Commit Graph

61777 Commits

Author SHA1 Message Date
Bruce Ashfield
d92c472d99 linux-yocto/5.10: update to v5.10.35
Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

    f53a3a480862 Linux 5.10.35
    94c76056fc3f vfio: Depend on MMU
    4348d3b5027b perf/core: Fix unconditional security_locked_down() call
    399f9c18473c platform/x86: thinkpad_acpi: Correct thermal sensor allocation
    ac2cd82c7609 USB: Add reset-resume quirk for WD19's Realtek Hub
    d844aaa49ac8 USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet
    59b3f88386b5 ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX
    27c1936af506 ovl: allow upperdir inside lowerdir
    71d58457a8af ovl: fix leaked dentry
    2fa0387fa2d0 nvme-pci: set min_align_mask
    f8e71c667ee1 swiotlb: respect min_align_mask
    85a5a6875ca9 swiotlb: don't modify orig_addr in swiotlb_tbl_sync_single
    25ed8827cfbf swiotlb: refactor swiotlb_tbl_map_single
    9efd5df078a7 swiotlb: clean up swiotlb_tbl_unmap_single
    1f2ef5a0f771 swiotlb: factor out a nr_slots helper
    1bbcc985d195 swiotlb: factor out an io_tlb_offset helper
    22163a8ec863 swiotlb: add a IO_TLB_SIZE define
    2e8b3b0b8e2d driver core: add a min_align_mask field to struct device_dma_parameters
    6995512a472f tools/cgroup/slabinfo.py: updated to work on current kernel
    a7c37332afa8 perf ftrace: Fix access to pid in array when setting a pid filter
    fb4c1c2e9fd1 capabilities: require CAP_SETFCAP to map uid 0
    b571a6302a64 perf data: Fix error return code in perf_data__create_dir()
    48ec949ac979 net: qrtr: Avoid potential use after free in MHI send
    2fa15d61e4cb bpf: Fix leakage of uninitialized bpf stack under speculation
    2cfa537674cd bpf: Fix masking negation logic upon negative dst register
    a41c193d004e igb: Enable RSS for Intel I211 Ethernet Controller
    2e68890993d0 net: usb: ax88179_178a: initialize local variables before use
    d3598eb3915c netfilter: conntrack: Make global sysctls readonly in non-init netns
    c239bfc2e4ac mips: Do not include hi and lo in clobber list for R6

(From OE-Core rev: 28410e7d84f71feb64d82461bf04364cb226eb4a)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 767e6755740204981e5789b7a3066eac855605e8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-20 09:43:39 +01:00
Joshua Watt
953031000a classes/reproducible_build: Use atomic rename for SDE file
If an existing source date epoch file was found during do_unpack, it was
deleted and a new one would be written in its place. This causes a race
with check-before-use code in get_source_date_epoch_value. Resolve the
problem by making do_unpack write the new source date epoch to a
temporary file, then do an atomic rename to ensure it's always present,
and change the check-before-use code to use an EAFP exception instead of
checking for file existence.

[YOCTO #14384]

(From OE-Core rev: 8b2fd4e5e0841b81b4f709b061b655e2266dd4da)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b5e3b33187bf78a2d62cc886463e4b27d6bd228)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-20 09:43:39 +01:00
Tony Tascioglu
bc5e349c15 valgrind: Improve non-deterministic ptest reliability
Several of the valgrind tests (particularly helgrind) are unreliable and
can fail with a different output.

Particularly, there is a higher chance of failure on QEMU instances with
SMP enabled and on systems with more interrupts such as laptops on powersave.

The tests have been reported upstream as being unreliable dating back
over 5 years, due in part to the ordering of threads during
an "unwinding" process in helgrind.
https://bugs.kde.org/show_bug.cgi?id=345121
https://bugs.kde.org/show_bug.cgi?id=430321

A workaround to improve the reliability of such tests is to force them
to run on a single CPU core using taskset. This greatly reduces the
chance of a failure.

From my testing, I have found it can help reduce the rate of failures
on both a laptop and QEMU by over 5x. Stress-testing in QEMU for several
hours did not result in a failure while running the test normally did.

The flaky or undeterministic thread-based tests are defined in the
taskset_nondeterministic_tests file. These test cases will be run with
taskset 0x00000001 to run on a single CPU core rather than the regular
test.

The edited run-ptest executes the flaky tests first, then ignores them
to not duplicate the results from the main tests. Everything modified is
restored when testing is complete.

The drawback is that this isn't a foolproof solution. It helps the tests
fail much less frequently, and considering how this issue has been documented
for a long time, a workaround such as this is needed.

(From OE-Core rev: 79ec1d73a107277586d3d8e9c0d46dfc0ac2b0d8)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b318944dd72ca7b0408e955f3599381ab3ac3ba8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-20 09:43:39 +01:00
Kai Kang
8f62932623 valgrind: fix a typo
(From OE-Core rev: d68c62bb93ab400878aecc42ee06df103356a2bf)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0478d9b04d6a6d10e439116b23b641a1e2553e26)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-20 09:43:39 +01:00
Trevor Gamblin
196a72ed69 python3: upgrade 3.9.4 -> 3.9.5
Version 3.9.5 includes a fix for CVE-2021-29921.

(From OE-Core rev: e40120185659e48f73e1aef029b699e2207e30de)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be23351f97c1a7362c0ddd240a6de0cddfca1b01)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-20 09:43:39 +01:00
Richard Purdie
9df1d44de5 oeqa/runtime/rpm: Drop log message counting test component
This test is flawed since multiple parts of the system can write to the log
and we obtain different numbers of log messages depending on factors we
can't control.

Drop the log testing component of the test.

[YOCTO #12465]

(From OE-Core rev: 6ca1047e98a1c8bc305a3f40ad1919c5038e1698)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Ross Burton
38f227e7ad package_rpm: pass XZ_THREADS to rpm
By default RPM uses the number of cores as the number of threads to use,
which can result in quite antisocial memory usage.

As we control the macros for compression anyway, we can pass XZ_THREADS
to limit the number of threads if needed.

(From OE-Core rev: 959e1faa911ee67d5d84a57b932135b76cac6a53)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Changqing Li
21343a22c4 pkgconfig: update SRC_URI
The git repo for pkg-config was changed, so update the
SRC_URI accordingly with the new link.

(From OE-Core rev: 07f223048a5b8ac3cb828a68b6069825c8d656ae)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Nikolay Papenkov
ddc8880025 flex: correct license information
License-Update: Corrected license information

flex package is under two licenses:
- "BSD-3-Clause" is provided in top-level COPYING file; the license
  actually includes the third obligation (without the actual "3" numbering)
- "LGPL-2.0+" is explained by src/gettext.h

(From OE-Core rev: f5c5763ae530f6c6b53d0ab510b62b9ae77a5f81)

Signed-off-by: Dmitry Kisil <d.kisil@inango-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Steve Sakoman
b3c28f8605 expat: set CVE_PRODUCT
Upstream database uses both "expat" and "libexpat" to report CVEs

(From OE-Core rev: 30357a56df82d3ea11f7288a8c02dd2d201b498a)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Trevor Gamblin
2c68c48a02 curl: fix CVE-2021-22876
Backport and modify the patch for CVE-2021-22876 from curl 7.76 to
make it apply cleanly on 7.75.

CVE: CVE-2021-22876

(From OE-Core rev: 7c39b71b78ffc64a456872769b341cfc662e747d)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Trevor Gamblin
f7240cf6b2 curl: fix CVE-2021-22890
Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
it apply cleanly on 7.75.

CVE: CVE-2021-22890

(From OE-Core rev: b11dc35cce0449623182ecf044c4a49664119b9c)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Sakib Sajal
8a1a3ab0e8 qemu: Exclude CVE-2020-3550[4/5/6] from cve-check
CVEs affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
On Sparc32 it is the NCR89C100 part of the chip.
On Macintosh Quadra it is NCR53C96.
Both are not supported by yocto.

(From OE-Core rev: e3ded54f9fd089382e6304604ca02d2305f16f21)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Trevor Gamblin
f48bce375f bind: upgrade 9.16.15 -> 9.16.16
(From OE-Core rev: 5e1a46f08284e0c54f42f999e3a1c0a403943810)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Richard Purdie
e6dc3fae8a bind: upgrade 9.16.13 -> 9.16.15
(From OE-Core rev: bceca3c36eade64c87a88d70eecd45ae1cb5aae9)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Alexander Kanavin
756a5e3d99 bind: upgrade 9.16.12 -> 9.16.13
(From OE-Core rev: 342cdbc0671cbf8a41984784db7d986086b64977)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Richard Purdie
b3f59a5592 xinetd: Exclude CVE-2013-4342 from cve-check
We use the SUSE mirror of xinetd. The CVE fix was added to the main repo
after the latest release but is included in the version from the SUSE repo.

(From OE-Core rev: 14477263562fe683f914ae640e0ff30a4d54977a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:31:02 +01:00
Richard Purdie
f8298d4014 cve-extra-exclusions.inc: add exclusion list for intractable CVE's
The preferred methods for CVE resolution are:

1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
   does not apply to our environment

In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vague
with no specific action the project can take too.

This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.

Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.

(From OE-Core rev: 4a70af7b89d2ddff341b724a97cb96987874a3b0)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Richard Purdie
b539668df9 grub: Exclude CVE-2019-14865 from cve-check
The CVE only applies to RHEL.

(From OE-Core rev: a1130182a086eebeff5dfc5bebc708a3191fb5be)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Richard Purdie
ab2c33bd30 grub2: Add CVE whitelist entries for issues fixed in 2.06
We're using a pre-release version of 2.06 so these issues are fixed but
continue to show up in the checks since it is pre-2.06 and the CPE
entries are "before but excluding 2.06".

Adding these will clean up CVE reports until the 2.06 release comes out.

(From OE-Core rev: 07451418e8ffef608e05b981bf7516bef5450d49)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Daniel McGregor
ceae5f22c9 lib/oe/gpg_sign.py: Fix gpg verification
A stray space made it into the command for verifying gpg signatures.
This caused verification to fail, at least on my host. Removing the
space makes it work as expected.

(From OE-Core rev: 4acd52e2111cbe783201dec42df027945dad62ee)

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Daniel McGregor
bf706462a0 sstate: Ignore sstate signing key
What key is used to sign sstate artefacts should not affect the hash of
the object, otherwise everyone would need to use the same signing key.

(From OE-Core rev: 01a9358abe821c1da06c3243ccbcc93348042937)

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Stefan Ghinea
d46686394f boost: fix do_fetch failure
Bintray service has been discontinued causing boost do_fetch to fail:
WARNING: boost-1.76.0-r0 do_fetch: Failed to fetch URL
https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.bz2,
attempting MIRRORS if available

RP: Backport to 1.75.0
(From OE-Core rev: 146f04f9d38f781767a52884f4870570c0d817e0)

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Alejandro Hernandez Samaniego
e9f9ca2da7 baremetal-image: Fix post process command rootfs_update_timestamp
When running:

execute_pre_post_process(d, d.getVar(ROOTFS_POSTPROCESS_COMMAND))

rootfs_update_timestamp is run, which assumes that rootfs/${sysconfdir}
is already created (usually done through the do_rootfs task on linux).

This causes the build to fail if ${sysconfdir} does not exist.

This may be overlooked if debug-tweaks is enabled since some other
commands are added, one of which creates the required path
(see postinst_enable_logging).

See [1] for more info:

[1] https://github.com/aehs29/meta-freertos/issues/4

(From OE-Core rev: 179a912bf10ba02448e8d603043c454ca678ac60)

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Richard Purdie
995cc2e391 ltp: Disable problematic tests causing autobuilder hangs
We've seen three hangs in cgroup_xattr and two in proc01 so far. The new
plan is just to disable any tests seen to hang. I've had enough of these
causing problems on our testing infrastructure.

(From OE-Core rev: 622b1a409aaa8fd895821a53ee5db33206b98825)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Tony Tascioglu
bc872bd779 libxml2: Fix CVE-2021-3541
Upstream commit:
This is related to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.

CVE: CVE-2021-3541
Upstream-Status: Backport [8598060bac]

(From OE-Core rev: e1e04de65e24d1596d800d7f8e85f98bb7f72632)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Tony Tascioglu
ad30955575 libxml2: Fix CVE-2021-3518
This patch fixes CVE-2021-3518. The fix for the CVE is the
following 3 lines in 1098c30a:

   -                   (cur->children->type != XML_ENTITY_DECL) &&
   -                   (cur->children->type != XML_XINCLUDE_START) &&
   -                   (cur->children->type != XML_XINCLUDE_END)) {
   +                   ((cur->type == XML_DOCUMENT_NODE) ||
   +                    (cur->type == XML_ELEMENT_NODE))) {
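Review bot: the quoted fragment starts mid-condition, so these lines do not show the leading terms of the `if` or whether `cur->children` is still tested before use; quoting the opening line of the condition would make the fix self-explanatory. The added lines test `cur->type` against `XML_DOCUMENT_NODE` and `XML_ELEMENT_NODE` where the removed lines tested `cur->children->type`, and a sentence saying why the allow-list on the parent node replaces the deny-list on the child would help anyone auditing the backport.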

This relies on an updated version of xinclude.c from upstream which
also adds several new tests. Those changes are brought in first so
that the CVE patch can be applied cleanly.

The first patch updates xinclude.c and adds the new tests from
upstream, and the second applies the fix for the CVE.

CVE: CVE-2021-3518
Upstream-Status: Backport
[1098c30a04]

(From OE-Core rev: 6c59d33ee158129d5c0cca3cce65824f9bc4e7e3)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-30 08:19:35 +01:00
Tony Tascioglu
fd33741e27 libxml2: fix CVE-2021-3537
Parsing specially crafted Mixed Content while parsing XML data may
lead to invalid data structure being created, as errors were not
propagated. This could lead to several NULL Pointer Dereference when
post-validating documents parsed in recovery mode.

CVE: CVE-2021-3537
Upstream-Status: Backport [babe75030c]

(From OE-Core rev: 6d69f7453f78dcb19f472dcea183e859648c5243)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Tony Tascioglu
cb3bc91a03 libxml2: fix CVE-2021-3516
Fixes use-after-free in xmlEncodeEntitiesInternal() in entities.c

CVE: CVE-2021-3516
Upstream-Status: Backport [1358d157d0]

(From OE-Core rev: 490cddd7baf1aacb814128b611aabf82fda3e77b)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Tony Tascioglu
bbc1b0ebf7 libxml2: fix CVE-2021-3517
Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c

CVE: CVE-2021-3517
Upstream-status: Backport [bf22713507]

(From OE-Core rev: 16ad173ba0e8f88b23c62aa8357b8afca36c2161)

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Bastian Krause
70ef9ded89 ccache: add packageconfig docs option
Before, ccache's configure stage built HTML documentation and man pages
depending on if asciidoc is installed. This patch makes it configurable.

Pass the new cmake option ENABLE_DOCUMENTATION along and add the
asciidoc dependency if necessary.

This fixes an issue when ccache's configure stage found asciidoc/a2x on
the system outside of the sysroot (e.g. installed via 'apt install
asciidoc'). ccache would then decide to build docs and manual pages, but
would fail during compilation: the system's a2x could not find the
system's asciidoc because it did not reside in the set PATH.

By enabling/disabling docs/man page generation explicitly and adding
asciidoc to DEPENDS as necessary, this is no longer an issue.

[ This corresponds to commit b0aedd74 and parts of commit 1eedc5f8,
  with the patch replaced by the upstream version. ]

(From OE-Core rev: 3ca3c890834152597d8440b77e3d2767ca72c7a6)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Richard Purdie
1170b40cd2 sstate: Handle manifest 'corruption' issue
Under certain build patterns, warnings about missing manifests can appear. These
are real issues where the manifest was removed and shouldn't have been.

Martin Jansa was able to find a reproducer of:

MACHINE=qemux86 bitbake zlib-native
echo 'PR = "r1"' >> meta/recipes-core/zlib/zlib_1.2.11.bb
MACHINE=qemux86-64 bitbake zlib-native
MACHINE=qemux86 bitbake zlib-native
<the zlib-native manifest is now removed along with the sysroot-components contents>

The code maintains a per machine list of stamps but a per PACKAGE_ARCH list of
stamp/manifest/workdir mappings. The latter is only appended to for speed with
the assumption that once stamps are gone, the code wouldn't trigger.

The code only ever appends to the mapping list (for speed/efficiency under lock)
meaning that multiple entries can result where the stamp/workdir differs due to
version changes but the manifest remains the same.

By switching MACHINE part way through the build, the older stamp is referenced
and the manifest is incorrectly removed as it matches a now obsolete entry in
the mapping file.

There are two possible fixes, one is to rewrite the mapping file every time
which means adding regexs, iterating and generally complicating that code. The
second option is to only use the last mapping entry in the file for a given
manifest and ignore any earlier ones. This patch implements the latter.

Also drop the stale entries if we are rewriting it.

(From OE-Core rev: fe468802f697d0be41cf3407df2460e1473e35f8)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Ross Burton
8bdf443bbb cups: whitelist CVE-2021-25317
This CVE relates to bad ownership of /var/log/cups, which we don't have.

(From OE-Core rev: 60bca0789b9830fa27694c5d65042d1206a07fe2)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Richard Purdie
ed3924ef84 glibc: Add 8GB VM usage cap for usermode test suite
We've noticed that:

MACHINE=qemuarm oe-selftest -r glibc.GlibcSelfTest.test_glibc

ends up with one process growing to about the size of system memory
and triggering the OOM killer. This has been taking out other builds
running on the system on the autobuilders and is one cause of our
intermittent failures.

This was tracked down to:

WORKDIR=XXX/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/glibc-testsuite/2.33-r0
BUILDDIR=$WORKDIR/build-arm-poky-linux-gnueabi QEMU_SYSROOT=$WORKDIR/recipe-sysroot
QEMU_OPTIONS="$WORKDIR/recipe-sysroot-native/usr/bin/qemu-arm -r 3.2.0" \
$WORKDIR/check-test-wrapper user env GCONV_PATH=$BUILDDIR/iconvdata LOCPATH=$BUILDDIR/localedata LC_ALL=C $BUILDDIR/elf/ld-linux-armhf.so.3 \
    --library-path $BUILDDIR:$BUILDDIR/math:$BUILDDIR/elf:$BUILDDIR/dlfcn:$BUILDDIR/nss:$BUILDDIR/nis:$BUILDDIR/rt:$BUILDDIR/resolv:$BUILDDIR/mathvec:$BUILDDIR/support:$BUILDDIR/nptl \
    $BUILDDIR/nptl/tst-pthread-timedlock-lockloop

although other glibc tests appear to use 16GB of memory before failing
anyway. By capping the VM size to 8GB, we see the same number of failures
but no OOM situations. There may be some issue in qemu or the test which
could be improved to avoid this entirely but this provides a necessary
and useful safeguard to other builds and doesn't appear to make the
situation worse.

On a loaded system OOM may not occur as the test timeout may be triggered
first. An experiment with a 5GB limit showed an additional 7 failures.

(From OE-Core rev: 0dfbc94bb61095138c3d3ff026b2981f0061c1ca)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Michael Halstead
225a30f8d2 uninative: Upgrade to 3.2 (gcc11 support)
This upgrade builds uninative with gcc11 allowing it to work with newer distros
using gcc 11.

(From OE-Core rev: 700c00265f5b85e876b632df787a2e3121aee3a6)

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:03:10 +01:00
Robert P. J. Day
d06a69b869 meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring"
(From OE-Core rev: 499a40c8378144b86026177523373786c701b482)

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Robert P. J. Day
b8d87e1f00 image.bbclass: fix comment "pacackages" -> "packages"
(From OE-Core rev: 114bdccb2723f1479e68e9a0da39c87ef9c51be1)

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
54d253076c avahi: Exclude CVE-2021-26720 from cve-check
Issue only affects Debian and SUSE.

(From OE-Core rev: 37ff24c9ba0634e7b69dd9c2219b8fd8b2315de6)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
15d6ad988b librsvg: Exclude CVE-2018-1000041 from cve-check
Issue only affects windows.

(From OE-Core rev: eee05da7eb054f474d24e66799b98e288a2a85fe)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
074d7736e8 coreutils: Exclude CVE-2016-2781 from cve-check
http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842

"Given runcon is not really a sandbox command, the advice is to use
`runcon ... setsid ...` to avoid this particular issue."

(From OE-Core rev: c5d07dcba0762ccc000f8466b710a8ed8b7aa356)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
b1bdeda784 tiff: Exclude CVE-2015-7313 from cve-check
Some fix upstream addresses the issue, it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.

(From OE-Core rev: 65124cac1ac1d0b746eacfe128da19c353f07eb0)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
6f647a9e06 bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
These CVEs are fixed with kernel changes and don't affect the bluez recipe.

(From OE-Core rev: 21b6975cc6c785aa3bf7f7d4ea2400e11f1800bd)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
14a4513aff ghostscript: Exclude CVE-2013-6629 from cve-check
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.

(From OE-Core rev: e19caff111bcbd70e5e7507388a4aaea2d10f7e0)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
05a498a993 cpio: Exclude CVE-2010-4226 from cve-check
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.

(From OE-Core rev: a175059e678bf9a5e843d00ac1bbf65b49f97f32)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
e6c8fcc1c0 unzip: Exclude CVE-2008-0888 from cve-check
The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.

(From OE-Core rev: f816be9387d4691dbacd17673749809fe125d35c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:03 +01:00
Richard Purdie
03b6c50c3d openssh: Exclude CVE-2008-3844 from cve-check
CVE only applies to some distributed RHEL binaries so irrelevant to us.

(From OE-Core rev: 416230b7236c391e89d0d7941b2d34b6234f993c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:02 +01:00
Richard Purdie
a82e96f87e openssh: Exclude CVE-2007-2768 from cve-check
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.

(From OE-Core rev: a7aba0f1226411f44f316cdced6b2b47621d1d3f)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:02 +01:00
Richard Purdie
96b3e8b259 logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check
These CVEs apply to the way logrotate was installed on Gentoo, Debian
and SUSE, exclude from cve-check as they don't apply to OE.

(From OE-Core rev: 55b53c501e911df04bdff6fca54b11c3e54770c9)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:02 +01:00
Richard Purdie
a6f2df83b9 jquery: Exclude CVE-2007-2379 from cve-check
The CVE is non-specific and depends on the users of jquery, doesn't
make sense to have this flagged against jquery as there is nothing we can
do about it.

(From OE-Core rev: 6f422e966fdc1e62ff0e48d3382ec246ff8bd998)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:02 +01:00
Richard Purdie
0501beda3d qemu: Exclude CVE-2018-18438 from cve-check
The issues were investigated and found not to be an issue therefore
exclude from checks.

(From OE-Core rev: 7c7c3f3dd3bf7dc34f26d931acf562e93c45e807)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-22 10:01:02 +01:00