1. meta-virtualization@lists.yoctoproject.org
  2. Messages
   Date   
[PATCHv2 1/2] uxen-guest-tools: fix build against kernels 5.15+

Martin Jansa
 

This is a compile only fix to update the uxen kernel modules to
work against newer kernels.

Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
...-support-fix-build-for-kernel-s-5.15.patch | 46 +++++++++++++++++++
...-support-fix-build-for-kernel-s-5.14.patch | 32 +++++++++++++
.../uxen/uxen-guest-tools_4.1.8.bb | 4 +-
3 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
create mode 100644 recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch

diff --git a/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch b/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
new file mode 100644
index 0000000..6b7f1f8
--- /dev/null
+++ b/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
@@ -0,0 +1,46 @@
+From f8a33a209498b32b0fc06d80baa071f0902b9a85 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 06:45:34 -0800
+Subject: [PATCH] vm-support: fix build for kernel's > 5.15
+
+* remove callback was changed to return void instead of int in:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc7a6209d5710618eb4f72a77cd81b8d694ecf89
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ uxenplatform/platform.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/uxenplatform/platform.c b/uxenplatform/platform.c
+index 99fc76a..5225a00 100644
+--- a/uxenplatform/platform.c
++++ b/uxenplatform/platform.c
+@@ -4,6 +4,7 @@
+ #include <linux/random.h>
+ #include <linux/kthread.h>
+ #include <linux/delay.h>
++#include <linux/version.h>
+
+ #include <uxen-hypercall.h>
+ #include <uxen-platform.h>
+@@ -32,14 +33,20 @@ static int bus_probe(struct device *_dev)
+ return drv && drv->probe ? drv->probe(dev) : -ENODEV;
+ }
+
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0))
+ static int bus_remove(struct device *_dev)
++#else
++static void bus_remove(struct device *_dev)
++#endif
+ {
+ struct uxen_device *dev = dev_to_uxen(_dev);
+ struct uxen_driver *drv = drv_to_uxen(_dev->driver);
+
+ if (dev && drv && drv->remove)
+ drv->remove(dev);
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0))
+ return 0;
++#endif
+ }
+
+ static int bus_suspend(struct device *_dev, pm_message_t state)
diff --git a/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch b/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch
new file mode 100644
index 0000000..ec31eea
--- /dev/null
+++ b/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch
@@ -0,0 +1,32 @@
+From 59986e91d807591f05dfbd57b459ba71670874f9 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 15:04:31 +0000
+Subject: [PATCH] vm-support: fix build for kernel's > 5.14
+
+* remove set_driver_byte call
+* not sure if it's still necessary here, but set_driver_byte as well as DRIVER_SENSE was killed in 5.14 with:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=464a00c9e0ad45e3f42ff6ea705491a356df818e
+
+ in some cases it was replaced with set_status_byte(sc, SAM_STAT_CHECK_CONDITION), but I didn't
+ read the implementation carefully enough to decide if this is still needed, I was only interested
+ in fixing the build failure (and I don't use this at all to test it in runtime)
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ uxenstor/stor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/uxenstor/stor.c b/uxenstor/stor.c
+index e07b08e..6bf2184 100644
+--- a/uxenstor/stor.c
++++ b/uxenstor/stor.c
+@@ -109,7 +109,9 @@ static void uxenstor_softirq(unsigned long opaque)
+ sc->sense_buffer,
+ sizeof(hdr) + hdr.sense_size,
+ 0, sizeof(hdr));
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,14,0))
+ set_driver_byte(sc, DRIVER_SENSE);
++#endif
+ }
+
+ set_host_byte(sc, DID_ERROR);
diff --git a/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb b/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
index 06dc376..841c71a 100644
--- a/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
+++ b/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
@@ -10,7 +10,9 @@ SRC_URI = " \
https://www.bromium.com/wp-content/uploads/2019/11/Bromium-4.1.8-Open-Source-Software.pdf;name=license \
file://fix-Makefile-for-OE-kernel-build.patch \
file://0001-vm-support-fix-build-for-kernel-s-5.4.patch \
- "
+ file://0002-vm-support-fix-build-for-kernel-s-5.15.patch \
+ file://0003-vm-support-fix-build-for-kernel-s-5.14.patch \
+"

SRC_URI[uxen.sha384sum] = "be2233bc6506a23350d76c03ac28ea7ea381e1dc6ed5ce996e8ac71e6a3316fcaa2ed070c622618bd226f43a4d6db5d4"
SRC_URI[license.sha384sum] = "92e48c614df3094cb52321d4c4e01f6df5526d46aee5c6fa36c43ee23d4c33f03baa1fc5f6f29efafff636b6d13bc92c"
--
2.32.0
Re: [dunfell][gatesgarth][hardknott][master][PATCH] uxen-guest-tools: inherit dos2unix to fix do_patch failure

Martin Jansa
 


On Thu, Jul 29, 2021 at 7:53 PM Christopher Clark <christopher.w.clark@...> wrote:
On Fri, Jul 23, 2021 at 9:55 AM Bruce Ashfield <bruce.ashfield@...> wrote:
>
> On Fri, Jul 23, 2021 at 9:29 AM Martin Jansa <Martin.Jansa@...> wrote:
> >
> > it builds ok with 5.4 in dunfell now, only gatesgarth with 5.8 and newer with 5.10 kernel are broken
> >
>
> I've applied your patch, and have pushed it to the repo.
>
> I'm also seeing the build failure now.
>
> I tried to bump the version of the package, but it still has the same
> kernel build issue. (my efforts are here:
> https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/commit/?h=master-test&id=3ae2e9b3036890968cb9b152d128db9b47f01c89)
>
> Christoper: did you want to take a look at the uprev / fix of the build ?

A quick update on this: I did take a look and repro'd the build
failure with the current Linux 5.10 kernel.
I've filed a ticket on the upstream project issue tracker with some
details and am waiting on a response.

