From 2bf388381ae3de76db288a859040c1130786d41b Mon Sep 17 00:00:00 2001 From: Zahir Hussain Date: Tue, 26 May 2026 12:17:23 +0530 Subject: [PATCH 01/96] libpng: Fix CVE-2026-33416 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backport fixes for CVE-2026-33416 Backport patches from security debian tracker [1] also mentioned at NVD Report [2] [1] https://security-tracker.debian.org/tracker/CVE-2026-33416 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-33416 Add below patches to fix the CVE: CVE-2026-33416-01.patch CVE-2026-33416-02.patch CVE-2026-33416-03.patch CVE-2026-33416-04.patch Signed-off-by: Sourav Kumar Pramanik Signed-off-by: Zahir Hussain Signed-off-by: Jérémy Rosen Signed-off-by: Jeremy Rosen --- .../libpng/files/CVE-2026-33416-01.patch | 143 +++++++++++++++ .../libpng/files/CVE-2026-33416-02.patch | 53 ++++++ .../libpng/files/CVE-2026-33416-03.patch | 163 ++++++++++++++++++ .../libpng/files/CVE-2026-33416-04.patch | 53 ++++++ .../libpng/libpng_1.6.42.bb | 4 + 5 files changed, 416 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch new file mode 100644 index 000000000000..a60a8d6b5b47 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch @@ -0,0 +1,143 @@ +From 23019269764e35ed8458e517f1897bd3c54820eb Mon Sep 17 00:00:00 2001 +From: Oblivionsage +Date: Sun, 15 Mar 2026 10:35:29 +0100 +Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->trans_alpha` + +The function `png_set_tRNS` sets `png_ptr->trans_alpha` to point at +`info_ptr->trans_alpha` directly, so both structs share the same heap +buffer. If the application calls `png_free_data(PNG_FREE_TRNS)`, or if +`png_set_tRNS` is called a second time, the buffer is freed through +`info_ptr` while `png_ptr` still holds a dangling reference. Any +subsequent row read that hits the function `png_do_expand_palette` will +dereference freed memory. + +The fix gives `png_struct` its own allocation instead of aliasing the +`info_ptr` pointer. This was already flagged with a TODO in +`png_handle_tRNS` ("horrible side effect ... Fix this.") but it was +never addressed. + +Verified with AddressSanitizer. All 34 existing tests pass without +regressions. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb] +Comment: Refreshed hunk to match latest scarthgap + +Reviewed-by: Cosmin Truta +Signed-off-by: Cosmin Truta +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngread.c | 11 +++++------ + pngrutil.c | 4 ---- + pngset.c | 31 +++++++++++++++++++------------ + pngwrite.c | 6 ++++++ + 4 files changed, 30 insertions(+), 22 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 01b731d8eb..0086edf6cf 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -968,12 +968,11 @@ png_read_destroy(png_structrp png_ptr) + + #if defined(PNG_tRNS_SUPPORTED) || \ + defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) +- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0) +- { +- png_free(png_ptr, png_ptr->trans_alpha); +- png_ptr->trans_alpha = NULL; +- } +- png_ptr->free_me &= ~PNG_FREE_TRNS; ++ /* png_ptr->trans_alpha is always independently allocated (not aliased ++ * with info_ptr->trans_alpha), so free it unconditionally. ++ */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; + #endif + + inflateEnd(&png_ptr->zstream); +diff --git a/pngrutil.c b/pngrutil.c +index 366379b991..a19507bf1b 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, pn + return; + } + +- /* TODO: this is a horrible side effect in the palette case because the +- * png_struct ends up with a pointer to the tRNS buffer owned by the +- * png_info. Fix this. +- */ + png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, + &(png_ptr->trans_color)); + } +diff --git a/pngset.c b/pngset.c +index 4b78b8960c..47883684e4 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -990,28 +990,36 @@ png_set_tRNS(png_structrp png_ptr, png_i + + if (trans_alpha != NULL) + { +- /* It may not actually be necessary to set png_ptr->trans_alpha here; +- * we do it for backward compatibility with the way the png_handle_tRNS +- * function used to do the allocation. +- * +- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively +- * relies on png_set_tRNS storing the information in png_struct +- * (otherwise it won't be there for the code in pngrtran.c). +- */ +- + png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); + + if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) + { +- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ ++ /* Allocate info_ptr's copy of the transparency data. */ + info_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); + memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); +- + info_ptr->free_me |= PNG_FREE_TRNS; + info_ptr->valid |= PNG_INFO_tRNS; ++ ++ ++ /* Allocate an independent copy for png_struct, so that the ++ * lifetime of png_ptr->trans_alpha is decoupled from the ++ * lifetime of info_ptr->trans_alpha. Previously these two ++ * pointers were aliased, which caused a use-after-free if ++ * png_free_data freed info_ptr->trans_alpha while ++ * png_ptr->trans_alpha was still in use by the row transform ++ * functions (e.g. png_do_expand_palette). ++ */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = png_voidcast(png_bytep, ++ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); ++ } ++ else ++ { ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; + } +- png_ptr->trans_alpha = info_ptr->trans_alpha; + } + + if (trans_color != NULL) +diff --git a/pngwrite.c b/pngwrite.c +index 5fc77d91f7..84af1e73fb 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -977,6 +977,12 @@ png_write_destroy(png_structrp png_ptr) + png_ptr->chunk_list = NULL; + #endif + ++#if defined(PNG_tRNS_SUPPORTED) ++ /* Free the independent copy of trans_alpha owned by png_struct. */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; ++#endif ++ + /* The error handling and memory handling information is left intact at this + * point: the jmp_buf may still have to be freed. See png_destroy_png_struct + * for how this happens. diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch new file mode 100644 index 000000000000..e746293bf2c8 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch @@ -0,0 +1,53 @@ +From a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 Mon Sep 17 00:00:00 2001 +From: Oblivionsage +Date: Tue, 17 Mar 2026 08:55:18 +0100 +Subject: [PATCH] fix: Initialize tail bytes in `trans_alpha` buffers + +Although the arrays `info_ptr->trans_alpha` and `png_ptr->trans_alpha` +are allocated 256 bytes, only `num_trans` bytes are copied. +The remaining entries were left uninitialized. Set them to 0xff (fully +opaque) before copying, which matches the conventional treatment of +entries beyond `num_trans`. + +This is a follow-up to the previous use-after-free fix. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25] +Comment: Refreshed hunk to match latest scarthgap + +Reported-by: Cosmin Truta +Reviewed-by: Cosmin Truta +Signed-off-by: Cosmin Truta +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngset.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pngset.c b/pngset.c +index 47883684e4..dccc6498d7 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -994,9 +994,13 @@ png_set_tRNS(png_structrp png_ptr, png_i + + if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) + { +- /* Allocate info_ptr's copy of the transparency data. */ ++ /* Allocate info_ptr's copy of the transparency data. ++ * Initialize all entries to fully opaque (0xff), then overwrite ++ * the first num_trans entries with the actual values. ++ */ + info_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); + memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + info_ptr->free_me |= PNG_FREE_TRNS; + info_ptr->valid |= PNG_INFO_tRNS; +@@ -1013,6 +1017,7 @@ png_set_tRNS(png_structrp png_ptr, png_i + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); + memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + } + else diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch new file mode 100644 index 000000000000..21ce35dcd111 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch @@ -0,0 +1,163 @@ +From 7ea9eea884a2328cc7fdcb3c0c00246a50d90667 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 20 Mar 2026 17:37:22 +0200 +Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->palette` + +Give `png_struct` its own independently-allocated copy of the palette +buffer, decoupling it from `info_struct`'s palette. Allocate both +copies with `png_calloc` to zero-fill, because the ARM NEON palette +riffle reads all 256 entries unconditionally. + +In function `png_set_PLTE`, `png_ptr->palette` was aliased directly to +`info_ptr->palette`: a single heap buffer shared across two structs +with independent lifetimes. If the buffer was freed through `info_ptr` +(via `png_free_data(PNG_FREE_PLTE)` or a second call to `png_set_PLTE`), +`png_ptr->palette` became a dangling pointer. Subsequent row reads, +performed in `png_do_expand_palette` and in other transform functions, +dereferenced (and in the bit-shift path, wrote to) freed memory. + +Also fix `png_set_quantize` to allocate an owned copy of the caller's +palette rather than aliasing the user pointer, so that the unconditional +free in `png_read_destroy` does not free unmanaged memory. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667] +Comment: Refreshed hunk to match latest scarthgap + +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngread.c | 11 +++++------ + pngrtran.c | 8 +++++++- + pngrutil.c | 13 ------------- + pngset.c | 28 +++++++++++++++++++--------- + pngwrite.c | 4 ++++ + 5 files changed, 35 insertions(+), 29 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 0086edf6cf..e1d38d578a 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr) + png_ptr->quantize_index = NULL; + #endif + +- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0) +- { +- png_zfree(png_ptr, png_ptr->palette); +- png_ptr->palette = NULL; +- } +- png_ptr->free_me &= ~PNG_FREE_PLTE; ++ /* png_ptr->palette is always independently allocated (not aliased ++ * with info_ptr->palette), so free it unconditionally. ++ */ ++ png_free(png_ptr, png_ptr->palette); ++ png_ptr->palette = NULL; + + #if defined(PNG_tRNS_SUPPORTED) || \ + defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) +diff --git a/pngrtran.c b/pngrtran.c +index bfb7d423b7..fd736ab672 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, p + } + if (png_ptr->palette == NULL) + { +- png_ptr->palette = palette; ++ /* Allocate an owned copy rather than aliasing the caller's pointer, ++ * so that png_read_destroy can free png_ptr->palette unconditionally. ++ */ ++ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ memcpy(png_ptr->palette, palette, (unsigned int)num_palette * ++ (sizeof (png_color))); + } + png_ptr->num_palette = (png_uint_16)num_palette; + +diff --git a/pngrutil.c b/pngrutil.c +index a19507bf1b..3a35fe9de2 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -1047,14 +1047,6 @@ png_handle_PLTE(png_structrp png_ptr, pn + } + #endif + +- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its +- * own copy of the palette. This has the side effect that when png_start_row +- * is called (this happens after any call to png_read_update_info) the +- * info_ptr palette gets changed. This is extremely unexpected and +- * confusing. +- * +- * Fix this by not sharing the palette in this way. +- */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + + /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before +diff --git a/pngset.c b/pngset.c +index dccc6498d7..b9ccb7fb15 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_error(png_ptr, "Invalid palette"); + } + +- /* It may not actually be necessary to set png_ptr->palette here; +- * we do it for backward compatibility with the way the png_handle_tRNS +- * function used to do the allocation. +- * +- * 1.6.0: the above statement appears to be incorrect; something has to set +- * the palette inside png_struct on read. +- */ + png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); + + /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead + * of num_palette entries, in case of an invalid PNG file or incorrect + * call to png_set_PLTE() with too-large sample values. ++ * ++ * Allocate independent buffers for info_ptr and png_ptr so that the ++ * lifetime of png_ptr->palette is decoupled from the lifetime of ++ * info_ptr->palette. Previously, these two pointers were aliased, ++ * which caused a use-after-free vulnerability if png_free_data freed ++ * info_ptr->palette while png_ptr->palette was still in use by the ++ * row transform functions (e.g. png_do_expand_palette). ++ * ++ * Both buffers are allocated with png_calloc to zero-fill, because ++ * the ARM NEON palette riffle reads all 256 entries unconditionally, ++ * regardless of num_palette. + */ ++ png_free(png_ptr, png_ptr->palette); + png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette; + + if (num_palette > 0) ++ { ++ memcpy(info_ptr->palette, palette, (unsigned int)num_palette * ++ (sizeof (png_color))); + memcpy(png_ptr->palette, palette, (unsigned int)num_palette * + (sizeof (png_color))); ++ } + +- info_ptr->palette = png_ptr->palette; +- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette; + info_ptr->free_me |= PNG_FREE_PLTE; + info_ptr->valid |= PNG_INFO_PLTE; + } +diff --git a/pngwrite.c b/pngwrite.c +index 84af1e73fb..348763e940 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr) + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = NULL; + #endif ++ ++ /* Free the independent copy of the palette owned by png_struct. */ ++ png_free(png_ptr, png_ptr->palette); ++ png_ptr->palette = NULL; + + /* The error handling and memory handling information is left intact at this + * point: the jmp_buf may still have to be freed. See png_destroy_png_struct diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch new file mode 100644 index 000000000000..ff7db53c8160 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch @@ -0,0 +1,53 @@ +From c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 20 Mar 2026 21:25:12 +0200 +Subject: [PATCH] fix: Sync `info_ptr->palette` after in-place transforms + +Copy `png_ptr->palette` into `info_ptr->palette` upon entering +the function that runs immediately after the in-place transforms. + +The palette decoupling in the previous commit gave `png_struct` +and `png_info` independently-allocated palette buffers, fixing a +use-after-free vulnerability. However, `png_init_read_transformations` +modifies `png_ptr->palette` in place (e.g. for gamma correction or +background compositing), and the old aliasing made those modifications +visible through `png_get_PLTE`. With independent buffers, +`info_ptr->palette` retained the original values, causing our tests to +fail on indexed-colour background compositing. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1] +Comment: Refreshed hunk to match latest scarthgap + +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngrtran.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/pngrtran.c b/pngrtran.c +index fd736ab672..978dac5888 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1984,6 +1984,21 @@ png_read_transform_info(png_structrp png + { + png_debug(1, "in png_read_transform_info"); + ++ if (png_ptr->transformations != 0) ++ { ++ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && ++ info_ptr->palette != NULL && png_ptr->palette != NULL) ++ { ++ /* Sync info_ptr->palette with png_ptr->palette. ++ * The function png_init_read_transformations may have modified ++ * png_ptr->palette in place (e.g. for gamma correction or for ++ * background compositing). ++ */ ++ memcpy(info_ptr->palette, png_ptr->palette, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); ++ } ++ } ++ + #ifdef PNG_READ_EXPAND_SUPPORTED + if ((png_ptr->transformations & PNG_EXPAND) != 0) + { diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index 923ed798968a..e4cc63686e90 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb @@ -25,6 +25,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz file://CVE-2026-22801.patch \ file://CVE-2026-25646.patch \ file://CVE-2026-33636.patch \ + file://CVE-2026-33416-01.patch \ + file://CVE-2026-33416-02.patch \ + file://CVE-2026-33416-03.patch \ + file://CVE-2026-33416-04.patch \ " SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450" From ce830d67be738ffad413c15fbb6672d9c3a6edef Mon Sep 17 00:00:00 2001 From: "Hugo SIMELIERE (Schneider Electric)" Date: Wed, 20 May 2026 12:44:13 +0200 Subject: [PATCH 02/96] busybox: Fix CVE-2026-29004 Pick patches from [1] and [2] as mentioned in Debian report in [3]. [1] https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a [2] https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409 [3] https://security-tracker.debian.org/tracker/CVE-2026-29004 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY Signed-off-by: Jeremy Rosen --- .../busybox/busybox/CVE-2026-29004-01.patch | 41 +++++++++++++++++ .../busybox/busybox/CVE-2026-29004-02.patch | 46 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.36.1.bb | 2 + 3 files changed, 89 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch new file mode 100644 index 000000000000..0423a7673069 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch @@ -0,0 +1,41 @@ +From e49fb0f6ad0a0f924ec2cfe6838d04c4f1f4c3ba Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 07:25:38 +0100 +Subject: [PATCH 1/2] udhcpc6: fix buffer overflow + +CVE: CVE-2026-29004 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a] + +Signed-off-by: Denys Vlasenko +(cherry picked from commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + networking/udhcp/d6_dhcpc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index cdd06188e..62cc0f466 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + addrs = option[3] >> 4; + + /* Setup environment variable */ +- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1); ++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1); + dlist = stpcpy(dlist, "dns="); + option_offset = 0; + +- while (addrs--) { ++ while (addrs-- != 0) { + sprint_nip6(dlist, option + 4 + option_offset); + dlist += 39; + option_offset += 16; +- if (addrs) ++ if (addrs != 0) + *dlist++ = ' '; + } + +-- +2.43.0 + diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch new file mode 100644 index 000000000000..ac8c031cc6b2 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch @@ -0,0 +1,46 @@ +From 4d8d5b7c4426e62375235cf4903b6cb53bb193d3 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 13:23:48 +0100 +Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option + +function old new delta +option_to_env 694 711 +17 + +CVE: CVE-2026-29004 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409] + +Signed-off-by: Denys Vlasenko +(cherry picked from commit d368f3f7836d1c2484c8f839316e5c93e76d4409) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + networking/udhcp/d6_dhcpc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index 62cc0f466..64a41c9d8 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | valid-lifetime | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ +- /* Make sure payload contains an address */ +- if (option[3] < 24) ++ /* Make sure payload exists */ ++ if (option[3] < (16 + 4 + 4)) + break; + + sprint_nip6(ipv6str, option + 4); +@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | | + * +-+-+-+-+-+-+-+-+ + */ ++ /* Make sure payload exists */ ++ if (option[3] < (4 + 4 + 1 + 16)) ++ break; + move_from_unaligned32(v32, option + 4 + 4); + v32 = ntohl(v32); + *new_env() = xasprintf("ipv6prefix_lease=%u", (unsigned)v32); +-- +2.43.0 + diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 228bfdadd331..7929d396c850 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb @@ -64,6 +64,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2025-60876.patch \ file://CVE-2026-26157-CVE-2026-26158-01.patch \ file://CVE-2026-26157-CVE-2026-26158-02.patch \ + file://CVE-2026-29004-01.patch \ + file://CVE-2026-29004-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html From 3e239f3c7ff23694741c65cf8444215e3659d690 Mon Sep 17 00:00:00 2001 From: "Hugo SIMELIERE (Schneider Electric)" Date: Wed, 20 May 2026 12:08:48 +0200 Subject: [PATCH 03/96] xz: Fix CVE-2026-34743 Pick patch from [1] as 5.4.x upstream backport of [2] mentioned in Debian report in [3]. [1] https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32 [2] https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87 [3] https://security-tracker.debian.org/tracker/CVE-2026-34743 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY Signed-off-by: Jeremy Rosen --- .../xz/xz/CVE-2026-34743.patch | 68 +++++++++++++++++++ meta/recipes-extended/xz/xz_5.4.7.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/xz/xz/CVE-2026-34743.patch diff --git a/meta/recipes-extended/xz/xz/CVE-2026-34743.patch b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch new file mode 100644 index 000000000000..f890851cb26b --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch @@ -0,0 +1,68 @@ +From ae7abca7c721c73bb4aadf41a82a720a842a4364 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sun, 29 Mar 2026 19:11:21 +0300 +Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append() + +If lzma_index_decoder() was used to decode an Index that contained no +Records, the resulting lzma_index had an invalid internal "prealloc" +value. If lzma_index_append() was called on this lzma_index, too +little memory would be allocated and a buffer overflow would occur. + +While this combination of the API functions is meant to work, in the +real-world apps this call sequence is rare or might not exist at all. + +This bug is older than xz 5.0.0, so all stable releases are affected. + +CVE: CVE-2026-34743 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32] + +Reported-by: GitHub user christos-spearbit +(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87) +(cherry picked from commit 8538443d08591693a8c61f3a03656650f39c7c32) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + src/liblzma/common/index.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c +index 8a35f439..dae7cab5 100644 +--- a/src/liblzma/common/index.c ++++ b/src/liblzma/common/index.c +@@ -434,6 +434,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records) + if (records > PREALLOC_MAX) + records = PREALLOC_MAX; + ++ // If index_decoder.c calls us with records == 0, it's decoding ++ // an Index that has no Records. In that case the decoder won't call ++ // lzma_index_append() at all, and i->prealloc isn't used during ++ // the Index decoding either. ++ // ++ // Normally the first lzma_index_append() call from the Index decoder ++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records, ++ // lzma_index_append() isn't called and the resetting of prealloc ++ // won't occur either. Thus, if records == 0, use the default value ++ // INDEX_GROUP_SIZE instead. ++ // ++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2 ++ // didn't have this check and could set i->prealloc = 0, which would ++ // result in a buffer overflow if the application called ++ // lzma_index_append() after decoding an empty Index. Appending ++ // Records after decoding an Index is a rare thing to do, but ++ // it is supposed to work. ++ if (records == 0) ++ records = INDEX_GROUP_SIZE; ++ + i->prealloc = (size_t)(records); + return; + } +@@ -686,6 +706,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator, + ++g->last; + } else { + // We need to allocate a new group. ++ assert(i->prealloc > 0); + g = lzma_alloc(sizeof(index_group) + + i->prealloc * sizeof(index_record), + allocator); +-- +2.43.0 + diff --git a/meta/recipes-extended/xz/xz_5.4.7.bb b/meta/recipes-extended/xz/xz_5.4.7.bb index 30a4c8e88cf7..72759edea003 100644 --- a/meta/recipes-extended/xz/xz_5.4.7.bb +++ b/meta/recipes-extended/xz/xz_5.4.7.bb @@ -30,6 +30,7 @@ SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${P file://CVE-2025-31115-02.patch \ file://CVE-2025-31115-03.patch \ file://CVE-2025-31115-04.patch \ + file://CVE-2026-34743.patch \ " SRC_URI[sha256sum] = "8db6664c48ca07908b92baedcfe7f3ba23f49ef2476864518ab5db6723836e71" UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)" From 9da42b7e29d39a2650d146d9e4a1ffcdb8c1f1ca Mon Sep 17 00:00:00 2001 From: "Hugo SIMELIERE (Schneider Electric)" Date: Wed, 20 May 2026 12:59:58 +0200 Subject: [PATCH 04/96] util-linux: Fix CVE-2026-27456 Pick patch from [1] as 2.39.x upstream backport of [2] mentioned in Debian report in [3]. [1] https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30 [2] https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972 [3] https://security-tracker.debian.org/tracker/CVE-2026-27456 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY Signed-off-by: Jeremy Rosen --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/CVE-2026-27456.patch | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 4797682c5d5f..838041963453 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -46,6 +46,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://sys-utils-hwclock-rtc-fix-pointer-usage.patch \ file://CVE-2025-14104-01.patch \ file://CVE-2025-14104-02.patch \ + file://CVE-2026-27456.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch new file mode 100644 index 000000000000..4a5fef26d3bd --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch @@ -0,0 +1,115 @@ +From af0b619f8eb15f738c69e33e0bb3a794e9cccf17 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 19 Feb 2026 13:59:46 +0100 +Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks + +Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that +prevents symlink following in both path canonicalization and file open. + +When set: +- loopcxt_set_backing_file() uses strdup() instead of + ul_canonicalize_path() (which calls realpath() and follows symlinks) +- loopcxt_setup_device() adds O_NOFOLLOW to open() flags + +The flag is set for non-root (restricted) mount operations in +libmount's loop device hook. This prevents a TOCTOU race condition +where an attacker could replace the backing file (specified in +/etc/fstab) with a symlink to an arbitrary root-owned file between +path resolution and open(). + +Vulnerable Code Flow: + + mount /mnt/point (non-root, SUID) + mount.c: sanitize_paths() on user args (mountpoint only) + mnt_context_mount() + mnt_context_prepare_mount() + mnt_context_apply_fstab() <-- source path from fstab + hooks run at MNT_STAGE_PREP_SOURCE + hook_loopdev.c: setup_loopdev() + backing_file = fstab source path ("/home/user/disk.img") + loopcxt_set_backing_file() <-- calls realpath() as ROOT + ul_canonicalize_path() <-- follows symlinks! + loopcxt_setup_device() + open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW + +Two vulnerabilities in the path: + +1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses + realpath() -- this follows symlinks as euid=0. If the attacker swaps + the file to a symlink before this call, lc->filename becomes the + resolved target path (e.g., /root/secret.img). + +2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even + if canonicalization happened correctly, the file can be swapped to a + symlink between canonicalize and open. + +CVE: CVE-2026-27456 +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30] + +Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g +Signed-off-by: Karel Zak +(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4) +(cherry picked from commit 79164668a412b71fcb1495c7d299cc5e9741fa30) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + include/loopdev.h | 3 ++- + lib/loopdev.c | 7 ++++++- + libmount/src/hook_loopdev.c | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/loopdev.h b/include/loopdev.h +index 903adc491..d03e9b65e 100644 +--- a/include/loopdev.h ++++ b/include/loopdev.h +@@ -139,7 +139,8 @@ enum { + LOOPDEV_FL_NOIOCTL = (1 << 6), + LOOPDEV_FL_DEVSUBDIR = (1 << 7), + LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */ +- LOOPDEV_FL_SIZELIMIT = (1 << 9) ++ LOOPDEV_FL_SIZELIMIT = (1 << 9), ++ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */ + }; + + /* +diff --git a/lib/loopdev.c b/lib/loopdev.c +index dd9ead3ee..4da251812 100644 +--- a/lib/loopdev.c ++++ b/lib/loopdev.c +@@ -1193,7 +1193,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename) + if (!lc) + return -EINVAL; + +- lc->filename = canonicalize_path(filename); ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ lc->filename = strdup(filename); ++ else ++ lc->filename = canonicalize_path(filename); + if (!lc->filename) + return -errno; + +@@ -1332,6 +1335,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) + + if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) + flags |= O_DIRECT; ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ flags |= O_NOFOLLOW; + + if ((file_fd = open(lc->filename, mode | flags)) < 0) { + if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) +diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c +index 8c8f7f218..ce39a7a70 100644 +--- a/libmount/src/hook_loopdev.c ++++ b/libmount/src/hook_loopdev.c +@@ -276,7 +276,8 @@ static int setup_loopdev(struct libmnt_context *cxt, + } + + DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device")); +- rc = loopcxt_init(&lc, 0); ++ rc = loopcxt_init(&lc, ++ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0); + if (rc) + goto done_no_deinit; + if (mnt_opt_has_value(loopopt)) { +-- +2.43.0 + From 7ac858c9fe1c08cf6fd91122d351c262a2a953cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Enrico=20J=C3=B6rns?= Date: Tue, 24 Mar 2026 00:19:31 +0100 Subject: [PATCH 05/96] devtool: prevent 'devtool modify -n' from corrupting kernel Git repos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Running 'devtool modify -n' on a kernel recipe that inherits 'kernel-yocto' can unintentionally corrupt an existing Git repo or worktree. The work-shared optimization introduced in 3c3a9bae ("devtool/standard.py: Update devtool modify to copy source from work-shared if its already downloaded") is not skipped when '--no-extract' ('args.no_extract') is set. As a result, for kernel builds where STAGING_KERNEL_DIR was already populated when running 'devtool modify -n', the existing source tree is overwritten (via oe.path.copyhardlinktree()) with the contents of STAGING_KERNEL_DIR. Fix by adding 'and not args.no_extract' to the kernel-yocto guard condition. (cherry picked from commit d383ea37e4987ecabe011226f1a8e658a52ede12) Signed-off-by: Enrico Jörns Signed-off-by: Richard Purdie Signed-off-by: Jeremy Rosen --- scripts/lib/devtool/standard.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py index 908869cc4f83..e1e519ce5b6c 100644 --- a/scripts/lib/devtool/standard.py +++ b/scripts/lib/devtool/standard.py @@ -841,7 +841,8 @@ def modify(args, config, basepath, workspace): commits = {} check_commits = False - if bb.data.inherits_class('kernel-yocto', rd): + if bb.data.inherits_class('kernel-yocto', rd) and not args.no_extract: + # Current set kernel version kernelVersion = rd.getVar('LINUX_VERSION') srcdir = rd.getVar('STAGING_KERNEL_DIR') From c6730245b14c094e3b210af785cda7caf4468163 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" Date: Thu, 21 May 2026 12:09:34 +0200 Subject: [PATCH 06/96] go: patch CVE-2026-27142 Backport patch from [1] [1] https://go.dev/cl/752081 Signed-off-by: Theo Gaige (Schneider Electric) Reviewed-by: Bruno Vernay Signed-off-by: Jeremy Rosen --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27142.patch | 386 ++++++++++++++++++ 2 files changed, 387 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27142.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 3fa421e223e7..8efa82f862a2 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -41,6 +41,7 @@ SRC_URI += "\ file://CVE-2025-68121_p1.patch \ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ + file://CVE-2026-27142.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27142.patch b/meta/recipes-devtools/go/go/CVE-2026-27142.patch new file mode 100644 index 000000000000..e735abaf4bb2 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27142.patch @@ -0,0 +1,386 @@ +From 1ac19df75e9c25951c04008a52b23a1cd95e81cc Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Fri, 9 Jan 2026 11:12:01 -0800 +Subject: [PATCH] html/template: properly escape URLs in meta content + attributes + +The meta tag can include a content attribute that contains URLs, which +we currently don't escape if they are inserted via a template action. +This can plausibly lead to XSS vulnerabilities if untrusted data is +inserted there, the http-equiv attribute is set to "refresh", and the +content attribute contains an action like `url={{.}}`. + +Track whether we are inside of a meta element, if we are inside of a +content attribute, _and_ if the content attribute contains "url=". If +all of those are true, then we will apply the same URL escaping that we +use elsewhere. + +Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this +escaping for cases where this behavior is considered safe. The behavior +can be disabled by setting htmlmetacontenturlescape=0. + +Updates #77954 +Fixes #77972 +Fixes CVE-2026-27142 + +Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 +Auto-Submit: Gopher Robot +Reviewed-by: Cherry Mui +TryBot-Bypass: Gopher Robot +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2026-27142 +Upstream-Status: Backport [https://github.com/golang/go/commit/994692847a2cd3efd319f0cb61a07c0012c8a4ff] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + doc/godebug.md | 5 +++ + src/html/template/attr_string.go | 5 +-- + src/html/template/context.go | 8 +++++ + src/html/template/element_string.go | 5 +-- + src/html/template/escape.go | 14 +++++++++ + src/html/template/escape_test.go | 34 +++++++++++++++++++++ + src/html/template/state_string.go | 8 +++-- + src/html/template/transition.go | 47 +++++++++++++++++++++++++---- + src/internal/godebugs/table.go | 1 + + src/runtime/metrics/doc.go | 5 +++ + 10 files changed, 119 insertions(+), 13 deletions(-) + +diff --git a/doc/godebug.md b/doc/godebug.md +index 635597e..07b63cb 100644 +--- a/doc/godebug.md ++++ b/doc/godebug.md +@@ -126,6 +126,11 @@ for example, + see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables) + and the [go command documentation](/cmd/go#hdr-Build_and_test_caching). + ++Go 1.26.1 added a new `htmlmetacontenturlescape` setting that controls whether ++html/template will escape URLs in the `url=` portion of the content attribute of ++HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be ++escaped. Setting `htmlmetacontentescape=0` disables this behavior. ++ + Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number + of query parameters that net/url will accept when parsing a URL-encoded query string. + If the number of parameters exceeds the number set in `urlmaxqueryparams`, +diff --git a/src/html/template/attr_string.go b/src/html/template/attr_string.go +index 51c3f26..7159fa9 100644 +--- a/src/html/template/attr_string.go ++++ b/src/html/template/attr_string.go +@@ -14,11 +14,12 @@ func _() { + _ = x[attrStyle-3] + _ = x[attrURL-4] + _ = x[attrSrcset-5] ++ _ = x[attrMetaContent-6] + } + +-const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcset" ++const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcsetattrMetaContent" + +-var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58} ++var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58, 73} + + func (i attr) String() string { + if i >= attr(len(_attr_index)-1) { +diff --git a/src/html/template/context.go b/src/html/template/context.go +index b78f0f7..8b3af2f 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -156,6 +156,10 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateMetaContent occurs inside a HTML meta element content attribute. ++ stateMetaContent ++ // stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute. ++ stateMetaContentURL + // stateDead marks unreachable code after a {{break}} or {{continue}}. + stateDead + ) +@@ -267,6 +271,8 @@ const ( + elementTextarea + // elementTitle corresponds to the RCDATA element. + elementTitle ++ // elementMeta corresponds to the HTML <meta> element. ++ elementMeta + ) + + //go:generate stringer -type attr +@@ -288,4 +294,6 @@ const ( + attrURL + // attrSrcset corresponds to a srcset attribute. + attrSrcset ++ // attrMetaContent corresponds to the content attribute in meta HTML element. ++ attrMetaContent + ) +diff --git a/src/html/template/element_string.go b/src/html/template/element_string.go +index db28665..bdf9da7 100644 +--- a/src/html/template/element_string.go ++++ b/src/html/template/element_string.go +@@ -13,11 +13,12 @@ func _() { + _ = x[elementStyle-2] + _ = x[elementTextarea-3] + _ = x[elementTitle-4] ++ _ = x[elementMeta-5] + } + +-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle" ++const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta" + +-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63} ++var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74} + + func (i element) String() string { + if i >= element(len(_element_index)-1) { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 1eace16..b368cab 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -165,6 +165,8 @@ func (e *escaper) escape(c context, n parse.Node) context { + + var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp") + ++var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape") ++ + // escapeAction escapes an action template node. + func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + if len(n.Pipe.Decl) != 0 { +@@ -222,6 +224,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + default: + panic(c.urlPart.String()) + } ++ case stateMetaContent: ++ // Handled below in delim check. ++ case stateMetaContentURL: ++ if htmlmetacontenturlescape.Value() != "0" { ++ s = append(s, "_html_template_urlfilter") ++ } else { ++ // We don't have a great place to increment this, since it's hard to ++ // know if we actually escape any urls in _html_template_urlfilter, ++ // since it has no information about what context it is being ++ // executed in etc. This is probably the best we can do. ++ htmlmetacontenturlescape.IncNonDefault() ++ } + case stateJS: + s = append(s, "_html_template_jsvalescaper") + // A slash after a value starts a div operator. +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 497ead8..1970db1 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -734,6 +734,16 @@ func TestEscape(t *testing.T) { + "<script>var a = `${ var a = \"{{\"a \\\" d\"}}\" }`</script>", + "<script>var a = `${ var a = \"a \\u0022 d\" }`</script>", + }, ++ { ++ "meta content attribute url", ++ `<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`, ++ `<meta http-equiv="refresh" content="asd; url=#ZgotmplZ; asd; url=#ZgotmplZ; asd">`, ++ }, ++ { ++ "meta content string", ++ `<meta http-equiv="refresh" content="{{"asd: 123"}}">`, ++ `<meta http-equiv="refresh" content="asd: 123">`, ++ }, + } + + for _, test := range tests { +@@ -1016,6 +1026,14 @@ func TestErrors(t *testing.T) { + "<script>var tmpl = `asd ${return \"{\"}`;</script>", + ``, + }, ++ { ++ `{{if eq "" ""}}<meta>{{end}}`, ++ ``, ++ }, ++ { ++ `{{if eq "" ""}}<meta content="url={{"asd"}}">{{end}}`, ++ ``, ++ }, + + // Error cases. + { +@@ -2194,3 +2212,19 @@ func TestAliasedParseTreeDoesNotOverescape(t *testing.T) { + t.Fatalf(`Template "foo" and "bar" rendered %q and %q respectively, expected equal values`, got1, got2) + } + } ++ ++func TestMetaContentEscapeGODEBUG(t *testing.T) { ++ savedGODEBUG := os.Getenv("GODEBUG") ++ os.Setenv("GODEBUG", savedGODEBUG+",htmlmetacontenturlescape=0") ++ defer func() { os.Setenv("GODEBUG", savedGODEBUG) }() ++ ++ tmpl := Must(New("").Parse(`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`)) ++ var b strings.Builder ++ if err := tmpl.Execute(&b, nil); err != nil { ++ t.Fatalf("unexpected error: %s", err) ++ } ++ want := `<meta http-equiv="refresh" content="asd; url=javascript:alert(1); asd; url=vbscript:alert(1); asd">` ++ if got := b.String(); got != want { ++ t.Fatalf("got %q, want %q", got, want) ++ } ++} +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index eed1e8b..f5a70b2 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -36,12 +36,14 @@ func _() { + _ = x[stateCSSBlockCmt-25] + _ = x[stateCSSLineCmt-26] + _ = x[stateError-27] +- _ = x[stateDead-28] ++ _ = x[stateMetaContent-28] ++ _ = x[stateMetaContentURL-29] ++ _ = x[stateDead-30] + } + +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" ++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index d5a05f6..5aa3c35 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -23,6 +23,8 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateRCDATA: tSpecialTagEnd, + stateAttr: tAttr, + stateURL: tURL, ++ stateMetaContent: tMetaContent, ++ stateMetaContentURL: tMetaContentURL, + stateSrcset: tURL, + stateJS: tJS, + stateJSDqStr: tJSDelimited, +@@ -83,6 +85,7 @@ var elementContentType = [...]state{ + elementStyle: stateCSS, + elementTextarea: stateRCDATA, + elementTitle: stateRCDATA, ++ elementMeta: stateText, + } + + // tTag is the context transition function for the tag state. +@@ -93,6 +96,11 @@ func tTag(c context, s []byte) (context, int) { + return c, len(s) + } + if s[i] == '>' { ++ // Treat <meta> specially, because it doesn't have an end tag, and we ++ // want to transition into the correct state/element for it. ++ if c.element == elementMeta { ++ return context{state: stateText, element: elementNone}, i + 1 ++ } + return context{ + state: elementContentType[c.element], + element: c.element, +@@ -113,6 +121,8 @@ func tTag(c context, s []byte) (context, int) { + attrName := strings.ToLower(string(s[i:j])) + if c.element == elementScript && attrName == "type" { + attr = attrScriptType ++ } else if c.element == elementMeta && attrName == "content" { ++ attr = attrMetaContent + } else { + switch attrType(attrName) { + case contentTypeURL: +@@ -162,12 +172,13 @@ func tAfterName(c context, s []byte) (context, int) { + } + + var attrStartStates = [...]state{ +- attrNone: stateAttr, +- attrScript: stateJS, +- attrScriptType: stateAttr, +- attrStyle: stateCSS, +- attrURL: stateURL, +- attrSrcset: stateSrcset, ++ attrNone: stateAttr, ++ attrScript: stateJS, ++ attrScriptType: stateAttr, ++ attrStyle: stateCSS, ++ attrURL: stateURL, ++ attrSrcset: stateSrcset, ++ attrMetaContent: stateMetaContent, + } + + // tBeforeValue is the context transition function for stateBeforeValue. +@@ -203,6 +214,7 @@ var specialTagEndMarkers = [...][]byte{ + elementStyle: []byte("style"), + elementTextarea: []byte("textarea"), + elementTitle: []byte("title"), ++ elementMeta: []byte(""), + } + + var ( +@@ -612,6 +624,28 @@ func tError(c context, s []byte) (context, int) { + return c, len(s) + } + ++// tMetaContent is the context transition function for the meta content attribute state. ++func tMetaContent(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if i+3 <= len(s)-1 && bytes.Equal(bytes.ToLower(s[i:i+4]), []byte("url=")) { ++ c.state = stateMetaContentURL ++ return c, i + 4 ++ } ++ } ++ return c, len(s) ++} ++ ++// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state. ++func tMetaContentURL(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if s[i] == ';' { ++ c.state = stateMetaContent ++ return c, i + 1 ++ } ++ } ++ return c, len(s) ++} ++ + // eatAttrName returns the largest j such that s[i:j] is an attribute name. + // It returns an error if s[i:] does not look like it begins with an + // attribute name, such as encountering a quote mark without a preceding +@@ -638,6 +672,7 @@ var elementNameMap = map[string]element{ + "style": elementStyle, + "textarea": elementTextarea, + "title": elementTitle, ++ "meta": elementMeta, + } + + // asciiAlpha reports whether c is an ASCII letter. +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go +index 7178df6..90311eb 100644 +--- a/src/internal/godebugs/table.go ++++ b/src/internal/godebugs/table.go +@@ -31,6 +31,7 @@ var All = []Info{ + {Name: "gocachetest", Package: "cmd/go"}, + {Name: "gocacheverify", Package: "cmd/go"}, + {Name: "gotypesalias", Package: "go/types"}, ++ {Name: "htmlmetacontenturlescape", Package: "html/template"}, + {Name: "http2client", Package: "net/http"}, + {Name: "http2debug", Package: "net/http", Opaque: true}, + {Name: "http2server", Package: "net/http"}, +diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go +index 335f787..f68e386 100644 +--- a/src/runtime/metrics/doc.go ++++ b/src/runtime/metrics/doc.go +@@ -255,6 +255,11 @@ Below is the full list of supported metrics, ordered lexicographically. + The number of non-default behaviors executed by the go/types + package due to a non-default GODEBUG=gotypesalias=... setting. + ++ /godebug/non-default-behavior/htmlmetacontenturlescape:events ++ The number of non-default behaviors executed by ++ the html/template package due to a non-default ++ GODEBUG=htmlmetacontenturlescape=... setting. ++ + /godebug/non-default-behavior/http2client:events + The number of non-default behaviors executed by the net/http + package due to a non-default GODEBUG=http2client=... setting. +-- +2.43.0 + From e52259f1d09c722390b49adf3d4e3d863fbde7e8 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:35 +0200 Subject: [PATCH 07/96] go: patch CVE-2026-32280 Backport patch from [1] [1] https://go.dev/cl/758320 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32280.patch | 289 ++++++++++++++++++ 2 files changed, 290 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32280.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 8efa82f862a2..0d4dff6c2129 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -42,6 +42,7 @@ SRC_URI += "\ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ + file://CVE-2026-32280.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32280.patch b/meta/recipes-devtools/go/go/CVE-2026-32280.patch new file mode 100644 index 000000000000..9a6f7950ae03 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32280.patch @@ -0,0 +1,289 @@ +From 1d71a2882078ea5057e68a7d2fedc83a5227c764 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 5 Mar 2026 14:28:44 -0800 +Subject: [PATCH] crypto/x509: fix signature checking limit + +We added the "is this cert already in the chain" check (alreadyInChain) +to considerCandidates before the signature limit. considerCandidates +bails out when we exceed the signature check, but buildChains keeps +calling considerCandidates until it exhausts all potential parents. In +the case where a large number of certificates look to have signed each +other (e.g. all have subject==issuerSubject and the same key), +alreadyInChain is not particularly cheap, meaning even though we hit our +"this is too much work" limit, we still do a lot of work. + +Move alreadyInChain after the signature limit, and also return a +sentinel error, and check it in buildChains so we can break out of the +loop early if we aren't actually going to do any more work. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78282 +Fixes CVE-2026-32280 + +Change-Id: Ie6f05c6ba3b0a40c21f64f7c4f846e74fae3b10e +Reviewed-on: https://go-review.googlesource.com/c/go/+/758320 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32280 +Upstream-Status: Backport [https://github.com/golang/go/commit/26d8a902002a2b41bc4c302044110f2eae8d597f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/x509/verify.go | 31 ++++--- + src/crypto/x509/verify_test.go | 150 ++++++++++++++++----------------- + 2 files changed, 96 insertions(+), 85 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 0ae8aef..1de06bc 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -939,6 +939,8 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + // for failed checks due to different intermediates having the same Subject. + const maxChainSignatureChecks = 100 + ++var errSignatureLimit = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ + func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) { + var ( + hintErr error +@@ -946,16 +948,16 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + ) + + considerCandidate := func(certType int, candidate potentialParent) { +- if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { +- return +- } +- + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { +- err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ err = errSignatureLimit ++ return ++ } ++ ++ if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + +@@ -996,11 +998,20 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + } + } + +- for _, root := range opts.Roots.findPotentialParents(c) { +- considerCandidate(rootCertificate, root) +- } +- for _, intermediate := range opts.Intermediates.findPotentialParents(c) { +- considerCandidate(intermediateCertificate, intermediate) ++candidateLoop: ++ for _, parents := range []struct { ++ certType int ++ potentials []potentialParent ++ }{ ++ {rootCertificate, opts.Roots.findPotentialParents(c)}, ++ {intermediateCertificate, opts.Intermediates.findPotentialParents(c)}, ++ } { ++ for _, parent := range parents.potentials { ++ considerCandidate(parents.certType, parent) ++ if err == errSignatureLimit { ++ break candidateLoop ++ } ++ } + } + + if len(chains) > 0 { +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 223c250..f3711ac 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -1765,10 +1765,13 @@ func TestValidHostname(t *testing.T) { + } + } + +-func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { +- priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) +- if err != nil { +- return nil, nil, err ++func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey, priv crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { ++ if priv == nil { ++ var err error ++ priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ return nil, nil, err ++ } + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) +@@ -1779,6 +1782,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + Subject: pkix.Name{CommonName: cn}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: time.Now().Add(24 * time.Hour), ++ DNSNames: []string{rand.Text()}, + + KeyUsage: KeyUsageKeyEncipherment | KeyUsageDigitalSignature | KeyUsageCertSign, + ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageServerAuth}, +@@ -1790,7 +1794,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + issuerKey = priv + } + +- derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.Public(), issuerKey) ++ derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.(crypto.Signer).Public(), issuerKey) + if err != nil { + return nil, nil, err + } +@@ -1802,81 +1806,77 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + return cert, priv, nil + } + +-func TestPathologicalChain(t *testing.T) { +- if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- // Build a chain where all intermediates share the same subject, to hit the +- // path building worst behavior. +- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) +- +- for i := 1; i < 100; i++ { +- parent, parentKey, err = generateCert("Intermediate CA", true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } +- +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- +- start := time.Now() +- _, err = leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: intermediates, +- }) +- t.Logf("verification took %v", time.Since(start)) +- +- if err == nil || !strings.Contains(err.Error(), "signature check attempts limit") { +- t.Errorf("expected verification to fail with a signature checks limit error; got %v", err) +- } +-} +- +-func TestLongChain(t *testing.T) { ++func TestPathologicalChains(t *testing.T) { + if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) ++ t.Skip("skipping generation of a long chains of certificates in short mode") ++ } ++ ++ // Test four pathological cases, where the intermediates in the chain have ++ // the same/different subjects and the same/different keys. This covers a ++ // number of cases where the chain building algorithm might be inefficient, ++ // such as when there are many intermediates with the same subject but ++ // different keys, many intermediates with the same key but different ++ // subjects, many intermediates with the same subject and key, or many ++ // intermediates with different subjects and keys. ++ // ++ // The worst case for our algorithm is when all of the intermediates share ++ // both subject and key, in which case all of the intermediates appear to ++ // have signed each other, causing us to see a large number of potential ++ // parents for each intermediate. ++ // ++ // All of these cases, Certificate.Verify should return errSignatureLimit. ++ // ++ // In all cases, don't have a root in the pool, so a valid chain cannot actually be built. ++ ++ for _, test := range []struct { ++ sameSubject bool ++ sameKey bool ++ }{ ++ {sameSubject: false, sameKey: false}, ++ {sameSubject: true, sameKey: false}, ++ {sameSubject: false, sameKey: true}, ++ {sameSubject: true, sameKey: true}, ++ } { ++ t.Run(fmt.Sprintf("sameSubject=%t,sameKey=%t", test.sameSubject, test.sameKey), func(t *testing.T) { ++ intermediates := NewCertPool() ++ ++ var intermediateKey crypto.PrivateKey ++ if test.sameKey { ++ var err error ++ intermediateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ t.Fatal(err) ++ } ++ } + +- for i := 1; i < 15; i++ { +- name := fmt.Sprintf("Intermediate CA #%d", i) +- parent, parentKey, err = generateCert(name, true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } ++ var leafSigner crypto.PrivateKey ++ var intermediate *Certificate ++ for i := range 100 { ++ cn := "Intermediate CA" ++ if !test.sameSubject { ++ cn += fmt.Sprintf(" #%d", i) ++ } ++ var err error ++ intermediate, leafSigner, err = generateCert(cn, true, intermediate, leafSigner, intermediateKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ intermediates.AddCert(intermediate) ++ } + +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } ++ leaf, _, err := generateCert("Leaf", false, intermediate, leafSigner, nil) ++ if err != nil { ++ t.Fatal(err) ++ } + +- start := time.Now() +- if _, err := leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: intermediates, +- }); err != nil { +- t.Error(err) ++ start := time.Now() ++ _, err = leaf.Verify(VerifyOptions{ ++ Roots: NewCertPool(), ++ Intermediates: intermediates, ++ }) ++ t.Logf("verification took %v", time.Since(start)) ++ }) + } +- t.Logf("verification took %v", time.Since(start)) + } + + func TestSystemRootsError(t *testing.T) { +-- +2.43.0 + From bfba1601c099d7b68c4d9fcf07617d8310d4af66 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:36 +0200 Subject: [PATCH 08/96] go: patch CVE-2026-32283 Backport patch from [1] [1] https://go.dev/cl/763767 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32283.patch | 177 ++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32283.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 0d4dff6c2129..99c2945a8c44 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -43,6 +43,7 @@ SRC_URI += "\ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ + file://CVE-2026-32283.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32283.patch b/meta/recipes-devtools/go/go/CVE-2026-32283.patch new file mode 100644 index 000000000000..87bcc5816f7b --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32283.patch @@ -0,0 +1,177 @@ +From f560f55d3f804dcc3002dfe963b37bfa3a67202c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 11:54:41 -0700 +Subject: [PATCH] crypto/tls: prevent deadlock when client sends multiple key + update messages + +When we made setReadTrafficSecret send an alert when there are pending +handshake messages, we introduced a deadlock when the client sends +multiple key update messages that request a response, as handleKeyUpdate +will lock the mutex, and defer the unlocking until the end of the +function, but setReadTrafficSecret called sendAlert in the failure case, +which also tries to lock the mutex. + +Add an argument to setReadTrafficSecret which lets the caller indicate +if the mutex is already locked, and if so, call sendAlertLocked instead +of sendAlert. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78334 +Fixes CVE-2026-32283 + +Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763767 +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Russ Cox <rsc@golang.org> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32283 +Upstream-Status: Backport [https://github.com/golang/go/commit/1ea7966042731bae941511fb2b261b9536ad268f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/tls/conn.go | 10 +++-- + src/crypto/tls/handshake_client_tls13.go | 4 +- + src/crypto/tls/handshake_server_tls13.go | 4 +- + src/crypto/tls/handshake_test.go | 48 ++++++++++++++++++++++++ + 4 files changed, 59 insertions(+), 7 deletions(-) + +diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go +index 08609ce..770d456 100644 +--- a/src/crypto/tls/conn.go ++++ b/src/crypto/tls/conn.go +@@ -1345,7 +1345,7 @@ func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error { + } + + newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret) +- if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret); err != nil { ++ if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret, keyUpdate.updateRequested); err != nil { + return err + } + +@@ -1675,12 +1675,16 @@ func (c *Conn) VerifyHostname(host string) error { + // setReadTrafficSecret sets the read traffic secret for the given encryption level. If + // being called at the same time as setWriteTrafficSecret, the caller must ensure the call + // to setWriteTrafficSecret happens first so any alerts are sent at the write level. +-func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error { ++func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte, locked bool) error { + // Ensure that there are no buffered handshake messages before changing the + // read keys, since that can cause messages to be parsed that were encrypted + // using old keys which are no longer appropriate. + if c.hand.Len() != 0 { +- c.sendAlert(alertUnexpectedMessage) ++ if locked { ++ c.sendAlertLocked(alertUnexpectedMessage) ++ } else { ++ c.sendAlert(alertUnexpectedMessage) ++ } + return errors.New("tls: handshake buffer not empty before setting read traffic secret") + } + c.in.setTrafficSecret(suite, level, secret) +diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go +index 68ff92b..2d58b21 100644 +--- a/src/crypto/tls/handshake_client_tls13.go ++++ b/src/crypto/tls/handshake_client_tls13.go +@@ -396,7 +396,7 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) + serverSecret := hs.suite.deriveSecret(handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret, false); err != nil { + return err + } + +@@ -607,7 +607,7 @@ func (hs *clientHandshakeStateTLS13) readServerFinished() error { + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +index 1ecee3a..f73b536 100644 +--- a/src/crypto/tls/handshake_server_tls13.go ++++ b/src/crypto/tls/handshake_server_tls13.go +@@ -636,7 +636,7 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) + clientSecret := hs.suite.deriveSecret(hs.handshakeSecret, + clientHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret, false); err != nil { + return err + } + +@@ -1005,7 +1005,7 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error { + return errors.New("tls: invalid client finished hash") + } + +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go +index 4991a0e..a95d751 100644 +--- a/src/crypto/tls/handshake_test.go ++++ b/src/crypto/tls/handshake_test.go +@@ -673,3 +673,51 @@ func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) { + outBuf = append(outBuf, marshalled...) + return outBuf, nil + } ++ ++func TestMultipleKeyUpdate(t *testing.T) { ++ for _, requestUpdate := range []bool{true, false} { ++ t.Run(fmt.Sprintf("requestUpdate=%t", requestUpdate), func(t *testing.T) { ++ ++ c, s := localPipe(t) ++ cfg := testConfig.Clone() ++ cfg.MinVersion = VersionTLS13 ++ cfg.MaxVersion = VersionTLS13 ++ client := Client(c, testConfig) ++ server := Server(s, testConfig) ++ ++ clientHandshakeDone := make(chan struct{}) ++ go func() { ++ if err := client.Handshake(); err != nil { ++ } ++ close(clientHandshakeDone) ++ io.Copy(io.Discard, server) ++ }() ++ ++ if err := server.Handshake(); err != nil { ++ t.Fatalf("server handshake failed: %v\n", err) ++ } ++ <-clientHandshakeDone ++ ++ c.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ s.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ ++ kuMsg, err := (&keyUpdateMsg{updateRequested: requestUpdate}).marshal() ++ if err != nil { ++ t.Fatalf("failed to marshal key update message: %v", err) ++ } ++ ++ client.out.Lock() ++ if _, err := client.writeRecordLocked(recordTypeHandshake, append(kuMsg, kuMsg...)); err != nil { ++ t.Fatalf("failed to write key update messages: %v", err) ++ } ++ client.out.Unlock() ++ ++ _, err = io.Copy(io.Discard, client) ++ if err == nil { ++ t.Fatal("expected multiple key update messages to cause an error, got nil") ++ } else if !strings.HasSuffix(err.Error(), "tls: unexpected message") { ++ t.Fatalf("unexpected error: %v", err) ++ } ++ }) ++ } ++} +-- +2.43.0 + From d0469c3a9d62a2ab3d6baef92e578f247d68318b Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:37 +0200 Subject: [PATCH 09/96] go: patch CVE-2026-32289 Backport patch from [1] [1] https://go.dev/cl/763762 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32289.patch | 217 ++++++++++++++++++ 2 files changed, 218 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32289.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 99c2945a8c44..288cd5c95f69 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ + file://CVE-2026-32289.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32289.patch b/meta/recipes-devtools/go/go/CVE-2026-32289.patch new file mode 100644 index 000000000000..28ff0c00e0a6 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32289.patch @@ -0,0 +1,217 @@ +From 5291c6d3e6d0bc0a764a9a6bd6b3de1be64b8264 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 13:34:23 -0700 +Subject: [PATCH] html/template: properly track JS template literal brace depth + across contexts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Properly track JS template literal brace depth across branches/ranges, +and prevent accidental re-use of escape analysis by including the +brace depth in the stringification/mangling for contexts. + +Fixes #78331 +Fixes CVE-2026-32289 + +Change-Id: I9f3f47c29e042220b18e4d3299db7a3fae4207fa +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3882 +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763762 +Reviewed-by: Russ Cox <rsc@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Fan Mỹ Tâm Club <letrivien97@gmail.com> + +CVE: CVE-2026-32289 +Upstream-Status: Backport [https://github.com/golang/go/commit/199c4d1c3c9d509a51f777c81cb17d4b17728097] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/context.go | 14 +++++++++++- + src/html/template/escape.go | 4 ++-- + src/html/template/escape_test.go | 38 +++++++++++++++++++++----------- + 3 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 8b3af2feab..132ae2d28d 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "slices" + "text/template/parse" + ) + +@@ -37,7 +38,7 @@ func (c context) String() string { + if c.err != nil { + err = c.err + } +- return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.attr, c.element, err) ++ return fmt.Sprintf("{%v %v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.jsBraceDepth, c.attr, c.element, err) + } + + // eq reports whether two contexts are equal. +@@ -46,6 +47,7 @@ func (c context) eq(d context) bool { + c.delim == d.delim && + c.urlPart == d.urlPart && + c.jsCtx == d.jsCtx && ++ slices.Equal(c.jsBraceDepth, d.jsBraceDepth) && + c.attr == d.attr && + c.element == d.element && + c.err == d.err +@@ -68,6 +70,9 @@ func (c context) mangle(templateName string) string { + if c.jsCtx != jsCtxRegexp { + s += "_" + c.jsCtx.String() + } ++ if c.jsBraceDepth != nil { ++ s += fmt.Sprintf("_jsBraceDepth(%v)", c.jsBraceDepth) ++ } + if c.attr != attrNone { + s += "_" + c.attr.String() + } +@@ -77,6 +82,13 @@ func (c context) mangle(templateName string) string { + return s + } + ++// clone returns a copy of c with the same field values. ++func (c context) clone() context { ++ clone := c ++ clone.jsBraceDepth = slices.Clone(c.jsBraceDepth) ++ return clone ++} ++ + // state describes a high-level HTML parser state. + // + // It bounds the top of the element stack, and by extension the HTML insertion +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index b368cab38c..c031ed27b9 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -522,7 +522,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + if nodeName == "range" { + e.rangeContext = &rangeContext{outer: e.rangeContext} + } +- c0 := e.escapeList(c, n.List) ++ c0 := e.escapeList(c.clone(), n.List) + if nodeName == "range" { + if c0.state != stateError { + c0 = joinRange(c0, e.rangeContext) +@@ -553,7 +553,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + return c0 + } + } +- c1 := e.escapeList(c, n.ElseList) ++ c1 := e.escapeList(c.clone(), n.ElseList) + return join(c0, c1, n, nodeName) + } + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 1970db1695..435c83378f 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -1181,6 +1181,18 @@ func TestErrors(t *testing.T) { + // html is allowed since it is the last command in the pipeline, but urlquery is not. + `predefined escaper "urlquery" disallowed in template`, + }, ++ { ++ "<script>var a = `{{if .X}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}b{{end}}`</script>", ++ ``, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1752,7 +1764,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${}", +@@ -1760,27 +1772,27 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"`", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"}", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${``", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${`}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ {} } asd`</script><script>`${ {} }", +@@ -1788,7 +1800,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var foo = `${ (_ => { return \"x\" })() + \"${", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${ {</script><script>var b = `${ x }", +@@ -1816,23 +1828,23 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>`${ { `` }", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ { }`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{2, 0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${ {{.}} }` }, b: ", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{1}}, + }, + { + "<script>`${ `}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + } + +-- +2.43.0 + From e4137b29d7b3218ceef9973d57c179e5e2771a68 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:38 +0200 Subject: [PATCH 10/96] go: patch CVE-2026-33811 Backport patch from [1] [1] https://go.dev/cl/767860 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-33811.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-33811.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 288cd5c95f69..9a7695e75472 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -45,6 +45,7 @@ SRC_URI += "\ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ + file://CVE-2026-33811.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-33811.patch b/meta/recipes-devtools/go/go/CVE-2026-33811.patch new file mode 100644 index 000000000000..216b33ed8b1e --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-33811.patch @@ -0,0 +1,46 @@ +From 9082277a0a78af39190c1f23b622f02b89e46196 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 26 Mar 2026 12:17:06 -0700 +Subject: [PATCH] net: avoid double-free of cgo pointer when handling large DNS + response + +No test, unfortunately: I've had no luck triggering this without +the ability to override the local recursive resolver. + +Thanks to hamayanhamayan for reporting this issue. + +Fixes CVE-2026-33811 +Fixes #78803 + +Change-Id: I9e51410337316c20e4b9fd5b86657f436a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767860 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-33811 +Upstream-Status: Backport [https://github.com/golang/go/commit/ab2c7eb1c43011dda118282c1e757d8c27cd7d4f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/cgo_unix.go | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/net/cgo_unix.go b/src/net/cgo_unix.go +index 7ed5daad73..bd694859ab 100644 +--- a/src/net/cgo_unix.go ++++ b/src/net/cgo_unix.go +@@ -343,7 +343,10 @@ func cgoResSearch(hostname string, rtype, class int) ([]dnsmessage.Resource, err + // useful in the response, even though there *is* a response. + bufSize := maxDNSPacketSize + buf := (*_C_uchar)(_C_malloc(uintptr(bufSize))) +- defer _C_free(unsafe.Pointer(buf)) ++ defer func() { ++ // Free in a closure which captures buf to pick up a reallocated buffer from below. ++ _C_free(unsafe.Pointer(buf)) ++ }() + + s, err := syscall.BytePtrFromString(hostname) + if err != nil { +-- +2.43.0 + From f88c0ff79cf5838f8d0c31ecacc35faf56059d03 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:39 +0200 Subject: [PATCH 11/96] go: patch CVE-2026-39817 Backport patch from [1] mentionned in [2] [1] https://go.dev/cl/767520 [2] https://security-tracker.debian.org/tracker/CVE-2026-39817 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39817.patch | 105 ++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39817.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 9a7695e75472..f06b974e04b7 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -46,6 +46,7 @@ SRC_URI += "\ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ + file://CVE-2026-39817.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39817.patch b/meta/recipes-devtools/go/go/CVE-2026-39817.patch new file mode 100644 index 000000000000..103fbedb7a00 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39817.patch @@ -0,0 +1,105 @@ +From 7d35508ad684c808ec11fb6ef3ab27f9258a9418 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 15 Apr 2026 16:27:23 -0400 +Subject: [PATCH] cmd/pack: refuse to extract files with directory components + +Do not write to /etc/passwd when running "go tool pack x evil.a" +on an archive containing a file named /etc/passwd. + +Fixes #78778 + +Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767520 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-39817 +Upstream-Status: Backport [https://github.com/golang/go/commit/7409ada33f99c0d74db2b0389c51a15de116e48d] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/pack/pack.go | 5 +++++ + src/cmd/pack/pack_test.go | 44 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+) + +diff --git a/src/cmd/pack/pack.go b/src/cmd/pack/pack.go +index 412ea36d60..2fe0258f01 100644 +--- a/src/cmd/pack/pack.go ++++ b/src/cmd/pack/pack.go +@@ -135,6 +135,11 @@ func openArchive(name string, mode int, files []string) *Archive { + if err != nil { + log.Fatal(err) + } ++ for _, f := range a.Entries { ++ if !filepath.IsLocal(f.Name) || filepath.Base(f.Name) != f.Name { ++ log.Fatalf("%q: invalid name", f.Name) ++ } ++ } + return &Archive{ + a: a, + files: files, +diff --git a/src/cmd/pack/pack_test.go b/src/cmd/pack/pack_test.go +index c3a63424dd..c4a8c78cbf 100644 +--- a/src/cmd/pack/pack_test.go ++++ b/src/cmd/pack/pack_test.go +@@ -6,6 +6,7 @@ package main + + import ( + "bufio" ++ "bytes" + "cmd/internal/archive" + "fmt" + "internal/testenv" +@@ -409,6 +410,49 @@ func TestRWithNonexistentFile(t *testing.T) { + run(packPath(t), "r", "p.a", "p.o") // should succeed + } + ++func TestOutputPathSanitization(t *testing.T) { ++ dir := t.TempDir() ++ ++ // Create pack.a containing a file named "longpathname". ++ // Note that "go tool pack" requires that all files be at least 8 bytes long. ++ const validPathName = "longpathname" ++ if err := os.WriteFile(dir+"/"+validPathName, make([]byte, 8), 0o666); err != nil { ++ t.Fatal(err) ++ } ++ doRun(t, dir, packPath(t), "grc", "pack.a", validPathName) ++ ++ // Create evil.a from pack.a, replacing "longpathname" with "out/pathname". ++ b, err := os.ReadFile(dir + "/pack.a") ++ if err != nil { ++ t.Fatal(err) ++ } ++ idx := bytes.Index(b, []byte(validPathName)) ++ if idx < 0 { ++ t.Fatalf("%v not found in pack.a", validPathName) ++ } ++ copy(b[idx:], "out/") ++ os.WriteFile(dir+"/evil.a", b, 0o666) ++ ++ // Extract evil.a. It should fail and not extract a file to /out. ++ os.Mkdir(dir+"/out", 0o777) ++ ++ cmd := testenv.Command(t, packPath(t), "x", "evil.a") ++ cmd.Dir = dir ++ _, err = cmd.CombinedOutput() ++ if err == nil { ++ t.Errorf("pack x evil.a: unexpected success") ++ } ++ ++ ents, err := os.ReadDir(dir + "/out") ++ if err != nil { ++ t.Error(err) ++ } ++ for _, e := range ents { ++ t.Errorf("unexpected file in /out: %q", e.Name()) ++ } ++ ++} ++ + // doRun runs a program in a directory and returns the output. + func doRun(t *testing.T, dir string, args ...string) string { + cmd := testenv.Command(t, args[0], args[1:]...) +-- +2.43.0 + From 791de4922a5b342e3227713b053709a00400e1b5 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:40 +0200 Subject: [PATCH 12/96] go: patch CVE-2026-39819 Backport patch from [1] [1] https://go.dev/cl/763882 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39819.patch | 48 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39819.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f06b974e04b7..dba826011ba7 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -47,6 +47,7 @@ SRC_URI += "\ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ + file://CVE-2026-39819.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39819.patch b/meta/recipes-devtools/go/go/CVE-2026-39819.patch new file mode 100644 index 000000000000..cb767e13200e --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39819.patch @@ -0,0 +1,48 @@ +From db6ceacb046779c763f87060d8a1ba5c936309c9 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 8 Apr 2026 09:55:54 -0700 +Subject: [PATCH] cmd/go: use MkdirTemp to create temp directory for "go bug" + +Don't use a predictable, potentially attacker-controlled filename in /tmp. + +Fixes #78584 +Fixes CVE-2026-39819 + +Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763882 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39819 +Upstream-Status: Backport [https://github.com/golang/go/commit/5d6aa23e5b6151d25955a512532383c28c745e18] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/bug/bug.go | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cmd/go/internal/bug/bug.go b/src/cmd/go/internal/bug/bug.go +index ed1813605e..9bf97dd511 100644 +--- a/src/cmd/go/internal/bug/bug.go ++++ b/src/cmd/go/internal/bug/bug.go +@@ -182,14 +182,14 @@ func firstLine(buf []byte) []byte { + // printGlibcVersion prints information about the glibc version. + // It ignores failures. + func printGlibcVersion(w io.Writer) { +- tempdir := os.TempDir() +- if tempdir == "" { ++ tempdir, err := os.MkdirTemp("", "") ++ if err != nil { + return + } + src := []byte(`int main() {}`) + srcfile := filepath.Join(tempdir, "go-bug.c") + outfile := filepath.Join(tempdir, "go-bug") +- err := os.WriteFile(srcfile, src, 0644) ++ err = os.WriteFile(srcfile, src, 0644) + if err != nil { + return + } +-- +2.43.0 + From f694d6cdd10c38a482d8c2a90f84c96da817ea51 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:41 +0200 Subject: [PATCH 13/96] go: patch CVE-2026-39820 Backport patch from [1] mentionned in [2] [1] https://go.dev/cl/759940 [2] https://security-tracker.debian.org/tracker/CVE-2026-39820 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39820.patch | 112 ++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39820.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index dba826011ba7..002d44305977 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -48,6 +48,7 @@ SRC_URI += "\ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ + file://CVE-2026-39820.