (/lib64/libasan.so.8+0x51467) (BuildId: 80bfc4ae44fdec6ef5fecfb01
+ e2b57d28660991c)
+ #1 0x7fea3028eef1 in repo_add_solv /home/test/libsolv/src/repo_solv.c:1034
+ #2 0x0000004041cc in main /home/test/libsolv/tools/dumpsolv.c:471
+ #3 0x7fea3003c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #4 0x7fea3003c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #5 0x000000400694 in _start (/tmp/b/tools/dumpsolv+0x400694) (BuildId: 0a70b5b14e5cd81f90a309bb2ff3219dfbf30bb8)
+
+ 0x7c0a2ede00b1 is located 0 bytes after 1-byte region [0x7c0a2ede00b0,0x7c0a2ede00b1)
+ allocated by thread T0 here:
+ #0 0x7fea304ef41f in malloc (/lib64/libasan.so.8+0xef41f) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c)
+ #1 0x7fea302e4b4c in solv_calloc /home/test/libsolv/src/util.c:77
+ #2 0x7fea3028ee38 in repo_add_solv /home/test/libsolv/src/repo_solv.c:1025
+ #3 0x0000004041cc in main /home/test/libsolv/tools/dumpsolv.c:471
+ #4 0x7fea3003c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #5 0x7fea3003c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #6 0x000000400694 in _start (/tmp/b/tools/dumpsolv+0x400694) (BuildId: 0a70b5b14e5cd81f90a309bb2ff3219dfbf30bb8)
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/libsolv/src/repo_solv.c:1034 in repo_add_solv
+
+This patch catches the integer overflow, sets an error and jumps to the end of
+the function just after deallocation of the buffer (which would contain an
+undefined pointer). This patch also handles a possible integer overflow at
+"maxsize += 5" line.
+
+I originally wanted to replace read_id() with read_u32(), but
+complemtary repowriter_write() function also stored the value as
+a signed integer, so I guess the the Id type is inteded there.
+
+There are probably other ways how to fix it, like passing INT_MAX-5
+limit to read_id(), though the error message would be less
+understandable.
+
+It's also possible to reject this patch with an explanation that loading
+untrusted solv files is not supported. Though some kind of
+fortification would be welcomed by people who debug solver problems
+from reported solv files.
+
+Reported by Aisle Research.
+
+CVE: CVE-2026-9149
+Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b]
+
+(cherry picked from commit 210386037c892a720972ad35a3d8f7073b4d763b)
+Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
+---
+ src/repo_solv.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/repo_solv.c b/src/repo_solv.c
+index 629ac683..00639aa0 100644
+--- a/src/repo_solv.c
++++ b/src/repo_solv.c
+@@ -18,6 +18,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include "repo_solv.h"
+ #include "util.h"
+@@ -1078,6 +1079,18 @@ repo_add_solv(Repo *repo, FILE *fp, int flags)
+
+ maxsize = read_id(&data, 0);
+ allsize = read_id(&data, 0);
++ if (maxsize < 0 || allsize < 0)
++ {
++ data.error = pool_error(pool, SOLV_ERROR_CORRUPT, "negative data size in solv header");
++ id = 0;
++ goto data_error;
++ }
++ if (maxsize > INT_MAX - 5)
++ {
++ data.error = pool_error(pool, SOLV_ERROR_OVERFLOW, "data size overflow in solv header");
++ id = 0;
++ goto data_error;
++ }
+ maxsize += 5; /* so we can read the next schema of an array */
+ if (maxsize > allsize)
+ maxsize = allsize;
+@@ -1403,6 +1416,7 @@ printf("=> %s %s %p\n", pool_id2str(pool, keys[key].name), pool_id2str(pool, key
+ }
+ solv_free(buf);
+
++data_error:
+ if (data.error)
+ {
+ /* free solvables */
+--
+2.35.6
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.36.bb b/meta/recipes-extended/libsolv/libsolv_0.7.36.bb
index f3c3738d7c1..cca2511ea57 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.7.36.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.7.36.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https;ta
file://0001-compress_buf-fix-musl-segfaults.patch \
file://run-ptest \
file://CVE-2026-9150.patch \
+ file://CVE-2026-9149.patch \
"
SRCREV = "1e377699be108ec82bb798ec9c223d45d84a733c"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 28/55] gnupg: fix CVE-2026-57062
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (26 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 27/55] libsolv: Fix CVE-2026-9149 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 29/55] tar: Fix CVE-2026-5704 Yoann Congal
` (27 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Roland Kovacs <roland.kovacs@est.tech>
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20
mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be
12 bytes but 4 bytes is accepted.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++
meta/recipes-support/gnupg/gnupg_2.5.17.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
new file mode 100644
index 00000000000..d18b9e9cb3d
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
@@ -0,0 +1,43 @@
+From 09d686f5ca09f1161f1e433473968d15b563687f Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 18 Jun 2026 10:51:34 +0200
+Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption.
+
+* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen.
+--
+
+Reported-by: Thai Duong <thai@calif.io>
+This is similar to OpenSSL's
+CVE-id: CVE-2026-34182
+
+CVE: CVE-2026-57062
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ sm/decrypt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sm/decrypt.c b/sm/decrypt.c
+index c4bc57657..09ed7f8a7 100644
+--- a/sm/decrypt.c
++++ b/sm/decrypt.c
+@@ -1399,7 +1399,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp)
+ }
+ if (DBG_CRYPTO)
+ log_printhex (authtag, authtaglen, "Authtag ...:");
+- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
++ if (authtaglen < 12)
++ {
++ log_info ("authentication tag is too short (%zu octets)\n",
++ authtaglen);
++ rc = gpg_error (GPG_ERR_CHECKSUM);
++ }
++ else
++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
+ xfree (authtag);
+ if (rc)
+ log_error ("data is not authentic: %s\n", gpg_strerror (rc));
+--
+2.34.1
+
diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.17.bb
index fd6588769ca..6b2af1c96c9 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.17.bb
@@ -19,6 +19,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0002-use-pkgconfig-instead-of-npth-config.patch \
file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+ file://CVE-2026-57062.patch \
"
SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
file://relocate.patch"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 29/55] tar: Fix CVE-2026-5704
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (27 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 28/55] gnupg: fix CVE-2026-57062 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 30/55] dhcpcd: patch CVE-2026-56113 Yoann Congal
` (26 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Himanshu Jadon <hjadon@cisco.com>
Backport the upstream 3-commit fix chain for CVE-2026-5704.
The final CVE fix is [1], which depends on the earlier cleanup in [2]
and the behavioral change in [3]. Keep this patch order so the final
fix applies cleanly and preserves the upstream logic.
Also include upstream follow-up [4] to fix the --no-overwrite-dir ptest
regression caused by the CVE backport. Without this follow-up, tar can
temporarily chmod an existing directory even when --no-overwrite-dir is
used, which breaks the upstream --no-overwrite-dir ptest.
[1] https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3
[2] https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=112ead79312ea308e58414b74623f101b8c06f0b
[3] https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b009124ffde415515081db844d7a104e1d1c6c58
[4] https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=4e742fc8674064a9fa00d4483d06aca48d5b0463
[5] https://security-tracker.debian.org/tracker/CVE-2026-5704
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 872d86b99ad3e77a105b386331a41f7fa40c2b72)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../tar/tar/CVE-2026-5704-dependent_p1.patch | 484 +++++++++++++++
.../tar/tar/CVE-2026-5704-dependent_p2.patch | 169 ++++++
.../tar/tar/CVE-2026-5704-regression.patch | 176 ++++++
.../tar/tar/CVE-2026-5704.patch | 556 ++++++++++++++++++
meta/recipes-extended/tar/tar_1.35.bb | 4 +
5 files changed, 1389 insertions(+)
create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p1.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p2.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-regression.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704.patch
diff --git a/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p1.patch b/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p1.patch
new file mode 100644
index 00000000000..b7180e16719
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p1.patch
@@ -0,0 +1,484 @@
+From cb6d041ba711620b52637ebd2f9cb0c445a91e4f Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Fri, 1 Nov 2024 14:15:09 -0700
+Subject: [PATCH] Prefer other types to int in extract.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* src/extract.c (fd_chmod, extract_chdir, open_output_file)
+(extract_file, extract_link, extract_symlink, extract_node)
+(extract_fifo, tar_extractor_t, pepare_to_extract): Prefer char to
+int for typeflag, since it’s a char. All uses changed.
+(fd_chmod): Use clearer code for errno.
+(extract_dir, extract_file, create_placeholder_file, extract_link)
+(extract_symlink, extract_node, extract_fifo, tar_extractor_t):
+Return bool true for success, false for failure. All uses changed.
+(open_output_file): Prefer bool for boolean.
+(prepare_to_extract): Simplify by returning the extractor a null
+pointer, rather than storing through a pointer to an extractor.
+
+CVE: CVE-2026-5704
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=112ead79312ea308e58414b74623f101b8c06f0b]
+
+Backport Changes:
+- In src/extract.c, the extractor-selection and extraction-control-flow
+ hunk was adapted to the older tar-1.35 code layout around
+ prepare_to_extract() and extract_archive(). The backport preserves the
+ upstream logic but does not apply as an exact textual match in that
+ section.
+
+(cherry picked from commit 112ead79312ea308e58414b74623f101b8c06f0b)
+Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
+---
+ src/extract.c | 141 ++++++++++++++++++++++++--------------------------
+ 1 file changed, 69 insertions(+), 72 deletions(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index 314d8bc0..b384fed3 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -254,9 +254,9 @@ fd_i_chmod (int fd, char const *file, mode_t mode, int atflag)
+ notation.
+ */
+ static int
+-fd_chmod(int fd, char const *file_name, int mode, int atflag, int typeflag)
++fd_chmod (int fd, char const *file_name, int mode, int atflag, char typeflag)
+ {
+- int chmod_errno = fd_i_chmod (fd, file_name, mode, atflag) == 0 ? 0 : errno;
++ int chmod_errno = fd_i_chmod (fd, file_name, mode, atflag) < 0 ? errno : 0;
+
+ /* On Solaris, chmod may fail if we don't have PRIV_ALL, because
+ setuid-root files would otherwise be a backdoor. See
+@@ -265,7 +265,7 @@ fd_chmod(int fd, char const *file_name, int mode, int atflag, int typeflag)
+ if (chmod_errno == EPERM && (mode & S_ISUID)
+ && priv_set_restore_linkdir () == 0)
+ {
+- chmod_errno = fd_i_chmod (fd, file_name, mode, atflag) == 0 ? 0 : errno;
++ chmod_errno = fd_i_chmod (fd, file_name, mode, atflag) < 0 ? errno : 0;
+ priv_set_remove_linkdir ();
+ }
+
+@@ -275,7 +275,7 @@ fd_chmod(int fd, char const *file_name, int mode, int atflag, int typeflag)
+ supported and if the file is not a symlink. This
+ introduces a race, alas. */
+ if (atflag && typeflag != SYMTYPE && ! implemented (chmod_errno))
+- chmod_errno = fd_i_chmod (fd, file_name, mode, 0) == 0 ? 0 : errno;
++ chmod_errno = fd_i_chmod (fd, file_name, mode, 0) < 0 ? errno : 0;
+
+ if (chmod_errno && (typeflag != SYMTYPE || implemented (chmod_errno)))
+ {
+@@ -1036,8 +1036,8 @@ safe_dir_mode (struct stat const *st)
+
+ /* Extractor functions for various member types */
+
+-static int
+-extract_dir (char *file_name, int typeflag)
++static bool
++extract_dir (char *file_name, char typeflag)
+ {
+ int status;
+ mode_t mode;
+@@ -1089,7 +1089,7 @@ extract_dir (char *file_name, int typeflag)
+
+ if (keep_directory_symlink_option
+ && is_directory_link (file_name, &st))
+- return 0;
++ return true;
+
+ if ((st.st_mode != 0 && fstatat_flags == 0)
+ || deref_stat (file_name, &st) == 0)
+@@ -1102,7 +1102,7 @@ extract_dir (char *file_name, int typeflag)
+ if (interdir_made)
+ {
+ repair_delayed_set_stat (file_name, &st);
+- return 0;
++ return true;
+ }
+ else if (old_files_option == NO_OVERWRITE_DIR_OLD_FILES)
+ {
+@@ -1154,7 +1154,7 @@ extract_dir (char *file_name, int typeflag)
+ if (errno != EEXIST)
+ {
+ mkdir_error (file_name);
+- return 1;
++ return false;
+ }
+ break;
+ }
+@@ -1167,13 +1167,13 @@ extract_dir (char *file_name, int typeflag)
+ delay_set_stat (file_name, ¤t_stat_info,
+ current_mode, current_mode_mask,
+ current_stat_info.stat.st_mode, atflag);
+- return status;
++ return status == 0;
+ }
+
+
+
+ static int
+-open_output_file (char const *file_name, int typeflag, mode_t mode,
++open_output_file (char const *file_name, char typeflag, mode_t mode,
+ int file_created, mode_t *current_mode,
+ mode_t *current_mode_mask)
+ {
+@@ -1189,11 +1189,11 @@ open_output_file (char const *file_name, int typeflag, mode_t mode,
+
+ if (typeflag == CONTTYPE)
+ {
+- static int conttype_diagnosed;
++ static bool conttype_diagnosed;
+
+ if (!conttype_diagnosed)
+ {
+- conttype_diagnosed = 1;
++ conttype_diagnosed = true;
+ WARNOPT (WARN_CONTIGUOUS_CAST,
+ (0, 0, _("Extracting contiguous files as regular files")));
+ }
+@@ -1245,8 +1245,8 @@ open_output_file (char const *file_name, int typeflag, mode_t mode,
+ return fd;
+ }
+
+-static int
+-extract_file (char *file_name, int typeflag)
++static bool
++extract_file (char *file_name, char typeflag)
+ {
+ int fd;
+ off_t size;
+@@ -1268,7 +1268,7 @@ extract_file (char *file_name, int typeflag)
+ if (fd < 0)
+ {
+ skip_member ();
+- return 0;
++ return true;
+ }
+ }
+ else
+@@ -1291,9 +1291,9 @@ extract_file (char *file_name, int typeflag)
+ {
+ skip_member ();
+ if (recover == RECOVER_SKIP)
+- return 0;
++ return true;
+ open_error (file_name);
+- return 1;
++ return false;
+ }
+ }
+ }
+@@ -1344,7 +1344,7 @@ extract_file (char *file_name, int typeflag)
+ it doesn't exist, or we don't want to touch it anyway. */
+
+ if (to_stdout_option)
+- return 0;
++ return true;
+
+ if (! to_command_option)
+ set_stat (file_name, ¤t_stat_info, fd,
+@@ -1359,7 +1359,7 @@ extract_file (char *file_name, int typeflag)
+ if (to_command_option)
+ sys_wait_command ();
+
+- return status;
++ return status == 0;
+ }
+
+ /* Return true if NAME is a delayed link. This can happen only if the link
+@@ -1399,7 +1399,7 @@ find_delayed_link_source (char const *name)
+ process.
+ */
+
+-static int
++static bool
+ create_placeholder_file (char *file_name, bool is_symlink, bool *interdir_made)
+ {
+ int fd;
+@@ -1413,7 +1413,7 @@ create_placeholder_file (char *file_name, bool is_symlink, bool *interdir_made)
+ that the link being extracted is a duplicate of an already
+ processed one. Skip it.
+ */
+- return 0;
++ return true;
+ }
+
+ switch (maybe_recoverable (file_name, false, interdir_made))
+@@ -1422,11 +1422,11 @@ create_placeholder_file (char *file_name, bool is_symlink, bool *interdir_made)
+ continue;
+
+ case RECOVER_SKIP:
+- return 0;
++ return true;
+
+ case RECOVER_NO:
+ open_error (file_name);
+- return -1;
++ return false;
+ }
+ }
+
+@@ -1484,14 +1484,14 @@ create_placeholder_file (char *file_name, bool is_symlink, bool *interdir_made)
+ if ((h = find_direct_ancestor (file_name)) != NULL)
+ mark_after_links (h);
+
+- return 0;
++ return true;
+ }
+
+- return -1;
++ return false;
+ }
+
+-static int
+-extract_link (char *file_name, MAYBE_UNUSED int typeflag)
++static bool
++extract_link (char *file_name, MAYBE_UNUSED char typeflag)
+ {
+ bool interdir_made = false;
+ char const *link_name;
+@@ -1531,7 +1531,7 @@ extract_link (char *file_name, MAYBE_UNUSED int typeflag)
+ }
+ }
+
+- return 0;
++ return true;
+ }
+ else if ((e == EEXIST && strcmp (link_name, file_name) == 0)
+ || ((fstatat (chdir_fd, link_name, &st1, AT_SYMLINK_NOFOLLOW)
+@@ -1540,7 +1540,7 @@ extract_link (char *file_name, MAYBE_UNUSED int typeflag)
+ == 0)
+ && st1.st_dev == st2.st_dev
+ && st1.st_ino == st2.st_ino))
+- return 0;
++ return true;
+
+ errno = e;
+ }
+@@ -1548,17 +1548,17 @@ extract_link (char *file_name, MAYBE_UNUSED int typeflag)
+ == RECOVER_OK);
+
+ if (rc == RECOVER_SKIP)
+- return 0;
++ return true;
+ if (!(incremental_option && errno == EEXIST))
+ {
+ link_error (link_name, file_name);
+- return 1;
++ return false;
+ }
+- return 0;
++ return true;
+ }
+
+-static int
+-extract_symlink (char *file_name, MAYBE_UNUSED int typeflag)
++static bool
++extract_symlink (char *file_name, MAYBE_UNUSED char typeflag)
+ {
+ #ifdef HAVE_SYMLINK
+ bool interdir_made = false;
+@@ -1575,16 +1575,16 @@ extract_symlink (char *file_name, MAYBE_UNUSED int typeflag)
+ continue;
+
+ case RECOVER_SKIP:
+- return 0;
++ return true;
+
+ case RECOVER_NO:
+ symlink_error (current_stat_info.link_name, file_name);
+- return -1;
++ return false;
+ }
+
+ set_stat (file_name, ¤t_stat_info, -1, 0, 0,
+ SYMTYPE, false, AT_SYMLINK_NOFOLLOW);
+- return 0;
++ return true;
+
+ #else
+ static int warned_once;
+@@ -1601,8 +1601,8 @@ extract_symlink (char *file_name, MAYBE_UNUSED int typeflag)
+ }
+
+ #if S_IFCHR || S_IFBLK
+-static int
+-extract_node (char *file_name, int typeflag)
++static bool
++extract_node (char *file_name, char typeflag)
+ {
+ bool interdir_made = false;
+ mode_t mode = (current_stat_info.stat.st_mode & (MODE_RWX | S_IFBLK | S_IFCHR)
+@@ -1616,23 +1616,23 @@ extract_node (char *file_name, int typeflag)
+ continue;
+
+ case RECOVER_SKIP:
+- return 0;
++ return true;
+
+ case RECOVER_NO:
+ mknod_error (file_name);
+- return -1;
++ return false;
+ }
+
+ set_stat (file_name, ¤t_stat_info, -1,
+ mode & ~ current_umask, MODE_RWX,
+ typeflag, false, AT_SYMLINK_NOFOLLOW);
+- return 0;
++ return true;
+ }
+ #endif
+
+ #if HAVE_MKFIFO || defined mkfifo
+-static int
+-extract_fifo (char *file_name, int typeflag)
++static bool
++extract_fifo (char *file_name, char typeflag)
+ {
+ bool interdir_made = false;
+ mode_t mode = (current_stat_info.stat.st_mode & MODE_RWX
+@@ -1645,31 +1645,31 @@ extract_fifo (char *file_name, int typeflag)
+ continue;
+
+ case RECOVER_SKIP:
+- return 0;
++ return true;
+
+ case RECOVER_NO:
+ mkfifo_error (file_name);
+- return -1;
++ return false;
+ }
+
+ set_stat (file_name, ¤t_stat_info, -1,
+ mode & ~ current_umask, MODE_RWX,
+ typeflag, false, AT_SYMLINK_NOFOLLOW);
+- return 0;
++ return true;
+ }
+ #endif
+
+-typedef int (*tar_extractor_t) (char *file_name, int typeflag);
++typedef bool (*tar_extractor_t) (char *file_name, char typeflag);
+
+ \f
+ /* Prepare to extract a file. Find extractor function.
