subtree updates

meta-raspberrypi: 8cffbf5e85..b601818301:
  Changqing Li (1):
        99-com.rules: fix error invalid substitution type

  Khem Raj (2):
        linux-firmware-rpidistro: Update to 20190114-1+rpt11
        bluez-firmware-rpidistro: Update to 1.2-4+rpt8

  Pierre-Jean Texier (1):
        rpi-base: make SPLASH overridable from outside

  SCVready (1):
        rpi-config: comment updated

  matt-hammond-bbc (1):
        libva: Fix for when using `userland`

poky: 1203d1f24d..05a8aad57c:
  Alejandro Enedino Hernandez Samaniego (2):
        python3: Upgrade 3.9.2 -> 3.9.4
        python3: Improve logging, syntax and update deprecated modules to create_manifest

  Alexander Kanavin (6):
        scripts/oe-debuginfod: correct several issues
        oeqa: tear down oeqa decorators if one of them raises an exception in setup
        meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the previous fix
        Revert "oeqa: Set LD_LIBRARY_PATH when executing native commands"
        diffoscope: add native libraries to LD_LIBRARY_PATH
        linux-firmware: upgrade 20210208 -> 20210315

  Anders Wallin (2):
        lttng-tools: Fix missing legacy test files
        lttng-tools: Fix path for test_python_looging

  Anthony Bagwell (1):
        systemd: upgrade 247.4 -> 247.6

  Anuj Mittal (2):
        qemu: fix CVE-2021-3392
        lsb-release: fix reproducibility failure

  Bruce Ashfield (19):
        linux-yocto/5.4: update to v5.4.109
        linux-yocto/5.10: update to v5.10.27
        linux-yocto/5.10: BSP configuration fixes
        linux-yocto/5.10: update to v5.10.29
        linux-yocto/5.4: update to v5.4.111
        linux-yocto/5.10: update to v5.10.30
        linux-yocto-rt/5.10: update to -rt34
        linux-yocto/5.4: update to v5.4.112
        linux-yocto/5.4: fix arm defconfig warnings
        linux-yocto/5.10: fix arm defconfig warnings
        linux-yocto/5.10: aufs fixes
        linux-yocto/5.10: qemuriscv32.cfg: RV32 only supports 1G physical memory
        linux-yocto/5.10: update to v5.10.32
        perf: fix python-audit RDEPENDS
        linux-yocto/5.4: update to v5.4.114
        linux-yocto/5.10: update to v5.10.34
        linux-yocto/5.4: update to v5.4.116
        linux-yocto/5.10: qemuppc32: reduce serial shutdown issues
        linux-yocto/5.4: qemuppc32: reduce serial shutdown issues

  Changqing Li (2):
        cairo: fix CVE-2020-35492
        gdk-pixbuf: fix CVE-2021-20240

  Chen Qi (5):
        busybox: fix CVE-2021-28831
        glib-2.0: fix CVE-2021-28153
        weston: fix build failure due to race condition
        rsync: fix CVE-2020-14387
        db: update CVE_PRODUCT

  Christophe Chapuis (1):
        rootfs.py: find .ko.gz and .ko.xz kernel modules as well

  Daniel Ammann (1):
        archiver: Fix typos

  Douglas Royds (2):
        Revert "externalsrc: Detect code changes in submodules"
        externalsrc: Detect code changes in submodules

  Gavin Li (1):
        kmod: do not symlink config.guess/config.sub during autoreconf

  He Zhe (1):
        linux-yocto-dev: add features/scsi/scsi-debug.scc features/gpio/mockup.scc to KERNEL_FEATURES

  Jon Mason (1):
        oeqa/runtime: space needed

  Jonas Höppner (1):
        ltp: fix empty ltp-dev package

  Jose Quaresma (1):
        ptest-runner: libgcc must be installed for pthread_cancel to work

  Joshua Watt (1):
        classes/image: Use xargs to set file timestamps

  Kai Kang (3):
        kernel-yocto.bbclass: chdir to ${WORKDIR} for do_kernel_checkout
        cmake.bbclass: remove ${B} before cmake_do_configure
        grub2.inc: remove '-O2' from CFLAGS

  Kevin Hao (3):
        modutils-initscripts: Bail out when no module is installed
        sysvinit-inittab/start_getty: Check /sys for the tty device existence
        Revert "inittab: Add getty launch on hvc0 for qemuppc64"

  Khairul Rohaizzat Jamaluddin (1):
        qemu: Fix CVE-2020-35517

  Khem Raj (6):
        ca-certificates: Fix openssl runtime cert dependencies
        systemd: Fix build on mips/musl
        go: Use dl.google.com for SRC_URI
        libjpeg-turbo: Use --reproducible option for nasm
        busybox: Fix reproducibility
        webkitgtk: Fix reproducibility in minibrowser

  Konrad Weihmann (1):
        cve-update-db-native: skip on empty cpe23Uri

  Michael Opdenacker (1):
        sanity.bbclass: mention CONNECTIVITY_CHECK_URIS in network failure message

  Mikko Rapeli (2):
        bitbake: bitbake: tests/fetch: fix test execution without .gitconfig
        bitbake: bitbake: tests/fetch: remove write protected files too

  Mingli Yu (6):
        groff: not ship /usr/bin/grap2graph
        libtool: make sure autoheader run before automake
        packagegroup-core-tools-profile: Remove valgrind for riscv32
        packagegroup-core-tools-testapps.bb: Remove kexec for riscv32
        libxshmfence: Build fixes for riscv32
        rpm: Upgrade to 4.16.1.3

  Niels Avonds (1):
        bitbake: fetch/gitsm: Fix crash when using git LFS and submodules

  Peter Budny (1):
        lib/oe/terminal: Fix tmux new-session on older tmux versions (<1.9)

  Peter Kjellerstedt (1):
        libcap: Configure Make variables correctly without a horrible hack

  Randy MacLeod (1):
        oe-time-dd-test.sh: increase timeout to 15 sec

  Reto Schneider (2):
        license_image.bbclass: Detect broken symlinks
        license_image.bbclass: Fix symlink to generic license files

  Richard Purdie (22):
        oeqa/selftest: Hardcode test assumptions about heartbeat event timings
        bitbake: runqueue: Fix deferred task issues
        pseudo: Upgrade to add trailing slashes ignore path fix
        oeqa/selftest: Ensure packages classes are set correctly for maintainers test
        sanity: Add error check for '%' in build path
        runqemu: Ensure we cleanup snapshot files after image run
        yocto-check-layer: Avoid bug when iterating and autoadding dependencies
        patchelf: Backport fix from upstream for note section overlap error
        bitbake: runqueue: Fix multiconfig deferred task sstate validity caching issue
        bitbake: runqueue: Handle deferred task rehashing in multiconfig builds
        patchelf: Fix note section alignment issues
        patchelf: Fix alignment patch
        pybootchart/draw: Avoid divide by zero error
        yocto-uninative: Update to 3.1 which includes a patchelf fix
        lib/package_manager: Use shutil.copy instead of bb.utils.copyfile for intercepts
        oeqa/qemurunner: Improve logging thread exit handling for qemu shutdown test
        oeqa/qemurunner: Fix binary vs str issue
        oeqa/qemurunner: Improve handling of run_serial for shutdown commands
        puzzles: Upstream changed to main branch for development
        poky.conf: Bump version for 3.3.1 hardknott release
        build-appliance-image: Update to hardknott head revision
        documentation: prepare for 3.3.1 release

  Romain Naour (1):
        dejagnu: needs expect at runtime

  Ross Burton (4):
        bitbake: bitbake-server: ensure server timeout is a float
        insane: clean up some more warning messages
        glslang: strip whitespace in pkgconfig file
        oe-buildenv-internal: add BitBake's library to PYTHONPATH

  Sakib Sajal (10):
        oe-time-dd-test.sh: make executable
        oe-time-dd-test.sh: provide more information from "top"
        qemu: fix CVE-2021-20181
        qemu: fix CVE-2020-29443
        qemu: fix CVE-2021-20221
        qemu: fix CVE-2021-3409
        qemu: fix CVE-2021-3416
        qemu: fix CVE-2021-20257
        qemu: fix CVE-2020-27821
        qemu: fix CVE-2021-20263

  Saul Wold (1):
        pango: re-enable ptest

  Stefan Ghinea (3):
        wpa-supplicant: fix CVE-2021-30004
        libssh2: fix build failure with option no-ecdsa
        xserver-xorg: fix CVE-2021-3472

  Trevor Gamblin (1):
        nettle: upgrade 3.7.1 -> 3.7.2

  Ulrich Ölmann (1):
        arch-armv6m.inc: fix access rights

  Vinícius Ossanes Aquino (1):
        lttng-modules: backport patches to fix build against 5.12+ kernel

  Wes Lindauer (1):
        oeqa/runtime/cases: Only disable/enable for current boot

  Yanfei Xu (1):
        parselogs: ignore floppy error on qemu-system-x86 at boot stage

  Yann Dirson (1):
        linux-firmware: include all relevant files in -bcm4356

  Yi Fan Yu (1):
        libevent: Increase ptest timing tolerance 50 ms -> 100 ms

  hongxu (1):
        deb: apply postinstall on sdk

  wangmy (4):
        mesa: upgrade 21.0.1 -> 21.0.2
        go: update SRC_URI to use https protocol
        go: upgrade 1.16.2 -> 1.16.3
        mesa: upgrade 21.0.2 -> 21.0.3

  zhengruoqin (2):
        wireless-regdb: upgrade 2020.11.20 -> 2021.04.21
        ruby: upgrade 3.0.0 -> 3.0.1

meta-openembedded: 98175fd0cc..bbe3855ec7:
  Aditya.Tayade (1):
        neon: Add ptest

  Andreas Müller (17):
        udisks2: upgrade 2.9.1 -> 2.9.2 / replace '_git' by version in recipe-name
        poppler: upgrade 21.02.0 -> 21.03.0
        xfce4-panel: upgrade 4.16.1 -> 4.16.2
        xfce4-cpugraph-plugin: upgrade 1.2.1 -> 1.2.3
        xfce4-time-out-plugin: upgrade 1.1.1 -> 1.1.2
        mousepad: upgrade 0.5.2 -> 0.5.3
        xfce4-panel-profiles: 1.0.12 -> 1.0.13
        thunar: upgrade 4.16.2 -> 4.16.4
        xfce4-taskmanager: upgrade 1.4.0 -> 1.4.2
        networkmanager-openvpn: Fix packaging
        mousepad: upgrade 0.5.3 -> 0.5.4
        xfce4-battery-plugin: upgrade 1.1.3 -> 1.1.4
        gigolo: upgrade 0.5.1 -> 0.5.2
        thunar: upgrade 4.16.4 -> 4.16.6
        poppler: upgrade 21.03.0 -> 21.04.0
        catfish: add python3-dbus to RDEPENDS
        fluidsynth: upgrade 2.1.7 -> 2.2.0

  Andrei Gherzan (6):
        python3-pep8: Fix HOMEPAGE
        python3-mccabe: Fix HOMEPAGE
        python3-ifaddr: Integrate a dependency of pysonos
        python3-pysonos: Integrate the SONOS control HomeAssistant module
        python3-aiohue: Integrate the hue control python module
        packagegroup-meta-python: Add new modules (aiohue, ifaddr, pysonos)

  Andrej Valek (1):
        jsoncpp: Upgrade to 1.9.4

  Andrew Geissler (1):
        nodejs: ppc64le machine support

  Armin Kuster (3):
        wireguard: update to v1.0.20210219 +1
        nostromo: Blacklist and exclude from world builds
        packagegroup-meta-webserver: remove nostromo from pkg grp

  Awais Belal (1):
        libnet-ssleay-perl: add rdep on perl-module-autoloader

  Bartosz Golaszewski (11):
        pystemd: satisfy runtime dependencies
        python3-pythonping: new package
        python3-wpa-supplicant: new package
        python3-txdbus: new package
        python3-wpa-supplicant: add runtime dependencies
        python3-wpa-supplicant: fix importing the cli submodule
        python3-wpa-supplicant: replace DESCRIPTION with SUMMARY
        libgpiod: update v1.6.2 -> v1.6.3
        python3-txdbus: add missing runtime dependencies
        python3-jmespath: new package
        python3-docutils: new package

  Ben Gampe (1):
        python3-h11: new package

  Carlos Rafael Giani (1):
        pipewire: Upgrade to 0.3.24

  Changqing Li (2):
        php: allow php as empty
        openldap: upgrade 2.4.57 -> 2.4.58

  Chen Qi (2):
        tigervnc: upgrade to 1.11.0
        python3-django: upgrade to 2.2.20

  Clément Péron (2):
        grpc: move grpc plugins to a new grpc-compiler package
        nodejs: 12.20.2 -> 12.21.0

  Colin McAllister (1):
        python3-gpsd-py3: Added recipe

  Daniel Wagenknecht (1):
        gnome-keyring: set file capabilities in pkg_postinst

  Denys Dmytriyenko (1):
        glmark2: also depend on wayland-protocols when wayland distro feature is on

  Devon Pringle (1):
        python3-pastedeploy: Add recipe

  Fabio Berton (1):
        python3-requests: Support idna version 3.1

  Hermes Zhang (1):
        gpsd: backport d-bus message time patch from upstream

  Hongxu Jia (1):
        debootstrap: 1.0.67 -> 1.0.123

  INC@Cisco) (2):
        bpftool: remove recipe from blacklist
        bpftool: improve reproducibility

  Jan Kaisrlik (1):
        abseil-cpp: reorder content of packages

  Joe Hershberger (1):
        strongswan: Make PACKAGECONFIG a default value

  Joshua Watt (1):
        classes: Add Android sparse image class

  Kai Kang (9):
        python3-pillow: 8.1.0 -> 8.1.2
        xfce4-cpufreq-plugin: 1.2.2 -> 1.2.5
        exo: 4.16.0 -> 4.16.1
        xfce4-netload-plugin: 1.3.2 -> 1.4.0
        xfce4-genmon-plugin: 4.1.0 -> 4.1.1
        xfce4-weather-plugin: 0.10.2 -> 0.11.0
        xfce4-systemload-plugin: 1.2.4 -> 1.3.0
        xfce4-taskmanager: 1.4.2 -> 1.5.2
        freeradius: check existence of openssl's commands in bootstrap

  Kamil Dziezyk (1):
        bats: upgrade 1.1.0 -> 1.3.0

  Kartikey Rameshbhai Parmar (1):
        fluidsynth: update SRC_URI to remove non-existing 2.1.x branch

  Khem Raj (77):
        nss: Disable Werror
        open-vm-tools: Do not use volatile qualifier
        dconf-editor: Fix build with vala 0.50.4
        libbacktrace: Add recipe
        libleak: Add recipe
        packagegroup-meta-oe: Add libleak to packagegroup-meta-oe-extended
        mongodb: Upgrade to 4.4.4
        packagegroup-meta-python: Add python3-semantic-version
        python3-grpcio: Upgrade to 1.36.1
        python3-grpcio: Fix build on mips and musl
        mpv: Link libatomic on riscv64
        glog: Link with libexecinfo on musl
        musl-nscd: Make lex syntax posix'y
        libbpf: Depend on virtual/kernel:do_shared_workdir
        waf-cross-answers: Add powerpc64le version
        python3-grpcio,python3-grpcio-tools: Disable for ppc64le
        openh264: Disable building for ppc64le
        ufs-utils: Upgrade to 1.9
        libhugetlbfs: Fix ARCH setting for ppc64 LE
        nodejs: Set correct nodejs arch for ppc64le
        libnma: Disable vapi
        xrdp: Upgrade to 0.9.15
        ply: upgrade to latest
        ply: Disable on ppc64
        ltrace: Fix build on ppc64le/musl
        oprofile: Fix build on musl
        gperftools: Update SRCREV to point to 2.9.1 release
        mongodb: Fix cross build on ppc64le
        abseil-cpp: Fix build on musl and ppc64
        mariadb: Fix build on musl/ppc
        mongodb: Fix build on ppc64le
        breakpad: Upgrade to latest
        ssiapi: Disable for ppc64
        kexec-tools-klibc: Use SITEINFO_BITS to construct includepath
        breakpad: Exclude for ppc64
        python3-grpcio,python3-grpcio-tools: Enable build on ppc64/glibc
        breakpad: Do not fallback to android implementation for getcontext/setcontext on musl
        oprofile: Upgrade to 1.4.0 release
        vboxguestdrivers: Add __divmoddi4 builtin support
        links-x11,links: Upgrade to 2.22
        layers: Drop gatesgarth from LAYERSERIES_COMPAT
        xxhash: Remove recipe
        gsound: Use () instead of {} for makefile variable in gsound_play_VALAFLAGS
        pipewire: Package systemd unit file for pipewire-media-session
        packagegroup-meta-python: Add new package python3-pythonping
        python3-spidev: Remove recipe for 3.2
        python3-werkzeug: Clarify BSD license type
        python3-werkzeug: Delete recipe for 1.0.0
        python3-hexdump: Move cleanup_hexfile into install_append
        cryptsetup: DEPEND on renamed util-linux-libuuid
        tracker-miners: Check for commercial license to enable ffmpeg
        gnome-settings-daemon: Do not generate meson.native
        libb64: Add recipe
        sysdig: Upgrade to 0.27.1
        sysdig: Depend on system libb64
        gimp: Disable vector icon on rv32/musl
        libcamera: Update the patch to upstreamed one
        flashrom: Add remaining RISCV support
        mpd: Check for commercial in LICENSE_FLAGS_WHITELIST
        mpv: Exclude from world if commercial is not in inclusion list
        sox: Exclude from world if commercial is not in inclusion list
        vlc: Exclude from world if commercial is not in inclusion list
        sox: Remove LICENSE_FLAGS = "commercial"
        mariadb: Fix build on newer 32bit architectures
        libmanette: Add recipe
        pidgin-sipe: Fix build with glib-2.0 >= 2.68
        gjs: Fix build with gcc11
        poppler: Backport patches to fix build with glib-2.0 2.68+ and GCC11
        opencv: Upgrade to 5.4.2
        tbb: Fix build with musl
        core-image-minimal-xfce: Use graphical.target as default
        vnstat: Disable install parallelism to fix a potential install race
        open-vm-tools: Fix build with gcc 11
        nss: Re-enable -Werror
        gimp: Disable vector icon generation on mips/glibc too
        tbb: Re-introduce PE
        gimp: Disable vector icons on musl/x86

  Leon Anavi (134):
        python3-elementpath: Upgrade 2.1.4 -> 2.2.0
        python3-twisted: Upgrade 20.3.0 -> 21.2.0
        python3-ipython: Upgrade 7.20.0 -> 7.21.0
        python3-yamlloader: Upgrade 0.5.5 -> 1.0.0
        python3-astroid: Upgrade 2.5 -> 2.5.1
        python3-portion: Upgrade 2.1.4 -> 2.1.5
        python3-pandas: Upgrade 1.2.2 -> 1.2.3
        python3-ruamel-yaml: Upgrade 0.16.12 -> 0.16.13
        python3-prettytable: Upgrade 2.0.0 -> 2.1.0
        python3-huey: Upgrade 2.3.0 -> 2.3.1
        python3-pychromecast: Upgrade 8.1.0 -> 9.1.1
        python3-incremental: Upgrade 17.5.0 -> 21.3.0
        python3-waitress: Upgrade 1.4.4 -> 2.0.0
        python3-pako: Upgrade 0.3.0 -> 0.3.1
        python3-pyscaffold: Upgrade 3.3.1 -> 4.0
        python3-croniter: Upgrade 1.0.6 -> 1.0.8
        python3-prompt-toolkit: Upgrade 3.0.16 -> 3.0.17
        python3-pymisp: Upgrade 2.4.138 -> 2.4.140
        python3-jsonpatch: Upgrade 1.31 -> 1.32
        python3-jsonpointer: Upgrade 2.0 -> 2.1
        python3-configargparse: Upgrade 1.3 -> 1.4
        python3-luma-core: Upgrade 2.2.0 -> 2.3.1
        python3-pycodestyle: Upgrade 2.6.0 -> 2.7.0
        python3-bitarray: Upgrade 1.7.0 -> 1.7.1
        python3-alembic: Upgrade 1.5.5 -> 1.5.7
        python3-pyflakes: Upgrade 2.2.0 -> 2.3.0
        python3-autobahn: Upgrade 21.2.2 -> 21.3.1
        python3-pulsectl: Upgrade 21.2.0 -> 21.3.4
        python3-configparser: Upgrade 5.0.1 -> 5.0.2
        python3-defusedxml: Upgrade 0.6.0 -> 0.7.1
        python3-twine: Upgrade 3.3.0 -> 3.4.0
        python3-socketio: Upgrade 5.0.4 -> 5.1.0
        python3-soupsieve: Upgrade 2.2 -> 2.2.1
        python3-cassandra-driver: Upgrade 3.24.0 -> 3.25.0
        python3-urllib3: Upgrade 1.26.3 -> 1.26.4
        python3-bitarray: Upgrade 1.7.1 -> 1.8.0
        python3-pyscaffold: Upgrade 4.0 -> 4.0.1
        python3-flask-migrate: Upgrade 2.6.0 -> 2.7.0
        python3-grpcio-tools: Upgrade 1.35.0 -> 1.36.1
        python3-humanize: Upgrade 3.2.0 -> 3.3.0
        python3-regex: Upgrade 2020.11.13 -> 2021.3.17
        python3-twine: Upgrade 3.4.0 -> 3.4.1
        python3-isort: Upgrade 5.7.0 -> 5.8.0
        python3-sqlalchemy: Upgrade 1.3.23 -> 1.4.2
        python3-scrypt: Upgrade 0.8.6 -> 0.8.17
        python3-colorlog: Upgrade 4.7.2 -> 4.8.0
        python3-croniter: Upgrade 1.0.8 -> 1.0.9
        python3-pyperf: Upgrade 2.1.0 -> 2.2.0
        python3-lazy-object-proxy: Upgrade 1.5.2 -> 1.6.0
        python3-prompt-toolkit: Upgrade 3.0.17 -> 3.0.18
        python3-configshell-fb: Upgrade 1.1.28 -> 1.1.29
        python3-backports-functools-lru-cache: Upgrade 1.6.1 -> 1.6.3
        python3-pytest-helpers-namespace: Upgrade 2019.1.8 -> 2021.3.24
        python3-elementpath: Upgrade 2.2.0 -> 2.2.1
        python3-alembic: Upgrade 1.5.7 -> 1.5.8
        python3-rfc3339-validator: Upgrade 0.1.2 -> 0.1.3
        python3-pyflakes: Upgrade 2.3.0 -> 2.3.1
        python3-pint: Upgrade 0.16.1 -> 0.17
        python3-flask-sqlalchemy: Upgrade 2.4.4 -> 2.5.1
        python3-django: Upgrade 3.1.1 -> 3.1.7
        python3-djangorestframework: Upgrade 3.12.2 -> 3.12.3
        python3-ruamel-yaml: Upgrade 0.16.13 -> 0.17.0
        python3-bitarray: Upgrade 1.8.0 -> 1.8.1
        python3-sqlalchemy: Upgrade 1.4.2 -> 1.4.3
        python3-xmlschema: Upgrade 1.5.1 -> 1.5.3
        python3-croniter: Upgrade 1.0.9 -> 1.0.10
        python3-astroid: Upgrade 2.5.1 -> 2.5.2
        python3-pyroute2: Upgrade 0.5.14 -> 0.5.15
        python3-coverage: Upgrade 5.4 -> 5.5
        python3-gunicorn: Upgrade 20.0.4 -> 20.1.0
        python3-djangorestframework: Upgrade 3.12.3 -> 3.12.4
        python3-ipython: Upgrade 7.21.0 -> 7.22.0
        python3-openpyxl: Upgrade 3.0.6 -> 3.0.7
        python3-ruamel-yaml: Upgrade 0.17.0 -> 0.17.2
        python3-sqlalchemy: Upgrade 1.4.3 -> 1.4.4
        python3-bitarray: Upgrade 1.8.1 -> 1.8.2
        python3-httplib2: Upgrade 0.19.0 -> 0.19.1
        python3-parso: Upgrade 0.8.1 -> 0.8.2
        python3-matplotlib: Upgrade 3.3.4 -> 3.4.1
        python3-pyroute2: Upgrade 0.5.15 -> 0.5.16
        python3-h5py: Upgrade 3.1.0 -> 3.2.1
        python3-cheetah: Upgrade 3.2.6 -> 3.2.6.post1
        python3-google-api-python-client: Upgrade 2.0.2 -> 2.1.0
        python3-xlsxwriter: Upgrade 1.3.7 -> 1.3.8
        python3-pymisp: Upgrade 2.4.140 -> 2.4.141
        python3-tqdm: Upgrade 4.58.0 -> 4.59.0
        python3-contextlib2: Upgrade 0.6.0 -> 0.6.0.post1
        python3-typeguard: Upgrade 2.11.1 -> 2.12.0
        python3-decorator: Upgrade 4.4.2 -> 5.0.1
        python3-pillow: Upgrade 8.1.2 -> 8.2.0
        python3-aiohttp: Upgrade 3.7.4 -> 3.7.4.post0
        python3-networkx: Upgrade 2.5 -> 2.5.1
        python3-pysonos: Upgrade 0.0.40 -> 0.0.41
        python3-docutils: Upgrade 0.16 -> 0.17
        python3-bitarray: Upgrade 1.8.2 -> 1.9.0
        python3-regex: Upgrade 2021.3.17 -> 2021.4.4
        python3-sqlalchemy: Upgrade 1.4.4 -> 1.4.5
        python3-pychromecast: Upgrade 9.1.1 -> 9.1.2
        python3-decorator: Upgrade 5.0.1 -> 5.0.5
        python3-pymisp: Upgrade 2.4.141 -> 2.4.141.1
        python3-pyroute2: Upgrade 0.5.16 -> 0.5.17
        python3-transitions: Upgrade 0.8.7 -> 0.8.8
        python3-sqlalchemy: Upgrade 1.4.5 -> 1.4.6
        python3-bitarray: Upgrade 1.9.0 -> 1.9.1
        python3-pysonos: Upgrade 0.0.41 -> 0.0.42
        python3-django: Upgrade 3.1.7 -> 3.2
        python3-tqdm: Upgrade 4.59.0 -> 4.60.0
        python3-xmlschema: Upgrade 1.5.3 -> 1.6.0
        python3-ruamel-yaml: Upgrade 0.17.2 -> 0.17.4
        python3-croniter: Upgrade 1.0.10 -> 1.0.11
        python3-decorator: Upgrade 5.0.5 -> 5.0.6
        python3-grpcio-tools: Upgrade 1.36.1 -> 1.37.0
        python3-speedtest-cli: Upgrade 2.1.2 -> 2.1.3
        python3-python-vlc: Upgrade 3.0.11115 -> 3.0.12117
        python3-robotframework: Upgrade 4.0 -> 4.0.1
        python3-grpcio: Upgrade 1.36.1 -> 1.37.0
        python3-cerberus: Upgrade 1.3.2 -> 1.3.3
        python3-humanize: Upgrade 3.3.0 -> 3.4.0
        python3-monotonic: Upgrade 1.5 -> 1.6
        python3-sqlalchemy: Upgrade 1.4.6 -> 1.4.7
        python3-typed-ast: Upgrade 1.4.2 -> 1.4.3
        python3-backports-functools-lru-cache: Upgrade 1.6.3 -> 1.6.4
        python3-xmlschema: Upgrade 1.6.0 -> 1.6.1
        python3-pyroute2: Upgrade 0.5.17 -> 0.5.18
        python3-sympy: Upgrade 1.7.1 -> 1.8
        python3-pandas: Upgrade 1.2.3 -> 1.2.4
        python3-humanize: Upgrade 3.4.0 -> 3.4.1
        python3-decorator: Upgrade 5.0.6 -> 5.0.7
        python3-colorlog: Upgrade 4.8.0 -> 5.0.1
        python3-google-api-python-client: Upgrade 2.1.0 -> 2.2.0
        python3-croniter: Upgrade 1.0.11 -> 1.0.12
        python3-pysonos: Upgrade 0.0.42 -> 0.0.43
        python3-asttokens: Upgrade 2.0.4 -> 2.0.5
        python3-hyperframe: Upgrade 6.0.0 -> 6.0.1

  Luca Boccassi (3):
        cryptsetup: depend on new util-linux-uuid to break cycle
        dbus-broker: upgrade 26 -> 27
        dbus-broker: upgrade 27 -> 28

  Marius Kriegerowski (1):
        tmate: add recipe version 2.4.0

  Martin Jansa (25):
        glog: fix searching for Libunwind
        ceres-solver: prevent fetching git hook during do_configure
        packagegroup-meta-oe: include abseil-cpp for all architectures
        packagegroup-meta-oe: include nodejs without meta-python2 conditional
        packagegroup-meta-oe: move the packages depending on meta-python2 to separate packages
        mysql-python, lio-utils, openlmi-tools: add conditional PNBLACKLIST like meta-python2 does
        conf/layer.conf: include .bbappend files in BBFILES_DYNAMIC
        open-vm-tools: move to meta-networking
        packagegroup-meta-{oe,multimedia}: move pipewire to the right packagegroup
        packagegroup-meta-multimedia: include projucer only with x11 in DISTRO_FEATURES
        packagegroup-meta-multimedia: include vlc only with x11 in DISTRO_FEATURES
        packagegroup-meta-oe: include glfw, icewm, geis only with x11 in DISTRO_FEATURES
        phonet-utils: remove
        packagegroup-meta-oe: use 4 spaces for indentation
        telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings
        uml-utilities: fix installed-vs-shipped with usrmerge
        libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error with usrmerge
        libyui: switch to libyui-old repo which still has this SRCREV
        libyui(-ncurses): upgrade to 4.1.1, libyui repo was rewritten completely
        android-tools: use PN instead of BPN in RDEPENDS
        pidgin-sipe: fix g_memdup2 changes to be backwards compatible with glib-1.67
        pidgin: upgrade to 2.14.2
        opencv: fetch wechat_qrcode files used by dnn PACKAGECONFIG
        opencv: link sfm module with Glog
        ostree: switch from default master branch to main to fix do_fetch failure

  Matteo Croce (1):
        libbpf: use pkg-config

  Michael Vetter (1):
        jasper: upgrade 2.0.25 -> 2.0.26

  Ming Liu (1):
        atftp: move atftpd.init from files to atftp subdirectory

  Mingli Yu (10):
        geoip: Switch to use the main branch
        geoip-perl: Switch to use the main branch
        bridge-utils: Switch to use the main branch
        netkit-telnet: Update SRC_URI
        quagga: Update SRC_URI
        hostapd: fix CVE-2019-5061
        freeradius: Upgrade to 3.0.21
        hostapd: fix CVE-2021-0326 and CVE-2021-27803
        php: Upgrade to 7.4.16
        python3-cryptography: Upgrade to 3.3.2

  Naveen Saini (2):
        tbb: upgrade 2020.3 -> 2021.2.0
        ocl-icd: upgrade 2.2.14 -> 2.3.0

  Nisha Parrakat (1):
        neon: use pkg-config instead of xml2-config to configure

  Oleksandr Kravchuk (10):
        ipset: update to 7.11
        libnice: update to 0.1.18
        nbdkit: update to 1.25.3
        python3-bitarray: update to 1.7.0
        python3-google-api-python-client: update to 2.0.2
        python3-jsonpatch: update to 1.31
        python3-websocket-client: update to 0.58.0
        python3-robotframework: update to 4.0
        python3-sentry-sdk: update to 1.0.0
        aom: update to 3.0.0

  Peace Lee (2):
        guider: Upgrade 3.9.7 -> 3.9.8
        guider: Upgrade 3.9.7 -> 3.9.8

  Persian Prince (1):
        tinymembench: Correct PV

  Philip Balister (1):
        fftw: Add support for ptest.

  Randy MacLeod (8):
        gperftools: upgrade 2.8.1 -> 2.9.1
        zabbix: upgrade 4.4.6 -> 5.2.5
        nss: upgrade 3.60.1 -> 3.62
        xterm: upgrade 362 -> 366
        zstd: remove the recipe since it moved to oe-core
        tclap: upgrade 1.2.2 -> 1.4.0
        doxygen: Upgrade 1.8.20 -> 1.9.1
        open-vm-tools: upgrade 11.0.1 -> 11.2.5

  Ross Burton (4):
        libxmlb: upgrade to 0.3.0
        flashrom: recipe cleanup
        openjpeg: add native/nativesdk class extension
        fwts: upgrade to 21.03.00

  Sakib Sajal (1):
        grpc: upgrade 1.36.1 -> 1.36.2

  Sam Van Den Berge (1):
        libiio: fix build when python bindings are enabled

  Sana Kazi (1):
        mdns: Whitelisted CVE-2007-0613 for mdns

  Sinan Kaya (1):
        zram: add support for mem_limit

  Stefan Ghinea (2):
        hostapd: fix CVE-2021-30004
        python3-django: fix CVE-2021-28658

  Stefan Schmidt (2):
        musl-rpmatch_git.bb: add new recipe to provide rpmatch() for musl libc builds
        plymouth_0.9.5.bb: allow building with musl libc

  Ulrich Ölmann (1):
        v4l-utils: fix reproducibility

  Valentin Longchamp (1):
        libssh: add gcrypt to PACKAGECONFIG

  Vinicius Aquino (1):
        networkmanager: upgrade 1.28.0 -> 1.30.2

  Vinícius Ossanes Aquino (2):
        modemmanager: upgrade 1.14.10 -> 1.16.2
        libqmi: upgrade 1.26.6 -> 1.28.2

  Wang Mingyu (3):
        czmq: Conflict resolution for sha1.h
        python3-lxml: upgrade 4.6.2 -> 4.6.3
        python3-zopeinterface: upgrade 5.2.0 -> 5.3.0

  Yann Dirson (1):
        mpv: remove explicit LICENSE_FLAGS

  Yi Fan Yu (7):
        librelp: update 1.6.0 -> 1.10.0
        rsyslog: Fix rsyslog systemd service not starting
        rsyslog: fix some of the ptests
        redis: upgrade 6.0.9 -> 6.2.1
        syslog-ng: upgrade 3.24.1 -> 3.31.2
        syslog-ng: remove CONFIG_TLS override for arm DEBUG_BUILD
        syslog-ng: Drop an obsolete patch to add --enable-libnet

  Yi Zhao (3):
        quagga: do not set PIDFile in service files
        tclap: add pkg-config file
        gvfs: rdepend on gsettings-desktop-schemas

  Zang Ruochen (1):
        gtkwave: upgrade 3.3.104 -> 3.3.108

  akuster (1):
        README: updated Maintainers list for Hardknott

  hasan.men (2):
        librdkafka: Add initial recipe v1.6.1
        libcppkafka: Add initial recipe for cppkafka wrapper

  persianpros (5):
        PEP8 double aggressive E701, E70 and E502
        PEP8 double aggressive E20 and E211
        PEP8 double aggressive E22, E224, E241, E242 and E27
        PEP8 double aggressive E301 ~ E306
        PEP8 double aggressive W291 ~ W293 and W391

  wangmy (2):
        mariadb: upgrade 10.5.8 -> 10.5.9
        uftrace: Fix error on aarch64 when binutils update to 2.35.1

  zangrc (38):
        dovecot: upgrade 2.3.13 -> 2.3.14
        fetchmail: upgrade 6.4.16 -> 6.4.17
        dialog: upgrade 1.3-20210117 -> 1.3-20210306
        fio: upgrade 3.25 -> 3.26
        xorriso: upgrade 1.5.3 -> 1.5.5
        iscsi-initiator-utils: upgrade 2.1.3 -> 2.1.4
        mosquitto: upgrade 2.0.8 -> 2.0.9
        nbdkit: upgrade 1.25.3 -> 1.25.4
        wireguard-tools: upgrade 1.0.20210223 -> 1.0.20210315
        wireshark: upgrade 3.4.3 -> 3.4.4
        live555: upgrade 20210129 -> 20210322
        mg: upgrade 20200723 -> 20210314
        nanopb: upgrade 0.4.4 -> 0.4.5
        nss: upgrade 3.62 -> 3.63
        uriparser: upgrade 0.9.4 -> 0.9.5
        gnome-autoar: upgrade 0.2.4 -> 0.3.1
        emacs: upgrade 27.1 -> 27.2
        fbgrab: upgrade 1.4 -> 1.5
        ostree: upgrade 2020.8 -> 2021.1
        zabbix: upgrade 5.2.5 -> 5.2.6
        libxaw: upgrade 1.0.13 -> 1.0.14
        mosquitto: upgrade 2.0.9 -> 2.0.10
        nbdkit: upgrade 1.25.4 -> 1.25.5
        stunnel: upgrade 5.58 -> 5.59
        usbredir: upgrade 0.8.0 -> 0.9.0
        hwdata: upgrade 0.345 -> 0.346
        live555: upgrade 20210322 -> 20210406
        rabbitmq-c: upgrade 0.10.0 -> 0.11.0
        xterm: upgrade 366 -> 367
        fuse3: upgrade 3.10.2 -> 3.10.3
        cifs-utils: upgrade 6.12 -> 6.13
        dnsmasq: upgrade 2.84 -> 2.85
        nbdkit: upgrade 1.25.5 -> 1.25.6
        wolfssl: upgrade 4.7.0 -> 4.7.1
        networkmanager: upgrade 1.30.2 -> 1.30.4
        libdvdread: upgrade 6.1.1 -> 6.1.2
        redis: upgrade 6.2.1 -> 6.2.2
        nss: upgrade 3.63 -> 3.64

  zhengruoqin (21):
        phpmyadmin: upgrade 5.0.4 -> 5.1.0
        uthash: upgrade 2.2.0 -> 2.3.0
        gd: upgrade 2.3.1 -> 2.3.2
        openocd: upgrade 0.10 -> 0.11
        satyr: upgrade 0.36 -> 0.37
        libcrypt-openssl-guess-perl: upgrade 0.11 -> 0.12
        cryptsetup: upgrade 2.3.4 -> 2.3.5
        glmark2: upgrade 20201114 -> 2021.02
        grpc: upgrade 1.36.2 -> 1.36.3
        dialog: upgrade 1.3-20210306 -> 1.3-20210319
        grpc: upgrade 1.36.3 -> 1.36.4
        libgee: upgrade 0.20.3 -> 0.20.4
        fetchmail: upgrade 6.4.17 -> 6.4.18
        lldpd: upgrade 1.0.4 -> 1.0.8
        networkmanager-openvpn: upgrade 1.8.12 -> 1.8.14
        snort: upgrade 2.9.17 -> 2.9.17.1
        python3-absl: upgrade 0.10.0 -> 0.12.0
        python3-astroid: upgrade 2.5.2 -> 2.5.3
        python3-bitarray: upgrade 1.9.1 -> 1.9.2
        irssi: upgrade 1.2.2 -> 1.2.3
        librsync: upgrade 2.3.1 -> 2.3.2

meta-security: 775870980b..c6b1eec0e5:
  Anton Antonov (5):
        Use libest "main" branch instead of "master".
        Add meta-parsec layer into meta-security.
        Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
        Clearly define clang toolchain in Parsec recipes
        gitlab-ci: Move all parsec builds into a separate job

  Armin Kuster (25):
        packagegroup-core-security: drop clamav-cvd
        clamav: upgrade 104.0
        python3-privacyidea: upgrade 3.5.1 -> 3.5.2
        clamav: fix systemd service install
        swtpm: now need python-cryptography, pull in layer
        swtpm: file pip3 issue
        swtpm: fix check for tscd deamon on host
        python3-suricata-update: update to 1.2.1
        .gitlab-ci.yml: reorder to speed up builds
        kas-security-base.yml: tweek build vars
        gitlab-ci: fine tune order
        clamav: remove rest of mirror.dat ref
        lkrg-module: Add Linux Kernel Runtime Guard
        kas-security-base: change branch to hardknott
        kas-security-base: add hardknott local dirs
        kas-security-base: Move some DISTRO_FEATURES around
        *-tpm.yml: drop tpms jobs
        gitlab-ci: move tpm build
        .gitlab-ci: work on pipelime
        gitlab-ci: cleanup after_script
        gitlab-ci: add new before script
        kas: cleanup some kas files
        packagegroup-core-security: exclude apparmor in mips64
        .gitlab-ci: use kas shell in some cases.
        kas-security-base: fix feature namespace for tpm*

  Ming Liu (2):
        meta: drop IMA_POLICY from policy recipes
        initramfs-framework-ima: introduce IMA_FORCE

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I635e69c9d74af0c553cad5eadd972f26830c7add
diff --git a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
index 0a007bb..ce242c3 100644
--- a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
+++ b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
@@ -7,6 +7,7 @@
 SECTION = "devel"
 
 DEPENDS += "expect-native"
+RDEPENDS_${PN} = "expect"
 
 inherit autotools
 
diff --git a/poky/meta/recipes-devtools/go/go-1.16.2.inc b/poky/meta/recipes-devtools/go/go-1.16.3.inc
similarity index 88%
rename from poky/meta/recipes-devtools/go/go-1.16.2.inc
rename to poky/meta/recipes-devtools/go/go-1.16.3.inc
index e65caf8..ebd25a5 100644
--- a/poky/meta/recipes-devtools/go/go-1.16.2.inc
+++ b/poky/meta/recipes-devtools/go/go-1.16.3.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.16"
-PV = "1.16.2"
+PV = "1.16.3"
 FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -17,4 +17,4 @@
     file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
     file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
 "
-SRC_URI[main.sha256sum] = "37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea"
+SRC_URI[main.sha256sum] = "b298d29de9236ca47a023e382313bcc2d2eed31dfa706b60a04103ce83a71a25"
diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
similarity index 83%
rename from poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
index 4fb0601..d01a2bd 100644
--- a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
@@ -8,8 +8,8 @@
 PROVIDES = "go-native"
 
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8"
-SRC_URI[go_linux_arm64.sha256sum] = "6924601d998a0917694fd14261347e3798bd2ad6b13c4d7f2edd70c9d57f62ab"
+SRC_URI[go_linux_amd64.sha256sum] = "951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2"
+SRC_URI[go_linux_arm64.sha256sum] = "566b1d6f17d2bc4ad5f81486f0df44f3088c3ed47a3bec4099d8ed9939e90d5d"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/poky/meta/recipes-devtools/go/go-common.inc b/poky/meta/recipes-devtools/go/go-common.inc
index f18d928..c368b95 100644
--- a/poky/meta/recipes-devtools/go/go-common.inc
+++ b/poky/meta/recipes-devtools/go/go-common.inc
@@ -14,7 +14,7 @@
 
 inherit goarch
 
-SRC_URI = "http://golang.org/dl/go${PV}.src.tar.gz;name=main"
+SRC_URI = "https://dl.google.com/go/go${PV}.src.tar.gz;name=main"
 S = "${WORKDIR}/go"
 B = "${S}"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-cross_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-cross_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-native_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-native_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-native_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb b/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go_1.16.2.bb b/poky/meta/recipes-devtools/go/go_1.16.3.bb
similarity index 100%
rename from poky/meta/recipes-devtools/go/go_1.16.2.bb
rename to poky/meta/recipes-devtools/go/go_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 19a03d4..e9225e1 100644
--- a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -22,6 +22,7 @@
            file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
            file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
            file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
+           file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
           "
 
 SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
new file mode 100644
index 0000000..87f8492
--- /dev/null
+++ b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
@@ -0,0 +1,35 @@
+From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Tue, 13 Apr 2021 07:17:29 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before automake
+
+When use automake to generate Makefile.in from Makefile.am, there
+comes below race:
+ | configure.ac:45: error: required file 'config-h.in' not found
+
+It is because the file config-h.in in updating process by autoheader,
+so make automake run after autoheader to avoid the above race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2752ecc..29950db 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -328,7 +328,7 @@ EXTRA_DIST     += $(lt_aclocal_m4) \
+ 		  $(lt_obsolete_m4) \
+ 		  $(stamp_mk)
+ 
+-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4)
++$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in)
+ 	$(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile
+ 
+ # Don't let unused scripts leak into the libltdl Makefile
+-- 
+2.29.2
+
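Review bot: In the `$(lt_Makefile_in)` rule, the added `$(lt_config_h_in)` prerequisite closes the race only if that variable names a target with its own autoheader rule, and neither the definition nor that rule appears in this hunk's context. State in the patch description which rule regenerates config-h.in, so the ordering guarantee can be checked when the patch is rebased.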
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
new file mode 100644
index 0000000..ba35ec6
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
@@ -0,0 +1,44 @@
+From 6edec83653ce1b5fc201ff6db93b966394766814 Mon Sep 17 00:00:00 2001
+From: rmnull <rmnull@users.noreply.github.com>
+Date: Tue, 18 Aug 2020 20:22:52 +0530
+Subject: [PATCH] mark phdrs synced with sections, avoid rechecking it when
+ syncing note sections to segments.
+
+This also serves as a bug fix when a previously synced note segment
+overlaps with another section and creates a false alarm.
+
+Upstream-Status: Backport
+---
+ src/patchelf.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/patchelf.cc b/src/patchelf.cc
+index 05ec793..622f0b6 100644
+--- a/src/patchelf.cc
++++ b/src/patchelf.cc
+@@ -669,6 +669,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+             memset(contents + rdi(shdr.sh_offset), 'X', rdi(shdr.sh_size));
+     }
+ 
++    std::set<unsigned int> noted_phdrs = {};
+     for (auto & i : replacedSections) {
+         std::string sectionName = i.first;
+         auto & shdr = findSection(sectionName);
+@@ -721,7 +722,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+                 shdr.sh_addralign = orig_shdr.sh_addralign;
+ 
+             for (unsigned int j = 0; j < phdrs.size(); ++j)
+-                if (rdi(phdrs[j].p_type) == PT_NOTE) {
++                if (rdi(phdrs[j].p_type) == PT_NOTE && noted_phdrs.find(j) == noted_phdrs.end()) {
+                     Elf_Off p_start = rdi(phdrs[j].p_offset);
+                     Elf_Off p_end = p_start + rdi(phdrs[j].p_filesz);
+                     Elf_Off s_start = rdi(orig_shdr.sh_offset);
+@@ -739,6 +740,8 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+                     phdrs[j].p_offset = shdr.sh_offset;
+                     phdrs[j].p_vaddr = phdrs[j].p_paddr = shdr.sh_addr;
+                     phdrs[j].p_filesz = phdrs[j].p_memsz = shdr.sh_size;
++
++                    noted_phdrs.insert(j);
+                 }
+         }
+ 
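Review bot: The patch header has `Upstream-Status: Backport` with no upstream commit URL and no Signed-off-by from whoever imported it, and the file is named only by a hash. Add the upstream reference and a sign-off, and consider a descriptive file name, so the origin of the `noted_phdrs` change in writeReplacedSections() can be audited later.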
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
new file mode 100644
index 0000000..a06876e
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
@@ -0,0 +1,44 @@
+If a binary has multiple SHT_NOTE sections and corresponding PT_NOTE
+headers, we can see the error:
+
+patchelf: cannot normalize PT_NOTE segment: non-contiguous SHT_NOTE sections
+
+if the SHT_NOTE sections aren't sized to end on aligned boundaries. An example
+would be a binary with:
+
+  [ 2] .note.ABI-tag     NOTE             00000000000002f4  000002f4
+       0000000000000020  0000000000000000   A       0     0     4
+  [ 3] .note.gnu.propert NOTE             0000000000000318  00000318
+       0000000000000030  0000000000000000   A       0     0     8
+  [ 4] .note.gnu.build-i NOTE             0000000000000348  00000348
+       0000000000000024  0000000000000000   A       0     0     4
+
+  NOTE           0x0000000000000318 0x0000000000000318 0x0000000000000318
+                 0x0000000000000030 0x0000000000000030  R      0x8
+  NOTE           0x00000000000002f4 0x00000000000002f4 0x00000000000002f4
+                 0x0000000000000078 0x0000000000000074  R      0x4
+
+since the PT_NOTE section at 2f4 covers [2] and [3] but the code
+calclates curr_off should be 314, not the 318 in the binary. This
+is an alignment issue.
+
+To fix this, we need to round curr_off to the next section alignment.
+
+Upstream-Status: Submitted [https://github.com/NixOS/patchelf/pull/274]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/src/patchelf.cc
+===================================================================
+--- git.orig/src/patchelf.cc
++++ git/src/patchelf.cc
+@@ -1010,8 +1010,9 @@ void ElfFile<ElfFileParamNames>::normali
+             size_t size = 0;
+             for (const auto & shdr : shdrs) {
+                 if (rdi(shdr.sh_type) != SHT_NOTE) continue;
+-                if (rdi(shdr.sh_offset) != curr_off) continue;
++                if (rdi(shdr.sh_offset) != roundUp(curr_off, rdi(shdr.sh_addralign))) continue;
+                 size = rdi(shdr.sh_size);
++                curr_off = roundUp(curr_off, rdi(shdr.sh_addralign));
+                 break;
+             }
+             if (size == 0)
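Review bot: In the SHT_NOTE loop, the new `roundUp(curr_off, rdi(shdr.sh_addralign))` takes the alignment straight from the section header, and ELF permits sh_addralign to be 0 (no alignment constraint). Confirm that roundUp tolerates a zero alignment or guard the call, since patchelf runs on arbitrary input binaries. The rounded value is also computed twice; compute it once into a local, compare against that, and assign it to curr_off so the two uses cannot diverge.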
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
index 95886c6..7c97ea0 100644
--- a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
+++ b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
@@ -6,6 +6,8 @@
 
 SRC_URI = "git://github.com/NixOS/patchelf;protocol=https \
            file://handle-read-only-files.patch \
+           file://6edec83653ce1b5fc201ff6db93b966394766814.patch \
+           file://alignmentfix.patch \
            "
 SRCREV = "8d3a16e97294e3c5521c61b4c8835499c9918264"
 
diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
index 17bd02c..4eab133 100644
--- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@
            file://fallback-group \
            "
 
-SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b"
+SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
 
diff --git a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c..c3d1e06 100644
--- a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -23,24 +23,24 @@
 
 Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
 
+
+Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>
+
 Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
 ---
  Lib/test/test_locale.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
-index e2c2178..558d63c 100644
---- a/Lib/test/test_locale.py
-+++ b/Lib/test/test_locale.py
-@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase):
+Index: Python-3.9.4/Lib/test/test_locale.py
+===================================================================
+--- Python-3.9.4.orig/Lib/test/test_locale.py
++++ Python-3.9.4/Lib/test/test_locale.py
+@@ -562,7 +562,7 @@ class TestMiscellaneous(unittest.TestCas
              self.skipTest('test needs Turkish locale')
          loc = locale.getlocale(locale.LC_CTYPE)
          if verbose:
 -            print('testing with %a' % (loc,), end=' ', flush=True)
 +            print('testing with %a...' % (loc,), end=' ', flush=True)
-         locale.setlocale(locale.LC_CTYPE, loc)
-         self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE))
- 
--- 
-2.7.4
-
+         try:
+             locale.setlocale(locale.LC_CTYPE, loc)
+         except locale.Error as exc:
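Review bot: The added header line `Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>` runs the rebase remark and the sign-off together, so the Signed-off-by does not start its own line and will not be picked up as a trailer. Split it into two lines and drop the extra blank line added above it.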
diff --git a/poky/meta/recipes-devtools/python/python3/create_manifest3.py b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
index 4da02a2..045240e 100644
--- a/poky/meta/recipes-devtools/python/python3/create_manifest3.py
+++ b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
@@ -36,7 +36,7 @@
 # Tha method to handle cached files does not work when a module includes a folder which
 # itself contains the pycache folder, gladly this is almost never the case.
 #
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29 at gmail dot com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
 
 
 import sys
@@ -45,6 +45,11 @@
 import os
 import collections
 
+if '-d' in sys.argv:
+    debugFlag = '-d'
+else:
+    debugFlag = ''
+
 # Get python version from ${PYTHON_MAJMIN}
 pyversion = str(sys.argv[1])
 
@@ -84,6 +89,12 @@
         manifest.seek(0, 0)
         manifest.write(comments + json_contents)
 
+def print_indent(msg, offset):
+    for l in msg.splitlines():
+        msg = ' ' * offset + l
+        print(msg)
+
+
 # Read existing JSON manifest
 with open('python3-manifest.json') as manifest:
     # The JSON format doesn't allow comments so we hack the call to keep the comments using a marker
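Review bot: print_indent() iterates `msg.splitlines()`, which drops the trailing newline of messages such as 'The following dependencies were found for module %s:\n' and turns a leading '\n' into an indent-only line, so the blank-line spacing of the old output changes at the converted call sites. The loop also rebinds `msg` while iterating over lines derived from it and uses `l` as a name; `for line in msg.splitlines(): print(' ' * offset + line)` is clearer.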
@@ -99,7 +110,7 @@
 # Not exactly the same so it should not be a function
 #
 
-print ('Getting dependencies for package: core')
+print_indent('Getting dependencies for package: core', 0)
 
 
 # This special call gets the core dependencies and
@@ -109,7 +120,7 @@
 # on the new core package, they will still find them
 # even when checking the old_manifest
 
-output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package']).decode('utf8')
+output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package', '%s' % debugFlag]).decode('utf8')
 for coredep in output.split():
     coredep = coredep.replace(pyversion,'${PYTHON_MAJMIN}')
     if isCached(coredep):
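Review bot: On the check_output line, `'%s' % debugFlag` is always appended, so when `-d` is absent get_module_deps3.py receives an empty-string argument. Build the argument list conditionally and append '-d' only when it was requested. The flag is also detected with `'-d' in sys.argv` while `pyversion` is still read from `sys.argv[1]`, so a `-d` given first would be taken as the Python version.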
@@ -149,17 +160,16 @@
     # Get actual module name , shouldnt be affected by libdir/bindir, etc.
     pymodule = os.path.splitext(os.path.basename(os.path.normpath(filedep)))[0]
 
-
     # We now know that were dealing with a python module, so we can import it
     # and check what its dependencies are.
     # We launch a separate task for each module for deterministic behavior.
     # Each module will only import what is necessary for it to work in specific.
     # The output of each task will contain each module's dependencies
 
-    print ('Getting dependencies for module: %s' % pymodule)
-    output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
-    print ('The following dependencies were found for module %s:\n' % pymodule)
-    print (output)
+    print_indent('Getting dependencies for module: %s' % pymodule, 2)
+    output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+    print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+    print_indent(output, 6)
 
 
     for pymodule_dep in output.split():
@@ -178,12 +188,13 @@
 # all others will use this a base.
 
 
+print('\n\nChecking for directories...\n')
 # To improve the script speed, we check which packages contain directories
 # since we will be looping through (only) those later.
 for pypkg in old_manifest:
     for filedep in old_manifest[pypkg]['files']:
         if isFolder(filedep):
-            print ('%s is a folder' % filedep)
+            print_indent('%s is a directory' % filedep, 2)
             if pypkg not in hasfolders:
                 hasfolders.append(pypkg)
             if filedep not in allfolders:
@@ -221,14 +232,14 @@
 
     print('\n')
     print('--------------------------')
-    print ('Handling package %s' % pypkg)
+    print('Handling package %s' % pypkg)
     print('--------------------------')
 
     # Handle special cases, we assume that when they were manually added 
     # to the manifest we knew what we were doing.
     special_packages = ['misc', 'modules', 'dev', 'tests']
     if pypkg in special_packages or 'staticdev' in pypkg:
-        print('Passing %s package directly' % pypkg)
+        print_indent('Passing %s package directly' % pypkg, 2)
         new_manifest[pypkg] = old_manifest[pypkg]
         continue
 
@@ -259,7 +270,7 @@
 
         # Get actual module name , shouldnt be affected by libdir/bindir, etc.
         # We need to check if the imported module comes from another (e.g. sqlite3.dump)
-        path,pymodule = os.path.split(filedep)
+        path, pymodule = os.path.split(filedep)
         path = os.path.basename(path)
         pymodule = os.path.splitext(os.path.basename(pymodule))[0]
 
@@ -279,10 +290,10 @@
         # Each module will only import what is necessary for it to work in specific.
         # The output of each task will contain each module's dependencies
 
-        print ('\nGetting dependencies for module: %s' % pymodule)
-        output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
-        print ('The following dependencies were found for module %s:\n' % pymodule)
-        print (output)
+        print_indent('\nGetting dependencies for module: %s' % pymodule, 2)
+        output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+        print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+        print_indent(output, 6)
 
         reportFILES = []
         reportRDEPS = []
@@ -325,7 +336,7 @@
                             # print('Checking folder %s on package %s' % (pymodule_dep,pypkg_with_folder))
                             for folder_dep in old_manifest[pypkg_with_folder]['files'] or folder_dep in old_manifest[pypkg_with_folder]['cached']:
                                 if folder_dep == folder:
-                                    print ('%s folder found in %s' % (folder, pypkg_with_folder))
+                                    print ('%s directory found in %s' % (folder, pypkg_with_folder))
                                     folderFound = True
                                     if pypkg_with_folder not in new_manifest[pypkg]['rdepends'] and pypkg_with_folder != pypkg:
                                         new_manifest[pypkg]['rdepends'].append(pypkg_with_folder)
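Review bot: The context line `for folder_dep in old_manifest[pypkg_with_folder]['files'] or folder_dep in old_manifest[pypkg_with_folder]['cached']:` parses as iterating over `files or (folder_dep in cached)`, so the 'cached' list is never walked when 'files' is non-empty. Since this hunk touches the loop body, iterate over the concatenation of both lists instead. The changed message also still uses `print (` rather than print_indent like the other converted call sites.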
@@ -424,7 +435,7 @@
 
 if (repeated):
     error_msg = '\n\nERROR:\n'
-    error_msg += 'The following files are repeated (contained in more than one package),\n'
+    error_msg += 'The following files were found in more than one package),\n'
     error_msg += 'this is likely to happen when new files are introduced after an upgrade,\n'
     error_msg += 'please check which package should get it,\n modify the manifest accordingly and re-run the create_manifest task:\n'
     error_msg += '\n'.join(repeated)
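Review bot: The reworded string 'The following files were found in more than one package),\n' keeps the closing parenthesis of the old parenthetical, which is now unbalanced. Drop the `)`.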
diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
index 6806f23..1f4c982 100644
--- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
+++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
@@ -3,14 +3,18 @@
 # them out, the output of this execution will have all dependencies
 # for a specific module, which will be parsed an dealt on create_manifest.py
 #
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29@gmail.com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
 
-# We can get a log per module, for all the dependencies that were found, but its messy.
-debug=False
 
 import sys
 import os
 
+# We can get a log per module, for all the dependencies that were found, but its messy.
+if '-d' in sys.argv:
+    debug = True
+else:
+    debug = False
+
 # We can get a list of the modules which are currently required to run python
 # so we run python-core and get its modules, we then import what we need
 # and check what modules are currently running, if we substract them from the
@@ -19,13 +23,13 @@
 # We use importlib to achieve this, so we also need to know what modules importlib needs
 import importlib
 
-core_deps=set(sys.modules)
+core_deps = set(sys.modules)
 
 def fix_path(dep_path):
     import os
     # We DONT want the path on our HOST system
-    pivot='recipe-sysroot-native'
-    dep_path=dep_path[dep_path.find(pivot)+len(pivot):]
+    pivot = 'recipe-sysroot-native'
+    dep_path = dep_path[dep_path.find(pivot)+len(pivot):]
 
     if '/usr/bin' in dep_path:
         dep_path = dep_path.replace('/usr/bin''${bindir}')
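Review bot: In fix_path(), the context line `dep_path.replace('/usr/bin''${bindir}')` has no comma between the two literals, so they concatenate into a single argument and str.replace() raises TypeError whenever '/usr/bin' is in the path. As this hunk already reformats the function, add the comma here. The function-local `import os` is also redundant with the module-level import.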
@@ -46,8 +50,8 @@
 
 # Module to import was passed as an argument
 current_module =  str(sys.argv[1]).rstrip()
-if(debug==True):
-    log = open('log_%s' % current_module,'w')
+if debug == True:
+    log = open('temp/log_%s' % current_module.strip('.*'),'w')
     log.write('Module %s generated the following dependencies:\n' % current_module)
 try:
     m = importlib.import_module(current_module)
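Review bot: `open('temp/log_%s' % current_module.strip('.*'),'w')` assumes a temp/ directory exists in the working directory, and strip('.*') removes any leading or trailing '.' and '*' characters rather than a '.*' suffix, so a name taken from sys.argv[1] that contains '/' still ends up in the path. Create the directory first (os.makedirs with exist_ok=True) and reduce the module name to a safe file name before opening the log.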
@@ -63,13 +67,13 @@
             except:
                 pass # ignore all import or other exceptions raised during import
 except ImportError as e:
-    if (debug==True):
-        log.write('Module was not found')
+    if debug == True:
+        log.write('Module was not found\n')
     pass
 
 
 # Get current module dependencies, dif will contain a list of specific deps for this module
-module_deps=set(sys.modules)
+module_deps = set(sys.modules)
 
 # We handle the core package (1st pass on create_manifest.py) as a special case
 if current_module == 'python-core-package':
@@ -81,14 +85,18 @@
 
 # Check where each dependency came from
 for item in dif:
-    dep_path=''
+    # Main module returns script filename, __main matches mp_main__ as well
+    if 'main__' in item:
+        continue
+
+    dep_path = ''
     try:
-        if (debug==True):
-            log.write('Calling: sys.modules[' + '%s' % item + '].__file__\n')
+        if debug == True:
+            log.write('\nCalling: sys.modules[' + '%s' % item + '].__file__\n')
         dep_path = sys.modules['%s' % item].__file__
     except AttributeError as e:
         # Deals with thread (builtin module) not having __file__ attribute
-        if debug==True:
+        if debug == True:
             log.write(item + ' ')
             log.write(str(e))
             log.write('\n')
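Review bot: `if 'main__' in item` is a substring test, so it skips every module whose name contains 'main__', not only the main-module entries the comment refers to. Compare against the exact names, for example `item in ('__main__', '__mp_main__')`.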
@@ -96,11 +104,16 @@
     except NameError as e:
         # Deals with NameError: name 'dep_path' is not defined
         # because module is not found (wasn't compiled?), e.g. bddsm
-        if (debug==True):
+        if debug == True:
             log.write(item+' ') 
             log.write(str(e))                                              
         pass
 
+    if dep_path == '':
+        continue
+    if debug == True:
+        log.write('Dependency path found:\n%s\n' % dep_path)
+
     # Site-customize is a special case since we (OpenEmbedded) put it there manually
     if 'sitecustomize' in dep_path:
         dep_path = '${libdir}/python${PYTHON_MAJMIN}/sitecustomize.py'
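Review bot: The new guard `if dep_path == '': continue` lets a module whose `__file__` is None through, and the next statement `'sitecustomize' in dep_path` then raises TypeError. Use `if not dep_path: continue` so both the empty string and None are skipped.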
@@ -111,52 +124,51 @@
     dep_path = fix_path(dep_path)
 
     import sysconfig
-    soabi=sysconfig.get_config_var('SOABI')
+    soabi = sysconfig.get_config_var('SOABI')
     # Check if its a shared library and deconstruct it
     if soabi in dep_path:
-        if (debug==True):
-            log.write('Shared library found in %s' % dep_path)
+        if debug == True:
+            log.write('Shared library found in %s\n' % dep_path)
         dep_path = dep_path.replace(soabi,'*')
         print (dep_path)
         continue
     if "_sysconfigdata" in dep_path:
         dep_path = dep_path.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
 
-    if (debug==True):
+    if debug == True:
         log.write(dep_path+'\n')
     # Prints out result, which is what will be used by create_manifest
     print (dep_path)
 
 
-    import imp
-    cpython_tag = imp.get_tag() 
-    cached=''
+    cpython_tag = sys.implementation.cache_tag
+    cached = ''
     # Theres no naive way to find *.pyc files on python3
     try:
-        if (debug==True):
-            log.write('Calling: sys.modules[' + '%s' % item + '].__cached__\n')
+        if debug == True:
+            log.write('\nCalling: sys.modules[' + '%s' % item + '].__cached__\n')
         cached = sys.modules['%s' % item].__cached__
     except AttributeError as e:
         # Deals with thread (builtin module) not having __cached__ attribute
-        if debug==True:
+        if debug == True:
             log.write(item + ' ')
             log.write(str(e))
             log.write('\n')
         pass
     except NameError as e:
         # Deals with NameError: name 'cached' is not defined
-        if (debug==True):
+        if debug == True:
             log.write(item+' ') 
             log.write(str(e))                                              
         pass
     if cached is not None:
-        if (debug==True):
-            log.write(cached)
+        if debug == True:
+            log.write(cached + '\n')
         cached = fix_path(cached)
         cached = cached.replace(cpython_tag,'*')
         if "_sysconfigdata" in cached:
             cached = cached.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
         print (cached)
 
-if debug==True:
+if debug == True:
     log.close()
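Review bot: `cached` is initialised to '' and the guard is still `if cached is not None`, so after an AttributeError the code still runs fix_path() on the empty string and prints an empty line. Mirror the dep_path change earlier in this file and skip when `cached` is empty. Separately, `if debug == True:` reads better as `if debug:` now that every one of these lines is being touched.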
diff --git a/poky/meta/recipes-devtools/python/python3_3.9.2.bb b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
similarity index 98%
rename from poky/meta/recipes-devtools/python/python3_3.9.2.bb
rename to poky/meta/recipes-devtools/python/python3_3.9.4.bb
index fd11723..cb371ce 100644
--- a/poky/meta/recipes-devtools/python/python3_3.9.2.bb
+++ b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
@@ -38,7 +38,7 @@
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "3c2034c54f811448f516668dce09d24008a0716c3a794dd8639b5388cbde247d"
+SRC_URI[sha256sum] = "4b0e6644a76f8df864ae24ac500a51bbf68bd098f6a173e27d3b61cdca9aa134"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -69,7 +69,7 @@
 ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
 
 
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive-native"
 DEPENDS_append_class-target = " python3-native"
 DEPENDS_append_class-nativesdk = " python3-native"
 
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index a625809..8b8cecd 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,32 @@
            file://determinism.patch \
            file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
 	   file://CVE-2021-20203.patch \
+           file://CVE-2020-35517_1.patch \
+           file://CVE-2020-35517_2.patch \
+           file://CVE-2020-35517_3.patch \
+           file://CVE-2021-20181.patch \
+           file://CVE-2020-29443.patch \
+           file://CVE-2021-20221.patch \
+           file://CVE-2021-3409_1.patch \
+           file://CVE-2021-3409_2.patch \
+           file://CVE-2021-3409_3.patch \
+           file://CVE-2021-3409_4.patch \
+           file://CVE-2021-3409_5.patch \
+           file://CVE-2021-3409_6.patch \
+           file://CVE-2021-3416_1.patch \
+           file://CVE-2021-3416_2.patch \
+           file://CVE-2021-3416_3.patch \
+           file://CVE-2021-3416_4.patch \
+           file://CVE-2021-3416_5.patch \
+           file://CVE-2021-3416_6.patch \
+           file://CVE-2021-3416_7.patch \
+           file://CVE-2021-3416_8.patch \
+           file://CVE-2021-3416_9.patch \
+           file://CVE-2021-3416_10.patch \
+           file://CVE-2021-20257.patch \
+           file://CVE-2020-27821.patch \
+           file://CVE-2021-20263.patch \
+           file://CVE-2021-3392.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
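Review bot: The order of the added `SRC_URI` entries is load-bearing but nothing in the block says so. The three CVE-2020-35517 parts each apply on top of the previous one (the blob index lines in the patch files chain 5fb36d9..f14fa51, f14fa51..aa35fc6, aa35fc6ba5a5..147b59338a18), and the numbered CVE-2021-3409 and CVE-2021-3416 parts presumably behave the same way. A short comment above the block asking that numbered parts stay in sequence would keep a later sort or reorder from breaking patch application. The existing `CVE-2021-20203.patch` line is tab-indented while the new lines use spaces; worth normalising while this block is being touched.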
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000..58622f0
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,143 @@
+From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 09:29:56 -0500
+Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
+ MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+    /* MMIO registers can be expected to perform full-width accesses based only
+     * on their address, without considering adjacent registers that could
+     * decode to completely different MemoryRegions.  When such registers
+     * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+     * regions overlap wildly.  For this reason we cannot clamp the accesses
+     * here.
+     *
+     * If the length is small (as is the case for address_space_ldl/stl),
+     * everything works fine.  If the incoming length is large, however,
+     * the caller really has to do the clamping through memory_access_size.
+     */
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section.  This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c       | 10 ++++++++
+ tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3027747c0..2cd1de4a2 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     AddressSpaceDispatch *d;
+     hwaddr l;
+     MemoryRegion *mr;
++    Int128 diff;
+ 
+     assert(len > 0);
+ 
+@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     d = flatview_to_dispatch(cache->fv);
+     cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+ 
++    /*
++     * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++     * Take that into account to compute how many bytes are there between
++     * cache->xlat and the end of the section.
++     */
++    diff = int128_sub(cache->mrs.size,
++		      int128_make64(cache->xlat - cache->mrs.offset_within_region));
++    l = int128_get64(int128_min(diff, int128_make64(l)));
++
+     mr = cache->mrs.mr;
+     memory_region_ref(mr);
+     if (memory_access_is_direct(mr, is_write)) {
+diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
+index 9cb4c42bd..28739248e 100644
+--- a/tests/qtest/fuzz-test.c
++++ b/tests/qtest/fuzz-test.c
+@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
+     qtest_outl(s, 0x5d02, 0xebed205d);
+ }
+ 
++/*
++ * Here a MemoryRegionCache pointed to an MMIO region but had a
++ * larger size than the underlying region.
++ */
++static void test_mmio_oob_from_memory_region_cache(void)
++{
++    QTestState *s;
++
++    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
++		   "-device virtio-scsi,num_queues=8,addr=03.0 ");
++
++    qtest_outl(s, 0xcf8, 0x80001811);
++    qtest_outb(s, 0xcfc, 0x6e);
++    qtest_outl(s, 0xcf8, 0x80001824);
++    qtest_outl(s, 0xcf8, 0x80001813);
++    qtest_outl(s, 0xcfc, 0xa080000);
++    qtest_outl(s, 0xcf8, 0x80001802);
++    qtest_outl(s, 0xcfc, 0x5a175a63);
++    qtest_outb(s, 0x6e08, 0x9e);
++    qtest_writeb(s, 0x9f003, 0xff);
++    qtest_writeb(s, 0x9f004, 0x01);
++    qtest_writeb(s, 0x9e012, 0x0e);
++    qtest_writeb(s, 0x9e01b, 0x0e);
++    qtest_writeb(s, 0x9f006, 0x01);
++    qtest_writeb(s, 0x9f008, 0x01);
++    qtest_writeb(s, 0x9f00a, 0x01);
++    qtest_writeb(s, 0x9f00c, 0x01);
++    qtest_writeb(s, 0x9f00e, 0x01);
++    qtest_writeb(s, 0x9f010, 0x01);
++    qtest_writeb(s, 0x9f012, 0x01);
++    qtest_writeb(s, 0x9f014, 0x01);
++    qtest_writeb(s, 0x9f016, 0x01);
++    qtest_writeb(s, 0x9f018, 0x01);
++    qtest_writeb(s, 0x9f01a, 0x01);
++    qtest_writeb(s, 0x9f01c, 0x01);
++    qtest_writeb(s, 0x9f01e, 0x01);
++    qtest_writeb(s, 0x9f020, 0x01);
++    qtest_writeb(s, 0x9f022, 0x01);
++    qtest_writeb(s, 0x9f024, 0x01);
++    qtest_writeb(s, 0x9f026, 0x01);
++    qtest_writeb(s, 0x9f028, 0x01);
++    qtest_writeb(s, 0x9f02a, 0x01);
++    qtest_writeb(s, 0x9f02c, 0x01);
++    qtest_writeb(s, 0x9f02e, 0x01);
++    qtest_writeb(s, 0x9f030, 0x01);
++    qtest_outb(s, 0x6e10, 0x00);
++    qtest_quit(s);
++}
++
+ int main(int argc, char **argv)
+ {
+     const char *arch = qtest_get_arch();
+@@ -58,6 +107,8 @@ int main(int argc, char **argv)
+                        test_lp1878263_megasas_zero_iov_cnt);
+         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
+                        test_lp1878642_pci_bus_get_irq_level_assert);
++        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
++                       test_mmio_oob_from_memory_region_cache);
+     }
+ 
+     return g_test_run();
+-- 
+2.29.2
+
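Review bot: The header of this backport reads `[PATCH 1/2]`, but qemu.inc adds a single `CVE-2020-27821.patch`, so it is not clear whether part 2/2 of the upstream series is needed for the fix. Please say in the header that 2/2 is unrelated, or add it. In `address_space_cache_init()`, the new clamp subtracts `cache->mrs.offset_within_region` from `cache->xlat` and relies on the comment's statement that `xlat` is relative to `cache->mrs.mr`; an assertion that `xlat` is not below `offset_within_region` would make that precondition explicit. The continuation lines of `int128_sub(...)` and of the `qtest_init(...)` string are tab-indented in otherwise space-indented code.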
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000..c72324f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
+From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Jan 2021 17:21:30 +0530
+Subject: [PATCH] ide: atapi: check logical block address and read size
+ (CVE-2020-29443)
+
+While processing ATAPI cmd_read/cmd_read_cd commands,
+Logical Block Address (LBA) maybe invalid OR closer to the last block,
+leading to an OOB access issues. Add range check to avoid it.
+
+Fixes: CVE-2020-29443
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
+CVE: CVE-2020-29443
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index e79157863..b626199e3 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
+ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->elementary_transfer_size = 0;
+@@ -420,6 +422,8 @@ eot:
+ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->io_buffer_size = 0;
+@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
+ 
+ static void cmd_read(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba;
++    unsigned int nb_sectors, lba;
++
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
+     if (buf[0] == GPCMD_READ_10) {
+         nb_sectors = lduw_be_p(buf + 7);
+     } else {
+         nb_sectors = ldl_be_p(buf + 6);
+     }
+-
+-    lba = ldl_be_p(buf + 2);
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
+ }
+ 
+ static void cmd_read_cd(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba, transfer_request;
++    unsigned int nb_sectors, lba, transfer_request;
+ 
+-    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+-    lba = ldl_be_p(buf + 2);
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
++    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     transfer_request = buf[9] & 0xf8;
+     if (transfer_request == 0x00) {
+         /* nothing */
+-- 
+2.29.2
+
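Review bot: In `cmd_read()` and `cmd_read_cd()`, the new range check `lba + nb_sectors - 1 >= total_sectors` adds two `unsigned int` values before the result is widened for comparison with the `uint64_t total_sectors`, so the sum can wrap in 32 bits when `nb_sectors` comes from the 32-bit field read by `ldl_be_p(buf + 6)`. Doing the arithmetic in 64 bits, for example `(uint64_t)lba + nb_sectors > total_sectors`, keeps the check sound for every encodable request. Separately, the `assert()` added to `ide_atapi_cmd_read_pio()` and `ide_atapi_cmd_read_dma()` turns any caller that skips this validation into a process abort and disappears under NDEBUG, so it should be treated as a debugging aid and not as part of the bounds enforcement.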
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
new file mode 100644
index 0000000..73a4cb2
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
@@ -0,0 +1,153 @@
+From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:06 +0000
+Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open()
+
+Both lo_open() and lo_create() have similar code to open a file. Extract
+a common lo_do_open() function from lo_open() that will be used by
+lo_create() in a later commit.
+
+Since lo_do_open() does not otherwise need fuse_req_t req, convert
+lo_add_fd_mapping() to use struct lo_data *lo instead.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++---------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 5fb36d9..f14fa51 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
+ }
+ 
+ /* Assumes lo->mutex is held */
+-static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
++static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
+ {
+     struct lo_map_elem *elem;
+ 
+-    elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
++    elem = lo_map_alloc_elem(&lo->fd_map);
+     if (!elem) {
+         return -1;
+     }
+ 
+     elem->fd = fd;
+-    return elem - lo_data(req)->fd_map.elems;
++    return elem - lo->fd_map.elems;
+ }
+ 
+ /* Assumes lo->mutex is held */
+@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io,
+     }
+ }
+ 
++static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
++                      struct fuse_file_info *fi)
++{
++    char buf[64];
++    ssize_t fh;
++    int fd;
++
++    update_open_flags(lo->writeback, lo->allow_direct_io, fi);
++
++    sprintf(buf, "%i", inode->fd);
++    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
++    if (fd == -1) {
++        return errno;
++    }
++
++    pthread_mutex_lock(&lo->mutex);
++    fh = lo_add_fd_mapping(lo, fd);
++    pthread_mutex_unlock(&lo->mutex);
++    if (fh == -1) {
++        close(fd);
++        return ENOMEM;
++    }
++
++    fi->fh = fh;
++    if (lo->cache == CACHE_NONE) {
++        fi->direct_io = 1;
++    } else if (lo->cache == CACHE_ALWAYS) {
++        fi->keep_cache = 1;
++    }
++    return 0;
++}
++
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+                       mode_t mode, struct fuse_file_info *fi)
+ {
+@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+         ssize_t fh;
+ 
+         pthread_mutex_lock(&lo->mutex);
+-        fh = lo_add_fd_mapping(req, fd);
++        fh = lo_add_fd_mapping(lo, fd);
+         pthread_mutex_unlock(&lo->mutex);
+         if (fh == -1) {
+             close(fd);
+@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
+ 
+ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ {
+-    int fd;
+-    ssize_t fh;
+-    char buf[64];
+     struct lo_data *lo = lo_data(req);
++    struct lo_inode *inode = lo_inode(req, ino);
++    int err;
+ 
+     fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
+              fi->flags);
+ 
+-    update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+-
+-    sprintf(buf, "%i", lo_fd(req, ino));
+-    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+-    if (fd == -1) {
+-        return (void)fuse_reply_err(req, errno);
+-    }
+-
+-    pthread_mutex_lock(&lo->mutex);
+-    fh = lo_add_fd_mapping(req, fd);
+-    pthread_mutex_unlock(&lo->mutex);
+-    if (fh == -1) {
+-        close(fd);
+-        fuse_reply_err(req, ENOMEM);
++    if (!inode) {
++        fuse_reply_err(req, EBADF);
+         return;
+     }
+ 
+-    fi->fh = fh;
+-    if (lo->cache == CACHE_NONE) {
+-        fi->direct_io = 1;
+-    } else if (lo->cache == CACHE_ALWAYS) {
+-        fi->keep_cache = 1;
++    err = lo_do_open(lo, inode, fi);
++    lo_inode_put(lo, &inode);
++    if (err) {
++        fuse_reply_err(req, err);
++    } else {
++        fuse_reply_open(req, fi);
+     }
+-    fuse_reply_open(req, fi);
+ }
+ 
+ static void lo_release(fuse_req_t req, fuse_ino_t ino,
+-- 
+1.8.3.1
+
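Review bot: This part carries `CVE: CVE-2020-35517` although, by its own description, it only extracts `lo_do_open()` from `lo_open()`; the extracted function still calls `openat()` on `inode->fd` with no file-type check. A line in the header marking it as a prerequisite for CVE-2020-35517_3.patch would stop anyone from treating this part alone as the fix. The trailer block also lists `Signed-off-by: Dr. David Alan Gilbert` twice.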
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
new file mode 100644
index 0000000..bf11bdb
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
@@ -0,0 +1,117 @@
+From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:07 +0000
+Subject: [PATCH] virtiofsd: optionally return inode pointer from
+ lo_do_lookup()
+
+lo_do_lookup() finds an existing inode or allocates a new one. It
+increments nlookup so that the inode stays alive until the client
+releases it.
+
+Existing callers don't need the struct lo_inode so the function doesn't
+return it. Extend the function to optionally return the inode. The next
+commit will need it.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index f14fa51..aa35fc6 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname,
+ }
+ 
+ /*
+- * Increments nlookup and caller must release refcount using
+- * lo_inode_put(&parent).
++ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
++ * called eventually to decrement nlookup again. If inodep is non-NULL, the
++ * inode pointer is stored and the caller must call lo_inode_put().
+  */
+ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+-                        struct fuse_entry_param *e)
++                        struct fuse_entry_param *e,
++                        struct lo_inode **inodep)
+ {
+     int newfd;
+     int res;
+@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+     struct lo_inode *inode = NULL;
+     struct lo_inode *dir = lo_inode(req, parent);
+ 
++    if (inodep) {
++        *inodep = NULL;
++    }
++
+     /*
+      * name_to_handle_at() and open_by_handle_at() can reach here with fuse
+      * mount point in guest, but we don't have its inode info in the
+@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+         pthread_mutex_unlock(&lo->mutex);
+     }
+     e->ino = inode->fuse_ino;
+-    lo_inode_put(lo, &inode);
++
++    /* Transfer ownership of inode pointer to caller or drop it */
++    if (inodep) {
++        *inodep = inode;
++    } else {
++        lo_inode_put(lo, &inode);
++    }
++
+     lo_inode_put(lo, &dir);
+ 
+     fuse_log(FUSE_LOG_DEBUG, "  %lli/%s -> %lli\n", (unsigned long long)parent,
+@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+         return;
+     }
+ 
+-    err = lo_do_lookup(req, parent, name, &e);
++    err = lo_do_lookup(req, parent, name, &e, NULL);
+     if (err) {
+         fuse_reply_err(req, err);
+     } else {
+@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
+         goto out;
+     }
+ 
+-    saverr = lo_do_lookup(req, parent, name, &e);
++    saverr = lo_do_lookup(req, parent, name, &e, NULL);
+     if (saverr) {
+         goto out;
+     }
+@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
+ 
+         if (plus) {
+             if (!is_dot_or_dotdot(name)) {
+-                err = lo_do_lookup(req, ino, name, &e);
++                err = lo_do_lookup(req, ino, name, &e, NULL);
+                 if (err) {
+                     goto error;
+                 }
+@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+         }
+ 
+         fi->fh = fh;
+-        err = lo_do_lookup(req, parent, name, &e);
++        err = lo_do_lookup(req, parent, name, &e, NULL);
+     }
+     if (lo->cache == CACHE_NONE) {
+         fi->direct_io = 1;
+-- 
+1.8.3.1
+
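Review bot: The rewritten comment above `lo_do_lookup()` documents the success case for `inodep` but not that `*inodep` is reset to NULL on failure, which the early `if (inodep) { *inodep = NULL; }` implements. The `lo_create()` rework in part 3 calls `lo_inode_put(lo, &inode)` at `out:` on every path, so that guarantee belongs in the function comment as part of the ownership contract. Every caller touched here passes NULL, so the new transfer branch is not exercised until part 3 is applied; parts 2 and 3 should not be split.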
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
new file mode 100644
index 0000000..f348f3f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
@@ -0,0 +1,303 @@
+From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:08 +0000
+Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
+
+A well-behaved FUSE client does not attempt to open special files with
+FUSE_OPEN because they are handled on the client side (e.g. device nodes
+are handled by client-side device drivers).
+
+The check to prevent virtiofsd from opening special files is missing in
+a few cases, most notably FUSE_OPEN. A malicious client can cause
+virtiofsd to open a device node, potentially allowing the guest to
+escape. This can be exploited by a modified guest device driver. It is
+not exploitable from guest userspace since the guest kernel will handle
+special files inside the guest instead of sending FUSE requests.
+
+This patch fixes this issue by introducing the lo_inode_open() function
+to check the file type before opening it. This is a short-term solution
+because it does not prevent a compromised virtiofsd process from opening
+device nodes on the host.
+
+Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
+| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
+necessary here. If the file exists and the user did not specify O_EXCL,
+open it via lo_do_open().
+
+Reported-by: Alex Xu <alex@alxu.ca>
+Fixes: CVE-2020-35517
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
+ 1 file changed, 92 insertions(+), 52 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index aa35fc6ba5a5..147b59338a18 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
+     return fd;
+ }
+ 
++/*
++ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
++ * regular file or a directory.
++ *
++ * Use this helper function instead of raw openat(2) to prevent security issues
++ * when a malicious client opens special files such as block device nodes.
++ * Symlink inodes are also rejected since symlinks must already have been
++ * traversed on the client side.
++ */
++static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
++                         int open_flags)
++{
++    g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
++    int fd;
++
++    if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
++        return -EBADF;
++    }
++
++    /*
++     * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
++     * that the inode is not a special file but if an external process races
++     * with us then symlinks are traversed here. It is not possible to escape
++     * the shared directory since it is mounted as "/" though.
++     */
++    fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
++    if (fd < 0) {
++        return -errno;
++    }
++    return fd;
++}
++
+ static void lo_init(void *userdata, struct fuse_conn_info *conn)
+ {
+     struct lo_data *lo = (struct lo_data *)userdata;
+@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         if (fi) {
+             truncfd = fd;
+         } else {
+-            sprintf(procname, "%i", ifd);
+-            truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
++            truncfd = lo_inode_open(lo, inode, O_RDWR);
+             if (truncfd < 0) {
++                errno = -truncfd;
+                 goto out_err;
+             }
+         }
+@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+     struct lo_inode *dir = lo_inode(req, parent);
+ 
+     if (inodep) {
+-        *inodep = NULL;
++        *inodep = NULL; /* in case there is an error */
+     }
+ 
+     /*
+@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
+     }
+ }
+ 
++/*
++ * Open a regular file, set up an fd mapping, and fill out the struct
++ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
++ * opening a new one. Takes ownership of existing_fd.
++ *
++ * Returns 0 on success or a positive errno.
++ */
+ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+-                      struct fuse_file_info *fi)
++                      int existing_fd, struct fuse_file_info *fi)
+ {
+-    char buf[64];
+     ssize_t fh;
+-    int fd;
++    int fd = existing_fd;
+ 
+     update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+ 
+-    sprintf(buf, "%i", inode->fd);
+-    fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+-    if (fd == -1) {
+-        return errno;
++    if (fd < 0) {
++        fd = lo_inode_open(lo, inode, fi->flags);
++        if (fd < 0) {
++            return -fd;
++        }
+     }
+ 
+     pthread_mutex_lock(&lo->mutex);
+@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+                       mode_t mode, struct fuse_file_info *fi)
+ {
+-    int fd;
++    int fd = -1;
+     struct lo_data *lo = lo_data(req);
+     struct lo_inode *parent_inode;
++    struct lo_inode *inode = NULL;
+     struct fuse_entry_param e;
+     int err;
+     struct lo_cred old = {};
+@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ 
+     update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+ 
+-    fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
+-                mode);
++    /* Try to create a new file but don't open existing files */
++    fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
+     err = fd == -1 ? errno : 0;
+-    lo_restore_cred(&old);
+ 
+-    if (!err) {
+-        ssize_t fh;
++    lo_restore_cred(&old);
+ 
+-        pthread_mutex_lock(&lo->mutex);
+-        fh = lo_add_fd_mapping(lo, fd);
+-        pthread_mutex_unlock(&lo->mutex);
+-        if (fh == -1) {
+-            close(fd);
+-            err = ENOMEM;
+-            goto out;
+-        }
++    /* Ignore the error if file exists and O_EXCL was not given */
++    if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
++        goto out;
++    }
+ 
+-        fi->fh = fh;
+-        err = lo_do_lookup(req, parent, name, &e, NULL);
++    err = lo_do_lookup(req, parent, name, &e, &inode);
++    if (err) {
++        goto out;
+     }
+-    if (lo->cache == CACHE_NONE) {
+-        fi->direct_io = 1;
+-    } else if (lo->cache == CACHE_ALWAYS) {
+-        fi->keep_cache = 1;
++
++    err = lo_do_open(lo, inode, fd, fi);
++    fd = -1; /* lo_do_open() takes ownership of fd */
++    if (err) {
++        /* Undo lo_do_lookup() nlookup ref */
++        unref_inode_lolocked(lo, inode, 1);
+     }
+ 
+ out:
++    lo_inode_put(lo, &inode);
+     lo_inode_put(lo, &parent_inode);
+ 
+     if (err) {
++        if (fd >= 0) {
++            close(fd);
++        }
++
+         fuse_reply_err(req, err);
+     } else {
+         fuse_reply_create(req, &e, fi);
+@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+                                                       pid_t pid, int *err)
+ {
+     struct lo_inode_plock *plock;
+-    char procname[64];
+     int fd;
+ 
+     plock =
+@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+     }
+ 
+     /* Open another instance of file which can be used for ofd locks. */
+-    sprintf(procname, "%i", inode->fd);
+-
+     /* TODO: What if file is not writable? */
+-    fd = openat(lo->proc_self_fd, procname, O_RDWR);
+-    if (fd == -1) {
+-        *err = errno;
++    fd = lo_inode_open(lo, inode, O_RDWR);
++    if (fd < 0) {
++        *err = -fd;
+         free(plock);
+         return NULL;
+     }
+@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+         return;
+     }
+ 
+-    err = lo_do_open(lo, inode, fi);
++    err = lo_do_open(lo, inode, -1, fi);
+     lo_inode_put(lo, &inode);
+     if (err) {
+         fuse_reply_err(req, err);
+@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
+                      struct fuse_file_info *fi)
+ {
++    struct lo_inode *inode = lo_inode(req, ino);
++    struct lo_data *lo = lo_data(req);
+     int res;
+     int fd;
+-    char *buf;
+ 
+     fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
+              (void *)fi);
+ 
+-    if (!fi) {
+-        struct lo_data *lo = lo_data(req);
+-
+-        res = asprintf(&buf, "%i", lo_fd(req, ino));
+-        if (res == -1) {
+-            return (void)fuse_reply_err(req, errno);
+-        }
++    if (!inode) {
++        fuse_reply_err(req, EBADF);
++        return;
++    }
+ 
+-        fd = openat(lo->proc_self_fd, buf, O_RDWR);
+-        free(buf);
+-        if (fd == -1) {
+-            return (void)fuse_reply_err(req, errno);
++    if (!fi) {
++        fd = lo_inode_open(lo, inode, O_RDWR);
++        if (fd < 0) {
++            res = -fd;
++            goto out;
+         }
+     } else {
+         fd = lo_fi_fd(req, fi);
+     }
+ 
+     if (datasync) {
+-        res = fdatasync(fd);
++        res = fdatasync(fd) == -1 ? errno : 0;
+     } else {
+-        res = fsync(fd);
++        res = fsync(fd) == -1 ? errno : 0;
+     }
+     if (!fi) {
+         close(fd);
+     }
+-    fuse_reply_err(req, res == -1 ? errno : 0);
++out:
++    lo_inode_put(lo, &inode);
++    fuse_reply_err(req, res);
+ }
+ 
+ static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
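Review bot: In `lo_inode_open()`, the type check tests `inode->filetype`, a value stored on the inode, and the in-code comment concedes that an external process can race between that check and the `openat()` through `proc_self_fd`. Calling `fstat()` on the returned descriptor and rejecting anything that is not `S_ISREG` or `S_ISDIR` would at least catch the special-file case after the fact; if that is deliberately left out, the comment should say so. The helper returns a negative errno while `lo_do_open()` returns a positive one, so each call site negates by hand (`errno = -truncfd`, `*err = -fd`, `res = -fd`); a note on the convention next to both functions would help keep future callers from mixing them.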
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000..1b8c77f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+  fid down and cause the reference to be stale. This leads to a
+  use-after-free error that can be detected with ASAN, using a
+  custom 9p client
+- fids are added at the head of the list : restarting from the
+  previous head will always miss fids added by a some other
+  potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+     int err;
+     V9fsState *s = pdu->s;
+-    V9fsFidState *fidp, head_fid;
++    V9fsFidState *fidp;
+ 
+-    head_fid.next = s->fid_list;
++again:
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {
+             continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+              * switched to the worker thread
+              */
+             if (err == 0) {
+-                fidp = &head_fid;
++                goto again;
+             }
+         }
+     }
+-- 
+2.29.2
+
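Review bot: `goto again` in the `err == 0` branch restarts the scan from `s->fid_list` after every reopen that reached the backend, so the loop terminates only if a fid that has just been reopened no longer takes that branch on the next pass, and nothing in these two hunks shows that condition. Please confirm it against the lines between the hunks, and add a short comment at the `again:` label saying why a full restart is required (the commit message explains that fids are added at the head and that the old saved head can be clunked while the coroutine yields), since the label alone does not convey it. The rescan is quadratic in the worst case, which seems acceptable for a minimal fix, as the message itself argues.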
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000..d762a51
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,70 @@
+From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]
+CVE: CVE-2021-20221
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index c60dc6b5e..fbde60de0 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.29.2
+
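Review bot: `irq = value & 0xf;` replaces one magic number with another. The sanitizer output quoted in the message shows the indexed array is `uint8_t [16][8]`, so the mask should be tied to that first dimension through a named constant, or at least carry a comment that SGIINTID is a 4-bit field, so the bound and the mask cannot drift apart later. The `writel 0x8000f00 0xff4affb0` reproducer from the message would also make a cheap qtest regression case if one is not already carried alongside this backport.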
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000..7175b24
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+            if (tp->size + bytes > msh)
+                bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+-- 
+2.29.2
+
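Review bot: the new `if (tp->size >= msh) { goto eop; }` check in the first hunk jumps past `tp->size += split_size` and lands on the EOP test, so a descriptor without `E1000_TXD_CMD_EOP` returns with `tp->size` unchanged and every following descriptor takes the same early exit until one with EOP arrives. That looks like the intended way to stop the loop, but it is silent: a comment above the check stating that `msh - tp->size` would otherwise wrap, and what happens to the partially built packet at `eop:`, would help the next reader. The check sits inside the `do` body, so it is also worth confirming against the full function that `tp->size` cannot be reset below `msh` later in the same iteration in a way that depends on the skipped code.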
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
new file mode 100644
index 0000000..4f9a91f
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
@@ -0,0 +1,214 @@
+From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Wed, 24 Feb 2021 19:56:25 +0000
+Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as
+ needed
+
+On Linux, the 'security.capability' xattr holds a set of
+capabilities that can change when an executable is run, giving
+a limited form of privilege escalation to those programs that
+the writer of the file deemed worthy.
+
+Any write causes the 'security.capability' xattr to be dropped,
+stopping anyone from gaining privilege by modifying a blessed
+file.
+
+Fuse relies on the daemon to do this dropping, and in turn the
+daemon relies on the host kernel to drop the xattr for it.  However,
+with the addition of -o xattrmap, the xattr that the guest
+stores its capabilities in is now not the same as the one that
+the host kernel automatically clears.
+
+Where the mapping changes 'security.capability', explicitly clear
+the remapped name to preserve the same behaviour.
+
+This bug is assigned CVE-2021-20263.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+
+Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846]
+CVE: CVE-2021-20263
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ docs/tools/virtiofsd.rst         |  4 ++
+ tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 1 deletion(-)
+
+diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
+index 866b7db3e..00554c75b 100644
+--- a/docs/tools/virtiofsd.rst
++++ b/docs/tools/virtiofsd.rst
+@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
+ to the matched **key** (or all attributes if **key** is empty).
+ There may be at most one 'map' rule and it must be the last rule in the set.
+ 
++Note: When the 'security.capability' xattr is remapped, the daemon has to do
++extra work to remove it during many operations, which the host kernel normally
++does itself.
++
+ xattr-mapping Examples
+ ----------------------
+ 
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 03c5e0d13..c9197da86 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -160,6 +160,7 @@ struct lo_data {
+     int posix_lock;
+     int xattr;
+     char *xattrmap;
++    char *xattr_security_capability;
+     char *source;
+     char *modcaps;
+     double timeout;
+@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
+ 
+ static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
+                                 uint64_t mnt_id);
++static int xattr_map_client(const struct lo_data *lo, const char *client_name,
++                            char **out_name);
+ 
+ static int is_dot_or_dotdot(const char *name)
+ {
+@@ -365,6 +368,37 @@ out:
+     return ret;
+ }
+ 
++/*
++ * The host kernel normally drops security.capability xattr's on
++ * any write, however if we're remapping xattr names we need to drop
++ * whatever the clients security.capability is actually stored as.
++ */
++static int drop_security_capability(const struct lo_data *lo, int fd)
++{
++    if (!lo->xattr_security_capability) {
++        /* We didn't remap the name, let the host kernel do it */
++        return 0;
++    }
++    if (!fremovexattr(fd, lo->xattr_security_capability)) {
++        /* All good */
++        return 0;
++    }
++
++    switch (errno) {
++    case ENODATA:
++        /* Attribute didn't exist, that's fine */
++        return 0;
++
++    case ENOTSUP:
++        /* FS didn't support attribute anyway, also fine */
++        return 0;
++
++    default:
++        /* Hmm other error */
++        return errno;
++    }
++}
++
+ static void lo_map_init(struct lo_map *map)
+ {
+     map->elems = NULL;
+@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
+         gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
+ 
++        saverr = drop_security_capability(lo, ifd);
++        if (saverr) {
++            goto out_err;
++        }
++
+         res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+         if (res == -1) {
+             goto out_err;
+@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+             }
+         }
+ 
++	saverr = drop_security_capability(lo, truncfd);
++        if (saverr) {
++            if (!fi) {
++                close(truncfd);
++            }
++            goto out_err;
++        }
++
+         res = ftruncate(truncfd, attr->st_size);
+         if (!fi) {
+             saverr = errno;
+@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+         if (fd < 0) {
+             return -fd;
+         }
++        if (fi->flags & (O_TRUNC)) {
++            int err = drop_security_capability(lo, fd);
++            if (err) {
++                close(fd);
++                return err;
++            }
++        }
+     }
+ 
+     pthread_mutex_lock(&lo->mutex);
+@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
+              "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
+              out_buf.buf[0].size, (unsigned long)off);
+ 
++    res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
++    if (res) {
++        fuse_reply_err(req, res);
++        return;
++    }
++
+     /*
+      * If kill_priv is set, drop CAP_FSETID which should lead to kernel
+      * clearing setuid/setgid on file.
+@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo)
+ {
+     const char *map = lo->xattrmap;
+     const char *tmp;
++    int ret;
+ 
+     lo->xattr_map_nentries = 0;
+     while (*map) {
+@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo)
+              * the last entry.
+              */
+             parse_xattrmap_map(lo, map, sep);
+-            return;
++            break;
+         } else {
+             fuse_log(FUSE_LOG_ERR,
+                      "%s: Unexpected type;"
+@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo)
+         fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
+         exit(1);
+     }
++
++    ret = xattr_map_client(lo, "security.capability",
++                           &lo->xattr_security_capability);
++    if (ret) {
++        fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
++                strerror(ret));
++        exit(1);
++    }
++    if (!strcmp(lo->xattr_security_capability, "security.capability")) {
++        /* 1-1 mapping, don't need to do anything */
++        free(lo->xattr_security_capability);
++        lo->xattr_security_capability = NULL;
++    }
+ }
+ 
+ /*
+@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
+ 
+     free(lo->xattrmap);
+     free_xattrmap(lo);
++    free(lo->xattr_security_capability);
+     free(lo->source);
+ }
+ 
+-- 
+2.29.2
+
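Review bot: in `parse_xattrmap()`, `strcmp(lo->xattr_security_capability, "security.capability")` dereferences the output of `xattr_map_client()` with only the return code checked, so it relies on that helper always setting `*out_name` when it returns 0; the helper's body is not part of this patch, so please confirm that or add a NULL check before the compare. Two smaller points: in the truncate hunk of `lo_setattr()`, the line `saverr = drop_security_capability(lo, truncfd);` is indented with a tab while the surrounding lines use spaces, and in `lo_write_buf()` the call runs on every write, which means one `fremovexattr()` per write whenever the name is remapped. The note added to virtiofsd.rst mentions "extra work", but stating there that it applies to each write would set expectations better.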
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000..af94cff
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,89 @@
+From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 19 Apr 2021 15:42:47 +0200
+Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
+ (CVE-2021-3392)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+
+Since s->pending is actually not used, simply remove it from
+MPTSASState.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Message-id: 20210419134247.1467982-1-f4bug@amsat.org
+Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
+Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
+[PMD: Reworded description, added more tags]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+CVE: CVE-2021-3392
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ hw/scsi/mptsas.c | 6 ------
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 7 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e7870614..db3219e7d206 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+ 
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+-    MPTSASState *s = req->dev;
+-
+     if (req->sreq != NULL) {
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+     }
+ 
+     req = g_new0(MPTSASRequest, 1);
+-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+ 
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+ 
+     s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+ 
+-    QTAILQ_INIT(&s->pending);
+-
+     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+ 
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a5fcc7..c046497db719 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+     uint16_t reply_frame_size;
+ 
+     SCSIBus bus;
+-    QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+ 
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
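Review bot: the removed `QTAILQ_INSERT_TAIL(&s->pending, req, next)` and `QTAILQ_REMOVE(&s->pending, req, next)` were the visible users of the `next` link in `MPTSASRequest`, and none of these hunks removes that field. If nothing else references it, it is now dead and should go in the same change so the structure does not suggest a queue that no longer exists. Apart from that the removal is consistent: the insert, the conditional remove, the `QTAILQ_INIT` and the `QTAILQ_HEAD` declaration are all dropped together, and the now unused local `s` in `mptsas_free_request()` is removed as well.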
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
new file mode 100644
index 0000000..f9395ad
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
@@ -0,0 +1,56 @@
+From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Tue, 16 Feb 2021 11:46:52 +0800
+Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
+ sdhci_sdma_transfer_multi_blocks()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+s->prnsts is updated in both branches of the if () else () statement.
+Move the common bits outside so that it is cleaner.
+
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 2f8b74a84..f83c5e295 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+         page_aligned = true;
+     }
+ 
++    s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+     if (s->trnmod & SDHC_TRNS_READ) {
+-        s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
++        s->prnsts |= SDHC_DOING_READ;
+         while (s->blkcnt) {
+             if (s->data_count == 0) {
+                 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+             }
+         }
+     } else {
+-        s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
++        s->prnsts |= SDHC_DOING_WRITE;
+         while (s->blkcnt) {
+             begin = s->data_count;
+             if (((boundary_count + begin) < block_size) && page_aligned) {
+-- 
+2.29.2
+
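Review bot: this patch is tagged `CVE: CVE-2021-3409`, but the hunks only hoist `SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE` out of the two branches, and the upstream message describes it as a cleanup. Please say in the backport header that it is carried as a prerequisite for the later patches of the series (it is numbered 1/6) and is not itself a fix, so that CVE tracking does not count it as one. The refactor itself preserves behaviour: both branches previously set the same two bits, and each still sets its own `SDHC_DOING_READ` or `SDHC_DOING_WRITE`.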
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
new file mode 100644
index 0000000..f3d2bb1
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
@@ -0,0 +1,92 @@
+From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
+ out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+      -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive \
+      -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index f83c5e295..44f8a82ea 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
+     SDRequest request;
+     uint8_t response[16];
+     int rlen;
++    bool timeout = false;
+ 
+     s->errintsts = 0;
+     s->acmd12errsts = 0;
+@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
+             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+                                    s->rspreg[1], s->rspreg[0]);
+         } else {
++            timeout = true;
+             trace_sdhci_error("timeout waiting for command response");
+             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
+ 
+     sdhci_update_irq(s);
+ 
+-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+         s->data_count = 0;
+         sdhci_data_transfer(s);
+     }
+-- 
+2.29.2
+
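Review bot: the guard `if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT))` is only as good as the places that set `timeout`, and the hunks show exactly one, the branch that logs "timeout waiting for command response". Please check the rest of `sdhci_send_command()` for any other path where the command does not complete successfully and make sure it also suppresses the transfer; a name that covers failure in general would make that intent clearer than `timeout`. The qtest sequence quoted in the message is a ready-made regression test and would be worth carrying with the backport.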
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
new file mode 100644
index 0000000..c3b37ed
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
@@ -0,0 +1,109 @@
+From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+       -nodefaults -device sdhci-pci,sd-spec-version=3 \
+       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+       -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 44f8a82ea..d8a46f307 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+     switch (offset & ~0x3) {
+     case SDHC_SYSAD:
+-        s->sdmasysad = (s->sdmasysad & mask) | value;
+-        MASKED_WRITE(s->sdmasysad, mask, value);
+-        /* Writing to last byte of sdmasysad might trigger transfer */
+-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+-            if (s->trnmod & SDHC_TRNS_MULTI) {
+-                sdhci_sdma_transfer_multi_blocks(s);
+-            } else {
+-                sdhci_sdma_transfer_single_block(s);
++        if (!TRANSFERRING_DATA(s->prnsts)) {
++            s->sdmasysad = (s->sdmasysad & mask) | value;
++            MASKED_WRITE(s->sdmasysad, mask, value);
++            /* Writing to last byte of sdmasysad might trigger transfer */
++            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++                if (s->trnmod & SDHC_TRNS_MULTI) {
++                    sdhci_sdma_transfer_multi_blocks(s);
++                } else {
++                    sdhci_sdma_transfer_single_block(s);
++                }
+             }
+         }
+         break;
+-- 
+2.29.2
+
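Review bot: the trigger condition in the `SDHC_SYSAD` case is inverted, not just tightened. The old code started an SDMA transfer only when `TRANSFERRING_DATA(s->prnsts)` was true, and the new code starts one only when it is false, so the transfer functions themselves must now be what sets the in-progress bits. Patch 1/6 shows that for `sdhci_sdma_transfer_multi_blocks()`, but nothing in this series excerpt shows it for `sdhci_sdma_transfer_single_block()`, so please confirm that path. Writes that arrive during a transfer are now dropped silently, which matches the specification text quoted in the message, and a comment in the code citing it would help. The pair `s->sdmasysad = (s->sdmasysad & mask) | value;` followed by `MASKED_WRITE(s->sdmasysad, mask, value);` is carried over unchanged and looks like the same update applied twice.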
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
new file mode 100644
index 0000000..d5be997
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
@@ -0,0 +1,75 @@
+From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
+ ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index d8a46f307..7de03c6dd 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
+ 
+         switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+         case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
++            s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+             if (s->trnmod & SDHC_TRNS_READ) {
++                s->prnsts |= SDHC_DOING_READ;
+                 while (length) {
+                     if (s->data_count == 0) {
+                         sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                 }
+             } else {
++                s->prnsts |= SDHC_DOING_WRITE;
+                 while (length) {
+                     begin = s->data_count;
+                     if ((length + begin) < block_size) {
+-- 
+2.29.2
+
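Review bot: the `CVE:` tag in this patch header names only CVE-2021-3409, while the upstream trailers kept just above it carry `Fixes: CVE-2020-17380` and `Fixes: CVE-2020-25085` as well. If this series is what resolves those two for the recipe, list all three IDs on the `CVE:` line so that the CVE check marks them as patched. If an earlier backport already covers them, say so in the commit message. Separately, in the `SDHC_ADMA_ATTR_ACT_TRAN` case the new `s->prnsts |= ...` lines set `SDHC_DATA_INHIBIT`, `SDHC_DAT_LINE_ACTIVE` and `SDHC_DOING_READ`/`SDHC_DOING_WRITE`, but no matching clear is visible in these hunks. Please confirm that every exit from the descriptor loop, error paths included, clears them, since the `SDHC_BLKSIZE` write path is gated on `TRANSFERRING_DATA(s->prnsts)`.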
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
new file mode 100644
index 0000000..7199056
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
@@ -0,0 +1,56 @@
+From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7de03c6dd..6c780126e 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+-        }
+ 
+-        /* Limit block size to the maximum buffer size */
+-        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+-            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+-                          "the maximum buffer 0x%x\n", __func__, s->blksize,
+-                          s->buf_maxsz);
++            /* Limit block size to the maximum buffer size */
++            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++                              "the maximum buffer 0x%x\n", __func__, s->blksize,
++                              s->buf_maxsz);
+ 
+-            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++            }
+         }
+ 
+         break;
+-- 
+2.29.2
+
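Review bot: the moved `qemu_log_mask()` call still prints the whole of `s->blksize` under "Size 0x%x", while the condition guarding it tests only `extract32(s->blksize, 0, 12)`. Since the block is being re-indented anyway, logging the same 12-bit value that was compared would keep the guest-error message from showing a number that does not match the check. If the backport has to stay byte-identical to upstream, leave it and raise the point upstream instead.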
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
new file mode 100644
index 0000000..624c1f6
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
@@ -0,0 +1,99 @@
+From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
+ when a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 6c780126e..216842420 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
++            uint16_t blksize = s->blksize;
++
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ 
+@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+                 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+             }
++
++            /*
++             * If the block size is programmed to a different value from
++             * the previous one, reset the data pointer of s->fifo_buffer[]
++             * so that s->fifo_buffer[] can be filled in using the new block
++             * size in the next transfer.
++             */
++            if (blksize != s->blksize) {
++                s->data_count = 0;
++            }
+         }
+ 
+         break;
+-- 
+2.29.2
+
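Review bot: the new test `if (blksize != s->blksize)` compares the full saved value, whereas the clamp just above it treats only `extract32(s->blksize, 0, 12)` as the block size, and the added comment speaks of "the block size". Either compare the same 12-bit field on both sides, or add a word to the comment saying that any change to the register, not only to the size field, is meant to reset `s->data_count`. The comparison is correctly placed after the clamp to `s->buf_maxsz`, so a write that is clamped back to the previous size does not reset the pointer. That detail is worth stating in the comment too.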
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000..5bacd67
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h   |  5 +++++
+ include/net/queue.h |  8 ++++++++
+ net/net.c           | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c         | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+                           int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+                                 int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++                                const struct iovec *iov,
++                                int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+                                int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+ 
+ void qemu_del_net_queue(NetQueue *queue);
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+ 
++int qemu_can_receive_packet(NetClientState *nc)
++{
++    if (nc->receive_disabled) {
++        return 0;
++    } else if (nc->info->can_receive &&
++               !nc->info->can_receive(nc)) {
++        return 0;
++    }
++    return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+     int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+         return 1;
+     }
+ 
+-    if (sender->peer->receive_disabled) {
+-        return 0;
+-    } else if (sender->peer->info->can_receive &&
+-               !sender->peer->info->can_receive(sender->peer)) {
+-        return 0;
+-    }
+-    return 1;
++    return qemu_can_receive_packet(sender->peer);
+ }
+ 
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+     return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+ 
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++                                int iovcnt)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+     return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+     return ret;
+ }
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+-- 
+2.29.2
+
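Review bot: the four new prototypes in include/net/net.h and include/net/queue.h have no comment describing their return value, and a return of 0 now has two different causes: `qemu_can_receive_packet()` refused the frame, or `queue->delivering` was already set and the frame was dropped to stop the re-entrant call. Every converted caller in this series discards the result, so a short comment on `qemu_receive_packet()` and `qemu_receive_packet_iov()` stating that 0 means "not delivered, not queued" would tell device authors that a loopback frame can be lost silently. Also note that `qemu_receive_packet()` takes `int size` and hands it to `qemu_net_queue_receive()`, which takes `size_t size`. This mirrors the neighbouring `qemu_send_packet()` signature, but a negative size from a device model would be converted to a very large length, so it is worth confirming that callers cannot pass one.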
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000..7deec1a
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,44 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index ab57c02c8..75f18ae2d 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
+     /* FIXME: Honor TX disable, and allow queueing of packets.  */
+     if (s->phy_control & 0x4000)  {
+         /* This assumes the receive routine doesn't touch the VLANClient.  */
+-        lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     } else {
+         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     }
+-- 
+2.29.2
+
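Review bot: the context comment in `do_tx_packet()`, "This assumes the receive routine doesn't touch the VLANClient.", described the direct `lan9118_receive()` call and is stale once the line below it goes through `qemu_receive_packet()`. The new call can also return 0 without delivering, either when `qemu_can_receive_packet()` says no or when the queue is already delivering, and the result is ignored here, so transmit completes as though the loopback frame had arrived. Update or drop the comment and say in it that a dropped loopback frame is acceptable. Minor: the `Reviewed-by:` trailer in this patch header is missing its closing `>`.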
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000..5e53e20
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+ 
+     NetClientState *nc = qemu_get_queue(s->nic);
+     if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000..3fc469e
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+             s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+             if (nc->info->can_receive(nc)) {
+                 s->loopback_packet = 1;
+-                nc->info->receive(nc, s->tx_buffer, tx_len);
++                qemu_receive_packet(nc, s->tx_buffer, tx_len);
+             }
+         } else {
+             /* Transmit packet */
+-- 
+2.29.2
+
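Review bot: in `dp8393x_do_transmit_packets()` the flag `s->loopback_packet = 1` is still set before the call, but `qemu_receive_packet()` can now return 0 without invoking the device's receive handler (see `qemu_net_queue_receive()` returning early on `queue->delivering`). Nothing visible in this hunk resets the flag in that case, so please confirm it cannot stay set and be applied to the next frame that arrives from the peer. Checking the return value and clearing the flag on 0 would close that gap. The surrounding `if (nc->info->can_receive(nc))` is also repeated inside `qemu_can_receive_packet()` now and could be dropped in a follow-up.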
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
new file mode 100644
index 0000000..e14f377
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
@@ -0,0 +1,43 @@
+From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:00:01 +0800
+Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/msf2-emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
+index 32ba9e841..3e6206044 100644
+--- a/hw/net/msf2-emac.c
++++ b/hw/net/msf2-emac.c
+@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
+          * R_CFG1 bit 0 is set.
+          */
+         if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
+-            nc->info->receive(nc, buf, size);
++            qemu_receive_packet(nc, buf, size);
+         } else {
+             qemu_send_packet(nc, buf, size);
+         }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000..c3f8f97
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,45 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index 33c3722df..3684a4d73 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+     NetClientState *nc = qemu_get_queue(s->nic);
+ 
+     if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000..855c697
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,43 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index da262edc3..1f9aa59ec 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+     NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+     if (pkt->is_loopback) {
+-        nc->info->receive_iov(nc, iov, iov_cnt);
++        qemu_receive_packet_iov(nc, iov, iov_cnt);
+     } else {
+         qemu_sendv_packet(nc, iov, iov_cnt);
+     }
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000..4e1115d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,45 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index ba5ace1ab..d2dd03e6a 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+         }
+ 
+         DPRINTF("+++ transmit loopback mode\n");
+-        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+ 
+         if (iov) {
+             g_free(buf2);
+-- 
+2.29.2
+
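Review bot: the replacement in `rtl8139_transfer_frame()` drops the `do_interrupt` argument that the old `rtl8139_do_receive(..., do_interrupt)` call passed through. The loopback frame now reaches the device via whichever receive callback the NIC registered, so the interrupt behaviour is decided there rather than by this caller. The commit message only mentions reentrancy detection. Please state whether loopback interrupt behaviour is unchanged, and if `do_interrupt` is no longer used by this path, note that so the parameter does not look like an oversight.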
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000..ed71646
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+             if (BCR_SWSTYLE(s) == 1)
+                 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+             s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+-            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++            qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+             s->looptest = 0;
+         } else {
+             if (s->nic) {
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000..39d32b3
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,46 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index 7a534691f..43b760e3f 100644
+--- a/hw/net/cadence_gem.c
++++ b/hw/net/cadence_gem.c
+@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
+                 /* Send the packet somewhere */
+                 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+                                     GEM_NWCTRL_LOCALLOOP)) {
+-                    gem_receive(qemu_get_queue(s->nic), s->tx_packet,
+-                                total_bytes);
++                    qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
++                                        total_bytes);
+                 } else {
+                     qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
+                                      total_bytes);
+-- 
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
index 38d7552..d8fcc16 100644
--- a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
+++ b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
@@ -1,4 +1,4 @@
-From 9bbe3f8564705aafcdcc5f2f033f9241a97f47c6 Mon Sep 17 00:00:00 2001
+From 7b2dd83d8fcd06af8e583b53da79ed0033793d46 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 27 Feb 2017 09:43:30 +0200
 Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for
@@ -14,7 +14,7 @@
  3 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 6c78568e4..76b1d40e4 100644
+index fe35a90fa..b2faec6f3 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -966,7 +966,7 @@ else
@@ -40,7 +40,7 @@
  %_infodir		%{_datadir}/info
  %_mandir		%{_datadir}/man
 diff --git a/rpm.am b/rpm.am
-index cd40a16be..e6941e09f 100644
+index 8e1dc2184..3d889ec86 100644
 --- a/rpm.am
 +++ b/rpm.am
 @@ -1,10 +1,10 @@
@@ -55,4 +55,4 @@
 +rpmconfigdir = $(libdir)/rpm
  
  # Libtool version (current-revision-age) for all our libraries
- rpm_version_info = 10:2:1
+ rpm_version_info = 10:3:1
diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
similarity index 98%
rename from poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb
rename to poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
index d369c70..7c03b41 100644
--- a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb
+++ b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -43,7 +43,7 @@
            "
 
 PE = "1"
-SRCREV = "278883a704ea36c97974d0f2d65d41abe78b0e2a"
+SRCREV = "3659b8a04f5b8bacf6535e0124e7fe23f15286bd"
 
 S = "${WORKDIR}/git"
 
diff --git a/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000..2d51ddf
--- /dev/null
+++ b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
+-- 
+2.17.1
+
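Review bot: on the changed `exec $RSYNC_SSL_OPENSSL s_client ...` line, `-verify_hostname $hostname` only protects the connection if a failed check aborts the handshake, and `s_client` continues past verification errors unless `-verify_return_error` is given. That flag is not on the visible line, which carries `-quiet -verify_quiet`, so please confirm that `$caopt` supplies it. Otherwise a certificate issued for a different name is still accepted. While touching this line, quoting `"$hostname"` in the `-servername`, `-verify_hostname` and `-connect` arguments would avoid word splitting on unexpected input. The gnutls branch is unchanged by this hunk, so it is worth stating in the commit message whether it already performs the hostname check.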
diff --git a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 8b36a8e..cb18667 100644
--- a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -14,6 +14,7 @@
            file://rsyncd.conf \
            file://makefile-no-rebuild.patch \
            file://determism.patch \
+           file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
            "
 
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
similarity index 96%
rename from poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb
rename to poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
index 28e12c3..944cb81 100644
--- a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb
+++ b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
@@ -8,7 +8,7 @@
            file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
            "
 
-SRC_URI[sha256sum] = "a13ed141a1c18eb967aac1e33f4d6ad5f21be1ac543c344e0d6feeee54af8e28"
+SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"