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39820.patch b/meta/recipes-devtools/go/go/CVE-2026-39820.patch new file mode 100644 index 000000000000..c5f84282a97a --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39820.patch @@ -0,0 +1,112 @@ +From e459f8fe1061679f866c599210466db386348f08 Mon Sep 17 00:00:00 2001 +From: mohammadmseet-hue <mohammadmseet@gmail.com> +Date: Sat, 4 Apr 2026 05:17:25 +0000 +Subject: [PATCH] net/mail: fix quadratic complexity in consumeComment + +consumeComment builds the comment string by repeated string +concatenation inside a loop. Each concatenation copies the +entire string built so far, making the function O(n^2) in the +depth of nested comments. + +Replace the concatenation with a strings.Builder, which +amortizes allocation by doubling its internal buffer. This +reduces consumeComment from O(n^2) to O(n). + +This is the same bug class as the consumeDomainLiteral fix +in CVE-2025-61725. + +Benchmark results (benchstat, 8 runs): + + name old time/op new time/op delta + ConsumeComment/depth10 2.481us 1.838us -25.92% + ConsumeComment/depth100 86.58us 6.498us -92.50% + ConsumeComment/depth1000 7.963ms 52.82us -99.34% + ConsumeComment/depth10000 897.8ms 521.3us -99.94% + +The quadratic cost becomes visible at depth 100 and dominant +by depth 1000. At depth 10000, the fix is roughly 1700x +faster. + +Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34 +GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2 +GitHub-Pull-Request: golang/go#78393 +Reviewed-on: https://go-review.googlesource.com/c/go/+/759940 +Reviewed-by: Sean Liao <sean@liao.dev> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Sean Liao <sean@liao.dev> +Reviewed-by: David Chase <drchase@google.com> +Reviewed-by: Junyang Shao <shaojunyang@google.com> + +CVE: CVE-2026-39820 +Upstream-Status: Backport [https://github.com/golang/go/commit/0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 6 +++--- + src/net/mail/message_test.go | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index fc2a9e46f8..37d7ff5df1 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -780,7 +780,7 @@ func (p *addrParser) consumeComment() (string, bool) { + // '(' already consumed. + depth := 1 + +- var comment string ++ var comment strings.Builder + for { + if p.empty() || depth == 0 { + break +@@ -794,12 +794,12 @@ func (p *addrParser) consumeComment() (string, bool) { + depth-- + } + if depth > 0 { +- comment += p.s[:1] ++ comment.WriteByte(p.s[0]) + } + p.s = p.s[1:] + } + +- return comment, depth == 0 ++ return comment.String(), depth == 0 + } + + func (p *addrParser) decodeRFC2047Word(s string) (word string, isEncoded bool, err error) { +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1f2f62afbf..1b165317f9 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -6,6 +6,7 @@ package mail + + import ( + "bytes" ++ "fmt" + "io" + "mime" + "reflect" +@@ -1217,3 +1218,21 @@ func TestEmptyAddress(t *testing.T) { + t.Errorf(`ParseAddressList("") = %v, %v, want nil, error`, list, err) + } + } ++ ++func BenchmarkConsumeComment(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { ++ // Build a deeply nested comment: (((...a...))) ++ open := strings.Repeat("(", n) ++ close := strings.Repeat(")", n) ++ // consumeComment expects the leading '(' already consumed, ++ // so we start with one fewer opening paren and the parser ++ // will handle nesting from there. ++ input := open[:n-1] + "a" + close ++ for b.Loop() { ++ p := addrParser{s: input} ++ p.consumeComment() ++ } ++ }) ++ } ++} +-- +2.43.0 + From ae5b6a1b2bf80e73f18406153d314ff18a89a13f Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:42 +0200 Subject: [PATCH 14/96] go: patch CVE-2026-39825 Backport patch from [1] [1] https://go.dev/cl/770541 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39825.patch | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39825.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 002d44305977..952c0e463856 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -49,6 +49,7 @@ SRC_URI += "\ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ + file://CVE-2026-39825.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39825.patch b/meta/recipes-devtools/go/go/CVE-2026-39825.patch new file mode 100644 index 000000000000..6082f5fc3721 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39825.patch @@ -0,0 +1,104 @@ +From 96b1a3f872971fc38d9f2c0ed4a3d1f3ceeb517f Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 24 Apr 2026 14:10:47 -0700 +Subject: [PATCH] net/http/httputil: reencode queries with many parameters in + proxy + +When ReverseProxy forwards a request containing more than +urlmaxqueryparams (GODEBUG) query parameters, reencode the +outbound query parameters. + +Avoids potential smuggling of query parameters, where the +sender sends many query parameters, the user's Rewrite hook +fails to observe those parameters due to the limit being +exceeded, and the request is forwarded with the full set +of parameters. + +Fixes #78948 +Fixes CVE-2026-39825 + +Change-Id: I691be7899c4b6208bf61f6b78dacfdf56a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/770541 +Reviewed-by: Nicholas Husin <nsh@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Auto-Submit: Damien Neil <dneil@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39825 +Upstream-Status: Backport [https://github.com/golang/go/commit/6795bb331782b33691f772d30c810b4c3a317aeb] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/http/httputil/reverseproxy.go | 14 ++++++++++++++ + src/net/http/httputil/reverseproxy_test.go | 6 ++++++ + src/net/url/url.go | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 5c70f0d27b..37b0eab6b0 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -10,6 +10,7 @@ import ( + "context" + "errors" + "fmt" ++ "internal/godebug" + "io" + "log" + "mime" +@@ -797,11 +798,24 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) { + errc <- err + } + ++var urlmaxqueryparams = godebug.New("urlmaxqueryparams") ++ ++// Keep this in sync with net/url. ++const defaultMaxParams = 10000 ++ + func cleanQueryParams(s string) string { + reencode := func(s string) string { + v, _ := url.ParseQuery(s) + return v.Encode() + } ++ if urlmaxqueryparams.Value() != "" { ++ // Always reencode when a non-default urlmaxqueryparams is set. ++ return reencode(s) ++ } ++ if numParams := strings.Count(s, "&") + 1; numParams > defaultMaxParams { ++ // Too many query parameters. ++ return reencode(s) ++ } + for i := 0; i < len(s); { + switch s[i] { + case ';': +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index dd3330b615..deb1ab9ce2 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -1845,6 +1845,12 @@ func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, + }, { + rawQuery: "a=1&a=%zz&b=3", + cleanQuery: "a=1&b=3", ++ }, { ++ rawQuery: "a=%zz", ++ cleanQuery: "", ++ }, { ++ rawQuery: strings.Repeat("a=1&", 10000) + "a=1", ++ cleanQuery: "", + }} { + res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery) + if err != nil { +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130..41f3bef1ee 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -961,6 +961,7 @@ func ParseQuery(query string) (Values, error) { + + var urlmaxqueryparams = godebug.New("urlmaxqueryparams") + ++// Keep this in sync with net/http/httputil. + const defaultMaxParams = 10000 + + func urlParamsWithinMax(params int) bool { +-- +2.43.0 + From 11203044b88ecca7bcdf32d58db5808949423de4 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:43 +0200 Subject: [PATCH 15/96] go: patch CVE-2026-39826 Backport patch from [1] [1] https://go.dev/cl/771180 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39826.patch | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39826.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 952c0e463856..77e6bcd59d41 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -50,6 +50,7 @@ SRC_URI += "\ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ + file://CVE-2026-39826.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39826.patch b/meta/recipes-devtools/go/go/CVE-2026-39826.patch new file mode 100644 index 000000000000..d9fa751adccf --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39826.patch @@ -0,0 +1,65 @@ +From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Mon, 27 Apr 2026 17:34:58 -0400 +Subject: [PATCH] html/template: fix escaper bypass by treating empty script + type as JavaScript + +Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes #78981 +Fixes CVE-2026-39826 + +Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 +Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 +Reviewed-by: Roland Shoemaker <roland@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39826 +Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/escape_test.go | 15 +++++++++++++++ + src/html/template/js.go | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 435c83378f..ce06440738 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) { + "<script>alert({{.A}})</script>", + `<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`, + }, ++ { ++ "scriptTypeSpace", ++ "<script type=\" \">{{.H}}</script>", ++ "<script type=\" \">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeTab", ++ "<script type=\"\t\">{{.H}}</script>", ++ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeEmpty", ++ "<script type=\"\">{{.H}}</script>", ++ "<script type=\"\">\"\\u003cHello\\u003e\"</script>", ++ }, + { + "jsObjValueNotOverEscaped", + "<button onclick='alert({{.A | html}})'>", +diff --git a/src/html/template/js.go b/src/html/template/js.go +index d911ada26d..90cf2dc982 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool { + mimeType = strings.TrimSpace(mimeType) + switch mimeType { + case ++ "", + "application/ecmascript", + "application/javascript", + "application/json", +-- +2.43.0 + From 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:44 +0200 Subject: [PATCH 16/96] go: patch CVE-2026-42499 Backport patch from [1] [1] https://go.dev/cl/771520 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42499.patch | 91 +++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42499.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 77e6bcd59d41..85f75f0d890e 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -51,6 +51,7 @@ SRC_URI += "\ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ + file://CVE-2026-42499.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42499.patch b/meta/recipes-devtools/go/go/CVE-2026-42499.patch new file mode 100644 index 000000000000..d4ac9b3823b0 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42499.patch @@ -0,0 +1,91 @@ +From dd339e72189d59f249786afd4021b9fb391f3562 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Tue, 28 Apr 2026 12:10:24 -0400 +Subject: [PATCH] net/mail: fix quadratic consumePhrase behavior + +Updates #78987 +Fixes CVE-2026-42499 + +Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f +Reviewed-on: https://go-review.googlesource.com/c/go/+/771520 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42499 +Upstream-Status: Backport [https://github.com/golang/go/commit/2c59389fcc5194aeae742fb413e55b656c22343f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 23 +++++++++++++++++------ + src/net/mail/message_test.go | 11 +++++++++++ + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index 37d7ff5df1..f57742068e 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -567,8 +567,10 @@ func (p *addrParser) consumeAddrSpec() (spec string, err error) { + func (p *addrParser) consumePhrase() (phrase string, err error) { + debug.Printf("consumePhrase: [%s]", p.s) + // phrase = 1*word +- var words []string +- var isPrevEncoded bool ++ var ( ++ words []string ++ sb strings.Builder ++ ) + for { + // obs-phrase allows CFWS after one word + if len(words) > 0 { +@@ -600,13 +602,22 @@ func (p *addrParser) consumePhrase() (phrase string, err error) { + break + } + debug.Printf("consumePhrase: consumed %q", word) +- if isPrevEncoded && isEncoded { +- words[len(words)-1] += word +- } else { ++ switch { ++ case isEncoded: ++ sb.WriteString(word) ++ case !isEncoded && sb.Len() > 0: ++ words = append(words, sb.String()) ++ sb.Reset() ++ words = append(words, word) ++ default: + words = append(words, word) + } +- isPrevEncoded = isEncoded + } ++ ++ if sb.Len() > 0 { ++ words = append(words, sb.String()) ++ } ++ + // Ignore any error if we got at least one word. + if err != nil && len(words) == 0 { + debug.Printf("consumePhrase: hit err: %v", err) +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1b165317f9..27837a9cbd 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -1219,6 +1219,17 @@ func TestEmptyAddress(t *testing.T) { + } + } + ++func BenchmarkConsumePhrase(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("words-%d", n), func(b *testing.B) { ++ input := strings.Repeat("=?utf-8?q?hello?= ", n) + "<user@example.com>" ++ for b.Loop() { ++ (&addrParser{s: input}).consumePhrase() ++ } ++ }) ++ } ++} ++ + func BenchmarkConsumeComment(b *testing.B) { + for _, n := range []int{10, 100, 1000, 10000} { + b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { +-- +2.43.0 + From c9cc7872b9ecb426e9cd5921e0bbc175f600964a Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:45 +0200 Subject: [PATCH 17/96] go: patch CVE-2026-42501 Backport patch from [1] [1] https://go.dev/cl/775321 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42501.patch | 127 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42501.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 85f75f0d890e..03a1a81fc391 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -52,6 +52,7 @@ SRC_URI += "\ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ + file://CVE-2026-42501.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42501.patch b/meta/recipes-devtools/go/go/CVE-2026-42501.patch new file mode 100644 index 000000000000..82b2fa02a192 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42501.patch @@ -0,0 +1,127 @@ +From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 30 Apr 2026 13:10:49 -0700 +Subject: [PATCH] cmd/go: reject sumdb response lacking module hash + +Report an error when a sumdb /lookup/ request does not +include a hash for the requested module, rather than +silently proceeding. + +Previously, we would verify that a returned sum matched +the expected module hash, but did not verify that the +response contained a sum. This permits a malicous +proxy to serve a corrupted module along with a +valid-but-irrelevant sumdb response for some other +module. We now ensure that the sumdb response contains +a valid hash for the module we are validating. + +Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes CVE-2026-42501 +Fixes #79070 + +Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/775321 +Reviewed-by: Michael Pratt <mpratt@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42501 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++- + src/cmd/go/proxy_test.go | 17 +++++++++++++++++ + src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++ + 3 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt + +diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go +index eeab6da62a..75769d7c61 100644 +--- a/src/cmd/go/internal/modfetch/fetch.go ++++ b/src/cmd/go/internal/modfetch/fetch.go +@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error { + return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):])) + } + } +- return nil ++ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun)) + } + + // Sum returns the checksum for the downloaded copy of the given module, +@@ -931,6 +931,19 @@ have intercepted the download attempt. + For more information, see 'go help module-auth'. + ` + ++const sumdbAbsent = ` ++ ++SECURITY ERROR ++This download does NOT match one reported by the checksum server. ++The checksum server has provided checksums, but the checksums do ++not contain an entry for the download. ++The checksum server may be malfunctioning, or an attacker may have ++intercepted the checksum request. ++The download cannot be verified. ++ ++For more information, see 'go help module-auth'. ++` ++ + const hashVersionMismatch = ` + + SECURITY WARNING +diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go +index cb3d9f92f1..88e5052b89 100644 +--- a/src/cmd/go/proxy_test.go ++++ b/src/cmd/go/proxy_test.go +@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) { + return + } + ++ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/... ++ // performs a lookup for module@version rather than the requested module. ++ if strings.HasPrefix(path, "sumdb-redirect/") { ++ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":") ++ if !ok { ++ w.WriteHeader(500) ++ return ++ } ++ if strings.HasPrefix(rest, "/lookup/") { ++ r.URL.Path = "/lookup" + redirect ++ } else { ++ r.URL.Path = rest ++ } ++ sumdbServer.ServeHTTP(w, r) ++ return ++ } ++ + // Request for $GOPROXY/redirect/<count>/... goes to redirects. + if strings.HasPrefix(path, "redirect/") { + path = path[len("redirect/"):] +diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt +new file mode 100644 +index 0000000000..c2dd814542 +--- /dev/null ++++ b/src/cmd/go/testdata/script/mod_sum_absent.txt +@@ -0,0 +1,17 @@ ++# When the sumdb returns a response which does not ++# include a sum for the requested module, ++# we should report an error. ++# Verifies CVE-2026-42501. ++env sumdb=$GOSUMDB ++env proxy=$GOPROXY ++env GOPROXY GONOPROXY GOSUMDB GONOSUMDB ++ ++# /sumdb-redirect/ causes the sumdb to return /lookup/ responses ++# for rsc.io/quote@v1.0.0, not for the requested module. ++env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/quote@v1.0.0: ++ ++! go get rsc.io/fortune@v1.0.0 ++stderr 'SECURITY ERROR' ++! grep rsc.io go.sum ++-- go.mod -- ++module m +-- +2.43.0 + From 1556a34831b2d96c8a7862493494f3b9fa10d4a9 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:46 +0200 Subject: [PATCH 18/96] go: patch CVE-2026-42504 Backport patch from [1] [1] https://go.dev/cl/774481 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42504.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42504.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 03a1a81fc391..ba4fe9a734ce 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -53,6 +53,7 @@ SRC_URI += "\ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ + file://CVE-2026-42504.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42504.patch b/meta/recipes-devtools/go/go/CVE-2026-42504.patch new file mode 100644 index 000000000000..1ae104ae19f8 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42504.patch @@ -0,0 +1,58 @@ +From 41ca50d68cd74e0a68f3917cd902885c84fedbf7 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 5 May 2026 15:20:34 -0700 +Subject: [PATCH] mime: avoid quadratic complexity in WordDecoder.DecodeHeader + +When encountering an undecodable encoded-word, +skip over the entire word rather than just the initial "=?". + +Fixes #79217 +Fixes CVE-2026-42504 + +Change-Id: I28605faa235459d2ba71bd0f3ae3dce96a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/774481 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-42504 +Upstream-Status: Backport [https://github.com/golang/go/commit/f230dd8a1d0a63d73e92685e378dcd725f7aac00] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/mime/encodedword.go | 4 ++-- + src/mime/encodedword_test.go | 4 ++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/mime/encodedword.go b/src/mime/encodedword.go +index e6b470b1fb..a7059f3bc4 100644 +--- a/src/mime/encodedword.go ++++ b/src/mime/encodedword.go +@@ -275,8 +275,8 @@ func (d *WordDecoder) DecodeHeader(header string) (string, error) { + content, err := decode(encoding, text) + if err != nil { + betweenWords = false +- buf.WriteString(header[:start+2]) +- header = header[start+2:] ++ buf.WriteString(header[:end]) ++ header = header[end:] + continue + } + +diff --git a/src/mime/encodedword_test.go b/src/mime/encodedword_test.go +index 2a98794380..befc3cd996 100644 +--- a/src/mime/encodedword_test.go ++++ b/src/mime/encodedword_test.go +@@ -140,6 +140,10 @@ func TestDecodeHeader(t *testing.T) { + {"=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a?= \r\n\t =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a_b?=", "a b"}, ++ // Undecodable words ++ {"=?UTF-8?b?garbage?= =?UTF-8?b?QW5kcsOp?= =?UTF-8?b?garbage?=", "=?UTF-8?b?garbage?= André =?UTF-8?b?garbage?="}, ++ {"=?UTF-8?b?QW5kcsOp", "=?UTF-8?b?QW5kcsOp"}, ++ {"=?UTF-8?x?y?=?UTF-8?x?y=?", "=?UTF-8?x?y?=?UTF-8?x?y=?"}, + } + + for _, test := range tests { +-- +2.43.0 + From dfcc700ab9e1785a7ac09fafa8732d513202c70b Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Thu, 21 May 2026 12:09:47 +0200 Subject: [PATCH 19/96] go: patch CVE-2026-42507 Backport patch from [1] [1] https://go.dev/cl/777060 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42507.patch | 160 ++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42507.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index ba4fe9a734ce..f67da3e07883 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -54,6 +54,7 @@ SRC_URI += "\ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ file://CVE-2026-42504.patch \ + file://CVE-2026-42507.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42507.patch b/meta/recipes-devtools/go/go/CVE-2026-42507.patch new file mode 100644 index 000000000000..d48b2b53ebac --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42507.patch @@ -0,0 +1,160 @@ +From 943e53a7b667a1570648b5f1c4592b9d9d5b4aac Mon Sep 17 00:00:00 2001 +From: "Nicholas S. Husin" <nsh@golang.org> +Date: Mon, 11 May 2026 18:04:07 -0400 +Subject: [PATCH] net/textproto: escape arbitrary input when including them in + errors + +When returning errors, functions in the net/textproto package would +include its input as part of the error, without any escaping. Note that +said input is often controlled by external parties when using this +package naturally. For example, a net/http client uses ReadMIMEHeader +when parsing the headers it receive from a server. + +As a result, an attacker could inject arbitrary content into the error. +Practically, this can result in an attacker injecting misleading +content, terminal control bytes, etc. into a victim's output or logs. + +Fix this issue by making sure that ProtocolError usages within the +package are properly escaped, and that Error.String will escape its Msg. + +Fixes #79346 +Fixes CVE-2026-42507 + +Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/777060 +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Roland Shoemaker <roland@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Damien Neil <dneil@google.com> + +CVE: CVE-2026-42507 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a7e601d07b67aec8d795c8182ee7257ba7d1960] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/smtp/smtp_test.go | 6 +++--- + src/net/textproto/reader.go | 14 +++++++------- + src/net/textproto/reader_test.go | 6 ++++-- + src/net/textproto/textproto.go | 2 +- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/src/net/smtp/smtp_test.go b/src/net/smtp/smtp_test.go +index 259b10b93d..3e03da5208 100644 +--- a/src/net/smtp/smtp_test.go ++++ b/src/net/smtp/smtp_test.go +@@ -664,7 +664,7 @@ func TestHello(t *testing.T) { + err = c.Hello("customhost") + case 1: + err = c.StartTLS(nil) +- if err.Error() == "502 Not implemented" { ++ if err.Error() == `502 "Not implemented"` { + err = nil + } + case 2: +@@ -922,8 +922,8 @@ func TestAuthFailed(t *testing.T) { + + if err == nil { + t.Error("Auth: expected error; got none") +- } else if err.Error() != "535 Invalid credentials\nplease see www.example.com" { +- t.Errorf("Auth: got error: %v, want: %s", err, "535 Invalid credentials\nplease see www.example.com") ++ } else if err.Error() != `535 "Invalid credentials\nplease see www.example.com"` { ++ t.Errorf("Auth: got error: %v, want: %s", err, `535 "Invalid credentials\nplease see www.example.com"`) + } + + bcmdbuf.Flush() +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 0027efe3ca..b4cd22a6ed 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -213,13 +213,13 @@ func (r *Reader) readCodeLine(expectCode int) (code int, continued bool, message + + func parseCodeLine(line string, expectCode int) (code int, continued bool, message string, err error) { + if len(line) < 4 || line[3] != ' ' && line[3] != '-' { +- err = ProtocolError("short response: " + line) ++ err = ProtocolError(fmt.Sprintf("short response: %q", line)) + return + } + continued = line[3] == '-' + code, err = strconv.Atoi(line[0:3]) + if err != nil || code < 100 { +- err = ProtocolError("invalid response code: " + line) ++ err = ProtocolError(fmt.Sprintf("invalid response code: %q", line)) + return + } + message = line[4:] +@@ -251,7 +251,7 @@ func parseCodeLine(line string, expectCode int) (code int, continued bool, messa + func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err error) { + code, continued, message, err := r.readCodeLine(expectCode) + if err == nil && continued { +- err = ProtocolError("unexpected multi-line response: " + message) ++ err = ProtocolError(fmt.Sprintf("unexpected multi-line response: %q", message)) + } + return + } +@@ -536,7 +536,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + if err != nil { + return m, err + } +- return m, ProtocolError("malformed MIME header initial line: " + string(line)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header initial line: %q", line)) + } + + for { +@@ -548,15 +548,15 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + // Key ends at first colon. + k, v, ok := bytes.Cut(kv, colon) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + key, ok := canonicalMIMEHeaderKey(k) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + for _, c := range v { + if !validHeaderValueByte(c) { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + } + +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 26ff617470..844069a4ad 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -409,6 +409,8 @@ func TestReadMultiLineError(t *testing.T) { + "Unexpected but legal text!\n" + + "5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp" + ++ wantError := `550 "5.1.1 The email account that you tried to reach does not exist. Please try\n5.1.1 double-checking the recipient's email address for typos or\n5.1.1 unnecessary spaces. Learn more at\nUnexpected but legal text!\n5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp"` ++ + code, msg, err := r.ReadResponse(250) + if err == nil { + t.Errorf("ReadResponse: no error, want error") +@@ -419,8 +421,8 @@ func TestReadMultiLineError(t *testing.T) { + if msg != wantMsg { + t.Errorf("ReadResponse: msg=%q, want %q", msg, wantMsg) + } +- if err != nil && err.Error() != "550 "+wantMsg { +- t.Errorf("ReadResponse: error=%q, want %q", err.Error(), "550 "+wantMsg) ++ if err != nil && err.Error() != wantError { ++ t.Errorf("ReadResponse: error=%q, want %q", err.Error(), wantError) + } + } + +diff --git a/src/net/textproto/textproto.go b/src/net/textproto/textproto.go +index 4ae3ecff74..a2291eff2b 100644 +--- a/src/net/textproto/textproto.go ++++ b/src/net/textproto/textproto.go +@@ -38,7 +38,7 @@ type Error struct { + } + + func (e *Error) Error() string { +- return fmt.Sprintf("%03d %s", e.Code, e.Msg) ++ return fmt.Sprintf("%03d %q", e.Code, e.Msg) + } + + // A ProtocolError describes a protocol violation such +-- +2.43.0 + From dd74c1388d5bfefd2adcdb6abd622297138e2eb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marcos=20Costa=20=28Schneider=20Electric=29?= <joaomarcos.costa@bootlin.com> Date: Fri, 22 May 2026 12:46:44 +0200 Subject: [PATCH 20/96] meta/lib/oe/package.py: fix path to kernel sources in save_debugsources_info MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is no more than a backport of the current (i.e., from 'master') version of this same chunk in save_debugsources_info(), where BP is used instead of PF to form the path to the kernel sources. This replacement in package.py is followed by a similar change in meta/classes/create-spdx-2.2.bbclass, so that 'BP' is also used in spdx_get_src() and we don't face any regressions in SPDX v2.2. As a matter of fact, SPDX3 also uses 'BP' in get_patched_src() (from spdx_common.py). Overall, this backport ensures a coherence between Scarthgap and master, namely regarding the how the kernel sources are provided by package.py and consumed by SPDX v2.2 and 3.0. Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com> Co-authored-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/classes/create-spdx-2.2.bbclass | 2 +- meta/lib/oe/package.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 037193bb4b96..61bad66ae064 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -933,7 +933,7 @@ def spdx_get_src(d): share_src = d.getVar('WORKDIR') d.setVar('WORKDIR', spdx_workdir) d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) - src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR') + src_dir = spdx_workdir + "/" + d.getVar('BP') bb.utils.mkdirhier(src_dir) if bb.data.inherits_class('kernel',d): share_src = d.getVar('STAGING_KERNEL_DIR') diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py index ba0d3267811b..fc5185ced45d 100644 --- a/meta/lib/oe/package.py +++ b/meta/lib/oe/package.py @@ -1055,13 +1055,13 @@ def save_debugsources_info(debugsrcdir, sources_raw, d): # we format the sources as expected by spdx by replacing /usr/src/kernel/ # into BP/ kernel_src = d.getVar('KERNEL_SRC_PATH') - pf = d.getVar('PF') + bp = d.getVar('BP') sources_dict = {} for file, src_files in sources_raw: file_clean = file.replace(f"{workdir}/package/","") sources_clean = [ src.replace(f"{debugsrcdir}/{pn}/", "") - if not kernel_src else src.replace(f"{kernel_src}/", f"{pf}/") + if not kernel_src else src.replace(f"{kernel_src}/", f"{bp}/") for src in src_files if not any(keyword in src for keyword in ("<internal>", "<built-in>")) and not src.endswith("/") ] From 4f5c4af9fa044a3e744f0c2d44aa101adcded0ff Mon Sep 17 00:00:00 2001 From: Prabhudasu Vatala <prabhudasuvatala@gmail.com> Date: Mon, 1 Jun 2026 05:40:57 +0530 Subject: [PATCH 21/96] conf/machine: fix typos in ARM and x86 README files Correct spelling errors in the machine include README documentation for both ARM and x86 architectures to improve clarity. ARM changes: - Fix TUNE_PKGACH -> TUNE_PKGARCH. - Fix "definiton" -> "definition". - Fix "Curently" -> "Currently". - Fix "specificed" -> "specified". x86 changes: - Fix "define" -> "defined". - Fix "to to" duplication. Signed-off-by: Prabhudasu Vatala <prabhudasuvatala@gmail.com> (cherry picked from commit a77dd221c31e44a17784c15f5402ef785fb9c1b7) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/conf/machine/include/arm/README | 6 +++--- meta/conf/machine/include/x86/README | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/conf/machine/include/arm/README b/meta/conf/machine/include/arm/README index c5637798e6fd..bccbb1bdee97 100644 --- a/meta/conf/machine/include/arm/README +++ b/meta/conf/machine/include/arm/README @@ -10,7 +10,7 @@ of the existence of the "bigendian" feature in a given tune. A small set of ARM specific variables have been defined to allow TUNE_PKGARCH to be automatically defined. Optimized tunings must NOT -change the definiton of TUNE_PKGARCH. TUNE_PKGACH:tune-<tune> will be +change the definition of TUNE_PKGARCH. TUNE_PKGARCH:tune-<tune> will be ignored. The format of the package arch is enforced by the TUNE_PKGARCH default. The format must be of the form: <armversion>[t][e][hf][b][-vfp][-neon] @@ -22,14 +22,14 @@ ARMPKGARCH - This is the core package arch component specified by each tuning. This is the primary identifier of a tuning. Usual values are: arm, armv4, armv5, armv6, armv7a, etc. -ARMPKGSFX_THUMB - This is the thumb specific suffix. Curently it is +ARMPKGSFX_THUMB - This is the thumb specific suffix. Currently it is defined in feature-arm-thumb.inc. ARMPKGSFX_DSP - This is the DSP specific suffix. Currently this is set to 'e' when on armv5 and the dsp feature is enabled. ARMPKGSFX_EABI - This is the eabi specific suffix. There are currently -two defined ABIs specificed, standard EABI and Hard Float (VFP) EABI. +two defined ABIs specified, standard EABI and Hard Float (VFP) EABI. When the callconvention-hard is enabled, "hf" is specified, otherwise it is blank. diff --git a/meta/conf/machine/include/x86/README b/meta/conf/machine/include/x86/README index 05aee533a71d..f0a1882d8184 100644 --- a/meta/conf/machine/include/x86/README +++ b/meta/conf/machine/include/x86/README @@ -4,7 +4,7 @@ Most of the items for the X86 architectures are defined in the single arch-x86 file. -Three ABIs are define, m32, mx32 and m64. +Three ABIs are defined, m32, mx32 and m64. The following is the list of X86 specific variables: @@ -17,7 +17,7 @@ The TUNE_PKGARCH is defined as follows: TUNE_PKGARCH = ${TUNE_PKGARCH:tune-${DEFAULTTUNE}} The package architecture for 32-bit targets is historical and generally -set to to match the core compatible processor type, i.e. i386. +set to match the core compatible processor type, i.e. i386. For 64-bit architectures, the architecture is expected to end in '_64'. From b0048d8bc8134c445a3352bfb631d41319a75331 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Tue, 12 May 2026 12:49:32 +0530 Subject: [PATCH 22/96] go 1.22.12: fix CVE-2026-27140 Pick patch from [1] also mentioned at Debian report in [2] [1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa [2] https://security-tracker.debian.org/tracker/CVE-2026-27140 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27140.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27140.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f67da3e07883..46d75d13b210 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -41,6 +41,7 @@ SRC_URI += "\ file://CVE-2025-68121_p1.patch \ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ + file://CVE-2026-27140.patch \ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ diff --git a/meta/recipes-devtools/go/go/CVE-2026-27140.patch b/meta/recipes-devtools/go/go/CVE-2026-27140.patch new file mode 100644 index 000000000000..5c9fb31c23d3 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27140.patch @@ -0,0 +1,58 @@ +From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Tue, 24 Feb 2026 23:05:34 +0000 +Subject: [PATCH] [release-branch.go1.25] cmd/go: disallow cgo trust boundary + bypass +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The cgo compiler implicitly trusts generated files +with 'cgo' prefixes; thus, SWIG files containing 'cgo' +in their names will cause bypass of the trust boundary, +leading to code smuggling or arbitrary code execution. + +The cgo compiler will now produce an error if it +encounters any SWIG files containing this prefix. + +Thanks to Juho Forsén of Mattermost for reporting this issue. + +Fixes #78335 +Fixes CVE-2026-27140 + +Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763556 +Reviewed-by: David Chase <drchase@google.com> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> +Auto-Submit: Gopher Robot <gobot@golang.org> + +CVE: CVE-2026-27140 +Upstream-Status: Backport [https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/go/internal/work/exec.go | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go +index 815942a..520c478 100644 +--- a/src/cmd/go/internal/work/exec.go ++++ b/src/cmd/go/internal/work/exec.go +@@ -3347,6 +3347,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) { + + // Run SWIG on one SWIG input file. + func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) { ++ if strings.HasPrefix(file, "cgo") { ++ return "", "", errors.New("SWIG file must not use prefix 'cgo'") ++ } ++ + p := a.Package + sh := b.Shell(a) + +-- +2.50.1 + From c4273fecc42ab643eea036651c79d968f0caaafd Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Tue, 12 May 2026 12:51:06 +0530 Subject: [PATCH 23/96] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144 Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4] [1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc [2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3 [3] https://security-tracker.debian.org/tracker/CVE-2026-27143 [4] https://security-tracker.debian.org/tracker/CVE-2026-27144 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 2 + .../go/go/CVE-2026-27143.patch | 165 ++++++++++++++++++ .../go/go/CVE-2026-27144.patch | 125 +++++++++++++ 3 files changed, 292 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27143.patch create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27144.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 46d75d13b210..7016acd0616e 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -43,6 +43,8 @@ SRC_URI += "\ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27140.patch \ file://CVE-2026-27142.patch \ + file://CVE-2026-27143.patch \ + file://CVE-2026-27144.patch \ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ diff --git a/meta/recipes-devtools/go/go/CVE-2026-27143.patch b/meta/recipes-devtools/go/go/CVE-2026-27143.patch new file mode 100644 index 000000000000..99e7f7639ec6 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27143.patch @@ -0,0 +1,165 @@ +From 7d2dd3488cdfbddda14c18c455d3263df75a46fc Mon Sep 17 00:00:00 2001 +From: Junyang Shao <shaojunyang@google.com> +Date: Fri, 6 Mar 2026 00:03:45 +0000 +Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix loopbce overflow + check logic + +addWillOverflow and subWillOverflow has an implicit assumption that y is +positive, using it outside of addU and subU is really incorrect. This CL +fixes those incorrect usage to use the correct logic in place. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78333 +Fixes CVE-2026-27143 + +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987 +Commit-Queue: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763553 +Reviewed-by: David Chase <drchase@google.com> +Auto-Submit: Gopher Robot <gobot@golang.org> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> + +CVE: CVE-2026-27143 +Upstream-Status: Backport [https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/compile/internal/ssa/loopbce.go | 36 +++++++++++++++++-------- + test/loopbce.go | 28 +++++++++++++++++++ + 2 files changed, 53 insertions(+), 11 deletions(-) + +diff --git a/src/cmd/compile/internal/ssa/loopbce.go b/src/cmd/compile/internal/ssa/loopbce.go +index dd1f39d..1b3e567 100644 +--- a/src/cmd/compile/internal/ssa/loopbce.go ++++ b/src/cmd/compile/internal/ssa/loopbce.go +@@ -204,9 +204,11 @@ func findIndVar(f *Func) []indVar { + if init.AuxInt > v { + return false + } ++ // TODO(1.27): investigate passing a smaller-magnitude overflow limit to addU ++ // for addWillOverflow. + v = addU(init.AuxInt, diff(v, init.AuxInt)/uint64(step)*uint64(step)) + } +- if addWillOverflow(v, step) { ++ if addWillOverflow(v, step, maxSignedValue(ind.Type)) { + return false + } + if inclusive && v != limit.AuxInt || !inclusive && v+1 != limit.AuxInt { +@@ -235,7 +237,7 @@ func findIndVar(f *Func) []indVar { + // ind < knn - k cannot overflow if step is at most k+1 + return step <= k+1 && k != maxSignedValue(limit.Type) + } else { // step < 0 +- if limit.Op == OpConst64 { ++ if limit.isGenericIntConst() { + // Figure out the actual smallest value. + v := limit.AuxInt + if !inclusive { +@@ -249,9 +251,11 @@ func findIndVar(f *Func) []indVar { + if init.AuxInt < v { + return false + } ++ // TODO(1.27): investigate passing a smaller-magnitude underflow limit to subU ++ // for subWillUnderflow. + v = subU(init.AuxInt, diff(init.AuxInt, v)/uint64(-step)*uint64(-step)) + } +- if subWillUnderflow(v, -step) { ++ if subWillUnderflow(v, -step, minSignedValue(ind.Type)) { + return false + } + if inclusive && v != limit.AuxInt || !inclusive && v-1 != limit.AuxInt { +@@ -313,14 +317,22 @@ func findIndVar(f *Func) []indVar { + return iv + } + +-// addWillOverflow reports whether x+y would result in a value more than maxint. +-func addWillOverflow(x, y int64) bool { +- return x+y < x ++// subWillUnderflow checks if x - y underflows the min value. ++// y must be positive. ++func subWillUnderflow(x, y int64, min int64) bool { ++ if y < 0 { ++ base.Fatalf("expecting positive value") ++ } ++ return x < min+y + } + +-// subWillUnderflow reports whether x-y would result in a value less than minint. +-func subWillUnderflow(x, y int64) bool { +- return x-y > x ++// addWillOverflow checks if x + y overflows the max value. ++// y must be positive. ++func addWillOverflow(x, y int64, max int64) bool { ++ if y < 0 { ++ base.Fatalf("expecting positive value") ++ } ++ return x > max-y + } + + // diff returns x-y as a uint64. Requires x>=y. +@@ -341,7 +353,8 @@ func addU(x int64, y uint64) int64 { + x += 1 + y -= 1 << 63 + } +- if addWillOverflow(x, int64(y)) { ++ // TODO(1.27): investigate passing a smaller-magnitude overflow limit in here. ++ if addWillOverflow(x, int64(y), maxSignedValue(types.Types[types.TINT64])) { + base.Fatalf("addU overflowed %d + %d", x, y) + } + return x + int64(y) +@@ -357,7 +370,8 @@ func subU(x int64, y uint64) int64 { + x -= 1 + y -= 1 << 63 + } +- if subWillUnderflow(x, int64(y)) { ++ // TODO(1.27): investigate passing a smaller-magnitude underflow limit in here. ++ if subWillUnderflow(x, int64(y), minSignedValue(types.Types[types.TINT64])) { + base.Fatalf("subU underflowed %d - %d", x, y) + } + return x - int64(y) +diff --git a/test/loopbce.go b/test/loopbce.go +index 04c186b..a4b101b 100644 +--- a/test/loopbce.go ++++ b/test/loopbce.go +@@ -466,6 +466,34 @@ func stride2(x *[7]int) int { + return s + } + ++// This loop should not be proved anything. ++func smallIntUp(arr *[128]int) { ++ for i := int8(0); i <= int8(120); i += int8(10) { ++ arr[i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallIntDown(arr *[128]int) { ++ for i := int8(0); i >= int8(-120); i -= int8(10) { ++ arr[127+i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallUintUp(arr *[128]int) { ++ for i := uint8(0); i <= uint8(250); i += uint8(10) { ++ arr[i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallUintDown(arr *[128]int) { ++ for i := uint8(255); i >= uint8(0); i -= uint8(10) { ++ arr[127+i] = int(i) ++ } ++} ++ + //go:noinline + func useString(a string) { + } +-- +2.50.1 + diff --git a/meta/recipes-devtools/go/go/CVE-2026-27144.patch b/meta/recipes-devtools/go/go/CVE-2026-27144.patch new file mode 100644 index 000000000000..3f791ea49183 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27144.patch @@ -0,0 +1,125 @@ +From 72cc33629a3b26e68f6e6e5564618a1d763896f3 Mon Sep 17 00:00:00 2001 +From: Junyang Shao <shaojunyang@google.com> +Date: Thu, 12 Mar 2026 21:36:33 +0000 +Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix mem access overlap + detection + +When a no-op interface conversion is wrapped around the rhs of an +assignment, the memory overlap detection logic in the compiler failed to +peel down conversion to see the actual pointer, causing an incorrect +no-overlapping determination. + +Thanks to Jakub Ciolek for reporting this issue. + + +Fixes #78371 +Fixes CVE-2026-27144 + +Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4002 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763552 +Auto-Submit: Gopher Robot <gobot@golang.org> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> +Reviewed-by: David Chase <drchase@google.com> + +CVE: CVE-2026-27144 +Upstream-Status: Backport [https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/compile/internal/ssagen/ssa.go | 20 ++++++--- + .../compile/internal/test/memoverlap_test.go | 41 +++++++++++++++++++ + 2 files changed, 55 insertions(+), 6 deletions(-) + create mode 100644 src/cmd/compile/internal/test/memoverlap_test.go + +diff --git a/src/cmd/compile/internal/ssagen/ssa.go b/src/cmd/compile/internal/ssagen/ssa.go +index c794d6f..0214621 100644 +--- a/src/cmd/compile/internal/ssagen/ssa.go ++++ b/src/cmd/compile/internal/ssagen/ssa.go +@@ -1427,6 +1427,16 @@ func (s *state) stmtList(l ir.Nodes) { + } + } + ++func peelConvNop(n ir.Node) ir.Node { ++ if n == nil { ++ return n ++ } ++ for n.Op() == ir.OCONVNOP { ++ n = n.(*ir.ConvExpr).X ++ } ++ return n ++} ++ + // stmt converts the statement n to SSA and adds it to s. + func (s *state) stmt(n ir.Node) { + s.pushLine(n.Pos()) +@@ -1598,12 +1608,10 @@ func (s *state) stmt(n ir.Node) { + // arrays referenced are strictly smaller parts of the same base array. + // If one side of the assignment is a full array, then partial overlap + // can't happen. (The arrays are either disjoint or identical.) +- mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && n.Y.Op() == ir.ODEREF) +- if n.Y != nil && n.Y.Op() == ir.ODEREF { +- p := n.Y.(*ir.StarExpr).X +- for p.Op() == ir.OCONVNOP { +- p = p.(*ir.ConvExpr).X +- } ++ ny := peelConvNop(n.Y) ++ mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && ny.Op() == ir.ODEREF) ++ if ny != nil && ny.Op() == ir.ODEREF { ++ p := peelConvNop(ny.(*ir.StarExpr).X) + if p.Op() == ir.OSPTR && p.(*ir.UnaryExpr).X.Type().IsString() { + // Pointer fields of strings point to unmodifiable memory. + // That memory can't overlap with the memory being written. +diff --git a/src/cmd/compile/internal/test/memoverlap_test.go b/src/cmd/compile/internal/test/memoverlap_test.go +new file mode 100644 +index 0000000..c53288e +--- /dev/null ++++ b/src/cmd/compile/internal/test/memoverlap_test.go +@@ -0,0 +1,41 @@ ++// Copyright 2026 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package test ++ ++import "testing" ++ ++const arrFooSize = 96 ++ ++type arrFoo [arrFooSize]int ++ ++//go:noinline ++func badCopy(dst, src []int) { ++ p := (*[arrFooSize]int)(dst[:arrFooSize]) ++ q := (*[arrFooSize]int)(src[:arrFooSize]) ++ *p = arrFoo(*q) ++} ++ ++//go:noinline ++func goodCopy(dst, src []int) { ++ p := (*[arrFooSize]int)(dst[:arrFooSize]) ++ q := (*[arrFooSize]int)(src[:arrFooSize]) ++ *p = *q ++} ++ ++func TestOverlapedMoveWithNoopIConv(t *testing.T) { ++ h1 := make([]int, arrFooSize+1) ++ h2 := make([]int, arrFooSize+1) ++ for i := range arrFooSize + 1 { ++ h1[i] = i ++ h2[i] = i ++ } ++ badCopy(h1[1:], h1[:arrFooSize]) ++ goodCopy(h2[1:], h2[:arrFooSize]) ++ for i := range arrFooSize + 1 { ++ if h1[i] != h2[i] { ++ t.Errorf("h1 and h2 differ at index %d, expect them to be the same", i) ++ } ++ } ++} +-- +2.50.1 + From 128af716be75ec76203f1d34a8448741e6573d9e Mon Sep 17 00:00:00 2001 From: "Benjamin Robin (Schneider Electric)" <benjamin.robin@bootlin.com> Date: Tue, 3 Mar 2026 17:46:15 +0100 Subject: [PATCH 24/96] avahi: Remove a reference to the rejected CVE-2021-36217 CVE-2021-36217 is rejected, and should no longer be referenced. CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already referenced in the local-ping.patch. The CVE database indicates the following reason: ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (cherry picked from commit bf41240132e2efa6b46aab46290eed9c53e312e9) Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-connectivity/avahi/files/local-ping.patch | 1 - 1 file changed, 1 deletion(-) diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch index 29c192d296e0..8f102815df04 100644 --- a/meta/recipes-connectivity/avahi/files/local-ping.patch +++ b/meta/recipes-connectivity/avahi/files/local-ping.patch @@ -1,4 +1,3 @@ -CVE: CVE-2021-36217 CVE: CVE-2021-3502 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> From 22e8bc2bcfe762c83c00b73a33384e63548e82c0 Mon Sep 17 00:00:00 2001 From: "Benjamin Robin (Schneider Electric)" <benjamin.robin@bootlin.com> Date: Tue, 3 Mar 2026 17:46:17 +0100 Subject: [PATCH 25/96] meta: fix generation of kernel CONFIG_ in SPDX3 With the current solution, using a separate task (do_create_kernel_config_spdx) there is a dependency issue. Sometimes the final rootfs SBOM does not contain the CONFIG_ values. do_create_kernel_config_spdx is executed after do_create_spdx which deploys the SPDX file. do_create_kernel_config_spdx calls oe.sbom30.find_root_obj_in_jsonld to read from the deploy directory, which is OK, but the do_create_kernel_config_spdx ends up writing to this deployed file (updating it). do_create_rootfs_spdx has an explicit dependency to all do_create_spdx tasks, but there is nothing that prevents executing do_create_kernel_config_spdx after do_create_rootfs_spdx. To fix it, instead, now read from the workdir, and write to the workdir, and do the processing from the do_create_spdx task: we append to the do_create_spdx task. Furthermore, update oeqa selftest to execute do_create_spdx instead of removed function. Also only execute this task if create-spdx-3.0 was inherited, previously this code could be executed if create-spdx-2.2 is inherited. (cherry picked from commit 8417f4a186e78a9d309541f5d0e711178bb80488) Fixes: 1fff29a04287 ("kernel.bbclass: Add task to export kernel configuration to SPDX") Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Reviewed-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/classes-recipe/kernel.bbclass | 27 +++++++++++++++------------ meta/lib/oeqa/selftest/cases/spdx.py | 2 +- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 39e198864e40..618324f75ff6 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass @@ -870,14 +870,13 @@ addtask deploy after do_populate_sysroot do_packagedata EXPORT_FUNCTIONS do_deploy -python __anonymous() { - inherits = (d.getVar("INHERIT") or "") - if "create-spdx" in inherits: - bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d) -} +do_create_spdx:append() { + def create_kernel_config_spdx(d): + if not bb.data.inherits_class("create-spdx-3.0", d): + return + if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) != "1": + return -python do_create_kernel_config_spdx() { - if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1": import oe.spdx30 import oe.spdx30_tasks from pathlib import Path @@ -909,9 +908,11 @@ python do_create_kernel_config_spdx() { except Exception as e: bb.error(f"Failed to parse kernel config file: {e}") - build, build_objset = oe.sbom30.find_root_obj_in_jsonld( - d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build - ) + path = oe.sbom30.jsonld_arch_path(d, pkg_arch, "recipes", f"recipe-{pn}", deploydir=deploydir) + build_objset = oe.sbom30.load_jsonld(d, path, required=True) + build = build_objset.find_root(oe.spdx30.build_Build) + if not build: + bb.fatal("No root %s found in %s" % (oe.spdx30.build_Build.__name__, path)) kernel_build = build_objset.add_root( oe.spdx30.build_Build( @@ -930,9 +931,11 @@ python do_create_kernel_config_spdx() { [kernel_build] ) - oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json") + oe.sbom30.write_jsonld_doc(d, build_objset, path) + + create_kernel_config_spdx(d) } -do_create_kernel_config_spdx[depends] = "virtual/kernel:do_configure" +do_create_spdx[depends] += "virtual/kernel:do_configure" # Add using Device Tree support inherit kernel-devicetree diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py index 035f3fe33636..3373988ca403 100644 --- a/meta/lib/oeqa/selftest/cases/spdx.py +++ b/meta/lib/oeqa/selftest/cases/spdx.py @@ -298,7 +298,7 @@ def test_kernel_config_spdx(self): objset = self.check_recipe_spdx( kernel_recipe, spdx_path, - task="do_create_kernel_config_spdx", + task="do_create_spdx", extraconf="""\ INHERIT += "create-spdx" SPDX_INCLUDE_KERNEL_CONFIG = "1" From f8e3cdf31d6d613e54fe2ffaee875811c52754f5 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Fri, 20 Feb 2026 10:40:09 +0530 Subject: [PATCH 26/96] qemu: fix for CVE-2025-11234 This patch fix use after free in websocket handshake code. Backport patch from debian refer : https://security-tracker.debian.org/tracker/CVE-2025-11234 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2025-11234-01.patch | 72 ++++++++ .../qemu/qemu/CVE-2025-11234-02.patch | 174 ++++++++++++++++++ 3 files changed, 248 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 54644dd9241c..b688c2bd125b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -45,6 +45,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2025-12464.patch \ file://0001-python-backport-Remove-deprecated-get_event_loop-cal.patch \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ + file://CVE-2025-11234-01.patch \ + file://CVE-2025-11234-02.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch new file mode 100644 index 000000000000..c3797bc66f6a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch @@ -0,0 +1,72 @@ +From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Tue, 30 Sep 2025 11:58:35 +0100 +Subject: [PATCH] io: move websock resource release to close method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The QIOChannelWebsock object releases all its resources in the +finalize callback. This is later than desired, as callers expect +to be able to call qio_channel_close() to fully close a channel +and release resources related to I/O. + +The logic in the finalize method is at most a failsafe to handle +cases where a consumer forgets to call qio_channel_close. + +This adds equivalent logic to the close method to release the +resources, using g_clear_handle_id/g_clear_pointer to be robust +against repeated invocations. The finalize method is tweaked +so that the GSource is removed before releasing the underlying +channel. + +Reviewed-by: Eric Blake <eblake@redhat.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63) +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> + +CVE: CVE-2025-11234 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + io/channel-websock.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/io/channel-websock.c b/io/channel-websock.c +index de39f0d18..1aac3c88a 100644 +--- a/io/channel-websock.c ++++ b/io/channel-websock.c +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj) + buffer_free(&ioc->encinput); + buffer_free(&ioc->encoutput); + buffer_free(&ioc->rawinput); +- object_unref(OBJECT(ioc->master)); + if (ioc->io_tag) { + g_source_remove(ioc->io_tag); + } + if (ioc->io_err) { + error_free(ioc->io_err); + } ++ object_unref(OBJECT(ioc->master)); + } + + +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc, + QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc); + + trace_qio_channel_websock_close(ioc); ++ buffer_free(&wioc->encinput); ++ buffer_free(&wioc->encoutput); ++ buffer_free(&wioc->rawinput); ++ if (wioc->io_tag) { ++ g_clear_handle_id(&wioc->io_tag, g_source_remove); ++ } ++ if (wioc->io_err) { ++ g_clear_pointer(&wioc->io_err, error_free); ++ } + return qio_channel_close(wioc->master, errp); + } + +-- +2.50.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch new file mode 100644 index 000000000000..364d19457dad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch @@ -0,0 +1,174 @@ +From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Tue, 30 Sep 2025 12:03:15 +0100 +Subject: [PATCH] io: fix use after free in websocket handshake code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the QIOChannelWebsock object is freed while it is waiting to +complete a handshake, a GSource is leaked. This can lead to the +callback firing later on and triggering a use-after-free in the +use of the channel. This was observed in the VNC server with the +following trace from valgrind: + +==2523108== Invalid read of size 4 +==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296) +==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392) +==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105) +==2523108== by 0x44863B4: qio_task_complete (task.c:197) +==2523108== by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588) +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249) +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) +==2523108== by 0x454F300: qemu_default_main (main.c:37) +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) +==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd +==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989) +==2523108== by 0x6EDC444: g_free (gmem.c:208) +==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153) +==2523108== by 0x4053F23: vnc_refresh (vnc.c:3225) +==2523108== by 0x4042881: dpy_refresh (console.c:880) +==2523108== by 0x4042881: gui_update (console.c:90) +==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562) +=2523108== by 0x45EC765: main_loop_wait (main-loop.c:600) +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) +==2523108== by 0x454F300: qemu_default_main (main.c:37) +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) +==2523108== Block was alloc'd at +==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675) +==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133) +==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245) +==2523108== by 0x448591B: qio_net_listener_channel_func (net-listener.c:54) +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249) +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) +==2523108== by 0x454F300: qemu_default_main (main.c:37) +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) +==2523108== + +The above can be reproduced by launching QEMU with + + $ qemu-system-x86_64 -vnc localhost:0,websocket=5700 + +and then repeatedly running: + + for i in {1..100}; do + (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & + done + +CVE-2025-11234 +Reported-by: Grant Millar | Cylo <rid@cylo.io> +Reviewed-by: Eric Blake <eblake@redhat.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9) +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> + +CVE: CVE-2025-11234 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/io/channel-websock.h | 3 ++- + io/channel-websock.c | 22 ++++++++++++++++------ + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h +index e180827c5..6700cf894 100644 +--- a/include/io/channel-websock.h ++++ b/include/io/channel-websock.h +@@ -61,7 +61,8 @@ struct QIOChannelWebsock { + size_t payload_remain; + size_t pong_remain; + QIOChannelWebsockMask mask; +- guint io_tag; ++ guint hs_io_tag; /* tracking handshake task */ ++ guint io_tag; /* tracking watch task */ + Error *io_err; + gboolean io_eof; + uint8_t opcode; +diff --git a/io/channel-websock.c b/io/channel-websock.c +index 1aac3c88a..583ea8618 100644 +--- a/io/channel-websock.c ++++ b/io/channel-websock.c +@@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, + trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err)); + qio_task_set_error(task, err); + qio_task_complete(task); ++ wioc->hs_io_tag = 0; + return FALSE; + } + +@@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, + trace_qio_channel_websock_handshake_complete(ioc); + qio_task_complete(task); + } ++ wioc->hs_io_tag = 0; + return FALSE; + } + trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); +@@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc, + trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err)); + qio_task_set_error(task, err); + qio_task_complete(task); ++ wioc->hs_io_tag = 0; + return FALSE; + } + if (ret == 0) { +@@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc, + error_propagate(&wioc->io_err, err); + + trace_qio_channel_websock_handshake_reply(ioc); +- qio_channel_add_watch( ++ wioc->hs_io_tag = qio_channel_add_watch( + wioc->master, + G_IO_OUT, + qio_channel_websock_handshake_send, +@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock *ioc, + + trace_qio_channel_websock_handshake_start(ioc); + trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); +- qio_channel_add_watch(ioc->master, +- G_IO_IN, +- qio_channel_websock_handshake_io, +- task, +- NULL); ++ ioc->hs_io_tag = qio_channel_add_watch( ++ ioc->master, ++ G_IO_IN, ++ qio_channel_websock_handshake_io, ++ task, ++ NULL); + } + + +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj) + buffer_free(&ioc->encinput); + buffer_free(&ioc->encoutput); + buffer_free(&ioc->rawinput); ++ if (ioc->hs_io_tag) { ++ g_source_remove(ioc->hs_io_tag); ++ } + if (ioc->io_tag) { + g_source_remove(ioc->io_tag); + } +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, + buffer_free(&wioc->encinput); + buffer_free(&wioc->encoutput); + buffer_free(&wioc->rawinput); ++ if (wioc->hs_io_tag) { ++ g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); ++ } + if (wioc->io_tag) { + g_clear_handle_id(&wioc->io_tag, g_source_remove); + } +-- +2.50.1 + From 2abf26e7551a8a306d6aaabc9653f655f66b15a1 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Tue, 24 Mar 2026 10:32:27 +0530 Subject: [PATCH 27/96] libxml-parser-perl: fix for CVE-2006-10003 Pick patch from [1]. [1] https://security-tracker.debian.org/tracker/CVE-2006-10003 More details : https://nvd.nist.gov/vuln/detail/CVE-2006-10003 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../libxml-parser-perl/CVE-2006-10003.patch | 73 +++++++++++++++++++ .../perl/libxml-parser-perl_2.47.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch diff --git a/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch new file mode 100644 index 000000000000..e9a4b692d2db --- /dev/null +++ b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch @@ -0,0 +1,73 @@ +From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001 +From: Toddr Bot <toddbot@rinaldo.us> +Date: Mon, 16 Mar 2026 22:16:11 +0000 +Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack + growth check + +When st_serial_stackptr == st_serial_stacksize - 1, the old check +(stackptr >= stacksize) would not trigger reallocation. The subsequent +++stackptr then writes at index stacksize, one element past the +allocated buffer. + +Fix by checking stackptr + 1 >= stacksize so the buffer is grown +before the pre-increment write. + +Add a deep nesting test (600 levels) to exercise this code path. + +Fixes #39 + +Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> + +CVE: CVE-2006-10003 +Upstream-Status: Backport [https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Expat/Expat.xs | 2 +- + t/deep_nesting.t | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + create mode 100644 t/deep_nesting.t + +diff --git a/Expat/Expat.xs b/Expat/Expat.xs +index dbad380..f04a0cf 100644 +--- a/Expat/Expat.xs ++++ b/Expat/Expat.xs +@@ -499,7 +499,7 @@ startElement(void *userData, const char *name, const char **atts) + } + } + +- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) { ++ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) { + unsigned int newsize = cbv->st_serial_stacksize + 512; + + Renew(cbv->st_serial_stack, newsize, unsigned int); +diff --git a/t/deep_nesting.t b/t/deep_nesting.t +new file mode 100644 +index 0000000..8237b5f +--- /dev/null ++++ b/t/deep_nesting.t +@@ -0,0 +1,22 @@ ++BEGIN { print "1..1\n"; } ++ ++# Test for deeply nested elements to exercise st_serial_stack reallocation. ++# This catches off-by-one errors in the stack growth check (GH #39). ++ ++use XML::Parser; ++ ++my $depth = 600; ++ ++my $xml = ''; ++for my $i (1 .. $depth) { ++ $xml .= "<e$i>"; ++} ++for my $i (reverse 1 .. $depth) { ++ $xml .= "</e$i>"; ++} ++ ++my $p = XML::Parser->new; ++eval { $p->parse($xml) }; ++ ++print "not " if $@; ++print "ok 1\n"; +-- +2.50.1 + diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb index 803164f713d1..6a36b763a833 100644 --- a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb +++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb @@ -8,6 +8,7 @@ DEPENDS += "expat" SRC_URI = "${CPAN_MIRROR}/authors/id/T/TO/TODDR/XML-Parser-${PV}.tar.gz \ file://0001-Makefile.PL-make-check_lib-cross-friendly.patch \ + file://CVE-2006-10003.patch \ " SRC_URI[sha256sum] = "ad4aae643ec784f489b956abe952432871a622d4e2b5c619e8855accbfc4d1d8" From fe96d5bee9c45344e98cda9bac85c9bd853d5a7e Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Wed, 29 Apr 2026 14:42:55 +0530 Subject: [PATCH 28/96] python3: fix for CVE-2026-1502 Pick patch from [1] also mentioned at NVD report in [2] [1] https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502 [3] https://security-tracker.debian.org/tracker/CVE-2026-1502 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python/python3/CVE-2026-1502.patch | 113 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-1502.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-1502.patch b/meta/recipes-devtools/python/python3/CVE-2026-1502.patch new file mode 100644 index 000000000000..be6a8379a85f --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-1502.patch @@ -0,0 +1,113 @@ +From 05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 Mon Sep 17 00:00:00 2001 +From: Seth Larson <seth@python.org> +Date: Fri, 10 Apr 2026 10:21:42 -0500 +Subject: [PATCH] gh-146211: Reject CR/LF in HTTP tunnel request headers + (#146212) + +Co-authored-by: Illia Volochii <illia.volochii@gmail.com> + +CVE: CVE-2026-1502 +Upstream-Status: Backport [https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Lib/http/client.py | 11 ++++- + Lib/test/test_httplib.py | 45 +++++++++++++++++++ + ...-03-20-09-29-42.gh-issue-146211.PQVbs7.rst | 2 + + 3 files changed, 57 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst + +diff --git a/Lib/http/client.py b/Lib/http/client.py +index 70451d6..7db4807 100644 +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -972,13 +972,22 @@ class HTTPConnection: + return ip + + def _tunnel(self): ++ if _contains_disallowed_url_pchar_re.search(self._tunnel_host): ++ raise ValueError('Tunnel host can\'t contain control characters %r' ++ % (self._tunnel_host,)) + connect = b"CONNECT %s:%d %s\r\n" % ( + self._wrap_ipv6(self._tunnel_host.encode("idna")), + self._tunnel_port, + self._http_vsn_str.encode("ascii")) + headers = [connect] + for header, value in self._tunnel_headers.items(): +- headers.append(f"{header}: {value}\r\n".encode("latin-1")) ++ header_bytes = header.encode("latin-1") ++ value_bytes = value.encode("latin-1") ++ if not _is_legal_header_name(header_bytes): ++ raise ValueError('Invalid header name %r' % (header_bytes,)) ++ if _is_illegal_header_value(value_bytes): ++ raise ValueError('Invalid header value %r' % (value_bytes,)) ++ headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes)) + headers.append(b"\r\n") + # Making a single send() call instead of one per line encourages + # the host OS to use a more optimal packet size instead of +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py +index e46dac0..e027d93 100644 +--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -369,6 +369,51 @@ class HeaderTests(TestCase): + with self.assertRaisesRegex(ValueError, 'Invalid header'): + conn.putheader(name, value) + ++ def test_invalid_tunnel_headers(self): ++ cases = ( ++ ('Invalid\r\nName', 'ValidValue'), ++ ('Invalid\rName', 'ValidValue'), ++ ('Invalid\nName', 'ValidValue'), ++ ('\r\nInvalidName', 'ValidValue'), ++ ('\rInvalidName', 'ValidValue'), ++ ('\nInvalidName', 'ValidValue'), ++ (' InvalidName', 'ValidValue'), ++ ('\tInvalidName', 'ValidValue'), ++ ('Invalid:Name', 'ValidValue'), ++ (':InvalidName', 'ValidValue'), ++ ('ValidName', 'Invalid\r\nValue'), ++ ('ValidName', 'Invalid\rValue'), ++ ('ValidName', 'Invalid\nValue'), ++ ('ValidName', 'InvalidValue\r\n'), ++ ('ValidName', 'InvalidValue\r'), ++ ('ValidName', 'InvalidValue\n'), ++ ) ++ for name, value in cases: ++ with self.subTest((name, value)): ++ conn = client.HTTPConnection('example.com') ++ conn.set_tunnel('tunnel', headers={ ++ name: value ++ }) ++ conn.sock = FakeSocket('') ++ with self.assertRaisesRegex(ValueError, 'Invalid header'): ++ conn._tunnel() # Called in .connect() ++ ++ def test_invalid_tunnel_host(self): ++ cases = ( ++ 'invalid\r.host', ++ '\ninvalid.host', ++ 'invalid.host\r\n', ++ 'invalid.host\x00', ++ 'invalid host', ++ ) ++ for tunnel_host in cases: ++ with self.subTest(tunnel_host): ++ conn = client.HTTPConnection('example.com') ++ conn.set_tunnel(tunnel_host) ++ conn.sock = FakeSocket('') ++ with self.assertRaisesRegex(ValueError, 'Tunnel host can\'t contain control characters'): ++ conn._tunnel() # Called in .connect() ++ + def test_headers_debuglevel(self): + body = ( + b'HTTP/1.1 200 OK\r\n' +diff --git a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst +new file mode 100644 +index 0000000..4993633 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst +@@ -0,0 +1,2 @@ ++Reject CR/LF characters in tunnel request headers for the ++HTTPConnection.set_tunnel() method. +-- +2.50.1 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 5fa25235fe85..da7e3c604e00 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ + file://CVE-2026-1502.patch \ " SRC_URI:append:class-native = " \ From 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Wed, 29 Apr 2026 17:59:02 +0530 Subject: [PATCH 29/96] python3: fix CVE-2026-6100 Pick patch from [1] also mentioned at NVD report in [2] [1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100 [3] https://security-tracker.debian.org/tracker/CVE-2026-6100 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python/python3/CVE-2026-6100.patch | 75 +++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6100.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6100.patch b/meta/recipes-devtools/python/python3/CVE-2026-6100.patch new file mode 100644 index 000000000000..9084101434bf --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-6100.patch @@ -0,0 +1,75 @@ +From c3cf71c3366fe49acb776a639405c0eea6169c20 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 13 Apr 2026 03:35:24 +0200 +Subject: [PATCH] [3.13] gh-148395: Fix a possible UAF in + `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) (#148479) + +gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) + +Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress +(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2) + +Co-authored-by: Stan Ulbrych <stan@python.org> + +CVE: CVE-2026-6100 +Upstream-Status: Backport [https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++ + Modules/_bz2module.c | 1 + + Modules/_lzmamodule.c | 1 + + Modules/zlibmodule.c | 1 + + 4 files changed, 8 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst + +diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst +new file mode 100644 +index 0000000..9502189 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst +@@ -0,0 +1,5 @@ ++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, ++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` ++when memory allocation fails with :exc:`MemoryError`, which could let a ++subsequent :meth:`!decompress` call read or write through a stale pointer to ++the already-released caller buffer. +diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c +index 97bd44b..a732e89 100644 +--- a/Modules/_bz2module.c ++++ b/Modules/_bz2module.c +@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length) + return result; + + error: ++ bzs->next_in = NULL; + Py_XDECREF(result); + return NULL; + } +diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c +index 7bbd656..103a6ef 100644 +--- a/Modules/_lzmamodule.c ++++ b/Modules/_lzmamodule.c +@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length) + return result; + + error: ++ lzs->next_in = NULL; + Py_XDECREF(result); + return NULL; + } +diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c +index f94c57e..9759593 100644 +--- a/Modules/zlibmodule.c ++++ b/Modules/zlibmodule.c +@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data, + return result; + + error: ++ self->zst.next_in = NULL; + Py_XDECREF(result); + return NULL; + } +-- +2.50.1 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index da7e3c604e00..4865178572c2 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ file://CVE-2026-1502.patch \ + file://CVE-2026-6100.patch \ " SRC_URI:append:class-native = " \ From b66a3f975666d9074f0e377ccece1aad2c347da8 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Tue, 12 May 2026 14:29:19 +0530 Subject: [PATCH 30/96] xserver-xorg: Fix CVE-2026-33999 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-33999 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xserver-xorg/CVE-2026-33999.patch | 49 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch new file mode 100644 index 000000000000..cd3bf47397d5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch @@ -0,0 +1,49 @@ +From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001 +From: Peter Harris <pharris2@rocketsoftware.com> +Date: Thu, 15 Jan 2026 15:54:09 -0500 +Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap + +If the "compat" buffer has previously been truncated, there will be +unused space in the buffer. The code uses this space, but does not +update the number of valid entries in the buffer. + +In the best case, this leads to the new compat entries being ignored. In the +worst case, if there are any "skipped" compat entries, the number of +valid entries will be corrupted, potentially leading to a buffer read +overrun when processing a future request. + +Set the number of used "compat" entries when re-using previously +allocated space in the buffer. + +CVE-2026-33999, ZDI-CAN-28593 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Peter Harris <pharris2@rocketsoftware.com> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b] +CVE: CVE-2026-33999 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 137d70d..2b9004a 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + } + } +- else if (req->truncateSI) { ++ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { + compat->num_si = req->firstSI + req->nSI; + } + sym = &compat->sym_interpret[req->firstSI]; +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 7f6197a0b418..ef7f5c5bdb96 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \ file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \ file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ + file://CVE-2026-33999.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From 3611b45c3c0144172c032964bf0d601dba649b49 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Tue, 12 May 2026 14:29:20 +0530 Subject: [PATCH 31/96] xserver-xorg: Fix CVE-2026-34000 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34000 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xserver-xorg/CVE-2026-34000.patch | 72 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch new file mode 100644 index 000000000000..7ce7cfa80c0a --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch @@ -0,0 +1,72 @@ +From 81b6a34f90b28c32ad499a78a4f391b7c06daea2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 16:03:11 +0100 +Subject: [PATCH] xkb: Fix bounds check in _CheckSetGeom() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585) + == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607) + == by 0x5AC952: _XkbSetGeometry (xkb.c:5643) + == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684) + == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E13B0: AllocateInputBuffer (io.c:981) + == by 0x5E05CD: InsertFakeRequest (io.c:516) + == by 0x4AA860: NextAvailableClient (dispatch.c:3629) + == by 0x5DE0D7: AllocNewConnection (connection.c:628) + == by 0x5DE2C6: EstablishNewConnections (connection.c:692) + == by 0x5DE600: HandleNotifyFd (connection.c:809) + == by 0x5E2598: ospoll_wait (ospoll.c:660) + == by 0x5DA00C: WaitForSomething (WaitFor.c:208) + == by 0x4A26E5: Dispatch (dispatch.c:493) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +Each key alias entry contains two key names (the alias and the real key +name), each of size XkbKeyNameLength. + +The current bounds check only validates the first name, allowing +XkbAddGeomKeyAlias to potentially read uninitialized memory when +accessing the second name at &wire[XkbKeyNameLength]. + +To fix this, change the value to check to use 2 * XkbKeyNameLength to +validate the bounds. + +CVE-2026-34000, ZDI-CAN-28679 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2] +CVE: CVE-2026-34000 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 2b9004a..1ba638b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5603,7 +5603,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + } + + for (i = 0; i < req->nKeyAliases; i++) { +- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength)) + return BadLength; + + if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index ef7f5c5bdb96..658a608b5ea0 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -6,6 +6,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \ file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ file://CVE-2026-33999.patch \ + file://CVE-2026-34000.