+- Return true to proceed with the extraction, false to skip the current
+- member. */
++ Return an extractor to proceed with the extraction,
++ a null pointer to skip the current member. */
+
+-static bool
+-prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
++static tar_extractor_t
++prepare_to_extract (char const *file_name, char typeflag)
+ {
+- tar_extractor_t extractor = NULL;
++ tar_extractor_t extractor;
+
+ /* Select the extractor */
+ switch (typeflag)
+@@ -1683,10 +1683,8 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ case CONTTYPE:
+ /* Appears to be a file. But BSD tar uses the convention that a slash
+ suffix means a directory. */
+- if (current_stat_info.had_trailing_slash)
+- extractor = extract_dir;
+- else
+- extractor = extract_file;
++ extractor = (current_stat_info.had_trailing_slash
++ ? extract_dir : extract_file);
+ break;
+
+ case SYMTYPE:
+@@ -1725,18 +1723,18 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ break;
+
+ case GNUTYPE_VOLHDR:
+- return false;
++ return NULL;
+
+ case GNUTYPE_MULTIVOL:
+ ERROR ((0, 0,
+ _("%s: Cannot extract -- file is continued from another volume"),
+ quotearg_colon (current_stat_info.file_name)));
+- return false;
++ return NULL;
+
+ case GNUTYPE_LONGNAME:
+ case GNUTYPE_LONGLINK:
+ ERROR ((0, 0, _("Unexpected long name header")));
+- return false;
++ return NULL;
+
+ default:
+ WARNOPT (WARN_UNKNOWN_CAST,
+@@ -1749,7 +1747,7 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ if (EXTRACT_OVER_PIPE)
+ {
+ if (extractor != extract_file)
+- return false;
++ return NULL;
+ }
+ else
+ {
+@@ -1763,7 +1761,7 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ && errno && errno != ENOENT)
+ {
+ unlink_error (file_name);
+- return false;
++ return NULL;
+ }
+ break;
+
+@@ -1773,7 +1771,7 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ WARNOPT (WARN_IGNORE_NEWER,
+ (0, 0, _("Current %s is newer or same age"),
+ quote (file_name)));
+- return false;
++ return NULL;
+ }
+ break;
+
+@@ -1781,9 +1779,7 @@ prepare_to_extract (char const *file_name, int typeflag, tar_extractor_t *fun)
+ break;
+ }
+ }
+- *fun = extractor;
+-
+- return true;
++ return extractor;
+ }
+
+ /* Extract a file from the archive. */
+@@ -1791,7 +1787,6 @@ void
+ extract_archive (void)
+ {
+ char typeflag;
+- tar_extractor_t fun;
+ bool skip_dotdot_name;
+
+ fatal_exit_hook = extract_finish;
+@@ -1841,12 +1836,14 @@ extract_archive (void)
+
+ /* Extract the archive entry according to its type. */
+ /* KLUDGE */
+- typeflag = sparse_member_p (¤t_stat_info) ?
+- GNUTYPE_SPARSE : current_header->header.typeflag;
++ typeflag = (sparse_member_p (¤t_stat_info)
++ ? GNUTYPE_SPARSE : current_header->header.typeflag);
+
+- if (prepare_to_extract (current_stat_info.file_name, typeflag, &fun))
++ tar_extractor_t fun = prepare_to_extract (current_stat_info.file_name,
++ typeflag);
++ if (fun)
+ {
+- if (fun (current_stat_info.file_name, typeflag) == 0)
++ if (fun (current_stat_info.file_name, typeflag))
+ return;
+ }
+ else
+--
+2.44.1
+
diff --git a/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p2.patch b/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p2.patch
new file mode 100644
index 00000000000..c3a94db5a05
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p2.patch
@@ -0,0 +1,169 @@
+From a934d62acc1edc202e93e9f1b38eff1d880568a0 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 12 May 2025 17:17:21 +0300
+Subject: [PATCH] Handle directory members consistently when listing and when
+ extracting.
+
+* src/list.c (skim_member): Recognize directory members using
+the same rules as during extraction.
+* tests/skipdir.at: New testcase.
+* tests/testsuite.at: Add new test.
+* tests/Makefile.am: Likewise.
+
+CVE: CVE-2026-5704
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b009124ffde415515081db844d7a104e1d1c6c58]
+
+(cherry picked from commit b009124ffde415515081db844d7a104e1d1c6c58)
+Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
+---
+ src/list.c | 22 ++++++++++++++++--
+ tests/Makefile.am | 1 +
+ tests/skipdir.at | 56 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/testsuite.at | 3 ++-
+ 4 files changed, 79 insertions(+), 3 deletions(-)
+ create mode 100644 tests/skipdir.at
+
+diff --git a/src/list.c b/src/list.c
+index e9a68159..928779e1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -1440,6 +1440,23 @@ skip_member (void)
+ skim_member (false);
+ }
+
++static bool
++member_is_dir (struct tar_stat_info *info, char typeflag)
++{
++ switch (typeflag) {
++ case AREGTYPE:
++ case REGTYPE:
++ case CONTTYPE:
++ return info->had_trailing_slash;
++
++ case DIRTYPE:
++ return true;
++
++ default:
++ return false;
++ }
++}
++
+ /* Skip the current member in the archive.
+ If MUST_COPY, always copy instead of skipping. */
+ void
+@@ -1447,14 +1464,15 @@ skim_member (bool must_copy)
+ {
+ if (!current_stat_info.skipped)
+ {
+- char save_typeflag = current_header->header.typeflag;
++ bool is_dir = member_is_dir (¤t_stat_info,
++ current_header->header.typeflag);
+ set_next_block_after (current_header);
+
+ mv_begin_read (¤t_stat_info);
+
+ if (current_stat_info.is_sparse)
+ sparse_skim_file (¤t_stat_info, must_copy);
+- else if (save_typeflag != DIRTYPE)
++ else if (!is_dir)
+ skim_file (current_stat_info.stat.st_size, must_copy);
+
+ mv_end ();
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 1884b722..6cf726c0 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -240,6 +240,7 @@ TESTSUITE_AT = \
+ shortrec.at\
+ shortupd.at\
+ sigpipe.at\
++ skipdir.at\
+ sparse01.at\
+ sparse02.at\
+ sparse03.at\
+diff --git a/tests/skipdir.at b/tests/skipdir.at
+new file mode 100644
+index 00000000..7106ee74
+--- /dev/null
++++ b/tests/skipdir.at
+@@ -0,0 +1,56 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++
++# Test suite for GNU tar.
++# Copyright 2025 Free Software Foundation, Inc.
++
++# This file is part of GNU tar.
++
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# Description: determining member type when listing and extracting
++# should follow the same principles.
++#
++# Until version 1.35 the same archive member could have been processed
++# as a directory when extracting and as a regular file when being
++# skipped during listing.
++#
++# References: https://savannah.gnu.org/patch/index.php?10100
++
++AT_SETUP([skip directory members])
++AT_KEYWORDS([skipdir])
++AT_DATA([archive.in],
++[/Td6WFoAAATm1rRGAgAhARwAAAAQz1jM4Cf/AG1dADedyh4ubnxHHIi7Cen6orusgKqY3paKeQwp
++3//HS9EIT7Hm+MsndXfRntXVt8mu8oDpLOfC+AB9VldyCtp2jqOfTwa455qfGAcONPn6WWDgsaAh
++O2Y6ptXuaF/vdaNkub7SkOBME8jHYITT5QAAAAAAHtdcflb5Zw8AAYkBgFAAAPYgb0axxGf7AgAA
++AAAEWVo=
++])
++AT_CHECK([base64 --help >/dev/null 2>&1 || AT_SKIP_TEST
++xz --help >/dev/null 2>&1 || AT_SKIP_TEST
++base64 -d < archive.in | xz -c -d > archive.tar
++])
++AT_CHECK([tar tf archive.tar],
++[0],
++[owo1/
++owo2/
++])
++AT_CHECK([tar vxf archive.tar],
++[0],
++[owo1/
++owo2/
++])
++AT_CHECK([tar -xvf archive.tar --exclude owo1],
++[0],
++[owo2/
++])
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 44ae773b..f2229be1 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -464,7 +464,7 @@ AT_BANNER([Volume operations])
+ m4_include([volume.at])
+ m4_include([volsize.at])
+
+-AT_BANNER()
++AT_BANNER([Various tests])
+ m4_include([comprec.at])
+ m4_include([shortfile.at])
+ m4_include([shortupd.at])
+@@ -473,6 +473,7 @@ m4_include([truncate.at])
+ m4_include([grow.at])
+ m4_include([sigpipe.at])
+ m4_include([comperr.at])
++m4_include([skipdir.at])
+
+ AT_BANNER([Removing files after archiving])
+ m4_include([remfiles01.at])
+--
+2.44.1
+
diff --git a/meta/recipes-extended/tar/tar/CVE-2026-5704-regression.patch b/meta/recipes-extended/tar/tar/CVE-2026-5704-regression.patch
new file mode 100644
index 00000000000..d38b46b8ecd
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2026-5704-regression.patch
@@ -0,0 +1,176 @@
+From 4e742fc8674064a9fa00d4483d06aca48d5b0463 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sat, 26 Jul 2025 21:41:23 -0700
+Subject: [PATCH] --no-overwrite-dir no overwrite even temporarily
+
+Problem and fix reported by Pavel Cahyna in
+https://lists.gnu.org/r/bug-tar/2025-01/msg00000.html
+* src/extract.c (extract_dir): With --no-overwrite-dir,
+skip the chmod if the directory already exists.
+* tests/extrac23.at (--no-overwrite-dir on empty directory):
+Move the part of the test that looks at a nonempty directory ...
+* tests/extrac30.at: ... to this new file, because the test now
+must be run as non-root. Adjust the test to match the new behavior.
+* tests/Makefile.am (TESTSUITE_AT), tests/testsuite.at: Add it.
+
+CVE: CVE-2026-5704
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=4e742fc8674064a9fa00d4483d06aca48d5b0463]
+
+Backport Changes:
+- Omit the NEWS update.
+- Adapt tests/Makefile.am and tests/testsuite.at context to the tar-1.35
+ test list carried by OE-Core.
+
+(cherry picked from commit 4e742fc8674064a9fa00d4483d06aca48d5b0463)
+Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
+---
+diff --git a/src/extract.c b/src/extract.c
+index 3bf0d77..4ed19b6 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1102,31 +1102,6 @@ extract_dir (char *file_name, MAYBE_UNUSED char typeflag)
+ repair_delayed_set_stat (file_name, &st);
+ return true;
+ }
+- else if (old_files_option == NO_OVERWRITE_DIR_OLD_FILES)
+- {
+- /* Temporarily change the directory mode to a safe
+- value, to be able to create files in it, should
+- the need be.
+- */
+- mode = safe_dir_mode (&st);
+- status = fd_chmod (-1, file_name, mode,
+- AT_SYMLINK_NOFOLLOW, DIRTYPE);
+- if (status == 0)
+- {
+- /* Store the actual directory mode, to be restored
+- later.
+- */
+- current_stat_info.stat = st;
+- current_mode = mode & ~ current_umask;
+- current_mode_mask = MODE_RWX;
+- atflag = AT_SYMLINK_NOFOLLOW;
+- break;
+- }
+- else
+- {
+- chmod_error_details (file_name, mode);
+- }
+- }
+ break;
+ }
+ }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index baeb55b..a75abdb 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -133,6 +133,7 @@ TESTSUITE_AT = \
+ extrac23.at\
+ extrac24.at\
+ extrac25.at\
++ extrac30.at\
+ extrac32.at\
+ filerem01.at\
+ filerem02.at\
+diff --git a/tests/extrac23.at b/tests/extrac23.at
+index cb63ebb..efc9a32 100644
+--- a/tests/extrac23.at
++++ b/tests/extrac23.at
+@@ -15,15 +15,12 @@
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see <http://www.gnu.org/licenses/>.
+-AT_SETUP([--no-overwrite-dir])
++AT_SETUP([--no-overwrite-dir on empty directory])
+ AT_KEYWORDS([extract extrac23 no-overwrite-dir])
+
+ # Description: Implementation of the --no-overwrite-dir option was flawed in
+ # tar versions up to 1.32.90. This option is intended to preserve metadata
+ # of existing directories. In fact it worked only for non-empty directories.
+-# Moreover, if the actual directory was owned by the user tar runs as and the
+-# S_IWUSR bit was not set in its actual permissions, tar failed to create files
+-# in it.
+ #
+ # Reported by: Michael Kaufmann <mail@michael-kaufmann.ch>
+ # References: <20200207112934.Horde.anXzYhAj2CHiwUrw5CuT0G-@webmail.michael-kaufmann.ch>,
+@@ -38,21 +35,10 @@ chmod 777 dir
+ tar -xf a.tar --no-overwrite-dir
+ genfile --stat=mode.777 dir
+
+-# Test if temporary permissions are set correctly to allow the owner
+-# to write to the directory.
+-genfile --file dir/file
+-tar cf a.tar dir
+-rm dir/file
+-chmod 400 dir
+-tar -xf a.tar --no-overwrite-dir
+-genfile --stat=mode.777 dir
+-chmod 700 dir
+ find dir
+ ],
+ [0],
+ [777
+-400
+ dir
+-dir/file
+ ])
+ AT_CLEANUP
+diff --git a/tests/extrac30.at b/tests/extrac30.at
+new file mode 100644
+index 0000000..8c879c9
+--- /dev/null
++++ b/tests/extrac30.at
+@@ -0,0 +1,47 @@
++# Test suite for GNU tar. -*- Autotest -*-
++# Copyright 2020-2025 Free Software Foundation, Inc.
++#
++# This file is part of GNU tar.
++#
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++AT_SETUP([--no-overwrite-dir on unwritable directory])
++AT_KEYWORDS([extract extrac30 no-overwrite-dir])
++
++# Make sure that tar does not change permissions on directories if
++# --no-overwrite-dir tells it not to, not even temporarily.
++
++AT_TAR_CHECK([
++AT_UNPRIVILEGED_PREREQ
++
++# Test that the user cannot write to a unwritable directory
++# if --no-overwrite-dir is used.
++mkdir dir
++chmod 755 dir
++genfile --file dir/file
++tar cf a.tar dir
++rm dir/file
++chmod 555 dir
++tar -xf a.tar --no-overwrite-dir
++genfile --stat=mode.777 dir
++chmod 755 dir
++find dir
++],
++[0],
++[555
++dir
++],
++[tar: dir/file: Cannot open: Permission denied
++tar: Exiting with failure status due to previous errors
++])
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 5875700..331a6e3 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -352,0 +353 @@
++m4_include([extrac30.at])
diff --git a/meta/recipes-extended/tar/tar/CVE-2026-5704.patch b/meta/recipes-extended/tar/tar/CVE-2026-5704.patch
new file mode 100644
index 00000000000..81c6df37128
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2026-5704.patch
@@ -0,0 +1,556 @@
+From b97bbb10103a911d418015b7ff41384af0419952 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 22 Mar 2026 12:19:40 -0700
+Subject: [PATCH] Fix more -t/-x discrepancies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Guillermo de Angel in:
+https://lists.gnu.org/r/bug-tar/2026-03/msg00007.html
+* THANKS: Add him, and sort.
+* src/extract.c (extract_dir, extract_file):
+* src/incremen.c (purge_directory):
+Do not call skip_member, as the caller now does that, and does it
+more reliably.
+* src/extract.c (extract_file):
+Mark file as skipped when we’ve read it.
+(extract_archive): Always call skip_member after extracting,
+as it suppresses the skip as needed.
+* src/incremen.c (try_purge_directory): Remove; no longer
+needed. Move internals to purge_directory.
+* src/list.c (read_header): Do not treat LNKTYPE header as having
+size zero, as it can be nonzero (e.g., ‘pax -o linkdata’).
+Set info->skipped field according to how the header was read.
+(member_is_dir): Remove; no longer needed.
+(skim_member): Skip directory data too, unless it’s already been
+skipped (i.e., read).
+* tests/extrac32.at: New file.
+* tests/Makefile.am (TESTSUITE_AT):
+* tests/testsuite.at:
+Add it.
+* tests/skipdir.at (skip directory members):
+Fix test to match the correct behavior.
+This fixes a bug introduced in commit
+b009124ffde415515081db844d7a104e1d1c6c58
+dated 2025-05-12 17:17:21 +0300.
