subtree updates

meta-raspberrypi: 8cffbf5e85..b601818301:
  Changqing Li (1):
        99-com.rules: fix error invalid substitution type

  Khem Raj (2):
        linux-firmware-rpidistro: Update to 20190114-1+rpt11
        bluez-firmware-rpidistro: Update to 1.2-4+rpt8

  Pierre-Jean Texier (1):
        rpi-base: make SPLASH overridable from outside

  SCVready (1):
        rpi-config: comment updated

  matt-hammond-bbc (1):
        libva: Fix for when using `userland`

poky: 1203d1f24d..05a8aad57c:
  Alejandro Enedino Hernandez Samaniego (2):
        python3: Upgrade 3.9.2 -> 3.9.4
        python3: Improve logging, syntax and update deprecated modules to create_manifest

  Alexander Kanavin (6):
        scripts/oe-debuginfod: correct several issues
        oeqa: tear down oeqa decorators if one of them raises an exception in setup
        meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the previous fix
        Revert "oeqa: Set LD_LIBRARY_PATH when executing native commands"
        diffoscope: add native libraries to LD_LIBRARY_PATH
        linux-firmware: upgrade 20210208 -> 20210315

  Anders Wallin (2):
        lttng-tools: Fix missing legacy test files
        lttng-tools: Fix path for test_python_looging

  Anthony Bagwell (1):
        systemd: upgrade 247.4 -> 247.6

  Anuj Mittal (2):
        qemu: fix CVE-2021-3392
        lsb-release: fix reproducibility failure

  Bruce Ashfield (19):
        linux-yocto/5.4: update to v5.4.109
        linux-yocto/5.10: update to v5.10.27
        linux-yocto/5.10: BSP configuration fixes
        linux-yocto/5.10: update to v5.10.29
        linux-yocto/5.4: update to v5.4.111
        linux-yocto/5.10: update to v5.10.30
        linux-yocto-rt/5.10: update to -rt34
        linux-yocto/5.4: update to v5.4.112
        linux-yocto/5.4: fix arm defconfig warnings
        linux-yocto/5.10: fix arm defconfig warnings
        linux-yocto/5.10: aufs fixes
        linux-yocto/5.10: qemuriscv32.cfg: RV32 only supports 1G physical memory
        linux-yocto/5.10: update to v5.10.32
        perf: fix python-audit RDEPENDS
        linux-yocto/5.4: update to v5.4.114
        linux-yocto/5.10: update to v5.10.34
        linux-yocto/5.4: update to v5.4.116
        linux-yocto/5.10: qemuppc32: reduce serial shutdown issues
        linux-yocto/5.4: qemuppc32: reduce serial shutdown issues

  Changqing Li (2):
        cairo: fix CVE-2020-35492
        gdk-pixbuf: fix CVE-2021-20240

  Chen Qi (5):
        busybox: fix CVE-2021-28831
        glib-2.0: fix CVE-2021-28153
        weston: fix build failure due to race condition
        rsync: fix CVE-2020-14387
        db: update CVE_PRODUCT

  Christophe Chapuis (1):
        rootfs.py: find .ko.gz and .ko.xz kernel modules as well

  Daniel Ammann (1):
        archiver: Fix typos

  Douglas Royds (2):
        Revert "externalsrc: Detect code changes in submodules"
        externalsrc: Detect code changes in submodules

  Gavin Li (1):
        kmod: do not symlink config.guess/config.sub during autoreconf

  He Zhe (1):
        linux-yocto-dev: add features/scsi/scsi-debug.scc features/gpio/mockup.scc to KERNEL_FEATURES

  Jon Mason (1):
        oeqa/runtime: space needed

  Jonas Höppner (1):
        ltp: fix empty ltp-dev package

  Jose Quaresma (1):
        ptest-runner: libgcc must be installed for pthread_cancel to work

  Joshua Watt (1):
        classes/image: Use xargs to set file timestamps

  Kai Kang (3):
        kernel-yocto.bbclass: chdir to ${WORKDIR} for do_kernel_checkout
        cmake.bbclass: remove ${B} before cmake_do_configure
        grub2.inc: remove '-O2' from CFLAGS

  Kevin Hao (3):
        modutils-initscripts: Bail out when no module is installed
        sysvinit-inittab/start_getty: Check /sys for the tty device existence
        Revert "inittab: Add getty launch on hvc0 for qemuppc64"

  Khairul Rohaizzat Jamaluddin (1):
        qemu: Fix CVE-2020-35517

  Khem Raj (6):
        ca-certificates: Fix openssl runtime cert dependencies
        systemd: Fix build on mips/musl
        go: Use dl.google.com for SRC_URI
        libjpeg-turbo: Use --reproducible option for nasm
        busybox: Fix reproducibility
        webkitgtk: Fix reproducibility in minibrowser

  Konrad Weihmann (1):
        cve-update-db-native: skip on empty cpe23Uri

  Michael Opdenacker (1):
        sanity.bbclass: mention CONNECTIVITY_CHECK_URIS in network failure message

  Mikko Rapeli (2):
        bitbake: bitbake: tests/fetch: fix test execution without .gitconfig
        bitbake: bitbake: tests/fetch: remove write protected files too

  Mingli Yu (6):
        groff: not ship /usr/bin/grap2graph
        libtool: make sure autoheader run before automake
        packagegroup-core-tools-profile: Remove valgrind for riscv32
        packagegroup-core-tools-testapps.bb: Remove kexec for riscv32
        libxshmfence: Build fixes for riscv32
        rpm: Upgrade to 4.16.1.3

  Niels Avonds (1):
        bitbake: fetch/gitsm: Fix crash when using git LFS and submodules

  Peter Budny (1):
        lib/oe/terminal: Fix tmux new-session on older tmux versions (<1.9)

  Peter Kjellerstedt (1):
        libcap: Configure Make variables correctly without a horrible hack

  Randy MacLeod (1):
        oe-time-dd-test.sh: increase timeout to 15 sec

  Reto Schneider (2):
        license_image.bbclass: Detect broken symlinks
        license_image.bbclass: Fix symlink to generic license files

  Richard Purdie (22):
        oeqa/selftest: Hardcode test assumptions about heartbeat event timings
        bitbake: runqueue: Fix deferred task issues
        pseudo: Upgrade to add trailing slashes ignore path fix
        oeqa/selftest: Ensure packages classes are set correctly for maintainers test
        sanity: Add error check for '%' in build path
        runqemu: Ensure we cleanup snapshot files after image run
        yocto-check-layer: Avoid bug when iterating and autoadding dependencies
        patchelf: Backport fix from upstream for note section overlap error
        bitbake: runqueue: Fix multiconfig deferred task sstate validity caching issue
        bitbake: runqueue: Handle deferred task rehashing in multiconfig builds
        patchelf: Fix note section alignment issues
        patchelf: Fix alignment patch
        pybootchart/draw: Avoid divide by zero error
        yocto-uninative: Update to 3.1 which includes a patchelf fix
        lib/package_manager: Use shutil.copy instead of bb.utils.copyfile for intercepts
        oeqa/qemurunner: Improve logging thread exit handling for qemu shutdown test
        oeqa/qemurunner: Fix binary vs str issue
        oeqa/qemurunner: Improve handling of run_serial for shutdown commands
        puzzles: Upstream changed to main branch for development
        poky.conf: Bump version for 3.3.1 hardknott release
        build-appliance-image: Update to hardknott head revision
        documentation: prepare for 3.3.1 release

  Romain Naour (1):
        dejagnu: needs expect at runtime

  Ross Burton (4):
        bitbake: bitbake-server: ensure server timeout is a float
        insane: clean up some more warning messages
        glslang: strip whitespace in pkgconfig file
        oe-buildenv-internal: add BitBake's library to PYTHONPATH

  Sakib Sajal (10):
        oe-time-dd-test.sh: make executable
        oe-time-dd-test.sh: provide more information from "top"
        qemu: fix CVE-2021-20181
        qemu: fix CVE-2020-29443
        qemu: fix CVE-2021-20221
        qemu: fix CVE-2021-3409
        qemu: fix CVE-2021-3416
        qemu: fix CVE-2021-20257
        qemu: fix CVE-2020-27821
        qemu: fix CVE-2021-20263

  Saul Wold (1):
        pango: re-enable ptest

  Stefan Ghinea (3):
        wpa-supplicant: fix CVE-2021-30004
        libssh2: fix build failure with option no-ecdsa
        xserver-xorg: fix CVE-2021-3472

  Trevor Gamblin (1):
        nettle: upgrade 3.7.1 -> 3.7.2

  Ulrich Ölmann (1):
        arch-armv6m.inc: fix access rights

  Vinícius Ossanes Aquino (1):
        lttng-modules: backport patches to fix build against 5.12+ kernel

  Wes Lindauer (1):
        oeqa/runtime/cases: Only disable/enable for current boot

  Yanfei Xu (1):
        parselogs: ignore floppy error on qemu-system-x86 at boot stage

  Yann Dirson (1):
        linux-firmware: include all relevant files in -bcm4356

  Yi Fan Yu (1):
        libevent: Increase ptest timing tolerance 50 ms -> 100 ms

  hongxu (1):
        deb: apply postinstall on sdk

  wangmy (4):
        mesa: upgrade 21.0.1 -> 21.0.2
        go: update SRC_URI to use https protocol
        go: upgrade 1.16.2 -> 1.16.3
        mesa: upgrade 21.0.2 -> 21.0.3

  zhengruoqin (2):
        wireless-regdb: upgrade 2020.11.20 -> 2021.04.21
        ruby: upgrade 3.0.0 -> 3.0.1

meta-openembedded: 98175fd0cc..bbe3855ec7:
  Aditya.Tayade (1):
        neon: Add ptest

  Andreas Müller (17):
        udisks2: upgrade 2.9.1 -> 2.9.2 / replace '_git' by version in recipe-name
        poppler: upgrade 21.02.0 -> 21.03.0
        xfce4-panel: upgrade 4.16.1 -> 4.16.2
        xfce4-cpugraph-plugin: upgrade 1.2.1 -> 1.2.3
        xfce4-time-out-plugin: upgrade 1.1.1 -> 1.1.2
        mousepad: upgrade 0.5.2 -> 0.5.3
        xfce4-panel-profiles: 1.0.12 -> 1.0.13
        thunar: upgrade 4.16.2 -> 4.16.4
        xfce4-taskmanager: upgrade 1.4.0 -> 1.4.2
        networkmanager-openvpn: Fix packageing
        mousepad: upgrade 0.5.3 -> 0.5.4
        xfce4-battery-plugin: upgrade 1.1.3 -> 1.1.4
        gigolo: upgrade 0.5.1 -> 0.5.2
        thunar: upgrade 4.16.4 -> 4.16.6
        poppler: upgrade 21.03.0 -> 21.04.0
        catfish: add python3-dbus to RDEPENDS
        fluidsynth: upgrade 2.1.7 -> 2.2.0

  Andrei Gherzan (6):
        python3-pep8: Fix HOMEPAGE
        python3-mccabe: Fix HOMEPAGE
        python3-ifaddr: Integrate a dependency of pysonos
        python3-pysonos: Integrate the SONOS control HomeAssistant module
        python3-aiohue: Integrate the hue control python module
        packagegroup-meta-python: Add new modules (aiohue, ifaddr, pysonos)

  Andrej Valek (1):
        jsoncpp: Upgrade to 1.9.4

  Andrew Geissler (1):
        nodejs: ppc64le machine support

  Armin Kuster (3):
        wireguard: update to v1.0.20210219 +1
        nostromo: Blacklist and exclude from world builds
        packagegroup-meta-webserver: remove nostromo from pkg grp

  Awais Belal (1):
        libnet-ssleay-perl: add rdep on perl-module-autoloader

  Bartosz Golaszewski (11):
        pystemd: satisfy runtime dependencies
        python3-pythonping: new package
        python3-wpa-supplicant: new package
        python3-txdbus: new package
        python3-wpa-supplicant: add runtime dependencies
        python3-wpa-supplicant: fix importing the cli submodule
        python3-wpa-supplicant: replace DESCRIPTION with SUMMARY
        libgpiod: update v1.6.2 -> v1.6.3
        python3-txdbus: add missing runtime dependencies
        python3-jmespath: new package
        python3-docutils: new package

  Ben Gampe (1):
        python3-h11: new package

  Carlos Rafael Giani (1):
        pipewire: Upgrade to 0.3.24

  Changqing Li (2):
        php: allow php as empty
        openldap: upgrade 2.4.57 -> 2.4.58

  Chen Qi (2):
        tigervnc: upgrade to 1.11.0
        python3-django: upgrade to 2.2.20

  Clément Péron (2):
        grpc: move grpc plugins to a new grpc-compiler package
        nodejs: 12.20.2 -> 12.21.0

  Colin McAllister (1):
        python3-gpsd-py3: Added recipe

  Daniel Wagenknecht (1):
        gnome-keyring: set file capabilities in pkg_postinst

  Denys Dmytriyenko (1):
        glmark2: also depend on wayland-protocols when wayland distro feature is on

  Devon Pringle (1):
        python3-pastedeploy: Add recipe

  Fabio Berton (1):
        python3-requests: Support idna version 3.1

  Hermes Zhang (1):
        gpsd: backport d-bus message time patch from upstream

  Hongxu Jia (1):
        debootstrap: 1.0.67 -> 1.0.123

  INC@Cisco) (2):
        bpftool: remove recipe from blacklist
        bpftool: improve reproducibility

  Jan Kaisrlik (1):
        abseil-cpp: reorder content of packages

  Joe Hershberger (1):
        strongswan: Make PACKAGECONFIG a default value

  Joshua Watt (1):
        classes: Add Android sparse image class

  Kai Kang (9):
        python3-pillow: 8.1.0 -> 8.1.2
        xfce4-cpufreq-plugin: 1.2.2 -> 1.2.5
        exo: 4.16.0 -> 4.16.1
        xfce4-netload-plugin: 1.3.2 -> 1.4.0
        xfce4-genmon-plugin: 4.1.0 -> 4.1.1
        xfce4-weather-plugin: 0.10.2 -> 0.11.0
        xfce4-systemload-plugin: 1.2.4 -> 1.3.0
        xfce4-taskmanager: 1.4.2 -> 1.5.2
        freeradius: check existence of openssl's commands in bootstrap

  Kamil Dziezyk (1):
        bats: upgrade 1.1.0 -> 1.3.0

  Kartikey Rameshbhai Parmar (1):
        fluidsynth: update SRC_URI to remove non-existing 2.1.x branch

  Khem Raj (77):
        nss: Disable Werror
        open-vm-tools: Do not use volatile qualifier
        dconf-editor: Fix build with vala 0.50.4
        libbacktrace: Add recipe
        libleak: Add recipe
        packagegroup-meta-oe: Add libleak to packagegroup-meta-oe-extended
        mongodb: Upgrade to 4.4.4
        packagegroup-meta-python: Add python3-semantic-version
        python3-grpcio: Upgrade to 1.36.1
        python3-grpcio: Fix build on mips and musl
        mpv: Link libatomic on riscv64
        glog: Link with libexecinfo on musl
        musl-nscd: Make lex syntax posix'y
        libbpf: Depend on virtual/kernel:do_shared_workdir
        waf-cross-answers: Add powerpc64le version
        python3-grpcio,python3-grpcio-tools: Disable for ppc64le
        openh264: Disable building for ppc64le
        ufs-utils: Upgrade to 1.9
        libhugetlbfs: Fix ARCH setting for ppc64 LE
        nodejs: Set correct nodejs arch for ppc64le
        libnma: Disbale vapi
        xrdp: Upgrade to 0.9.15
        ply: upgrade to latest
        ply: Disable on ppc64
        ltrace: Fix build on ppc64le/musl
        oprofile: Fix build on musl
        gperftools: Update SRCREV to point to 2.9.1 release
        mongodb: Fix cross build on ppc64le
        abseil-cpp: Fix build on musl and ppc64
        mariadb: Fix build on musl/ppc
        mongodb: Fix build on ppc64le
        breakpad: Upgrade to latest
        ssiapi: Disable for ppc64
        kexec-tools-klibc: Use SITEINFO_BITS to construct includepath
        breakpad: Exclude for ppc64
        python3-grpcio,python3-grpcio-tools: Enable build on ppc64/glibc
        breakpad: Do not fallback to android implementation for getcontext/setcontext on musl
        oprofile: Upgrade to 1.4.0 release
        vboxguestdrivers: Add __divmoddi4 builtin support
        links-x11,links: Upgrade to 2.22
        layers: Drop gatesgarth from LAYERSERIES_COMPAT
        xxhash: Remove recipe
        gsound: Use () instead of {} for makefile variable in gsound_play_VALAFLAGS
        pipewire: Package systemd unit file for pipewire-media-session
        packagegroup-meta-python: Add new package python3-pythonping
        python3-spidev: Remove recipe for 3.2
        python3-werkzeug: Clarify BSD license type
        python3-werkzeug: Delete recipe for 1.0.0
        python3-hexdump: Move cleanup_hexfile into install_append
        cryptsetup: DEPEND on renamed util-linux-libuuid
        tracker-miners: Check for commercial license to enable ffmpeg
        gnome-settings-daemon: Do not generate meson.native
        libb64: Add recipe
        sysdig: Upgrade to 0.27.1
        sysdig: Depend on system libb64
        gimp: Disable vector iconn on rv32/musl
        libcamera: Update the patch to upstreamed one
        flashrom: Add remaining RISCV support
        mpd: Check for commercial in LICENSE_FLAGS_WHITELIST
        mpv: Exclude from world if commercial is not in inclusion list
        sox: Exclude from world if commercial is not in inclusion list
        vlc: Exclude from world if commercial is not in inclusion list
        sox: Remove LICENSE_FLAGS = "commercial"
        mariadb: Fix build on newer 32bit architectures
        libmanette: Add recipe
        pidgin-sipe: Fix build with glib-2.0 >= 2.68
        gjs: Fix build with gcc11
        poppler: Backport patches to fix build with glib-2.0 2.68+ and GCC11
        opencv: Upgrade to 5.4.2
        tbb: Fix build with musl
        core-image-minimal-xfce: Use graphical.target as default
        vnstat: Disable install parallism to fix a potential install race
        open-vm-tools: Fix build with gcc 11
        nss: Re-enable -Werror
        gimp: Disable vector icon generation on mips/glibc too
        tbb: Re-introduce PE
        gimp: Disable vector icons on musl/x86

  Leon Anavi (134):
        python3-elementpath: Upgrade 2.1.4 -> 2.2.0
        python3-twisted: Upgrade 20.3.0 -> 21.2.0
        python3-ipython: Upgrade 7.20.0 -> 7.21.0
        python3-yamlloader: Upgrade 0.5.5 -> 1.0.0
        python3-astroid: Upgrade 2.5 -> 2.5.1
        python3-portion: Upgrade 2.1.4 -> 2.1.5
        python3-pandas: Upgrade 1.2.2 -> 1.2.3
        python3-ruamel-yaml: Upgrade 0.16.12 -> 0.16.13
        python3-prettytable: Upgrade 2.0.0 -> 2.1.0
        python3-huey: Upgrade 2.3.0 -> 2.3.1
        python3-pychromecast: Upgrade 8.1.0 -> 9.1.1
        python3-incremental: Upgrade 17.5.0 -> 21.3.0
        python3-waitress: Upgrade 1.4.4 -> 2.0.0
        python3-pako: Upgrade 0.3.0 -> 0.3.1
        python3-pyscaffold: Upgrade 3.3.1 -> 4.0
        python3-croniter: Upgrade 1.0.6 -> 1.0.8
        python3-prompt-toolkit: Upgrade 3.0.16 -> 3.0.17
        python3-pymisp: Upgrade 2.4.138 -> 2.4.140
        python3-jsonpatch: Upgrade 1.31 -> 1.32
        python3-jsonpointer: Upgrade 2.0 -> 2.1
        python3-configargparse: Upgrade 1.3 -> 1.4
        python3-luma-core: Upgrade 2.2.0 -> 2.3.1
        python3-pycodestyle: Upgrade 2.6.0 -> 2.7.0
        python3-bitarray: Upgrade 1.7.0 -> 1.7.1
        python3-alembic: Upgrade 1.5.5 -> 1.5.7
        python3-pyflakes: Upgrade 2.2.0 -> 2.3.0
        python3-autobahn: Upgrade 21.2.2 -> 21.3.1
        python3-pulsectl: Upgrade 21.2.0 -> 21.3.4
        python3-configparser: Upgrade 5.0.1 -> 5.0.2
        python3-defusedxml: Upgrade 0.6.0 -> 0.7.1
        python3-twine: Upgrade 3.3.0 -> 3.4.0
        python3-socketio: Upgrade 5.0.4 -> 5.1.0
        python3-soupsieve: Upgrade 2.2 -> 2.2.1
        python3-cassandra-driver: Upgrade 3.24.0 -> 3.25.0
        python3-urllib3: Upgrade 1.26.3 -> 1.26.4
        python3-bitarray: Upgrade 1.7.1 -> 1.8.0
        python3-pyscaffold: Upgrade 4.0 -> 4.0.1
        python3-flask-migrate: Upgrade 2.6.0 -> 2.7.0
        python3-grpcio-tools: Upgrade 1.35.0 -> 1.36.1
        python3-humanize: Upgrade 3.2.0 -> 3.3.0
        python3-regex: Upgrade 2020.11.13 -> 2021.3.17
        python3-twine: Upgrade 3.4.0 -> 3.4.1
        python3-isort: Upgrade 5.7.0 -> 5.8.0
        python3-sqlalchemy: Upgrade 1.3.23 -> 1.4.2
        python3-scrypt: Upgrade 0.8.6 -> 0.8.17
        python3-colorlog: Upgrade 4.7.2 -> 4.8.0
        python3-croniter: Upgrade 1.0.8 -> 1.0.9
        python3-pyperf: Upgrade 2.1.0 -> 2.2.0
        python3-lazy-object-proxy: Upgrade 1.5.2 -> 1.6.0
        python3-prompt-toolkit: Upgrade 3.0.17 -> 3.0.18
        python3-configshell-fb: Upgrade 1.1.28 -> 1.1.29
        python3-backports-functools-lru-cache: Upgrade 1.6.1 -> 1.6.3
        python3-pytest-helpers-namespace: Upgrade 2019.1.8 -> 2021.3.24
        python3-elementpath: Upgrade 2.2.0 -> 2.2.1
        python3-alembic: Upgrade 1.5.7 -> 1.5.8
        python3-rfc3339-validator: Upgrade 0.1.2 -> 0.1.3
        python3-pyflakes: Upgrade 2.3.0 -> 2.3.1
        python3-pint: Upgrade 0.16.1 -> 0.17
        python3-flask-sqlalchemy: Upgrade 2.4.4 -> 2.5.1
        python3-django: Upgrade 3.1.1 -> 3.1.7
        python3-djangorestframework: Upgrade 3.12.2 -> 3.12.3
        python3-ruamel-yaml: Upgrade 0.16.13 -> 0.17.0
        python3-bitarray: Upgrade 1.8.0 -> 1.8.1
        python3-sqlalchemy: Upgrade 1.4.2 -> 1.4.3
        python3-xmlschema: Upgrade 1.5.1 -> 1.5.3
        python3-croniter: Upgrade 1.0.9 -> 1.0.10
        python3-astroid: Upgrade 2.5.1 -> 2.5.2
        python3-pyroute2: Upgrade 0.5.14 -> 0.5.15
        python3-coverage: Upgrade 5.4 -> 5.5
        python3-gunicorn: Upgrade 20.0.4 -> 20.1.0
        python3-djangorestframework: Upgrade 3.12.3 -> 3.12.4
        python3-ipython: Upgrade 7.21.0 -> 7.22.0
        python3-openpyxl: Upgrade 3.0.6 -> 3.0.7
        python3-ruamel-yaml: Upgrade 0.17.0 -> 0.17.2
        python3-sqlalchemy: Upgrade 1.4.3 -> 1.4.4
        python3-bitarray: Upgrade 1.8.1 -> 1.8.2
        python3-httplib2: Upgrade 0.19.0 -> 0.19.1
        python3-parso: Upgrade 0.8.1 -> 0.8.2
        python3-matplotlib: Upgrade 3.3.4 -> 3.4.1
        python3-pyroute2: Upgrade 0.5.15 -> 0.5.16
        python3-h5py: Upgrade 3.1.0 -> 3.2.1
        python3-cheetah: Upgrade 3.2.6 -> 3.2.6.post1
        python3-google-api-python-client: Upgrade 2.0.2 -> 2.1.0
        python3-xlsxwriter: Upgrade 1.3.7 -> 1.3.8
        python3-pymisp: Upgrade 2.4.140 -> 2.4.141
        python3-tqdm: Upgrade 4.58.0 -> 4.59.0
        python3-contextlib2: Upgrade 0.6.0 -> 0.6.0.post1
        python3-typeguard: Upgrade 2.11.1 -> 2.12.0
        python3-decorator: Upgrade 4.4.2 -> 5.0.1
        python3-pillow: Upgrade 8.1.2 -> 8.2.0
        python3-aiohttp: Upgrade 3.7.4 -> 3.7.4.post0
        python3-networkx: Upgrade 2.5 -> 2.5.1
        python3-pysonos: Upgrade 0.0.40 -> 0.0.41
        python3-docutils: Upgrade 0.16 -> 0.17
        python3-bitarray: Upgrade 1.8.2 -> 1.9.0
        python3-regex: Upgrade 2021.3.17 -> 2021.4.4
        python3-sqlalchemy: Upgrade 1.4.4 -> 1.4.5
        python3-pychromecast: Upgrade 9.1.1 -> 9.1.2
        python3-decorator: Upgrade 5.0.1 -> 5.0.5
        python3-pymisp: Upgrade 2.4.141 -> 2.4.141.1
        python3-pyroute2: Upgrade 0.5.16 -> 0.5.17
        python3-transitions: Upgrade 0.8.7 -> 0.8.8
        python3-sqlalchemy: Upgrade 1.4.5 -> 1.4.6
        python3-bitarray: Upgrade 1.9.0 -> 1.9.1
        python3-pysonos: Upgrade 0.0.41 -> 0.0.42
        python3-django: Upgrade 3.1.7 -> 3.2
        python3-tqdm: Upgrade 4.59.0 -> 4.60.0
        python3-xmlschema: Upgrade 1.5.3 -> 1.6.0
        python3-ruamel-yaml: Upgrade 0.17.2 -> 0.17.4
        python3-croniter: Upgrade 1.0.10 -> 1.0.11
        python3-decorator: Upgrade 5.0.5 -> 5.0.6
        python3-grpcio-tools: Upgrade 1.36.1 -> 1.37.0
        python3-speedtest-cli: Upgrade 2.1.2 -> 2.1.3
        python3-python-vlc: Upgrade 3.0.11115 -> 3.0.12117
        python3-robotframework: Upgrade 4.0 -> 4.0.1
        python3-grpcio: Upgrade 1.36.1 -> 1.37.0
        python3-cerberus: Upgrade 1.3.2 -> 1.3.3
        python3-humanize: Upgrade 3.3.0 -> 3.4.0
        python3-monotonic: Upgrade 1.5 -> 1.6
        python3-sqlalchemy: Upgrade 1.4.6 -> 1.4.7
        python3-typed-ast: Upgrade 1.4.2 -> 1.4.3
        python3-backports-functools-lru-cache: Upgrade 1.6.3 -> 1.6.4
        python3-xmlschema: Upgrade 1.6.0 -> 1.6.1
        python3-pyroute2: Upgrade 0.5.17 -> 0.5.18
        python3-sympy: Upgrade 1.7.1 -> 1.8
        python3-pandas: Upgrade 1.2.3 -> 1.2.4
        python3-humanize: Upgrade 3.4.0 -> 3.4.1
        python3-decorator: Upgrade 5.0.6 -> 5.0.7
        python3-colorlog: Upgrade 4.8.0 -> 5.0.1
        python3-google-api-python-client: Upgrade 2.1.0 -> 2.2.0
        python3-croniter: Upgrade 1.0.11 -> 1.0.12
        python3-pysonos: Upgrade 0.0.42 -> 0.0.43
        python3-asttokens: Upgrade 2.0.4 -> 2.0.5
        python3-hyperframe: Upgrade 6.0.0 -> 6.0.1

  Luca Boccassi (3):
        cryptsetup: depend on new util-linux-uuid to break cycle
        dbus-broker: upgrade 26 -> 27
        dbus-broker: upgrade 27 -> 28

  Marius Kriegerowski (1):
        tmate: add recipe version 2.4.0

  Martin Jansa (25):
        glog: fix searching for Libunwind
        ceres-solver: prevent fetching git hook during do_configure
        packagegroup-meta-oe: include abseil-cpp for all architectures
        packagegroup-meta-oe: include nodejs without meta-python2 conditional
        packagegroup-meta-oe: move the packages depending on meta-python2 to separate packages
        mysql-python, lio-utils, openlmi-tools: add conditional PNBLACKLIST like meta-python2 does
        conf/layer.conf: include .bbappend files in BBFILES_DYNAMIC
        open-vm-tools: move to meta-networking
        packagegroup-meta-{oe,multimedia}: move pipewire to the right packagegroup
        packagegroup-meta-multimedia: include projucer only with x11 in DISTRO_FEATURES
        packagegroup-meta-multimedia: include vlc only with x11 in DISTRO_FEATURES
        packagegroup-meta-oe: include glfw, icewm, geis only with x11 in DISTRO_FEATURES
        phonet-utils: remove
        packagegroup-meta-oe: use 4 spaces for identation
        telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings
        uml-utilities: fix installed-vs-shipped with usrmerge
        libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error with usrmerge
        libyui: switch to libyui-old repo which still has this SRCREV
        libyui(-ncurses): upgrade to 4.1.1, libyui repo was rewritten completely
        android-tools: use PN instead of BPN in RDEPENDS
        pidgin-sipe: fix g_memdup2 changes to be backwards compatible with glib-1.67
        pidgin: upgrade to 2.14.2
        opencv: fetch wechat_qrcode files used by dnn PACKAGECONFIG
        opencv: link sfm module with Glog
        ostree: switch from default master branch to main to fix do_fetch failure

  Matteo Croce (1):
        libbpf: use pkg-config

  Michael Vetter (1):
        jasper: upgrade 2.0.25 -> 2.0.26

  Ming Liu (1):
        atftp: move atftpd.init from files to atftp subdirectory

  Mingli Yu (10):
        geoip: Switch to use the main branch
        geoip-perl: Switch to use the main branch
        bridge-utils: Switch to use the main branch
        netkit-telnet: Update SRC_URI
        quagga: Update SRC_URI
        hostapd: fix CVE-2019-5061
        freeradius: Upgrade to 3.0.21
        hostapd: fix CVE-2021-0326 and CVE-2021-27803
        php: Upgrade to 7.4.16
        python3-cryptography: Upgrade to 3.3.2

  Naveen Saini (2):
        tbb: upgrade 2020.3 -> 2021.2.0
        ocl-icd: upgrade 2.2.14 -> 2.3.0

  Nisha Parrakat (1):
        neon: use pkg-config instead of xml2-config to configure

  Oleksandr Kravchuk (10):
        ipset: update to 7.11
        libnice: update to 0.1.18
        nbdkit: update to 1.25.3
        python3-bitarray: update to 1.7.0
        python3-google-api-python-client: update to 2.0.2
        python3-jsonpatch: update to 1.31
        python3-websocket-client: update to 0.58.0
        python3-robotframework: update to 4.0
        python3-sentry-sdk: update to 1.0.0
        aom: update to 3.0.0

  Peace Lee (2):
        guider: Upgrade 3.9.7 -> 3.9.8
        guider: Upgrade 3.9.7 -> 3.9.8

  Persian Prince (1):
        tinymembench: Correct PV

  Philip Balister (1):
        fftw: Add support for ptest.

  Randy MacLeod (8):
        gperftools: upgrade 2.8.1 -> 2.9.1
        zabbix: upgrade 4.4.6 -> 5.2.5
        nss: upgrade 3.60.1 -> 3.62
        xterm: upgrade 362 -> 366
        zstd: remove the recipe since it moved to oe-core
        tclap: upgrade 1.2.2 -> 1.4.0
        doxygen: Upgrade 1.8.20 -> 1.9.1
        open-vm-tools: upgrade 11.0.1 -> 11.2.5

  Ross Burton (4):
        libxmlb: upgrade to 0.3.0
        flashrom: recipe cleanup
        openjpeg: add native/nativesdk class extension
        fwts: upgrade to 21.03.00

  Sakib Sajal (1):
        grpc: upgrade 1.36.1 -> 1.36.2

  Sam Van Den Berge (1):
        libiio: fix build when python bindings are enabled

  Sana Kazi (1):
        mdns: Whitelisted CVE-2007-0613 for mdns

  Sinan Kaya (1):
        zram: add support for mem_limit

  Stefan Ghinea (2):
        hostapd: fix CVE-2021-30004
        python3-django: fix CVE-2021-28658

  Stefan Schmidt (2):
        musl-rpmatch_git.bb: add new recipe to provide rpmatch() for musl libc builds
        plymouth_0.9.5.bb: allow building with musl libc

  Ulrich Ölmann (1):
        v4l-utils: fix reproducibility

  Valentin Longchamp (1):
        libssh: add gcrypt to PACKAGECONFIG

  Vinicius Aquino (1):
        networkmanager: upgrade 1.28.0 -> 1.30.2

  Vinícius Ossanes Aquino (2):
        modemmanager: upgrade 1.14.10 -> 1.16.2
        libqmi: upgrade 1.26.6 -> 1.28.2

  Wang Mingyu (3):
        czmq: Conflict resolution for sha1.h
        python3-lxml: upgrade 4.6.2 -> 4.6.3
        python3-zopeinterface: upgrade 5.2.0 -> 5.3.0

  Yann Dirson (1):
        mpv: remove explicit LICENSE_FLAGS

  Yi Fan Yu (7):
        librelp: update 1.6.0 -> 1.10.0
        rsyslog: Fix rsyslog systemd service not starting
        rsyslog: fix some of the ptests
        redis: upgrade 6.0.9 -> 6.2.1
        syslog-ng: upgrade 3.24.1 -> 3.31.2
        syslog-ng: remove CONFIG_TLS override for arm DEBUG_BUILD
        syslog-ng: Drop an obsolete patch to add --enable-libnet

  Yi Zhao (3):
        quagga: do not set PIDFile in service files
        tclap: add pkg-config file
        gvfs: rdepend on gsettings-desktop-schemas

  Zang Ruochen (1):
        gtkwave: upgrade 3.3.104 -> 3.3.108

  akuster (1):
        README: updated Maintainers list for Hardknott

  hasan.men (2):
        librdkafka: Add initial recipe v1.6.1
        libcppkafka: Add initial recipe for cppkafka wrapper

  persianpros (5):
        PEP8 double aggressive E701, E70 and E502
        PEP8 double aggressive E20 and E211
        PEP8 double aggressive E22, E224, E241, E242 and E27
        PEP8 double aggressive E301 ~ E306
        PEP8 double aggressive W291 ~ W293 and W391

  wangmy (2):
        mariadb: upgrade 10.5.8 -> 10.5.9
        uftrace: Fix error on aarch64 when binutils update to 2.35.1

  zangrc (38):
        dovecot: upgrade 2.3.13 -> 2.3.14
        fetchmail: upgrade 6.4.16 -> 6.4.17
        dialog: upgrade 1.3-20210117 -> 1.3-20210306
        fio: upgrade 3.25 -> 3.26
        xorriso: upgrade 1.5.3 -> 1.5.5
        iscsi-initiator-utils: upgrade 2.1.3 -> 2.1.4
        mosquitto: upgrade 2.0.8 -> 2.0.9
        nbdkit: upgrade 1.25.3 -> 1.25.4
        wireguard-tools: upgrade 1.0.20210223 -> 1.0.20210315
        wireshark: upgrade 3.4.3 -> 3.4.4
        live555: upgrade 20210129 -> 20210322
        mg: upgrade 20200723 -> 20210314
        nanopb: upgrade 0.4.4 -> 0.4.5
        nss: upgrade 3.62 -> 3.63
        uriparser: upgrade 0.9.4 -> 0.9.5
        gnome-autoar: upgrade 0.2.4 -> 0.3.1
        emacs: upgrade 27.1 -> 27.2
        fbgrab: upgrade 1.4 -> 1.5
        ostree: upgrade 2020.8 -> 2021.1
        zabbix: upgrade 5.2.5 -> 5.2.6
        libxaw: upgrade 1.0.13 -> 1.0.14
        mosquitto: upgrade 2.0.9 -> 2.0.10
        nbdkit: upgrade 1.25.4 -> 1.25.5
        stunnel: upgrade 5.58 -> 5.59
        usbredir: upgrade 0.8.0 -> 0.9.0
        hwdata: upgrade 0.345 -> 0.346
        live555: upgrade 20210322 -> 20210406
        rabbitmq-c: upgrade 0.10.0 -> 0.11.0
        xterm: upgrade 366 -> 367
        fuse3: upgrade 3.10.2 -> 3.10.3
        cifs-utils: upgrade 6.12 -> 6.13
        dnsmasq: upgrade 2.84 -> 2.85
        nbdkit: upgrade 1.25.5 -> 1.25.6
        wolfssl: upgrade 4.7.0 -> 4.7.1
        networkmanager: upgrade 1.30.2 -> 1.30.4
        libdvdread: upgrade 6.1.1 -> 6.1.2
        redis: upgrade 6.2.1 -> 6.2.2
        nss: upgrade 3.63 -> 3.64

  zhengruoqin (21):
        phpmyadmin: upgrade 5.0.4 -> 5.1.0
        uthash: upgrade 2.2.0 -> 2.3.0
        gd: upgrade 2.3.1 -> 2.3.2
        openocd: upgrade 0.10 -> 0.11
        satyr: upgrade 0.36 -> 0.37
        libcrypt-openssl-guess-perl: upgrade 0.11 -> 0.12
        cryptsetup: upgrade 2.3.4 -> 2.3.5
        glmark2: upgrade 20201114 -> 2021.02
        grpc: upgrade 1.36.2 -> 1.36.3
        dialog: upgrade 1.3-20210306 -> 1.3-20210319
        grpc: upgrade 1.36.3 -> 1.36.4
        libgee: upgrade 0.20.3 -> 0.20.4
        fetchmail: upgrade 6.4.17 -> 6.4.18
        lldpd: upgrade 1.0.4 -> 1.0.8
        networkmanager-openvpn: upgrade 1.8.12 -> 1.8.14
        snort: upgrade 2.9.17 -> 2.9.17.1
        python3-absl: upgrade 0.10.0 -> 0.12.0
        python3-astroid: upgrade 2.5.2 -> 2.5.3
        python3-bitarray: upgrade 1.9.1 -> 1.9.2
        irssi: upgrade 1.2.2 -> 1.2.3
        librsync: upgrade 2.3.1 -> 2.3.2

meta-security: 775870980b..c6b1eec0e5:
  Anton Antonov (5):
        Use libest "main" branch instead of "master".
        Add meta-parsec layer into meta-security.
        Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
        Clearly define clang toolchain in Parsec recipes
        gitlab-ci: Move all parsec builds into a separate job

  Armin Kuster (25):
        packagegroup-core-security: drop clamav-cvd
        clamav: upgrade 104.0
        python3-privacyidea: upgrade 3.5.1 -> 3.5.2
        clamav: fix systemd service install
        swtpm: now need python-cryptography, pull in layer
        swtpm: file pip3 issue
        swtpm: fix check for tscd deamon on host
        python3-suricata-update: update to 1.2.1
        .gitlab-ci.yml: reorder to speed up builds
        kas-security-base.yml: tweek build vars
        gitlab-ci: fine tune order
        clamav: remove rest of mirror.dat ref
        lkrg-module: Add Linux Kernel Runtime Guard
        kas-security-base: change branch to hardknott
        kas-security-base: add hardknott local dirs
        kas-security-base: Move some DISTRO_FEATURES around
        *-tpm.yml: drop tpms jobs
        gitlab-ci: move tpm build
        .gitlab-ci: work on pipelime
        gitlab-ci: cleanup after_script
        gitlab-ci: add new before script
        kas: cleanup some kas files
        packagegroup-core-security: exclude apparmor in mips64
        .gitlab-ci: use kas shell in some cases.
        kas-security-base: fix feature namespace for tpm*

  Ming Liu (2):
        meta: drop IMA_POLICY from policy recipes
        initramfs-framework-ima: introduce IMA_FORCE

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I635e69c9d74af0c553cad5eadd972f26830c7add
diff --git a/meta-openembedded/README b/meta-openembedded/README
index 7318f09..0d86dcc 100644
--- a/meta-openembedded/README
+++ b/meta-openembedded/README
@@ -1,6 +1,6 @@
 Collection of layers for the OE-core universe
 
-Main layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster  <akuster808@gmail.com>
 
 This repository is a collection of layers to suppliment OE-Core
 with additional packages, Each layer have designated maintainer
diff --git a/meta-openembedded/meta-filesystems/README b/meta-openembedded/meta-filesystems/README
index edcf8bf..14b223e 100644
--- a/meta-openembedded/meta-filesystems/README
+++ b/meta-openembedded/meta-filesystems/README
@@ -11,26 +11,26 @@
 
   URI: git://git.openembedded.org/openembedded-core
   layers: meta
-  branch: master
+  branch: hardknott
 
   URI: git://git.openembedded.org/meta-openembedded
   layers: meta-oe
-  branch: master
+  branch: hardknott
 
 Patches
 =======
 
 Please submit any patches against the filesystems layer to the
 OpenEmbedded development mailing list (openembedded-devel@lists.openembedded.org)
-with '[meta-filesystems]' in the subject.
+with '[meta-filesystems][hardknott]' in the subject.
 
-Layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
 
 When sending single patches, please use something like:
 
    git send-email -1 -M \
         --to openembedded-devel@lists.openembedded.org \
-        --subject-prefix=meta-filesystems][PATCH
+        --subject-prefix=meta-filesystems][hardknott][PATCH
 
 
 Table of Contents
diff --git a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb
similarity index 94%
rename from meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb
rename to meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb
index 91d0e37..72d0cd3 100644
--- a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb
+++ b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb
@@ -13,7 +13,7 @@
 
 SRC_URI = "https://github.com/libfuse/libfuse/releases/download/fuse-${PV}/fuse-${PV}.tar.xz \
 "
-SRC_URI[sha256sum] = "736e8d1ce65c09cb435fbbb500d53dc75f4d6e93bd325d22adc890951cf56337"
+SRC_URI[sha256sum] = "eb8373f208b05a39702f9f437f6e49caf4b1ace26a9acb68110b49912078560f"
 
 S = "${WORKDIR}/fuse-${PV}"
 
diff --git a/meta-openembedded/meta-gnome/README b/meta-openembedded/meta-gnome/README
index a11815f..fda2a52 100644
--- a/meta-openembedded/meta-gnome/README
+++ b/meta-openembedded/meta-gnome/README
@@ -3,16 +3,16 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 URI: git://github.com/openembedded/meta-oe.git
-branch: master
+branch: hardknott
 revision: HEAD
 
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-gnome]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-gnome][hardknott]' in the subject'
 
 When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-gnome][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-gnome][hardknott][PATCH'
 
-Layer maintainer: Andreas Müller <schnitzeltony@gmail.com>
+maintainer: Armin Kuster <akuster808@gmail.com>
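Review bot: the last added line reads "maintainer: Armin Kuster ..." while most of the other READMEs touched in this change use "hardknott maintainer:", so this file alone does not say that the entry is specific to the branch. Use the same "hardknott maintainer:" label here. The subject-line sentence a few lines up is edited as well but keeps its stray trailing quote ("in the subject'"), which could be fixed in the same pass.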
diff --git a/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb b/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
index aa5112a..717716e 100644
--- a/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
+++ b/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
@@ -53,8 +53,9 @@
                 --disable-check-update \
                 --without-wmf"
 
-EXTRA_OECONF_append_libc-musl_mipsarch = " --disable-vector-icons"
+EXTRA_OECONF_append_mipsarch = " --disable-vector-icons"
 EXTRA_OECONF_append_libc-musl_riscv32 = " --disable-vector-icons"
+EXTRA_OECONF_append_libc-musl_x86 = " --disable-vector-icons"
 EXTRA_OECONF_append_arm = " --disable-vector-icons"
 
 do_configure_append() {
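Review bot: the first changed line drops the libc-musl qualifier from the mipsarch append, so --disable-vector-icons now applies to every MIPS build rather than only musl ones, and the new libc-musl_x86 line adds one more special case, with no comment in the recipe saying what fails. Add a short comment above these appends naming the build failure they work around, so the overrides can be removed once it is fixed.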
diff --git a/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb b/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
index ad5dab5..c8c16a3 100644
--- a/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
+++ b/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
@@ -8,6 +8,8 @@
 DEPENDS += "libsecret glib-2.0 glib-2.0-native libgudev shadow-native \
             gsettings-desktop-schemas dbus"
 
+RDEPENDS_${PN} += "gsettings-desktop-schemas"
+
 SRC_URI = "https://download.gnome.org/sources/${BPN}/${@gnome_verdir("${PV}")}/${BPN}-${PV}.tar.xz;name=archive"
 SRC_URI[archive.md5sum] = "72383474f52d05c21ef2be96d0b91974"
 SRC_URI[archive.sha256sum] = "50ef3245d1b03666a40455109169a2a1bd51419fd2d51f9fa6cfd4f89f04fb46"
diff --git a/meta-openembedded/meta-initramfs/README b/meta-openembedded/meta-initramfs/README
index 79244d4..baa15d2 100644
--- a/meta-openembedded/meta-initramfs/README
+++ b/meta-openembedded/meta-initramfs/README
@@ -12,7 +12,7 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 
@@ -20,12 +20,12 @@
 -----------
 
 Send patches / pull requests to openembedded-devel@lists.openembedded.org
-with '[meta-initramfs]' in the subject.
+with '[meta-initramfs][hardknott]' in the subject.
 
 When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-initramfs][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-initramfs][hardknott][PATCH'
 
-Interm layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
 
 
 License
diff --git a/meta-openembedded/meta-multimedia/README b/meta-openembedded/meta-multimedia/README
index b4c2455..c4d665f 100644
--- a/meta-openembedded/meta-multimedia/README
+++ b/meta-openembedded/meta-multimedia/README
@@ -1,19 +1,19 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 URI: git://github.com/openembedded/meta-oe.git
 layers: meta-oe
-branch: master
+branch: hardknott
 revision: HEAD
 
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-multimedia]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-multimedia][hardknott]' in the subject'
 
 When sending single patches, please use something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-multimedia][PATCH
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-multimedia][hardknott][PATCH
 
 You are encouraged to fork the mirror on github https://github.com/openembedded/meta-openembedded to share your patches, this is preferred for patch sets consisting of more than one patch. Other services like GitLab, repo.or.cz or self hosted setups are of course accepted as well, 'git fetch <remote>' works the same on all of them. We recommend github because it is free, easy to use, has been proven to be reliable and has a really good web GUI.
 
-Layer maintainer: Andreas Müller <schnitzeltony@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
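Review bot: the updated git send-email example still has no closing single quote after "[PATCH", so the quoted command is unterminated when copied from the README. Close the quote on the added line, as the meta-gnome and meta-initramfs READMEs in this change do.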
diff --git a/meta-openembedded/meta-networking/MAINTAINERS b/meta-openembedded/meta-networking/MAINTAINERS
index 5c4c4ce..64e920b 100644
--- a/meta-openembedded/meta-networking/MAINTAINERS
+++ b/meta-openembedded/meta-networking/MAINTAINERS
@@ -2,38 +2,12 @@
 
 Please submit any patches against meta-networking to the OpenEmbedded
 development mailing list (openembedded-devel@lists.openembedded.org) with
-'[meta-networking]' in the subject.
+'[meta-networking][hardknott]' in the subject.
 
 When sending single patches, please use something like:
 
    git send-email -1 -M \
         --to openembedded-devel@lists.openembedded.org \
-        --subject-prefix=meta-networking][PATCH
+        --subject-prefix=meta-networking][hardknott][PATCH
 
-You may also contact the maintainers directly.
-
-Descriptions of section entries:
-
-        M: Mail patches to: FullName <address@domain>
-        F: Files and directories with wildcard patterns.
-           A trailing slash includes all files and subdirectory files.
-           F: recipes-devtools/    all files in and below recipes-devtools
-           F: recipes-selinux/*    all files in recipes-selinux, but not below
-           One pattern per line.  Multiple F: lines acceptable.
-
-Please keep this list in alphabetical order.
-
-Maintainers List (try to look for most precise areas first)
-
-COMMON
-M:      Khem Raj <raj.khem@gmail.com>
-M:      "Joe MacDonald (backup)" <joe@deserted.net>
-L:      openembedded-devel@lists.openembedded.org
-Q:      https://patchwork.openembedded.org/project/oe/
-S:      Maintained
-F:      conf
-F:      recipes-*
-
-NETKIT
-M:      Armin Kuster <akuster808@gmail.com>
-F:      recipes-netkit
+hardknott Maintainer:      Armin Kuster <akuster808@gmail.com>
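Review bot: this hunk removes the whole tagged section (the M:, L:, Q:, S: and F: entries, plus the key that explains them) and replaces it with a single free-form line, so the list address and patchwork URL are no longer recorded in this file and anything that reads the tagged format finds nothing. Keeping the COMMON block and changing only its M: entry would preserve the format. The new line's "hardknott Maintainer:" capitalisation and run of spaces also differ from the READMEs in this change.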
diff --git a/meta-openembedded/meta-networking/README b/meta-openembedded/meta-networking/README
index e1ba27d..ab4d809 100644
--- a/meta-openembedded/meta-networking/README
+++ b/meta-openembedded/meta-networking/README
@@ -18,19 +18,19 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/openembedded-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 For some recipes, the meta-oe layer is required:
 
 URI: git://github.com/openembedded/meta-openembedded.git
 subdirectory: meta-oe
-branch: master
+branch: hardknott
 revision: HEAD
 
 URI: git://github.com/openembedded/meta-openembedded.git
 subdirectory: meta-python
-branch: master
+branch: hardknott
 revision: HEAD
 
 Maintenance
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
new file mode 100644
index 0000000..fcadae9
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
@@ -0,0 +1,38 @@
+bootstrap: check commands of openssl exist
+
+It calls openssl commands dhparam and pkcs12 in script bootstrap. These
+commands are configurable based on configure options 'no-dh' and
+'no-des', and may not be provided by openssl. So check existence of
+these commands. If not, abort running of script bootstrap.
+
+1. https://github.com/openssl/openssl/blob/master/apps/build.info#L37
+2. https://github.com/openssl/openssl/blob/master/apps/build.info#L22
+
+Upstream-Status: Denied [https://github.com/FreeRADIUS/freeradius-server/pull/4059]
+				 The maintainer commented in the pull that the script could
+				 be run on a host which provides these openssl commands.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ raddb/certs/bootstrap | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..17feddbeeb 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,14 @@
+ umask 027
+ cd `dirname $0`
+ 
++#  check commands of openssl exist
++for cmd in dhparam pkcs12; do
++	if ! openssl ${cmd} -help >/dev/null 2>&1; then
++		echo "Error: command ${cmd} is not supported by openssl."
++		exit 1
++	fi
++done
++
+ make -h > /dev/null 2>&1
+ 
+ #
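Review bot: in the added loop the error message is written with a plain echo, so it goes to stdout and is lost when the caller discards or captures standard output; send it to stderr with echo "..." >&2 before the exit 1. The header records Upstream-Status: Denied, so this patch has to be carried and rebased on every freeradius upgrade; the recorded reason helps, and it would be worth adding a line saying why the target build still needs the check when the certificate bootstrap could be run on a host that has these openssl commands.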
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
index 864a4e9..a6df2ae 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -31,6 +31,7 @@
     file://0001-workaround-error-with-autoconf-2.7.patch \
     file://radiusd.service \
     file://radiusd-volatiles.conf \
+    file://check-openssl-cmds-in-script-bootstrap.patch \
 "
 
 SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb
similarity index 98%
rename from meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb
index ec3bdd2..7c07b0a 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb
@@ -31,7 +31,7 @@
     file://musl/0001-Fix-build-with-musl-systemd-specific.patch \
     file://musl/0002-Fix-build-with-musl-systemd-specific.patch \
 "
-SRC_URI[sha256sum] = "0c8e80e77877860e4a4e6ab4a0f7cdc1186e356b65b042a751897188b88944d2"
+SRC_URI[sha256sum] = "6050b724212ea3ce7386113359bea9afa1f679a54f60d999a5999892e672c190"
 
 S = "${WORKDIR}/NetworkManager-${PV}"
 
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb b/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb
similarity index 93%
rename from meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb
rename to meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb
index 83406f5..76a5fd7 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb
@@ -14,7 +14,7 @@
 
 SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https \
 "
-SRCREV = "830de9a9fb99e30f9ac9caa0a7f7bba29c3b4863"
+SRCREV = "95b91d89133a712a3d0f389442924612c103da24"
 S = "${WORKDIR}/git"
 
 inherit autotools
diff --git a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb
similarity index 94%
rename from meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb
rename to meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb
index 64958a7..0525b41 100644
--- a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb
+++ b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb
@@ -1,6 +1,6 @@
 require wireguard.inc
 
-SRCREV = "fe402261666821514377d06c2c68ed9bc19e7634"
+SRCREV = "122f06bfd8fc7b06a0899fa9adc4ce8e06900d98"
 
 SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat"
 
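Review bot: the context line SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat" fetches over the unauthenticated git protocol, so the pinned SRCREV is the only integrity check on source that ends up in a kernel module. The SRCREV pin itself is updated here; adding ;protocol=https to the URI, as the wolfssl and nbdkit recipes in this change already do, would protect the transport as well.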
@@ -31,3 +31,4 @@
 # OE-core post dunfell has moved to use kernel 5.8 which now means we cant build this module in world builds
 # for reference machines e.g. qemu
 EXCLUDE_FROM_WORLD = "1"
+
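Review bot: the only change in this hunk is a blank line appended at the end of the file, which is unrelated to the version bump. Drop it so the recipe diff is limited to the SRCREV change.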
diff --git a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
similarity index 96%
rename from meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb
rename to meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
index c68b474..41a9b8e 100644
--- a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb
+++ b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
@@ -4,7 +4,7 @@
 LICENSE = "GPLv3 & LGPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
-SRCREV = "73008e3292e4d46fde3eab5d5f618886210ec4a1"
+SRCREV = "464a60344a324311a6f5bb326fdf5f422a3c9005"
 SRC_URI = "git://git.samba.org/cifs-utils.git"
 
 S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb
deleted file mode 100644
index 3dd9154..0000000
--- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require dnsmasq.inc
-
-SRC_URI[dnsmasq-2.84.md5sum] = "6bf24b5bcf9293db2941fbdb545c1133"
-SRC_URI[dnsmasq-2.84.sha256sum] = "4caf385376f34fae5c55244a1f870dcf6f90e037bb7c4487210933dc497f9c36"
-SRC_URI += "\
-    file://lua.patch \
-"
-
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb
new file mode 100644
index 0000000..023dda3
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb
@@ -0,0 +1,8 @@
+require dnsmasq.inc
+
+SRC_URI[dnsmasq-2.85.md5sum] = "4079e1e6e1065e4bd14ded268cdd7bd7"
+SRC_URI[dnsmasq-2.85.sha256sum] = "f36b93ecac9397c15f461de9b1689ee5a2ed6b5135db0085916233053ff3f886"
+SRC_URI += "\
+    file://lua.patch \
+"
+
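Review bot: the new recipe still carries a SRC_URI[dnsmasq-2.85.md5sum] line next to the sha256sum, while the php recipe in this same change drops its md5sum and keeps only sha256sum. The md5sum line adds no assurance beyond the SHA-256 and can be removed here too, along with the blank line at the end of the file.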
diff --git a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb
similarity index 95%
rename from meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb
rename to meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb
index a6070cc..067911b 100644
--- a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb
+++ b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb
@@ -12,7 +12,7 @@
 SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \
 "
 
-SRCREV = "c828c6d48ff6b69454cad98054a1920d03c4b4c7"
+SRCREV = "023dac3e09a0e39d6f91dea4b7f8efb8f5faae36"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
index dd50fba..c178b4c 100644
--- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
+++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
@@ -24,7 +24,7 @@
 
 EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
 
-PACKAGECONFIG ??= "curl gmp openssl sqlite3 swanctl \
+PACKAGECONFIG ?= "curl gmp openssl sqlite3 swanctl \
         ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \
 "
 PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni"
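Review bot: changing PACKAGECONFIG from ??= to ?= alters how the default interacts with other layers: ?= assigns at parse time if the variable is still unset, whereas ??= is a weak default applied only at the end of parsing, so a ?= or ??= in a later bbappend or config file that used to win over this line no longer does. The hunk gives no reason for the change. State in the commit message which override it is meant to enable or fix, since this variable selects the plugin set (curl, gmp, openssl, sqlite3, swanctl) the daemon is built with.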
diff --git a/meta-openembedded/meta-oe/README b/meta-openembedded/meta-oe/README
index 98f671d..e031469 100644
--- a/meta-openembedded/meta-oe/README
+++ b/meta-openembedded/meta-oe/README
@@ -4,7 +4,7 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/openembedded-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 luajit recipe requires host compiler to be able to generate 32bit code when target is 32bit
@@ -20,7 +20,7 @@
 Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-oe]' in the subject'
 
 When sending single patches, please use something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix="meta-oe][PATCH"'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix="meta-oe][hardknott][PATCH"'
 
 You are encouraged to fork the mirror on GitHub https://github.com/openembedded/meta-openembedded
 to share your patches, this is preferred for patch sets consisting of more than one patch.
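Review bot: the git send-email example gains [hardknott], but the sentence in the first context line of this hunk still asks for '[meta-oe]' in the subject, so the README now gives two different subject formats. Update that sentence to '[meta-oe][hardknott]', as the other READMEs in this change do.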
@@ -29,4 +29,4 @@
 'git fetch <remote>' works the same on all of them. We recommend GitHub because it is free, easy
 to use, has been proven to be reliable and has a really good web GUI.
 
-layer maintainer: Khem Raj <raj.khem@gmail.com>
+Branch maintainer: Armin Kuster <akuster@gmail.com>
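Review bot: the added address is akuster@gmail.com, while the other README and MAINTAINERS files in this change give akuster808@gmail.com for the same maintainer. If this is a typo, patches and reports sent to it go to the wrong mailbox; confirm the address and make it consistent. The label "Branch maintainer:" also differs from the "hardknott maintainer:" wording used elsewhere.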
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb b/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb
similarity index 81%
rename from meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb
rename to meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb
index 1c5a912..c95741c 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb
@@ -6,8 +6,8 @@
 DEPENDS = "glib-2.0 ncurses openssl"
 
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz"
-SRC_URI[md5sum] = "8547f89e014e23e1bbbb665bcf7e2f70"
-SRC_URI[sha256sum] = "6727060c918568ba2ff4295ad736128dba0b995d7b20491bca11f593bd857578"
+SRC_URI[md5sum] = "381d3af259ad15d658be50c0a01f0c28"
+SRC_URI[sha256sum] = "a647bfefed14d2221fa77b6edac594934dc672c4a560417b1abcbbc6b88d769f"
 
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
 
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
deleted file mode 100644
index 0cf4d5e..0000000
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Subject: Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption
- for a 12 bytes IV)
-
----
- ext/openssl/openssl.c                      | 10 ++++-----
- ext/openssl/tests/cipher_tests.inc         | 21 +++++++++++++++++
- ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++-------
- ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++--------
- 4 files changed, 57 insertions(+), 22 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 04cb9b0f..fdad2c3b 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6521,11 +6521,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
- {
- 	char *iv_new;
- 
--	/* Best case scenario, user behaved */
--	if (*piv_len == iv_required_len) {
--		return SUCCESS;
--	}
--
- 	if (mode->is_aead) {
- 		if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {
- 			php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed");
-@@ -6534,6 +6529,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
- 		return SUCCESS;
- 	}
- 
-+	/* Best case scenario, user behaved */
-+	if (*piv_len == iv_required_len) {
-+		return SUCCESS;
-+	}
-+
- 	iv_new = ecalloc(1, iv_required_len + 1);
- 
- 	if (*piv_len == 0) {
-diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc
-index b1e46b41..779bfa85 100644
---- a/ext/openssl/tests/cipher_tests.inc
-+++ b/ext/openssl/tests/cipher_tests.inc
-@@ -1,5 +1,26 @@
- <?php
- $php_openssl_cipher_tests = array(
-+    'aes-128-ccm' => array(
-+        array(
-+            'key' => '404142434445464748494a4b4c4d4e4f',
-+            'iv'  => '1011121314151617',
-+            'aad' => '000102030405060708090a0b0c0d0e0f',
-+            'tag' => '1fc64fbfaccd',
-+            'pt'  => '202122232425262728292a2b2c2d2e2f',
-+            'ct'  => 'd2a1f0e051ea5f62081a7792073d593d',
-+        ),
-+        array(
-+            'key' => '404142434445464748494a4b4c4d4e4f',
-+            'iv'  => '101112131415161718191a1b',
-+            'aad' => '000102030405060708090a0b0c0d0e0f' .
-+                     '10111213',
-+            'tag' => '484392fbc1b09951',
-+            'pt'  => '202122232425262728292a2b2c2d2e2f' .
-+                     '3031323334353637',
-+            'ct'  => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' .
-+                     '6176aad9a4428aa5',
-+        ),
-+    ),
-     'aes-256-ccm' => array(
-         array(
-             'key' => '1bde3251d41a8b5ea013c195ae128b21' .
-diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt
-index a5f01b87..08ef5bb7 100644
---- a/ext/openssl/tests/openssl_decrypt_ccm.phpt
-+++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt
-@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
- --FILE--
- <?php
- require_once __DIR__ . "/cipher_tests.inc";
--$method = 'aes-256-ccm';
--$tests = openssl_get_cipher_tests($method);
-+$methods = ['aes-128-ccm', 'aes-256-ccm'];
- 
--foreach ($tests as $idx => $test) {
--    echo "TEST $idx\n";
--    $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
--        $test['iv'], $test['tag'], $test['aad']);
--    var_dump($test['pt'] === $pt);
-+foreach ($methods as $method) {
-+    $tests = openssl_get_cipher_tests($method);
-+    foreach ($tests as $idx => $test) {
-+        echo "$method - TEST $idx\n";
-+        $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
-+            $test['iv'], $test['tag'], $test['aad']);
-+        var_dump($test['pt'] === $pt);
-+    }
- }
- 
- // no IV
-@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
- 
- ?>
- --EXPECTF--
--TEST 0
-+aes-128-ccm - TEST 0
-+bool(true)
-+aes-128-ccm - TEST 1
-+bool(true)
-+aes-256-ccm - TEST 0
- bool(true)
- 
- Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d
-diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-index fb5dbbc8..8c4c41f8 100644
---- a/ext/openssl/tests/openssl_encrypt_ccm.phpt
-+++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
- --FILE--
- <?php
- require_once __DIR__ . "/cipher_tests.inc";
--$method = 'aes-256-ccm';
--$tests = openssl_get_cipher_tests($method);
-+$methods = ['aes-128-ccm', 'aes-256-ccm'];
- 
--foreach ($tests as $idx => $test) {
--    echo "TEST $idx\n";
--    $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
--        $test['iv'], $tag, $test['aad'], strlen($test['tag']));
--    var_dump($test['ct'] === $ct);
--    var_dump($test['tag'] === $tag);
-+foreach ($methods as $method) {
-+    $tests = openssl_get_cipher_tests($method);
-+    foreach ($tests as $idx => $test) {
-+        echo "$method - TEST $idx\n";
-+        $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
-+            $test['iv'], $tag, $test['aad'], strlen($test['tag']));
-+        var_dump($test['ct'] === $ct);
-+        var_dump($test['tag'] === $tag);
-+    }
- }
- 
- // Empty IV error
-@@ -32,7 +34,13 @@ var_dump(strlen($tag));
- var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024));
- ?>
- --EXPECTF--
--TEST 0
-+aes-128-ccm - TEST 0
-+bool(true)
-+bool(true)
-+aes-128-ccm - TEST 1
-+bool(true)
-+bool(true)
-+aes-256-ccm - TEST 0
- bool(true)
- bool(true)
- 
--- 
-2.25.1
-
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
deleted file mode 100644
index e5b527f..0000000
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Patch fix-urldecode for HTTP related Bug #79699
-
----
- main/php_variables.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/main/php_variables.c b/main/php_variables.c
-index 1a40c2a1..cbdc7cf1 100644
---- a/main/php_variables.c
-+++ b/main/php_variables.c
-@@ -514,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
- 		}
- 
- 		val = estrndup(val, val_len);
--		php_url_decode(var, strlen(var));
-+		if (arg != PARSE_COOKIE) {
-+			php_url_decode(var, strlen(var));
-+		}
- 		if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
- 			php_register_variable_safe(var, val, new_val_len, &array);
- 		}
--- 
-2.25.1
-
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
similarity index 97%
rename from meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb
rename to meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
index e19d5dd..821d9cd 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
@@ -3,7 +3,7 @@
 SECTION = "console/network"
 
 LICENSE = "PHP-3.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=7e571b888d585b31f9ef5edcc647fa30"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=99532e0f6620bc9bca34f12fadaee33c"
 
 BBCLASSEXTEND = "native"
 DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native"
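Review bot: the LIC_FILES_CHKSUM md5 changes, which means the upstream LICENSE text differs between 7.4.9 and 7.4.16, but nothing here says what changed. Record the nature of the change in the commit message (for example a year or wording update versus a change of terms) so the licence review is traceable.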
@@ -30,13 +30,10 @@
             file://phar-makefile.patch \
             file://0001-opcache-config.m4-enable-opcache.patch \
             file://xfail_two_bug_tests.patch \
-            file://CVE-2020-7070.patch \
-            file://CVE-2020-7069.patch \
           "
 
 S = "${WORKDIR}/php-${PV}"
-SRC_URI[md5sum] = "e68a66c54b080d108831f6dc2e1e403d"
-SRC_URI[sha256sum] = "2e270958a4216480da7886743438ccc92b6acf32ea96fefda88d07e0a5095deb"
+SRC_URI[sha256sum] = "85710f007cfd0fae94e13a02a3a036f4e81ef43693260cae8a2e1ca93659ce3e"
 
 inherit autotools pkgconfig python3native gettext
 
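Review bot: the CVE-2020-7070.patch and CVE-2020-7069.patch entries are dropped from SRC_URI together with the move from 7.4.9 to 7.4.16, and both patch files are deleted in this change, but nothing visible states that the new release already contains the two fixes. Say so in the commit message, ideally naming the upstream release that first carried them, so CVE tracking for this recipe does not flag the removal as a regression. The same hunk drops SRC_URI[md5sum] and keeps only sha256sum, which is fine.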
diff --git a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
index c382ad8..32aa842 100644
--- a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
@@ -22,7 +22,7 @@
 PREMIRRORS = ""
 
 SRC_URI = " \
-    gitsm://github.com/ostreedev/ostree \
+    gitsm://github.com/ostreedev/ostree;branch=main \
     file://run-ptest \
 "
 SRCREV = "e9e4b9112083228b8c385ad26924b6c4623f4179"
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
similarity index 95%
rename from meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb
rename to meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index 89990df..65b5257 100644
--- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -17,7 +17,7 @@
            file://GNU_SOURCE.patch \
            file://0006-Define-correct-gregs-for-RISCV32.patch \
            "
-SRC_URI[sha256sum] = "cd222505012cce20b25682fca931ec93bd21ae92cb4abfe742cf7b76aa907520"
+SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
 
 inherit autotools-brokensep update-rc.d systemd useradd
 
diff --git a/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init b/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
index ccc3aaf..28082f7 100755
--- a/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
+++ b/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
@@ -24,3 +24,8 @@
 
 zramctl -a ${ZRAM_ALGORITHM} -s ${memzram}KB $device
 mkswap -L "zram-swap" $device
+
+devname="${device##*/}"
+if [ ! -z ${ZRAM_SIZE_LIMIT+x} ]; then
+	echo ${ZRAM_SIZE_LIMIT} > /sys/block/$devname/mem_limit
+fi
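Review bot: In the added block, `[ ! -z ${ZRAM_SIZE_LIMIT+x} ]` and `echo ${ZRAM_SIZE_LIMIT}` use unquoted expansions, and the `+x` form only tests that the variable is set, so `ZRAM_SIZE_LIMIT=` (set but empty) still reaches the write to `mem_limit` with an empty value. When the variable is unset the test collapses to `[ ! -z ]`, which gives the right answer only through the one-argument form of `test`. Prefer `if [ -n "${ZRAM_SIZE_LIMIT}" ]; then` and `echo "${ZRAM_SIZE_LIMIT}" > "/sys/block/${devname}/mem_limit"`, and check the result of the sysfs write, which the script currently does not.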
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
index 4e875ba..5a42e67 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
@@ -1,29 +1,30 @@
-From c3460d63f0b6cd50b9a64265f420f0439e12a1d5 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 25 Apr 2017 01:36:44 -0400
-Subject: [PATCH 2/4] do not build tests sub directory
+From 076d0e12a7be6cd2108e4ca0dcde1cb658918fa5 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Mon, 19 Apr 2021 23:02:45 -0700
+Subject: [PATCH] do not build tests sub directory
 
-Upstream-Status: Inappropriate [oe specific]
+Upstream-Status: Inappropriate [OE Specific]
 
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Hongxu Jia <Hongxu.Jia@windriver.com>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
  CMakeLists.txt | 3 ---
  1 file changed, 3 deletions(-)
 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 94ec2ef..fb72a00 100644
+index 7bf99441..bda80598 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -300,9 +300,6 @@ if(BUILD_VIEWER)
+@@ -304,9 +304,6 @@ if(BUILD_VIEWER)
    add_subdirectory(media)
  endif()
  
 -add_subdirectory(tests)
 -
 -
- include(cmake/BuildPackages.cmake)
+ add_subdirectory(release)
  
  # uninstall
 -- 
-2.7.4
+2.30.2
 
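Review bot: The rewritten header replaces the original `From:` and `Date:` lines with the refresher's, and the existing `Signed-off-by: Hongxu Jia` line is edited (address capitalisation) rather than left as it was. For a rebase of someone else's patch, keep the original author and date, leave earlier sign-offs unchanged, and append the new `Signed-off-by:` below them so the provenance of the patch stays traceable.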
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
index 97b0a38..5f14665 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
@@ -1,44 +1,34 @@
-From 9563b69640227da2220ee0c39077afb736cc96d1 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Thu, 20 Jul 2017 17:12:17 +0800
-Subject: [PATCH 4/4] tigervnc: add fPIC option to COMPILE_FLAGS
+From 7f8acd59bb2e54f9be25a98dd71534700a9e355a Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Mon, 19 Apr 2021 23:14:28 -0700
+Subject: [PATCH] tigervnc: add fPIC option to COMPILE_FLAGS
 
-The static libraries in Xregion/network/rdr/rfb were linked by shared
+The static libraries in network/rdr/rfb were linked by shared
 library libvnc.so, so we should add fPIC option to COMPILE_FLAGS to fix
 relocation issue.
 
 Upstream-Status: Pending
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
- common/Xregion/CMakeLists.txt | 1 +
  common/network/CMakeLists.txt | 1 +
  common/rdr/CMakeLists.txt     | 1 +
  common/rfb/CMakeLists.txt     | 1 +
- 4 files changed, 4 insertions(+)
+ 3 files changed, 3 insertions(+)
 
-diff --git a/common/Xregion/CMakeLists.txt b/common/Xregion/CMakeLists.txt
-index 40ca97e..9411328 100644
---- a/common/Xregion/CMakeLists.txt
-+++ b/common/Xregion/CMakeLists.txt
-@@ -3,4 +3,5 @@ add_library(Xregion STATIC
- 
- if(UNIX)
-   libtool_create_control_file(Xregion)
-+  set_target_properties(Xregion PROPERTIES COMPILE_FLAGS -fPIC)
- endif()
 diff --git a/common/network/CMakeLists.txt b/common/network/CMakeLists.txt
-index b624c8e..6c06ec9 100644
+index d00ca452..e84e0290 100644
 --- a/common/network/CMakeLists.txt
 +++ b/common/network/CMakeLists.txt
-@@ -9,4 +9,5 @@ endif()
+@@ -16,4 +16,5 @@ endif()
  
  if(UNIX)
    libtool_create_control_file(network)
 +  set_target_properties(network PROPERTIES COMPILE_FLAGS -fPIC)
  endif()
 diff --git a/common/rdr/CMakeLists.txt b/common/rdr/CMakeLists.txt
-index 989ba2f..20f6489 100644
+index 989ba2f4..20f6489d 100644
 --- a/common/rdr/CMakeLists.txt
 +++ b/common/rdr/CMakeLists.txt
 @@ -27,4 +27,5 @@ target_link_libraries(rdr ${RDR_LIBRARIES})
@@ -48,15 +38,15 @@
 +  set_target_properties(rdr PROPERTIES COMPILE_FLAGS -fPIC)
  endif()
 diff --git a/common/rfb/CMakeLists.txt b/common/rfb/CMakeLists.txt
-index 5047e5e..88838ab 100644
+index fc5a37bf..7f5ce131 100644
 --- a/common/rfb/CMakeLists.txt
 +++ b/common/rfb/CMakeLists.txt
-@@ -98,4 +98,5 @@ target_link_libraries(rfb ${RFB_LIBRARIES})
+@@ -99,4 +99,5 @@ target_link_libraries(rfb ${RFB_LIBRARIES})
  
  if(UNIX)
    libtool_create_control_file(rfb)
 +  set_target_properties(rfb PROPERTIES COMPILE_FLAGS -fPIC)
  endif()
 -- 
-2.7.4
+2.30.2
 
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
similarity index 89%
rename from meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
rename to meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index f97c2b2..ce6c59b 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -2,22 +2,22 @@
 HOMEPAGE = "http://www.tigervnc.com/"
 LICENSE = "GPLv2+"
 SECTION = "x11/utils"
-DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk"
-RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl"
+DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk libpam"
+RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl bash"
 
 LIC_FILES_CHKSUM = "file://LICENCE.TXT;md5=75b02c2872421380bbd47781d2bd75d3"
 
 S = "${WORKDIR}/git"
 
 inherit features_check
-REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES = "x11 pam"
 
 inherit autotools cmake
 B = "${S}"
 
-SRCREV = "4739493b635372bd40a34640a719f79fa90e4dba"
+SRCREV = "540bfc3278e396321124d4b18a798ac2bc18b6ca"
 
-SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch \
+SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch \
            file://0002-do-not-build-tests-sub-directory.patch \
            file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
            file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
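Review bot: `REQUIRED_DISTRO_FEATURES = "x11 pam"` together with `libpam` in `DEPENDS` makes the recipe unbuildable on distros without the `pam` feature, which the 1.10.1 recipe did not require. If 1.11 cannot be configured without PAM, say so in the commit message; otherwise make PAM optional. The new `bash` entry in `RDEPENDS_${PN}` also deserves a line naming the script that needs it.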
@@ -83,6 +83,8 @@
         --disable-xwayland \
 "
 
+EXTRA_OECMAKE += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '-DCMAKE_INSTALL_UNITDIR=/lib/systemd/system', '-DINSTALL_SYSTEMD_UNITS=OFF', d)}"
+
 do_configure_append () {
     olddir=`pwd`
     cd ${XSERVER_SOURCE_DIR}
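Review bot: The added `EXTRA_OECMAKE` line hardcodes `-DCMAKE_INSTALL_UNITDIR=/lib/systemd/system`. Use `${systemd_system_unitdir}` instead so the install path follows the distro's directory layout and cannot drift from the path the recipe packages.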
@@ -125,6 +127,7 @@
 FILES_${PN} += " \
     ${libdir}/xorg/modules/extensions \
     ${datadir}/icons \
+    ${systemd_unitdir} \
 "
 
 FILES_${PN}-dbg += "${libdir}/xorg/modules/extensions/.debug"
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb b/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb
similarity index 71%
rename from meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb
rename to meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb
index 65f5b6a..ed7443d 100644
--- a/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb
+++ b/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb
@@ -4,8 +4,8 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=64e753fa7d1ca31632bc383da3b57c27"
 
 SRC_URI = "http://download.videolan.org/pub/videolan/libdvdread/${PV}/libdvdread-${PV}.tar.bz2"
-SRC_URI[md5sum] = "09c7423568fb679279fd2a2bc6b10b6e"
-SRC_URI[sha256sum] = "3e357309a17c5be3731385b9eabda6b7e3fa010f46022a06f104553bf8e21796"
+SRC_URI[md5sum] = "034581479968405ed415c34a50d00224"
+SRC_URI[sha256sum] = "cc190f553758ced7571859e301f802cb4821f164d02bfacfd320c14a4e0da763"
 
 inherit autotools lib_package binconfig pkgconfig
 
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch
new file mode 100644
index 0000000..5aec3c5
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch
@@ -0,0 +1,47 @@
+From 3f61e353424fb9ea3dce742022b94dfd7ea1ed9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
+Date: Thu, 4 Mar 2021 14:23:39 +0100
+Subject: [PATCH] configure.ac: autodetect availability of systemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Import systemd's official suggestion [1] how this should be handled in packages
+using autoconf. A side effect of this is the removal of the hardcoded fallback
+path "/lib/systemd/system" which leaks build host information when cross
+compiling v4l-utils and therefore defeats reproducible builds.
+
+[1] https://www.freedesktop.org/software/systemd/man/daemon.html#Installing%20systemd%20Service%20Files
+
+Upstream-Status: Backport [https://git.linuxtv.org/v4l-utils.git/commit/?id=3f61e353424fb9ea3dce742022b94dfd7ea1ed9f]
+
+Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
+Signed-off-by: Sean Young <sean@mess.org>
+---
+ configure.ac | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 727730c5ccf4..8470116df4b1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -388,7 +388,15 @@ AC_ARG_WITH(udevdir,
+ AC_ARG_WITH(systemdsystemunitdir,
+ 	AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [set systemd system unit directory]),
+ 	[],
+-	[with_systemdsystemunitdir=`$PKG_CONFIG --variable=systemdsystemunitdir systemd || echo /lib/systemd/system`])
++	[with_systemdsystemunitdir=auto])
++AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitdir" = "xauto"],
++      [def_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
++       AS_IF([test "x$def_systemdsystemunitdir" = "x"],
++             [AS_IF([test "x$with_systemdsystemunitdir" = "xyes"],
++                    [AC_MSG_ERROR([systemd support requested but pkg-config unable to query systemd package])])
++              with_systemdsystemunitdir=no],
++             [with_systemdsystemunitdir="$def_systemdsystemunitdir"])])
++AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$with_systemdsystemunitdir" != "xno"])
+ 
+ # Generic check: works with most distributions
+ def_gconv_dir=`for i in /lib64 /usr/lib64 /usr/local/lib64 /lib /usr/lib /usr/local/lib; do if @<:@ -d \$i/gconv @:>@; then echo \$i/gconv; break; fi; done`
+-- 
+2.29.2
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch
new file mode 100644
index 0000000..63a695f
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch
@@ -0,0 +1,40 @@
+From 01f2c6c58e6f4441df7df8e27eb7919f1f01e310 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
+Date: Thu, 4 Mar 2021 14:23:40 +0100
+Subject: [PATCH] keytable: restrict installation of 50-rc_keymap.conf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is only needed if BPF is effectively used and the package is compiled for a
+systemd based target.
+
+Upstream-Status: Backport [https://git.linuxtv.org/v4l-utils.git/commit/?id=01f2c6c58e6f4441df7df8e27eb7919f1f01e310]
+
+Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
+Signed-off-by: Sean Young <sean@mess.org>
+---
+ utils/keytable/Makefile.am | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/utils/keytable/Makefile.am b/utils/keytable/Makefile.am
+index c5eb414acf2f..eee61f0e0551 100644
+--- a/utils/keytable/Makefile.am
++++ b/utils/keytable/Makefile.am
+@@ -3,9 +3,13 @@ man_MANS = ir-keytable.1 rc_keymap.5
+ sysconf_DATA = rc_maps.cfg
+ keytablesystem_DATA = $(srcdir)/rc_keymaps/*
+ udevrules_DATA = 70-infrared.rules
++if WITH_BPF
++if HAVE_SYSTEMD
+ if HAVE_UDEVDSYSCALLFILTER
+ systemdsystemunit_DATA = 50-rc_keymap.conf
+ endif
++endif
++endif
+ 
+ ir_keytable_SOURCES = keytable.c parse.h ir-encode.c ir-encode.h toml.c toml.h keymap.c keymap.h
+ 
+-- 
+2.29.2
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
index 3e92d49..2261feb 100644
--- a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
@@ -5,7 +5,8 @@
 PROVIDES = "libv4l media-ctl"
 
 DEPENDS = "jpeg \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'virtual/libx11', '', d)}"
+           ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'virtual/libx11', '', d)} \
+           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 DEPENDS_append_libc-musl = " argp-standalone"
 DEPENDS_append_class-target = " udev"
 LDFLAGS_append = " -pthread"
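Review bot: The `systemd` entry added to `DEPENDS` is driven by an inline `DISTRO_FEATURES` check, while the configure side is left to autodetection now that `--with-systemdsystemunitdir` is removed from `EXTRA_OECONF`. A `PACKAGECONFIG[systemd]` entry such as `"--with-systemdsystemunitdir=${systemd_system_unitdir},--without-systemdsystemunitdir,systemd"` would keep the dependency and the configure switch together and make the result deterministic rather than dependent on what pkg-config finds in the sysroot.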
@@ -21,13 +22,14 @@
            file://export-mediactl-headers.patch \
            file://0002-contrib-test-Link-mc_nextgen_test-with-libargp-if-ne.patch \
            file://0007-Do-not-use-getsubopt.patch \
+           file://0008-configure.ac-autodetect-availability-of-systemd.patch \
+           file://0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch \
            "
 SRC_URI[md5sum] = "46f9e2c0b2fdccd009da2f7e1aa87894"
 SRC_URI[sha256sum] = "956118713f7ccb405c55c7088a6a2490c32d54300dd9a30d8d5008c28d3726f7"
 
 EXTRA_OECONF = "--disable-qv4l2 --enable-shared --with-udevdir=${base_libdir}/udev \
-                --disable-v4l2-compliance-32 --disable-v4l2-ctl-32 \
-                --with-systemdsystemunitdir=${systemd_system_unitdir}"
+                --disable-v4l2-compliance-32 --disable-v4l2-ctl-32"
 
 VIRTUAL-RUNTIME_ir-keytable-keymaps ?= "rc-keymaps"
 
@@ -37,8 +39,7 @@
 
 FILES_media-ctl = "${bindir}/media-ctl ${libdir}/libmediactl.so.*"
 
-FILES_ir-keytable = "${bindir}/ir-keytable ${base_libdir}/udev/rules.d/*-infrared.rules \
-                     ${systemd_system_unitdir}/systemd-udevd.service.d/50-rc_keymap.conf"
+FILES_ir-keytable = "${bindir}/ir-keytable ${base_libdir}/udev/rules.d/*-infrared.rules"
 RDEPENDS_ir-keytable += "${VIRTUAL-RUNTIME_ir-keytable-keymaps}"
 
 FILES_rc-keymaps = "${sysconfdir}/rc* ${base_libdir}/udev/rc*"
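Review bot: `FILES_ir-keytable` no longer lists `${systemd_system_unitdir}/systemd-udevd.service.d/50-rc_keymap.conf`, yet the backported `Makefile.am` change still installs that file when `WITH_BPF`, `HAVE_SYSTEMD` and `HAVE_UDEVDSYSCALLFILTER` are all true. Confirm which package picks it up in a systemd build with BPF enabled, or keep the entry so the drop-in ships with `ir-keytable`.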
diff --git a/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb b/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb
similarity index 88%
rename from meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
rename to meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb
index 004c93d..f199713 100644
--- a/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
+++ b/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
 
 SRC_URI = "git://github.com/librsync/librsync.git"
-SRCREV = "27f738650c20fef1285f11d85a34e5094a71c06f"
+SRCREV = "42b636d2a65ab6914ea7cac50886da28192aaf9b"
 S = "${WORKDIR}/git"
 
 DEPENDS = "popt"
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
similarity index 96%
rename from meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb
rename to meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
index ab2c43d..1863db1 100644
--- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -11,11 +11,12 @@
 DEPENDS = "sqlite3 nspr zlib nss-native"
 DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
 
-LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)"
+LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0+ & MIT) | (MPL-2.0 & LGPL-2.1+ & MIT)"
 
 LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
                     file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
-                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132"
+                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
+                    file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=d4096c1e4421ee56e9e0f441a8161f78"
 
 VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
 
@@ -32,7 +33,7 @@
            file://nss-fix-nsinstall-build.patch \
            file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
            "
-SRC_URI[sha256sum] = "182d2fef629102ae9423aabf2c192242b565cf5098e82c5a26cf70c5e4ea2221"
+SRC_URI[sha256sum] = "d3175427172e9c3a6f1ebc74452cb791590f28191c6a1a443dbc0d87c9df1126"
 
 UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
 UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
@@ -121,8 +122,6 @@
     fi
 
     export NSS_DISABLE_GTESTS=1
-    # see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99420
-    export NSS_ENABLE_WERROR=0
     # We can modify CC in the environment, but if we set it via an
     # argument to make, nsinstall, a host program, will also build with it!
     #
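Review bot: Removing `export NSS_ENABLE_WERROR=0` lets NSS's own default for warnings-as-errors apply again, and the deleted comment was the only pointer to why it had been switched off (gcc bug 99420). Note in the commit message that 3.64 builds cleanly with the toolchains in use, since this setting is the first thing to break on a compiler upgrade.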
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch
deleted file mode 100644
index b5bfcd0..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Subject: [PATCH] syslog-ng: fix segment fault during service start on arm64
-
-service start failed since segment fault on arch arm64,
-syslog-ng have a submodule ivykis, from ivykis V0.42,
-it use pthread_atfork, but for arm64, this symbol is
-not included by libpthread, so cause segment fault.
-
-refer systemd, replace pthread_atfork with __register_atfork
-to fix this problem.
-
-I have create an issue, and this proposal to upstream.
-https://github.com/buytenh/ivykis/issues/15
-
-Upstream-Status: Pending
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
-
-Update for 3.24.1.
-Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
----
- lib/ivykis/src/pthr.h | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/lib/ivykis/src/pthr.h b/lib/ivykis/src/pthr.h
-index 29e4be7..5d29096 100644
---- a/lib/ivykis/src/pthr.h
-+++ b/lib/ivykis/src/pthr.h
-@@ -24,6 +24,16 @@
- #include <pthread.h>
- #include <signal.h>
- 
-+#ifdef __GLIBC__
-+/* We use glibc __register_atfork() + __dso_handle directly here, as they are not included in the glibc
-+ * headers. __register_atfork() is mostly equivalent to pthread_atfork(), but doesn't require us to link against
-+ * libpthread, as it is part of glibc anyway. */
-+extern int __register_atfork(void (*prepare) (void), void (*parent) (void), void (*child) (void), void * __dso_handle);
-+extern void* __dso_handle __attribute__ ((__weak__));
-+#else
-+#define __register_atfork(prepare,parent,child,dso) pthread_atfork(prepare,parent,child)
-+#endif
-+
- #ifdef HAVE_PRAGMA_WEAK
- #pragma weak pthread_create
- #endif
-@@ -36,16 +46,7 @@ static inline int pthreads_available(void)
- 
- #ifdef HAVE_PRAGMA_WEAK
- 
--/*
-- * On Linux, pthread_atfork() is defined in libc_nonshared.a (for
-- * glibc >= 2.28) or libpthread_nonshared.a (for glibc <= 2.27), and
-- * we want to avoid "#pragma weak" for that symbol because that causes
-- * it to be undefined even if you link lib*_nonshared.a in explicitly.
-- */
--#if !defined(HAVE_LIBC_NONSHARED) && !defined(HAVE_LIBPTHREAD_NONSHARED)
--#pragma weak pthread_atfork
--#endif
--
-+#pragma weak __register_atfork
- #pragma weak pthread_create
- #pragma weak pthread_detach
- #pragma weak pthread_getspecific
-@@ -73,7 +74,7 @@ static inline int
- pthr_atfork(void (*prepare)(void), void (*parent)(void), void (*child)(void))
- {
- 	if (pthreads_available())
--		return pthread_atfork(prepare, parent, child);
-+		return __register_atfork(prepare, parent, child, __dso_handle);
- 
- 	return ENOSYS;
- }
--- 
-2.7.4
-
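Review bot: This deletes the arm64 start-up segfault workaround (`pthread_atfork` replaced by `__register_atfork` in `lib/ivykis/src/pthr.h`) while it was still marked `Upstream-Status: Pending`. The commit message should state why the bundled ivykis no longer needs it, ideally with the upstream commit or the outcome of the linked issue, and that service start was checked on an arm64 target.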
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch
new file mode 100644
index 0000000..b268335
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch
@@ -0,0 +1,30 @@
+From 7a8c458b7acf4732af74317f8a535077eb451b1e Mon Sep 17 00:00:00 2001
+From: Ming Liu <ming.liu@windriver.com>
+Date: Thu, 17 Jul 2014 05:37:08 -0400
+Subject: [PATCH] scl: fix wrong ownership during installation
+
+The ownership of build user is preserved for some target files, fixed it by
+adding --no-same-owner option to tar when extracting files.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+Upstream-Status: Backport [9045908]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ scl/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scl/Makefile.am b/scl/Makefile.am
+index 940a467..3c19e50 100644
+--- a/scl/Makefile.am
++++ b/scl/Makefile.am
+@@ -51,7 +51,7 @@ scl-install-data-local:
+ 		fi; \
+ 	done
+ 	$(mkinstalldirs) $(DESTDIR)/$(scldir)
+-	(cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf -)
++	(cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf - --no-same-owner)
+ 	chmod -R u+rwX $(DESTDIR)/$(scldir)
+ 
+ scl-uninstall-local:
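Review bot: `Upstream-Status: Backport [9045908]` gives only an abbreviated hash. Use the full upstream commit URL, as the v4l-utils backports in this same update do, so the origin can be checked, and name the upstream release that contains the fix so the patch is dropped at the right upgrade.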
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch
new file mode 100644
index 0000000..a8be7d8
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch
@@ -0,0 +1,53 @@
+From b64fcc414316592968f181c85447cfd01d1e461e Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 15 Apr 2021 13:48:19 -0400
+Subject: [PATCH] *.py: s/python/python3/ (exclude tests)
+
+As stated by https://github.com/syslog-ng/syslog-ng/pull/3603
+python2 is EOL.
+
+Fix all shebangs calling python instead of python3
+except the tests.
+
+(correcting lib/merge-grammar.py)
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+(adding the rest)
+Upstream-Status: Submitted [https://github.com/syslog-ng/syslog-ng/pull/3647]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ contrib/scripts/config-graph-json-to-dot.py | 2 +-
+ lib/merge-grammar.py                        | 2 +-
+ modules/python/pylib/setup.py               | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/scripts/config-graph-json-to-dot.py b/contrib/scripts/config-graph-json-to-dot.py
+index 4955c81..0351a9a 100755
+--- a/contrib/scripts/config-graph-json-to-dot.py
++++ b/contrib/scripts/config-graph-json-to-dot.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import json, sys
+ 
+ j = None
+diff --git a/lib/merge-grammar.py b/lib/merge-grammar.py
+index 7313ff5..459712d 100755
+--- a/lib/merge-grammar.py
++++ b/lib/merge-grammar.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ #############################################################################
+ # Copyright (c) 2010-2017 Balabit
+ #
+diff --git a/modules/python/pylib/setup.py b/modules/python/pylib/setup.py
+index 23bb5cc..a2fa05e 100755
+--- a/modules/python/pylib/setup.py
++++ b/modules/python/pylib/setup.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ #############################################################################
+ # Copyright (c) 2015-2016 Balabit
+ #
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch
deleted file mode 100644
index 4f8a3d0..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-configure.ac: add option --enable-thread-tls to manage thread ssl support
-
-Add option --enable-thread-tls to manage the including of thread
-local storage, so we could explicitly disable it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- configure.ac | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-Index: syslog-ng-3.15.1/configure.ac
-===================================================================
---- syslog-ng-3.15.1.orig/configure.ac
-+++ syslog-ng-3.15.1/configure.ac
-@@ -190,6 +190,9 @@ AC_ARG_ENABLE(gprof,
- AC_ARG_ENABLE(memtrace,
-               [  --enable-memtrace   Enable alternative leak debugging code.])
- 
-+AC_ARG_ENABLE(thread-tls,
-+              [  --enable-thread-tls        Enable Thread Local Storage support.],,enable_thread_tls="no")
-+
- AC_ARG_ENABLE(dynamic-linking,
-               [  --enable-dynamic-linking        Link everything dynamically.],,enable_dynamic_linking="auto")
- 
-@@ -591,12 +594,14 @@ dnl ***************************************************************************
- dnl Is the __thread keyword available?
- dnl ***************************************************************************
- 
--AC_LINK_IFELSE([AC_LANG_PROGRAM(
--[[#include <pthread.h>
--__thread int a;
--]],
--[a=0;])],
--[ac_cv_have_tls=yes; AC_DEFINE_UNQUOTED(HAVE_THREAD_KEYWORD, 1, "Whether Thread Local Storage is supported by the system")])
-+if test "x$enable_thread_tls" != "xno"; then
-+    AC_LINK_IFELSE([AC_LANG_PROGRAM(
-+    [[#include <pthread.h>
-+    __thread int a;
-+    ]],
-+    [a=0;])],
-+    [ac_cv_have_tls=yes; AC_DEFINE_UNQUOTED(HAVE_THREAD_KEYWORD, 1, "Whether Thread Local Storage is supported by the system")])
-+fi
- 
- dnl ***************************************************************************
- dnl How to do static linking?
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch
deleted file mode 100644
index 4ad0afa..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Subject: [PATCH] add libnet enable option
-
-Upstream-Status: Pending
-
-This would avoid a implicit auto-detecting result.
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-Update for 3.24.1.
-Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
----
- configure.ac | 28 ++++++++++++++++------------
- 1 file changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 00eb566..e7d5ac1 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -143,6 +143,9 @@ AC_CONFIG_HEADERS(config.h)
- dnl ***************************************************************************
- dnl Arguments
- 
-+AC_ARG_ENABLE(libnet,
-+              [  --enable-libnet      Enable libnet support.],, enable_libnet="no")
-+
- AC_ARG_WITH(libnet,
-    [  --with-libnet=path      use path to libnet-config script],
-    ,
-@@ -1047,19 +1050,20 @@ dnl ***************************************************************************
- dnl libnet headers/libraries
- dnl ***************************************************************************
- AC_MSG_CHECKING(for LIBNET)
--if test "x$with_libnet" = "x"; then
--        LIBNET_CONFIG="`which libnet-config`"
--else
--        LIBNET_CONFIG="$with_libnet/libnet-config"
--fi
-+if test "x$enable_libnet" = xyes; then
-+        if test "x$with_libnet" = "x"; then
-+                LIBNET_CONFIG="`which libnet-config`"
-+        else
-+                LIBNET_CONFIG="$with_libnet/libnet-config"
-+        fi
- 
--if test -n "$LIBNET_CONFIG" -a -x "$LIBNET_CONFIG"; then
--        LIBNET_CFLAGS="`$LIBNET_CONFIG --defines`"
--        LIBNET_LIBS="`$LIBNET_CONFIG --libs`"
--        AC_MSG_RESULT(yes)
--dnl libnet-config does not provide the _DEFAULT_SOURCE define, that can cause warning during build
--dnl as upstream libnet-config does uses _DEFAULT_SOURCE this is just a fix till 
--        LIBNET_CFLAGS="$LIBNET_CFLAGS -D_DEFAULT_SOURCE"
-+        if test -n "$LIBNET_CONFIG" -a -x "$LIBNET_CONFIG"; then
-+                LIBNET_CFLAGS="`$LIBNET_CONFIG --defines`"
-+                LIBNET_LIBS="`$LIBNET_CONFIG --libs`"
-+                AC_MSG_RESULT(yes)
-+        else
-+                AC_MSG_ERROR([Could not find libnet, and libnet support was explicitly enabled.])
-+        fi
- 
- else
-         LIBNET_LIBS=
--- 
-2.7.4
-
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch
deleted file mode 100644
index 54ecce5..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-syslog-ng: fix wrong ownership issue
-
-Upstream-Status: Pending
-
-The ownership of build user is preserved for some target files, fixed it by
-adding --no-same-owner option to tar when extracting files. 
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
----
- scl/Makefile.am |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-Index: syslog-ng-3.8.1/scl/Makefile.am
-===================================================================
---- syslog-ng-3.8.1.orig/scl/Makefile.am
-+++ syslog-ng-3.8.1/scl/Makefile.am
-@@ -27,7 +27,7 @@ scl-install-data-local:
- 		fi; \
- 	done
- 	$(mkinstalldirs) $(DESTDIR)/$(scldir)
--	(cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf -)
-+	(cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf - --no-same-owner)
- 	chmod -R u+rwX $(DESTDIR)/$(scldir)
- 
- scl-uninstall-local:
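Review bot: deleting this patch removes the `tar xf - --no-same-owner` change in `scl-install-data-local`, so the ownership fix now depends entirely on `0002-scl-fix-wrong-ownership-during-installation.patch`, which the new 3.31.2 recipe lists in its place. Confirm that patch still stops the build user's ownership from being preserved on the installed SCL files, since that is the problem the deleted header describes, and say in the commit message that it supersedes this one.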
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch
deleted file mode 100644
index 35d9677..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-syslog-ng: change shebang to use python3
-
-Correct shebang for python3.  This is far from the only python file with an out of date shebang,
-but it is the only one that winds up on a target.
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-
---- a/lib/merge-grammar.py
-+++ b/lib/merge-grammar.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- #############################################################################
- # Copyright (c) 2010-2017 Balabit
- #
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
index 6a86276..b63f46d 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
@@ -1,4 +1,4 @@
-@version: 3.24
+@version: 3.31
 #
 # Syslog-ng configuration file, compatible with default Debian syslogd
 # installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
index 32b9861..07cd3b0 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
@@ -1,4 +1,4 @@
-@version: 3.24
+@version: 3.31
 #
 # Syslog-ng configuration file, compatible with default Debian syslogd
 # installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
index 818cad5..80c5099 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
@@ -10,7 +10,7 @@
 HOMEPAGE = "http://www.balabit.com/network-security/syslog-ng/opensource-logging-system"
 
 LICENSE = "GPLv2 & LGPLv2.1"
-LIC_FILES_CHKSUM = "file://COPYING;md5=24c0c5cb2c83d9f2ab725481e4df5240"
+LIC_FILES_CHKSUM = "file://COPYING;md5=189c3826d32deaf83ad8d0d538a10023"
 
 # util-linux added to get libuuid
 DEPENDS = "libpcre flex glib-2.0 openssl util-linux bison-native"
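Review bot: the `LIC_FILES_CHKSUM` md5 for COPYING changes here, but nothing visible records what changed in the license text between 3.24.1 and 3.31.2. State in the commit message whether the terms changed or only the wording did, since `LICENSE` stays `GPLv2 & LGPLv2.1`.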
@@ -22,7 +22,6 @@
            file://syslog-ng.conf.sysvinit \
            file://initscript \
            file://volatiles.03_syslog-ng \
-           file://configure.ac-add-option-enable-thread-tls-to-manage-.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://github.com/balabit/syslog-ng/releases"
@@ -42,12 +41,8 @@
     --disable-python \
     --disable-java --disable-java-modules \
     --with-pidfile-dir=${localstatedir}/run/${BPN} \
-    ${CONFIG_TLS} \
 "
 
-CONFIG_TLS = "--enable-thread-tls"
-CONFIG_TLS_arm = "${@oe.utils.conditional( "DEBUG_BUILD", "1", " --disable-thread-tls", " --enable-thread-tls", d )}"
-
 PACKAGECONFIG ??= " \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} \
 "
@@ -55,7 +50,7 @@
 PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_unitdir}/system/,--disable-systemd --without-systemdsystemunitdir,systemd,"
 PACKAGECONFIG[linux-caps] = "--enable-linux-caps,--disable-linux-caps,libcap,"
 PACKAGECONFIG[dbi] = "--enable-sql,--disable-sql,libdbi,"
-PACKAGECONFIG[libnet] = "--enable-libnet --with-libnet=${STAGING_BINDIR_CROSS},--disable-libnet,libnet,"
+PACKAGECONFIG[spoof-source] = "--enable-spoof-source --with-libnet=${STAGING_BINDIR_CROSS},--disable-spoof-source,libnet,"
 PACKAGECONFIG[http] = "--enable-http,--disable-http,curl,"
 PACKAGECONFIG[smtp] = "--enable-smtp --with-libesmtp=${STAGING_LIBDIR},--disable-smtp,libesmtp,"
 PACKAGECONFIG[json] = "--enable-json,--disable-json,json-c,"
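Review bot: renaming `PACKAGECONFIG[libnet]` to `PACKAGECONFIG[spoof-source]` changes the name users have to set, so a local.conf or bbappend that still lists `libnet` for syslog-ng no longer selects `--with-libnet` or the libnet dependency. Call the rename out in the commit message. The switch enables source-address spoofing of forwarded messages, so it should stay opt-in; the visible default `PACKAGECONFIG` only filters `ipv6` and `systemd`, which is the right default to keep.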
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb
deleted file mode 100644
index 10bf00f..0000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require syslog-ng.inc
-
-# We only want to add stuff we need to the defaults provided in syslog-ng.inc.
-#
-SRC_URI += " \
-           file://fix-config-libnet.patch \
-           file://fix-invalid-ownership.patch \
-           file://syslog-ng.service-the-syslog-ng-service.patch \
-           file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \
-           file://shebang.patch \
-           file://syslog-ng-tmp.conf \
-           "
-
-SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450"
-SRC_URI[sha256sum] = "d4d0a0357b452be96b69d6f741129275530d8f0451e35adc408ad5635059fa3d"
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb
new file mode 100644
index 0000000..5d2b7f7
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb
@@ -0,0 +1,16 @@
+require syslog-ng.inc
+
+# We only want to add stuff we need to the defaults provided in syslog-ng.inc.
+#
+SRC_URI += "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.tar.gz \
+           file://syslog-ng.conf.systemd \
+           file://syslog-ng.conf.sysvinit \
+           file://initscript \
+           file://volatiles.03_syslog-ng \
+           file://syslog-ng-tmp.conf \
+           file://syslog-ng.service-the-syslog-ng-service.patch \
+           file://0002-scl-fix-wrong-ownership-during-installation.patch \
+           file://0005-.py-s-python-python3-exclude-tests.patch \
+           "
+SRC_URI[md5sum] = "69ef4dc5628d5e603e9e4a1b937592f8"
+SRC_URI[sha256sum] = "2eeb8e0dbbcb556fdd4e50bc9f29bc8c66c9b153026f87caa7567bd3139c186a"
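Review bot: this `SRC_URI +=` re-adds `file://syslog-ng.conf.sysvinit`, `file://initscript` and `file://volatiles.03_syslog-ng`, which the syslog-ng.inc hunk above shows are already in the include's `SRC_URI`, so they end up listed twice. Drop the duplicates from one of the two files. `SRC_URI[md5sum]` can also go, as the sha256sum is what pins the tarball; python3-hyperframe in this same update already dropped its md5sum.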
diff --git a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
index b05a59d..7e57ebf 100644
--- a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
+++ b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
@@ -9,6 +9,8 @@
 
 DEPENDS_append_libc-musl = " libucontext"
 
+PE = "1"
+
 BRANCH = "onetbb_2021"
 SRCREV = "2dba2072869a189b9fdab3ffa431d3ea49059a19"
 SRC_URI = "git://github.com/oneapi-src/oneTBB.git;protocol=https;branch=${BRANCH} \
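Review bot: `PE = "1"` is added with no comment, and an epoch cannot be taken back once packages carrying it are in a feed. Add a line above it saying which earlier version ordering it corrects.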
diff --git a/meta-openembedded/meta-perl/README b/meta-openembedded/meta-perl/README
index 67f2910..7b177ba 100644
--- a/meta-openembedded/meta-perl/README
+++ b/meta-openembedded/meta-perl/README
@@ -52,7 +52,7 @@
 This layer depends on:
 
   URI: git://git.openembedded.org/openembedded-core
-  branch: master
+  branch: hardknott
   revision: HEAD
   prio: default
 
@@ -75,14 +75,12 @@
 -----------
 
 Send patches / pull requests to openembedded-devel@lists.openembedded.org with
-'[meta-perl]' in the subject.
+'[meta-perl][hardknott]' in the subject.
 
 When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-perl][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-perl][hardknott][PATCH'
 
-Layer maintainers:
-    Hongxu Jia <hongxu.jia@windriver.com>
-    Tim "moto-timo" Orling <ticotimo@gmail.com>
+hardknott maintainers: Armin kuster <akuster808@gmail.com>
 
 License
 -------
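Review bot: the added maintainer line spells the name `Armin kuster` with a lower-case k, while the meta-python, meta-webserver and meta-xfce READMEs in this same update use `Armin Kuster`. Fix the capitalisation, and while this paragraph is being touched, "please using something like" in the unchanged line above it could be corrected to "please use something like", as meta-python already reads.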
diff --git a/meta-openembedded/meta-python/README b/meta-openembedded/meta-python/README
index ca0a290..904d2f9 100644
--- a/meta-openembedded/meta-python/README
+++ b/meta-openembedded/meta-python/README
@@ -13,12 +13,12 @@
 
 	URI: git://git.openembedded.org/openembedded-core
 	layers: meta
-	branch: master
+	branch: hardknott
 	revision: HEAD
 
 	URI: git://git.openembedded.org/meta-openembedded
 	layers: meta-oe
-	branch: master
+	branch: hardknott
 	revision: HEAD
 
 Please follow the recommended setup procedures of your OE distribution.
@@ -35,16 +35,12 @@
 before posting.
 
 Send pull requests to openembedded-devel@lists.openembedded.org with
-'[meta-python]' in the subject.
+'[meta-python][hardknott]' in the subject.
 
 When sending single patches, please use something like: 
-'git send-email -M -1 --to=openembedded-devel@lists.openembedded.org --subject-prefix=meta-python][PATCH'
+'git send-email -M -1 --to=openembedded-devel@lists.openembedded.org --subject-prefix=meta-python][hardknott][PATCH'
 
 Maintenance
 -------------------------
 
-Layer Maintainers:
-        Tim "moto-timo" Orling <TicoTimo@gmail.com>
-        Derek Straka <derek@asterius.io>
-        Trevor Gamblin <trevor.gamblin@windriver.com>
-
+hardknott Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb b/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb
similarity index 60%
rename from meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb
rename to meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb
index 4a936b4..2d46e96 100644
--- a/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb
+++ b/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb
@@ -4,7 +4,6 @@
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5bf1c68e73fbaec2b1687b7e71514393"
 
-SRC_URI[md5sum] = "30136a712e092b1a45ae3cad3ae93131"
-SRC_URI[sha256sum] = "742d2a4bc3152a340a49d59f32e33ec420aa8e7054c1444ef5c7efff255842f1"
+SRC_URI[sha256sum] = "ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914"
 
 inherit pypi setuptools3
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb
similarity index 81%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb
index c214933..429a56b 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb
@@ -7,7 +7,7 @@
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = "a42e57e28f2ac1c85ed9b1f84109401427e5c63c04f61d15b8842b027eec5128"
+SRC_URI[sha256sum] = "9a54c114f02c7a9480d56550932546a3f1fe71d8a02f1bc7ccd0ee3ee35cf4d5"
 
 DEPENDS += "\
     python3-setuptools-scm-native \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb
similarity index 93%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb
index 79a7ac1..0a36ffe 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb
@@ -6,7 +6,7 @@
 
 LDSHARED += "-pthread"
 
-SRC_URI[sha256sum] = "7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6"
+SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed"
 
 SRC_URI += " \
     file://run-ptest \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
deleted file mode 100644
index 0715abb..0000000
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[md5sum] = "93faf5bbd54a19ea49f4932a813b9758"
-SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2786594"
-
-RDEPENDS_${PN} += "\
-    ${PYTHON_PN}-sqlparse \
-"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
new file mode 100644
index 0000000..905d022
--- /dev/null
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
@@ -0,0 +1,9 @@
+require python-django.inc
+inherit setuptools3
+
+SRC_URI[md5sum] = "947060d96ccc0a05e8049d839e541b25"
+SRC_URI[sha256sum] = "2569f9dc5f8e458a5e988b03d6b7a02bda59b006d6782f4ea0fd590ed7336a64"
+
+RDEPENDS_${PN} += "\
+    ${PYTHON_PN}-sqlparse \
+"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb
similarity index 79%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb
index 25defab..dbb6a8d 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb
@@ -4,7 +4,7 @@
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=07b0e2ca9ac77cd65cd4edf2e13367ea"
 
-SRC_URI[sha256sum] = "20b45fa1779a01325e67822d243e1a3f7657d8b515308d84c1eb3c805cc3bdb5"
+SRC_URI[sha256sum] = "47be2b37defc856f15d7e7a419cfb939e9822750efe968db192156ebeba31684"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-webserver/README b/meta-openembedded/meta-webserver/README
index 7b60630..e525b0b 100644
--- a/meta-openembedded/meta-webserver/README
+++ b/meta-openembedded/meta-webserver/README
@@ -13,14 +13,14 @@
 
 URI: git://github.com/openembedded/oe-core.git
 subdirectory: meta
-branch: master
+branch: hardknott
 revision: HEAD
 
 For some recipes, the meta-oe layer is required:
 
 URI: git://github.com/openembedded/meta-oe.git
 subdirectory: meta-oe
-branch: master
+branch: hardknott
 revision: HEAD
 
 
@@ -52,9 +52,9 @@
 -----------
 
 Send patches / pull requests to openembedded-devel@lists.openembedded.org
-with '[meta-webserver]' in the subject.
+with '[meta-webserver][hardknott]' in the subject.
 
-Layer maintainer: Derek Straka <derek@asterius.io>
+hardknott Maintainer: Armin Kuster <akuster808@gmail.com>
 
 
 License
diff --git a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
index 2fa5bc4..ec3334d 100644
--- a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
+++ b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
@@ -26,7 +26,6 @@
     monkey \
     nginx \
     nginx \
-    nostromo \
     sthttpd \
 "
 
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
index e726c9a..f1cf593 100644
--- a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
@@ -62,3 +62,6 @@
         fi
     fi
 }
+
+PNBLACKLIST[nostromo] ?= "Host site for URI is dead"
+EXCLUDE_FROM_WORLD = "1"
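Review bot: the reason string in `PNBLACKLIST[nostromo] ?= "Host site for URI is dead"` does not name the URI, so nobody can recheck it later or tell when the entry can be dropped. Put the host in the string. Because the assignment is `?=`, a configuration that already sets `PNBLACKLIST[nostromo]` re-enables the recipe against an upstream this commit says is gone; if that override is intended, say so in a comment.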
diff --git a/meta-openembedded/meta-xfce/README b/meta-openembedded/meta-xfce/README
index 70ad47a..2ae6f16 100644
--- a/meta-openembedded/meta-xfce/README
+++ b/meta-openembedded/meta-xfce/README
@@ -1,11 +1,11 @@
 This layer depends on:
 
 URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
 revision: HEAD
 
 URI: git://github.com/openembedded/meta-oe.git
-branch: master
+branch: hardknott
 revision: HEAD
 meta-xfce depends on meta-oe, meta-gnome and meta-multimedia in this repository.
 
@@ -14,9 +14,9 @@
 
 BBMASK = "meta-xfce/recipes-multimedia"
 
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-xfce]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-xfce][hardknott]' in the subject'
 
 When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-xfce][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-xfce][hardknott][PATCH'
 
-Layer maintainer: Kai Kang <kai.kang@windriver.com>
+hardknott Maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-raspberrypi/conf/machine/include/rpi-base.inc b/meta-raspberrypi/conf/machine/include/rpi-base.inc
index 572fe22..77cada7 100644
--- a/meta-raspberrypi/conf/machine/include/rpi-base.inc
+++ b/meta-raspberrypi/conf/machine/include/rpi-base.inc
@@ -102,7 +102,7 @@
 BOOTFILES_DIR_NAME ?= "bootfiles"
 
 # Set Raspberrypi splash image
-SPLASH = "psplash-raspberrypi"
+SPLASH ?= "psplash-raspberrypi"
 
 def make_dtb_boot_files(d):
     # Generate IMAGE_BOOT_FILES entries for device tree files listed in
diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
index de43c4b..c4b4411 100644
--- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
+++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
@@ -118,10 +118,15 @@
 
     # Video camera support
     if [ "${VIDEO_CAMERA}" = "1" ]; then
-        # TODO: It has been observed that Raspberry Pi 4B 4GB may fail to enable the camera if "start_x=1" is at the end
-        #       of the file. The underlying cause is unknown, but it can be related with a file size limitation affecting
-        #       this variable. Therefore, "start_x=1" has been set to replace the original occurrence in config.txt,
-        #       which is at the middle of the file.
+        #   It has been observed that Raspberry Pi 4B 4GB may fail to enable the
+        # camera if "start_x=1" is at the end of the file. Therefore,
+        # "start_x=1" has been set to replace the original occurrence in
+        # config.txt, which is at the middle of the file.
+        #   The exact underlying cause is unknown. There are similar issues
+        # reported in the raspberrypi/firware repo and the conclusion reached
+        # was that there could be a file size limitation affecting certain
+        # variables. It was commented that this limitation could be 4k but
+        # not proved.
         sed -i '/#start_x=/ c\start_x=1' $CONFIG
     fi
 
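Review bot: the rewritten comment has a typo, `raspberrypi/firware` should be `raspberrypi/firmware`, and it cites "similar issues reported" there without an issue number or link, so the 4k size claim cannot be followed up. Add the reference. The `TODO:` marker is dropped although the text still says the cause is unknown; keep it if follow-up is intended.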
diff --git a/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules b/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
index 6bf019b..ddd1e17 100644
--- a/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
+++ b/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
@@ -1,8 +1,8 @@
 KERNEL=="ttyAMA[01]", PROGRAM="/bin/sh -c '\
 	ALIASES=/proc/device-tree/aliases; \
-	if cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
+	if cmp -s $$ALIASES/uart0 $$ALIASES/serial0; then \
 		echo 0;\
-	elif cmp -s $ALIASES/uart0 $ALIASES/serial1; then \
+	elif cmp -s $$ALIASES/uart0 $$ALIASES/serial1; then \
 		echo 1; \
 	else \
 		exit 1; \
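Review bot: the `$$ALIASES` change on the two `cmp -s` lines is the whole fix, and it deserves a one-line comment above the rule saying that udev treats `$` inside `PROGRAM` as the start of its own substitution and that `$$` passes a literal `$` through to the shell. Without that note, the next edit to this rule is likely to reintroduce a bare `$VAR`. The same applies to the `ttyS0` block in the next hunk.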
@@ -11,9 +11,9 @@
 
 KERNEL=="ttyS0", PROGRAM="/bin/sh -c '\
 	ALIASES=/proc/device-tree/aliases; \
-	if cmp -s $ALIASES/uart1 $ALIASES/serial0; then \
+	if cmp -s $$ALIASES/uart1 $$ALIASES/serial0; then \
 		echo 0; \
-	elif cmp -s $ALIASES/uart1 $ALIASES/serial1; then \
+	elif cmp -s $$ALIASES/uart1 $$ALIASES/serial1; then \
 		echo 1; \
 	else \
 		exit 1; \
diff --git a/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend b/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend
new file mode 100644
index 0000000..56ff421
--- /dev/null
+++ b/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend
@@ -0,0 +1,3 @@
+# when using userland graphic KHR/khrplatform.h is provided by userland but virtual/libgl is provided by mesa-gl where
+# we explicitly delete KHR/khrplatform.h since its already coming from userland package
+DEPENDS_append_rpi = " ${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '', 'userland', d)}"
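Review bot: the two comment lines do not say what the append does, and "we explicitly delete KHR/khrplatform.h" does not name the recipe that deletes it. State it directly: when `vc4graphics` is not in `MACHINE_FEATURES`, `userland` is added to `DEPENDS` because it is the provider of `KHR/khrplatform.h`, and name where the mesa-gl copy is removed. Also `its` should be `it's`.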
diff --git a/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb b/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
index 310d2f8..d28e2c1 100644
--- a/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
+++ b/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
@@ -16,7 +16,7 @@
 # [^1]: https://github.com/RPi-Distro/bluez-firmware/issues/1
 LICENSE = "Firmware-cypress-rpidistro"
 LIC_FILES_CHKSUM = "\
-    file://LICENCE.cypress-rpidistro;md5=852f9d10cbedba1f6c439729bd0617b4 \
+    file://LICENCE.cypress-rpidistro;md5=c5d12ae0b24ef7177902a8e288751a4e \
 "
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -24,8 +24,8 @@
 NO_GENERIC_LICENSE[Firmware-cypress-rpidistro] = "LICENCE.cypress-rpidistro"
 
 SRC_URI = "git://github.com/RPi-Distro/bluez-firmware"
-SRCREV = "96eefffcccc725425fd83be5e0704a5c32b79e54"
-PV = "0.0+git${SRCPV}"
+SRCREV = "e7fd166981ab4bb9a36c2d1500205a078a35714d"
+PV = "1.2-4+rpt8"
 
 S = "${WORKDIR}/git"
 
@@ -55,11 +55,15 @@
 PACKAGES = "\
     ${PN}-cypress-license \
     ${PN}-bcm43430a1-hcd \
+    ${PN}-bcm43430b0-hcd \
     ${PN}-bcm4345c0-hcd \
+    ${PN}-bcm4345c5-hcd \
 "
 
 LICENSE_${PN}-bcm43430a1-hcd = "Firmware-cypress-rpidistro"
+LICENSE_${PN}-bcm43430b0-hcd = "Firmware-cypress-rpidistro"
 LICENSE_${PN}-bcm4345c0-hcd = "Firmware-cypress-rpidistro"
+LICENSE_${PN}-bcm4345c5-hcd = "Firmware-cypress-rpidistro"
 LICENSE_${PN}-cypress-license = "Firmware-cypress-rpidistro"
 
 FILES_${PN}-cypress-license = "\
@@ -68,16 +72,28 @@
 FILES_${PN}-bcm43430a1-hcd = "\
     ${nonarch_base_libdir}/firmware/brcm/BCM43430A1.hcd \
 "
+FILES_${PN}-bcm43430b0-hcd = "\
+    ${nonarch_base_libdir}/firmware/brcm/BCM43430B0.hcd \
+"
 FILES_${PN}-bcm4345c0-hcd = "\
     ${nonarch_base_libdir}/firmware/brcm/BCM4345C0.hcd \
 "
+FILES_${PN}-bcm4345c5-hcd = "\
+    ${nonarch_base_libdir}/firmware/brcm/BCM4345C5.hcd \
+"
 
 RDEPENDS_${PN}-bcm43430a1-hcd += "${PN}-cypress-license"
+RDEPENDS_${PN}-bcm43430b0-hcd += "${PN}-cypress-license"
 RDEPENDS_${PN}-bcm4345c0-hcd += "${PN}-cypress-license"
+RDEPENDS_${PN}-bcm4345c5-hcd += "${PN}-cypress-license"
 RCONFLICTS_${PN}-bcm43430a1-hcd = "linux-firmware-bcm43430a1-hcd"
 RREPLACES_${PN}-bcm43430a1-hcd = "linux-firmware-bcm43430a1-hcd"
+RCONFLICTS_${PN}-bcm43430b0-hcd = "linux-firmware-bcm43430b0-hcd"
+RREPLACES_${PN}-bcm43430b0-hcd = "linux-firmware-bcm43430b0-hcd"
 RCONFLICTS_${PN}-bcm43435c0-hcd = "linux-firmware-bcm4345c0-hcd"
 RREPLACES_${PN}-bcm43435c0-hcd = "linux-firmware-bcm4345c0-hcd"
+RCONFLICTS_${PN}-bcm43435c5-hcd = "linux-firmware-bcm4345c5-hcd"
+RREPLACES_${PN}-bcm43435c5-hcd = "linux-firmware-bcm4345c5-hcd"
 
 # Firmware files are generally not run on the CPU, so they can be
 # allarch despite being architecture specific
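Review bot: the added `RCONFLICTS_${PN}-bcm43435c5-hcd` and `RREPLACES_${PN}-bcm43435c5-hcd` lines use the package name `bcm43435c5-hcd`, but the package added to `PACKAGES`, `LICENSE_`, `FILES_` and `RDEPENDS_` is `bcm4345c5-hcd`, so the conflict and replace never attach to the real package. The existing `bcm43435c0` lines just above carry the same typo. Fix both pairs to `bcm4345c0-hcd` and `bcm4345c5-hcd`.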
diff --git a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
index 671dfa2..a091585 100644
--- a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
+++ b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
@@ -36,8 +36,8 @@
 
 SRC_URI = "git://github.com/RPi-Distro/firmware-nonfree"
 
-SRCREV = "b66ab26cebff689d0d3257f56912b9bb03c20567"
-PV = "20190114-1+rpt10"
+SRCREV = "83938f78ca2d5a0ffe0c223bb96d72ccc7b71ca5"
+PV = "20190114-1+rpt11"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index f673ef6..3211025 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -1,33 +1,76 @@
-stages:
-  - build
-
-.build:
-  stage: build
-  image: crops/poky
-  before_script:
+.before-my-script: &before-my-script
     - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
     - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
     - export PATH=~/.local/bin:$PATH
     - wget https://bootstrap.pypa.io/get-pip.py
     - python3 get-pip.py
     - python3 -m pip install kas
-  after_script:
+
+.after-my-script: &after-my-script
     - cd $CI_PROJECT_DIR/poky
     - . ./oe-init-build-env $CI_PROJECT_DIR/build
     - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
     - send-error-report -y tmp/log/error-report/$x
     - done
-    - cd $CI_PROJECT_DIR
-    - rm -rf build
-  cache:
-    paths:
-      - layers
+    - rm -fr $CI_PROJECT_DIR/build
+
+
+stages:
+  - build
+  - parsec
+  - multi
+  - alt 
+  - musl
+  - test
+
+.build:
+  before_script:
+    - *before-my-script
+  stage: build
+  after_script:
+    - *after-my-script
+
+.parsec:
+  before_script:
+    - *before-my-script
+  stage: parsec 
+  after_script:
+    - *after-my-script
+
+
+.multi:
+  before_script:
+    - *before-my-script
+  stage: multi
+  after_script:
+    - *after-my-script
+
+.alt:
+  before_script:
+    - *before-my-script
+  stage: alt
+  after_script:
+    - *after-my-script
+
+.musl:
+  before_script:
+    - *before-my-script
+  stage: musl
+  after_script:
+    - *after-my-script
+
+.test:
+  before_script:
+    - *before-my-script
+  stage: test 
+  after_script:
+    - *after-my-script
+
 
 qemux86:
   extends: .build
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
   - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
   - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
   - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
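Review bot: the new `.build` template and its five copies drop `image: crops/poky` and the `cache:` block, so every job now runs on whatever default environment the runner provides. Either keep `image:` in the templates or say in the commit message that the runners supply the build environment. The shared `.before-my-script` anchor still fetches get-pip.py with wget, runs it, and installs kas unpinned, so each pipeline executes whatever those endpoints serve at that moment; pin the kas version and use a pip already present in the build environment. The six templates differ only in `stage:`, so one template with `stage:` set per job would be shorter.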
@@ -35,8 +78,7 @@
 qemux86-64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image security-tpm-image security-tpm2-image"
   - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
   - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
 
@@ -44,20 +86,17 @@
   extends: .build
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
 
 qemuarm64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image security-tpm2-image"
   - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
 
 qemuppc:
   extends: .build
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
 
 qemumips64:
   extends: .build
@@ -69,61 +108,58 @@
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
-qemux86-64-tpm:
-  extends: .build
-  script:
-  - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
-  - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml
-
-qemuarm64-tpm2:
-  extends: .build
-  script:
-  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
-
 qemuarm64-alt:
-  extends: .build
+  extends: .alt
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemuarm64-multi:
-  extends: .build
+  extends: .multi
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemumips64-alt:
-  extends: .build
+  extends: .alt
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemumips64-multi:
-  extends: .build
+  extends: .multi
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-64-alt:
-  extends: .build
+  extends: .alt
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-64-multi:
-  extends: .build
+  extends: .multi
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-musl:
-  extends: .build
+  extends: .musl
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemuarm64-musl:
-  extends: .build
+  extends: .musl
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-test:
-  extends: .build
+  extends: .test
   allow_failure: true
   script:
   - kas build --target security-test-image kas/$CI_JOB_NAME.yml
   - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
 
+parsec:
+  extends: .parsec
+  script:
+  - kas build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml
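Review bot: the removed `qemux86-64-tpm` and `qemuarm64-tpm2` jobs built the TPM images from their own kas files, while the replacement `bitbake -k security-build-image security-tpm-image security-tpm2-image` lines in the `qemux86-64` and `qemuarm64` jobs use the base `kas/$CI_JOB_NAME.yml`. Check that the base configs carry whatever the tpm-specific files set up, otherwise the TPM images drop out of CI coverage. In the new `parsec` job the five `kas build` lines run serially in one job, so a failure on the first machine hides the result for the other four; one job per machine under the `parsec` stage would keep the per-machine signal.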
diff --git a/meta-security/README b/meta-security/README
index eb15366..f223fee 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -11,19 +11,28 @@
 
   URI: git://git.openembedded.org/openembedded-core
   branch: master
+  revision: HEAD
+  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-oe
   branch: master
+  revision: HEAD
+  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-perl
   branch: master
+  revision: HEAD
+  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-python
   branch: master
+  revision: HEAD
+  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-networking
   branch: master
-
+  revision: HEAD
+  prio: default
 
 Adding the security layer to your build
 ========================================
@@ -42,23 +51,11 @@
     /path/to/meta-openembedded/meta-perl \
     /path/to/meta-openembedded/meta-python \
     /path/to/meta-openembedded/meta-networking \
-    /path/to/layer/meta-security "
-
-Optional Rust dependancy
-======================================
-If you want to use the latest Suricata that needs rust, you will need to clone
-
-  URI: https://github.com/meta-rust/meta-rust.git
-  branch: master
-
-  BBLAYERS += "/path/to/layer/meta-rust"
-
-This will activate the dynamic-layer mechanism and pull in the newer suricata
-
+    /path/to/layer/meta-security \
 
 
 Maintenance
-======================================
+-----------
 
 Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
 
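Review bot: in the BBLAYERS example the replacement line `/path/to/layer/meta-security \` ends with a continuation backslash, and the closing `"` from the removed line is gone, so the snippet is no longer a complete assignment when copied into bblayers.conf. Restore the closing quote. The Maintenance underline also switches from `=====` to `-----`, while "Adding the security layer to your build" in the previous hunk keeps `=====`; pick one style.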
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 906e024..fd21da1 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -12,7 +12,3 @@
 LAYERSERIES_COMPAT_security = "hardknott"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
-"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
deleted file mode 100644
index fc44ce6..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Skip pkg Makefile from using its own rust steps
-
-Upstream-Status: OE Specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: suricata-6.0.2/Makefile.am
-===================================================================
---- suricata-6.0.2.orig/Makefile.am
-+++ suricata-6.0.2/Makefile.am
-@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
-              $(SURICATA_UPDATE_DIR) \
- 	     lua \
- 	     acsite.m4
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
-           $(SURICATA_UPDATE_DIR)
- 
- CLEANFILES = stamp-h[0-9]*
-Index: suricata-6.0.2/Makefile.in
-===================================================================
---- suricata-6.0.2.orig/Makefile.in
-+++ suricata-6.0.2/Makefile.in
-@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- 	     lua \
- 	     acsite.m4
- 
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
-           $(SURICATA_UPDATE_DIR)
- 
- CLEANFILES = stamp-h[0-9]*
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
deleted file mode 100644
index a99a76e..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HUP $MAINPID
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target
-
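Review bot: the deleted unit is where the service confinement lived (`CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW`, `PrivateTmp=yes`, `ProtectHome=yes`, `ProtectSystem=yes`), so if another suricata.service remains in the layer, confirm it carries equivalent restrictions rather than leaving the daemon unconfined. If this unit is carried over anywhere, two lines deserve a fix first: `RestrictAddressFamilies=` with an empty value resets the list and restricts nothing, and `ExecStart` hard-codes `eth0`, which will not match every target board.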
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
deleted file mode 100644
index 8d06a27..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ /dev/null
@@ -1,1326 +0,0 @@
-%YAML 1.1
----
-
-# Suricata configuration file. In addition to the comments describing all
-# options in this file, full documentation can be found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
-
-
-# Number of packets allowed to be processed simultaneously.  Default is a
-# conservative 1024. A higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but may negatively impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
-
-# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
-#runmode: autofp
-
-# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
-#
-# Supported schedulers are:
-#
-# round-robin       - Flows assigned to threads in a round robin fashion.
-# active-packets    - Flows assigned to threads that have the lowest number of
-#                     unprocessed packets (default).
-# hash              - Flow alloted usihng the address hash. More of a random
-#                     technique. Was the default in Suricata 1.2.1 and older.
-#
-#autofp-scheduler: active-packets
-
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
-# it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
-# and 'sniffer-only' in IDS mode.
-# This feature is currently only used by the reject* keywords.
-host-mode: auto
-
-# Run suricata as user and group.
-#run-as:
-#  user: suri
-#  group: suri
-
-# Default pid file.
-# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
-# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
-
-# The default logging directory.  Any log or output file will be
-# placed here if its not specified with a full path name.  This can be
-# overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata/
-
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
-# or trigger some modifications of the engine. Set enabled to yes
-# to activate the feature. You can use the filename variable to set
-# the file name of the socket.
-unix-command:
-  enabled: no
-  #filename: custom.socket
-
-# Configure the type of alert (and other) logging you would like.
-outputs:
-
-  # a line based alerts log similar to Snort's fast.log
-  - fast:
-      enabled: yes
-      filename: fast.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-  # Extensible Event Format (nicknamed EVE) event log in JSON format
-  - eve-log:
-      enabled: yes
-      type: file #file|syslog|unix_dgram|unix_stream
-      filename: eve.json
-      # the following are valid when type: syslog above
-      #identity: "suricata"
-      #facility: local5
-      #level: Info ## possible levels: Emergency, Alert, Critical,
-                   ## Error, Warning, Notice, Info, Debug
-      types:
-        - alert
-        - http:
-            extended: yes     # enable this for extended logging information
-            # custom allows additional http fields to be included in eve-log
-            # the example below adds three additional fields when uncommented
-            #custom: [Accept-Encoding, Accept-Language, Authorization]
-        - dns
-        - tls:
-            extended: yes     # enable this for extended logging information
-        - files:
-            force-magic: no   # force logging magic on all logged files
-            force-md5: no     # force logging of md5 checksums
-        #- drop
-        - ssh
-
-  # alert output for use with Barnyard2
-  - unified2-alert:
-      enabled: yes
-      filename: unified2.alert
-
-      # File size limit.  Can be specified in kb, mb, gb.  Just a number
-      # is parsed as bytes.
-      #limit: 32mb
-
-      # Sensor ID field of unified2 alerts.
-      #sensor-id: 0
-
-      # HTTP X-Forwarded-For support by adding the unified2 extra header that
-      # will contain the actual client IP address or by overwriting the source
-      # IP address (helpful when inspecting traffic that is being reversed
-      # proxied).
-      xff:
-        enabled: no
-        # Two operation modes are available, "extra-data" and "overwrite". Note
-        # that in the "overwrite" mode, if the reported IP address in the HTTP
-        # X-Forwarded-For header is of a different version of the packet
-        # received, it will fall-back to "extra-data" mode.
-        mode: extra-data
-        # Header name were the actual IP address will be reported, if more than
-        # one IP address is present, the last IP address will be the one taken
-        # into consideration.
-        header: X-Forwarded-For 
-
-  # a line based log of HTTP requests (no alerts)
-  - http-log:
-      enabled: yes
-      filename: http.log
-      append: yes
-      #extended: yes     # enable this for extended logging information
-      #custom: yes       # enabled the custom logging format (defined by customformat)
-      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-  # a line based log of TLS handshake parameters (no alerts)
-  - tls-log:
-      enabled: no  # Log TLS connections.
-      filename: tls.log # File to store TLS logs.
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-      #extended: yes # Log extended information like fingerprint
-      certs-log-dir: certs # directory to store the certificates files
-
-  # a line based log of DNS requests and/or replies (no alerts)
-  - dns-log:
-      enabled: no
-      filename: dns.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-  # a line based log to used with pcap file study.
-  # this module is dedicated to offline pcap parsing (empty output
-  # if used with another kind of input). It can interoperate with
-  # pcap parser like wireshark via the suriwire plugin.
-  - pcap-info:
-      enabled: no
-
-  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
-  # and "sguil".
-  #
-  # In normal mode a pcap file "filename" is created in the default-log-dir,
-  # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
-  # In this base dir the pcaps are created in th directory structure Sguil expects:
-  #
-  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
-  #
-  # By default all packets are logged except:
-  # - TCP streams beyond stream.reassembly.depth
-  # - encrypted streams after the key exchange
-  #
-  - pcap-log:
-      enabled:  no
-      filename: log.pcap
-
-      # File size limit.  Can be specified in kb, mb, gb.  Just a number
-      # is parsed as bytes.
-      limit: 1000mb
-
-      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
-      max-files: 2000
-
-      mode: normal # normal or sguil.
-      #sguil-base-dir: /nsm_data/
-      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
-      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
-
-  # a full alerts log containing much information for signature writers
-  # or for investigating suspected false positives.
-  - alert-debug:
-      enabled: no
-      filename: alert-debug.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-  # alert output to prelude (http://www.prelude-technologies.com/) only
-  # available if Suricata has been compiled with --enable-prelude
-  - alert-prelude:
-      enabled: no
-      profile: suricata
-      log-packet-content: no
-      log-packet-header: yes
-
-  # Stats.log contains data from various counters of the suricata engine.
-  # The interval field (in seconds) tells after how long output will be written
-  # on the log file.
-  - stats:
-      enabled: yes
-      filename: stats.log
-      interval: 8
-
-  # a line based alerts log similar to fast.log into syslog
-  - syslog:
-      enabled: no
-      # reported identity to syslog. If ommited the program name (usually
-      # suricata) will be used.
-      #identity: "suricata"
-      facility: local5
-      #level: Info ## possible levels: Emergency, Alert, Critical,
-                   ## Error, Warning, Notice, Info, Debug
-
-  # a line based information for dropped packets in IPS mode
-  - drop:
-      enabled: no
-      filename: drop.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-  # output module to store extracted files to disk
-  #
-  # The files are stored to the log-dir in a format "file.<id>" where <id> is
-  # an incrementing number starting at 1. For each file "file.<id>" a meta
-  # file "file.<id>.meta" is created.
-  #
-  # File extraction depends on a lot of things to be fully done:
-  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
-  # - http request / response body sizes. Again set to 0 for optimal results.
-  # - rules that contain the "filestore" keyword.
-  - file-store:
-      enabled: no       # set to yes to enable
-      log-dir: files    # directory to store the files
-      force-magic: no   # force logging magic on all stored files
-      force-md5: no     # force logging of md5 checksums
-      #waldo: file.waldo # waldo file to store the file_id across runs
-
-  # output module to log files tracked in a easily parsable json format
-  - file-log:
-      enabled: no
-      filename: files-json.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
-      force-magic: no   # force logging magic on all logged files
-      force-md5: no     # force logging of md5 checksums
-
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic.mgc
-
-# When running in NFQ inline mode, it is possible to use a simulated
-# non-terminal NFQUEUE verdict.
-# This permit to do send all needed packet to suricata via this a rule:
-#        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
-# And below, you can have your standard filtering ruleset. To activate
-# this mode, you need to set mode to 'repeat'
-# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next-queue value.
-# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
-# by processing several packets before sending a verdict (worker runmode only).
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
-# accept the packet if suricata is not able to keep pace.
-nfq:
-#  mode: accept
-#  repeat-mark: 1
-#  repeat-mask: 1
-#  route-queue: 2
-#  batchcount: 20
-#  fail-open: yes
-
-#nflog support
-nflog:
-    # netlink multicast group
-    # (the same as the iptables --nflog-group param)
-    # Group 0 is used by the kernel, so you can't use it
-  - group: 2
-    # netlink buffer size
-    buffer-size: 18432
-    # put default value here
-  - group: default
-    # set number of packet to queue inside kernel
-    qthreshold: 1
-    # set the delay before flushing packet in the queue inside kernel
-    qtimeout: 100
-    # netlink max buffer size
-    max-size: 20000
-
-# af-packet support
-# Set threads to > 1 to use PACKET_FANOUT support
-af-packet:
-  - interface: eth0
-    # Number of receive threads (>1 will enable experimental flow pinned
-    # runmode)
-    threads: 1
-    # Default clusterid.  AF_PACKET will load balance packets based on flow.
-    # All threads/processes that will participate need to have the same
-    # clusterid.
-    cluster-id: 99
-    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
-    # This is only supported for Linux kernel > 3.1
-    # possible value are:
-    #  * cluster_round_robin: round robin load balancing
-    #  * cluster_flow: all packets of a given flow are send to the same socket
-    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
-    cluster-type: cluster_flow
-    # In some fragmentation case, the hash can not be computed. If "defrag" is set
-    # to yes, the kernel will do the needed defragmentation before sending the packets.
-    defrag: yes
-    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
-    use-mmap: yes
-    # Ring size will be computed with respect to max_pending_packets and number
-    # of threads. You can set manually the ring size in number of packets by setting
-    # the following value. If you are using flow cluster-type and have really network
-    # intensive single-flow you could want to set the ring-size independantly of the number
-    # of threads:
-    #ring-size: 2048
-    # On busy system, this could help to set it to yes to recover from a packet drop
-    # phase. This will result in some packets (at max a ring flush) being non treated.
-    #use-emergency-flush: yes
-    # recv buffer size, increase value could improve performance
-    # buffer-size: 32768
-    # Set to yes to disable promiscuous mode
-    # disable-promisc: no
-    # Choose checksum verification mode for the interface. At the moment
-    # of the capture, some packets may be with an invalid checksum due to
-    # offloading to the network card of the checksum computation.
-    # Possible values are:
-    #  - kernel: use indication sent by kernel for each packet (default)
-    #  - yes: checksum validation is forced
-    #  - no: checksum validation is disabled
-    #  - auto: suricata uses a statistical approach to detect when
-    #  checksum off-loading is used.
-    # Warning: 'checksum-validation' must be set to yes to have any validation
-    #checksum-checks: kernel
-    # BPF filter to apply to this interface. The pcap filter syntax apply here.
-    #bpf-filter: port 80 or udp
-    # You can use the following variables to activate AF_PACKET tap od IPS mode.
-    # If copy-mode is set to ips or tap, the traffic coming to the current
-    # interface will be copied to the copy-iface interface. If 'tap' is set, the
-    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
-    # will not be copied.
-    #copy-mode: ips
-    #copy-iface: eth1
-  - interface: eth1
-    threads: 1
-    cluster-id: 98
-    cluster-type: cluster_flow
-    defrag: yes
-    # buffer-size: 32768
-    # disable-promisc: no
-  # Put default values here
-  - interface: default
-    #threads: 2
-    #use-mmap: yes
-
-legacy:
-  uricontent: enabled
-
-# You can specify a threshold config file by setting "threshold-file"
-# to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
-
-# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low.
-#
-# "sgh mpm-context", indicates how the staging should allot mpm contexts for
-# the signature groups.  "single" indicates the use of a single context for
-# all the signature group heads.  "full" indicates a mpm-context for each
-# group head.  "auto" lets the engine decide the distribution of contexts
-# based on the information the engine gathers on the patterns from each
-# group head.
-#
-# The option inspection-recursion-limit is used to limit the recursive calls
-# in the content inspection code.  For certain payload-sig combinations, we
-# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit.  On not specifying a value, we use no limits on the recursion.
-detect-engine:
-  - profile: medium
-  - custom-values:
-      toclient-src-groups: 2
-      toclient-dst-groups: 2
-      toclient-sp-groups: 2
-      toclient-dp-groups: 3
-      toserver-src-groups: 2
-      toserver-dst-groups: 4
-      toserver-sp-groups: 2
-      toserver-dp-groups: 25
-  - sgh-mpm-context: auto
-  - inspection-recursion-limit: 3000
-  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
-  # will trigger a live rule reload. Experimental feature, use with care.
-  #- rule-reload: true
-  # If set to yes, the loading of signatures will be made after the capture
-  # is started. This will limit the downtime in IPS mode.
-  #- delayed-detect: yes
-
-# Suricata is multi-threaded. Here the threading can be influenced.
-threading:
-  # On some cpu's/architectures it is beneficial to tie individual threads
-  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
-  # and each extra CPU/core has one "detect" thread.
-  #
-  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
-  #
-  set-cpu-affinity: no
-  # Tune cpu affinity of suricata threads. Each family of threads can be bound
-  # on specific CPUs.
-  cpu-affinity:
-    - management-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
-    - receive-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
-    - decode-cpu-set:
-        cpu: [ 0, 1 ]
-        mode: "balanced"
-    - stream-cpu-set:
-        cpu: [ "0-1" ]
-    - detect-cpu-set:
-        cpu: [ "all" ]
-        mode: "exclusive" # run detect threads in these cpus
-        # Use explicitely 3 threads and don't compute number by using
-        # detect-thread-ratio variable:
-        # threads: 3
-        prio:
-          low: [ 0 ]
-          medium: [ "1-2" ]
-          high: [ 3 ]
-          default: "medium"
-    - verdict-cpu-set:
-        cpu: [ 0 ]
-        prio:
-          default: "high"
-    - reject-cpu-set:
-        cpu: [ 0 ]
-        prio:
-          default: "low"
-    - output-cpu-set:
-        cpu: [ "all" ]
-        prio:
-           default: "medium"
-  #
-  # By default Suricata creates one "detect" thread per available CPU/CPU core.
-  # This setting allows controlling this behaviour. A ratio setting of 2 will
-  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
-  # will result in 4 detect threads. If values below 1 are used, less threads
-  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
-  # thread being created. Regardless of the setting at a minimum 1 detect
-  # thread will always be created.
-  #
-  detect-thread-ratio: 1.5
-
-# Cuda configuration.
-cuda:
-  # The "mpm" profile.  On not specifying any of these parameters, the engine's
-  # internal default values are used, which are same as the ones specified in
-  # in the default conf file.
-  mpm:
-    # The minimum length required to buffer data to the gpu.
-    # Anything below this is MPM'ed on the CPU.
-    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
-    # A value of 0 indicates there's no limit.
-    data-buffer-size-min-limit: 0
-    # The maximum length for data that we would buffer to the gpu.
-    # Anything over this is MPM'ed on the CPU.
-    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
-    data-buffer-size-max-limit: 1500
-    # The ring buffer size used by the CudaBuffer API to buffer data.
-    cudabuffer-buffer-size: 500mb
-    # The max chunk size that can be sent to the gpu in a single go.
-    gpu-transfer-size: 50mb
-    # The timeout limit for batching of packets in microseconds.
-    batching-timeout: 2000
-    # The device to use for the mpm.  Currently we don't support load balancing
-    # on multiple gpus.  In case you have multiple devices on your system, you
-    # can specify the device to use, using this conf.  By default we hold 0, to
-    # specify the first device cuda sees.  To find out device-id associated with
-    # the card(s) on the system run "suricata --list-cuda-cards".
-    device-id: 0
-    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
-    # For this option you need a device with Compute Capability > 1.0.
-    cuda-streams: 2
-
-# Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
-# ac and ac-gfbs.
-#
-# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
-# to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
-
-mpm-algo: ac
-
-# The memory settings for hash size of these algorithms can vary from lowest
-# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
-# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
-# medium (1024) - high (2048).
-#
-# For B2g/B3g algorithms, there is a support for two different scan/search
-# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
-# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
-# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
-# B3gSearchBNDMq.
-#
-# For B2g the different scan/search algorithms and, hash and bloom
-# filter size settings. For B3g the different scan/search algorithms and, hash
-# and bloom filter size settings. For wumanber the hash and bloom filter size
-# settings.
-
-pattern-matcher:
-  - b2gc:
-      search-algo: B2gSearchBNDMq
-      hash-size: low
-      bf-size: medium
-  - b2gm:
-      search-algo: B2gSearchBNDMq
-      hash-size: low
-      bf-size: medium
-  - b2g:
-      search-algo: B2gSearchBNDMq
-      hash-size: low
-      bf-size: medium
-  - b3g:
-      search-algo: B3gSearchBNDMq
-      hash-size: low
-      bf-size: medium
-  - wumanber:
-      hash-size: low
-      bf-size: medium
-
-# Defrag settings:
-
-defrag:
-  memcap: 32mb
-  hash-size: 65536
-  trackers: 65535 # number of defragmented flows to follow
-  max-frags: 65535 # number of fragments to keep (higher than trackers)
-  prealloc: yes
-  timeout: 60
-
-# Enable defrag per host settings
-#  host-config:
-#
-#    - dmz:
-#        timeout: 30
-#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-#    - lan:
-#        timeout: 45
-#        address:
-#          - 192.168.0.0/24
-#          - 192.168.10.0/24
-#          - 172.16.14.0/24
-
-# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
-# for flow allocation inside the engine. You can change this value to allow
-# more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
-# the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
-# performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
-# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
-# in bytes.
-
-flow:
-  memcap: 64mb
-  hash-size: 65536
-  prealloc: 10000
-  emergency-recovery: 30
-
-# This option controls the use of vlan ids in the flow (and defrag)
-# hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
-vlan:
-  use-for-tracking: true
-
-# Specific timeouts for flows. Here you can specify the timeouts that the
-# active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
-# change the state to established (usually if we don't receive more packets
-# of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
-# without receiving new packets or closing the connection. "closed" is the
-# amount of time to wait after a flow is closed (usually zero).
-#
-# There's an emergency mode that will become active under attack circumstances,
-# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency-" and work similar as the normal ones.
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
-# icmp.
-
-flow-timeouts:
-
-  default:
-    new: 30
-    established: 300
-    closed: 0
-    emergency-new: 10
-    emergency-established: 100
-    emergency-closed: 0
-  tcp:
-    new: 60
-    established: 3600
-    closed: 120
-    emergency-new: 10
-    emergency-established: 300
-    emergency-closed: 20
-  udp:
-    new: 30
-    established: 300
-    emergency-new: 10
-    emergency-established: 100
-  icmp:
-    new: 30
-    established: 300
-    emergency-new: 10
-    emergency-established: 100
-
-# Stream engine settings. Here the TCP stream tracking and reassembly
-# engine is configured.
-#
-# stream:
-#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
-#                               # number indicates it's in bytes.
-#   checksum-validation: yes    # To validate the checksum of received
-#                               # packet. If csum validation is specified as
-#                               # "yes", then packet with invalid csum will not
-#                               # be processed by the engine stream/app layer.
-#                               # Warning: locally generated trafic can be
-#                               # generated without checksum due to hardware offload
-#                               # of checksum. You can control the handling of checksum
-#                               # on a per-interface basis via the 'checksum-checks'
-#                               # option
-#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
-#   midstream: false            # don't allow midstream session pickups
-#   async-oneside: false        # don't enable async stream handling
-#   inline: no                  # stream inline mode
-#   max-synack-queued: 5        # Max different SYN/ACKs to queue
-#
-#   reassembly:
-#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
-#                               # indicates it's in bytes.
-#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
-#                               # indicates it's in bytes.
-#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-#                               # this size.  Can be specified in kb, mb,
-#                               # gb.  Just a number indicates it's in bytes.
-#                               # The max acceptable size is 4024 bytes.
-#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-#                               # this size.  Can be specified in kb, mb,
-#                               # gb.  Just a number indicates it's in bytes.
-#                               # The max acceptable size is 4024 bytes.
-#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-#                               # This lower the risk of some evasion technics but could lead
-#                               # detection change between runs. It is set to 'yes' by default.
-#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
-#                               # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
-#                               # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
-#                               # of randomize-chunk-range is 10.
-#
-#     raw: yes                  # 'Raw' reassembly enabled or disabled.
-#                               # raw is for content inspection by detection
-#                               # engine.
-#
-#     chunk-prealloc: 250       # Number of preallocated stream chunks. These
-#                               # are used during stream inspection (raw).
-#     segments:                 # Settings for reassembly segment pool.
-#       - size: 4               # Size of the (data)segment for a pool
-#         prealloc: 256         # Number of segments to prealloc and keep
-#                               # in the pool.
-#
-stream:
-  memcap: 32mb
-  checksum-validation: yes      # reject wrong csums
-  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
-  reassembly:
-    memcap: 128mb
-    depth: 1mb                  # reassemble 1mb into a stream
-    toserver-chunk-size: 2560
-    toclient-chunk-size: 2560
-    randomize-chunk-size: yes
-    #randomize-chunk-range: 10
-    #raw: yes
-    #chunk-prealloc: 250
-    #segments:
-    #  - size: 4
-    #    prealloc: 256
-    #  - size: 16
-    #    prealloc: 512
-    #  - size: 112
-    #    prealloc: 512
-    #  - size: 248
-    #    prealloc: 512
-    #  - size: 512
-    #    prealloc: 512
-    #  - size: 768
-    #    prealloc: 1024
-    #  - size: 1448
-    #    prealloc: 1024
-    #  - size: 65535
-    #    prealloc: 128
-
-# Host table:
-#
-# Host table is used by tagging and per host thresholding subsystems.
-#
-host:
-  hash-size: 4096
-  prealloc: 1000
-  memcap: 16777216
-
-# Logging configuration.  This is not about logging IDS alerts, but
-# IDS output about what its doing, errors, etc.
-logging:
-
-  # The default log level, can be overridden in an output section.
-  # Note that debug level logging will only be emitted if Suricata was
-  # compiled with the --enable-debug configure option.
-  #
-  # This value is overriden by the SC_LOG_LEVEL env var.
-  default-log-level: notice
-
-  # The default output format.  Optional parameter, should default to
-  # something reasonable if not provided.  Can be overriden in an
-  # output section.  You can leave this out to get the default.
-  #
-  # This value is overriden by the SC_LOG_FORMAT env var.
-  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
-
-  # A regex to filter output.  Can be overridden in an output section.
-  # Defaults to empty (no filter).
-  #
-  # This value is overriden by the SC_LOG_OP_FILTER env var.
-  default-output-filter:
-
-  # Define your logging outputs.  If none are defined, or they are all
-  # disabled you will get the default - console output.
-  outputs:
-  - console:
-      enabled: yes
-  - file:
-      enabled: no
-      filename: /var/log/suricata.log
-  - syslog:
-      enabled: yes
-      facility: local5
-      format: "[%i] <%d> -- "
-
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
-mpipe:
-
-  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
-  load-balance: dynamic
-
-  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
-  iqueue-packets: 2048
-
-  # List of interfaces we will listen on.
-  inputs:
-  - interface: xgbe2
-  - interface: xgbe3
-  - interface: xgbe4
-
-
-  # Relative weight of memory for packets of each mPipe buffer size.
-  stack:
-    size128: 0
-    size256: 9
-    size512: 0
-    size1024: 0
-    size1664: 7
-    size4096: 0
-    size10386: 0
-    size16384: 0
-
-# PF_RING configuration. for use with native PF_RING support
-# for more info see http://www.ntop.org/PF_RING.html
-pfring:
-  - interface: eth0
-    # Number of receive threads (>1 will enable experimental flow pinned
-    # runmode)
-    threads: 1
-
-    # Default clusterid.  PF_RING will load balance packets based on flow.
-    # All threads/processes that will participate need to have the same
-    # clusterid.
-    cluster-id: 99
-
-    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
-    # This is only supported in versions of PF_RING > 4.1.1.
-    cluster-type: cluster_flow
-    # bpf filter for this interface
-    #bpf-filter: tcp
-    # Choose checksum verification mode for the interface. At the moment
-    # of the capture, some packets may be with an invalid checksum due to
-    # offloading to the network card of the checksum computation.
-    # Possible values are:
-    #  - rxonly: only compute checksum for packets received by network card.
-    #  - yes: checksum validation is forced
-    #  - no: checksum validation is disabled
-    #  - auto: suricata uses a statistical approach to detect when
-    #  checksum off-loading is used. (default)
-    # Warning: 'checksum-validation' must be set to yes to have any validation
-    #checksum-checks: auto
-  # Second interface
-  #- interface: eth1
-  #  threads: 3
-  #  cluster-id: 93
-  #  cluster-type: cluster_flow
-  # Put default values here
-  - interface: default
-    #threads: 2
-
-pcap:
-  - interface: eth0
-    # On Linux, pcap will try to use mmaped capture and will use buffer-size
-    # as total of memory used by the ring. So set this to something bigger
-    # than 1% of your bandwidth.
-    #buffer-size: 16777216
-    #bpf-filter: "tcp and port 25"
-    # Choose checksum verification mode for the interface. At the moment
-    # of the capture, some packets may be with an invalid checksum due to
-    # offloading to the network card of the checksum computation.
-    # Possible values are:
-    #  - yes: checksum validation is forced
-    #  - no: checksum validation is disabled
-    #  - auto: suricata uses a statistical approach to detect when
-    #  checksum off-loading is used. (default)
-    # Warning: 'checksum-validation' must be set to yes to have any validation
-    #checksum-checks: auto
-    # With some accelerator cards using a modified libpcap (like myricom), you
-    # may want to have the same number of capture threads as the number of capture
-    # rings. In this case, set up the threads variable to N to start N threads
-    # listening on the same interface.
-    #threads: 16
-    # set to no to disable promiscuous mode:
-    #promisc: no
-    # set snaplen, if not set it defaults to MTU if MTU can be known
-    # via ioctl call and to full capture if not.
-    #snaplen: 1518
-  # Put default values here
-  - interface: default
-    #checksum-checks: auto
-
-pcap-file:
-  # Possible values are:
-  #  - yes: checksum validation is forced
-  #  - no: checksum validation is disabled
-  #  - auto: suricata uses a statistical approach to detect when
-  #  checksum off-loading is used. (default)
-  # Warning: 'checksum-validation' must be set to yes to have checksum tested
-  checksum-checks: auto
-
-# For FreeBSD ipfw(8) divert(4) support.
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
-# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
-# Additionally, you need to have an ipfw rule for the engine to see
-# the packets from ipfw.  For Example:
-#
-#   ipfw add 100 divert 8000 ip from any to any
-#
-# The 8000 above should be the same number you passed on the command
-# line, i.e. -d 8000
-#
-ipfw:
-
-  # Reinject packets at the specified ipfw rule number.  This config
-  # option is the ipfw rule number AT WHICH rule processing continues
-  # in the ipfw processing system after the engine has finished
-  # inspecting the packet for acceptance.  If no rule number is specified,
-  # accepted packets are reinjected at the divert rule which they entered
-  # and IPFW rule processing continues.  No check is done to verify
-  # this will rule makes sense so care must be taken to avoid loops in ipfw.
-  #
-  ## The following example tells the engine to reinject packets
-  # back into the ipfw firewall AT rule number 5500:
-  #
-  # ipfw-reinjection-rule-number: 5500
-
-# Set the default rule path here to search for the files.
-# if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules
-rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-icmp_info.rules
-# - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules  # available in suricata sources under rules dir
- - http-events.rules    # available in suricata sources under rules dir
- - smtp-events.rules    # available in suricata sources under rules dir
- - dns-events.rules     # available in suricata sources under rules dir
- - tls-events.rules     # available in suricata sources under rules dir
-
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
-
-# Holds variables that would be used by the engine.
-vars:
-
-  # Holds the address group vars that would be passed in a Signature.
-  # These would be retrieved during the Signature address parsing stage.
-  address-groups:
-
-    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
-
-    EXTERNAL_NET: "!$HOME_NET"
-
-    HTTP_SERVERS: "$HOME_NET"
-
-    SMTP_SERVERS: "$HOME_NET"
-
-    SQL_SERVERS: "$HOME_NET"
-
-    DNS_SERVERS: "$HOME_NET"
-
-    TELNET_SERVERS: "$HOME_NET"
-
-    AIM_SERVERS: "$EXTERNAL_NET"
-
-    DNP3_SERVER: "$HOME_NET"
-
-    DNP3_CLIENT: "$HOME_NET"
-
-    MODBUS_CLIENT: "$HOME_NET"
-
-    MODBUS_SERVER: "$HOME_NET"
-
-    ENIP_CLIENT: "$HOME_NET"
-
-    ENIP_SERVER: "$HOME_NET"
-
-  # Holds the port group vars that would be passed in a Signature.
-  # These would be retrieved during the Signature port parsing stage.
-  port-groups:
-
-    HTTP_PORTS: "80"
-
-    SHELLCODE_PORTS: "!80"
-
-    ORACLE_PORTS: 1521
-
-    SSH_PORTS: 22
-
-    DNP3_PORTS: 20000
-
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
-  - pass
-  - drop
-  - reject
-  - alert
-
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
-# Host specific policies for defragmentation and TCP stream
-# reassembly.  The host OS lookup is done using a radix tree, just
-# like a routing table so the most specific entry matches.
-host-os-policy:
-  # Make the default policy windows.
-  windows: [0.0.0.0/0]
-  bsd: []
-  bsd-right: []
-  old-linux: []
-  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
-  old-solaris: []
-  solaris: ["::1"]
-  hpux10: []
-  hpux11: []
-  irix: []
-  macos: []
-  vista: []
-  windows2k3: []
-
-
-# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1-max-frames: 256
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit.  The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
-  # enables printing reports for fast-pattern for every rule.
-  rules-fast-pattern: yes
-  # enables printing reports for each rule
-  rules: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
-  match-limit: 3500
-  match-limit-recursion: 1500
-
-# Holds details on the app-layer. The protocols section details each protocol.
-# Under each protocol, the default value for detection-enabled and "
-# parsed-enabled is yes, unless specified otherwise.
-# Each protocol covers enabling/disabling parsers for all ipprotos
-# the app-layer protocol runs on.  For example "dcerpc" refers to the tcp
-# version of the protocol as well as the udp version of the protocol.
-# The option "enabled" takes 3 values - "yes", "no", "detection-only".
-# "yes" enables both detection and the parser, "no" disables both, and
-# "detection-only" enables detection only(parser disabled).
-app-layer:
-  protocols:
-    tls:
-      enabled: yes
-      detection-ports:
-        dp: 443
-
-      #no-reassemble: yes
-    dcerpc:
-      enabled: yes
-    ftp:
-      enabled: yes
-    ssh:
-      enabled: yes
-    smtp:
-      enabled: yes
-    imap:
-      enabled: detection-only
-    msn:
-      enabled: detection-only
-    smb:
-      enabled: yes
-      detection-ports:
-        dp: 139
-    # smb2 detection is disabled internally inside the engine.
-    #smb2:
-    #  enabled: yes
-    dns:
-      # memcaps. Globally and per flow/state.
-      #global-memcap: 16mb
-      #state-memcap: 512kb
-
-      # How many unreplied DNS requests are considered a flood.
-      # If the limit is reached, app-layer-event:dns.flooded; will match.
-      #request-flood: 500
-
-      tcp:
-        enabled: yes
-        detection-ports:
-          dp: 53
-      udp:
-        enabled: yes
-        detection-ports:
-          dp: 53
-    http:
-      enabled: yes
-      # memcap: 64mb
-
-      ###########################################################################
-      # Configure libhtp.
-      #
-      #
-      # default-config:           Used when no server-config matches
-      #   personality:            List of personalities used by default
-      #   request-body-limit:     Limit reassembly of request body for inspection
-      #                           by http_client_body & pcre /P option.
-      #   response-body-limit:    Limit reassembly of response body for inspection
-      #                           by file_data, http_server_body & pcre /Q option.
-      #   double-decode-path:     Double decode path section of the URI
-      #   double-decode-query:    Double decode query section of the URI
-      #
-      # server-config:            List of server configurations to use if address matches
-      #   address:                List of ip addresses or networks for this block
-      #   personalitiy:           List of personalities used by this block
-      #   request-body-limit:     Limit reassembly of request body for inspection
-      #                           by http_client_body & pcre /P option.
-      #   response-body-limit:    Limit reassembly of response body for inspection
-      #                           by file_data, http_server_body & pcre /Q option.
-      #   double-decode-path:     Double decode path section of the URI
-      #   double-decode-query:    Double decode query section of the URI
-      #
-      #   uri-include-all:        Include all parts of the URI. By default the
-      #                           'scheme', username/password, hostname and port
-      #                           are excluded. Setting this option to true adds
-      #                           all of them to the normalized uri as inspected
-      #                           by http_uri, urilen, pcre with /U and the other
-      #                           keywords that inspect the normalized uri.
-      #                           Note that this does not affect http_raw_uri.
-      #                           Also, note that including all was the default in
-      #                           1.4 and 2.0beta1.
-      #
-      #   meta-field-limit:       Hard size limit for request and response size
-      #                           limits. Applies to request line and headers,
-      #                           response line and headers. Does not apply to
-      #                           request or response bodies. Default is 18k.
-      #                           If this limit is reached an event is raised.
-      #
-      # Currently Available Personalities:
-      #   Minimal
-      #   Generic
-      #   IDS (default)
-      #   IIS_4_0
-      #   IIS_5_0
-      #   IIS_5_1
-      #   IIS_6_0
-      #   IIS_7_0
-      #   IIS_7_5
-      #   Apache_2
-      ###########################################################################
-      libhtp:
-
-         default-config:
-           personality: IDS
-
-           # Can be specified in kb, mb, gb.  Just a number indicates
-           # it's in bytes.
-           request-body-limit: 3072
-           response-body-limit: 3072
-
-           # inspection limits
-           request-body-minimal-inspect-size: 32kb
-           request-body-inspect-window: 4kb
-           response-body-minimal-inspect-size: 32kb
-           response-body-inspect-window: 4kb
-           # Take a random value for inspection sizes around the specified value.
-           # This lower the risk of some evasion technics but could lead
-           # detection change between runs. It is set to 'yes' by default.
-           #randomize-inspection-sizes: yes
-           # If randomize-inspection-sizes is active, the value of various
-           # inspection size will be choosen in the [1 - range%, 1 + range%]
-           # range
-           # Default value of randomize-inspection-range is 10.
-           #randomize-inspection-range: 10
-
-           # decoding
-           double-decode-path: no
-           double-decode-query: no
-
-         server-config:
-
-           #- apache:
-           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
-           #    personality: Apache_2
-           #    # Can be specified in kb, mb, gb.  Just a number indicates
-           #    # it's in bytes.
-           #    request-body-limit: 4096
-           #    response-body-limit: 4096
-           #    double-decode-path: no
-           #    double-decode-query: no
-
-           #- iis7:
-           #    address:
-           #      - 192.168.0.0/24
-           #      - 192.168.10.0/24
-           #    personality: IIS_7_0
-           #    # Can be specified in kb, mb, gb.  Just a number indicates
-           #    # it's in bytes.
-           #    request-body-limit: 4096
-           #    response-body-limit: 4096
-           #    double-decode-path: no
-           #    double-decode-query: no
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
-  # Run profiling for every xth packet. The default is 1, which means we
-  # profile every packet. If set to 1000, one packet is profiled for every
-  # 1000 received.
-  #sample-rate: 1000
-
-  # rule profiling
-  rules:
-
-    # Profiling can be disabled here, but it will still have a
-    # performance impact if compiled in.
-    enabled: yes
-    filename: rule_perf.log
-    append: yes
-
-    # Sort options: ticks, avgticks, checks, matches, maxticks
-    sort: avgticks
-
-    # Limit the number of items printed at exit.
-    limit: 100
-
-  # per keyword profiling
-  keywords:
-    enabled: yes
-    filename: keyword_perf.log
-    append: yes
-
-  # packet profiling
-  packets:
-
-    # Profiling can be disabled here, but it will still have a
-    # performance impact if compiled in.
-    enabled: yes
-    filename: packet_stats.log
-    append: yes
-
-    # per packet csv output
-    csv:
-
-      # Output can be disabled here, but it will still have a
-      # performance impact if compiled in.
-      enabled: no
-      filename: packet_stats.csv
-
-  # profiling of locking. Only available when Suricata was built with
-  # --enable-profiling-locks.
-  locks:
-    enabled: no
-    filename: lock_stats.log
-    append: yes
-
-# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max-dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max-dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max-dump.
-# Setting max-dump to 0 disables core dumping.
-# Setting max-dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
-# to be 'unlimited'.
-
-coredump:
-  max-dump: unlimited
-
-napatech:
-    # The Host Buffer Allowance for all streams
-    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
-    hba: -1
-
-    # use_all_streams set to "yes" will query the Napatech service for all configured
-    # streams and listen on all of them. When set to "no" the streams config array
-    # will be used.
-    use-all-streams: yes
-
-    # The streams to listen on
-    streams: [1, 2, 3]
-
-# Includes.  Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
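Review bot: near the end of the removed suricata.yaml, `coredump:` sets `max-dump: unlimited`, and the rule, keyword and packet profiling sections are all `enabled: yes`. If this file is re-added elsewhere rather than dropped, an unbounded core file from an IDS process can fill target storage and will hold captured traffic. Set `max-dump: 0` or a fixed size, and turn the profiling outputs off for a shipped default.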
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
deleted file mode 100644
index fbf3784..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-#Type Path        Mode UID  GID  Age Argument
-d /var/log/suricata 0755 root root
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
deleted file mode 100644
index 4627bd3..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/log/suricata none
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
deleted file mode 100644
index 34e72e9..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
-
-SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
-
-DEPENDS = "zlib"
-
-inherit autotools-brokensep pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-#S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-S = "${WORKDIR}/git"
-
-do_configure () {
-    cd ${S}
-    ./autogen.sh
-    oe_runconf
-}
-
-RDEPENDS_${PN} += "zlib"
-
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
deleted file mode 100644
index 85f419e..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
deleted file mode 100644
index a4255d2..0000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ /dev/null
@@ -1,193 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-DEPENDS = "lz4 libhtp"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
-    file://volatiles.03_suricata \
-    file://tmpfiles.suricata \
-    file://suricata.yaml \
-    file://suricata.service \
-    file://run-ptest \
-    file://fixup.patch \
-    "
-
-SRC_URI += " \
-    crate://crates.io/autocfg/1.0.1 \
-    crate://crates.io/semver-parser/0.7.0 \
-    crate://crates.io/arrayvec/0.4.12 \
-    crate://crates.io/ryu/1.0.5 \
-    crate://crates.io/libc/0.2.86 \
-    crate://crates.io/bitflags/1.2.1 \
-    crate://crates.io/version_check/0.9.2 \
-    crate://crates.io/memchr/2.3.4 \
-    crate://crates.io/nodrop/0.1.14 \
-    crate://crates.io/cfg-if/0.1.9 \
-    crate://crates.io/static_assertions/0.3.4 \
-    crate://crates.io/getrandom/0.1.16 \
-    crate://crates.io/cfg-if/1.0.0 \
-    crate://crates.io/siphasher/0.3.3 \
-    crate://crates.io/ppv-lite86/0.2.10 \
-    crate://crates.io/proc-macro-hack/0.5.19 \
-    crate://crates.io/proc-macro2/0.4.30 \
-    crate://crates.io/unicode-xid/0.1.0 \
-    crate://crates.io/syn/0.15.44 \
-    crate://crates.io/build_const/0.2.1 \
-    crate://crates.io/num-derive/0.2.5 \
-    crate://crates.io/base64/0.11.0 \
-    crate://crates.io/widestring/0.4.3 \
-    crate://crates.io/md5/0.7.0 \
-    crate://crates.io/uuid/0.8.2 \
-    crate://crates.io/byteorder/1.4.2 \
-    crate://crates.io/semver/0.9.0 \
-    crate://crates.io/nom/5.1.1 \
-    crate://crates.io/num-traits/0.2.14 \
-    crate://crates.io/num-integer/0.1.44 \
-    crate://crates.io/num-bigint/0.2.6 \
-    crate://crates.io/num-bigint/0.3.1 \
-    crate://crates.io/num-rational/0.2.4 \
-    crate://crates.io/num-complex/0.2.4 \
-    crate://crates.io/num-iter/0.1.42 \
-    crate://crates.io/phf_shared/0.8.0 \
-    crate://crates.io/crc/1.8.1 \
-    crate://crates.io/rustc_version/0.2.3 \
-    crate://crates.io/phf/0.8.0 \
-    crate://crates.io/lexical-core/0.6.7 \
-    crate://crates.io/time/0.1.44 \
-    crate://crates.io/quote/0.6.13 \
-    crate://crates.io/rand_core/0.5.1 \
-    crate://crates.io/rand_chacha/0.2.2 \
-    crate://crates.io/rand_pcg/0.2.1 \
-    crate://crates.io/num-traits/0.1.43 \
-    crate://crates.io/rand/0.7.3 \
-    crate://crates.io/enum_primitive/0.1.1 \
-    crate://crates.io/phf_generator/0.8.0 \
-    crate://crates.io/phf_codegen/0.8.0 \
-    crate://crates.io/tls-parser/0.9.4 \
-    crate://crates.io/num/0.2.1 \
-    crate://crates.io/rusticata-macros/2.1.0 \
-    crate://crates.io/ntp-parser/0.4.0 \
-    crate://crates.io/der-oid-macro/0.2.0 \
-    crate://crates.io/der-parser/3.0.4 \
-    crate://crates.io/ipsec-parser/0.5.0 \
-    crate://crates.io/x509-parser/0.6.5 \
-    crate://crates.io/der-parser/4.1.0 \
-    crate://crates.io/snmp-parser/0.6.0 \
-    crate://crates.io/kerberos-parser/0.5.0 \
-    crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
-    crate://crates.io/winapi/0.3.9 \
-    crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
-    crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
-    crate://crates.io/log/0.4.0 \
-    crate://crates.io/rand_hc/0.2.0 \
-    crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
-    "
-
-# test case support
-SRC_URI += " \
-    crate://crates.io/test-case/1.0.1 \
-    crate://crates.io/proc-macro2/1.0.1 \
-    crate://crates.io/quote/1.0.1 \
-    crate://crates.io/syn/1.0.1 \
-    crate://crates.io/unicode-xid/0.2.0 \
-    "
-
-inherit autotools pkgconfig python3native systemd ptest cargo
-
-EXTRA_OECONF += " --disable-debug \
-    --disable-gccmarch-native \
-    --enable-non-bundled-htp \
-    --disable-suricata-update \
-    --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
-    "
-
-CARGO_SRC_DIR = "rust"
-
-B = "${S}"
-
-PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," 
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap" 
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," 
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," 
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," 
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" 
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," 
-
-export logdir = "${localstatedir}/log"
-
-CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
-
-do_configure_prepend () {
-    oe_runconf
-}
-
-do_compile () {
-    # we do this to bypass the make provided by this pkg 
-    # patches Makefile to skip the subdir
-    cargo_do_compile
-
-    # Finish building
-    cd ${S}
-    make
-}
-
-do_install () {
-    install -d ${D}${sysconfdir}/suricata
-
-    oe_runmake install DESTDIR=${D}
-
-    install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
-    install -m 0644 ${WORKDIR}/volatiles.03_suricata  ${D}${sysconfdir}/default/volatiles/03_suricata
-
-    install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
-    install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
-
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        install -d ${D}${sysconfdir}/tmpfiles.d
-        install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
-
-        install -d ${D}${systemd_unitdir}/system
-        sed  -e s:/etc:${sysconfdir}:g \
-             -e s:/var/run:/run:g \
-             -e s:/var:${localstatedir}:g \
-             -e s:/usr/bin:${bindir}:g \
-             -e s:/bin/kill:${base_bindir}/kill:g \
-             -e s:/usr/lib:${libdir}:g \
-             ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
-    fi
-
-    # Remove /var/run as it is created on startup
-    rm -rf ${D}${localstatedir}/run
-
-    sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
-    sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
-}
-
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
-    systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
-    ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-python"
-FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
index 309acaa..1514524 100644
--- a/meta-security/kas/kas-security-alt.yml
+++ b/meta-security/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@
 
 local_conf_header:
   alt: |
-      DISTRO_FEATURES_append = " apparmor pam smack systemd"
+      DISTRO_FEATURES_append = " systemd"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index aa68336..7096d09 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -14,7 +14,7 @@
 
   poky:
     url: https://git.yoctoproject.org/git/poky
-    refspec: master
+    refspec: hardknott
     layers:
       meta:
       meta-poky:
@@ -22,7 +22,7 @@
 
   meta-openembedded:
     url: http://git.openembedded.org/meta-openembedded
-    refspec: master
+    refspec: hardknott
     layers:
       meta-oe:
       meta-perl:
@@ -35,14 +35,14 @@
     CONF_VERSION = "1"
     SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
     SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
+    SSTATE_DIR = "/home/build/sstate-cache/hardknott"
+    DL_DIR = "/home/build/downloads/hardknott"
     BB_HASHSERVE = "auto"
     BB_SIGNATURE_HANDLER = "OEEquivHash"
     INHERIT += "buildstats buildstats-summary buildhistory"
     INHERIT += "report-error"
     INHERIT += "testimage"
     INHERIT += "rm_work"
-    BB_NUMBER_THREADS="24"
-    BB_NUMBER_PARSE_THREADS="12"
     BB_TASK_NICE_LEVEL = '5'
     BB_TASK_NICE_LEVEL_task-testimage = '0'
     BB_TASK_IONICE_LEVEL = '2.7'
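Review bot: The added SSTATE_DIR and DL_DIR lines hard-code /home/build/... paths, which ties this shared base config to one build host's layout and user account. Consider taking both from the environment or a site-local include so other users of kas-security-base.yml are not forced to create that directory tree. Separately, the unchanged SOURCE_MIRROR_URL and SSTATE_MIRRORS context lines still fetch over plain http; switching them to https is worth checking while this block is being touched.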
@@ -51,6 +51,8 @@
     EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
     PACKAGE_CLASSES = "package_ipk"
 
+    DISTRO_FEATURES_append = " pam apparmor smack"
+    MACHINE_FEATURES_append = " tpm tpm2"
 
   diskmon: |
     BB_DISKMON_DIRS = "\
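Review bot: The TPM features are added here through MACHINE_FEATURES_append, but the per-machine files deleted later in this patch (qemuarm64-tpm2.yml, qemux86-64-tpm.yml, qemux86-64-tpm2.yml) enabled them through DISTRO_FEATURES_append. Anything gated on "tpm" or "tpm2" in DISTRO_FEATURES will no longer be switched on by these configs, so confirm that is intended or add the features to the DISTRO_FEATURES_append line above as well. A short comment saying why the feature moved would help.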
diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml
deleted file mode 100644
index 3a8d8fc..0000000
--- a/meta-security/kas/qemuarm64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
-  version: 8
-  includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  meta-security: |
-    DISTRO_FEATURES_append = " tpm2"
-
-machine: qemuarm64 
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
index 923c213..c5d54d4 100644
--- a/meta-security/kas/qemumips64-alt.yml
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -1,10 +1,6 @@
 header:
   version: 8
   includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  alt: |
-     DISTRO_FEATURES_append = " pam systmed"
+    - kas-security-alt.yml
 
 machine: qemumips64
diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml
deleted file mode 100644
index 565b423..0000000
--- a/meta-security/kas/qemux86-64-tpm.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
-  version: 8
-  includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  meta-security: |
-    DISTRO_FEATURES_append = " tpm"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml
deleted file mode 100644
index a43693e..0000000
--- a/meta-security/kas/qemux86-64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
-  version: 8
-  includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  meta-security: |
-    DISTRO_FEATURES_append = " tpm2"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
index 7b5f451..83a5353 100644
--- a/meta-security/kas/qemux86-test.yml
+++ b/meta-security/kas/qemux86-test.yml
@@ -3,9 +3,4 @@
   includes:
     - kas-security-base.yml
 
-
-local_conf_header:
-  meta-security: |
-      DISTRO_FEATURES_append = " apparmor smack pam"
-
 machine: qemux86
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 9ac0d2c..c723bad 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -80,6 +80,8 @@
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
     "
 
+RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor"
+
 RDEPENDS_packagegroup-meta-security-ptest-packages = "\
     ptest-runner \
     samhain-standalone-ptest \
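Review bot: The new RDEPENDS_packagegroup-security-mac_remove_mipsarch line drops apparmor on MIPS with no explanation. Please add a one-line comment above it giving the reason (build failure, missing kernel support, or similar) so the override can be revisited later instead of lingering.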
diff --git a/poky/bitbake/bin/bitbake-server b/poky/bitbake/bin/bitbake-server
index ffbc789..65796be 100755
--- a/poky/bitbake/bin/bitbake-server
+++ b/poky/bitbake/bin/bitbake-server
@@ -26,7 +26,7 @@
 logfile = sys.argv[4]
 lockname = sys.argv[5]
 sockname = sys.argv[6]
-timeout = sys.argv[7]
+timeout = float(sys.argv[7])
 xmlrpcinterface = (sys.argv[8], int(sys.argv[9]))
 if xmlrpcinterface[0] == "None":
     xmlrpcinterface = (None, xmlrpcinterface[1])
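Review bot: float(sys.argv[7]) is unguarded, so any non-numeric value in that position raises ValueError before the server has set up logging. The matching caller change in process.py passes str(self.server_timeout or 0), which covers None, but a short try/except with a clear error message (or a documented contract that the argument is always numeric) would make a bad invocation easier to diagnose. It is also worth stating in a comment whether 0 means "no timeout" on this side.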
diff --git a/poky/bitbake/lib/bb/fetch2/git.py b/poky/bitbake/lib/bb/fetch2/git.py
index e3ba80a..cf7424e 100644
--- a/poky/bitbake/lib/bb/fetch2/git.py
+++ b/poky/bitbake/lib/bb/fetch2/git.py
@@ -394,7 +394,7 @@
             tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
             try:
                 # Do the checkout. This implicitly involves a Git LFS fetch.
-                self.unpack(ud, tmpdir, d)
+                Git.unpack(self, ud, tmpdir, d)
 
                 # Scoop up a copy of any stuff that Git LFS downloaded. Merge them into
                 # the bare clonedir.
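Review bot: Calling Git.unpack(self, ud, tmpdir, d) instead of self.unpack(...) deliberately bypasses any subclass override, but nothing in the code says so. Please add a comment on that line naming the reason, otherwise a later cleanup is likely to turn it back into self.unpack.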
diff --git a/poky/bitbake/lib/bb/runqueue.py b/poky/bitbake/lib/bb/runqueue.py
index cd56a55..6c41fe6 100644
--- a/poky/bitbake/lib/bb/runqueue.py
+++ b/poky/bitbake/lib/bb/runqueue.py
@@ -2030,8 +2030,6 @@
                             logger.debug("%s didn't become valid, skipping setscene" % nexttask)
                             self.sq_task_failoutright(nexttask)
                             return True
-                        else:
-                            self.sqdata.outrightfail.remove(nexttask)
                     if nexttask in self.sqdata.outrightfail:
                         logger.debug2('No package found, so skipping setscene task %s', nexttask)
                         self.sq_task_failoutright(nexttask)
@@ -2296,10 +2294,16 @@
             self.updated_taskhash_queue.remove((tid, unihash))
 
             if unihash != self.rqdata.runtaskentries[tid].unihash:
-                hashequiv_logger.verbose("Task %s unihash changed to %s" % (tid, unihash))
-                self.rqdata.runtaskentries[tid].unihash = unihash
-                bb.parse.siggen.set_unihash(tid, unihash)
-                toprocess.add(tid)
+                # Make sure we rehash any other tasks with the same task hash that we're deferred against.
+                torehash = [tid]
+                for deftid in self.sq_deferred:
+                    if self.sq_deferred[deftid] == tid:
+                        torehash.append(deftid)
+                for hashtid in torehash:
+                    hashequiv_logger.verbose("Task %s unihash changed to %s" % (hashtid, unihash))
+                    self.rqdata.runtaskentries[hashtid].unihash = unihash
+                    bb.parse.siggen.set_unihash(hashtid, unihash)
+                    toprocess.add(hashtid)
 
         # Work out all tasks which depend upon these
         total = set()
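Review bot: The new loop scans every entry of self.sq_deferred for each (tid, unihash) pair taken off updated_taskhash_queue, which is a full pass per changed hash. If sq_deferred can be large, consider keeping a reverse map from the deferred-against tid to its dependants so the lookup is direct. The verbose log line is now emitted once per rehashed task with the same unihash, so it may be worth saying in the message which tid triggered the rehash.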
@@ -2827,6 +2831,8 @@
             sqdata.stamppresent.remove(tid)
         if tid in sqdata.valid:
             sqdata.valid.remove(tid)
+        if tid in sqdata.outrightfail:
+            sqdata.outrightfail.remove(tid)
 
         noexec, stamppresent = check_setscene_stamps(tid, rqdata, rq, stampcache, noexecstamp=True)
 
@@ -2845,6 +2851,7 @@
     sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary)
 
     sqdata.hashes = {}
+    sqrq.sq_deferred = {}
     for mc in sorted(sqdata.multiconfigs):
         for tid in sorted(sqdata.sq_revdeps):
             if mc_from_tid(tid) != mc:
@@ -2857,10 +2864,13 @@
                 continue
             if tid in sqrq.scenequeue_notcovered:
                 continue
-            sqdata.outrightfail.add(tid)
+            if tid in sqrq.scenequeue_covered:
+                continue
 
             h = pending_hash_index(tid, rqdata)
             if h not in sqdata.hashes:
+                if tid in tids:
+                    sqdata.outrightfail.add(tid)
                 sqdata.hashes[h] = tid
             else:
                 sqrq.sq_deferred[tid] = sqdata.hashes[h]
diff --git a/poky/bitbake/lib/bb/server/process.py b/poky/bitbake/lib/bb/server/process.py
index b27b4ae..3e99bce 100644
--- a/poky/bitbake/lib/bb/server/process.py
+++ b/poky/bitbake/lib/bb/server/process.py
@@ -509,7 +509,7 @@
         os.set_inheritable(self.bitbake_lock.fileno(), True)
         os.set_inheritable(self.readypipein, True)
         serverscript = os.path.realpath(os.path.dirname(__file__) + "/../../../bin/bitbake-server")
-        os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname,  str(self.server_timeout), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
+        os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname,  str(self.server_timeout or 0), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
 
 def execServer(lockfd, readypipeinfd, lockname, sockname, server_timeout, xmlrpcinterface):
 
diff --git a/poky/bitbake/lib/bb/tests/fetch.py b/poky/bitbake/lib/bb/tests/fetch.py
index ddf6e97..b921a95 100644
--- a/poky/bitbake/lib/bb/tests/fetch.py
+++ b/poky/bitbake/lib/bb/tests/fetch.py
@@ -390,6 +390,7 @@
         if os.environ.get("BB_TMPDIR_NOCLEAN") == "yes":
             print("Not cleaning up %s. Please remove manually." % self.tempdir)
         else:
+            bb.process.run('chmod u+rw -R %s' % self.tempdir)
             bb.utils.prunedir(self.tempdir)
 
 class MirrorUriTest(FetcherTest):
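Review bot: The added chmod call interpolates self.tempdir into a shell string without quoting, while the similar call added further down for ud.clonedir uses "%s". A temporary directory path containing a space or shell metacharacter would break this cleanup, so quote it the same way. Also check whether u+rw is enough here: without the execute bit on directories the recursive walk and the following prunedir cannot descend, and u+rwX would cover that.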
@@ -679,6 +680,8 @@
                                    prefix='gitfetch_localusehead_')
         src_dir = os.path.abspath(src_dir)
         bb.process.run("git init", cwd=src_dir)
+        bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
+        bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
         bb.process.run("git commit --allow-empty -m'Dummy commit'",
                        cwd=src_dir)
         # Use other branch than master
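Review bot: The same two git config user.email / user.name lines are pasted into this test and seven more setups below, with inconsistent quoting, and the annex test uses commit --author instead. A single helper on the test base class, or setting the author and committer identity once in the environment used by the tests, would remove the duplication and keep new tests from hitting the same failure.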
@@ -705,6 +708,8 @@
                                    prefix='gitfetch_localusehead_')
         src_dir = os.path.abspath(src_dir)
         bb.process.run("git init", cwd=src_dir)
+        bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
+        bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
         bb.process.run("git commit --allow-empty -m'Dummy commit'",
                        cwd=src_dir)
         # Use other branch than master
@@ -1390,6 +1395,8 @@
         self.gitdir = os.path.join(self.tempdir, 'gitshallow')
         bb.utils.mkdirhier(self.gitdir)
         bb.process.run('git init', cwd=self.gitdir)
+        bb.process.run('git config user.email "you@example.com"', cwd=self.gitdir)
+        bb.process.run('git config user.name "Your Name"', cwd=self.gitdir)
 
     def assertRefs(self, expected_refs):
         actual_refs = self.git(['for-each-ref', '--format=%(refname)']).splitlines()
@@ -1513,6 +1520,8 @@
 
         bb.utils.mkdirhier(self.srcdir)
         self.git('init', cwd=self.srcdir)
+        self.git('config user.email "you@example.com"', cwd=self.srcdir)
+        self.git('config user.name "Your Name"', cwd=self.srcdir)
         self.d.setVar('WORKDIR', self.tempdir)
         self.d.setVar('S', self.gitdir)
         self.d.delVar('PREMIRRORS')
@@ -1594,6 +1603,7 @@
 
         # fetch and unpack, from the shallow tarball
         bb.utils.remove(self.gitdir, recurse=True)
+        bb.process.run('chmod u+w -R "%s"' % ud.clonedir)
         bb.utils.remove(ud.clonedir, recurse=True)
         bb.utils.remove(ud.clonedir.replace('gitsource', 'gitsubmodule'), recurse=True)
 
@@ -1746,6 +1756,8 @@
         smdir = os.path.join(self.tempdir, 'gitsubmodule')
         bb.utils.mkdirhier(smdir)
         self.git('init', cwd=smdir)
+        self.git('config user.email "you@example.com"', cwd=smdir)
+        self.git('config user.name "Your Name"', cwd=smdir)
         # Make this look like it was cloned from a remote...
         self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
         self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1776,6 +1788,8 @@
         smdir = os.path.join(self.tempdir, 'gitsubmodule')
         bb.utils.mkdirhier(smdir)
         self.git('init', cwd=smdir)
+        self.git('config user.email "you@example.com"', cwd=smdir)
+        self.git('config user.name "Your Name"', cwd=smdir)
         # Make this look like it was cloned from a remote...
         self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
         self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1818,8 +1832,8 @@
             self.git('annex init', cwd=self.srcdir)
             open(os.path.join(self.srcdir, 'c'), 'w').close()
             self.git('annex add c', cwd=self.srcdir)
-            self.git('commit -m annex-c -a', cwd=self.srcdir)
-            bb.process.run('chmod u+w -R %s' % os.path.join(self.srcdir, '.git', 'annex'))
+            self.git('commit --author "Foo Bar <foo@bar>" -m annex-c -a', cwd=self.srcdir)
+            bb.process.run('chmod u+w -R %s' % self.srcdir)
 
             uri = 'gitannex://%s;protocol=file;subdir=${S}' % self.srcdir
             fetcher, ud = self.fetch_shallow(uri)
@@ -2094,6 +2108,8 @@
 
         bb.utils.mkdirhier(self.srcdir)
         self.git('init', cwd=self.srcdir)
+        self.git('config user.email "you@example.com"', cwd=self.srcdir)
+        self.git('config user.name "Your Name"', cwd=self.srcdir)
         with open(os.path.join(self.srcdir, '.gitattributes'), 'wt') as attrs:
             attrs.write('*.mp3 filter=lfs -text')
         self.git(['add', '.gitattributes'], cwd=self.srcdir)
diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py
index 5a2e25f..a764ea4 100644
--- a/poky/documentation/conf.py
+++ b/poky/documentation/conf.py
@@ -16,7 +16,7 @@
 import sys
 import datetime
 
-current_version = "dev"
+current_version = "3.3.1"
 
 # String used in sidebar
 version = 'Version: ' + current_version
diff --git a/poky/documentation/poky.yaml b/poky/documentation/poky.yaml
index 8ccb359..a273de3 100644
--- a/poky/documentation/poky.yaml
+++ b/poky/documentation/poky.yaml
@@ -1,12 +1,12 @@
-DISTRO : "3.2.3"
-DISTRO_NAME_NO_CAP : "gatesgarth"
-DISTRO_NAME : "Gatesgarth"
-DISTRO_NAME_NO_CAP_MINUS_ONE : "dunfell"
-DISTRO_NAME_NO_CAP_LTS : "dunfell"
-YOCTO_DOC_VERSION : "3.2.3"
-YOCTO_DOC_VERSION_MINUS_ONE : "3.1.6"
-DISTRO_REL_TAG : "yocto-3.2.3"
-POKYVERSION : "24.0.3"
+DISTRO : "3.3.1"
+DISTRO_NAME_NO_CAP : "hardknott"
+DISTRO_NAME : "Hardknott"
+DISTRO_NAME_NO_CAP_MINUS_ONE : "gatesgarth"
+DISTRO_NAME_NO_CAP_LTS : "gatesgarth"
+YOCTO_DOC_VERSION : "3.3.1"
+YOCTO_DOC_VERSION_MINUS_ONE : "3.2.4"
+DISTRO_REL_TAG : "yocto-3.3.1"
+POKYVERSION : "25.0.1"
 YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
 YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
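Review bot: DISTRO_NAME_NO_CAP_LTS is changed from "dunfell" to "gatesgarth" in the same way as DISTRO_NAME_NO_CAP_MINUS_ONE, which looks like a mechanical bump of both lines. If this variable is meant to name the long-term-support series rather than the previous release, it should stay "dunfell"; please confirm which is intended.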
diff --git a/poky/documentation/releases.rst b/poky/documentation/releases.rst
index 6a65b9f..daf8912 100644
--- a/poky/documentation/releases.rst
+++ b/poky/documentation/releases.rst
@@ -5,6 +5,14 @@
 =========================
 
 *******************************
+3.3 'hardknott' Release Series
+*******************************
+
+- :yocto_docs:`3.3 Documentation </3.3>`
+- :yocto_docs:`3.3.1 Documentation </3.3.1>`
+
+
+*******************************
 3.2 'gatesgarth' Release Series
 *******************************
 
@@ -12,6 +20,7 @@
 - :yocto_docs:`3.2.1 Documentation </3.2.1>`
 - :yocto_docs:`3.2.2 Documentation </3.2.2>`
 - :yocto_docs:`3.2.3 Documentation </3.2.3>`
+- :yocto_docs:`3.2.4 Documentation </3.2.4>`
 
 ****************************
 3.1 'dunfell' Release Series
diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf
index c098b30..dac8f4d 100644
--- a/poky/meta-poky/conf/distro/poky.conf
+++ b/poky/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.3"
+DISTRO_VERSION = "3.3.1"
 DISTRO_CODENAME = "hardknott"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass
index 858507b..a396230 100644
--- a/poky/meta/classes/archiver.bbclass
+++ b/poky/meta/classes/archiver.bbclass
@@ -118,7 +118,7 @@
         d.appendVarFlag('do_deploy_archives', 'depends', ' %s:do_ar_patched' % pn)
     elif ar_src == "configured":
         # We can't use "addtask do_ar_configured after do_configure" since it
-        # will cause the deptask of do_populate_sysroot to run not matter what
+        # will cause the deptask of do_populate_sysroot to run no matter what
         # archives we need, so we add the depends here.
 
         # There is a corner case with "gcc-source-${PV}" recipes, they don't have
@@ -163,7 +163,7 @@
                 d.appendVarFlag('do_package_write_rpm', 'depends', ' %s:do_ar_configured' % pn)
 }
 
-# Take all the sources for a recipe and puts them in WORKDIR/archiver-work/.
+# Take all the sources for a recipe and put them in WORKDIR/archiver-work/.
 # Files in SRC_URI are copied directly, anything that's a directory
 # (e.g. git repositories) is "unpacked" and then put into a tarball.
 python do_ar_original() {
@@ -463,7 +463,7 @@
     ar_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
     pn = d.getVar('PN')
 
-    # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
+    # The kernel class functions require it to be on work-shared, so we don't change WORKDIR
     if not is_work_shared(d):
         # Change the WORKDIR to make do_unpack do_patch run in another dir.
         d.setVar('WORKDIR', ar_workdir)
@@ -505,7 +505,7 @@
 # of the output file ensures that we create it each time the recipe
 # gets rebuilt, at least as long as a PR server is used. We also rely
 # on that mechanism to catch changes in the file content, because the
-# file content is not part of of the task signature either.
+# file content is not part of the task signature either.
 do_ar_recipe[vardepsexclude] += "BBINCLUDED"
 python do_ar_recipe () {
     """
diff --git a/poky/meta/classes/cmake.bbclass b/poky/meta/classes/cmake.bbclass
index 8876ce5..f01db74 100644
--- a/poky/meta/classes/cmake.bbclass
+++ b/poky/meta/classes/cmake.bbclass
@@ -149,16 +149,14 @@
 
 CONFIGURE_FILES = "CMakeLists.txt"
 
+do_configure[cleandirs] = "${@d.getVar('B') if d.getVar('S') != d.getVar('B') else ''}"
+
 cmake_do_configure() {
 	if [ "${OECMAKE_BUILDPATH}" ]; then
 		bbnote "cmake.bbclass no longer uses OECMAKE_BUILDPATH.  The default behaviour is now out-of-tree builds with B=WORKDIR/build."
 	fi
 
-	if [ "${S}" != "${B}" ]; then
-		rm -rf ${B}
-		mkdir -p ${B}
-		cd ${B}
-	else
+	if [ "${S}" = "${B}" ]; then
 		find ${B} -name CMakeFiles -or -name Makefile -or -name cmake_install.cmake -or -name CMakeCache.txt -delete
 	fi
 
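Review bot: In the branch that is kept for S equal to B, the find expression chains -name tests with -or and ends in -delete without grouping. Because the implicit "and" binds tighter than -or, -delete applies only to the last test (CMakeCache.txt), so CMakeFiles, Makefile and cmake_install.cmake are matched but never removed. Wrap the name tests in \( ... \) before -delete, and note that CMakeFiles is a directory, which -delete cannot remove unless it is already empty.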
diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass
index 54cc7ed..3d6b80b 100644
--- a/poky/meta/classes/externalsrc.bbclass
+++ b/poky/meta/classes/externalsrc.bbclass
@@ -217,11 +217,10 @@
             env['GIT_INDEX_FILE'] = tmp_index.name
             subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
             git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
-            submodule_helper = subprocess.check_output(['git', 'submodule', 'status'], cwd=s_dir, env=env).decode("utf-8")
+            submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8")
             for line in submodule_helper.splitlines():
-                module_relpath = line.split()[1]
-                if not module_relpath.split('/')[0] == '..':
-                    module_dir = os.path.join(s_dir, module_relpath)
+                module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
+                if os.path.isdir(module_dir):
                     proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
                     proc.communicate()
                     proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
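Review bot: The replacement command, git submodule--helper list, is an internal helper rather than a documented git interface, so its availability and output format are not guaranteed across git versions on build hosts. Consider a documented source for the submodule paths. In the same loop, line.rsplit(maxsplit=1)[1] raises IndexError on any output line with a single field, so a length check before indexing would be safer.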
diff --git a/poky/meta/classes/image.bbclass b/poky/meta/classes/image.bbclass
index 013455f..353cc67 100644
--- a/poky/meta/classes/image.bbclass
+++ b/poky/meta/classes/image.bbclass
@@ -657,7 +657,7 @@
         fi
         # Set mtime of all files to a reproducible value
         bbnote "reproducible_final_image_task: mtime set to $REPRODUCIBLE_TIMESTAMP_ROOTFS"
-        find  ${IMAGE_ROOTFS} -exec touch -h  --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} \;
+        find  ${IMAGE_ROOTFS} -print0 | xargs -0 touch -h  --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS
     fi
 }
 
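Review bot: Replacing find -exec with find | xargs means the exit status of the pipeline is that of xargs only, so a failure in find (for example an unreadable directory under IMAGE_ROOTFS) is now silently ignored unless the shell has pipefail set. If the goal is only to batch the touch calls, find ... -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} + gives the same batching without the pipe.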
diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass
index fa05fc0..763d5f1 100644
--- a/poky/meta/classes/insane.bbclass
+++ b/poky/meta/classes/insane.bbclass
@@ -176,7 +176,7 @@
             if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
                 # The dynamic linker searches both these places anyway.  There is no point in
                 # looking there again.
-                package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath))
+                package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
 
 QAPATHTEST[dev-so] = "package_qa_check_dev"
 def package_qa_check_dev(path, name, d, elf, messages):
@@ -185,8 +185,8 @@
     """
 
     if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
-        package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+        package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
+                 (name, package_qa_clean_path(path, d, name)))
 
 QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
 def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -196,8 +196,8 @@
     install link-time .so files that are linker scripts.
     """
     if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
-        package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+        package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
+                 (name, package_qa_clean_path(path, d, name)))
 
 QAPATHTEST[staticdev] = "package_qa_check_staticdev"
 def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -210,7 +210,7 @@
 
     if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
         package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+                 (name, package_qa_clean_path(path,d, name)))
 
 QAPATHTEST[mime] = "package_qa_check_mime"
 def package_qa_check_mime(path, name, d, elf, messages):
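Review bot: The staticdev message keeps the old wording ("... static .a library: %s path '%s'") while the dev-so and dev-elf messages in the previous hunks were reworded to put the package name inline. Please update this one to match so the QA output is consistent, and fix the argument spacing in package_qa_clean_path(path,d, name) while there.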
diff --git a/poky/meta/classes/kernel-yocto.bbclass b/poky/meta/classes/kernel-yocto.bbclass
index 15c8dbb..30f07de 100644
--- a/poky/meta/classes/kernel-yocto.bbclass
+++ b/poky/meta/classes/kernel-yocto.bbclass
@@ -378,7 +378,7 @@
 	# checkout and clobber any unimportant files
 	git checkout -f ${machine_branch}
 }
-do_kernel_checkout[dirs] = "${S}"
+do_kernel_checkout[dirs] = "${S} ${WORKDIR}"
 
 addtask kernel_checkout before do_kernel_metadata after do_symlink_kernsrc
 addtask kernel_metadata after do_validate_branches do_unpack before do_patch
diff --git a/poky/meta/classes/license_image.bbclass b/poky/meta/classes/license_image.bbclass
index c96b032..73cebb4 100644
--- a/poky/meta/classes/license_image.bbclass
+++ b/poky/meta/classes/license_image.bbclass
@@ -1,3 +1,5 @@
+ROOTFS_LICENSE_DIR = "${IMAGE_ROOTFS}/usr/share/common-licenses"
+
 python write_package_manifest() {
     # Get list of installed packages
     license_image_dir = d.expand('${LICENSE_DIRECTORY}/${IMAGE_NAME}')
@@ -104,8 +106,7 @@
     copy_lic_manifest = d.getVar('COPY_LIC_MANIFEST')
     copy_lic_dirs = d.getVar('COPY_LIC_DIRS')
     if rootfs and copy_lic_manifest == "1":
-        rootfs_license_dir = os.path.join(d.getVar('IMAGE_ROOTFS'), 
-                                'usr', 'share', 'common-licenses')
+        rootfs_license_dir = d.getVar('ROOTFS_LICENSE_DIR')
         bb.utils.mkdirhier(rootfs_license_dir)
         rootfs_license_manifest = os.path.join(rootfs_license_dir,
                 os.path.split(license_manifest)[1])
@@ -143,12 +144,13 @@
                             continue
 
                         # Make sure we use only canonical name for the license file
-                        rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)
+                        generic_lic_file = "generic_%s" % generic_lic
+                        rootfs_license = os.path.join(rootfs_license_dir, generic_lic_file)
                         if not os.path.exists(rootfs_license):
                             oe.path.copyhardlink(pkg_license, rootfs_license)
 
                         if not os.path.exists(pkg_rootfs_license):
-                            os.symlink(os.path.join('..', lic), pkg_rootfs_license)
+                            os.symlink(os.path.join('..', generic_lic_file), pkg_rootfs_license)
                     else:
                         if (oe.license.license_ok(canonical_license(d,
                                 lic), bad_licenses) == False or
@@ -267,3 +269,13 @@
 addtask populate_lic_deploy before do_build after do_image_complete
 do_populate_lic_deploy[recrdeptask] += "do_populate_lic do_deploy"
 
+python license_qa_dead_symlink() {
+    import os
+
+    for root, dirs, files in os.walk(d.getVar('ROOTFS_LICENSE_DIR')):
+        for file in files:
+            full_path = root + "/" + file
+            if os.path.islink(full_path) and not os.path.exists(full_path):
+                bb.error("broken symlink: " + full_path)
+}
+IMAGE_QA_COMMANDS += "license_qa_dead_symlink"
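Review bot: In license_qa_dead_symlink the path is built with root + "/" + file; os.path.join(root, file) is the convention used elsewhere in this class. The function also only inspects the files list from os.walk, so please add a brief docstring stating that it checks for dangling links under ROOTFS_LICENSE_DIR and what the expected outcome is when one is found (bb.error is called per link, with no summary or explicit failure raised from the function).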
diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass
index 894f0e3..a2ac4ee 100644
--- a/poky/meta/classes/sanity.bbclass
+++ b/poky/meta/classes/sanity.bbclass
@@ -392,9 +392,12 @@
             msg = data.getVar('CONNECTIVITY_CHECK_MSG') or ""
             if len(msg) == 0:
                 msg = "%s.\n" % err
-                msg += "    Please ensure your host's network is configured correctly,\n"
-                msg += "    or set BB_NO_NETWORK = \"1\" to disable network access if\n"
-                msg += "    all required sources are on local disk.\n"
+                msg += "    Please ensure your host's network is configured correctly.\n"
+                msg += "    If your ISP or network is blocking the above URL,\n"
+                msg += "    try with another domain name, for example by setting:\n"
+                msg += "    CONNECTIVITY_CHECK_URIS = \"https://www.yoctoproject.org/\""
+                msg += "    You could also set BB_NO_NETWORK = \"1\" to disable network\n"
+                msg += "    access if all required sources are on local disk.\n"
             retval = msg
 
     return retval
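Review bot: The added line that suggests CONNECTIVITY_CHECK_URIS = "https://www.yoctoproject.org/" has no trailing \n, unlike every other msg += line in this block. The following "You could also set BB_NO_NETWORK" text will be printed on the same line, directly after the closing quote. Add \n to the end of that string.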
@@ -887,6 +890,8 @@
         status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.")
     if oeroot.find('@') != -1:
         status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.")
+    if oeroot.find('%') != -1:
+        status.addresult("Error, you have an invalid character (%) in your COREBASE directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters.") 
     if oeroot.find(' ') != -1:
         status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.")
 
diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc
index a2a2dd1..05b79d1 100644
--- a/poky/meta/conf/distro/include/yocto-uninative.inc
+++ b/poky/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
 
 UNINATIVE_MAXGLIBCVERSION = "2.33"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.0/"
-UNINATIVE_CHECKSUM[aarch64] ?= "1c668909098c5b56132067adc69a249cb771f4560428e5822de903a12d97bf33"
-UNINATIVE_CHECKSUM[i686] ?= "e6cc2fc056234cffa6a2ff084cce27d544ea3f487a62b5e253351cefd4421900"
-UNINATIVE_CHECKSUM[x86_64] ?= "5ec5a9276046e7eceeac749a18b175667384e1f445cd4526300a41404d985a5b"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/"
+UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024"
+UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c"
+UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e"
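Review bot: UNINATIVE_URL is bumped to the 3.1 directory but still uses http://. The SHA-256 values in UNINATIVE_CHECKSUM protect the integrity of the tarball itself, but fetching over https would also protect the transfer and is a one-word change on the line already being edited.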
diff --git a/poky/meta/conf/machine/include/arm/arch-armv6m.inc b/poky/meta/conf/machine/include/arm/arch-armv6m.inc
old mode 100755
new mode 100644
diff --git a/poky/meta/lib/oe/package_manager/__init__.py b/poky/meta/lib/oe/package_manager/__init__.py
index 8e7128b..4d22bc0 100644
--- a/poky/meta/lib/oe/package_manager/__init__.py
+++ b/poky/meta/lib/oe/package_manager/__init__.py
@@ -189,7 +189,7 @@
         bb.utils.remove(self.intercepts_dir, True)
         bb.utils.mkdirhier(self.intercepts_dir)
         for intercept in postinst_intercepts:
-            bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+            shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
 
     @abstractmethod
     def _handle_intercept_failure(self, failed_script):
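Review bot: The switch from bb.utils.copyfile to shutil.copy needs shutil to be imported at module level, and no import change is part of this hunk; please confirm it is already there. A short comment on why shutil.copy is preferred for the intercept scripts (for example, which file attributes need to be kept or dropped) would also help reviewers.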
diff --git a/poky/meta/lib/oe/package_manager/deb/sdk.py b/poky/meta/lib/oe/package_manager/deb/sdk.py
index 9859d8f..f4b0b65 100644
--- a/poky/meta/lib/oe/package_manager/deb/sdk.py
+++ b/poky/meta/lib/oe/package_manager/deb/sdk.py
@@ -65,6 +65,8 @@
 
         self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY'))
 
+        self.target_pm.run_pre_post_installs()
+
         self.target_pm.run_intercepts(populate_sdk='target')
 
         execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND"))
@@ -78,6 +80,8 @@
         self._populate_sysroot(self.host_pm, self.host_manifest)
         self.install_locales(self.host_pm)
 
+        self.host_pm.run_pre_post_installs()
+
         self.host_pm.run_intercepts(populate_sdk='host')
 
         execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py
index 5f81023..d634add 100644
--- a/poky/meta/lib/oe/rootfs.py
+++ b/poky/meta/lib/oe/rootfs.py
@@ -305,7 +305,7 @@
     def _check_for_kernel_modules(self, modules_dir):
         for root, dirs, files in os.walk(modules_dir, topdown=True):
             for name in files:
-                found_ko = name.endswith(".ko")
+                found_ko = name.endswith((".ko", ".ko.gz", ".ko.xz"))
                 if found_ko:
                     return found_ko
         return False
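Review bot: the suffix tuple on the `+` line is hard-coded to .ko, .ko.gz and .ko.xz, so a module tree using any other compression suffix (for example .ko.zst) still makes this function return False. Consider a module-level constant listing the accepted suffixes, with a comment on where the list comes from, so it is easy to extend.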
diff --git a/poky/meta/lib/oe/terminal.py b/poky/meta/lib/oe/terminal.py
index 61c2687..59aa80d 100644
--- a/poky/meta/lib/oe/terminal.py
+++ b/poky/meta/lib/oe/terminal.py
@@ -163,7 +163,12 @@
         # devshells, if it's already there, add a new window to it.
         window_name = 'devshell-%i' % os.getpid()
 
-        self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name)
+        self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
+        if not check_tmux_version('1.9'):
+            # `tmux new-session -c` was added in 1.9;
+            # older versions fail with that flag
+            self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
+        self.command = self.command.format(window_name)
         Terminal.__init__(self, sh_cmd, title, env, d)
 
         attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +258,18 @@
         except OSError:
            return
 
+def check_tmux_version(desired):
+    vernum = check_terminal_version("tmux")
+    if vernum and LooseVersion(vernum) < desired:
+        return False
+    return vernum
+
 def check_tmux_pane_size(tmux):
     import subprocess as sub
     # On older tmux versions (<1.9), return false. The reason
     # is that there is no easy way to get the height of the active panel
     # on current window without nested formats (available from version 1.9)
-    vernum = check_terminal_version("tmux")
-    if vernum and LooseVersion(vernum) < '1.9':
+    if not check_tmux_version('1.9'):
         return False
     try:
         p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
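Review bot: check_tmux_version() returns `vernum` when the version test passes, and that value is None when check_terminal_version() cannot determine a version, so `not check_tmux_version('1.9')` is now true for an unknown version. The removed lines in check_tmux_pane_size() only returned False when a version was known and older than 1.9; with this change an unknown version also returns False here, and the tmux command built earlier drops `-c "{cwd}"`. If that is intended, state it in the comment; otherwise have the helper return an explicit True/False and decide which way an unknown version should go.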
diff --git a/poky/meta/lib/oeqa/core/case.py b/poky/meta/lib/oeqa/core/case.py
index aae451f..bc4446a 100644
--- a/poky/meta/lib/oeqa/core/case.py
+++ b/poky/meta/lib/oeqa/core/case.py
@@ -43,8 +43,13 @@
         clss.tearDownClassMethod()
 
     def _oeSetUp(self):
-        for d in self.decorators:
-            d.setUpDecorator()
+        try:
+            for d in self.decorators:
+                d.setUpDecorator()
+        except:
+            for d in self.decorators:
+                d.tearDownDecorator()
+            raise
         self.setUpMethod()
 
     def _oeTearDown(self):
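Review bot: in the new except branch, tearDownDecorator() is called on every decorator, including those whose setUpDecorator() never ran, and an exception raised by any tearDownDecorator() replaces the original setup failure. Track which decorators completed setup and tear down only those, in reverse order, wrapping each teardown so the original exception is the one re-raised. The bare `except:` should be written as `except BaseException:` if catching interrupts is intended, so the choice is visible.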
diff --git a/poky/meta/lib/oeqa/core/decorator/oetimeout.py b/poky/meta/lib/oeqa/core/decorator/oetimeout.py
index df90d1c..5e6873a 100644
--- a/poky/meta/lib/oeqa/core/decorator/oetimeout.py
+++ b/poky/meta/lib/oeqa/core/decorator/oetimeout.py
@@ -24,5 +24,6 @@
 
     def tearDownDecorator(self):
         signal.alarm(0)
-        signal.signal(signal.SIGALRM, self.alarmSignal)
-        self.logger.debug("Removed SIGALRM handler")
+        if hasattr(self, 'alarmSignal'):
+            signal.signal(signal.SIGALRM, self.alarmSignal)
+            self.logger.debug("Removed SIGALRM handler")
diff --git a/poky/meta/lib/oeqa/core/tests/cases/timeout.py b/poky/meta/lib/oeqa/core/tests/cases/timeout.py
index 5dfecc7..69cf969 100644
--- a/poky/meta/lib/oeqa/core/tests/cases/timeout.py
+++ b/poky/meta/lib/oeqa/core/tests/cases/timeout.py
@@ -8,6 +8,7 @@
 
 from oeqa.core.case import OETestCase
 from oeqa.core.decorator.oetimeout import OETimeout
+from oeqa.core.decorator.depends import OETestDepends
 
 class TimeoutTest(OETestCase):
 
@@ -19,3 +20,15 @@
     def testTimeoutFail(self):
         sleep(2)
         self.assertTrue(True, msg='How is this possible?')
+
+
+    def testTimeoutSkip(self):
+        self.skipTest("This test needs to be skipped, so that testTimeoutDepends()'s OETestDepends kicks in")
+
+    @OETestDepends(["timeout.TimeoutTest.testTimeoutSkip"])
+    @OETimeout(3)
+    def testTimeoutDepends(self):
+        self.assertTrue(False, msg='How is this possible?')
+
+    def testTimeoutUnrelated(self):
+        sleep(6)
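Review bot: testTimeoutUnrelated only proves anything because sleep(6) is longer than the OETimeout(3) on testTimeoutDepends, but nothing in the test says so. Add a comment tying the two values together so that a later change to either does not leave a test that passes without exercising a leaked alarm. The doubled blank line before testTimeoutSkip can be reduced to one.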
diff --git a/poky/meta/lib/oeqa/core/tests/test_decorators.py b/poky/meta/lib/oeqa/core/tests/test_decorators.py
index b798bf7..5095f39 100755
--- a/poky/meta/lib/oeqa/core/tests/test_decorators.py
+++ b/poky/meta/lib/oeqa/core/tests/test_decorators.py
@@ -133,5 +133,11 @@
         msg = "OETestTimeout didn't restore SIGALRM"
         self.assertIs(alarm_signal, signal.getsignal(signal.SIGALRM), msg=msg)
 
+    def test_timeout_cancel(self):
+        tests = ['timeout.TimeoutTest.testTimeoutSkip', 'timeout.TimeoutTest.testTimeoutDepends', 'timeout.TimeoutTest.testTimeoutUnrelated']
+        msg = 'Unrelated test failed to complete'
+        tc = self._testLoader(modules=self.modules, tests=tests)
+        self.assertTrue(tc.runTests().wasSuccessful(), msg=msg)
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/poky/meta/lib/oeqa/runtime/cases/date.py b/poky/meta/lib/oeqa/runtime/cases/date.py
index fdd2a6a..e143229 100644
--- a/poky/meta/lib/oeqa/runtime/cases/date.py
+++ b/poky/meta/lib/oeqa/runtime/cases/date.py
@@ -13,12 +13,12 @@
     def setUp(self):
         if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
             self.logger.debug('Stopping systemd-timesyncd daemon')
-            self.target.run('systemctl disable --now systemd-timesyncd')
+            self.target.run('systemctl disable --now --runtime systemd-timesyncd')
 
     def tearDown(self):
         if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
             self.logger.debug('Starting systemd-timesyncd daemon')
-            self.target.run('systemctl enable --now systemd-timesyncd')
+            self.target.run('systemctl enable --now --runtime systemd-timesyncd')
 
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     @OEHasPackage(['coreutils', 'busybox'])
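Review bot: tearDown runs `systemctl enable --now --runtime systemd-timesyncd` regardless of whether the unit was enabled or running before setUp, and neither self.target.run() call checks its result. Record the unit state in setUp and restore that state, and log or fail when the disable step does not succeed, since the date test is meaningless with timesyncd still running.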
diff --git a/poky/meta/lib/oeqa/runtime/cases/parselogs.py b/poky/meta/lib/oeqa/runtime/cases/parselogs.py
index 4714741..1bb0425 100644
--- a/poky/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/poky/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -88,6 +88,8 @@
     'tsc: HPET/PMTIMER calibration failed',
     "modeset(0): Failed to initialize the DRI2 extension",
     "glamor initialization failed",
+    "blk_update_request: I/O error, dev fd0, sector 0 op 0x0:(READ)",
+    "floppy: error",
 ] + common_errors
 
 ignore_errors = {
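Review bot: the second added entry, "floppy: error", is a short substring that will suppress any log line containing it, not only the fd0 read error listed just above. Narrow it to the exact message seen, and add a comment naming the machine or configuration that produces it so the entry can be removed when no longer needed.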
diff --git a/poky/meta/lib/oeqa/runtime/cases/rtc.py b/poky/meta/lib/oeqa/runtime/cases/rtc.py
index a34c101..c4e6681 100644
--- a/poky/meta/lib/oeqa/runtime/cases/rtc.py
+++ b/poky/meta/lib/oeqa/runtime/cases/rtc.py
@@ -9,12 +9,12 @@
     def setUp(self):
         if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
             self.logger.debug('Stopping systemd-timesyncd daemon')
-            self.target.run('systemctl disable --now systemd-timesyncd')
+            self.target.run('systemctl disable --now --runtime systemd-timesyncd')
 
     def tearDown(self):
         if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
             self.logger.debug('Starting systemd-timesyncd daemon')
-            self.target.run('systemctl enable --now systemd-timesyncd')
+            self.target.run('systemctl enable --now --runtime systemd-timesyncd')
 
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     @OEHasPackage(['coreutils', 'busybox'])
diff --git a/poky/meta/lib/oeqa/runtime/decorator/package.py b/poky/meta/lib/oeqa/runtime/decorator/package.py
index 5717865..2d7e174 100644
--- a/poky/meta/lib/oeqa/runtime/decorator/package.py
+++ b/poky/meta/lib/oeqa/runtime/decorator/package.py
@@ -45,14 +45,14 @@
             msg = 'Checking if %s is not installed' % ', '.join(unneed_pkgs)
             self.logger.debug(msg)
             if not self.case.tc.image_packages.isdisjoint(unneed_pkgs):
-                msg = "Test can't run with %s installed" % ', or'.join(unneed_pkgs)
+                msg = "Test can't run with %s installed" % ', or '.join(unneed_pkgs)
                 self._decorator_fail(msg)
 
         if need_pkgs:
             msg = 'Checking if at least one of %s is installed' % ', '.join(need_pkgs)
             self.logger.debug(msg)
             if self.case.tc.image_packages.isdisjoint(need_pkgs):
-                msg = "Test requires %s to be installed" % ', or'.join(need_pkgs)
+                msg = "Test requires %s to be installed" % ', or '.join(need_pkgs)
                 self._decorator_fail(msg)
 
     def _decorator_fail(self, msg):
diff --git a/poky/meta/lib/oeqa/selftest/cases/buildoptions.py b/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
index 20fe8ed..1859d32 100644
--- a/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -58,15 +58,15 @@
 class DiskMonTest(OESelftestTestCase):
 
     def test_stoptask_behavior(self):
-        self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
         res = bitbake("delay -c delay", ignore_status = True)
         self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
         self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
-        self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
         res = bitbake("delay -c delay", ignore_status = True)
         self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
         self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
-        self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
         res = bitbake("delay -c delay")
         self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
 
diff --git a/poky/meta/lib/oeqa/selftest/cases/distrodata.py b/poky/meta/lib/oeqa/selftest/cases/distrodata.py
index fbc0c2a..0ad6e1e 100644
--- a/poky/meta/lib/oeqa/selftest/cases/distrodata.py
+++ b/poky/meta/lib/oeqa/selftest/cases/distrodata.py
@@ -99,7 +99,7 @@
                      return True
             return False
 
-        feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\n'
+        feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\nPACKAGE_CLASSES = "package_ipk package_deb package_rpm"\n'
         self.write_config(feature)
 
         with bb.tinfoil.Tinfoil() as tinfoil:
diff --git a/poky/meta/lib/oeqa/selftest/cases/runqemu.py b/poky/meta/lib/oeqa/selftest/cases/runqemu.py
index 7e676bc..da22f77 100644
--- a/poky/meta/lib/oeqa/selftest/cases/runqemu.py
+++ b/poky/meta/lib/oeqa/selftest/cases/runqemu.py
@@ -163,12 +163,11 @@
         bitbake(cls.recipe)
 
     def _start_qemu_shutdown_check_if_shutdown_succeeded(self, qemu, timeout):
+        # Allow the runner's LoggingThread instance to exit without errors
+        # (such as the exception "Console connection closed unexpectedly")
+        # as qemu will disappear when we shut it down
+        qemu.runner.allowexit()
         qemu.run_serial("shutdown -h now")
-        # Stop thread will stop the LoggingThread instance used for logging
-        # qemu through serial console, stop thread will prevent this code
-        # from facing exception (Console connection closed unexpectedly)
-        # when qemu was shutdown by the above shutdown command
-        qemu.runner.stop_thread()
         time_track = 0
         try:
             while True:
diff --git a/poky/meta/lib/oeqa/utils/commands.py b/poky/meta/lib/oeqa/utils/commands.py
index a71c16a..0242614 100644
--- a/poky/meta/lib/oeqa/utils/commands.py
+++ b/poky/meta/lib/oeqa/utils/commands.py
@@ -174,11 +174,8 @@
     if native_sysroot:
         extra_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin" % \
                       (native_sysroot, native_sysroot, native_sysroot)
-        extra_libpaths = "%s/lib:%s/usr/lib" % \
-                         (native_sysroot, native_sysroot)
         nenv = dict(options.get('env', os.environ))
         nenv['PATH'] = extra_paths + ':' + nenv.get('PATH', '')
-        nenv['LD_LIBRARY_PATH'] = extra_libpaths + ':' + nenv.get('LD_LIBRARY_PATH', '')
         options['env'] = nenv
 
     cmd = Command(command, timeout=timeout, output_log=output_log, **options)
diff --git a/poky/meta/lib/oeqa/utils/qemurunner.py b/poky/meta/lib/oeqa/utils/qemurunner.py
index 278904b..a0f17d5 100644
--- a/poky/meta/lib/oeqa/utils/qemurunner.py
+++ b/poky/meta/lib/oeqa/utils/qemurunner.py
@@ -71,6 +71,8 @@
         self.monitorpipe = None
 
         self.logger = logger
+        # Whether we're expecting an exit and should show related errors
+        self.canexit = False
 
         # Enable testing other OS's
         # Set commands for target communication, and default to Linux ALWAYS
@@ -471,6 +473,11 @@
             self.thread.stop()
             self.thread.join()
 
+    def allowexit(self):
+        self.canexit = True
+        if self.thread:
+            self.thread.allowexit()
+
     def restart(self, qemuparams = None):
         self.logger.warning("Restarting qemu process")
         if self.runqemu.poll() is None:
@@ -526,7 +533,9 @@
                     if re.search(self.boot_patterns['search_cmd_finished'], data):
                         break
                 else:
-                    raise Exception("No data on serial console socket")
+                    if self.canexit:
+                        return (1, "")
+                    raise Exception("No data on serial console socket, connection closed?")
 
         if data:
             if raw:
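Review bot: canexit is set to True by allowexit() and nothing in these hunks sets it back, so after restart() or a later launch on the same runner a genuinely unexpected console close would take the new `return (1, "")` path instead of raising. Reset the flag wherever the runner and its LoggingThread are started again. The early return also needs a comment stating what status 1 with empty output means to callers of this function.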
@@ -564,6 +573,7 @@
         self.logger = logger
         self.readsock = None
         self.running = False
+        self.canexit = False
 
         self.errorevents = select.POLLERR | select.POLLHUP | select.POLLNVAL
         self.readevents = select.POLLIN | select.POLLPRI
@@ -597,6 +607,9 @@
         self.close_ignore_error(self.writepipe)
         self.running = False
 
+    def allowexit(self):
+        self.canexit = True
+
     def eventloop(self):
         poll = select.poll()
         event_read_mask = self.errorevents | self.readevents
@@ -642,7 +655,7 @@
             data = self.readsock.recv(count)
         except socket.error as e:
             if e.errno == errno.EAGAIN or e.errno == errno.EWOULDBLOCK:
-                return ''
+                return b''
             else:
                 raise
 
@@ -653,7 +666,9 @@
             # happened. But for this code it counts as an
             # error since the connection shouldn't go away
             # until qemu exits.
-            raise Exception("Console connection closed unexpectedly")
+            if not self.canexit:
+                raise Exception("Console connection closed unexpectedly")
+            return b''
 
         return data
 
diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc
index 590deb8..6de683e 100644
--- a/poky/meta/recipes-bsp/grub/grub2.inc
+++ b/poky/meta/recipes-bsp/grub/grub2.inc
@@ -49,6 +49,8 @@
 
 inherit autotools gettext texinfo pkgconfig
 
+CFLAGS_remove = "-O2"
+
 EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
                 --disable-grub-mkfont \
                 --program-prefix="" \
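Review bot: `CFLAGS_remove = "-O2"` is added with no comment saying which failure it works around or for which compiler or architecture. Add a one-line rationale, with a bug reference if one exists, so the override can be dropped later. As written it applies to every GRUB platform built from this include.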
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000..e2540fc
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c  | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++		    hdr.payload, hdr.length);
+ 
+ 	pos = hdr.payload;
+ 	end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++		    hdr.payload, hdr.length);
+ 	da_end = hdr.payload + hdr.length;
+ 
+ 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++		    next, da_end - next);
++
++	/*
++	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++	 * omit the parameters, but there are implementation that encode these
++	 * as a NULL element. Allow these two cases and reject anything else.
++	 */
++	if (da_end > next &&
++	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++	     !asn1_is_null(&hdr) ||
++	     hdr.payload + hdr.length != da_end)) {
++		wpa_printf(MSG_DEBUG,
++			   "PKCS #1: Unexpected digest algorithm parameters");
++		os_free(decrypted);
++		return -1;
++	}
+ 
+ 	if (!asn1_oid_equal(&oid, hash_alg)) {
+ 		char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+ 	pos = hdr.payload;
+ 	end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++		    hdr.payload, hdr.length);
+ 	da_end = hdr.payload + hdr.length;
+ 
+ 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++		    next, da_end - next);
++
++	/*
++	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++	 * omit the parameters, but there are implementation that encode these
++	 * as a NULL element. Allow these two cases and reject anything else.
++	 */
++	if (da_end > next &&
++	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++	     !asn1_is_null(&hdr) ||
++	     hdr.payload + hdr.length != da_end)) {
++		wpa_printf(MSG_DEBUG,
++			   "X509: Unexpected digest algorithm parameters");
++		os_free(data);
++		return -1;
++	}
+ 
+ 	if (x509_sha1_oid(&oid)) {
+ 		if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+-- 
+2.17.1
+
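Review bot: the new check after asn1_get_oid() calls asn1_is_null(), which this patch uses but does not add; since this is a backport onto 2.9, confirm that helper exists in the tree the patch is applied to, or the internal TLS code will not build. The same block is added verbatim to pkcs1_v15_sig_ver() and x509_check_signature(), differing only in the log prefix and the buffer freed, so any later adjustment has to be made in both places. The accept condition itself (parameters absent, or a single NULL element ending exactly at da_end) matches what the commit message describes.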
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 357c286..cddcfb6 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -32,6 +32,7 @@
            file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
            file://CVE-2021-0326.patch \
            file://CVE-2021-27803.patch \
+           file://CVE-2021-30004.patch \
           "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
diff --git a/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb b/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
index 0021e45..3804f4f 100644
--- a/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
+++ b/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
@@ -44,9 +44,6 @@
 	fi
 
 }
-do_install_append_qemuppc64 () {
-            echo "9:12345:respawn:${base_sbindir}/getty 38400 hvc0" >> ${D}${sysconfdir}/inittab
-}
 
 pkg_postinst_${PN} () {
 # run this on host and on target
diff --git a/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000..67c9f18
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,58 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+  * each table.
+  * t: table to free
+  */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ 	huft_t *q;
+ 
++	/*
++	 * If 'p' has the error bit set we have to clear it, otherwise we might run
++	 * into a segmentation fault or an invalid pointer to free(p)
++	 */
++	if (BAD_HUFT(p)) {
++		p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++	}
++
+ 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
+ 	while (p) {
+ 		q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+  * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+  * is given: "fixed inflate" decoder feeds us such data.
+  */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ 			const unsigned s, const struct cp_ext *cp_ext,
+ 			unsigned *m)
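Review bot: in huft_free(), the error bit is cleared by XOR with ERR_RET, which is only correct because the statement is guarded by BAD_HUFT(p). Masking with `& ~(uintptr_t)1` would state the intent directly and stay correct if the guard is ever changed. Moving the two macros above huft_free() also separates them from the comment at huft_build() that explains the 0x1 tag; a short note at the new definition site would keep that explanation reachable.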
diff --git a/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch b/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch
new file mode 100644
index 0000000..e0a22c5
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch
@@ -0,0 +1,28 @@
+From bff7f16f7f41de8df67beb03722f235828ef2249 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 May 2021 15:48:19 -0700
+Subject: [PATCH] gen_build_files: Use C locale when calling sed on globbed files
+
+sort order is different based on chosen locale and also default shell
+being bash or dash
+
+This sets the environment variable LC_ALL to the value C, which will
+enforce bytewise sorting, irrespective of the shell
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ scripts/gen_build_files.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/gen_build_files.sh
++++ b/scripts/gen_build_files.sh
+@@ -4,6 +4,8 @@
+ # but users complain that many sed implementations
+ # are misinterpreting --.
+ 
++export LC_ALL=C
++
+ test $# -ge 2 || { echo "Syntax: $0 SRCTREE OBJTREE"; exit 1; }
+ 
+ # cd to objtree
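Review bot: the diffstat in this patch reports `2 +-` with 1 insertion and 1 deletion, but the hunk header is `-4,6 +4,8` and the body adds two lines and removes none. Regenerate the patch so the summary and the hunk agree. Upstream-Status is Pending, so include a pointer to the upstream submission once it exists.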
diff --git a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb b/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
index 1a3f218..b2a30ba 100644
--- a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
+++ b/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
@@ -46,7 +46,9 @@
            file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
            file://rev.cfg \
            file://pgrep.cfg \
-"
+           file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+           file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch \
+           "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
 SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch
new file mode 100644
index 0000000..e3def1a
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch
@@ -0,0 +1,32 @@
+From 48dd0d030a2b5240457472d40d8691b80bf5fa78 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:33:38 +0000
+Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index f34c3e4..e3d31d6 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -854,7 +854,7 @@ handle_overwrite_open (const char    *filename,
+   mode = mode_from_flags_or_info (flags, reference_info);
+ 
+   /* We only need read access to the original file if we are creating a backup.
+-   * We also add O_CREATE to avoid a race if the file was just removed */
++   * We also add O_CREAT to avoid a race if the file was just removed */
+   if (create_backup || readable)
+     open_flags = O_RDWR | O_CREAT | O_BINARY;
+   else
+-- 
+2.17.1
+
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch
new file mode 100644
index 0000000..d8d4d51
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch
@@ -0,0 +1,47 @@
+From 3d7f54ae4cfdddaf1a807879d9263e16cd12ffd3 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:34:32 +0000
+Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since a following commit is going to add a new test which references
+Gitlab, so it’s best to move the URI bases inside the test cases.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/tests/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/gio/tests/file.c b/gio/tests/file.c
+index d876965..39d51da 100644
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -686,7 +686,7 @@ test_replace_cancel (void)
+   guint count;
+   GError *error = NULL;
+ 
+-  g_test_bug ("629301");
++  g_test_bug ("https://bugzilla.gnome.org/629301");
+ 
+   path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
+   g_assert_no_error (error);
+@@ -1785,8 +1785,6 @@ main (int argc, char *argv[])
+ {
+   g_test_init (&argc, &argv, NULL);
+ 
+-  g_test_bug_base ("http://bugzilla.gnome.org/");
+-
+   g_test_add_func ("/file/basic", test_basic);
+   g_test_add_func ("/file/build-filename", test_build_filename);
+   g_test_add_func ("/file/parent", test_parent);
+-- 
+2.17.1
+
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch
new file mode 100644
index 0000000..425a1d4
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch
@@ -0,0 +1,60 @@
+From 8cc84a2f8c668541aaba584cb9b73c98afeb8e2d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Mar 2021 16:05:55 +0000
+Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
+
+This clarifies the code a little. It introduces no functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index e3d31d6..392d0b0 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -850,6 +850,7 @@ handle_overwrite_open (const char    *filename,
+   int res;
+   int mode;
+   int errsv;
++  gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
+ 
+   mode = mode_from_flags_or_info (flags, reference_info);
+ 
+@@ -960,7 +961,7 @@ handle_overwrite_open (const char    *filename,
+    * to a backup file and rewrite the contents of the file.
+    */
+   
+-  if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
++  if (replace_destination_set ||
+       (!(_g_stat_nlink (&original_stat) > 1) && !is_symlink))
+     {
+       char *dirname, *tmp_filename;
+@@ -979,7 +980,7 @@ handle_overwrite_open (const char    *filename,
+       
+       /* try to keep permissions (unless replacing) */
+ 
+-      if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
++      if (!replace_destination_set &&
+ 	   (
+ #ifdef HAVE_FCHOWN
+ 	    fchown (tmpfd, _g_stat_uid (&original_stat), _g_stat_gid (&original_stat)) == -1 ||
+@@ -1120,7 +1121,7 @@ handle_overwrite_open (const char    *filename,
+ 	}
+     }
+ 
+-  if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
++  if (replace_destination_set)
+     {
+       g_close (fd, NULL);
+       
+-- 
+2.17.1
+
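Review bot: In the first hunk of `handle_overwrite_open`, `replace_destination_set` is assigned the raw result of `flags & G_FILE_CREATE_REPLACE_DESTINATION`, so the `gboolean` holds the flag bit rather than TRUE or FALSE. Writing `(flags & G_FILE_CREATE_REPLACE_DESTINATION) != 0` keeps the variable safe if it is later compared against TRUE or stored in a narrower type. The three uses in this patch only test truthiness, so behaviour is unchanged as the commit message says.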
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch
new file mode 100644
index 0000000..54a9f45
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch
@@ -0,0 +1,294 @@
+From ed8f2235da7d2a408bfa18c1003f4a07f90b05e8 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:36:07 +0000
+Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
+ with symlinks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
+the destination file and re-creating it from scratch. That did
+previously work, but in the process the code would call `open(O_CREAT)`
+on the file. If the file was a dangling symlink, this would create the
+destination file (empty). That’s not an intended side-effect, and has
+security implications if the symlink is controlled by a lower-privileged
+process.
+
+Fix that by not opening the destination file if it’s a symlink, and
+adjusting the rest of the code to cope with
+ - the fact that `fd == -1` is not an error iff `is_symlink` is true,
+ - and that `original_stat` will contain the `lstat()` results for the
+   symlink now, rather than the `stat()` results for its target (again,
+   iff `is_symlink` is true).
+
+This means that the target of the dangling symlink is no longer created,
+which was the bug. The symlink itself continues to be replaced (as
+before) with the new file — this is the intended behaviour of
+`g_file_replace()`.
+
+The behaviour for non-symlink cases, or cases where the symlink was not
+dangling, should be unchanged.
+
+Includes a unit test.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2325
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c |  77 ++++++++++++++++++-------
+ gio/tests/file.c             | 108 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 163 insertions(+), 22 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index 392d0b0..a2c7e3c 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -878,16 +878,22 @@ handle_overwrite_open (const char    *filename,
+       /* Could be a symlink, or it could be a regular ELOOP error,
+        * but then the next open will fail too. */
+       is_symlink = TRUE;
+-      fd = g_open (filename, open_flags, mode);
++      if (!replace_destination_set)
++        fd = g_open (filename, open_flags, mode);
+     }
+-#else
+-  fd = g_open (filename, open_flags, mode);
+-  errsv = errno;
++#else  /* if !O_NOFOLLOW */
+   /* This is racy, but we do it as soon as possible to minimize the race */
+   is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
++
++  if (!is_symlink || !replace_destination_set)
++    {
++      fd = g_open (filename, open_flags, mode);
++      errsv = errno;
++    }
+ #endif
+ 
+-  if (fd == -1)
++  if (fd == -1 &&
++      (!is_symlink || !replace_destination_set))
+     {
+       char *display_name = g_filename_display_name (filename);
+       g_set_error (error, G_IO_ERROR,
+@@ -898,15 +904,30 @@ handle_overwrite_open (const char    *filename,
+       return -1;
+     }
+ 
+-  res = g_local_file_fstat (fd,
+-                            G_LOCAL_FILE_STAT_FIELD_TYPE |
+-                            G_LOCAL_FILE_STAT_FIELD_MODE |
+-                            G_LOCAL_FILE_STAT_FIELD_UID |
+-                            G_LOCAL_FILE_STAT_FIELD_GID |
+-                            G_LOCAL_FILE_STAT_FIELD_MTIME |
+-                            G_LOCAL_FILE_STAT_FIELD_NLINK,
+-                            G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
+-  errsv = errno;
++  if (!is_symlink)
++    {
++      res = g_local_file_fstat (fd,
++                                G_LOCAL_FILE_STAT_FIELD_TYPE |
++                                G_LOCAL_FILE_STAT_FIELD_MODE |
++                                G_LOCAL_FILE_STAT_FIELD_UID |
++                                G_LOCAL_FILE_STAT_FIELD_GID |
++                                G_LOCAL_FILE_STAT_FIELD_MTIME |
++                                G_LOCAL_FILE_STAT_FIELD_NLINK,
++                                G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
++      errsv = errno;
++    }
++  else
++    {
++      res = g_local_file_lstat (filename,
++                                G_LOCAL_FILE_STAT_FIELD_TYPE |
++                                G_LOCAL_FILE_STAT_FIELD_MODE |
++                                G_LOCAL_FILE_STAT_FIELD_UID |
++                                G_LOCAL_FILE_STAT_FIELD_GID |
++                                G_LOCAL_FILE_STAT_FIELD_MTIME |
++                                G_LOCAL_FILE_STAT_FIELD_NLINK,
++                                G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
++      errsv = errno;
++    }
+ 
+   if (res != 0)
+     {
+@@ -923,16 +944,27 @@ handle_overwrite_open (const char    *filename,
+   if (!S_ISREG (_g_stat_mode (&original_stat)))
+     {
+       if (S_ISDIR (_g_stat_mode (&original_stat)))
+-	g_set_error_literal (error,
+-                             G_IO_ERROR,
+-                             G_IO_ERROR_IS_DIRECTORY,
+-                             _("Target file is a directory"));
+-      else
+-	g_set_error_literal (error,
++        {
++          g_set_error_literal (error,
++                               G_IO_ERROR,
++                               G_IO_ERROR_IS_DIRECTORY,
++                               _("Target file is a directory"));
++          goto err_out;
++        }
++      else if (!is_symlink ||
++#ifdef S_ISLNK
++               !S_ISLNK (_g_stat_mode (&original_stat))
++#else
++               FALSE
++#endif
++               )
++        {
++          g_set_error_literal (error,
+                              G_IO_ERROR,
+                              G_IO_ERROR_NOT_REGULAR_FILE,
+                              _("Target file is not a regular file"));
+-      goto err_out;
++          goto err_out;
++        }
+     }
+   
+   if (etag != NULL)
+@@ -1015,7 +1047,8 @@ handle_overwrite_open (const char    *filename,
+ 	    }
+ 	}
+ 
+-      g_close (fd, NULL);
++      if (fd >= 0)
++        g_close (fd, NULL);
+       *temp_filename = tmp_filename;
+       return tmpfd;
+     }
+diff --git a/gio/tests/file.c b/gio/tests/file.c
+index 39d51da..ddd1ffc 100644
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -805,6 +805,113 @@ test_replace_cancel (void)
+   g_object_unref (tmpdir);
+ }
+ 
++static void
++test_replace_symlink (void)
++{
++#ifdef G_OS_UNIX
++  gchar *tmpdir_path = NULL;
++  GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
++  GFileOutputStream *stream = NULL;
++  const gchar *new_contents = "this is a test message which should be written to source and not target";
++  gsize n_written;
++  GFileEnumerator *enumerator = NULL;
++  GFileInfo *info = NULL;
++  gchar *contents = NULL;
++  gsize length = 0;
++  GError *local_error = NULL;
++
++  g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
++  g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
++
++  /* Create a fresh, empty working directory. */
++  tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
++  g_assert_no_error (local_error);
++  tmpdir = g_file_new_for_path (tmpdir_path);
++
++  g_test_message ("Using temporary directory %s", tmpdir_path);
++  g_free (tmpdir_path);
++
++  /* Create symlink `source` which points to `target`. */
++  source_file = g_file_get_child (tmpdir, "source");
++  target_file = g_file_get_child (tmpdir, "target");
++  g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  /* Ensure that `target` doesn’t exist */
++  g_assert_false (g_file_query_exists (target_file, NULL));
++
++  /* Replace the `source` symlink with a regular file using
++   * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
++   * following the symlink */
++  stream = g_file_replace (source_file, NULL, FALSE  /* no backup */,
++                           G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
++                             &n_written, NULL, &local_error);
++  g_assert_no_error (local_error);
++  g_assert_cmpint (n_written, ==, strlen (new_contents));
++
++  g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  g_clear_object (&stream);
++
++  /* At this point, there should still only be one file: `source`. It should
++   * now be a regular file. `target` should not exist. */
++  enumerator = g_file_enumerate_children (tmpdir,
++                                          G_FILE_ATTRIBUTE_STANDARD_NAME ","
++                                          G_FILE_ATTRIBUTE_STANDARD_TYPE,
++                                          G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++  g_assert_no_error (local_error);
++  g_assert_nonnull (info);
++
++  g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
++  g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
++
++  g_clear_object (&info);
++
++  info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++  g_assert_no_error (local_error);
++  g_assert_null (info);
++
++  g_file_enumerator_close (enumerator, NULL, &local_error);
++  g_assert_no_error (local_error);
++  g_clear_object (&enumerator);
++
++  /* Double-check that `target` doesn’t exist */
++  g_assert_false (g_file_query_exists (target_file, NULL));
++
++  /* Check the content of `source`. */
++  g_file_load_contents (source_file,
++                        NULL,
++                        &contents,
++                        &length,
++                        NULL,
++                        &local_error);
++  g_assert_no_error (local_error);
++  g_assert_cmpstr (contents, ==, new_contents);
++  g_assert_cmpuint (length, ==, strlen (new_contents));
++  g_free (contents);
++
++  /* Tidy up. */
++  g_file_delete (source_file, NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  g_file_delete (tmpdir, NULL, &local_error);
++  g_assert_no_error (local_error);
++
++  g_clear_object (&target_file);
++  g_clear_object (&source_file);
++  g_clear_object (&tmpdir);
++#else  /* if !G_OS_UNIX */
++  g_test_skip ("Symlink replacement tests can only be run on Unix")
++#endif
++}
++
+ static void
+ on_file_deleted (GObject      *object,
+ 		 GAsyncResult *result,
+@@ -1798,6 +1905,7 @@ main (int argc, char *argv[])
+   g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
+   g_test_add_func ("/file/replace-load", test_replace_load);
+   g_test_add_func ("/file/replace-cancel", test_replace_cancel);
++  g_test_add_func ("/file/replace-symlink", test_replace_symlink);
+   g_test_add_func ("/file/async-delete", test_async_delete);
+   g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
+   g_test_add_func ("/file/measure", test_measure);
+-- 
+2.17.1
+
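Review bot: In the `#else /* if !G_OS_UNIX */` branch of the new `test_replace_symlink`, the `g_test_skip ("Symlink replacement tests can only be run on Unix")` call has no terminating semicolon, so the test file will not compile on non-Unix targets; add the `;`. Separately, in the `#else /* if !O_NOFOLLOW */` path of `handle_overwrite_open` the fix depends on the `g_file_test (filename, G_FILE_TEST_IS_SYMLINK)` result taken before `g_open`, which the existing comment already calls racy: a symlink placed between the check and the open is still followed with the create flags. The commit message should state that the protection is only complete where `O_NOFOLLOW` is available. Style nit: in the re-indented "Target file is not a regular file" branch the continuation arguments of `g_set_error_literal` were left at the old column.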
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch
new file mode 100644
index 0000000..0ab9a75
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch
@@ -0,0 +1,60 @@
+From ab4ee65fb5778964fa3cca9b3d6749711ef9ba19 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:42:24 +0000
+Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
+ replace()
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index a2c7e3c..4c512ea 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -63,6 +63,12 @@
+ #define O_BINARY 0
+ #endif
+ 
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#else
++#define HAVE_O_CLOEXEC 1
++#endif
++
+ struct _GLocalFileOutputStreamPrivate {
+   char *tmp_filename;
+   char *original_filename;
+@@ -1239,7 +1245,7 @@ _g_local_file_output_stream_replace (const char        *filename,
+   sync_on_close = FALSE;
+ 
+   /* If the file doesn't exist, create it */
+-  open_flags = O_CREAT | O_EXCL | O_BINARY;
++  open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
+   if (readable)
+     open_flags |= O_RDWR;
+   else
+@@ -1269,8 +1275,11 @@ _g_local_file_output_stream_replace (const char        *filename,
+       set_error_from_open_errno (filename, error);
+       return NULL;
+     }
+-  
+- 
++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
++  else
++    fcntl (fd, F_SETFD, FD_CLOEXEC);
++#endif
++
+   stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
+   stream->priv->fd = fd;
+   stream->priv->sync_on_close = sync_on_close;
+-- 
+2.17.1
+
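Review bot: In the fallback added after the failed-open check in `_g_local_file_output_stream_replace`, `fcntl (fd, F_SETFD, FD_CLOEXEC)` ignores its return value and runs only after the open has returned, so where `O_CLOEXEC` is unavailable the descriptor can still be inherited by a child forked from another thread in that window. Check the result, and add a comment that the fallback is best-effort and not atomic. The bare `else` inside the `#if` hangs off the preceding error block and is easy to break in a later edit; a self-contained statement under the `#if` would be more robust. `#define O_CLOEXEC 0` also makes the flag a silent no-op in `open_flags`, and the commit message has no body explaining why the flag matters here.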
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
index 3909b76..e5e65a4 100644
--- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
@@ -50,6 +50,16 @@
            file://0028-gresource-Fix-a-pointer-mismatch-with-an-atomic-load.patch \
            file://0029-docs-Document-not-to-use-volatile-qualifiers.patch \
 "
+
+# Fix CVE-2021-28153
+SRC_URI += "\
+           file://0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch \
+           file://0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch \
+           file://0003-glocalfileoutputstream-Factor-out-a-flag-check.patch \
+           file://0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch \
+           file://0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch \
+"
+
 SRC_URI_append_class-native = " file://relocate-modules.patch"
 
 SRC_URI[sha256sum] = "09f158769f6f26b31074e15b1ac80ec39b13b53102dfae66cfe826fb2cc65502"
diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 1aeb952..fe1715f 100644
--- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,8 +24,8 @@
 
 inherit core-image setuptools3
 
-SRCREV ?= "42514ade8bdb9502f49a56752561f6c2e9f23348"
-SRC_URI = "git://git.yoctoproject.org/poky \
+SRCREV ?= "96e8fcd6a24fd732e010607be347cbb3348ef725"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=hardknott \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
            file://README_VirtualBox_Guest_Additions.txt \
diff --git a/poky/meta/recipes-core/meta/cve-update-db-native.bb b/poky/meta/recipes-core/meta/cve-update-db-native.bb
index 25ec6ba..e5822ce 100644
--- a/poky/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/poky/meta/recipes-core/meta/cve-update-db-native.bb
@@ -139,7 +139,12 @@
         for cpe in node.get('cpe_match', ()):
             if not cpe['vulnerable']:
                 return
-            cpe23 = cpe['cpe23Uri'].split(':')
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
             vendor = cpe23[3]
             product = cpe23[4]
             version = cpe23[5]
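Review bot: The two new guards `return` when `cpe23Uri` is missing or has fewer than six fields, so one malformed entry silently drops every remaining `cpe_match` entry in the node and the resulting database can under-report affected products. Consider `continue` with a debug or warning message naming the entry, so the gap is visible in the build log. `cpe['vulnerable']` at the top of the loop is still indexed directly and would raise `KeyError` on the same kind of incomplete record; `cpe.get('vulnerable')` would make the handling consistent.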
diff --git a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
index b8e2c71..194dca7 100644
--- a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
+++ b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
@@ -57,6 +57,7 @@
 VALGRIND_armeb = ""
 VALGRIND_aarch64 = ""
 VALGRIND_riscv64 = ""
+VALGRIND_riscv32 = ""
 VALGRIND_powerpc = "${@bb.utils.contains('TARGET_FPU', 'soft', '', 'valgrind', d)}"
 VALGRIND_linux-gnux32 = ""
 VALGRIND_linux-gnun32 = ""
diff --git a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
index a5fc152..015810c 100644
--- a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
+++ b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
@@ -16,6 +16,7 @@
 KEXECTOOLS_microblaze ?= ""
 KEXECTOOLS_nios2 ?= ""
 KEXECTOOLS_riscv64 ?= ""
+KEXECTOOLS_riscv32 ?= ""
 
 GSTEXAMPLES ?= "gst-examples"
 GSTEXAMPLES_riscv64 = ""
diff --git a/poky/meta/recipes-core/systemd/systemd-boot_247.4.bb b/poky/meta/recipes-core/systemd/systemd-boot_247.6.bb
similarity index 100%
rename from poky/meta/recipes-core/systemd/systemd-boot_247.4.bb
rename to poky/meta/recipes-core/systemd/systemd-boot_247.6.bb
diff --git a/poky/meta/recipes-core/systemd/systemd-conf_247.3.bb b/poky/meta/recipes-core/systemd/systemd-conf_247.6.bb
similarity index 100%
rename from poky/meta/recipes-core/systemd/systemd-conf_247.3.bb
rename to poky/meta/recipes-core/systemd/systemd-conf_247.6.bb
diff --git a/poky/meta/recipes-core/systemd/systemd.inc b/poky/meta/recipes-core/systemd/systemd.inc
index 098bca9..7d3b306 100644
--- a/poky/meta/recipes-core/systemd/systemd.inc
+++ b/poky/meta/recipes-core/systemd/systemd.inc
@@ -14,7 +14,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
 
-SRCREV = "069525e84a67375e27429cb490e8d28af78e673a"
+SRCREV = "17472dca0160cbe7b807ca648475fd70d0d62fe5"
 SRCBRANCH = "v247-stable"
 SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
 
diff --git a/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch b/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
new file mode 100644
index 0000000..bbee6e6
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
@@ -0,0 +1,36 @@
+From 7b32582c066549fea0f7180a6c575e7fa37a867f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 12 Apr 2021 23:44:53 -0700
+Subject: [PATCH] missing_syscall.h: Define MIPS ABI defines for musl
+
+musl does not define _MIPS_SIM_ABI32, _MIPS_SIM_NABI32, _MIPS_SIM_ABI64
+unlike glibc where these are provided by libc headers, therefore define
+them here in case they are undefined
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/basic/missing_syscall.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 0594a1b930..495d161334 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -15,6 +15,12 @@
+ #include <asm/sgidefs.h>
+ #endif
+ 
++#ifndef _MIPS_SIM_ABI32
++#define _MIPS_SIM_ABI32		1
++#define _MIPS_SIM_NABI32	2
++#define _MIPS_SIM_ABI64		3
++#endif
++
+ #if defined(__x86_64__) && defined(__ILP32__)
+ #  define systemd_SC_arch_bias(x) ((x) | /* __X32_SYSCALL_BIT */ 0x40000000)
+ #elif defined(__ia64__)
+-- 
+2.31.1
+
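Review bot: The new block in `missing_syscall.h` defines all three constants under a single `#ifndef _MIPS_SIM_ABI32`, so a libc that provides `_MIPS_SIM_ABI32` but not `_MIPS_SIM_NABI32` or `_MIPS_SIM_ABI64` still leaves those undefined. Guard each macro with its own `#ifndef`. If the values are only needed for MIPS builds, placing the block inside the conditional that includes `<asm/sgidefs.h>` just above would keep them out of other architectures.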
diff --git a/poky/meta/recipes-core/systemd/systemd_247.4.bb b/poky/meta/recipes-core/systemd/systemd_247.6.bb
similarity index 99%
rename from poky/meta/recipes-core/systemd/systemd_247.4.bb
rename to poky/meta/recipes-core/systemd/systemd_247.6.bb
index cd67e65..32afa15 100644
--- a/poky/meta/recipes-core/systemd/systemd_247.4.bb
+++ b/poky/meta/recipes-core/systemd/systemd_247.6.bb
@@ -55,6 +55,7 @@
                file://0022-do-not-disable-buffer-in-writing-files.patch \
                file://0025-Handle-__cpu_mask-usage.patch \
                file://0026-Handle-missing-gshadow.patch \
+               file://0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch \
                "
 
 PAM_PLUGINS = " \
diff --git a/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty b/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
index dfa799a..699a1ea 100644
--- a/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
+++ b/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
@@ -1,17 +1,4 @@
 #!/bin/sh
-###############################################################################
-# This script is used to automatically set up the serial console(s) on startup.
-# The variable SERIAL_CONSOLES can be set in meta/conf/machine/*.conf.
-# Script enhancement has been done based on Bug YOCTO #10844.
-# Most of the information is retrieved from /proc virtual filesystem containing
-# all the runtime system information (eg. system memory, device mount, etc).
-###############################################################################
-
-# Get active serial filename.
-active_serial=$(grep "serial" /proc/tty/drivers | cut -d/ -f1 | sed "s/ *$//")
-
-# Rephrase input parameter from ttyS target index (ttyS1, ttyS2, ttyAMA0, etc).
-runtime_tty=$(echo $2 | grep -oh '[0-9]\+')
 
 # busybox' getty does this itself, util-linux' agetty needs extra help
 getty="/sbin/getty"
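Review bot: The header comment removed at the top of `start_getty` was the only description of what the script does and where `SERIAL_CONSOLES` is configured. Nothing replaces it, so keep a short comment stating the script's purpose and the meaning of the `$1`, `$2` and `$3` arguments it passes to getty.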
@@ -25,31 +12,6 @@
         ;;
 esac
 
-# Backup $IFS.
-DEFAULT_IFS=$IFS
-# Customize Internal Field Separator.
-IFS="$(printf '\n\t')"
-
-for line in $active_serial; do
-	# Check we have the file containing current active serial target index.
-	if [ -e "/proc/tty/driver/$line" ]
-        then
-		# Remove all unknown entries and discard the first line (desc).
-		activetty=$(grep -v "unknown" "/proc/tty/driver/$line" \
-			    | tail -n +2 | grep -oh "^\s*\S*[0-9]\+")
-		for active in $activetty; do
-			# If indexes do match then enable the serial console.
-			if [ $active -eq $runtime_tty ]
-			then
-				if [ -c /dev/$2 ]
-				then
-				    ${setsid:-} ${getty} -L $1 $2 $3
-				fi
-				break
-			fi
-		done
-	fi
-done
-
-# Restore $IFS.
-IFS=$DEFAULT_IFS
+if [ -e /sys/class/tty/$2 -a -c /dev/$2 ]; then
+	${setsid:-} ${getty} -L $1 $2 $3
+fi
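Review bot: In the replacement test `[ -e /sys/class/tty/$2 -a -c /dev/$2 ]`, `$2` is unquoted and the `-a` operator is marked obsolescent by POSIX. Prefer `[ -e "/sys/class/tty/$2" ] && [ -c "/dev/$2" ]`, which avoids word splitting and globbing on the argument. A one-line comment saying that the sysfs check replaces the removed `/proc/tty/driver` parsing would help the next reader.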
diff --git a/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb b/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
index 0af116f..d95d1a6 100644
--- a/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
+++ b/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
@@ -53,10 +53,6 @@
     fi
 }
 
-do_install_append_qemuppc64 () {
-            echo "9:12345:respawn:${base_sbindir}/getty 38400 hvc0" >> ${D}${sysconfdir}/inittab
-}
-
 pkg_postinst_${PN} () {
 # run this on host and on target
 if [ "${SERIAL_CONSOLES_CHECK}" = "" ]; then
diff --git a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
index 0a007bb..ce242c3 100644
--- a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
+++ b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
@@ -7,6 +7,7 @@
 SECTION = "devel"
 
 DEPENDS += "expect-native"
+RDEPENDS_${PN} = "expect"
 
 inherit autotools
 
diff --git a/poky/meta/recipes-devtools/go/go-1.16.2.inc b/poky/meta/recipes-devtools/go/go-1.16.3.inc
similarity index 88%
rename from poky/meta/recipes-devtools/go/go-1.16.2.inc
rename to poky/meta/recipes-devtools/go/go-1.16.3.inc
index e65caf8..ebd25a5 100644
--- a/poky/meta/recipes-devtools/go/go-1.16.2.inc
+++ b/poky/meta/recipes-devtools/go/go-1.16.3.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.16"
-PV = "1.16.2"
+PV = "1.16.3"
 FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -17,4 +17,4 @@
     file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
     file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
 "
-SRC_URI[main.sha256sum] = "37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea"
+SRC_URI[main.sha256sum] = "b298d29de9236ca47a023e382313bcc2d2eed31dfa706b60a04103ce83a71a25"
diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
similarity index 83%
rename from poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
index 4fb0601..d01a2bd 100644
--- a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
@@ -8,8 +8,8 @@
 PROVIDES = "go-native"
 
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8"
-SRC_URI[go_linux_arm64.sha256sum] = "6924601d998a0917694fd14261347e3798bd2ad6b13c4d7f2edd70c9d57f62ab"
+SRC_URI[go_linux_amd64.sha256sum] = "951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2"
+SRC_URI[go_linux_arm64.sha256sum] = "566b1d6f17d2bc4ad5f81486f0df44f3088c3ed47a3bec4099d8ed9939e90d5d"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/poky/meta/recipes-devtools/go/go-common.inc b/poky/meta/recipes-devtools/go/go-common.inc
index f18d928..c368b95 100644
--- a/poky/meta/recipes-devtools/go/go-common.inc
+++ b/poky/meta/recipes-devtools/go/go-common.inc
@@ -14,7 +14,7 @@
 
 inherit goarch
 
-SRC_URI = "http://golang.org/dl/go${PV}.src.tar.gz;name=main"
+SRC_URI = "https://dl.google.com/go/go${PV}.src.tar.gz;name=main"
 S = "${WORKDIR}/go"
 B = "${S}"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-cross_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-cross_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-native_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-native_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-native_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb b/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go_1.16.2.bb b/poky/meta/recipes-devtools/go/go_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 19a03d4..e9225e1 100644
--- a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -22,6 +22,7 @@
            file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
            file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
            file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
+           file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
           "
 
 SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
new file mode 100644
index 0000000..87f8492
--- /dev/null
+++ b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
@@ -0,0 +1,35 @@
+From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Tue, 13 Apr 2021 07:17:29 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before automake
+
+When use automake to generate Makefile.in from Makefile.am, there
+comes below race:
+ | configure.ac:45: error: required file 'config-h.in' not found
+
+It is because the file config-h.in in updating process by autoheader,
+so make automake run after autoheader to avoid the above race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2752ecc..29950db 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -328,7 +328,7 @@ EXTRA_DIST     += $(lt_aclocal_m4) \
+ 		  $(lt_obsolete_m4) \
+ 		  $(stamp_mk)
+ 
+-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4)
++$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in)
+ 	$(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile
+ 
+ # Don't let unused scripts leak into the libltdl Makefile
+-- 
+2.29.2
+
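Review bot: The new prerequisite `$(lt_config_h_in)` on the `$(lt_Makefile_in)` rule is not defined anywhere in the visible hunk. Confirm it is set elsewhere in `Makefile.am`, because an undefined make variable expands to nothing and the rule would then silently keep the race described in the commit message.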
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
new file mode 100644
index 0000000..ba35ec6
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
@@ -0,0 +1,44 @@
+From 6edec83653ce1b5fc201ff6db93b966394766814 Mon Sep 17 00:00:00 2001
+From: rmnull <rmnull@users.noreply.github.com>
+Date: Tue, 18 Aug 2020 20:22:52 +0530
+Subject: [PATCH] mark phdrs synced with sections, avoid rechecking it when
+ syncing note sections to segments.
+
+This also serves as a bug fix when a previously synced note segment
+overlaps with another section and creates a false alarm.
+
+Upstream-Status: Backport
+---
+ src/patchelf.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/patchelf.cc b/src/patchelf.cc
+index 05ec793..622f0b6 100644
+--- a/src/patchelf.cc
++++ b/src/patchelf.cc
+@@ -669,6 +669,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+             memset(contents + rdi(shdr.sh_offset), 'X', rdi(shdr.sh_size));
+     }
+ 
++    std::set<unsigned int> noted_phdrs = {};
+     for (auto & i : replacedSections) {
+         std::string sectionName = i.first;
+         auto & shdr = findSection(sectionName);
+@@ -721,7 +722,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+                 shdr.sh_addralign = orig_shdr.sh_addralign;
+ 
+             for (unsigned int j = 0; j < phdrs.size(); ++j)
+-                if (rdi(phdrs[j].p_type) == PT_NOTE) {
++                if (rdi(phdrs[j].p_type) == PT_NOTE && noted_phdrs.find(j) == noted_phdrs.end()) {
+                     Elf_Off p_start = rdi(phdrs[j].p_offset);
+                     Elf_Off p_end = p_start + rdi(phdrs[j].p_filesz);
+                     Elf_Off s_start = rdi(orig_shdr.sh_offset);
+@@ -739,6 +740,8 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+                     phdrs[j].p_offset = shdr.sh_offset;
+                     phdrs[j].p_vaddr = phdrs[j].p_paddr = shdr.sh_addr;
+                     phdrs[j].p_filesz = phdrs[j].p_memsz = shdr.sh_size;
++
++                    noted_phdrs.insert(j);
+                 }
+         }
+ 
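Review bot: The header of this backport (between "Upstream-Status: Backport" and the "---" separator) has no Signed-off-by from the person who imported it and no reference to the upstream commit or pull request, and the file is named only by its hash. Please add the importer's Signed-off-by, put the upstream URL in the Upstream-Status line, and give the file a descriptive name so the reason it is carried is clear from SRC_URI. In the code, noted_phdrs is keyed on the loop index j, so a short comment at its declaration saying it holds PT_NOTE headers already synced to a replaced section would help the next reader.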
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
new file mode 100644
index 0000000..a06876e
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
@@ -0,0 +1,44 @@
+If a binary has multiple SHT_NOTE sections and corresponding PT_NOTE
+headers, we can see the error:
+
+patchelf: cannot normalize PT_NOTE segment: non-contiguous SHT_NOTE sections
+
+if the SHT_NOTE sections aren't sized to end on aligned boundaries. An example
+would be a binary with:
+
+  [ 2] .note.ABI-tag     NOTE             00000000000002f4  000002f4
+       0000000000000020  0000000000000000   A       0     0     4
+  [ 3] .note.gnu.propert NOTE             0000000000000318  00000318
+       0000000000000030  0000000000000000   A       0     0     8
+  [ 4] .note.gnu.build-i NOTE             0000000000000348  00000348
+       0000000000000024  0000000000000000   A       0     0     4
+
+  NOTE           0x0000000000000318 0x0000000000000318 0x0000000000000318
+                 0x0000000000000030 0x0000000000000030  R      0x8
+  NOTE           0x00000000000002f4 0x00000000000002f4 0x00000000000002f4
+                 0x0000000000000078 0x0000000000000074  R      0x4
+
+since the PT_NOTE section at 2f4 covers [2] and [3] but the code
+calclates curr_off should be 314, not the 318 in the binary. This
+is an alignment issue.
+
+To fix this, we need to round curr_off to the next section alignment.
+
+Upstream-Status: Submitted [https://github.com/NixOS/patchelf/pull/274]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/src/patchelf.cc
+===================================================================
+--- git.orig/src/patchelf.cc
++++ git/src/patchelf.cc
+@@ -1010,8 +1010,9 @@ void ElfFile<ElfFileParamNames>::normali
+             size_t size = 0;
+             for (const auto & shdr : shdrs) {
+                 if (rdi(shdr.sh_type) != SHT_NOTE) continue;
+-                if (rdi(shdr.sh_offset) != curr_off) continue;
++                if (rdi(shdr.sh_offset) != roundUp(curr_off, rdi(shdr.sh_addralign))) continue;
+                 size = rdi(shdr.sh_size);
++                curr_off = roundUp(curr_off, rdi(shdr.sh_addralign));
+                 break;
+             }
+             if (size == 0)
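Review bot: In the normalizeNoteSegments hunk, roundUp(curr_off, rdi(shdr.sh_addralign)) is called with an alignment read straight from the section header, and ELF allows sh_addralign to be 0 (as well as 1) to mean "no alignment constraint". Please confirm roundUp tolerates a zero alignment, or treat 0 as 1 before the call, since patchelf is run on arbitrary input binaries. The rounded value is also computed twice; storing it in a local before the comparison and assigning it to curr_off on a match would keep the two uses from drifting apart.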
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
index 95886c6..7c97ea0 100644
--- a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
+++ b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
@@ -6,6 +6,8 @@
 
 SRC_URI = "git://github.com/NixOS/patchelf;protocol=https \
            file://handle-read-only-files.patch \
+           file://6edec83653ce1b5fc201ff6db93b966394766814.patch \
+           file://alignmentfix.patch \
            "
 SRCREV = "8d3a16e97294e3c5521c61b4c8835499c9918264"
 
diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
index 17bd02c..4eab133 100644
--- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@
            file://fallback-group \
            "
 
-SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b"
+SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
 
diff --git a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c..c3d1e06 100644
--- a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -23,24 +23,24 @@
 
 Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
 
+
+Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>
+
 Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
 ---
  Lib/test/test_locale.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
-index e2c2178..558d63c 100644
---- a/Lib/test/test_locale.py
-+++ b/Lib/test/test_locale.py
-@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase):
+Index: Python-3.9.4/Lib/test/test_locale.py
+===================================================================
+--- Python-3.9.4.orig/Lib/test/test_locale.py
++++ Python-3.9.4/Lib/test/test_locale.py
+@@ -562,7 +562,7 @@ class TestMiscellaneous(unittest.TestCas
              self.skipTest('test needs Turkish locale')
          loc = locale.getlocale(locale.LC_CTYPE)
          if verbose:
 -            print('testing with %a' % (loc,), end=' ', flush=True)
 +            print('testing with %a...' % (loc,), end=' ', flush=True)
-         locale.setlocale(locale.LC_CTYPE, loc)
-         self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE))
- 
--- 
-2.7.4
-
+         try:
+             locale.setlocale(locale.LC_CTYPE, loc)
+         except locale.Error as exc:
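Review bot: In the header hunk, the added line "Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez ..." fuses the rebase remark and the Signed-off-by tag on one line, so tooling that looks for tags at the start of a line will not see the sign-off. Put the remark and the Signed-off-by on separate lines, and drop the extra blank line added above them.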
diff --git a/poky/meta/recipes-devtools/python/python3/create_manifest3.py b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
index 4da02a2..045240e 100644
--- a/poky/meta/recipes-devtools/python/python3/create_manifest3.py
+++ b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
@@ -36,7 +36,7 @@
 # Tha method to handle cached files does not work when a module includes a folder which
 # itself contains the pycache folder, gladly this is almost never the case.
 #
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29 at gmail dot com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
 
 
 import sys
@@ -45,6 +45,11 @@
 import os
 import collections
 
+if '-d' in sys.argv:
+    debugFlag = '-d'
+else:
+    debugFlag = ''
+
 # Get python version from ${PYTHON_MAJMIN}
 pyversion = str(sys.argv[1])
 
@@ -84,6 +89,12 @@
         manifest.seek(0, 0)
         manifest.write(comments + json_contents)
 
+def print_indent(msg, offset):
+    for l in msg.splitlines():
+        msg = ' ' * offset + l
+        print(msg)
+
+
 # Read existing JSON manifest
 with open('python3-manifest.json') as manifest:
     # The JSON format doesn't allow comments so we hack the call to keep the comments using a marker
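Review bot: print_indent() changes the output of callers elsewhere in this patch because it goes through splitlines(): a trailing "\n" in the message (as in 'The following dependencies were found for module %s:\n') no longer produces a blank line, and a leading "\n" (as in '\nGetting dependencies for module: %s') produces a line containing only the indent spaces. If the blank lines are wanted, print them outside the helper. The loop also reassigns its own parameter msg and uses the single-letter name l; a separate local such as line would read more clearly.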
@@ -99,7 +110,7 @@
 # Not exactly the same so it should not be a function
 #
 
-print ('Getting dependencies for package: core')
+print_indent('Getting dependencies for package: core', 0)
 
 
 # This special call gets the core dependencies and
@@ -109,7 +120,7 @@
 # on the new core package, they will still find them
 # even when checking the old_manifest
 
-output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package']).decode('utf8')
+output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package', '%s' % debugFlag]).decode('utf8')
 for coredep in output.split():
     coredep = coredep.replace(pyversion,'${PYTHON_MAJMIN}')
     if isCached(coredep):
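Review bot: When -d is not given, debugFlag is '' and '%s' % debugFlag still appends an empty-string element to the argument list passed to get_module_deps3.py here and in the two later check_output calls. Build the list once and append '-d' only when debugging is enabled. Note also that pyversion is still taken from sys.argv[1], so the new option only works when it follows the version argument; a line in the header comment saying so, or argparse, would avoid surprises.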
@@ -149,17 +160,16 @@
     # Get actual module name , shouldnt be affected by libdir/bindir, etc.
     pymodule = os.path.splitext(os.path.basename(os.path.normpath(filedep)))[0]
 
-
     # We now know that were dealing with a python module, so we can import it
     # and check what its dependencies are.
     # We launch a separate task for each module for deterministic behavior.
     # Each module will only import what is necessary for it to work in specific.
     # The output of each task will contain each module's dependencies
 
-    print ('Getting dependencies for module: %s' % pymodule)
-    output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
-    print ('The following dependencies were found for module %s:\n' % pymodule)
-    print (output)
+    print_indent('Getting dependencies for module: %s' % pymodule, 2)
+    output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+    print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+    print_indent(output, 6)
 
 
     for pymodule_dep in output.split():
@@ -178,12 +188,13 @@
 # all others will use this a base.
 
 
+print('\n\nChecking for directories...\n')
 # To improve the script speed, we check which packages contain directories
 # since we will be looping through (only) those later.
 for pypkg in old_manifest:
     for filedep in old_manifest[pypkg]['files']:
         if isFolder(filedep):
-            print ('%s is a folder' % filedep)
+            print_indent('%s is a directory' % filedep, 2)
             if pypkg not in hasfolders:
                 hasfolders.append(pypkg)
             if filedep not in allfolders:
@@ -221,14 +232,14 @@
 
     print('\n')
     print('--------------------------')
-    print ('Handling package %s' % pypkg)
+    print('Handling package %s' % pypkg)
     print('--------------------------')
 
     # Handle special cases, we assume that when they were manually added 
     # to the manifest we knew what we were doing.
     special_packages = ['misc', 'modules', 'dev', 'tests']
     if pypkg in special_packages or 'staticdev' in pypkg:
-        print('Passing %s package directly' % pypkg)
+        print_indent('Passing %s package directly' % pypkg, 2)
         new_manifest[pypkg] = old_manifest[pypkg]
         continue
 
@@ -259,7 +270,7 @@
 
         # Get actual module name , shouldnt be affected by libdir/bindir, etc.
         # We need to check if the imported module comes from another (e.g. sqlite3.dump)
-        path,pymodule = os.path.split(filedep)
+        path, pymodule = os.path.split(filedep)
         path = os.path.basename(path)
         pymodule = os.path.splitext(os.path.basename(pymodule))[0]
 
@@ -279,10 +290,10 @@
         # Each module will only import what is necessary for it to work in specific.
         # The output of each task will contain each module's dependencies
 
-        print ('\nGetting dependencies for module: %s' % pymodule)
-        output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
-        print ('The following dependencies were found for module %s:\n' % pymodule)
-        print (output)
+        print_indent('\nGetting dependencies for module: %s' % pymodule, 2)
+        output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+        print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+        print_indent(output, 6)
 
         reportFILES = []
         reportRDEPS = []
@@ -325,7 +336,7 @@
                             # print('Checking folder %s on package %s' % (pymodule_dep,pypkg_with_folder))
                             for folder_dep in old_manifest[pypkg_with_folder]['files'] or folder_dep in old_manifest[pypkg_with_folder]['cached']:
                                 if folder_dep == folder:
-                                    print ('%s folder found in %s' % (folder, pypkg_with_folder))
+                                    print ('%s directory found in %s' % (folder, pypkg_with_folder))
                                     folderFound = True
                                     if pypkg_with_folder not in new_manifest[pypkg]['rdepends'] and pypkg_with_folder != pypkg:
                                         new_manifest[pypkg]['rdepends'].append(pypkg_with_folder)
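Review bot: This message is left as a bare print ( while the rest of the patch moves to print_indent, so it will not line up with the surrounding output. While here, the unchanged loop header above it, "for folder_dep in old_manifest[...]['files'] or folder_dep in old_manifest[...]['cached']", parses as iterating over (files or (folder_dep in cached)), so the 'cached' list is never scanned and an empty 'files' list would make the loop fail. If both lists are meant to be searched, iterate over their concatenation.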
@@ -424,7 +435,7 @@
 
 if (repeated):
     error_msg = '\n\nERROR:\n'
-    error_msg += 'The following files are repeated (contained in more than one package),\n'
+    error_msg += 'The following files were found in more than one package),\n'
     error_msg += 'this is likely to happen when new files are introduced after an upgrade,\n'
     error_msg += 'please check which package should get it,\n modify the manifest accordingly and re-run the create_manifest task:\n'
     error_msg += '\n'.join(repeated)
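Review bot: The reworded string 'The following files were found in more than one package),\n' keeps the closing parenthesis from the old text but drops the opening one, so the error message now prints a stray ")". Remove the parenthesis.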
diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
index 6806f23..1f4c982 100644
--- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
+++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
@@ -3,14 +3,18 @@
 # them out, the output of this execution will have all dependencies
 # for a specific module, which will be parsed an dealt on create_manifest.py
 #
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29@gmail.com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
 
-# We can get a log per module, for all the dependencies that were found, but its messy.
-debug=False
 
 import sys
 import os
 
+# We can get a log per module, for all the dependencies that were found, but its messy.
+if '-d' in sys.argv:
+    debug = True
+else:
+    debug = False
+
 # We can get a list of the modules which are currently required to run python
 # so we run python-core and get its modules, we then import what we need
 # and check what modules are currently running, if we substract them from the
@@ -19,13 +23,13 @@
 # We use importlib to achieve this, so we also need to know what modules importlib needs
 import importlib
 
-core_deps=set(sys.modules)
+core_deps = set(sys.modules)
 
 def fix_path(dep_path):
     import os
     # We DONT want the path on our HOST system
-    pivot='recipe-sysroot-native'
-    dep_path=dep_path[dep_path.find(pivot)+len(pivot):]
+    pivot = 'recipe-sysroot-native'
+    dep_path = dep_path[dep_path.find(pivot)+len(pivot):]
 
     if '/usr/bin' in dep_path:
         dep_path = dep_path.replace('/usr/bin''${bindir}')
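Review bot: This hunk only adjusts spacing in fix_path(), but the context line right below it, dep_path.replace('/usr/bin''${bindir}'), is missing the comma between its two string literals. The adjacent literals are concatenated into a single argument, so the call raises TypeError whenever a path containing /usr/bin reaches it. Since the function is being touched for cleanup anyway, add the comma in the same change.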
@@ -46,8 +50,8 @@
 
 # Module to import was passed as an argument
 current_module =  str(sys.argv[1]).rstrip()
-if(debug==True):
-    log = open('log_%s' % current_module,'w')
+if debug == True:
+    log = open('temp/log_%s' % current_module.strip('.*'),'w')
     log.write('Module %s generated the following dependencies:\n' % current_module)
 try:
     m = importlib.import_module(current_module)
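Review bot: The log path 'temp/log_%s' % current_module.strip('.*') is built from a command-line argument, and strip('.*') only removes leading and trailing '.' and '*' characters; it does not remove path separators or anything in the middle of the name. Reduce the name to a safe basename (for example keep only alphanumerics, '_' and '.') before using it in a path. The open() also assumes a temp/ directory exists in the current working directory and will raise if it does not, so either create it or document the requirement, and consider a with block so the file is closed on every exit path.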
@@ -63,13 +67,13 @@
             except:
                 pass # ignore all import or other exceptions raised during import
 except ImportError as e:
-    if (debug==True):
-        log.write('Module was not found')
+    if debug == True:
+        log.write('Module was not found\n')
     pass
 
 
 # Get current module dependencies, dif will contain a list of specific deps for this module
-module_deps=set(sys.modules)
+module_deps = set(sys.modules)
 
 # We handle the core package (1st pass on create_manifest.py) as a special case
 if current_module == 'python-core-package':
@@ -81,14 +85,18 @@
 
 # Check where each dependency came from
 for item in dif:
-    dep_path=''
+    # Main module returns script filename, __main matches mp_main__ as well
+    if 'main__' in item:
+        continue
+
+    dep_path = ''
     try:
-        if (debug==True):
-            log.write('Calling: sys.modules[' + '%s' % item + '].__file__\n')
+        if debug == True:
+            log.write('\nCalling: sys.modules[' + '%s' % item + '].__file__\n')
         dep_path = sys.modules['%s' % item].__file__
     except AttributeError as e:
         # Deals with thread (builtin module) not having __file__ attribute
-        if debug==True:
+        if debug == True:
             log.write(item + ' ')
             log.write(str(e))
             log.write('\n')
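Review bot: The new filter "if 'main__' in item: continue" is a substring test, so it skips any module whose name merely contains main__, not only the two entries the comment refers to. Compare against the exact names instead, e.g. item in ('__main__', '__mp_main__'), and reword the comment, which currently reads "__main matches mp_main__ as well" and is hard to parse.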
@@ -96,11 +104,16 @@
     except NameError as e:
         # Deals with NameError: name 'dep_path' is not defined
         # because module is not found (wasn't compiled?), e.g. bddsm
-        if (debug==True):
+        if debug == True:
             log.write(item+' ') 
             log.write(str(e))                                              
         pass
 
+    if dep_path == '':
+        continue
+    if debug == True:
+        log.write('Dependency path found:\n%s\n' % dep_path)
+
     # Site-customize is a special case since we (OpenEmbedded) put it there manually
     if 'sitecustomize' in dep_path:
         dep_path = '${libdir}/python${PYTHON_MAJMIN}/sitecustomize.py'
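Review bot: The new guard "if dep_path == '': continue" only covers the case where the lookup raised and dep_path kept its initial value. A module's __file__ can also be None (namespace packages), and then the next line, 'sitecustomize' in dep_path, raises TypeError. Using "if not dep_path: continue" covers both cases.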
@@ -111,52 +124,51 @@
     dep_path = fix_path(dep_path)
 
     import sysconfig
-    soabi=sysconfig.get_config_var('SOABI')
+    soabi = sysconfig.get_config_var('SOABI')
     # Check if its a shared library and deconstruct it
     if soabi in dep_path:
-        if (debug==True):
-            log.write('Shared library found in %s' % dep_path)
+        if debug == True:
+            log.write('Shared library found in %s\n' % dep_path)
         dep_path = dep_path.replace(soabi,'*')
         print (dep_path)
         continue
     if "_sysconfigdata" in dep_path:
         dep_path = dep_path.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
 
-    if (debug==True):
+    if debug == True:
         log.write(dep_path+'\n')
     # Prints out result, which is what will be used by create_manifest
     print (dep_path)
 
 
-    import imp
-    cpython_tag = imp.get_tag() 
-    cached=''
+    cpython_tag = sys.implementation.cache_tag
+    cached = ''
     # Theres no naive way to find *.pyc files on python3
     try:
-        if (debug==True):
-            log.write('Calling: sys.modules[' + '%s' % item + '].__cached__\n')
+        if debug == True:
+            log.write('\nCalling: sys.modules[' + '%s' % item + '].__cached__\n')
         cached = sys.modules['%s' % item].__cached__
     except AttributeError as e:
         # Deals with thread (builtin module) not having __cached__ attribute
-        if debug==True:
+        if debug == True:
             log.write(item + ' ')
             log.write(str(e))
             log.write('\n')
         pass
     except NameError as e:
         # Deals with NameError: name 'cached' is not defined
-        if (debug==True):
+        if debug == True:
             log.write(item+' ') 
             log.write(str(e))                                              
         pass
     if cached is not None:
-        if (debug==True):
-            log.write(cached)
+        if debug == True:
+            log.write(cached + '\n')
         cached = fix_path(cached)
         cached = cached.replace(cpython_tag,'*')
         if "_sysconfigdata" in cached:
             cached = cached.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
         print (cached)
 
-if debug==True:
+if debug == True:
     log.close()
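Review bot: cached is initialised to '' but the guard further down is "if cached is not None", so when the __cached__ lookup raises AttributeError the empty string still goes through fix_path() and an empty line is printed. Test "if cached:" instead, matching what the earlier dep_path check is trying to do. Smaller points in the same hunk: "import sysconfig" sits inside the for loop and can move to the top with the other imports, and the repeated "if debug == True:" reads better as "if debug:".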
diff --git a/poky/meta/recipes-devtools/python/python3_3.9.2.bb b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
similarity index 98%
rename from poky/meta/recipes-devtools/python/python3_3.9.2.bb
rename to poky/meta/recipes-devtools/python/python3_3.9.4.bb
index fd11723..cb371ce 100644
--- a/poky/meta/recipes-devtools/python/python3_3.9.2.bb
+++ b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
@@ -38,7 +38,7 @@
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "3c2034c54f811448f516668dce09d24008a0716c3a794dd8639b5388cbde247d"
+SRC_URI[sha256sum] = "4b0e6644a76f8df864ae24ac500a51bbf68bd098f6a173e27d3b61cdca9aa134"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -69,7 +69,7 @@
 ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
 
 
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive-native"
 DEPENDS_append_class-target = " python3-native"
 DEPENDS_append_class-nativesdk = " python3-native"
 
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index a625809..8b8cecd 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,32 @@
            file://determinism.patch \
            file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
 	   file://CVE-2021-20203.patch \
+           file://CVE-2020-35517_1.patch \
+           file://CVE-2020-35517_2.patch \
+           file://CVE-2020-35517_3.patch \
+           file://CVE-2021-20181.patch \
+           file://CVE-2020-29443.patch \
+           file://CVE-2021-20221.patch \
+           file://CVE-2021-3409_1.patch \
+           file://CVE-2021-3409_2.patch \
+           file://CVE-2021-3409_3.patch \
+           file://CVE-2021-3409_4.patch \
+           file://CVE-2021-3409_5.patch \
+           file://CVE-2021-3409_6.patch \
+           file://CVE-2021-3416_1.patch \
+           file://CVE-2021-3416_2.patch \
+           file://CVE-2021-3416_3.patch \
+           file://CVE-2021-3416_4.patch \
+           file://CVE-2021-3416_5.patch \
+           file://CVE-2021-3416_6.patch \
+           file://CVE-2021-3416_7.patch \
+           file://CVE-2021-3416_8.patch \
+           file://CVE-2021-3416_9.patch \
+           file://CVE-2021-3416_10.patch \
+           file://CVE-2021-20257.patch \
+           file://CVE-2020-27821.patch \
+           file://CVE-2021-20263.patch \
+           file://CVE-2021-3392.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000..58622f0
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,143 @@
+From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 09:29:56 -0500
+Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
+ MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+    /* MMIO registers can be expected to perform full-width accesses based only
+     * on their address, without considering adjacent registers that could
+     * decode to completely different MemoryRegions.  When such registers
+     * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+     * regions overlap wildly.  For this reason we cannot clamp the accesses
+     * here.
+     *
+     * If the length is small (as is the case for address_space_ldl/stl),
+     * everything works fine.  If the incoming length is large, however,
+     * the caller really has to do the clamping through memory_access_size.
+     */
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section.  This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c       | 10 ++++++++
+ tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3027747c0..2cd1de4a2 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     AddressSpaceDispatch *d;
+     hwaddr l;
+     MemoryRegion *mr;
++    Int128 diff;
+ 
+     assert(len > 0);
+ 
+@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     d = flatview_to_dispatch(cache->fv);
+     cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+ 
++    /*
++     * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++     * Take that into account to compute how many bytes are there between
++     * cache->xlat and the end of the section.
++     */
++    diff = int128_sub(cache->mrs.size,
++		      int128_make64(cache->xlat - cache->mrs.offset_within_region));
++    l = int128_get64(int128_min(diff, int128_make64(l)));
++
+     mr = cache->mrs.mr;
+     memory_region_ref(mr);
+     if (memory_access_is_direct(mr, is_write)) {
+diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
+index 9cb4c42bd..28739248e 100644
+--- a/tests/qtest/fuzz-test.c
++++ b/tests/qtest/fuzz-test.c
+@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
+     qtest_outl(s, 0x5d02, 0xebed205d);
+ }
+ 
++/*
++ * Here a MemoryRegionCache pointed to an MMIO region but had a
++ * larger size than the underlying region.
++ */
++static void test_mmio_oob_from_memory_region_cache(void)
++{
++    QTestState *s;
++
++    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
++		   "-device virtio-scsi,num_queues=8,addr=03.0 ");
++
++    qtest_outl(s, 0xcf8, 0x80001811);
++    qtest_outb(s, 0xcfc, 0x6e);
++    qtest_outl(s, 0xcf8, 0x80001824);
++    qtest_outl(s, 0xcf8, 0x80001813);
++    qtest_outl(s, 0xcfc, 0xa080000);
++    qtest_outl(s, 0xcf8, 0x80001802);
++    qtest_outl(s, 0xcfc, 0x5a175a63);
++    qtest_outb(s, 0x6e08, 0x9e);
++    qtest_writeb(s, 0x9f003, 0xff);
++    qtest_writeb(s, 0x9f004, 0x01);
++    qtest_writeb(s, 0x9e012, 0x0e);
++    qtest_writeb(s, 0x9e01b, 0x0e);
++    qtest_writeb(s, 0x9f006, 0x01);
++    qtest_writeb(s, 0x9f008, 0x01);
++    qtest_writeb(s, 0x9f00a, 0x01);
++    qtest_writeb(s, 0x9f00c, 0x01);
++    qtest_writeb(s, 0x9f00e, 0x01);
++    qtest_writeb(s, 0x9f010, 0x01);
++    qtest_writeb(s, 0x9f012, 0x01);
++    qtest_writeb(s, 0x9f014, 0x01);
++    qtest_writeb(s, 0x9f016, 0x01);
++    qtest_writeb(s, 0x9f018, 0x01);
++    qtest_writeb(s, 0x9f01a, 0x01);
++    qtest_writeb(s, 0x9f01c, 0x01);
++    qtest_writeb(s, 0x9f01e, 0x01);
++    qtest_writeb(s, 0x9f020, 0x01);
++    qtest_writeb(s, 0x9f022, 0x01);
++    qtest_writeb(s, 0x9f024, 0x01);
++    qtest_writeb(s, 0x9f026, 0x01);
++    qtest_writeb(s, 0x9f028, 0x01);
++    qtest_writeb(s, 0x9f02a, 0x01);
++    qtest_writeb(s, 0x9f02c, 0x01);
++    qtest_writeb(s, 0x9f02e, 0x01);
++    qtest_writeb(s, 0x9f030, 0x01);
++    qtest_outb(s, 0x6e10, 0x00);
++    qtest_quit(s);
++}
++
+ int main(int argc, char **argv)
+ {
+     const char *arch = qtest_get_arch();
+@@ -58,6 +107,8 @@ int main(int argc, char **argv)
+                        test_lp1878263_megasas_zero_iov_cnt);
+         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
+                        test_lp1878642_pci_bus_get_irq_level_assert);
++        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
++                       test_mmio_oob_from_memory_region_cache);
+     }
+ 
+     return g_test_run();
+-- 
+2.29.2
+
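Review bot: The Subject line marks this as "[PATCH 1/2]", but qemu.inc adds only a single CVE-2020-27821.patch. Please state in the patch header whether the second patch of the upstream series is needed for the fix or was deliberately left out. In address_space_cache_init, the subtraction cache->xlat - cache->mrs.offset_within_region relies on xlat never being below the section's offset; the added comment explains what is being computed but not why that holds, and one sentence on that invariant would help. The continuation lines of the int128_sub() call and of the qtest_init() string are indented with tabs while the rest of the hunk uses spaces.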
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000..c72324f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
+From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Jan 2021 17:21:30 +0530
+Subject: [PATCH] ide: atapi: check logical block address and read size
+ (CVE-2020-29443)
+
+While processing ATAPI cmd_read/cmd_read_cd commands,
+Logical Block Address (LBA) maybe invalid OR closer to the last block,
+leading to an OOB access issues. Add range check to avoid it.
+
+Fixes: CVE-2020-29443
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
+CVE: CVE-2020-29443
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index e79157863..b626199e3 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
+ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->elementary_transfer_size = 0;
+@@ -420,6 +422,8 @@ eot:
+ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->io_buffer_size = 0;
+@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
+ 
+ static void cmd_read(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba;
++    unsigned int nb_sectors, lba;
++
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
+     if (buf[0] == GPCMD_READ_10) {
+         nb_sectors = lduw_be_p(buf + 7);
+     } else {
+         nb_sectors = ldl_be_p(buf + 6);
+     }
+-
+-    lba = ldl_be_p(buf + 2);
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
+ }
+ 
+ static void cmd_read_cd(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba, transfer_request;
++    unsigned int nb_sectors, lba, transfer_request;
+ 
+-    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+-    lba = ldl_be_p(buf + 2);
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
++    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     transfer_request = buf[9] & 0xf8;
+     if (transfer_request == 0x00) {
+         /* nothing */
+-- 
+2.29.2
+
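Review bot: In cmd_read() and cmd_read_cd(), the end-of-range test `lba + nb_sectors - 1 >= total_sectors` is evaluated in 32-bit unsigned arithmetic, because both operands are `unsigned int` and only the result is widened for the comparison with the `uint64_t total_sectors`. In the non-READ_10 branch of cmd_read(), nb_sectors is loaded with ldl_be_p() as a full 32-bit value, so the sum can wrap and pass the check. The first clause already establishes `lba < total_sectors`, so the second can be written as `nb_sectors > total_sectors - lba`, or one operand can be cast to uint64_t before the addition. Separately, the assert() added to ide_atapi_cmd_read_pio() and ide_atapi_cmd_read_dma() covers only the starting lba, not lba plus nb_sectors, and it aborts the whole process if any caller reaches it with an unchecked value, so confirm that every caller validates the range first.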
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
new file mode 100644
index 0000000..73a4cb2
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
@@ -0,0 +1,153 @@
+From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:06 +0000
+Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open()
+
+Both lo_open() and lo_create() have similar code to open a file. Extract
+a common lo_do_open() function from lo_open() that will be used by
+lo_create() in a later commit.
+
+Since lo_do_open() does not otherwise need fuse_req_t req, convert
+lo_add_fd_mapping() to use struct lo_data *lo instead.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++---------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 5fb36d9..f14fa51 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
+ }
+ 
+ /* Assumes lo->mutex is held */
+-static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
++static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
+ {
+     struct lo_map_elem *elem;
+ 
+-    elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
++    elem = lo_map_alloc_elem(&lo->fd_map);
+     if (!elem) {
+         return -1;
+     }
+ 
+     elem->fd = fd;
+-    return elem - lo_data(req)->fd_map.elems;
++    return elem - lo->fd_map.elems;
+ }
+ 
+ /* Assumes lo->mutex is held */
+@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io,
+     }
+ }
+ 
++static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
++                      struct fuse_file_info *fi)
++{
++    char buf[64];
++    ssize_t fh;
++    int fd;
++
++    update_open_flags(lo->writeback, lo->allow_direct_io, fi);
++
++    sprintf(buf, "%i", inode->fd);
++    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
++    if (fd == -1) {
++        return errno;
++    }
++
++    pthread_mutex_lock(&lo->mutex);
++    fh = lo_add_fd_mapping(lo, fd);
++    pthread_mutex_unlock(&lo->mutex);
++    if (fh == -1) {
++        close(fd);
++        return ENOMEM;
++    }
++
++    fi->fh = fh;
++    if (lo->cache == CACHE_NONE) {
++        fi->direct_io = 1;
++    } else if (lo->cache == CACHE_ALWAYS) {
++        fi->keep_cache = 1;
++    }
++    return 0;
++}
++
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+                       mode_t mode, struct fuse_file_info *fi)
+ {
+@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+         ssize_t fh;
+ 
+         pthread_mutex_lock(&lo->mutex);
+-        fh = lo_add_fd_mapping(req, fd);
++        fh = lo_add_fd_mapping(lo, fd);
+         pthread_mutex_unlock(&lo->mutex);
+         if (fh == -1) {
+             close(fd);
+@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
+ 
+ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ {
+-    int fd;
+-    ssize_t fh;
+-    char buf[64];
+     struct lo_data *lo = lo_data(req);
++    struct lo_inode *inode = lo_inode(req, ino);
++    int err;
+ 
+     fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
+              fi->flags);
+ 
+-    update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+-
+-    sprintf(buf, "%i", lo_fd(req, ino));
+-    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+-    if (fd == -1) {
+-        return (void)fuse_reply_err(req, errno);
+-    }
+-
+-    pthread_mutex_lock(&lo->mutex);
+-    fh = lo_add_fd_mapping(req, fd);
+-    pthread_mutex_unlock(&lo->mutex);
+-    if (fh == -1) {
+-        close(fd);
+-        fuse_reply_err(req, ENOMEM);
++    if (!inode) {
++        fuse_reply_err(req, EBADF);
+         return;
+     }
+ 
+-    fi->fh = fh;
+-    if (lo->cache == CACHE_NONE) {
+-        fi->direct_io = 1;
+-    } else if (lo->cache == CACHE_ALWAYS) {
+-        fi->keep_cache = 1;
++    err = lo_do_open(lo, inode, fi);
++    lo_inode_put(lo, &inode);
++    if (err) {
++        fuse_reply_err(req, err);
++    } else {
++        fuse_reply_open(req, fi);
+     }
+-    fuse_reply_open(req, fi);
+ }
+ 
+ static void lo_release(fuse_req_t req, fuse_ino_t ino,
+-- 
+1.8.3.1
+
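Review bot: lo_do_open() is introduced without a comment stating its contract. It returns 0 or a positive errno (`return errno;`, `return ENOMEM;`), takes lo->mutex itself around lo_add_fd_mapping(), and leaves the inode reference with the caller; lo_open() now depends on all three (`lo_inode_put(lo, &inode);` followed by `fuse_reply_err(req, err)`). A short header comment would make that explicit. The helper also carries over `openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW)` with no file-type test, so this refactor closes nothing on its own and has to ship together with CVE-2020-35517_3.patch. While the code is being moved, `sprintf(buf, "%i", inode->fd)` could become snprintf() with sizeof(buf).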
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
new file mode 100644
index 0000000..bf11bdb
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
@@ -0,0 +1,117 @@
+From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:07 +0000
+Subject: [PATCH] virtiofsd: optionally return inode pointer from
+ lo_do_lookup()
+
+lo_do_lookup() finds an existing inode or allocates a new one. It
+increments nlookup so that the inode stays alive until the client
+releases it.
+
+Existing callers don't need the struct lo_inode so the function doesn't
+return it. Extend the function to optionally return the inode. The next
+commit will need it.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index f14fa51..aa35fc6 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname,
+ }
+ 
+ /*
+- * Increments nlookup and caller must release refcount using
+- * lo_inode_put(&parent).
++ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
++ * called eventually to decrement nlookup again. If inodep is non-NULL, the
++ * inode pointer is stored and the caller must call lo_inode_put().
+  */
+ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+-                        struct fuse_entry_param *e)
++                        struct fuse_entry_param *e,
++                        struct lo_inode **inodep)
+ {
+     int newfd;
+     int res;
+@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+     struct lo_inode *inode = NULL;
+     struct lo_inode *dir = lo_inode(req, parent);
+ 
++    if (inodep) {
++        *inodep = NULL;
++    }
++
+     /*
+      * name_to_handle_at() and open_by_handle_at() can reach here with fuse
+      * mount point in guest, but we don't have its inode info in the
+@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+         pthread_mutex_unlock(&lo->mutex);
+     }
+     e->ino = inode->fuse_ino;
+-    lo_inode_put(lo, &inode);
++
++    /* Transfer ownership of inode pointer to caller or drop it */
++    if (inodep) {
++        *inodep = inode;
++    } else {
++        lo_inode_put(lo, &inode);
++    }
++
+     lo_inode_put(lo, &dir);
+ 
+     fuse_log(FUSE_LOG_DEBUG, "  %lli/%s -> %lli\n", (unsigned long long)parent,
+@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+         return;
+     }
+ 
+-    err = lo_do_lookup(req, parent, name, &e);
++    err = lo_do_lookup(req, parent, name, &e, NULL);
+     if (err) {
+         fuse_reply_err(req, err);
+     } else {
+@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
+         goto out;
+     }
+ 
+-    saverr = lo_do_lookup(req, parent, name, &e);
++    saverr = lo_do_lookup(req, parent, name, &e, NULL);
+     if (saverr) {
+         goto out;
+     }
+@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
+ 
+         if (plus) {
+             if (!is_dot_or_dotdot(name)) {
+-                err = lo_do_lookup(req, ino, name, &e);
++                err = lo_do_lookup(req, ino, name, &e, NULL);
+                 if (err) {
+                     goto error;
+                 }
+@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+         }
+ 
+         fi->fh = fh;
+-        err = lo_do_lookup(req, parent, name, &e);
++        err = lo_do_lookup(req, parent, name, &e, NULL);
+     }
+     if (lo->cache == CACHE_NONE) {
+         fi->direct_io = 1;
+-- 
+1.8.3.1
+
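Review bot: The rewritten comment above lo_do_lookup() does not say what *inodep holds on failure. The code sets `*inodep = NULL` on entry, so a caller that passes inodep sees NULL on every error path, and the comment should say so to keep callers from dereferencing it after a non-zero return. It would also help to spell out that such a caller ends up with two separate things to release, the nlookup count via unref_inode_lolocked() and the inode reference via lo_inode_put(), since the comment currently mentions them in one sentence without saying that both apply at once. All call sites touched here pass NULL, so behaviour is unchanged by this patch alone.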
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
new file mode 100644
index 0000000..f348f3f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
@@ -0,0 +1,303 @@
+From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:08 +0000
+Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
+
+A well-behaved FUSE client does not attempt to open special files with
+FUSE_OPEN because they are handled on the client side (e.g. device nodes
+are handled by client-side device drivers).
+
+The check to prevent virtiofsd from opening special files is missing in
+a few cases, most notably FUSE_OPEN. A malicious client can cause
+virtiofsd to open a device node, potentially allowing the guest to
+escape. This can be exploited by a modified guest device driver. It is
+not exploitable from guest userspace since the guest kernel will handle
+special files inside the guest instead of sending FUSE requests.
+
+This patch fixes this issue by introducing the lo_inode_open() function
+to check the file type before opening it. This is a short-term solution
+because it does not prevent a compromised virtiofsd process from opening
+device nodes on the host.
+
+Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
+| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
+necessary here. If the file exists and the user did not specify O_EXCL,
+open it via lo_do_open().
+
+Reported-by: Alex Xu <alex@alxu.ca>
+Fixes: CVE-2020-35517
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
+ 1 file changed, 92 insertions(+), 52 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index aa35fc6ba5a5..147b59338a18 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
+     return fd;
+ }
+ 
++/*
++ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
++ * regular file or a directory.
++ *
++ * Use this helper function instead of raw openat(2) to prevent security issues
++ * when a malicious client opens special files such as block device nodes.
++ * Symlink inodes are also rejected since symlinks must already have been
++ * traversed on the client side.
++ */
++static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
++                         int open_flags)
++{
++    g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
++    int fd;
++
++    if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
++        return -EBADF;
++    }
++
++    /*
++     * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
++     * that the inode is not a special file but if an external process races
++     * with us then symlinks are traversed here. It is not possible to escape
++     * the shared directory since it is mounted as "/" though.
++     */
++    fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
++    if (fd < 0) {
++        return -errno;
++    }
++    return fd;
++}
++
+ static void lo_init(void *userdata, struct fuse_conn_info *conn)
+ {
+     struct lo_data *lo = (struct lo_data *)userdata;
+@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         if (fi) {
+             truncfd = fd;
+         } else {
+-            sprintf(procname, "%i", ifd);
+-            truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
++            truncfd = lo_inode_open(lo, inode, O_RDWR);
+             if (truncfd < 0) {
++                errno = -truncfd;
+                 goto out_err;
+             }
+         }
+@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+     struct lo_inode *dir = lo_inode(req, parent);
+ 
+     if (inodep) {
+-        *inodep = NULL;
++        *inodep = NULL; /* in case there is an error */
+     }
+ 
+     /*
+@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
+     }
+ }
+ 
++/*
++ * Open a regular file, set up an fd mapping, and fill out the struct
++ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
++ * opening a new one. Takes ownership of existing_fd.
++ *
++ * Returns 0 on success or a positive errno.
++ */
+ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+-                      struct fuse_file_info *fi)
++                      int existing_fd, struct fuse_file_info *fi)
+ {
+-    char buf[64];
+     ssize_t fh;
+-    int fd;
++    int fd = existing_fd;
+ 
+     update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+ 
+-    sprintf(buf, "%i", inode->fd);
+-    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+-    if (fd == -1) {
+-        return errno;
++    if (fd < 0) {
++        fd = lo_inode_open(lo, inode, fi->flags);
++        if (fd < 0) {
++            return -fd;
++        }
+     }
+ 
+     pthread_mutex_lock(&lo->mutex);
+@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+                       mode_t mode, struct fuse_file_info *fi)
+ {
+-    int fd;
++    int fd = -1;
+     struct lo_data *lo = lo_data(req);
+     struct lo_inode *parent_inode;
++    struct lo_inode *inode = NULL;
+     struct fuse_entry_param e;
+     int err;
+     struct lo_cred old = {};
+@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ 
+     update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+ 
+-    fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
+-                mode);
++    /* Try to create a new file but don't open existing files */
++    fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
+     err = fd == -1 ? errno : 0;
+-    lo_restore_cred(&old);
+ 
+-    if (!err) {
+-        ssize_t fh;
++    lo_restore_cred(&old);
+ 
+-        pthread_mutex_lock(&lo->mutex);
+-        fh = lo_add_fd_mapping(lo, fd);
+-        pthread_mutex_unlock(&lo->mutex);
+-        if (fh == -1) {
+-            close(fd);
+-            err = ENOMEM;
+-            goto out;
+-        }
++    /* Ignore the error if file exists and O_EXCL was not given */
++    if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
++        goto out;
++    }
+ 
+-        fi->fh = fh;
+-        err = lo_do_lookup(req, parent, name, &e, NULL);
++    err = lo_do_lookup(req, parent, name, &e, &inode);
++    if (err) {
++        goto out;
+     }
+-    if (lo->cache == CACHE_NONE) {
+-        fi->direct_io = 1;
+-    } else if (lo->cache == CACHE_ALWAYS) {
+-        fi->keep_cache = 1;
++
++    err = lo_do_open(lo, inode, fd, fi);
++    fd = -1; /* lo_do_open() takes ownership of fd */
++    if (err) {
++        /* Undo lo_do_lookup() nlookup ref */
++        unref_inode_lolocked(lo, inode, 1);
+     }
+ 
+ out:
++    lo_inode_put(lo, &inode);
+     lo_inode_put(lo, &parent_inode);
+ 
+     if (err) {
++        if (fd >= 0) {
++            close(fd);
++        }
++
+         fuse_reply_err(req, err);
+     } else {
+         fuse_reply_create(req, &e, fi);
+@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+                                                       pid_t pid, int *err)
+ {
+     struct lo_inode_plock *plock;
+-    char procname[64];
+     int fd;
+ 
+     plock =
+@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+     }
+ 
+     /* Open another instance of file which can be used for ofd locks. */
+-    sprintf(procname, "%i", inode->fd);
+-
+     /* TODO: What if file is not writable? */
+-    fd = openat(lo->proc_self_fd, procname, O_RDWR);
+-    if (fd == -1) {
+-        *err = errno;
++    fd = lo_inode_open(lo, inode, O_RDWR);
++    if (fd < 0) {
++        *err = -fd;
+         free(plock);
+         return NULL;
+     }
+@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+         return;
+     }
+ 
+-    err = lo_do_open(lo, inode, fi);
++    err = lo_do_open(lo, inode, -1, fi);
+     lo_inode_put(lo, &inode);
+     if (err) {
+         fuse_reply_err(req, err);
+@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
+                      struct fuse_file_info *fi)
+ {
++    struct lo_inode *inode = lo_inode(req, ino);
++    struct lo_data *lo = lo_data(req);
+     int res;
+     int fd;
+-    char *buf;
+ 
+     fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
+              (void *)fi);
+ 
+-    if (!fi) {
+-        struct lo_data *lo = lo_data(req);
+-
+-        res = asprintf(&buf, "%i", lo_fd(req, ino));
+-        if (res == -1) {
+-            return (void)fuse_reply_err(req, errno);
+-        }
++    if (!inode) {
++        fuse_reply_err(req, EBADF);
++        return;
++    }
+ 
+-        fd = openat(lo->proc_self_fd, buf, O_RDWR);
+-        free(buf);
+-        if (fd == -1) {
+-            return (void)fuse_reply_err(req, errno);
++    if (!fi) {
++        fd = lo_inode_open(lo, inode, O_RDWR);
++        if (fd < 0) {
++            res = -fd;
++            goto out;
+         }
+     } else {
+         fd = lo_fi_fd(req, fi);
+     }
+ 
+     if (datasync) {
+-        res = fdatasync(fd);
++        res = fdatasync(fd) == -1 ? errno : 0;
+     } else {
+-        res = fsync(fd);
++        res = fsync(fd) == -1 ? errno : 0;
+     }
+     if (!fi) {
+         close(fd);
+     }
+-    fuse_reply_err(req, res == -1 ? errno : 0);
++out:
++    lo_inode_put(lo, &inode);
++    fuse_reply_err(req, res);
+ }
+ 
+ static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
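Review bot: In lo_do_open(), the file-type check in lo_inode_open() is skipped whenever existing_fd is not negative (`int fd = existing_fd;` then `if (fd < 0)`), and the function comment does not state the precondition that makes this safe. The only caller in this patch that passes an fd is lo_create(), with one obtained from `fi->flags | O_CREAT | O_EXCL`, so the fd always refers to a file that was just created; say in the comment that existing_fd must come from such a call, so a later caller does not hand in an fd to an arbitrary inode and bypass the check. Two wording points in the same patch: the lo_do_open() comment reads "use that fd instead opening a new one" and is missing "of", and the lo_inode_open() comment "The file is a symlink so O_NOFOLLOW must be ignored" is confusing right after symlink inodes are rejected, since it refers to the /proc/self/fd entry rather than the inode.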
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000..1b8c77f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+  fid down and cause the reference to be stale. This leads to a
+  use-after-free error that can be detected with ASAN, using a
+  custom 9p client
+- fids are added at the head of the list : restarting from the
+  previous head will always miss fids added by a some other
+  potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+     int err;
+     V9fsState *s = pdu->s;
+-    V9fsFidState *fidp, head_fid;
++    V9fsFidState *fidp;
+ 
+-    head_fid.next = s->fid_list;
++again:
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {
+             continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+              * switched to the worker thread
+              */
+             if (err == 0) {
+-                fidp = &head_fid;
++                goto again;
+             }
+         }
+     }
+-- 
+2.29.2
+
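Review bot: The `again:` label in v9fs_mark_fids_unreclaim() has no comment, and the reasoning for restarting from `s->fid_list` lives only in the commit message (fids are added at the head of the list, and a kept reference to the old head can go stale after a clunk). A two-line comment at the label would keep someone from reintroducing a saved cursor later. The restart also makes termination depend on an already processed fid not taking the `err == 0` path again on the next pass; the lines that guarantee this are outside the hunk, so it is worth confirming and mentioning in that comment. Note that each successful re-open now rescans the whole list, which is fine for a bug fix but is quadratic in the number of matching fids.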
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000..d762a51
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,70 @@
+From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]
+CVE: CVE-2021-20221
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index c60dc6b5e..fbde60de0 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.29.2
+
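Review bot: The new mask in gic_dist_writel(), `irq = value & 0xf;`, is a bare constant at the point where a guest-written register value becomes an array index. Add a comment or a named mask tying it to the 4-bit SGIINTID field of GICD_SGIR that the commit message cites, so the width is not widened again by mistake. The qtest command quoted in the commit message is a ready-made reproducer and would make a good regression test to carry with the fix.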
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000..7175b24
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+            if (tp->size + bytes > msh)
+                bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+-- 
+2.29.2
+
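Review bot: The early exit added to process_tx_desc(), `if (tp->size >= msh) { goto eop; }`, has no comment, although it exists only to protect the subtraction two lines below it (`bytes = msh - tp->size;`). A comment should say that tp->size can reach msh when a data descriptor is chained with a legacy descriptor, as the commit message explains, and that the subtraction would otherwise underflow. It is also worth checking the state the `eop:` path leaves behind: the jump skips `tp->size += split_size`, so when E1000_TXD_CMD_EOP is not set the function returns with tp->size still at or above msh, and the next descriptor takes the same exit until one with EOP arrives.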
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
new file mode 100644
index 0000000..4f9a91f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
@@ -0,0 +1,214 @@
+From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Wed, 24 Feb 2021 19:56:25 +0000
+Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as
+ needed
+
+On Linux, the 'security.capability' xattr holds a set of
+capabilities that can change when an executable is run, giving
+a limited form of privilege escalation to those programs that
+the writer of the file deemed worthy.
+
+Any write causes the 'security.capability' xattr to be dropped,
+stopping anyone from gaining privilege by modifying a blessed
+file.
+
+Fuse relies on the daemon to do this dropping, and in turn the
+daemon relies on the host kernel to drop the xattr for it.  However,
+with the addition of -o xattrmap, the xattr that the guest
+stores its capabilities in is now not the same as the one that
+the host kernel automatically clears.
+
+Where the mapping changes 'security.capability', explicitly clear
+the remapped name to preserve the same behaviour.
+
+This bug is assigned CVE-2021-20263.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+
+Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846]
+CVE: CVE-2021-20263
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ docs/tools/virtiofsd.rst         |  4 ++
+ tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 1 deletion(-)
+
+diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
+index 866b7db3e..00554c75b 100644
+--- a/docs/tools/virtiofsd.rst
++++ b/docs/tools/virtiofsd.rst
+@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
+ to the matched **key** (or all attributes if **key** is empty).
+ There may be at most one 'map' rule and it must be the last rule in the set.
+ 
++Note: When the 'security.capability' xattr is remapped, the daemon has to do
++extra work to remove it during many operations, which the host kernel normally
++does itself.
++
+ xattr-mapping Examples
+ ----------------------
+ 
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 03c5e0d13..c9197da86 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -160,6 +160,7 @@ struct lo_data {
+     int posix_lock;
+     int xattr;
+     char *xattrmap;
++    char *xattr_security_capability;
+     char *source;
+     char *modcaps;
+     double timeout;
+@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
+ 
+ static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
+                                 uint64_t mnt_id);
++static int xattr_map_client(const struct lo_data *lo, const char *client_name,
++                            char **out_name);
+ 
+ static int is_dot_or_dotdot(const char *name)
+ {
+@@ -365,6 +368,37 @@ out:
+     return ret;
+ }
+ 
++/*
++ * The host kernel normally drops security.capability xattr's on
++ * any write, however if we're remapping xattr names we need to drop
++ * whatever the clients security.capability is actually stored as.
++ */
++static int drop_security_capability(const struct lo_data *lo, int fd)
++{
++    if (!lo->xattr_security_capability) {
++        /* We didn't remap the name, let the host kernel do it */
++        return 0;
++    }
++    if (!fremovexattr(fd, lo->xattr_security_capability)) {
++        /* All good */
++        return 0;
++    }
++
++    switch (errno) {
++    case ENODATA:
++        /* Attribute didn't exist, that's fine */
++        return 0;
++
++    case ENOTSUP:
++        /* FS didn't support attribute anyway, also fine */
++        return 0;
++
++    default:
++        /* Hmm other error */
++        return errno;
++    }
++}
++
+ static void lo_map_init(struct lo_map *map)
+ {
+     map->elems = NULL;
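Review bot: the comment above drop_security_capability() only says the xattr is dropped "on any write", but the hunks that follow call it from lo_setattr (chown and truncate), from lo_do_open with O_TRUNC and from lo_write_buf. List the operations that must call it in the comment, so a later handler that modifies file data is not added without the call. The comment also has two typos: "xattr's" should be "xattrs" and "clients" should be "client's".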
+@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
+         gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
+ 
++        saverr = drop_security_capability(lo, ifd);
++        if (saverr) {
++            goto out_err;
++        }
++
+         res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+         if (res == -1) {
+             goto out_err;
+@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+             }
+         }
+ 
++	saverr = drop_security_capability(lo, truncfd);
++        if (saverr) {
++            if (!fi) {
++                close(truncfd);
++            }
++            goto out_err;
++        }
++
+         res = ftruncate(truncfd, attr->st_size);
+         if (!fi) {
+             saverr = errno;
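Review bot: the added line "saverr = drop_security_capability(lo, truncfd);" is indented with a tab, while every other line in this hunk uses spaces. Replace the tab with eight spaces so the call lines up with the "if (saverr)" that follows it.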
+@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+         if (fd < 0) {
+             return -fd;
+         }
++        if (fi->flags & (O_TRUNC)) {
++            int err = drop_security_capability(lo, fd);
++            if (err) {
++                close(fd);
++                return err;
++            }
++        }
+     }
+ 
+     pthread_mutex_lock(&lo->mutex);
+@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
+              "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
+              out_buf.buf[0].size, (unsigned long)off);
+ 
++    res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
++    if (res) {
++        fuse_reply_err(req, res);
++        return;
++    }
++
+     /*
+      * If kill_priv is set, drop CAP_FSETID which should lead to kernel
+      * clearing setuid/setgid on file.
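Review bot: in lo_write_buf the call to drop_security_capability() runs on every write request, so with a remapped security.capability each guest write costs an extra fremovexattr() on the host, and the attribute is removed even if the write that follows fails. The note added to docs/tools/virtiofsd.rst speaks only of "extra work"; state the per-write cost there, or consider remembering per inode that the attribute is already gone (reset when the guest sets it again) so the call can be skipped.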
+@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo)
+ {
+     const char *map = lo->xattrmap;
+     const char *tmp;
++    int ret;
+ 
+     lo->xattr_map_nentries = 0;
+     while (*map) {
+@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo)
+              * the last entry.
+              */
+             parse_xattrmap_map(lo, map, sep);
+-            return;
++            break;
+         } else {
+             fuse_log(FUSE_LOG_ERR,
+                      "%s: Unexpected type;"
+@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo)
+         fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
+         exit(1);
+     }
++
++    ret = xattr_map_client(lo, "security.capability",
++                           &lo->xattr_security_capability);
++    if (ret) {
++        fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
++                strerror(ret));
++        exit(1);
++    }
++    if (!strcmp(lo->xattr_security_capability, "security.capability")) {
++        /* 1-1 mapping, don't need to do anything */
++        free(lo->xattr_security_capability);
++        lo->xattr_security_capability = NULL;
++    }
+ }
+ 
+ /*
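Review bot: the strcmp() on lo->xattr_security_capability at the end of parse_xattrmap() has no NULL check. xattr_map_client() is only declared in this patch, so whether it can return 0 without storing a name in out_name is not visible here; if it can, this dereferences NULL at daemon startup. Guard it as "if (!lo->xattr_security_capability || !strcmp(...))". The strerror(ret) call also assumes ret is a positive errno value, which should be checked against the return convention of xattr_map_client().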
+@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
+ 
+     free(lo->xattrmap);
+     free_xattrmap(lo);
++    free(lo->xattr_security_capability);
+     free(lo->source);
+ }
+ 
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000..af94cff
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,89 @@
+From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 19 Apr 2021 15:42:47 +0200
+Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
+ (CVE-2021-3392)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+
+Since s->pending is actually not used, simply remove it from
+MPTSASState.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Message-id: 20210419134247.1467982-1-f4bug@amsat.org
+Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
+Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
+[PMD: Reworded description, added more tags]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+CVE: CVE-2021-3392
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ hw/scsi/mptsas.c | 6 ------
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 7 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e7870614..db3219e7d206 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+ 
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+-    MPTSASState *s = req->dev;
+-
+     if (req->sreq != NULL) {
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+     }
+ 
+     req = g_new0(MPTSASRequest, 1);
+-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+ 
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+ 
+     s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+ 
+-    QTAILQ_INIT(&s->pending);
+-
+     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+ 
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a5fcc7..c046497db719 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+     uint16_t reply_frame_size;
+ 
+     SCSIBus bus;
+-    QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+ 
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
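Review bot: the queue head is removed from MPTSASState here, but the "next" link member named in the deleted QTAILQ_INSERT_TAIL(&s->pending, req, next) and QTAILQ_REMOVE(&s->pending, req, next) calls is not touched; the 7 deletions in the diffstat are all accounted for by the lines shown. If nothing else links MPTSASRequest through "next", that member is now dead and should either be removed in the same change or be mentioned in the patch header as deliberately left to match upstream.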
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
new file mode 100644
index 0000000..f9395ad
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
@@ -0,0 +1,56 @@
+From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Tue, 16 Feb 2021 11:46:52 +0800
+Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
+ sdhci_sdma_transfer_multi_blocks()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+s->prnsts is updated in both branches of the if () else () statement.
+Move the common bits outside so that it is cleaner.
+
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 2f8b74a84..f83c5e295 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+         page_aligned = true;
+     }
+ 
++    s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+     if (s->trnmod & SDHC_TRNS_READ) {
+-        s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
++        s->prnsts |= SDHC_DOING_READ;
+         while (s->blkcnt) {
+             if (s->data_count == 0) {
+                 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+             }
+         }
+     } else {
+-        s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
++        s->prnsts |= SDHC_DOING_WRITE;
+         while (s->blkcnt) {
+             begin = s->data_count;
+             if (((boundary_count + begin) < block_size) && page_aligned) {
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
new file mode 100644
index 0000000..f3d2bb1
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
@@ -0,0 +1,92 @@
+From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
+ out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+      -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive \
+      -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index f83c5e295..44f8a82ea 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
+     SDRequest request;
+     uint8_t response[16];
+     int rlen;
++    bool timeout = false;
+ 
+     s->errintsts = 0;
+     s->acmd12errsts = 0;
+@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
+             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+                                    s->rspreg[1], s->rspreg[0]);
+         } else {
++            timeout = true;
+             trace_sdhci_error("timeout waiting for command response");
+             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
+ 
+     sdhci_update_irq(s);
+ 
+-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+         s->data_count = 0;
+         sdhci_data_transfer(s);
+     }
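Review bot: no regression test accompanies the new "!timeout &&" guard in front of sdhci_data_transfer(). The diffstat lists hw/sd/sdhci.c as the only file changed, so the qtest sequence quoted in the commit message is not preserved anywhere in the tree. Adding it as a qtest case would keep the guard from being lost in a later refactor of sdhci_send_command().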
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
new file mode 100644
index 0000000..c3b37ed
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
@@ -0,0 +1,109 @@
+From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+       -nodefaults -device sdhci-pci,sd-spec-version=3 \
+       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+       -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 44f8a82ea..d8a46f307 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+     switch (offset & ~0x3) {
+     case SDHC_SYSAD:
+-        s->sdmasysad = (s->sdmasysad & mask) | value;
+-        MASKED_WRITE(s->sdmasysad, mask, value);
+-        /* Writing to last byte of sdmasysad might trigger transfer */
+-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+-            if (s->trnmod & SDHC_TRNS_MULTI) {
+-                sdhci_sdma_transfer_multi_blocks(s);
+-            } else {
+-                sdhci_sdma_transfer_single_block(s);
++        if (!TRANSFERRING_DATA(s->prnsts)) {
++            s->sdmasysad = (s->sdmasysad & mask) | value;
++            MASKED_WRITE(s->sdmasysad, mask, value);
++            /* Writing to last byte of sdmasysad might trigger transfer */
++            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++                if (s->trnmod & SDHC_TRNS_MULTI) {
++                    sdhci_sdma_transfer_multi_blocks(s);
++                } else {
++                    sdhci_sdma_transfer_single_block(s);
++                }
+             }
+         }
+         break;
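Review bot: inside the new "if (!TRANSFERRING_DATA(s->prnsts))" block the register is still written twice, first by "s->sdmasysad = (s->sdmasysad & mask) | value;" and then by MASKED_WRITE(s->sdmasysad, mask, value), which by its name and arguments performs the same masked assignment. The pair is carried over unchanged from the removed lines, and one of the two is redundant. Separately, a guest write to SDHC_SYSAD during a transfer is now dropped silently; a qemu_log_mask(LOG_GUEST_ERROR, ...) in an else branch would make that visible when debugging a guest driver.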
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
new file mode 100644
index 0000000..d5be997
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
@@ -0,0 +1,75 @@
+From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
+ ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index d8a46f307..7de03c6dd 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
+ 
+         switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+         case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
++            s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+             if (s->trnmod & SDHC_TRNS_READ) {
++                s->prnsts |= SDHC_DOING_READ;
+                 while (length) {
+                     if (s->data_count == 0) {
+                         sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                 }
+             } else {
++                s->prnsts |= SDHC_DOING_WRITE;
+                 while (length) {
+                     begin = s->data_count;
+                     if ((length + begin) < block_size) {
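Review bot: neither hunk shows where the bits set in the SDHC_ADMA_ATTR_ACT_TRAN case (SDHC_DATA_INHIBIT, SDHC_DAT_LINE_ACTIVE, SDHC_DOING_READ or SDHC_DOING_WRITE) are cleared again. The SDHC_SYSAD and SDHC_BLKSIZE write handlers in this series ignore writes while TRANSFERRING_DATA(s->prnsts) is true, so please confirm that every exit from the descriptor loop in sdhci_do_adma(), error exits included, clears them; otherwise the guest stays locked out of those registers.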
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
new file mode 100644
index 0000000..7199056
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
@@ -0,0 +1,56 @@
+From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7de03c6dd..6c780126e 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+-        }
+ 
+-        /* Limit block size to the maximum buffer size */
+-        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+-            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+-                          "the maximum buffer 0x%x\n", __func__, s->blksize,
+-                          s->buf_maxsz);
++            /* Limit block size to the maximum buffer size */
++            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++                              "the maximum buffer 0x%x\n", __func__, s->blksize,
++                              s->buf_maxsz);
+ 
+-            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++            }
+         }
+ 
+         break;
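Review bot: the qemu_log_mask() call moved into the "if (!TRANSFERRING_DATA(s->prnsts))" block prints s->blksize with %x, while the condition that triggers it compares only extract32(s->blksize, 0, 12). Logging the same extracted value would make the message match the check that fired.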
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
new file mode 100644
index 0000000..624c1f6
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
@@ -0,0 +1,99 @@
+From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
+ when a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 6c780126e..216842420 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
++            uint16_t blksize = s->blksize;
++
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ 
+@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+                 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+             }
++
++            /*
++             * If the block size is programmed to a different value from
++             * the previous one, reset the data pointer of s->fifo_buffer[]
++             * so that s->fifo_buffer[] can be filled in using the new block
++             * size in the next transfer.
++             */
++            if (blksize != s->blksize) {
++                s->data_count = 0;
++            }
+         }
+ 
+         break;
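Review bot: the saved copy declared as "uint16_t blksize" in the previous hunk is easy to confuse with the s->blksize field it is compared against in "if (blksize != s->blksize)", and the comparison is only correct if the field is no wider than 16 bits, which this patch does not show. Rename the local to something like prev_blksize and give it the field's declared type.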
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000..5bacd67
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h   |  5 +++++
+ include/net/queue.h |  8 ++++++++
+ net/net.c           | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c         | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+                           int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+                                 int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++                                const struct iovec *iov,
++                                int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+                                int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+ 
+ void qemu_del_net_queue(NetQueue *queue);
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+ 
++int qemu_can_receive_packet(NetClientState *nc)
++{
++    if (nc->receive_disabled) {
++        return 0;
++    } else if (nc->info->can_receive &&
++               !nc->info->can_receive(nc)) {
++        return 0;
++    }
++    return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+     int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+         return 1;
+     }
+ 
+-    if (sender->peer->receive_disabled) {
+-        return 0;
+-    } else if (sender->peer->info->can_receive &&
+-               !sender->peer->info->can_receive(sender->peer)) {
+-        return 0;
+-    }
+-    return 1;
++    return qemu_can_receive_packet(sender->peer);
+ }
+ 
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+     return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+ 
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++                                int iovcnt)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+     return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+     return ret;
+ }
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+-- 
+2.29.2
+
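Review bot: qemu_net_queue_receive() and qemu_net_queue_receive_iov() in net/queue.c return 0 when queue->delivering is set, and qemu_receive_packet() also returns 0 when qemu_can_receive_packet() fails, so a caller cannot tell a frame dropped by the reentrancy guard from one refused by the receiver. The new prototypes in include/net/net.h and include/net/queue.h carry no comment; please document there that 0 means the loopback frame was discarded rather than queued. Separately, qemu_receive_packet() takes int size and passes it to a size_t parameter, so a negative value would convert to a very large length; an assertion or early return on size < 0 would be worth adding.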
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000..7deec1a
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,44 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index ab57c02c8..75f18ae2d 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
+     /* FIXME: Honor TX disable, and allow queueing of packets.  */
+     if (s->phy_control & 0x4000)  {
+         /* This assumes the receive routine doesn't touch the VLANClient.  */
+-        lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     } else {
+         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     }
+-- 
+2.29.2
+
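Review bot: the context comment in do_tx_packet(), "This assumes the receive routine doesn't touch the VLANClient.", should be revisited now that the loopback path calls qemu_receive_packet() instead of lan9118_receive() directly; update or drop it in the same change. The return value is also ignored, so a frame dropped by the reentrancy check is treated as transmitted. In the patch header, the Reviewed-by trailer for Philippe Mathieu-Daudé is missing its closing ">"; the same truncated trailer appears in the dp8393x, rtl8139 and pcnet patches of this series.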
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000..5e53e20
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+ 
+     NetClientState *nc = qemu_get_queue(s->nic);
+     if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000..3fc469e
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+             s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+             if (nc->info->can_receive(nc)) {
+                 s->loopback_packet = 1;
+-                nc->info->receive(nc, s->tx_buffer, tx_len);
++                qemu_receive_packet(nc, s->tx_buffer, tx_len);
+             }
+         } else {
+             /* Transmit packet */
+-- 
+2.29.2
+
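Review bot: in dp8393x_do_transmit_packets() s->loopback_packet is set to 1 before qemu_receive_packet(), which can now return 0 without invoking the device's receive handler; nothing in this hunk clears the flag on that path, so check that a dropped loopback frame cannot leave it set for the next real receive. The surrounding nc->info->can_receive(nc) call is also redundant with the check inside qemu_can_receive_packet() and, unlike that helper, does not test the callback pointer for NULL before calling it.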
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
new file mode 100644
index 0000000..e14f377
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
@@ -0,0 +1,43 @@
+From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:00:01 +0800
+Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/msf2-emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
+index 32ba9e841..3e6206044 100644
+--- a/hw/net/msf2-emac.c
++++ b/hw/net/msf2-emac.c
+@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
+          * R_CFG1 bit 0 is set.
+          */
+         if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
+-            nc->info->receive(nc, buf, size);
++            qemu_receive_packet(nc, buf, size);
+         } else {
+             qemu_send_packet(nc, buf, size);
+         }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000..c3f8f97
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,45 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index 33c3722df..3684a4d73 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+     NetClientState *nc = qemu_get_queue(s->nic);
+ 
+     if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000..855c697
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,43 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index da262edc3..1f9aa59ec 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+     NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+     if (pkt->is_loopback) {
+-        nc->info->receive_iov(nc, iov, iov_cnt);
++        qemu_receive_packet_iov(nc, iov, iov_cnt);
+     } else {
+         qemu_sendv_packet(nc, iov, iov_cnt);
+     }
+-- 
+2.29.2
+
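Review bot: the commit message names qemu_receive_receive_iov(), which does not match the qemu_receive_packet_iov() call the hunk adds in net_tx_pkt_sendv(); anyone auditing the CVE-2021-3416 backport by searching for the helper name will miss this patch, so flag the discrepancy in the backport notes. net_tx_pkt_sendv() is void and discards the helper's return value, so a loopback frame dropped for reentrancy is not reported to the caller.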
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000..4e1115d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,45 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index ba5ace1ab..d2dd03e6a 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+         }
+ 
+         DPRINTF("+++ transmit loopback mode\n");
+-        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+ 
+         if (iov) {
+             g_free(buf2);
+-- 
+2.29.2
+
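Review bot: the replaced call passed do_interrupt to rtl8139_do_receive(), and the new qemu_receive_packet(qemu_get_queue(s->nic), buf, size) has no way to carry it, so the loopback path in rtl8139_transfer_frame() no longer honours that argument. Please state in the commit message what interrupt behaviour the registered receive callback applies and whether any caller relied on a do_interrupt value of 0 in loopback mode.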
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000..ed71646
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+             if (BCR_SWSTYLE(s) == 1)
+                 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+             s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+-            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++            qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+             s->looptest = 0;
+         } else {
+             if (s->nic) {
+-- 
+2.29.2
+
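Review bot: in the txagain loopback branch, s->looptest is set before qemu_receive_packet() and reset to 0 straight after, while the helper's return value is ignored; when the helper returns 0 the loopback test frame is never delivered and nothing in the hunk records that. Consider checking the result, or at least adding a comment that dropping the frame is the intended outcome under reentrancy.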
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000..39d32b3
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,46 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index 7a534691f..43b760e3f 100644
+--- a/hw/net/cadence_gem.c
++++ b/hw/net/cadence_gem.c
+@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
+                 /* Send the packet somewhere */
+                 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+                                     GEM_NWCTRL_LOCALLOOP)) {
+-                    gem_receive(qemu_get_queue(s->nic), s->tx_packet,
+-                                total_bytes);
++                    qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
++                                        total_bytes);
+                 } else {
+                     qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
+                                      total_bytes);
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
index 38d7552..d8fcc16 100644
--- a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
+++ b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
@@ -1,4 +1,4 @@
-From 9bbe3f8564705aafcdcc5f2f033f9241a97f47c6 Mon Sep 17 00:00:00 2001
+From 7b2dd83d8fcd06af8e583b53da79ed0033793d46 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 27 Feb 2017 09:43:30 +0200
 Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for
@@ -14,7 +14,7 @@
  3 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 6c78568e4..76b1d40e4 100644
+index fe35a90fa..b2faec6f3 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -966,7 +966,7 @@ else
@@ -40,7 +40,7 @@
  %_infodir		%{_datadir}/info
  %_mandir		%{_datadir}/man
 diff --git a/rpm.am b/rpm.am
-index cd40a16be..e6941e09f 100644
+index 8e1dc2184..3d889ec86 100644
 --- a/rpm.am
 +++ b/rpm.am
 @@ -1,10 +1,10 @@
@@ -55,4 +55,4 @@
 +rpmconfigdir = $(libdir)/rpm
  
  # Libtool version (current-revision-age) for all our libraries
- rpm_version_info = 10:2:1
+ rpm_version_info = 10:3:1
diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
similarity index 98%
rename from poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb
rename to poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
index d369c70..7c03b41 100644
--- a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb
+++ b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -43,7 +43,7 @@
            "
 
 PE = "1"
-SRCREV = "278883a704ea36c97974d0f2d65d41abe78b0e2a"
+SRCREV = "3659b8a04f5b8bacf6535e0124e7fe23f15286bd"
 
 S = "${WORKDIR}/git"
 
diff --git a/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000..2d51ddf
--- /dev/null
+++ b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
+-- 
+2.17.1
+
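Review bot: the added -verify_hostname $hostname only protects the connection if a verification failure aborts s_client, and the changed line carries -verify_quiet but nothing visible that makes errors fatal; confirm that $caopt supplies -verify_return_error on every path, otherwise a hostname mismatch is recorded and the session continues. $hostname is also expanded unquoted in -servername, -verify_hostname and -connect, so quoting it would keep word splitting out of the openssl argument list.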
diff --git a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 8b36a8e..cb18667 100644
--- a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -14,6 +14,7 @@
            file://rsyncd.conf \
            file://makefile-no-rebuild.patch \
            file://determism.patch \
+           file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
            "
 
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
similarity index 96%
rename from poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb
rename to poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
index 28e12c3..944cb81 100644
--- a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb
+++ b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
@@ -8,7 +8,7 @@
            file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
            "
 
-SRC_URI[sha256sum] = "a13ed141a1c18eb967aac1e33f4d6ad5f21be1ac543c344e0d6feeee54af8e28"
+SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
diff --git a/poky/meta/recipes-extended/groff/groff_1.22.4.bb b/poky/meta/recipes-extended/groff/groff_1.22.4.bb
index 983cb9a..f0e9eb6 100644
--- a/poky/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/poky/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -62,6 +62,10 @@
 	rm -rf ${D}${bindir}/glilypond
 	rm -rf ${D}${libdir}/groff/glilypond
 	rm -rf ${D}${mandir}/man1/glilypond*
+
+	# not ship /usr/bin/grap2graph and its releated man files
+	rm -rf ${D}${bindir}/grap2graph
+	rm -rf ${D}${mandir}/man1/grap2graph*
 }
 
 do_install_append_class-native() {
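Review bot: the new comment in do_install, "not ship /usr/bin/grap2graph and its releated man files", has a typo ("releated") and does not say why the script is dropped; state the reason so that a later groff upgrade can tell whether the removal is still needed.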
diff --git a/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch b/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
new file mode 100644
index 0000000..f32cd18
--- /dev/null
+++ b/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
@@ -0,0 +1,27 @@
+lsb-release maintains it's own copy of help2man. Include the support
+for specifying SOURCE_DATE_EPOCH from upstream.
+
+Upstream-Status: Pending
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff --git a/help2man b/help2man
+index 13015c2..63439db 100755
+--- a/help2man
++++ b/help2man
+@@ -173,7 +173,14 @@ my ($help_text, $version_text) = map {
+ 	or die "$this_program: can't get `--$_' info from $ARGV[0]\n"
+ } qw(help), $opt_version_key;
+ 
+-my $date = strftime "%B %Y", localtime;
++my $epoch_secs = time;
++if (exists $ENV{SOURCE_DATE_EPOCH} and $ENV{SOURCE_DATE_EPOCH} =~ /^(\d+)$/)
++{
++    $epoch_secs = $1;
++    $ENV{TZ} = 'UTC0';
++}
++
++my $date = strftime "%B %Y", localtime $epoch_secs;
+ (my $program = $ARGV[0]) =~ s!.*/!!;
+ my $package = $program;
+ my $version;
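Review bot: when SOURCE_DATE_EPOCH is set but does not match /^(\d+)$/, the code silently keeps $epoch_secs = time, so a malformed value brings back the build-time date this patch is meant to remove; a warn or die on that branch would make the failure visible. The description should read "its own copy", and since the change is described as coming from upstream help2man, the header could name the help2man version or commit it was taken from.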
diff --git a/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb b/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
index 3e8f7a1..bafc18f 100644
--- a/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -11,6 +11,7 @@
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \
            file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \
            file://0001-Remove-timestamp-from-manpage.patch \
+           file://help2man-reproducibility.patch \
            "
 
 SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"
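Review bot: 0001-Remove-timestamp-from-manpage.patch stays in SRC_URI next to the new help2man-reproducibility.patch; if both touch the date written into the man page, say in the commit message why both are needed, or drop the one that is superseded.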
diff --git a/poky/meta/recipes-extended/ltp/ltp_20210121.bb b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
index f58ca2e..d98c9fd 100644
--- a/poky/meta/recipes-extended/ltp/ltp_20210121.bb
+++ b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
@@ -61,7 +61,7 @@
 
 do_install(){
     install -d ${D}${prefix}/
-    oe_runmake DESTDIR=${D} SKIP_IDCHECK=1 install
+    oe_runmake DESTDIR=${D} SKIP_IDCHECK=1 install include-install
 
     # fixup not deploy STPfailure_report.pl to avoid confusing about it fails to run
     # as it lacks dependency on some perl moudle such as LWP::Simple
diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000..fe594b2
--- /dev/null
+++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ 
+         /* If no rendered frame, render the first frame */
+         if (anim->last_frame == NULL) {
++                gsize len = 0;
+                 if (anim->last_frame_data == NULL)
+                         anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+                 if (anim->last_frame_data == NULL)
+                         return NULL;
+-                memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++                if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++                        memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++                else
++                        return NULL;
+                 composite_frame (anim, g_list_nth_data (anim->frames, 0));
+         }
+ 
+-- 
+GitLab
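Review bot: the header uses "Upstream-Status: Backported", while the other patches in this update use "Backport"; use the standard spelling so patch-status tooling classifies it correctly. In the code, the if/else added around memset() in gdk_pixbuf_gif_anim_iter_get_pixbuf() has unbraced branches next to a long g_size_checked_mul() condition; braces would make the overflow return path easier to audit.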
diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 226e1c7..f01da32 100644
--- a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -26,6 +26,7 @@
            file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
            file://missing-test-data.patch \
            file://CVE-2020-29385.patch \
+           file://CVE-2021-20240.patch \
            "
 
 SRC_URI_append_class-target = " \
diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000..f8e69be
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,121 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+CVE: CVE-2020-35492
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
+
+original patch from upstream has a binary file, it will cause
+do_patch failed with "git binary diffs are not supported".
+
+so add do_patch_append in recipe to add this binary source. when removing
+this patch, please also remove do_patch_append for this patch
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/cairo-image-compositor.c                |   8 ++--
+ test/Makefile.sources                       |   1 +
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 		    unsigned num_spans)
+ {
+     cairo_image_span_renderer_t *r = abstract_renderer;
+-    uint8_t *m;
++    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+     int x0;
+ 
+     if (num_spans == 0)
+ 	return CAIRO_STATUS_SUCCESS;
+ 
+     x0 = spans[0].x;
+-    m = r->_buf;
++    m = base;
+     do {
+ 	int len = spans[1].x - spans[0].x;
+ 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 				      spans[0].x, y,
+ 				      spans[1].x - spans[0].x, h);
+ 
+-	    m = r->_buf;
++	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else if (spans[0].coverage == 0x0) {
+ 	    if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ 	    }
+ 
+-	    m = r->_buf;
++	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else {
+ 	    *m++ = spans[0].coverage;
+diff --git a/test/Makefile.sources b/test/Makefile.sources
+index 7eb73647f..86494348d 100644
+--- a/test/Makefile.sources
++++ b/test/Makefile.sources
+@@ -34,6 +34,7 @@ test_sources = \
+ 	bug-source-cu.c					\
+ 	bug-extents.c					\
+ 	bug-seams.c					\
++	bug-image-compositor.c				\
+ 	caps.c						\
+ 	checkerboard.c					\
+ 	caps-joins.c					\
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
++++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
++#include "cairo-test.h"
++
++static cairo_test_status_t
++draw (cairo_t *cr, int width, int height)
++{
++    cairo_set_source_rgb (cr, 0., 0., 0.);
++    cairo_paint (cr);
++
++    cairo_set_source_rgb (cr, 1., 1., 1.);
++    cairo_set_line_width (cr, 1.);
++
++    cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
++    cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
++    cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
++    cairo_set_source (cr, p);
++
++    cairo_move_to (cr, 0.5, -1);
++    for (int i = 0; i < width; i+=3) {
++	cairo_rel_line_to (cr, 2, 2);
++	cairo_rel_line_to (cr, 1, -2);
++    }
++
++    cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
++    cairo_stroke (cr);
++
++    cairo_pattern_destroy(p);
++
++    return CAIRO_TEST_SUCCESS;
++}
++
++
++CAIRO_TEST (bug_image_compositor,
++	    "Crash in image-compositor",
++	    "stroke, stress", /* keywords */
++	    NULL, /* requirements */
++	    10000, 1,
++	    NULL, draw)
++	    
++	    
+-- 
+GitLab
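Review bot: The patch header never says why `r->_buf` was the wrong buffer in `_inplace_src_spans`, and that is the one fact a later rebase needs. After this change `m = base` points at `pixman_image_get_data(r->mask)`, so the `*m++ = spans[0].coverage` writes land in the mask image's own pixel data, and the result of `pixman_image_get_data` is used without a check. Please add a sentence to the header stating what guarantees `r->mask` is allocated and wide enough for a span run when this function is installed as the renderer, so the CVE fix can be re-verified on the next cairo upgrade. The `?merge_request_iid=85` query in the Upstream-Status URL can be dropped; the bare commit URL is the stable reference. The two whitespace-only lines at the end of the new test file can also go.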
diff --git a/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
new file mode 100644
index 0000000..939f659
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
Binary files differ
diff --git a/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 68f993d..d48da1a 100644
--- a/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,8 @@
            file://CVE-2018-19876.patch \
            file://CVE-2019-6461.patch \
            file://CVE-2019-6462.patch \
+           file://CVE-2020-35492.patch \
+           file://bug-image-compositor.ref.png \
           "
 
 SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
@@ -64,6 +66,15 @@
 # Ensure we don't depend on LZO
 export ac_cv_lib_lzo2_lzo2a_decompress="no"
 
+#for CVE-2020-35492.patch
+do_patch_append() {
+    bb.build.exec_func('do_cp_binary_source', d)
+}
+
+do_cp_binary_source () {
+	cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
+}
+
 do_install_append () {
 	rm -rf ${D}${bindir}/cairo-sphinx
 	rm -rf ${D}${libdir}/cairo/cairo-fdr*
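Review bot: The `#for CVE-2020-35492.patch` comment above `do_patch_append` does not say that this block and the `file://bug-image-compositor.ref.png` entry in SRC_URI have to be removed together with the patch. That instruction exists only inside the patch header, where someone upgrading the recipe will not see it. Suggest expanding the comment to say the upstream commit carries a binary reference image that do_patch cannot apply, so it is copied by hand, and that all three pieces are dropped as one. `do_cp_binary_source` is indented with a tab while `do_patch_append` uses four spaces; pick one.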
diff --git a/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch b/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
index ef092f1..cddd330 100644
--- a/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
+++ b/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
@@ -34,14 +34,14 @@
 --- /dev/null
 +++ b/glslang/glslang.pc.cmake.in
 @@ -0,0 +1,11 @@
-+    prefix=@CMAKE_INSTALL_PREFIX@
-+    exec_prefix=@CMAKE_INSTALL_PREFIX@
-+    libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
-+    includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
-+    
-+    Name: @PROJECT_NAME@
-+    Description: OpenGL and OpenGL ES shader front end and validator
-+    Requires:
-+    Version: @GLSLANG_VERSION@
-+    Libs: -L${libdir} -lglslang -lOSDependent -lHLSL -lOGLCompiler -lSPVRemapper
-+    Cflags: -I${includedir}
++prefix=@CMAKE_INSTALL_PREFIX@
++exec_prefix=@CMAKE_INSTALL_PREFIX@
++libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
++includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
++
++Name: @PROJECT_NAME@
++Description: OpenGL and OpenGL ES shader front end and validator
++Requires:
++Version: @GLSLANG_VERSION@
++Libs: -L${libdir} -lglslang -lOSDependent -lHLSL -lOGLCompiler -lSPVRemapper
++Cflags: -I${includedir}
diff --git a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
index b6efc6b..0bd6af8 100644
--- a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
+++ b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
@@ -29,7 +29,7 @@
 
 inherit cmake pkgconfig
 
-export NASMENV = "--debug-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
+export NASMENV = "--reproducible --debug-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
 
 # Add nasm-native dependency consistently for all build arches is hard
 EXTRA_OECMAKE_append_class-native = " -DWITH_SIMD=False"
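Review bot: `--reproducible` is added to the exported NASMENV with no comment on what it changes in the output or which nasm releases accept it. The export applies to every variant of the recipe, and the context line just below says the nasm-native dependency is not added consistently across build arches, so it is worth stating in a comment which nasm version this flag needs and what build-time data it removes from the objects. That also tells a reader why `--debug-prefix-map` alone was not enough for reproducibility.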
diff --git a/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.1.bb b/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.3.bb
similarity index 100%
rename from poky/meta/recipes-graphics/mesa/mesa-gl_21.0.1.bb
rename to poky/meta/recipes-graphics/mesa/mesa-gl_21.0.3.bb
diff --git a/poky/meta/recipes-graphics/mesa/mesa.inc b/poky/meta/recipes-graphics/mesa/mesa.inc
index caf3c62..a85f94c 100644
--- a/poky/meta/recipes-graphics/mesa/mesa.inc
+++ b/poky/meta/recipes-graphics/mesa/mesa.inc
@@ -21,7 +21,7 @@
            file://0001-futex.h-Define-__NR_futex-if-it-does-not-exist.patch \
            "
 
-SRC_URI[sha256sum] = "379fc984459394f2ab2d84049efdc3a659869dc1328ce72ef0598506611712bb"
+SRC_URI[sha256sum] = "565c6f4bd2d5747b919454fc1d439963024fc78ca56fd05158c3b2cde2f6912b"
 
 UPSTREAM_CHECK_GITTAGREGEX = "mesa-(?P<pver>\d+(\.\d+)+)"
 
diff --git a/poky/meta/recipes-graphics/mesa/mesa_21.0.1.bb b/poky/meta/recipes-graphics/mesa/mesa_21.0.3.bb
similarity index 100%
rename from poky/meta/recipes-graphics/mesa/mesa_21.0.1.bb
rename to poky/meta/recipes-graphics/mesa/mesa_21.0.3.bb
diff --git a/poky/meta/recipes-graphics/pango/pango_1.48.2.bb b/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
index 1dcb43b..aa279bb 100644
--- a/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
+++ b/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
@@ -18,6 +18,8 @@
 GIR_MESON_ENABLE_FLAG = "enabled"
 GIR_MESON_DISABLE_FLAG = "disabled"
 
+SRC_URI += "file://run-ptest"
+
 SRC_URI[archive.sha256sum] = "d21f8b30dc8abdfc55de25656ecb88dc1105eeeb315e5e2a980dcef8010c2c80"
 
 DEPENDS = "glib-2.0 glib-2.0-native fontconfig freetype virtual/libiconv cairo harfbuzz fribidi"
diff --git a/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch b/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch
new file mode 100644
index 0000000..06e0f7b
--- /dev/null
+++ b/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch
@@ -0,0 +1,32 @@
+From a2ba4714a6872e547621d29d9ddcb0f374b88cf6 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 20 Apr 2021 20:42:18 -0700
+Subject: [PATCH] meson.build: fix incorrect header
+
+The wayland.c actually include 'xdg-shell-client-protocol.h' instead of
+the server one, so fix it. Otherwise, it's possible to get build failure
+due to race condition.
+
+Upstream-Status: Pending
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ libweston/backend-wayland/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libweston/backend-wayland/meson.build b/libweston/backend-wayland/meson.build
+index 7e82513..29270b5 100644
+--- a/libweston/backend-wayland/meson.build
++++ b/libweston/backend-wayland/meson.build
+@@ -10,7 +10,7 @@ srcs_wlwl = [
+ 	fullscreen_shell_unstable_v1_protocol_c,
+ 	presentation_time_protocol_c,
+ 	presentation_time_server_protocol_h,
+-	xdg_shell_server_protocol_h,
++	xdg_shell_client_protocol_h,
+ 	xdg_shell_protocol_c,
+ ]
+ 
+-- 
+2.30.2
+
diff --git a/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb b/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
index 50fbfa6..bcbac06 100644
--- a/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
+++ b/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
@@ -11,6 +11,7 @@
            file://xwayland.weston-start \
            file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
            file://0001-tests-include-fcntl.h-for-open-O_RDWR-O_CLOEXEC-and-.patch \
+           file://0001-meson.build-fix-incorrect-header.patch \
 "
 
 SRC_URI_append_libc-musl = " file://dont-use-plane-add-prop.patch "
diff --git a/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch b/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch
new file mode 100644
index 0000000..3e87794
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch
@@ -0,0 +1,39 @@
+From 5827f6389a227157958d14a687fb29223cb3a03a Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 7 Apr 2021 07:48:42 +0000
+Subject: [PATCH] xshmfence_futex.h: Define SYS_futex if it does not exist
+
+_NR_futex is not defines by newer architectures e.g. riscv32 as
+they only have 64bit variant of time_t. Glibc defines SYS_futex
+interface based on __NR_futex, since this is used in applications,
+such applications start to fail to build for these newer architectures.
+This patch defines a fallback to alias __NR_futex to __NR_futex_time64
+to make SYS_futex keep working.
+
+Reference: https://git.openembedded.org/openembedded-core/commit/?id=7a218adf9990f5e18d0b6a33eb34091969f979c7
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/xshmfence_futex.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/xshmfence_futex.h b/src/xshmfence_futex.h
+index 673ac0e..a71efa5 100644
+--- a/src/xshmfence_futex.h
++++ b/src/xshmfence_futex.h
+@@ -53,6 +53,10 @@ static inline int futex_wait(int32_t *addr, int32_t value) {
+ #include <sys/time.h>
+ #include <sys/syscall.h>
+ 
++#if !defined(SYS_futex) && defined(SYS_futex_time64)
++#define SYS_futex SYS_futex_time64
++#endif
++
+ static inline long sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
+ {
+ 	return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
+-- 
+2.29.2
+
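Review bot: The `SYS_futex` fallback in xshmfence_futex.h is only correct when userspace `struct timespec` already has the 64-bit `time_t` layout, and nothing in the added lines enforces or documents that. `sys_futex()` passes its `struct timespec *timeout` straight through to `syscall(SYS_futex, ...)`, so once `SYS_futex` is aliased to `SYS_futex_time64` the kernel reads the timeout as the time64 layout. The `!defined(SYS_futex)` guard limits this to targets that have no legacy syscall, which is the case the message describes, but a short comment above the `#define` saying so, or a compile-time check on `sizeof(time_t)`, would make the assumption explicit. The message also talks about `__NR_futex` and `__NR_futex_time64` while the code tests `SYS_futex` and `SYS_futex_time64`; aligning the two avoids confusion when this goes upstream, since Upstream-Status is still Pending.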
diff --git a/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index cc45696..d153c7a 100644
--- a/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -13,7 +13,9 @@
 
 EXTRA_OECONF += "--with-shared-memory-dir=/dev/shm"
 
-BBCLASSEXTEND = "native nativesdk"
+SRC_URI += "file://0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch"
 
 SRC_URI[md5sum] = "42dda8016943dc12aff2c03a036e0937"
 SRC_URI[sha256sum] = "b884300d26a14961a076fbebc762a39831cb75f92bed5ccf9836345b459220c7"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
new file mode 100644
index 0000000..5480f71
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
@@ -0,0 +1,43 @@
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3472
+
+Reference to upstream patch:
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9..7a597e4 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+         break;
+     case StringFeedbackClass:
+     {
+-        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++        xStringFeedbackCtl *f;
+ 
++        REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++                                    sizeof(xStringFeedbackCtl));
++        f = ((xStringFeedbackCtl *) &stuff[1]);
+         if (client->swapped) {
+             if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                 return BadLength;
+-- 
+2.17.1
+
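Review bot: The patch header names the CVE and the reporter but does not say what underflows in `ProcXChangeFeedbackControl`, so the next person rebasing has to infer it from the code. From the hunk: in `case StringFeedbackClass`, `f` used to be taken from `&stuff[1]` at declaration, before anything confirmed the request was long enough to contain an `xStringFeedbackCtl`, and the existing `len < bytes_to_int32(sizeof(xStringFeedbackCtl))` test sits only inside `if (client->swapped)`. One sentence to that effect in the header would do. The other feedback classes in this switch are not visible here; please confirm in the review thread that each of them validates the request length before casting `&stuff[1]`, so this backport is known to be complete for 1.20.10.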
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 5c6dbac..755a762 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -7,6 +7,7 @@
            file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
            file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
+           file://CVE-2021-3472.patch \
            "
 SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
 
diff --git a/poky/meta/recipes-kernel/kmod/kmod.inc b/poky/meta/recipes-kernel/kmod/kmod.inc
index ccda9f2..ba5ec7f 100644
--- a/poky/meta/recipes-kernel/kmod/kmod.inc
+++ b/poky/meta/recipes-kernel/kmod/kmod.inc
@@ -26,7 +26,6 @@
 
 S = "${WORKDIR}/git"
 
-EXTRA_AUTORECONF += "--install --symlink"
 EXTRA_OECONF +=" --enable-tools --with-zlib"
 
 PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
similarity index 99%
rename from poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
rename to poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
index 78856cb..bd1f177 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
@@ -132,7 +132,7 @@
                     file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
                     file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
                     file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
-                    file://WHENCE;md5=ef0565762eac313c409567b59dff00b2 \
+                    file://WHENCE;md5=e21a8cbddc1612bce56f06fe154a0743 \
                     "
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -205,7 +205,7 @@
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
 
-SRC_URI[sha256sum] = "1bcb1a3944c361507754a7d26ccff40ffc28d1fb93bce711d67da26b33e785b7"
+SRC_URI[sha256sum] = "a2348f03492713dca9aef202496c6e58f5e63ee5bec6a7bdfcf8b18ce7155e70"
 
 inherit allarch
 
@@ -645,8 +645,8 @@
 "
 FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
 FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \
-  ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \
 "
 FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
 FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
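Review bot: The two `FILES_${PN}-bcm4356` entries change from exact `.bin` names to `brcmfmac4356-sdio.*` and `cyfmac4356-sdio.*`, and the hunk does not say which new file in 20210315 needs this. A wildcard will also pick up any future file that shares the stem, which makes the contents of the bcm4356 package harder to audit and can shift files between packages without a recipe change. Suggest listing the added file explicitly next to the `.bin`, or adding a comment naming the files the glob is meant to cover. The neighbouring bcm4350 and bcm43569 entries still use exact names, so this package is now the odd one out.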
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 8725473..ee41d61 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -50,5 +50,7 @@
 KERNEL_FEATURES_append_qemux86=" cfg/sound.scc cfg/paravirt_kvm.scc"
 KERNEL_FEATURES_append_qemux86-64=" cfg/sound.scc cfg/paravirt_kvm.scc"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("TUNE_FEATURES", "mx32", " cfg/x32.scc", "", d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ptest", " features/scsi/scsi-debug.scc", "", d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ptest", " features/gpio/mockup.scc", "", d)}"
 
 KERNEL_VERSION_SANITY_SKIP = "1"
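Review bot: The two new `KERNEL_FEATURES_append` lines key on `ptest` in DISTRO_FEATURES, which is a distro-wide switch, so `features/scsi/scsi-debug.scc` and `features/gpio/mockup.scc` are pulled into every linux-yocto-dev kernel built for such a distro, including images that install no ptest packages. These are test-only drivers and do not belong in a shipped kernel configuration by default. Please add a comment naming the ptests that need each fragment, and consider whether a narrower condition is possible so that enabling ptest for the distro does not automatically widen the kernel's driver set.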
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index cb34887..08314ea 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "be2935bce35f9adb6d0e735d42651e81a5094adf"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine ?= "400fbf5b14a0c88afb7c31d65be56fb9d6214c81"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 2ffc8ed..f82c6b3 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "65bbe689d98a007848008be2c8edeb5fa8066829"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine ?= "b62ae8bedb024e67e7c5cda51840454a4170c858"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 83e59b0..8bd674f 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "0f87ec9fea7a5695cd063d9d11d89751efa53ddd"
-SRCREV_machine ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine_qemuarm ?= "bf33b78f5136873b6d2ec6274908cf688341bc9e"
+SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 2b6e35a..1c3fe73 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "ac3cbab1d6692d4a032dfffe0a604f39a634d18a"
-SRCREV_machine ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine_qemuarm ?= "80bd6016a9bdaed4b66ddffffa8c8e62d7c1f8a6"
+SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 026e695..2e7a452 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@
 KBRANCH_qemux86-64 ?= "v5.10/standard/base"
 KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "d8551cae1ccdbe062a5c6068ce39ea8f4e1c72db"
-SRCREV_machine_qemuarm64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemumips ?= "7f1f1ad2f2d90b1b070c6b0a82f0add9aa492e37"
-SRCREV_machine_qemuppc ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemuriscv64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemuriscv32 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemux86 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemux86-64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemumips64 ?= "fd5ac097b891642eea13659bea536f3ec5910d6d"
-SRCREV_machine ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine_qemuarm ?= "78e8e722eec4434024c5db3e0d59da0b128c7647"
+SRCREV_machine_qemuarm64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemumips ?= "b5c0852a90709e77f7a3d185d1745e6a1f66b77c"
+SRCREV_machine_qemuppc ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemuriscv64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemuriscv32 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemux86 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemux86-64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemumips64 ?= "bf264e264d2141a4fb61d515573c27935e67ecfa"
+SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
 
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 245c3d5..5245530 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "ea4097dbff5a148265018e1a998e02b5a05e3d27"
-SRCREV_machine_qemuarm64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemumips ?= "230ca33504faef6f40c5d3b24901aaacb901c9a6"
-SRCREV_machine_qemuppc ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemuriscv64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemux86 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemux86-64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemumips64 ?= "84e071a893ef9cea8a8ffbcd233b47a2bc9056b5"
-SRCREV_machine ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine_qemuarm ?= "e71df0530eefcac1b3248329e385bcefbad6336e"
+SRCREV_machine_qemuarm64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemumips ?= "07445052fdd15e60b30dc5ae9d162c2e6bba47d1"
+SRCREV_machine_qemuppc ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemuriscv64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemux86 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemux86-64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemumips64 ?= "b36d79d6f2aaf9dadec352f611e7b9becf2b9a55"
+SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
new file mode 100644
index 0000000..3a2280c
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
@@ -0,0 +1,305 @@
+From 17cd2dc91cb82ed342b0da699f2b1a70c1bf6a03 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 15 Mar 2021 14:54:02 -0400
+Subject: [PATCH 2/4] fix: block: add a disk_uevent helper (v5.12)
+
+See upstream commit:
+
+  commit bc359d03c7ec1bf3b86d03bafaf6bbb21e6414fd
+  Author: Christoph Hellwig <hch@lst.de>
+  Date:   Sun Jan 24 11:02:39 2021 +0100
+
+    block: add a disk_uevent helper
+
+    Add a helper to call kobject_uevent for the disk and all partitions, and
+    unexport the disk_part_iter_* helpers that are now only used in the core
+    block code.
+
+Upstream-status: Backport [2.12.6]
+
+Change-Id: If6e8797049642ab382d5699660ee1dd734e92c90
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ Makefile               |   1 +
+ lttng-statedump-impl.c |  34 +++++++++----
+ src/wrapper/genhd.c    | 111 +++++++++++++++++++++++++++++++++++++++++
+ wrapper/genhd.h        |  62 +++++++++++++++++++++++
+ 4 files changed, 198 insertions(+), 10 deletions(-)
+ create mode 100644 src/wrapper/genhd.c
+
+diff --git a/Makefile b/Makefile
+index a9aff3f1..34043cfb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -80,6 +80,7 @@ ifneq ($(KERNELRELEASE),)
+                         wrapper/kallsyms.o \
+                         wrapper/irqdesc.o \
+                         wrapper/fdtable.o \
++                        wrapper/genhd.o \
+                         lttng-wrapper-impl.o
+ 
+   ifneq ($(CONFIG_HAVE_SYSCALL_TRACEPOINTS),)
+diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
+index 60b937c9..5511c7e8 100644
+--- a/lttng-statedump-impl.c
++++ b/lttng-statedump-impl.c
+@@ -250,13 +250,17 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
+ 	struct device_type *ptr_disk_type;
+ 	struct class_dev_iter iter;
+ 	struct device *dev;
++	int ret = 0;
+ 
+ 	ptr_block_class = wrapper_get_block_class();
+-	if (!ptr_block_class)
+-		return -ENOSYS;
++	if (!ptr_block_class) {
++		ret = -ENOSYS;
++		goto end;
++	}
+ 	ptr_disk_type = wrapper_get_disk_type();
+ 	if (!ptr_disk_type) {
+-		return -ENOSYS;
++		ret = -ENOSYS;
++		goto end;
+ 	}
+ 	class_dev_iter_init(&iter, ptr_block_class, NULL, ptr_disk_type);
+ 	while ((dev = class_dev_iter_next(&iter))) {
+@@ -272,22 +276,32 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
+ 		    (disk->flags & GENHD_FL_SUPPRESS_PARTITION_INFO))
+ 			continue;
+ 
+-		disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0);
+-		while ((part = disk_part_iter_next(&piter))) {
++		/*
++		 * The original 'disk_part_iter_init' returns void, but our
++		 * wrapper can fail to lookup the original symbol.
++		 */
++		if (wrapper_disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0) < 0) {
++			ret = -ENOSYS;
++			goto iter_exit;
++		}
++
++		while ((part = wrapper_disk_part_iter_next(&piter))) {
+ 			char name_buf[BDEVNAME_SIZE];
+ 
+ 			if (lttng_get_part_name(disk, part, name_buf) == -ENOSYS) {
+-				disk_part_iter_exit(&piter);
+-				class_dev_iter_exit(&iter);
+-				return -ENOSYS;
++				wrapper_disk_part_iter_exit(&piter);
++				ret = -ENOSYS;
++				goto iter_exit;
+ 			}
+ 			trace_lttng_statedump_block_device(session,
+ 					lttng_get_part_devt(part), name_buf);
+ 		}
+-		disk_part_iter_exit(&piter);
++		wrapper_disk_part_iter_exit(&piter);
+ 	}
++iter_exit:
+ 	class_dev_iter_exit(&iter);
+-	return 0;
++end:
++	return ret;
+ }
+ 
+ #ifdef CONFIG_INET
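Review bot: In the partition loop of `lttng_enumerate_block_devices`, a NULL from `wrapper_disk_part_iter_next` is treated as end of list, but the kallsyms variant of that wrapper also returns NULL when its symbol lookup fails. In that case the loop ends, `ret` stays 0, and the statedump reports success with no partitions for the disk. The new error path only covers `wrapper_disk_part_iter_init`. Either resolve all three symbols in the init wrapper and fail there if any is missing, or document in the comment above the init call that a failed `next` lookup is deliberately silent apart from the `printk_once`. The same applies to `wrapper_disk_part_iter_exit`: if its lookup fails after init succeeded, the iterator is never released.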
+diff --git a/src/wrapper/genhd.c b/src/wrapper/genhd.c
+new file mode 100644
+index 00000000..a5a6c410
+--- /dev/null
++++ b/src/wrapper/genhd.c
+@@ -0,0 +1,111 @@
++/* SPDX-License-Identifier: (GPL-2.0-only OR LGPL-2.1-only)
++ *
++ * wrapper/genhd.c
++ *
++ * Wrapper around disk_part_iter_(init|next|exit). Using KALLSYMS to get the
++ * addresses when available, else we need to have a kernel that exports this
++ * function to GPL modules. This export was removed in 5.12.
++ *
++ * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
++ */
++
++#include <lttng/kernel-version.h>
++#include <linux/module.h>
++#include <wrapper/genhd.h>
++
++#if (defined(CONFIG_KALLSYMS) && \
++	(LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0)))
++
++#include <wrapper/kallsyms.h>
++
++static
++void (*disk_part_iter_init_sym)(struct disk_part_iter *piter, struct gendisk *disk,
++			unsigned int flags);
++
++static
++LTTNG_DISK_PART_TYPE *(*disk_part_iter_next_sym)(struct disk_part_iter *piter);
++
++static
++void (*disk_part_iter_exit_sym)(struct disk_part_iter *piter);
++
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', to be
++ * able to report the symbol lookup failure to the caller.
++ *
++ * Return 0 on success, -1 on error.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++                          unsigned int flags)
++{
++	if (!disk_part_iter_init_sym)
++		disk_part_iter_init_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_init");
++
++	if (disk_part_iter_init_sym) {
++		disk_part_iter_init_sym(piter, disk, flags);
++	} else {
++		printk_once(KERN_WARNING "LTTng: disk_part_iter_init symbol lookup failed.\n");
++		return -1;
++	}
++	return 0;
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
++
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
++{
++	if (!disk_part_iter_next_sym)
++		disk_part_iter_next_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_next");
++
++	if (disk_part_iter_next_sym) {
++		return disk_part_iter_next_sym(piter);
++	} else {
++		printk_once(KERN_WARNING "LTTng: disk_part_iter_next symbol lookup failed.\n");
++		return NULL;
++	}
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
++
++/*
++ * We don't return an error on symbol lookup failure here because there is
++ * nothing the caller can do to cleanup the iterator.
++ */
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
++{
++	if (!disk_part_iter_exit_sym)
++		disk_part_iter_exit_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_exit");
++
++	if (disk_part_iter_exit_sym) {
++		disk_part_iter_exit_sym(piter);
++	} else {
++		printk_once(KERN_WARNING "LTTng: disk_part_iter_exit symbol lookup failed.\n");
++	}
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
++
++#else
++
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', so the
++ * kallsyms variant can report the symbol lookup failure to the caller.
++ *
++ * This variant always succeeds and returns 0.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++                          unsigned int flags)
++{
++	disk_part_iter_init(piter, disk, flags);
++	return 0;
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
++
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
++{
++	return disk_part_iter_next(piter);
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
++
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
++{
++	disk_part_iter_exit(piter);
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
++#endif
+diff --git a/wrapper/genhd.h b/wrapper/genhd.h
+index 98feb57b..6bae239d 100644
+--- a/wrapper/genhd.h
++++ b/wrapper/genhd.h
+@@ -13,6 +13,13 @@
+ #define _LTTNG_WRAPPER_GENHD_H
+ 
+ #include <linux/genhd.h>
++#include <lttng/kernel-version.h>
++
++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
++#define LTTNG_DISK_PART_TYPE struct block_device
++#else
++#define LTTNG_DISK_PART_TYPE struct hd_struct
++#endif
+ 
+ #ifdef CONFIG_KALLSYMS_ALL
+ 
+@@ -94,4 +101,59 @@ struct device_type *wrapper_get_disk_type(void)
+ 
+ #endif
+ 
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', to be
++ * able to report the symbol lookup failure to the caller.
++ *
++ * Return 0 on success, -1 on error.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++                          unsigned int flags);
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter);
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter);
++
++/*
++ * Canary function to check for 'disk_part_iter_init()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ *   extern void disk_part_iter_init(struct disk_part_iter *piter,
++ *                                   struct gendisk *disk, unsigned int flags);
++ *
++ */
++static inline
++void __canary__disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++		unsigned int flags)
++{
++	disk_part_iter_init(piter, disk, flags);
++}
++
++/*
++ * Canary function to check for 'disk_part_iter_next()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ *   struct block_device *disk_part_iter_next(struct disk_part_iter *piter);
++ *
++ */
++static inline
++LTTNG_DISK_PART_TYPE *__canary__disk_part_iter_next(struct disk_part_iter *piter)
++{
++	return disk_part_iter_next(piter);
++}
++
++/*
++ * Canary function to check for 'disk_part_iter_exit()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ *   extern void disk_part_iter_exit(struct disk_part_iter *piter);
++ *
++ */
++static inline
++void __canary__disk_part_iter_exit(struct disk_part_iter *piter)
++{
++	return disk_part_iter_exit(piter);
++}
++
+ #endif /* _LTTNG_WRAPPER_GENHD_H */
+-- 
+2.25.1
+
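Review bot: in wrapper/genhd.c the `#else` branch is also taken on a 5.12 or later kernel built without CONFIG_KALLSYMS, and there it calls disk_part_iter_init(), disk_part_iter_next() and disk_part_iter_exit() directly even though the file's own header comment says that export was removed in 5.12. A `#error` (or compiling the users out) for that combination would fail at build time instead of at module load. Separately, `__canary__disk_part_iter_exit()` in wrapper/genhd.h is declared `void` but does `return disk_part_iter_exit(piter);`; drop the `return`.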
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
new file mode 100644
index 0000000..e32b3e7
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
@@ -0,0 +1,48 @@
+From 127135b6a45d5fca828815c62308f72de97e5739 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Thu, 15 Apr 2021 13:56:24 -0400
+Subject: [PATCH 3/4] fix backport: block: add a disk_uevent helper (v5.12)
+
+Upstream-Status: Backport [2.12.6]
+
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I717162069990577abe78e5e7fed28816f32b2c84
+---
+ {src/wrapper => wrapper}/genhd.c | 2 +-
+ wrapper/genhd.h                  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ rename {src/wrapper => wrapper}/genhd.c (98%)
+
+diff --git a/src/wrapper/genhd.c b/wrapper/genhd.c
+similarity index 98%
+rename from src/wrapper/genhd.c
+rename to wrapper/genhd.c
+index a5a6c410..cbec06f7 100644
+--- a/src/wrapper/genhd.c
++++ b/wrapper/genhd.c
+@@ -9,7 +9,7 @@
+  * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
+  */
+ 
+-#include <lttng/kernel-version.h>
++#include <lttng-kernel-version.h>
+ #include <linux/module.h>
+ #include <wrapper/genhd.h>
+ 
+diff --git a/wrapper/genhd.h b/wrapper/genhd.h
+index 6bae239d..1b4a4201 100644
+--- a/wrapper/genhd.h
++++ b/wrapper/genhd.h
+@@ -13,7 +13,7 @@
+ #define _LTTNG_WRAPPER_GENHD_H
+ 
+ #include <linux/genhd.h>
+-#include <lttng/kernel-version.h>
++#include <lttng-kernel-version.h>
+ 
+ #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
+ #define LTTNG_DISK_PART_TYPE struct block_device
+-- 
+2.25.1
+
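Review bot: the commit message has a subject and sign-offs but no body, so nothing records why genhd.c moves from `src/wrapper/` to `wrapper/` or why both includes change from `<lttng/kernel-version.h>` to `<lttng-kernel-version.h>`. A one-line explanation in the patch header, or folding this fix-up into 0005 so the recipe carries a single patch for the change, would make the next version bump easier to review.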
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
new file mode 100644
index 0000000..dfc9427
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
@@ -0,0 +1,71 @@
+From 853d5903a200d8a15b3f38780ddaea5c92fa1a03 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Mon, 19 Apr 2021 09:09:28 +0000
+Subject: [PATCH 4/4] fix: mm, tracing: kfree event name mismatching with
+ provider kmem (v5.12)
+
+a8bc8ae5c932 ("fix: mm, tracing: record slab name for kmem_cache_free() (v5.12)")
+introduces the following call trace for kfree. This is caused by mismatch
+between kfree event and its provider kmem.
+
+This patch maps kfree to kmem_kfree.
+
+WARNING: CPU: 2 PID: 42294 at src/lttng-probes.c:81 fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
+CPU: 2 PID: 42294 Comm: modprobe Tainted: G           O      5.12.0-rc6-yoctodev-standard #1
+Hardware name: Intel Corporation JACOBSVILLE/JACOBSVILLE, BIOS JBVLCRB2.86B.0014.P20.2004020248 04/02/2020
+RIP: 0010:fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
+Code: 75 28 83 c3 01 3b 5d c4 74 22 48 8b 4d d0 48 63
+      c3 4c 89 e2 4c 89 f6 48 8b 04 c1 4c 8b 38 4c 89
+      ff e8 64 9f 4b de 85 c0 74 c3 <0f> 0b 48 8b 05 bf
+      f2 1e 00 48 8d 50 e8 48 3d f0 a0 98 c0 75 18 eb
+RSP: 0018:ffffb976807bfbe0 EFLAGS: 00010286
+RAX: 00000000ffffffff RBX: 0000000000000004 RCX: 0000000000000004
+RDX: 0000000000000066 RSI: ffffffffc03c10a7 RDI: ffffffffc03c11a1
+RBP: ffffb976807bfc28 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000004
+R13: ffffffffc03c2000 R14: ffffffffc03c10a7 R15: ffffffffc03c11a1
+FS:  00007f0ef9533740(0000) GS:ffffa100faa00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000561e8f0aa000 CR3: 000000015b318000 CR4: 0000000000350ee0
+Call Trace:
+ lttng_probe_register+0x38/0xe0 [lttng_tracer]
+ ? __event_probe__module_load+0x520/0x520 [lttng_probe_module]
+ __lttng_events_init__module+0x15/0x20 [lttng_probe_module]
+ do_one_initcall+0x68/0x310
+ ? kmem_cache_alloc_trace+0x2ad/0x4c0
+ ? do_init_module+0x28/0x280
+ do_init_module+0x62/0x280
+ load_module+0x26e4/0x2920
+ ? kernel_read_file+0x22e/0x290
+ __do_sys_finit_module+0xb1/0xf0
+ __x64_sys_finit_module+0x1a/0x20
+ do_syscall_64+0x38/0x50
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Upstream-Status: Backport [2.12.6]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I00e8ee2b8c35f6f8602c88295f5113fbbd139709
+---
+ instrumentation/events/lttng-module/kmem.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h
+index d787ea54..c9edee61 100644
+--- a/instrumentation/events/lttng-module/kmem.h
++++ b/instrumentation/events/lttng-module/kmem.h
+@@ -88,7 +88,9 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node,
+ )
+ 
+ #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0))
+-LTTNG_TRACEPOINT_EVENT(kfree,
++LTTNG_TRACEPOINT_EVENT_MAP(kfree,
++
++	kmem_kfree,
+ 
+ 	TP_PROTO(unsigned long call_site, const void *ptr),
+ 
+-- 
+2.25.1
+
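Review bot: the switch to `LTTNG_TRACEPOINT_EVENT_MAP(kfree, kmem_kfree, ...)` is shown only inside the `LTTNG_KERNEL_VERSION(5,12,0)` branch, and the pre-5.12 definition is outside the visible context. Please confirm the older branch maps kfree to the same `kmem_kfree` name, otherwise the event name seen by trace consumers would depend on the kernel version.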
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
index 5b05c64..1a01cb0 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
@@ -15,6 +15,9 @@
            file://0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch  \
            file://0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch \
            file://0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch \
+           file://0005-fix-block-add-a-disk_uevent-helper-v5.12.patch \
+           file://0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch \
+           file://0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch \
            "
 
 SRC_URI[sha256sum] = "c4d1a1b42c728e37b6b7947ae16563a011c4b297311aa04d56f9a1791fb5a30a"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
index 7074096..6132daf 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
@@ -69,7 +69,7 @@
 }
 
 do_install_ptest () {
-    for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/load-42*.lttng tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh; do
+    for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/*.lttng tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh; do
         install -D "${B}/$f" "${D}${PTEST_PATH}/$f"
     done
 
@@ -155,7 +155,7 @@
         -i ${D}${PTEST_PATH}/tests/unit/Makefile
 
     # Fix hardcoded build path
-    sed -e 's#TESTAPP_PATH=.*/tests/regression/#TESTAPP_PATH=${PTEST_PATH}/tests/regression/#' \
+    sed -e 's#TESTAPP_PATH=.*/tests/regression/#TESTAPP_PATH="${PTEST_PATH}/tests/regression/#' \
         -i ${D}${PTEST_PATH}/tests/regression/ust/python-logging/test_python_logging
 
     # Substitute links to installed binaries.
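Review bot: the new replacement text `TESTAPP_PATH="${PTEST_PATH}/tests/regression/` opens a double quote that the sed expression never closes. That is only balanced if the greedy `.*` in the pattern swallowed an opening quote on the original line and the closing quote sits after the matched `tests/regression/` part. Either say so in the "Fix hardcoded build path" comment or match the quote explicitly in the pattern, so a change in the upstream script cannot silently leave an unterminated string in test_python_logging.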
diff --git a/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh b/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
index 28fe6f9..67e1dcd 100755
--- a/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
+++ b/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
@@ -13,6 +13,7 @@
 
 LOAD_MODULE=modprobe
 [ -f /proc/modules ] || exit 0
+[ -d /lib/modules/`uname -r` ] || exit 0
 
 # Test if modules.dep exists and has a size greater than zero
 if [ ! -s /lib/modules/`uname -r`/modules.dep ]; then
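Review bot: the added `[ -d /lib/modules/`uname -r` ] || exit 0` uses an unquoted backtick substitution inside `[ ]` and exits with status 0 without any message, so a system with a missing module directory looks identical to a successful run. Quoting it as "/lib/modules/$(uname -r)" and storing the release once in a variable (it is evaluated again two lines later) would be cleaner, and a short comment on why a missing directory is not an error would help.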
diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb
index b468372..28d0c6a 100644
--- a/poky/meta/recipes-kernel/perf/perf.bb
+++ b/poky/meta/recipes-kernel/perf/perf.bb
@@ -322,7 +322,7 @@
 
 RDEPENDS_${PN} += "elfutils bash"
 RDEPENDS_${PN}-archive =+ "bash"
-RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python3', '', d)}"
+RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python', '', d)}"
 RDEPENDS_${PN}-perl =+ "bash perl perl-modules"
 RDEPENDS_${PN}-tests =+ "python3 bash"
 
diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb
similarity index 94%
rename from poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
rename to poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb
index b3567bc..f79c0b2 100644
--- a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
+++ b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "b4164490d82ff7b0086e812ac42ab27baf57be24324d4c0ee1c5dd6ba27f2a52"
+SRC_URI[sha256sum] = "9e4c02b2a9710df4dbdb327c39612e8cbbae6495987afeddaebab28c1ea3d8fa"
 
 inherit bin_package allarch
 
diff --git a/poky/meta/recipes-sato/puzzles/puzzles_git.bb b/poky/meta/recipes-sato/puzzles/puzzles_git.bb
index 16a0858..a1788cf 100644
--- a/poky/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/poky/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -9,7 +9,7 @@
 # The libxt requires x11 in DISTRO_FEATURES
 REQUIRED_DISTRO_FEATURES = "x11"
 
-SRC_URI = "git://git.tartarus.org/simon/puzzles.git \
+SRC_URI = "git://git.tartarus.org/simon/puzzles.git;branch=main \
            file://fix-compiling-failure-with-option-g-O.patch \
            file://0001-palisade-Fix-warnings-with-clang-on-arm.patch \
            file://0001-Use-Wno-error-format-overflow-if-the-compiler-suppor.patch \
diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch b/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
new file mode 100644
index 0000000..98d2d1de
--- /dev/null
+++ b/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
@@ -0,0 +1,31 @@
+From dcf9ae0dc0b4510eddbeeea09e11edfb123f95af Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 2 May 2021 13:10:49 -0700
+Subject: [PATCH] MiniBrowser: Fix reproduciblity
+
+Do not emit references to source dir in generated sourcecode
+
+Upstream-Status: Submitted [https://bugs.webkit.org/show_bug.cgi?id=225283]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Tools/MiniBrowser/gtk/CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Tools/MiniBrowser/gtk/CMakeLists.txt b/Tools/MiniBrowser/gtk/CMakeLists.txt
+index 93b62521..482d3b00 100644
+--- a/Tools/MiniBrowser/gtk/CMakeLists.txt
++++ b/Tools/MiniBrowser/gtk/CMakeLists.txt
+@@ -51,8 +51,8 @@ add_custom_command(
+     OUTPUT ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
+            ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
+     MAIN_DEPENDENCY ${MiniBrowser_DIR}/browser-marshal.list
+-    COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --body > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
+-    COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --header > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
++    COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --body --skip-source > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
++    COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --header --skip-source > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
+     VERBATIM)
+ 
+ if (USE_GTK4)
+-- 
+2.31.1
+
diff --git a/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
index cdc3f9b..1fefc75 100644
--- a/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
+++ b/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
@@ -20,6 +20,7 @@
            file://reduce-memory-overheads.patch \
            file://0001-Extend-atomics-check-to-include-1-byte-CAS-test.patch \
            file://musl-lower-stack-usage.patch \
+           file://0001-MiniBrowser-Fix-reproduciblity.patch \
            "
 
 SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"
diff --git a/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
index 888a235..7dcc86f 100644
--- a/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -83,8 +83,8 @@
     SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
 }
 
-RDEPENDS_${PN}_class-target = "openssl-bin"
-RDEPENDS_${PN}_class-native = "openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
 
 BBCLASSEXTEND = "native nativesdk"
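Review bot: the three RDEPENDS lines change in two ways at once, from `=` to `_append` and by adding `openssl` and `nativesdk-openssl` next to the existing `-bin` packages, and neither is explained in the recipe. A comment stating what in the postinstall needs the library package and not only the `openssl` binary, and why the assignment must now append instead of replace, would keep someone from reverting it as redundant.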
diff --git a/poky/meta/recipes-support/db/db_5.3.28.bb b/poky/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6..b2ae98f 100644
--- a/poky/meta/recipes-support/db/db_5.3.28.bb
+++ b/poky/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@
 LICENSE = "Sleepycat"
 RCONFLICTS_${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"
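Review bot: adding `berkeley_db` to CVE_PRODUCT widens the match, but the `CVE_VERSION = "11.2.${PV}"` line just below is applied to both product names. Please check that the entries filed under `berkeley_db` use the same 11.2.x version scheme; if they use the plain 5.3.x numbering the version comparison will report wrong results for the newly matched CVEs. Prefixing the vendor in CVE_PRODUCT would also limit matches to the intended vendor.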
diff --git a/poky/meta/recipes-support/diffoscope/diffoscope_172.bb b/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
index bf4726e..86dd5d8 100644
--- a/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
+++ b/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
@@ -23,6 +23,7 @@
 	create_wrapper ${D}${bindir}/diffoscope \
 		MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
 		RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
+		LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \
 		RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
 }
 
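Review bot: `LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE}` in the wrapper replaces any value the caller had set and is inherited by every external tool diffoscope launches, including host binaries that were not built against the native sysroot libraries. If only diffoscope's own Python modules need the native libraries, note that in a comment, and consider whether the host helpers should run with the variable cleared.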
diff --git a/poky/meta/recipes-support/libcap/libcap_2.48.bb b/poky/meta/recipes-support/libcap/libcap_2.48.bb
index a12738d..2f83acf 100644
--- a/poky/meta/recipes-support/libcap/libcap_2.48.bb
+++ b/poky/meta/recipes-support/libcap/libcap_2.48.bb
@@ -20,15 +20,6 @@
 
 inherit lib_package
 
-# do NOT pass target cflags to host compilations
-#
-do_configure() {
-	# libcap uses := for compilers, fortunately, it gives us a hint
-	# on what should be replaced with ?=
-	sed -e 's,:=,?=,g' -i Make.Rules
-	sed -e 's,^BUILD_CFLAGS ?= ,BUILD_CFLAGS := $(BUILD_CFLAGS) ,' -i Make.Rules
-}
-
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG_class-native ??= ""
 
@@ -44,11 +35,15 @@
 
 EXTRA_OEMAKE_append_class-target = " SYSTEM_HEADERS=${STAGING_INCDIR}"
 
-# these are present in the libcap defaults, so include in our CFLAGS too
-CFLAGS += "-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-
 do_compile() {
-	oe_runmake ${PACKAGECONFIG_CONFARGS}
+	unset CFLAGS BUILD_CFLAGS
+	oe_runmake \
+		${PACKAGECONFIG_CONFARGS} \
+		AR="${AR}" \
+		CC="${CC}" \
+		RANLIB="${RANLIB}" \
+		COPTS="${CFLAGS}" \
+		BUILD_COPTS="${BUILD_CFLAGS}"
 }
 
 do_install() {
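Review bot: in do_compile, `unset CFLAGS BUILD_CFLAGS` followed by `COPTS="${CFLAGS}"` and `BUILD_COPTS="${BUILD_CFLAGS}"` reads as if empty values were passed; it only works because BitBake expands `${CFLAGS}` when it generates the shell function, before the `unset` runs. Add a comment saying that. The hunk also drops `CFLAGS += "-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"`; please confirm those defines still reach the target compile through libcap's own makefile defaults now that CFLAGS is no longer exported.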
diff --git a/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch b/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
new file mode 100644
index 0000000..0b20eda
--- /dev/null
+++ b/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
@@ -0,0 +1,33 @@
+From dff8fd27edb23bc1486809186c6a4fe1f75f2179 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 22 Apr 2021 22:35:59 -0400
+Subject: [PATCH] test/regress.h: Increase default timeval tolerance 50 ms ->
+ 100 ms
+
+The default timeout tolerance is 50 ms,
+which causes intermittent failure in many the
+related tests in arm64 QEMU.
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14163
+(The root cause seems to be a heavy load)
+
+Upstream-Status: Submitted [https://github.com/libevent/libevent/pull/1157]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ test/regress.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/regress.h b/test/regress.h
+index f06a7669..829af4a7 100644
+--- a/test/regress.h
++++ b/test/regress.h
+@@ -127,7 +127,7 @@ int test_ai_eq_(const struct evutil_addrinfo *ai, const char *sockaddr_port,
+ 	tt_int_op(labs(timeval_msec_diff((tv1), (tv2)) - diff), <=, tolerance)
+ 
+ #define test_timeval_diff_eq(tv1, tv2, diff)				\
+-	test_timeval_diff_leq((tv1), (tv2), (diff), 50)
++	test_timeval_diff_leq((tv1), (tv2), (diff), 100)
+ 
+ long timeval_msec_diff(const struct timeval *start, const struct timeval *end);
+
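Review bot: changing the default in `test_timeval_diff_eq` from 50 to 100 doubles the tolerance for every caller on every target, while the commit message only reports intermittent failures on arm64 QEMU and gives heavy load as the likely cause. That trades away timing coverage everywhere; if upstream does not take the pull request, consider limiting the wider tolerance to the ptest configuration that needs it.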
diff --git a/poky/meta/recipes-support/libevent/libevent_2.1.12.bb b/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
index dd4533c..6d53fea 100644
--- a/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
+++ b/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
@@ -15,6 +15,7 @@
            file://Makefile-missing-test-dir.patch \
            file://run-ptest \
            file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \
+           file://0002-test-regress.h-Increase-default-timeval-tolerance-50.patch \
            "
 
 SRC_URI[sha256sum] = "92e6de1be9ec176428fd2367677e61ceffc2ee1cb119035037a27d346b0403bb"
diff --git a/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch b/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
new file mode 100644
index 0000000..b331c1b
--- /dev/null
+++ b/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
@@ -0,0 +1,112 @@
+From 1f76151c92e1b52e9c24ebf06adc77fbd6c062bc Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Tue, 26 Jan 2021 11:41:21 -0800
+Subject: [PATCH] kex.c: move EC macro outside of if check #549 (#550)
+
+File: kex.c
+
+Notes:
+Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the LIBSSH2_ECDSA since it's also now used by the ED25519 code.
+
+Sha 256, 384 and 512 need to be defined for all backends now even if they aren't used directly. I believe this is already the case, but just a heads up.
+
+Credit:
+Stefan-Ghinea
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://github.com/libssh2/libssh2/commit/1f76151c92e1b52e9c24ebf06adc77fbd6c062bc
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/kex.c | 66 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index cb16639..19ab6ec 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1885,39 +1885,6 @@ kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+ }
+ 
+ 
+-#if LIBSSH2_ECDSA
+-
+-/* kex_session_ecdh_curve_type
+- * returns the EC curve type by name used in key exchange
+- */
+-
+-static int
+-kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
+-{
+-    int ret = 0;
+-    libssh2_curve_type type;
+-
+-    if(name == NULL)
+-        return -1;
+-
+-    if(strcmp(name, "ecdh-sha2-nistp256") == 0)
+-        type = LIBSSH2_EC_CURVE_NISTP256;
+-    else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
+-        type = LIBSSH2_EC_CURVE_NISTP384;
+-    else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
+-        type = LIBSSH2_EC_CURVE_NISTP521;
+-    else {
+-        ret = -1;
+-    }
+-
+-    if(ret == 0 && out_type) {
+-        *out_type = type;
+-    }
+-
+-    return ret;
+-}
+-
+-
+ /* LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY
+  *
+  * Macro that create and verifies EC SHA hash with a given digest bytes
+@@ -2027,6 +1994,39 @@ kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
+ }                                                                       \
+ 
+ 
++#if LIBSSH2_ECDSA
++
++/* kex_session_ecdh_curve_type
++ * returns the EC curve type by name used in key exchange
++ */
++
++static int
++kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
++{
++    int ret = 0;
++    libssh2_curve_type type;
++
++    if(name == NULL)
++        return -1;
++
++    if(strcmp(name, "ecdh-sha2-nistp256") == 0)
++        type = LIBSSH2_EC_CURVE_NISTP256;
++    else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
++        type = LIBSSH2_EC_CURVE_NISTP384;
++    else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
++        type = LIBSSH2_EC_CURVE_NISTP521;
++    else {
++        ret = -1;
++    }
++
++    if(ret == 0 && out_type) {
++        *out_type = type;
++    }
++
++    return ret;
++}
++
++
+ /* ecdh_sha2_nistp
+  * Elliptic Curve Diffie Hellman Key Exchange
+  */
+-- 
+2.17.1
+
diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
index 0b8ccbd..a545162 100644
--- a/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
+++ b/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -11,6 +11,7 @@
            file://CVE-2019-17498.patch \
            file://0001-configure-Conditionally-undefine-backend-m4-macro.patch \
            file://run-ptest \
+           file://0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch \
 "
 
 SRC_URI_append_ptest = " file://0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch"
diff --git a/poky/meta/recipes-support/nettle/nettle_3.7.1.bb b/poky/meta/recipes-support/nettle/nettle_3.7.2.bb
similarity index 95%
rename from poky/meta/recipes-support/nettle/nettle_3.7.1.bb
rename to poky/meta/recipes-support/nettle/nettle_3.7.2.bb
index 3bbcf17..f8f3360 100644
--- a/poky/meta/recipes-support/nettle/nettle_3.7.1.bb
+++ b/poky/meta/recipes-support/nettle/nettle_3.7.2.bb
@@ -24,7 +24,7 @@
             file://dlopen-test.patch \
             "
 
-SRC_URI[sha256sum] = "156621427c7b00a75ff9b34b770b95d34f80ef7a55c3407de94b16cbf436c42e"
+SRC_URI[sha256sum] = "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162"
 
 UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
index 57a3ae0..6bd10d2 100644
--- a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
+++ b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
@@ -26,3 +26,5 @@
 do_install () {
 	install -D -m 0755 ${S}/ptest-runner ${D}${bindir}/ptest-runner
 }
+
+RDEPENDS_${PN}_append_libc-glibc = " libgcc"
diff --git a/poky/scripts/oe-buildenv-internal b/poky/scripts/oe-buildenv-internal
index ba0a9b4..e0d920f 100755
--- a/poky/scripts/oe-buildenv-internal
+++ b/poky/scripts/oe-buildenv-internal
@@ -88,6 +88,10 @@
     return 1
 fi
 
+# Add BitBake's library to PYTHONPATH
+PYTHONPATH=$BITBAKEDIR/lib:$PYTHONPATH
+export PYTHONPATH
+
 # Make sure our paths are at the beginning of $PATH
 for newpath in "$BITBAKEDIR/bin" "$OEROOT/scripts"; do
     # Remove any existences of $newpath from $PATH
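Review bot: `PYTHONPATH=$BITBAKEDIR/lib:$PYTHONPATH` leaves a trailing colon when PYTHONPATH was unset or empty, and an empty PYTHONPATH entry makes Python search the current working directory for modules. Use `PYTHONPATH=$BITBAKEDIR/lib${PYTHONPATH:+:$PYTHONPATH}`. Unlike the PATH loop right below, this also prepends the same directory again each time the script is sourced.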
diff --git a/poky/scripts/oe-debuginfod b/poky/scripts/oe-debuginfod
index 967dd58..5560769 100755
--- a/poky/scripts/oe-debuginfod
+++ b/poky/scripts/oe-debuginfod
@@ -20,12 +20,7 @@
         package_classes_var = "DEPLOY_DIR_" + tinfoil.config_data.getVar("PACKAGE_CLASSES").split()[0].replace("package_", "").upper()
         feed_dir = tinfoil.config_data.getVar(package_classes_var, expand=True)
 
-    try:
-        if package_classes_var == "DEPLOY_DIR_RPM":
-            subprocess.check_output(subprocess.run(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', feed_dir]))
-        else:
-            subprocess.check_output(subprocess.run(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-U', feed_dir]))
-    except subprocess.CalledProcessError:
-        print("\nTo use the debuginfod server Please ensure that this variable PACKAGECONFIG_pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
-    except KeyboardInterrupt:
-            sys.exit(1)
+    subprocess.call(['bitbake', '-c', 'addto_recipe_sysroot', 'elfutils-native'])
+
+    subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', '-U', feed_dir])
+    print("\nTo use the debuginfod server please ensure that this variable PACKAGECONFIG_pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
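Review bot: both new `subprocess.call(...)` return values are ignored, so a failed `bitbake -c addto_recipe_sysroot elfutils-native` still goes on to start debuginfod, and the PACKAGECONFIG hint is now printed after every run instead of only on failure as the removed `except subprocess.CalledProcessError` branch did. Check the return codes and print the hint only when one is non-zero. The call also passes `-R` and `-U` together where the old code picked one from `package_classes_var`; a comment on why scanning for both is wanted would help.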
diff --git a/poky/scripts/oe-time-dd-test.sh b/poky/scripts/oe-time-dd-test.sh
old mode 100644
new mode 100755
index 970a86d..459071e
--- a/poky/scripts/oe-time-dd-test.sh
+++ b/poky/scripts/oe-time-dd-test.sh
@@ -13,11 +13,16 @@
         echo "Usage: $0 <count>"
 }
 
+TIMEOUT=15
+
 if [ $# -ne 1 ]; then
         usage
         exit 1
 fi
 
 uptime
-/usr/bin/time -f "%e" dd if=/dev/zero of=foo bs=1024 count=$1 conv=fsync
-top -b -n 1 | grep -v "0      0      0" | grep -E ' [RSD] ' | cut -c 46-47 | sort | uniq -c
+timeout ${TIMEOUT} dd if=/dev/zero of=oe-time-dd-test.dat bs=1024 count=$1 conv=fsync
+if [ $? -ne 0 ]; then
+	echo "Timeout used: ${TIMEOUT}"
+	top -c -b -n1 -w 512
+fi
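Review bot: `if [ $? -ne 0 ]` after `timeout ${TIMEOUT} dd ...` is true for any dd failure (disk full, bad count), not only an expired timeout, yet the branch prints "Timeout used" as if the timeout fired. GNU timeout exits with 124 in that case, so test for that value and report other failures separately. `count=$1` should be quoted, and nothing in the visible lines removes `oe-time-dd-test.dat` after the run.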
diff --git a/poky/scripts/pybootchartgui/pybootchartgui/draw.py b/poky/scripts/pybootchartgui/pybootchartgui/draw.py
index 53324b9..29eb750 100644
--- a/poky/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/poky/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -271,7 +271,7 @@
     # If data_range is given, scale the chart so that the value range in
     # data_range matches the chart bounds exactly.
     # Otherwise, scale so that the actual data matches the chart bounds.
-    if data_range:
+    if data_range and (data_range[1] - data_range[0]):
         yscale = float(chart_bounds[3]) / (data_range[1] - data_range[0])
         ybase = data_range[0]
     else:
diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu
index ba0b701..edd17d0 100755
--- a/poky/scripts/runqemu
+++ b/poky/scripts/runqemu
@@ -145,7 +145,6 @@
         self.qemu_opt = ''
         self.qemu_opt_script = ''
         self.qemuparams = ''
-        self.clean_nfs_dir = False
         self.nfs_server = ''
         self.rootfs = ''
         # File name(s) of a OVMF firmware file or variable store,
@@ -210,6 +209,8 @@
         self.qemupid = None
         # avoid cleanup twice
         self.cleaned = False
+        # Files to cleanup after run
+        self.cleanup_files = []
 
     def acquire_taplock(self, error=True):
         logger.debug("Acquiring lockfile %s..." % self.taplock)
@@ -1020,8 +1021,9 @@
                 logger.info('Running %s...' % str(cmd))
                 if subprocess.call(cmd) != 0:
                     raise RunQemuError('Failed to run %s' % cmd)
-                self.clean_nfs_dir = True
                 self.rootfs = dest
+                self.cleanup_files.append(self.rootfs)
+                self.cleanup_files.append('%s.pseudo_state' % self.rootfs)
 
         # Start the userspace NFS server
         cmd = ('runqemu-export-rootfs', 'start', self.rootfs)
@@ -1204,6 +1206,7 @@
             self.rootfs = newrootfs
             # Don't need a second copy now!
             self.snapshot = False
+            self.cleanup_files.append(newrootfs)
 
         qb_rootfs_opt = self.get('QB_ROOTFS_OPT')
         if qb_rootfs_opt:
@@ -1476,10 +1479,13 @@
         if self.saved_stty:
             subprocess.check_call(("stty", self.saved_stty))
 
-        if self.clean_nfs_dir:
-            logger.info('Removing %s' % self.rootfs)
-            shutil.rmtree(self.rootfs)
-            shutil.rmtree('%s.pseudo_state' % self.rootfs)
+        if self.cleanup_files:
+            for ent in self.cleanup_files:
+                logger.info('Removing %s' % ent)
+                if os.path.isfile(ent):
+                    os.remove(ent)
+                else:
+                    shutil.rmtree(ent)
 
         self.cleaned = True
 
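Review bot: in the cleanup loop, an entry that does not exist fails the `os.path.isfile(ent)` test and falls through to `shutil.rmtree(ent)`, which raises; the remaining entries are then left behind and `self.cleaned = True` is never reached. This is reachable because `'%s.pseudo_state' % self.rootfs` is appended unconditionally earlier in the patch. Skip entries for which `os.path.exists(ent)` is false, or wrap each removal in its own try/except and log the failure.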
diff --git a/poky/scripts/yocto-check-layer b/poky/scripts/yocto-check-layer
index b7c83c8..deba3cb 100755
--- a/poky/scripts/yocto-check-layer
+++ b/poky/scripts/yocto-check-layer
@@ -138,6 +138,9 @@
                 layer['type'] == LayerType.ERROR_BSP_DISTRO:
             continue
 
+        # Reset to a clean backup copy for each run
+        shutil.copyfile(bblayersconf + '.backup', bblayersconf)
+
         if check_bblayers(bblayersconf, layer['path'], logger):
             logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
                "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))