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From b85d3abfc5a1fd05c3a82f1f03579df493094719 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Tue, 12 May 2026 14:29:21 +0530 Subject: [PATCH 32/96] xserver-xorg: Fix CVE-2026-34001 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34001 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xserver-xorg/CVE-2026-34001.patch | 104 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch new file mode 100644 index 000000000000..a438f5ffcdde --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch @@ -0,0 +1,104 @@ +From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 16:23:23 +0100 +Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence() + +As reported by valgrind: + + == Invalid read of size 8 + == at 0x568C14: miSyncTriggerFence (misync.c:140) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd + == at 0x4843E43: free (vg_replace_malloc.c:990) + == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) + == by 0x53F14D: FreeAwait (sync.c:1208) + == by 0x4DFB06: doFreeResource (resource.c:888) + == by 0x4DFC59: FreeResource (resource.c:918) + == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) + == by 0x568C52: miSyncTriggerFence (misync.c:142) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Block was alloc'd at + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E50E1: XNFalloc (utils.c:1129) + == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) + == by 0x53DCA8: SyncInitTrigger (sync.c:414) + == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) + == by 0x540D04: ProcSyncDispatch (sync.c:2160) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +When walking the list of fences to trigger, miSyncTriggerFence() may +call TriggerFence() for the current trigger, which end up calling the +function SyncAwaitTriggerFired(). + +SyncAwaitTriggerFired() frees the entire await resource, which removes +all triggers from that await - including pNext which may be another +trigger from the same await attached to the same fence. + +On the next iteration, ptl = pNext points to freed memory... + +To avoid the issue, we need to restart the iteration from the beginning +of the list each time a trigger fires, since the callback can modify the +list. + +CVE-2026-34001, ZDI-CAN-28706 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0] +CVE: CVE-2026-34001 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + miext/sync/misync.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/miext/sync/misync.c b/miext/sync/misync.c +index 0931803..e11eba2 100644 +--- a/miext/sync/misync.c ++++ b/miext/sync/misync.c +@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) + void + miSyncTriggerFence(SyncFence * pFence) + { +- SyncTriggerList *ptl, *pNext; ++ SyncTriggerList *ptl; ++ Bool triggered; + + pFence->funcs.SetTriggered(pFence); + + /* run through triggers to see if any fired */ +- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { +- pNext = ptl->next; +- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) +- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); +- } ++ do { ++ triggered = FALSE; ++ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { ++ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { ++ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); ++ triggered = TRUE; ++ break; ++ } ++ } ++ } while (triggered); + } + + SyncScreenFuncsPtr +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 658a608b5ea0..dfed2c2437ca 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -7,6 +7,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ + file://CVE-2026-34001.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From 5c30b1e0dd0e1cb65091787c9c931d3d16c0f93c Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Tue, 12 May 2026 14:29:22 +0530 Subject: [PATCH 33/96] xserver-xorg: Fix CVE-2026-34002 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34002 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xserver-xorg/CVE-2026-34002.patch | 93 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch new file mode 100644 index 000000000000..131caefcd5ea --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch @@ -0,0 +1,93 @@ +From f056ce1cc96ed9261052c31524162c78e458f98c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 17:02:09 +0100 +Subject: [PATCH] xkb: Fix out-of-bounds read in CheckModifierMap() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x547E5B: CheckModifierMap (xkb.c:1972) + == by 0x54A086: _XkbSetMapChecks (xkb.c:2574) + == by 0x54A845: ProcXkbSetMap (xkb.c:2741) + == by 0x556EF4: ProcXkbDispatch (xkb.c:7048) + == by 0x454A8C: Dispatch (dispatch.c:553) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x592D5A: AllocateInputBuffer (io.c:981) + == by 0x591F77: InsertFakeRequest (io.c:516) + == by 0x45CA27: NextAvailableClient (dispatch.c:3629) + == by 0x58FA81: AllocNewConnection (connection.c:628) + == by 0x58FC70: EstablishNewConnections (connection.c:692) + == by 0x58FFAA: HandleNotifyFd (connection.c:809) + == by 0x593F42: ospoll_wait (ospoll.c:660) + == by 0x58B9B6: WaitForSomething (WaitFor.c:208) + == by 0x4548AC: Dispatch (dispatch.c:493) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + +The issue is that the loop in CheckModifierMap() reads from wire without +verifying that the data is within the request bounds. + +The req->totalModMapKeys value could exceed the actual data provided, +causing reads of uninitialized memory. + +To fix that issue, we add a bounds check using _XkbCheckRequestBounds, +but for that, we need to also pass a ClientPtr parameter, which is not +a problem since CheckModifierMap() is a private, static function. + +CVE-2026-34002, ZDI-CAN-28737 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c] +CVE: CVE-2026-34002 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 1ba638b..3fcc6c4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + + static int +-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, +- int *errRtrn) ++CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, ++ CARD8 **wireRtrn, int *errRtrn) + { + register CARD8 *wire = *wireRtrn; + CARD8 *start; +@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, + } + start = wire; + for (i = 0; i < req->totalModMapKeys; i++, wire += 2) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]); + return 0; +@@ -2568,7 +2572,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + return BadValue; + } + if ((req->present & XkbModifierMapMask) && +- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index dfed2c2437ca..2f7edd16a19e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -8,6 +8,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ + file://CVE-2026-34002.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From 5faf37e3de47291cffed048ae20d91033d94d686 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Tue, 12 May 2026 14:29:23 +0530 Subject: [PATCH 34/96] xserver-xorg: Fix CVE-2026-34003 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34003 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xserver-xorg/CVE-2026-34003-1.patch | 113 +++++++++ .../xserver-xorg/CVE-2026-34003-2.patch | 223 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 2 + 3 files changed, 338 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch new file mode 100644 index 000000000000..3a1a9db8cb31 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch @@ -0,0 +1,113 @@ +From b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 23 Feb 2026 15:52:49 +0100 +Subject: [PATCH] xkb: Add additional bound checking in CheckKeyTypes() + +The function CheckKeyTypes() will loop over the client's request but +won't perform any additional bound checking to ensure that the data +read remains within the request bounds. + +As a result, a specifically crafted request may cause CheckKeyTypes() to +read past the request data, as reported by valgrind: + + == Invalid read of size 2 + == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 30 bytes after a block of size 28,672 in arena "client" + == + == Invalid read of size 2 + == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + == Invalid write of size 2 + == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + +To avoid that issue, add additional bounds checking within the loops by +calling _XkbCheckRequestBounds() and report an error if we are to read +past the client's request. + +CVE-2026-34003, ZDI-CAN-28736 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3fcc6c4..0ef634b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client, + for (i = 0; i < req->nTypes; i++) { + unsigned width; + ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->virtualMods); + } +@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client, + xkbModsWireDesc *preWire; + + mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; ++ if (!_XkbCheckRequestBounds(client, req, mapWire, ++ &mapWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); ++ return 0; ++ } + preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; ++ if (wire->preserve && ++ !_XkbCheckRequestBounds(client, req, preWire, ++ &preWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); ++ return 0; ++ } + for (n = 0; n < wire->nMapEntries; n++) { + if (client->swapped && doswap) { + swaps(&mapWire[n].virtualMods); +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch new file mode 100644 index 000000000000..15b2b946d504 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch @@ -0,0 +1,223 @@ +From d38c563fab5c4a554e0939da39e4d1dadef7cbae Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 2 Mar 2026 14:09:57 +0100 +Subject: [PATCH] xkb: Add more _XkbCheckRequestBounds() + +Similar to the recent fixes, add more _XkbCheckRequestBounds() to the +functions that loop over the request data, i.e.: + + * CheckKeySyms() + * CheckKeyActions() + * CheckKeyBehaviors() + * CheckVirtualMods() + * CheckKeyExplicit() + * CheckVirtualModMap() + * _XkbSetMapChecks() + +All these are static functions so we can add the client to the parameters +without breaking any API. + +See also: +CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737 + +v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives. + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 55 insertions(+), 14 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 0ef634b..6320914 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client, + KeySym *pSyms; + register unsigned nG; + ++ /* Check we received enough data to read the next xkbSymMapWireDesc */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->nSyms); + } +@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client, + return 0; + } + pSyms = (KeySym *) &wire[1]; ++ if (wire->nSyms != 0) { ++ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { ++ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); ++ return 0; ++ } ++ } + wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; + } + +@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client, + } + + static int +-CheckKeyActions(XkbDescPtr xkb, +- xkbSetMapReq * req, +- int nTypes, +- CARD8 *mapWidths, +- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) ++CheckKeyActions(ClientPtr client, ++ XkbDescPtr xkb, ++ xkbSetMapReq * req, ++ int nTypes, ++ CARD8 *mapWidths, ++ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) + { + int nActs; + CARD8 *wire = *wireRtrn; +@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb, + CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), + 0); + for (nActs = i = 0; i < req->nKeyActs; i++) { ++ /* Check we received enough data to read the next byte on the wire */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); ++ return 0; ++ } + if (wire[0] != 0) { + if (wire[0] == symsPerKey[i + req->firstKeyAct]) + nActs += wire[0]; +@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb, + } + + static int +-CheckKeyBehaviors(XkbDescPtr xkb, ++CheckKeyBehaviors(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) + { +@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { ++ /* Check we received enough data to read the next behavior */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x36, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); + return 0; +@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + static int +-CheckVirtualMods(XkbDescRec * xkb, ++CheckVirtualMods(ClientPtr client, ++ XkbDescRec * xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb, + if (req->virtualMods & bit) + nMods++; + } ++ /* Check we received enough data for the number of virtual mods expected */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { ++ *errorRtrn = _XkbErrCode3(0x37, nMods, i); ++ return 0; ++ } + *wireRtrn = (wire + XkbPaddedSize(nMods)); + return 1; + } + + static int +-CheckKeyExplicit(XkbDescPtr xkb, ++CheckKeyExplicit(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + start = wire; + for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { ++ /* Check we received enough data to read the next two bytes */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errorRtrn = _XkbErrCode4(0x54, first, last, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); + return 0; +@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, + } + + static int +-CheckVirtualModMap(XkbDescPtr xkb, ++CheckVirtualModMap(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbVModMapWireDesc ** wireRtrn, int *errRtrn) + { +@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb, + return 0; + } + for (i = 0; i < req->totalVModMapKeys; i++, wire++) { ++ /* Check we received enough data to read the next virtual mod map key */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errRtrn = _XkbErrCode3(0x74, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); + return 0; +@@ -2563,7 +2604,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + + if ((req->present & XkbKeyActionsMask) && +- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, ++ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, + (CARD8 **) &values, &nActions))) { + client->errorValue = nActions; + return BadValue; +@@ -2571,18 +2612,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + + if ((req->present & XkbKeyBehaviorsMask) && + (!CheckKeyBehaviors +- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + + if ((req->present & XkbVirtualModsMask) && +- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + if ((req->present & XkbExplicitComponentsMask) && +- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +@@ -2593,7 +2634,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + if ((req->present & XkbVirtualModMapMask) && + (!CheckVirtualModMap +- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 2f7edd16a19e..110b3bbbdf0e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -9,6 +9,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ file://CVE-2026-34002.patch \ + file://CVE-2026-34003-1.patch \ + file://CVE-2026-34003-2.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From 9a32956dd5dcbcc380780bc25e4303280f2ca9f9 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Tue, 2 Jun 2026 10:09:38 +0200 Subject: [PATCH 35/96] setuptools3_legacy: ensure ${B} is clean We do builds in a separate directory in this class, so add it to cleandirs to ensure that it is empty. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2575adeceedae72f6359c0a35ec5c5325a4ec363) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/classes-recipe/setuptools3_legacy.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes-recipe/setuptools3_legacy.bbclass b/meta/classes-recipe/setuptools3_legacy.bbclass index 264b1f5cfb1e..45f567391db7 100644 --- a/meta/classes-recipe/setuptools3_legacy.bbclass +++ b/meta/classes-recipe/setuptools3_legacy.bbclass @@ -17,6 +17,7 @@ inherit setuptools3-base B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" SETUPTOOLS_BUILD_ARGS ?= "" SETUPTOOLS_INSTALL_ARGS ?= "--root=${D} \ From a0151ab56cf3fcaa6587e240b5454fed5315a534 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Tue, 2 Jun 2026 10:09:39 +0200 Subject: [PATCH 36/96] setuptools3: clean the build directory in configure It's not currently possible to set the build tree to be somewhere we control, but we know it will always be in the build directory alongside the setup.py so we can [cleandirs] that. MJ: helps with build/lib directory being added when a recipe is rebuilt in the same WORKDIR multiple times, e.g.: Just rebuilding python3-tqdm in the same TMPDIR after cherry-picking this: $ buildhistory-diff -p buildhistory build-minus-1 | grep PKGSIZE python3-google-auth/python3-google-auth: PKGSIZE changed from 11752510 to 1315694 (-89%) python3-googleapis-common-protos/python3-googleapis-common-protos: PKGSIZE changed from 7108856 to 794024 (-89%) $ wc -l python3-google-auth/2.29.0*/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD 554 python3-google-auth/2.29.0-old/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD 66 python3-google-auth/2.29.0/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD $ wc -l python3-googleapis-common-protos/1.63.0*/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD 1166 python3-googleapis-common-protos/1.63.0-old/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD 134 python3-googleapis-common-protos/1.63.0/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> (cherry picked from commit f3854f4f60801e3b6788bee3a0a1850fc498d536) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/classes-recipe/setuptools3.bbclass | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/classes-recipe/setuptools3.bbclass b/meta/classes-recipe/setuptools3.bbclass index d71a08953980..c4fd30020aab 100644 --- a/meta/classes-recipe/setuptools3.bbclass +++ b/meta/classes-recipe/setuptools3.bbclass @@ -15,6 +15,9 @@ SETUPTOOLS_SETUP_PATH ?= "${S}" setuptools3_do_configure() { : } +# This isn't nice, but is the best solutions to ensure clean builds for now. +# https://github.com/pypa/setuptools/issues/4732 +do_configure[cleandirs] = "${SETUPTOOLS_SETUP_PATH}/build" setuptools3_do_compile() { cd ${SETUPTOOLS_SETUP_PATH} From d4950d6df0867dcd5c380d83ac4d138ec968e698 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Tue, 2 Jun 2026 10:09:40 +0200 Subject: [PATCH 37/96] python_setuptools_build_meta: clean the build directory in configure It's not currently possible to set the build tree to be somewhere we control, but we know it will always be in the build directory alongside the pyproject.toml so we can [cleandirs] that. MJ: this was later reverted in a532cb50151d773c1c351ffccf4d47a37f26f8aa: This is not needed: setuptools.build_meta does the build under a new temporary directory. but the builds in scarthgap aren't using new temporary directory yet, so this is still useful there: Just rebuilding python3-tqdm in the same TMPDIR after cherry-picking this: $ buildhistory-diff -p buildhistory build-minus-1 | grep PKGSIZE python3-tqdm/python3-tqdm: PKGSIZE changed from 3309408 to 426880 (-87%) $ wc -l python3-tqdm/4.66.3*/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD 297 python3-tqdm/4.66.3-old/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD 41 python3-tqdm/4.66.3/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> (cherry picked from commit 383862cfe4c5acf04124080827c8bc6d00b2e86d) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/classes-recipe/python_setuptools_build_meta.bbclass | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/classes-recipe/python_setuptools_build_meta.bbclass b/meta/classes-recipe/python_setuptools_build_meta.bbclass index 4c84d1e8d0bb..046b4ffb74f0 100644 --- a/meta/classes-recipe/python_setuptools_build_meta.bbclass +++ b/meta/classes-recipe/python_setuptools_build_meta.bbclass @@ -7,3 +7,7 @@ inherit setuptools3-base python_pep517 DEPENDS += "python3-setuptools-native python3-wheel-native" + +# This isn't nice, but is the best solutions to ensure clean builds for now. +# https://github.com/pypa/setuptools/issues/4732 +do_configure[cleandirs] = "${PEP517_SOURCE_PATH}/build" From d716fe7e4f1dd2156be8773408611bb979a94d5d Mon Sep 17 00:00:00 2001 From: Mark Hatle <mark.hatle@kernel.crashing.org> Date: Wed, 3 Jun 2026 16:57:39 -0500 Subject: [PATCH 38/96] pseudo: Update to version 1.9.8 Changelog: Makefile.in: Bump to 1.9.8 pseudo_client.h: Fix typo in the comment client: permissions drop setuid and setgid tests: Add setuid permission check pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir tests: Add test that returned stat is correct pseudo_client.h: Make it clear both macros must be updated together Makefile.in: Add pseudo_client.h as a dependency Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 1ca1ebd6bf23..3d7dd62448f8 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "5b7c4b59e7e198aab54b35ea194aeb6d99794f96" +SRCREV = "823895ba708c63f6ae4dcbfc266210f26c02c698" S = "${WORKDIR}/git" -PV = "1.9.7" +PV = "1.9.8" # largefile and 64bit time_t support adds these macros via compiler flags globally # remove them for pseudo since pseudo intercepts some of the functions which will be From 36ee08f01311253bca4c4f8387446d35a55cc840 Mon Sep 17 00:00:00 2001 From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Date: Thu, 11 Jun 2026 15:50:38 +0200 Subject: [PATCH 39/96] openssh: fix CVE-2026-35386 CVE-2026-35386 is already fixed by the existing CVE-2025-61984 backport. Rename CVE-2025-61984.patch to CVE-2025-61984_CVE-2026-35386.patch and add the second CVE tag to document that one patch covers both CVEs. https://nvd.nist.gov/vuln/detail/CVE-2026-35386 Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- ...CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} | 2 +- meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-connectivity/openssh/openssh/{CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} (99%) diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch similarity index 99% rename from meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch rename to meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch index f705410b2401..7fcb02d613ea 100644 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch @@ -32,7 +32,7 @@ Slightly modified since variable expansion of user names was first released in 10.0, commit bd30cf784d6e8" Upstream-Status: Backport [Upstream commit https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043] -CVE: CVE-2025-61984 +CVE: CVE-2025-61984 CVE-2026-35386 Signed-off-by: David Nyström <david.nystrom@est.tech> --- ssh.c | 26 +++++++++++++++++++++++--- diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index a1b5d4a55357..ea158b56b419 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb @@ -33,7 +33,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-26465.patch \ file://CVE-2025-32728.patch \ file://CVE-2025-61985.patch \ - file://CVE-2025-61984.patch \ + file://CVE-2025-61984_CVE-2026-35386.patch \ file://CVE-2026-35385.patch \ file://CVE-2026-35387.patch \ file://CVE-2026-35388.patch \ From 5a9bd4598fb446330c991fb51eaed372d96f39ff Mon Sep 17 00:00:00 2001 From: Naman Jain <nmjain23@gmail.com> Date: Fri, 12 Jun 2026 09:11:33 +0530 Subject: [PATCH 40/96] tiff: fix CVE-2026-4775 Fix CVE-2026-4775 Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c Signed-off-by: Naman Jain <namanj1@kpit.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../libtiff/tiff/CVE-2026-4775.patch | 59 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch new file mode 100644 index 000000000000..ed5f0714a614 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch @@ -0,0 +1,59 @@ +From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 22 Feb 2026 23:32:47 +0100 +Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap + overflow on images with huge width in YCbCr tile decoding functions + +Fixes https://gitlab.com/libtiff/libtiff/-/issues/787 + +CVE: CVE-2026-4775 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c] + +Signed-off-by: Naman Jain <namanj1@kpit.com> +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4543dddae..fa82d0910 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + uint32_t *cp1 = cp + w + toskew; + uint32_t *cp2 = cp1 + w + toskew; + uint32_t *cp3 = cp2 + w + toskew; +- int32_t incr = 3 * w + 4 * toskew; ++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew; + + (void)y; + /* adjust fromskew */ +@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + { + uint32_t *cp1 = cp + w + toskew; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + + (void)y; + fromskew = (fromskew / 4) * (4 * 2 + 2); +@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 2) * (2 * 2 + 2); + cp2 = cp + w + toskew; +@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 1) * (1 * 2 + 2); + cp2 = cp + w + toskew; +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 07540692fcf6..fca846589fdb 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-52356.patch \ file://CVE-2024-7006.patch \ file://CVE-2025-9900.patch \ + file://CVE-2026-4775.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" From e0285488a93cf3b369ad7424d55938791f57174f Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Fri, 12 Jun 2026 06:16:16 -0700 Subject: [PATCH 41/96] go: fix CVE-2025-58183 This patch applies the upstream fix [1], as referenced in [2], to address unbounded memory consumption when reading GNU tar pax 1.0 sparse file regions in archive/tar. [1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556 [2] https://security-tracker.debian.org/tracker/CVE-2025-58183 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-58183 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58183.patch | 107 ++++++++++++++++++ 2 files changed, 108 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58183.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 7016acd0616e..f6feb1d0b5f6 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -58,6 +58,7 @@ SRC_URI += "\ file://CVE-2026-42501.patch \ file://CVE-2026-42504.patch \ file://CVE-2026-42507.patch \ + file://CVE-2025-58183.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58183.patch b/meta/recipes-devtools/go/go/CVE-2025-58183.patch new file mode 100644 index 000000000000..51a4f02ddcd5 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58183.patch @@ -0,0 +1,107 @@ +From c25bf45db0b232e8ad9d2bc53e61678ebc5efe90 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 11 Sep 2025 13:32:10 -0700 +Subject: [PATCH] [release-branch.go1.24] archive/tar: set a limit on the + size of GNU sparse file 1.0 regions + +Sparse files in tar archives contain only the non-zero components +of the file. There are several different encodings for sparse +files. When reading GNU tar pax 1.0 sparse files, archive/tar did +not set a limit on the size of the sparse region data. A malicious +archive containing a large number of sparse blocks could cause +archive/tar to read an unbounded amount of data from the archive +into memory. + +Since a malicious input can be highly compressable, a small +compressed input could cause very large allocations. + +Cap the size of the sparse block data to the same limit used +for PAX headers (1 MiB). + +Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/) +for reporting this issue. + +Fixes CVE-2025-58183 +For #75677 +Fixes #75710 + +CVE: CVE-2025-58183 +Upstream-Status: Backport [https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556] + +Backport Changes: +- The upstream fix includes a testdata tarball as a git binary diff. + However, quilt cannot apply git binary diffs and fails with the error: + "File src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2: + git binary diffs are not supported." +- As a result, the unnecessary bzip2 test file + src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2 + has been removed. +- Furthermore, in src/archive/tar/reader_test.go, within the TestReader() + function, the test vector entry for testdata/gnu-sparse-many-zeros.tar.bz2 + has been removed. + +Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/709843 +Reviewed-by: Carlos Amedee <carlos@golang.org> +TryBot-Bypass: Michael Pratt <mpratt@google.com> +Auto-Submit: Michael Pratt <mpratt@google.com> +(cherry picked from commit 613e746327381d820759ebea6ce722720b343556) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + src/archive/tar/common.go | 1 + + src/archive/tar/reader.go | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go +index 4910908f81e..ec1b8668547 100644 +--- a/src/archive/tar/common.go ++++ b/src/archive/tar/common.go +@@ -38,6 +38,7 @@ var ( + errMissData = errors.New("archive/tar: sparse file references non-existent data") + errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data") + errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole") ++ errSparseTooLong = errors.New("archive/tar: sparse map too long") + ) + + type headerError []string +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 0811779adda..71d0b20b76d 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + cntNewline int64 + buf bytes.Buffer + blk block ++ totalSize int + ) + + // feedTokens copies data in blocks from r into buf until there are + // at least cnt newlines in buf. It will not read more blocks than needed. + feedTokens := func(n int64) error { + for cntNewline < n { ++ totalSize += len(blk) ++ if totalSize > maxSpecialFileSize { ++ return errSparseTooLong ++ } + if _, err := mustReadFull(r, blk[:]); err != nil { + return err + } +@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + } + + // Parse for all member entries. +- // numEntries is trusted after this since a potential attacker must have +- // committed resources proportional to what this library used. ++ // numEntries is trusted after this since feedTokens limits the number of ++ // tokens based on maxSpecialFileSize. + if err := feedTokens(2 * numEntries); err != nil { + return nil, err + } +-- +2.35.6 + From 913b9dc19ea14edbbaf4b7a677507949e454e685 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Fri, 12 Jun 2026 06:16:18 -0700 Subject: [PATCH 42/96] go: fix CVE-2026-25679 This patch applies the upstream fix [1], as referenced in [2], to address insufficient validation in `url.Parse`. Debian marks older Go branches as not affected because the vulnerable parseHost surface was introduced by the earlier CVE-2025-47912 fix. This Scarthgap recipe already carries CVE-2025-47912.patch, so the fix is applicable to the patched Go 1.22.12 source used here. [1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 [2] https://security-tracker.debian.org/tracker/CVE-2026-25679 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25679 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-25679.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-25679.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f6feb1d0b5f6..7d4274b4eb41 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -59,6 +59,7 @@ SRC_URI += "\ file://CVE-2026-42504.patch \ file://CVE-2026-42507.patch \ file://CVE-2025-58183.patch \ + file://CVE-2026-25679.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-25679.patch b/meta/recipes-devtools/go/go/CVE-2026-25679.patch new file mode 100644 index 000000000000..13800564f00f --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-25679.patch @@ -0,0 +1,74 @@ +From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001 +From: Ian Alexander <jitsu@google.com> +Date: Wed, 28 Jan 2026 15:29:52 -0500 +Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not + at start of host + +This change rejects IPv6 literals that do not appear at the start of the +host subcomponent of a URL. + +For example: + http://example.com[::1] -> rejects + http://[::1] -> accepts + +Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. + +Updates #77578 +Fixes #77969 +Fixes CVE-2026-25679 + +CVE: CVE-2026-25679 +Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803] + +Change-Id: I7109031880758f7c1eb4eca513323328feace33c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642 +Reviewed-on: https://go-review.googlesource.com/c/go/+/752100 +Reviewed-by: Cherry Mui <cherryyz@google.com> +Auto-Submit: Gopher Robot <gobot@golang.org> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + src/net/url/url.go | 4 +++- + src/net/url/url_test.go | 6 ++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130b..ab59c63adfa 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 { ++ return "", errors.New("invalid IP-literal") ++ } else if openBracketIdx == 0 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". + closeBracketIdx := strings.LastIndex(host, "]") +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index b2f8bd95fcf..8ffbf075cb8 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) { + {"http://[fe80::1", true}, // missing closing bracket + {"http://fe80::1]/", true}, // missing opening bracket + {"http://[test.com]/", true}, // domain name in brackets ++ {"http://example.com[::1]", true}, // IPv6 literal doesn't start with '[' ++ {"http://example.com[::1", true}, ++ {"http://[::1", true}, ++ {"http://.[::1]", true}, ++ {"http:// [::1]", true}, ++ {"hxxp://mathepqo[.]serveftp(.)com:9059", true}, + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.35.6 + From 775c3af36899eebe5612844accdfd2a8a2a9327a Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Fri, 12 Jun 2026 06:16:19 -0700 Subject: [PATCH 43/96] go: fix CVE-2026-32288 This patch applies the upstream fix [1], as referenced in [2], to address unbounded sparse map handling in `archive/tar`. [1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e [2] https://security-tracker.debian.org/tracker/CVE-2026-32288 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32288 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32288.patch | 162 ++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32288.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 7d4274b4eb41..f85104d6f15d 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -60,6 +60,7 @@ SRC_URI += "\ file://CVE-2026-42507.patch \ file://CVE-2025-58183.patch \ file://CVE-2026-25679.patch \ + file://CVE-2026-32288.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32288.patch b/meta/recipes-devtools/go/go/CVE-2026-32288.patch new file mode 100644 index 000000000000..a80029ede0af --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32288.patch @@ -0,0 +1,162 @@ +From 12bbeb57c20d32519c3f891b428c6f7765db8f55 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 23 Mar 2026 13:12:44 -0700 +Subject: [PATCH] [release-branch.go1.25] archive/tar: limit the number of + old GNU sparse format entries + +We did not set a limit on the maximum size of sparse maps in +the old GNU sparse format. Set a limit based on the cumulative +size of the extension blocks used to encode the map (consistent +with how we limit the sparse map size for other formats). + +Add an additional limit to the total number of sparse file entries, +regardless of encoding, to all sparse formats. + +Thanks to Colin Walters (walters@verbum.org), +Uuganbayar Lkhamsuren (https://github.com/uug4na), +and Jakub Ciolek for reporting this issue. + +Fixes #78301 +Fixes CVE-2026-32288 + +CVE: CVE-2026-32288 +Upstream-Status: Backport [https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e] + +Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4003 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763554 +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Auto-Submit: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> +Reviewed-by: David Chase <drchase@google.com> +(cherry picked from commit 82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + src/archive/tar/format.go | 6 ++++++ + src/archive/tar/reader.go | 28 ++++++++++++++++++++++++---- + src/archive/tar/reader_test.go | 11 +++++++++++ + 3 files changed, 41 insertions(+), 4 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index 9954b4d9f55..32e58a9d9b4 100644 +--- a/src/archive/tar/format.go ++++ b/src/archive/tar/format.go +@@ -147,6 +147,12 @@ const ( + // Max length of a special file (PAX header, GNU long name or link). + // This matches the limit used by libarchive. + maxSpecialFileSize = 1 << 20 ++ ++ // Maximum number of sparse file entries. ++ // We should never actually hit this limit ++ // (every sparse encoding will first be limited by maxSpecialFileSize), ++ // but this adds an additional layer of defense. ++ maxSparseFileEntries = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 71d0b20b76d..3bb8d62106c 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -490,7 +490,8 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + } + s := blk.toGNU().sparse() + spd := make(sparseDatas, 0, s.maxEntries()) +- for { ++ totalSize := len(s) ++ for totalSize < maxSpecialFileSize { + for i := 0; i < s.maxEntries(); i++ { + // This termination condition is identical to GNU and BSD tar. + if s.entry(i).offset()[0] == 0x00 { +@@ -501,7 +502,11 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + if p.err != nil { + return nil, p.err + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ var err error ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) ++ if err != nil { ++ return nil, err ++ } + } + + if s.isExtended()[0] > 0 { +@@ -510,10 +515,12 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + return nil, err + } + s = blk.toSparse() ++ totalSize += len(s) + continue + } + return spd, nil // Done + } ++ return nil, errSparseTooLong + } + + // readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format +@@ -586,7 +593,10 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + if err1 != nil || err2 != nil { + return nil, ErrHeader + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) ++ if err != nil { ++ return nil, err ++ } + } + return spd, nil + } +@@ -620,12 +630,22 @@ func readGNUSparseMap0x1(paxHdrs map[string]string) (sparseDatas, error) { + if err1 != nil || err2 != nil { + return nil, ErrHeader + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) ++ if err != nil { ++ return nil, err ++ } + sparseMap = sparseMap[2:] + } + return spd, nil + } + ++func appendSparseEntry(spd sparseDatas, ent sparseEntry) (sparseDatas, error) { ++ if len(spd) >= maxSparseFileEntries { ++ return nil, errSparseTooLong ++ } ++ return append(spd, ent), nil ++} ++ + // Read reads from the current file in the tar archive. + // It returns (0, io.EOF) when it reaches the end of that file, + // until [Next] is called to advance to the next file. +diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go +index 7e0462c3f88..4a527766ba8 100644 +--- a/src/archive/tar/reader_test.go ++++ b/src/archive/tar/reader_test.go +@@ -1126,6 +1126,17 @@ func TestReadOldGNUSparseMap(t *testing.T) { + input: makeInput(FormatGNU, "", + makeSparseStrings(sparseDatas{{10 << 30, 512}, {20 << 30, 512}})...), + wantMap: sparseDatas{{10 << 30, 512}, {20 << 30, 512}}, ++ }, { ++ input: makeInput(FormatGNU, "", ++ makeSparseStrings(func() sparseDatas { ++ var datas sparseDatas ++ // This is more than enough entries to exceed our limit. ++ for i := range int64(1 << 20) { ++ datas = append(datas, sparseEntry{i * 2, (i * 2) + 1}) ++ } ++ return datas ++ }())...), ++ wantErr: errSparseTooLong, + }} + + for i, v := range vectors { +-- +2.35.6 + From 267ff299a6fe6f65e0dd86f5e59bb013921526ce Mon Sep 17 00:00:00 2001 From: Deepak Rathore <deeratho@cisco.com> Date: Fri, 12 Jun 2026 10:50:49 -0700 Subject: [PATCH 44/96] binutils: Fix CVE-2025-69644 This patch updates the existing CVE-2025-69647 backport metadata for CVE-2025-69644. NVD records for CVE-2025-69644 and CVE-2025-69647 reference the same upstream binutils fix commit [1], and the public CVE advisories are referenced in [2] and [3]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +- ...VE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} (96%) diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a865c45f4f5..7e83f72632fc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -72,7 +72,7 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ - file://CVE-2025-69647.patch \ + file://CVE-2025-69644-CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch similarity index 96% rename from meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch rename to meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch index 8e3c1c79e7d0..c6b3cefed2b0 100644 --- a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch @@ -12,11 +12,12 @@ length too. length too small to read header. Limit length to section size. Limit offset count similarly. -CVE: CVE-2025-69647 +CVE: CVE-2025-69644 CVE-2025-69647 Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7] Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> +Signed-off-by: Deepak Rathore <deeratho@cisco.com> --- binutils/dwarf.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) From ac763f139ba7f836d0fa9377295ef7d3b10f2238 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Sat, 13 Jun 2026 03:11:35 -0700 Subject: [PATCH 45/96] python3: Fix CVE-2026-3644 and CVE-2026-0672 Apply the upstream v3.13 fix [1], as referenced in [2], to address CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(), the |= operator, and unpickling paths. CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as Morsel.update(), |=, and unpickling could bypass input validation. The fix also adds output validation to BaseCookie.js_output(), matching the control-character safeguards already present in BaseCookie.output(). [1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd [2] https://security-tracker.debian.org/tracker/CVE-2026-3644 References: https://security-tracker.debian.org/tracker/CVE-2026-3644 https://security-tracker.debian.org/tracker/CVE-2026-0672 https://nvd.nist.gov/vuln/detail/CVE-2026-3644 https://nvd.nist.gov/vuln/detail/CVE-2026-0672 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python3/CVE-2026-3644_CVE-2026-0672.patch | 154 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 155 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch new file mode 100644 index 000000000000..42d8133a1831 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch @@ -0,0 +1,154 @@ +From 6e291d2eba0b6820bc924e68f1db750328bf6c75 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 16 Mar 2026 15:05:13 +0100 +Subject: [PATCH] [3.13] gh-145599, CVE 2026-3644: Reject control + characters in `http.cookies.Morsel.update()` (GH-145600) (#146024) + +gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) + +Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`. + +CVE: CVE-2026-3644 CVE-2026-0672 +Upstream-Status: Backport [https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst + +(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4) + +Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> +Co-authored-by: Victor Stinner <vstinner@python.org> +Co-authored-by: Victor Stinner <victor.stinner@gmail.com> +(cherry picked from commit d16ecc6c3626f0e2cc8f08c309c83934e8a979dd) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/http/cookies.py | 24 ++++++++++++++++++---- + Lib/test/test_http_cookies.py | 38 +++++++++++++++++++++++++++++++++++ + 2 files changed, 58 insertions(+), 4 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index d0a69cbe191..63d119ad46c 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -335,9 +335,16 @@ class Morsel(dict): + key = key.lower() + if key not in self._reserved: + raise CookieError("Invalid attribute %r" % (key,)) ++ if _has_control_character(key, val): ++ raise CookieError("Control characters are not allowed in " ++ f"cookies {key!r} {val!r}") + data[key] = val + dict.update(self, data) + ++ def __ior__(self, values): ++ self.update(values) ++ return self ++ + def isReservedKey(self, K): + return K.lower() in self._reserved + +@@ -363,9 +370,15 @@ class Morsel(dict): + } + + def __setstate__(self, state): +- self._key = state['key'] +- self._value = state['value'] +- self._coded_value = state['coded_value'] ++ key = state['key'] ++ value = state['value'] ++ coded_value = state['coded_value'] ++ if _has_control_character(key, value, coded_value): ++ raise CookieError("Control characters are not allowed in cookies " ++ f"{key!r} {value!r} {coded_value!r}") ++ self._key = key ++ self._value = value ++ self._coded_value = coded_value + + def output(self, attrs=None, header="Set-Cookie:"): + return "%s %s" % (header, self.OutputString(attrs)) +@@ -377,13 +390,16 @@ class Morsel(dict): + + def js_output(self, attrs=None): + # Print javascript ++ output_string = self.OutputString(attrs) ++ if _has_control_character(output_string): ++ raise CookieError("Control characters are not allowed in cookies") + return """ + <script type="text/javascript"> + <!-- begin hiding + document.cookie = \"%s\"; + // end hiding --> + </script> +- """ % (self.OutputString(attrs).replace('"', r'\"')) ++ """ % (output_string.replace('"', r'\"')) + + def OutputString(self, attrs=None): + # Build up our result +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index f196bcc48e3..2478a6c630f 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -573,6 +573,14 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + morsel["path"] = c0 + ++ # .__setstate__() ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0}) ++ + # .setdefault() + with self.assertRaises(cookies.CookieError): + morsel.setdefault("path", c0) +@@ -587,6 +595,18 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + morsel.set("path", "val", c0) + ++ # .update() ++ with self.assertRaises(cookies.CookieError): ++ morsel.update({"path": c0}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.update({c0: "val"}) ++ ++ # .__ior__() ++ with self.assertRaises(cookies.CookieError): ++ morsel |= {"path": c0} ++ with self.assertRaises(cookies.CookieError): ++ morsel |= {c0: "val"} ++ + def test_control_characters_output(self): + # Tests that even if the internals of Morsel are modified + # that a call to .output() has control character safeguards. +@@ -607,6 +627,24 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + cookie.output() + ++ # Tests that .js_output() also has control character safeguards. ++ for c0 in support.control_characters_c0(): ++ morsel = cookies.Morsel() ++ morsel.set("key", "value", "coded-value") ++ morsel._key = c0 # Override private variable. ++ cookie = cookies.SimpleCookie() ++ cookie["cookie"] = morsel ++ with self.assertRaises(cookies.CookieError): ++ cookie.js_output() ++ ++ morsel = cookies.Morsel() ++ morsel.set("key", "value", "coded-value") ++ morsel._coded_value = c0 # Override private variable. ++ cookie = cookies.SimpleCookie() ++ cookie["cookie"] = morsel ++ with self.assertRaises(cookies.CookieError): ++ cookie.js_output() ++ + + def load_tests(loader, tests, pattern): + tests.addTest(doctest.DocTestSuite(cookies)) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 4865178572c2..c59d9fba80d5 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_readline-skip-limited-history-test.patch \ file://CVE-2026-1502.patch \ file://CVE-2026-6100.patch \ + file://CVE-2026-3644_CVE-2026-0672.patch \ " SRC_URI:append:class-native = " \ From e6d81b3be531e97058366c81056a38c0b6fa7380 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Sat, 13 Jun 2026 03:11:37 -0700 Subject: [PATCH 46/96] python3: Fix CVE-2026-4519 and CVE-2026-4786 Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2], and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with leading dashes when invoking browser commands, as referenced in [5]. CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in [5], to revalidate the URL after %action expansion. [1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48 [2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03 [3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c [4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769 [5] https://security-tracker.debian.org/tracker/CVE-2026-4519 [6] https://security-tracker.debian.org/tracker/CVE-2026-4786 References: https://nvd.nist.gov/vuln/detail/CVE-2026-4519 https://nvd.nist.gov/vuln/detail/CVE-2026-4786 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python3/CVE-2026-4519_CVE-2026-4786.patch | 66 ++++++++ .../python/python3/CVE-2026-4519_p1.patch | 107 ++++++++++++ .../python/python3/CVE-2026-4519_p2.patch | 159 ++++++++++++++++++ .../python/python3_3.12.13.bb | 3 + 4 files changed, 335 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch new file mode 100644 index 000000000000..6a4714f25aec --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch @@ -0,0 +1,66 @@ +From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych <stan@python.org> +Date: Mon, 13 Apr 2026 22:41:51 +0100 +Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution + bypass of dash-prefix check (GH-148170) (#148520) + +CVE: CVE-2026-4519 CVE-2026-4786 +Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst + +(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff) +(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/test/test_webbrowser.py | 8 ++++++++ + Lib/webbrowser.py | 5 +++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index c9bf525360d..1d21f133725 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + ++ def test_reject_action_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaises(ValueError): ++ browser.open('%action--incognito') ++ # new=1: action is "--new-window", so "%action" itself expands to ++ # a dash-prefixed flag even with no dash in the original URL. ++ with self.assertRaises(ValueError): ++ browser.open('%action', new=1) + + class EdgeCommandTest(CommandTestMixin, unittest.TestCase): + +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 000e89275b7..97c4eec9080 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) +- self._check_url(url) + if new == 0: + action = self.remote_action + elif new == 1: +@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser): + raise Error("Bad 'new' parameter to open(); " + + "expected 0, 1, or 2, got %s" % new) + +- args = [arg.replace("%s", url).replace("%action", action) ++ self._check_url(url.replace("%action", action)) ++ ++ args = [arg.replace("%action", action).replace("%s", url) + for arg in self.remote_args] + args = [arg for arg in args if arg] + success = self._invoke(args, True, autoraise, url) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch new file mode 100644 index 000000000000..1514d2c54149 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch @@ -0,0 +1,107 @@ +From 7df48dd3c6330611a04d85a5159c0ea424dc1e62 Mon Sep 17 00:00:00 2001 +From: Pinky <pinky00ch@gmail.com> +Date: Wed, 25 Mar 2026 01:02:37 +0530 +Subject: [PATCH] [3.12] gh-143930: Reject leading dashes in webbrowser + URLs (GH-146360) + +CVE: CVE-2026-4519 +Upstream-Status: Backport [https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst + +(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) + +Co-authored-by: Seth Michael Larson <seth@python.org> +(cherry picked from commit cbba6119391112aba9c5aebf7b94aea447922c48) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/test/test_webbrowser.py | 5 +++++ + Lib/webbrowser.py | 12 ++++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index 2d695bc8831..60f094fd6a1 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + ++ def test_reject_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaises(ValueError): ++ browser.open(f"--key=val {URL}") ++ + + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 13b9e85f9e1..0bdb644d7db 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -158,6 +158,12 @@ class BaseBrowser(object): + def open_new_tab(self, url): + return self.open(url, 2) + ++ @staticmethod ++ def _check_url(url): ++ """Ensures that the URL is safe to pass to subprocesses as a parameter""" ++ if url and url.lstrip().startswith("-"): ++ raise ValueError(f"Invalid URL: {url}") ++ + + class GenericBrowser(BaseBrowser): + """Class for all browsers started with a command +@@ -175,6 +181,7 @@ class GenericBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + cmdline = [self.name] + [arg.replace("%s", url) + for arg in self.args] + try: +@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser): + cmdline = [self.name] + [arg.replace("%s", url) + for arg in self.args] + sys.audit("webbrowser.open", url) ++ self._check_url(url) + try: + if sys.platform[:3] == 'win': + p = subprocess.Popen(cmdline) +@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + if new == 0: + action = self.remote_action + elif new == 1: +@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + # XXX Currently I know no way to prevent KFM from opening a new win. + if new == 2: + action = "newTab" +@@ -554,6 +564,7 @@ if sys.platform[:3] == "win": + class WindowsDefault(BaseBrowser): + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + try: + os.startfile(url) + except OSError: +@@ -638,6 +649,7 @@ if sys.platform == 'darwin': + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + if self.name == 'default': + script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser + else: +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch new file mode 100644 index 000000000000..7ee145e5e802 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch @@ -0,0 +1,159 @@ +From 3ca64ff1722d2410a4e50e760de70f6279fa99fa Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sat, 4 Apr 2026 00:53:49 +0200 +Subject: [PATCH] [3.11] gh-143930: Tweak the exception message and + increase test coverage (GH-146476) (GH-148045) (GH-148051) (GH-148052) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE: CVE-2026-4519 +Upstream-Status: Backport [https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst +- The file introduced in v3.12 by this commit; + https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48 + +(cherry picked from commit cc023511238ad93ecc8796157c6f9139a2bb2932) +(cherry picked from commit 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4) +(cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd) + +Co-authored-by: Łukasz Langa <lukasz@langa.pl> +(cherry picked from commit 96fc5048605863c7b6fd6289643feb0e97edd96c) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/test/test_webbrowser.py | 81 ++++++++++++++++++++++++++++++++++--- + Lib/webbrowser.py | 2 +- + 2 files changed, 76 insertions(+), 7 deletions(-) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index 60f094fd6a1..c9bf525360d 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -1,6 +1,7 @@ ++import io ++import os + import webbrowser + import unittest +-import os + import sys + import subprocess + from unittest import mock +@@ -49,6 +50,14 @@ class CommandTestMixin: + popen_args.pop(popen_args.index(option)) + self.assertEqual(popen_args, arguments) + ++ def test_reject_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaisesRegex( ++ ValueError, ++ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$" ++ ): ++ browser.open(f"--key=val {URL}") ++ + + class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +@@ -59,11 +68,6 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + +- def test_reject_dash_prefixes(self): +- browser = self.browser_class(name=CMD_NAME) +- with self.assertRaises(ValueError): +- browser.open(f"--key=val {URL}") +- + + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +@@ -224,6 +228,71 @@ class ELinksCommandTest(CommandTestMixin, unittest.TestCase): + arguments=['openURL({},new-tab)'.format(URL)]) + + ++class MockPopenPipe: ++ def __init__(self, cmd, mode): ++ self.cmd = cmd ++ self.mode = mode ++ self.pipe = io.StringIO() ++ self._closed = False ++ ++ def write(self, buf): ++ self.pipe.write(buf) ++ ++ def close(self): ++ self._closed = True ++ return None ++ ++ ++@unittest.skipUnless(sys.platform == "darwin", "macOS specific test") ++class MacOSXOSAScriptTest(unittest.TestCase): ++ def setUp(self): ++ # Ensure that 'BROWSER' is not set to 'open' or something else. ++ # See: https://github.com/python/cpython/issues/131254. ++ env = self.enterContext(os_helper.EnvironmentVarGuard()) ++ env.unset("BROWSER") ++ ++ support.patch(self, os, "popen", self.mock_popen) ++ self.browser = webbrowser.MacOSXOSAScript("default") ++ ++ def mock_popen(self, cmd, mode): ++ self.popen_pipe = MockPopenPipe(cmd, mode) ++ return self.popen_pipe ++ ++ def test_default(self): ++ browser = webbrowser.get() ++ assert isinstance(browser, webbrowser.MacOSXOSAScript) ++ self.assertEqual(browser.name, "default") ++ ++ def test_default_open(self): ++ url = "https://python.org" ++ self.browser.open(url) ++ self.assertTrue(self.popen_pipe._closed) ++ self.assertEqual(self.popen_pipe.cmd, "osascript") ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertEqual(script.strip(), f'open location "{url}"') ++ ++ def test_url_quote(self): ++ self.browser.open('https://python.org/"quote"') ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertEqual( ++ script.strip(), 'open location "https://python.org/%22quote%22"' ++ ) ++ ++ def test_explicit_browser(self): ++ browser = webbrowser.MacOSXOSAScript("safari") ++ browser.open("https://python.org") ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertIn('tell application "safari"', script) ++ self.assertIn('open location "https://python.org"', script) ++ ++ def test_reject_dash_prefixes(self): ++ with self.assertRaisesRegex( ++ ValueError, ++ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$" ++ ): ++ self.browser.open(f"--key=val {URL}") ++ ++ + class BrowserRegistrationTest(unittest.TestCase): + + def setUp(self): +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 0bdb644d7db..000e89275b7 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -162,7 +162,7 @@ class BaseBrowser(object): + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): +- raise ValueError(f"Invalid URL: {url}") ++ raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}") + + + class GenericBrowser(BaseBrowser): +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index c59d9fba80d5..ec9ea94824e7 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -37,6 +37,9 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-1502.patch \ file://CVE-2026-6100.patch \ file://CVE-2026-3644_CVE-2026-0672.patch \ + file://CVE-2026-4519_p1.patch \ + file://CVE-2026-4519_p2.patch \ + file://CVE-2026-4519_CVE-2026-4786.patch \ " SRC_URI:append:class-native = " \ From e17af14ae72e21f7f63407ba5c88da160c73bea9 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Sat, 13 Jun 2026 03:11:39 -0700 Subject: [PATCH 47/96] python3: Fix CVE-2026-6019 This patch applies the upstream fix [1] and follow-up fix [2], as referenced in [3] and [4], to address an http.cookies.Morsel.js_output() flaw where inline JavaScript output escaped quotes but did not neutralize the HTML parser-sensitive </script> sequence. [1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c [2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802 [3] https://github.com/python/cpython/issues/149144 [4] https://security-tracker.debian.org/tracker/CVE-2026-6019 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-6019 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python/python3/CVE-2026-6019_p1.patch | 133 ++++++++++++++++++ .../python/python3/CVE-2026-6019_p2.patch | 129 +++++++++++++++++ .../python/python3_3.12.13.bb | 2 + 3 files changed, 264 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch new file mode 100644 index 000000000000..78b01574c91c --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch @@ -0,0 +1,133 @@ +From be751c3f3a11d40c2133bee5fb6ab6931df31936 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Thu, 23 Apr 2026 15:05:17 +0200 +Subject: [PATCH] [3.13] gh-90309: Base64-encode cookie values embedded in + JS (GH-148888) + +CVE: CVE-2026-6019 +Upstream-Status: Backport [https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst + +(cherry picked from commit 76b3923d688c0efc580658476c5f525ec8735104) + +Co-authored-by: Seth Larson <seth@python.org> +(cherry picked from commit 3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/http/cookies.py | 8 ++++++-- + Lib/test/test_http_cookies.py | 29 ++++++++++++++++++----------- + 2 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 63d119ad46c..aebc2a163e4 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -389,17 +389,21 @@ class Morsel(dict): + return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) + + def js_output(self, attrs=None): ++ import base64 + # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") ++ # Base64-encode value to avoid template ++ # injection in cookie values. ++ output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") + return """ + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = \"%s\"; ++ document.cookie = atob(\"%s\"); + // end hiding --> + </script> +- """ % (output_string.replace('"', r'\"')) ++ """ % (output_encoded,) + + def OutputString(self, attrs=None): + # Build up our result +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 2478a6c630f..6aa5df068f9 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -1,5 +1,5 @@ + # Simple test suite for http/cookies.py +- ++import base64 + import copy + import unittest + import doctest +@@ -152,17 +152,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- self.assertEqual(C.js_output(), r""" ++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') ++ self.assertEqual(C.js_output(), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1"; ++ document.cookie = atob("{cookie_encoded}"); + // end hiding --> + </script> + """) +- self.assertEqual(C.js_output(['path']), r""" ++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') ++ self.assertEqual(C.js_output(['path']), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme"; ++ document.cookie = atob("{cookie_encoded}"); + // end hiding --> + </script> + """) +@@ -259,17 +261,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- self.assertEqual(C.js_output(), r""" ++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') ++ self.assertEqual(C.js_output(), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1"; ++ document.cookie = atob("{expected_encoded_cookie}"); + // end hiding --> + </script> + """) +- self.assertEqual(C.js_output(['path']), r""" ++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') ++ self.assertEqual(C.js_output(['path']), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme"; ++ document.cookie = atob("{expected_encoded_cookie}"); + // end hiding --> + </script> + """) +@@ -360,13 +364,16 @@ class MorselTests(unittest.TestCase): + self.assertEqual( + M.output(), + "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) ++ expected_encoded_cookie = base64.b64encode( ++ ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") ++ ).decode('ascii') + expected_js_output = """ + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = "%s=%s; Path=/foo"; ++ document.cookie = atob("%s"); + // end hiding --> + </script> +- """ % (i, "%s_coded_val" % i) ++ """ % (expected_encoded_cookie,) + self.assertEqual(M.js_output(), expected_js_output) + for i in ["foo bar", "foo@bar"]: + # Try some illegal characters +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch new file mode 100644 index 000000000000..0646bd2133f6 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch @@ -0,0 +1,129 @@ +From de449bbc6ff4ce869c17fb551dacc69de25d73a9 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych <stan@python.org> +Date: Mon, 8 Jun 2026 20:15:21 +0100 +Subject: [PATCH] [3.13] gh-149144: Use `decodeURIComponent()` for UTF-8 + support in `js_output()` (GH-149157) (#150949) + +CVE: CVE-2026-6019 +Upstream-Status: Backport [https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802] + +Co-authored-by: Seth Larson <seth@python.org> +(cherry picked from commit e7d4c3ff421916986223690a8425d2383f6f3802) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/http/cookies.py | 6 +++--- + Lib/test/test_http_cookies.py | 27 ++++++++++++++------------- + 2 files changed, 17 insertions(+), 16 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index aebc2a163e4..2cffa2a9ad6 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -389,18 +389,18 @@ class Morsel(dict): + return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) + + def js_output(self, attrs=None): +- import base64 ++ import urllib.parse + # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") + # Base64-encode value to avoid template + # injection in cookie values. +- output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") ++ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8') + return """ + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob(\"%s\"); ++ document.cookie = decodeURIComponent(\"%s\"); + // end hiding --> + </script> + """ % (output_encoded,) +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 6aa5df068f9..b9cc59cd1db 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -1,10 +1,10 @@ + # Simple test suite for http/cookies.py +-import base64 + import copy + import unittest + import doctest + from http import cookies + import pickle ++import urllib.parse + from test import support + + +@@ -152,19 +152,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') ++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8') + self.assertEqual(C.js_output(), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob("{cookie_encoded}"); ++ document.cookie = decodeURIComponent("{cookie_encoded}"); + // end hiding --> + </script> + """) +- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') ++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8') + self.assertEqual(C.js_output(['path']), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob("{cookie_encoded}"); ++ document.cookie = decodeURIComponent("{cookie_encoded}"); + // end hiding --> + </script> + """) +@@ -261,19 +261,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8') + self.assertEqual(C.js_output(), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob("{expected_encoded_cookie}"); ++ document.cookie = decodeURIComponent("{expected_encoded_cookie}"); + // end hiding --> + </script> + """) +- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8') + self.assertEqual(C.js_output(['path']), fr""" + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob("{expected_encoded_cookie}"); ++ document.cookie = decodeURIComponent("{expected_encoded_cookie}"); + // end hiding --> + </script> + """) +@@ -364,13 +364,14 @@ class MorselTests(unittest.TestCase): + self.assertEqual( + M.output(), + "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) +- expected_encoded_cookie = base64.b64encode( +- ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") +- ).decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote( ++ "%s=%s; Path=/foo" % (i, "%s_coded_val" % i), ++ safe='', encoding='utf-8', ++ ) + expected_js_output = """ + <script type="text/javascript"> + <!-- begin hiding +- document.cookie = atob("%s"); ++ document.cookie = decodeURIComponent("%s"); + // end hiding --> + </script> + """ % (expected_encoded_cookie,) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index ec9ea94824e7..be080c6a3625 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -40,6 +40,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-4519_p1.patch \ file://CVE-2026-4519_p2.patch \ file://CVE-2026-4519_CVE-2026-4786.patch \ + file://CVE-2026-6019_p1.patch \ + file://CVE-2026-6019_p2.patch \ " SRC_URI:append:class-native = " \ From 0b990a354ef858d903d4bed937b1233537c2c478 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Sat, 13 Jun 2026 03:11:41 -0700 Subject: [PATCH 48/96] python3: Fix CVE-2025-13462 Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2], to address incorrect tarfile handling where GNU long name follow-up headers could be normalized as directories, as referenced in [3]. [1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084 [2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7 [3] https://security-tracker.debian.org/tracker/CVE-2025-13462 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-13462 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python/python3/CVE-2025-13462.patch | 142 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 143 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13462.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13462.patch b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch new file mode 100644 index 000000000000..36d492338ba3 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch @@ -0,0 +1,142 @@ +From 14d7d2e8f51a17c23c98f13f33743253a0b7a18a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 May 2026 19:43:51 +0200 +Subject: [PATCH] [3.12] gh-141707: Skip TarInfo DIRTYPE normalization during + GNU long name handling (#145817) + +gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling + +CVE: CVE-2025-13462 +Upstream-Status: Backport [https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst + +(cherry picked from commit 42d754e34c06e57ad6b8e7f92f32af679912d8ab) + +Co-authored-by: Seth Michael Larson <seth@python.org> +Co-authored-by: Eashwar Ranganathan <eashwar@eashwar.com> +(cherry picked from commit d10950739a78f54d0718d88fb5a868374603c084) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + Lib/tarfile.py | 29 +++++++++++++++++++++++++---- + Lib/test/test_tarfile.py | 19 +++++++++++++++++++ + Misc/ACKS | 1 + + 3 files changed, 45 insertions(+), 4 deletions(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 99451aa765..70fdbe85b0 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1246,6 +1246,20 @@ class TarInfo(object): + @classmethod + def frombuf(cls, buf, encoding, errors): + """Construct a TarInfo object from a 512 byte bytes object. ++ ++ To support the old v7 tar format AREGTYPE headers are ++ transformed to DIRTYPE headers if their name ends in '/'. ++ """ ++ return cls._frombuf(buf, encoding, errors) ++ ++ @classmethod ++ def _frombuf(cls, buf, encoding, errors, *, dircheck=True): ++ """Construct a TarInfo object from a 512 byte bytes object. ++ ++ If ``dircheck`` is set to ``True`` then ``AREGTYPE`` headers will ++ be normalized to ``DIRTYPE`` if the name ends in a trailing slash. ++ ``dircheck`` must be set to ``False`` if this function is called ++ on a follow-up header such as ``GNUTYPE_LONGNAME``. + """ + if len(buf) == 0: + raise EmptyHeaderError("empty header") +@@ -1276,7 +1290,7 @@ class TarInfo(object): + + # Old V7 tar format represents a directory as a regular + # file with a trailing slash. +- if obj.type == AREGTYPE and obj.name.endswith("/"): ++ if dircheck and obj.type == AREGTYPE and obj.name.endswith("/"): + obj.type = DIRTYPE + + # The old GNU sparse format occupies some of the unused +@@ -1311,8 +1325,15 @@ class TarInfo(object): + """Return the next TarInfo object from TarFile object + tarfile. + """ ++ return cls._fromtarfile(tarfile) ++ ++ @classmethod ++ def _fromtarfile(cls, tarfile, *, dircheck=True): ++ """ ++ See dircheck documentation in _frombuf(). ++ """ + buf = tarfile.fileobj.read(BLOCKSIZE) +- obj = cls.frombuf(buf, tarfile.encoding, tarfile.errors) ++ obj = cls._frombuf(buf, tarfile.encoding, tarfile.errors, dircheck=dircheck) + obj.offset = tarfile.fileobj.tell() - BLOCKSIZE + return obj._proc_member(tarfile) + +@@ -1370,7 +1391,7 @@ class TarInfo(object): + + # Fetch the next header and process it. + try: +- next = self.fromtarfile(tarfile) ++ next = self._fromtarfile(tarfile, dircheck=False) + except HeaderError as e: + raise SubsequentHeaderError(str(e)) from None + +@@ -1505,7 +1526,7 @@ class TarInfo(object): + + # Fetch the next header. + try: +- next = self.fromtarfile(tarfile) ++ next = self._fromtarfile(tarfile, dircheck=False) + except HeaderError as e: + raise SubsequentHeaderError(str(e)) from None + +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 759fa03ead..82637841ed 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -1134,6 +1134,25 @@ class LongnameTest: + self.assertIsNotNone(tar.getmember(longdir)) + self.assertIsNotNone(tar.getmember(longdir.removesuffix('/'))) + ++ def test_longname_file_not_directory(self): ++ # Test reading a longname file and ensure it is not handled as a directory ++ # Issue #141707 ++ buf = io.BytesIO() ++ with tarfile.open(mode='w', fileobj=buf, format=self.format) as tar: ++ ti = tarfile.TarInfo() ++ ti.type = tarfile.AREGTYPE ++ ti.name = ('a' * 99) + '/' + ('b' * 3) ++ tar.addfile(ti) ++ ++ expected = {t.name: t.type for t in tar.getmembers()} ++ ++ buf.seek(0) ++ with tarfile.open(mode='r', fileobj=buf) as tar: ++ actual = {t.name: t.type for t in tar.getmembers()} ++ ++ self.assertEqual(expected, actual) ++ ++ + class GNUReadTest(LongnameTest, ReadTest, unittest.TestCase): + + subdir = "gnu" +diff --git a/Misc/ACKS b/Misc/ACKS +index a6e63a991f..30d5f99ebb 100644 +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -1492,6 +1492,7 @@ Dhushyanth Ramasamy + Ashwin Ramaswami + Jeff Ramnani + Bayard Randel ++Eashwar Ranganathan + Varpu Rantala + Brodie Rao + Rémi Rampin +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index be080c6a3625..3e28a3942bdd 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -42,6 +42,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-4519_CVE-2026-4786.patch \ file://CVE-2026-6019_p1.patch \ file://CVE-2026-6019_p2.patch \ + file://CVE-2025-13462.patch \ " SRC_URI:append:class-native = " \ From bb5a1f9c6562038d422ea0efd4e975737c9374c3 Mon Sep 17 00:00:00 2001 From: Deepak Rathore <deeratho@cisco.com> Date: Mon, 15 Jun 2026 10:30:49 -0700 Subject: [PATCH 49/96] qemu: Fix CVE-2024-6519 This patch applies the upstream v11.0.0-rc2 backport for CVE-2024-6519. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit link is recorded in the embedded patch header. [1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9 [2] https://security-tracker.debian.org/tracker/CVE-2024-6519 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-6519.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b688c2bd125b..ff8877e54b73 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ file://CVE-2025-11234-01.patch \ file://CVE-2025-11234-02.patch \ + file://CVE-2024-6519.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch new file mode 100644 index 000000000000..431afbbc60a4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch @@ -0,0 +1,51 @@ +From 86bc714d9d02a23ea6be878febdc327bbfc9ff50 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Fri, 27 Mar 2026 17:37:31 +0100 +Subject: [PATCH] lsi53c895a: keep a reference to the device while SCRIPTS + execute + +SCRIPTS execution can trigger PCI device unplug and consequently +a use-after-free after the unplug returns. Avoid this by keeping +the device alive. + +Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090 + +CVE: CVE-2024-6519 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9] + +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9) +Signed-off-by: Deepak Rathore <deeratho@cisco.com> +--- + hw/scsi/lsi53c895a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 4d0c5fcd9b7..37dd38d7a87 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1158,6 +1158,7 @@ static void lsi_execute_script(LSIState *s) + s->waiting = LSI_NOWAIT; + } + ++ object_ref(s); + reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; +@@ -1177,6 +1178,7 @@ again: + s->waiting = LSI_WAIT_SCRIPTS; + lsi_scripts_timer_start(s); + reentrancy_level--; ++ object_unref(s); + return; + } + insn = read_dword(s, s->dsp); +@@ -1625,6 +1627,7 @@ again: + trace_lsi_execute_script_stop(); + + reentrancy_level--; ++ object_unref(s); + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) From 66055d7f179d0d838c2139d9d2399a968c6f6529 Mon Sep 17 00:00:00 2001 From: Shubham Pushpkar <spushpka@cisco.com> Date: Mon, 15 Jun 2026 13:13:21 -0700 Subject: [PATCH 50/96] dpkg: Fix CVE-2026-2219 This patch applies the upstream fix as referenced in [2], using the commit shown in [1]. [1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219 Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../dpkg/dpkg/CVE-2026-2219.patch | 47 +++++++++++++++++++ meta/recipes-devtools/dpkg/dpkg_1.22.