+
+CVE: CVE-2026-5704
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3]
+
+Backport Changes:
+- Replaced UNNAMED(typeflag) with MAYBE_UNUSED char typeflag in extract_dir()
+ under src/extract.c, as the UNNAMED macro is not available in tar 1.35
+ (introduced later in upstream commit 9280aa3807c1 "Prefer UNNAMED to
+ MAYBE_UNUSED").
+- THANKS file context difference: tar 1.35 has "Jurgen Botz" (ASCII),
+ while upstream has "Jürgen Botz" (UTF-8 umlaut), changed in upstream
+ commit 390950282d98 ("maint: fix some encodings and email addresses");
+ the removed line in the diff reflects the tar 1.35 spelling.
+
+(cherry picked from commit b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3)
+Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
+---
+ THANKS | 30 +++++++++++++++--------------
+ src/extract.c | 23 ++++++----------------
+ src/incremen.c | 22 +++++++--------------
+ src/list.c | 48 +++++++++++++++-------------------------------
+ tests/Makefile.am | 1 +
+ tests/extrac32.at | 47 +++++++++++++++++++++++++++++++++++++++++++++
+ tests/skipdir.at | 6 +-----
+ tests/testsuite.at | 1 +
+ 8 files changed, 94 insertions(+), 84 deletions(-)
+ create mode 100644 tests/extrac32.at
+
+diff --git a/THANKS b/THANKS
+index aee0a924..03fa49d5 100644
+--- a/THANKS
++++ b/THANKS
+@@ -6,6 +6,7 @@ Many people further contributed to GNU tar by reporting problems,
+ suggesting various improvements or submitting actual code. Here is a
+ list of these people. Help me keep it complete and exempt of errors.
+ See various ChangeLogs for a detailed description of contributions.
++This listed is sorted via "LC_ALL=C sort".
+
+ Aage Robeck aagero@ifi.uio.no
+ Adam Borowski kilobyte@angband.pl
+@@ -36,8 +37,8 @@ Andrew J. Schorr schorr@ead.dsa.com
+ Andrew Torda torda@igc.chem.ethz.ch
+ Andrey A. Chernov ache@astral.msk.su
+ Andy Gay andy@rdl.co.uk
+-Antonio Jose Coutinho ajc@di.uminho.pt
+ Anthony G. Basile blueness@gentoo.org
++Antonio Jose Coutinho ajc@di.uminho.pt
+ Ariel Faigon ariel@engr.sgi.com
+ Arne Wichmann aw@math.uni-sb.de
+ Arnold Robbins arnold@gnu.org
+@@ -79,9 +80,9 @@ Cesar Romani romani@ifm.uni-hamburg.de
+ Chad Hurwitz churritz@cts.com
+ Chance Reschke creschke@usra.edu
+ Charles Fu ccwf@klab.caltech.edu
+-Charles McGarvey chazmcgarvey@brokenzipper.com
+ Charles Lopes Charles.Lopes@infm.ulst.ac.uk
+ Charles M. Hannum mycroft@gnu.org
++Charles McGarvey chazmcgarvey@brokenzipper.com
+ Chip Salzenberg tct!chip
+ Chris Arthur csa@gnu.org
+ Chris F.M. Verberne verberne@prl.philips.nl
+@@ -93,9 +94,9 @@ Christian Callsen Christian.Callsen@eng.sun.com
+ Christian Kirsch ck@held.mind.de
+ Christian Laubscher christian.laubscher@tiscalinet.ch
+ Christian T. Dum ctd@mpe-garching.mpg.de
+-Christian von Roques roques@pond.sub.org
+-Christian Wetzel wetzel@phoenix-pacs.de
+ Christian Weisgerber naddy@mips.inka.de
++Christian Wetzel wetzel@phoenix-pacs.de
++Christian von Roques roques@pond.sub.org
+ Christoph Litauer litauer@mailhost.uni-koblenz.de
+ Christophe Colle colle@krtkg1.rug.ac.be
+ Christophe Kalt Christophe.Kalt@kbcfp.com
+@@ -117,8 +118,8 @@ Dan Bloch dan@transarc.com
+ Dan Drake dan@dandrake.org
+ Dan Reish dreish@izzy.net
+ Daniel Hagerty hag@gnu.org
+-Daniel Quinlan quinlan@pathname.com
+ Daniel Kahn Gillmor dkg@fifthhorseman.net
++Daniel Quinlan quinlan@pathname.com
+ Daniel R. Guilderson d.guilderson@ma30.bull.com
+ Daniel S. Barclay daniel@compass-da.com
+ Daniel Trinkle trinkle@cs.purdue.edu
+@@ -198,6 +199,7 @@ Greg Hudson ghudson@mit.edu
+ Greg Maples greg@clari.net
+ Greg McGary gkm@cstone.net
+ Greg Schafer gschafer@zip.com.au
++Guillermo de Angel gdeangelg@gmail.com
+ Göran Uddeborg gvran@uddeborg.pp.se
+ Gürkan Karaman karaman@dssgmbh.de
+ Hans Guerth 100664.3101@compuserve.com
+@@ -222,6 +224,7 @@ Indra Singhal indra@synoptics.com
+ J. Dean Brock brock@cs.unca.edu
+ J.J. Bailey jjb@jagware.bcc.com
+ J.T. Conklin jtc@cygnus.com
++James Antill jantill@redhat.com
+ James Crawford Ralston qralston+@pitt.edu
+ James E. Carpenter jimc@zach1.tiac.net
+ James H Caldwell Jr caldwell@cs.fsu.edu
+@@ -233,15 +236,15 @@ Jan Carlson janc@sni.ca
+ Jan Djarv jan.djarv@mbox200.swipnet.se
+ Janice Burton r06a165@bcc25.kodak.com
+ Janne Snabb snabb@niksula.hut.fi
+-Jason R. Mastaler jason@webmaster.net
+ Jason Armistead Jason.Armistead@otis.com
++Jason R. Mastaler jason@webmaster.net
+ Jay Fenlason hack@gnu.org
+ Jean-Louis Martineau martineau@zmanda.com
+-Jean-Michel Soenen soenen@lectra.fr
+ Jean-Loup Gailly jloup@chorus.fr
+-Jeff Moskow jeff@rtr.com
++Jean-Michel Soenen soenen@lectra.fr
+ Jean-Ph. Martin-Flatin syj@ecmwf.int
+ Jean-Pierre Demailly Jean-Pierre.Demailly@ujf-grenoble.fr
++Jeff Moskow jeff@rtr.com
+ Jeff Prothero jsp@betz.biostr.washington.edu
+ Jeff Siegel js@hornet.att.com
+ Jeff Sorensen sorenj@alumni.rpi.edu
+@@ -249,7 +252,6 @@ Jeffrey Goldberg J.Goldberg@cranfield.ac.uk
+ Jeffrey Mark Siskind Qobi@emba.uvm.edu
+ Jeffrey W. Parker jwpkr@mcs.com
+ Jens Henrik Jensen recjhl@mediator.uni-c.dk
+-Jérémy Bobbio lunar@debian.org
+ Jim Blandy jimb@totoro.cs.oberlin.edu
+ Jim Clausing jac@postbox.acs.ohio-state.edu
+ Jim Farrell jwf@platinum.com
+@@ -283,13 +285,14 @@ Joutsiniemi Tommi Il tj75064@cs.tut.fi
+ Joy Kendall jak8@world.std.com
+ Judy Ricker jricker@gdstech.grumman.com
+ Juha Sarlin juha@tds.kth.se
+-Jurgen Botz jbotz@orixa.mtholyoke.edu
+ Jyh-Shyang Wang erik@vsp.ee.nctu.edu.tw
++Jérémy Bobbio lunar@debian.org
+ Jörg Schilling schilling@fokus.fraunhofer.de
+-Jörg Weule weule@cs.uni-duesseldorf.de
+ Jörg Weilbier gnu@weilbier.net
++Jörg Weule weule@cs.uni-duesseldorf.de
+ Jörgen Hågg Jorgen.Hagg@axis.se
+ Jörgen Weigert jw@suse.de
++Jürgen Botz jbotz@orixa.mtholyoke.edu
+ Jürgen Lüters jlueters@t-online.de
+ Jürgen Reiss reiss@psychologie.uni-wuerzburg.de
+ Kai Petzke wpp@marie.physik.tu-berlin.de
+@@ -311,7 +314,6 @@ Kimmy Posey kimmyd@bnr.ca
+ Koji Kishi kis@rqa.sony.co.jp
+ Konno Hiroharu konno@pac.co.jp
+ Kurt Jaeger pi@lf.net
+-James Antill jantill@redhat.com
+ Larry Creech lcreech@lonestar.rcclub.org
+ Larry Schwimmer rosebud@cyclone.stanford.edu
+ Lasse Collin lasse.collin@tukaani.org
+@@ -394,7 +396,6 @@ Oswald P. Backus IV backus@lks.csi.com
+ Pascal Meheut pascal@cnam.cnam.fr
+ Patrick Fulconis fulco@sig.uvsq.fr
+ Patrick Timmons timmons@electech.polymtl.ca
+-Pavel Raiskup praiskup@redhat.com
+ Paul Eggert eggert@twinsun.com
+ Paul Kanz paul@icx.com
+ Paul Mitchell P.Mitchell@surrey.ac.uk
+@@ -402,6 +403,7 @@ Paul Nevai pali+@osu.edu
+ Paul Nordstrom 100067.3532@compuserve.com
+ Paul O'Connor oconnorp@ul.ie
+ Paul Siddall pauls@postman.essex.ac.uk
++Pavel Raiskup praiskup@redhat.com
+ Peder Chr. Norgaard pcn@tbit.dk
+ Pekka Janhunen Pekka.Janhunen@fmi.fi
+ Per Bojsen pb@delta.dk
+@@ -420,9 +422,9 @@ Piotr Rotter piotr.rotter@active24.pl
+ R. Kent Dybvig dyb@cadence.bloomington.in.us
+ R. Scott Butler butler@prism.es.dupont.com
+ Rainer Orth ro@TechFak.Uni-Bielefeld.DE
+-Ralf Wildenhues Ralf.Wildenhues@gmx.de
+ Ralf S. Engelschall rse@engelschall.com
+ Ralf Suckow suckow@contrib.de
++Ralf Wildenhues Ralf.Wildenhues@gmx.de
+ Ralph Corderoy ralph@inputplus.co.uk
+ Ralph Schleicher rs@purple.ul.bawue.de
+ Randy Bias randyb@edge.edge.net
+diff --git a/src/extract.c b/src/extract.c
+index b384fed3..3bf0d77e 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1037,7 +1037,7 @@ safe_dir_mode (struct stat const *st)
+ /* Extractor functions for various member types */
+
+ static bool
+-extract_dir (char *file_name, char typeflag)
++extract_dir (char *file_name, MAYBE_UNUSED char typeflag)
+ {
+ int status;
+ mode_t mode;
+@@ -1060,8 +1060,6 @@ extract_dir (char *file_name, char typeflag)
+ if (incremental_option)
+ /* Read the entry and delete files that aren't listed in the archive. */
+ purge_directory (file_name);
+- else if (typeflag == GNUTYPE_DUMPDIR)
+- skip_member ();
+
+ mode = safe_dir_mode (¤t_stat_info.stat);
+
+@@ -1266,10 +1264,7 @@ extract_file (char *file_name, char typeflag)
+ {
+ fd = sys_exec_command (file_name, 'f', ¤t_stat_info);
+ if (fd < 0)
+- {
+- skip_member ();
+- return true;
+- }
++ return true;
+ }
+ else
+ {
+@@ -1289,7 +1284,6 @@ extract_file (char *file_name, char typeflag)
+ int recover = maybe_recoverable (file_name, true, &interdir_made);
+ if (recover != RECOVER_OK)
+ {
+- skip_member ();
+ if (recover == RECOVER_SKIP)
+ return true;
+ open_error (file_name);
+@@ -1337,6 +1331,7 @@ extract_file (char *file_name, char typeflag)
+ }
+
+ skim_file (size, false);
++ current_stat_info.skipped = true;
+
+ mv_end ();
+
+@@ -1841,15 +1836,9 @@ extract_archive (void)
+
+ tar_extractor_t fun = prepare_to_extract (current_stat_info.file_name,
+ typeflag);
+- if (fun)
+- {
+- if (fun (current_stat_info.file_name, typeflag))
+- return;
+- }
+- else
+- skip_member ();
+-
+- if (backup_option)
++ bool ok = fun && fun (current_stat_info.file_name, typeflag);
++ skip_member ();
++ if (!ok && backup_option)
+ undo_last_backup ();
+ }
+
+diff --git a/src/incremen.c b/src/incremen.c
+index 7bcfdb93..194d5cb1 100644
+--- a/src/incremen.c
++++ b/src/incremen.c
+@@ -1625,8 +1625,8 @@ dumpdir_ok (char *dumpdir)
+
+ /* Examine the directories under directory_name and delete any
+ files that were not there at the time of the back-up. */
+-static bool
+-try_purge_directory (char const *directory_name)
++void
++purge_directory (char const *directory_name)
+ {
+ char *current_dir;
+ char *cur, *arc, *p;
+@@ -1634,18 +1634,18 @@ try_purge_directory (char const *directory_name)
+ struct dumpdir *dump;
+
+ if (!is_dumpdir (¤t_stat_info))
+- return false;
++ return;
+
+ current_dir = tar_savedir (directory_name, 0);
+
+ if (!current_dir)
+ /* The directory doesn't exist now. It'll be created. In any
+ case, we don't have to delete any files out of it. */
+- return false;
++ return;
+
+ /* Verify if dump directory is sane */
+ if (!dumpdir_ok (current_stat_info.dumpdir))
+- return false;
++ return;
+
+ /* Process renames */
+ for (arc = current_stat_info.dumpdir; *arc; arc += strlen (arc) + 1)
+@@ -1666,7 +1666,7 @@ try_purge_directory (char const *directory_name)
+ quote (temp_stub)));
+ free (temp_stub);
+ free (current_dir);
+- return false;
++ return;
+ }
+ }
+ else if (*arc == 'R')
+@@ -1700,7 +1700,7 @@ try_purge_directory (char const *directory_name)
+ free (current_dir);
+ /* FIXME: Make sure purge_directory(dst) will return
+ immediately */
+- return false;
++ return;
+ }
+ }
+ }
+@@ -1758,14 +1758,6 @@ try_purge_directory (char const *directory_name)
+ dumpdir_free (dump);
+
+ free (current_dir);
+- return true;
+-}
+-
+-void
+-purge_directory (char const *directory_name)
+-{
+- if (!try_purge_directory (directory_name))
+- skip_member ();
+ }
+
+ void
+diff --git a/src/list.c b/src/list.c
+index 928779e1..c9623eb4 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -437,20 +437,15 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+ break;
+
+- /* Good block. Decode file size and return. */
+-
+- if (header->header.typeflag == LNKTYPE)
+- info->stat.st_size = 0; /* links 0 size on tape */
+- else
++ info->stat.st_size = OFF_FROM_HEADER (header->header.size);
++ if (info->stat.st_size < 0)
+ {
+- info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+- if (info->stat.st_size < 0)
+- {
+- status = HEADER_FAILURE;
+- break;
+- }
++ status = HEADER_FAILURE;
++ break;
+ }
+
++ info->skipped = false;
++
+ if (header->header.typeflag == GNUTYPE_LONGNAME
+ || header->header.typeflag == GNUTYPE_LONGLINK
+ || header->header.typeflag == XHDTYPE
+@@ -513,11 +508,15 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ }
+
+ *bp = '\0';
++ info->skipped = true;
+ }
+ else if (header->header.typeflag == XHDTYPE
+ || header->header.typeflag == SOLARIS_XHDTYPE)
+- xheader_read (&info->xhdr, header,
+- OFF_FROM_HEADER (header->header.size));
++ {
++ xheader_read (&info->xhdr, header,
++ OFF_FROM_HEADER (header->header.size));
++ info->skipped = true;
++ }
+ else if (header->header.typeflag == XGLTYPE)
+ {
+ struct xheader xhdr;
+@@ -531,6 +530,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ OFF_FROM_HEADER (header->header.size));
+ xheader_decode_global (&xhdr);
+ xheader_destroy (&xhdr);
++ info->skipped = true;
+ if (mode == read_header_x_global)
+ {
+ status = HEADER_SUCCESS_EXTENDED;
+@@ -1440,23 +1440,6 @@ skip_member (void)
+ skim_member (false);
+ }
+
+-static bool
+-member_is_dir (struct tar_stat_info *info, char typeflag)
+-{
+- switch (typeflag) {
+- case AREGTYPE:
+- case REGTYPE:
+- case CONTTYPE:
+- return info->had_trailing_slash;
+-
+- case DIRTYPE:
+- return true;
+-
+- default:
+- return false;
+- }
+-}
+-
+ /* Skip the current member in the archive.
+ If MUST_COPY, always copy instead of skipping. */
+ void
+@@ -1464,18 +1447,17 @@ skim_member (bool must_copy)
+ {
+ if (!current_stat_info.skipped)
+ {
+- bool is_dir = member_is_dir (¤t_stat_info,
+- current_header->header.typeflag);
+ set_next_block_after (current_header);
+
+ mv_begin_read (¤t_stat_info);
+
+ if (current_stat_info.is_sparse)
+ sparse_skim_file (¤t_stat_info, must_copy);
+- else if (!is_dir)
++ else
+ skim_file (current_stat_info.stat.st_size, must_copy);
+
+ mv_end ();
++ current_stat_info.skipped = true;
+ }
+ }
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6cf726c0..baeb55bb 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -133,6 +133,7 @@ TESTSUITE_AT = \
+ extrac23.at\
+ extrac24.at\
+ extrac25.at\
++ extrac32.at\
+ filerem01.at\
+ filerem02.at\
+ grow.at\
+diff --git a/tests/extrac32.at b/tests/extrac32.at
+new file mode 100644
+index 00000000..3829a483
+--- /dev/null
++++ b/tests/extrac32.at
+@@ -0,0 +1,47 @@
++# Check for file injection bug with symlinks. -*- Autotest -*-
++
++# Copyright 2026 Free Software Foundation, Inc.
++
++# This file is part of GNU tar.