Christopher

>
> Bruce
>
>
> > On Fri, Jul 23, 2021 at 2:54 PM Martin Jansa via lists.yoctoproject.org <Martin.Jansa=gmail.com@...> wrote:
> >>
> >> Now with do_patch fixed it fails a bit later in do_compile with:
> >>
> >> | make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
> >> | make[1]: Entering directory '/OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source'
> >> | make[2]: Entering directory '/OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-build-artifacts'
> >> |   CC [M]  /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.o
> >> | /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c: In function 'uxen_hypercall_init':
> >> | /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c:127:24: error: too many arguments to function '__vmalloc'
> >> |   127 |         uxen_hcbase =  __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
> >> |       |                        ^~~~~~~~~
> >> | In file included from /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c:9:
> >> | /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/vmalloc.h:131:14: note: declared here
> >> |   131 | extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
> >> |       |              ^~~~~~~~~
> >> | In file included from /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/module.h:21,
> >> |                  from /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c:3:
> >> | /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c: At top level:
> >> | /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/module.h:182:43: error: expected ',' or ';' before 'KBUILD_MODFILE'
> >> |   182 | #define MODULE_FILE     MODULE_INFO(file, KBUILD_MODFILE);
> >> |       |                                           ^~~~~~~~~~~~~~
> >> | /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/moduleparam.h:26:61: note: in definition of macro '__MODULE_INFO'
> >> |    26 |                 = __MODULE_INFO_PREFIX __stringify(tag) "=" info
> >> |       |                                                             ^~~~
> >> | /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/module.h:182:25: note: in expansion of macro 'MODULE_INFO'
> >> |   182 | #define MODULE_FILE     MODULE_INFO(file, KBUILD_MODFILE);
> >> |       |                         ^~~~~~~~~~~
> >> | /OE/build/oe-core/tmp-glibc/work-shared/qemux86-64/kernel-source/include/linux/module.h:229:34: note: in expansion of macro 'MODULE_FILE'
> >> |   229 | #define MODULE_LICENSE(_license) MODULE_FILE MODULE_INFO(license, _license)
> >> |       |                                  ^~~~~~~~~~~
> >> | /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/uxen-vmsupport-linux-4.1.7/uxenhc/hypercall.c:156:1: note: in expansion of macro 'MODULE_LICENSE'
> >> |   156 | MODULE_LICENSE("GPL");
> >> |       | ^~~~~~~~~~~~~~
> >>
> >> at least with oe-core/master, will check with older kernel in dunfell next.
> >>
> >> On Fri, Jul 23, 2021 at 2:46 PM Martin Jansa via lists.yoctoproject.org <Martin.Jansa=gmail.com@...> wrote:
> >>>
> >>> * fixes:
> >>>   ERROR: uxen-guest-tools-4.1.7-r0 do_patch: Command Error: 'quilt --quiltrc /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/uxen-guest-tools/4.1.7-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0  Output:
> >>>   stdout: Applying patch fix-Makefile-for-OE-kernel-build.patch
> >>>   patching file Makefile
> >>>   Hunk #1 FAILED at 1 (different line endings).
> >>>   Hunk #2 FAILED at 19 (different line endings).
> >>>   2 out of 2 hunks FAILED -- rejects in file Makefile
> >>>   Patch fix-Makefile-for-OE-kernel-build.patch does not apply (enforce with -f)
> >>>
> >>> Signed-off-by: Martin Jansa <Martin.Jansa@...>
> >>> ---
> >>>  recipes-extended/uxen/uxen-guest-tools_4.1.7.bb | 2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/recipes-extended/uxen/uxen-guest-tools_4.1.7.bb b/recipes-extended/uxen/uxen-guest-tools_4.1.7.bb
> >>> index 757f1e3..4dcfe51 100644
> >>> --- a/recipes-extended/uxen/uxen-guest-tools_4.1.7.bb
> >>> +++ b/recipes-extended/uxen/uxen-guest-tools_4.1.7.bb
> >>> @@ -19,4 +19,4 @@ LIC_FILES_CHKSUM = "file://../Bromium-4.1.8-Open-Source-Software.pdf;md5=cf120df
> >>>
> >>>  S = "${WORKDIR}/uxen-vmsupport-linux-${PV}"
> >>>
> >>> -inherit module
> >>> +inherit module dos2unix
> >>> --
> >>> 2.30.2
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
[PATCH] uxen-guest-tools: fix build against kernels 5.15+

Martin Jansa
 

This is a compile only fix to update the uxen kernel modules to
work against newer kernels.

There is one more issue with 5.15 and this applied:
ERROR: modpost: missing MODULE_LICENSE() in uxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/uxenhc/uxenhc.o

Bruce already tried to fix it in 0001-vm-support-fix-build-for-kernel-s-5.4.patch
but it isn't enough for 5.15 and if I remove his MODULE_LICENSE() and KBUILD_MODFILE
changes, then I get probably the same error he was originally trying to fix for 5.4:

| make -C work-shared/qemux86-64/kernel-source LX_TARGET_ATTOVM=n LX_TARGET_STANDARDVM=y M=uxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux EXTRA_CFLAGS="-DLX_TARGET_STANDARDVM -g -Wall" NOSTDINC_FLAGS="-Iuxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/include/ -Iuxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/include/uxen -Iuxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/include/uxen/xen"
| make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
| make[1]: Entering directory 'work-shared/qemux86-64/kernel-source'
| make[2]: Entering directory 'work-shared/qemux86-64/kernel-build-artifacts'
| CC [M] uxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/uxenhc/hypercall.o
| In file included from work-shared/qemux86-64/kernel-source/include/linux/module.h:22,
| from uxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/uxenhc/hypercall.c:3:
| work-shared/qemux86-64/kernel-source/include/linux/module.h:183:43: error: expected ',' or ';' before 'KBUILD_MODFILE'
| 183 | #define MODULE_FILE MODULE_INFO(file, KBUILD_MODFILE);
| | ^~~~~~~~~~~~~~
| work-shared/qemux86-64/kernel-source/include/linux/moduleparam.h:26:61: note: in definition of macro '__MODULE_INFO'
| 26 | = __MODULE_INFO_PREFIX __stringify(tag) "=" info
| | ^~~~
| work-shared/qemux86-64/kernel-source/include/linux/module.h:183:25: note: in expansion of macro 'MODULE_INFO'
| 183 | #define MODULE_FILE MODULE_INFO(file, KBUILD_MODFILE);
| | ^~~~~~~~~~~
| work-shared/qemux86-64/kernel-source/include/linux/module.h:230:34: note: in expansion of macro 'MODULE_FILE'
| 230 | #define MODULE_LICENSE(_license) MODULE_FILE MODULE_INFO(license, _license)
| | ^~~~~~~~~~~
| uxen-guest-tools/4.1.8-r0/uxen-4.1.8-72a4af9/vm-support/linux/uxenhc/hypercall.c:161:1: note: in expansion of macro 'MODULE_LICENSE'
| 161 | MODULE_LICENSE("GPL");
| | ^~~~~~~~~~~~~~

Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
...-support-fix-build-for-kernel-s-5.15.patch | 47 +++++++++++++++++++
...-support-fix-build-for-kernel-s-5.14.patch | 32 +++++++++++++
.../uxen/uxen-guest-tools_4.1.8.bb | 4 +-
3 files changed, 82 insertions(+), 1 deletion(-)
create mode 100644 recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
create mode 100644 recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch

diff --git a/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch b/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
new file mode 100644
index 0000000..a8089f6
--- /dev/null
+++ b/recipes-extended/uxen/uxen-guest-tools/0002-vm-support-fix-build-for-kernel-s-5.15.patch
@@ -0,0 +1,47 @@
+From cc31e9648b76bfaa2f04825b5ef8c09fe79782f7 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 06:45:34 -0800
+Subject: [PATCH] vm-support: fix build for kernel's > 5.15
+
+* remove callback was changed to return void instead of int in:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc7a6209d5710618eb4f72a77cd81b8d694ecf89
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ uxenplatform/platform.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/uxenplatform/platform.c b/uxenplatform/platform.c
+index 99fc76a..579be7a 100644
+--- a/uxenplatform/platform.c
++++ b/uxenplatform/platform.c
+@@ -4,6 +4,7 @@
+ #include <linux/random.h>
+ #include <linux/kthread.h>
+ #include <linux/delay.h>
++#include <linux/version.h>
+
+ #include <uxen-hypercall.h>
+ #include <uxen-platform.h>
+@@ -64,7 +65,11 @@ static int bus_resume(struct device *_dev)
+ return 0;
+ }
+
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0))
+ static int device_remove(struct device *_dev, void *data)
++#else
++static void device_remove(struct device *_dev, void *data)
++#endif
+ {
+ struct uxen_device *dev = dev_to_uxen(_dev);
+ struct uxen_driver *drv = drv_to_uxen(_dev->driver);
+@@ -72,7 +77,9 @@ static int device_remove(struct device *_dev, void *data)
+ if (dev && drv && drv->remove)
+ drv->remove(dev);
+ device_unregister(_dev);
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0))
+ return 0;
++#endif
+ }
+
+ int protvm_use_secure_keyboard = 0;
diff --git a/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch b/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch
new file mode 100644
index 0000000..ec31eea
--- /dev/null
+++ b/recipes-extended/uxen/uxen-guest-tools/0003-vm-support-fix-build-for-kernel-s-5.14.patch
@@ -0,0 +1,32 @@
+From 59986e91d807591f05dfbd57b459ba71670874f9 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 15:04:31 +0000
+Subject: [PATCH] vm-support: fix build for kernel's > 5.14
+
+* remove set_driver_byte call
+* not sure if it's still necessary here, but set_driver_byte as well as DRIVER_SENSE was killed in 5.14 with:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=464a00c9e0ad45e3f42ff6ea705491a356df818e
+
+ in some cases it was replaced with set_status_byte(sc, SAM_STAT_CHECK_CONDITION), but I didn't
+ read the implementation carefully enough to decide if this is still needed, I was only interested
+ in fixing the build failure (and I don't use this at all to test it in runtime)
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ uxenstor/stor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/uxenstor/stor.c b/uxenstor/stor.c
+index e07b08e..6bf2184 100644
+--- a/uxenstor/stor.c
++++ b/uxenstor/stor.c
+@@ -109,7 +109,9 @@ static void uxenstor_softirq(unsigned long opaque)
+ sc->sense_buffer,
+ sizeof(hdr) + hdr.sense_size,
+ 0, sizeof(hdr));
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,14,0))
+ set_driver_byte(sc, DRIVER_SENSE);
++#endif
+ }
+
+ set_host_byte(sc, DID_ERROR);
diff --git a/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb b/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
index 06dc376..841c71a 100644
--- a/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
+++ b/recipes-extended/uxen/uxen-guest-tools_4.1.8.bb
@@ -10,7 +10,9 @@ SRC_URI = " \
https://www.bromium.com/wp-content/uploads/2019/11/Bromium-4.1.8-Open-Source-Software.pdf;name=license \
file://fix-Makefile-for-OE-kernel-build.patch \
file://0001-vm-support-fix-build-for-kernel-s-5.4.patch \
- "
+ file://0002-vm-support-fix-build-for-kernel-s-5.15.patch \
+ file://0003-vm-support-fix-build-for-kernel-s-5.14.patch \
+"

SRC_URI[uxen.sha384sum] = "be2233bc6506a23350d76c03ac28ea7ea381e1dc6ed5ce996e8ac71e6a3316fcaa2ed070c622618bd226f43a4d6db5d4"
SRC_URI[license.sha384sum] = "92e48c614df3094cb52321d4c4e01f6df5526d46aee5c6fa36c43ee23d4c33f03baa1fc5f6f29efafff636b6d13bc92c"
--
2.32.0
Re: [PATCH] singularity: fix build with automake-1.16.5

Bruce Ashfield
 

Looks good to me, fix confirmed on my builder.

Merged.