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch new file mode 100644 index 000000000000..779ab924de6c --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch @@ -0,0 +1,47 @@ +From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001 +From: Guillem Jover <guillem@debian.org> +Date: Sat, 7 Feb 2026 00:57:55 +0100 +Subject: [PATCH] libdpkg: Terminate zstd decompression when we have no more + data + +We should be checking whether the input buffer is zero-sized, and then +mark the stream as finished. Otherwise the zstd implementation does not +detect that as an end of stream situation and we get stuck in an +infinite loop spinning the CPU. This means the decompression process +in dpkg-deb does not terminate, so no EPIPE gets generated and the +other processes that are part of the unpacking do not stop either. + +Reported-by: Yashashree Gund <yash_gund@live.com> +Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a +Fixes: CVE-2026-2219 +Closes: #1129722 +Stable-Candidate: 1.21.x 1.22.x + +CVE: CVE-2026-2219 +Upstream-Status: Backport [https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313] + +(cherry picked from commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313) +Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> +--- + lib/dpkg/compress.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c +index adf26ea7..bf73affe 100644 +--- a/lib/dpkg/compress.c ++++ b/lib/dpkg/compress.c +@@ -1070,6 +1070,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s) + ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 }; + size_t ret; + ++ if (buf_in.size == 0) { ++ s->status = DPKG_STREAM_END; ++ return; ++ } ++ + ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in); + if (ZSTD_isError(ret)) + filter_zstd_error(io, ret); +-- +2.35.6 + diff --git a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb index 41f512350851..16162ca926f1 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb @@ -15,6 +15,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main file://pager.patch \ file://0001-Add-support-for-riscv32-CPU.patch \ file://CVE-2025-6297.patch \ + file://CVE-2026-2219.patch \ " SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch" From 42214e12ad205e1da59cb839849e8bfb5c300de5 Mon Sep 17 00:00:00 2001 From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Date: Mon, 8 Jun 2026 14:24:58 +0200 Subject: [PATCH 51/96] libsolv: fix CVE-2026-9150 Backport patch to fix CVE-2026-9150. https://nvd.nist.gov/vuln/detail/CVE-2026-9150 Upstream fix: https://github.com/openSUSE/libsolv/pull/616 Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../libsolv/libsolv/CVE-2026-9150.patch | 68 +++++++++++++++++++ .../libsolv/libsolv_0.7.28.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch diff --git a/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch new file mode 100644 index 000000000000..4903edb5998f --- /dev/null +++ b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch @@ -0,0 +1,68 @@ +From bea261fd0924ecd5c7e5579f460133ec023c6def Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Wed, 22 Apr 2026 09:18:29 +0200 +Subject: [PATCH] Fix a buffer overflow when copying SHA-384/512 checksum from + a Debian repository + +When parsing Debian repository, control2solvable() copies a package +checksum string from the repository into a stack-allocated "char +checksum[32 * 2 + 1]" array. + +If the repository defined a SHA384 or SHA512 tag, a buffer overflow +occured (as can be seen when compiling libsolv with CFLAGS='-O0 -g +-fsanitize=address') because those tag values are longer: + + $ cat /tmp/Packages + Package: p + Version: 1 + Architecture: all + SHA512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + + $ /tmp/b/tools/deb2solv -r /tmp/Packages + ================================================================= + ==3695==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7b685ecf0071 at pc 0x7f6861683722 b + p 0x7fff37e3e7a0 sp 0x7fff37e3df60 + WRITE of size 129 at 0x7b685ecf0071 thread T0 + #0 0x7f6861683721 in strcpy.part.0 (/lib64/libasan.so.8+0x83721) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c) + #1 0x7f6861d7f34d in control2solvable /home/test/libsolv/ext/repo_deb.c:491 + #2 0x7f6861d804ea in repo_add_debpackages /home/test/libsolv/ext/repo_deb.c:622 + #3 0x000000400fd5 in main /home/test/libsolv/tools/deb2solv.c:134 + #4 0x7f686123c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #5 0x7f686123c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #6 0x000000400694 in _start (/tmp/b/tools/deb2solv+0x400694) (BuildId: a3350337819a51edd0c75293970d3458b5033bc9) + + Address 0x7b685ecf0071 is located in stack of thread T0 at offset 113 in frame + #0 0x7f6861d7de2a in control2solvable /home/test/libsolv/ext/repo_deb.c:365 + + This frame has 1 object(s): + [48, 113) 'checksum' (line 371) <== Memory access at offset 113 overflows this variable + +This patch fixes it by enlarging the buffer to accomodate the longest +supported digest string. + +This flaw was introduced with c8164bfecf2ba8bcf4c24329534d3104f19da73c +commit ("[ABI BREAKAGE] add support for SHA224/384/512"). + +Reported by Aisle Research. + +CVE: CVE-2026-9150 +Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d] + +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> +--- + ext/repo_deb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/repo_deb.c b/ext/repo_deb.c +index d400f959..25eaf8cb 100644 +--- a/ext/repo_deb.c ++++ b/ext/repo_deb.c +@@ -368,7 +368,7 @@ control2solvable(Solvable *s, Repodata *data, char *control) + char *p, *q, *end, *tag; + int x, l; + int havesource = 0; +- char checksum[32 * 2 + 1]; ++ char checksum[64 * 2 + 1]; + Id checksumtype = 0; + Id newtype; + diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb index 201059323aa7..63534dce260e 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb @@ -10,6 +10,7 @@ DEPENDS = "expat zlib zstd" SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \ + file://CVE-2026-9150.patch \ " SRCREV = "c8dbb3a77c86600ce09d4f80a504cf4e78a3c359" From ed3353c07f6a8a6e55d244c0039e37fb62c81712 Mon Sep 17 00:00:00 2001 From: Peter Marko <peter.marko@siemens.com> Date: Tue, 16 Jun 2026 18:56:23 +0200 Subject: [PATCH 52/96] openssl: upgrade 3.5.6 -> 3.5.7 Release information [1]: OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447) * Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182) * Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183) * Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764) * Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445) * Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383) * Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076) * Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180) * Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181) * Fixed possible NULL dereference in password-dased CMS decryption. (CVE-2026-42766) * Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767) * Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768) * Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769) * Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770) * Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446) Refreshed patches. Installed new test files to pass ptests. [1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-356-and-openssl-357-9-jun-2026 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core rev: 9365ac47f994a7d6be92b8c011c51ecf48e8ef87) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch | 2 +- .../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index cf5ff356ee78..cd8906df675f 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure index fff97bd..5ee54c1 100755 --- a/Configure +++ b/Configure -@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) +@@ -1557,16 +1557,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb index 3bf78eff5c26..0b8e8afec81e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736" +SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -215,7 +215,7 @@ do_install_ptest() { ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps cd ${S} - find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; + find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs test/smime-eml -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; From 19fc681a3fca99801e2e50d6a9c6c921c66a2ce9 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Wed, 17 Jun 2026 12:03:03 +0530 Subject: [PATCH 53/96] libinput: fix for CVE-2026-50292 Pick patch from [1] & [2] also mentioned at Debian report in [3]. [1] https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc [2] https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b [3] https://security-tracker.debian.org/tracker/CVE-2026-50292 More details : 1. https://nvd.nist.gov/vuln/detail/CVE-2026-50292 2. https://www.openwall.com/lists/oss-security/2026/06/04/5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../wayland/libinput/CVE-2026-50292-01.patch | 109 ++++++++++++++++++ .../wayland/libinput/CVE-2026-50292-02.patch | 99 ++++++++++++++++ .../wayland/libinput_1.25.0.bb | 2 + 3 files changed, 210 insertions(+) create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch new file mode 100644 index 000000000000..35b2734d7a5d --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch @@ -0,0 +1,109 @@ +From fc2262e1c1847021239065e84f39f15492ef05cc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 1 Jun 2026 10:12:29 +1000 +Subject: [PATCH] util: sanitize control characters in str_sanitize() + +str_sanitize() only escaped '%' characters for format string safety. +Device names from uinput devices can contain arbitrary bytes including +ANSI escape sequences (ESC, 0x1b) and other control characters. When +these strings are included in log messages and printed to a terminal, +the escape sequences are interpreted by the terminal emulator. This +could allow an attacker to manipulate terminal output (change colors, +set window title, clear screen) when an administrator views libinput +logs. + +Replace all control characters (0x00-0x1f and 0x7f) with '?' in +addition to the existing '%' escaping. This prevents terminal escape +sequence injection through device names in log output. + +Assisted-by: Claude:claude-opus-4-6 +(cherry picked from commit 71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb) + +Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489> + +CVE: CVE-2026-50292 +Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/util-strings.h | 30 +++++++++++++++++++++++------- + test/test-utils.c | 10 ++++++++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/src/util-strings.h b/src/util-strings.h +index b0916815..3429ec9c 100644 +--- a/src/util-strings.h ++++ b/src/util-strings.h +@@ -456,26 +456,42 @@ trunkname(const char *filename); + + /** + * Return a copy of str with all % converted to %% to make the string +- * acceptable as printf format. ++ * acceptable as printf format, and all non-NUL control characters ++ * (bytes 0x01-0x1f, 0x7f) replaced with '?' to prevent terminal ++ * escape sequence injection. NUL bytes are excluded implicitly ++ * because the string is null-terminated. + */ + static inline char * + str_sanitize(const char *str) + { + if (!str) + return NULL; ++ size_t slen = strlen(str); ++ slen = min(slen, 512); + +- if (!strchr(str, '%')) ++ bool needs_sanitization = false; ++ for (size_t i = 0; i < slen; i++) { ++ unsigned char c = str[i]; ++ if (c == '%' || c < 0x20 || c == 0x7f) { ++ needs_sanitization = true; ++ break; ++ } ++ } ++ if (!needs_sanitization) + return strdup(str); +- +- size_t slen = min(strlen(str), 512); + char *sanitized = zalloc(2 * slen + 1); + const char *src = str; + char *dst = sanitized; +- + for (size_t i = 0; i < slen; i++) { +- if (*src == '%') ++ unsigned char c = *src++; ++ if (c == '%') { + *dst++ = '%'; +- *dst++ = *src++; ++ *dst++ = '%'; ++ } else if (c < 0x20 || c == 0x7f) { ++ *dst++ = '?'; ++ } else { ++ *dst++ = c; ++ } + } + *dst = '\0'; + +diff --git a/test/test-utils.c b/test/test-utils.c +index fa307031..88aede23 100644 +--- a/test/test-utils.c ++++ b/test/test-utils.c +@@ -1388,6 +1388,16 @@ START_TEST(strsanitize_test) + { "x %", "x %%" }, + { "%sx", "%%sx" }, + { "%s%s", "%%s%%s" }, ++ { "\t", "?" }, ++ { "\n", "?" }, ++ { "\r", "?" }, ++ { "\x1b[31m", "?[31m" }, ++ { "foo\tbar", "foo?bar" }, ++ { "foo\nbar", "foo?bar" }, ++ { "\x01\x1f\x7f", "???" }, ++ { "clean", "clean" }, ++ { "a\x1b[0mb", "a?[0mb" }, ++ { "%\n", "%%?" }, + { NULL, NULL }, + }; + +-- +2.50.1 + diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch new file mode 100644 index 000000000000..f78c9f906634 --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch @@ -0,0 +1,99 @@ +From b2bde9504d42a5976d76e1f27c640dc561fbd99b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 1 Jun 2026 10:48:24 +1000 +Subject: [PATCH] libinput-device-group: sanitize phys before printing it + +Bug: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-50292 + +A malicious uinput device could set the phys value (via UI_SET_PHYS) +to contain a '\n'. When the value is printed as part of the device group +the udev rules will interpret it as separate property. + +Depending on the property this can cause local privilege escalation. + +Closes #1296 + +Found-by: Csome +(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55) + +Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489> + +CVE: CVE-2026-50292 +Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + udev/libinput-device-group.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c +index 3da904e0..d0522685 100644 +--- a/udev/libinput-device-group.c ++++ b/udev/libinput-device-group.c +@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device, + + udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) { + struct udev_device *d; +- const char *path, *phys; ++ char *phys = NULL; ++ const char *path; + const char *pidstr, *vidstr; + int pid, vid, dist; + +@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device, + + vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID"); + pidstr = udev_device_get_property_value(d, "ID_MODEL_ID"); +- phys = udev_device_get_sysattr_value(d, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")); + + if (vidstr && pidstr && phys && + safe_atoi_base(vidstr, &vid, 16) && +@@ -138,11 +139,13 @@ wacom_handle_ekr(struct udev_device *device, + best_dist = dist; + + free(*phys_attr); +- *phys_attr = safe_strdup(phys); ++ *phys_attr = phys; ++ phys = NULL; + } + } + + udev_device_unref(d); ++ free(phys); + } + + udev_enumerate_unref(e); +@@ -154,8 +157,8 @@ int main(int argc, char **argv) + int rc = 1; + struct udev *udev = NULL; + struct udev_device *device = NULL; +- const char *syspath, +- *phys = NULL; ++ char *phys = NULL; ++ const char *syspath = NULL; + const char *product; + int bustype, vendor_id, product_id, version; + char group[1024]; +@@ -179,8 +182,7 @@ int main(int argc, char **argv) + * bit and use the remainder as device group identifier */ + while (device != NULL) { + struct udev_device *parent; +- +- phys = udev_device_get_sysattr_value(device, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys")); + if (phys) + break; + +@@ -249,6 +251,8 @@ int main(int argc, char **argv) + + printf("LIBINPUT_DEVICE_GROUP=%s\n", group); + ++ free(phys); ++ + rc = 0; + out: + if (device) +-- +2.50.1 + diff --git a/meta/recipes-graphics/wayland/libinput_1.25.0.bb b/meta/recipes-graphics/wayland/libinput_1.25.0.bb index 894858e36175..1a33d16f3a6c 100644 --- a/meta/recipes-graphics/wayland/libinput_1.25.0.bb +++ b/meta/recipes-graphics/wayland/libinput_1.25.0.bb @@ -14,6 +14,8 @@ DEPENDS = "libevdev udev mtdev" SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=main \ file://run-ptest \ + file://CVE-2026-50292-01.patch \ + file://CVE-2026-50292-02.patch \ " SRCREV = "3fd38d89276b679ac3565efd7c2150fd047902cb" S = "${WORKDIR}/git" From 92a57b28a4e8e4fe917e4aa3d58079257ee9a41f Mon Sep 17 00:00:00 2001 From: Yoann Congal <yoann.congal@smile.fr> Date: Thu, 18 Jun 2026 23:30:02 +0200 Subject: [PATCH 54/96] gdb: backport a patch to fix static_assert in recent GCC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert is a keyword, and not a macro to define like with older GCC. This make MIPS64 code in gdb fail to compile with: | In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25: | ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’: | ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’ | 86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ | | ^~~~~~~~~~~~~ | ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’ | 52 | case '.': MAPPED_REG (0, 0, GP, reg_0_map); | | ^~~~~~~~~~ Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/gdb/gdb.inc | 1 + ...gnu23-compatibility-wrt-static_asser.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 81ac441462a9..d806a66ac435 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -13,5 +13,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0006-resolve-restrict-keyword-conflict.patch \ file://0007-Fix-invalid-sigprocmask-call.patch \ file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ + file://0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch \ " SRC_URI[sha256sum] = "2d4dd8061d8ded12b6c63f55e45344881e8226105f4d2a9b234040efa5ce7772" diff --git a/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch new file mode 100644 index 000000000000..d0d4aa5bd207 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch @@ -0,0 +1,75 @@ +From 2b8d72efbe1af100ea4dad4c976b2d3a1fbad676 Mon Sep 17 00:00:00 2001 +From: Sam James <sam@gentoo.org> +Date: Sat, 16 Nov 2024 05:03:52 +0000 +Subject: [PATCH] opcodes: fix -std=gnu23 compatibility wrt static_assert + + +static_assert is declared in C23 so we can't reuse that identifier: +* Define our own static_assert conditionally; + +* Rename "static assert" hacks to _N as we do already in some places + to avoid a conflict. + +ChangeLog: + PR ld/32372 + + * i386-gen.c (static_assert): Define conditionally. + * mips-formats.h (MAPPED_INT): Rename identifier. + (MAPPED_REG): Rename identifier. + (OPTIONAL_MAPPED_REG): Rename identifier. + * s390-opc.c (static_assert): Define conditionally. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8ebe62f3f0d27806b1bf69f301f5e188b4acd2b4] +Backport: +* No static_assert to patch in this version of s390-opc.c. +Signed-off-by: Yoann Congal <yoann.congal@smile.fr> +--- + opcodes/i386-gen.c | 2 ++ + opcodes/mips-formats.h | 6 +++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/opcodes/i386-gen.c b/opcodes/i386-gen.c +index cfc5a7a6172..d5901b9667d 100644 +--- a/opcodes/i386-gen.c ++++ b/opcodes/i386-gen.c +@@ -30,7 +30,9 @@ + + /* Build-time checks are preferrable over runtime ones. Use this construct + in preference where possible. */ ++#ifndef static_assert + #define static_assert(e) ((void)sizeof (struct { int _:1 - 2 * !(e); })) ++#endif + + static const char *program_name = NULL; + static int debug = 0; +diff --git a/opcodes/mips-formats.h b/opcodes/mips-formats.h +index ac73f060a3e..790e23f1783 100644 +--- a/opcodes/mips-formats.h ++++ b/opcodes/mips-formats.h +@@ -49,7 +49,7 @@ + #define MAPPED_INT(SIZE, LSB, MAP, PRINT_HEX) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_3[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_mapped_int_operand op = { \ + { OP_MAPPED_INT, SIZE, LSB }, MAP, PRINT_HEX \ + }; \ +@@ -83,7 +83,7 @@ + #define MAPPED_REG(SIZE, LSB, BANK, MAP) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_4[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_reg_operand op = { \ + { OP_REG, SIZE, LSB }, OP_REG_##BANK, MAP \ + }; \ +@@ -93,7 +93,7 @@ + #define OPTIONAL_MAPPED_REG(SIZE, LSB, BANK, MAP) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_5[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_reg_operand op = { \ + { OP_OPTIONAL_REG, SIZE, LSB }, OP_REG_##BANK, MAP \ + }; \ From 9105e2bbf3245bfa02d2f4c55a010a7d2c3da6c2 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Mon, 17 Jun 2024 13:42:40 +0000 Subject: [PATCH 55/96] oeqa/core/runner: stub addDuration in OETestResult We have a custom TestResult implementation, and Python 3.12 added a new method addDuration() to the TestResult interface. This would be useful to implement correctly, but for now stub it out to silence the warning when running under Python 3.12: /usr/lib64/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method warnings.warn("TestResult has no addDuration method", Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2d6fff81b34476b890f6943997615fbf8d3d133f) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/lib/oeqa/core/runner.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/lib/oeqa/core/runner.py b/meta/lib/oeqa/core/runner.py index b683d9b80a76..0d2bc3a3ed0f 100644 --- a/meta/lib/oeqa/core/runner.py +++ b/meta/lib/oeqa/core/runner.py @@ -78,6 +78,10 @@ def stopTest(self, test): self.shownmsg.append(test.id()) break + # Python 3.12 added this, stub it out for now + def addDuration(self, test, elapsed): + pass + def logSummary(self, component, context_msg=''): elapsed_time = self.tc._run_end_time - self.tc._run_start_time self.tc.logger.info("SUMMARY:") From cd46a25fa3f7ffe5518c7c95f280a7760455aac8 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Fri, 22 May 2026 17:04:51 +0100 Subject: [PATCH 56/96] classes/gtk-icon-cache: fix libdir passed to the postrm intercept Back in 2015[1] I fixed the libdir passed to the postinst intercept, but I forgot to also update the postrm intercept. This should also be libdir_native, not libdir. [ YOCTO #13896 ] [1] oe-core 0fe8400717 ("gtk-icon-cache: pass the native libdir to the intercept") Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 92dd67114be325e019c149bddaf5f874f6917094) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/classes-recipe/gtk-icon-cache.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/gtk-icon-cache.bbclass b/meta/classes-recipe/gtk-icon-cache.bbclass index 9ecb49916c2a..2ff10c211815 100644 --- a/meta/classes-recipe/gtk-icon-cache.bbclass +++ b/meta/classes-recipe/gtk-icon-cache.bbclass @@ -46,7 +46,7 @@ gtk_icon_cache_postrm() { if [ "x$D" != "x" ]; then $INTERCEPT_DIR/postinst_intercept update_gtk_icon_cache ${PKG} \ mlprefix=${MLPREFIX} \ - libdir=${libdir} + libdir_native=${libdir_native} else for icondir in /usr/share/icons/* ; do if [ -d $icondir ] ; then From 96efecfbb2d1eaa24e1c96fbd6593a7087464844 Mon Sep 17 00:00:00 2001 From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Date: Wed, 3 Jun 2026 12:38:11 +0200 Subject: [PATCH 57/96] python3: CVE-2026-3087 not applicable CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087 The CVE is only applicable to Windows OS Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/python/python3_3.12.13.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 3e28a3942bdd..bf0e1702d54a 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -63,6 +63,7 @@ CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Win # The module will be removed in the future and flaws documented. CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way" CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour" +CVE_STATUS[CVE-2026-3087] = "not-applicable-platform: Issue only applies on Windows" PYTHON_MAJMIN = "3.12" From b976aed4282df6becec170ba6085e54df281603f Mon Sep 17 00:00:00 2001 From: Jonas Munsin <jonas.munsin@gehealthcare.com> Date: Tue, 2 Jun 2026 08:18:25 -0700 Subject: [PATCH 58/96] bzip2: set CVE_PRODUCT Add CVE_PRODUCT to bzip2 Signed-off-by: Jonas Munsin <jonas.munsin@gehealthcare.com> Signed-off-by: Maxin John <maxin.john@gehealthcare.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bc889ea799cc82f7fa018baabca0b821c1209897) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-extended/bzip2/bzip2_1.0.8.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb index 4e3a06f24081..f92249086850 100644 --- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb +++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb @@ -66,5 +66,7 @@ FILES:libbz2 = "${libdir}/lib*${SOLIBS}" RDEPENDS:${PN}-ptest += "make bash" +CVE_PRODUCT = "bzip:bzip2" + PROVIDES:append:class-native = " bzip2-replacement-native" BBCLASSEXTEND = "native nativesdk" From 3a157840148e14ec9019a008ab94e7f708baac05 Mon Sep 17 00:00:00 2001 From: Himanshu Jadon <hjadon@cisco.com> Date: Tue, 2 Jun 2026 06:31:14 -0700 Subject: [PATCH 59/96] apr-util: Add CVE_PRODUCT to support product name apr-util is tracked in NVD under apache:apr-util, while a smaller set of newer CVEs also appears under apache:portable_runtime_utility. Set CVE_PRODUCT accordingly so cve-check can cover both the historical and current NVD product identities used for APR-util. Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> (cherry picked from commit 927b505c982ed7443aed348ca54b0073ac63d938) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-support/apr/apr-util_1.6.3.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/apr/apr-util_1.6.3.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb index 1371e262ddb5..3a5f52d25015 100644 --- a/meta/recipes-support/apr/apr-util_1.6.3.bb +++ b/meta/recipes-support/apr/apr-util_1.6.3.bb @@ -95,3 +95,6 @@ do_install_ptest() { cp -r ${B}/test/$i $t; \ done } + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "apache:apr-util apache:portable_runtime_utility" From d93c564790a51b53347bde257151c778e8867624 Mon Sep 17 00:00:00 2001 From: Himanshu Jadon <hjadon@cisco.com> Date: Tue, 2 Jun 2026 06:29:29 -0700 Subject: [PATCH 60/96] apr: Add CVE_PRODUCT to support product name apr is tracked in NVD under apache:portable_runtime rather than the recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the correct NVD product identity for APR. No additional alias was found to be necessary for this recipe. Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> (cherry picked from commit bc3803e12d4938e2de514c39bd5d0f011f883ace) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-support/apr/apr_1.7.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/apr/apr_1.7.5.bb b/meta/recipes-support/apr/apr_1.7.5.bb index 78796476e225..7a3445aa2017 100644 --- a/meta/recipes-support/apr/apr_1.7.5.bb +++ b/meta/recipes-support/apr/apr_1.7.5.bb @@ -136,3 +136,6 @@ do_install_ptest() { } export CONFIG_SHELL="/bin/bash" + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "apache:portable_runtime" From 8aab8b31425b3820ef65fc40061b9377c574607b Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Tue, 2 Jun 2026 23:09:39 -0700 Subject: [PATCH 61/96] go-binary-native: set status for CVE-2026-39836 This issue affects Windows only. The net.Dial and net.LookupPort functions can panic when given input containing a NUL byte. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-39836 https://security-tracker.debian.org/tracker/CVE-2026-39836 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-binary-native_1.22.12.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb index 7688a090f40e..dd84021cc9e3 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb @@ -19,6 +19,7 @@ UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" CVE_PRODUCT = "golang:go" CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows" S = "${WORKDIR}/go" From 324359dcb7cbeb15ef51f5cc18924f590c81b1de Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Tue, 2 Jun 2026 03:26:17 -0700 Subject: [PATCH 62/96] go: set status for CVE-2026-39836 This issue affects Windows only. The net.Dial and net.LookupPort functions can panic when given input containing a NUL byte. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-39836 https://security-tracker.debian.org/tracker/CVE-2026-39836 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f85104d6f15d..c825ebd25a3d 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -65,3 +65,4 @@ SRC_URI += "\ SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows" From 8c56e85dd02063da5630c9b73fb242686a970e20 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Mon, 1 Jun 2026 10:44:25 -0700 Subject: [PATCH 63/96] rust,libstd-rs: set status for CVE-2024-3566 The vulnerability is Windows-specific and depends on command-line handling through CreateProcess, which does not apply to Linux/Yocto builds. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3566 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/rust/rust-source.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc index 5b433ceae78c..318c7f0e2936 100644 --- a/meta/recipes-devtools/rust/rust-source.inc +++ b/meta/recipes-devtools/rust/rust-source.inc @@ -23,3 +23,4 @@ UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src" CVE_STATUS[CVE-2024-24576] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-2024-43402] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows" From 004fc06a7792592f3847d92fc464347a279f998c Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Tue, 6 Aug 2024 14:55:51 -0400 Subject: [PATCH 64/96] oeqa/runtime/parselogs: update pci BAR ignore for kernel 6.10 The format of the pci BAR warnings we get on qemu boots has changed in 6.10+ via the following kernel commit: commit dc4e6f21c3f844ebc1c52b6920b8ec5dfc73f4e8 Author: Puranjay Mohan <puranjay@kernel.org> Date: Sat Nov 6 16:56:06 2021 +0530 PCI: Use resource names in PCI log messages Use the pci_resource_name() to get the name of the resource and use it while printing log messages. [bhelgaas: rename to match struct resource * names, also use names in other BAR messages] Link: https://lore.kernel.org/r/20211106112606.192563-3-puranjay12@gmail.com Signed-off-by: Puranjay Mohan <puranjay12@gmail.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Since it doesn't appear that we can do regex's in parselogs and the bar number is now in the middle of the message, we go with a slightly wider format of the message to ignore. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0a7126604b6536868600d43aff000a426384995c) [YC: In scarthgap, the breaking backported commit is in >=6.6.130: fffdb0fece19 ("PCI: Use resource names in PCI log messages")] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/lib/oeqa/runtime/cases/parselogs-ignores-qemuall.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/meta/lib/oeqa/runtime/cases/parselogs-ignores-qemuall.txt b/meta/lib/oeqa/runtime/cases/parselogs-ignores-qemuall.txt index b0c0fc9ddf46..143db40d63b2 100644 --- a/meta/lib/oeqa/runtime/cases/parselogs-ignores-qemuall.txt +++ b/meta/lib/oeqa/runtime/cases/parselogs-ignores-qemuall.txt @@ -13,6 +13,14 @@ FBIOPUT_VSCREENINFO failed, double buffering disabled # pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size) # pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size) invalid BAR (can't size) +# 6.10+ the invalid BAR warnings are of this format: +# pci 0000:00:00.0: [Firmware Bug]: BAR 0: invalid; can't size +# pci 0000:00:00.0: [Firmware Bug]: BAR 1: invalid; can't size +# pci 0000:00:00.0: [Firmware Bug]: BAR 2: invalid; can't size +# pci 0000:00:00.0: [Firmware Bug]: BAR 3: invalid; can't size +# pci 0000:00:00.0: [Firmware Bug]: BAR 4: invalid; can't size +# pci 0000:00:00.0: [Firmware Bug]: BAR 5: invalid; can't size +invalid; can't size # These should be reviewed to see if they are still needed wrong ELF class From 620a32621b5e7c33609fc6dbff01758303f41189 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:49:58 -0400 Subject: [PATCH 65/96] linux-yocto/6.6: update to v6.6.129 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 4fc00fe35d46 Linux 6.6.129 acf7c8972775 Revert "x86/kexec: add a sanity check on previous kernel's ima kexec buffer" 682d8e2f892b Linux 6.6.128 0ac0e02183c5 arm64: Fix sampling the "stable" virtual counter in preemptible section 18845fb30921 drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros fe418ef21efd NTB: ntb_transport: Fix too small buffer for debugfs_name 1cdff5d564fe tracing: Wake up poll waiters for hist files when removing an event e4e5026252b4 tracing: Fix checking of freed trace_event_file for hist files ad058a4317db net: nfc: nci: Fix parameter validation for packet data dc99b25ed4f7 arm64: Force the use of CNTVCT_EL0 in __delay() ad3640895956 x86/kexec: Copy ACPI root pointer address from config table 9c735a7d98c9 net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() 1e300c33ef3c net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle 6ccfcad1b582 ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR c854ab481ece cifs: some missing initializations on replay 6a3ce8c8ad80 fbcon: Remove struct fbcon_display.inverse b6de6d481cc2 fbdev: ffb: fix corrupted video output on Sun FFB1 3ed019654234 fbdev: of: display_timing: fix refcount leak in of_get_display_timings() e8c5d5f6cd66 fbdev: vt8500lcdfb: fix missing dma_free_coherent() a785c4e2a999 fbcon: check return value of con2fb_acquire_newinfo() 632d233cf2e6 ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() e075ec9b08f8 atm: fore200e: fix use-after-free in tasklets during device removal 9f8ad199844c net: intel: fix PCI device ID conflict between i40e and ipw2200 6eb571a37631 io_uring/filetable: clamp alloc_hint to the configured alloc range 0f4dcba31bf4 tracing: Fix to set write permission to per-cpu buffer_size_kb ec4445ae9e58 net: macb: Fix tx/rx malfunction after phy link down and up 013ac469596a octeontx2-af: CGX: fix bitmap leaks 0f85a9655445 net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean() 63afc078bba6 net: ethernet: marvell: skge: remove incorrect conflicting PCI ID 710657d3d31f LoongArch: Disable instrumentation for setup_ptwalker() 6868bd64dc90 LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT a50371c6ad99 LoongArch: Prefer top-down allocation after arch_mem_init() bb1a54f7f011 LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE 9efa154609cd ceph: supply snapshot context in ceph_zero_partial_object() 103e9d1d43e6 MIPS: rb532: Fix MMIO UART resource registration 953953abb66e cifs: Fix locking usage for tcon fields cc3f83b6fb37 staging: rtl8723bs: fix null dereference in find_network 369d369ed08f parisc: kernel: replace kfree() with put_device() in create_tree_node() a19b61fdb958 PCI: Fix pci_slot_trylock() error handling 65e794574069 net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe() error path 4857c37c7ba9 drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() 7a4fd19c567f tipc: fix RCU dereference race in tipc_aead_users_dec() 8e875cf8851b mtd: rawnand: pl353: Fix software ECC support f5da4c24aa6d usb: dwc2: fix resume failure if dr_mode is host 76c1123ffccf usb: dwc3: gadget: Move vbus draw to workqueue context aa8d68d97c7f scsi: ufs: core: Flush exception handling work when RPM level is zero d3e837e11ee9 perf/arm-cmn: Reject unsupported hardware configurations 9bd98d088f47 remoteproc: imx_rproc: Fix invalid loaded resource table detection d99a08c2b4d5 btrfs: continue trimming remaining devices on failure 41a09925ec68 arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y 1047ca2d8169 PCI/IOV: Fix race between SR-IOV enable/disable and hotplug 639265296fe6 Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV" cfccd3b8c51b kexec: derive purgatory entry from symbol bb273b68c171 ocfs2: fix reflink preserve cleanup issue 649c2e853608 rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net() 81c44a4bc168 mm/highmem: fix __kmap_to_page() build error 1eabfd2c437b iio: gyro: itg3200: Fix unchecked return value in read_raw 9d0ca11258e7 powerpc/smp: Add check for kcalloc() failure in parse_thread_groups() 442f5db91317 tools: Fix bitfield dependency failure e4709950acd4 dm mpath: make pg_init_delay_msecs settable 542dd6da35eb bus: fsl-mc: fix an error handling in fsl_mc_device_add() 65f5a17b6d56 usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN 22e460b6333a x86/kexec: add a sanity check on previous kernel's ima kexec buffer 57c4fd0f4b02 nvmem: Drop OF node reference on nvmem_add_one_cell() failure 13c1f31f777c nfsd: fix return error code for nfsd_map_name_to_[ug]id d92b8fac294b md/bitmap: fix GPF in write_page caused by resize race 142b1bba3299 PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions 708e20c66b27 KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() a6f660d62bc1 xfs: fix remote xattr valuelblk check 38613c01f69e xfs: fix freemap adjustments when adding xattrs to leaf blocks ffaf5c99d0f8 xfs: delete attr leaf freemap entries when empty e2e7c275f557 mfd: core: Add locking around 'mfd_of_node_list' 01aed2f1d7cb iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode a5b1ddbe31f4 media: verisilicon: AV1: Fix tile info buffer size 8be53110395e xfs: mark data structures corrupt on EIO and ENODATA 297bb8b1db60 selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs aa5f25d55cda mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations 8dcff1979381 drm: of: drm_of_panel_bridge_remove(): fix device_node leak 52920a853381 media: venus: vdec: restrict EOS addr quirk to IRIS2 only 225f2221b422 media: venus: vdec: fix error state assignment for zero bytesused 272d44fa7bce arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro ed36f6ae0039 dm-unstripe: fix mapping bug when there are multiple targets in a table fb49f209995f dm-integrity: fix recalculation in bitmap mode de7934627cc4 s390/pci: Handle futile config accesses of disabled devices directly 1c7c87cf18da clk: tegra: tegra124-emc: Fix potential memory leak in tegra124_clk_register_emc() 0f0809bfe4fa media: i2c: ov01a10: Fix digital gain range 85cc6574f21b clk: clk-apple-nco: Add "apple,t8103-nco" compatible 3880e331b0b3 KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation e113339cc7d2 soc: ti: pruss: Fix double free in pruss_clk_mux_setup() d451bf970a0c soc: ti: k3-socinfo: Fix regmap leak on probe failure 7daf279c674d dm: clear cloned request bio pointer when last clone bio completes 2d10a3dad8d6 dm-integrity: fix a typo in the code for write/discard race d03a29cb36d6 media: i2c: ov5647: use our own mutex for the ctrl lock 089625cccd7e media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode c146483bad46 media: i2c: ov5647: Sensor should report RAW color space e5f4aad2627d media: i2c: ov5647: Correct minimum VBLANK value 1f413dac763a media: i2c: ov5647: Correct pixel array offset cabd025182cf media: i2c: ov5647: Initialize subdev before controls c9af1818387f media: ccs: Avoid possible division by zero 0c074e80921f media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() 8de39720e7a3 media: i2c: ov01a10: Fix test-pattern disabling a14a3cef8017 media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls 567a03fe8d08 media: i2c: ov01a10: Fix analogue gain range e2f6d78dc3a8 media: i2c: ov01a10: Fix reported pixel-rate value bb2b049f75f1 media: i2c: ov01a10: Fix the horizontal flip control ccb92def042a media: i2c/tw9906: Fix potential memory leak in tw9906_probe() 9cb9eca33d20 media: i2c/tw9903: Fix potential memory leak in tw9903_probe() 046c5db6bbba media: cx25821: Add missing unmap in snd_cx25821_hw_params() 544215cc37d0 media: cx23885: Add missing unmap in snd_cx23885_hw_params() 10ab64f8efc2 media: cx88: Add missing unmap in snd_cx88_hw_params() 27c508f61963 media: radio-keene: fix memory leak in error path dd8508820246 media: verisilicon: AV1: Set IDR flag for intra_only frame type 8305902ac038 arm64: dts: apple: t8112-j473: Keep the HDMI port powered on b74bf7d0d01f HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() 3f1b21cc67a1 HID: prodikeys: Check presence of pm->input_ep82 243e1165eb03 HID: magicmouse: Do not crash on missing msc->input 449004434e1f HID: hid-pl: handle probe errors cad7442ff23b arm64: Disable branch profiling for all arm64 code deb8f6dfd31d KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding 275e15fd1cf7 ARM: omap2: Fix reference count leaks in omap_control_init() b44eb959159f media: verisilicon: AV1: Fix tx mode bit setting 8ad7e6ea46a9 media: verisilicon: AV1: Fix enable cdef computation 564fd3a63efc media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() 12cafc15d246 media: mtk-mdp: Fix error handling in probe function 637510cb5bed media: mediatek: encoder: Fix uninitialized scalar variable issue 031f2adc1499 dm-verity: correctly handle dm_bufio_client_create() failure a9ddc035050a fpga: dfl: use subsys_initcall to allow built-in drivers to be added d6f5aed42760 ASoC: SOF: ipc4-control: Keep the payload size up to date e1dd7092fa8f ASoC: SOF: ipc4-control: Use the correct size for scontrol->ipc_control_data 59fe643f21b9 ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls 3a5a4b066329 ASoC: SOF: ipc4-control: If there is no data do not send bytes update 955e2d6e5e0a clk: renesas: rzg2l: Select correct div round macro a4be3b90ba9d clk: renesas: rzg2l: Fix intin variable size 90c8353f4718 rpmsg: core: fix race in driver_override_show() and use core helper 7ef82863d422 netfilter: nf_conntrack_h323: fix OOB read in decode_choice() b690635d4719 dpaa2-switch: validate num_ifs to prevent out-of-bounds write 9ac6aebef4b4 net: consume xmit errors of GSO frames 175881094756 net/mlx5: Fix missing devlink lock in SRIOV enable error path 54fb0577ebe7 net/mlx5: DR, Fix circular locking dependency in dump b324327ff6f4 RDMA/umem: Fix double dma_buf_unpin in failure path 35854ed5c40b net: usb: pegasus: enable basic endpoint checking df001db47708 RDMA/efa: Fix typo in efa_alloc_mr() 337d7b4112a4 net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets 52d469319ced RDMA/core: Fix stale RoCE GIDs during netdev events at registration 0b7d596da5de tipc: fix duplicate publication key in tipc_service_insert_publ() 481ea39b342c Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ efcdb4da480c Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ 1a138921ce56 Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ 1d93a369b5aa Bluetooth: hci_qca: Cleanup on all setup failures 7247f340f824 Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ 2983b39f8c0d Remove WARN_ALL_UNSEEDED_RANDOM kernel config option 1f40fde29349 wifi: cfg80211: wext: fix IGTK key ID off-by-one 322437972f0a net: ethernet: xscale: Check for PTP support properly 854f5997df49 net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set() 19f359963ae8 net: usb: lan78xx: scan all MDIO addresses on LAN7801 ef9b10a02050 net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode 166801e49a5b xfrm: always flush state and policy upon NETDEV_UNREGISTER event 56d5c0557e53 ipmi: ipmb: initialise event handler read bytes f13e4fe961a7 xfrm: skip templates check for packet offload tunnel mode 719918fc88df xfrm6: fix uninitialized saddr in xfrm6_get_saddr() d0559d07afab ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut 85c9daa1f831 ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access a4557dc20df4 rtc: zynqmp: correct frequency value 61bd8787c605 drm/amd/display: Remove conditional for shaper 3DLUT power-on 0b284a7ce311 btrfs: replace BUG() with error handling in __btrfs_balance() 8995fc0e00b3 ALSA: usb-audio: Add sanity check for OOB writes at silencing 6a997eb80644 drm/radeon: Add HAINAN clock adjustment 5b9af0342402 drm/amdgpu: Add HAINAN clock adjustment c26bde6301f2 ALSA: usb-audio: Update the number of packets properly at receiving d2e92247b24a drm/amdgpu: Adjust usleep_range in fence wait 068dee782c8c drm/amd/display: Avoid updating surface with the same surface under MPO 1a7f1116c7f8 ARM: 9467/1: mm: Don't use %pK through printk 44373b1e9c12 include: uapi: netfilter_bridge.h: Cover for musl libc 9f33e83c8393 thermal: int340x: Fix sysfs group leak on DLVR registration failure e1dc45d97975 libceph: define and enforce CEPH_MAX_KEY_LEN a87a445ac1d9 ceph: supply snapshot context in ceph_uninline_data() 2f5c626ea792 fs/ntfs3: avoid calling run_get_entry() when run == NULL in ntfs_read_run_nb_ra() ad0d779cdc26 fs/ntfs3: drop preallocated clusters for sparse and compressed files 8d8c70b57dbe fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST af839013c70a fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata 68e32694be23 fs: ntfs3: check return value of indx_find to avoid infinite loop 6dedf0369f2a MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE da08099d5f7a iio: magnetometer: Remove IRQF_ONESHOT 53f2152b48d5 iio: Use IRQF_NO_THREAD be5465701341 Revert "mfd: da9052-spi: Change read-mask to write-mask" dc3bc979814b phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature afb941338c8e phy: mvebu-cp110-utmi: fix dr_mode property read from dts d476130e53d3 watchdog: imx7ulp_wdt: handle the nowayout option 0883ddd583ed binder: don't use %pK through printk 1d7120244b54 fix it87_wdt early reboot by reporting running timer 4ff5ab3e7141 serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA termination is done 8311bb40698b staging: rtl8723bs: fix memory leak on failure path 03a2f7f9864c misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66 ece3722169ba misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() c219c20cc357 dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings f89324e2e09d dmaengine: sun6i: Choose appropriate burst length under maxburst f9305dda5015 fpga: of-fpga-region: Fail if any bridge is missing b2bbcaa36c1a usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs 32ccda4895ba serial: 8250_dw: handle clock enable errors in runtime_resume 52b42c24750a staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure cd496527efa8 soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of NUC15) 3be7beef4a05 m68k: nommu: fix memmove() with differently aligned src and dest for 68000 6ce681cf8082 clk: microchip: core: correct return value on *_get_parent() e2809ad08252 mailbox: sprd: clear delivery flag before handling TX done 4c4679b31b9d remoteproc: mediatek: Break lock dependency to `prepare_lock` 332fb842181e mailbox: sprd: mask interrupts that are not handled 17ee46882b3e mailbox: imx: Skip the suspend flag for i.MX7ULP 51edcbd17c8d mailbox: pcc: Remove spurious IRQF_ONESHOT usage f720e653aa1a remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX channel is uninitialized cb6c4aa73491 tracing: Fix false sharing in hwlat get_sample() 9566c87101b2 vhost: fix caching attributes of MMIO regions by setting them explicitly f1bf5ebd5fda scsi: buslogic: Reduce stack usage d16337560750 hisi_acc_vfio_pci: update status after RAS error 559e227b1df7 ata: libata: avoid long timeouts on hot-unplugged SATA DAS 55de264a4d32 RDMA/rtrs-clt: For conn rejection use actual err number 3819890d6ab2 nfc: nxp-nci: remove interrupt trigger type 392e3d44841d myri10ge: avoid uninitialized variable use 6e2a6100ac5b PCI: Mark Nvidia GB10 to avoid bus reset 846b226065fe PCI: Add ACS quirk for Qualcomm Hamoa & Glymur ec494c0260bf PCI: Enable ACS after configuring IOMMU for OF platforms a2376e912723 PCI: Fix pci_slot_lock () device locking f5ea62163a78 PCI: Mark ASM1164 SATA controller to avoid bus reset 391200c274e9 net/rds: Clear reconnect pending bit f713dcd2ce83 vmw_vsock: bypass false-positive Wnonnull warning with gcc-16 7a8acafd45a9 net: usb: sr9700: remove code to drive nonexistent multicast filter 87465580215c wifi: ath10k: fix lock protection in ath10k_wmi_event_peer_sta_ps_state_chg() b015d4c70c9a wifi: rtw89: pci: restore LDO setting after device resume d9b549b6951b octeontx2-af: Workaround SQM/PSE stalls by disabling sticky 37f4e6804d98 Bluetooth: btusb: Add device ID for Realtek RTL8761BU c051ef2f61f4 Bluetooth: btusb: Add new VID/PID for RTL8852CE 07960da05c0d Bluetooth: hci_conn: use mod_delayed_work for active mode timeout c06dbfd954c9 Bluetooth: hci_conn: Set link_policy on incoming ACL connections 9eaeba5600e5 ipv4: fib: Annotate access to struct fib_alias.fa_state. 31d4bb68f436 wifi: iwlegacy: add missing mutex protection in il3945_store_measurement() 941e3066441c wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power() 2ace7ac88cb0 net: hns3: extend HCLGE_FD_AD_QID to 11 bits d5cd3bb7794e ipv4: igmp: annotate data-races around idev->mr_maxdelay ab2848d3783a gro: change the BUG_ON() in gro_pull_from_frag0() f0f729bdffb0 net/rds: No shortcut out of RDS_CONN_ERROR db62e9f44838 wifi: iwlwifi: mvm: check the validity of noa_len 116bc0980e91 net: usb: r8152: fix transmit queue timeout f4bf64072c36 openrisc: define arch-specific version of nop() 07a9b32eaae7 netfilter: xt_tcpmss: check remaining length before reading optlen 89f50775d883 netfilter: nf_conntrack: Add allow_clash to generic protocol handler 99c75e53cec0 ext4: mark group extend fast-commit ineligible 0d5fcb063cda ext4: move ext4_percpu_param_init() before ext4_mb_init() 83b074b69022 ext4: mark group add fast-commit ineligible 46ed4e9c8d30 ipv6: exthdrs: annotate data-race over multiple sysctl 55170230de66 ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}() f73528f140f1 wifi: ath12k: fix preferred hardware mode calculation c5547727bd1c wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1 ddfe47664cc6 PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port d880c9b73890 wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode f2f65b28d802 iommu/amd: move wait_on_sem() out of spinlock 5bfb25495e39 wifi: libertas: fix WARNING in usb_tx_block 9ff4843e6ea3 iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency 4f9e7ca933a9 dm: remove fake timeout to avoid leak request df379f57c2cd dm: replace -EEXIST with -EBUSY dd181178c245 wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H a96d161cfdb1 wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() 9fdce77e38c1 wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero f70fcbc2ac7c jfs: nlink overflow in jfs_rename 68f7fc769243 jfs: Add missing set_freezable() for freezable kthread 34506cb119bb ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio 8fb5c4c979ae modpost: Amend ppc64 save/restfpr symnames for -Os build fecfe41f7ed0 ASoC: es8328: Add error unwind in resume 18c67fb3750b hwmon: (f71882fg) Add F81968 support f8ddbe303419 hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE 2d48f60307e6 ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional() in max98390_i2c_probe() 3383271464b7 spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end 19513daa8d13 ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio d1b6536ac20d gpio: aspeed-sgpio: Change the macro to support deferred probe 98c0e07dc7d6 ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro 49afc2e5bfae HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK 4df1e6252d07 HID: multitouch: add eGalaxTouch EXC3188 support 876bb1eabdb1 media: rkisp1: Fix filter mode register configuration ac2d898da509 drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release 80b8b0df370f drm/atmel-hlcdc: don't reject the commit if the src rect has fractional parts ec40702029b0 drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback af67b50311e7 virt: vbox: uapi: Mark inner unions in packed structs as packed 34eae7e0ab61 hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed bbfaa5761f58 drm: Account property blob allocations to memcg e97de3e924b3 drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map() 30aaed311f97 media: v4l2-async: Fix error handling on steps after finding a match 4010e596d23c media: cx25821: Fix a resource leak in cx25821_dev_setup() 33af366211ee media: solo6x10: Check for out of bounds chip_id 4ba5c7a1aade media: pvrusb2: fix URB leak in pvr2_send_request_ex 45d9a0cd1b88 media: adv7180: fix frame interval in progressive mode f5a5a824f0ac media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START 81bc7d5e7897 spi: spi-mem: Limit octal DTR constraints to octal DTR situations 822530fb85d8 ASoC: wm8962: Don't report a microphone if it's shorted to ground on plug 21f6e02a1910 ASoC: wm8962: Add WM8962_ADC_MONOMIX to "3D Coefficients" mask 04184bcb50f5 HID: apple: Add "SONiX KN85 Keyboard" to the list of non-apple keyboards 55462d16cb9c drm/amdgpu: avoid a warning in timedout job handler 40e0b938db37 drm/amdgpu: add support for HDP IP version 6.1.1 b0d35bc9c159 media: mediatek: vcodec: Don't try to decode 422/444 VP9 38ef3e1e1e9b media: omap3isp: set initial format d490523d2374 media: omap3isp: isppreview: always clamp in preview_try_format() a9d1d7d27151 media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes 2663ef70c612 drm/v3d: Set DMA segment size to avoid debug warnings 50e8aac244e7 spi: stm32: fix Overrun issue at < 8bpw 8b971c21603a media: dvb-core: dmxdevfilter must always flush bufs b2a97f2259f6 spi-geni-qcom: use xfer->bits_per_word for can_dma() 5d0814ad6654 spi-geni-qcom: initialize mode related registers to 0 ac9a7c329a56 drm/display/dp_mst: Add protection against 0 vcpi afa0bfe1437d parisc: Prevent interrupts during reboot 12535a5d5d64 arm64: tegra: smaug: Add usb-role-switch support 1da904e84de6 pstore: ram_core: fix incorrect success return when vmap() fails a4345acbe390 char: tpm: cr50: Remove IRQF_ONESHOT 3e656f767407 mailbox: bcm-ferxrm-mailbox: Use default primary handler 7b9394e49720 crypto: hisilicon/qm - move the barrier before writing to the mailbox register 5f007c6acaa7 PCI/MSI: Unmap MSI-X region on error f557c206c32e clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency on OF 6f113ab549b8 clocksource/drivers/sh_tmu: Always leave device running after probe c8a34bceefbc bpf: verifier improvement in 32bit shift sign extension pattern 47bbd0cb7db3 sparc: don't reference obsolete termio struct for TC* constants 6aa04820dbfe sparc: Synchronize user stack on fork and clone 648aa7ce0bd8 blk-mq-debugfs: add missing debugfs_mutex in blk_mq_debugfs_register_hctxs() 9150176cbf71 xenbus: Use .freeze/.thaw to handle xenbus devices 2050a5cff32c perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD 84a17b7b292d s390/perf: Disable register readout on sampling events bafd4aa1908a cpufreq: dt-platdev: Block the driver from probing on more QC platforms a61c1bc84c4a md-cluster: fix NULL pointer dereference in process_metadata_update b4a0b646cc28 ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP 01e8751b37a3 ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() 64eb63f573f4 EFI/CPER: don't go past the ARM processor CPER record buffer e0ec99115e13 APEI/GHES: ensure that won't go past CPER allocated record 5a9b1dda8481 EFI/CPER: don't dump the entire memory region 6ea4b7bc2e7b x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE is set 30868a6a5238 rnbd-srv: Zero the rsp buffer before using it fd7e360845d3 arm64: Add support for TSV110 Spectre-BHB mitigation 94ab05af1d96 perf/arm-cmn: Support CMN-600AE 61cd0b287fb9 s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS 7823e09a68b5 tools/power cpupower: Reset errno before strtoull() 93e8e3ee165a smb: client: prevent races in ->query_interfaces() e428670cfb29 gfs2: fiemap page fault fix 048b58edc57d smb: client: add proper locking around ses->iface_last_update 8b5dcfa97bf3 btrfs: handle user interrupt properly in btrfs_trim_fs() 2bb588cede1c minix: Add required sanity checking to minix_check_superblock() 43ccadb866de i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr() de9affb698d5 hfsplus: pretend special inodes as regular files f5d27ad99fca audit: add missing syscalls to read class c1b6227555c5 fs/buffer: add alert in try_to_free_buffers() for folios without buffers bccd4ebbdac3 hfsplus: fix volume corruption issue for generic/498 91e27bc79c3b audit: add fchmodat2() to change attributes class 4bde6678bc54 rtc: interface: Alarm race handling should not discard preceding error 4927e2d29b74 libperf build: Always place libperf includes first 5cf6e76e4f4f libperf: Don't remove -g when EXTRA_CFLAGS are used 66e9b70c64df libsubcmd: Fix null intersection case in exclude_cmds() 56042755b72f perf callchain: Fix srcline printing with inlines eddddf4ed7f6 perf unwind-libdw: Fix invalid reference counts 985d844a5997 perf test stat tests: Fix for virtualized machines fa99e8717a68 perf test stat: Update test expectations and events 8f36abf181c2 ASoC: dt-bindings: asahi-kasei,ak5558: Fix the supply names f939f666ec02 ASoC: dt-bindings: asahi-kasei,ak4458: Fix the supply names ce18fa88b154 ASoC: dt-bindings: asahi-kasei,ak4458: set unevaluatedProperties:false 655c9ba9915f SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path df10f23defff SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths 97503a852d3b ata: libata-scsi: refactor ata_scsi_translate() 51680e9a1680 ata: pata_ftide010: Fix some DMA timings f18f70123962 ext4: use optimized mballoc scanning regardless of inode format 4a79fde8db7e ext4: fix memory leak in ext4_ext_shift_extents() 93b2ebbbcb2e ext4: don't cache extent during splitting extent c0155dee51b9 MIPS: Work around LLVM bug when gp is used as global register variable c941c268ad00 drm/amd/display: Use same max plane scaling limits for all 64 bpp formats da0959402742 ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk 5fed5f6c6a02 x86/hyperv: Fix error pointer dereference 1ee1d006c9fe btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found b7bc182ec184 efi: Fix reservation of unaccepted memory table 3222c8020aeb s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n 9e5cb7e67fbd spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe() a98d73dcc339 spi: wpcm-fiu: Simplify with dev_err_probe() 978137e940de spi: wpcm-fiu: Fix uninitialized res 87e463136302 spi: wpcm-fiu: Use devm_platform_ioremap_resource_byname() 971bf8e61e9b drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 17e94789c216 drm/amdkfd: fix debug watchpoints for logical devices e975148b2c29 ASoC: codecs: aw88261: Fix erroneous bitmask logic in Awinic init 3a2f5a21285b drm/i915/acpi: free _DSM package when no connectors 29b2fbe3498d ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put() f8a5426652bd drm/amdgpu: Fix memory leak in amdgpu_ras_init() e87c73a80a12 drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() 8dc6beca70f0 apparmor: fix aa_label to return state from compount and component match b25298e89a29 apparmor: fix invalid deref of rawdata when export_binary is unset dbbe0a2e3e4b apparmor: make label_match return a consistent value 0563743d3f70 apparmor: remove apply_modes_to_perms from label_match 32928c1749e8 apparmor: refcount the pdb f89b657e1785 apparmor: provide separate audit messages for file and policy checks e78e00cf9eba apparmor: use passed in gfp flags in aa_alloc_null() 1f736dfe27c8 apparmor: fix rlimit for posix cpu timers 24bb7d11dc30 apparmor: return -ENOMEM in unpack_perms_table upon alloc failure 0dc19bca2260 apparmor: fix NULL sock in aa_sock_file_perm a4ff9e4f4ad4 net/mlx5: Fix multiport device check over light SFs f94a0de7b9f3 bonding: alb: fix UAF in rlb_arp_recv during bond up/down 8bc48c4fb636 octeontx2-af: Fix default entries mcam entry action 3f483a90634d inet: move icmp_global_{credit,stamp} to a separate cache line c9141a794fdc cache: add __cacheline_group_{begin, end}_aligned() (+ couple more) 8dacf34eb427 netns-ipv4: reorganize netns_ipv4 fast path variables 1402ebe132a9 cache: enforce cache groups 4ec8a98b3dc3 tcp: Set pingpong threshold via sysctl b4d5e97679bc tcp: defer regular ACK while processing socket backlog 22023ffad74c icmp: prevent possible overflow in icmp_global_allow() b0da61015db2 icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns e0987b6c3b34 icmp: move icmp_global.credit and icmp_global.stamp to per netns storage 19c7d8ac5198 macvlan: observe an RCU grace period in macvlan_common_newlink() error path b5c84070333a ping: annotate data-races in ping_lookup() 6b6b2fbd66d8 bpftool: Fix truncated netlink dumps db4636748c22 ipv6: fix a race in ip6_sock_set_v6only() 7017745068a9 netfilter: nf_tables: fix use-after-free in nf_tables_addchain() 9464ca7a6e56 net: remove WARN_ON_ONCE when accessing forward path array 60e921703943 netfilter: nf_conntrack_h323: don't pass uninitialised l3num value f199874c199b selftests: forwarding: vxlan_bridge_1d_ipv6: fix test failure with br_netfilter enabled 3c2b767a8ae2 selftests: forwarding: vxlan_bridge_1d: fix test failure with br_netfilter enabled d0fdad1bdd21 net: bridge: mcast: always update mdb_n_entries for vlan contexts 779a9ae0ef22 net/rds: rds_sendmsg should not discard payload_len 88b0fced1bbb xen-netback: reject zero-queue configuration from guest 163d04897e57 net: usb: catc: enable basic endpoint checking b067e6c7973b net: sparx5/lan969x: fix PTP clock max_adj value bcc60ad129ae ipv6: Fix out-of-bound access in fib6_add_rt2node(). cc1b179f778f net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj() 357a3544a385 net: mscc: ocelot: split xmit into FDMA and register injection paths 487fac2388ad net: mscc: ocelot: extract ocelot_xmit_timestamp() helper d6f03772d9c0 net: sparx5/lan969x: fix DWRR cost max to match hardware register width 9eefda7a03ef selftests: mlxsw: tc_restrictions: Fix test failure with new iproute2 5c577ac939bc cpuidle: Skip governor when only one idle state is available 7bb9178df6f0 ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO d389943443c5 selftests/memfd: use IPC semaphore instead of SIGSTOP/SIGCONT 2efc98314a61 selftests/memfd: delete unused declarations d809ee17c0d1 kbuild: Add objtool to top-level clean target e156a104ba26 powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check 727992102836 ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs a584b9d1059b fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot 71c8b966ec56 fs/ntfs3: prevent infinite loops caused by the next valid being the same fb2d7c30d030 io_uring/cancel: de-unionize file and user_data in struct io_cancel_data 533d495f15e4 dmaengine: fsl-edma: don't explicitly disable clocks in .remove() 592833ea0051 dmaengine: fsl-edma-main: Convert to platform remove callback returning void a489f1fd52bc backlight: qcom-wled: Change PM8950 WLED configurations 82f2eaab2f94 backlight: qcom-wled: Support ovp values for PMI8994 97790c9b255d leds: qcom-lpg: Check the return value of regmap_bulk_write() 99cc7352156c pinctrl: single: fix refcount leak in pcs_add_gpio_func() eccf17c0a801 pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition e8e960c3d23f iio: sca3000: Fix a resource leak in sca3000_probe() 43b6f69e1806 ovl: Fix uninit-value in ovl_fill_real d26685b2d9ad pinctrl: equilibrium: Fix device node reference leak in pinbank_init() 4f531b1a5468 usb: bdc: fix sleep during atomic c5bde5357e10 drivers: iio: mpu3050: use dev_err_probe for regulator request 29040d42d641 mfd: simple-mfd-i2c: Add Delta TN48M CPLD support fd1a3a0b98a9 mfd: simple-mfd-i2c: Keep compatible strings in alphabetical order d9e5d3e1924a mfd: simple-mfd-i2c: Add SpacemiT P1 support 07fb61ff35fd mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA b07aa526d053 mfd: simple-mfd-i2c: Add MAX77705 support 3ea01691738b mfd: arizona: Fix regulator resource leak on wm5102_clear_write_sequencer() failure 9c858ef369bb Revert "mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms" b359ca27c589 coresight: etm3x: Fix cpulocked warning on cpuhp 2fad88d7760c watchdog: starfive-wdt: Fix PM reference leak in probe error path 7281a0c907cc iio: pressure: mprls0025pa: fix scan_type struct 6dd1e95cc554 mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms 24ec8015beca serial: SH_SCI: improve "DMA support" prompt c233e1e81873 serial: imx: change SERIAL_IMX_CONSOLE to bool 65f2c608096d staging: greybus: lights: avoid NULL deref e230aee60444 dma: dma-axi-dmac: fix SW cyclic transfers 6be32baf6541 dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX 06c8ed283635 clk: mediatek: Fix error handling in runtime PM setup 547ae2f17349 clk: qcom: gfx3d: add parent to parent request map bb5de8aca640 clk: qcom: dispcc-sdm845: Enable parents for pixel clocks ae56e2c27f6d clk: Move clk_{save,restore}_context() to COMMON_CLK section d81b51c8a7ed clk: qcom: gcc-ipq5018: flag sleep clock as critical 048fbee3e431 clk: qcom: gcc-msm8917: Remove ALWAYS_ON flag from cpp_gdsc df1c437bfca4 clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc 915e7579855e clk: qcom: gcc-qdu1000: Update the SDCC RCGs to use shared_floor_ops d31b1b143819 clk: qcom: gcc-sdx75: Update the SDCC RCGs to use shared_floor_ops 45a013dabc5f clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops ac003c1a80d9 clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs 1e1664eb6f24 clk: qcom: rcg2: compute 2d using duty fraction directly 8cb92d27454e clk: qcom: gcc-sm8550: Use floor ops for SDCC RCGs 3e5349e54113 fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() 68dae7b64c31 fbdev: of_display_timing: Fix device node reference leak in of_get_display_timings() ca81f7811dfe tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros 7e6556e9329b tracing: Properly process error handling in event_hist_trigger_parse() aa6e847e2795 fs/nfs: Fix readdir slow-start regression c1f244f7868c nvdimm: virtio_pmem: serialize flush requests 25d623f0d77c scsi: csiostor: Fix dereference of null pointer rn 94a6c85a68bc scsi: ufs: host: mediatek: Require CONFIG_PM fdf1188cfa80 scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() 8e3d91135417 pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN 34276d267742 RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc 685163733ed1 power: supply: qcom_battmgr: Recognize "LiP" as lithium-polymer d2a6ca4c0748 mtd: spinand: Fix kernel doc 9fbbd62436ce mtd: parsers: ofpart: fix OF node refcount leak in parse_fixed_partitions() 5f1a84bb4a95 cxl: Fix premature commit_end increment on decoder commit failure db830aea65e4 RDMA/core: add rdma_rw_max_sge() helper for SQ sizing 6faf28106ea1 svcrdma: Reduce the number of rdma_rw contexts per-QP 63a45e2a1264 svcrdma: Increase the per-transport rw_ctx count 46ccddede7be svcrdma: Clean up comment in svc_rdma_accept() 4965711d22a0 svcrdma: Remove queue-shortening warnings 91cb7ff68604 RDMA/core: Fix a couple of obvious typos in comments 756c93d6df7c RDMA/rxe: Fix race condition in QP timer handlers bf1feed1a788 RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send 0f5e62ea5c43 mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse() 1733d168099e crypto: ccp - Send PSP_CMD_TEE_RING_DESTROY when PSP_CMD_TEE_RING_INIT fails 2abf05a122cf crypto: ccp - Factor out ring destroy handling to a helper b2e7e269aba9 crypto: ccp - Move direct access to some PSP registers out of TEE 54541017ac6a crypto: ccp - Add an S4 restore flow 21f422a86ded mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper bc779d426ef1 tools/power/x86/intel-speed-select: Fix file descriptor leak in isolate_cpus() 26793db60925 RDMA/rxe: Fix double free in rxe_srq_from_init 9a0323f5e54e RDMA/rtrs-srv: fix SG mapping 86183153c299 power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed() 3af85f239648 power: supply: bq27xxx: fix wrong errno when bus ops are unsupported 7ac6501b587c power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write 2078830c32d1 power: supply: sbs-battery: Fix use-after-free in power_supply_changed() af261f218a76 power: supply: rt9455: Fix use-after-free in power_supply_changed() 77ea437faa4c power: supply: goldfish: Fix use-after-free in power_supply_changed() cbb9b07f88a9 power: supply: cpcap-battery: Fix use-after-free in power_supply_changed() 0de95d29d847 power: supply: bq25980: Fix use-after-free in power_supply_changed() cb5c743936ed power: supply: bq256xx: Fix use-after-free in power_supply_changed() 697bb5dc0cb4 power: supply: act8945a: Fix use-after-free in power_supply_changed() f50433f2603d power: supply: ab8500: Fix use-after-free in power_supply_changed() 2ad50784c9eb RDMA/hns: Notify ULP of remaining soft-WCs during reset 70a5eb757ace RDMA/hns: Fix WQ_MEM_RECLAIM warning 2fb573fa9d71 IB/cache: update gid cache on client reregister event 04b41f1d0e33 RDMA/rtrs: server: remove dead code d858a1d814d3 octeontx2-pf: Unregister devlink on probe failure 320b54651a59 ionic: Rate limit unknown xcvr type messages 69042a930eae octeon_ep: ensure dbell BADDR updation 664355e6f130 octeon_ep: set backpressure watermark for RX queues dc4d11c5f316 octeon_ep: disable per ring interrupts 2c33c53a9c8c octeon_ep: support Octeon CN10K devices a40e276b9696 octeon_ep: restructured interrupt handlers 77c641b3bd4e octeon_ep: support to fetch firmware info 331e2b705163 serial: caif: fix use-after-free in caif_serial ldisc_close() 2c1f59005da9 xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path d621dd67a72d net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers 31ca4fbf56d1 net: Add skb_dstref_steal and skb_dstref_restore dea1465394ff net: sunhme: Fix sbus regression e3f80666c273 net: atm: fix crash due to unvalidated vcc pointer in sigd_send() e131aac543cd smb: client: correct value for smbd_max_fragmented_recv_size 0e64bd46a04a procfs: fix missing RCU protection when reading real_parent in do_task_stat() 6dc10494cfe2 net: hns3: fix double free issue for tx spare buffer 44b2256b17f1 PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404] f1535d56fc3f netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets f7eb1903c6e0 netfilter: nft_counter: fix reset of counters on 32bit archs cfe35cb86256 netfilter: nft_set_hash: fix get operation on big endian 77eef9f2eef0 nfc: hci: shdlc: Stop timers and work before freeing context db76b75ede38 inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP 43f4661e9b2c bonding: only set speed/duplex to unknown, if getting speed failed 8b5ed7c5417b octeontx2-af: Fix PF driver crash with kexec kernel booting cf5967514735 mptcp: fix receive space timestamp initialization 2622f355e621 of: unittest: fix possible null-pointer dereferences in of_unittest_property_copy() e7c1e60802d8 ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit() 7dc4778ee848 ipc: don't audit capability check in ipc_permissions() 2c80b0974047 PCI/ACPI: Restrict program_hpx_type2() to AER bits 89db6475c0b4 PCI: Add defines for bridge window indexing 82bd7f9d08ce PCI: Add PCIE_MSG_CODE_ASSERT_INTx message macros 1f5438cb5d78 PCI: Log bridge info when first enumerating bridge f49c44723a70 PCI: Log bridge windows conditionally 988b8b98103c PCI: Supply bridge device, not secondary bus, to read window details 7fd6672a1bb0 PCI: Move pci_read_bridge_windows() below individual window accessors a79a3d1fd32c PCI: Initialize RCB from pci_configure_device() a7c08278f2d0 wifi: ath10k: sdio: add missing lock protection in ath10k_sdio_fw_crashed_dump() 62c2290dc976 tcp: tcp_tx_timestamp() must look at the rtx queue d3b7ffa90f61 fat: avoid parent link count underflow in rmdir 243f71ed873f nfsd: never defer requests during idmap lookup 0114244ec49a dm: use bio_clone_blkg_association c93f23375d8c iommu/vt-d: Flush cache for PASID table before using it bff7ac6b98fa PCI: Mark 3ware-9650SA Root Port Extended Tags as broken af0f0d30fd02 kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup() ecb0af907733 module: add helper function for reading module_buildid() 767f1a8c8483 netfilter: nf_conncount: fix tracking of connections from localhost abaa1508d5db netfilter: nft_compat: add more restrictions on netlink attributes 0792ad077d77 netfilter: nf_conncount: increase the connection clean up limit to 64 d12e9e90632c netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH 5802782366ba netfilter: nf_tables: reset table validation state on abort 4d7a05da767e wifi: cfg80211: stop NAN and P2P in cfg80211_leave 11f832532440 mctp i2c: initialise event handler read bytes f03666259d22 net: mctp-i2c: fix duplicate reception of old data 37ccd48cf35f quota: fix livelock between quotactl and freeze_super 96ac80ce22bc PCI/portdrv: Fix potential resource leak cf7e6dbb51a7 PCI: Do not attempt to set ExtTag for VFs a4176432d41e Documentation: tracing: Add PCI tracepoint documentation 60b896647d88 Documentation: trace: Refactor toctree b2f972293451 docs: fix WARNING document not included in any toctree bd43a6e85779 Documentation: tracing: Add ring-buffer mapping baa42b756d18 PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails d8e7624e2113 PCI/PM: Avoid redundant delays on D3hot->D3cold 63d3556c9a8e Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors 24c190a5a24e PCI: mediatek: Fix IRQ domain leak when MSI allocation fails f448acd86835 Revert "hwmon: (ibmpex) fix use-after-free in high/low store" 1ae5fd122398 spi: tools: Add include folder to .gitignore 169ae51f31b0 platform/chrome: cros_ec_lightbar: Fix response size initialization e3311645c7c1 media: uvcvideo: Fix allocation for small frame sizes 01fe5a26ccc6 platform/chrome: cros_typec_switch: Don't touch struct fwnode_handle::dev 0347548ccf07 drm/msm/a2xx: fix pixel shader start on A225 661152ffb0f2 media: ccs: Accommodate C-PHY into the calculation e7815709bc97 drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x 33acf9a4d6eb HID: playstation: Add missing check for input_ff_create_memless f0a6e4b27bad regulator: core: move supply check earlier in set_machine_constraints() 2d5b17e8364b drm/msm/disp/dpu: add merge3d support for sc7280 83d3d9ec347a drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init f721f873d3e1 ASoC: nau8821: Fixup nau8821_enable_jack_detect() 88a6bed89eb8 ASoC: nau8821: Avoid unnecessary blocking in IRQ handler e19f5b5d1059 ASoC: nau8821: Consistently clear interrupts before unmasking 1c7ee23dfcd1 smack: /smack/doi: accept previously used values 661d87242dd6 smack: /smack/doi must be > 0 34bacb3cc343 workqueue: Process rescuer work items one-by-one using a cursor c906c9d81fdf workqueue: Only assign rescuer work when really needed c17f947a6fca workqueue: Factor out assign_rescuer_work() e3b15841172e arm64: dts: qcom: sm6115: Add CX_MEM/DBGC GPU regions 4ffe98b89c9c arm64: dts: qcom: sdm845-db845c: specify power for WiFi CH1 c77d1b2f5e51 arm64: dts: qcom: sdm845-db845c: drop CS from SPIO0 1895ad99349e arm64: dts: amlogic: g12: assign the MMC A signal clock 44cd81bbb21b arm64: dts: amlogic: g12: assign the MMC B and C signal clocks 6a47c69a8bba arm64: dts: amlogic: gx: assign the MMC signal clocks 59f3138d11cc arm64: dts: amlogic: axg: assign the MMC signal clocks 716c8ebe0409 arm: dts: lpc32xx: add clocks property to Motor Control PWM device tree node 8461f646f68a ARM: dts: lpc32xx: Set motor PWM #pwm-cells property value to 3 cells 87a1f93986aa powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling 06195456c4e4 soc: mediatek: svs: Fix memory leak in svs_enable_debug_write() 993d41578772 soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in cmd_db_dev_probe c43e0a0353e5 powerpc/uaccess: Move barrier_nospec() out of allow_read_{from/write}_user() ac2c85d2a2f6 ARM: dts: allwinner: sun5i-a13-utoo-p66: delete "power-gpios" property dc62cf0814fa arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on 1aeb4ed95c3f arm64: dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on 93aaa53ecf20 arm64: dts: qcom: sdm630: fix gpu_speed_bin size e15f1e18cdf4 clk: qcom: Return correct error code in qcom_cc_probe_by_index() 458f7417fae0 arm64: dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings 063898a3f9ac EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size() e37f5e05b5bc EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size() 8afa17757873 soc: qcom: smem: handle ENOMEM error during probe cff0ef043e16 pstore/ram: fix buffer overflow in persistent_ram_save_old() 8ad5577b2d4a sched/rt: Skip currently executing CPU in rto_next_cpu() 322154c3981e mfd: wm8350-core: Use IRQF_ONESHOT 3db9471b23f5 EDAC/altera: Remove IRQF_ONESHOT adb69cc223d7 scsi: efct: Use IRQF_ONESHOT and default primary handler ddc34a1b8550 bpf: Fix bpf_xdp_store_bytes proto for read-only arg 74081d6c1da1 crypto: hisilicon/trng - support tfms sharing the device 260a9e382996 crypto: hisilicon/trng - modifying the order of header files 9681044e45c9 bpf, sockmap: Fix FIONREAD for sockmap acaf1ea47bbf bpf, sockmap: Fix incorrect copied_seq calculation 7111701a09cc hrtimer: Fix trace oddity 33a30bf9e0d4 crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware queue unavailable 6eae58af0c31 crypto: hisilicon/zip - adjust the way to obtain the req in the callback function ab8b2eaf7add crypto: hisilicon/zip - remove zlib and gzip 70b2f4fc1ede crypto: hisilicon/zip - support deflate algorithm 0aa430f4661d crypto: octeontx - fix dma_free_coherent() size 53e97a309cc3 crypto: cavium - fix dma_free_coherent() size 2b757fea9f4f ARM: VDSO: Patch out __vdso_clock_getres() if unavailable e1767524765e libbpf: Fix OOB read in btf_dump_get_bitfield_value 542bf32cf757 selftests/bpf: veristat: fix printing order in output_stats() 6e6abc72accf crypto: qat - fix warning on adf_pfvf_pf_proto.c abb6e07f46a7 s390/cio: Fix device lifecycle handling in css_alloc_subchannel() 27d7a35b8052 PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races 70e8af620210 perf: arm_spe: Properly set hw.state on failures 3deb7b6a2e31 PM: wakeup: Handle empty list in wakeup_sources_walk_start() d6749d0b8ddc Partial revert "x86/xen: fix balloon target initialization for PVH dom0" ef3b74d20f5e x86/xen: make some functions static 31cac6acf77e ublk: Validate SQE128 flag before accessing the cmd 8f3d79abdec0 iomap: fix submission side handling of completion side errors 597ec9e7f5cc md/raid10: fix any_working flag handling in raid10_sync_request 72b2db83705b cpuidle: governors: menu: Always check timers with tick stopped 0add3e6f91aa cpuidle: menu: Cleanup after loadavg removal ca762fa01f64 io_uring/sync: validate passed in offset f2cf475d23b8 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() 9cc9efa703f0 xen/virtio: Don't use grant-dma-ops when running as Dom0 7425453ea16d smb: client: fix potential UAF and double free in smb2_open_file() e3d1fd084319 btrfs: fix block_group_tree dirty_list corruption 46fb7ee9f852 btrfs: qgroup: return correct error when deleting qgroup relation item a51cff9be046 tpm: st33zp24: Fix missing cleanup on get_burstcount() error 948966e546f2 tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure 20ac431e02dc i3c: dw: Initialize spinlock to avoid upsetting lockdep d87268326b27 gfs2: Fix use-after-free in iomap inline data write path 4991b13cc9f1 gfs2: Add metapath_dibh helper 7e3b7a47867a gfs2: Retries missing in gfs2_{rename,exchange} b68be2b8b564 i3c: master: Update hot-join flag only on success 5560116126da fs: add <linux/init_task.h> for 'init_fs' 4b2a0a4e9428 i3c: Move device name assignment after i3c_bus_init e2647d540bea audit: move the compat_xxx_class[] extern declarations to audit_arch.h 979c708e6c9d rcu: Fix rcu_read_unlock() deadloop due to softirq dffd52d0d14e rcu: Remove local_irq_save/restore() in rcu_preempt_deferred_qs_handler() 3ccd035ef99d rcu: Refactor expedited handling check in rcu_read_unlock_special() 6cc7a424a39a rcu/exp: Move expedited kthread worker creation functions above rcutree_prepare_cpu() cb9eaff659dd rcu: s/boost_kthread_mutex/kthread_mutex 7b57ada854b3 hfsplus: return error when node already exists in hfs_bnode_create 2e000d8a5306 auxdisplay: arm-charlcd: fix release_mem_region() size a6a3e4af1099 RDMA/umad: Reject negative data_len in ib_umad_write ffba40b67663 RDMA/siw: Fix potential NULL pointer dereference in header processing Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 8685e5cbf6d9..8250679ed0f3 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "c45743dc8dc2ddfbe7bd165997e1f7cf887fa6b7" -SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" +SRCREV_machine ?