++
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# Thanks to Guillermo de Angel for the bug report and test cases; see:
++# https://lists.gnu.org/r/bug-tar/2026-03/msg00007.html
++
++AT_SETUP([skip file injection])
++AT_KEYWORDS([injection])
++AT_DATA([archive.in],
++[/Td6WFoAAATm1rRGBMDbAYAcIQEcAAAAAAAAACYr+9LgDf8A010AMZhKvfVdtHe4Rxjj7M03ek97
++UgeKfJ0ORqYg0XDFntWxdTH4PYrTOo9CoqBrnTM2NcwFBrRVr7aFwdd56vddyAw2QGDjxgNexDU3
++ImTi/+z8ZOLMi/+AybdEpd5aA/M9Maa+8tQ84bySzSAwrmxMWJJ6W9IKvsqfiRa3TrD51v44PZU/
++KLVKpocS56n/O3g+b+hiZwaysR0eLO+tiU8FB/e3PEq3vTtDFVi/YfZMieBWSzomSX9eF13K1yPY
++UuWgp7VokXqduL0YGNVV40MTPG9oAAAApD6mpajengIAAfcBgBwAAOM4xw6xxGf7AgAAAAAEWVo=
++])
++AT_CHECK([base64 --help >/dev/null 2>&1 || AT_SKIP_TEST
++xz --help >/dev/null 2>&1 || AT_SKIP_TEST
++base64 -d < archive.in | xz -c -d > archive.tar
++])
++cp archive.tar /tmp
++AT_CHECK([tar tf archive.tar],
++[0],
++[carrier_entry
++marker.txt
++])
++AT_CHECK([tar xvf archive.tar],
++[0],
++[carrier_entry
++marker.txt
++])
++AT_CLEANUP
+diff --git a/tests/skipdir.at b/tests/skipdir.at
+index 7106ee74..a58a20fd 100644
+--- a/tests/skipdir.at
++++ b/tests/skipdir.at
+@@ -42,15 +42,11 @@ base64 -d < archive.in | xz -c -d > archive.tar
+ AT_CHECK([tar tf archive.tar],
+ [0],
+ [owo1/
+-owo2/
+ ])
+ AT_CHECK([tar vxf archive.tar],
+ [0],
+ [owo1/
+-owo2/
+ ])
+ AT_CHECK([tar -xvf archive.tar --exclude owo1],
+-[0],
+-[owo2/
+-])
++[0])
+ AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index f2229be1..58757005 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -349,6 +349,7 @@ m4_include([extrac22.at])
+ m4_include([extrac23.at])
+ m4_include([extrac24.at])
+ m4_include([extrac25.at])
++m4_include([extrac32.at])
+
+ m4_include([backup01.at])
+
+--
+2.44.1
+
diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb
index 042baa035c9..d15e7f8a4e5 100644
--- a/meta/recipes-extended/tar/tar_1.35.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -42,6 +42,10 @@ SRC_URI += " \
file://0001-tests-fix-TESTSUITE_AT.patch \
file://0002-tests-check-for-recently-fixed-bug.patch \
file://0003-Exclude-VCS-directory-with-writing-from-an-archive.patch \
+ file://CVE-2026-5704-dependent_p1.patch \
+ file://CVE-2026-5704-dependent_p2.patch \
+ file://CVE-2026-5704.patch \
+ file://CVE-2026-5704-regression.patch \
"
inherit ptest
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 30/55] dhcpcd: patch CVE-2026-56113
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (28 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 29/55] tar: Fix CVE-2026-5704 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 31/55] dhcpcd: patch CVE-2026-56114 Yoann Congal
` (25 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25
[2] https://security-tracker.debian.org/tracker/CVE-2026-56113
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../dhcpcd/dhcpcd_10.3.1.bb | 1 +
.../dhcpcd/files/CVE-2026-56113.patch | 92 +++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
index c940d6806a6..b348c895e8b 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd.service \
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+ file://CVE-2026-56113.patch \
"
SRCREV = "42ff6d2548209af3185473e6cb6f9d235c48bbf4"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
new file mode 100644
index 00000000000..602fb7979e2
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
@@ -0,0 +1,92 @@
+From 7c4a5dbae8ff99f8d3c2d8c1d3be95b60ffb4485 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:17:10 +0100
+Subject: [PATCH] DHCPv6: When deprecating addresses, restart on prefix
+ deletions
+
+As that might invalidate the next address to iterate on.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 5733d3c59a5651f64357ac11c98b4f39895c8d25)
+
+CVE: CVE-2026-56113
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 91341994..8a8a20a0 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2593,12 +2593,13 @@ dhcp6_findia(struct interface *ifp, struct dhcp6_message *m, size_t l,
+ }
+
+ #ifndef SMALL
+-static void
++static bool
+ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ {
+ struct ipv6_addr *da, *dan, *dda;
+ struct timespec now;
+ struct dhcp6_state *state;
++ bool freed = false;
+
+ timespecclear(&now);
+ TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {
+@@ -2624,11 +2625,14 @@ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ if (IN6_ARE_ADDR_EQUAL(&dda->addr, &da->addr))
+ break;
+ }
+- if (dda != NULL) {
++ if (dda != ia && dda != NULL) {
+ TAILQ_REMOVE(&state->addrs, dda, next);
+ ipv6_freeaddr(dda);
++ freed = true;
+ }
+ }
++
++ return freed;
+ }
+ #endif
+
+@@ -2636,7 +2640,11 @@ static void
+ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ {
+ struct ipv6_addr *ia, *ian;
++#ifndef SMALL
++ bool again;
++#endif
+
++again:
+ TAILQ_FOREACH_SAFE(ia, addrs, next, ian) {
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ;
+@@ -2658,7 +2666,9 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ /* If we delegated from this prefix, deprecate or remove
+ * the delegations. */
+ if (ia->flags & IPV6_AF_PFXDELEGATION)
+- dhcp6_deprecatedele(ia);
++ again = dhcp6_deprecatedele(ia);
++ else
++ again = false;
+ #endif
+
+ if (ia->flags & IPV6_AF_REQUEST) {
+@@ -2671,6 +2681,11 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ if (!(ia->flags & IPV6_AF_EXTENDED))
+ ipv6_deleteaddr(ia);
+ ipv6_freeaddr(ia);
++#ifndef SMALL
++ /* Deletion may invalidate the next pointer so restart */
++ if (again)
++ goto again;
++#endif
+ }
+ }
+
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 31/55] dhcpcd: patch CVE-2026-56114
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (29 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 30/55] dhcpcd: patch CVE-2026-56113 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 32/55] dhcpcd: patch CVE-2026-56116 Yoann Congal
` (24 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029
[2] https://security-tracker.debian.org/tracker/CVE-2026-56114
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../dhcpcd/dhcpcd_10.3.1.bb | 1 +
.../dhcpcd/files/CVE-2026-56114.patch | 34 +++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
index b348c895e8b..8195cea029f 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
file://CVE-2026-56113.patch \
+ file://CVE-2026-56114.patch \
"
SRCREV = "42ff6d2548209af3185473e6cb6f9d235c48bbf4"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
new file mode 100644
index 00000000000..0c2be7edfc3
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
@@ -0,0 +1,34 @@
+From 94766be134a053d88670377c70d3bdfc68b5db4a Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:06:55 +0100
+Subject: [PATCH] DHCPv6: Prefix exclude option can be 17 octets (#671)
+
+Well that's a simple off by one error
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 2f00c7bfc408b6582d331932dfa47829c4819029)
+
+CVE: CVE-2026-56114
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 8a8a20a0..5e497cfd 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -1093,7 +1093,7 @@ dhcp6_makemessage(struct interface *ifp)
+
+ /* RFC6603 Section 4.2 */
+ if (ap->prefix_exclude_len) {
+- uint8_t exb[16], *ep, u8;
++ uint8_t exb[17], *ep, u8;
+ const uint8_t *pp;
+
+ n = (size_t)((ap->prefix_exclude_len -
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 32/55] dhcpcd: patch CVE-2026-56116
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (30 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 31/55] dhcpcd: patch CVE-2026-56114 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 33/55] dhcpcd: patch CVE-2026-56117 Yoann Congal
` (23 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0
[2] https://security-tracker.debian.org/tracker/CVE-2026-56116
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../dhcpcd/dhcpcd_10.3.1.bb | 1 +
.../dhcpcd/files/CVE-2026-56116.patch | 31 +++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56116.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
index 8195cea029f..e214c03416e 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
file://CVE-2026-56113.patch \
file://CVE-2026-56114.patch \
+ file://CVE-2026-56116.patch \
"
SRCREV = "42ff6d2548209af3185473e6cb6f9d235c48bbf4"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56116.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56116.patch
new file mode 100644
index 00000000000..a329f92e6f9
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56116.patch
@@ -0,0 +1,31 @@
+From d37f45a39aed5fd5d0d2c87f62b22f5eed7495bd Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 00:34:58 +0100
+Subject: [PATCH] IPv6ND: Free routeinfo when it expires (#670)
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 708b4a56bae080a5b18c2e0c4c6fbe103131a2b0)
+
+CVE: CVE-2026-56116
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/ipv6nd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/ipv6nd.c b/src/ipv6nd.c
+index ccf71241..557ff50e 100644
+--- a/src/ipv6nd.c
++++ b/src/ipv6nd.c
+@@ -1789,6 +1789,7 @@ ipv6nd_expirera(void *arg)
+ logwarnx("%s: expired route %s",
+ rap->iface->name, rinfo->sprefix);
+ TAILQ_REMOVE(&rap->rinfos, rinfo, next);
++ free(rinfo);
+ }
+ }
+
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 33/55] dhcpcd: patch CVE-2026-56117
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (31 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 32/55] dhcpcd: patch CVE-2026-56116 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 34/55] sudo: fix pam-wheel sed for sudo 1.9.17p2 sudoers Yoann Congal
` (22 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34
[2] https://security-tracker.debian.org/tracker/CVE-2026-56117
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../dhcpcd/dhcpcd_10.3.1.bb | 1 +
.../dhcpcd/files/CVE-2026-56117.patch | 167 ++++++++++++++++++
2 files changed, 168 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
index e214c03416e..eb257cb27c1 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.3.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://CVE-2026-56113.patch \
file://CVE-2026-56114.patch \
file://CVE-2026-56116.patch \
+ file://CVE-2026-56117.patch \
"
SRCREV = "42ff6d2548209af3185473e6cb6f9d235c48bbf4"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
new file mode 100644
index 00000000000..2aabced8974
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
@@ -0,0 +1,167 @@
+From d4b53e813f6119a4f090f6ba10a91778ce3cd1d5 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Mon, 22 Jun 2026 23:41:53 +0100
+Subject: [PATCH] control: Avoid hangup in the recvdata path
+
+Instead return an error and bubble it up where it can be
+hangup / freed more cleanly.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 78ea09ed1633a583dbcde6e7bab9df4639ec8a34)
+
+CVE: CVE-2026-56117
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/control.c | 47 ++++++++++++++++++++++++-------------------
+ src/control.h | 2 +-
+ src/privsep-control.c | 7 ++++++-
+ 3 files changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/src/control.c b/src/control.c
+index ec1c633c..e6115f66 100644
+--- a/src/control.c
++++ b/src/control.c
+@@ -115,10 +115,8 @@ control_handle_read(struct fd_list *fd)
+ bytes = read(fd->fd, buffer, sizeof(buffer) - 1);
+ if (bytes == -1)
+ logerr(__func__);
+- if (bytes == -1 || bytes == 0) {
+- control_hangup(fd);
+- return -1;
+- }
++ if (bytes == -1 || bytes == 0)
++ return (int)bytes;
+
+ #ifdef PRIVSEP
+ if (IN_PRIVSEP(fd->ctx)) {
+@@ -134,15 +132,13 @@ control_handle_read(struct fd_list *fd)
+ if (err == 1 &&
+ ps_ctl_sendargs(fd, buffer, (size_t)bytes) == -1) {
+ logerr(__func__);
+- control_free(fd);
+ return -1;
+ }
+- return 0;
++ return 1;
+ }
+ #endif
+
+- control_recvdata(fd, buffer, (size_t)bytes);
+- return 0;
++ return control_recvdata(fd, buffer, (size_t)bytes);
+ }
+
+ static int
+@@ -205,23 +201,31 @@ static void
+ control_handle_data(void *arg, unsigned short events)
+ {
+ struct fd_list *fd = arg;
++ int err;
+
+ if (!(events & (ELE_READ | ELE_WRITE | ELE_HANGUP)))
+ logerrx("%s: unexpected event 0x%04x", __func__, events);
+
+ if (events & ELE_WRITE && !(events & ELE_HANGUP)) {
+- if (control_handle_write(fd) == -1)
+- return;
++ err = control_handle_write(fd);
++ if (err == -1)
++ goto hangup;
+ }
+ if (events & ELE_READ) {
+- if (control_handle_read(fd) == -1)
+- return;
++ err = control_handle_read(fd);
++ if (err == -1 || err == 0)
++ goto hangup;
+ }
+ if (events & ELE_HANGUP)
+- control_hangup(fd);
++ goto hangup;
++
++ return;
++
++hangup:
++ control_hangup(fd);
+ }
+
+-void
++int
+ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ {
+ char *p = data, *e;
+@@ -243,12 +247,13 @@ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ if (e == NULL) {
+ errno = EINVAL;
+ logerrx("%s: no terminator", __func__);
+- return;
++ return -1;
+ }
+- if ((size_t)argc >= sizeof(argvp) / sizeof(argvp[0])) {
++ if ((size_t)argc + 1 >=
++ sizeof(argvp) / sizeof(argvp[0])) {
+ errno = ENOBUFS;
+ logerrx("%s: no arg buffer", __func__);
+- return;
++ return -1;
+ }
+ *ap++ = p;
+ argc++;
+@@ -268,12 +273,12 @@ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ *ap = NULL;
+ if (dhcpcd_handleargs(fd->ctx, fd, argc, argvp) == -1) {
+ logerr(__func__);
+- if (errno != EINTR && errno != EAGAIN) {
+- control_free(fd);
+- return;
+- }
++ if (errno != EINTR && errno != EAGAIN)
++ return -1;
+ }
+ }
++
++ return 1;
+ }
+
+ struct fd_list *
+diff --git a/src/control.h b/src/control.h
+index ef592268..1f09fc8f 100644
+--- a/src/control.h
++++ b/src/control.h
+@@ -76,5 +76,5 @@ struct fd_list *control_new(struct dhcpcd_ctx *, int, unsigned int);
+ void control_free(struct fd_list *);
+ void control_delete(struct fd_list *);
+ int control_queue(struct fd_list *, void *, size_t);
+-void control_recvdata(struct fd_list *fd, char *, size_t);
++int control_recvdata(struct fd_list *fd, char *, size_t);
+ #endif
+diff --git a/src/privsep-control.c b/src/privsep-control.c
+index b9ea7f9c..3cdeedea 100644
+--- a/src/privsep-control.c
++++ b/src/privsep-control.c
+@@ -110,6 +110,7 @@ ps_ctl_dispatch(void *arg, struct ps_msghdr *psm, struct msghdr *msg)
+ struct iovec *iov = msg->msg_iov;
+ struct fd_list *fd;
+ unsigned int fd_flags = FD_SENDLEN;
++ int err;
+
+ switch (psm->ps_flags) {
+ case PS_CTL_PRIV:
+@@ -133,7 +134,11 @@ ps_ctl_dispatch(void *arg, struct ps_msghdr *psm, struct msghdr *msg)
+ if (fd == NULL)
+ return -1;
+ ctx->ps_control_client = fd;
+- control_recvdata(fd, iov->iov_base, iov->iov_len);
++ err = control_recvdata(fd, iov->iov_base, iov->iov_len);
++ if (err == -1 || err == 0) {
++ control_free(fd);
++ ctx->ps_control_client = NULL;
++ }
+ break;
+ case PS_CTL_EOF:
+ ctx->ps_control_client = NULL;
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 34/55] sudo: fix pam-wheel sed for sudo 1.9.17p2 sudoers
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (32 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 33/55] dhcpcd: patch CVE-2026-56117 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 35/55] texinfo: add missing perl module runtime dependencies Yoann Congal
` (21 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Nate Kent <nathan@otiv.ai>
[YOCTO #16321]
In version 1.9.17p2, the line that the recipe uses to add the 'wheel'
group to the sudoers file does not exist. This updates the sed usage to
the actual line in question.
Signed-off-by: Nate Kent <nathan@otiv.ai>
Tested-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 76231f202a437be221c2580d4fa0fc100c453e92)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb
index 7dfa0cef6c2..489c0db09df 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb
@@ -37,7 +37,7 @@ do_install:append () {
install -D -m 644 ${UNPACKDIR}/sudo.pam ${D}/${sysconfdir}/pam.d/sudo
if ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)} ; then
echo 'auth required pam_wheel.so use_uid' >>${D}${sysconfdir}/pam.d/sudo
- sed -i 's/# \(%wheel ALL=(ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers
+ sed -i 's/# \(%wheel ALL=(ALL:ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers
fi
fi
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 35/55] texinfo: add missing perl module runtime dependencies
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (33 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 34/55] sudo: fix pam-wheel sed for sudo 1.9.17p2 sudoers Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 36/55] perl: patch CVE-2026-8376 Yoann Congal
` (20 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Xiaozhan Li <Xiaozhan.Li.CN@windriver.com>
Some makeinfo commands like makeinfo --version, makeinfo --html fail on target
with errors like:Can't locate xxx.pm in @INC
This is because texinfo's texi2any requires several core Perl modules
that are split into separate packages in OE. Add the missing modules
to RDEPENDS so they are pulled into the image automatically.