Bruce

On Tue, Nov 30, 2021 at 9:09 AM Martin Jansa <Martin.Jansa@...> wrote:

Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
...nfigure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch | 34 +++++++++++++++++++
.../singularity/singularity_git.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch

diff --git a/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch b/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch
new file mode 100644
index 0000000..d5744a2
--- /dev/null
+++ b/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch
@@ -0,0 +1,34 @@
+From 13ee3e016490e74868b64e3a07dcccf9feafebdf Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 05:59:06 -0800
+Subject: [PATCH] configure.ac: drop 2nd AM_INIT_AUTOMAKE
+
+* automake-1.16.5 introduced in oe-core:
+ https://git.openembedded.org/openembedded-core/commit/?id=851167b3a41b1728407d331c1666827fb730daa1
+ doesn't like this after:
+ http://git.savannah.gnu.org/cgit/automake.git/commit/?id=f4a3a70f69e1dbccb6578f39ef47835098a04624
+
+ and do_configure fails with:
+ configure.ac:38: error: AM_INIT_AUTOMAKE expanded multiple times
+
+ There is no point in upstreaming this, because singularity-2.3.1 is very old and
+ whole autotools support is removed in version 3 (currently 3.8.5) with:
+ https://github.com/hpcng/singularity/commit/a06e3d13a822080d7a9bc55085ee1bb32026a96e
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ configure.ac | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8ffa5ab32..a5a35c43a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,6 @@ AC_GNU_SOURCE
+ AC_PROG_INSTALL
+ AC_PROG_LIBTOOL
+ AC_PROG_CC
+-AM_INIT_AUTOMAKE
+ AM_PROG_CC_C_O
+ AC_ENABLE_SHARED
+ AC_PROG_LIBTOOL(libtool)
diff --git a/recipes-containers/singularity/singularity_git.bb b/recipes-containers/singularity/singularity_git.bb
index f729657..321a9a6 100644
--- a/recipes-containers/singularity/singularity_git.bb
+++ b/recipes-containers/singularity/singularity_git.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT.md;md5=be78c34e483dd7d8439358b1e024b294 \

SRC_URI = "git://github.com/singularityware/singularity.git;protocol=https;branch=master \
file://0001-Use-python3.patch \
+ file://0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch \
"
PV = "2.3.1+git${SRCPV}"
SRCREV = "e214d4ebf0a1274b1c63b095fd55ae61c7e92947"
--
2.32.0



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [PATCH] xvisor: set PV

Bruce Ashfield
 

On Tue, Nov 30, 2021 at 9:21 AM Martin Jansa <Martin.Jansa@...> wrote:

* use something more reasonable than default 'git' from filename
* there wasn't a new tag for a long time, so this is quite far
from 0.3.0 as git describe shows:
v0.3.0-231-g6b23764a
but 0.3.0 is still the closest release I've found
and matches PROJECT_VERSION in Makefile:
https://github.com/avpatel/xvisor-next/blob/6b23764a1439f9d08b2ed2f363da522460d8a22b/Makefile#L29
I had noticed this as well (I struggled on the commit message so just
went for 'tip') and had meant to circle back to it.

Thanks for the patch, it is now merged.

Bruce


Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
recipes-extended/xvisor/xvisor_git.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-extended/xvisor/xvisor_git.bb b/recipes-extended/xvisor/xvisor_git.bb
index 4d2a719..26b4e0f 100644
--- a/recipes-extended/xvisor/xvisor_git.bb
+++ b/recipes-extended/xvisor/xvisor_git.bb
@@ -8,6 +8,8 @@ require xvisor-configs.inc

inherit autotools-brokensep

+PV = "0.3.0+git${SRCPV}"
+
# This version support the RISC-V v0.5.0 Hypervisor extensions
SRCREV = "6b23764a1439f9d08b2ed2f363da522460d8a22b"
SRC_URI = "git://github.com/avpatel/xvisor-next.git;branch=master;protocol=https \
--
2.32.0




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
[PATCH] xvisor: set PV

Martin Jansa
 

* use something more reasonable than default 'git' from filename
* there wasn't a new tag for a long time, so this is quite far
from 0.3.0 as git describe shows:
v0.3.0-231-g6b23764a
but 0.3.0 is still the closest release I've found
and matches PROJECT_VERSION in Makefile:
https://github.com/avpatel/xvisor-next/blob/6b23764a1439f9d08b2ed2f363da522460d8a22b/Makefile#L29

Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
recipes-extended/xvisor/xvisor_git.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-extended/xvisor/xvisor_git.bb b/recipes-extended/xvisor/xvisor_git.bb
index 4d2a719..26b4e0f 100644
--- a/recipes-extended/xvisor/xvisor_git.bb
+++ b/recipes-extended/xvisor/xvisor_git.bb
@@ -8,6 +8,8 @@ require xvisor-configs.inc

inherit autotools-brokensep

+PV = "0.3.0+git${SRCPV}"
+
# This version support the RISC-V v0.5.0 Hypervisor extensions
SRCREV = "6b23764a1439f9d08b2ed2f363da522460d8a22b"
SRC_URI = "git://github.com/avpatel/xvisor-next.git;branch=master;protocol=https \
--
2.32.0
[PATCH] singularity: fix build with automake-1.16.5

Martin Jansa
 

Signed-off-by: Martin Jansa <Martin.Jansa@...>
---
...nfigure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch | 34 +++++++++++++++++++
.../singularity/singularity_git.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch

diff --git a/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch b/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch
new file mode 100644
index 0000000..d5744a2
--- /dev/null
+++ b/recipes-containers/singularity/singularity/0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch
@@ -0,0 +1,34 @@
+From 13ee3e016490e74868b64e3a07dcccf9feafebdf Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@...>
+Date: Tue, 30 Nov 2021 05:59:06 -0800
+Subject: [PATCH] configure.ac: drop 2nd AM_INIT_AUTOMAKE
+
+* automake-1.16.5 introduced in oe-core:
+ https://git.openembedded.org/openembedded-core/commit/?id=851167b3a41b1728407d331c1666827fb730daa1
+ doesn't like this after:
+ http://git.savannah.gnu.org/cgit/automake.git/commit/?id=f4a3a70f69e1dbccb6578f39ef47835098a04624
+
+ and do_configure fails with:
+ configure.ac:38: error: AM_INIT_AUTOMAKE expanded multiple times
+
+ There is no point in upstreaming this, because singularity-2.3.1 is very old and
+ whole autotools support is removed in version 3 (currently 3.8.5) with:
+ https://github.com/hpcng/singularity/commit/a06e3d13a822080d7a9bc55085ee1bb32026a96e
+
+Signed-off-by: Martin Jansa <Martin.Jansa@...>
+---
+ configure.ac | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8ffa5ab32..a5a35c43a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,6 @@ AC_GNU_SOURCE
+ AC_PROG_INSTALL
+ AC_PROG_LIBTOOL
+ AC_PROG_CC
+-AM_INIT_AUTOMAKE
+ AM_PROG_CC_C_O
+ AC_ENABLE_SHARED
+ AC_PROG_LIBTOOL(libtool)
diff --git a/recipes-containers/singularity/singularity_git.bb b/recipes-containers/singularity/singularity_git.bb
index f729657..321a9a6 100644
--- a/recipes-containers/singularity/singularity_git.bb
+++ b/recipes-containers/singularity/singularity_git.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT.md;md5=be78c34e483dd7d8439358b1e024b294 \