= "8751b899ea5af349e8570e8985365290efa5e7d6" +SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.127" +LINUX_VERSION ?= "6.6.129" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index d6a9afdf17e2..bd4a10b56409 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.127" +LINUX_VERSION ?= "6.6.129" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "8247922ff493e4fef938ce36562cac9c0cce86aa" -SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" +SRCREV_machine ?= "d82c6cc64c037058c6bfd630f2d2604a38684c7d" +SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 92ad6afa3a5d..58a72979c53c 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "aa66687c1abe2afe2ee6c00c36bfaaf3d5d9636c" -SRCREV_machine:qemuarm64 ?= "cf88783fdb92901d9d228afb7d700c6575742f1b" -SRCREV_machine:qemuloongarch64 ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_machine:qemumips ?= "cbd6f9a670486dcd83ef0f8b90a75b2b7b44b447" -SRCREV_machine:qemuppc ?= "bce75aa765505d7db3bb1bfefb5d3f524a1a5b64" -SRCREV_machine:qemuriscv64 ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_machine:qemuriscv32 ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_machine:qemux86 ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_machine:qemux86-64 ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_machine:qemumips64 ?= "4cc6d51a6f63436a37c3ba4ea2da93c7fd3240b4" -SRCREV_machine ?= "70af2998be31b72a111de67966b7816b3d54d472" -SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" +SRCREV_machine:qemuarm ?= "539bf858552c12417a449646d0cad5e53e038aa0" +SRCREV_machine:qemuarm64 ?= "e4153b3c5bff6c503990c35826d84a034d2d7a33" +SRCREV_machine:qemuloongarch64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_machine:qemumips ?= "d5da07b097555f20280b2484da875c93f1494d48" +SRCREV_machine:qemuppc ?= "9434ddc68ebc90e9336d4cc6f642aa82c0da023c" +SRCREV_machine:qemuriscv64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_machine:qemuriscv32 ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_machine:qemux86 ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_machine:qemux86-64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_machine:qemumips64 ?= "e6f498c7aa6909c17b90b50267d1577ddc19c0d6" +SRCREV_machine ?= "3dbf485808fc7be82368f70f385fead9735b5904" +SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "7a137e9bfa0e1919555d60f9dc0c05a7a5ba75d0" +SRCREV_machine:class-devupstream ?= "4fc00fe35d46b4fc8dac2eb543a0e3d44bb15f47" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.127" +LINUX_VERSION ?= "6.6.129" PV = "${LINUX_VERSION}+git" From 5a3cfb5dd393656dae18eece3c006fb1a3dc244a Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:49:59 -0400 Subject: [PATCH 66/96] linux-yocto/6.6: update to v6.6.130 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: c09fbcd31ae6 Linux 6.6.130 1dacf6b3718a xen/privcmd: add boot control for restricted usage in domU 1879319d790f xen/privcmd: restrict usage in unprivileged domU 2cf5eff223fc tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure c1bfc25d62d8 lib/bootconfig: check xbc_init_node() return in override path df1f4a7d9cf6 drm/i915/gt: Check set_default_submission() before deferencing b0158d9d6f4e ksmbd: fix use-after-free in durable v2 replay of active file handles 806f13752652 ksmbd: fix use-after-free of share_conf in compound request 87158a633e9a drm/amd/display: Fix DisplayID not-found handling in parse_edid_displayid_vrr() 6ec8f8ebd023 mtd: rawnand: brcmnand: skip DMA during panic write a80291e577b4 mtd: rawnand: serialize lock/unlock against other NAND operations 69aece634a7e i2c: cp2615: fix serial string NULL-deref at probe 2aeb380c731f i2c: cp2615: replace deprecated strncpy with strscpy 7864c667aed0 netfilter: nft_set_pipapo: split gc into unlink and reclaim phase c51957601d32 x86/platform/uv: Handle deconfigured sockets 197fc4dda1c0 i2c: pxa: defer reset on Armada 3700 when recovery is used c40387488be0 i2c: fsi: Fix a potential leak in fsi_i2c_probe() 994b301a217f USB: serial: f81232: fix incomplete serial port generation 2124d82fd25e Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ eec4d5758f33 drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug 5b0578a9a9ec hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit() 5fcef2e370f3 hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data() return value b61529c357f1 icmp: fix NULL pointer dereference in icmp_tag_validation() 1a0c3c7b5b14 net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths ff0c54f088f7 net: mvpp2: guard flow control update with global_tx_fc in buffer switching 224f4678812e nfnetlink_osf: validate individual option lengths in fingerprints adee3436ccd2 netfilter: nf_tables: release flowtable after rcu grace period on error d016c216bc75 netfilter: bpf: defer hook memory release until rcu readers are done 0a3f8cd3f370 net: bonding: fix NULL deref in bond_debug_rlb_hash_show a05a2149386f udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n 3dffc083292e net/mlx5e: Fix race condition during IPSec ESN update 99aaee927800 net/mlx5e: Prevent concurrent access to IPSec ASO context 7712b5ff6967 net/mlx5: qos: Restrict RTNL area to avoid a lock cycle 5da8009be419 net: macb: fix uninitialized rx_fs_lock edf4c2aaee08 ACPI: processor: Fix previous acpi_processor_errata_piix4() fix a6dc74209462 wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom 0a4da176ae4b wifi: mac80211: fix NULL deref in mesh_matches_local() 58f74dc73d1b iavf: fix VLAN filter lost on add/delete race fb602ed4b19e igc: fix missing update of skb->tail in igc_xmit_frame() 4de6a43e8ecf net: usb: aqc111: Do not perform PM inside suspend callback a73d95b57bf9 clsact: Fix use-after-free in init/destroy rollback asymmetry 125f932a76a9 net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check f1c7701d3ac9 net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check 21c89a0a8de7 net/sched: teql: Fix double-free in teql_master_xmit f00fc26c8a06 net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() 39f2d86f2ddd PM: runtime: Fix a race condition related to device removal fd8278ffba49 sched: idle: Consolidate the handling of two special cases 249e90557158 net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown fcdf56bbdade net: bcmgenet: increase WoL poll timeout f5e4f4e4cdb7 netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() 262beb78e95e netfilter: xt_time: use unsigned int for monthday bit shift 63b8097cea19 netfilter: xt_CT: drop pending enqueued packets on template removal e68a8db3a054 netfilter: nft_ct: drop pending enqueued packets on removal b477ef7fa612 netfilter: nft_ct: add seqadj extension for natted connections 52235bf88159 netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case 528b4509c9df netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() f04cc86d5990 netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() 9e5021a90653 netfilter: ctnetlink: remove refcounting in expectation dumpers a75d3be96d70 mpls: add missing unregister_netdevice_notifier to mpls_init 0c9fb70a206a net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect e160b869b0a8 Bluetooth: qca: fix ROM version reading on WCN3998 chips 11a87dd5df42 Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user 45ebe5b90020 Bluetooth: HIDP: Fix possible UAF f35209cf4826 Bluetooth: hci_sync: Fix hci_le_create_conn_sync 2d3deaa162a7 Bluetooth: ISO: Fix defer tests being unstable e7899dc538f3 Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy c02860835673 Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU b5c20c899246 Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU d30acb4ecbe2 firmware: arm_scpi: Fix device_node reference leak in probe path 37e776e2e0a5 wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down 256f7d4c1123 wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. d21923a8059f soc: fsl: qbman: fix race condition in qman_destroy_fq d0a466caf4ac cache: ax45mp: Fix device node reference leak in ax45mp_cache_init() ccb2262681d6 btrfs: tree-checker: fix misleading root drop_level error message 56e72c8b02d9 btrfs: log new dentries when logging parent dir of a conflicting inode df656e45774f drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END} 9085ad02eff0 drm/amdgpu: apply state adjust rules to some additional HAINAN vairants 41b0edc1be8d drm/radeon: apply state adjust rules to some additional HAINAN vairants 2a28ad57d12e drm/amdgpu/mmhub3.0: add bounds checking for cid 46411902afd1 drm/amdgpu/mmhub3.0.2: add bounds checking for cid 0fabdcd12c29 drm/amdgpu/mmhub3.0.1: add bounds checking for cid 6b257be5d3ad drm/amdgpu/mmhub2.3: add bounds checking for cid aa3c80150b0e drm/amdgpu/mmhub2.0: add bounds checking for cid 9f41b9f82ecf drm/amdgpu/gmc9.0: add bounds checking for cid 447f2c6ef11c serial: uartlite: fix PM runtime usage count underflow on probe 59e13f1c9a8c serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY d2719a0a9c34 serial: 8250: Fix TX deadlock when using DMA 092cb022a454 serial: 8250_pci: add support for the AX99100 85654456e394 iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry d8570211a2b1 mtd: Avoid boot crash in RedBoot partition table parser 2a79fd98b961 mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() d55ff6f213be mtd: rawnand: pl353: make sure optimal timings are applied f13100b1f5f1 spi: fix statistics allocation 6bbd385b30c7 spi: fix use-after-free on controller registration failure 9443202d9138 pmdomain: bcm: bcm2835-power: Increase ASB control timeout 4ada013fd7da mmc: sdhci: fix timing selection for 1-bit bus width 451816d430b3 mmc: sdhci-pci-gli: fix GL9750 DMA write corruption 0c5026178856 net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume fbbd4c07a537 net: macb: Introduce gem_init_rx_ring() 2fd0bdd49e57 net: macb: queue tie-off or disable during WOL suspend 8afb437ea1f7 nfsd: fix heap overflow in NFSv4.0 LOCK replay cache 1ada20331f2d batman-adv: avoid OGM aggregation when skb tailroom is insufficient fc77e0a5600e iio: light: bh1780: fix PM runtime leak on error path 64ad49597d14 btrfs: fix transaction abort on file creation due to name hash collision b19c0465e4da btrfs: fix transaction abort on set received ioctl due to item overflow 6bce705b699c btrfs: fix transaction abort when snapshotting received subvolumes 3f04f871a1d4 kprobes: Remove unneeded warnings from __arm_kprobe_ftrace() 61cfa81f19b9 kprobes: Remove unneeded goto 6ebef4a220a1 ksmbd: unset conn->binding on failed binding request 9229709ec8bf smb: client: fix krb5 mount with username option 807bd1258453 Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access dd3b221e2107 Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() 935c716be860 parisc: Flush correct cache in cacheflush() syscall 5653af416a48 net: macb: fix use-after-free access to PTP clock 70662874f646 NFC: nxp-nci: allow GPIOs to sleep 67f2796354bf LoongArch: Give more information if kmem access failed e48bf8f1d2b1 nvdimm/bus: Fix potential use after free in asynchronous initialization 41f6ba6c98a6 sunrpc: fix cache_request leak in cache_release d1a19217995d NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd 439a6728ec46 io_uring/kbuf: check if target buffer list is still legacy on recycle d77401968c78 mm/mempolicy: fix wrong mmap_read_unlock() in migrate_to_node() 8e7715193e5a s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute 2c5c0f4dc8cc s390/stackleak: Fix __stackleak_poison() inline assembly constraint 3e0619a2a61b s390/xor: Fix xor_xc_2() inline assembly constraints 1b3ff4d88b50 mptcp: pm: in-kernel: always set ID as avail when rm endp 268fd5502281 net: stmmac: remove support for lpi_intr_o fbab8c08e1a6 binfmt_misc: restore write access before closing files opened by open_exec() 8c1befea57db sched/fair: Fix pelt clock sync when entering idle d1365d2abfaf f2fs: zone: fix to avoid inconsistence in between SIT and SSA 3da45ec1e485 rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access 8af210df4f71 platform/x86/amd/pmc: Add support for Van Gogh SoC 9c05cd8f4232 x86/uprobes: Fix XOL allocation failure for 32-bit tasks 1b24d3e8792b drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free 2e147aa3169b drm/exynos: vidi: fix to avoid directly dereferencing user pointer 21ca24ba51a2 drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() e1903358b215 drm/amdgpu: Add basic validation for RAS header ce63943f9bce l2tp: do not use sock_hold() in pppol2tp_session_get_sock() da249eb3206c drm/amd/pm: Use pm_display_cfg in legacy DPM (v2) b3367ee3e557 drm/amd/display: Add pixel_clock to amd_pp_display_configuration ec2b34acb189 net: dsa: properly keep track of conduit reference 0643aa246819 bpf: Forget ranges when refining tnum after JSET 2cbef9ea5a0a net: fix segmentation of forwarding fraglist GRO e19201b0c67d net: gso: fix tcp fraglist segmentation after pull from frag_list 1f2b859225eb net: add support for segmenting TCP fraglist GSO packets 9b03768037d9 tracing: Add recursion protection in kernel stack trace recording eba0c75670c0 dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() 33743ec6679a riscv: Sanitize syscall table indexing under speculation 4357e02cafab btrfs: do not strictly require dirty metadata threshold for metadata writepages bfc717be833f iomap: allocate s_dio_done_wq for async reads as well a426f29ac3fa rxrpc: Fix data-race warning and potential load/store tearing fc3454a20bef x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler 03c29d6d3719 x86/sev: Harden #VC instruction emulation somewhat f69fec628756 ipv6: use RCU in ip6_xmit() 897d9006e75f dm-verity: disable recursive forward error correction 0464bf75590d rxrpc: Fix recvmsg() unconditional requeue 1b0edd6022a3 ext4: always allocate blocks only from groups inode can use 90336fc3d6f5 eth: bnxt: always recalculate features after XDP clearing, fix null-deref 1e3769aa0946 usb: typec: ucsi: Move unregister out of atomic section c57387d447a2 pNFS: Fix a deadlock when returning a delegation during open() a4810f8beb01 NFS: Fix a deadlock involving nfs_release_folio() 1562138b9cab nfs: pass explicit offset/count to trace events 815db2363e51 dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() 64d8abd8c530 btrfs: fix NULL dereference on root when tracing inode eviction 54322d95309d arm64: mm: Don't remap pgtables for allocate vs populate 6a36c8e88af7 arm64: mm: Batch dsb and isb when populating pgtables 37413d064396 arm64: mm: Don't remap pgtables per-cont(pte|pmd) block 7d115eb231a6 net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz 9dcd86cb22e1 btrfs: always fallback to buffered write if the inode requires checksum dbc4e10619ed ext4: fix dirtyclusters double decrement on fs shutdown db489778e6f2 f2fs: fix to avoid migrating empty section 5d305a95130a net/tcp-md5: Fix MAC comparison to be constant-time 307afccb751f ksmbd: Compare MACs in constant time 946054b773ed smb: client: Compare MACs in constant time 26a29582980b xfs: ensure dquot item is deleted from AIL only after log shutdown 50c0e03072fc xfs: fix integer overflow in bmap intent sort comparator 2bfc83cee05f crypto: atmel-sha204a - Fix OOM ->tfm_count leak 0629a1a187e4 cifs: open files should not hold ref on superblock 0a47c3889fcd net: macb: Shuffle the tx ring before enabling tx 0bc70491e466 drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output 920467466d2d drm/msm: Fix dma_free_attrs() buffer size fec5c70b82af ksmbd: Don't log keys in SMB3 signing and encryption key generation d1cdf0c63947 iomap: reject delalloc mappings during writeback 0ba544dacec2 mm/kfence: fix KASAN hardware tag faults during late enablement 816fa1dfae45 KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated 5d1e72015b90 KVM: SVM: Add a helper to look up the max physical ID for AVIC 32ca7117e153 KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids d146f2775804 usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling c24c06ed1849 can: gs_usb: gs_can_open(): always configure bitrates before starting device dfc314d7c767 net/sched: act_gate: snapshot parameters with RCU on replace 0be8c9627556 kbuild: Leave objtool binary around with 'make clean' 2d53b863b401 selftests: mptcp: join: check RM_ADDR not sent over same subflow 1ec68e2096ef selftests: mptcp: add a check for 'add_addr_accepted' 05799c2f1ca5 mptcp: pm: in-kernel: always mark signal+subflow endp as used a29641dc1267 mptcp: pm: avoid sending RM_ADDR over same subflow 7f3b7dc8c6ca drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink c33523b8fd2d net: phy: register phy led_triggers during probe to avoid AB-BA deadlock 71511dae56a7 gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL f9f1660b7ffc x86/sev: Allow IBPB-on-Entry feature for SNP guests c8ddb2d30d03 platform/x86: hp-bioscfg: Support allocations of larger data 3c5c818c78b0 wifi: libertas: fix use-after-free in lbs_free_adapter() cf29329a13df ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths ca049ef5c8c7 gve: defer interrupt enabling until NAPI registration 212b9632718c drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD 3161ae587816 i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor 0911fd8e400e i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort dcd66a0c0388 i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors 5c485bc32551 iio: imu: inv_icm42600: fix odr switch to the same value 27c324ef1638 iio: gyro: mpu3050-i2c: fix pm_runtime error handling 2a86a396aa00 iio: gyro: mpu3050-core: fix pm_runtime error handling 10ea2df061f3 iio: buffer: Fix wait_queue not being removed dd7b7093bb77 iio: chemical: bme680: Fix measurement wait duration calculation 342e5f67fb99 iio: potentiometer: mcp4131: fix double application of wiper shift dcdf1e92674e iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() 5a3952ba82f8 iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() fa87bb35b917 iio: frequency: adf4377: Fix duplicated soft reset mask 8f9fca12f2f3 iio: dac: ds4424: reject -128 RAW value fa6fd9aec721 btrfs: abort transaction on failure to update root in the received subvol ioctl 40f7c69eb00d smb: client: fix iface port assignment in parse_server_interfaces 438e77435aee smb: client: fix in-place encryption corruption in SMB2_write() dcd1f1321034 smb: client: fix atomic open with O_DIRECT & O_SYNC 2ca6bdf449b1 lib/bootconfig: check bounds before writing in __xbc_open_brace() bbdb80f29ee9 lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() f59193807211 x86/apic: Disable x2apic on resume if the kernel expects so 35e3ec8e589b scsi: core: Fix error handling for scsi_alloc_sdev() cc7d44c59ea5 lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error b373ff56ed2d s390/dasd: Copy detected format information to secondary device 3a67baa8eec4 s390/dasd: Move quiesce state with pprc swap 41e91dff2d39 xfs: fix undersized l_iclog_roundoff values eaaaa3abbb20 cifs: make default value of retrans as zero e9311e199ac6 tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G aeb7255531ba drm/i915: Fix potential overflow of shmem scatterlist length 624f991cac21 drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding 2550d63cc350 drm/amd: Set num IP blocks to 0 if discovery fails c658c1c85ec2 drm/amdgpu: Fix use-after-free race in VM acquire 3704ac6a0d9a net: dsa: microchip: Fix error path in PTP IRQ setup 81431da77792 net: ethernet: arc: emac: quiesce interrupts before requesting IRQ 599625881978 net: ncsi: fix skb leak in error paths 302fef75512b ksmbd: fix use-after-free by using call_rcu() for oplock_info b720c84087cb smb: server: fix use-after-free in smb2_open() bf4d66d72e4a ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() d156b1c24f72 pmdomain: bcm: bcm2835-power: Fix broken reset status read 57e35502faa9 parisc: Check kernel mapping earlier at bootup 344fde7a3dc0 parisc: Fix initial page table creation for boot 52db5ef163c9 hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read 7003352d4327 arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation fad178ae8949 nouveau/dpcd: return EBUSY for aux xfer if the device is asleep 5699359529c6 parisc: Increase initial mapping to 64 MB with KALLSYMS f3ca45673dab batman-adv: Avoid double-rtnl_lock ELP metric worker 422b4524320c tracing: Fix syscall events activation by ensuring refcount hits zero 9298b0806923 ice: fix retry for AQ command 0x06EE 5138cd978bab net: mana: Ring doorbell at 4 CQ wraparounds 1a6da3dbb998 media: dvb-net: fix OOB access in ULE extension header tables 768f25613a9f staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie 740bca8bbdb7 staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() 627cf4d1f0ea ixgbevf: fix link setup issue aac3ac27e6da ice: reintroduce retry mechanism for indirect AQ 1fc8c3a0d249 irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports 3cfdf8d27b66 device property: Allow secondary lookup in fwnode_get_next_child_node() 54f2f0591216 drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used 98310fe3a2a7 drm/bridge: samsung-dsim: Fix memory leak in error path f3333543326c Revert "tcpm: allow looking for role_sw device in the main node" 70c78429ef38 scsi: hisi_sas: Fix NULL pointer exception during user_scan() 8be15087d037 scsi: hisi_sas: Use macro instead of magic number 228c626df8d5 scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec a6a894413b04 scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend 069307ae8cb9 i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach 7d86de3847c5 time/jiffies: Mark jiffies_64_to_clock_t() notrace 657dc653b06a ceph: fix memory leaks in ceph_mdsc_build_path() b3f5513141ec ceph: fix i_nlink underrun during async unlink 59c7bf668c20 libceph: admit message frames only in CEPH_CON_S_OPEN state 5f2806684b05 libceph: Use u32 for non-negative values in ceph_monmap_decode() 50156622eb08 libceph: prevent potential out-of-bounds reads in process_message_header() 3e2e36e9b9f3 libceph: reject preamble if control segment is empty 8bb87547e92d libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() 8b6767e4141b kprobes: avoid crash when rmmod/insmod after ftrace killed a360d3815aae tipc: fix divide-by-zero in tipc_sk_filter_connect() a8e9cab16771 ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start 270277c2ab63 mmc: core: Avoid bitfield RMW for claim/retune flags d8f20b282418 mm/kfence: disable KFENCE upon KASAN HW tags enablement f36ab071abd0 mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() b88ce81232bb mm/tracing: rss_stat: ensure curr is false from kthread context 155f471e38aa usb: image: mdc800: kill download URB on timeout e7b3d154eb08 usb: mdc800: handle signal and read racing 9c6159d5b72d usb: renesas_usbhs: fix use-after-free in ISR during device removal 4ee3062bf2c9 usb: class: cdc-wdm: fix reordering issue in read code path 659c0c7d50a4 USB: core: Limit the length of unkillable synchronous timeouts 39bd4097292f USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts fc26e98b6cb8 USB: usbcore: Introduce usb_bulk_msg_killable() 2872b67951fe usb: roles: get usb role switch from parent only for usb-b-connector 52950203880b usb: cdc-acm: Restore CAP_BRK functionnality to CH343 24aa4caf7f95 usb: core: don't power off roothub PHYs if phy_set_mode() fails 19ef3da0a82d usb: misc: uss720: properly clean up reference in uss720_probe() f1c8b8183abc usb: dwc3: pci: add support for the Intel Nova Lake -H 939e3d17b843 usb: yurex: fix race in probe b2dd9abf8c06 usb: xhci: Prevent interrupt storm on host controller error (HCE) 2e2baa8fb5aa usb: xhci: Fix memory leak in xhci_disable_slot() 2f2418efd495 USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed 9105f4d74762 usb/core/quirks: Add Huawei ME906S-device to wakeup quirk 551f82df759c USB: add QUIRK_NO_BOS for video capture several devices ad4394f269dc KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC 22bd6fea06bc ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA af834b026bfc net: usb: lan78xx: skip LTM configuration for LAN7850 2aaf0a7be0b8 net: usb: lan78xx: fix TX byte statistics for small packets e94d81319259 net: usb: lan78xx: fix silent drop of packets with checksum errors c5c5a6c53cf3 ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces 629cf09464cf ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() 3dfd1328c052 cgroup: fix race between task migration and iteration 343d4b4a21a5 Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" ce0caaed5940 usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() 3e2f1628faa3 octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status e4a4ca0b69c5 octeontx2-af: devlink health: use retained error fmsg API fa3183e7c748 octeontx2-af: devlink: fix NIX RAS reporter recovery condition cf6099ef493b net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled 764039ff6515 ASoC: detect empty DMI strings 35c7624d30cb ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition e15b56da10b5 ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() 0a1fc25deaba e1000/e1000e: Fix leak in DMA error cleanup e611b36efca1 i40e: fix src IP mask checks and memcpy argument names in cloud filter 628773eba024 nvme-pci: Fix race bug in nvme_poll_irqdisable() 83e6edd63583 nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set f691272c3e8c sched: idle: Make skipping governor callbacks more consistent ac8f2dfcecbd regulator: pca9450: Correct interrupt type 28986d1c093f regulator: pca9450: Make IRQ optional 540803559993 netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels 4a1f6ee69267 netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() 47b1c5d1b094 netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path 9b94f0e42ed2 netfilter: x_tables: guard option walkers against 1-byte tail reads 0a55d62cdb62 netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() 61243ff7e757 amd-xgbe: prevent CRC errors during RX adaptation with AN disabled df65ae0f1330 amd-xgbe: fix link status handling in xgbe_rx_adaptation 86f5334fcb48 mctp: route: hold key->lock in mctp_flow_prepare_output() a3a1ea5d1f8d can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value d7900a43b0a3 mctp: i2c: fix skb memory leak in receive path 8460187b4852 serial: caif: hold tty->link reference in ldisc_open and ser_release bba6c0806a8c net: sfp: improve Huawei MA5671a fixup 17f69ee2ed08 net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick 2369830617a5 net: sfp: improve Nokia GPON sfp fixup 783025a3babb net: sfp: re-implement ignoring the hardware TX_FAULT signal d9744892b8ed ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays e03f8d141911 ASoC: simple-card-utils: use __free(device_node) for device node 317a9298c54b ASoC: soc-core: flush delayed work before removing DAIs and widgets 8b76136bd446 ASoC: soc-core: drop delayed_work_pending() check before flush 59b06d8b9bdb net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit 383b37c04a48 net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery 957d2a58f7f8 net/mlx5: Fix deadlock between devlink lock and esw->wq 87db2efa8327 net/mlx5: Query to see if host PF is disabled 0e4dd5078b0c net/mlx5: IFC updates for disabled host PF 11762a893ffc bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states 43723dff1a59 drm/msm/dsi: fix pclk rate calculation for bonded dsi 7c370f2cb7fc drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations c58dcaac49b6 net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets 74c39a47856b xprtrdma: Decrement re_receiving on the early exit paths 2f91ef68d0ed smb/server: Fix another refcount leak in smb2_open() fd4ff8c64639 powerpc: 83xx: km83xx: Fix keymile vendor prefix a971ce3a39e5 remoteproc: mediatek: Unprepare SCP clock during system suspend f3394234b849 remoteproc: sysmon: Correct subsys_name_len type in QMI request 80bc3c57dd32 powerpc/uaccess: Fix inline assembly for clang build on PPC32 9e5df7e19c44 ALSA: usb-audio: Check max frame size for implicit feedback mode, too 8d66e46ff0f4 ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 32af15506450 scsi: ufs: core: Fix shift out of bounds when MAXQ=32 0614f5618c24 scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() 7b640a732689 ASoC: cs42l43: Report insert for exotic peripherals f43a420065f0 ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table 80e35a0a8ab5 scsi: ses: Fix devices attaching to different hosts 486519660bd9 ACPI: OSI: Add DMI quirk for Acer Aspire One D255 b006c61a5d97 wifi: mac80211: set default WMM parameters on all links d7963d6997fe unshare: fix unshare_fs() handling 7da755e0d02e scsi: mpi3mr: Add NULL checks when resetting request and reply queues 5bb47c03024e ACPI: PM: Save NVS memory on Lenovo G70-35 e7919a293f9b scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT ae10787d955f apparmor: fix race between freeing data and fs accessing it 6ef1f2926c41 apparmor: fix race on rawdata dereference f90e3ecd9e1e apparmor: fix differential encoding verification 17debf558602 apparmor: fix unprivileged local user can do privileged policy management 55ef2af7490a apparmor: Fix double free of ns_name in aa_replace_profiles() 7c7cf05e0606 apparmor: fix missing bounds check on DEFAULT table in verify_dfa() 5a184f7cbdea apparmor: fix side-effect bug in match_char() macro usage 3f8699b3ee0c apparmor: fix: limit the number of levels of policy namespaces 33959a491e9f apparmor: replace recursive profile removal with iterative approach 663ce34786e7 apparmor: fix memory leak in verify_header 07cf6320f40e apparmor: validate DFA start states are in bounds in unpack_pdb 7f4d6a5d3429 net: tcp: accept old ack during closing 5a110ddcc99b net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks 59c15b9cc453 tracing: Add NULL pointer check to trigger_data_free() c7919c1c1d80 selftest/arm64: Fix sve2p1_sigill() to hwcap test a0fb59f527d0 xdp: produce a warning when calculated tailroom is negative d5f7daed130c i40e: use xdp.frame_sz as XDP RxQ info frag_size 7b9c0ee7fed9 i40e: fix registering XDP RxQ info 183f940bdf90 xsk: introduce helper to determine rxq->frag_size 8701504563fa xdp: use modulo operation to calculate XDP frag tailroom 5b1449301ca0 net/sched: act_ife: Fix metalist update behavior b299121e7453 net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop 5f93e6b4d12b net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled a12cdaa3375f net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 29629dd7d373 net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() 3cdb52d6eba0 net: stmmac: Fix error handling in VLAN add and delete paths 722a28b635ec nfc: rawsock: cancel tx_work before socket teardown edc188322caa nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback dcbcccfc5195 nfc: nci: free skb on nci_transceive early error paths f7d8b5d649dd net: nfc: nci: Fix zero-length proprietary notifications dbd58b0730aa net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs e42ff5abbd14 nvme: fix memory allocation in nvme_pr_read_keys() be3b61ebcafe nvme: reject invalid pr_read_keys() num_keys values 5d53fe502ef4 drm/sched: Fix kernel-doc warning for drm_sched_job_done() 0c3dce09e8ef amd-xgbe: fix sleep while atomic on suspend/resume 581800298313 ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() db93ff008d2e smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info() 99acd1ea3499 smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op() 9b02c5c4147f bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim 4bb55e430d82 bpf: export bpf_link_inc_not_zero. 39959a7d3efe xen/acpi-processor: fix _CST detection using undersized evaluation buffer 8babb2714033 net/rds: Fix circular locking dependency in rds_tcp_tune 11fc15378e87 indirect_call_wrapper: do not reevaluate function pointer 7ae7b093b7db wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() a6605f619131 wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() aca4c9e4901b wifi: wlcore: Fix a locking bug 78bb63bbabb3 wifi: cw1200: Fix locking in error paths 3bf4ee25f051 octeon_ep: avoid compiler and IQ/OQ reordering 4818b80d20de octeon_ep: Relocate counter updates before NAPI 5c262bd0e393 bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded f8db044a0a47 net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value 14cecde3eb07 kunit: tool: copy caller args in run_kernel to prevent mutation eb5632fae6a3 rust: kunit: fix warning when !CONFIG_PRINTK b73832292cd9 can: mcp251x: fix deadlock in error path of mcp251x_open 70e951afad4c can: bcm: fix locking for bcm_op runtime updates b4d1e6d27f93 amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds 622062f24644 atm: lec: fix null-ptr-deref in lec_arp_clear_vccs c7becfe3e604 dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler 420bc92cc966 dpaa2-switch: do not clear any interrupts automatically fb64be8e20dc xsk: Fix zero-copy AF_XDP fragment drop 5172adf9efb8 xsk: Fix fragment node deletion to prevent buffer leak eb66c67b0847 xsk: s/free_list_node/list_node/ 560c974b7ccd xsk: Get rid of xdp_buff_xsk::xskb_list_node 4e58b99c3c33 net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table 391396b5052d drm/solomon: Fix page start when updating rectangle in page addressing mode 352d940bcdbd drm/ssd130x: Replace .page_height field in device info with a constant 3327bb9d474d drm/ssd130x: Store the HW buffer in the driver-private CRTC state be3079b7a328 drm/ssd130x: Use bool for ssd130x_deviceinfo flags 9328cc4e511c e1000e: clear DPG_EN after reset to avoid autonomous power-gating 337ecf555a4b hwmon: (it87) Check the it87_lock() return value 95b14ecc5688 pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() cc06e3f73390 platform/x86: thinkpad_acpi: Fix errors reading battery thresholds 896449ad9053 pinctrl: equilibrium: fix warning trace on load 27fad3a507d6 pinctrl: equilibrium: rename irq_chip function callbacks 70cde1f24ffb hwmon: (aht10) Fix initialization commands for AHT20 166678027ad4 hwmon: (aht10) Add support for dht20 cc7f6f0a2666 ARM: clean up the memset64() C wrapper ec312cb9bd97 selftests: mptcp: join: check removing signal+subflow endp 047de213219d selftests: mptcp: more stable simult_flows tests 7c01b680beaf scsi: core: Fix refcount leak for tagset_refcnt 3990f352bb0a smb: client: Don't log plaintext credentials in cifs_set_cifscreds f65c92e81cb4 smb: client: fix broken multichannel with krb5+signing 874c47503e0f smb: client: fix cifs_pick_channel when channels are equally loaded 6f1d1614f841 drbd: fix null-pointer dereference on local read error e91d8d6565b7 drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() 6b847d65f5b0 Squashfs: check metadata block offset is within range e8ef82cb6443 scsi: target: Fix recursive locking in __configfs_open_file() 7dbffffd5761 net/sched: ets: fix divide by zero in the offload path 1b1fac4c7a3a RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() d0148965dbca IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() 22a9adea7e26 wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() 650981e718e6 wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration fa18639deab4 wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() 129c8bb320a7 wifi: radiotap: reject radiotap with unknown bits a0c6ae2ea845 ALSA: usb-audio: Use correct version for UAC3 header validation cf48c2d1db3a platform/x86: dell-wmi: Add audio/mic mute key codes 411ba3cd837f platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data 6a25e2527928 x86/efi: defer freeing of boot services memory 6e330889e6c8 HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them 888f164453f2 can: usb: f81604: handle bulk write errors properly 9b740ff5bc64 can: usb: f81604: handle short interrupt urb messages properly f6e90c113c92 can: usb: etas_es58x: correctly anchor the urb in the read bulk callback 13b646eec3ba can: ucan: Fix infinite loop from zero-length messages 54ee74307165 can: usb: f81604: correctly anchor the urb in the read bulk callback 1818974e1b5e can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message 7f8505c7ce3f net: usb: pegasus: validate USB endpoints 12c0243de0ae net: usb: kalmia: validate USB endpoints 72f90f481c6a net: usb: kaweth: validate USB endpoints d1f6d20b3c26 nfc: pn533: properly drop the usb interface reference on disconnect af050ab44fa1 media: dvb-core: fix wrong reinitialization of ringbuffer on reopen 5f8463e43720 eventpoll: Fix integer overflow in ep_loop_check_proc() 1b3ae721257e drm/amdgpu: keep vga memory on MacBooks with switchable graphics aa7f9ef72eae drm/amd: Drop special case for yellow carp without discovery 4b4eee6d0c00 net: arcnet: com20020-pci: fix support for 2.5Mbit cards efc159492b5c ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 f3cb23e1fcf3 hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race 020bfaac6cb4 ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 c676ab65519c drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected() d637f6ec149f usb: cdns3: fix role switching during resume 3de5fd27af5b usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() 3097fb95e244 usb: cdns3: remove redundant if branch 7b900a94d716 clk: tegra: tegra124-emc: fix device leak on set_rate() 8acf534d5a58 arm64: dts: rockchip: Fix rk356x PCIe range mappings 3469112edc5c mfd: omap-usb-host: Fix OF populate on driver rebind 1d4ea57730bf mfd: omap-usb-host: Convert to platform remove callback returning void 59b76ae68764 mfd: qcom-pm8xxx: Fix OF populate on driver rebind a97ff3b70ff5 mfd: qcom-pm8xxx: Convert to platform remove callback returning void 57e83bfbe1e4 ext4: fix e4b bitmap inconsistency reports e33256b2f927 ext4: convert bd_buddy_page to bd_buddy_folio ccab2af6c19f ext4: convert bd_bitmap_page to bd_bitmap_folio ceee57fd7207 ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() 31c4c67dec33 mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() c42ffd816c0f mailbox: Allow controller specific mapping using fwnode cfdb216691ec mailbox: Use guard/scoped_guard for con_mutex bef5ecf09d70 mailbox: Use dev_err when there is error 5e99cbdfcd15 mailbox: remove unused header files 235359afbe0a mailbox: sort headers alphabetically 97b60acdca6f mailbox: don't protect of_parse_phandle_with_args with con_mutex 49ada773c180 mailbox: Use of_property_match_string() instead of open-coding dc7c9b9d03a5 ext4: drop extent cache when splitting extent fails f0931a5c1700 ext4: drop extent cache after doing PARTIAL_VALID1 zeroout 67cdb7bd7442 ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O 11406eb96a19 ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT ed0096fc86b2 ext4: get rid of ppath in ext4_ext_handle_unwritten_extents() d7b04ea31c6e ext4: get rid of ppath in ext4_ext_convert_to_initialized() c24ce099bea9 ext4: get rid of ppath in ext4_convert_unwritten_extents_endio() 147a6a2725b1 ext4: get rid of ppath in ext4_split_convert_extents() cda8a34348d7 ext4: get rid of ppath in ext4_split_extent() 58ddae5d77b1 ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 e766534911b3 ext4: subdivide EXT4_EXT_DATA_VALID1 ffb68fc57207 ext4: get rid of ppath in ext4_split_extent_at() fb138df7d886 ext4: get rid of ppath in ext4_ext_insert_extent() 8f6e910852d8 ext4: get rid of ppath in ext4_ext_create_new_leaf() cafb151eb180 ext4: get rid of ppath in ext4_find_extent() a4a7024448ab bus: omap-ocp2scp: fix OF populate on driver rebind e4be2bd01a76 bus: omap-ocp2scp: Convert to platform remove callback returning void 43bb0a265b26 drm/tegra: dsi: fix device leak on probe ec3be7dc9391 KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() 5e8bf325ed12 KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject ca921be7a117 media: tegra-video: Fix memory leak in __tegra_channel_try_format() 7a9c901edcaf media: tegra-video: Use accessors for pad config 'try_*' fields 32a1889f7bb0 KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR 469a8a038d8b KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED 626ccc6daa7a KVM: x86: Fix KVM_GET_MSRS stack info leak fa0e278a1230 PCI: Use resource_set_range() that correctly sets ->end ffe8617e2e5b resource: Add resource set range and size helpers fffdb0fece19 PCI: Use resource names in PCI log messages bc440d87e655 PCI: Update BAR # and window messages b9eccd59697f memory: mtk-smi: fix device leak on larb probe b16599fedf49 memory: mtk-smi: fix device leaks on common probe 646ac65db6c1 memory: mtk-smi: Convert to platform remove callback returning void 5f5997339cf0 PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value 8a95fb9df110 bpf: Fix stack-out-of-bounds write in devmap dfe079bb6ab3 btrfs: fix compat mask in error messages in btrfs_check_features() a1b82706c233 btrfs: fix warning in scrub_verify_one_metadata() 6eac621b2deb btrfs: fix objectid value in error message in check_extent_data_ref() ad567ccfd90c btrfs: fix incorrect key offset in error message in check_dev_extent_item() ab69bf6f8970 btrfs: add support for inserting raid stripe extents cbca08a23773 btrfs: read raid stripe tree from disk fff272a83847 btrfs: add raid stripe tree definitions 9895ddc5efec btrfs: move btrfs_extref_hash into inode-item.h d928f8aec88d btrfs: remove btrfs_crc32c wrapper 971658d3932b btrfs: move btrfs_crc32c_final into free-space-cache.c 37fc52528383 ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put() 996d43a72d11 ALSA: pci: hda: use snd_kcontrol_chip() 4f8d58123378 perf: Fix __perf_event_overflow() vs perf_remove_from_context() race 949e15a8dbde ALSA: usb-audio: Use inclusive terms 6ec99e9c90f4 ALSA: usb-audio: Cap the packet size pre-calculations 133c3f3dde72 scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume 0990188985f5 rseq: Clarify rseq registration rseq_size bound check comment 7b2c39f7bada ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices 8b00427317ba scsi: pm8001: Fix use-after-free in pm8001_queue_command() be4c63507aca scsi: lpfc: Properly set WC for DPP mapping 2edbd1733091 irqchip/sifive-plic: Fix frozen interrupt due to affinity setting 0bd326dffd9e drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() 7e55d0788b36 drm/vmwgfx: Return the correct value in vmw_translate_ptr functions 2106a0153b5d drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 8250679ed0f3..ae78c91f64c7 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "8751b899ea5af349e8570e8985365290efa5e7d6" -SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" +SRCREV_machine ?= "aa09ac001c2f96bd4ba32ba47e84e02db0f6ceed" +SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.129" +LINUX_VERSION ?= "6.6.130" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index bd4a10b56409..0bc45ffd6427 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.129" +LINUX_VERSION ?= "6.6.130" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "d82c6cc64c037058c6bfd630f2d2604a38684c7d" -SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" +SRCREV_machine ?= "2bf97eeefd96e27a2195cb4757c13110e92afcc6" +SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 58a72979c53c..ce5994054464 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "539bf858552c12417a449646d0cad5e53e038aa0" -SRCREV_machine:qemuarm64 ?= "e4153b3c5bff6c503990c35826d84a034d2d7a33" -SRCREV_machine:qemuloongarch64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_machine:qemumips ?= "d5da07b097555f20280b2484da875c93f1494d48" -SRCREV_machine:qemuppc ?= "9434ddc68ebc90e9336d4cc6f642aa82c0da023c" -SRCREV_machine:qemuriscv64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_machine:qemuriscv32 ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_machine:qemux86 ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_machine:qemux86-64 ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_machine:qemumips64 ?= "e6f498c7aa6909c17b90b50267d1577ddc19c0d6" -SRCREV_machine ?= "3dbf485808fc7be82368f70f385fead9735b5904" -SRCREV_meta ?= "fdd48963e673d657f0df21b4b1fb6b18dbaa96bc" +SRCREV_machine:qemuarm ?= "b4e8a23613e117b5803dae49e8d4d562c37bd8a3" +SRCREV_machine:qemuarm64 ?= "236dabe34ed663918803f17cbda90a1d6ac39922" +SRCREV_machine:qemuloongarch64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_machine:qemumips ?= "8022cb3ada420a7a3508dcd0a00e7367a0b08e52" +SRCREV_machine:qemuppc ?= "77817988bcc71ba230e44d14e2d1c66837543dc9" +SRCREV_machine:qemuriscv64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_machine:qemuriscv32 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_machine:qemux86 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_machine:qemux86-64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_machine:qemumips64 ?= "7ffb3cfb496703be3c0951bf54eb6ce69fdd1a1e" +SRCREV_machine ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" +SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "4fc00fe35d46b4fc8dac2eb543a0e3d44bb15f47" +SRCREV_machine:class-devupstream ?= "c09fbcd31ae6d71e7c69545839bec92d8e15c13b" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.129" +LINUX_VERSION ?= "6.6.130" PV = "${LINUX_VERSION}+git" From f95c69b567abe9a87b15ac38b98b2836cb9a8f0c Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:00 -0400 Subject: [PATCH 67/96] linux-yocto/6.6: update to v6.6.132 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 08667c1437c07 Linux 6.6.132 866c39b567bde Revert "rust: pin-init: add references to previously initialized fields" e7ccb57fe7164 Revert "rust: pin-init: internal: init: document load-bearing fact of field accessors" 29242a6238213 Linux 6.6.131 e10af36ac3f7b tcp: Fix bind() regression for v6-only wildcard and v4-mapped-v6 non-wildcard addresses. de7c0c04ad868 futex: Clear stale exiting pointer in futex_lock_pi() retry path 37cf97e37498a dmaengine: idxd: Fix freeing the allocated ida too late 509ff03a3f188 dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API e3387416ad6b2 btrfs: fix lost error when running device stats on multiple devices fs 94054ffd311a1 btrfs: fix leak of kobject name for sub-group space_info 1ddab07bf2ed5 btrfs: fix super block offset in error message in btrfs_validate_super() 5a0538380d29e dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA ab4a8624b999a dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction 26271695302c8 dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA a3142cc1581a5 dmaengine: xilinx: xilinx_dma: Fix dma_device directions 4b6e1da50b22e dmaengine: xilinx: xdma: Fix regmap init error handling afc39537cddcb dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA. 5893ae3b4591b phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() 54d77cc0c40ca dmaengine: idxd: Fix memory leak when a wq is reset 2bb9e9e93adff dmaengine: idxd: Fix not releasing workqueue on .release() cfadf46a67b68 erofs: fix "BUG: Bad page state in z_erofs_do_read_page" 75669e987137f xfs: save ailp before dropping the AIL lock in push callbacks 7121b22b0bac8 xfs: avoid dereferencing log items after push callbacks aba546061341b mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] 2efbc838a26d3 nvme: fix admin queue leak on controller reset 5a1e865e51063 xattr: switch to CLASS(fd) bb42e9627aa92 libbpf: Fix -Wdiscarded-qualifiers under C23 4913592a3358f gfs2: Fix unlikely race in gdlm_put_lock 8c93e73af8563 mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode 8cdc84415a4d2 mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode 0890fba6129dc rust: pin-init: internal: init: document load-bearing fact of field accessors c28fc9b0dbc7a rust: pin-init: add references to previously initialized fields ef41a85a55022 tracing: Fix potential deadlock in cpu hotplug with osnoise 5a9f33294cc04 tracing: Switch trace_osnoise.c code over to use guard() and __free() c9b95ef6f5039 ksmbd: fix memory leaks and NULL deref in smb2_lock() 9e785f004cbc5 ksmbd: fix use-after-free and NULL deref in smb_grant_oplock() d3c4458707e70 powerpc64/bpf: do not increment tailcall count when prog is NULL d419788a834f7 arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off 1c82f863f090a ext4: always drain queued discard work in ext4_mb_release() ca99cbcc316cd ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths c84c0272e0b66 ext4: fix the might_sleep() warnings in kvfree() 9449f99ba04f5 ext4: fix use-after-free in update_super_work when racing with umount b77de3fceafbb ext4: reject mount if bigalloc with s_first_data_block != 0 2d31a5073f86a ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() ecc50bfca9b5c ext4: avoid infinite loops caused by residual data 65c6c30ce6362 ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio df3cecfc5036f ext4: make recently_deleted() properly work with lazy itable initialization 2b7bf66a09873 ext4: fix fsync(2) for nojournal mode 850e68a1d3b06 ext4: fix stale xarray tags after writeback 699bac4d4c951 ext4: convert inline data to extents when truncate exceeds inline size 17c21b951e87c ext4: fix journal credit check when setting fscrypt context 813f372a3b8aa xfs: fix ri_total validation in xlog_recover_attri_commit_pass2 d38135af04a3a xfs: stop reclaim before pushing AIL during unmount f458dceaa6a35 LoongArch: Workaround LS2K/LS7A GPU DMA hang bug ebf6860ef7093 dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock 79c4796b2711e dmaengine: sh: rz-dmac: Protect the driver specific lists 75552b2c17124 irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment d536a00f1b451 jbd2: gracefully abort on checkpointing state corruptions fd28c56186991 KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE 78c8b090a3d5c net: macb: Use dev_consume_skb_any() to free TX SKBs d20d3eedbd04e scsi: ses: Handle positive SCSI error from ses_recv_diag() 4ed727e35b0ab scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() c9e137c26cd45 alarmtimer: Fix argument order in alarm_timer_forward() 5c8ecdcfbfb0b erofs: add GFP_NOIO in the bio completion if needed a58d298a83a3a s390/entry: Scrub r12 register on kernel entry fedd2e1630cac virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false 1a0d9083c24fb media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex ebdd28353b958 hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() 7c0666a26b290 hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature 844a18493173f hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes d4f4364974460 KVM: arm64: Discard PC update state on vcpu reset 501559fbe2097 platform/x86: ISST: Correct locked bit width 2e2c7a6b2958e cpufreq: conservative: Reset requested_freq on limits change cb3d6efa78460 can: isotp: fix tx.buf use-after-free in isotp_sendmsg() 54ecdf76a55e7 can: gw: fix OOB heap access in cgw_csum_crc8_rel() 9e7f353710f85 ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload a2842de6856a7 ALSA: firewire-lib: fix uninitialized local variable 6fafc4c4238e5 ksmbd: do not expire session on binding failure 358cdaa1f7fbf ksmbd: fix potencial OOB in get_file_all_info() for compound requests c3a89e3ec1ccf ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() a11911d94c032 s390/barrier: Make array_index_mask_nospec() __always_inline 7a5260fbc6e79 s390/syscalls: Add spectre boundary for syscall dispatch table adb25339b6611 spi: spi-fsl-lpspi: fix teardown order issue (UAF) ffd860907d0cb ASoC: adau1372: Fix clock leak on PLL lock failure 94577b2e936f0 ASoC: adau1372: Fix unchecked clk_prepare_enable() return value 227b7e14ae408 sysctl: fix uninitialized variable in proc_do_large_bitmap 6ec394998c42a hwmon: (adm1177) fix sysfs ABI violation and current unit conversion e23602eb07797 drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib 9c886e63b6965 ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() d997deaa7de36 ASoC: Intel: catpt: Fix the device initialization 9014a30df4365 spi: sn-f-ospi: Fix resource leak in f_ospi_probe() b5f87d8493f54 PM: hibernate: Drain trailing zero pages on userspace restore 8dda015822771 PM: hibernate: Don't ignore return from set_memory_ro() 6a492d10c2f88 drm/i915/gmbus: fix spurious timeout on 512-byte burst reads daf1396e8f42a x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size 8212295549e47 scsi: scsi_transport_sas: Fix the maximum channel scanning issue ad5085d7ef1c5 RDMA/irdma: Return EINVAL for invalid arp index error acb060bc2609c RDMA/irdma: Fix deadlock during netdev reset with active connections 45897c22a93ec RDMA/irdma: Remove reset check from irdma_modify_qp_to_err() 2175c64d27e27 RDMA/irdma: Clean up unnecessary dereference of event->cm_node 18386d84d2ad3 RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce() d783393d2122b RDMA/irdma: Update ibqp state to error if QP is already in error state af310407f79d5 RDMA/irdma: Initialize free_qp completion before using it e82f2775b50cc RDMA/rw: Fall back to direct SGE on MR pool exhaustion 96c60fb6896e6 regmap: Synchronize cache for the page selector 9524634194516 net: macb: use the current queue number for stats fcec5ce2d73a4 netfilter: ctnetlink: use netlink policy range checks fe463e76c9b4b netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp 168145c874446 netfilter: nf_conntrack_expect: skip expectations in other netns via proc c6a503a9f4deb netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() a8365d1064ded netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD 2dcf324855c34 tls: Purge async_hold in tls_decrypt_async_wait() 6fba3c3d48c92 Bluetooth: btusb: clamp SCO altsetting table indices 52667c859fe33 Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop 5f84e845648df Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock 8d83194e8a880 Bluetooth: hci_sync: Remove remaining dependencies of hci_request 0ee469ba7c58c Bluetooth: Remove 3 repeated macro definitions 50c1e5fc7c444 Bluetooth: L2CAP: Fix send LE flow credits in ACL link acfb29f82223e dma-mapping: add missing `inline` for `dma_free_attrs` 47d5f290fab3c net: enetc: fix the output issue of 'ethtool --show-ring' 2297e38114316 udp: Fix wildcard bind conflict check when using hash2 5b5af243e566b tcp: optimize inet_use_bhash2_on_bind() 79a5c9344eaaf tcp: Rearrange tests in inet_csk_bind_conflict(). 34f5fe33e43bc tcp: Use bhash2 for v4-mapped-v6 non-wildcard address. 654386baef228 net: fix fanout UAF in packet_release() via NETDEV_UP race a8ec35bb7b503 ipv6: Don't remove permanent routes with exceptions from tb6_gc_hlist. 9241d441feb40 ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire. 6ae421f59bf80 ice: use ice_update_eth_stats() for representor stats 0677d6bf6e853 platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen b04420f5b9315 rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size 81acbd345d405 net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer c1f97152df8df openvswitch: validate MPLS set/set_masked payload length 42f0d3d812096 openvswitch: defer tunnel netdev_put to RCU release 4c3e25a7b711a net: openvswitch: Avoid releasing netdev before teardown completes eb435d150ca74 nfc: nci: fix circular locking dependency in nci_close_device cfd863d4a3f2e ionic: fix persistent MAC address override on PF a4fd36bb000db pinctrl: mediatek: common: Fix probe failure for devices without EINT a04a760c06bb5 Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb 28904375d54b4 Bluetooth: hci_ll: Fix firmware leak on error path 45aaca995e4a7 Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold 477ad49760720 Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() a4bda464c0deb can: statistics: add missing atomic access in hot path d6923498e972b dma: swiotlb: add KMSAN annotations to swiotlb_bounce() d3225e6b9bd51 af_key: validate families in pfkey_send_migrate() 6a3ec6efbc4f9 esp: fix skb leak with espintcp and async crypto e17b0106447ed xfrm: Fix the usage of skb->sk 86f130cf52504 xfrm: call xdo_dev_state_delete during state update 7aac2b997e614 spi: intel-pci: Add support for Nova Lake mobile SPI flash 56bc8de780720 usb: core: new quirk to handle devices with zero configurations 1eed0199dbf41 objtool: Handle Clang RSP musical chairs 006ce15577e76 ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 f264d4e3a9261 ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk c57276ced3c32 btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create 2635d0c715f3f HID: apple: avoid memory leak in apple_report_fixup() d9365789a6fd7 dma-buf: Include ioctl.h in UAPI header 9d43a897a9122 ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() cb4954fc2520d ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() 082f15d288732 module: Fix kernel panic when a symbol st_shndx is out of bounds f18c38cb24c9c HID: asus: add xg mobile 2023 external hardware support 4d36b7ad2c18b HID: mcp2221: cancel last I2C command on read error 952e41b0f9238 net: usb: r8152: add TRENDnet TUC-ET2G 7edfe4346b052 HID: magicmouse: avoid memory leak in magicmouse_report_fixup() eac08882569bc HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2 6f12734c4b619 nvme-pci: ensure we're polling a polled queue 50063c576c6ed platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 0ab508ace30c7 platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 94cfabcf28209 nvme-fabrics: use kfree_sensitive() for DHCHAP secrets c69b5dd587f6f nvme-pci: cap queue creation to used queues 79dc4ced3bb62 platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list f20f17cffbe34 HID: asus: avoid memory leak in asus_report_fixup() 694ea55f1b1c7 bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN d47bba0cfdd4c bpf: Release module BTF IDR before module unload 0f46fd10de29e sh: platform_early: remove pdev->driver_override check 0af982240b8f4 hwmon: axi-fan: don't use driver_override as IRQ name e73121faf530e hwmon: (axi-fan-control) Make use of dev_err_probe() 50fe5fbf98290 hwmon: (axi-fan-control) Use device firmware agnostic API bd738f986f6a0 cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled 656f35b463995 perf: Make sure to use pmu_ctx->pmu for groups 79cda13757901 perf: Extract a few helpers Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index ae78c91f64c7..c58279873e6d 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "aa09ac001c2f96bd4ba32ba47e84e02db0f6ceed" -SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" +SRCREV_machine ?= "a6a88382093932d5f963f38334035221c0b8344e" +SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.130" +LINUX_VERSION ?= "6.6.132" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 0bc45ffd6427..58fd5a57b846 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.130" +LINUX_VERSION ?= "6.6.132" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "2bf97eeefd96e27a2195cb4757c13110e92afcc6" -SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" +SRCREV_machine ?= "ff381816e34f3ed488248a69843227160f7ede06" +SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index ce5994054464..633abb36ddbc 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "b4e8a23613e117b5803dae49e8d4d562c37bd8a3" -SRCREV_machine:qemuarm64 ?= "236dabe34ed663918803f17cbda90a1d6ac39922" -SRCREV_machine:qemuloongarch64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_machine:qemumips ?= "8022cb3ada420a7a3508dcd0a00e7367a0b08e52" -SRCREV_machine:qemuppc ?= "77817988bcc71ba230e44d14e2d1c66837543dc9" -SRCREV_machine:qemuriscv64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_machine:qemuriscv32 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_machine:qemux86 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_machine:qemux86-64 ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_machine:qemumips64 ?= "7ffb3cfb496703be3c0951bf54eb6ce69fdd1a1e" -SRCREV_machine ?= "cc107ef0945033f98a169bf1294dad3b574bfc60" -SRCREV_meta ?= "a5d680f4986edab4c2c4636c0dc80ca559fc70ef" +SRCREV_machine:qemuarm ?= "ecff059b6885829e70f8a0fa96956e330b3dc8a4" +SRCREV_machine:qemuarm64 ?= "a2808cd3d14323f1be06f83c084f7ccc19346305" +SRCREV_machine:qemuloongarch64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_machine:qemumips ?= "e785bf4e3c24d0f6a02c1c12c4b636eaaa539f19" +SRCREV_machine:qemuppc ?= "f1e47cb079d5fa8a5f22f795bd4130dc001babab" +SRCREV_machine:qemuriscv64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_machine:qemuriscv32 ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_machine:qemux86 ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_machine:qemux86-64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_machine:qemumips64 ?= "6357451678385be03d1f7d60d0f8868aa7514418" +SRCREV_machine ?= "81aa29cd11159e96623449efb43a609e1a814c87" +SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "c09fbcd31ae6d71e7c69545839bec92d8e15c13b" +SRCREV_machine:class-devupstream ?= "08667c1437c07ce2e5d323165031ae152d6f061a" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.130" +LINUX_VERSION ?= "6.6.132" PV = "${LINUX_VERSION}+git" From 65242fa5eaa679398d2cb782aea5219e49054cfb Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:01 -0400 Subject: [PATCH 68/96] linux-yocto/6.6: update to v6.6.134 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 8cee53b8eaeb5 Linux 6.6.134 6b63a54a790a6 net: sfp: Fix Ubiquiti U-Fiber Instant SFP module on mvneta 79bc854d44f9f MPTCP: fix lock class name family in pm_nl_create_listen_socket 83170a05908b6 ext4: handle wraparound when searching for blocks for indirect mapped blocks a070d5a872ffe ext4: publish jinode after initialization e2316c5d759d3 dmaengine: fsl-edma: fix channel parameter config for fixed channel requests 72c0f5de91098 dmaengine: fsl-edma: change to guard(mutex) within fsl_edma3_xlate() 892ba47ef7140 x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() 7ddcf4a245c1c mm/huge_memory: fix folio isn't locked in softleaf_to_folio() 15f5241d5a523 scsi: target: tcm_loop: Drain commands in target_reset handler d88541ffd56d6 net: mana: fix use-after-free in add_adev() error path ed71cf465c75f net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback a2d3c892115e1 net: macb: Move devm_{free,request}_irq() out of spin lock area 9e7d5b7581ce1 iio: imu: inv_icm42600: fix odr switch when turning buffer off d1e3aa80e6e04 wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free c6da4fed7537a usb: gadget: f_uac1_legacy: validate control request size cb5316b37288a usb: gadget: f_rndis: Protect RNDIS options with mutex 75776a055b656 usb: gadget: f_subset: Fix unbalanced refcnt in geth_free c78e463ee134b usb: gadget: uvc: fix NULL pointer dereference during unbind race f6813c2b2ae78 usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop 3db70e16fccb4 LoongArch: vDSO: Emit GNU_EH_FRAME correctly cddea0c721106 gfs2: Validate i_depth for exhash directories 514784b8951e7 gfs2: Improve gfs2_consist_inode() usage 3a9fd45afadec btrfs: do not free data reservation in fallback from inline due to -ENOSPC 681377e4e229d btrfs: fix the qgroup data free range for inline data extents f5b469a84400a usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer 5aa776c8615be USB: dummy-hcd: Fix interrupt synchronization error 791966f85b439 USB: dummy-hcd: Fix locking/synchronization error 2516336e825fc thunderbolt: Fix property read in nhi_wake_supported() 4b8e527aca357 misc: fastrpc: possible double-free of cctx->remote_heap 9e796001af97a thermal: core: Fix thermal zone device registration error path e208c45c63258 gpio: mxc: map Both Edge pad wakeup to Rising Edge da39ee627fd82 cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path 8a71911fc7eee net: ftgmac100: fix ring allocation unwind on open failure 602596c69a70e vxlan: validate ND option lengths in vxlan_na_create 28a371be901ef counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member 885aa739a07ab counter: rz-mtu3-cnt: prevent counter from being toggled multiple times 6cea34d7ec682 netfilter: ipset: drop logically empty buckets in mtype_del aca0938d0bb44 nvmem: imx: assign nvmem_cell_info::raw_len eeb496e82b916 dt-bindings: connector: add pd-disable dependency 1603dd471f477 comedi: me4000: Fix potential overrun of firmware buffer c16ac4e173a05 comedi: me_daq: Fix potential overrun of firmware buffer f517646e008fe comedi: ni_atmio16d: Fix invalid clean-up after failed attach c01bcc67a9a69 comedi: Reinit dev->spinlock between attachments to low-level drivers d5d9df8b08d68 comedi: dt2815: add hardware detection to prevent crash 787c21d2cc13b cdc-acm: new quirk for EPSON HMD e0bfd6d4dc77a bridge: br_nd_send: validate ND option lengths 2e5cbab8ccbfc fork: defer linking file vma until vma is fully initialized 13e8e5bd99849 vfio/pci: Insert full vma on mmap'd MMIO fault 1a0a115843ec4 vfio/pci: Use unmap_mapping_range() 764438b5c5d15 vfio: Create vfio_fs_type with inode per device cfca84f5986af usb: cdns3: gadget: fix state inconsistency on gadget init failure 9ab9b0e5fcdac usb: cdns3: gadget: fix NULL pointer dereference in ep_queue beab10429439e usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() af1e68c43ed88 usb: ehci-brcm: fix sleep during atomic 95e09b07e5029 usb: usbtmc: Flush anchored URBs in usbtmc_release aaeae6533d77e usb: ulpi: fix double free in ulpi_register_interface() error path a6f374ba81dde usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive 1f83e4f8509aa iio: gyro: mpu3050: Fix out-of-sequence free_irq() 2a4537653d200 iio: gyro: mpu3050: Move iio_device_register() to correct location 8f237c408f300 iio: gyro: mpu3050: Fix irq resource leak a09171d3f23e1 iio: gyro: mpu3050: Fix incorrect free_irq() variable 4cda5db84e917 iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only 11aaba2824a14 iio: imu: bmi160: Remove potential undefined behavior in bmi160_config_pin() dae6048cb63fe iio: light: vcnl4035: fix scan buffer on big-endian 13f4f2d046661 iio: dac: ad5770r: fix error return in ad5770r_read_raw() 97d908087e85c iio: accel: fix ADXL355 temperature signature value 81b90c03dd65f Input: xpad - add support for Razer Wolverine V3 Pro 6260b66c005fa Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless mode 92b1a92857002 Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table a6d5d972460ca Input: synaptics-rmi4 - fix a locking bug in an error path fa64aab25aba4 iio: adc: ti-adc161s626: use DMA-safe memory for spi_read() 624e292e74769 USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam 619d8d1cc4688 USB: serial: option: add support for Rolling Wireless RW135R-GL d3f78e9cd0bbe USB: serial: io_edgeport: add support for Blackbox IC135A beadc871ccf86 drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU eDP 32ac48642e71e drm/ast: dp501: Fix initialization of SCU2C 7759f105e9c89 iio: adc: ti-adc161s626: fix buffer read on big-endian 43fa022b56dcd mips: mm: Allocate tlb_vpn array atomically 37ae8fadc74ed hwmon: (occ) Fix division by zero in occ_show_power_1() 4c10f326f628e MIPS: Fix the GCC version check for `__multi3' workaround 91649c02c1baa Bluetooth: SMP: force responder MITM requirements before building the pairing response b1c6a8e554a39 Bluetooth: SMP: derive legacy responder STK authentication from MITM state c8859675f1cf9 ALSA: ctxfi: Fix missing SPDIFI1 index handling a82c1bce2d129 ALSA: caiaq: fix stack out-of-bounds read in init_card 2de70a6149e03 USB: serial: option: add MeiG Smart SRM825WN ffbed27ba15ef wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() 9907ac9b9a18b wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation 489f2ef2b9088 drm/ioc32: stop speculation on the drm_compat_ioctl path 0320474d92c69 riscv: kgdb: fix several debug register assignment bugs e01779a5c0283 mips: ralink: update CPU clock index 649ceac79c831 hwmon: (occ) Fix missing newline in occ_show_extended() 164a1b397da0c hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify() cb048be568a85 dt-bindings: gpio: fix microchip #interrupt-cells 220f29e819244 hwmon: (pxe1610) Check return value of page-select write in probe 2dd67966f39a2 accel/qaic: Handle DBC deactivation if the owner went away 690509a2eea89 iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one 8755066f7bd0f bpf: reject direct access to nullable PTR_TO_BUF pointers 5e4ee5dbea134 ipv6: avoid overflows in ip6_datagram_send_ctl() 36a5d17d7ddad net: hsr: fix VLAN add unwind on slave errors 4a09f72007201 net/sched: cls_flow: fix NULL pointer dereference on shared blocks 18328eff2f97d net/sched: cls_fw: fix NULL pointer dereference on shared blocks 1734bd85c5e0a net/x25: Fix overflow when accumulating packets 143d4fa68ae9e net/x25: Fix potential double free of skb 1fc7fbac8b98f net/mlx5: Avoid "No data available" when FW version queries fail 7129632cab3e4 net/mlx5: lag: Check for LAG device before creating debugfs e1f6f47d6e60d net: macb: properly unregister fixed rate clocks b3f799cdf830d net: macb: fix clk handling on PCI glue driver removal a14b568633486 net/sched: sch_netem: fix out-of-bounds access in packet corruption 8d597e3e74027 bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready(). 6b0a8de67ac0c rds: ib: reject FRMR registration before IB connection is established 244b639e6a3a8 Bluetooth: MGMT: validate mesh send advertising payload length 5fb69e1eeea9d Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt f71695e81f4cb Bluetooth: MGMT: validate LTK enc_size on load adb90cd0f9f7a Bluetooth: SCO: fix race conditions in sco_sock_connect() 2504ce3fc39ed Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate 4b12a3cc3f075 netfilter: nf_tables: reject immediate NF_QUEUE verdict f00ac65c90ea4 netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP 2ea0f35f235f7 netfilter: ctnetlink: ignore explicit helper on new expectations a76157a1eee5f netfilter: nf_conntrack_expect: store netns and zone in expectation e7ccaa0a62a8f netfilter: nf_conntrack_expect: use expect->helper d81c3205085b5 netfilter: nf_conntrack_expect: honor expectation helper field 2898080c054ea netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent 2cf2737c85a2b netfilter: nf_conntrack_helper: pass helper to expect cleanup 1b842ade214b9 netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr c2d4a3abb15ca netfilter: x_tables: ensure names are nul-terminated 607245c4dbb86 netfilter: nfnetlink_log: account for netlink header size 5382bb03e9c33 netfilter: flowtable: strictly check for maximum number of actions 6c7fbdb8ffde6 net: ipv6: flowlabel: defer exclusive option free until RCU teardown b99d82706bd15 bpf: Fix regsafe() for pointers to packet 236b564165b49 net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec 2c1fadd221b21 NFC: pn533: bound the UART receive buffer e35f5195cd44f net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak 7d9f2f4aabd11 ipv6: prevent possible UaF in addrconf_permanent_addr() 584d8648f859f ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add rollback on failure c56f78614e778 net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() 658261898130d bridge: br_nd_send: linearize skb before parsing ND options a0c4ce9900a10 ip6_tunnel: clear skb2->cb[] in ip4ip6_err() 3d5127d998de6 ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() c64dc67d70da6 tg3: Fix race for querying speed/duplex d1b041080086e net/ipv6: ioam6: prevent schema length wraparound in trace fill 7f56d87e527bb net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak 0fda873092b54 net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak 3e52e1b121c28 net: fec: fix the PTP periodic output sysfs interface 7cdf2c6381b21 crypto: af-alg - fix NULL pointer dereference in scatterwalk 31022cfde5235 crypto: caam - fix overflow on long hmac keys a7ecf06d3ee06 crypto: caam - fix DMA corruption on long hmac keys 4073217be3df0 wifi: ath11k: Pass the correct value of each TID during a stop AMPDU session 18e28353074a3 wifi: ath11k: Use dma_alloc_noncoherent for rx_tid buffer allocation 12322d8654cf9 wifi: ath11k: skip status ring entry processing 90afe0af4452b dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning ea553dfb630e1 spi: geni-qcom: Check DMA interrupts early in ISR 295f8075d0044 btrfs: reject root items with drop_progress and zero drop_level b404e6b9863ea i2c: tegra: Don't mark devices with pins as IRQ safe c7a27bb4d0f65 HID: multitouch: Check to ensure report responses match the request e9126544fd779 objtool: Fix Clang jump table detection 960159a9f8468 tg3: replace placeholder MAC address with device property c9fc98beeedf0 btrfs: don't take device_list_mutex when querying zone info b256d055da472 atm: lec: fix use-after-free in sock_def_readable() 8bd690ac12423 HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq 7b56b67776520 arm64/scs: Fix handling of advance_loc4 80de0a9581338 Linux 6.6.133 9a3a2ae5efbbc xattr: switch to CLASS(fd) 16d41d32b7c76 Revert "xattr: switch to CLASS(fd)" Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index c58279873e6d..6440d0babbec 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "a6a88382093932d5f963f38334035221c0b8344e" -SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" +SRCREV_machine ?= "fda570bd42ccafdd93a2bc4eae0ab36a4084031e" +SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.132" +LINUX_VERSION ?= "6.6.134" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 58fd5a57b846..deb594314544 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.132" +LINUX_VERSION ?= "6.6.134" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "ff381816e34f3ed488248a69843227160f7ede06" -SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" +SRCREV_machine ?= "990b12e4095890d00a1c42ee5643443f1491dc0e" +SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 633abb36ddbc..11efb351e974 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "ecff059b6885829e70f8a0fa96956e330b3dc8a4" -SRCREV_machine:qemuarm64 ?= "a2808cd3d14323f1be06f83c084f7ccc19346305" -SRCREV_machine:qemuloongarch64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_machine:qemumips ?= "e785bf4e3c24d0f6a02c1c12c4b636eaaa539f19" -SRCREV_machine:qemuppc ?