Signed-off-by: Xiaozhan Li <Xiaozhan.Li.CN@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bfe02ddac02e4d949dea67db20979565ea4c3f30)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb | 2 ++
meta/recipes-extended/texinfo/texinfo_7.3.bb | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index f97a28cab56..768a0383c5a 100644
--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -37,6 +37,8 @@ DUMMYPROVIDES_PACKAGES = "\
nativesdk-perl-module-threads \
nativesdk-perl-module-warnings \
nativesdk-perl-module-vars \
+ nativesdk-perl-module-locale \
+ nativesdk-perl-module-config \
"
DUMMYPROVIDES = "\
diff --git a/meta/recipes-extended/texinfo/texinfo_7.3.bb b/meta/recipes-extended/texinfo/texinfo_7.3.bb
index fae4e510b45..5d942464d49 100644
--- a/meta/recipes-extended/texinfo/texinfo_7.3.bb
+++ b/meta/recipes-extended/texinfo/texinfo_7.3.bb
@@ -77,6 +77,10 @@ FILES:info-doc = "${infodir}/info.info* ${infodir}/dir ${infodir}/info-*.info* \
FILES:${PN} = "${bindir}/makeinfo ${bindir}/texi* ${bindir}/pdftexi2dvi ${bindir}/pod2texi ${datadir}/texinfo ${datadir}/texi2any"
RDEPENDS:${PN} = "perl"
+RDEPENDS:${PN} += "perl-module-if perl-module-utf8 perl-module-encode perl-module-encode-encoding perl-module-locale perl-module-integer \
+ perl-module-file-spec perl-module-cwd perl-module-file-basename perl-module-getopt-long perl-module-posix perl-module-data-dumper \
+ perl-module-storable perl-module-feature perl-module-unicode-normalize perl-module-charnames perl-module-unicore perl-module-file-copy \
+ perl-module-file-glob"
FILES:${PN}-doc = "${infodir}/texi* \
${datadir}/${tex_texinfo} \
${mandir}/man1 ${mandir}/man5"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 36/55] perl: patch CVE-2026-8376
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (34 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 35/55] texinfo: add missing perl module runtime dependencies Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 37/55] python3: skiptest tracemalloc_track_race Yoann Congal
` (19 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patches from [1]
[1] https://github.com/Perl/perl5/pull/24433
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dd5865a74accaec21eb8391b2491f98908f8586)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../perl/files/CVE-2026-8376-01.patch | 62 +++++++++++++++++++
.../perl/files/CVE-2026-8376-02.patch | 49 +++++++++++++++
meta/recipes-devtools/perl/perl_5.42.0.bb | 2 +
3 files changed, 113 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-8376-01.patch
create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-8376-02.patch
diff --git a/meta/recipes-devtools/perl/files/CVE-2026-8376-01.patch b/meta/recipes-devtools/perl/files/CVE-2026-8376-01.patch
new file mode 100644
index 00000000000..af94eec29cf
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2026-8376-01.patch
@@ -0,0 +1,62 @@
+From fd23f4370d24d00352d1cc09b16687f16da6ae5b Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 12 May 2026 14:47:31 +1000
+Subject: [PATCH 1/2] perl/perl-security#147: test cases
+
+The suggested case from the ticket and an alternative.
+
+(cherry picked from commit e842efdafe7c51a687a4907e4887988fe6a025ef)
+
+CVE: CVE-2026-8376
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/e842efdafe7c51a687a4907e4887988fe6a025ef]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ t/re/pat_psycho.t | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/t/re/pat_psycho.t b/t/re/pat_psycho.t
+index 336039521d..73a7992372 100644
+--- a/t/re/pat_psycho.t
++++ b/t/re/pat_psycho.t
+@@ -10,7 +10,7 @@
+ use strict;
+ use warnings;
+ use 5.010;
+-
++use Config;
+
+ sub run_tests;
+
+@@ -31,7 +31,7 @@ BEGIN {
+
+ skip_all('$PERL_SKIP_PSYCHO_TEST set') if $ENV{PERL_SKIP_PSYCHO_TEST};
+
+-plan tests => 15; # Update this when adding/deleting tests.
++plan tests => 17; # Update this when adding/deleting tests.
+
+ run_tests() unless caller;
+
+@@ -211,6 +211,20 @@ EOF
+
+
+ }
++
++ SKIP:
++ { # sec #147
++ $Config{ptrsize} == 4
++ or skip "these only fail on x32 and use too much memory on x64", 2;
++ local $::TODO = "This crashes";
++ # original case
++ fresh_perl_like('/\x{10000}{1073741824}/',
++ qr/Regexp out of space/, {}, "ssize_t overflow");
++
++ # synthesized but similar case
++ fresh_perl_like('/(?:\x{10001}\x{10000}){536870912}/',
++ qr/Regexp out of space/, {}, "ssize_t overflow again");
++ }
+ } # End of sub run_tests
+
+ 1;
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/perl/files/CVE-2026-8376-02.patch b/meta/recipes-devtools/perl/files/CVE-2026-8376-02.patch
new file mode 100644
index 00000000000..39b3d510fe4
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2026-8376-02.patch
@@ -0,0 +1,49 @@
+From 49c18d4c91d5b49e0a7cbb8277f3149198004c36 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 12 May 2026 14:51:00 +1000
+Subject: [PATCH 2/2] perl/perl-security#147: test against the actual character
+ lengths
+
+(cherry picked from commit 5e7f119eb2bb1181be908701f22bf7068e722f1c)
+
+CVE: CVE-2026-8376
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ regcomp_study.c | 7 +++++++
+ t/re/pat_psycho.t | 1 -
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/regcomp_study.c b/regcomp_study.c
+index 9106452dd5..05f1b017b1 100644
+--- a/regcomp_study.c
++++ b/regcomp_study.c
+@@ -2770,6 +2770,13 @@ Perl_study_chunk(pTHX_
+ (U8 *) SvEND(data->last_found))
+ - (U8*)s;
+ l -= old;
++
++ if (l > 0 &&
++ (mincount >= SSize_t_MAX / (SSize_t)l
++ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
++ FAIL("Regexp out of space");
++ }
++
+ /* Get the added string: */
+ last_str = newSVpvn_utf8(s + old, l, UTF);
+ last_chrs = UTF ? utf8_length((U8*)(s + old),
+diff --git a/t/re/pat_psycho.t b/t/re/pat_psycho.t
+index 73a7992372..9fd764fd5e 100644
+--- a/t/re/pat_psycho.t
++++ b/t/re/pat_psycho.t
+@@ -216,7 +216,6 @@ EOF
+ { # sec #147
+ $Config{ptrsize} == 4
+ or skip "these only fail on x32 and use too much memory on x64", 2;
+- local $::TODO = "This crashes";
+ # original case
+ fresh_perl_like('/\x{10000}{1073741824}/',
+ qr/Regexp out of space/, {}, "ssize_t overflow");
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/perl/perl_5.42.0.bb b/meta/recipes-devtools/perl/perl_5.42.0.bb
index cf28067bab8..1833b7a352d 100644
--- a/meta/recipes-devtools/perl/perl_5.42.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.42.0.bb
@@ -16,6 +16,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://0002-Constant-Fix-up-shebang.patch \
file://determinism.patch \
file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
+ file://CVE-2026-8376-01.patch \
+ file://CVE-2026-8376-02.patch \
"
SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 37/55] python3: skiptest tracemalloc_track_race
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (35 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 36/55] perl: patch CVE-2026-8376 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 38/55] common-licenses/PHP-3.0: Correct the license text Yoann Congal
` (18 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Kris Gavvala <kris.gavvala@windriver.com>
In python3 ptests, tracemalloc_track_race fails with a segfault.
To avoid ptest failures for now, skip the test.
Fixes [YOCTO #16182]
Upstream Issue: https://github.com/python/cpython/issues/143143
(cherry picked from commit 7504490ba5e6ce0317dd12bdb961542062f05830)
Signed-off-by: Kris Gavvala <kris.gavvala@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/python/python3_3.14.5.bb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb
index ed413dc1fe9..fd407c96035 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.5.bb
@@ -253,6 +253,13 @@ do_install:append:class-nativesdk () {
}
SKIPPED_TESTS = "--ignore test.test_os.test_os.TimerfdTests.test_timerfd_TFD_TIMER_ABSTIME"
+
+# Fails with segfault
+# Bugzilla YP 16182 (test_tracemalloc_track_race)
+SKIPPED_TESTS += " \
+ --ignore test.test_tracemalloc.TestCAPI.test_tracemalloc_track_race \
+"
+
SKIPPED_TESTS:append:class-target:libc-musl = " \
-x test__locale \
-x test_c_locale_coercion \
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 38/55] common-licenses/PHP-3.0: Correct the license text
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (36 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 37/55] python3: skiptest tracemalloc_track_race Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 39/55] quota: use native rpcgen and a single-word RPCGEN_CPP Yoann Congal
` (17 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Peter Kjellerstedt <pkj@axis.com>
For some reason, this previously contained the licenses text for the
PHP-3.01 license.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61591c3c982a90dcb2c63d6e1f02d8dc22f6fb6b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/files/common-licenses/PHP-3.0 | 76 +++++++-----------------------
1 file changed, 17 insertions(+), 59 deletions(-)
diff --git a/meta/files/common-licenses/PHP-3.0 b/meta/files/common-licenses/PHP-3.0
index ef0b20306ae..d6e8ae61a76 100644
--- a/meta/files/common-licenses/PHP-3.0
+++ b/meta/files/common-licenses/PHP-3.0
@@ -1,70 +1,28 @@
+The PHP License, version 3.0
---------------------------------------------------------------------
- The PHP License, version 3.01
-Copyright (c) 1999 - 2010 The PHP Group. All rights reserved.
---------------------------------------------------------------------
+Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
-Redistribution and use in source and binary forms, with or without
-modification, is permitted provided that the following conditions
-are met:
+Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
-
- 3. The name "PHP" must not be used to endorse or promote products
- derived from this software without prior written permission. For
- written permission, please contact group@php.net.
-
- 4. Products derived from this software may not be called "PHP", nor
- may "PHP" appear in their name, without prior written permission
- from group@php.net. You may indicate that your software works in
- conjunction with PHP by saying "Foo for PHP" instead of calling
- it "PHP Foo" or "phpfoo"
-
- 5. The PHP Group may publish revised and/or new versions of the
- license from time to time. Each version will be given a
- distinguishing version number.
- Once covered code has been published under a particular version
- of the license, you may always continue to use it under the terms
- of that version. You may also choose to use such covered code
- under the terms of any subsequent version of the license
- published by the PHP Group. No one other than the PHP Group has
- the right to modify the terms applicable to covered code created
- under this License.
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- 6. Redistributions of any form whatsoever must retain the following
- acknowledgment:
- "This product includes PHP software, freely available from
- <http://www.php.net/software/>".
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS`` AND
-ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP
-DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-OF THE POSSIBILITY OF SUCH DAMAGE.
+3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.
---------------------------------------------------------------------
+4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
-This software consists of voluntary contributions made by many
-individuals on behalf of the PHP Group.
+5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
+
+6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".
+
+THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-The PHP Group can be contacted via Email at group@php.net.
-For more information on the PHP Group and the PHP project,
-please see <http://www.php.net>.
+This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
+
+The PHP Group can be contacted via Email at group@php.net.
-PHP includes the Zend Engine, freely available at
-<http://www.zend.com>.
+For more information on the PHP Group and the PHP project, please see <http://www.php.net>.
+This product includes the Zend Engine, freely available at <http://www.zend.com>.
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 39/55] quota: use native rpcgen and a single-word RPCGEN_CPP
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (37 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 38/55] common-licenses/PHP-3.0: Correct the license text Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 40/55] python3-click: Fixes for new pytest and flaky ptest Yoann Congal
` (16 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Otavio Salvador <otavio@ossystems.com.br>
The rpc PACKAGECONFIG regenerates rquota.{c,h} and rquota_clnt.c from
rquota.x with rpcgen at build time, as the tarball ships no
pre-generated copies. Two problems made this fail:
- rpcgen was picked up from the host via HOSTTOOLS rather than from the
build, which is non-deterministic and breaks on hosts that have no
rpcgen at all.
- rpcgen execs its C preprocessor as a single program name, but OE
exports $CPP as a multi-word "gcc -E --sysroot=... <flags>" string,
so rpcgen reports "cannot find C preprocessor" and aborts.
Depend on rpcsvc-proto-native so rpcgen comes from the build, and set
RPCGEN_CPP to the single-word cross cpp so the preprocessor can be
exec'd.
Tested with bitbake quota (configure/compile/install/package) on
qemuarm.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 97a93dc468bdd172fe7eadca86bad9e149891eeb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/quota/quota_4.11.bb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-extended/quota/quota_4.11.bb b/meta/recipes-extended/quota/quota_4.11.bb
index b3860719611..811056f1f75 100644
--- a/meta/recipes-extended/quota/quota_4.11.bb
+++ b/meta/recipes-extended/quota/quota_4.11.bb
@@ -26,6 +26,10 @@ ASNEEDED = ""
PACKAGECONFIG ??= "rpc bsd"
PACKAGECONFIG:libc-musl = "rpc"
-PACKAGECONFIG[rpc] = "--enable-rpc,--disable-rpc,libtirpc"
+# rpcgen execs its preprocessor as a single program; OE's multi-word $CPP fails,
+# so point it at the cross cpp instead.
+export RPCGEN_CPP = "${TARGET_PREFIX}cpp"
+
+PACKAGECONFIG[rpc] = "--enable-rpc,--disable-rpc,libtirpc rpcsvc-proto-native"
PACKAGECONFIG[bsd] = "--enable-bsd_behaviour=yes,--enable-bsd_behaviour=no,"
PACKAGECONFIG[ldapmail] = "--enable-ldapmail,--disable-ldapmail,openldap"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 40/55] python3-click: Fixes for new pytest and flaky ptest
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (38 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 39/55] quota: use native rpcgen and a single-word RPCGEN_CPP Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 41/55] i2c-tools: add LGPL-2.1-or-later license for libi2c Yoann Congal
` (15 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Submit a patch upstream to allow it to work with the new version of pytest.
Also backport a "flaky test" fix which may help issues we're seeing on the
autobuilder.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 976beed0875a40d71d0c98d56696c97988684ada)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...7494c991c9197902fdf4995e11b2da3e9762.patch | 173 ++++++++++++++++++
.../python/python3-click/pytest-fix.patch | 29 +++
.../python/python3-click_8.3.1.bb | 1 +
3 files changed, 203 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-click/ffcc7494c991c9197902fdf4995e11b2da3e9762.patch
create mode 100644 meta/recipes-devtools/python/python3-click/pytest-fix.patch
diff --git a/meta/recipes-devtools/python/python3-click/ffcc7494c991c9197902fdf4995e11b2da3e9762.patch b/meta/recipes-devtools/python/python3-click/ffcc7494c991c9197902fdf4995e11b2da3e9762.patch
new file mode 100644
index 00000000000..e16f84ec9a3
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-click/ffcc7494c991c9197902fdf4995e11b2da3e9762.patch
@@ -0,0 +1,173 @@
+"Fix pager test flackiness and add stress tests for echo_via_pager"
+
+From 7eb57cff7cd292fbd526eaf861c8f945ddeb07a3 Mon Sep 17 00:00:00 2001
+From: Kevin Deldycke <kevin@deldycke.com>
+Date: Fri, 22 May 2026 11:13:12 +0200
+Subject: [PATCH] Fix pager test race by raising before yield
+
+Upstream-Status: Backport [https://github.com/pallets/click/commit/ffcc7494c991c9197902fdf4995e11b2da3e9762]
+
+Refs: #3470 #2899
+---
+ pyproject.toml | 3 +-
+ src/click/_compat.py | 1 -
+ tests/test_stream_lifecycle.py | 4 +-
+ tests/test_utils.py | 79 +++++++++++++++++++++++++++++++---
+ 4 files changed, 78 insertions(+), 9 deletions(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index e39ef21055..ed91e5d741 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -185,12 +185,11 @@ commands = [[
+ ]]
+
+ [tool.tox.env.stress]
+-description = "stress tests for stream lifecycle race conditions"
++description = "high-iteration stress tests for race conditions"
+ commands = [[
+ "pytest", "-v", "--tb=short", "-x", "-m", "stress",
+ "--basetemp={env_tmp_dir}",
+ "--override-ini=addopts=",
+- "tests/test_stream_lifecycle.py",
+ {replace = "posargs", default = [], extend = true},
+ ]]
+
+diff --git a/src/click/_compat.py b/src/click/_compat.py
+index 36c0e53975..134c4f3893 100644
+--- a/src/click/_compat.py
++++ b/src/click/_compat.py
+@@ -12,7 +12,6 @@
+
+ CYGWIN = sys.platform.startswith("cygwin")
+ WIN = sys.platform.startswith("win")
+-MAC = sys.platform == "darwin"
+ auto_wrap_for_ansi: t.Callable[[t.TextIO], t.TextIO] | None = None
+ _ansi_re = re.compile(r"\033\[[;?0-9]*[a-zA-Z]")
+
+diff --git a/tests/test_stream_lifecycle.py b/tests/test_stream_lifecycle.py
+index 42e26acc34..9f4aa20868 100644
+--- a/tests/test_stream_lifecycle.py
++++ b/tests/test_stream_lifecycle.py
+@@ -484,7 +484,9 @@ def cli():
+ # Category 6: Stress tests - high-iteration reproducers for race conditions
+ #
+ # These are marked with ``pytest.mark.stress`` so they can be included or
+-# excluded independently. The CI workflow runs them in a separate job.
++# excluded independently. The ``tox -e stress`` env collects every
++# ``pytest.mark.stress`` test across the suite (not just this file), so
++# stress regressions for other components live alongside their unit tests.
+ # ---------------------------------------------------------------------------
+
+
+diff --git a/tests/test_utils.py b/tests/test_utils.py
+index 139cd7324f..1aebf3cc5a 100644
+--- a/tests/test_utils.py
++++ b/tests/test_utils.py
+@@ -16,7 +16,6 @@
+
+ import click._termui_impl
+ import click.utils
+-from click._compat import MAC
+ from click._compat import WIN
+ from click._utils import UNSET
+
+@@ -286,6 +285,11 @@ def _test_gen_func():
+
+
+ def _test_gen_func_fails():
++ raise RuntimeError("This is a test.")
++ yield # unreachable, keeps this a generator function
++
++
++def _test_gen_func_yields_then_fails():
+ yield "test"
+ raise RuntimeError("This is a test.")
+
+@@ -315,10 +319,6 @@ def _test_simulate_keyboard_interrupt(file=None):
+
+
+ @pytest.mark.skipif(WIN, reason="Different behavior on windows.")
+-@pytest.mark.skipif(
+- MAC and sys.version_info >= (3, 13) and not sys._is_gil_enabled(),
+- reason="Generator exception tests are flaky in Python 3.14t on macOS.",
+-)
+ @pytest.mark.parametrize(
+ "pager_cmd", ["cat", "cat ", " cat ", "less", " less", " less "]
+ )
+@@ -456,6 +456,75 @@ def test_echo_via_pager(monkeypatch, capfd, pager_cmd, test, tmp_path):
+ )
+
+
++@pytest.mark.skipif(WIN, reason="Different behavior on windows.")