SRC_URI = "git://github.com/singularityware/singularity.git;protocol=https;branch=master \
file://0001-Use-python3.patch \
+ file://0001-configure.ac-drop-2nd-AM_INIT_AUTOMAKE.patch \
"
PV = "2.3.1+git${SRCPV}"
SRCREV = "e214d4ebf0a1274b1c63b095fd55ae61c7e92947"
--
2.32.0
Re: [meta-cloud-services][PATCH 1/3] openstack-image-compute: fix warning of operator append combined with +=

Bruce Ashfield
 

merged.

Bruce

In message: [meta-virtualization] [meta-cloud-services][PATCH 1/3] openstack-image-compute: fix warning of operator append combined with +=
on 20/11/2021 Yi Zhao wrote:

Fixes:
WARNING: openstack-image-compute.bb: IMAGE_ROOTFS_EXTRA_SPACE:append +=
is not a recommended operator combination, please replace it.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../recipes-extended/images/openstack-image-compute.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-openstack/recipes-extended/images/openstack-image-compute.bb b/meta-openstack/recipes-extended/images/openstack-image-compute.bb
index 15726fd..a725e2e 100644
--- a/meta-openstack/recipes-extended/images/openstack-image-compute.bb
+++ b/meta-openstack/recipes-extended/images/openstack-image-compute.bb
@@ -19,6 +19,6 @@ inherit monitor

# Ensure extra space for guest images, and rabbit MQ has a hard coded
# check for 2G of free space, so we use 3G as a starting point.
-IMAGE_ROOTFS_EXTRA_SPACE:append += "+ 3000000"
+IMAGE_ROOTFS_EXTRA_SPACE:append = " + 3000000"

# ROOTFS_POSTPROCESS_COMMAND += "remove_packaging_data_files ; "
--
2.25.1
Re: [m-c-s][PATCH] concurrent-ruby: 1.1.6 -> 1.1.9

Bruce Ashfield
 

merged.

Bruce

In message: [meta-virtualization][m-c-s][PATCH] concurrent-ruby: 1.1.6 -> 1.1.9
on 22/11/2021 kai wrote:

From: Kai Kang <kai.kang@...>

Upgrade concurrent-ruby from 1.1.6 to 1.1.9:

* it changed license file to txt, so the license file name and checksum changed
* remove 'tag=' from SRC_URI and use SRCREV instead

Signed-off-by: Kai Kang <kai.kang@...>
---
...urrent-ruby_1.1.6.bb => concurrent-ruby_1.1.9.bb} | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
rename meta-openstack/recipes-devtools/ruby/{concurrent-ruby_1.1.6.bb => concurrent-ruby_1.1.9.bb} (50%)

diff --git a/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb b/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
similarity index 50%
rename from meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb
rename to meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
index a328203e..e2c99d7d 100644
--- a/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb
+++ b/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
@@ -2,11 +2,17 @@ SUMMARY = "Modern concurrency tools including agents, futures, promises, thread
HOMEPAGE = "http://www.concurrent-ruby.com"

LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fde65ae93d18826f70c6fe125aa04297"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e319104fe1435b64fc0a67032db44f02"

-SRC_URI = "git://github.com/ruby-concurrency/concurrent-ruby.git;protocol=https;tag=v1.1.6\
- file://0001-Removed-check-for-concurrent_ruby.jar.patch"
+SRC_URI = "git://github.com/ruby-concurrency/concurrent-ruby.git;protocol=https;branch=master \
+ file://0001-Removed-check-for-concurrent_ruby.jar.patch \
+ "
+SRCREV = "52c08fca13cc3811673ea2f6fdb244a0e42e0ebe"

S = "${WORKDIR}/git"

+do_install:append () {
+ rmdir --ignore-fail-on-non-empty ${D}${libdir}/ruby/gems/${RUBY_GEM_VERSION}/plugins
+}
+
inherit ruby
--
2.17.1
Re: [PATCH] libvirt: fix CVE-2021-3667

Bruce Ashfield
 

In master, I tend to favour uprev's versus specific CVE patches.

That being said, I have a lot of pending changes right now, and
won't have time to uprev for a few more weeks, so I've gone ahead
and merged the change.

Bruce

In message: [meta-virtualization][PATCH] libvirt: fix CVE-2021-3667
on 23/11/2021 Xu, Yanfei wrote:

Backport a fix for CVE-2021-3667.

The CVE discription: An improper locking issue was found in the
virStoragePoolLookupByTargetPath API of libvirt. It occurs in the
storagePoolLookupByTargetPath function where a locked virStoragePoolObj
object is not properly released on ACL permission failure. Clients
connecting to the read-write socket with limited ACL permissions could
use this flaw to acquire the lock and prevent other users from accessing
storage pool/volume APIs, resulting in a denial of service condition.
The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@...>
---
...nlock-object-on-ACL-fail-in-storageP.patch | 40 +++++++++++++++++++
recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 00000000..608322d9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,40 @@
+From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@...>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@...>
+Reviewed-by: Michal Privoznik <mprivozn@...>
+
+Upstream-status: Backport
+CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
+Signed-off-by: Yanfei Xu <yanfei.xu@...>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index ecb5b86b4f..de66f1f9e5 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+ storagePoolLookupByTargetPathCallback,
+ cleanpath))) {
+ def = virStoragePoolObjGetDef(obj);
+- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++ virStoragePoolObjEndAPI(&obj);
+ return NULL;
++ }
+
+ pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+ virStoragePoolObjEndAPI(&obj);
+--
+2.27.0
+
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index cc7bb2cb..4ec11fb5 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://gnutls-helper.py \
file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
file://0001-security-fix-SELinux-label-generation-logic.patch \
+ file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
"

SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
--
2.27.0
[hardknott][PATCH] libvirt: fix CVE-2021-3667

Xu, Yanfei
 

Backport a fix for CVE-2021-3667.

The CVE discription: An improper locking issue was found in the
virStoragePoolLookupByTargetPath API of libvirt. It occurs in the
storagePoolLookupByTargetPath function where a locked virStoragePoolObj
object is not properly released on ACL permission failure. Clients
connecting to the read-write socket with limited ACL permissions could
use this flaw to acquire the lock and prevent other users from accessing
storage pool/volume APIs, resulting in a denial of service condition.
The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@...>
---
...nlock-object-on-ACL-fail-in-storageP.patch | 40 +++++++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 00000000..608322d9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,40 @@
+From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@...>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@...>
+Reviewed-by: Michal Privoznik <mprivozn@...>
+
+Upstream-status: Backport
+CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
+Signed-off-by: Yanfei Xu <yanfei.xu@...>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index ecb5b86b4f..de66f1f9e5 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+ storagePoolLookupByTargetPathCallback,
+ cleanpath))) {
+ def = virStoragePoolObjGetDef(obj);
+- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++ virStoragePoolObjEndAPI(&obj);
+ return NULL;
++ }
+
+ pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+ virStoragePoolObjEndAPI(&obj);
+--
+2.27.0
+
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index e68053a7..d028366d 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2020-25637_3.patch \
file://CVE-2020-25637_4.patch \
file://CVE-2021-3631.patch \
+ file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
"

SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
--
2.27.0
[PATCH] libvirt: fix CVE-2021-3667

Xu, Yanfei
 

Backport a fix for CVE-2021-3667.

The CVE discription: An improper locking issue was found in the
virStoragePoolLookupByTargetPath API of libvirt. It occurs in the
storagePoolLookupByTargetPath function where a locked virStoragePoolObj
object is not properly released on ACL permission failure. Clients
connecting to the read-write socket with limited ACL permissions could
use this flaw to acquire the lock and prevent other users from accessing
storage pool/volume APIs, resulting in a denial of service condition.
The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@...>
---
...nlock-object-on-ACL-fail-in-storageP.patch | 40 +++++++++++++++++++
recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 00000000..608322d9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,40 @@
+From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@...>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@...>
+Reviewed-by: Michal Privoznik <mprivozn@...>
+
+Upstream-status: Backport
+CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
+Signed-off-by: Yanfei Xu <yanfei.xu@...>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index ecb5b86b4f..de66f1f9e5 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+ storagePoolLookupByTargetPathCallback,
+ cleanpath))) {
+ def = virStoragePoolObjGetDef(obj);
+- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++ virStoragePoolObjEndAPI(&obj);
+ return NULL;
++ }
+
+ pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+ virStoragePoolObjEndAPI(&obj);
+--
+2.27.0
+
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index cc7bb2cb..4ec11fb5 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://gnutls-helper.py \
file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
file://0001-security-fix-SELinux-label-generation-logic.patch \
+ file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
"

SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
--
2.27.0
Re: [hardknott][PATCH] containerd-opencontainers: bump to v1.4.12

Chen Qi
 

Thanks 🙂

Regards,
Qi

From: Bruce Ashfield <bruce.ashfield@...>
Sent: Monday, November 22, 2021 22:02
To: Bruce Ashfield <bruce.ashfield@...>
Cc: Chen, Qi <Qi.Chen@...>; meta-virtualization@... <meta-virtualization@...>
Subject: Re: [meta-virtualization][hardknott][PATCH] containerd-opencontainers: bump to v1.4.12
 
On Mon, Nov 22, 2021 at 8:54 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:
>
> I already have version bumps for all of the related components under
> test, they'll show up in master-next shortly, and should cover this.
>

Aha. My mistake, I didn't see the branch you specified. I'll merge
this to hardknott shortly.

Bruce



> Cheers,
>
> Bruce
>
> On Mon, Nov 22, 2021 at 2:37 AM Chen Qi <Qi.Chen@...> wrote:
> >
> > Bump from v1.4.4 to v.1.4.12 so that some CVEs are resolved,
> > e.g. CVE-2021-41103.
> >
> > Signed-off-by: Chen Qi <Qi.Chen@...>
> > ---
> >  .../containerd/containerd-opencontainers_git.bb               | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> > index 774a28c..7f6c75d 100644
> > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> > @@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
> >                 support as well as checkpoint and restore for cloning and live migration of containers."
> >
> >
> > -SRCREV = "409c87ba59dd96965239573aa9458a3585c05468"
> > +SRCREV = "7b11cfaabd73bb80907dd23182b9347b4245eb5d"
> >  SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
> >             file://0001-build-use-oe-provided-GO-and-flags.patch \
> >             file://0001-Add-build-option-GODEBUG-1.patch \
> > @@ -15,7 +15,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
> >  LICENSE = "Apache-2.0"
> >  LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"
> >
> > -CONTAINERD_VERSION = "v1.4.4"
> > +CONTAINERD_VERSION = "v1.4.12"
> >
> >  EXTRA_OEMAKE += "GODEBUG=1"
> >
> > --
> > 2.33.0
> >
> >
> >
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
>
>


--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: Building xen-image-minimal for RPi4 Compute Module

Patrick Godwin
 

Just a small update to this thread: I finally got a Xen image booting to dom0 with ethernet on the Raspberry Pi Compute Module 4. Unfortunately, my config is very ugly and still has some issues (such as USB not working...), but I can at least outline what I did to get booted into Xen:
- Added the meta-virt-rpi layer (https://github.com/aananthcn/meta-virt-rpi) and switched to their dom0-image. This probably wasn't necessary, but this image had some nice quality of life changes I was going to need anyways,
- Use a kernel that contains the device tree blob for the CM4; I ended up using Raspberry Pi's 5.15 kernel.
- I couldn't get my local.conf to override the kernel selected in meta-virt's inc file without commenting it out, but I'm assuming this is still user error on my part.
- It looks like support for the CM4 is hitting upstream in 5.16 so yocto-dev will probably work fine starting around then
- Use a more recent u-boot with fixes for CM4. I ended up using 2021.10, though I think the necessary fixes were made in April of this year.
- I still ended up using the boot script from meta-virtualization instead of the one in meta-virt-rpi; this was easier to modify for my needs

Hopefully these notes help anyone else who decides to try this out. My next goals are to get USB working and then get the configuration cleaned up good enough to share.

-----Original Message-----
From: meta-virtualization@... <meta-virtualization@...> On Behalf Of Patrick Godwin
Sent: Sunday, November 14, 2021 11:30 PM
To: Bruce Ashfield <bruce.ashfield@...>
Cc: meta-virtualization@...
Subject: Re: [meta-virtualization] Building xen-image-minimal for RPi4 Compute Module

No worries, now it's my turn to apologize :) Got pulled away from this over the last week and haven't had a chance to fully dive back on in, but I really appreciate you taking the time to reply here! Now that I've had more time with Yocto and the meta-virt layer I think I'm closing the knowledge gaps that are blocking me, I just have a few more edges to sort out. I think that you're right that a patch shouldn't be needed, I think it's just been a lot of user error on my part.

I'll be sure to update this thread once I have the device up and running; I think I'm close. Thanks again!

-----Original Message-----
From: Bruce Ashfield <bruce.ashfield@...>
Sent: Thursday, November 11, 2021 6:53 AM
To: Patrick Godwin <pbg.dev@...>
Cc: meta-virtualization@...
Subject: Re: [meta-virtualization] Building xen-image-minimal for RPi4 Compute Module

Sorry for the slow reply,

On Fri, Nov 5, 2021 at 11:45 PM Patrick Godwin <pbg.dev@...> wrote:

I'm in the process of building xen-image-minimal for my Raspberry Pi 4 Compute Module and am hitting some issues when running the image on physical hardware. Upon inspecting the boot partition of the sd-card, I noticed that the image only contained the dtb for the Raspberry Pi 4B; this makes sense when I look at xen-raspberrypi4-64.inc:
Not sure if you've sorted this out yet.

We do have reference images that booted on the RPI, but I can't say that I've been testing them myself. I'm hoping that my reply will catch the attention of those that do have the h/w and they can comment in more detail.

# Override the meta-raspberrypi default kernel preference
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
KERNEL_DEVICETREE ?= "broadcom/bcm2711-rpi-4-b.dtb"

Compared with the device tree blobs declared in meta-raspberrypi's raspberrypi4-64.conf:

RPI_KERNEL_DEVICETREE = " \
broadcom/bcm2711-rpi-4-b.dtb \
broadcom/bcm2711-rpi-400.dtb \
broadcom/bcm2711-rpi-cm4.dtb \
"

Looking into it further, it seems that the device tree listing in the kernel used in the xen-image-minimal build doesn't contain the newer firmware blobs contained in meta-raspberrypi, which causes devices like ethernet to fail to start up when the image finally boots.
There's a different level of support on the h/w between linux-yocto and the 'vendor' rpi tree. We use linux-yocto for the core enablement because the branches are stable/not rebased and have a cadence we can predict (all mentioned things are breakages we've hit before!).

That being said, you can change the kernel provider to the linux-rpi, and the rest of the meta-virt settings, etc, are still applicable and should work.

I've tried adding the bcm2711-rpi-cm4 firmware blob to the SD card manually, but that causes u-boot to fail with the error "Bad Linux ARM64 Image Magic!" after the Boot Xen step in output. I also tried manually replacing the bootfiles written by the xen sd card image with the latest blobs from meta-raspberrypi's packages, but once the OS boots I find that xen is no longer running, making me suspect I screwed up the configuration somewhere.
It could be a kernel configuration issue between the two images, if the Xen packages are on the image, but nothing is running. Can you interact with the Xen support via the xen cli at all ? Just to get a better error message ?

Is this something I can trivially fix? Is there a way for me to override the device tree selection used by the minimal xen image in my local.conf? Or do I need to investigate patching one of the meta-virtualization recipes?
Anything that needs changing, should be overridable via variable or through bbappends, so hopefully no patching is required.

Bruce


(Apologies if I've used any of the wrong lingo/terms here; still new
to RasPi/Yocto/Xen :D)




--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
[m-c-s][PATCH] concurrent-ruby: 1.1.6 -> 1.1.9

kai
 

From: Kai Kang <kai.kang@...>

Upgrade concurrent-ruby from 1.1.6 to 1.1.9:

* it changed license file to txt, so the license file name and checksum changed
* remove 'tag=' from SRC_URI and use SRCREV instead

Signed-off-by: Kai Kang <kai.kang@...>
---
...urrent-ruby_1.1.6.bb => concurrent-ruby_1.1.9.bb} | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
rename meta-openstack/recipes-devtools/ruby/{concurrent-ruby_1.1.6.bb => concurrent-ruby_1.1.9.bb} (50%)

diff --git a/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb b/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
similarity index 50%
rename from meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb
rename to meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
index a328203e..e2c99d7d 100644
--- a/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.6.bb
+++ b/meta-openstack/recipes-devtools/ruby/concurrent-ruby_1.1.9.bb
@@ -2,11 +2,17 @@ SUMMARY = "Modern concurrency tools including agents, futures, promises, thread
HOMEPAGE = "http://www.concurrent-ruby.com"

LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fde65ae93d18826f70c6fe125aa04297"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e319104fe1435b64fc0a67032db44f02"

-SRC_URI = "git://github.com/ruby-concurrency/concurrent-ruby.git;protocol=https;tag=v1.1.6\
- file://0001-Removed-check-for-concurrent_ruby.jar.patch"
+SRC_URI = "git://github.com/ruby-concurrency/concurrent-ruby.git;protocol=https;branch=master \
+ file://0001-Removed-check-for-concurrent_ruby.jar.patch \
+ "
+SRCREV = "52c08fca13cc3811673ea2f6fdb244a0e42e0ebe"

S = "${WORKDIR}/git"

+do_install:append () {
+ rmdir --ignore-fail-on-non-empty ${D}${libdir}/ruby/gems/${RUBY_GEM_VERSION}/plugins
+}
+
inherit ruby
--
2.17.1
Re: [hardknott][PATCH] containerd-opencontainers: bump to v1.4.12

Bruce Ashfield
 

On Mon, Nov 22, 2021 at 8:54 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

I already have version bumps for all of the related components under
test, they'll show up in master-next shortly, and should cover this.
Aha. My mistake, I didn't see the branch you specified. I'll merge
this to hardknott shortly.

Bruce



Cheers,

Bruce

On Mon, Nov 22, 2021 at 2:37 AM Chen Qi <Qi.Chen@...> wrote:

Bump from v1.4.4 to v.1.4.12 so that some CVEs are resolved,
e.g. CVE-2021-41103.

Signed-off-by: Chen Qi <Qi.Chen@...>
---
.../containerd/containerd-opencontainers_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 774a28c..7f6c75d 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
support as well as checkpoint and restore for cloning and live migration of containers."


-SRCREV = "409c87ba59dd96965239573aa9458a3585c05468"
+SRCREV = "7b11cfaabd73bb80907dd23182b9347b4245eb5d"
SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
file://0001-build-use-oe-provided-GO-and-flags.patch \
file://0001-Add-build-option-GODEBUG-1.patch \
@@ -15,7 +15,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"

-CONTAINERD_VERSION = "v1.4.4"
+CONTAINERD_VERSION = "v1.4.12"

EXTRA_OEMAKE += "GODEBUG=1"

--
2.33.0




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [hardknott][PATCH] containerd-opencontainers: bump to v1.4.12

Bruce Ashfield
 

I already have version bumps for all of the related components under
test, they'll show up in master-next shortly, and should cover this.

Cheers,

Bruce

On Mon, Nov 22, 2021 at 2:37 AM Chen Qi <Qi.Chen@...> wrote:

Bump from v1.4.4 to v.1.4.12 so that some CVEs are resolved,
e.g. CVE-2021-41103.

Signed-off-by: Chen Qi <Qi.Chen@...>
---
.../containerd/containerd-opencontainers_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 774a28c..7f6c75d 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
support as well as checkpoint and restore for cloning and live migration of containers."


-SRCREV = "409c87ba59dd96965239573aa9458a3585c05468"
+SRCREV = "7b11cfaabd73bb80907dd23182b9347b4245eb5d"
SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
file://0001-build-use-oe-provided-GO-and-flags.patch \
file://0001-Add-build-option-GODEBUG-1.patch \
@@ -15,7 +15,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"

-CONTAINERD_VERSION = "v1.4.4"
+CONTAINERD_VERSION = "v1.4.12"

EXTRA_OEMAKE += "GODEBUG=1"

--
2.33.0



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
[hardknott][PATCH] containerd-opencontainers: bump to v1.4.12

Chen Qi
 

Bump from v1.4.4 to v.1.4.12 so that some CVEs are resolved,
e.g. CVE-2021-41103.

Signed-off-by: Chen Qi <Qi.Chen@...>
---
.../containerd/containerd-opencontainers_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 774a28c..7f6c75d 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
support as well as checkpoint and restore for cloning and live migration of containers."


-SRCREV = "409c87ba59dd96965239573aa9458a3585c05468"
+SRCREV = "7b11cfaabd73bb80907dd23182b9347b4245eb5d"
SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
file://0001-build-use-oe-provided-GO-and-flags.patch \
file://0001-Add-build-option-GODEBUG-1.patch \
@@ -15,7 +15,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"

-CONTAINERD_VERSION = "v1.4.4"
+CONTAINERD_VERSION = "v1.4.12"

EXTRA_OEMAKE += "GODEBUG=1"

--
2.33.0
[meta-cloud-services][PATCH 3/3] meta-openstack/README: fix for operator append combined with +=

Yi Zhao
 

Signed-off-by: Yi Zhao <yi.zhao@...>
---
meta-openstack/Documentation/README.OpenLDAP | 2 +-
meta-openstack/README.setup | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-openstack/Documentation/README.OpenLDAP b/meta-openstack/Documentation/README.OpenLDAP
index a45b769..95c2227 100644
--- a/meta-openstack/Documentation/README.OpenLDAP
+++ b/meta-openstack/Documentation/README.OpenLDAP
@@ -6,7 +6,7 @@ OpenLDAP into DISTRO_FEATURES

e.g. in conf/local.conf

-DISTRO_FEATURES:append += " OpenLDAP"
+DISTRO_FEATURES:append = " OpenLDAP"

A number of variables can be specified during the build phase that configures
OpenLDAP specific options:
diff --git a/meta-openstack/README.setup b/meta-openstack/README.setup
index d1a4703..f837f63 100644
--- a/meta-openstack/README.setup
+++ b/meta-openstack/README.setup
@@ -95,7 +95,7 @@ systemd will be used in your images:

Additionally activiate the meta-virtualization layer:

- DISTRO_FEATURES:append += "virtualization kvm"
+ DISTRO_FEATURES:append = " virtualization kvm"


Package configurations
--
2.25.1
[meta-cloud-services][PATCH 1/3] openstack-image-compute: fix warning of operator append combined with +=

Yi Zhao
 

Fixes:
WARNING: openstack-image-compute.bb: IMAGE_ROOTFS_EXTRA_SPACE:append +=
is not a recommended operator combination, please replace it.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../recipes-extended/images/openstack-image-compute.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-openstack/recipes-extended/images/openstack-image-compute.bb b/meta-openstack/recipes-extended/images/openstack-image-compute.bb
index 15726fd..a725e2e 100644
--- a/meta-openstack/recipes-extended/images/openstack-image-compute.bb
+++ b/meta-openstack/recipes-extended/images/openstack-image-compute.bb
@@ -19,6 +19,6 @@ inherit monitor

# Ensure extra space for guest images, and rabbit MQ has a hard coded
# check for 2G of free space, so we use 3G as a starting point.
-IMAGE_ROOTFS_EXTRA_SPACE:append += "+ 3000000"
+IMAGE_ROOTFS_EXTRA_SPACE:append = " + 3000000"

# ROOTFS_POSTPROCESS_COMMAND += "remove_packaging_data_files ; "
--
2.25.1
481 - 500 of 7403