= "f1e47cb079d5fa8a5f22f795bd4130dc001babab" -SRCREV_machine:qemuriscv64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_machine:qemuriscv32 ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_machine:qemux86 ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_machine:qemux86-64 ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_machine:qemumips64 ?= "6357451678385be03d1f7d60d0f8868aa7514418" -SRCREV_machine ?= "81aa29cd11159e96623449efb43a609e1a814c87" -SRCREV_meta ?= "8cfac9f000ccc138d1a11ed500406c4394d803d6" +SRCREV_machine:qemuarm ?= "55c82e0b84e8892add226263bb00dfaef810f487" +SRCREV_machine:qemuarm64 ?= "c3b5dcdca64f2d9d5dfd9808b2ec4d1363ddc5c2" +SRCREV_machine:qemuloongarch64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_machine:qemumips ?= "065d9d6fa1db8f762b740b0fac999e8d68b3afcf" +SRCREV_machine:qemuppc ?= "dd0d7b2a25b1fc953887f6d32247c58b19f23e73" +SRCREV_machine:qemuriscv64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_machine:qemuriscv32 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_machine:qemux86 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_machine:qemux86-64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_machine:qemumips64 ?= "5546a26cb003a61697b9c748e80c964188dbde1b" +SRCREV_machine ?= "3db526a0348edbb162b13d91e788eb270bcbb934" +SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "08667c1437c07ce2e5d323165031ae152d6f061a" +SRCREV_machine:class-devupstream ?= "8cee53b8eaeb5d1f7c97b7f2381653ed00ffc26b" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.132" +LINUX_VERSION ?= "6.6.134" PV = "${LINUX_VERSION}+git" From 4536d25fbba2ce23dfb91b25729efe83ac102f61 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:02 -0400 Subject: [PATCH 69/96] linux-yocto/6.6: update to v6.6.135 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 9760bf04666d Linux 6.6.135 53b86879e92b Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" 9853917f9edf rxrpc: Fix missing error checks for rxkad encryption/decryption failure 1355eb244aa5 rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) 9ce36d28f67c rxrpc: fix reference count leak in rxrpc_server_keyring() 47073aab8a3a rxrpc: reject undecryptable rxkad response tickets b8f66447448d rxrpc: Only put the call ref if one was acquired f1a7a3ab0f35 rxrpc: Fix key reference count leak from call->key 93fc15be44a3 rxrpc: Fix call removal to use RCU safe deletion e63265f188ea net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() 88591194df73 mm: filemap: fix nr_pages calculation overflow in filemap_map_pages() b7b8012193fd net: stmmac: fix integer underflow in chain mode 9a56735581d5 net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure 6468cab1173f mmc: vub300: fix NULL-deref on disconnect 80fd0de89805 pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled 0985b18c95eb net/mlx5: Update the list of the PCI supported devices ca3f48c3567d drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat 2f55b58b5a0b batman-adv: hold claim backbone gateways by reference 2eb9d67704ca net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() 0e43e0a3c940 net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption d3de72e2a2b9 EDAC/mc: Fix error path ordering in edac_mc_alloc() 672b526def1f X.509: Fix out-of-bounds access when parsing extensions 69d61639bc7e batman-adv: reject oversized global TT response buffers 07cb6c72e66b nfc: pn533: allocate rx skb before consuming bytes 0f36273a4b24 arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges e3d84395a16d arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity e85ee7bd042c arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V 03c00ef6d6df Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" 4bf41c2731a0 wifi: brcmsmac: Fix dma_free_coherent() size 3bcf7aca63f0 tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG c221ed63a276 xfrm: clear trailing padding in build_polexpire() 070abdf1b043 netfilter: nft_ct: fix use-after-free in timeout object destroy 533e0a0454d0 Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" 32bad10de347 netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR 84d458018b14 seg6: separate dst_cache for input and output paths in seg6 lwtunnel 3e9bf8c3ba89 Revert "mptcp: add needs_id for netlink appending addr" 8ec6a58586f1 usb: gadget: f_hid: move list and spinlock inits from bind to alloc e8984f068e90 virtio_net: clamp rss_max_key_size to NETDEV_RSS_KEY_LEN 0dc539b888fb scsi: ufs: core: Fix use-after free in init error and remove paths 146e25625378 ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai() 811b3dccfb0a MIPS: mm: Rewrite TLB uniquification for the hidden bit feature 591f030449ad MIPS: mm: Suppress TLB uniquification on EHINV hardware 8a4de6bcaf01 MIPS: Always record SEGBITS in cpu_data.vmbits 00a4b91f8fac Input: uinput - take event lock when submitting FF request "event" 546c18a14924 Input: uinput - fix circular locking dependency with ff-core 3fd6547f5b8a mptcp: fix slab-use-after-free in __inet_lookup_established 673d2a3eef6e net: rfkill: prevent unlimited numbers of rfkill events from being created e0c8542c3d09 xfrm_user: fix info leak in build_report() 1de5c76bf40e wifi: rt2x00usb: fix devres lifetime 066c760acead lib/crypto: chacha: Zeroize permuted_state before it leaves scope 91f02726b220 x86/CPU: Fix FPDSS on Zen1 Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 6440d0babbec..fab90bcc14d9 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "fda570bd42ccafdd93a2bc4eae0ab36a4084031e" -SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" +SRCREV_machine ?= "796ebf5cd0bb25e473fead08d0e3c8c1b68f0676" +SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.134" +LINUX_VERSION ?= "6.6.135" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index deb594314544..80234909a326 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.134" +LINUX_VERSION ?= "6.6.135" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "990b12e4095890d00a1c42ee5643443f1491dc0e" -SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" +SRCREV_machine ?= "8c3e42c1177c1cf7f4b028ffe1ddacf5a7e8b018" +SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 11efb351e974..43d0ad9c8ee9 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "55c82e0b84e8892add226263bb00dfaef810f487" -SRCREV_machine:qemuarm64 ?= "c3b5dcdca64f2d9d5dfd9808b2ec4d1363ddc5c2" -SRCREV_machine:qemuloongarch64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_machine:qemumips ?= "065d9d6fa1db8f762b740b0fac999e8d68b3afcf" -SRCREV_machine:qemuppc ?= "dd0d7b2a25b1fc953887f6d32247c58b19f23e73" -SRCREV_machine:qemuriscv64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_machine:qemuriscv32 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_machine:qemux86 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_machine:qemux86-64 ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_machine:qemumips64 ?= "5546a26cb003a61697b9c748e80c964188dbde1b" -SRCREV_machine ?= "3db526a0348edbb162b13d91e788eb270bcbb934" -SRCREV_meta ?= "888e60b42c251c492d6f41f154bb8c4eef5f8875" +SRCREV_machine:qemuarm ?= "e3d837b99e32b26f86c7e0c956787aa7ac11cbc8" +SRCREV_machine:qemuarm64 ?= "440d78702ecd1f42162acba37434033a5ca903cb" +SRCREV_machine:qemuloongarch64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemumips ?= "8692ec9071ca8f4432c2c3409bf79240f34a7af5" +SRCREV_machine:qemuppc ?= "d49f40c6896b5d1ac37a84564ed7ab5b7a839519" +SRCREV_machine:qemuriscv64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemuriscv32 ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemux86 ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemux86-64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemumips64 ?= "91b8fff701cdc434e211a58915886224eb6e0d1a" +SRCREV_machine ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "8cee53b8eaeb5d1f7c97b7f2381653ed00ffc26b" +SRCREV_machine:class-devupstream ?= "9760bf04666dfe154161d49b6207c3486685bf29" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.134" +LINUX_VERSION ?= "6.6.135" PV = "${LINUX_VERSION}+git" From e1b84d7426c14f41676c40bc3056fb4636ea7900 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:03 -0400 Subject: [PATCH 70/96] linux-yocto/6.6: update to v6.6.136 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 142cd8382222 Linux 6.6.136 deeaba4c54ae md/raid1: fix data lost for writemostly rdev 1fa36cf495b0 rxrpc: Fix missing validation of ticket length in non-XDR key preparsing 09427bcb1715 crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed b5c14bd4da1f crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed 607ba280f2ad crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed c89c768734f3 crypto: testmgr - Hide ENOENT errors better 695cac6ed284 crypto: testmgr - Hide ENOENT errors 74e2db36fe50 net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() f6634af5de72 ALSA: caiaq: take a reference on the USB device in create_card() 86fc28191418 ALSA: usb-audio: apply quirk for MOONDROP JU Jiu ef57cd3329b4 f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() 8d5729350b23 ksmbd: use check_add_overflow() to prevent u16 DACL size overflow ffbce350c6fd ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment a34d456934fe smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path b53b8e98c233 smb: client: require a full NFS mode SID before reading mode bits 0521a67e4b0f smb: server: fix max_connections off-by-one in tcp accept path 97f8d2648ef4 smb: server: fix active_num_conn leak on transport allocation failure b3e0e7dd53f1 fuse: quiet down complaints in fuse_conn_limit_write f1441a1ecace fuse: Check for large folio with SPLICE_F_MOVE d23ad78bfd20 fuse: reject oversized dirents in page cache a76c1cad4e80 f2fs: fix to avoid memory leak in f2fs_rename() f90b8a1798b7 fs/ntfs3: validate rec->used in journal-replay file record check a6bcf8010af0 rxrpc: only handle RESPONSE during service challenge d6a76b3600e1 rxrpc: Fix anonymous key handling 6669cf805940 scripts/dtc: Remove unused dts_version in dtc-lexer.l cf044df0901f Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" e2c9dc6b6e96 ocfs2: fix out-of-bounds write in ocfs2_write_end_inline 37f074e65f24 ocfs2: validate inline data i_size during inode read 4bf8cd09f427 ocfs2: add inline inode consistency check to ocfs2_validate_inode_block() c98b6fa86b33 rxrpc: Fix key quota calculation for multitoken keys e297bb2c2568 KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs f363c496e203 scripts: generate_rust_analyzer.py: define scripts ceb73484e720 PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup 7ad01905831c net: annotate data-races around sk->sk_{data_ready,write_space} fa5d5baf67f6 i40e: Fix preempt count leak in napi poll tracepoint 71ca90c26eef net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers f77b51bcee7b wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure 10f4ff4baeb6 md/raid1,raid10: don't ignore IO flags 50352fc10392 ipv6: add NULL checks for idev in SRv6 paths e238ab12556b PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown ebc8815a917f Revert "perf unwind-libdw: Fix invalid reference counts" 45cbaf5c7cdc media: hackrf: fix to not free memory after the device is registered in hackrf_probe() e3957eb26a3d media: vidtv: fix pass-by-value structs causing MSAN warnings 7318e3549518 nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map cb8092038e95 media: as102: fix to not free memory after the device is registered in as102_usb_probe() 47fa09fe7f3e bcache: fix cached_dev.sb_bio use-after-free and crash e88354b381e2 ALSA: 6fire: fix use-after-free on disconnect b5d141ea15f1 media: em28xx: fix use-after-free in em28xx_v4l2_open() 9a9bdaf9dc42 media: mediatek: vcodec: fix use-after-free in encoder release path 17cb7957c979 media: vidtv: fix nfeeds state corruption on start_streaming failure 115a5266749d mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cec74b2ab7df mm/kasan: fix double free for kasan pXds 887632163b54 ASoC: qcom: q6apm: move component registration to unmanaged version dc6a6c3db3a4 KVM: x86: Use scratch field in MMIO fragment to hold small write values 24b1e0d5d254 checkpatch: add support for Assisted-by tag e0c211a0c261 ice: Fix memory leak in ice_set_ringparam() e6661add2d9c nf_tables: nft_dynset: fix possible stateful expression memleak in error path aaba6ee63ba6 blktrace: fix __this_cpu_read/write in preemptible context 9df613ef6e8e nfc: nci: complete pending data exchange on device close 4604b7b4eee6 net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() 5afb9356a2e5 KVM: nVMX: Fold requested virtual interrupt check into has_nested_events() 002a73470b56 net: add proper RCU protection to /proc/net/ptype f9d4b618f1b9 iio: common: st_sensors: Fix use of uninitialize device structs 36f127b971c0 btrfs: merge btrfs_orig_bbio_end_io() into btrfs_bio_end_io() 128b03ccb258 net: skb: fix cross-cache free of KFENCE-allocated skb head b670833749ff KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION 6575f9fbf084 ocfs2: handle invalid dinode in ocfs2_group_extend 6f072daefcab ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY 4b80b5a838a3 ocfs2: fix possible deadlock between unlink and dio_end_io_write b7efb4c94797 media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections 426ef05e82ee dcache: Limit the minimal number of bucket to two 452894005b4a ALSA: ctxfi: Limit PTP to a single page 6718df49e5a7 Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race 554391e7da68 USB: serial: option: add Telit Cinterion FN990A MBIM composition 779412e0e391 staging: sm750fb: fix division by zero in ps_to_hz() f632987306bc wifi: rtw88: fix device leak on probe failure e2f8c5d134f7 scripts: generate_rust_analyzer.py: avoid FD leak cce24f70090e fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO 301857c5ac27 usb: port: add delay after usb_hub_set_port_power() 8fb82e3555a7 USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen 9dec3276d122 usb: storage: Expand range of matched versions for VL817 quirks entry 885c8591784d usbip: validate number_of_packets in usbip_pack_ret_submit() 745a535461bb ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc b5b5d5936a50 ksmbd: require 3 sub-authorities before reading sub_auth[2] 4b73376feecb ksmbd: validate EaNameLength in smb2_get_ea() bfbc74df8bbe smb: client: fix off-by-8 bounds check in check_wsl_eas() 1b2bfedccc4f usb: gadget: renesas_usb3: validate endpoint index in standard request handlers 9ceff1251904 usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() 0f156bb5334e usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() 859a239d58a8 fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO f856f4b6efd5 ALSA: fireworks: bound device-supplied status before string array lookup 63c11b19cdc1 drm/vc4: platform_get_irq_byname() returns an int 2819f34e08bd NFC: digital: Bounds check NFC-A cascade depth in SDD response handler d4e1946bea8d net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() 932ae5309e53 HID: core: clamp report_size in s32ton() to avoid undefined shift c8cc765253ad HID: alps: fix NULL pointer dereference in alps_raw_event() c65ee4d3be5d staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() fa00738ab30b i2c: s3c24xx: check the size of the SMBUS message before using it 5e9cfffad898 can: raw: fix ro->uniq use-after-free in raw_rcv() 0eb1263a3b8c nfc: llcp: add missing return after LLCP_CLOSED checks e2e0e7884314 drm/i915/psr: Do not use pipe_src as borders for SU area 7ab1832fe163 objtool: Remove max symbol name length limitation 29d39948ce52 ALSA: usb-audio: Improve Focusrite sample rate filtering c5e918390002 netfilter: conntrack: add missing netlink policy validations e86ab1e56613 crypto: algif_aead - Fix minimum RX size check for decryption cfab2c817d2e perf/x86/intel/uncore: Skip discovery table for offline dies 1981e469558b gpio: tegra: fix irq_release_resources calling enable instead of disable 9ccce02d5013 l2tp: Drop large packets with UDP encap ae8343a19ccb net: ipa: fix event ring index not programmed for IPA v5.0+ a7d326dfb13b net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ b9232421a77a af_unix: read UNIX_DIAG_VFS data under unix_state_lock 00e1d650fa4b net: txgbe: leave space for null terminators on property_entry 288138418bef netfilter: ip6t_eui64: reject invalid MAC header for all packets 36bf0d98e180 netfilter: xt_multiport: validate range encoding in checkentry 368c22aea490 netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator 730663352c91 ipvs: fix NULL deref in ip_vs_add_service error path c4d93470aff0 selftests: net: bridge_vlan_mcast: wait for h1 before querier check d3125c541a96 xfrm_user: fix info leak in build_mapping() b66920a3348c xfrm: Wait for RCU readers during policy netns exit a55793e5a97d xsk: validate MTU against usable frame size on bind 81ab60836b27 xsk: fix XDP_UMEM_SG_FLAG issues cfcc8a82ad03 xsk: respect tailroom for ZC setups a03975beb9f6 xsk: tighten UMEM headroom validation to account for tailroom and min frame c9eef0760db4 e1000: check return value of e1000_read_eeprom d8a747057a17 ixgbevf: add missing negotiate_features op to Hyper-V ops table feba4907c302 tracing/probe: reject non-closed empty immediate strings 7a01c81120f5 dt-bindings: net: Fix Tegra234 MGBE PTP clock 366f890831ff net: stmmac: Fix PTP ref clock for Tegra234 d8c2aa3c4a1e nfc: s3fwrn5: allocate rx skb before consuming bytes 47a8bf52156a ipv4: icmp: fix null-ptr-deref in icmp_build_probe() 363a38044b8c net: lapbether: handle NETDEV_PRE_TYPE_CHANGE eb3765b90eb8 net: sched: act_csum: validate nested VLAN headers a6566cd33f6f eventpoll: defer struct eventpoll free to RCU grace period 34160cca50ec drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock dd5c49787a32 drm/vc4: Fix a memory leak in hang state error path a812008fe3a0 drm/vc4: Fix memory leak of BO array in hang state 5befb65dca90 drm/vc4: Release runtime PM reference after binding V3D 96f71e3a7f9b PCI: hv: Set default NUMA node to 0 for devices without affinity info 6948caaff66d arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency d4d11b70a30f soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching f0288da67320 ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J 3ec7437e9d11 wifi: brcmfmac: validate bsscfg indices in IF events cf50a1178dfc ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 e6a445513fbc HID: roccat: fix use-after-free in roccat_report_event 40f40229baa7 ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 e73692e0e271 HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 a9098b43562f platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug 36af81124ca8 pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer) b17dcf3c9cb4 ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx 5d4fe469fe7d fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath 7b73bea718fe ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex e51cd8954919 ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list b6ba1eacf276 wifi: wl1251: validate packet IDs before indexing tx_frames d7b59c2e6109 ALSA: hda/realtek: add quirk for Framework F111:000F fa4f1f52528c netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry b345586c9fe8 ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx c09a7446aab5 btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() aa77bd6d08f0 can: mcp251x: add error handling for power enable in open and resume 5c37bd025068 ASoC: SOF: topology: reject invalid vendor array size in token parser 64e4ced7dd47 ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF 719df67c2003 ALSA: asihpi: avoid write overflow check warning 384c3f844f53 media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() e0c656cbb2a7 ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC 1e1015643535 ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk 2cd86c2cd771 ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA 62298a48f8b8 RDMA/irdma: Fix double free related to rereg_user_mr Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 4 +-- .../linux/linux-yocto-tiny_6.6.bb | 4 +-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 26 +++++++++---------- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index fab90bcc14d9..22af5c2a99e2 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "796ebf5cd0bb25e473fead08d0e3c8c1b68f0676" +SRCREV_machine ?= "99c037f00af27169304f268e388fa3fc65688633" SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.135" +LINUX_VERSION ?= "6.6.136" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 80234909a326..1153249b8d8b 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.135" +LINUX_VERSION ?= "6.6.136" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,7 +17,7 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "8c3e42c1177c1cf7f4b028ffe1ddacf5a7e8b018" +SRCREV_machine ?= "4aa4f6df28cc4541355f39ce0c40237408690c14" SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 43d0ad9c8ee9..f2307dd6e054 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,17 +18,17 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "e3d837b99e32b26f86c7e0c956787aa7ac11cbc8" -SRCREV_machine:qemuarm64 ?= "440d78702ecd1f42162acba37434033a5ca903cb" -SRCREV_machine:qemuloongarch64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" -SRCREV_machine:qemumips ?= "8692ec9071ca8f4432c2c3409bf79240f34a7af5" -SRCREV_machine:qemuppc ?= "d49f40c6896b5d1ac37a84564ed7ab5b7a839519" -SRCREV_machine:qemuriscv64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" -SRCREV_machine:qemuriscv32 ?= "97fc5acdc890a23017140ff16705091544b0ab09" -SRCREV_machine:qemux86 ?= "97fc5acdc890a23017140ff16705091544b0ab09" -SRCREV_machine:qemux86-64 ?= "97fc5acdc890a23017140ff16705091544b0ab09" -SRCREV_machine:qemumips64 ?= "91b8fff701cdc434e211a58915886224eb6e0d1a" -SRCREV_machine ?= "97fc5acdc890a23017140ff16705091544b0ab09" +SRCREV_machine:qemuarm ?= "9d8556efa4dbd3ee1cfac4af6426a8476637fcef" +SRCREV_machine:qemuarm64 ?= "aaa7c5002cfdf0f46dcf9239f3074aee1e29741d" +SRCREV_machine:qemuloongarch64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" +SRCREV_machine:qemumips ?= "d9adf59334edff1b09b883ea5717895e9735aa13" +SRCREV_machine:qemuppc ?= "52b968d255a67240a548e64e784d3f5269ca3894" +SRCREV_machine:qemuriscv64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" +SRCREV_machine:qemuriscv32 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" +SRCREV_machine:qemux86 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" +SRCREV_machine:qemux86-64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" +SRCREV_machine:qemumips64 ?= "746738b15a00d5d36105d09ea0f259f44be48ad5" +SRCREV_machine ?= "59f5af18d31e596ec928a48848bd837d53e06c26" SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll @@ -36,7 +36,7 @@ SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "9760bf04666dfe154161d49b6207c3486685bf29" +SRCREV_machine:class-devupstream ?= "142cd8382222d9b135e0029da6830e5e30444d34" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.135" +LINUX_VERSION ?= "6.6.136" PV = "${LINUX_VERSION}+git" From 2c23f41118253f10fa63897b4587bd83421cec55 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:04 -0400 Subject: [PATCH 71/96] linux-yocto/6.6: update to v6.6.137 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 258cf62a6dfde Linux 6.6.137 4b4defd2fce3f Buffer overflow in drivers/xen/sys-hypervisor.c 402d84ad9e89b xen/privcmd: fix double free via VMA splitting 710a4ce5d7afd crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl 3ef530ef5585f crypto: authencesn - Fix src offset when decrypting in-place d0c4ff6812386 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption 60c798725c966 crypto: authenc - use memcpy_sglist() instead of null skcipher c2138c9bd02af crypto: algif_aead - snapshot IV for async AEAD requests 3115af9644c34 crypto: algif_aead - Revert to operating out-of-place dbea57c08acfc crypto: algif_aead - use memcpy_sglist() instead of null skcipher 9ec26b5d193c9 crypto: scatterwalk - Backport memcpy_sglist() Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 22af5c2a99e2..bbcf3122ea1b 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "99c037f00af27169304f268e388fa3fc65688633" -SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" +SRCREV_machine ?= "da5f16c9d10d53af703c809e864c09df336edfb7" +SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.136" +LINUX_VERSION ?= "6.6.137" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 1153249b8d8b..c5c6f88781ca 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.136" +LINUX_VERSION ?= "6.6.137" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "4aa4f6df28cc4541355f39ce0c40237408690c14" -SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" +SRCREV_machine ?= "cd2288c19d6b729b3c7b2b620eb9c311116c72f1" +SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index f2307dd6e054..358b6a7760b1 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "9d8556efa4dbd3ee1cfac4af6426a8476637fcef" -SRCREV_machine:qemuarm64 ?= "aaa7c5002cfdf0f46dcf9239f3074aee1e29741d" -SRCREV_machine:qemuloongarch64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_machine:qemumips ?= "d9adf59334edff1b09b883ea5717895e9735aa13" -SRCREV_machine:qemuppc ?= "52b968d255a67240a548e64e784d3f5269ca3894" -SRCREV_machine:qemuriscv64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_machine:qemuriscv32 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_machine:qemux86 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_machine:qemux86-64 ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_machine:qemumips64 ?= "746738b15a00d5d36105d09ea0f259f44be48ad5" -SRCREV_machine ?= "59f5af18d31e596ec928a48848bd837d53e06c26" -SRCREV_meta ?= "b162eec5fa39c4658181073e741efe3a9d498454" +SRCREV_machine:qemuarm ?= "eb708bdc972fc5dc22cdcbf3d3dbdb81e1450fd9" +SRCREV_machine:qemuarm64 ?= "eafa49201e224e87ad20cf849dead88aec204e68" +SRCREV_machine:qemuloongarch64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_machine:qemumips ?= "b75949027e1e8c8c90998ee144c6b97aa2fbf561" +SRCREV_machine:qemuppc ?= "1b302e1b1463e28dd8d446754cc3140e935ceec6" +SRCREV_machine:qemuriscv64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_machine:qemuriscv32 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_machine:qemux86 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_machine:qemux86-64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_machine:qemumips64 ?= "620abbeb29fcd44655d2de94ae7a7fff7656ed01" +SRCREV_machine ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" +SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "142cd8382222d9b135e0029da6830e5e30444d34" +SRCREV_machine:class-devupstream ?= "258cf62a6dfde3c6a39d120a56a298f2ed6a8901" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.136" +LINUX_VERSION ?= "6.6.137" PV = "${LINUX_VERSION}+git" From c5695ca3eef548ac0a2ce9dd933b8c776707c6d8 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:05 -0400 Subject: [PATCH 72/96] linux-yocto/6.6: update to v6.6.138 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 3b9f64db04968 Linux 6.6.138 50ed1e7873100 xfrm: esp: avoid in-place decrypt on shared skb frags Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index bbcf3122ea1b..68c3c07ef63c 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "da5f16c9d10d53af703c809e864c09df336edfb7" -SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" +SRCREV_machine ?= "9708fab99d7eb8962dda82d642c468a32b6682fa" +SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.137" +LINUX_VERSION ?= "6.6.138" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index c5c6f88781ca..52d89c713df3 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.137" +LINUX_VERSION ?= "6.6.138" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "cd2288c19d6b729b3c7b2b620eb9c311116c72f1" -SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" +SRCREV_machine ?= "72c2c9b6014dd199bb70e07e19931b8691fa08e1" +SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 358b6a7760b1..e077808f2880 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "eb708bdc972fc5dc22cdcbf3d3dbdb81e1450fd9" -SRCREV_machine:qemuarm64 ?= "eafa49201e224e87ad20cf849dead88aec204e68" -SRCREV_machine:qemuloongarch64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_machine:qemumips ?= "b75949027e1e8c8c90998ee144c6b97aa2fbf561" -SRCREV_machine:qemuppc ?= "1b302e1b1463e28dd8d446754cc3140e935ceec6" -SRCREV_machine:qemuriscv64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_machine:qemuriscv32 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_machine:qemux86 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_machine:qemux86-64 ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_machine:qemumips64 ?= "620abbeb29fcd44655d2de94ae7a7fff7656ed01" -SRCREV_machine ?= "f14907570fc0bb7285c62bc9d5146180bafffbae" -SRCREV_meta ?= "7d4cafa710da4e27a86cb015e50d91cf458af06f" +SRCREV_machine:qemuarm ?= "9d8edc5598e5c5f17ce696ce032e8dc654858450" +SRCREV_machine:qemuarm64 ?= "c6600bc98dbafed4fcbd6f1204da6b41ef5feec2" +SRCREV_machine:qemuloongarch64 ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_machine:qemumips ?= "97c272b944970f93ef93eb87f54899ccb26671f1" +SRCREV_machine:qemuppc ?= "8dfba699cafc5b5d5f50cb8f270db9b8ae112571" +SRCREV_machine:qemuriscv64 ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_machine:qemuriscv32 ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_machine:qemux86 ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_machine:qemux86-64 ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_machine:qemumips64 ?= "2744d8ab5ccca406c0acc17c414ff4c8e186708f" +SRCREV_machine ?= "ad053e3390f755311a4d87911c13039387767122" +SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "258cf62a6dfde3c6a39d120a56a298f2ed6a8901" +SRCREV_machine:class-devupstream ?= "3b9f64db049687c0d38b4b3ef2f297f0642179af" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.137" +LINUX_VERSION ?= "6.6.138" PV = "${LINUX_VERSION}+git" From be37c8721aacb0e9b05b5c6f24f2f28ada746740 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:06 -0400 Subject: [PATCH 73/96] linux-yocto/6.6: update to v6.6.140 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: eac8889a3a1c Linux 6.6.140 4c3ed344a970 smb: client: use kzalloc to zero-initialize security descriptor buffer 2074dfffad76 Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete b94588f5a697 crypto: nx - fix context leak in nx842_crypto_free_ctx d7e42dc47beb Bluetooth: MGMT: Fix memory leak in set_ssp_complete f7c14993dc2f mtd: spi-nor: sst: Fix SST write failure 5bb5faff4837 drm/amdgpu/vcn4: Avoid overflow on msg bound check 1936310f68c5 drm/amdgpu/vcn3: Avoid overflow on msg bound check 9b2c795bb2c6 vsock/virtio: fix length and offset in tap skb for split packets 65c484726e74 vsock/virtio: fix accept queue count leak on transport mismatch a998a7e250bf vsock: fix buffer size clamping order 944d76f749dd KVM: arm64: Wake-up from WFI when iqrchip is in userspace 83ce43a21bb7 ceph: only d_add() negative dentries when they are unhashed 09a69a3d8f97 usb: dwc3: Move GUID programming after PHY initialization 033c80d80fd1 tracing/probes: Limit size of event probe to 3K f5ee467b5676 btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak 6b57d6e4c302 batman-adv: tp_meter: fix tp_num leak on kmalloc failure 79bc0eaeef2c batman-adv: stop tp_meter sessions during mesh teardown c2287250ba69 pwm: imx-tpm: Count the number of enabled channels in probe 3666c037fbde mtd: spi-nor: sst: Fix write enable before AAI sequence b7cd63d13fae mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` 0000a7780e0e ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger b32f4cd81ef5 mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values 8e7317598d72 usb: typec: tcpm: reset internal port states on soft reset AMS 2b26b1ec4c1d mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values 0dd8917f35da mm/damon/core: implement damon_kdamond_pid() 7c504ffab3ef rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present cfa4267b5075 mm/damon/core: disallow time-quota setting zero esz 172dcb67dd35 bonding: fix use-after-free due to enslave fail after slave array update cf1fd517f892 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() c0428a22daf6 rxrpc: Fix conn-level packet handling to unshare RESPONSE packets 594973a2e549 fbcon: Avoid OOB font access if console rotation fails f4b177f96955 spi: microchip-core-qspi: fix controller deregistration 091499f90e09 spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() 420d6f5e3fb4 mm/hugetlb_cma: round up per_node before logging it fa7aaaed583a spi: uniphier: fix controller deregistration 3e272e6be1a2 spi: uniphier: Simplify clock handling with devm_clk_get_enabled() c9577d966503 spi: uniphier: switch to use modern name 664b60985a77 spi: tegra20-sflash: fix controller deregistration 4541a6cbec27 spi: tegra114: fix controller deregistration df771f250402 spi: sun6i: fix controller deregistration 9da85b209f26 spi: sun6i: switch to use modern name 7fd0c4fd2185 spi: zynq-qspi: fix controller deregistration dc2044ef3647 spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() ae6ee9f16538 spi: zynq-qspi: switch to use modern name db96551920e2 spi: ti-qspi: fix controller deregistration 25ba53c43f30 spi: spi-ti-qspi: switch to use modern name 3b6cededf65a spi: spi-ti-qspi: Convert to platform remove callback returning void 1cdba535877d spi: sun4i: fix controller deregistration 79a38ff2bd3d spi: sun4i: switch to use modern name 904ff4e79961 spi: syncuacer: fix controller deregistration 5bbe69946620 spi: synquacer: switch to use modern name 6823f730bf19 Bluetooth: hci_conn: fix potential UAF in create_big_sync b4a53add2fa8 xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete 0555d4f52623 xfrm: ah: account for ESN high bits in async callbacks 9d3968c48367 net: ipv6: stop checking crypto_ahash_alignmask 0841fc6a36c3 net: ipv4: stop checking crypto_ahash_alignmask 7e78a5bcbd65 ALSA: seq: Fix UMP group 16 filtering dbacde3d4755 ALSA: seq: Notify client and port info changes 3915715273cd ALSA: core: Serialize deferred fasync state checks fe337552143f ALSA: misc: Use guard() for spin locks 409fb34c1860 ALSA: hda: cs35l56: Propagate ASP TX source control errors 247ed8a969f9 tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() e1c50b273298 net: stmmac: Prevent NULL deref when RX memory exhausted 8a2c91de61ff net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() 6a74af77eba5 net: stmmac: avoid shadowing global buf_sz 2adbfca7452e crypto: caam - guard HMAC key hex dumps in hash_digest_key f3a3e2dac5ec printk: add print_hex_dump_devel() 43a878639b90 erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() 6923cde8dc1d crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx 268ae55a4c4f crypto: nx - Migrate to scomp API c5fa7465794c crypto: nx - Avoid -Wflex-array-member-not-at-end warning bf96052d617b ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() e1c24ce7573d wifi: rtl8xxxu: fix potential use of uninitialized value 3ca80e3012c8 hfsplus: fix held lock freed on hfsplus_fill_super() 61a790974ff7 hfsplus: fix uninit-value by validating catalog record size 82fb9da6477d xfs: fix a resource leak in xfs_alloc_buftarg() b58baa1d50aa mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs 058b451b1039 udf: fix partition descriptor append bookkeeping 401a49b7f26e firmware: google: framebuffer: Do not unregister platform device 2a40f8bc9bb7 fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info a2c817c62943 spi: fix resource leaks on device setup failure 4c4641366143 net: qrtr: ns: Limit the total number of nodes 0dbec101a707 net: qrtr: ns: Limit the maximum number of lookups e6f6cd501fb5 net: qrtr: ns: Limit the maximum server registration per node 0b9e4bbfb7c9 net: bridge: use a stable FDB dst snapshot in RCU readers 218b772e4815 net: mctp: fix don't require received header reserved bits to be zero 6a2d6273b6c3 RDMA/mana_ib: Disable RX steering on RSS QP destroy 8d4edc89bf71 sched: Use u64 for bandwidth ratio calculations ede9eca9701d block: relax pgmap check in bio_add_page for compatible zone device pages 18d6a7c9e4e6 media: rc: igorplugusb: heed coherency rules 69b3a50dee62 ALSA: aoa: Skip devices with no codecs in i2sbus_resume() 32fbdb6d6718 media: rc: ttusbir: respect DMA coherency rules 35bcafc82254 ALSA: aoa: i2sbus: clear stale prepared state a045146109ea ALSA: aoa: Use guard() for mutex locks 07f9bff69da8 ipmi:ssif: Clean up kthread on errors 1f5e011fc8c8 ipmi:ssif: Fix a shutdown race 37a430a2d4e6 thermal: core: Fix thermal zone governor cleanup issues 78509c488c5d PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete 801000afc9c9 wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling b3303d6e92f6 wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor b968db3b8b4f wifi: mt76: connac: introduce helper for mt7925 chipset 8dc5b98c20aa arm64/mm: Enable batched TLB flush in unmap_hotplug_range() bf477abd448c lib: test_hmm: evict device pages on file close to avoid use-after-free 11869ce402d9 wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() 7edd983e42ee f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally 35baa66a8cd7 ksmbd: replace connection list with hash table b0b3d62d7230 ksmbd: use msleep instaed of schedule_timeout_interruptible() 1171f329cf1c f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() 8e47d297e7cf smb: client: validate the whole DACL before rewriting it in cifsacl 325d4ac11f52 ksmbd: require minimum ACE size in smb_check_perm_dacl() 1593ddb37bd1 smb: common: change the data type of num_aces to le16 795dddb10687 smb: move some duplicate definitions to common/smbacl.h 65419eb4259a batman-adv: bla: put backbone reference on failed claim hash insert 7b8fbcee3184 batman-adv: bla: only purge non-released claims 368449e467d5 batman-adv: bla: prevent use-after-free when deleting claims aafcbaf1159e batman-adv: stop caching unowned originator pointers in BAT IV e4a3c4a4c8f6 batman-adv: reject new tp_meter sessions during teardown f61499359fa5 batman-adv: fix integer overflow on buff_pos 1bfb06ecb00f sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL ee4c7a919761 drm/amdgpu/pm: align Hawaii mclk workaround with radeon a103f1192dc7 drm/amdgpu/pm: add missing revision check for CI 4f7ca00fa91d drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission b5de35bafcd3 drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ 91fbb5e635c8 drm/amdgpu: zero-initialize GART table on allocation b8cbc52c73fa drm/radeon: add missing revision check for CI 91c6dc5a4169 drm/amdkfd: validate SVM ioctl nattr against buffer size 6b992591e04f drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() 638d3e0b9eb7 drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg c72a8b4dc6d5 drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg 944db9cfa537 drm/amdgpu/vce: Prevent partial address patches 1dc005775fb5 drm/amdgpu/vcn4: Prevent OOB reads when parsing IB 0fb5cb556b24 drm/amdgpu: Add bounds checking to ib_{get,set}_value 4a8093c7def1 drm/amdkfd: Add upper bound check for num_of_nodes 1db431380879 drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure 01eea4d12fb6 spi: cadence: fix unclocked access on unbind 31e7dd252bf7 spi: cadence: fix controller deregistration bb6b50f709c5 spi: mpc52xx: fix use-after-free on unbind 59abb878f5a6 spi: orion: fix clock imbalance on registration failure 678a461af304 spi: orion: fix runtime pm leak on unbind 1f120e1a3e1e spi: imx: fix runtime pm leak on probe deferral 17aa64b8fe3e spi: img-spfi: fix controller deregistration 77defd64b405 spi: rspi: fix controller deregistration c6f82bd90a71 spi: sprd: fix controller deregistration 6dd37ce42ac7 spi: coldfire-qspi: fix controller deregistration 3ad32a7140eb spi: bcmbca-hsspi: fix controller deregistration 562d954a1449 spi: fsl: fix controller deregistration 59da4cdd0c7b spi: sh-hspi: fix controller deregistration 863edec24c1d spi: mtk-nor: fix controller deregistration 4ea9a1ad663c spi: omap2-mcspi: fix controller deregistration 89c0a7762104 spi: fsl-espi: fix controller deregistration 2be39222d6ca spi: s3c64xx: fix controller deregistration b9d4b9c3457c spi: dln2: fix controller deregistration 951694f9fab9 media: omap3isp: drop the use count of v4l2 pipeline e85f1e23168f media: i2c: ov08d10: fix image vertical start setting 0b49f5dabc3a media: staging: imx: request mbus_config in csi_start 2dde85b42abd media: i2c: imx412: Assert reset GPIO during probe 97dbf8e69f3a media: dib8000: avoid division by 0 in dib8000_set_dds() 492c5292540f media: pci: zoran: fix potential memory leak in zoran_probe() f3290d970bbe platform/x86: hp-wmi: Ignore backlight and FnLock events 3ce8f3057c51 media: saa7164: add ioremap return checks and cleanups 55be73783f11 spi: at91-usart: fix controller deregistration 70c2ee9cab5c spi: qup: fix controller deregistration 5a531cbb3bce spi: lantiq-ssc: fix controller deregistration 38321b03b8c2 regulator: bd9571mwv: fix OF node reference imbalance 0da216314247 regulator: act8945a: fix OF node reference imbalance feb17524aa4e media: videobuf2: Set vma_flags in vb2_dma_sg_mmap da769e8f8e34 regulator: rk808: fix OF node reference imbalance 5b7471dce523 media: rc: streamzap: Error handling in probe 0cc9251833bf media: rc: xbox_remote: heed DMA restrictions cd8f1633c3e8 regulator: max77650: fix OF node reference imbalance e46b3b0c9c44 regulator: mt6357: fix OF node reference imbalance 8c7a281a9922 staging: media: atomisp: Disallow all private IOCTLs f367ddf1299e spi: atmel: fix controller deregistration 725b90ce70a7 spi: bcm63xx: fix controller deregistration fd10fb4c33bd media: i2c: ov8856: free control handler on error in ov8856_init_controls() 6467d656e689 media: uvcvideo: Enable VB2_DMABUF for metadata stream 0bc4cf1a6ba0 HID: playstation: Clamp num_touch_reports df870e104571 exit: Sleep at TASK_IDLE when waiting for application core dump 0b8167e83647 LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup 07d190e4ec68 LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() db7f65df10bd KVM: arm64: Fix initialisation order in __pkvm_init_finalise() 70d12291805a KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value 42dd1c91f993 f2fs: fix node_cnt race between extent node destroy and writeback 88b98e3cfb92 f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() 72ec0749a1ba f2fs: fix fiemap boundary handling when read extent cache is incomplete a2bcf16cdf79 f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() ebeb70e29e37 mptcp: fix scheduling with atomic in timestamp sockopt a79bafdd4b63 mptcp: sockopt: set timestamp flags on subflow socket, not msk bd36fb4f9446 mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure 23e881c7fedb mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure 114b4a6d4ede mptcp: fastclose msk when linger time is 0 ecc36a82ecfc RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path e3dc3a2fb05f RDMA/rxe: Reject unknown opcodes before ICRC processing 539cabb7b2d8 RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads e01a957561f6 RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() a13c2ac4d480 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() c5dc30da9900 RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() 92582c6978d9 power: supply: max17042: avoid overflow when determining health 27f7c024ede4 PCI/AER: Stop ruling out unbound devices as error source 3937fa851992 PCI/AER: Clear only error bits in PCIe Device Status b1e9f2d58707 mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock 971f17f5d910 KVM: x86: check for nEPT/nNPT in slow flush hypercalls ba7f71b6161c smb: client: validate dacloffset before building DACL pointers ef6495d4df6e smb/client: fix out-of-bounds read in symlink_data() dffb44b2e06a smb/client: fix out-of-bounds read in smb2_compound_op() e5c93847bf03 s390/debug: Reject zero-length input in debug_input_flush_fn() fb4ae739811d RDMA/hns: Fix unlocked call to hns_roce_qp_remove() c741433f6c8d openvswitch: vport: fix self-deadlock on release of tunnel ports 9a4d7222c095 nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free d525ecf92228 nvme-apple: drop invalid put of admin queue reference count 4af2e558e6fd md/raid10: fix divide-by-zero in setup_geo() with zero far_copies 2ae0afd98432 libceph: Fix slab-out-of-bounds access in auth message processing 470822125b62 lib/scatterlist: fix temp buffer in extract_user_to_sg() 3f17500e86d7 lib/scatterlist: fix length calculations in extract_kvec_to_sg 2aa77a18dc7f lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() bb0988ed4f2e isofs: validate block number from NFS file handle in isofs_export_iget c9b37c8b73f6 isofs: validate Rock Ridge CE continuation extent against volume size 5489c98bc681 dm-verity-fec: correctly reject too-small hash devices 2e28bb9cc39f dm-verity-fec: correctly reject too-small FEC devices ae9cd0b46b18 eventfs: Hold eventfs_mutex and SRCU when remount walks events f0b0b09d9840 dm: fix a buffer overflow in ioctl processing 16fc9f57b5d7 dm: don't report warning when doing deferred remove 12161e03d33a dm-thin: fix metadata refcount underflow c2670ec4aa49 btrfs: fix double free in create_space_info() error path f7126b0b2455 ASoC: qcom: q6apm: remove child devices when apm is removed 3141d8b00cad ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens cb25b46a8dbe ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop ef1b78a68675 ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error a06bd365a587 ASoC: fsl_easrc: fix comment typo d91e616474c6 ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table 88f32a6806c8 cpuidle: powerpc: avoid double clear when breaking snooze 47bc7a03449c clk: microchip: mpfs-ccc: fix out of bounds access during output registration be8af24ff376 clk: imx: imx8-acm: fix flags for acm clocks d79e92161b65 spi: topcliff-pch: fix use-after-free on unbind 5f08cbdce0f3 thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp c040f6c5402c thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata 50dfaf4a0277 udf: reject descriptors with oversized CRC length 82bc89fbb82d ibmveth: Disable GSO for packets with small MSS 9415a3fbf677 hv_sock: fix ARM64 support a0ea2ee6ec05 gpio: of: clear OF_POPULATED on hog nodes in remove path 476254a6c87c extcon: ptn5150: handle pending IRQ events during system resume 2a5ed5055d1e cifs: change_conf needs to be called for session setup ff519f87c36b cifs: abort open_cached_dir if we don't request leases 3d2ecbd444b0 block: add pgmap check to biovec_phys_mergeable 0d7e7235bc54 af_unix: Reject SIOCATMARK on non-stream sockets d6c7f32094d6 hwmon: (corsair-psu) Close HID device on probe errors 39f0604bf1ae clk: rk808: fix OF node reference imbalance 0fc5303fa33d hwmon: (ltc2992) Fix u32 overflow in power read path 66daaf79de20 hwmon: (ltc2992) Clamp threshold writes to hardware range c9a3b2fb4003 parisc: Fix IRQ leak in LASI driver f94450ce5053 net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler 21d70744e6d3 net/rds: handle zerocopy send cleanup before the message is queued eca62bb0569d ip6_gre: Use cached t->net in ip6erspan_changelink(). d3bd80404979 net: libwx: fix VF illegal register access 6162e8212e88 sound: ua101: fix division by zero at probe 0653c0516234 net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo 9a80c458320e mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() 895ebbedf883 fanotify: fix false positive on permission events f39501ea776f staging: vme_user: fix root device leak on init failure 1108b8722b9f spi: s3c64xx: fix NULL-deref on driver unbind 487f65651549 spi: zynqmp-gqspi: fix controller deregistration 5105f3e6b2df Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() ab77c8bc3026 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() 6cb7f67bc28d Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt 1e1e509b6fd2 Bluetooth: virtio_bt: validate rx pkt_type header length ed41c81d30b2 Bluetooth: virtio_bt: clamp rx length before skb_put 4aec732807c5 selinux: prune /sys/fs/selinux/disable 01231051fa45 selinux: shrink critical section in sel_write_load() ebd425067290 selinux: don't reserve xattr slot when we won't fill it c2efc4956981 ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() 3bf4e93ed085 xfrm: provide message size for XFRM_MSG_MAPPING 0f39c2626617 powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o cdbd10975b96 ALSA: firewire-tascam: Do not drop unread control events b0c0d44adb55 usb: ulpi: fix memory leak on ulpi_register() error paths 20284bf5cc84 USB: serial: option: add Telit Cinterion LE910Cx compositions 9b92535cb729 USB: omap_udc: DMA: Don't enable burst 4 mode 91c3634bc6ac ALSA: usb-audio: Fix UAC3 cluster descriptor size check e0e3dcf48189 ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() a3c42466f45c ALSA: usb-audio: midi2: Restart output URBs on resume d06d937b0a4c usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl 6e29c32a2721 usb: usblp: fix heap leak in IEEE 1284 device ID via short response ed4168d1a50f wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task c3d7b90dc950 wifi: b43: enforce bounds check on firmware key index in b43_rx() fe75fa1ac9a9 wifi: mac80211: remove station if connection prep fails 83226c71af53 wifi: ath5k: do not access array OOB 95fcb436586d wifi: rsi: fix kthread lifetime race between self-exit and external-stop 03584528bfff wifi: mac80211: drop stray 'static' from fast-RX rx_result 1baaeb6adecb wifi: b43legacy: enforce bounds check on firmware key index in RX path d04bc2355392 wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work e451c325b000 wifi: mt76: mt7921: fix a potential clc buffer length underflow 640b4c00fb0e exit: prevent preemption of oopsing TASK_DEAD task e4bbd3521db0 bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc aa71ab2cc929 selftests/bpf: validate fake register spill/fill precision backtracking logic 2fcd619caecb bpf: handle fake register spill to stack with BPF_ST_MEM instruction f013c1dafe93 selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros c05c8db19cd3 bpf: track aligned STACK_ZERO cases as imprecise spilled registers 9d2cf5a4a378 selftests/bpf: validate zero preservation for sub-slot loads d3b398ee3404 bpf: preserve constant zero when doing partial register restore 6d40191708e1 selftests/bpf: validate STACK_ZERO is preserved on subreg spill 57f41f1eac13 bpf: preserve STACK_ZERO slots on partial reg spills c994886689fe selftests/bpf: add stack access precision test e4da60feca4d bpf: support non-r10 register spill/fill to/from stack in precision tracking 36aa34f42cb6 net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked 898a1751b620 KVM: SVM: check validity of VMCB controls when returning from SMM 695b491dc3f2 dmaengine: idxd: Fix leaking event log memory 5ba95b119aa7 dmaengine: idxd: Fix crash when the event log is disabled 0305e7118451 net: txgbe: fix RTNL assertion warning when remove module db104b0d8a78 flow_dissector: do not dissect PPPoE PFC frames da54b3039d43 net: Fix icmp host relookup triggering ip_rt_bug d51bf43193b1 iommu/amd: serialize sequence allocation under concurrent TLB invalidations c28c87d9a389 iommu/amd: Use atomic64_inc_return() in iommu.c 488e386484ec KVM: x86: Fix shadow paging use-after-free due to unexpected GFN 4772032a2c62 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets 4d08401aa13f ext4: validate p_idx bounds in ext4_ext_correct_indexes e3bf143b1e98 rxrpc: Fix potential UAF after skb_unshare() failure 0d645c6d13fa spi: meson-spicc: Fix double-put in remove path e2c2b044458c x86/shstk: Prevent deadlock during shstk sigreturn 21159d8b335a drm/amd/display: Do not skip unrelated mode changes in DSC validation c79cf4232160 x86: shadow stacks: proper error handling for mmap lock 4a0bb8f9f71b spi: rockchip: fix controller deregistration 327a64241f30 ASoC: SOF: Don't allow pointer operations on unconfigured streams cf3eb7c8e705 iommufd: Fix a race with concurrent allocation and unmap 3bb92bac4e27 ACPI: video: force native backlight on HP OMEN 16 (8A44) 95242430c136 ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug 419d6c640da7 ACPI: scan: Use acpi_dev_put() in object add error paths 4f312c30f036 fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free ce905b65e649 ipmi:si: Return state to normal if message allocation fails 2418e4b21fb1 ipmi: Check event message buffer response for bad data 67c44e0deba9 ipmi: Add limits to event and receive message requests 1f678d13e939 scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() bffef0acec9c netfilter: reject zero shift in nft_bitwise 6bd17925bd68 net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels 50c6a1f05973 ALSA: caiaq: fix usb_dev refcount leak on probe failure be0376affcaf drm/amdgpu: fix zero-size GDS range init on RDNA4 8e8be63465a5 ipv6: rpl: reserve mac_len headroom when recompressed SRH grows e4389fb74cec ALSA: caiaq: Don't abort when no input device is available be62c8bb03b6 ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path 68532b09cbfc driver core: Add kernel-doc for DEV_FLAG_COUNT enum value b69933e97efe crypto: authencesn - reject short ahash digests during instance creation e3cebcde0114 seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode 262152ec3710 scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails 8a1fc8d698ac rtmutex: Use waiter::task instead of current in remove_waiter() a954061b334e ntfs3: fix integer overflow in run_unpack() volume boundary check bf7ac4a1d3bf ntfs3: add buffer boundary checks to run_unpack() 98f4ba3480b9 ktest: Fix the month in the name of the failure directory 9d8fd84aab19 IB/core: Fix zero dmac race in neighbor resolution 35f6b3281efd dm mirror: fix integer overflow in create_dirty_log() c5a45d14234b crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path 5281e6e23023 crypto: atmel-tdes - fix DMA sync direction 3061c9bfb3f5 crypto: ccree - fix a memory leak in cc_mac_digest() 5b71db0780f1 crypto: hisilicon - Fix dma_unmap_single() direction 3f92c1de3bf1 crypto: atmel-ecc - Release client on allocation failure b63f1e2f0e31 crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup d78ee361b365 crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit 4b7d07747400 can: ucan: fix devres lifetime 204028af77a2 Bluetooth: hci_event: fix potential UAF in SSP passkey handlers 6cbf21775ee6 taskstats: set version in TGID exit notifications ab5fdcd53564 tcp: call sk_data_ready() after listener migration 8bcc1cd237ab inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails 33698bd1b2db md/raid5: validate payload size before accessing journal metadata 09880592f5a9 md/raid5: fix soft lockup in retry_aligned_read() 1bc1107a3a40 ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() ab6da97bc310 ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access 8bbed28f6b42 io_uring/poll: fix multishot recv missing EOF on wakeup race d26f8c361f75 mtd: docg3: fix use-after-free in docg3_release() 980d6ba22747 mtd: docg3: Convert to platform remove callback returning void ddb188b88d55 KVM: nSVM: Add missing consistency check for nCR3 validity 23ccf4affa6c KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS de6d8562a9cf KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT c0095cef7303 KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT 83754e459c4b KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) ddc242a7bb44 KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN d218a0e8a63c KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT 263640149d81 KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode 36f36a6e4e74 KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts 3ac9d4241d20 KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 1709418535a8 KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 702ce67817de KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 15003179c74d KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state 35053cdec119 KVM: x86: Defer non-architectural deliver of exception payload to userspace read f3deabe0f5ac userfaultfd: allow registration of ranges below mmap_min_addr 14c643ecdc42 mm/damon/core: use time_in_range_open() for damos quota window start d975c077fbdc rtc: ntxec: fix OF node reference imbalance f92cc1d2c0b4 tpm: tpm_tis: stop transmit if retries are exhausted 2e0fd1cb4de4 tpm: tpm_tis: add error logging for data transfer a866e2b1c65e crypto: talitos - rename first/last to first_desc/last_desc 00463d5f864a crypto: talitos - fix SEC1 32k ahash request limitation a72815210182 arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins 00b1d0f4e7bb mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration 0aaa43198645 mmc: block: use single block write in retry fdabbc881930 randomize_kstack: Maintain kstack_offset per task c03556448d47 power: supply: axp288_charger: Do not cancel work before initializing it 703fb43600c2 LoongArch: Show CPU vulnerabilites correctly 41aec1d85b88 tpm: avoid -Wunused-but-set-variable 64282a745897 extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE' 4b2738b93eda libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() 92e7c209036d ipv4: icmp: validate reply type before using icmp_pointers 2fd4f8b74930 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv 3e75d06cf3e4 drm/arcpgu: fix device node leak fa0c4283efef net: ks8851: Avoid excess softirq scheduling 640a7631d31d net: ks8851: Reinstate disabling of BHs around IRQ handler f0858e1d5624 net/smc: avoid early lgr access in smc_clc_wait_msg e98bd8888e3f net: txgbe: fix firmware version check 8fdbb6262a4a net: rds: fix MR cleanup on copy error ff78ed177a66 net: qrtr: ns: Free the node during ctrl_cmd_bye() 4069329eeba0 tools/accounting: handle truncated taskstats netlink messages d61482be4aae rxrpc: Fix re-decryption of RESPONSE packets f1c6bd0cc786 rxrpc: Fix rxkad crypto unalignment handling c4b8f32e73ea rxrpc: Fix memory leaks in rxkad_verify_response() 97a97090872f iio: adc: ad7768-1: fix one-shot mode data acquisition 528763fd6bb8 ALSA: pcmtest: Fix resource leaks in module init error paths c21ef73713eb ALSA: pcmtest: fix reference leak on failed device registration 99c8060c3b33 ALSA: 6fire: Fix input volume change detection f537e3ad6960 ALSA: caiaq: Handle probe errors properly f4dfbdc1be34 ALSA: caiaq: Fix control_put() result and cache rollback e794e1763e80 ALSA: core: Fix potential data race at fasync handling fafab8b3cd57 io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE cf522703d4f1 io_uring/poll: fix signed comparison in io_poll_get_ownership() 89ca27d6d3b2 iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() 44100ed1bdce io_uring/timeout: check unused sqe fields 2f4809a879f0 rbd: fix null-ptr-deref when device_add_disk() fails 1627d6060b45 selftests/mqueue: Fix incorrectly named file 5d1451cb2cf6 remoteproc: xlnx: Only access buffer information if IPI is buffered c9d2f7b9c38c parisc: _llseek syscall is only available for 32-bit userspace 1b4039d8f4f6 nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set 86bffea0b9f2 nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 ec7f47706269 mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused 965d6162dd88 md/raid10: fix deadlock with check operation and nowait requests 222055e6b406 erofs: fix the out-of-bounds nameoff handling for trailing dirents 8555d6990432 ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes 25ded535ee26 ALSA: ctxfi: Add fallback to default RSR for S/PDIF 831074ec21b4 ALSA: aoa: i2sbus: fix OF node lifetime handling 32e0b9255726 ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() 0f313eb6a8f6 net: qrtr: ns: Fix use-after-free in driver remove() 3a5023627ab9 media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() 4a34fd6b04f9 lib/ts_kmp: fix integer overflow in pattern length calculation a34d96381bf8 Revert "ALSA: usb: Increase volume range that triggers a warning" 72099f015d3c PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown 2209fdae5c2f media: mtk-jpeg: fix use-after-free in release path due to uncancelled work e9ae00490d47 net: strparser: fix skb_head leak in strp_abort_strp() 914c6456fcfc net: caif: clear client service pointer on teardown 1fbe46d2b727 ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() 42dc622776f3 media: amphion: Fix race between m2m job_abort and device_run 0ba03e06f037 of: unittest: fix use-after-free in testdrv_probe() 9f1cbca178c0 crypto: pcrypt - Fix handling of MAY_BACKLOG requests 9337ed5e777e f2fs: fix to detect potential corrupted nid in free_nid_list f99165ef0677 spi: imx: fix use-after-free on unbind 8c43ed08643a um: drivers: call kernel_strrchr() explicitly in cow_user.c cc9b6303e7ea wifi: rtw88: check for PCI upstream bridge existence 2d1f18efccdb zram: do not forget to endio for partial discard requests 108f2cd13577 LoongArch: Add spectre boundry for syscall dispatch table 29166a0e732f driver core: Don't let a device probe until it's ready 886f97fa59d0 ocfs2: split transactions in dio completion to avoid credit exhaustion 17b399cbb9fa device property: Make modifications of fwnode "flags" thread safe abc6bdcbc045 regset: use kvzalloc() for regset_get_alloc() e620378aab78 drm/amdgpu: Limit BO list entry count to prevent resource exhaustion be7c5dcfd3c7 drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array c7f4dad62813 padata: Remove comment for reorder_work a11a12a9880a padata: Fix pd UAF once and for all 0b60eb04b852 Bluetooth: MGMT: Fix possible UAFs d0b27c41aa09 firmware: google: framebuffer: Do not mark framebuffer as busy fd19eb1c7504 ibmasm: fix heap over-read in ibmasm_send_i2o_message() a672682d39dd ibmasm: fix OOB reads in command_file_write due to missing size checks fc7e9a74e322 misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() 28a2e047d037 leds: qcom-lpg: Check for array overflow when selecting the high resolution fa297e919d16 drm/nouveau: fix u32 overflow in pushbuf reloc bounds check 8775fa6e2914 ALSA: usb-audio: Evaluate packsize caps at the right place e3a0ebd80ae6 usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change 82d050713073 usb: chipidea: otg: not wait vbus drop if use role_switch 8429841d12ca usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() d1905dbbb7c0 ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch 610ba605a4f7 ALSA: usb-audio: Avoid false E-MU sample-rate notifications ab5ba9fd1387 ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES 4d922539ad7d Linux 6.6.139 ff6fc65b3bf7 x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache 8f907d345bae ptrace: slightly saner 'get_dumpable()' logic Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 68c3c07ef63c..d8d3d69f1973 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "9708fab99d7eb8962dda82d642c468a32b6682fa" -SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" +SRCREV_machine ?= "742fd3c3537c966272314e48f67397f0e1d622d7" +SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.138" +LINUX_VERSION ?= "6.6.140" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 52d89c713df3..0fd9c36bd805 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.138" +LINUX_VERSION ?= "6.6.140" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "72c2c9b6014dd199bb70e07e19931b8691fa08e1" -SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" +SRCREV_machine ?= "cd0d6d62e0e4ff344241d89f37cd6d305e1afb85" +SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index e077808f2880..dc978f240e6a 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "9d8edc5598e5c5f17ce696ce032e8dc654858450" -SRCREV_machine:qemuarm64 ?= "c6600bc98dbafed4fcbd6f1204da6b41ef5feec2" -SRCREV_machine:qemuloongarch64 ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_machine:qemumips ?= "97c272b944970f93ef93eb87f54899ccb26671f1" -SRCREV_machine:qemuppc ?= "8dfba699cafc5b5d5f50cb8f270db9b8ae112571" -SRCREV_machine:qemuriscv64 ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_machine:qemuriscv32 ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_machine:qemux86 ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_machine:qemux86-64 ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_machine:qemumips64 ?= "2744d8ab5ccca406c0acc17c414ff4c8e186708f" -SRCREV_machine ?= "ad053e3390f755311a4d87911c13039387767122" -SRCREV_meta ?= "0a6ad7549c97f8703f1f742f73ee65d29d121958" +SRCREV_machine:qemuarm ?= "0aa210fedb89bfb9577bc20b56cc674437f85843" +SRCREV_machine:qemuarm64 ?= "655d3dc028f830d71d9565ec8302a0e339a2de2f" +SRCREV_machine:qemuloongarch64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_machine:qemumips ?= "b547c71f2db45462626f69a4e4bffad43ffaeddc" +SRCREV_machine:qemuppc ?= "c1de905a03cfd9cf9de51657e7fd20ec6fb7d078" +SRCREV_machine:qemuriscv64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_machine:qemuriscv32 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_machine:qemux86 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_machine:qemux86-64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_machine:qemumips64 ?= "6f0fadc3449cfed9ceac3cce845dfb9b70f9affd" +SRCREV_machine ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" +SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "3b9f64db049687c0d38b4b3ef2f297f0642179af" +SRCREV_machine:class-devupstream ?= "eac8889a3a1c81d7113cc4656b9420e84c379cf5" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.138" +LINUX_VERSION ?= "6.6.140" PV = "${LINUX_VERSION}+git" From 050911a7705f3bb17d30034f3f16372b2e79b85d Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:07 -0400 Subject: [PATCH 74/96] linux-yocto/6.6: update to v6.6.141 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 0a40c6fbd105 Linux 6.6.141 f9957ea12103 netfs: Fix potential uninitialised var in netfs_extract_user_iter() 989214c66884 net: skbuff: propagate shared-frag marker through frag-transfer helpers 78bf6b6bb195 net: skbuff: preserve shared-frag marker during coalescing 9115669faedc net/rds: reset op_nents when zerocopy page pin fails 864889ea15f0 mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker 013dcdc19615 mptcp: pm: ADD_ADDR rtx: fix potential data-race b21823f637e0 spi: sifive: fix controller deregistration 524202b00b91 spi: sifive: Simplify clock handling with devm_clk_get_enabled() bf76b4a58c1a media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 9c7c941d2242 spi: st-ssc4: fix controller deregistration d8cd9fb5e655 spi: st-ssc4: switch to use modern name a7fb771314fb ksmbd: validate inherited ACE SID length 190e570cc0fc RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() 8358a142f2a1 f2fs: fix false alarm of lockdep on cp_global_sem lock 6b050c4cfade f2fs: fix incorrect file address mapping when inline inode is unwritten f63201f674ee mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 93a9014029e4 mptcp: pm: prio: skip closed subflows 0750c7935feb mptcp: fix rx timestamp corruption on fastopen 11fdbd033e4c mptcp: drop __mptcp_fastopen_gen_msk_ackseq() 7d7c9f0fcd19 RDMA/mana: Validate rx_hash_key_len cc3c0a0f9657 btrfs: fix missing last_unlink_trans update when removing a directory 397418a9456c btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() 546ca2e3e55a btrfs: use inode already stored in local variable at btrfs_rmdir() 39aba0e6d5aa smb: client: Use FullSessionKey for AES-256 encryption key derivation cea7d2688ded drm/v3d: Reject empty multisync extension to prevent infinite loop 958e032618c8 eventfs: Use list_add_tail_rcu() for SRCU-protected children list d2a675f2e238 btrfs: fix double free in create_space_info_sub_group() error path 1ce1ec384486 btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() 707cb5df3eab pmdomain: core: Fix detach procedure for virtual devices in genpd c7d1eb27cf37 drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init 4e04b564c005 drm/gma500/oaktrail_lvds: fix hang on init failure 63a2b5906e15 drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup 4eb9d07b219f drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() e5eb0a29a8aa drm/i915: skip __i915_request_skip() for already signaled requests 2776f9016f1b iommu/vt-d: Disable DMAR for Intel Q35 IGFX 534ebc08df97 libceph: handle rbtree insertion error in decode_choose_args() ea0d42137f0c libceph: Fix potential out-of-bounds access in crush_decode() d7a65a34d245 libceph: Fix potential null-ptr-deref in decode_choose_args() 0d2dd7e6bb74 libceph: Fix potential out-of-bounds access in osdmap_decode() bcbbdae1b88f netfs: fix error handling in netfs_extract_user_iter() cad72955f8fb powerpc/warp: Fix error handling in pika_dtm_thread d6bda9df0c0a io-wq: check that the predecessor is hashed in io_wq_remove_pending() 4bfdcefdaa60 ceph: fix a buffer leak in __ceph_setxattr() 3d3b2b01a3e7 ALSA: usb-audio: Bound MIDI endpoint descriptor scans fafc97bd01e4 ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans 7eaa514be4c0 drm/i915/dp: Fix VSC dynamic range signaling for RGB formats b41598bf54b3 smb/client: fix possible infinite loop and oob read in symlink_data() a1d4f3d3c0dc ASoC: SOF: Intel: hda: Fix NULL pointer dereference 0f9ac21618c0 ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio 1eda406a9432 ASoC: SOF: Intel: hda-dai: remove dspless special case e3ccb11fc824 netfilter: nf_tables: unconditionally bump set->nelems before insertion dde6eca9afae KVM: x86: Fix Xen hypercall tracepoint argument assignment a99a25db131e KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic 01b71b930f15 KVM: Reject wrapped offset in kvm_reset_dirty_gfn() 5b6da42fd804 audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV 810d382802a5 net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled ecca618e1e33 netfilter: nft_ct: fix missing expect put in obj eval 151ee470edc3 audit: fix incorrect inheritable capability in CAPSET records b92e124ef30a netfilter: nf_conntrack_sip: get helper before allocating expectation 0088b3328a6f workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path a5712dc25d14 i40e: Cleanup PTP pins on probe failure e4c4a5074532 crypto: af_alg - Cap AEAD AD length to 0x80000000 fa6794c968d4 bonding: fix NULL pointer dereference in actor_port_prio setting 044dcbcb19c3 netconsole: avoid out-of-bounds access on empty string in trim_newline() feb754bde3ef net/sched: sch_pie: annotate more data-races in pie_dump_stats() bf3962084183 ksmbd: validate response sizes in ipc_validate_msg() 52b9f8099369 net: bcmgenet: fix leaking free_bds dda1a2e898ad net: bcmgenet: Initialize u64 stats seq counter f17a4850d1ce crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx d65a64755a3d smb: client: fix OOB reads parsing symlink error response ba302d3abb82 smb: client: correctly handle ErrorContextData as a flexible array 2c7d07892ef8 Revert "crypto: nx - Migrate to scomp API" 6c9970847516 Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx" cb4634cb537b Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx" 02ecc0978c45 ntfs: ->d_compare() must not block 9ccd0c1686c3 net/sched: cls_flower: revert unintended changes 131e50acfeed sfc: fix error code in efx_devlink_info_running_versions() 688f12aa4451 net: tls: fix strparser anchor skb leak on offload RX setup failure 3ad2471e61e9 ice: fix NULL pointer dereference in ice_reset_all_vfs() bee6158b8a36 iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler b90697dd4b45 iavf: wait for PF confirmation before removing VLAN filters 5936b7f29a38 iavf: stop removing VLAN filters from PF on interface down ee587b3b97b7 iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING 3b7265b3a82f bonding: 3ad: implement proper RCU rules for port->aggregator 2353f43d7ee7 bonding: print churn state via netlink fcf04d6f6943 bonding: add support for per-port LACP actor priority 60fcd5af8279 net: bonding: add broadcast_neighbor option for 802.3ad ee2217012b3a bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner 71d591d33dc4 drm/amd/display: Read EDID from VBIOS embedded panel info 3dce88cf11d7 drm/amd/display: Allow DCE link encoder without AUX registers e3f95b1ba242 futex: Prevent lockup in requeue-PI during signal/ timeout wakeup d68f753d89f4 ALSA: hda/conexant: Fix missing error check for jack detection 539604dcbf41 ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 35b7210e15a6 ALSA: hda/conexant: fix some typos 3eaf81c3553e netconsole: propagate device name truncation in dev_name_store() 3bc2c51a9ba1 net: netconsole: move newline trimming to function 003b52afba79 net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) a0f4e4e8e0f5 bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() 0928f17e86a5 ipv6: rename and move ip6_dst_lookup_tunnel() 3bab544ae1e1 ipv4: add new arguments to udp_tunnel_dst_lookup() f933e5a43732 ipv4: remove "proto" argument from udp_tunnel_dst_lookup() 0379c21610f0 ipv4: rename and move ip_route_output_tunnel() 5cb1dd7093d3 sctp: discard stale INIT after handshake completion 043e4b649b4b netfilter: skip recording stale or retransmitted INIT e3610ad82ebd ASoC: codecs: ab8500: Fix casting of private data b884ff67d62e drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring d4e0172a1b61 drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring ee035a9d3eed drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring 63691e396105 drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring f675801889b2 drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring c12a5d35033c drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring e74fc9c72c1b drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings 2c6fb056567e drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings f264019be80d drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings b233ba52fd2e net: phy: dp83869: fix setting CLK_O_SEL field. 