++def test_echo_via_pager_yields_before_exception(monkeypatch, tmp_path):
++ """A generator that yields then raises: click writes the partial output to
++ the pager stream before propagating the exception.
++
++ The pager file content is intentionally NOT asserted: pipe-drain timing
++ between click and the pager subprocess is outside click's control
++ (#2899, #3470). Spying on ``MaybeStripAnsi.write`` records what click sent
++ to the pager, which is deterministic regardless of scheduling.
++ """
++ monkeypatch.setitem(os.environ, "PAGER", "cat")
++ monkeypatch.setattr(click._termui_impl, "isatty", lambda x: True)
++
++ writes: list[str] = []
++ real_write = click._termui_impl.MaybeStripAnsi.write
++
++ def spy(self, text):
++ writes.append(text)
++ return real_write(self, text)
++
++ monkeypatch.setattr(click._termui_impl.MaybeStripAnsi, "write", spy)
++
++ pager_out_tmp = tmp_path / "pager_out.txt"
++ with (
++ pager_out_tmp.open("w") as f,
++ patch.object(subprocess, "Popen", partial(subprocess.Popen, stdout=f)),
++ pytest.raises(RuntimeError, match="This is a test."),
++ ):
++ click.echo_via_pager(_test_gen_func_yields_then_fails())
++
++ assert "".join(writes) == "test", (
++ f"click should have written the yielded chunk before exception, got {writes!r}"
++ )
++
++
++@pytest.mark.stress
++@pytest.mark.skipif(WIN, reason="Different behavior on windows.")
++@pytest.mark.parametrize("_", range(1000))
++def test_stress_echo_via_pager_exception_cleanup(_, monkeypatch, tmp_path):
++ """Repeated exceptions during ``echo_via_pager`` must not leak subprocesses.
++
++ Regression coverage for the cleanup path in ``_pipepager``'s exception
++ handler (issue #2899, PR #3470). Each iteration spawns a real pager
++ subprocess, raises before any data is written and check there is no leak.
++ """
++ monkeypatch.setitem(os.environ, "PAGER", "cat")
++ monkeypatch.setattr(click._termui_impl, "isatty", lambda x: True)
++
++ spawned: list[subprocess.Popen] = []
++ real_popen = subprocess.Popen
++
++ def tracking_popen(*args, **kwargs):
++ p = real_popen(*args, **kwargs)
++ spawned.append(p)
++ return p
++
++ pager_out_tmp = tmp_path / "pager_out.txt"
++ with (
++ pager_out_tmp.open("w") as f,
++ patch.object(subprocess, "Popen", partial(tracking_popen, stdout=f)),
++ pytest.raises(RuntimeError),
++ ):
++ click.echo_via_pager(_test_gen_func_fails())
++
++ assert spawned, "pager subprocess was never started"
++ for p in spawned:
++ assert p.returncode is not None, "pager subprocess not reaped"
++
++
+ def test_echo_color_flag(monkeypatch, capfd):
+ isatty = True
+ monkeypatch.setattr(click._compat, "isatty", lambda x: isatty)
diff --git a/meta/recipes-devtools/python/python3-click/pytest-fix.patch b/meta/recipes-devtools/python/python3-click/pytest-fix.patch
new file mode 100644
index 00000000000..662ad8aae9d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-click/pytest-fix.patch
@@ -0,0 +1,29 @@
+Fix an error with newer versions of pytest (9.1.0) by converting the generator into a tuple:
+
+E pytest.PytestRemovedIn10Warning: Passing a non-Collection iterable to parametrize is deprecated.
+E Test: tests/test_basic.py::test_boolean_conversion, argvalues type: chain
+E Please convert to a list or tuple.
+E See https://docs.pytest.org/en/stable/deprecations.html#parametrize-iterators
+ERROR: tests/test_basic.py:tests/test_basic.py
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted [https://github.com/pallets/click/pull/3597]
+
+Index: click-8.3.3/tests/test_basic.py
+===================================================================
+--- click-8.3.3.orig/tests/test_basic.py
++++ click-8.3.3/tests/test_basic.py
+@@ -258,10 +258,10 @@ def test_boolean_flag(runner, default, a
+
+ @pytest.mark.parametrize(
+ ("value", "expect"),
+- chain(
++ tuple(chain(
+ ((x, "True") for x in ("1", "true", "t", "yes", "y", "on")),
+ ((x, "False") for x in ("0", "false", "f", "no", "n", "off")),
+- ),
++ )),
+ )
+ def test_boolean_conversion(runner, value, expect):
+ @click.command()
diff --git a/meta/recipes-devtools/python/python3-click_8.3.1.bb b/meta/recipes-devtools/python/python3-click_8.3.1.bb
index 1f42fe1a50c..eba9f09f82a 100644
--- a/meta/recipes-devtools/python/python3-click_8.3.1.bb
+++ b/meta/recipes-devtools/python/python3-click_8.3.1.bb
@@ -8,6 +8,7 @@ HOMEPAGE = "http://click.pocoo.org/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1fa98232fd645608937a0fdc82e999b8"
+SRC_URI += "file://pytest-fix.patch"
SRC_URI[sha256sum] = "12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a"
inherit pypi python_flit_core ptest-python-pytest
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 41/55] i2c-tools: add LGPL-2.1-or-later license for libi2c
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (39 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 40/55] python3-click: Fixes for new pytest and flaky ptest Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 42/55] strace: remove skip-bpf.patch Yoann Congal
` (14 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Sai Sneha <saisneha196@gmail.com>
The libi2c library included in i2c-tools is licensed under
LGPL-2.1-or-later, as stated in the upstream README and the
COPYING.LGPL file. Update LICENSE and LIC_FILES_CHKSUM to reflect
this.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=16313
Signed-off-by: Sai Sneha <saisneha196@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c2b1410faa150384562bada22c1c8f7c944c7951)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/i2c-tools/i2c-tools_4.4.bb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/i2c-tools/i2c-tools_4.4.bb b/meta/recipes-devtools/i2c-tools/i2c-tools_4.4.bb
index f4881f3c2fe..55d434ed212 100644
--- a/meta/recipes-devtools/i2c-tools/i2c-tools_4.4.bb
+++ b/meta/recipes-devtools/i2c-tools/i2c-tools_4.4.bb
@@ -2,8 +2,9 @@ SUMMARY = "Set of i2c tools for linux"
HOMEPAGE = "https://i2c.wiki.kernel.org/index.php/I2C_Tools"
DESCRIPTION = "The i2c-tools package contains a heterogeneous set of I2C tools for Linux: a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. All versions of Linux are supported, as long as I2C support is included in the kernel."
SECTION = "base"
-LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe \
+ file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
SRC_URI = "${KERNELORG_MIRROR}/software/utils/i2c-tools/${BP}.tar.gz \
"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 42/55] strace: remove skip-bpf.patch
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (40 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 41/55] i2c-tools: add LGPL-2.1-or-later license for libi2c Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 43/55] devtool: provide explicit error for missing "script" command Yoann Congal
` (13 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex@linutronix.de>
Issue was resolved in https://github.com/strace/strace/commit/982e5ff96a670473187ccdf6e2d8ddb3c40c82e1
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52fd493a9851a44bc836a712800584cd93564240)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../strace/strace/skip-bpf.patch | 25 -------------------
meta/recipes-devtools/strace/strace_6.19.bb | 1 -
2 files changed, 26 deletions(-)
delete mode 100644 meta/recipes-devtools/strace/strace/skip-bpf.patch
diff --git a/meta/recipes-devtools/strace/strace/skip-bpf.patch b/meta/recipes-devtools/strace/strace/skip-bpf.patch
deleted file mode 100644
index b058b0ba03d..00000000000
--- a/meta/recipes-devtools/strace/strace/skip-bpf.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-These tests failed when upgrading to 6.18. Skip them for now until the issue can be resolved
-as the upgrade is needed for newer kernel versons.
-
-Upstream-Status: Inappropriate [issue reported at https://github.com/strace/strace/issues/370]
-
-Index: strace-6.16/tests/bpf-v.gen.test
-===================================================================
---- strace-6.16.orig/tests/bpf-v.gen.test
-+++ strace-6.16/tests/bpf-v.gen.test
-@@ -1,4 +1,5 @@
- #!/bin/sh -efu
- # Generated by ./tests/gen_tests.sh from ./tests/gen_tests.in (bpf-v -a20 -v -e trace=bpf); do not edit.
- . "${srcdir=.}/init.sh"
-+skip_ "Test doesn't work atm"
- run_strace_match_diff -a20 -v -e trace=bpf
-Index: strace-6.16/tests/bpf.gen.test
-===================================================================
---- strace-6.16.orig/tests/bpf.gen.test
-+++ strace-6.16/tests/bpf.gen.test
-@@ -1,4 +1,5 @@
- #!/bin/sh -efu
- # Generated by ./tests/gen_tests.sh from ./tests/gen_tests.in (bpf -a20 ); do not edit.
- . "${srcdir=.}/init.sh"
-+skip_ "Test doesn't work atm"
- run_strace_match_diff -a20
diff --git a/meta/recipes-devtools/strace/strace_6.19.bb b/meta/recipes-devtools/strace/strace_6.19.bb
index 7b8d4851fb5..39c9b8cd451 100644
--- a/meta/recipes-devtools/strace/strace_6.19.bb
+++ b/meta/recipes-devtools/strace/strace_6.19.bb
@@ -12,7 +12,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/strace-${PV}.tar.xz \
file://ptest-spacesave.patch \
file://0001-strace-fix-reproducibilty-issues.patch \
file://skip-load.patch \
- file://skip-bpf.patch \
file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch \
file://0002-tests-Replace-off64_t-with-off_t.patch \
file://0001-m4-Backport-ax_prog_cc_for_build.m4-macros.patch \
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 43/55] devtool: provide explicit error for missing "script" command
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (41 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 42/55] strace: remove skip-bpf.patch Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 44/55] sstate: Reduce native sysroot execution race potential Yoann Congal
` (12 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Walter Werner Schneider <contact@schnwalter.eu>
Without this "script" command, the "devtool build" provides a very
ambigous error: `/bin/sh: line 1: script: command not found`. With this
patch we provide a more detailed error.
On Fedora 43 the "script" command is not present by default, one needs
to install the "util-linux-script" package. On other systems it's in a
different package.
Signed-off-by: Walter Werner Schneider <contact@schnwalter.eu>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit e9103c0ed24b0f3a50b878c626879748d8260ad0)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
scripts/lib/devtool/__init__.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/lib/devtool/__init__.py b/scripts/lib/devtool/__init__.py
index f47f57c465d..58b02eb4604 100644
--- a/scripts/lib/devtool/__init__.py
+++ b/scripts/lib/devtool/__init__.py
@@ -42,6 +42,9 @@ def exec_build_env_command(init_path, builddir, cmd, watch=False, **options):
init_prefix = ''
if watch:
if sys.stdout.isatty():
+ import shutil
+ if not shutil.which('script'):
+ raise DevtoolError('The util-linux "script" command was not found')
# Fool bitbake into thinking it's outputting to a terminal (because it is, indirectly)
cmd = 'script -e -q -c "%s" /dev/null' % cmd
return exec_watch('%s%s' % (init_prefix, cmd), **options)
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 44/55] sstate: Reduce native sysroot execution race potential
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (42 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 43/55] devtool: provide explicit error for missing "script" command Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 45/55] tcl: disable the timer tests in run-ptest Yoann Congal
` (11 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Whilst this doesn't remove all possible issues, removing files in /bin/
directories, then removing support files (like shared libraries) does
reduce the potential for weird failures if the system calls things like
python3.
[YOCTO #16323]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d595615c6a027b80d6f7ea80ab25e85e97b2436f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes-global/sstate.bbclass | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/classes-global/sstate.bbclass b/meta/classes-global/sstate.bbclass
index 904a4148ddb..4ac63823351 100644
--- a/meta/classes-global/sstate.bbclass
+++ b/meta/classes-global/sstate.bbclass
@@ -474,6 +474,10 @@ def sstate_clean_manifest(manifest, d, canrace=False, prefix=None):
with open(manifest) as mfile:
entries = mfile.readlines()
+ # Remove binaries first, then all the other files, just in case somehow something
+ # is trying to execute something in a sysroot (e.g. python3 from PATH).
+ entries.sort(key=lambda d: '/bin/' not in d)
+
for entry in entries:
entry = entry.strip()
if prefix and not entry.startswith("/"):
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 45/55] tcl: disable the timer tests in run-ptest
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (43 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 44/55] sstate: Reduce native sysroot execution race potential Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 46/55] libjitterentropy: fix license statement Yoann Congal
` (10 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
We've seen the timer tests fail on the autobuilder, presumably because
any tests that are exercising the timers will be unstable on a loaded
system.
[ YOCTO #16324 ]
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 73bdad5ed6906edb92f96baa70adc772f9dc18de)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/tcltk/tcl/run-ptest | 2 ++
meta/recipes-devtools/tcltk8/tcl8/run-ptest | 2 ++
2 files changed, 4 insertions(+)
diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest b/meta/recipes-devtools/tcltk/tcl/run-ptest
index 46f6cdca333..c01a7a1da28 100644
--- a/meta/recipes-devtools/tcltk/tcl/run-ptest
+++ b/meta/recipes-devtools/tcltk/tcl/run-ptest
@@ -34,6 +34,8 @@ SKIP="$SKIP http11-\*"
SKIP="$SKIP httpProxy-\*"
# These tests appear to be load-sensitive (16214)
SKIP="$SKIP mutex-condition-\*"
+# Timer-related tests are going to be fragile (16324)
+SKIP="$SKIP timer-\*"
# Run all tests in tests/*.test unless tests are specified as arguments
TESTS=${*:-tests/*.test}
diff --git a/meta/recipes-devtools/tcltk8/tcl8/run-ptest b/meta/recipes-devtools/tcltk8/tcl8/run-ptest
index 86b74a4177d..f4d0e90c0f0 100644
--- a/meta/recipes-devtools/tcltk8/tcl8/run-ptest
+++ b/meta/recipes-devtools/tcltk8/tcl8/run-ptest
@@ -32,6 +32,8 @@ SKIP="$SKIP socket-\* socket_inet\* socket_inet6\*"
SKIP="$SKIP http11-\*"
# tries to access google.com
SKIP="$SKIP httpProxy-\*"
+# Timer-related tests are going to be fragile (16324)
+SKIP="$SKIP timer-\*"
# Run all tests in tests/*.test unless tests are specified as arguments
TESTS=${*:-tests/*.test}
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 46/55] libjitterentropy: fix license statement
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (44 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 45/55] tcl: disable the timer tests in run-ptest Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 47/55] ptest-packagelists.inc: disable glib-2.0 for RISCV64 Yoann Congal
` (9 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
LICENSE clearly states the alternative to BSD is GPL-2.0-only:
ALTERNATIVELY, this product may be distributed under the terms of the
GNU General Public License, in which case the provisions of the GPL2
are required INSTEAD OF the above restrictions.
Use GPL-2.0-only, and reorder to match.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ce53ab57a6c0fd48759f5a8def5467cbcb0c729)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../recipes-support/libjitterentropy/libjitterentropy_3.6.3.bb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/recipes-support/libjitterentropy/libjitterentropy_3.6.3.bb b/meta/recipes-support/libjitterentropy/libjitterentropy_3.6.3.bb
index 7890dfa5c70..36721d201c4 100644
--- a/meta/recipes-support/libjitterentropy/libjitterentropy_3.6.3.bb
+++ b/meta/recipes-support/libjitterentropy/libjitterentropy_3.6.3.bb
@@ -4,7 +4,7 @@ It does not depend on any system resource other than a high-resolution time \
stamp. It is a small-scale, yet fast entropy source that is viable in almost \
all environments and on a lot of CPU architectures."
HOMEPAGE = "http://www.chronox.de/jent.html"
-LICENSE = "GPL-2.0-or-later | BSD-3-Clause"
+LICENSE = "BSD-3-Clause | GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e01027c4ad1fe5a4768f8488c945d491 \
file://LICENSE.gplv2;md5=eb723b61539feef013de476e68b5c50a \
file://LICENSE.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \
@@ -23,4 +23,3 @@ do_install () {
LIBDIR="${baselib}" \
INSTALL_STRIP="install"
}
-
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 47/55] ptest-packagelists.inc: disable glib-2.0 for RISCV64
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (45 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 46/55] libjitterentropy: fix license statement Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 48/55] nospdx: also drop do_create_recipe_sbom Yoann Congal
` (8 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: João Marcos Costa <joaomarcos.costa@bootlin.com>
Timeouts and other intermittent failures have been observed in the
autobuilder, and they are tracked in different entries at Bugzilla:
- https://bugzilla.yoctoproject.org/show_bug.cgi?id=15891
- https://bugzilla.yoctoproject.org/show_bug.cgi?id=16230
They also happen when musl is enabled, but not only.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5b718f4c044147dfa0742caacbc20133ead53f10)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/conf/distro/include/ptest-packagelists.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc
index 11a894accf2..a2c5c0477a4 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -154,8 +154,8 @@ PTESTS_PROBLEMS:append:riscv32 = " lttng-tools strace"
PTESTS_SLOW:append:libc-musl = " libc-test"
# These tests don't yet pass for riscv64
-PTESTS_SLOW:remove:riscv64 = "tcl tcl8 python3-cffi strace lttng-tools python3-numpy perl"
-PTESTS_PROBLEMS:append:riscv64 = " tcl tcl8 python3-cffi strace lttng-tools python3-numpy perl"
+PTESTS_SLOW:remove:riscv64 = "tcl tcl8 python3-cffi strace lttng-tools python3-numpy perl glib-2.0"
+PTESTS_PROBLEMS:append:riscv64 = " tcl tcl8 python3-cffi strace lttng-tools python3-numpy perl glib-2.0"
# These tests don't yet pass for musl qemuarm64
PTESTS_SLOW:remove:libc-musl:qemuarm64 = "strace perl gnutls glib-2.0"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 48/55] nospdx: also drop do_create_recipe_sbom
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (46 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 47/55] ptest-packagelists.inc: disable glib-2.0 for RISCV64 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 49/55] dmidecode: fix x86-only tools being installed on ARM targets Yoann Congal
` (7 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Hiago De Franco <hfranco@baylibre.com>
create-spdx-3.0 adds do_create_recipe_sbom, which assembles the recipe
SBOM from the SPDX document produced by do_create_recipe_spdx.
nospdx deletes do_create_recipe_spdx but leaves do_create_recipe_sbom
in, so on a recipe that inherits nospdx it has no SPDX document to read
and, if executed, fails with:
ERROR: meta-world-pkgdata-1.0-r0 do_create_recipe_sbom: Could not find
a static SPDX document named static-meta-world-pkgdata
do_create_recipe_sbom is reachable via sbom-cve-check-recipe.bbclass or
explicit "bitbake -c create_recipe_sbom". In those cases nospdx recipes
such as meta-world-pkgdata break. Delete it alongside the other recipe
SPDX task.
Signed-off-by: Hiago De Franco <hfranco@baylibre.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4478086b7b13ec365dfb4b2335fb35013e8ceea0)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes-recipe/nospdx.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes-recipe/nospdx.bbclass b/meta/classes-recipe/nospdx.bbclass
index 7c99fcd1ec5..925dc7c5b7a 100644
--- a/meta/classes-recipe/nospdx.bbclass
+++ b/meta/classes-recipe/nospdx.bbclass
@@ -5,6 +5,7 @@
#
deltask do_create_recipe_spdx
+deltask do_create_recipe_sbom
deltask do_create_spdx
deltask do_create_spdx_runtime
deltask do_create_package_spdx
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 49/55] dmidecode: fix x86-only tools being installed on ARM targets
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (47 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 48/55] nospdx: also drop do_create_recipe_sbom Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 50/55] qemuboot.bbclass: add missing task dependency on kernel deploy Yoann Congal
` (6 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Wei Gao <wei.gao@windriver.com>
The dmidecode Makefile uses $(shell uname -m) to detect architecture, which
returns the build host's arch (x86_64) during cross-compilation. This causes
x86-only utilities (biosdecode, vpddecode, ownership) to be incorrectly built
and installed on ARM targets.
On NVIDIA Tegra234, running biosdecode triggers a flood of CBB fabric
DECODE_ERR interrupts (23,568+ printk messages dropped) by scanning
non-existent x86 BIOS memory at 0xF0000-0xFFFFF.
Fix by passing TARGET_ARCH to the Makefile's MACHINE variable, so it correctly
detects the target architecture and skips x86-only tools on ARM builds.
Signed-off-by: Wei Gao <wei.gao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 06a28d3a0a83551e0a75441ad2477ad7d2be98f1)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/dmidecode/dmidecode_3.7.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.7.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.7.bb
index 93c3678d9a1..5c70765051d 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.7.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.7.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz"
COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"
+EXTRA_OEMAKE += "MACHINE=${TARGET_ARCH}"
do_install() {
oe_runmake \
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 50/55] qemuboot.bbclass: add missing task dependency on kernel deploy
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (48 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 49/55] dmidecode: fix x86-only tools being installed on ARM targets Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 51/55] baremetal-helloworld: Fix override order Yoann Congal
` (5 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Siva Balasubramanian <sivakumar.bs@gmail.com>
do_write_qemuboot_conf had no dependency on the kernel deploy task,
so if the kernel was rebuilt without invalidating the rootfs sstate,
the task was skipped and .qemuboot.conf was left stale while new
image artifacts were deployed with a new timestamp suffix.
Add do_write_qemuboot_conf[depends] on KERNEL_DEPLOY_DEPEND using a
Python inline expression that skips the dependency when
INITRAMFS_IMAGE_BUNDLE=1. When the initramfs is bundled into the
kernel, linux-yocto:do_deploy depends on the initramfs image
completing first, so an unconditional kernel deploy dependency on
do_write_qemuboot_conf would create a circular dependency.
KERNEL_DEPLOY_DEPEND is defined with ?= in image.bbclass and is
already used by do_build[depends] for the same reason.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14520
Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ed97056104ed2b97a687f956b49be7241862be53)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes-recipe/qemuboot.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes-recipe/qemuboot.bbclass b/meta/classes-recipe/qemuboot.bbclass
index 56106b19581..d1794c7899d 100644
--- a/meta/classes-recipe/qemuboot.bbclass
+++ b/meta/classes-recipe/qemuboot.bbclass
@@ -128,6 +128,7 @@ inherit image-artifact-names
# Create qemuboot.conf
addtask do_write_qemuboot_conf after do_rootfs before do_image
+do_write_qemuboot_conf[depends] += "${@ '' if bb.utils.to_boolean(d.getVar('INITRAMFS_IMAGE_BUNDLE')) else (d.getVar('KERNEL_DEPLOY_DEPEND') or '')}"
def qemuboot_vars(d):
build_vars = ['MACHINE', 'TUNE_ARCH', 'DEPLOY_DIR_IMAGE',
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 51/55] baremetal-helloworld: Fix override order
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (49 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 50/55] qemuboot.bbclass: add missing task dependency on kernel deploy Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 52/55] bc: set CVE_PRODUCT Yoann Congal
` (4 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
In current state it does not work as intended.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a02059069443cfe0dc5860eae4aebba68b9a4ec4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../baremetal-example/baremetal-helloworld_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb b/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb
index 43077160697..5af09d4a8f5 100644
--- a/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb
+++ b/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb
@@ -22,7 +22,7 @@ IMAGE_NAME_SUFFIX ?= ""
inherit baremetal-image
# startup code for x86 uses NASM syntax
-DEPENDS:qemux86:append = " nasm-native"
+DEPENDS:append:qemux86 = " nasm-native"
# These parameters are app specific for this example
# This will be translated automatically to the architecture and
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 52/55] bc: set CVE_PRODUCT
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (50 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 51/55] baremetal-helloworld: Fix override order Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 53/55] libxml2: patch CVE-2026-11979 Yoann Congal
` (3 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Daniel Turull <daniel.turull@ericsson.com>
Set vendor to gnu similar as other tools from gnu
to have clear naming for registering into vulnerability management tools
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ecf869558f7bd22a12281157bda432892e4362d0)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/bc/bc_1.08.2.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-extended/bc/bc_1.08.2.bb b/meta/recipes-extended/bc/bc_1.08.2.bb
index cebfed9642b..933329caa64 100644
--- a/meta/recipes-extended/bc/bc_1.08.2.bb
+++ b/meta/recipes-extended/bc/bc_1.08.2.bb
@@ -10,6 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
file://lib/number.c;endline=20;md5=cf43068cc88f837731dc53240456cfaf"
SECTION = "base"
+
+CVE_PRODUCT = "gnu:bc"
+
DEPENDS = "flex-native"
SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 53/55] libxml2: patch CVE-2026-11979
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (51 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 52/55] bc: set CVE_PRODUCT Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 54/55] dropbear: Add missing WTFPL & Unlicense in LICENSE and LIC_FILES_CHKSUM Yoann Congal
` (2 subsequent siblings)
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Anton Skorup <anton@skorup.se>
Pick patch from [1] linked from [2].
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e
[2] https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3dd117b14be1b7c257df15c383ea33be481511ec)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libxml/libxml2/CVE-2026-11979.patch | 81 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.15.2.bb | 1 +
2 files changed, 82 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
new file mode 100644
index 00000000000..a14e566681e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
@@ -0,0 +1,81 @@
+From dfad0660f7dab3b5f8317b703b16ad0b0d12697d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 22 May 2026 12:21:20 +0200
+Subject: [PATCH] xmlcatalog: overflow check for large --shell commands
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124
+
+CVE: CVE-2026-11979
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e]
+---
+ test/catalogs/test.sh | 11 +++++++++++
+ xmlcatalog.c | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh
+index 7e5eaa76..84e8b90a 100755
+--- a/test/catalogs/test.sh
++++ b/test/catalogs/test.sh
+@@ -10,6 +10,17 @@ fi
+
+ exitcode=0
+
++# Test xmlcatalog --shell command line
++# Case 1: Really long argument (470 chars)
++input=""; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 2: public + long argument
++input="public "; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 3: public + lots of args
++input="public "; for i in {1..80}; do input="${input} x"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++
+ for i in test/catalogs/*.script ; do
+ name=$(basename $i .script)
+ xml="./test/catalogs/$name.xml"
+diff --git a/xmlcatalog.c b/xmlcatalog.c
+index b400c7cb..5113e930 100644
+--- a/xmlcatalog.c
++++ b/xmlcatalog.c
+@@ -135,6 +135,12 @@ static void usershell(void) {
+ (*cur != '\n') && (*cur != '\r')) {
+ if (*cur == 0)
+ break;
++ /* Do not read beyond the command array capacity */
++ if (i >= (int)sizeof(command) - 2) {
++ printf("Invalid command %s\n", cur);
++ i = 0;
++ break;
++ }
+ command[i++] = *cur++;
+ }
+ command[i] = 0;
+@@ -152,6 +158,11 @@ static void usershell(void) {
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ if (*cur == 0)
+ break;
++ if (i >= (int)sizeof(arg) - 2) {
++ printf("Invalid arg %s\n", arg);
++ i = 0;
++ break;
++ }
+ arg[i++] = *cur++;
+ }
+ arg[i] = 0;
+@@ -164,6 +175,11 @@ static void usershell(void) {
+ cur = arg;
+ memset(argv, 0, sizeof(argv));
+ while (*cur != 0) {
++ if (i >= (int)sizeof(argv) / (int)sizeof(char*)) {
++ printf("Too much arguments\n");
++ break;
++ }
++
+ while ((*cur == ' ') || (*cur == '\t')) cur++;
+ if (*cur == '\'') {
+ cur++;
+--
+2.43.0
+
diff --git a/meta/recipes-core/libxml/libxml2_2.15.2.bb b/meta/recipes-core/libxml/libxml2_2.15.2.bb
index 99560f4b243..9181949ea54 100644
--- a/meta/recipes-core/libxml/libxml2_2.15.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.15.2.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
file://run-ptest \
file://install-tests.patch \
file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
+ file://CVE-2026-11979.patch \
"
SRC_URI[archive.sha256sum] = "c8b9bc81f8b590c33af8cc6c336dbff2f53409973588a351c95f1c621b13d09d"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 54/55] dropbear: Add missing WTFPL & Unlicense in LICENSE and LIC_FILES_CHKSUM
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (52 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 53/55] libxml2: patch CVE-2026-11979 Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-05 22:41 ` [OE-core][wrynose 55/55] clang/llvm: Upgrade to 22.1.8 release Yoann Congal
2026-07-06 8:42 ` [OE-core][wrynose 00/55] Patch review Yoann Congal
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Yoann Congal <yoann.congal@smile.fr>
Vendored libtomcrypt and libtommath are respectively WTFPL and
Unlicense: update LICENSE to reflect that and include vendored LICENSE
files in LIC_FILES_CHKSUM to detect changes.
Note: libtomcrypt/LICENSE also specify "Public domain" but that is not a
real licence, so choose the alternative: WTFPL.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 06d3dbfcb12dc030a068fb658153d9e4679dd05f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/dropbear/dropbear_2025.89.bb | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/dropbear/dropbear_2025.89.bb b/meta/recipes-core/dropbear/dropbear_2025.89.bb
index ece065265ff..685ecf9a1b3 100644
--- a/meta/recipes-core/dropbear/dropbear_2025.89.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.89.bb
@@ -6,8 +6,12 @@ SECTION = "console/network"
# some files are from other projects and have others license terms:
# public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
# The 'public-domain' file is headered as MIT
-LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f"
+LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & WTFPL & Unlicense"
+LIC_FILES_CHKSUM = " \
+ file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
+ file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
+ file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
+"
DEPENDS = "zlib virtual/crypt"
RPROVIDES:${PN} = "ssh sshd"
^ permalink raw reply related [flat|nested] 57+ messages in thread* [OE-core][wrynose 55/55] clang/llvm: Upgrade to 22.1.8 release
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (53 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 54/55] dropbear: Add missing WTFPL & Unlicense in LICENSE and LIC_FILES_CHKSUM Yoann Congal
@ 2026-07-05 22:41 ` Yoann Congal
2026-07-06 8:42 ` [OE-core][wrynose 00/55] Patch review Yoann Congal
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-05 22:41 UTC (permalink / raw)
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
https://discourse.llvm.org/t/llvm-22-1-8-released/91084
Brings following fixes:
ca7933e47d3a [libc++] Disable mistakenly enabled `optional<T&>` constructors for `optional<T>` (#194446)
208ef916cf20 [WebAssembly] narrow instructions use signed saturation (#201798)
e80beda6e255 [VPlan] Account for any-of costs in legacy cost model
3397c37d5d31 Inline stack probes immediately after `allocateStack` in `eliminateCallFramePseudoInstr` (#195456)
1f5aee55a3fc [DAG] Narrow vselect mask to vXi1 in foldToMaskedStore (#201609)
070e505ce21d [LLD][ELF] Add missing initialization of Symbol `used` member.
761b9134dd9b [BPF] treat compiler fence as codegen no-op (#196734)
724301d98c6e Fix "Cannot select" crash on bitcast between f64 and int vector types (#201509)
60c18c6aeaed [CMake][Release] Use llvm-bitcode-strip on Darwin for build with -ffat-lto-objects (#200764)
b65aa9b5ea8d [Clang] Profile the NNS of UnresolvedUsingType and CXXThisType correctly in concept hashing (#199617)
b4fe3880d09b Bump version to 22.1.8
a255c1ed36a1 (tag: llvmorg-22.1.7) [WebAssembly] Avoid crash in LateEHPrepare with empty cleanup pads (#200322)
a2b779045093 [SystemZ] Fix off-by-one error in backend (#200141)
2615295c15ba [libc++] Fix multi{map,set}::extract not returning the first matching element (#199703)
a760d7c07024 [LLD] [COFF] Fix handling of immediates in ARM64_SECREL_HIGH12A (#200060)
294ae8d1e62a [PowerPC] Drop invalid range metadata when lowering i64 load to fp in INT_TO_FP (#198705)
6db0725886bb [X86] lowerV64I8Shuffle - avoid lowerShuffleAsRepeatedMaskAndLanePermute call on VBMI targets (#183109)
c43c9b426055 [X86] lowerV64I8Shuffle - prefer VPERMV3 byte shuffles to OR(PSHUFB,PSHUFB) on VBMI targets (#182852)
6ac68778a76e [X86] Add test coverage for #137422 (#182832)
ad9524f38657 [PowerPC] Fix i128 vcmpequb optimization for loads with range metadata and small constants (#196801)
48967cc1a0d4 build: adjust LLDB and clang library naming on Windows (#185084)
8798085803f1 [libc] Demote compiler check error to a warning (#198033)
6e5effc4990b [LoongArch] Revert "Add patterns to support vector type average instructions generation" (#198306)
4d5dffb59420 [ELF] Initialize Symbol fields in the constructor instead of via memset (#198129)
823afe046164 Reland [C++20] [Modules] Don't profiling the callee of CXXFoldExpr (#190732) (#195983)
e624f1204282 [CoroSplit] Never collect allocas used by catchpad into frame (#186728)
81c69e140401 Bump version to 22.1.7
fc4aad7b5db3 (tag: llvmorg-22.1.6) [Clang][Coroutines] Don't emit fake uses for coroutine parameters (#194690)
5fb52fc3fda6 [Coverage] Fix assertion failure when a -isystem header invokes a user macro (#195427)
fd10d8f31077 [DAGTypeLegalizer] Add missing BR_CC handler for soft-promoted half operands (#196214)
c0262e742787 [SystemZ] Fix internal error with single-element vector types (#196127)
cbb1eb533ded [lldb-dap] Fix crash in source request handler (#195847)
897d3e2b2a63 [lldb][windows] fix cross DLL file descriptor lookup crash (#195855)
60e3203b2e90 Bump version to 22.1.6
5ea218a153f4 (tag: llvmorg-22.1.5) [CMake] Add multi-target cross to ARM/AArch64 Linux toolchain CMake cache file. (#179598)
7237429c2edc [AArch64] Fix `shufflevector` miscompilation on `aarch64_be` (#193076)
5e29d8aa0481 Prevent undefined behavior caused by combination of branch and load delay slots on MIPS1 (#185427)
c61be37fe844 [clang][CodeView] Prevent the input name from appearing in LF_BUILDINFO (#194140)
a4aca5a91cc3 [libunwind] fix build errors on x32 and mips n32 (#194310)
57370e18b8a9 [Coverage] Fix quadratic propagation in RawCoverageMappingReader (#194996)
932756ad6c64 [X86][FastISel] Restore support for struct returns (#194586)
19f65f31105c [LLD][ELF] Fix performance regression when using linker scripts (#194668)
5c9647b8e680 release/22.x: [WebAssembly] Fix EHPadStack calculation in fixCallUnwindMismatches (#194184)
f3ce7a7db0dc [clang] fix crash with c-style casts involving dependent member-pointer types (#194696)
692d49bdb7ad [clang-tidy] Add note about removal of `hicpp` module
ca0698598261 [SystemZ] Enable -fpatchable-function-entry=M,N (#178191)
0d37e79da8db [X86] lowerV4F32Shuffle - don't use INSERTPS if SHUFPS will suffice (#186468)
9b722024f1be [compiler-rt][sanitizer] Remove linux/scc.h (#194116)
7bf7d99b794d [NFC][AArch64] Allocate AArch64Subtarget on the heap instead of stack (#176488)
98348c38cf17 [C++20] [Modules] Add VisiblePromoted module ownership kind (#189903)
a9fb4799dcad [clang] NFC: Add test case for #178324 and mark it as fixed (#190490)
f131d162201b [clang] fix error: cannot compile this l-value expression yet (#187755)
20fd94cf9314 [SLP] Fix a very long loads offset, being stored in DenseMap
267ce6017a57 [lldb] Add EXPORT to lldb-tblgen (#192610)
c4b74e87ca35 Bump version to 22.1.5
35990504507d (tag: llvmorg-22.1.4) [Hexagon] Add missing MIRParser link dependency (#191010)
22ad4d688a72 [Hexagon][MIR] Serialize HexagonMachineFunctionInfo::StackAlignBaseReg to MIR (#190003)
a1a9924414aa [Hexagon] Add AP register to liveins when used for frame index access (#188942)
7eb182991920 [Hexagon] Fix use-before-def of AP register in prologue CSR spills (#188504)
74049f6e3a70 [VectorCombine] Fix transitive Uses in foldShuffleToIdentity (#188989)
a01a45066dae [NFC][test] Precommit test for pr188989 (#188667)
9f29c1e3fd8a [X86] Fix missing ByValTemporaries update in CopyViaTemp path for musttail calls (#190540)
d46116b2e464 Suppress octal literal diagnostics from system macros (#192481)
a5564a033004 [OpenMP][OMPT] Revert `control_tool.c` changes from #191429 (#192069)
3f9b9936be95 [OpenMP][OMPT] Fix `omp_control_tool` before any directive (#191429)
d1c9116f8442 [clang-format] Correctly annotate binary stars in braced init lists (#186732)
99031a474bb1 release/22.x: [Clang] Track constraint's SubstIndex only if it contains outer parameter packs
5a1590c14433 [ClangLinkerWrapper] Fix `-v` for newer CMake passing it directly (#188883)
c8e984d27b27 [X86] Fix VPMOVPattern folding for extended registers (#191760)
07c19c303387 [compiler-rt] [Darwin] Move macOS ASAN reservation above 512G (#191039)
fa56327584fe [22.x][LoongArch] Revert musttail/byval/sret Changes
10be0a255205 [clang] Allow -Wno-error=X to downgrade -pedantic-errors diagnostics to warnings (#184756)
c2aea991dba1 [Hexagon] Fix O(N^2) compile-time regression in HexagonOptAddrMode (#189531)
f444cca96bd5 [AArch64][SME] Preserve ZA in agnostic ZA functions without +sme (#190141)
5d161731998c MIPS/expandAtomicBinOp: Remove tailing kill dead register operands (#186055)
def143a6c624 [clang] fix getReplacedTemplateParameter for function template specializations (#189559)
5b4dd04594bd [pdb] Fix public symbol hashing in GSIHashStreamBuilder::finalizeBuckets (#190133)
f42d371a5d72 [WebAssembly] Fix: fixCallUnwindMismatches after fixCatchUnwindMismatches (#187484)
e9a36c0cca40 [CodeGen] Preserve big-endian trunc in concat_vectors (#190701)
53c41b3a599f [PowerPC] Optimize bitcast(truncate) patterns using vbpermq (#181233)
ab2f55b13bcb [LLD] [COFF] Fix crashes for conflicting exports with -export-all-symbols (#190492)
f0593ab291c7 Bump version to 22.1.4
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/conf/distro/include/maintainers.inc | 2 +-
meta/recipes-devtools/clang/common-clang.inc | 2 +-
meta/recipes-devtools/clang/common.inc | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 99242af484a..7499f7ab95a 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -483,7 +483,7 @@ RECIPE_MAINTAINER:pn-linux-yocto-tiny = "Bruce Ashfield <bruce.ashfield@gmail.co
RECIPE_MAINTAINER:pn-lld = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER:pn-lldb = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER:pn-llvm = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-llvm-project-source-22.1.3 = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-llvm-project-source-22.1.8 = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER:pn-llvm-tblgen-native = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER:pn-log4cplus = "Unassigned <unassigned@yoctoproject.org>"
RECIPE_MAINTAINER:pn-logrotate = "Yi Zhao <yi.zhao@windriver.com>"
diff --git a/meta/recipes-devtools/clang/common-clang.inc b/meta/recipes-devtools/clang/common-clang.inc
index 1b8909eeb58..ed628008e06 100644
--- a/meta/recipes-devtools/clang/common-clang.inc
+++ b/meta/recipes-devtools/clang/common-clang.inc
@@ -5,7 +5,7 @@ LLVM_HTTP ?= "https://github.com/llvm"
MAJOR_VER = "22"
MINOR_VER = "1"
-PATCH_VER = "3"
+PATCH_VER = "8"
# could be 'rcX' or 'git' or empty ( for release )
VER_SUFFIX = ""
diff --git a/meta/recipes-devtools/clang/common.inc b/meta/recipes-devtools/clang/common.inc
index 9d45898c685..441ea099a9e 100644
--- a/meta/recipes-devtools/clang/common.inc
+++ b/meta/recipes-devtools/clang/common.inc
@@ -17,7 +17,7 @@ BASEURI ?= "${LLVM_HTTP}/llvm-project/releases/download/llvmorg-${PV}${VER_SUFFI
UPSTREAM_CHECK_URI = "${LLVM_HTTP}/llvm-project/releases/"
UPSTREAM_CHECK_REGEX = "releases/tag/llvmorg-?(?P<pver>\d+(\.\d+)+)"
SOURCEDIR ?= "llvm-project-${PV}${VER_SUFFIX}.src"
-SRC_URI[sha256sum] = "2488c33a959eafba1c44f253e5bbe7ac958eb53fa626298a3a5f4b87373767cd"
+SRC_URI[sha256sum] = "922f1817a0df7b1489272d18134ee0087a8b068828f87ac63b9861b1a9965888"
SRC_URI = "\
${BASEURI} \
^ permalink raw reply related [flat|nested] 57+ messages in thread* Re: [OE-core][wrynose 00/55] Patch review
2026-07-05 22:40 [OE-core][wrynose 00/55] Patch review Yoann Congal
` (54 preceding siblings ...)
2026-07-05 22:41 ` [OE-core][wrynose 55/55] clang/llvm: Upgrade to 22.1.8 release Yoann Congal
@ 2026-07-06 8:42 ` Yoann Congal
55 siblings, 0 replies; 57+ messages in thread
From: Yoann Congal @ 2026-07-06 8:42 UTC (permalink / raw)
To: Yoann Congal, openembedded-core
On Mon Jul 6, 2026 at 12:40 AM CEST, Yoann Congal wrote:
> Please review this set of changes for wrynose and have comments back by
> end of day Tuesday, July 7. Since this is a relatively big series, if
> you plan to review it but need more time to do so, ping me and I'll
> delay the pull-request.
>
> Notable changes:
> * kernel upgrade -> v6.18.35 cherry-picked from master
> * clang/llvm upgrade -> 22.1.18 (following master)
> * Licensing fixes
>
> A previous version of the series, with 4 more patches that I removed and
> should not change test outcome, passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/4151
> * oe-selftest-armhost failed with Bug 16236 - AB-INT: test_list_pkg_files: ResourceWarning: unclosed transport
> retried as https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/4280
>
> I've started a new build with this version of the series:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/4156
That build failed in qemuarm64 with 16295 – AB-INT: go-runtime: do_create_package_spdx: No SPDX document named .../package-go-runtime-staticdev.spdx.json
rebuilt in https://autobuilder.yoctoproject.org/valkyrie/?#/builders/36/builds/4073
Also, I've replaced the bluez5 patches with their respective
cherry-picks from master (no code change, only signed-off-by changes)
Regards,
>
> The following changes since commit 5d1aa5c806c061a2994f4decb59016610f093213:
>
> build-appliance-image: Update to wrynose head revisions (2026-06-24 14:17:46 +0100)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib stable/wrynose-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/wrynose-nut
>
> for you to fetch changes up to 728e70d7c681402d8e797691825bfd9929aa79cb:
>
> clang/llvm: Upgrade to 22.1.8 release (2026-07-06 00:04:52 +0200)
>
> ----------------------------------------------------------------
>
> Alexander Kanavin (1):
> strace: remove skip-bpf.patch
>
> Anil Dongare (4):
> cargo: Fix CVE-2026-5222
> cargo: Fix CVE-2026-5223
> cups: fix CVE-2026-27447
> cups: fix CVE-2026-41079
>
> Anton Skorup (1):
> libxml2: patch CVE-2026-11979
>
> Ashishkumar Parmar (3):
> qemu: Fix CVE-2026-2243
> qemu: Fix CVE-2026-0665
> qemu: Fix CVE-2025-14876
>
> Bruce Ashfield (8):
> linux-yocto/6.18: update to v6.18.25
> linux-yocto/6.18: update to v6.18.26
> linux-yocto/6.18: update to v6.18.28
> linux-yocto/6.18: update to v6.18.32
> linux-yocto/6.18: qat/intel configuration warning fixes
> linux-yocto/6.18: update to v6.18.33
> linux-yocto/6.18: update to v6.18.34
> linux-yocto/6.18: update to v6.18.35
>
> Daniel Turull (3):
> libssh2: fix CVE-2026-55200
> libssh2: fix CVE-2026-55199
> bc: set CVE_PRODUCT
>
> Deepesh Varatharajan (1):
> clang/llvm: Upgrade to 22.1.8 release
>
> Hiago De Franco (1):
> nospdx: also drop do_create_recipe_sbom
>
> Himanshu Jadon (1):
> tar: Fix CVE-2026-5704
>
> Hitendra Prajapati (2):
> vim: fix for CVE-2026-41411 & CVE-2026-44656
> vim: fix for CVE-2026-45130 & CVE-2026-46483
>
> Jaipaul Cheernam (2):
> binutils: Fix CVE-2026-6846
> cmake-native: prevent host libidn2 contamination
>
> Jinwang Li (1):
> bluez5: fix set volume failure
>
> João Marcos Costa (1):
> ptest-packagelists.inc: disable glib-2.0 for RISCV64
>
> Khem Raj (1):
> baremetal-helloworld: Fix override order
>
> Kris Gavvala (1):
> python3: skiptest tracemalloc_track_race
>
> Mengshi Wu (1):
> bluez5: fix gatt cache sync issue
>
> Nate Kent (1):
> sudo: fix pam-wheel sed for sudo 1.9.17p2 sudoers
>
> Otavio Salvador (1):
> quota: use native rpcgen and a single-word RPCGEN_CPP
>
> Peter Kjellerstedt (1):
> common-licenses/PHP-3.0: Correct the license text
>
> Richard Purdie (3):
> libxpm: upgrade 3.5.18 -> 3.5.19
> python3-click: Fixes for new pytest and flaky ptest
> sstate: Reduce native sysroot execution race potential
>
> Roland Kovacs (1):
> gnupg: fix CVE-2026-57062
>
> Ross Burton (2):
> tcl: disable the timer tests in run-ptest
> libjitterentropy: fix license statement
>
> Sai Sneha (1):
> i2c-tools: add LGPL-2.1-or-later license for libi2c
>
> Shubham Pushpkar (1):
> libsolv: Fix CVE-2026-9149
>
> Siva Balasubramanian (1):
> qemuboot.bbclass: add missing task dependency on kernel deploy
>
> Theo Gaige (Schneider Electric) (5):
> dhcpcd: patch CVE-2026-56113
> dhcpcd: patch CVE-2026-56114
> dhcpcd: patch CVE-2026-56116
> dhcpcd: patch CVE-2026-56117
> perl: patch CVE-2026-8376
>
> Walter Werner Schneider (1):
> devtool: provide explicit error for missing "script" command
>
> Wei Deng (1):
> bluez5: set L2CAP IMTU for OBEX profile listeners
>
> Wei Gao (1):
> dmidecode: fix x86-only tools being installed on ARM targets
>
> Xiaozhan Li (1):
> texinfo: add missing perl module runtime dependencies
>
> Xiuzhuo Shang (1):
> bluez5: Fix sending extra bytes with MGMT_OP_ADD_EXT_ADV_DATA
>
> Yoann Congal (1):
> dropbear: Add missing WTFPL & Unlicense in LICENSE and
> LIC_FILES_CHKSUM
>
> meta/classes-global/sstate.bbclass | 4 +
> meta/classes-recipe/nospdx.bbclass | 1 +
> meta/classes-recipe/qemuboot.bbclass | 1 +
> meta/conf/distro/include/maintainers.inc | 2 +-
> .../distro/include/ptest-packagelists.inc | 4 +-
> meta/files/common-licenses/PHP-3.0 | 76 +--
> meta/recipes-connectivity/bluez5/bluez5.inc | 4 +
> ...sending-extra-bytes-with-MGMT_OP_ADD.patch | 33 ++
> ...2CAP-IMTU-for-OBEX-profile-listeners.patch | 118 ++++
> ...x-stored-gatt-cache-DB-Hash-value-no.patch | 84 +++
> ...t-volume-failure-with-invalid-device.patch | 46 ++
> .../dhcpcd/dhcpcd_10.3.1.bb | 4 +
> .../dhcpcd/files/CVE-2026-56113.patch | 92 +++
> .../dhcpcd/files/CVE-2026-56114.patch | 34 ++
> .../dhcpcd/files/CVE-2026-56116.patch | 31 +
> .../dhcpcd/files/CVE-2026-56117.patch | 167 ++++++
> .../recipes-core/dropbear/dropbear_2025.89.bb | 8 +-
> .../libxml/libxml2/CVE-2026-11979.patch | 81 +++
> meta/recipes-core/libxml/libxml2_2.15.2.bb | 1 +
> .../meta/nativesdk-buildtools-perl-dummy.bb | 2 +
> .../binutils/binutils-2.46.inc | 1 +
> .../binutils/binutils/CVE-2026-6846.patch | 59 ++
> meta/recipes-devtools/clang/common-clang.inc | 2 +-
> meta/recipes-devtools/clang/common.inc | 2 +-
> .../cmake/cmake-native_4.3.1.bb | 1 +
> .../dmidecode/dmidecode_3.7.bb | 1 +
> .../i2c-tools/i2c-tools_4.4.bb | 5 +-
> .../perl/files/CVE-2026-8376-01.patch | 62 ++
> .../perl/files/CVE-2026-8376-02.patch | 49 ++
> meta/recipes-devtools/perl/perl_5.42.0.bb | 2 +
> ...7494c991c9197902fdf4995e11b2da3e9762.patch | 173 ++++++
> .../python/python3-click/pytest-fix.patch | 29 +
> .../python/python3-click_8.3.1.bb | 1 +
> .../recipes-devtools/python/python3_3.14.5.bb | 7 +
> meta/recipes-devtools/qemu/qemu.inc | 4 +
> .../qemu/qemu/CVE-2025-14876_p1.patch | 52 ++
> .../qemu/qemu/CVE-2025-14876_p2.patch | 56 ++
> .../qemu/qemu/CVE-2026-0665.patch | 38 ++
> .../qemu/qemu/CVE-2026-2243.patch | 45 ++
> .../rust/files/CVE-2026-5222.patch | 92 +++
> .../rust/files/CVE-2026-5223.patch | 125 ++++
> meta/recipes-devtools/rust/rust-source.inc | 2 +
> .../strace/strace/skip-bpf.patch | 25 -
> meta/recipes-devtools/strace/strace_6.19.bb | 1 -
> meta/recipes-devtools/tcltk/tcl/run-ptest | 2 +
> meta/recipes-devtools/tcltk8/tcl8/run-ptest | 2 +
> .../baremetal-helloworld_git.bb | 2 +-
> meta/recipes-extended/bc/bc_1.08.2.bb | 3 +
> meta/recipes-extended/cups/cups.inc | 4 +
> .../cups/CVE-2026-27447-regression_p1.patch | 46 ++
> .../cups/CVE-2026-27447-regression_p2.patch | 58 ++
> .../cups/cups/CVE-2026-27447.patch | 120 ++++
> .../cups/cups/CVE-2026-41079.patch | 73 +++
> .../libsolv/libsolv/CVE-2026-9149.patch | 152 +++++
> .../libsolv/libsolv_0.7.36.bb | 1 +
> meta/recipes-extended/quota/quota_4.11.bb | 6 +-
> meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 2 +-
> .../tar/tar/CVE-2026-5704-dependent_p1.patch | 484 +++++++++++++++
> .../tar/tar/CVE-2026-5704-dependent_p2.patch | 169 ++++++
> .../tar/tar/CVE-2026-5704-regression.patch | 176 ++++++
> .../tar/tar/CVE-2026-5704.patch | 556 ++++++++++++++++++
> meta/recipes-extended/tar/tar_1.35.bb | 4 +
> meta/recipes-extended/texinfo/texinfo_7.3.bb | 4 +
> .../{libxpm_3.5.18.bb => libxpm_3.5.19.bb} | 2 +-
> .../linux/linux-yocto-rt_6.18.bb | 6 +-
> .../linux/linux-yocto-tiny_6.18.bb | 6 +-
> meta/recipes-kernel/linux/linux-yocto_6.18.bb | 24 +-
> .../gnupg/gnupg/CVE-2026-57062.patch | 43 ++
> meta/recipes-support/gnupg/gnupg_2.5.17.bb | 1 +
> .../libjitterentropy_3.6.3.bb | 3 +-
> .../libssh2/libssh2/CVE-2026-55199.patch | 44 ++
> .../libssh2/libssh2/CVE-2026-55200.patch | 36 ++
> .../recipes-support/libssh2/libssh2_1.11.1.bb | 2 +
> .../vim/files/CVE-2026-41411.patch | 75 +++
> .../vim/files/CVE-2026-44656.patch | 124 ++++
> .../vim/files/CVE-2026-45130.patch | 115 ++++
> .../vim/files/CVE-2026-46483.patch | 77 +++
> meta/recipes-support/vim/vim.inc | 4 +
> scripts/lib/devtool/__init__.py | 3 +
> 79 files changed, 3938 insertions(+), 118 deletions(-)
> create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-advertising-Fix-sending-extra-bytes-with-MGMT_OP_ADD.patch
> create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-profile-Set-L2CAP-IMTU-for-OBEX-profile-listeners.patch
> create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-src-device-Fix-stored-gatt-cache-DB-Hash-value-no.patch
> create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-transport-Fix-set-volume-failure-with-invalid-device.patch
> create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
> create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
> create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56116.patch
> create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-8376-01.patch
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-8376-02.patch
> create mode 100644 meta/recipes-devtools/python/python3-click/ffcc7494c991c9197902fdf4995e11b2da3e9762.patch
> create mode 100644 meta/recipes-devtools/python/python3-click/pytest-fix.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
> create mode 100644 meta/recipes-devtools/rust/files/CVE-2026-5222.patch
> create mode 100644 meta/recipes-devtools/rust/files/CVE-2026-5223.patch
> delete mode 100644 meta/recipes-devtools/strace/strace/skip-bpf.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9149.patch
> create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p1.patch
> create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-dependent_p2.patch
> create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704-regression.patch
> create mode 100644 meta/recipes-extended/tar/tar/CVE-2026-5704.patch
> rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.18.bb => libxpm_3.5.19.bb} (88%)
> create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
> create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-55199.patch
> create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch
> create mode 100644 meta/recipes-support/vim/files/CVE-2026-41411.patch
> create mode 100644 meta/recipes-support/vim/files/CVE-2026-44656.patch
> create mode 100644 meta/recipes-support/vim/files/CVE-2026-45130.patch
> create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 57+ messages in thread