47d017fe3159 net: mctp i2c: check length before marking flow active 924b961d293c ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams 9247d59ca15b neigh: let neigh_xmit take skb ownership dbe42409bfeb neighbour: add RCU protection to neigh_tables[] ec2501e361b0 net/sched: taprio: fix NULL pointer dereference in class dump 0d0dd383ac4d NFC: trf7970a: Ignore antenna noise when checking for RF field 17e23e815008 net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit 5db090ca07b2 net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() 3db8d078f7f6 vrf: Fix a potential NPD when removing a port from a VRF d4f8505517ff net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() 229ad4b2dd86 net/sched: sch_choke: annotate data-races in choke_dump_stats() bd426bda5741 net/sched: netem: check for negative latency and jitter 5c4fe716511d net/sched: netem: fix slot delay calculation overflow 3a3698b96688 net/sched: netem: validate slot configuration 116f10027e61 net/sched: netem: only reseed PRNG when seed is explicitly provided 39a66e83ea41 net/sched: netem: fix queue limit check to include reordered packets d2a74e0ea346 net/sched: netem: fix probability gaps in 4-state loss model 818f7673ed7f netdevsim: zero initialize struct iphdr in dummy sk_buff 47421f8401fc cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() ea6e650b079e arm64/scs: Fix potential sign extension issue of advance_loc4 b933de804c84 drm/sysfb: ofdrm: fix PCI device reference leaks 8524b1c04adc spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ ea2ecd29b8f4 netfilter: nf_conntrack_sip: don't use simple_strtoul 82664d0f1ba2 netfilter: xt_policy: fix strict mode inbound policy matching f60bc289c555 drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) da602e831334 drm/amdgpu/uvd3.1: Don't validate the firmware when already validated 03011db69f5e drm/amdgpu: fix spelling typos 8c4254c8f583 drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG 1b8595d126ea nvme-pci: fix missed admin queue sq doorbell write ad9973df8e0e netfilter: arp_tables: fix IEEE1394 ARP payload parsing d7c8f95f599b nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers cbf460bf9492 tracing: branch: Fix inverted check on stat tracer registration f8f643d5ebef btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() 03d3739a830e mailbox: mailbox-test: make data_ready a per-instance variable 75a365c69bb7 mailbox: mailbox-test: initialize struct earlier 3afca89fae50 mailbox: mailbox-test: don't free the reused channel 14aed0d4e583 mailbox: add sanity check for channel array 0a0ac6cd2e46 cgroup/rdma: fix integer overflow in rdmacg_try_charge() 81c9e7e4030e mailbox: mailbox-test: free channels on probe error 0d2edd20b61b fbdev: offb: fix PCI device reference leak on probe failure 86094f62ba21 rtc: abx80x: Disable alarm feature if no interrupt attached a11372a8b1ce fs/adfs: validate nzones in adfs_validate_bblk() 0897ccf6e930 vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() 0274f24485fc tipc: fix double-free in tipc_buf_append() 0ace0ce02911 nfp: fix swapped arguments in nfp_encode_basic_qdr() calls 6bedc3ff4ba4 net: dsa: realtek: rtl8365mb: fix mode mask calculation d394093ed06e net/sched: sch_sfb: annotate data-races in sfb_dump_stats() 86a6243d8654 net/sched: sch_red: annotate data-races in red_dump_stats() 717bec018ce1 net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() 7bdb2b038c35 net/sched: sch_pie: annotate data-races in pie_dump_stats() 046b2d8c9606 net_sched: sch_hhf: annotate data-races in hhf_dump_stats() b6ba93a7b71e net/rds: zero per-item info buffer before handing it to visitors 1ff46c9915c1 ksmbd: scope conn->binding slowpath to bound sessions only 407b6e699ba8 ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open 27fca12b9c2c ksmbd: destroy async_ida in ksmbd_conn_free() 8a3cd890fd2a ksmbd: add support for supplementary groups 234681c54581 ksmbd: Use struct_size() to improve smb_direct_rdma_xmit() 1f3235364037 ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() 8db8727ea8d1 arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number 37537e42e6df slip: bound decode() reads against the compressed packet length c6980e8b1a86 slip: reject VJ receive packets on instances with no rstate array 5d05de2f0928 netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check 32e50f92c7cf netfilter: nfnetlink_osf: fix out-of-bounds read on option matching 5241a3ab2c77 ipvs: fix MTU check for GSO packets in tunnel mode cbeb259f3138 netfilter: xtables: restrict several matches to inet family 1c9fb8aeed06 netfilter: conntrack: remove sprintf usage 8def8fbd23f4 netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO 554cc061ca13 netfilter: nft_osf: restrict it to ipv4 f9ef3db77a38 openvswitch: cap upcall PID array size and pre-size vport replies 8a5e840babc5 pppoe: drop PFC frames d67fbc6dea5d sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks 0069813e6ca9 ipv6: fix possible UAF in icmpv6_rcv() 733a1b310297 e1000e: Unroll PTP in probe error handling 8a254c6db3ee i40e: don't advertise IFF_SUPP_NOFCS ca6f9d9aee54 ice: fix double-free of tx_buf skb a753619ffecf ice: Remove jumbo_remove step from TX path 982a56c888d3 tcp: annotate data-races around tp->plb_rehash 993847e92765 tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) a445beb84c83 tcp: annotate data-races around tp->dsack_dups 60db862ea01e tcp: annotate data-races around tp->bytes_retrans 3e1b40e4f186 tcp: annotate data-races around tp->bytes_sent 409a02760834 tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans eee072fe16c6 net/sched: taprio: fix use-after-free in advance_sched() on schedule switch aaac3bed0342 nexthop: fix IPv6 route referencing IPv4 nexthop 616db97e3aff net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys 497925275838 macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF f250c3772dd7 arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT 0fa0bcdebeb0 arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT 3098c905af2f arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT 6d9f35fe4638 PCMCIA: Fix garbled log messages for KERN_CONT ca962d175543 arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT 7adb32513191 arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT 640aea541eba arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT 1f285713fb8d arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT 827ccceff758 arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT eecee15e263c crypto: ccp - copy IV using skcipher ivsize f19a744d5271 crypto: sa2ul - Fix AEAD fallback algorithm names 424df78c8a64 drm/i915/wm: Verify the correct plane DDB entry ed5ca5d5b97c drm/i915: Loop over all active pipes in intel_mbus_dbox_update c2577b18c6e2 drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() c5de9ff7939b drm/i915: Simplify watermark state checker calling convention 73abb7c1fffd drm/i915: Constify watermark state checker cea15f66b7b6 f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() 756d1a3954fe f2fs: Use sysfs_emit_at() to simplify code 21fe517179f3 clk: visconti: pll: initialize clk_init_data to zero caa74d80d749 lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() db62a24a07b3 clk: qcom: dispcc-sc7180: Add missing MDSS resets 5db0537ddef4 dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets 166db4ebae34 clk: xgene: Fix mapping leak in xgene_pllclk_init() bf94322387ab clk: qoriq: avoid format string warning 4ba394f83b3c clk: imx8mq: Correct the CSI PHY sels a778bbd3ab28 clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() 0d2ba7e2e4c6 clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() 235c36a86cb7 clk: qcom: dispcc-sm8250: Enable parents for pixel clocks 081d334fe42d clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk d18b05a09142 clk: qcom: gcc-sc8180x: Use retention for PCIe power domains 9b54ebbe5d2f clk: qcom: gcc-sc8180x: Use retention for USB power domains a4cee425ae6b clk: qcom: gcc-sc8180x: Add missing GDSCs 9109efceb709 dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs d7aef29573c7 scsi: target: core: Fix integer overflow in UNMAP bounds check b6007cfea4ed clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers c5f4a211e82d scsi: sg: Resolve soft lockup issue when opening /dev/sgX d85a906b4e51 scsi: sg: Fix sysctl sg-big-buff register during sg_init() f9c921fd5264 scsi: sg: Make sg_sysfs_class constant fa4e1c583c9d clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source 137b5918931d RDMA/core: Prefer NLA_NUL_STRING ba0843c19558 platform/x86: dell-wmi-sysman: bound enumeration string aggregation 622754397ac5 platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() 0b11fcbe80a5 fs/ntfs3: terminate the cached volume label after UTF-8 conversion a7fd0d0cb43f nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() ccfa51ea8a40 mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() 3d0e610c43cb platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup fed8b8f33a46 tty: hvc_iucv: fix off-by-one in number of supported devices 61599d438e2d leds: lgm-sso: Remove duplicate assignments for priv->mmap bc7998e70fa7 platform/surface: surfacepro3_button: Drop wakeup source on remove e87c4c0095ac backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() c5be52529ad8 dev_printk: add new dev_err_probe() helpers 10bb319b0b18 i3c: mipi-i3c-hci: fix IBI payload length calculation for final status 54dc499e5cb3 perf util: Kill die() prototype, dead for a long time 2f3548314715 ipmi: ssif_bmc: change log level to dbg in irq callback bffedb7a72e6 ipmi: ssif_bmc: fix message desynchronization after truncated response 7d2a487c275c ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure 128845823138 perf expr: Return -EINVAL for syntax error in expr__find_ids() ea0078135c6a perf lock: Fix option value type in parse_max_stack 9bab7d2a2850 pinctrl: abx500: Fix type of 'argument' variable 92170bd2eadd perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace aceabce300c3 perf branch: Avoid incrementing NULL 8fe5240c7bd8 pinctrl: cy8c95x0: Avoid returning positive values to user space 03e71cc07cba pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() 091709439f88 pinctrl: cy8c95x0: remove duplicate error message a79fdd593c84 pinctrl: pinctrl-pic32: Fix resource leak d216b34a9f69 bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT 699e16e65962 bpf: allow UTF-8 literals in bpf_bprintf_prepare() 520454e83971 bpf: Fix NULL deref in map_kptr_match_type for scalar regs 2f954f8a04b7 bpf: Fix precedence bug in convert_bpf_ld_abs alignment check d0d124dbcef9 bpf, sockmap: Take state lock for af_unix iter a94d3dd78ee8 bpf, sockmap: Fix af_unix null-ptr-deref in proto update 3cef33b9813b bpf, sockmap: Fix af_unix iter deadlock 7fd3b41260c6 bpf, arm64: Fix off-by-one in check_imm signed range check ad4505d2ab3a HID: usbhid: fix deadlock in hid_post_reset() 5897c1dd1bfe mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob 295757c3b9de mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions 560c0456e613 mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path cca2c083cfcb mtd: spi-nor: swp: check SR_TB flag when getting tb_mask b194ae62e9e7 mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation 301e85ff299b mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook 2e472d2bdc14 mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook 036a794e7d7f mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations fab6b870dfe6 dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range ba91de4f0f98 mtd: physmap_of_gemini: Fix disabled pinctrl state check 033939479b10 HID: asus: do not abort probe when not necessary 08c4fa3f5a9b HID: asus: make asus_resume adhere to linux kernel coding standards 5dcb51558e78 ima: check return value of crypto_shash_final() in boot aggregate 9399a9298935 tracing: Rebuild full_name on each hist_field_name() call c258fbf57113 soundwire: cadence: Clear message complete before signaling waiting thread 0b73d5dfa3fe dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() 5acbbb205a1c soundwire: bus: demote UNATTACHED state warnings to dev_dbg() faa66f358d30 dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function b9ae3942deec ocfs2: validate group add input before caching bb3c54d1e715 ocfs2: validate bg_bits during freefrag scan d919b905939e ocfs2: fix listxattr handling when the buffer is full f1e38ba97b1a ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended 064494145a70 arm64/xor: fix conflicting attributes for xor_block_template 08c073e8f8d5 ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX 96a30f7cb8e0 arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP ccff9145cd52 soc: qcom: aoss: compare against normalized cooling state d672c7623306 soc: qcom: llcc: fix v1 SB syndrome register offset 819d8ebad320 ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison f37de46149db ocfs2/dlm: validate qr_numregions in dlm_match_regions() 813a47b03090 unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure 39a8c0df2d5a soc/tegra: cbb: Set ERD on resume for err interrupt b87992ddf49a arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual 7d6481cf2987 arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot 03d523e50662 arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl a37e61cde05a arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes 7ce6aa2eca26 arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes 1563a05cf920 arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller 4322d8c7af96 arm64: dts: qcom: sm8550: Fix GIC_ITS range length 97bacd872319 arm64: dts: qcom: sm8450: Fix GIC_ITS range length 1e014285a3cd soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available 9f54516bce15 soc: qcom: ocmem: register reasons for probe deferrals d45c46c0e84f soc: qcom: ocmem: use scoped device node handling to simplify error paths 1637ce361b1d soc: qcom: ocmem: make the core clock optional 2ecad03d6c5d arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight 5a0dcba6178f arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value 5b94fe0879bc arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count 167e5fa8feee arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count fe1d1423c524 iommufd: vfio compatibility extension check for noiommu mode 700e54a2beba arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) 036f599234e4 arm64: dts: imx8-apalis: Fix LEDs name collision cecc17692ebf memory: tegra30-emc: Fix dll_change check 7e19e72f3064 memory: tegra124-emc: Fix dll_change check c13c938a8058 ARM: dts: mediatek: mt7623: fix efuse fallback compatible 8fcefe840fa8 ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine 8be69e9245f8 efi/capsule-loader: fix incorrect sizeof in phys array reallocation 233a0945a4b1 gfs2: prevent NULL pointer dereference during unmount bf5fcd9c37c2 gfs2: add some missing log locking 6678dde26570 quota: Fix race of dquot_scan_active() with quota deactivation f57b68b36571 ktest: Run POST_KTEST hooks on failure and cancellation aa6b9e38086c ktest: Honor empty per-test option overrides 5bddd0d3a926 ktest: Avoid undef warning when WARNINGS_FILE is unset 232d67974a61 gfs2: Call unlock_new_inode before d_instantiate 18216b8ab690 crypto: jitterentropy - replace long-held spinlock with mutex f57498d2bf16 dm cache: fix missing return in invalidate_committed's error path 3a77b05ff2c4 ALSA: sc6000: Keep the programmed board state in card-private data dcbc2e2b2434 ALSA: sc6000: Use standard print API 3e79a563377a spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback fa7881f3b627 PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well bf98711d2f33 PCI: tegra194: Use DWC IP core version 5d9c9dfef907 PCI: tegra194: Allow system suspend when the Endpoint link is not up 2c87f49f2082 PCI: tegra194: Disable direct speed change for Endpoint mode 272e9c4bcae8 PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" 997122b96544 PCI: tegra194: Disable PERST# IRQ only in Endpoint mode 39564f51567e PCI: tegra194: Don't force the device into the D0 state before L2 e81f33968542 PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0() fdb9c5a3a627 PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down 8aa59b1e53a7 PCI: tegra194: Increase LTSSM poll time on surprise link down 8f26b92dc606 PCI: tegra194: Fix polling delay for L2 state 9e225563c5a9 ASoC: SOF: compress: return the configured codec from get_params 2721d23db2e9 ALSA: scarlett2: Add missing sentinel initializer field 7e805fdb16dc selftest: memcg: skip memcg_sock test if address family not supported 05a3fd57cdfa Documentation: fix a hugetlbfs reservation statement 11a810989a4d selftests/mm: skip migration tests if NUMA is unavailable 07a5ecb94768 PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found 0afb2eca25be PCI: Enable AtomicOps only if Root Port supports them 9f1daac27ca2 ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] 5f1035ba3ed9 crypto: qat - use swab32 macro 1ac96689ce29 ASoC: qcom: qdsp6: topology: check widget type before accessing data d39e8c3724a6 ASoC: fsl_easrc: Change the type for iec958 channel status controls 4d427d3f507a ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() a2e9527bc88e ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() 4428887805ef ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() 0dddb5642d64 ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() ceb388682ea1 ASoC: fsl_micfil: Fix event generation in micfil_quality_set() 4605327fd688 ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() a6bc5432055b ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() 62c4ab11840d ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() 6adc82ff2f20 ASoC: fsl_micfil: Add access property for "VAD Detected" 4ba05463862c pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() 3a73abb39037 pmdomain: ti: omap_prm: Fix a reference leak on device node bad87bdd52f5 drm/msm/a6xx: Use barriers while updating HFI Q headers 98fce340ec48 drm/msm/shrinker: Fix can_block() logic 679a533d2235 drm/msm/a6xx: Fix HLSQ register dumping f101e4ebf1fc ASoC: SOF: Intel: hda: Place check before dereference 2958b391d9c5 ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') ad08dd4476eb drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board ef1c7aaa1319 drm/amd/pm/ci: Fill DW8 fields from SMC 9e6d83f651ac drm/amd/pm/ci: Clear EnabledForActivity field for memory levels 4cf77e3298e4 drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 37f93b3159fa drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock cc88a98c873b drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs 33da7d5b6a50 drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled 9a7f12105f0e ALSA: core: Validate compress device numbers without dynamic minors 0558d1b0b5f0 drm/panel: simple: Correct G190EAN01 prepare timing c4fc7ed73a0a drm/panel: sharp-ls043t1le01: make use of prepare_prev_first 97d360a0112e drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 af6825d3e446 drm/msm/dsi: add the missing parameter description 9830999c9e06 drm/msm/dpu: fix mismatch between power and frequency 94d99e853617 spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo 8ebaa3deb04f drm/amdgpu/gfx10: look at the right prop for gfx queue priority a6d44f477000 padata: Put CPU offline callback in ONLINE section to allow failure 0e664e99abb4 padata: Remove cpu online check from cpu add and removal 39024f54f098 crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs 59fce560694d crypto: atmel - Use unregister_{aeads,ahashes,skciphers} 60c571a7d8d0 crypto: atmel - Remove cfb and ofb 3cd5cae11afa fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break 6f866e941a7e dm init: ensure device probing has finished in dm-mod.waitfor= 5af3d8f2acb6 drm/amdgpu: Add default case in DVI mode validation ef0d045ebbaf drm/sun4i: Fix resource leaks 6040b24095a8 spi: fsl-qspi: Use reinit_completion() for repeated operations dc97ec849559 drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check b01a582c8c6f drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs 5302015daf26 drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() d4ac87567f86 dm log: fix out-of-bounds write due to region_count overflow 15c30997dca6 dm cache metadata: fix memory leak on metadata abort retry 2ebe1ab83292 platform/chrome: chromeos_tbmc: Drop wakeup source on remove 12105c7f1837 dm cache: fix dirty mapping checking in passthrough mode switching 89e04987574a dm cache: support shrinking the origin device d90accff225f dm cache: fix concurrent write failure in passthrough mode ac5ee9944389 dm cache policy smq: fix missing locks in invalidating cache blocks ecb10c193cbe dm cache: fix write hang in passthrough mode ceff6df26691 dm cache: fix write path cache coherency in passthrough mode 0aa745fea1f8 dm cache: fix null-deref with concurrent writes in passthrough mode 002a5f925d42 ASoC: sti: use managed regmap_field allocations 686a6b305ec8 ASoC: sti: Return errors from regmap_field_alloc() cf615b90a11a drm/sun4i: backend: fix error pointer dereference d8a541906860 drm/komeda: fix integer overflow in AFBC framebuffer size check 866d3d9b8775 net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master 1943e71a0d6a sctp: fix missing encap_port propagation for GSO fragments cc4dead22ede net: phy: qcom: at803x: Use the correct bit to disable extended next page 22f22f1346b4 net: phy: move at803x PHY driver to dedicated directory e30356c3cf2f net: phy: add Rust Asix PHY driver 014860036d1f net: phy: aquantia: move to separate directory 77a853aec710 Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp 6b4d226d01ab Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER a673cf6c4ac7 Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error 315acf971d75 Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU 0a04db240eff bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb 61a9b216ca5b net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() 02c1256f1990 net/mlx5e: Fix features not applied during netdev registration 4f1ca61e5311 dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 b3682e7ad450 net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ f7361841d0ce net: ipa: Fix programming of QTIME_TIMESTAMP_CFG 954745d0223e ppp: require CAP_NET_ADMIN in target netns for unattached ioctls e19c5ed9f192 bpf: Fix OOB in pcpu_init_value 07035306bf72 net/rds: Restrict use of RDS/IB to the initial network namespace 2c7883d606aa net/rds: Optimize rds_ib_laddr_check f23424a0ddad net/sched: act_ct: Only release RCU read lock after ct_ft e9cf4018d742 net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf f4ed5d750b4a 6pack: propagage new tty types b1f7158a86f3 bpf: Fix RCU stall in bpf_fd_array_map_clear() 8849b50e81a2 netfilter: nft_fwd_netdev: check ttl/hl before forwarding 9ca570236cc0 netfilter: xt_socket: enable defrag after all other checks e8206538cbaf net: bcmgenet: fix racing timeout handler 1b0865a6efce net: bcmgenet: switch to use 64bit statistics 991cd78f95f2 net: bcmgenet: support reclaiming unsent Tx packets 355b61569e84 net: bcmgenet: move DESC_INDEX flow to ring 0 df3a1bb0ae1a net: bcmgenet: add bcmgenet_has_* helpers d650d12d58ef net: bcmgenet: Remove custom ndo_poll_controller() 2a7459017042 net: bcmgenet: fix off-by-one in bcmgenet_put_txcb 03d97b558d80 arm64: kexec: Remove duplicate allocation for trans_pgd 0e72fd7f05ae ACPI: AGDI: fix missing newline in error message 3ff85ae79e1a bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() 26b380a3ca0b bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks d3f280be48f1 wifi: brcmfmac: Fix error pointer dereference a713b72ff88c bpf: Fix stale offload->prog pointer after constant blinding b4b5a20bed82 bpf: fix end-of-list detection in cgroup_storage_get_next_key() 1aa61a6f42ad macvlan: annotate data-races around port->bc_queue_len_used 0adec27bde44 selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 81bc3a2ccc37 selftests/powerpc: Re-order *FLAGS to follow lib.mk 7ca35863213c powerpc/crash: fix backup region offset update to elfcorehdr 6e474972b85e r8152: fix incorrect register write to USB_UPHY_XTAL ea04b9881534 wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() 571a05ea1baa bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path eefe0c2ea2c3 bpf, devmap: Remove unnecessary if check in for loop 6d5202409467 wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() 66f2a0becd35 wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event 6cf44608d5e6 arm64: cpufeature: Make PMUVer and PerfMon unsigned 63fe66f10283 wifi: mt76: mt7996: fix FCS error flag check in RX descriptor 4dd75a78cdfb wifi: mt76: mt7915: fix use_cts_prot support 382cbdf6e484 wifi: mt76: mt7615: fix use_cts_prot support c8e46d0664c4 wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() 231b895daa02 module: Fix freeing of charp module parameters when CONFIG_SYSFS=n e6962cb18a89 params: Replace __modinit with __init_or_module edc90a12073b s390/bpf: Zero-extend bpf prog return values and kfunc arguments e70b9c2292cc dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n 6e8d309bc69b dpaa2: add independent dependencies for FSL_DPAA2_SWITCH c7ad31fb948f bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap 5d81743ee3cc bpf: Add CHECKSUM_COMPLETE to bpf test progs 008c456b76e9 wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet 255cc1d30f32 wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() a5af71c6181e firmware: dmi: Correct an indexing error in dmi.h 240f832a9c20 locking: Fix rwlock support in <linux/spinlock_up.h> ca2d280b9b38 hrtimer: Reduce trace noise in hrtimer_start() ece8be21d8c9 hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() 16774f7333fc hrtimers: Update the return type of enqueue_hrtimer() b54f14e1460c irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter c4295487124f s390/cio: use generic driver_override infrastructure 9d606425a752 s390/cio: convert sprintf()/snprintf() to sysfs_emit() 3d0cfecf4ff7 s390/cio: make sch->lock spinlock pointer a member 6325eea40a95 debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() f9c489418b8e debugfs: check for NULL pointer in debugfs_create_str() fc6ecb4b8ef9 thermal/drivers/spear: Fix error condition for reading st,thermal-flags f75ea8cdca54 devres: fix missing node debug info in devm_krealloc() d172f1c8a8b3 ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver 9a6f4d85a016 ACPI: x86: cmos_rtc: Clean up address space handler driver da8255040938 pstore/ram: fix resource leak when ioremap() fails 4048ed98860d blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() b88f905d4449 nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() 5dd9d864eb96 loop: fix partition scan race between udev and loop_reread_partitions() 282e06e6d494 drbd: Balance RCU calls in drbd_adm_dump_devices() 131ea3e57fc2 fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START 467289e0d0f2 blk-cgroup: wait for blkcg cleanup before initializing new disk Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index d8d3d69f1973..5fcf0f81d7c3 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "742fd3c3537c966272314e48f67397f0e1d622d7" -SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" +SRCREV_machine ?= "7bb6512fc5dc7b1191867beadc83b3ce216a2037" +SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.140" +LINUX_VERSION ?= "6.6.141" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 0fd9c36bd805..0bd1ae9ad2d3 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.140" +LINUX_VERSION ?= "6.6.141" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "cd0d6d62e0e4ff344241d89f37cd6d305e1afb85" -SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" +SRCREV_machine ?= "90e2be4f80d73789176eab3679ef12ec164d594f" +SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index dc978f240e6a..f684fac72427 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "0aa210fedb89bfb9577bc20b56cc674437f85843" -SRCREV_machine:qemuarm64 ?= "655d3dc028f830d71d9565ec8302a0e339a2de2f" -SRCREV_machine:qemuloongarch64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_machine:qemumips ?= "b547c71f2db45462626f69a4e4bffad43ffaeddc" -SRCREV_machine:qemuppc ?= "c1de905a03cfd9cf9de51657e7fd20ec6fb7d078" -SRCREV_machine:qemuriscv64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_machine:qemuriscv32 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_machine:qemux86 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_machine:qemux86-64 ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_machine:qemumips64 ?= "6f0fadc3449cfed9ceac3cce845dfb9b70f9affd" -SRCREV_machine ?= "c46ce4bd9d6b7fc0c1d6ca2a519ee3d07fa753a9" -SRCREV_meta ?= "b043ea37245d4c669239b28a30c78c390bdafdcc" +SRCREV_machine:qemuarm ?= "b3697b53304c9f2c0e7e46a22549ed9d64a110ca" +SRCREV_machine:qemuarm64 ?= "302113f65bb9cbd9afdb476222cc1fa596e36855" +SRCREV_machine:qemuloongarch64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_machine:qemumips ?= "a6b8c8416a2074c8e14eeeeb36a0e5bd0f2add92" +SRCREV_machine:qemuppc ?= "413e2245480aec98a737ab657322180581a496f5" +SRCREV_machine:qemuriscv64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_machine:qemuriscv32 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_machine:qemux86 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_machine:qemux86-64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_machine:qemumips64 ?= "257558ce69f7bdbc571cb1b2d9eb35890747fd02" +SRCREV_machine ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" +SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "eac8889a3a1c81d7113cc4656b9420e84c379cf5" +SRCREV_machine:class-devupstream ?= "0a40c6fbd105802fbbcaadca249e0948fbf8095a" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.140" +LINUX_VERSION ?= "6.6.141" PV = "${LINUX_VERSION}+git" From ba0f120f6cdbcc1d2782bef27c101e20a11f0f19 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Wed, 10 Jun 2026 12:50:08 -0400 Subject: [PATCH 75/96] linux-yocto/6.6: update to v6.6.142 Updating linux-yocto/6.6 to the latest korg -stable release that comprises the following commits: 924b4a879cbb Linux 6.6.142 cefa4265b111 security/keys: fix missed RCU read section on lookup 105c6a594b3f LoongArch: kprobes: Fix handling of fatal unrecoverable recursions 1f9c82855641 net: gro: don't merge zcopy skbs f504118252af pds_core: ensure null-termination for firmware version strings d3f3d6fa0cad pds_core: add an error code check in pdsc_dl_info_get 01f7f893d5e1 net: mana: validate rx_req_idx to prevent out-of-bounds array access 3dee2fe0c818 ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() d798b25c24f4 gpio: cdev: check if uAPI v2 config attributes are correctly zeroed 0f1fd5e83f0b gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) cd87492b79d1 string: add mem_is_zero() helper to check if memory area is all zeros c9ea01768903 bpf, skmsg: fix verdict sk_data_ready racing with ktls rx 40fc66218ad1 net: ag71xx: check error for platform_get_irq 2a1905730e0c Bluetooth: btmtk: fix urb->setup_packet leak in error paths f04578422154 Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c 73377cf3056a Bluetooth: btmtk: rename btmediatek_data aa58d8366269 Bluetooth: btusb: mediatek: refactor the function btusb_mtk_reset b748250d778e Bluetooth: btmtk: add the function to get the fw name e91687643c44 tracing: Avoid NULL return from hist_field_name() on truncation 8ba1c4ddbb1c ALSA: seq: Serialize UMP output teardown with event_input e5604a480487 ALSA: seq: ump: Use guard() for locking b6d3d3816c67 ptrace: Convert ptrace_attach() to use lock guards 60ef1675b652 pds_core: fix debugfs_lookup dentry leak and error handling 3231aff8ab26 pds_core: fix error handling in pdsc_devcmd_wait 1900ca8acb92 bridge: mcast: Fix a possible use-after-free when removing a bridge port 6e79715b7b8a net: bridge: Flush multicast groups when snooping is disabled 00904a73272b RDMA/rtrs: Fix use-after-free in path file creation cleanup a7685f4d90c1 platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL 527a7990e663 platform/x86: intel-hid: Check ACPI_HANDLE() against NULL 6ea1690b24e9 platform/x86: hp_accel: Check ACPI_COMPANION() against NULL 32ba2ce2b15f platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL 566f42fb67a7 net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer 314a94c47d28 net: dsa: mt7530: preserve VLAN tags on trapped link-local frames 1bddf306212a net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw d2be607d042d net: dsa: mt7530: fix FDB entries not aging out with short timeout 69a0885079c9 wifi: ath11k: fix peer resolution on rx path when peer_id=0 070e40acc59e drm/msm/snapshot: fix dumping of the unaligned regions dd844b31f4ea spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() 5c54c482934b net/mlx5: Do not restore destination-less TC rules d65b279a1898 tls: Preserve sk_err across recvmsg() when data has been copied 1822997aa8c2 x86/xen: Fix xen_e820_swap_entry_with_ram() 06cc5ad2c112 net: phy: DP83TC811: add reading of abilities d04494596b5e net: phy: c45: add genphy_c45_pma_read_ext_abilities() function acdc12b71c9a net: tls: prevent chain-after-chain in plain text SG 131ef12057d9 net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring d38ba387244e net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot a09d07ac45e2 powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() 7256e54583ae drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN 567b5e976e2e drm/msm/dsi: don't dump registers past the mapped region b40e10c72df5 ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics 720c76b930c5 net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint 9baafc2fea09 accel/qaic: Add overflow check to remap_pfn_range during mmap f775be13d342 HID: quirks: really enable the intended work around for appledisplay a5db6a7c062f wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() 3d675896ea03 wifi: ath11k: fix error path leaks in some WMI WOW calls b77be98447c4 net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference 78cf08b3be47 net: ethernet: cortina: Carry over frag counter 68c9c3ac9ce5 net: ethernet: cortina: Drop half-assembled SKB 3b249988d774 net: ethernet: cortina: Make RX SKB per-port 00efe58bbdcc netfs: Fix overrun check in netfs_extract_user_iter() 0df68fd72b2a zonefs: handle integer overflow in zonefs_fname_to_fno eef4f71b46a9 irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT 6760af11a26e irqchip/ath79-cpu: Remove unused function 6af5fd2ffda1 phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access b0cc58e8f749 net: lan966x: avoid unregistering netdev on register failure 9e1c9b957344 ice: fix locking in ice_dcb_rebuild() 07d77d774f71 tcp: Fix imbalanced icsk_accept_queue count. 08d355936fcf test_kprobes: clear kprobes between test runs 8a5f01446021 kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() 99948d73a8c7 netfilter: x_tables: unregister the templates first 26b2290baaf6 btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() 542b49d2cf12 ALSA: hda: cs35l56: Put ACPI device after setting companion 508b1193d63b ARM: integrator: Fix early initialization fb3ff02dd444 pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 7d694570281a kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS 0df3f3031517 kunit: config: Enable KUNIT_DEBUGFS by default 8b0f4e3b7ad6 firmware: arm_ffa: Skip free_pages on RX buffer alloc failure adfff93d08a2 firmware: arm_ffa: Check for NULL FF-A ID table while driver registration 58ab91af4124 HID: uclogic: Fix regression of input name assignment a2d1c819348b hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors 20d626463e3f hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() cba4f1122dfb hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() 6b5573b63e30 hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple 4d1da9a6be5a hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR 60c4b9fe1a3d hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer d94ceb16e55b hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer f85c81e93dbd hwmon: (pmbus/adm1266) reject implausible blackbox record_count 025cfc7a09c5 hwmon: (pmbus/adm1266) seed timestamp from the real-time clock 32edd2a28e11 batman-adv: tt: fix negative tt_buff_len 22d59c72f4a4 batman-adv: tt: fix negative last_changeset_len c2c88736022c batman-adv: tp_meter: fix race condition in send error reporting 0b1bedf114ea batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown 53f931e0146a batman-adv: tp_meter: avoid use of uninit sender vars 48663158222b batman-adv: bla: fix report_work leak on backbone_gw purge b54e459cf869 batman-adv: frag: disallow unicast fragment in fragment c1bac194733a batman-adv: fix tp_meter counter underflow during shutdown f653b040dad1 batman-adv: fix fragment reassembly length accounting 866ac1d57040 batman-adv: dat: handle forward allocation error 6de089b545db batman-adv: clear current gateway during teardown 70bcb678561f batman-adv: mcast: fix use-after-free in orig_node RCU release 90c398e822ca drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async fb30a3890d62 drm/amd/display: Validate GPIO pin LUT table size before iterating 266b21b57fbb drm/amd/display: Fix integer overflow in bios_get_image() e4d3d33ab7bd drm/bridge: megachips: remove bridge when irq request fails 25473edcdaef drm/bridge: it66121: acquire reset GPIO in probe 21ab64c77a30 drm/virtio: use uninterruptible resv lock for plane updates 371f53925a67 device property: set fwnode->secondary to NULL in fwnode_init() fb3539b367f5 LoongArch: Remove unused code to avoid build warning 14553be882d9 RDMA/siw: Reject MPA FPDU length underflow before signed receive math f2dc841d7dc9 spi: ti-qspi: fix use-after-free after DMA setup failure 450c319dd04d spi: sprd: fix error pointer deref after DMA setup failure 309c6058622d scsi: isci: Fix use-after-free in device removal path 9d5ae6b8d9ec phy: tegra: xusb: Fix per-pad high-speed termination calibration 45760b72e84c spi: qup: fix error pointer deref after DMA setup failure 3c83a6912c24 drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe dab9f93251b2 KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits e0790046f6be arm64: probes: Handle probes on hinted conditional branch instructions f383cff9fb38 tracing: Do not call map->ops->elt_free() if elt_alloc() fails bdc349a87f1f cifs: Fix busy dentry used after unmounting 1ced0f5a851f wifi: cfg80211: advance loop vars in cfg80211_merge_profile() a3a4366731a5 ice: fix setting promisc mode while adding VID filter add70e2682c0 ixgbevf: fix use-after-free in VEPA multicast source pruning 3c5411fa4944 ipv4: raw: reject IP_HDRINCL packets with ihl < 5 f50c3ff97c83 wifi: ath11k: clear shared SRNG pointer state on restart ce29d3bf79a2 vsock/virtio: reset connection on receiving queue overflow cc27e989a5df vsock/vmci: fix UAF when peer resets connection during handshake 273a1481c556 ring-buffer: Fix reporting of missed events in iterator 3904b993cc17 qed: fix double free in qed_cxt_tables_alloc() c161ad9157f5 netfilter: nft_inner: Fix IPv6 inner_thoff desync c281e018af98 netfilter: ipset: stop hash:* range iteration at end 1e5e20031c5e netfilter: nf_queue: hold bridge skb->dev while queued 41ec2e242f17 netfilter: ip6t_hbh: reject oversized option lists 16bd798cb6d8 net: ifb: report ethtool stats over num_tx_queues 289499907399 net: bcmgenet: keep RBUF EEE/PM disabled 8420aa490041 phonet/pep: disable BH around forwarded sk_receive_skb() be43e6b40431 Bluetooth: serialize accept_q access a143ce77a529 Bluetooth: MGMT: validate Add Extended Advertising Data length 9d20d48be2c4 Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths fe69f634b076 Bluetooth: bnep: Fix UAF read of dev->name 3af41ee7ebec Bluetooth: ISO: drop ISO_END frames received without prior ISO_START 5d86d2f1b4d9 Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 6f63a60580eb net: wwan: iosm: fix potential memory leaks in ipc_imem_init() 686b4283f82c drivers/base/memory: fix memory block reference leak in poison accounting 29cd94e678fc efi: Allocate runtime workqueue before ACPI init 7b6f8c8eb93f ALSA: asihpi: Fix potential OOB array access at reading cache 41a766c64729 ALSA: pcm: Don't setup bogus iov_iter for silencing dade81458966 ALSA: ua101: Reject too-short USB descriptors 0dbf64c50244 hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX adcfb16ae402 smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close 7df1df6f40c0 smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() 9d378e17c864 ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow e43cb36d4d78 ksmbd: fix null pointer dereference in compare_guid_key() 082351f9d400 mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() 31527d80234c sysfs: don't remove existing directory on update failure ad7520628c74 Revert "af_unix: Reject SIOCATMARK on non-stream sockets" f624070c322d Revert "s390/cio: Update purge function to unregister the unused subchannels" 7963b6141b4c Revert "ice: Remove jumbo_remove step from TX path" 6331b0f7b71e Revert "ice: fix double-free of tx_buf skb" 2035acfb1722 smb: client: reject userspace cifs.spnego descriptions 3106f326f67c af_unix: Give up GC if MSG_PEEK intervened. 3a436932eb39 ksmbd: close durable scavenger races against m_fp_list lookups 712cdf917e77 ksmbd: validate owner of durable handle on reconnect 7f0cb478703c ksmbd: add durable scavenger timer 50a23fa28e76 ksmbd: avoid reclaiming expired durable opens by the client 2682bf9a804b Revert "x86/vdso: Fix output operand size of RDPID" ba5b43db126a wifi: mac80211: check tdls flag in ieee80211_tdls_oper a052c2d8399a s390/debug: Reject zero-length input before trimming a newline 492349e5e4a3 driver core: platform: use generic driver_override infrastructure 64a3ee535bd7 driver core: generalize driver_override in struct device fabfed1afe27 spi: spidev: fix lock inversion between spi_lock and buf_lock 6a3af482188f mptcp: pm: ADD_ADDR rtx: free sk if last 9426265e157d mptcp: pm: ADD_ADDR rtx: always decrease sk refcount 19a3ec9ef176 mptcp: pm: ADD_ADDR rtx: allow ID 0 b386aa38b81d mptcp: sync the msk->sndbuf at accept() time Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 5fcf0f81d7c3..c7f8b73fa942 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "7bb6512fc5dc7b1191867beadc83b3ce216a2037" -SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" +SRCREV_machine ?= "422bdbd919836dc6565f5bbeb5b662b9c52dc038" +SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.141" +LINUX_VERSION ?= "6.6.142" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 0bd1ae9ad2d3..151d63c8a200 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.141" +LINUX_VERSION ?= "6.6.142" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "90e2be4f80d73789176eab3679ef12ec164d594f" -SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" +SRCREV_machine ?= "597d6818e83dc368f871fccf981a2a54a93196d0" +SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index f684fac72427..4288688afede 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "b3697b53304c9f2c0e7e46a22549ed9d64a110ca" -SRCREV_machine:qemuarm64 ?= "302113f65bb9cbd9afdb476222cc1fa596e36855" -SRCREV_machine:qemuloongarch64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_machine:qemumips ?= "a6b8c8416a2074c8e14eeeeb36a0e5bd0f2add92" -SRCREV_machine:qemuppc ?= "413e2245480aec98a737ab657322180581a496f5" -SRCREV_machine:qemuriscv64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_machine:qemuriscv32 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_machine:qemux86 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_machine:qemux86-64 ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_machine:qemumips64 ?= "257558ce69f7bdbc571cb1b2d9eb35890747fd02" -SRCREV_machine ?= "2c57d38b7d1560691a786d2daf5be0e25d200dfb" -SRCREV_meta ?= "020f8355dc905686f3c125ec87ce4d21a5966750" +SRCREV_machine:qemuarm ?= "860f859f5e469702d108e6ce9d3affaca072cfa3" +SRCREV_machine:qemuarm64 ?= "60caa07a883ec933fad7aadaa2eb67a16c207906" +SRCREV_machine:qemuloongarch64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemumips ?= "6895489ba64aa274deea1687100068d4afddaec4" +SRCREV_machine:qemuppc ?= "5a29f898aaae6bd0e12bdaeed596f40ab6fec468" +SRCREV_machine:qemuriscv64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemuriscv32 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemux86 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemux86-64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemumips64 ?= "44180b7d240f83de490ab570bc092afe5d123207" +SRCREV_machine ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "0a40c6fbd105802fbbcaadca249e0948fbf8095a" +SRCREV_machine:class-devupstream ?= "924b4a879cbb75aef37c160b955b92f6894b11a4" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" @@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.141" +LINUX_VERSION ?= "6.6.142" PV = "${LINUX_VERSION}+git" From e0598e2bbf9513ad71dea185a540de16996c4114 Mon Sep 17 00:00:00 2001 From: He Zhe <zhe.he@windriver.com> Date: Fri, 29 May 2026 12:34:38 +0800 Subject: [PATCH 76/96] lttng-modules: Fix trace_hrtimer_start build failure Fix the following build failure probes/../../include/lttng/tracepoint-event-impl.h:133:6: error: conflicting types for 'trace_hrtimer_start'; have 'void(struct hrtimer *, enum hrtimer_mode)' 133 | void trace_##_name(_proto); | ^~~~~~ Signed-off-by: He Zhe <zhe.he@windriver.com> [YC: backported from wrynose commit e32cbc177dae ("lttng-modules: Fix trace_hrtimer_start build failure"). This is a partial backport of commit 7dae5f40e394 ("lttng-modules: fix build against kernel 7.1+")] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- ...ce-trace-noise-in-hrtimer_start-v7.1.patch | 103 ++++++++++++++++++ .../lttng/lttng-modules_2.13.12.bb | 6 +- 2 files changed, 107 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-hrtimer-Reduce-trace-noise-in-hrtimer_start-v7.1.patch diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-fix-hrtimer-Reduce-trace-noise-in-hrtimer_start-v7.1.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-fix-hrtimer-Reduce-trace-noise-in-hrtimer_start-v7.1.patch new file mode 100644 index 000000000000..e9124b4f87a3 --- /dev/null +++ b/meta/recipes-kernel/lttng/lttng-modules/0001-fix-hrtimer-Reduce-trace-noise-in-hrtimer_start-v7.1.patch @@ -0,0 +1,103 @@ +From c370026b0a077ba9491b07c559b343fde6353074 Mon Sep 17 00:00:00 2001 +From: Michael Jeanson <mjeanson@efficios.com> +Date: Mon, 25 May 2026 10:38:18 -0400 +Subject: [PATCH] fix: hrtimer: Reduce trace noise in hrtimer_start() (v7.1) + + +See upstream commit: + + commit f2e388a019e4cf83a15883a3d1f1384298e9a6aa + Author: Thomas Gleixner <tglx@kernel.org> + Date: Tue Feb 24 17:36:59 2026 +0100 + + hrtimer: Reduce trace noise in hrtimer_start() + + hrtimer_start() when invoked with an already armed timer traces like: + + <comm>-.. [032] d.h2. 5.002263: hrtimer_cancel: hrtimer= .... + <comm>-.. [032] d.h1. 5.002263: hrtimer_start: hrtimer= .... + + Which is incorrect as the timer doesn't get canceled. Just the expiry time + changes. The internal dequeue operation which is required for that is not + really interesting for trace analysis. But it makes it tedious to keep real + cancellations and the above case apart. + + Remove the cancel tracing in hrtimer_start() and add a 'was_armed' + indicator to the hrtimer start tracepoint, which clearly indicates what the + state of the hrtimer is when hrtimer_start() is invoked: + + <comm>-.. [032] d.h1. 6.200103: hrtimer_start: hrtimer= .... was_armed=0 + <comm>-.. [032] d.h1. 6.200558: hrtimer_start: hrtimer= .... was_armed=1 + +Change-Id: I37ee0ae0af665a51fd4f92adffb6b1dcb2ecd9d2 +Signed-off-by: Michael Jeanson <mjeanson@efficios.com> +Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> +Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/b77f94c7a7109e70a97bf936b72d66d611187d61] +Signed-off-by: He Zhe <zhe.he@windriver.com> +[YC: Backport: revert usage of non-defined-yet ctf_enum] +Signed-off-by: Yoann Congal <yoann.congal@smile.fr> +--- + include/instrumentation/events/timer.h | 39 ++++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/include/instrumentation/events/timer.h b/include/instrumentation/events/timer.h +index bd21c03..9d4476a 100644 +--- a/include/instrumentation/events/timer.h ++++ b/include/instrumentation/events/timer.h +@@ -203,12 +203,43 @@ LTTNG_TRACEPOINT_EVENT_MAP(hrtimer_init, + ) + ) + ++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(7,1,0) || \ ++ LTTNG_KERNEL_RANGE(7,0,10, 7,1,0) || \ ++ LTTNG_KERNEL_RANGE(6,18,33, 6,19,0) || \ ++ LTTNG_KERNEL_RANGE(6,12,91, 6,13,0) || \ ++ LTTNG_KERNEL_RANGE(6,6,141, 6,7,0)) + /** + * hrtimer_start - called when the hrtimer is started +- * @timer: pointer to struct hrtimer ++ * @hrtimer: pointer to struct hrtimer ++ * @mode: the hrtimers mode ++ * @was_armed: Was armed when hrtimer_start*() was invoked + */ +-#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(4,16,0) || \ ++LTTNG_TRACEPOINT_EVENT_MAP(hrtimer_start, ++ ++ timer_hrtimer_start, ++ ++ TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode, bool was_armed), ++ ++ TP_ARGS(hrtimer, mode, was_armed), ++ ++ TP_FIELDS( ++ ctf_integer_hex(void *, hrtimer, hrtimer) ++ ctf_integer_hex(void *, function, hrtimer->function) ++ ctf_integer(s64, expires, ++ lttng_ktime_get_tv64(hrtimer_get_expires(hrtimer))) ++ ctf_integer(s64, softexpires, ++ lttng_ktime_get_tv64(hrtimer_get_softexpires(hrtimer))) ++ ctf_integer(enum hrtimer_mode, mode, mode) ++ ctf_integer(bool, was_armed, was_armed) ++ ) ++) ++#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(4,16,0) || \ + LTTNG_RT_KERNEL_RANGE(4,14,0,0, 4,15,0,0)) ++/** ++ * hrtimer_start - called when the hrtimer is started ++ * @hrtimer: pointer to struct hrtimer ++ * @mode: the hrtimers mode ++ */ + LTTNG_TRACEPOINT_EVENT_MAP(hrtimer_start, + + timer_hrtimer_start, +@@ -228,6 +259,10 @@ LTTNG_TRACEPOINT_EVENT_MAP(hrtimer_start, + ) + ) + #else ++/** ++ * hrtimer_start - called when the hrtimer is started ++ * @hrtimer: pointer to struct hrtimer ++ */ + LTTNG_TRACEPOINT_EVENT_MAP(hrtimer_start, + + timer_hrtimer_start, diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.12.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.12.bb index 34aff1ba8dfd..b29d73aa89eb 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.13.12.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.12.bb @@ -15,10 +15,12 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0003-Fix-mm_compaction_migratepages-changed-in-linux-6.9-.patch \ file://0004-Fix-dev_base_lock-removed-in-linux-6.9-rc1.patch \ file://0001-Fix-sched_stat_runtime-changed-in-Linux-6.6.66.patch \ - " + " # Use :append here so that the patch is applied also when using devupstream -SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch" +SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch \ + file://0001-fix-hrtimer-Reduce-trace-noise-in-hrtimer_start-v7.1.patch \ + " SRC_URI[sha256sum] = "d85fcb66c7bd31003ab8735e8c77700e5e4f417b4c22fe1f20112cf435abad79" From 535c5940d92c39d220ab2d36b15c2dc31b41b8e0 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Fri, 19 Jun 2026 13:52:48 -0400 Subject: [PATCH 77/96] linux-yocto/6.6: genericarm64 fix configuration audit warning Integrating the following commit(s) to linux-yocto/.: 1/1 [ Author: Bruce Ashfield Email: bruce.ashfield@gmail.com Subject: genericarm64/serial: change SERIAL_IMX_CONSOLE to =y Date: Fri, 19 Jun 2026 00:54:55 +0200 With the following upstream commit, this option is no longer tristate, so we set it to =y instead: commit 3f8b835a63341163da0400befb3c6e8f6d4085da Author: Randy Dunlap <rdunlap@infradead.org> Date: Sat Jan 10 15:26:40 2026 -0800 serial: imx: change SERIAL_IMX_CONSOLE to bool [ Upstream commit 79527d86ba91c2d9354832d19fd12b3baa66bd10 ] SERIAL_IMX_CONSOLE is a build option for the imx driver (SERIAL_IMX). It does not build a separate console driver file, so it can't be built as a module since it isn't built at all. Change the Kconfig symbol from tristate to bool and update the help text accordingly. Fixes: 0db4f9b91c86 ("tty: serial: imx: enable imx serial console port as module") Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Link: https://patch.msgid.link/20260110232643.3533351-2-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> (cherry picked from commit 465cb5bcefd72f429e0b3ad6ab5b3fcff5b390fc) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> ] Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb | 2 +- meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb | 2 +- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index c7f8b73fa942..67fb5141ce03 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -15,7 +15,7 @@ python () { } SRCREV_machine ?= "422bdbd919836dc6565f5bbeb5b662b9c52dc038" -SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" +SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 151d63c8a200..7b4f0430a605 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -18,7 +18,7 @@ KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" SRCREV_machine ?= "597d6818e83dc368f871fccf981a2a54a93196d0" -SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" +SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 4288688afede..3261ad6ac3f4 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -29,7 +29,7 @@ SRCREV_machine:qemux86 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" SRCREV_machine:qemux86-64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" SRCREV_machine:qemumips64 ?= "44180b7d240f83de490ab570bc092afe5d123207" SRCREV_machine ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_meta ?= "113d5637ef24d6ca9e43d64dec47efa3f7548c89" +SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same From 737293bead3e7b994347e47f09bc69437479d50c Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@gmail.com> Date: Tue, 23 Jun 2026 13:30:18 -0400 Subject: [PATCH 78/96] linux-yocto/6.6: address ltp hang Integrating the following commit(s) to linux-yocto/6.6: 1/1 [ Author: Baokun Li Email: libaokun1@huawei.com Subject: ext4: get rid of ppath in get_ext_path() Date: Thu, 22 Aug 2024 10:35:32 +0800 The use of path and ppath is now very confusing, so to make the code more readable, pass path between functions uniformly, and get rid of ppath. After getting rid of ppath in get_ext_path(), its caller may pass an error pointer to ext4_free_ext_path(), so it needs to teach ext4_free_ext_path() and ext4_ext_drop_refs() to skip the error pointer. No functional changes. Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com> Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com> Link: https://patch.msgid.link/20240822023545.1994557-13-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> ] Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> [YC: more detail at https://lore.kernel.org/openembedded-core/DJGKEQF8GRU1.RF7JY64COTAA@smile.fr/T/#u] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../linux/linux-yocto-rt_6.6.bb | 2 +- .../linux/linux-yocto-tiny_6.6.bb | 2 +- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 22 +++++++++---------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 67fb5141ce03..c3200cfd3fea 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,7 +14,7 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "422bdbd919836dc6565f5bbeb5b662b9c52dc038" +SRCREV_machine ?= "1ceada58731a98237f70384921758a4df3951960" SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 7b4f0430a605..563598a2bdee 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -17,7 +17,7 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "597d6818e83dc368f871fccf981a2a54a93196d0" +SRCREV_machine ?= "66e051144e21d531fa26ef67476dfdefbfc119a2" SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 3261ad6ac3f4..07a06f185299 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb @@ -18,17 +18,17 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "860f859f5e469702d108e6ce9d3affaca072cfa3" -SRCREV_machine:qemuarm64 ?= "60caa07a883ec933fad7aadaa2eb67a16c207906" -SRCREV_machine:qemuloongarch64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_machine:qemumips ?= "6895489ba64aa274deea1687100068d4afddaec4" -SRCREV_machine:qemuppc ?= "5a29f898aaae6bd0e12bdaeed596f40ab6fec468" -SRCREV_machine:qemuriscv64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_machine:qemuriscv32 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_machine:qemux86 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_machine:qemux86-64 ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" -SRCREV_machine:qemumips64 ?= "44180b7d240f83de490ab570bc092afe5d123207" -SRCREV_machine ?= "a9288bf8eb270b824e3f92ee54df9dcd72a6052f" +SRCREV_machine:qemuarm ?= "d81ffd8843535762fecf5aa5fb2ca7d2c4343038" +SRCREV_machine:qemuarm64 ?= "1f7f3a52dacadfcc75863f25252a534b06fdaeeb" +SRCREV_machine:qemuloongarch64 ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" +SRCREV_machine:qemumips ?= "4410226fddf113b89cceb26e7ee5ca5bb70c55fb" +SRCREV_machine:qemuppc ?= "8f8faf1fe9183f295901f8f2b8916ff54f4a4bfb" +SRCREV_machine:qemuriscv64 ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" +SRCREV_machine:qemuriscv32 ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" +SRCREV_machine:qemux86 ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" +SRCREV_machine:qemux86-64 ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" +SRCREV_machine:qemumips64 ?= "14ca63e9f1ce2090e189c16b1024ed3df8f833f0" +SRCREV_machine ?= "a8a7d078f151a24e01d4501853c88c6b08c9cad9" SRCREV_meta ?= "4a6f16d14b76e28ab7615c88e2fbdf95ee15fc98" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll From 288ecfd7d9cd24222cc0f1277105c15cf0889718 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Fri, 21 Nov 2025 13:22:49 +0100 Subject: [PATCH 79/96] gawk: use native gawk when building glibc and grub Different versions of gawk can produce different output, so depending on which version is installed on the build host, reproducibility issues can occur: https://bugzilla.yoctoproject.org/show_bug.cgi?id=16072 So far only glibc and grub have been identified to have the issue; probably more fixes of similar nature will be required going forward. Adjust the gawk recipe to apply target-only tweaks (particularly the removal of awk symlink to allow for alternatives) to only target and nativesdk variants, so that native installs both awk and gawk executables. [YOCTO #16072] Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c5bbf0a60b1d63e68f849a63e5d3872954e7cd3f) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-bsp/grub/grub2.inc | 2 +- meta/recipes-core/glibc/glibc.inc | 2 +- meta/recipes-extended/gawk/gawk_5.3.0.bb | 11 ++++++++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113e9..a2173bee04b3 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -51,7 +51,7 @@ CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedo CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu" -DEPENDS = "flex-native bison-native gettext-native" +DEPENDS = "flex-native bison-native gettext-native gawk-replacement-native" GRUB_COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|riscv.*)-(linux.*|freebsd.*)' COMPATIBLE_HOST = "${GRUB_COMPATIBLE_HOST}" diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc index 225d0539a01a..60e3daaf3263 100644 --- a/meta/recipes-core/glibc/glibc.inc +++ b/meta/recipes-core/glibc/glibc.inc @@ -1,7 +1,7 @@ require glibc-common.inc require glibc-ld.inc -DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers" +DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native" PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index ac9d8500d609..a05ec3b34bca 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -34,13 +34,21 @@ ALTERNATIVE:${PN} = "awk" ALTERNATIVE_TARGET[awk] = "${bindir}/gawk" ALTERNATIVE_PRIORITY = "100" -do_install:append() { +target_tweaks() { # remove the link since we don't package it rm ${D}${bindir}/awk # Strip non-reproducible build flags (containing build paths) sed -i -e 's|^CC.*|CC=""|g' -e 's|^CFLAGS.*|CFLAGS=""|g' ${D}${bindir}/gawkbug } +do_install:append:class-target() { + target_tweaks +} + +do_install:append:class-nativesdk() { + target_tweaks +} + inherit ptest do_install_ptest() { @@ -87,4 +95,5 @@ RDEPENDS:${PN}-ptest += "make locale-base-en-us coreutils" RDEPENDS:${PN}-ptest:append:libc-glibc = " locale-base-en-us.iso-8859-1" RDEPENDS:${PN}-ptest:append:libc-musl = " musl-locales" +PROVIDES:append:class-native = " gawk-replacement-native" BBCLASSEXTEND = "native nativesdk" From a455b21f9170b3f2d74763b5bf99625dbda81ff9 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Tue, 25 Nov 2025 13:46:12 +0000 Subject: [PATCH 80/96] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues After the gawk dependency change, we need to change PR/hashequiv version to replace the corrupted sstate/hashequiv data. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f0f7632595792a73ea0a935b924e8bdf9954ec7b) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-bsp/grub/grub2.inc | 4 ++++ meta/recipes-core/glibc/glibc.inc | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a2173bee04b3..dfc87eaa94d5 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -44,6 +44,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-61663_61664.patch \ " +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc index 60e3daaf3263..a3d0bb40713f 100644 --- a/meta/recipes-core/glibc/glibc.inc +++ b/meta/recipes-core/glibc/glibc.inc @@ -3,6 +3,10 @@ require glibc-ld.inc DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native" +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" inherit autotools texinfo systemd From c80a422c9c1392127a431c2dd38b203266b0b1ed Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Wed, 4 Feb 2026 15:34:22 +0000 Subject: [PATCH 81/96] gawk: trim native build configuration When we build gawk-native it is only for use in builds where the host gawk output isn't reproducible across versions[1]. As such it doesn't need support for readline or mprf, and by removing those from gawk-native we can get building gawk-native sooner. [1] oe-core c5bbf0a60b ("gawk: use native gawk when building glibc and grub") Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1e6b810f60fd45856fc6a57270bf85342bcd9415) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-extended/gawk/gawk_5.3.0.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index a05ec3b34bca..e38c1f843662 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -12,6 +12,9 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" PACKAGECONFIG ??= "readline" +# Make native builds lean +PACKAGECONFIG:class-native = "" + PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" From 790bccfd8b82809e87311b24f71cf9f8e6a02b5e Mon Sep 17 00:00:00 2001 From: Yoann Congal <yoann.congal@smile.fr> Date: Wed, 24 Jun 2026 15:02:44 +0200 Subject: [PATCH 82/96] gawk-native: fix gcc-15/C23 compilation issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On Ubuntu 26.04, GCC 15 defaults to std=c23 and that results in build failure: | ../gawk-5.3.0/io.c: In function ‘iop_alloc’: | ../gawk-5.3.0/io.c:3389:31: error: assignment to ‘ssize_t (*)(int, void *, size_t)’ {aka ‘long int (*)(int, void *, long unsigned int)’} from incompatible pointer type ‘ssize_t (*)(void)’ {aka ‘long int (*)(void)’} [-Wincompatible-pointer-types] | 3389 | iop->public.read_func = ( ssize_t(*)() ) read; | | ^ Fix this by (partially) backporting an upstream patch. Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../0001-Fix-some-C23-compilatio-issues.patch | 35 +++++++++++++++++++ meta/recipes-extended/gawk/gawk_5.3.0.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch diff --git a/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch new file mode 100644 index 000000000000..7082e62beb61 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch @@ -0,0 +1,35 @@ +From e4015d209ddc31bd1256fa568612372407e0b9c5 Mon Sep 17 00:00:00 2001 +From: Arnold D. Robbins <arnold@skeeve.com> +Date: Mon, 12 Aug 2024 06:33:28 +0300 +Subject: [PATCH] Fix some C23 compilatio issues. + + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/gawk.git/commit/?id=7a521fe4b37f8554ca53ef3236f0352e391aaa1d (in v5.3.1)] +Backport: Only kept the code change, dropped comment changes +Signed-off-by: Yoann Congal <yoann.congal@smile.fr> +--- + io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io.c b/io.c +index c595c009e..44671ebd1 100644 +--- a/io.c ++++ b/io.c +@@ -3386,7 +3386,7 @@ iop_alloc(int fd, const char *name, int errno_val) + + iop->public.fd = fd; + iop->public.name = name; +- iop->public.read_func = ( ssize_t(*)() ) read; ++ iop->public.read_func = ( ssize_t(*)(int, void *, size_t) ) read; + iop->valid = false; + iop->errcode = errno_val; + +@@ -4446,7 +4446,7 @@ get_read_timeout(IOBUF *iop) + tmout = read_default_timeout; /* initialized from env. variable in init_io() */ + + /* overwrite read routine only if an extension has not done so */ +- if ((iop->public.read_func == ( ssize_t(*)() ) read) && tmout > 0) ++ if ((iop->public.read_func == ( ssize_t(*)(int, void *, size_t) ) read) && tmout > 0) + iop->public.read_func = read_with_timeout; + + return tmout; diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index e38c1f843662..b1d1fe7ae471 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -21,6 +21,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://0001-m4-readline-add-missing-includes.patch \ file://run-ptest \ + file://0001-Fix-some-C23-compilatio-issues.patch \ " SRC_URI[sha256sum] = "378f8864ec21cfceaa048f7e1869ac9b4597b449087caf1eb55e440d30273336" From f360fdedfb500cecf6d4e860d599c57b11d6e31d Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Wed, 10 Jun 2026 11:52:02 +0530 Subject: [PATCH 83/96] libsoup: fix for CVE-2025-11021 Pick patch from [1] also mentioned at Debian report in [2] [1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788 [2] https://security-tracker.debian.org/tracker/CVE-2025-11021 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> [YC: The CVE fixing patch is d010b0bbd in 3.6.6 (current master/wrynose)] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../libsoup-3.4.4/CVE-2025-11021.patch | 57 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch new file mode 100644 index 000000000000..9bba0929b7d5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch @@ -0,0 +1,57 @@ +From 9e1a427d2f047439d0320defe1593e6352595788 Mon Sep 17 00:00:00 2001 +From: Alynx Zhou <alynx.zhou@gmail.com> +Date: Sat, 11 Oct 2025 15:52:47 +0800 +Subject: [PATCH] cookies: Avoid expires attribute if date is invalid + +According to CVE-2025-11021, we may get invalid on processing date +string with timezone offset, this commit will ignore it. + +Closes #459 + +CVE: CVE-2025-11021 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + libsoup/cookies/soup-cookie.c | 9 +++++---- + libsoup/soup-date-utils.c | 3 +++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c +index 7c41b1d..5af154d 100644 +--- a/libsoup/cookies/soup-cookie.c ++++ b/libsoup/cookies/soup-cookie.c +@@ -726,12 +726,13 @@ serialize_cookie (SoupCookie *cookie, GString *header, gboolean set_cookie) + + if (cookie->expires) { + char *timestamp; +- +- g_string_append (header, "; expires="); + timestamp = soup_date_time_to_string (cookie->expires, + SOUP_DATE_COOKIE); +- g_string_append (header, timestamp); +- g_free (timestamp); ++ if (timestamp) { ++ g_string_append (header, "; expires="); ++ g_string_append (header, timestamp); ++ g_free (timestamp); ++ } + } + if (cookie->path) { + g_string_append (header, "; path="); +diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c +index 34ca995..ae5504d 100644 +--- a/libsoup/soup-date-utils.c ++++ b/libsoup/soup-date-utils.c +@@ -95,6 +95,9 @@ soup_date_time_to_string (GDateTime *date, + char *date_format; + char *formatted_date; + ++ if (!utcdate) ++ return NULL; ++ + // We insert days/months ourselves to avoid locale specific formatting + if (format == SOUP_DATE_HTTP) { + /* "Sun, 06 Nov 1994 08:49:37 GMT" */ +-- +2.50.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index fc4a286dcf08..8fe3775e1e44 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -51,6 +51,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32049-2.patch \ file://CVE-2025-32049-3.patch \ file://CVE-2025-32049-4.patch \ + file://CVE-2025-11021.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From 6ca4635dfe2c7fb277af3409931c66f7863af890 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Wed, 10 Jun 2026 17:34:26 +0530 Subject: [PATCH 84/96] libsoup: fix for CVE-2026-2369 Pick patch from [1] also mentioned at Debian report in [2] [1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f [2] https://security-tracker.debian.org/tracker/CVE-2026-2369 Note: Issue introduced by the fix for CVE-2025-32052. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../libsoup/libsoup-3.4.4/CVE-2026-2369.patch | 32 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch new file mode 100644 index 000000000000..bee8a35323ba --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch @@ -0,0 +1,32 @@ +From af4bde990270b825b7d110a495cc65de9e2ec32f Mon Sep 17 00:00:00 2001 +From: Samuel Dainard <> +Date: Wed, 11 Feb 2026 10:19:04 -0600 +Subject: [PATCH] sniffer: Handle potential underflow + +Closes #498 + +CVE: CVE-2026-2369 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + libsoup/content-sniffer/soup-content-sniffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index a5e18d5..594d0bb 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -524,6 +524,10 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + if (!sniff_scriptable && type_row->scriptable) + continue; + ++ /* Ensure we have data to sniff - prevents underflow in resource_length - 1 */ ++ if (resource_length == 0) ++ continue; ++ + if (type_row->has_ws) { + guint index_stream = 0; + guint index_pattern = 0; +-- +2.50.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 8fe3775e1e44..15164d940c14 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -52,6 +52,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32049-3.patch \ file://CVE-2025-32049-4.patch \ file://CVE-2025-11021.patch \ + file://CVE-2026-2369.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From 209a1b3a48b8e3996e1b53f2d7efe335855b7375 Mon Sep 17 00:00:00 2001 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Date: Fri, 19 Jun 2026 09:51:18 +0200 Subject: [PATCH 85/96] go: patch CVE-2026-27145 Backport patch from [1] [1] https://go.dev/cl/783621 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27145.patch | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27145.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index c825ebd25a3d..99c5f8b63b68 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -61,6 +61,7 @@ SRC_URI += "\ file://CVE-2025-58183.patch \ file://CVE-2026-25679.patch \ file://CVE-2026-32288.patch \ + file://CVE-2026-27145.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27145.patch b/meta/recipes-devtools/go/go/CVE-2026-27145.patch new file mode 100644 index 000000000000..f231aab458bb --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27145.patch @@ -0,0 +1,96 @@ +From 612753600a0184c8b792425dea62e530170ca811 Mon Sep 17 00:00:00 2001 +From: Ian Alexander <jitsu@google.com> +Date: Wed, 27 May 2026 04:22:31 -0400 +Subject: [PATCH] crypto/x509: split candidate hostname only once + +(*x509.Certificate).VerifyHostname previously called matchHostnames in a +loop over all DNS Subject Alternative Name (SAN) entries. This caused +strings.Split(host, ".") to execute repeatedly on the same input +hostname. + +With a large DNS SAN list, verification costs scaled quadratically based +on the number of SAN entries multiplied by the hostname's label count. +Because x509.Verify validates hostnames before building the certificate +chain, this overhead occurred even for untrusted certificates. + +Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue. + +Fixes #79694 +Fixes CVE-2026-27145 + +Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74 +Reviewed-on: https://go-review.googlesource.com/c/go/+/783621 +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: David Chase <drchase@google.com> +Reviewed-by: Neal Patel <neal@golang.org> + +CVE: CVE-2026-27145 +Upstream-Status: Backport [https://github.com/golang/go/commit/d01955d5d50ccb5f46c215f88c1781742b3f117d] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/x509/verify.go | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 1de06bc95b..4c423a5fca 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -102,7 +102,7 @@ func (h HostnameError) Error() string { + c := h.Certificate + maxNamesIncluded := 100 + +- if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { ++ if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, splitHostname(h.Host)) { + return "x509: certificate relies on legacy Common Name field, use SANs instead" + } + +@@ -1081,16 +1081,14 @@ func matchExactly(hostA, hostB string) bool { + return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) + } + +-func matchHostnames(pattern, host string) bool { ++func matchHostnames(pattern string, hostParts []string) bool { + pattern = toLowerCaseASCII(pattern) +- host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) + +- if len(pattern) == 0 || len(host) == 0 { ++ if len(pattern) == 0 || len(hostParts) == 0 { + return false + } + + patternParts := strings.Split(pattern, ".") +- hostParts := strings.Split(host, ".") + + if len(patternParts) != len(hostParts) { + return false +@@ -1168,6 +1166,7 @@ func (c *Certificate) VerifyHostname(h string) error { + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. + validCandidateName := validHostnameInput(candidateName) ++ hostParts := splitHostname(candidateName) + + for _, match := range c.DNSNames { + // Ideally, we'd only match valid hostnames according to RFC 6125 like +@@ -1176,7 +1175,7 @@ func (c *Certificate) VerifyHostname(h string) error { + // always allow perfect matches, and only apply wildcard and trailing + // dot processing to valid hostnames. + if validCandidateName && validHostnamePattern(match) { +- if matchHostnames(match, candidateName) { ++ if matchHostnames(match, hostParts) { + return nil + } + } else { +@@ -1189,6 +1188,10 @@ func (c *Certificate) VerifyHostname(h string) error { + return HostnameError{c, h} + } + ++func splitHostname(host string) []string { ++ return strings.Split(toLowerCaseASCII(strings.TrimSuffix(host, ".")), ".") ++} ++ + func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool { + usages := make([]ExtKeyUsage, len(keyUsages)) + copy(usages, keyUsages) +-- +2.43.0 + From 7060d5970c1c80631ac0c5857fe6b76176f535c9 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Fri, 19 Jun 2026 19:37:46 +0530 Subject: [PATCH 86/96] xwayland: Fix CVE-2026-33999 Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-33999 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xwayland/xwayland/CVE-2026-33999.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch new file mode 100644 index 000000000000..cd3bf47397d5 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch @@ -0,0 +1,49 @@ +From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001 +From: Peter Harris <pharris2@rocketsoftware.com> +Date: Thu, 15 Jan 2026 15:54:09 -0500 +Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap + +If the "compat" buffer has previously been truncated, there will be +unused space in the buffer. The code uses this space, but does not +update the number of valid entries in the buffer. + +In the best case, this leads to the new compat entries being ignored. In the +worst case, if there are any "skipped" compat entries, the number of +valid entries will be corrupted, potentially leading to a buffer read +overrun when processing a future request. + +Set the number of used "compat" entries when re-using previously +allocated space in the buffer. + +CVE-2026-33999, ZDI-CAN-28593 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Peter Harris <pharris2@rocketsoftware.com> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b] +CVE: CVE-2026-33999 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 137d70d..2b9004a 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + } + } +- else if (req->truncateSI) { ++ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { + compat->num_si = req->firstSI + req->nSI; + } + sym = &compat->sym_interpret[req->firstSI]; +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 362b110a0bb9..65f1ed2ae077 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -35,6 +35,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62230-0001.patch \ file://CVE-2025-62230-0002.patch \ file://CVE-2025-62231.patch \ + file://CVE-2026-33999.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From af54fbd683bf8a143b2327a74babe372e1b6f909 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Fri, 19 Jun 2026 19:37:47 +0530 Subject: [PATCH 87/96] xwayland: Fix CVE-2026-34000 Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34000 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xwayland/xwayland/CVE-2026-34000.patch | 72 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch new file mode 100644 index 000000000000..7ce7cfa80c0a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch @@ -0,0 +1,72 @@ +From 81b6a34f90b28c32ad499a78a4f391b7c06daea2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 16:03:11 +0100 +Subject: [PATCH] xkb: Fix bounds check in _CheckSetGeom() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585) + == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607) + == by 0x5AC952: _XkbSetGeometry (xkb.c:5643) + == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684) + == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E13B0: AllocateInputBuffer (io.c:981) + == by 0x5E05CD: InsertFakeRequest (io.c:516) + == by 0x4AA860: NextAvailableClient (dispatch.c:3629) + == by 0x5DE0D7: AllocNewConnection (connection.c:628) + == by 0x5DE2C6: EstablishNewConnections (connection.c:692) + == by 0x5DE600: HandleNotifyFd (connection.c:809) + == by 0x5E2598: ospoll_wait (ospoll.c:660) + == by 0x5DA00C: WaitForSomething (WaitFor.c:208) + == by 0x4A26E5: Dispatch (dispatch.c:493) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +Each key alias entry contains two key names (the alias and the real key +name), each of size XkbKeyNameLength. + +The current bounds check only validates the first name, allowing +XkbAddGeomKeyAlias to potentially read uninitialized memory when +accessing the second name at &wire[XkbKeyNameLength]. + +To fix this, change the value to check to use 2 * XkbKeyNameLength to +validate the bounds. + +CVE-2026-34000, ZDI-CAN-28679 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2] +CVE: CVE-2026-34000 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 2b9004a..1ba638b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5603,7 +5603,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + } + + for (i = 0; i < req->nKeyAliases; i++) { +- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength)) + return BadLength; + + if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 65f1ed2ae077..1a076ab552fd 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -36,6 +36,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62230-0002.patch \ file://CVE-2025-62231.patch \ file://CVE-2026-33999.patch \ + file://CVE-2026-34000.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From 1411caa0781811b7ee452edb04ffdcf3acc92a91 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Fri, 19 Jun 2026 19:37:48 +0530 Subject: [PATCH 88/96] xwayland: Fix CVE-2026-34001 Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34001 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xwayland/xwayland/CVE-2026-34001.patch | 104 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch new file mode 100644 index 000000000000..a438f5ffcdde --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch @@ -0,0 +1,104 @@ +From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 16:23:23 +0100 +Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence() + +As reported by valgrind: + + == Invalid read of size 8 + == at 0x568C14: miSyncTriggerFence (misync.c:140) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd + == at 0x4843E43: free (vg_replace_malloc.c:990) + == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) + == by 0x53F14D: FreeAwait (sync.c:1208) + == by 0x4DFB06: doFreeResource (resource.c:888) + == by 0x4DFC59: FreeResource (resource.c:918) + == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) + == by 0x568C52: miSyncTriggerFence (misync.c:142) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Block was alloc'd at + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E50E1: XNFalloc (utils.c:1129) + == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) + == by 0x53DCA8: SyncInitTrigger (sync.c:414) + == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) + == by 0x540D04: ProcSyncDispatch (sync.c:2160) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +When walking the list of fences to trigger, miSyncTriggerFence() may +call TriggerFence() for the current trigger, which end up calling the +function SyncAwaitTriggerFired(). + +SyncAwaitTriggerFired() frees the entire await resource, which removes +all triggers from that await - including pNext which may be another +trigger from the same await attached to the same fence. + +On the next iteration, ptl = pNext points to freed memory... + +To avoid the issue, we need to restart the iteration from the beginning +of the list each time a trigger fires, since the callback can modify the +list. + +CVE-2026-34001, ZDI-CAN-28706 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0] +CVE: CVE-2026-34001 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + miext/sync/misync.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/miext/sync/misync.c b/miext/sync/misync.c +index 0931803..e11eba2 100644 +--- a/miext/sync/misync.c ++++ b/miext/sync/misync.c +@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) + void + miSyncTriggerFence(SyncFence * pFence) + { +- SyncTriggerList *ptl, *pNext; ++ SyncTriggerList *ptl; ++ Bool triggered; + + pFence->funcs.SetTriggered(pFence); + + /* run through triggers to see if any fired */ +- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { +- pNext = ptl->next; +- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) +- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); +- } ++ do { ++ triggered = FALSE; ++ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { ++ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { ++ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); ++ triggered = TRUE; ++ break; ++ } ++ } ++ } while (triggered); + } + + SyncScreenFuncsPtr +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 1a076ab552fd..800d0a8f6342 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62231.patch \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ + file://CVE-2026-34001.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From 0df72cf8effda9d82088062aa57159df2b197945 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Fri, 19 Jun 2026 19:37:49 +0530 Subject: [PATCH 89/96] xwayland: Fix CVE-2026-34002 Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34002 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xwayland/xwayland/CVE-2026-34002.patch | 93 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch new file mode 100644 index 000000000000..131caefcd5ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch @@ -0,0 +1,93 @@ +From f056ce1cc96ed9261052c31524162c78e458f98c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 18 Feb 2026 17:02:09 +0100 +Subject: [PATCH] xkb: Fix out-of-bounds read in CheckModifierMap() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x547E5B: CheckModifierMap (xkb.c:1972) + == by 0x54A086: _XkbSetMapChecks (xkb.c:2574) + == by 0x54A845: ProcXkbSetMap (xkb.c:2741) + == by 0x556EF4: ProcXkbDispatch (xkb.c:7048) + == by 0x454A8C: Dispatch (dispatch.c:553) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x592D5A: AllocateInputBuffer (io.c:981) + == by 0x591F77: InsertFakeRequest (io.c:516) + == by 0x45CA27: NextAvailableClient (dispatch.c:3629) + == by 0x58FA81: AllocNewConnection (connection.c:628) + == by 0x58FC70: EstablishNewConnections (connection.c:692) + == by 0x58FFAA: HandleNotifyFd (connection.c:809) + == by 0x593F42: ospoll_wait (ospoll.c:660) + == by 0x58B9B6: WaitForSomething (WaitFor.c:208) + == by 0x4548AC: Dispatch (dispatch.c:493) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + +The issue is that the loop in CheckModifierMap() reads from wire without +verifying that the data is within the request bounds. + +The req->totalModMapKeys value could exceed the actual data provided, +causing reads of uninitialized memory. + +To fix that issue, we add a bounds check using _XkbCheckRequestBounds, +but for that, we need to also pass a ClientPtr parameter, which is not +a problem since CheckModifierMap() is a private, static function. + +CVE-2026-34002, ZDI-CAN-28737 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c] +CVE: CVE-2026-34002 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 1ba638b..3fcc6c4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + + static int +-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, +- int *errRtrn) ++CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, ++ CARD8 **wireRtrn, int *errRtrn) + { + register CARD8 *wire = *wireRtrn; + CARD8 *start; +@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, + } + start = wire; + for (i = 0; i < req->totalModMapKeys; i++, wire += 2) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]); + return 0; +@@ -2568,7 +2572,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + return BadValue; + } + if ((req->present & XkbModifierMapMask) && +- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 800d0a8f6342..e7412e201169 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -38,6 +38,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ + file://CVE-2026-34002.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From 798e81f20e73b07255bdd6e669c146da905f6c00 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri <vanusuri@mvista.com> Date: Fri, 19 Jun 2026 19:37:50 +0530 Subject: [PATCH 90/96] xwayland: Fix CVE-2026-34003 Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34003 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../xwayland/xwayland/CVE-2026-34003-1.patch | 113 +++++++++ .../xwayland/xwayland/CVE-2026-34003-2.patch | 223 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 338 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch new file mode 100644 index 000000000000..3a1a9db8cb31 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch @@ -0,0 +1,113 @@ +From b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 23 Feb 2026 15:52:49 +0100 +Subject: [PATCH] xkb: Add additional bound checking in CheckKeyTypes() + +The function CheckKeyTypes() will loop over the client's request but +won't perform any additional bound checking to ensure that the data +read remains within the request bounds. + +As a result, a specifically crafted request may cause CheckKeyTypes() to +read past the request data, as reported by valgrind: + + == Invalid read of size 2 + == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 30 bytes after a block of size 28,672 in arena "client" + == + == Invalid read of size 2 + == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + == Invalid write of size 2 + == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + +To avoid that issue, add additional bounds checking within the loops by +calling _XkbCheckRequestBounds() and report an error if we are to read +past the client's request. + +CVE-2026-34003, ZDI-CAN-28736 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3fcc6c4..0ef634b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client, + for (i = 0; i < req->nTypes; i++) { + unsigned width; + ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->virtualMods); + } +@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client, + xkbModsWireDesc *preWire; + + mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; ++ if (!_XkbCheckRequestBounds(client, req, mapWire, ++ &mapWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); ++ return 0; ++ } + preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; ++ if (wire->preserve && ++ !_XkbCheckRequestBounds(client, req, preWire, ++ &preWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); ++ return 0; ++ } + for (n = 0; n < wire->nMapEntries; n++) { + if (client->swapped && doswap) { + swaps(&mapWire[n].virtualMods); +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch new file mode 100644 index 000000000000..15b2b946d504 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch @@ -0,0 +1,223 @@ +From d38c563fab5c4a554e0939da39e4d1dadef7cbae Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 2 Mar 2026 14:09:57 +0100 +Subject: [PATCH] xkb: Add more _XkbCheckRequestBounds() + +Similar to the recent fixes, add more _XkbCheckRequestBounds() to the +functions that loop over the request data, i.e.: + + * CheckKeySyms() + * CheckKeyActions() + * CheckKeyBehaviors() + * CheckVirtualMods() + * CheckKeyExplicit() + * CheckVirtualModMap() + * _XkbSetMapChecks() + +All these are static functions so we can add the client to the parameters +without breaking any API. + +See also: +CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737 + +v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives. + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 55 insertions(+), 14 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 0ef634b..6320914 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client, + KeySym *pSyms; + register unsigned nG; + ++ /* Check we received enough data to read the next xkbSymMapWireDesc */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->nSyms); + } +@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client, + return 0; + } + pSyms = (KeySym *) &wire[1]; ++ if (wire->nSyms != 0) { ++ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { ++ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); ++ return 0; ++ } ++ } + wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; + } + +@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client, + } + + static int +-CheckKeyActions(XkbDescPtr xkb, +- xkbSetMapReq * req, +- int nTypes, +- CARD8 *mapWidths, +- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) ++CheckKeyActions(ClientPtr client, ++ XkbDescPtr xkb, ++ xkbSetMapReq * req, ++ int nTypes, ++ CARD8 *mapWidths, ++ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) + { + int nActs; + CARD8 *wire = *wireRtrn; +@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb, + CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), + 0); + for (nActs = i = 0; i < req->nKeyActs; i++) { ++ /* Check we received enough data to read the next byte on the wire */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); ++ return 0; ++ } + if (wire[0] != 0) { + if (wire[0] == symsPerKey[i + req->firstKeyAct]) + nActs += wire[0]; +@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb, + } + + static int +-CheckKeyBehaviors(XkbDescPtr xkb, ++CheckKeyBehaviors(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) + { +@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { ++ /* Check we received enough data to read the next behavior */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x36, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); + return 0; +@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + static int +-CheckVirtualMods(XkbDescRec * xkb, ++CheckVirtualMods(ClientPtr client, ++ XkbDescRec * xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb, + if (req->virtualMods & bit) + nMods++; + } ++ /* Check we received enough data for the number of virtual mods expected */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { ++ *errorRtrn = _XkbErrCode3(0x37, nMods, i); ++ return 0; ++ } + *wireRtrn = (wire + XkbPaddedSize(nMods)); + return 1; + } + + static int +-CheckKeyExplicit(XkbDescPtr xkb, ++CheckKeyExplicit(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + start = wire; + for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { ++ /* Check we received enough data to read the next two bytes */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errorRtrn = _XkbErrCode4(0x54, first, last, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); + return 0; +@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, + } + + static int +-CheckVirtualModMap(XkbDescPtr xkb, ++CheckVirtualModMap(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbVModMapWireDesc ** wireRtrn, int *errRtrn) + { +@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb, + return 0; + } + for (i = 0; i < req->totalVModMapKeys; i++, wire++) { ++ /* Check we received enough data to read the next virtual mod map key */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errRtrn = _XkbErrCode3(0x74, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); + return 0; +@@ -2563,7 +2604,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + + if ((req->present & XkbKeyActionsMask) && +- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, ++ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, + (CARD8 **) &values, &nActions))) { + client->errorValue = nActions; + return BadValue; +@@ -2571,18 +2612,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + + if ((req->present & XkbKeyBehaviorsMask) && + (!CheckKeyBehaviors +- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + + if ((req->present & XkbVirtualModsMask) && +- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + if ((req->present & XkbExplicitComponentsMask) && +- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +@@ -2593,7 +2634,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + if ((req->present & XkbVirtualModMapMask) && + (!CheckVirtualModMap +- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index e7412e201169..8d5cb05beb9a 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -39,6 +39,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ file://CVE-2026-34002.patch \ + file://CVE-2026-34003-1.patch \ + file://CVE-2026-34003-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From c4d5735228e83c3a9afce48a39707b2ff5460fde Mon Sep 17 00:00:00 2001 From: Anil Dongare <adongare@cisco.com> Date: Tue, 23 Jun 2026 07:04:28 +0000 Subject: [PATCH 91/96] libusb1: fix CVE-2026-23679 and CVE-2026-47104 - Pick the upstream patch [1] as mentioned in [2] and [3]. - To successfully apply the fixed commit, apply the dependent commits [4], which are included in v1.0.28. [1] https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 [2] https://security-tracker.debian.org/tracker/CVE-2026-23679. [3] https://security-tracker.debian.org/tracker/CVE-2026-47104. [4] https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- ...-2026-23679_CVE-2026-47104-dependent.patch | 46 ++++++++++ .../CVE-2026-23679_CVE-2026-47104.patch | 88 +++++++++++++++++++ meta/recipes-support/libusb/libusb1_1.0.27.bb | 2 + 3 files changed, 136 insertions(+) create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch new file mode 100644 index 000000000000..04f1e6842631 --- /dev/null +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch @@ -0,0 +1,46 @@ +From 2c1bb758e3b61355f50df61b6eb474d90bec2fab Mon Sep 17 00:00:00 2001 +From: Sean McBride <sean@rogue-research.com> +Date: Sat, 3 Feb 2024 22:32:52 -0500 +Subject: [PATCH] descriptor: Fix potential offsetting of pointer by too + much + +This was checking that `size` is at least `LIBUSB_DT_CONFIG_SIZE` (9) +bytes long, but then increments the pointer with `buf += +header.bLength`. That could end up pointing past of the end of the +buffer. There is a subsequent check that would prevent dereferencing it, +but it's still undefined behaviour to even create such a pointer. + +Add a check with a similar pattern as elsewhere in this file. + +CVE: CVE-2026-23679 CVE-2026-47104 +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68] + +Backport Changes: +- The upstream version_nano.h bump is omitted because this is a security + backport to libusb 1.0.27, not a version upgrade. + +(cherry picked from commit 016a0de33ac94b19c7772d6c20fbea7fec23bf68) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + libusb/descriptor.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libusb/descriptor.c b/libusb/descriptor.c +index 4623ad1..4862c69 100644 +--- a/libusb/descriptor.c ++++ b/libusb/descriptor.c +@@ -1233,6 +1233,11 @@ static int parse_iad_array(struct libusb_context *ctx, + header.bLength); + return LIBUSB_ERROR_IO; + } ++ else if (header.bLength > size) { ++ usbi_warn(ctx, "short config descriptor read %d/%u", ++ size, header.bLength); ++ return LIBUSB_ERROR_IO; ++ } + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) + iad_array->length++; + buf += header.bLength; +-- +2.43.7 + diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch new file mode 100644 index 000000000000..d868207e9aac --- /dev/null +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch @@ -0,0 +1,88 @@ +From 0735213e5118d5c9c732b7c891446b35e0d6b8d5 Mon Sep 17 00:00:00 2001 +From: MarkLee131 <kaixuan.li@ntu.edu.sg> +Date: Sat, 25 Apr 2026 18:33:17 +0800 +Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed + config descriptor handling + +Two issues reachable from a malformed config descriptor returned by an +attached USB device, both surfaced by the same libFuzzer + ASan run. + +1) parse_interface() reads bNumEndpoints from the interface descriptor and + increments usb_interface->num_altsetting before entering the inner loop + that skips class/vendor specific descriptors ahead of the endpoint + array. If that loop's bLength > size short-read branch fires, the + function returns before the endpoint array is allocated, leaving the + caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents + endpoint as an array sized by bNumEndpoints, and the testlibusb and + xusb examples both iterate it accordingly, so a NULL deref follows. + Reset bNumEndpoints to 0 before returning so the invariant holds. + +2) The first-pass loop in parse_iad_array() compares header.bLength + against the original size argument instead of the remaining bytes, + so a single descriptor with bLength == size - 1 lets consumed reach + size - 1 and the next iteration enters with only one byte of buffer + left. The buf[1] read on the second line of the loop body lands one + byte past the malloc allocation that backs the descriptor data. The + sibling parsers parse_configuration() and parse_interface() in the + same file already use the remaining-bytes form. Switch the IAD parser + loop guard and bound check to match. + +Both code paths are reachable from public APIs (libusb_get_*_config_descriptor +and libusb_get_*_interface_association_descriptors), with the malformed +input supplied by the attached device. Minimal reproducers are 20 and +9 bytes respectively. + +Fixes #1813 + +CVE: CVE-2026-23679 CVE-2026-47104 +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231] + +Backport Changes: +- The upstream version_nano.h bump is omitted because this is a security + backport to libusb 1.0.27, not a version upgrade. + +Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg> +(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + libusb/descriptor.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libusb/descriptor.c b/libusb/descriptor.c +index 4862c69..97143bb 100644 +--- a/libusb/descriptor.c ++++ b/libusb/descriptor.c +@@ -260,6 +260,10 @@ static int parse_interface(libusb_context *ctx, + usbi_warn(ctx, + "short extra intf desc read %d/%u", + size, header->bLength); ++ /* Keep the invariant: bNumEndpoints > 0 implies ++ * endpoint != NULL. The endpoint array isn't ++ * allocated yet on this early return. */ ++ ifp->bNumEndpoints = 0; + return parsed; + } + +@@ -1226,16 +1230,16 @@ static int parse_iad_array(struct libusb_context *ctx, + + // First pass: Iterate through desc list, count number of IADs + iad_array->length = 0; +- while (consumed < size) { ++ while (size - consumed >= DESC_HEADER_LENGTH) { + parse_descriptor(buf, "bb", &header); + if (header.bLength < 2) { + usbi_err(ctx, "invalid descriptor bLength %d", + header.bLength); + return LIBUSB_ERROR_IO; + } +- else if (header.bLength > size) { ++ else if (header.bLength > size - consumed) { + usbi_warn(ctx, "short config descriptor read %d/%u", +- size, header.bLength); ++ size - consumed, header.bLength); + return LIBUSB_ERROR_IO; + } + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) +-- +2.43.7 + diff --git a/meta/recipes-support/libusb/libusb1_1.0.27.bb b/meta/recipes-support/libusb/libusb1_1.0.27.bb index 5bf854f95d46..3c4633016448 100644 --- a/meta/recipes-support/libusb/libusb1_1.0.27.bb +++ b/meta/recipes-support/libusb/libusb1_1.0.27.bb @@ -14,6 +14,8 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-23679_CVE-2026-47104-dependent.patch \ + file://CVE-2026-23679_CVE-2026-47104.patch \ " GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases" From a866d0438d30b1625450f68fea19e9315a4e4b36 Mon Sep 17 00:00:00 2001 From: Sudhir Dumbhare <sudumbha@cisco.com> Date: Tue, 23 Jun 2026 03:25:41 -0700 Subject: [PATCH 92/96] nfs-utils: fix CVE-2025-12801 - This patch applies the upstream fix [5] as referenced in [7]. - To successfully apply the fixed commit, apply the dependent commits [2] to [4] which are included in v2.8.6, as referenced in [7]. - Additionally, include dependent commit [1] from v2.8.3, as referenced in [8] under the [2.5.4-38.2] description, along with compilation fix commit [6] from v2.7.1 - Reference: [1] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790 [2] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58 [3] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe [4] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92 [5] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899 [6] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a [7] https://security-tracker.debian.org/tracker/CVE-2025-12801 [8] https://linux.oracle.com/errata/ELSA-2026-3940.html Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../nfs-utils/CVE-2025-12801-build-fix.patch | 44 ++ .../CVE-2025-12801-dependent_p1.patch | 450 +++++++++++++++++ .../CVE-2025-12801-dependent_p2.patch | 81 +++ .../CVE-2025-12801-dependent_p3.patch | 181 +++++++ .../CVE-2025-12801-dependent_p4.patch | 468 ++++++++++++++++++ .../nfs-utils/nfs-utils/CVE-2025-12801.patch | 254 ++++++++++ .../nfs-utils/nfs-utils_2.6.4.bb | 6 + 7 files changed, 1484 insertions(+) create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch new file mode 100644 index 000000000000..d7aaca224253 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch @@ -0,0 +1,44 @@ +From 30e0f57fff545b0bb3071fa071c7b12c2923bac8 Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Mon, 22 Jan 2024 13:23:57 -0500 +Subject: [PATCH] reexport.c: Some Distros need the following include to + avoid the following error + +reexport.c: In function ‘connect_fsid_service’: +reexport.c:41:28: error: implicit declaration of function ‘offsetof’ [-Werror=implicit-function-declaration] + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~~~ +reexport.c:19:1: note: ‘offsetof’ is defined in header ‘<stddef.h>’; did you forget to ‘#include <stddef.h>’? + 18 | #include "xlog.h" + +++ |+#include <stddef.h> + 19 | +reexport.c:41:37: error: expected expression before ‘struct’ + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~ +cc1: some warnings being treated as errors + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a71b482bb62bad6d93ddde51e5dc6] + +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit a2c95e4f557a71b482bb62bad6d93ddde51e5dc6) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + support/reexport/reexport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/support/reexport/reexport.c b/support/reexport/reexport.c +index 78516586..16dde0fb 100644 +--- a/support/reexport/reexport.c ++++ b/support/reexport/reexport.c +@@ -8,6 +8,7 @@ + #include <sys/types.h> + #include <sys/vfs.h> + #include <errno.h> ++#include <stddef.h> + + #include "nfsd_path.h" + #include "conffile.h" +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch new file mode 100644 index 000000000000..c1fb7c2f12e4 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch @@ -0,0 +1,450 @@ +From bbec1c68cbf9a9b3b28aad213b4573d288879a6f Mon Sep 17 00:00:00 2001 +From: Christopher Bii <christopherbii@hyub.org> +Date: Wed, 15 Jan 2025 12:10:48 -0500 +Subject: [PATCH] NFS export symlink vulnerability fix + +Replaced dangerous use of realpath within support/nfs/export.c with +nfsd_realpath variant that is executed within the chrooted thread +rather than main thread. + +Implemented nfsd_path.h methods to work securely within chrooted +thread using nfsd_run_task() help + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a] + +Signed-off-by: Christopher Bii <christopherbii@hyub.org> +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + support/export/cache.c | 2 +- + support/include/nfsd_path.h | 5 +- + support/misc/nfsd_path.c | 257 +++++++++++------------------------- + support/nfs/exports.c | 3 +- + 4 files changed, 83 insertions(+), 184 deletions(-) + +diff --git a/support/export/cache.c b/support/export/cache.c +index 6c0a44a3..a4c339f2 100644 +--- a/support/export/cache.c ++++ b/support/export/cache.c +@@ -65,7 +65,7 @@ static ssize_t cache_read(int fd, char *buf, size_t len) + return nfsd_path_read(fd, buf, len); + } + +-static ssize_t cache_write(int fd, const char *buf, size_t len) ++static ssize_t cache_write(int fd, void *buf, size_t len) + { + return nfsd_path_write(fd, buf, len); + } +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index aa1e1dd0..f600fb5a 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -8,6 +8,7 @@ + + struct file_handle; + struct statfs; ++struct nfsd_task_t; + + void nfsd_path_init(void); + +@@ -23,8 +24,8 @@ int nfsd_path_statfs(const char *pathname, + + char * nfsd_realpath(const char *path, char *resolved_path); + +-ssize_t nfsd_path_read(int fd, char *buf, size_t len); +-ssize_t nfsd_path_write(int fd, const char *buf, size_t len); ++ssize_t nfsd_path_read(int fd, void* buf, size_t len); ++ssize_t nfsd_path_write(int fd, void* buf, size_t len); + + int nfsd_name_to_handle_at(int fd, const char *path, + struct file_handle *fh, +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index c3dea4f0..caec33ca 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -19,7 +19,20 @@ + #include "nfsd_path.h" + #include "workqueue.h" + +-static struct xthread_workqueue *nfsd_wq; ++static struct xthread_workqueue *nfsd_wq = NULL; ++ ++struct nfsd_task_t { ++ int ret; ++ void* data; ++}; ++/* Function used to offload tasks that must be ran within the correct ++ * chroot environment. ++ */ ++static void ++nfsd_run_task(void (*func)(void*), void* data){ ++ nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data); ++}; ++ + + static int + nfsd_path_isslash(const char *path) +@@ -124,224 +137,119 @@ nfsd_path_init(void) + } + + struct nfsd_stat_data { +- const char *pathname; +- struct stat *statbuf; +- int ret; +- int err; ++ const char *pathname; ++ struct stat *statbuf; ++ int (*stat_handler)(const char*, struct stat*); + }; + + static void +-nfsd_statfunc(void *data) +-{ +- struct nfsd_stat_data *d = data; +- +- d->ret = xstat(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; +-} +- +-static void +-nfsd_lstatfunc(void *data) ++nfsd_handle_stat(void *data) + { +- struct nfsd_stat_data *d = data; +- +- d->ret = xlstat(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_task_t* t = data; ++ struct nfsd_stat_data* d = t->data; ++ t->ret = d->stat_handler(d->pathname, d->statbuf); + } + + static int +-nfsd_run_stat(struct xthread_workqueue *wq, +- void (*func)(void *), +- const char *pathname, +- struct stat *statbuf) ++nfsd_run_stat(const char *pathname, ++ struct stat *statbuf, ++ int (*handler)(const char*, struct stat*)) + { +- struct nfsd_stat_data data = { +- pathname, +- statbuf, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, func, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_task_t t; ++ struct nfsd_stat_data d = { pathname, statbuf, handler }; ++ t.data = &d; ++ nfsd_run_task(nfsd_handle_stat, &t); ++ return t.ret; + } + + int + nfsd_path_stat(const char *pathname, struct stat *statbuf) + { +- if (!nfsd_wq) +- return xstat(pathname, statbuf); +- return nfsd_run_stat(nfsd_wq, nfsd_statfunc, pathname, statbuf); ++ return nfsd_run_stat(pathname, statbuf, stat); + } + + int +-nfsd_path_lstat(const char *pathname, struct stat *statbuf) +-{ +- if (!nfsd_wq) +- return xlstat(pathname, statbuf); +- return nfsd_run_stat(nfsd_wq, nfsd_lstatfunc, pathname, statbuf); +-} +- +-struct nfsd_statfs_data { +- const char *pathname; +- struct statfs *statbuf; +- int ret; +- int err; ++nfsd_path_lstat(const char* pathname, struct stat* statbuf){ ++ return nfsd_run_stat(pathname, statbuf, lstat); + }; + +-static void +-nfsd_statfsfunc(void *data) +-{ +- struct nfsd_statfs_data *d = data; +- +- d->ret = statfs(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; +-} +- +-static int +-nfsd_run_statfs(struct xthread_workqueue *wq, +- const char *pathname, +- struct statfs *statbuf) +-{ +- struct nfsd_statfs_data data = { +- pathname, +- statbuf, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_statfsfunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; +-} +- + int +-nfsd_path_statfs(const char *pathname, struct statfs *statbuf) ++nfsd_path_statfs(const char* pathname, struct statfs* statbuf) + { +- if (!nfsd_wq) +- return statfs(pathname, statbuf); +- return nfsd_run_statfs(nfsd_wq, pathname, statbuf); +-} ++ return nfsd_run_stat(pathname, (struct stat*)statbuf, (int (*)(const char*, struct stat*))statfs); ++}; + +-struct nfsd_realpath_data { +- const char *pathname; +- char *resolved; +- int err; ++struct nfsd_realpath_t { ++ const char* path; ++ char* resolved_buf; ++ char* res_ptr; + }; + + static void + nfsd_realpathfunc(void *data) + { +- struct nfsd_realpath_data *d = data; +- +- d->resolved = realpath(d->pathname, d->resolved); +- if (!d->resolved) +- d->err = errno; ++ struct nfsd_realpath_t *d = data; ++ d->res_ptr = realpath(d->path, d->resolved_buf); + } + +-char * +-nfsd_realpath(const char *path, char *resolved_path) ++char* ++nfsd_realpath(const char *path, char *resolved_buf) + { +- struct nfsd_realpath_data data = { +- path, +- resolved_path, +- 0 +- }; +- +- if (!nfsd_wq) +- return realpath(path, resolved_path); +- +- xthread_work_run_sync(nfsd_wq, nfsd_realpathfunc, &data); +- if (!data.resolved) +- errno = data.err; +- return data.resolved; ++ struct nfsd_realpath_t realpath_buf = { ++ .path = path, ++ .resolved_buf = resolved_buf ++ }; ++ nfsd_run_task(nfsd_realpathfunc, &realpath_buf); ++ return realpath_buf.res_ptr; + } + +-struct nfsd_read_data { +- int fd; +- char *buf; +- size_t len; +- ssize_t ret; +- int err; ++struct nfsd_rw_data { ++ int fd; ++ void* buf; ++ size_t len; ++ ssize_t bytes_read; + }; + + static void + nfsd_readfunc(void *data) + { +- struct nfsd_read_data *d = data; +- +- d->ret = read(d->fd, d->buf, d->len); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_rw_data* t = (struct nfsd_rw_data*)data; ++ t->bytes_read = read(t->fd, t->buf, t->len); + } + + static ssize_t +-nfsd_run_read(struct xthread_workqueue *wq, int fd, char *buf, size_t len) ++nfsd_run_read(int fd, void* buf, size_t len) + { +- struct nfsd_read_data data = { +- fd, +- buf, +- len, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_readfunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len }; ++ nfsd_run_task(nfsd_readfunc, &d); ++ return d.bytes_read; + } + + ssize_t +-nfsd_path_read(int fd, char *buf, size_t len) ++nfsd_path_read(int fd, void* buf, size_t len) + { +- if (!nfsd_wq) +- return read(fd, buf, len); +- return nfsd_run_read(nfsd_wq, fd, buf, len); ++ return nfsd_run_read(fd, buf, len); + } + +-struct nfsd_write_data { +- int fd; +- const char *buf; +- size_t len; +- ssize_t ret; +- int err; +-}; +- + static void + nfsd_writefunc(void *data) + { +- struct nfsd_write_data *d = data; +- +- d->ret = write(d->fd, d->buf, d->len); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_rw_data* d = data; ++ d->bytes_read = write(d->fd, d->buf, d->len); + } + + static ssize_t +-nfsd_run_write(struct xthread_workqueue *wq, int fd, const char *buf, size_t len) ++nfsd_run_write(int fd, void* buf, size_t len) + { +- struct nfsd_write_data data = { +- fd, +- buf, +- len, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_writefunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len }; ++ nfsd_run_task(nfsd_writefunc, &d); ++ return d.bytes_read; + } + + ssize_t +-nfsd_path_write(int fd, const char *buf, size_t len) ++nfsd_path_write(int fd, void* buf, size_t len) + { +- if (!nfsd_wq) +- return write(fd, buf, len); +- return nfsd_run_write(nfsd_wq, fd, buf, len); ++ return nfsd_run_write(fd, buf, len); + } + + #if defined(HAVE_NAME_TO_HANDLE_AT) +@@ -352,23 +260,18 @@ struct nfsd_handle_data { + int *mount_id; + int flags; + int ret; +- int err; + }; + + static void + nfsd_name_to_handle_func(void *data) + { + struct nfsd_handle_data *d = data; +- +- d->ret = name_to_handle_at(d->fd, d->path, +- d->fh, d->mount_id, d->flags); +- if (d->ret < 0) +- d->err = errno; ++ d->ret = name_to_handle_at(d->fd, d->path, d->fh, d->mount_id, d->flags); + } + + static int +-nfsd_run_name_to_handle_at(struct xthread_workqueue *wq, +- int fd, const char *path, struct file_handle *fh, ++nfsd_run_name_to_handle_at(int fd, const char *path, ++ struct file_handle *fh, + int *mount_id, int flags) + { + struct nfsd_handle_data data = { +@@ -377,25 +280,19 @@ nfsd_run_name_to_handle_at(struct xthread_workqueue *wq, + fh, + mount_id, + flags, +- 0, + 0 + }; + +- xthread_work_run_sync(wq, nfsd_name_to_handle_func, &data); +- if (data.ret < 0) +- errno = data.err; ++ nfsd_run_task(nfsd_name_to_handle_func, &data); + return data.ret; + } + + int +-nfsd_name_to_handle_at(int fd, const char *path, struct file_handle *fh, ++nfsd_name_to_handle_at(int fd, const char *path, ++ struct file_handle *fh, + int *mount_id, int flags) + { +- if (!nfsd_wq) +- return name_to_handle_at(fd, path, fh, mount_id, flags); +- +- return nfsd_run_name_to_handle_at(nfsd_wq, fd, path, fh, +- mount_id, flags); ++ return nfsd_run_name_to_handle_at(fd, path, fh, mount_id, flags); + } + #else + int +diff --git a/support/nfs/exports.c b/support/nfs/exports.c +index 15dc574c..c47e3d0a 100644 +--- a/support/nfs/exports.c ++++ b/support/nfs/exports.c +@@ -32,6 +32,7 @@ + #include "xio.h" + #include "pseudoflavors.h" + #include "reexport.h" ++#include "nfsd_path.h" + + #define EXPORT_DEFAULT_FLAGS \ + (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK) +@@ -200,7 +201,7 @@ getexportent(int fromkernel, int fromexports) + return NULL; + } + /* resolve symlinks */ +- if (realpath(ee.e_path, rpath) != NULL) { ++ if (nfsd_realpath(ee.e_path, rpath) != NULL) { + rpath[sizeof (rpath) - 1] = '\0'; + strncpy(ee.e_path, rpath, sizeof (ee.e_path) - 1); + ee.e_path[sizeof (ee.e_path) - 1] = '\0'; +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch new file mode 100644 index 000000000000..f088eadb4bd7 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch @@ -0,0 +1,81 @@ +From a6ddd0e9594884cf61816478e8c561f1b3aac709 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Mon, 10 Nov 2025 11:26:03 -0500 +Subject: [PATCH] mountd: Minor refactor of get_rootfh() + +Perform the mountpoint checks before checking the user path. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58657359c6842119fc516c6dd1baa4] + +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit 7e8b36522f58657359c6842119fc516c6dd1baa4) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + utils/mountd/mountd.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index dbd5546d..39afd4aa 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -412,6 +412,23 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } ++ if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ if (exp->m_export.e_mountpoint && ++ !check_is_mountpoint(exp->m_export.e_mountpoint[0]? ++ exp->m_export.e_mountpoint: ++ exp->m_export.e_path, ++ nfsd_path_lstat)) { ++ xlog(L_WARNING, "request to export an unmounted filesystem: %s", ++ p); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ + if (nfsd_path_stat(p, &stb) < 0) { + xlog(L_WARNING, "can't stat exported dir %s: %s", + p, strerror(errno)); +@@ -426,12 +443,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_NOTDIR; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", +- p, strerror(errno)); +- *error = MNT3ERR_NOENT; +- return NULL; +- } + if (estb.st_dev != stb.st_dev + && !(exp->m_export.e_flags & NFSEXP_CROSSMOUNT)) { + xlog(L_WARNING, "request to export directory %s below nearest filesystem %s", +@@ -439,17 +450,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (exp->m_export.e_mountpoint && +- !check_is_mountpoint(exp->m_export.e_mountpoint[0]? +- exp->m_export.e_mountpoint: +- exp->m_export.e_path, +- nfsd_path_lstat)) { +- xlog(L_WARNING, "request to export an unmounted filesystem: %s", +- p); +- *error = MNT3ERR_NOENT; +- return NULL; +- } +- + /* This will be a static private nfs_export with just one + * address. We feed it to kernel then extract the filehandle, + */ +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch new file mode 100644 index 000000000000..901069e3b9fc --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch @@ -0,0 +1,181 @@ +From 57732919d26ce523161392d688e3b67d6fc50839 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Mon, 10 Nov 2025 11:28:39 -0500 +Subject: [PATCH] mountd: Separate lookup of the exported directory and the + mount path + +When the caller asks to mount a path that does not terminate with an +exported directory, we want to split up the lookups so that we can +look up the exported directory using the mountd privileged credential, +and the remaining subdirectory lookups using the RPC caller's +credential. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fed98f12437ac8b28cfb12b6bad056] + +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit 42f01e6a78fed98f12437ac8b28cfb12b6bad056) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + support/include/nfsd_path.h | 1 + + support/misc/nfsd_path.c | 31 ++++++++++++++++++ + utils/mountd/mountd.c | 63 +++++++++++++++++++++++++++++++------ + 3 files changed, 86 insertions(+), 9 deletions(-) + +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index f600fb5a..3e5a2f5d 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -18,6 +18,7 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); ++int nfsd_openat(int dirfd, const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index caec33ca..dfe88e4f 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -203,6 +203,37 @@ nfsd_realpath(const char *path, char *resolved_buf) + return realpath_buf.res_ptr; + } + ++struct nfsd_openat_t { ++ const char *path; ++ int dirfd; ++ int flags; ++ int res_fd; ++ int res_error; ++}; ++ ++static void nfsd_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ ++ d->res_fd = openat(d->dirfd, d->path, d->flags); ++ if (d->res_fd == -1) ++ d->res_error = errno; ++} ++ ++int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ struct nfsd_openat_t open_buf = { ++ .path = path, ++ .dirfd = dirfd, ++ .flags = flags, ++ }; ++ ++ nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (open_buf.res_fd == -1) ++ errno = open_buf.res_error; ++ return open_buf.res_fd; ++} ++ + struct nfsd_rw_data { + int fd; + void* buf; +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index 39afd4aa..f43ebef5 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -392,7 +392,10 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + struct nfs_fh_len *fh; + char rpath[MAXPATHLEN+1]; + char *p = *path; ++ char *subpath; + char buf[INET6_ADDRSTRLEN]; ++ size_t epathlen; ++ int dirfd; + + if (*p == '\0') + p = "/"; +@@ -412,12 +415,21 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", ++ ++ dirfd = nfsd_openat(AT_FDCWD, exp->m_export.e_path, O_PATH); ++ if (dirfd == -1) { ++ xlog(L_WARNING, "can't open export point %s: %s", + p, strerror(errno)); + *error = MNT3ERR_NOENT; + return NULL; + } ++ if (fstat(dirfd, &estb) == -1) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } + if (exp->m_export.e_mountpoint && + !check_is_mountpoint(exp->m_export.e_mountpoint[0]? + exp->m_export.e_mountpoint: +@@ -426,18 +438,51 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + xlog(L_WARNING, "request to export an unmounted filesystem: %s", + p); + *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } + +- if (nfsd_path_stat(p, &stb) < 0) { +- xlog(L_WARNING, "can't stat exported dir %s: %s", +- p, strerror(errno)); +- if (errno == ENOENT) +- *error = MNT3ERR_NOENT; +- else +- *error = MNT3ERR_ACCES; ++ epathlen = strlen(exp->m_export.e_path); ++ if (epathlen > strlen(p)) { ++ xlog(L_WARNING, "raced with change of exported path: %s", p); ++ *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } ++ subpath = &p[epathlen]; ++ while (*subpath == '/') ++ subpath++; ++ if (*subpath != '\0') { ++ int fd; ++ ++ /* Just perform a lookup of the path */ ++ fd = nfsd_openat(dirfd, subpath, O_PATH); ++ close(dirfd); ++ if (fd == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ return NULL; ++ } ++ if (fstat(fd, &stb) == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ close(fd); ++ return NULL; ++ } ++ close(fd); ++ } else { ++ close(dirfd); ++ stb = estb; ++ } ++ + if (!S_ISDIR(stb.st_mode) && !S_ISREG(stb.st_mode)) { + xlog(L_WARNING, "%s is not a directory or regular file", p); + *error = MNT3ERR_NOTDIR; +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch new file mode 100644 index 000000000000..4ef529e73736 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch @@ -0,0 +1,468 @@ +From 7eef498b6bd01adc45415b03ddf321c84f82aa45 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Mon, 10 Nov 2025 12:18:38 -0500 +Subject: [PATCH] support: Add a mini-library to extract and apply RPC + credentials + +Add server functionality to extract the credentials from the client RPC +call, and apply them. This is needed in order to perform access checking +on the requested path in the mountd daemon. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d922d4961e60dad73ad1c2d97d8d99b] + +Backport Changes: +- In support/misc/Makefile.am, the non-essential file.c was omitted + as it does not exist in the current nfs-utils version. + +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit 51738ae56d922d4961e60dad73ad1c2d97d8d99b) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + aclocal/libtirpc.m4 | 11 +++ + support/include/Makefile.am | 1 + + support/include/nfs_ucred.h | 44 ++++++++++ + support/misc/Makefile.am | 2 +- + support/misc/ucred.c | 162 ++++++++++++++++++++++++++++++++++++ + support/nfs/Makefile.am | 2 +- + support/nfs/ucred.c | 147 ++++++++++++++++++++++++++++++++ + 7 files changed, 367 insertions(+), 2 deletions(-) + create mode 100644 support/include/nfs_ucred.h + create mode 100644 support/misc/ucred.c + create mode 100644 support/nfs/ucred.c + +diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 +index bddae022..84e18f7e 100644 +--- a/aclocal/libtirpc.m4 ++++ b/aclocal/libtirpc.m4 +@@ -26,6 +26,17 @@ AC_DEFUN([AC_LIBTIRPC], [ + [Define to 1 if your tirpc library provides libtirpc_set_debug])],, + [${LIBS}])]) + ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [rpc_gss_getcred], ++ [AC_DEFINE([HAVE_TIRPC_GSS_GETCRED], [1], ++ [Define to 1 if your tirpc library provides rpc_gss_getcred])],, ++ [${LIBS}])]) ++ ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [authdes_getucred], ++ [AC_DEFINE([HAVE_TIRPC_AUTHDES_GETUCRED], [1], ++ [Define to 1 if your tirpc library provides authdes_getucred])],, ++ [${LIBS}])]) + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST(LIBTIRPC) + +diff --git a/support/include/Makefile.am b/support/include/Makefile.am +index 1373891a..631a84f8 100644 +--- a/support/include/Makefile.am ++++ b/support/include/Makefile.am +@@ -10,6 +10,7 @@ noinst_HEADERS = \ + misc.h \ + nfs_mntent.h \ + nfs_paths.h \ ++ nfs_ucred.h \ + nfsd_path.h \ + nfslib.h \ + nfsrpc.h \ +diff --git a/support/include/nfs_ucred.h b/support/include/nfs_ucred.h +new file mode 100644 +index 00000000..d58b61e4 +--- /dev/null ++++ b/support/include/nfs_ucred.h +@@ -0,0 +1,44 @@ ++#ifndef _NFS_UCRED_H ++#define _NFS_UCRED_H ++ ++#include <sys/types.h> ++ ++struct nfs_ucred { ++ uid_t uid; ++ gid_t gid; ++ int ngroups; ++ gid_t *groups; ++}; ++ ++struct svc_req; ++struct exportent; ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep); ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, ++ const struct exportent *ep); ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep); ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp); ++ ++static inline void nfs_ucred_free(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ free(cred); ++} ++ ++static inline void nfs_ucred_init_groups(struct nfs_ucred *cred, gid_t *groups, ++ int ngroups) ++{ ++ cred->groups = groups; ++ cred->ngroups = ngroups; ++} ++ ++static inline void nfs_ucred_free_groups(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, NULL, 0); ++} ++ ++#endif /* _NFS_UCRED_H */ +diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am +index 8b0e9db9..ea970064 100644 +--- a/support/misc/Makefile.am ++++ b/support/misc/Makefile.am +@@ -2,6 +2,6 @@ + + noinst_LIBRARIES = libmisc.a + libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \ +- nfsd_path.c workqueue.c xstat.c ++ nfsd_path.c ucred.c workqueue.c xstat.c + + MAINTAINERCLEANFILES = Makefile.in +diff --git a/support/misc/ucred.c b/support/misc/ucred.c +new file mode 100644 +index 00000000..92d97912 +--- /dev/null ++++ b/support/misc/ucred.c +@@ -0,0 +1,162 @@ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <alloca.h> ++#include <errno.h> ++#include <pwd.h> ++#include <stdlib.h> ++#include <unistd.h> ++#include <grp.h> ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#include "xlog.h" ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ int i; ++ ++ if (!(ep->e_flags & NFSEXP_ROOTSQUASH)) ++ return; ++ if (cred->gid == 0) ++ cred->gid = ep->e_anongid; ++ for (i = 0; i < cred->ngroups; i++) { ++ if (cred->groups[i] == 0) ++ cred->groups[i] = ep->e_anongid; ++ } ++} ++ ++static int nfs_ucred_init_effective(struct nfs_ucred *cred) ++{ ++ int ngroups = getgroups(0, NULL); ++ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(gid_t); ++ gid_t *groups = malloc(sz); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgroups(ngroups, groups) == -1) { ++ free(groups); ++ return errno; ++ } ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = geteuid(); ++ cred->gid = getegid(); ++ return 0; ++} ++ ++static size_t nfs_ucred_getpw_r_size_max(void) ++{ ++ long buflen = sysconf(_SC_GETPW_R_SIZE_MAX); ++ ++ if (buflen == -1) ++ return 16384; ++ return buflen; ++} ++ ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ struct passwd pwd, *pw; ++ uid_t uid = cred->uid; ++ gid_t gid = cred->gid; ++ size_t buflen; ++ char *buf; ++ int ngroups = 0; ++ int ret; ++ ++ if (ep->e_flags & (NFSEXP_ALLSQUASH | NFSEXP_ROOTSQUASH) && ++ (int)uid == ep->e_anonuid) ++ return 0; ++ buflen = nfs_ucred_getpw_r_size_max(); ++ buf = alloca(buflen); ++ ret = getpwuid_r(uid, &pwd, buf, buflen, &pw); ++ if (ret != 0) ++ return ret; ++ if (!pw) ++ return ENOENT; ++ if (getgrouplist(pw->pw_name, gid, NULL, &ngroups) == -1 && ++ ngroups > 0) { ++ gid_t *groups = malloc(ngroups * sizeof(groups[0])); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgrouplist(pw->pw_name, gid, groups, &ngroups) == -1) { ++ free(groups); ++ return ENOMEM; ++ } ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ nfs_ucred_squash_groups(cred, ep); ++ } else ++ nfs_ucred_free_groups(cred); ++ return 0; ++} ++ ++static int nfs_ucred_set_effective(const struct nfs_ucred *cred, ++ const struct nfs_ucred *saved) ++{ ++ uid_t suid = saved ? saved->uid : geteuid(); ++ gid_t sgid = saved ? saved->gid : getegid(); ++ int ret; ++ ++ /* Start with a privileged effective user */ ++ if (setresuid(-1, 0, -1) < 0) { ++ xlog(L_WARNING, "can't change privileged user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ ++ if (setgroups(cred->ngroups, cred->groups) == -1) { ++ xlog(L_WARNING, "can't change groups for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ if (setresgid(-1, cred->gid, sgid) == -1) { ++ xlog(L_WARNING, "can't change gid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_groups; ++ } ++ if (setresuid(-1, cred->uid, suid) == -1) { ++ xlog(L_WARNING, "can't change uid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_gid; ++ } ++ return 0; ++restore_gid: ++ if (setresgid(-1, sgid, -1) < 0) { ++ xlog(L_WARNING, "can't restore privileged user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ } ++restore_groups: ++ if (saved) ++ setgroups(saved->ngroups, saved->groups); ++ else ++ setgroups(0, NULL); ++ return ret; ++} ++ ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp) ++{ ++ struct nfs_ucred *saved = malloc(sizeof(*saved)); ++ int ret; ++ ++ if (saved == NULL) ++ return ENOMEM; ++ ret = nfs_ucred_init_effective(saved); ++ if (ret != 0) { ++ free(saved); ++ return ret; ++ } ++ ret = nfs_ucred_set_effective(cred, saved); ++ if (savedp == NULL || ret != 0) ++ nfs_ucred_free(saved); ++ else ++ *savedp = saved; ++ return ret; ++} +diff --git a/support/nfs/Makefile.am b/support/nfs/Makefile.am +index 2e1577cc..f6921265 100644 +--- a/support/nfs/Makefile.am ++++ b/support/nfs/Makefile.am +@@ -7,7 +7,7 @@ libnfs_la_SOURCES = exports.c rmtab.c xio.c rpcmisc.c rpcdispatch.c \ + xcommon.c wildmat.c mydaemon.c \ + rpc_socket.c getport.c \ + svc_socket.c cacheio.c closeall.c nfs_mntent.c \ +- svc_create.c atomicio.c strlcat.c strlcpy.c ++ svc_create.c atomicio.c strlcat.c strlcpy.c ucred.c + libnfs_la_LIBADD = libnfsconf.la + libnfs_la_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS) -I$(top_srcdir)/support/reexport + +diff --git a/support/nfs/ucred.c b/support/nfs/ucred.c +new file mode 100644 +index 00000000..6ea8efdf +--- /dev/null ++++ b/support/nfs/ucred.c +@@ -0,0 +1,147 @@ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <errno.h> ++#include <stdlib.h> ++#include <unistd.h> ++#include <rpc/rpc.h> ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++#include <rpc/rpcsec_gss.h> ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++#include <rpc/auth_des.h> ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++static int nfs_ucred_copy_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups) ++{ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(groups[0]); ++ cred->groups = malloc(sz); ++ if (cred->groups == NULL) ++ return ENOMEM; ++ cred->ngroups = ngroups; ++ memcpy(cred->groups, groups, sz); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = uid; ++ cred->gid = gid; ++ return 0; ++} ++ ++static int nfs_ucred_init_cred_squashed(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ cred->uid = ep->e_anonuid; ++ cred->gid = ep->e_anongid; ++ nfs_ucred_init_groups(cred, NULL, 0); ++ return 0; ++} ++ ++static int nfs_ucred_init_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups, ++ const struct exportent *ep) ++{ ++ if (ep->e_flags & NFSEXP_ALLSQUASH) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ } else if (ep->e_flags & NFSEXP_ROOTSQUASH && uid == 0) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ if (gid != 0) ++ cred->gid = gid; ++ } else { ++ int ret = nfs_ucred_copy_cred(cred, uid, gid, groups, ngroups); ++ if (ret != 0) ++ return ret; ++ nfs_ucred_squash_groups(cred, ep); ++ } ++ return 0; ++} ++ ++static int nfs_ucred_init_null(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ return nfs_ucred_init_cred_squashed(cred, ep); ++} ++ ++static int nfs_ucred_init_unix(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authunix_parms *aup; ++ ++ aup = (struct authunix_parms *)rqst->rq_clntcred; ++ return nfs_ucred_init_cred(cred, aup->aup_uid, aup->aup_gid, ++ aup->aup_gids, aup->aup_len, ep); ++} ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++static int nfs_ucred_init_gss(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ rpc_gss_ucred_t *gss_ucred = NULL; ++ ++ if (!rpc_gss_getcred(rqst, NULL, &gss_ucred, NULL) || gss_ucred == NULL) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, gss_ucred->uid, gss_ucred->gid, ++ gss_ucred->gidlist, gss_ucred->gidlen, ep); ++} ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++int authdes_getucred(struct authdes_cred *adc, uid_t *uid, gid_t *gid, ++ int *grouplen, gid_t *groups); ++ ++static int nfs_ucred_init_des(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authdes_cred *des_cred; ++ uid_t uid; ++ gid_t gid; ++ int grouplen; ++ gid_t groups[NGROUPS]; ++ ++ des_cred = (struct authdes_cred *)rqst->rq_clntcred; ++ if (!authdes_getucred(des_cred, &uid, &gid, &grouplen, &groups[0])) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, uid, gid, groups, grouplen, ep); ++} ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct nfs_ucred *cred = malloc(sizeof(*cred)); ++ int ret; ++ ++ *credp = NULL; ++ if (cred == NULL) ++ return ENOMEM; ++ switch (rqst->rq_cred.oa_flavor) { ++ case AUTH_UNIX: ++ ret = nfs_ucred_init_unix(cred, rqst, ep); ++ break; ++#ifdef HAVE_TIRPC_GSS_GETCRED ++ case RPCSEC_GSS: ++ ret = nfs_ucred_init_gss(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++ case AUTH_DES: ++ ret = nfs_ucred_init_des(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ default: ++ ret = nfs_ucred_init_null(cred, ep); ++ break; ++ } ++ if (ret == 0) { ++ *credp = cred; ++ return 0; ++ } ++ free(cred); ++ return ret; ++} +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch new file mode 100644 index 000000000000..9f01604af0fa --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch @@ -0,0 +1,254 @@ +From a94b2b6002f31acc5a66893b7c6d368c6b7b8806 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Thu, 5 Mar 2026 10:41:02 -0500 +Subject: [PATCH] Fix access checks when mounting subdirectories in NFSv3 + +If a NFSv3 client asks to mount a subdirectory of one of the exported +directories, then apply the RPC credential together with any root +or all squash rules that would apply to the client in question. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899088ca1925de079bd58d6205a1f3c] + +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +Signed-off-by: Scott Mayhew <smayhew@redhat.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +(cherry picked from commit f36bd900a899088ca1925de079bd58d6205a1f3c) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + nfs.conf | 1 + + support/include/nfsd_path.h | 9 ++++++++- + support/misc/nfsd_path.c | 32 ++++++++++++++++++++++++++++++-- + utils/mountd/mountd.c | 28 ++++++++++++++++++++++++++-- + utils/mountd/mountd.man | 26 ++++++++++++++++++++++++++ + 5 files changed, 91 insertions(+), 5 deletions(-) + +diff --git a/nfs.conf b/nfs.conf +index 323f072b..e08cd9a9 100644 +--- a/nfs.conf ++++ b/nfs.conf +@@ -45,6 +45,7 @@ + # ttl=1800 + [mountd] + # debug="all|auth|call|general|parse" ++# apply-root-cred=n + # manage-gids=n + # descriptors=0 + # port=0 +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index 3e5a2f5d..06c0f2f4 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -9,6 +9,7 @@ + struct file_handle; + struct statfs; + struct nfsd_task_t; ++struct nfs_ucred; + + void nfsd_path_init(void); + +@@ -18,7 +19,8 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); +-int nfsd_openat(int dirfd, const char *path, int flags); ++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, ++ const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +@@ -31,4 +33,9 @@ ssize_t nfsd_path_write(int fd, void* buf, size_t len); + int nfsd_name_to_handle_at(int fd, const char *path, + struct file_handle *fh, + int *mount_id, int flags); ++ ++static inline int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ return nfsd_cred_openat(NULL, dirfd, path, flags); ++} + #endif +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index dfe88e4f..6466666d 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -17,6 +17,7 @@ + #include "xstat.h" + #include "nfslib.h" + #include "nfsd_path.h" ++#include "nfs_ucred.h" + #include "workqueue.h" + + static struct xthread_workqueue *nfsd_wq = NULL; +@@ -204,6 +205,7 @@ nfsd_realpath(const char *path, char *resolved_buf) + } + + struct nfsd_openat_t { ++ const struct nfs_ucred *cred; + const char *path; + int dirfd; + int flags; +@@ -220,15 +222,41 @@ static void nfsd_openatfunc(void *data) + d->res_error = errno; + } + +-int nfsd_openat(int dirfd, const char *path, int flags) ++static void nfsd_cred_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ struct nfs_ucred *saved = NULL; ++ int ret; ++ ++ ret = nfs_ucred_swap_effective(d->cred, &saved); ++ if (ret != 0) { ++ d->res_fd = -1; ++ d->res_error = ret; ++ return; ++ } ++ ++ nfsd_openatfunc(data); ++ ++ if (saved != NULL) { ++ nfs_ucred_swap_effective(saved, NULL); ++ nfs_ucred_free(saved); ++ } ++} ++ ++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, const char *path, ++ int flags) + { + struct nfsd_openat_t open_buf = { ++ .cred = cred, + .path = path, + .dirfd = dirfd, + .flags = flags, + }; + +- nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (cred) ++ nfsd_run_task(nfsd_cred_openatfunc, &open_buf); ++ else ++ nfsd_run_task(nfsd_openatfunc, &open_buf); + if (open_buf.res_fd == -1) + errno = open_buf.res_error; + return open_buf.res_fd; +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index f43ebef5..6e6777cd 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -31,6 +31,7 @@ + #include "nfsd_path.h" + #include "nfslib.h" + #include "export.h" ++#include "nfs_ucred.h" + + extern void my_svc_run(void); + +@@ -40,6 +41,7 @@ static struct nfs_fh_len *get_rootfh(struct svc_req *, dirpath *, nfs_export **, + + int reverse_resolve = 0; + int manage_gids; ++int apply_root_cred; + int use_ipaddr = -1; + + /* PRC: a high-availability callout program can be specified with -H +@@ -74,9 +76,10 @@ static struct option longopts[] = + { "log-auth", 0, 0, 'l'}, + { "cache-use-ipaddr", 0, 0, 'i'}, + { "ttl", 1, 0, 'T'}, ++ { "apply-root-cred", 0, 0, 'c' }, + { NULL, 0, 0, 0 } + }; +-static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:"; ++static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:c"; + + #define NFSVERSBIT(vers) (0x1 << (vers - 1)) + #define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4)) +@@ -453,11 +456,27 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + while (*subpath == '/') + subpath++; + if (*subpath != '\0') { ++ struct nfs_ucred *cred = NULL; + int fd; + ++ /* Load the user cred */ ++ if (!apply_root_cred) { ++ nfs_ucred_get(&cred, rqstp, &exp->m_export); ++ if (cred == NULL) { ++ xlog(L_WARNING, "can't retrieve credential"); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } ++ if (manage_gids) ++ nfs_ucred_reload_groups(cred, &exp->m_export); ++ } ++ + /* Just perform a lookup of the path */ +- fd = nfsd_openat(dirfd, subpath, O_PATH); ++ fd = nfsd_cred_openat(cred, dirfd, subpath, O_PATH); + close(dirfd); ++ if (cred) ++ nfs_ucred_free(cred); + if (fd == -1) { + xlog(L_WARNING, "can't open exported dir %s: %s", p, + strerror(errno)); +@@ -681,6 +700,8 @@ read_mountd_conf(char **argv) + ttl = conf_get_num("mountd", "ttl", default_ttl); + if (ttl > 0) + default_ttl = ttl; ++ apply_root_cred = conf_get_bool("mountd", "apply-root-cred", ++ apply_root_cred); + } + + int +@@ -794,6 +815,9 @@ main(int argc, char **argv) + } + default_ttl = ttl; + break; ++ case 'c': ++ apply_root_cred = 1; ++ break; + case 0: + break; + case '?': +diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man +index a206a3e2..f4f1fc23 100644 +--- a/utils/mountd/mountd.man ++++ b/utils/mountd/mountd.man +@@ -242,6 +242,32 @@ can support both NFS version 2 and the newer version 3. + Print the version of + .B rpc.mountd + and exit. ++.TP ++.B \-c " or " \-\-apply-root-cred ++When mountd is asked to allow a NFSv3 mount to a subdirectory of the ++exported directory, then it will check if the user asking to mount has ++lookup rights to the directories below that exported directory. When ++performing the check, mountd will apply any root squash or all squash ++rules that were specified for that client. ++ ++Performing lookup checks as the user requires that the mountd daemon ++be run as root or that it be given CAP_SETUID and CAP_SETGID privileges ++so that it can change its own effective user and effective group settings. ++When troubleshooting, please also note that LSM frameworks such as SELinux ++can sometimes prevent the daemon from changing the effective user/groups ++despite the capability settings. ++ ++In earlier versions of mountd, the same checks were performed using the ++mountd daemon's root privileges, meaning that it could authorise access ++to directories that are not normally accessible to the user requesting ++to mount them. This option enables that legacy behaviour. ++ ++.BR Note: ++If there is a need to provide access to specific subdirectories that ++are not normally accessible to a client, it is always possible to add ++export entries that explicitly grant such access. That ability does ++not depend on this option being enabled. ++ + .TP + .B \-g " or " \-\-manage-gids + Accept requests from the kernel to map user id numbers into lists of +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 2f2644f9a831..91c74fe5ef78 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb @@ -33,6 +33,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ + file://CVE-2025-12801-dependent_p1.patch \ + file://CVE-2025-12801-dependent_p2.patch \ + file://CVE-2025-12801-dependent_p3.patch \ + file://CVE-2025-12801-dependent_p4.patch \ + file://CVE-2025-12801.patch \ + file://CVE-2025-12801-build-fix.patch \ " SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d" From 736dd8c8f90d43e4bcdb0954a99764a62fccc20e Mon Sep 17 00:00:00 2001 From: Amaury Couderc <amaury.couderc@est.tech> Date: Fri, 26 Jun 2026 16:28:08 +0200 Subject: [PATCH 93/96] python3: fix CVE-2026-4224 Backport patch to fix CVE-2026-4224. https://nvd.nist.gov/vuln/detail/CVE-2026-4224 Upstream fix: https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785 Tested with ptest: Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877 After: PASSED: 40006, FAILED: 0, SKIPPED: 1877 Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- .../python/python3/CVE-2026-4224.patch | 121 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 122 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4224.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4224.patch b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch new file mode 100644 index 000000000000..09dd2dda0033 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch @@ -0,0 +1,121 @@ +From ca301e24e20d1d9d58bbd432ff103cab2cb87128 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych <stan@python.org> +Date: Wed, 8 Apr 2026 11:27:39 +0100 +Subject: [PATCH] gh-145986: Avoid unbound C recursion in `conv_content_model` + in `pyexpat.c` (CVE-2026-4224) (GH-145987) (#146000) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* [3.11] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE-2026-4224) (GH-145987) + +Fix C stack overflow (CVE-2026-4224) when an Expat parser +with a registered `ElementDeclHandler` parses inline DTD +containing deeply nested content model. + +--------- +(cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768) +(cherry picked from commit e5caf45faac74b0ed869e3336420cffd3510ce6e) + +Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> +Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> + +* Update Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst + +--------- + +Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> + +CVE: CVE-2026-4224 +Upstream-Status: Backport [https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785] + +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> +--- + Lib/test/test_pyexpat.py | 18 ++++++++++++++++++ + ...6-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++++ + Modules/pyexpat.c | 9 ++++++++- + 3 files changed, 30 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst + +diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py +index 38f951573f0..37d9086f40a 100644 +--- a/Lib/test/test_pyexpat.py ++++ b/Lib/test/test_pyexpat.py +@@ -675,6 +675,24 @@ class ChardataBufferTest(unittest.TestCase): + parser.Parse(xml2, True) + self.assertEqual(self.n, 4) + ++class ElementDeclHandlerTest(unittest.TestCase): ++ def test_deeply_nested_content_model(self): ++ # This should raise a RecursionError and not crash. ++ # See https://github.com/python/cpython/issues/145986. ++ N = 500_000 ++ data = ( ++ b'<!DOCTYPE root [\n<!ELEMENT root ' ++ + b'(a, ' * N + b'a' + b')' * N ++ + b'>\n]>\n<root/>\n' ++ ) ++ ++ parser = expat.ParserCreate() ++ parser.ElementDeclHandler = lambda _1, _2: None ++ with support.infinite_recursion(): ++ with self.assertRaises(RecursionError): ++ parser.Parse(data) ++ ++ + class MalformedInputTest(unittest.TestCase): + def test1(self): + xml = b"\0\r\n" +diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst +new file mode 100644 +index 00000000000..cb9dbadb72d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst +@@ -0,0 +1,4 @@ ++:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when ++converting deeply nested XML content models with ++:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`. ++This addresses `CVE-2026-4224 <https://www.cve.org/CVERecord?id=CVE-2026-4224>`_. +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 79492ca5c4f..8673540f358 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -3,6 +3,7 @@ + #endif + + #include "Python.h" ++#include "pycore_ceval.h" // _Py_EnterRecursiveCall() + #include "pycore_runtime.h" // _Py_ID() + #include <ctype.h> + +@@ -578,6 +579,10 @@ static PyObject * + conv_content_model(XML_Content * const model, + PyObject *(*conv_string)(const XML_Char *)) + { ++ if (_Py_EnterRecursiveCall(" in conv_content_model")) { ++ return NULL; ++ } ++ + PyObject *result = NULL; + PyObject *children = PyTuple_New(model->numchildren); + int i; +@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model, + conv_string); + if (child == NULL) { + Py_XDECREF(children); +- return NULL; ++ goto done; + } + PyTuple_SET_ITEM(children, i, child); + } +@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model, + model->type, model->quant, + conv_string,model->name, children); + } ++done: ++ _Py_LeaveRecursiveCall(); + return result; + } + +-- +2.34.1 diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index bf0e1702d54a..06dbc8e892d9 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -43,6 +43,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-6019_p1.patch \ file://CVE-2026-6019_p2.patch \ file://CVE-2025-13462.patch \ + file://CVE-2026-4224.patch \ " SRC_URI:append:class-native = " \ From 50f40609b27c169e9da1f076172daabbf55732d0 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Wed, 8 Apr 2026 08:13:13 +0100 Subject: [PATCH 94/96] oeqa: Drop /git/ from our urls Using /git/ in our urls is rather old school and not the preferred format now. Update the urls to the preferred form even if the other ones still work. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8ac7c0c3493a6141476093bb2c1c79004c55857d) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- meta-selftest/recipes-test/gitrepotest/gitrepotest.bb | 2 +- .../recipes-test/gitunpackoffline/gitunpackoffline.inc | 4 ++-- meta/lib/oeqa/manual/toaster-managed-mode.json | 6 +++--- meta/lib/oeqa/sdkext/cases/devtool.py | 4 ++-- meta/lib/oeqa/selftest/cases/devtool.py | 4 ++-- meta/lib/oeqa/selftest/cases/recipetool.py | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb index f1b6c55833bf..fa61fdce0bc9 100644 --- a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb +++ b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb @@ -7,7 +7,7 @@ INHIBIT_DEFAULT_DEPS = "1" PATCHTOOL="git" -SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https \ +SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https \ file://0001-testpatch.patch \ " diff --git a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc index 602e895199b3..245c0bbdeef3 100644 --- a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc +++ b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc @@ -1,5 +1,5 @@ SUMMARY = "Test recipe for fetching git submodules" -HOMEPAGE = "https://git.yoctoproject.org/git/matchbox-panel-2" +HOMEPAGE = "https://git.yoctoproject.org/matchbox-panel-2" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" @@ -8,7 +8,7 @@ INHIBIT_DEFAULT_DEPS = "1" TAGVALUE = "2.10" # Deliberately have a tag which has to be resolved but ensure do_unpack doesn't access the network again. -SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https" +SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https" SRC_URI:append:gitunpack-enable-recipe = ";tag=${TAGVALUE}" SRCREV = "f82ca3f42510fb3ef10f598b393eb373a2c34ca7" SRCREV:gitunpack-enable-recipe = "" diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json index 1a71985c3c16..d1d500864e5c 100644 --- a/meta/lib/oeqa/manual/toaster-managed-mode.json +++ b/meta/lib/oeqa/manual/toaster-managed-mode.json @@ -2176,7 +2176,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky", "expected_results": "" }, "2": { @@ -2458,7 +2458,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky", "expected_results": "" }, "2": { @@ -2496,7 +2496,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky\n", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky\n", "expected_results": "" }, "2": { diff --git a/meta/lib/oeqa/sdkext/cases/devtool.py b/meta/lib/oeqa/sdkext/cases/devtool.py index d0746e68ebaa..a28d5b020c57 100644 --- a/meta/lib/oeqa/sdkext/cases/devtool.py +++ b/meta/lib/oeqa/sdkext/cases/devtool.py @@ -71,14 +71,14 @@ def test_devtool_build_cmake(self): def test_extend_autotools_recipe_creation(self): recipe = "test-dbus-wait" self._run('devtool sdk-install dbus') - self._run('devtool add %s https://git.yoctoproject.org/git/dbus-wait' % (recipe) ) + self._run('devtool add %s https://git.yoctoproject.org/dbus-wait' % (recipe) ) try: self._run('devtool build %s' % recipe) finally: self._run('devtool reset %s' % recipe) def test_devtool_kernelmodule(self): - docfile = 'https://git.yoctoproject.org/git/kernel-module-hello-world' + docfile = 'https://git.yoctoproject.org/kernel-module-hello-world' recipe = 'kernel-module-hello-world' self._run('devtool add %s %s' % (recipe, docfile) ) try: diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py index d56696c10dd5..6af3e2417a31 100644 --- a/meta/lib/oeqa/selftest/cases/devtool.py +++ b/meta/lib/oeqa/selftest/cases/devtool.py @@ -440,7 +440,7 @@ def test_devtool_add_git_local(self): pn = 'dbus-wait' srcrev = '6cc6077a36fe2648a5f993fe7c16c9632f946517' # We choose an https:// git URL here to check rewriting the URL works - url = 'https://git.yoctoproject.org/git/dbus-wait' + url = 'https://git.yoctoproject.org/dbus-wait' # Force fetching to "noname" subdir so we verify we're picking up the name from autoconf # instead of the directory name result = runCmd('git clone %s noname' % url, cwd=tempdir) @@ -467,7 +467,7 @@ def test_devtool_add_git_local(self): checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263' checkvars['S'] = '${WORKDIR}/git' checkvars['PV'] = '0.1+git' - checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master' + checkvars['SRC_URI'] = 'git://git.yoctoproject.org/dbus-wait;protocol=https;branch=master' checkvars['SRCREV'] = srcrev checkvars['DEPENDS'] = set(['dbus']) self._test_recipe_contents(recipefile, checkvars, []) diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py index 126906df5026..8c54e65ad629 100644 --- a/meta/lib/oeqa/selftest/cases/recipetool.py +++ b/meta/lib/oeqa/selftest/cases/recipetool.py @@ -738,7 +738,7 @@ def _test_recipetool_create_git(self, srcuri, branch=None): self._test_recipe_contents(recipefile, checkvars, []) def test_recipetool_create_git_http(self): - self._test_recipetool_create_git('http://git.yoctoproject.org/git/matchbox-keyboard') + self._test_recipetool_create_git('http://git.yoctoproject.org/matchbox-keyboard') def test_recipetool_create_git_srcuri_master(self): self._test_recipetool_create_git('git://git.yoctoproject.org/matchbox-keyboard;branch=master;protocol=https') From be8b46f3a31b679b5ab532dd6e16888f868ce076 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Wed, 8 Apr 2026 22:43:17 +0100 Subject: [PATCH 95/96] recipetool: Recognise https://git. as git urls If a url has git. in it, assume it is likely to be a git cloneable url and should be treated as such. This allows us to switch from https://git.yoctoproject.org/git/XXX urls to the preferred https://git.yoctoproject.org/XXX form. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cedc9209e3bae0da8d61423b16c74c49a132aa63) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> --- scripts/lib/recipetool/create.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/recipetool/create.py b/scripts/lib/recipetool/create.py index 8e9ff38db6cc..b6005b64766c 100644 --- a/scripts/lib/recipetool/create.py +++ b/scripts/lib/recipetool/create.py @@ -366,7 +366,7 @@ def supports_srcrev(uri): def reformat_git_uri(uri): '''Convert any http[s]://....git URI into git://...;protocol=http[s]''' checkuri = uri.split(';', 1)[0] - if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri): + if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri) or re.match(r'https?://git\..*', checkuri): # Appends scheme if the scheme is missing if not '://' in uri: uri = 'git://' + uri From 2814f0962f56c8d1afa4de76d2895ba9b5cb767d Mon Sep 17 00:00:00 2001 From: Paul Barker <paul@pbarker.dev> Date: Thu, 2 Jul 2026 13:50:35 +0100 Subject: [PATCH 96/96] build-appliance-image: Update to scarthgap head revisions Signed-off-by: Paul Barker <paul@pbarker.dev> --- meta/recipes-core/images/build-appliance-image_15.0.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 83ac41577925..b94cd2adba7f 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check REQUIRED_DISTRO_FEATURES += "xattr" -SRCREV ?= "3a813d72a872c2ab2b7f02035a73ae3def21f565" +SRCREV ?= "ba193efe202b808f7fc114fb17f4f06c02d50fb9" SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap;protocol=https \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \