343 files changed, 11858 insertions, 3429 deletions
diff --git a/bitbake/bin/bitbake-server b/bitbake/bin/bitbake-server
index ffbc7894ef..65796be747 100755
--- a/bitbake/bin/bitbake-server
+++ b/bitbake/bin/bitbake-server
@@ -26,7 +26,7 @@ readypipeinfd = int(sys.argv[3])
 logfile = sys.argv[4]
 lockname = sys.argv[5]
 sockname = sys.argv[6]
-timeout = sys.argv[7]
+timeout = float(sys.argv[7])
 xmlrpcinterface = (sys.argv[8], int(sys.argv[9]))
 if xmlrpcinterface[0] == "None":
    xmlrpcinterface = (None, xmlrpcinterface[1])
diff --git a/bitbake/lib/bb/__init__.py b/bitbake/lib/bb/__init__.py
index 09e161fef1..c7bc372ec8 100644
--- a/bitbake/lib/bb/__init__.py
+++ b/bitbake/lib/bb/__init__.py
@@ -49,7 +49,7 @@ class BBLoggerMixin(object):
        if not bb.event.worker_pid:
            if self.name in bb.msg.loggerDefaultDomains and loglevel > (bb.msg.loggerDefaultDomains[self.name]):
                return
-            if loglevel > bb.msg.loggerDefaultLogLevel:
+            if loglevel < bb.msg.loggerDefaultLogLevel:
                return
        return self.log(loglevel, msg, *args, **kwargs)
diff --git a/bitbake/lib/bb/cache.py b/bitbake/lib/bb/cache.py
index 9e0c931a07..029753fea0 100644
--- a/bitbake/lib/bb/cache.py
+++ b/bitbake/lib/bb/cache.py
@@ -26,7 +26,7 @@ import re
 logger = logging.getLogger("BitBake.Cache")
-__cache_version__ = "153"
+__cache_version__ = "154"
 def getCacheFile(path, filename, mc, data_hash):
    mcspec = ''
@@ -94,6 +94,7 @@ class CoreRecipeInfo(RecipeInfoCommon):
        if not self.packages:
            self.packages.append(self.pn)
        self.packages_dynamic = self.listvar('PACKAGES_DYNAMIC', metadata)
+        self.rprovides_pkg = self.pkgvar('RPROVIDES', self.packages, metadata)
        self.skipreason = self.getvar('__SKIPPED', metadata)
        if self.skipreason:
@@ -120,7 +121,6 @@ class CoreRecipeInfo(RecipeInfoCommon):
        self.depends          = self.depvar('DEPENDS', metadata)
        self.rdepends         = self.depvar('RDEPENDS', metadata)
        self.rrecommends      = self.depvar('RRECOMMENDS', metadata)
-        self.rprovides_pkg    = self.pkgvar('RPROVIDES', self.packages, metadata)
        self.rdepends_pkg     = self.pkgvar('RDEPENDS', self.packages, metadata)
        self.rrecommends_pkg  = self.pkgvar('RRECOMMENDS', self.packages, metadata)
        self.inherits         = self.getvar('__inherit_cache', metadata, expand=False)
diff --git a/bitbake/lib/bb/cooker.py b/bitbake/lib/bb/cooker.py
index 1f4cc1e96d..4b5ef07eaa 100644
--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -73,7 +73,9 @@ class SkippedPackage:
            self.pn = info.pn
            self.skipreason = info.skipreason
            self.provides = info.provides
-            self.rprovides = info.rprovides
+            self.rprovides = info.packages + info.rprovides
+            for package in info.packages:
+                self.rprovides += info.rprovides_pkg[package]
        elif reason:
            self.skipreason = reason
@@ -2207,18 +2209,18 @@ class CookerParser(object):
        except bb.BBHandledException as exc:
            self.error += 1
            logger.error('Failed to parse recipe: %s' % exc.recipe)
-            self.shutdown(clean=False)
+            self.shutdown(clean=False, force=True)
            return False
        except ParsingFailure as exc:
            self.error += 1
            logger.error('Unable to parse %s: %s' %
                     (exc.recipe, bb.exceptions.to_string(exc.realexception)))
-            self.shutdown(clean=False)
+            self.shutdown(clean=False, force=True)
            return False
        except bb.parse.ParseError as exc:
            self.error += 1
            logger.error(str(exc))
-            self.shutdown(clean=False)
+            self.shutdown(clean=False, force=True)
            return False
        except bb.data_smart.ExpansionError as exc:
            self.error += 1
@@ -2227,7 +2229,7 @@ class CookerParser(object):
            tb = list(itertools.dropwhile(lambda e: e.filename.startswith(bbdir), exc.traceback))
            logger.error('ExpansionError during parsing %s', value.recipe,
                         exc_info=(etype, value, tb))
-            self.shutdown(clean=False)
+            self.shutdown(clean=False, force=True)
            return False
        except Exception as exc:
            self.error += 1
@@ -2239,7 +2241,7 @@ class CookerParser(object):
                # Most likely, an exception occurred during raising an exception
                import traceback
                logger.error('Exception during parse: %s' % traceback.format_exc())
-            self.shutdown(clean=False)
+            self.shutdown(clean=False, force=True)
            return False
        self.current += 1
diff --git a/bitbake/lib/bb/data_smart.py b/bitbake/lib/bb/data_smart.py
index c559102cf5..b4ed62a4e5 100644
--- a/bitbake/lib/bb/data_smart.py
+++ b/bitbake/lib/bb/data_smart.py
@@ -28,7 +28,7 @@ logger = logging.getLogger("BitBake.Data")
 __setvar_keyword__ = ["_append", "_prepend", "_remove"]
 __setvar_regexp__ = re.compile(r'(?P<base>.*?)(?P<keyword>_append|_prepend|_remove)(_(?P<add>[^A-Z]*))?$')
-__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~]+?}")
+__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~:]+?}")
 __expand_python_regexp__ = re.compile(r"\${@.+?}")
 __whitespace_split__ = re.compile(r'(\s)')
 __override_regexp__ = re.compile(r'[a-z0-9]+')
@@ -481,6 +481,7 @@ class DataSmart(MutableMapping):
    def setVar(self, var, value, **loginfo):
        #print("var=" + str(var) + "  val=" + str(value))
+        var = var.replace(":", "_")
        self.expand_cache = {}
        parsing=False
        if 'parsing' in loginfo:
@@ -589,6 +590,8 @@ class DataSmart(MutableMapping):
        """
        Rename the variable key to newkey
        """
+        key = key.replace(":", "_")
+        newkey = newkey.replace(":", "_")
        if key == newkey:
            bb.warn("Calling renameVar with equivalent keys (%s) is invalid" % key)
            return
@@ -637,6 +640,7 @@ class DataSmart(MutableMapping):
        self.setVar(var + "_prepend", value, ignore=True, parsing=True)
    def delVar(self, var, **loginfo):
+        var = var.replace(":", "_")
        self.expand_cache = {}
        loginfo['detail'] = ""
@@ -664,6 +668,7 @@ class DataSmart(MutableMapping):
                         override = None
    def setVarFlag(self, var, flag, value, **loginfo):
+        var = var.replace(":", "_")
        self.expand_cache = {}
        if 'op' not in loginfo:
@@ -687,6 +692,7 @@ class DataSmart(MutableMapping):
            self.dict["__exportlist"]["_content"].add(var)
    def getVarFlag(self, var, flag, expand=True, noweakdefault=False, parsing=False, retparser=False):
+        var = var.replace(":", "_")
        if flag == "_content":
            cachename = var
        else:
@@ -814,6 +820,7 @@ class DataSmart(MutableMapping):
        return value
    def delVarFlag(self, var, flag, **loginfo):
+        var = var.replace(":", "_")
        self.expand_cache = {}
        local_var, _ = self._findVar(var)
@@ -831,6 +838,7 @@ class DataSmart(MutableMapping):
            del self.dict[var][flag]
    def appendVarFlag(self, var, flag, value, **loginfo):
+        var = var.replace(":", "_")
        loginfo['op'] = 'append'
        loginfo['flag'] = flag
        self.varhistory.record(**loginfo)
@@ -838,6 +846,7 @@ class DataSmart(MutableMapping):
        self.setVarFlag(var, flag, newvalue, ignore=True)
    def prependVarFlag(self, var, flag, value, **loginfo):
+        var = var.replace(":", "_")
        loginfo['op'] = 'prepend'
        loginfo['flag'] = flag
        self.varhistory.record(**loginfo)
@@ -845,6 +854,7 @@ class DataSmart(MutableMapping):
        self.setVarFlag(var, flag, newvalue, ignore=True)
    def setVarFlags(self, var, flags, **loginfo):
+        var = var.replace(":", "_")
        self.expand_cache = {}
        infer_caller_details(loginfo)
        if not var in self.dict:
@@ -859,6 +869,7 @@ class DataSmart(MutableMapping):
            self.dict[var][i] = flags[i]
    def getVarFlags(self, var, expand = False, internalflags=False):
+        var = var.replace(":", "_")
        local_var, _ = self._findVar(var)
        flags = {}
@@ -875,6 +886,7 @@ class DataSmart(MutableMapping):
    def delVarFlags(self, var, **loginfo):
+        var = var.replace(":", "_")
        self.expand_cache = {}
        if not var in self.dict:
            self._makeShadowCopy(var)
@@ -1005,7 +1017,7 @@ class DataSmart(MutableMapping):
            else:
                data.update({key:value})
-            varflags = d.getVarFlags(key, internalflags = True)
+            varflags = d.getVarFlags(key, internalflags = True, expand=["vardepvalue"])
            if not varflags:
                continue
            for f in varflags:
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index 551bfb70f2..524165bd5f 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -853,11 +853,6 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
        if val:
            cmd = 'export ' + var + '=\"%s\"; %s' % (val, cmd)
-    # Ensure that a _PYTHON_SYSCONFIGDATA_NAME value set by a recipe
-    # (for example via python3native.bbclass since warrior) is not set for
-    # host Python (otherwise tools like git-make-shallow will fail)
-    cmd = 'unset _PYTHON_SYSCONFIGDATA_NAME; ' + cmd
    # Disable pseudo as it may affect ssh, potentially causing it to hang.
    cmd = 'export PSEUDO_DISABLED=1; ' + cmd
diff --git a/bitbake/lib/bb/fetch2/git.py b/bitbake/lib/bb/fetch2/git.py
index b97967b487..f2cc02258e 100644
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -141,6 +141,10 @@ class Git(FetchMethod):
            ud.proto = 'file'
        else:
            ud.proto = "git"
+        if ud.host == "github.com" and ud.proto == "git":
+            # github stopped supporting git protocol
+            # https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git
+            ud.proto = "https"
        if not ud.proto in ('git', 'file', 'ssh', 'http', 'https', 'rsync'):
            raise bb.fetch2.ParameterError("Invalid protocol type", ud.url)
@@ -379,6 +383,35 @@ class Git(FetchMethod):
            if missing_rev:
                raise bb.fetch2.FetchError("Unable to find revision %s even from upstream" % missing_rev)
+        if self._contains_lfs(ud, d, ud.clonedir) and self._need_lfs(ud):
+            # Unpack temporary working copy, use it to run 'git checkout' to force pre-fetching
+            # of all LFS blobs needed at the the srcrev.
+            #
+            # It would be nice to just do this inline here by running 'git-lfs fetch'
+            # on the bare clonedir, but that operation requires a working copy on some
+            # releases of Git LFS.
+            tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
+            try:
+                # Do the checkout. This implicitly involves a Git LFS fetch.
+                Git.unpack(self, ud, tmpdir, d)
+                # Scoop up a copy of any stuff that Git LFS downloaded. Merge them into
+                # the bare clonedir.
+                #
+                # As this procedure is invoked repeatedly on incremental fetches as
+                # a recipe's SRCREV is bumped throughout its lifetime, this will
+                # result in a gradual accumulation of LFS blobs in <ud.clonedir>/lfs
+                # corresponding to all the blobs reachable from the different revs
+                # fetched across time.
+                #
+                # Only do this if the unpack resulted in a .git/lfs directory being
+                # created; this only happens if at least one blob needed to be
+                # downloaded.
+                if os.path.exists(os.path.join(tmpdir, "git", ".git", "lfs")):
+                    runfetchcmd("tar -cf - lfs | tar -xf - -C %s" % ud.clonedir, d, workdir="%s/git/.git" % tmpdir)
+            finally:
+                bb.utils.remove(tmpdir, recurse=True)
    def build_mirror_data(self, ud, d):
        if ud.shallow and ud.write_shallow_tarballs:
            if not os.path.exists(ud.fullshallow):
@@ -474,7 +507,7 @@ class Git(FetchMethod):
        if os.path.exists(destdir):
            bb.utils.prunedir(destdir)
-        need_lfs = ud.parm.get("lfs", "1") == "1"
+        need_lfs = self._need_lfs(ud)
        if not need_lfs:
            ud.basecmd = "GIT_LFS_SKIP_SMUDGE=1 " + ud.basecmd
@@ -563,6 +596,9 @@ class Git(FetchMethod):
            raise bb.fetch2.FetchError("The command '%s' gave output with more then 1 line unexpectedly, output: '%s'" % (cmd, output))
        return output.split()[0] != "0"
+    def _need_lfs(self, ud):
+        return ud.parm.get("lfs", "1") == "1"
    def _contains_lfs(self, ud, d, wd):
        """
        Check if the repository has 'lfs' (large file) content
@@ -573,8 +609,14 @@ class Git(FetchMethod):
        else:
            branchname = "master"
-        cmd = "%s grep lfs origin/%s:.gitattributes | wc -l" % (
+        # The bare clonedir doesn't use the remote names; it has the branch immediately.
-            ud.basecmd, ud.branches[ud.names[0]])
+        if wd == ud.clonedir:
+            refname = ud.branches[ud.names[0]]
+        else:
+            refname = "origin/%s" % ud.branches[ud.names[0]]
+        cmd = "%s grep lfs %s:.gitattributes | wc -l" % (
+            ud.basecmd, refname)
        try:
            output = runfetchcmd(cmd, d, quiet=True, workdir=wd)
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index e6d9f528d0..83acd85bae 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -316,7 +316,7 @@ class Wget(FetchMethod):
            except (TypeError, ImportError, IOError, netrc.NetrcParseError):
                pass
-            with opener.open(r) as response:
+            with opener.open(r, timeout=30) as response:
                pass
        except urllib.error.URLError as e:
            if try_again:
diff --git a/bitbake/lib/bb/parse/ast.py b/bitbake/lib/bb/parse/ast.py
index 0714296af2..c8802c0587 100644
--- a/bitbake/lib/bb/parse/ast.py
+++ b/bitbake/lib/bb/parse/ast.py
@@ -97,6 +97,7 @@ class DataNode(AstNode):
    def eval(self, data):
        groupd = self.groupd
        key = groupd["var"]
+        key = key.replace(":", "_")
        loginfo = {
            'variable': key,
            'file': self.filename,
@@ -207,6 +208,7 @@ class ExportFuncsNode(AstNode):
    def eval(self, data):
        for func in self.n:
+            func = func.replace(":", "_")
            calledfunc = self.classname + "_" + func
            if data.getVar(func, False) and not data.getVarFlag(func, 'export_func', False):
diff --git a/bitbake/lib/bb/parse/parse_py/BBHandler.py b/bitbake/lib/bb/parse/parse_py/BBHandler.py
index 215f940b60..12a78b6502 100644
--- a/bitbake/lib/bb/parse/parse_py/BBHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/BBHandler.py
@@ -22,7 +22,7 @@ from .ConfHandler import include, init
 # For compatibility
 bb.deprecate_import(__name__, "bb.parse", ["vars_from_file"])
-__func_start_regexp__    = re.compile(r"(((?P<py>python)|(?P<fr>fakeroot))\s*)*(?P<func>[\w\.\-\+\{\}\$]+)?\s*\(\s*\)\s*{$" )
+__func_start_regexp__    = re.compile(r"(((?P<py>python(?=(\s|\()))|(?P<fr>fakeroot(?=\s)))\s*)*(?P<func>[\w\.\-\+\{\}\$:]+)?\s*\(\s*\)\s*{$" )
 __inherit_regexp__       = re.compile(r"inherit\s+(.+)" )
 __export_func_regexp__   = re.compile(r"EXPORT_FUNCTIONS\s+(.+)" )
 __addtask_regexp__       = re.compile(r"addtask\s+(?P<func>\w+)\s*((before\s*(?P<before>((.*(?=after))|(.*))))|(after\s*(?P<after>((.*(?=before))|(.*)))))*")
diff --git a/bitbake/lib/bb/parse/parse_py/ConfHandler.py b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
index af64d3446e..a7e81bd6ad 100644
--- a/bitbake/lib/bb/parse/parse_py/ConfHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
@@ -20,7 +20,7 @@ from bb.parse import ParseError, resolve_file, ast, logger, handle
 __config_regexp__  = re.compile( r"""
    ^
    (?P<exp>export\s+)?
-    (?P<var>[a-zA-Z0-9\-_+.${}/~]+?)
+    (?P<var>[a-zA-Z0-9\-_+.${}/~:]+?)
    (\[(?P<flag>[a-zA-Z0-9\-_+.]+)\])?
    \s* (
diff --git a/bitbake/lib/bb/providers.py b/bitbake/lib/bb/providers.py
index 81459c36d5..484e1ea4f3 100644
--- a/bitbake/lib/bb/providers.py
+++ b/bitbake/lib/bb/providers.py
@@ -151,7 +151,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
        if item:
            itemstr = " (for item %s)" % item
        if preferred_file is None:
-            logger.info("preferred version %s of %s not available%s", pv_str, pn, itemstr)
+            logger.warning("preferred version %s of %s not available%s", pv_str, pn, itemstr)
            available_vers = []
            for file_set in pkg_pn:
                for f in file_set:
@@ -163,7 +163,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
                        available_vers.append(ver_str)
            if available_vers:
                available_vers.sort()
-                logger.info("versions of %s available: %s", pn, ' '.join(available_vers))
+                logger.warning("versions of %s available: %s", pn, ' '.join(available_vers))
        else:
            logger.debug(1, "selecting %s as PREFERRED_VERSION %s of package %s%s", preferred_file, pv_str, pn, itemstr)
diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py
index 28bdadb45e..aa1d6b2711 100644
--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -1942,6 +1942,10 @@ class RunQueueExecute:
            logger.error("Scenequeue had holdoff tasks: %s" % pprint.pformat(self.holdoff_tasks))
            err = True
+        for tid in self.scenequeue_covered.intersection(self.scenequeue_notcovered):
+            # No task should end up in both covered and uncovered, that is a bug.
+            logger.error("Setscene task %s in both covered and notcovered." % tid)
        for tid in self.rqdata.runq_setscene_tids:
            if tid not in self.scenequeue_covered and tid not in self.scenequeue_notcovered:
                err = True
@@ -2430,6 +2434,9 @@ class RunQueueExecute:
        for dep in sorted(self.sqdata.sq_deps[task]):
            if fail and task in self.sqdata.sq_harddeps and dep in self.sqdata.sq_harddeps[task]:
+                if dep in self.scenequeue_covered or dep in self.scenequeue_notcovered:
+                    # dependency could be already processed, e.g. noexec setscene task
+                    continue
                logger.debug(2, "%s was unavailable and is a hard dependency of %s so skipping" % (task, dep))
                self.sq_task_failoutright(dep)
                continue
@@ -2791,6 +2798,7 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
    sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary)
    sqdata.hashes = {}
+    sqrq.sq_deferred = {}
    for mc in sorted(sqdata.multiconfigs):
        for tid in sorted(sqdata.sq_revdeps):
            if mc_from_tid(tid) != mc:
@@ -2803,6 +2811,9 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
                continue
            if tid in sqrq.scenequeue_notcovered:
                continue
+            if tid in sqrq.scenequeue_covered:
+                continue
            sqdata.outrightfail.add(tid)
            h = pending_hash_index(tid, rqdata)
diff --git a/bitbake/lib/bb/server/process.py b/bitbake/lib/bb/server/process.py
index b27b4aefe0..3e99bcef8f 100644
--- a/bitbake/lib/bb/server/process.py
+++ b/bitbake/lib/bb/server/process.py
@@ -509,7 +509,7 @@ class BitBakeServer(object):
        os.set_inheritable(self.bitbake_lock.fileno(), True)
        os.set_inheritable(self.readypipein, True)
        serverscript = os.path.realpath(os.path.dirname(__file__) + "/../../../bin/bitbake-server")
-        os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname,  str(self.server_timeout), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
+        os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname,  str(self.server_timeout or 0), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
 def execServer(lockfd, readypipeinfd, lockname, sockname, server_timeout, xmlrpcinterface):
diff --git a/bitbake/lib/bb/tests/codeparser.py b/bitbake/lib/bb/tests/codeparser.py
index 826a2d2f6d..f485204791 100644
--- a/bitbake/lib/bb/tests/codeparser.py
+++ b/bitbake/lib/bb/tests/codeparser.py
@@ -111,9 +111,9 @@ ${D}${libdir}/pkgconfig/*.pc
        self.assertExecs(set(["sed"]))
    def test_parameter_expansion_modifiers(self):
-        # - and + are also valid modifiers for parameter expansion, but are
+        # -,+ and : are also valid modifiers for parameter expansion, but are
        # valid characters in bitbake variable names, so are not included here
-        for i in ('=', ':-', ':=', '?', ':?', ':+', '#', '%', '##', '%%'):
+        for i in ('=', '?', '#', '%', '##', '%%'):
            name = "foo%sbar" % i
            self.parseExpression("${%s}" % name)
            self.assertNotIn(name, self.references)
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index da17d7f281..4671532f2b 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -939,7 +939,7 @@ class FetcherNetworkTest(FetcherTest):
    @skipIfNoNetwork()
    def test_git_submodule_CLI11(self):
-        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf"
+        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf;branch=main"
        fetcher = bb.fetch.Fetch([url], self.d)
        fetcher.download()
        # Previous cwd has been deleted
@@ -954,12 +954,12 @@ class FetcherNetworkTest(FetcherTest):
    @skipIfNoNetwork()
    def test_git_submodule_update_CLI11(self):
        """ Prevent regression on update detection not finding missing submodule, or modules without needed commits """
-        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714"
+        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714;branch=main"
        fetcher = bb.fetch.Fetch([url], self.d)
        fetcher.download()
        # CLI11 that pulls in a newer nlohmann-json
-        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca"
+        url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca;branch=main"
        fetcher = bb.fetch.Fetch([url], self.d)
        fetcher.download()
        # Previous cwd has been deleted
@@ -993,7 +993,7 @@ class FetcherNetworkTest(FetcherTest):
        """ Prevent regression on deeply nested submodules not being checked out properly, even though they were fetched. """
        # This repository also has submodules where the module (name), path and url do not align
-        url = "gitsm://github.com/azure/iotedge.git;protocol=git;rev=d76e0316c6f324345d77c48a83ce836d09392699"
+        url = "gitsm://github.com/azure/iotedge.git;protocol=git;rev=d76e0316c6f324345d77c48a83ce836d09392699;branch=main"
        fetcher = bb.fetch.Fetch([url], self.d)
        fetcher.download()
        # Previous cwd has been deleted
@@ -1180,7 +1180,7 @@ class FetchLatestVersionTest(FetcherTest):
        ("presentproto", "git://git.yoctoproject.org/bbfetchtests-presentproto", "24f3a56e541b0a9e6c6ee76081f441221a120ef9", "")
            : "1.0",
        # version pattern "pkg_name-vX.Y.Z"
-        ("dtc", "git://git.qemu.org/dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
+        ("dtc", "git://git.yoctoproject.org/bbfetchtests-dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
            : "1.4.0",
        # combination version pattern
        ("sysprof", "git://gitlab.gnome.org/GNOME/sysprof.git;protocol=https", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
@@ -2051,13 +2051,14 @@ class GitLfsTest(FetcherTest):
            cwd = self.gitdir
        return bb.process.run(cmd, cwd=cwd)[0]
-    def fetch(self, uri=None):
+    def fetch(self, uri=None, download=True):
        uris = self.d.getVar('SRC_URI').split()
        uri = uris[0]
        d = self.d
        fetcher = bb.fetch2.Fetch(uris, d)
-        fetcher.download()
+        if download:
+            fetcher.download()
        ud = fetcher.ud[uri]
        return fetcher, ud
@@ -2067,16 +2068,21 @@ class GitLfsTest(FetcherTest):
        uri = 'git://%s;protocol=file;subdir=${S};lfs=1' % self.srcdir
        self.d.setVar('SRC_URI', uri)
-        fetcher, ud = self.fetch()
+        # Careful: suppress initial attempt at downloading until
+        # we know whether git-lfs is installed.
+        fetcher, ud = self.fetch(uri=None, download=False)
        self.assertIsNotNone(ud.method._find_git_lfs)
-        # If git-lfs can be found, the unpack should be successful
+        # If git-lfs can be found, the unpack should be successful. Only
-        ud.method._find_git_lfs = lambda d: True
+        # attempt this with the real live copy of git-lfs installed.
-        shutil.rmtree(self.gitdir, ignore_errors=True)
+        if ud.method._find_git_lfs(self.d):
-        fetcher.unpack(self.d.getVar('WORKDIR'))
+            fetcher.download()
+            shutil.rmtree(self.gitdir, ignore_errors=True)
+            fetcher.unpack(self.d.getVar('WORKDIR'))
        # If git-lfs cannot be found, the unpack should throw an error
        with self.assertRaises(bb.fetch2.FetchError):
+            fetcher.download()
            ud.method._find_git_lfs = lambda d: False
            shutil.rmtree(self.gitdir, ignore_errors=True)
            fetcher.unpack(self.d.getVar('WORKDIR'))
@@ -2087,10 +2093,16 @@ class GitLfsTest(FetcherTest):
        uri = 'git://%s;protocol=file;subdir=${S};lfs=0' % self.srcdir
        self.d.setVar('SRC_URI', uri)
+        # In contrast to test_lfs_enabled(), allow the implicit download
+        # done by self.fetch() to occur here. The point of this test case
+        # is to verify that the fetcher can survive even if the source
+        # repository has Git LFS usage configured.
        fetcher, ud = self.fetch()
        self.assertIsNotNone(ud.method._find_git_lfs)
-        # If git-lfs can be found, the unpack should be successful
+        # If git-lfs can be found, the unpack should be successful. A
+        # live copy of git-lfs is not required for this case, so
+        # unconditionally forge its presence.
        ud.method._find_git_lfs = lambda d: True
        shutil.rmtree(self.gitdir, ignore_errors=True)
        fetcher.unpack(self.d.getVar('WORKDIR'))
diff --git a/documentation/conf.py b/documentation/conf.py
index ed8c5c0330..fe27e3e0d2 100644
--- a/documentation/conf.py
+++ b/documentation/conf.py
@@ -15,8 +15,27 @@
 import os
 import sys
 import datetime
+try:
+    import yaml
+except ImportError:
+    sys.stderr.write("The Yocto Project Sphinx documentation requires PyYAML.\
+    \nPlease make sure to install pyyaml python package.\n")
+    sys.exit(1)
-current_version = "3.2"
+# current_version = "dev"
+# bitbake_version = "" # Leave empty for development branch
+# Obtain versions from poky.yaml instead
+with open("poky.yaml") as data:
+    buff = data.read()
+    subst_vars = yaml.safe_load(buff)
+    if "DOCCONF_VERSION" not in subst_vars:
+        sys.stderr.write("Please set DOCCONF_VERSION in poky.yaml")
+        sys.exit(1)
+    current_version = subst_vars["DOCCONF_VERSION"]
+    if "BITBAKE_SERIES" not in subst_vars:
+        sys.stderr.write("Please set BITBAKE_SERIES in poky.yaml")
+        sys.exit(1)
+    bitbake_version = subst_vars["BITBAKE_SERIES"]
 # String used in sidebar
 version = 'Version: ' + current_version
diff --git a/documentation/poky.yaml b/documentation/poky.yaml
index e184fa8299..fb567a11dc 100644
--- a/documentation/poky.yaml
+++ b/documentation/poky.yaml
@@ -1,11 +1,13 @@
-DISTRO : "3.2"
+DISTRO : "3.2.4"
 DISTRO_NAME_NO_CAP : "gatesgarth"
 DISTRO_NAME : "Gatesgarth"
 DISTRO_NAME_NO_CAP_MINUS_ONE : "dunfell"
-YOCTO_DOC_VERSION : "3.2"
+YOCTO_DOC_VERSION : "3.2.4"
-YOCTO_DOC_VERSION_MINUS_ONE : "3.1.3"
+YOCTO_DOC_VERSION_MINUS_ONE : "3.1.7"
-DISTRO_REL_TAG : "yocto-3.2"
+DISTRO_REL_TAG : "yocto-3.2.4"
-POKYVERSION : "24.0.0"
+DOCCONF_VERSION : "3.2.4"
+BITBAKE_SERIES : "1.48"
+POKYVERSION : "24.0.4"
 YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
 YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
diff --git a/documentation/releases.rst b/documentation/releases.rst
index 536c3a6d2c..3e95ab9e23 100644
--- a/documentation/releases.rst
+++ b/documentation/releases.rst
@@ -4,6 +4,16 @@
 Current Release Manuals
 =========================
+*******************************
+3.2 'gatesgarth' Release Series
+*******************************
+- :yocto_docs:`3.2 Documentation </3.2>`
+- :yocto_docs:`3.2.1 Documentation </3.2.1>`
+- :yocto_docs:`3.2.2 Documentation </3.2.2>`
+- :yocto_docs:`3.2.3 Documentation </3.2.3>`
+- :yocto_docs:`3.2.4 Documentation </3.2.4>`
 ****************************
 3.1 'dunfell' Release Series
 ****************************
@@ -11,6 +21,11 @@
 - :yocto_docs:`3.1 Documentation </3.1>`
 - :yocto_docs:`3.1.1 Documentation </3.1.1>`
 - :yocto_docs:`3.1.2 Documentation </3.1.2>`
+- :yocto_docs:`3.1.3 Documentation </3.1.3>`
+- :yocto_docs:`3.1.4 Documentation </3.1.4>`
+- :yocto_docs:`3.1.5 Documentation </3.1.5>`
+- :yocto_docs:`3.1.6 Documentation </3.1.6>`
+- :yocto_docs:`3.1.7 Documentation </3.1.7>`
 ==========================
 Previous Release Manuals
@@ -24,6 +39,7 @@
 - :yocto_docs:`3.0.1 Documentation </3.0.1>`
 - :yocto_docs:`3.0.2 Documentation </3.0.2>`
 - :yocto_docs:`3.0.3 Documentation </3.0.3>`
+- :yocto_docs:`3.0.4 Documentation </3.0.4>`
 ****************************
 2.7 'warrior' Release Series
diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 5fbd55032d..ccfbf6dba4 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.2"
+DISTRO_VERSION = "3.2.4"
 DISTRO_CODENAME = "gatesgarth"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"
diff --git a/meta-selftest/lib/pseudo_pyc_test1.py b/meta-selftest/lib/pseudo_pyc_test1.py
new file mode 100644
index 0000000000..b59abdd536
--- /dev/null
+++ b/meta-selftest/lib/pseudo_pyc_test1.py
@@ -0,0 +1 @@
+STRING = "pseudo_pyc_test1"
diff --git a/meta-selftest/lib/pseudo_pyc_test2.py b/meta-selftest/lib/pseudo_pyc_test2.py
new file mode 100644
index 0000000000..fb67a978e0
--- /dev/null
+++ b/meta-selftest/lib/pseudo_pyc_test2.py
@@ -0,0 +1 @@
+STRING = "pseudo_pyc_test2"
diff --git a/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb b/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb
new file mode 100644
index 0000000000..12dc91a8f3
--- /dev/null
+++ b/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb
@@ -0,0 +1,15 @@
+SUMMARY = "pseudo env test"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+INHIBIT_DEFAULT_DEPS = "1"
+python do_compile() {
+    import pseudo_pyc_test1
+    print(pseudo_pyc_test1.STRING)
+}
+python do_install() {
+    import pseudo_pyc_test2
+    print(pseudo_pyc_test2.STRING)
+}
diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
index 4ee895dbdc..35147d2da8 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
@@ -7,8 +7,8 @@ KMACHINE_genericx86 ?= "common-pc"
 KMACHINE_genericx86-64 ?= "common-pc-64"
 KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
+SRCREV_machine_genericx86 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
-SRCREV_machine_genericx86-64 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
+SRCREV_machine_genericx86-64 ?= "31db2b47ac7d8508080fbb7344399b501216de66"
 SRCREV_machine_edgerouter ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
 SRCREV_machine_beaglebone-yocto ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
-LINUX_VERSION_genericx86 = "5.4.69"
+LINUX_VERSION_genericx86 = "5.4.94"
-LINUX_VERSION_genericx86-64 = "5.4.69"
+LINUX_VERSION_genericx86-64 = "5.4.94"
 LINUX_VERSION_edgerouter = "5.4.58"
 LINUX_VERSION_beaglebone-yocto = "5.4.58"
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index 598298ef6f..858507b343 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -590,6 +590,7 @@ addtask do_dumpdata
 addtask do_ar_recipe
 addtask do_deploy_archives
 do_build[recrdeptask] += "do_deploy_archives"
+do_rootfs[recrdeptask] += "do_deploy_archives"
 do_populate_sdk[recrdeptask] += "do_deploy_archives"
 python () {
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 5a0b0c6b3e..78ae28bb0f 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -231,6 +231,7 @@ python base_eventhandler() {
    if isinstance(e, bb.event.ConfigParsed):
        if not d.getVar("NATIVELSBSTRING", False):
            d.setVar("NATIVELSBSTRING", lsb_distro_identifier(d))
+        d.setVar("ORIGNATIVELSBSTRING", d.getVar("NATIVELSBSTRING", False))
        d.setVar('BB_VERSION', bb.__version__)
    # There might be no bb.event.ConfigParsed event if bitbake server is
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 7d5e3eb8fd..726f17a946 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -674,13 +674,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo"
 POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;"
 POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;"
 POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;"
+POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target"
 POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;"
 POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;"
 POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;"
+POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host"
 SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
 SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
+SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo"
 python buildhistory_write_sigs() {
    if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
@@ -855,7 +858,7 @@ END
 }
 python buildhistory_eventhandler() {
-    if e.data.getVar('BUILDHISTORY_FEATURES').strip():
+    if (e.data.getVar('BUILDHISTORY_FEATURES') or "").strip():
        reset = e.data.getVar("BUILDHISTORY_RESET")
        olddir = e.data.getVar("BUILDHISTORY_OLD_DIR")
        if isinstance(e, bb.event.BuildStarted):
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 25cefda92e..112ee3379d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,16 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+# Layers to be included 
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
 python cve_save_summary_handler () {
    import shutil
    import datetime
@@ -206,7 +216,11 @@ def check_cves(d, patched_cves):
    """
    Connect to the NVD database and find unpatched cves.
    """
-    from distutils.version import LooseVersion
+    from oe.cve_check import Version
+    pn = d.getVar("PN")
+    real_pv = d.getVar("PV")
+    suffix = d.getVar("CVE_VERSION_SUFFIX")
    cves_unpatched = []
    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -217,7 +231,7 @@ def check_cves(d, patched_cves):
    pv = d.getVar("CVE_VERSION").split("+git")[0]
    # If the recipe has been whitlisted we return empty lists
-    if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+    if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
        bb.note("Recipe has been whitelisted, skipping check")
        return ([], [], [])
@@ -260,8 +274,8 @@ def check_cves(d, patched_cves):
                else:
                    if operator_start:
                        try:
-                            vulnerable_start =  (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+                            vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
-                            vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+                            vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_start, version_start, cve))
@@ -271,8 +285,8 @@ def check_cves(d, patched_cves):
                    if operator_end:
                        try:
-                            vulnerable_end  = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+                            vulnerable_end  = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
-                            vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+                            vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_end, version_end, cve))
@@ -286,12 +300,12 @@ def check_cves(d, patched_cves):
                        vulnerable = vulnerable_start or vulnerable_end
                if vulnerable:
-                    bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
+                    bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
                    cves_unpatched.append(cve)
                    break
            if not vulnerable:
-                bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
                # TODO: not patched but not vulnerable
                patched_cves.add(cve)
@@ -327,7 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
    CVE manifest if enabled.
    """
    cve_file = d.getVar("CVE_CHECK_LOG")
+    fdir_name  = d.getVar("FILE_DIRNAME")
+    layer = fdir_name.split("/")[-3]
+    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    if exclude_layers and layer in exclude_layers:
+        return
+    if include_layers and layer not in include_layers:
+        return
    nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
    write_string = ""
    unpatched_cves = []
@@ -337,6 +364,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
        is_patched = cve in patched
        if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
            continue
+        write_string += "LAYER: %s\n" % layer
        write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
        write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
        write_string += "CVE: %s\n" % cve
diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index fdf7dc100f..76dd0b42ee 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -128,6 +128,7 @@ def devpyshell(d):
                    more = i.runsource(source, "<pyshell>")
                    if not more:
                        buf = []
+                    sys.stderr.flush()
                    prompt(more)
            except KeyboardInterrupt:
                i.write("\nKeyboardInterrupt\n")
diff --git a/meta/classes/distutils-common-base.bbclass b/meta/classes/distutils-common-base.bbclass
index 94b5fd426d..43a38e5a3a 100644
--- a/meta/classes/distutils-common-base.bbclass
+++ b/meta/classes/distutils-common-base.bbclass
@@ -11,7 +11,7 @@ export LDCXXSHARED  = "${CXX} -shared"
 export CCSHARED  = "-fPIC -DPIC"
 # LINKFORSHARED are the flags passed to the $(CC) command that links
 # the python executable
-export LINKFORSHARED = "{SECURITY_CFLAGS} -Xlinker -export-dynamic"
+export LINKFORSHARED = "${SECURITY_CFLAGS} -Xlinker -export-dynamic"
 FILES_${PN} += "${libdir}/* ${libdir}/${PYTHON_DIR}/*"
diff --git a/meta/classes/distutils3-base.bbclass b/meta/classes/distutils3-base.bbclass
index 7dbf07ac4b..a277d1c7bc 100644
--- a/meta/classes/distutils3-base.bbclass
+++ b/meta/classes/distutils3-base.bbclass
@@ -1,5 +1,5 @@
 DEPENDS  += "${@["${PYTHON_PN}-native ${PYTHON_PN}", ""][(d.getVar('PACKAGES') == '')]}"
 RDEPENDS_${PN} += "${@['', '${PYTHON_PN}-core']['${CLASSOVERRIDE}' == 'class-target']}"
-inherit distutils-common-base python3native
+inherit distutils-common-base python3native python3targetconfig
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index dd09395788..3d6b80bee2 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -68,6 +68,7 @@ python () {
            url_data = fetch.ud[url]
            parm = url_data.parm
            if (url_data.type == 'file' or
+                    url_data.type == 'npmsw' or
                    'type' in parm and parm['type'] == 'kmeta'):
                local_srcuri.append(url)
@@ -190,6 +191,7 @@ def srctree_hash_files(d, srcdir=None):
    import shutil
    import subprocess
    import tempfile
+    import hashlib
    s_dir = srcdir or d.getVar('EXTERNALSRC')
    git_dir = None
@@ -197,6 +199,10 @@ def srctree_hash_files(d, srcdir=None):
    try:
        git_dir = os.path.join(s_dir,
            subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+        top_git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'],
+            stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+        if git_dir == top_git_dir:
+            git_dir = None
    except subprocess.CalledProcessError:
        pass
@@ -210,7 +216,17 @@ def srctree_hash_files(d, srcdir=None):
            env = os.environ.copy()
            env['GIT_INDEX_FILE'] = tmp_index.name
            subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
-            sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+            git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+            submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8")
+            for line in submodule_helper.splitlines():
+                module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
+                if os.path.isdir(module_dir):
+                    proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+                    proc.communicate()
+                    proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+                    stdout, _ = proc.communicate()
+                    git_sha1 += stdout.decode("utf-8")
+            sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest()
        with open(oe_hash_file, 'w') as fobj:
            fobj.write(sha1)
        ret = oe_hash_file + ':True'
diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index a9e31b50ea..5b26378a4e 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -40,6 +40,7 @@ GO_RPATH_LINK_class-native = "${@'-Wl,-rpath-link=${STAGING_LIBDIR_NATIVE}/go/pk
 GO_EXTLDFLAGS ?= "${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} ${GO_RPATH_LINK} ${LDFLAGS}"
 GO_LINKMODE ?= ""
 GO_LINKMODE_class-nativesdk = "--linkmode=external"
+GO_LINKMODE_class-native = "--linkmode=external"
 GO_LDFLAGS ?= '-ldflags="${GO_RPATH} ${GO_LINKMODE} -extldflags '${GO_EXTLDFLAGS}'"'
 export GOBUILDFLAGS ?= "-v ${GO_LDFLAGS} -trimpath"
 export GOPATH_OMIT_IN_ACTIONID ?= "1"
diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index 9ea5ddc312..47c44b4aad 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
                        virtual/kernel:do_deploy \
                        ${MLPREFIX}syslinux:do_populate_sysroot \
                        syslinux-native:do_populate_sysroot \
-                        ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \
+                        ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \
                        "
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 045f4494c8..2f1d5cfb46 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -112,7 +112,7 @@ def rootfs_command_variables(d):
            'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS']
 python () {
-    variables = rootfs_command_variables(d) + sdk_command_variables(d)
+    variables = rootfs_command_variables(d)
    for var in variables:
        if d.getVar(var, False):
            d.setVarFlag(var, 'func', '1')
@@ -180,6 +180,8 @@ IMAGE_LOCALES_ARCHIVE ?= '1'
 # aren't yet available.
 PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/intercept_scripts,${WORKDIR}/oe-rootfs-repo,${WORKDIR}/sstate-build-image_complete"
 PACKAGE_EXCLUDE ??= ""
 PACKAGE_EXCLUDE[type] = "list"
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 66884af8e0..30951ae366 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -108,19 +108,9 @@ IMAGE_CMD_squashfs-xz = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAME
 IMAGE_CMD_squashfs-lzo = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.squashfs-lzo ${EXTRA_IMAGECMD} -noappend -comp lzo"
 IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.squashfs-lz4 ${EXTRA_IMAGECMD} -noappend -comp lz4"
-# By default, tar from the host is used, which can be quite old. If
-# you need special parameters (like --xattrs) which are only supported
-# by GNU tar upstream >= 1.27, then override that default:
-# IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
-# do_image_tar[depends] += "tar-replacement-native:do_populate_sysroot"
-# EXTRANATIVEPATH += "tar-native"
-#
-# The GNU documentation does not specify whether --xattrs-include is necessary.
-# In practice, it turned out to be not needed when creating archives and
-# required when extracting, but it seems prudent to use it in both cases.
 IMAGE_CMD_TAR ?= "tar"
 # ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
-IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=posix --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
 do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
 IMAGE_CMD_cpio () {
diff --git a/meta/classes/image_types_wic.bbclass b/meta/classes/image_types_wic.bbclass
index 286e0f5d54..49be1da77a 100644
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -3,7 +3,7 @@
 WICVARS ?= "\
           BBLAYERS IMGDEPLOYDIR DEPLOY_DIR_IMAGE FAKEROOTCMD IMAGE_BASENAME IMAGE_EFI_BOOT_FILES IMAGE_BOOT_FILES \
           IMAGE_LINK_NAME IMAGE_ROOTFS INITRAMFS_FSTYPES INITRD INITRD_LIVE ISODIR RECIPE_SYSROOT_NATIVE \
-           ROOTFS_SIZE STAGING_DATADIR STAGING_DIR STAGING_LIBDIR TARGET_SYS \
+           ROOTFS_SIZE STAGING_DATADIR STAGING_DIR STAGING_LIBDIR TARGET_SYS HOSTTOOLS_DIR \
           KERNEL_IMAGETYPE MACHINE INITRAMFS_IMAGE INITRAMFS_IMAGE_BUNDLE INITRAMFS_LINK_NAME APPEND \
           ASSUME_PROVIDED PSEUDO_IGNORE_PATHS"
@@ -29,11 +29,17 @@ WIC_CREATE_EXTRA_ARGS ?= ""
 IMAGE_CMD_wic () {
        out="${IMGDEPLOYDIR}/${IMAGE_NAME}"
        build_wic="${WORKDIR}/build-wic"
+        tmp_wic="${WORKDIR}/tmp-wic"
        wks="${WKS_FULL_PATH}"
+        if [ -e "$tmp_wic" ]; then
+                # Ensure we don't have any junk leftover from a previously interrupted
+                # do_image_wic execution
+                rm -rf "$tmp_wic"
+        fi
        if [ -z "$wks" ]; then
                bbfatal "No kickstart files from WKS_FILES were found: ${WKS_FILES}. Please set WKS_FILE or WKS_FILES appropriately."
        fi
-        BUILDDIR="${TOPDIR}" PSEUDO_UNLOAD=1 wic create "$wks" --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -e "${IMAGE_BASENAME}" -o "$build_wic/" ${WIC_CREATE_EXTRA_ARGS}
+        BUILDDIR="${TOPDIR}" PSEUDO_UNLOAD=1 wic create "$wks" --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -e "${IMAGE_BASENAME}" -o "$build_wic/" -w "$tmp_wic" ${WIC_CREATE_EXTRA_ARGS}
        mv "$build_wic/$(basename "${wks%.wks}")"*.direct "$out${IMAGE_NAME_SUFFIX}.wic"
 }
 IMAGE_CMD_wic[vardepsexclude] = "WKS_FULL_PATH WKS_FILES TOPDIR"
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index c6dff9659c..44dbed875b 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -175,7 +175,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages):
            if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
                # The dynamic linker searches both these places anyway.  There is no point in
                # looking there again.
-                package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath))
+                package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
 QAPATHTEST[dev-so] = "package_qa_check_dev"
 def package_qa_check_dev(path, name, d, elf, messages):
@@ -184,8 +184,8 @@ def package_qa_check_dev(path, name, d, elf, messages):
    """
    if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
-        package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \
+        package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+                 (name, package_qa_clean_path(path, d, name)))
 QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
 def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -195,8 +195,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages):
    install link-time .so files that are linker scripts.
    """
    if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
-        package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \
+        package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+                 (name, package_qa_clean_path(path, d, name)))
 QAPATHTEST[staticdev] = "package_qa_check_staticdev"
 def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -209,7 +209,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages):
    if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
        package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
-                 (name, package_qa_clean_path(path,d)))
+                 (name, package_qa_clean_path(path,d, name)))
 QAPATHTEST[mime] = "package_qa_check_mime"
 def package_qa_check_mime(path, name, d, elf, messages):
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index 81dda8003f..3c5def1041 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -1,8 +1,11 @@
 # Support for device tree generation
-PACKAGES_append = " \
+python () {
-    ${KERNEL_PACKAGE_NAME}-devicetree \
+    if not bb.data.inherits_class('nopackages', d):
-    ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \
+        d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
-"
+        if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
+            d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
+}
 FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
 FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
diff --git a/meta/classes/kernel-module-split.bbclass b/meta/classes/kernel-module-split.bbclass
index c8ede26996..baa32e0a90 100644
--- a/meta/classes/kernel-module-split.bbclass
+++ b/meta/classes/kernel-module-split.bbclass
@@ -120,7 +120,10 @@ python split_kernel_module_packages () {
        files = d.getVar('FILES_%s' % pkg)
        files = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (files, basename, basename)
        d.setVar('FILES_%s' % pkg, files)
-        d.setVar('CONFFILES_%s' % pkg, files)
+        conffiles = d.getVar('CONFFILES_%s' % pkg)
+        conffiles = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (conffiles, basename, basename)
+        d.setVar('CONFFILES_%s' % pkg, conffiles)
        if "description" in vals:
            old_desc = d.getVar('DESCRIPTION_' + pkg) or ""
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 1a444efabf..b03a286ed4 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -90,6 +90,8 @@ python __anonymous () {
    imagedest = d.getVar('KERNEL_IMAGEDEST')
    for type in types.split():
+        if bb.data.inherits_class('nopackages', d):
+            continue
        typelower = type.lower()
        d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
        d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
@@ -743,7 +745,7 @@ kernel_do_deploy() {
        fi
        if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then
-                for imageType in ${KERNEL_IMAGETYPES} ; do
+                for imageType in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
                        if [ "$imageType" = "fitImage" ] ; then
                                continue
                        fi
diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index f90176d6c0..dc91118340 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,6 +31,7 @@ python do_populate_lic() {
            f.write("%s: %s\n" % (key, info[key]))
 }
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
 # it would be better to copy them in do_install_append, but find_license_filesa is python
 python perform_packagecopy_prepend () {
    enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass
index 702e9f9c55..6f478ce22c 100644
--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -125,7 +125,6 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
                licenses = os.listdir(pkg_license_dir)
                for lic in licenses:
-                    rootfs_license = os.path.join(rootfs_license_dir, lic)
                    pkg_license = os.path.join(pkg_license_dir, lic)
                    pkg_rootfs_license = os.path.join(pkg_rootfs_license_dir, lic)
@@ -144,6 +143,8 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
                                bad_licenses) == False:
                            continue
+                        # Make sure we use only canonical name for the license file
+                        rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)
                        if not os.path.exists(rootfs_license):
                            oe.path.copyhardlink(pkg_license, rootfs_license)
@@ -209,7 +210,8 @@ def license_deployed_manifest(d):
            os.unlink(lic_manifest_symlink_dir)
        # create the image dir symlink
-        os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
+        if lic_manifest_dir != lic_manifest_symlink_dir:
+            os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
 def get_deployed_dependencies(d):
    """
diff --git a/meta/classes/linuxloader.bbclass b/meta/classes/linuxloader.bbclass
index 720e5dfad4..b161c51a50 100644
--- a/meta/classes/linuxloader.bbclass
+++ b/meta/classes/linuxloader.bbclass
@@ -1,6 +1,6 @@
 def get_musl_loader_arch(d):
    import re
-    ldso_arch = None
+    ldso_arch = "NotSupported"
    targetarch = d.getVar("TARGET_ARCH")
    if targetarch.startswith("microblaze"):
@@ -32,7 +32,7 @@ def get_musl_loader(d):
 def get_glibc_loader(d):
    import re
-    dynamic_loader = None
+    dynamic_loader = "NotSupported"
    targetarch = d.getVar("TARGET_ARCH")
    if targetarch in ["powerpc", "microblaze"]:
        dynamic_loader = "${base_libdir}/ld.so.1"
@@ -58,7 +58,7 @@ def get_linuxloader(d):
    overrides = d.getVar("OVERRIDES").split(":")
    if "libc-baremetal" in overrides:
-        return None
+        return "NotSupported"
    if "libc-musl" in overrides:
        dynamic_loader = get_musl_loader(d)
diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass
index 068032a1e5..55a6985fb0 100644
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -17,8 +17,10 @@
 #  NPM_INSTALL_DEV:
 #       Set to 1 to also install devDependencies.
+inherit python3native
 DEPENDS_prepend = "nodejs-native "
-RDEPENDS_${PN}_prepend = "nodejs "
+RDEPENDS_${PN}_append_class-target = " nodejs"
 NPM_INSTALL_DEV ?= "0"
@@ -130,11 +132,17 @@ python npm_do_configure() {
    cached_manifest.pop("dependencies", None)
    cached_manifest.pop("devDependencies", None)
-    with open(orig_shrinkwrap_file, "r") as f:
+    has_shrinkwrap_file = True
-        orig_shrinkwrap = json.load(f)
+    try:
+        with open(orig_shrinkwrap_file, "r") as f:
+            orig_shrinkwrap = json.load(f)
+    except IOError:
+        has_shrinkwrap_file = False
-    cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
+    if has_shrinkwrap_file:
-    cached_shrinkwrap.pop("dependencies", None)
+       cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
+       cached_shrinkwrap.pop("dependencies", None)
    # Manage the dependencies
    progress = OutOfProgressHandler(d, r"^(\d+)/(\d+)$")
@@ -165,8 +173,10 @@ python npm_do_configure() {
            progress.write("%d/%d" % (progress_done, progress_total))
    dev = bb.utils.to_boolean(d.getVar("NPM_INSTALL_DEV"), False)
-    foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
-    foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
+    if has_shrinkwrap_file:
+        foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
+        foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
    # Configure the main package
    with tempfile.TemporaryDirectory() as tmpdir:
@@ -181,16 +191,19 @@ python npm_do_configure() {
                cached_manifest[depkey] = {}
            cached_manifest[depkey][name] = version
-    _update_manifest("dependencies")
+    if has_shrinkwrap_file:
+        _update_manifest("dependencies")
    if dev:
-        _update_manifest("devDependencies")
+        if has_shrinkwrap_file:
+            _update_manifest("devDependencies")
    with open(cached_manifest_file, "w") as f:
        json.dump(cached_manifest, f, indent=2)
-    with open(cached_shrinkwrap_file, "w") as f:
+    if has_shrinkwrap_file:
-        json.dump(cached_shrinkwrap, f, indent=2)
+        with open(cached_shrinkwrap_file, "w") as f:
+            json.dump(cached_shrinkwrap, f, indent=2)
 }
 python npm_do_compile() {
@@ -237,9 +250,7 @@ python npm_do_compile() {
        sysroot = d.getVar("RECIPE_SYSROOT_NATIVE")
        nodedir = os.path.join(sysroot, d.getVar("prefix_native").strip("/"))
        configs.append(("nodedir", nodedir))
-        bindir = os.path.join(sysroot, d.getVar("bindir_native").strip("/"))
+        configs.append(("python", d.getVar("PYTHON")))
-        pythondir = os.path.join(bindir, "python-native", "python")
-        configs.append(("python", pythondir))
        # Add node-pre-gyp configuration
        args.append(("target_arch", d.getVar("NPM_ARCH")))
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index e6236c0bb2..5a32e5c2e3 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2340,7 +2340,7 @@ python do_package () {
    # cache.  This is useful if an item this class depends on changes in a
    # way that the output of this class changes.  rpmdeps is a good example
    # as any change to rpmdeps requires this to be rerun.
-    # PACKAGE_BBCLASS_VERSION = "2"
+    # PACKAGE_BBCLASS_VERSION = "4"
    # Init cachedpath
    global cpath
@@ -2446,6 +2446,7 @@ python do_packagedata () {
    bb.build.exec_func("packagedata_translate_pr_autoinc", d)
 }
+do_packagedata[cleandirs] += "${WORKDIR}/pkgdata-pdata-input"
 # Translate the EXTENDPRAUTO and AUTOINC to the final values
 packagedata_translate_pr_autoinc() {
diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index 53b4700cdd..89b4c6bbfc 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -687,6 +687,7 @@ python do_package_rpm () {
    cmd = cmd + " --define '_binary_payload w6T.xzdio'"
    cmd = cmd + " --define '_source_payload w6T.xzdio'"
    cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
+    cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
    cmd = cmd + " --define '_buildhost reproducible'"
    if perfiledeps:
        cmd = cmd + " --define '__find_requires " + outdepends + "'"
diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index 49b1833265..635b3a6b80 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -178,7 +178,7 @@ do_populate_sdk[sstate-inputdirs] = "${SDKDEPLOYDIR}"
 do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}"
 do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}"
-PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR}"
+PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR},${WORKDIR}/oe-sdk-repo,${WORKDIR}/sstate-build-populate_sdk"
 fakeroot create_sdk_files() {
        cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/
@@ -329,6 +329,13 @@ def sdk_variables(d):
 do_populate_sdk[vardeps] += "${@sdk_variables(d)}"
+python () {
+    variables = sdk_command_variables(d)
+    for var in variables:
+        if d.getVar(var, False):
+            d.setVarFlag(var, 'func', '1')
+}
 do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \
                                    ${TOOLCHAIN_SHAR_EXT_TMPL}:True"
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index 6f35b612c2..14689ec6ac 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -24,6 +24,7 @@ SDK_INCLUDE_NATIVESDK ?= "0"
 SDK_INCLUDE_BUILDTOOLS ?= '1'
 SDK_RECRDEP_TASKS ?= ""
+SDK_CUSTOM_TEMPLATECONF ?= "0"
 SDK_LOCAL_CONF_WHITELIST ?= ""
 SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \
@@ -199,6 +200,9 @@ python copy_buildsystem () {
    buildsystem = oe.copy_buildsystem.BuildSystem('extensible SDK', d)
    baseoutpath = d.getVar('SDK_OUTPUT') + '/' + d.getVar('SDKPATH')
+    #check if custome templateconf path is set
+    use_custom_templateconf = d.getVar('SDK_CUSTOM_TEMPLATECONF')
    # Determine if we're building a derivative extensible SDK (from devtool build-sdk)
    derivative = (d.getVar('SDK_DERIVATIVE') or '') == '1'
    if derivative:
@@ -247,7 +251,9 @@ python copy_buildsystem () {
    # Create a layer for new recipes / appends
    bbpath = d.getVar('BBPATH')
-    bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')])
+    env = os.environ.copy()
+    env['PYTHONDONTWRITEBYTECODE'] = '1'
+    bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env)
    # Create bblayers.conf
    bb.utils.mkdirhier(baseoutpath + '/conf')
@@ -360,6 +366,9 @@ python copy_buildsystem () {
            # Hide the config information from bitbake output (since it's fixed within the SDK)
            f.write('BUILDCFG_HEADER = ""\n\n')
+            # Write METADATA_REVISION
+            f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION'))
            f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
            f.write('WITHIN_EXT_SDK = "1"\n\n')
@@ -390,7 +399,7 @@ python copy_buildsystem () {
        shutil.copyfile(builddir + '/cache/bb_unihashes.dat', baseoutpath + '/cache/bb_unihashes.dat')
    # Use templateconf.cfg file from builddir if exists
-    if os.path.exists(builddir + '/conf/templateconf.cfg'):
+    if os.path.exists(builddir + '/conf/templateconf.cfg') and use_custom_templateconf == '1':
        shutil.copyfile(builddir + '/conf/templateconf.cfg', baseoutpath + '/conf/templateconf.cfg')
    else:
        # Write a templateconf.cfg
diff --git a/meta/classes/python3native.bbclass b/meta/classes/python3native.bbclass
index d98fb4c758..2e3a88c126 100644
--- a/meta/classes/python3native.bbclass
+++ b/meta/classes/python3native.bbclass
@@ -17,8 +17,6 @@ export STAGING_LIBDIR
 export PYTHON_LIBRARY="${STAGING_LIBDIR}/lib${PYTHON_DIR}${PYTHON_ABI}.so"
 export PYTHON_INCLUDE_DIR="${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}"
-export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
 # suppress host user's site-packages dirs.
 export PYTHONNOUSERSITE = "1"
diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
new file mode 100644
index 0000000000..fc1025c207
--- /dev/null
+++ b/meta/classes/python3targetconfig.bbclass
@@ -0,0 +1,17 @@
+inherit python3native
+EXTRA_PYTHON_DEPENDS ?= ""
+EXTRA_PYTHON_DEPENDS_class-target = "python3"
+DEPENDS_append = " ${EXTRA_PYTHON_DEPENDS}"
+do_configure_prepend_class-target() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+do_compile_prepend_class-target() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+do_install_prepend_class-target() {
+        export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 1a12db1206..9cb6b0bd31 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -6,6 +6,8 @@
 #
 # Licensed under the MIT license, see COPYING.MIT for details
+inherit base
 ERR_REPORT_DIR ?= "${LOG_DIR}/error-report"
 def errorreport_getdata(e):
@@ -64,6 +66,8 @@ python errorreport_handler () {
            data['failures'] = []
            data['component'] = " ".join(e.getPkgs())
            data['branch_commit'] = str(base_detect_branch(e.data)) + ": " + str(base_detect_revision(e.data))
+            data['bitbake_version'] = e.data.getVar("BB_VERSION")
+            data['layer_version'] = get_layers_branch_rev(e.data)
            data['local_conf'] = get_conf_data(e, 'local.conf')
            data['auto_conf'] = get_conf_data(e, 'auto.conf')
            lock = bb.utils.lockfile(datafile + '.lock')
diff --git a/meta/classes/rootfs_deb.bbclass b/meta/classes/rootfs_deb.bbclass
index ef616da229..0469ba7059 100644
--- a/meta/classes/rootfs_deb.bbclass
+++ b/meta/classes/rootfs_deb.bbclass
@@ -32,4 +32,8 @@ python () {
         d.setVar('DEB_SDK_ARCH', 'amd64')
    elif darch == "arm":
         d.setVar('DEB_SDK_ARCH', 'armel')
+    elif darch == "aarch64":
+         d.setVar('DEB_SDK_ARCH', 'arm64')
+    else:
+         bb.fatal("Unhandled SDK_ARCH %s" % darch)
 }
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 3262d08fbf..03a9792f68 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -703,6 +703,23 @@ def check_sanity_version_change(status, d):
    if (tmpdirmode & stat.S_ISUID):
        status.addresult("TMPDIR is setuid, please don't build in a setuid directory")
+    # Check that a user isn't building in a path in PSEUDO_IGNORE_PATHS
+    pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+    workdir = d.getVar('WORKDIR', expand=True)
+    for i in pseudoignorepaths:
+        if i and workdir.startswith(i):
+            status.addresult("You are building in a path included in PSEUDO_IGNORE_PATHS " + str(i) + " please locate the build outside this path.\n")
+    # Check if PSEUDO_IGNORE_PATHS and and paths under pseudo control overlap
+    pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+    pseudo_control_dir = "${D},${PKGD},${PKGDEST},${IMAGEROOTFS},${SDK_OUTPUT}"
+    pseudocontroldir = d.expand(pseudo_control_dir).split(",")
+    for i in pseudoignorepaths:
+        for j in pseudocontroldir:
+            if i and j:
+                if j.startswith(i):
+                    status.addresult("A path included in PSEUDO_IGNORE_PATHS " + str(i) + " and the path " + str(j) + " overlap and this will break pseudo permission and ownership tracking. Please set the path " + str(j) + " to a different directory which does not overlap with pseudo controlled directories. \n")
    # Some third-party software apparently relies on chmod etc. being suid root (!!)
    import stat
    suid_check_bins = "chown chmod mknod".split()
@@ -787,6 +804,11 @@ def check_sanity_everybuild(status, d):
    if "." in paths or "./" in paths or "" in paths:
        status.addresult("PATH contains '.', './' or '' (empty element), which will break the build, please remove this.\nParsed PATH is " + str(paths) + "\n")
+    #Check if bitbake is present in PATH environment variable
+    bb_check = bb.utils.which(d.getVar('PATH'), 'bitbake')
+    if not bb_check:
+        bb.warn("bitbake binary is not found in PATH, did you source the script?")
    # Check whether 'inherit' directive is found (used for a class to inherit)
    # in conf file it's supposed to be uppercase INHERIT
    inherit = d.getVar('inherit')
@@ -860,13 +882,18 @@ def check_sanity_everybuild(status, d):
        except:
            pass
-    oeroot = d.getVar('COREBASE')
+    for checkdir in ['COREBASE', 'TMPDIR']:
-    if oeroot.find('+') != -1:
+        val = d.getVar(checkdir)
-        status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.")
+        if val.find('..') != -1:
-    if oeroot.find('@') != -1:
+            status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir)
-        status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.")
+        if val.find('+') != -1:
-    if oeroot.find(' ') != -1:
+            status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir)
-        status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.")
+        if val.find('@') != -1:
+            status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir)
+        if val.find(' ') != -1:
+            status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir)
+        if val.find('%') != -1:
+            status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." % checkdir)
    # Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS
    import re
diff --git a/meta/classes/scons.bbclass b/meta/classes/scons.bbclass
index 6b171ca8df..4f3ae502ef 100644
--- a/meta/classes/scons.bbclass
+++ b/meta/classes/scons.bbclass
@@ -5,7 +5,6 @@ DEPENDS += "python3-scons-native"
 EXTRA_OESCONS ?= ""
 do_configure() {
-        unset _PYTHON_SYSCONFIGDATA_NAME
        if [ -n "${CONFIGURESTAMPFILE}" ]; then
                if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then
                        ${STAGING_BINDIR_NATIVE}/scons --clean PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS}
@@ -17,13 +16,11 @@ do_configure() {
 }
 scons_do_compile() {
-        unset _PYTHON_SYSCONFIGDATA_NAME
        ${STAGING_BINDIR_NATIVE}/scons ${PARALLEL_MAKE} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} || \
        die "scons build execution failed."
 }
 scons_do_install() {
-        unset _PYTHON_SYSCONFIGDATA_NAME
        ${STAGING_BINDIR_NATIVE}/scons install_root=${D}${prefix} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} install || \
        die "scons install execution failed."
 }
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index a8ae75101d..d08d950e76 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -72,6 +72,7 @@ BB_HASHFILENAME = "False ${SSTATE_PKGSPEC} ${SSTATE_SWSPEC}"
 SSTATE_ARCHS = " \
    ${BUILD_ARCH} \
+    ${BUILD_ARCH}_${ORIGNATIVELSBSTRING} \
    ${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS} \
    ${BUILD_ARCH}_${TARGET_ARCH} \
    ${SDK_ARCH}_${SDK_OS} \
@@ -80,6 +81,7 @@ SSTATE_ARCHS = " \
    ${PACKAGE_ARCH} \
    ${PACKAGE_EXTRA_ARCHS} \
    ${MACHINE_ARCH}"
+SSTATE_ARCHS[vardepsexclude] = "ORIGNATIVELSBSTRING"
 SSTATE_MANMACH ?= "${SSTATE_PKGARCH}"
@@ -121,6 +123,8 @@ SSTATE_HASHEQUIV_REPORT_TASKDATA[doc] = "Report additional useful data to the \
 python () {
    if bb.data.inherits_class('native', d):
        d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False))
+        if d.getVar("PN") == "pseudo-native":
+            d.appendVar('SSTATE_PKGARCH', '_${ORIGNATIVELSBSTRING}')
    elif bb.data.inherits_class('crosssdk', d):
        d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}"))
    elif bb.data.inherits_class('cross', d):
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index f0a619b35b..8165ab268e 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -27,11 +27,15 @@ SYSROOT_DIRS_BLACKLIST = " \
    ${mandir} \
    ${docdir} \
    ${infodir} \
+    ${datadir}/X11/locale \
    ${datadir}/applications \
+    ${datadir}/bash-completion \
    ${datadir}/fonts \
    ${datadir}/gtk-doc/html \
+    ${datadir}/installed-tests \
    ${datadir}/locale \
    ${datadir}/pixmaps \
+    ${datadir}/terminfo \
    ${libdir}/${BPN}/ptest \
 "
diff --git a/meta/classes/systemd.bbclass b/meta/classes/systemd.bbclass
index 9e8a82c9f1..a4bff732b9 100644
--- a/meta/classes/systemd.bbclass
+++ b/meta/classes/systemd.bbclass
@@ -174,7 +174,8 @@ python systemd_populate_packages() {
                if path_found != '':
                    systemd_add_files_and_parse(pkg_systemd, path_found, service, keys)
                else:
-                    bb.fatal("SYSTEMD_SERVICE_%s value %s does not exist" % (pkg_systemd, service))
+                    bb.fatal("Didn't find service unit '{0}', specified in SYSTEMD_SERVICE_{1}. {2}".format(
+                        service, pkg_systemd, "Also looked for service unit '{0}'.".format(base) if base is not None else ""))
    def systemd_create_presets(pkg, action):
        presetf = oe.path.join(d.getVar("PKGD"), d.getVar("systemd_unitdir"), "system-preset/98-%s.preset" % pkg)
diff --git a/meta/conf/abi_version.conf b/meta/conf/abi_version.conf
index 5318a10190..251d43bb21 100644
--- a/meta/conf/abi_version.conf
+++ b/meta/conf/abi_version.conf
@@ -12,4 +12,4 @@ OELAYOUT_ABI = "14"
 # a reset of the equivalence, for example when reproducibility issues break the
 # existing match data. Distros can also append to this value for the same effect.
 #
-HASHEQUIV_HASH_VERSION  = "3"
+HASHEQUIV_HASH_VERSION  = "4"
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 0d38eac094..eb282d1741 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -685,17 +685,21 @@ SRC_URI = ""
 PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/"
 PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}"
 PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native"
-PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR},${WORKDIR}/pkgdata-sysroot,${TMPDIR}/sstate-control,${DEPLOY_DIR},${WORKDIR}/deploy-,${TMPDIR}/buildstats,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/sstate-build-image_complete,${TMPDIR}/sysroots-components,${BUILDHISTORY_DIR},${TMPDIR}/pkgdata,${TOPDIR}/cache,${COREBASE}/scripts,${COREBASE}/meta,${CCACHE_DIR}"
+PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR}"
+PSEUDO_IGNORE_PATHS .= ",${TMPDIR}/sstate-control,${TMPDIR}/buildstats,${TMPDIR}/sysroots-components,${TMPDIR}/pkgdata"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/deploy-,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/pkgdata-sysroot"
+PSEUDO_IGNORE_PATHS .= ",${DEPLOY_DIR},${BUILDHISTORY_DIR},${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}"
 export PSEUDO_DISABLED = "1"
 #export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}"
 #export PSEUDO_BINDIR = "${STAGING_DIR_NATIVE}${bindir_native}"
 #export PSEUDO_LIBDIR = "${STAGING_DIR_NATIVE}$PSEUDOBINDIR/../lib/pseudo/lib
-FAKEROOTBASEENV = "PSEUDO_BINDIR=${PSEUDO_SYSROOT}${bindir_native} PSEUDO_LIBDIR=${PSEUDO_SYSROOT}${prefix_native}/lib/pseudo/lib PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_IGNORE_PATHS=${PSEUDO_IGNORE_PATHS} PSEUDO_DISABLED=1"
+FAKEROOTBASEENV = "PSEUDO_BINDIR=${PSEUDO_SYSROOT}${bindir_native} PSEUDO_LIBDIR=${PSEUDO_SYSROOT}${prefix_native}/lib/pseudo/lib PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=1 PYTHONDONTWRITEBYTECODE=1"
 FAKEROOTCMD = "${PSEUDO_SYSROOT}${bindir_native}/pseudo"
-FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_IGNORE_PATHS=${PSEUDO_IGNORE_PATHS} PSEUDO_DISABLED=0"
+FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=0"
 FAKEROOTNOENV = "PSEUDO_UNLOAD=1"
 FAKEROOTDIRS = "${PSEUDO_LOCALSTATEDIR}"
+FAKEROOTLOGS = "${WORKDIR}/pseudo/pseudo.log"
 PREFERRED_PROVIDER_virtual/fakeroot-native ?= "pseudo-native"
 ##################################################################
diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc
index ce13368c2e..e0a876dbdc 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -60,6 +60,7 @@ PTESTS_FAST_remove_mips64 = "qemu-ptest"
 #    bash-ptest \ # Test outcomes are non-deterministic by design
 #    ifupdown-ptest \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py
 #    mdadm-ptest \ # Tests rely on non-deterministic sleep() amounts
+#    libinput-ptest \ # Tests need an unloaded system to be reliable
 #"
 PTESTS_SLOW = "\
@@ -72,7 +73,6 @@ PTESTS_SLOW = "\
    glib-2.0-ptest \
    gstreamer1.0-ptest \
    libevent-ptest \
-    libinput-ptest \
    lttng-tools-ptest \
    openssh-ptest \
    openssl-ptest \
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 69b6edee5f..a2a2dd18ec 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
-UNINATIVE_MAXGLIBCVERSION = "2.32"
+UNINATIVE_MAXGLIBCVERSION = "2.33"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.0/"
-UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
+UNINATIVE_CHECKSUM[aarch64] ?= "1c668909098c5b56132067adc69a249cb771f4560428e5822de903a12d97bf33"
-UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
+UNINATIVE_CHECKSUM[i686] ?= "e6cc2fc056234cffa6a2ff084cce27d544ea3f487a62b5e253351cefd4421900"
-UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
+UNINATIVE_CHECKSUM[x86_64] ?= "5ec5a9276046e7eceeac749a18b175667384e1f445cd4526300a41404d985a5b"
diff --git a/meta/conf/machine/include/qemu.inc b/meta/conf/machine/include/qemu.inc
index 8dedb1a42d..7d0a6fe458 100644
--- a/meta/conf/machine/include/qemu.inc
+++ b/meta/conf/machine/include/qemu.inc
@@ -21,7 +21,7 @@ RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""
 # Use a common kernel recipe for all QEMU machines
 PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
-EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
+EXTRA_IMAGEDEPENDS += "qemu-system-native qemu-helper-native"
 # Provide the nfs server kernel module for all qemu images
 KERNEL_FEATURES_append_pn-linux-yocto = " features/nfsd/nfsd-enable.scc"
diff --git a/meta/files/fs-perms-persistent-log.txt b/meta/files/fs-perms-persistent-log.txt
index 3a7cf3ab94..518c1be3c9 100644
--- a/meta/files/fs-perms-persistent-log.txt
+++ b/meta/files/fs-perms-persistent-log.txt
@@ -41,7 +41,7 @@ ${includedir}		0755	root	root	true	0644	root	root
 ${oldincludedir}        0755    root    root    true    0644    root    root
 # Cleanup debug src
-/usr/src/debug          0755    root    root    true    -       root    root
+/usr/src/debug          0755    root    root    true    0644    root    root
 # Items from base-files
 # Links
diff --git a/meta/files/fs-perms.txt b/meta/files/fs-perms.txt
index c8c3ac5dbe..daa4aed840 100644
--- a/meta/files/fs-perms.txt
+++ b/meta/files/fs-perms.txt
@@ -41,7 +41,7 @@ ${includedir}		0755	root	root	true	0644	root	root
 ${oldincludedir}        0755    root    root    true    0644    root    root
 # Cleanup debug src
-/usr/src/debug          0755    root    root    true    -       root    root
+/usr/src/debug          0755    root    root    true    0644    root    root
 # Items from base-files
 # Links
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index bea6d4189a..dd9342758b 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -95,7 +95,7 @@ while getopts ":yd:npDRSl" OPT; do
                listcontents=1
                ;;
        *)
-                echo "Usage: $(basename $0) [-y] [-d <dir>]"
+                echo "Usage: $(basename "$0") [-y] [-d <dir>]"
                echo "  -y         Automatic yes to all prompts"
                echo "  -d <dir>   Install the SDK to <dir>"
                echo "======== Extensible SDK only options ============"
@@ -111,17 +111,17 @@ while getopts ":yd:npDRSl" OPT; do
        esac
 done
-payload_offset=$(($(grep -na -m1 "^MARKER:$" $0|cut -d':' -f1) + 1))
+payload_offset=$(($(grep -na -m1 "^MARKER:$" "$0"|cut -d':' -f1) + 1))
 if [ "$listcontents" = "1" ] ; then
    if [ @SDK_ARCHIVE_TYPE@ = "zip" ]; then
-        tail -n +$payload_offset $0 > sdk.zip
+        tail -n +$payload_offset "$0" > sdk.zip
        if unzip -l sdk.zip;then
            rm sdk.zip
        else
            rm sdk.zip && exit 1
        fi
    else
-        tail -n +$payload_offset $0| tar tvJ || exit 1
+        tail -n +$payload_offset "$0"| tar tvJ || exit 1
    fi
    exit
 fi
@@ -242,14 +242,14 @@ fi
 printf "Extracting SDK..."
 if [ @SDK_ARCHIVE_TYPE@ = "zip" ]; then
-    tail -n +$payload_offset $0 > sdk.zip
+    tail -n +$payload_offset "$0" > sdk.zip
    if $SUDO_EXEC unzip $EXTRA_TAR_OPTIONS sdk.zip -d $target_sdk_dir;then
        rm sdk.zip
    else
        rm sdk.zip && exit 1
    fi
 else
-    tail -n +$payload_offset $0| $SUDO_EXEC tar mxJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
+    tail -n +$payload_offset "$0"| $SUDO_EXEC tar mxJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
 fi
 echo "done"
diff --git a/meta/files/toolchain-shar-relocate.sh b/meta/files/toolchain-shar-relocate.sh
index e3c10018ef..5433741296 100644
--- a/meta/files/toolchain-shar-relocate.sh
+++ b/meta/files/toolchain-shar-relocate.sh
@@ -55,8 +55,11 @@ fi
 for replace in "$target_sdk_dir -maxdepth 1" "$native_sysroot"; do
        $SUDO_EXEC find $replace -type f
 done | xargs -n100 file | grep ":.*\(ASCII\|script\|source\).*text" | \
-    awk -F':' '{printf "\"%s\"\n", $1}' | \
+    awk -F': ' '{printf "\"%s\"\n", $1}' | \
-    grep -Ev "$target_sdk_dir/(environment-setup-*|relocate_sdk*|${0##*/})" | \
+    grep -Fv -e "$target_sdk_dir/environment-setup-" \
+             -e "$target_sdk_dir/relocate_sdk" \
+             -e "$target_sdk_dir/post-relocate-setup" \
+             -e "$target_sdk_dir/${0##*/}" | \
    xargs -n100 $SUDO_EXEC sed -i \
        -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:g" \
        -e "s:^#! */usr/bin/perl.*:#! /usr/bin/env perl:g" \
diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py
index 31a84f5b06..d97bf9d1b9 100644
--- a/meta/lib/oe/copy_buildsystem.py
+++ b/meta/lib/oe/copy_buildsystem.py
@@ -20,7 +20,7 @@ def _smart_copy(src, dest):
    mode = os.stat(src).st_mode
    if stat.S_ISDIR(mode):
        bb.utils.mkdirhier(dest)
-        cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \
+        cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \
        | tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest)
        subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
    else:
@@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac
    bb.note('Generating sstate-cache...')
    nativelsbstring = d.getVar('NATIVELSBSTRING')
-    bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
+    bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
    if fixedlsbstring and nativelsbstring != fixedlsbstring:
        nativedir = output_sstate_cache + '/' + nativelsbstring
        if os.path.isdir(nativedir):
@@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo
        logparam = '-l %s' % logfile
    else:
        logparam = ''
-    cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
+    cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
    env = dict(d.getVar('BB_ORIGENV', False))
    env.pop('BUILDDIR', '')
    env.pop('BBPATH', '')
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
new file mode 100644
index 0000000000..a1d7c292af
--- /dev/null
+++ b/meta/lib/oe/cve_check.py
@@ -0,0 +1,65 @@
+import collections
+import re
+import itertools
+import functools
+_Version = collections.namedtuple(
+    "_Version", ["release", "patch_l", "pre_l", "pre_v"]
+)
+@functools.total_ordering
+class Version():
+    def __init__(self, version, suffix=None):
+        suffixes = ["alphabetical", "patch"]
+        if str(suffix) == "alphabetical":
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        elif str(suffix) == "patch":
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        else:
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
+        match = regex.search(version)
+        if not match:
+            raise Exception("Invalid version: '{0}'".format(version))
+        self._version = _Version(
+            release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
+            patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
+            pre_l=match.group("pre_l"),
+            pre_v=match.group("pre_v")
+        )
+        self._key = _cmpkey(
+            self._version.release,
+            self._version.patch_l,
+            self._version.pre_l,
+            self._version.pre_v
+        )
+    def __eq__(self, other):
+        if not isinstance(other, Version):
+            return NotImplemented
+        return self._key == other._key
+    def __gt__(self, other):
+        if not isinstance(other, Version):
+            return NotImplemented
+        return self._key > other._key
+def _cmpkey(release, patch_l, pre_l, pre_v):
+    # remove leading 0
+    _release = tuple(
+        reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
+    )
+    _patch = patch_l.upper()
+    if pre_l is None and pre_v is None:
+        _pre = float('inf')
+    else:
+        _pre = float(pre_v) if pre_v else float('-inf')
+    return _release, _patch, _pre
diff --git a/meta/lib/oe/package_manager/__init__.py b/meta/lib/oe/package_manager/__init__.py
index 42225a3b2e..26f9f82aaa 100644
--- a/meta/lib/oe/package_manager/__init__.py
+++ b/meta/lib/oe/package_manager/__init__.py
@@ -189,7 +189,7 @@ class PackageManager(object, metaclass=ABCMeta):
        bb.utils.remove(self.intercepts_dir, True)
        bb.utils.mkdirhier(self.intercepts_dir)
        for intercept in postinst_intercepts:
-            bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+            shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
    @abstractmethod
    def _handle_intercept_failure(self, failed_script):
diff --git a/meta/lib/oe/package_manager/deb/__init__.py b/meta/lib/oe/package_manager/deb/__init__.py
index 26157f591a..0f9b27f831 100644
--- a/meta/lib/oe/package_manager/deb/__init__.py
+++ b/meta/lib/oe/package_manager/deb/__init__.py
@@ -312,6 +312,12 @@ class DpkgPM(OpkgDpkgPM):
        if not pkgs:
            return
+        os.environ['D'] = self.target_rootfs
+        os.environ['OFFLINE_ROOT'] = self.target_rootfs
+        os.environ['IPKG_OFFLINE_ROOT'] = self.target_rootfs
+        os.environ['OPKG_OFFLINE_ROOT'] = self.target_rootfs
+        os.environ['INTERCEPT_DIR'] = self.intercepts_dir
        if with_dependencies:
            os.environ['APT_CONFIG'] = self.apt_conf_file
            cmd = "%s purge %s" % (self.apt_get_cmd, ' '.join(pkgs))
diff --git a/meta/lib/oe/package_manager/deb/sdk.py b/meta/lib/oe/package_manager/deb/sdk.py
index b25eb70b00..76548b06f0 100644
--- a/meta/lib/oe/package_manager/deb/sdk.py
+++ b/meta/lib/oe/package_manager/deb/sdk.py
@@ -65,6 +65,8 @@ class DpkgSdk(Sdk):
        self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY'))
+        self.target_pm.run_pre_post_installs()
        self.target_pm.run_intercepts(populate_sdk='target')
        execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND"))
@@ -78,6 +80,8 @@ class DpkgSdk(Sdk):
        self._populate_sysroot(self.host_pm, self.host_manifest)
        self.install_locales(self.host_pm)
+        self.host_pm.run_pre_post_installs()
        self.host_pm.run_intercepts(populate_sdk='host')
        execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 40755fbb03..8ad70f53f1 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -38,15 +38,19 @@ def runcmd(args, dir = None):
        args = [ pipes.quote(str(arg)) for arg in args ]
        cmd = " ".join(args)
        # print("cmd: %s" % cmd)
-        (exitstatus, output) = subprocess.getstatusoutput(cmd)
+        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+        stdout, stderr = proc.communicate()
+        stdout = stdout.decode('utf-8')
+        stderr = stderr.decode('utf-8')
+        exitstatus = proc.returncode
        if exitstatus != 0:
-            raise CmdError(cmd, exitstatus >> 8, output)
+            raise CmdError(cmd, exitstatus >> 8, "stdout: %s\nstderr: %s" % (stdout, stderr))
-        if " fuzz " in output and "Hunk " in output:
+        if " fuzz " in stdout and "Hunk " in stdout:
            # Drop patch fuzz info with header and footer to log file so
            # insane.bbclass can handle to throw error/warning
-            bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(output))
+            bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(stdout))
-        return output
+        return stdout
    finally:
        if dir:
diff --git a/meta/lib/oe/path.py b/meta/lib/oe/path.py
index 082972457b..c8d8ad05b9 100644
--- a/meta/lib/oe/path.py
+++ b/meta/lib/oe/path.py
@@ -320,3 +320,24 @@ def which_wild(pathname, path=None, mode=os.F_OK, *, reverse=False, candidates=F
    return files
+def canonicalize(paths, sep=','):
+    """Given a string with paths (separated by commas by default), expand
+    each path using os.path.realpath() and return the resulting paths as a
+    string (separated using the same separator a the original string).
+    """
+    # Ignore paths containing "$" as they are assumed to be unexpanded bitbake
+    # variables. Normally they would be ignored, e.g., when passing the paths
+    # through the shell they would expand to empty strings. However, when they
+    # are passed through os.path.realpath(), it will cause them to be prefixed
+    # with the absolute path to the current directory and thus not be empty
+    # anymore.
+    #
+    # Also maintain trailing slashes, as the paths may actually be used as
+    # prefixes in sting compares later on, where the slashes then are important.
+    canonical_paths = []
+    for path in (paths or '').split(sep):
+        if '$' not in path:
+            trailing_slash = path.endswith('/') and '/' or ''
+            canonical_paths.append(os.path.realpath(path) + trailing_slash)
+    return sep.join(canonical_paths)
diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py
index 2d3c9c7e50..fcdbe66c19 100644
--- a/meta/lib/oe/prservice.py
+++ b/meta/lib/oe/prservice.py
@@ -3,10 +3,6 @@
 #
 def prserv_make_conn(d, check = False):
-    # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with:
-    # No module named '_sysconfigdata'
-    if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ:
-        del os.environ['_PYTHON_SYSCONFIGDATA_NAME']
    import prserv.serv
    host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f])
    try:
diff --git a/meta/lib/oe/recipeutils.py b/meta/lib/oe/recipeutils.py
index ef69ef207f..407d168894 100644
--- a/meta/lib/oe/recipeutils.py
+++ b/meta/lib/oe/recipeutils.py
@@ -409,7 +409,7 @@ def copy_recipe_files(d, tgt_dir, whole_dir=False, download=True, all_variants=F
                fetch.download()
            for pth in fetch.localpaths():
                if pth not in localpaths:
-                    localpaths.append(pth)
+                    localpaths.append(os.path.abspath(pth))
            uri_values.append(srcuri)
    fetch_urls(d)
diff --git a/meta/lib/oe/reproducible.py b/meta/lib/oe/reproducible.py
index 421bb12f54..0fb02ccdb0 100644
--- a/meta/lib/oe/reproducible.py
+++ b/meta/lib/oe/reproducible.py
@@ -47,7 +47,7 @@ def find_git_folder(d, sourcedir):
    return None
 def get_source_date_epoch_from_git(d, sourcedir):
-    if not "git://" in d.getVar('SRC_URI'):
+    if not "git://" in d.getVar('SRC_URI') and not "gitsm://" in d.getVar('SRC_URI'):
        return None
    gitpath = find_git_folder(d, sourcedir)
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index 64fb84ec92..31a6140984 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -439,7 +439,7 @@ def find_sstate_manifest(taskdata, taskdata2, taskname, d, multilibcache):
        d2 = multilibcache[variant]
    if taskdata.endswith("-native"):
-        pkgarchs = ["${BUILD_ARCH}"]
+        pkgarchs = ["${BUILD_ARCH}", "${BUILD_ARCH}_${ORIGNATIVELSBSTRING}"]
    elif taskdata.startswith("nativesdk-"):
        pkgarchs = ["${SDK_ARCH}_${SDK_OS}", "allarch"]
    elif "-cross-canadian" in taskdata:
@@ -557,9 +557,11 @@ def OEOuthashBasic(path, sigfile, task, d):
                    try:
                        update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
                        update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
-                    except KeyError:
+                    except KeyError as e:
                        bb.warn("KeyError in %s" % path)
-                        raise
+                        msg = ("KeyError: %s\nPath %s is owned by uid %d, gid %d, which doesn't match "
+                            "any user/group on target. This may be due to host contamination." % (e, path, s.st_uid, s.st_gid))
+                        raise Exception(msg).with_traceback(e.__traceback__)
                if include_timestamps:
                    update_hash(" %10d" % s.st_mtime)
diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py
index eb10a6e33e..2ac39df9e1 100644
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -163,7 +163,12 @@ class Tmux(Terminal):
        # devshells, if it's already there, add a new window to it.
        window_name = 'devshell-%i' % os.getpid()
-        self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name)
+        self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
+        if not check_tmux_version('1.9'):
+            # `tmux new-session -c` was added in 1.9;
+            # older versions fail with that flag
+            self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
+        self.command = self.command.format(window_name)
        Terminal.__init__(self, sh_cmd, title, env, d)
        attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +258,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None):
        except OSError:
           return
+def check_tmux_version(desired):
+    vernum = check_terminal_version("tmux")
+    if vernum and LooseVersion(vernum) < desired:
+        return False
+    return vernum
 def check_tmux_pane_size(tmux):
    import subprocess as sub
    # On older tmux versions (<1.9), return false. The reason
    # is that there is no easy way to get the height of the active panel
    # on current window without nested formats (available from version 1.9)
-    vernum = check_terminal_version("tmux")
+    if not check_tmux_version('1.9'):
-    if vernum and LooseVersion(vernum) < '1.9':
        return False
    try:
        p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index 468c76f30f..9a2187e36f 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -193,7 +193,7 @@ def parallel_make(d, makeinst=False):
        return int(v)
-    return None
+    return ''
 def parallel_make_argument(d, fmt, limit=None, makeinst=False):
    """
diff --git a/meta/lib/oeqa/manual/oe-core.json b/meta/lib/oeqa/manual/oe-core.json
index fb47c5ec36..4ad524d89b 100644
--- a/meta/lib/oeqa/manual/oe-core.json
+++ b/meta/lib/oeqa/manual/oe-core.json
@@ -80,7 +80,7 @@
          "expected_results": ""
        },
        "7": {
-          "action": "Run command:./configure && make ",
+          "action": "Run command:./configure ${CONFIGUREOPTS} && make ",
          "expected_results": "Verify that \"matchbox-desktop\" binary file was created successfully under \"src/\" directory "
        },
        "8": {
diff --git a/meta/lib/oeqa/runtime/cases/df.py b/meta/lib/oeqa/runtime/cases/df.py
index 89fd0fb901..bb155c9cf9 100644
--- a/meta/lib/oeqa/runtime/cases/df.py
+++ b/meta/lib/oeqa/runtime/cases/df.py
@@ -4,12 +4,14 @@
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfDataVar, skipIfInDataVar
 from oeqa.runtime.decorator.package import OEHasPackage
 class DfTest(OERuntimeTestCase):
    @OETestDepends(['ssh.SSHTest.test_ssh'])
    @OEHasPackage(['coreutils', 'busybox'])
+    @skipIfInDataVar('IMAGE_FEATURES', 'read-only-rootfs', 'Test case df requires a writable rootfs')
    def test_df(self):
        cmd = "df -P / | sed -n '2p' | awk '{print $4}'"
        (status,output) = self.target.run(cmd)
diff --git a/meta/lib/oeqa/runtime/cases/pam.py b/meta/lib/oeqa/runtime/cases/pam.py
index 271a1943e3..a482ded945 100644
--- a/meta/lib/oeqa/runtime/cases/pam.py
+++ b/meta/lib/oeqa/runtime/cases/pam.py
@@ -8,11 +8,14 @@
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
 from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.runtime.decorator.package import OEHasPackage
 class PamBasicTest(OERuntimeTestCase):
    @skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES')
    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    @OEHasPackage(['shadow'])
+    @OEHasPackage(['shadow-base'])
    def test_pam(self):
        status, output = self.target.run('login --help')
        msg = ('login command does not work as expected. '
diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py
index e91f0bd18f..b1b9ea7e55 100644
--- a/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase):
 class DiskMonTest(OESelftestTestCase):
    def test_stoptask_behavior(self):
-        self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
        res = bitbake("delay -c delay", ignore_status = True)
        self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
        self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
-        self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
        res = bitbake("delay -c delay", ignore_status = True)
        self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
        self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
-        self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+        self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
        res = bitbake("delay -c delay")
        self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
new file mode 100644
index 0000000000..d1947baffc
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -0,0 +1,44 @@
+from oe.cve_check import Version
+from oeqa.selftest.case import OESelftestTestCase
+class CVECheck(OESelftestTestCase):
+    def test_version_compare(self):
+        result = Version("100") > Version("99")
+        self.assertTrue( result, msg="Failed to compare version '100' > '99'")
+        result = Version("2.3.1") > Version("2.2.3")
+        self.assertTrue( result, msg="Failed to compare version '2.3.1' > '2.2.3'")
+        result = Version("2021-01-21") > Version("2020-12-25")
+        self.assertTrue( result, msg="Failed to compare version '2021-01-21' > '2020-12-25'")
+        result = Version("1.2-20200910") < Version("1.2-20200920")
+        self.assertTrue( result, msg="Failed to compare version '1.2-20200910' < '1.2-20200920'")
+        result = Version("1.0") >= Version("1.0beta")
+        self.assertTrue( result, msg="Failed to compare version '1.0' >= '1.0beta'")
+        result = Version("1.0-rc2") > Version("1.0-rc1")
+        self.assertTrue( result, msg="Failed to compare version '1.0-rc2' > '1.0-rc1'")
+        result = Version("1.0.alpha1") < Version("1.0")
+        self.assertTrue( result, msg="Failed to compare version '1.0.alpha1' < '1.0'")
+        result = Version("1.0_dev") <= Version("1.0")
+        self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'")
+        # ignore "p1" and "p2", so these should be equal
+        result = Version("1.0p2") == Version("1.0p1")
+        self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'")
+        # ignore the "b" and "r"
+        result = Version("1.0b") == Version("1.0r")
+        self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'")
+        # consider the trailing alphabet as patched level when comparing
+        result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
+        result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
+        # consider the trailing "p" and "patch" as patched released when comparing
+        result = Version("1.0","patch") < Version("1.0p1","patch")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'")
+        result = Version("1.0p2","patch") > Version("1.0p1","patch")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'")
+        result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index d3d2e04c20..4eba23890f 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -57,7 +57,7 @@ def setUpModule():
                        if relpth.endswith('/'):
                            destdir = os.path.join(corecopydir, relpth)
                            # avoid race condition by not copying .pyc files YPBZ#13421,13803
-                            shutil.copytree(pth, destdir, ignore=ignore_patterns('*.pyc', '__pycache__'))
+                            shutil.copytree(pth, destdir, ignore=shutil.ignore_patterns('*.pyc', '__pycache__'))
                        else:
                            destdir = os.path.join(corecopydir, os.path.dirname(relpth))
                            bb.utils.mkdirhier(destdir)
@@ -269,7 +269,7 @@ class DevtoolAddTests(DevtoolBase):
        self.track_for_cleanup(tempdir)
        pn = 'pv'
        pv = '1.5.3'
-        url = 'http://www.ivarch.com/programs/sources/pv-1.5.3.tar.bz2'
+        url = 'http://downloads.yoctoproject.org/mirror/sources/pv-1.5.3.tar.bz2'
        result = runCmd('wget %s' % url, cwd=tempdir)
        result = runCmd('tar xfv %s' % os.path.basename(url), cwd=tempdir)
        srcdir = os.path.join(tempdir, '%s-%s' % (pn, pv))
diff --git a/meta/lib/oeqa/selftest/cases/pseudo.py b/meta/lib/oeqa/selftest/cases/pseudo.py
new file mode 100644
index 0000000000..33593d5ce9
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/pseudo.py
@@ -0,0 +1,27 @@
+#
+# SPDX-License-Identifier: MIT
+#
+import glob
+import os
+import shutil
+from oeqa.utils.commands import bitbake, get_test_layer
+from oeqa.selftest.case import OESelftestTestCase
+class Pseudo(OESelftestTestCase):
+    def test_pseudo_pyc_creation(self):
+        self.write_config("")
+        metaselftestpath = get_test_layer()
+        pycache_path = os.path.join(metaselftestpath, 'lib/__pycache__')
+        if os.path.exists(pycache_path):
+            shutil.rmtree(pycache_path)
+        bitbake('pseudo-pyc-test -c install')
+        test1_pyc_present = len(glob.glob(os.path.join(pycache_path, 'pseudo_pyc_test1.*.pyc')))
+        self.assertTrue(test1_pyc_present, 'test1 pyc file missing, should be created outside of pseudo context.')
+        test2_pyc_present = len(glob.glob(os.path.join(pycache_path, 'pseudo_pyc_test2.*.pyc')))
+        self.assertFalse(test2_pyc_present, 'test2 pyc file present, should not be created in pseudo context.')
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index a7ef336143..cd7be7d436 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -68,7 +68,7 @@ def compare_file(reference, test, diffutils_sysroot):
        result.status = MISSING
        return result
-    r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True)
+    r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True, sync=False)
    if r.status:
        result.status = DIFFERENT
@@ -184,9 +184,10 @@ class ReproducibleTests(OESelftestTestCase):
            # mirror, forcing a complete build from scratch
            config += textwrap.dedent('''\
                SSTATE_DIR = "${TMPDIR}/sstate"
-                SSTATE_MIRROR = ""
+                SSTATE_MIRRORS = ""
                ''')
+        self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT'))
        self.write_config(config)
        d = get_bb_vars(capture_vars)
        bitbake(' '.join(self.images))
@@ -213,6 +214,7 @@ class ReproducibleTests(OESelftestTestCase):
            self.logger.info('Non-reproducible packages will be copied to %s', save_dir)
        vars_A = self.do_test_build('reproducibleA', self.build_from_sstate)
        vars_B = self.do_test_build('reproducibleB', False)
        # NOTE: The temp directories from the reproducible build are purposely
@@ -227,6 +229,7 @@ class ReproducibleTests(OESelftestTestCase):
                deploy_A = vars_A['DEPLOY_DIR_' + c.upper()]
                deploy_B = vars_B['DEPLOY_DIR_' + c.upper()]
+                self.logger.info('Checking %s packages for differences...' % c)
                result = self.compare_packages(deploy_A, deploy_B, diffutils_sysroot)
                self.logger.info('Reproducibility summary for %s: %s' % (c, result))
diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index 206168ed00..a51c6048d3 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -100,9 +100,11 @@ class TinfoilTests(OESelftestTestCase):
            eventreceived = False
            commandcomplete = False
            start = time.time()
-            # Wait for 10s in total so we'd detect spurious heartbeat events for example
+            # Wait for maximum 60s in total so we'd detect spurious heartbeat events for example
            # The test is IO load sensitive too
-            while time.time() - start < 10:
+            while (not (eventreceived == True and commandcomplete == True) 
+                    and (time.time() - start < 60)):
+                # if we received both events (on let's say a good day), we are done  
                event = tinfoil.wait_event(1)
                if event:
                    if isinstance(event, bb.command.CommandCompleted):
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index 714637ec1e..39c6828f59 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -318,6 +318,7 @@ class Wic(WicTestCase):
                                   "--image-name=core-image-minimal "
                                   "-D -o %s" % self.resultdir)
        self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct")))
+        self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*")))
    def test_debug_long(self):
        """Test --debug option"""
@@ -325,6 +326,7 @@ class Wic(WicTestCase):
                                   "--image-name=core-image-minimal "
                                   "--debug -o %s" % self.resultdir)
        self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct")))
+        self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*")))
    def test_skip_build_check_short(self):
        """Test -s option"""
@@ -588,6 +590,9 @@ part / --source rootfs  --fstype=ext4 --include-path %s --include-path core-imag
    def test_permissions(self):
        """Test permissions are respected"""
+        # prepare wicenv and rootfs
+        bitbake('core-image-minimal core-image-minimal-mtdutils -c do_rootfs_wicenv')
        oldpath = os.environ['PATH']
        os.environ['PATH'] = get_bb_var("PATH", "wic-tools")
@@ -621,6 +626,19 @@ part /etc --source rootfs --fstype=ext4 --change-directory=etc
                    res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
                    self.assertEqual(True, files_own_by_root(res.output))
+                config = 'IMAGE_FSTYPES += "wic"\nWKS_FILE = "%s"\n' % wks_file
+                self.append_config(config)
+                bitbake('core-image-minimal')
+                tmpdir = os.path.join(get_bb_var('WORKDIR', 'core-image-minimal'),'build-wic')
+                # check each partition for permission
+                for part in glob(os.path.join(tmpdir, 'temp-*.direct.p*')):
+                    res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
+                    self.assertTrue(files_own_by_root(res.output)
+                        ,msg='Files permission incorrect using wks set "%s"' % test)
+                # clean config and result directory for next cases
+                self.remove_config(config)
                rmtree(self.resultdir, ignore_errors=True)
        finally:
@@ -961,14 +979,18 @@ class Wic2(WicTestCase):
    @only_for_arch(['i586', 'i686', 'x86_64'])
    def test_rawcopy_plugin_qemu(self):
        """Test rawcopy plugin in qemu"""
-        # build ext4 and wic images
+        # build ext4 and then use it for a wic image
-        for fstype in ("ext4", "wic"):
+        config = 'IMAGE_FSTYPES = "ext4"\n'
-            config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype
+        self.append_config(config)
-            self.append_config(config)
+        self.assertEqual(0, bitbake('core-image-minimal').status)
-            self.assertEqual(0, bitbake('core-image-minimal').status)
+        self.remove_config(config)
-            self.remove_config(config)
-        with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu:
+        config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n'
+        self.append_config(config)
+        self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status)
+        self.remove_config(config)
+        with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu:
            cmd = "grep sda. /proc/partitions  |wc -l"
            status, output = qemu.run_serial(cmd)
            self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
diff --git a/meta/lib/oeqa/selftest/context.py b/meta/lib/oeqa/selftest/context.py
index dd3609c1d6..1659926975 100644
--- a/meta/lib/oeqa/selftest/context.py
+++ b/meta/lib/oeqa/selftest/context.py
@@ -34,7 +34,7 @@ class NonConcurrentTestSuite(unittest.TestSuite):
        (builddir, newbuilddir) = self.setupfunc("-st", None, self.suite)
        ret = super().run(result)
        os.chdir(builddir)
-        if newbuilddir and ret.wasSuccessful():
+        if newbuilddir and ret.wasSuccessful() and self.removefunc:
            self.removefunc(newbuilddir)
 def removebuilddir(d):
@@ -54,7 +54,7 @@ def removebuilddir(d):
    bb.utils.prunedir(d, ionice=True)
 class OESelftestTestContext(OETestContext):
-    def __init__(self, td=None, logger=None, machines=None, config_paths=None, newbuilddir=None):
+    def __init__(self, td=None, logger=None, machines=None, config_paths=None, newbuilddir=None, keep_builddir=None):
        super(OESelftestTestContext, self).__init__(td, logger)
        self.machines = machines
@@ -62,6 +62,11 @@ class OESelftestTestContext(OETestContext):
        self.config_paths = config_paths
        self.newbuilddir = newbuilddir
+        if keep_builddir:
+            self.removebuilddir = None
+        else:
+            self.removebuilddir = removebuilddir
    def setup_builddir(self, suffix, selftestdir, suite):
        builddir = os.environ['BUILDDIR']
        if not selftestdir:
@@ -119,9 +124,9 @@ class OESelftestTestContext(OETestContext):
        if processes:
            from oeqa.core.utils.concurrencytest import ConcurrentTestSuite
-            return ConcurrentTestSuite(suites, processes, self.setup_builddir, removebuilddir)
+            return ConcurrentTestSuite(suites, processes, self.setup_builddir, self.removebuilddir)
        else:
-            return NonConcurrentTestSuite(suites, processes, self.setup_builddir, removebuilddir)
+            return NonConcurrentTestSuite(suites, processes, self.setup_builddir, self.removebuilddir)
    def runTests(self, processes=None, machine=None, skips=[]):
        if machine:
@@ -179,6 +184,9 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
                action='append', default=None,
                help='Exclude all (unhidden) tests that match any of the specified tag(s). (exclude applies before select)')
+        parser.add_argument('-K', '--keep-builddir', action='store_true',
+                help='Keep the test build directory even if all tests pass')
        parser.add_argument('-B', '--newbuilddir', help='New build directory to use for tests.')
        parser.add_argument('-v', '--verbose', action='store_true')
        parser.set_defaults(func=self.run)
@@ -236,6 +244,7 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
        self.tc_kwargs['init']['config_paths']['localconf'] = os.path.join(builddir, "conf/local.conf")
        self.tc_kwargs['init']['config_paths']['bblayers'] = os.path.join(builddir, "conf/bblayers.conf")
        self.tc_kwargs['init']['newbuilddir'] = args.newbuilddir
+        self.tc_kwargs['init']['keep_builddir'] = args.keep_builddir
        def tag_filter(tags):
            if args.exclude_tags:
diff --git a/meta/lib/oeqa/utils/commands.py b/meta/lib/oeqa/utils/commands.py
index 8059cbce3e..a71c16ab14 100644
--- a/meta/lib/oeqa/utils/commands.py
+++ b/meta/lib/oeqa/utils/commands.py
@@ -125,11 +125,11 @@ class Command(object):
    def stop(self):
        for thread in self.threads:
-            if thread.isAlive():
+            if thread.is_alive():
                self.process.terminate()
            # let's give it more time to terminate gracefully before killing it
            thread.join(5)
-            if thread.isAlive():
+            if thread.is_alive():
                self.process.kill()
                thread.join()
@@ -188,7 +188,10 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=T
    # call sync around the tests to ensure the IO queue doesn't get too large, taking any IO
    # hit here rather than in bitbake shutdown.
    if sync:
+        p = os.environ['PATH']
+        os.environ['PATH'] = "/usr/bin:/bin:/usr/sbin:/sbin:" + p
        os.system("sync")
+        os.environ['PATH'] = p
    result.command = command
    result.status = cmd.status
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
index 896a2145d4..7214ead9a7 100644
--- a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -30,7 +30,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Upstream-Status: Backport
-CVE: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+CVE: CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
 Reference to upstream patch:
 https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
new file mode 100644
index 0000000000..3c1f562c71
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -0,0 +1,56 @@
+The output in moddep.lst generated from syminfo.lst using genmoddep.awk is
+not deterministic since the order of the dependencies on each line can vary
+depending on how awk sorts the values in the array.
+Be deterministic in the output by sorting the dependencies on each line.
+Also, the output of the SOURCES lines in grub-core/Makefile.core.am, generated
+from grub-core/Makefile.core.def with gentpl.py is not deterministic due to
+missing sorting of the list used to generate it. Add such a sort.
+Also ensure the generated unidata.c file is deterministic by sorting the
+keys of the dict.
+Upstream-Status: Pending
+Richard Purdie <richard.purdie@linuxfoundation.org>
+Index: grub-2.04/grub-core/genmoddep.awk
+===================================================================
+--- grub-2.04.orig/grub-core/genmoddep.awk
+++ grub-2.04/grub-core/genmoddep.awk
+@@ -59,7 +59,9 @@ END {
+     }
+     modlist = ""
+     depcount[mod] = 0
+-    for (depmod in uniqmods) {
+    n = asorti(uniqmods, w)
+    for (i = 1; i <= n; i++) {
+      depmod = w[i]
+       modlist = modlist " " depmod;
+       inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod
+       depcount[mod]++
+Index: grub-2.04/gentpl.py
+===================================================================
+--- grub-2.04.orig/gentpl.py
+++ grub-2.04/gentpl.py
+@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platfor
+     for group in RMAP[platform]:
+         for value in defn.find_all(group + suffix):
+             r.append(closure(value))
+    r.sort()
+     return ''.join(r)
+ 
+ def platform_conditional(platform, closure):
+Index: grub-2.04/util/import_unicode.py
+===================================================================
+--- grub-2.04.orig/util/import_unicode.py
+++ grub-2.04/util/import_unicode.py
+@@ -174,7 +174,7 @@ infile.close ()
+ 
+ outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ")
+ 
+-for x in arabicsubst:
+for x in sorted(arabicsubst):
+     try:
+         if arabicsubst[x]['join'] == "DUAL":
+             outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4]))
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index ff17dbe8b7..95c25d78f9 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -27,6 +27,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://script-Remove-unused-fields-from-grub_script_functio.patch \
           file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
           file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
+           file://determinism.patch \
 "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools.inc b/meta/recipes-bsp/u-boot/u-boot-tools.inc
index 8ae290acc6..4ed936a70d 100644
--- a/meta/recipes-bsp/u-boot/u-boot-tools.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-tools.inc
@@ -23,6 +23,21 @@ SED_CONFIG_EFI_armeb = ''
 SED_CONFIG_EFI_aarch64 = ''
 do_compile () {
+        # Yes, this is crazy. If you build on a system with git < 2.14 from scratch, the tree will
+        # be marked as "dirty" and the version will include "-dirty", leading to a reproducibility problem.
+        # The issue is the inode count for Licnses/README changing due to do_populate_lic hardlinking a
+        # copy of the file. We avoid this by ensuring the index is updated with a "git diff" before the
+        # u-boot machinery tries to determine the version.
+        #
+        # build$ ../git/scripts/setlocalversion ../git
+        # ""
+        # build$ ln ../git/
+        # build$ ln ../git/README ../foo
+        # build$ ../git/scripts/setlocalversion ../git
+        # ""-dirty
+        # (i.e. creating a hardlink dirties the index)
+        cd ${S}; git diff; cd ${B}
        oe_runmake -C ${S} sandbox_defconfig O=${B}
        # Disable CONFIG_CMD_LICENSE, license.h is not used by tools and
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch
new file mode 100644
index 0000000000..98b8623139
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch
@@ -0,0 +1,29 @@
+From 5b671538216af78a0a7ef7464dc52ab2241ea7db Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Tue, 2 Mar 2021 14:03:49 +0000
+Subject: [PATCH] BIND Operational Notification: Zone journal (.jnl) file
+ incompatibility
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
+CVE: CVE-2020-8625
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ lib/dns/spnego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index 671838c..82fd49a 100644
+--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
+@@ -846,7 +846,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+                return (ASN1_OVERRUN);
+        }
+ 
+-       data->components = malloc(len * sizeof(*data->components));
+       data->components = malloc((len + 1) * sizeof(*data->components));
+        if (data->components == NULL) {
+                return (ENOMEM);
+        }
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/bind/bind_9.16.7.bb b/meta/recipes-connectivity/bind/bind_9.16.7.bb
index 5fc2c1d3cd..82c1bb66df 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.7.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2020-8625.patch \
           "
 SRC_URI[sha256sum] = "9f7d1812ebbd26a699f62b6fa8522d5dec57e4bf43af0042a0d60d39ed8314d1"
diff --git a/meta/recipes-connectivity/connman/connman_1.38.bb b/meta/recipes-connectivity/connman/connman_1.39.bb
index 027c41e9af..df42e9ffb8 100644
--- a/meta/recipes-connectivity/connman/connman_1.38.bb
+++ b/meta/recipes-connectivity/connman/connman_1.39.bb
@@ -9,8 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-SRC_URI[md5sum] = "1ed8745354c7254bdfd4def54833ee94"
+SRC_URI[sha256sum] = "9f62a7169b7491c670a1ff2e335b0d966308fb2f62e285c781105eb90f181af3"
-SRC_URI[sha256sum] = "cb30aca97c2f79ccaed8802aa2909ac5100a3969de74c0af8a9d73b85fc4932b"
 RRECOMMENDS_${PN} = "connman-conf"
 RCONFLICTS_${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
new file mode 100644
index 0000000000..226bc5b311
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
@@ -0,0 +1,27 @@
+From 9985a03f13da4d7bb0a433f7305d2ffae3d82a27 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 15:57:03 +0000
+Subject: [PATCH] src/lib/log/logger_unittest_support.cc: do not write build
+ path into binary
+This breaks reproducibility and is needed only in unit testing.
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ src/lib/log/logger_unittest_support.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/lib/log/logger_unittest_support.cc b/src/lib/log/logger_unittest_support.cc
+index 58dbef8..9a2929c 100644
+--- a/src/lib/log/logger_unittest_support.cc
+++ b/src/lib/log/logger_unittest_support.cc
+@@ -84,7 +84,7 @@ void initLogger(isc::log::Severity severity, int dbglevel) {
+     const char* localfile = getenv("KEA_LOGGER_LOCALMSG");
+ 
+     // Set a directory for creating lockfiles when running tests
+-    setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
+    //setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
+ 
+     // Initialize logging
+     initLogger(root, isc::log::DEBUG, isc::log::MAX_DEBUG_LEVEL, localfile);
diff --git a/meta/recipes-connectivity/kea/kea_1.7.10.bb b/meta/recipes-connectivity/kea/kea_1.7.10.bb
index c9a5819e47..dc4482adcc 100644
--- a/meta/recipes-connectivity/kea/kea_1.7.10.bb
+++ b/meta/recipes-connectivity/kea/kea_1.7.10.bb
@@ -7,18 +7,18 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=68d95543d2096459290a4e6b9ceccffa"
 DEPENDS = "boost log4cplus openssl"
-SRC_URI = "\
+SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
-    http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
+           file://0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch \
-    file://0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch \
+           file://kea-dhcp4.service \
-    file://kea-dhcp4.service \
+           file://kea-dhcp6.service \
-    file://kea-dhcp6.service \
+           file://kea-dhcp-ddns.service \
-    file://kea-dhcp-ddns.service \
+           file://kea-dhcp4-server \
-    file://kea-dhcp4-server \
+           file://kea-dhcp6-server \
-    file://kea-dhcp6-server \
+           file://kea-dhcp-ddns-server \
-    file://kea-dhcp-ddns-server \
+           file://fix-multilib-conflict.patch \
-    file://fix-multilib-conflict.patch \
+           file://fix_pid_keactrl.patch \
-    file://fix_pid_keactrl.patch \
+           file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
-"
+           "
 SRC_URI[sha256sum] = "4e121f0e58b175a827581c69cb1d60778647049fa47f142940dddc9ce58f3c82"
 inherit autotools systemd update-rc.d
@@ -50,6 +50,11 @@ do_configure_prepend() {
    sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
 }
+# patch out build host paths for reproducibility
+do_compile_prepend_class-target() {
+        sed -i -e "s,${WORKDIR},,g" ${B}/config.report
+}
 do_install_append() {
    install -d ${D}${sysconfdir}/init.d
    install -d ${D}${systemd_system_unitdir}
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 0b0bbab168..7dccc15e03 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -3,8 +3,8 @@ HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProvider
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "22b49d86fb7aded2c195a9d49e5924da696b3228"
+SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20190618"
+PV = "20201225"
 PE = "1"
 SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
new file mode 100644
index 0000000000..b88bc18f12
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
@@ -0,0 +1,28 @@
+From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: [PATCH] Add new pselect6_time64 syscall on ARM.
+This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
+jjelen at redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+Upstream-Status: Backport
+[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33]
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+        SC_ALLOW(__NR_pselect6),
+ #endif
+#ifdef __NR_pselect6_time64
+       SC_ALLOW(__NR_pselect6_time64),
+#endif
+ #ifdef __NR_read
+        SC_ALLOW(__NR_read),
+ #endif
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..0046ee1a51
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,90 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: [PATCH] upstream: tweak the client hostkey preference ordering
+ algorithm to
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+feedback and ok markus@
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+Upstream-Status: Backport
+[https://github.com/openssh/openssh-portable/commit/b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+CVE: CVE-2020-14145
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c60..f64aae66af 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+        return 0;
+ }
+ 
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+       char *ret, *cp;
+
+       ret = xstrdup(algs);
+       if ((cp = strchr(ret, ',')) != NULL)
+               *cp = '\0';
+       return ret;
+}
+
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+-       char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+       char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+       char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+        size_t maxlen;
+-       struct hostkeys *hostkeys;
+       struct hostkeys *hostkeys = NULL;
+        int ktype;
+        u_int i;
+ 
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        for (i = 0; i < options.num_system_hostfiles; i++)
+                load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+       /*
+        * If a plain public key exists that matches the type of the best
+        * preference HostkeyAlgorithms, then use the whole list as is.
+        * Note that we ignore whether the best preference algorithm is a
+        * certificate type, as sshconnect.c will downgrade certs to
+        * plain keys if necessary.
+        */
+       best = first_alg(options.hostkeyalgorithms);
+       if (lookup_key_in_hostkeys_by_type(hostkeys,
+           sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+               debug3("%s: have matching best-preference key type %s, "
+                   "using HostkeyAlgorithms verbatim", __func__, best);
+               ret = xstrdup(options.hostkeyalgorithms);
+               goto out;
+       }
+
+       /*
+        * Otherwise, prefer the host key algorithms that match known keys
+        * while keeping the ordering of HostkeyAlgorithms as much as possible.
+        */
+        oavail = avail = xstrdup(options.hostkeyalgorithms);
+        maxlen = strlen(avail) + 1;
+        first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        if (*first != '\0')
+                debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ 
+ out:
+       free(best);
+        free(first);
+        free(last);
+        free(hostname);
diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
index 2aa1df20bd..a1e34a9379 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
@@ -24,6 +24,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
           file://sshd_check_keys \
           file://add-test-support-for-busybox.patch \
+           file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+           file://CVE-2020-14145.patch \
           "
 SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
index 815955837b..5f281197c9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
           file://environment.d-openssl.sh \
           "
-SRC_URI[sha256sum] = "ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
+SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -210,6 +210,8 @@ BBCLASSEXTEND = "native nativesdk"
 CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
 CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+        dev->info.config_methods = cli->config_methods;
+        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+                  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+                        goto out;
+                }
+ 
+               dev = p2p_get_device(p2p, sa);
+                if (!dev) {
+-                       dev = p2p_get_device(p2p, sa);
+-                       if (!dev) {
+-                               p2p_dbg(p2p,
+-                                       "Provision Discovery device not found "
+-                                       MACSTR, MAC2STR(sa));
+-                               goto out;
+-                       }
+                       p2p_dbg(p2p,
+                               "Provision Discovery device not found "
+                               MACSTR, MAC2STR(sa));
+                       goto out;
+                }
+        } else if (msg.wfd_subelems) {
+                wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c  | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
+                   hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
+                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
+                   next, da_end - next);
+
+       /*
+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+        * omit the parameters, but there are implementation that encode these
+        * as a NULL element. Allow these two cases and reject anything else.
+        */
+       if (da_end > next &&
+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+            !asn1_is_null(&hdr) ||
+            hdr.payload + hdr.length != da_end)) {
+               wpa_printf(MSG_DEBUG,
+                          "PKCS #1: Unexpected digest algorithm parameters");
+               os_free(decrypted);
+               return -1;
+       }
+ 
+        if (!asn1_oid_equal(&oid, hash_alg)) {
+                char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
+                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
+                   next, da_end - next);
+
+       /*
+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+        * omit the parameters, but there are implementation that encode these
+        * as a NULL element. Allow these two cases and reject anything else.
+        */
+       if (da_end > next &&
+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+            !asn1_is_null(&hdr) ||
+            hdr.payload + hdr.length != da_end)) {
+               wpa_printf(MSG_DEBUG,
+                          "X509: Unexpected digest algorithm parameters");
+               os_free(data);
+               return -1;
+       }
+ 
+        if (x509_sha1_oid(&oid)) {
+                if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..915b326b81 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
           file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+           file://CVE-2021-0326.patch \
+           file://CVE-2021-27803.patch \
+           file://CVE-2021-30004.patch \
          "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..67c9f189cc
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,58 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+  * each table.
+  * t: table to free
+  */
+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+        huft_t *q;
+ 
+       /*
+        * If 'p' has the error bit set we have to clear it, otherwise we might run
+        * into a segmentation fault or an invalid pointer to free(p)
+        */
+       if (BAD_HUFT(p)) {
+               p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
+       }
+
+        /* Go through linked list, freeing from the malloced (t[-1]) address. */
+        while (p) {
+                q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+  * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+  * is given: "fixed inflate" decoder feeds us such data.
+  */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+                        const unsigned s, const struct cp_ext *cp_ext,
+                        unsigned *m)
diff --git a/meta/recipes-core/busybox/busybox_1.32.0.bb b/meta/recipes-core/busybox/busybox_1.32.0.bb
index 8e23b0d4a2..b91f7cf711 100644
--- a/meta/recipes-core/busybox/busybox_1.32.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.32.0.bb
@@ -46,7 +46,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0001-hwclock-make-glibc-2.31-compatible.patch \
           file://rev.cfg \
           file://pgrep.cfg \
-"
+           file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+           "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 SRC_URI[tarball.md5sum] = "9576986f1a960da471d03b72a62f13c7"
diff --git a/meta/recipes-core/coreutils/coreutils_8.32.bb b/meta/recipes-core/coreutils/coreutils_8.32.bb
index 9d1eceef54..320f93bdc2 100644
--- a/meta/recipes-core/coreutils/coreutils_8.32.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.32.bb
@@ -39,6 +39,9 @@ PACKAGECONFIG_class-target ??= "\
 # The lib/oe/path.py requires xattr
 PACKAGECONFIG_class-native ??= "xattr"
+# oe-core builds need xattr support
+PACKAGECONFIG_class-nativesdk ??= "xattr"
 # with, without, depends, rdepends
 #
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
@@ -199,3 +202,6 @@ do_install_ptest () {
 }
 FILES_${PN}-ptest += "${bindir}/getlimits"
+# These are specific to Opensuse
+CVE_WHITELIST += "CVE-2013-0221 CVE-2013-0222 CVE-2013-0223"
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch
new file mode 100644
index 0000000000..828f9fcb96
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch
@@ -0,0 +1,41 @@
+From 63c5b62f0a984fac9a9700b12f54fe878e016a5d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <withnall@endlessm.com>
+Date: Wed, 2 Sep 2020 12:38:09 +0100
+Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If the calling code adds more option entries than `G_MAXSIZE` then
+there’ll be an integer overflow. This seems vanishingly unlikely (given
+that all callers use static option entry lists), but add a precondition
+anyway.
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+Fixes: #2197
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/63c5b62f0a984fac9a9700b12f54fe878e016a5d]
+CVE: CVE-2020-35457
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ glib/goption.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/glib/goption.c b/glib/goption.c
+index 9f5b977c4..bb9093a33 100644
+--- a/glib/goption.c
+++ b/glib/goption.c
+@@ -2422,6 +2422,8 @@ g_option_group_add_entries (GOptionGroup       *group,
+ 
+   for (n_entries = 0; entries[n_entries].long_name != NULL; n_entries++) ;
+ 
+  g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);
+
+   group->entries = g_renew (GOptionEntry, group->entries, group->n_entries + n_entries);
+ 
+   /* group->entries could be NULL in the trivial case where we add no
+-- 
+2.25.1
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch
new file mode 100644
index 0000000000..a4ec01134a
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch
@@ -0,0 +1,1444 @@
+commit b70039028b4a39ea071f6ed368a58ad5b5b90ba3
+Author: Anatol Belski <anbelski@microsoft.com>
+Date:   Sun Mar 14 17:51:53 2021 +0000
+    backport: 2.64.5_CVE-2021-27219
+CVE: CVE-2021-27219
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1926]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build
+index 62d95f78d..7eebb04ac 100644
+--- a/docs/reference/glib/meson.build
+++ b/docs/reference/glib/meson.build
+@@ -22,6 +22,7 @@ if get_option('gtk_doc')
+     'gprintfint.h',
+     'gmirroringtable.h',
+     'gscripttable.h',
+    'gstrfuncsprivate.h',
+     'glib-mirroring-tab',
+     'gnulib',
+     'pcre',
+diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
+index 2e7750cb5..2cdcbda19 100644
+--- a/gio/gdatainputstream.c
+++ b/gio/gdatainputstream.c
+@@ -27,6 +27,7 @@
+ #include "gioenumtypes.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
+#include "gstrfuncsprivate.h"
+ 
+ #include <string.h>
+ 
+@@ -856,7 +857,7 @@ static gssize
+ scan_for_chars (GDataInputStream *stream,
+                gsize            *checked_out,
+                const char       *stop_chars,
+-                gssize            stop_chars_len)
+                gsize             stop_chars_len)
+ {
+   GBufferedInputStream *bstream;
+   const char *buffer;
+@@ -952,7 +953,7 @@ typedef struct
+   gsize checked;
+ 
+   gchar *stop_chars;
+-  gssize stop_chars_len;
+  gsize stop_chars_len;
+   gsize length;
+ } GDataInputStreamReadData;
+ 
+@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream    *stream,
+ {
+   GDataInputStreamReadData *data;
+   GTask *task;
+  gsize stop_chars_len_unsigned;
+ 
+   data = g_slice_new0 (GDataInputStreamReadData);
+-  if (stop_chars_len == -1)
+-    stop_chars_len = strlen (stop_chars);
+-  data->stop_chars = g_memdup (stop_chars, stop_chars_len);
+-  data->stop_chars_len = stop_chars_len;
+
+  if (stop_chars_len < 0)
+    stop_chars_len_unsigned = strlen (stop_chars);
+  else
+    stop_chars_len_unsigned = (gsize) stop_chars_len;
+
+  data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
+  data->stop_chars_len = stop_chars_len_unsigned;
+   data->last_saw_cr = FALSE;
+ 
+   task = g_task_new (stream, cancellable, callback, user_data);
+@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream  *stream,
+   gssize found_pos;
+   gssize res;
+   char *data_until;
+  gsize stop_chars_len_unsigned;
+ 
+   g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
+ 
+   if (stop_chars_len < 0)
+-    stop_chars_len = strlen (stop_chars);
+    stop_chars_len_unsigned = strlen (stop_chars);
+  else
+    stop_chars_len_unsigned = (gsize) stop_chars_len;
+ 
+   bstream = G_BUFFERED_INPUT_STREAM (stream);
+ 
+   checked = 0;
+ 
+-  while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
+  while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
+     {
+       if (g_buffered_input_stream_get_available (bstream) ==
+           g_buffered_input_stream_get_buffer_size (bstream))
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index 1a4dae3bd..9de661bde 100644
+--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
+@@ -110,6 +110,7 @@
+ #include "gasyncinitable.h"
+ #include "giostream.h"
+ #include "gasyncresult.h"
+#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gmarshal-internal.h"
+ 
+@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable)
+   /* Don't waste memory by copying padding - remember to update this
+    * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
+    */
+-  return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
+  return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+ 
+ static void
+@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable)
+   /* Don't waste memory by copying padding - remember to update this
+    * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
+    */
+-  return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
+  return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+ 
+ static void
+diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
+index 4a06516c1..4a4b719a5 100644
+--- a/gio/gdbusinterfaceskeleton.c
+++ b/gio/gdbusinterfaceskeleton.c
+@@ -28,6 +28,7 @@
+ #include "gdbusmethodinvocation.h"
+ #include "gdbusconnection.h"
+ #include "gmarshal-internal.h"
+#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gioerror.h"
+ 
+@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_,
+        * properly before building the hooked_vtable, so we create it
+        * once at the last minute.
+        */
+-      interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
+      interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
+       interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call;
+     }
+ 
+diff --git a/gio/gfile.c b/gio/gfile.c
+index a2ded14ea..25930435f 100644
+--- a/gio/gfile.c
+++ b/gio/gfile.c
+@@ -60,6 +60,7 @@
+ #include "gasyncresult.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
+#include "gstrfuncsprivate.h"
+ 
+ 
+ /**
+@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean reporting,
+   g_main_context_invoke_full (g_task_get_context (task),
+                               g_task_get_priority (task),
+                               measure_disk_usage_invoke_progress,
+-                              g_memdup (&progress, sizeof progress),
+                              g_memdup2 (&progress, sizeof progress),
+                               g_free);
+ }
+ 
+@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask        *task,
+                                  data->progress_callback ? measure_disk_usage_progress : NULL, task,
+                                  &result.disk_usage, &result.num_dirs, &result.num_files,
+                                  &error))
+-    g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free);
+    g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free);
+   else
+     g_task_return_error (task, error);
+ }
+@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GFile                        *file,
+ 
+   task = g_task_new (file, cancellable, callback, user_data);
+   g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
+-  g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
+  g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free);
+   g_task_set_priority (task, io_priority);
+ 
+   g_task_run_in_thread (task, measure_disk_usage_thread);
+diff --git a/gio/giowin32-private.c b/gio/giowin32-private.c
+index 7120ae0ea..47e840805 100644
+--- a/gio/giowin32-private.c
+++ b/gio/giowin32-private.c
+@@ -16,11 +16,12 @@
+  * along with this library; if not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+#include "gstrfuncsprivate.h"
+ 
+-static gssize
+static gsize
+ g_utf16_len (const gunichar2 *str)
+ {
+-  gssize result;
+  gsize result;
+ 
+   for (result = 0; str[0] != 0; str++, result++)
+     ;
+@@ -31,17 +32,20 @@ g_utf16_len (const gunichar2 *str)
+ static gunichar2 *
+ g_wcsdup (const gunichar2 *str, gssize str_len)
+ {
+-  gssize str_size;
+  gsize str_len_unsigned;
+  gsize str_size;
+ 
+   g_return_val_if_fail (str != NULL, NULL);
+ 
+-  if (str_len == -1)
+-    str_len = g_utf16_len (str);
+  if (str_len < 0)
+    str_len_unsigned = g_utf16_len (str);
+  else
+    str_len_unsigned = (gsize) str_len;
+ 
+-  g_assert (str_len <= G_MAXSIZE / sizeof (gunichar2) - 1);
+-  str_size = (str_len + 1) * sizeof (gunichar2);
+  g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
+  str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
+ 
+-  return g_memdup (str, str_size);
+  return g_memdup2 (str, str_size);
+ }
+ 
+ static const gunichar2 *
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index cd5765afd..de216e615 100644
+--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
+@@ -33,6 +33,7 @@
+ #include "gfilemonitor.h"
+ #include "gsimplepermission.h"
+ #include "gsettingsbackendinternal.h"
+#include "gstrfuncsprivate.h"
+ #include "giomodule-priv.h"
+ #include "gportalsupport.h"
+ 
+@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend  *kfsb,
+               gchar                   **group,
+               gchar                   **basename)
+ {
+-  gint key_len = strlen (key);
+-  gint i;
+  gsize key_len = strlen (key);
+  const gchar *last_slash;
+ 
+   if (key_len < kfsb->prefix_len ||
+       memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
+@@ -155,38 +156,48 @@ convert_path (GKeyfileSettingsBackend  *kfsb,
+   key_len -= kfsb->prefix_len;
+   key += kfsb->prefix_len;
+ 
+-  for (i = key_len; i >= 0; i--)
+-    if (key[i] == '/')
+-      break;
+  last_slash = strrchr (key, '/');
+
+  /* Disallow empty group names or key names */
+  if (key_len == 0 ||
+      (last_slash != NULL &&
+       (*(last_slash + 1) == '\0' ||
+        last_slash == key)))
+    return FALSE;
+ 
+   if (kfsb->root_group)
+     {
+       /* if a root_group was specified, make sure the user hasn't given
+        * a path that ghosts that group name
+        */
+-      if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
+      if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
+         return FALSE;
+     }
+   else
+     {
+       /* if no root_group was given, ensure that the user gave a path */
+-      if (i == -1)
+      if (last_slash == NULL)
+         return FALSE;
+     }
+ 
+   if (group)
+     {
+-      if (i >= 0)
+      if (last_slash != NULL)
+         {
+-          *group = g_memdup (key, i + 1);
+-          (*group)[i] = '\0';
+          *group = g_memdup2 (key, (last_slash - key) + 1);
+          (*group)[(last_slash - key)] = '\0';
+         }
+       else
+         *group = g_strdup (kfsb->root_group);
+     }
+ 
+   if (basename)
+-    *basename = g_memdup (key + i + 1, key_len - i);
+    {
+      if (last_slash != NULL)
+        *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
+      else
+        *basename = g_strdup (key);
+    }
+ 
+   return TRUE;
+ }
+diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c
+index 0b94f76f6..eb5a3b846 100644
+--- a/gio/gsettingsschema.c
+++ b/gio/gsettingsschema.c
+@@ -20,6 +20,7 @@
+ 
+ #include "gsettingsschema-internal.h"
+ #include "gsettings.h"
+#include "gstrfuncsprivate.h"
+ 
+ #include "gvdb/gvdb-reader.h"
+ #include "strinfo.c"
+@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettingsSchema *schema)
+ 
+       if (g_str_has_suffix (key, "/"))
+         {
+-          gint length = strlen (key);
+          gsize length = strlen (key);
+ 
+-          strv[j] = g_memdup (key, length);
+          strv[j] = g_memdup2 (key, length);
+           strv[j][length - 1] = '\0';
+           j++;
+         }
+diff --git a/gio/gsocket.c b/gio/gsocket.c
+index 2a15bdd22..554af026b 100644
+--- a/gio/gsocket.c
+++ b/gio/gsocket.c
+@@ -75,6 +75,7 @@
+ #include "gcredentialsprivate.h"
+ #include "glibintl.h"
+ #include "gioprivate.h"
+#include "gstrfuncsprivate.h"
+ 
+ #ifdef G_OS_WIN32
+ /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
+@@ -174,7 +175,7 @@ static gboolean     g_socket_datagram_based_condition_wait       (GDatagramBased
+                                                                   GError          **error);
+ 
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
+ 
+ static gssize
+ g_socket_receive_message_with_timeout  (GSocket                 *socket,
+@@ -260,7 +261,7 @@ struct _GSocketPrivate
+   struct {
+     GSocketAddress *addr;
+     struct sockaddr *native;
+-    gint native_len;
+    gsize native_len;
+     guint64 last_used;
+   } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
+ };
+@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSocket        *socket,
+ }
+ 
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
+ {
+   GSocketAddress *saddr;
+   gint i;
+   guint64 oldest_time = G_MAXUINT64;
+   gint oldest_index = 0;
+ 
+-  if (native_len <= 0)
+  if (native_len == 0)
+     return NULL;
+ 
+   saddr = NULL;
+@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+     {
+       GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
+       gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
+-      gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+      gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+ 
+       if (!tmp)
+         continue;
+@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+       g_free (socket->priv->recv_addr_cache[oldest_index].native);
+     }
+ 
+-  socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
+  socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
+   socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
+   socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
+   socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
+@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (GSocket                 *socket,
+     /* do it */
+     while (1)
+       {
+        /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
+        G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
+
+        addrlen = sizeof addr;
+        if (address)
+          result = WSARecvFrom (socket->priv->fd,
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index 1e437a7b6..bd86a6dfe 100644
+--- a/gio/gtlspassword.c
+++ b/gio/gtlspassword.c
+@@ -23,6 +23,7 @@
+ #include "glibintl.h"
+ 
+ #include "gioenumtypes.h"
+#include "gstrfuncsprivate.h"
+ #include "gtlspassword.h"
+ 
+ #include <string.h>
+@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword  *password,
+   g_return_if_fail (G_IS_TLS_PASSWORD (password));
+ 
+   if (length < 0)
+-    length = strlen ((gchar *)value);
+    {
+      /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
+      gsize length_unsigned = strlen ((gchar *) value);
+      g_return_if_fail (length_unsigned <= G_MAXSSIZE);
+      length = (gssize) length_unsigned;
+    }
+ 
+-  g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
+  g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
+ }
+ 
+ /**
+diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
+index aa7819294..efb9ae713 100644
+--- a/gio/gwin32registrykey.c
+++ b/gio/gwin32registrykey.c
+@@ -28,6 +28,8 @@
+ #include <ntstatus.h>
+ #include <winternl.h>
+ 
+#include "gstrfuncsprivate.h"
+
+ #ifndef _WDMDDK_
+ typedef enum _KEY_INFORMATION_CLASS {
+   KeyBasicInformation,
+@@ -125,16 +127,34 @@ typedef enum
+   G_WIN32_REGISTRY_UPDATED_PATH = 1,
+ } GWin32RegistryKeyUpdateFlag;
+ 
+static gsize
+g_utf16_len (const gunichar2 *str)
+{
+  gsize result;
+
+  for (result = 0; str[0] != 0; str++, result++)
+    ;
+
+  return result;
+}
+
+ static gunichar2 *
+-g_wcsdup (const gunichar2 *str,
+-          gssize           str_size)
+g_wcsdup (const gunichar2 *str, gssize str_len)
+ {
+-  if (str_size == -1)
+-    {
+-      str_size = wcslen (str) + 1;
+-      str_size *= sizeof (gunichar2);
+-    }
+-  return g_memdup (str, str_size);
+  gsize str_len_unsigned;
+  gsize str_size;
+
+  g_return_val_if_fail (str != NULL, NULL);
+
+  if (str_len < 0)
+    str_len_unsigned = g_utf16_len (str);
+  else
+    str_len_unsigned = (gsize) str_len;
+
+  g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
+  str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
+
+  return g_memdup2 (str, str_size);
+ }
+ 
+ /**
+@@ -247,7 +267,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter)
+   new_iter->value_name_size = iter->value_name_size;
+ 
+   if (iter->value_data != NULL)
+-    new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size);
+    new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size);
+ 
+   new_iter->value_data_size = iter->value_data_size;
+ 
+@@ -268,8 +288,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter)
+   new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize;
+ 
+   if (iter->value_data_expanded_u8 != NULL)
+-    new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8,
+-                                                 iter->value_data_expanded_charsize);
+    new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8,
+                                                  iter->value_data_expanded_charsize);
+ 
+   new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize;
+ 
+diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c
+index 5f6620275..d3f97a119 100644
+--- a/gio/tests/async-close-output-stream.c
+++ b/gio/tests/async-close-output-stream.c
+@@ -24,6 +24,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
+#include "gstrfuncsprivate.h"
+
+ #define DATA_TO_WRITE "Hello world\n"
+ 
+ typedef struct
+@@ -147,9 +149,9 @@ prepare_data (SetupData *data,
+ 
+   data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream));
+ 
+-  g_assert_cmpint (data->expected_size, >, 0);
+  g_assert_cmpuint (data->expected_size, >, 0);
+ 
+-  data->expected_output = g_memdup (written, (guint)data->expected_size);
+  data->expected_output = g_memdup2 (written, data->expected_size);
+ 
+   /* then recreate the streams and prepare them for the asynchronous close */
+   destroy_streams (data);
+diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c
+index fda654c44..10dd6d82f 100644
+--- a/gio/tests/gdbus-export.c
+++ b/gio/tests/gdbus-export.c
+@@ -23,6 +23,7 @@
+ #include <string.h>
+ 
+ #include "gdbus-tests.h"
+#include "gstrfuncsprivate.h"
+ 
+ /* all tests rely on a shared mainloop */
+ static GMainLoop *loop = NULL;
+@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection       *connection,
+       g_assert_not_reached ();
+     }
+ 
+-  return g_memdup (interfaces, 2 * sizeof (void *));
+  return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+ 
+ static const GDBusInterfaceVTable *
+@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnection       *connection,
+ {
+   const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL };
+ 
+-  return g_memdup (interfaces, 2 * sizeof (void *));
+  return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+ 
+ static const GDBusInterfaceVTable *
+diff --git a/gio/tests/gsettings.c b/gio/tests/gsettings.c
+index baadca8f5..afe594a23 100644
+--- a/gio/tests/gsettings.c
+++ b/gio/tests/gsettings.c
+@@ -1,3 +1,4 @@
+#include <errno.h>
+ #include <stdlib.h>
+ #include <locale.h>
+ #include <libintl.h>
+@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, const gchar *key, gpointer data)
+   (*b) = TRUE;
+ }
+ 
+typedef struct
+{
+  const gchar *path;
+  const gchar *root_group;
+  const gchar *keyfile_group;
+  const gchar *root_path;
+} KeyfileTestData;
+
+ /*
+  * Test that using a keyfile works
+  */
+@@ -1834,7 +1843,11 @@ test_keyfile (Fixture       *fixture,
+   g_free (str);
+ 
+   g_settings_set (settings, "farewell", "s", "cheerio");
+-  
+
+  /* Check that empty keys/groups are not allowed. */
+  g_assert_false (g_settings_is_writable (settings, ""));
+  g_assert_false (g_settings_is_writable (settings, "/"));
+
+   /* When executing as root, changing the mode of the keyfile will have
+    * no effect on the writability of the settings.
+    */
+@@ -1866,6 +1879,149 @@ test_keyfile (Fixture       *fixture,
+   g_free (keyfile_path);
+ }
+ 
+/*
+ * Test that using a keyfile works with a schema with no path set.
+ */
+static void
+test_keyfile_no_path (Fixture       *fixture,
+                      gconstpointer  user_data)
+{
+  const KeyfileTestData *test_data = user_data;
+  GSettingsBackend *kf_backend;
+  GSettings *settings;
+  GKeyFile *keyfile;
+  gboolean writable;
+  gchar *key = NULL;
+  GError *error = NULL;
+  gchar *keyfile_path = NULL, *store_path = NULL;
+
+  keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
+  store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
+  kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group);
+  settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path);
+  g_object_unref (kf_backend);
+
+  g_settings_reset (settings, "test-boolean");
+  g_assert_true (g_settings_get_boolean (settings, "test-boolean"));
+
+  writable = g_settings_is_writable (settings, "test-boolean");
+  g_assert_true (writable);
+  g_settings_set (settings, "test-boolean", "b", FALSE);
+
+  g_assert_false (g_settings_get_boolean (settings, "test-boolean"));
+
+  g_settings_delay (settings);
+  g_settings_set (settings, "test-boolean", "b", TRUE);
+  g_settings_apply (settings);
+
+  keyfile = g_key_file_new ();
+  g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
+
+  g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", NULL));
+
+  g_key_file_free (keyfile);
+
+  g_settings_reset (settings, "test-boolean");
+  g_settings_apply (settings);
+  keyfile = g_key_file_new ();
+  g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
+
+  g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error));
+  g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND);
+  g_clear_error (&error);
+
+  /* Check that empty keys/groups are not allowed. */
+  g_assert_false (g_settings_is_writable (settings, ""));
+  g_assert_false (g_settings_is_writable (settings, "/"));
+
+  /* Keys which ghost the root group name are not allowed. This can only be
+   * tested when the path is `/` as otherwise it acts as a prefix and prevents
+   * any ghosting. */
+  if (g_str_equal (test_data->path, "/"))
+    {
+      key = g_strdup_printf ("%s/%s", test_data->root_group, "");
+      g_assert_false (g_settings_is_writable (settings, key));
+      g_free (key);
+
+      key = g_strdup_printf ("%s/%s", test_data->root_group, "/");
+      g_assert_false (g_settings_is_writable (settings, key));
+      g_free (key);
+
+      key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean");
+      g_assert_false (g_settings_is_writable (settings, key));
+      g_free (key);
+    }
+
+  g_key_file_free (keyfile);
+  g_object_unref (settings);
+
+  /* Clean up the temporary directory. */
+  g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0);
+  g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0);
+  g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
+  g_free (store_path);
+  g_free (keyfile_path);
+}
+
+/*
+ * Test that a keyfile rejects writes to keys outside its root path.
+ */
+static void
+test_keyfile_outside_root_path (Fixture       *fixture,
+                                gconstpointer  user_data)
+{
+  GSettingsBackend *kf_backend;
+  GSettings *settings;
+  gchar *keyfile_path = NULL, *store_path = NULL;
+
+  keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
+  store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
+  kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root");
+  settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/");
+  g_object_unref (kf_backend);
+
+  g_assert_false (g_settings_is_writable (settings, "test-boolean"));
+
+  g_object_unref (settings);
+
+  /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
+   * don’t error on failure. */
+  g_remove (store_path);
+  g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
+  g_free (store_path);
+  g_free (keyfile_path);
+}
+
+/*
+ * Test that a keyfile rejects writes to keys in the root if no root group is set.
+ */
+static void
+test_keyfile_no_root_group (Fixture       *fixture,
+                            gconstpointer  user_data)
+{
+  GSettingsBackend *kf_backend;
+  GSettings *settings;
+  gchar *keyfile_path = NULL, *store_path = NULL;
+
+  keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
+  store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
+  kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL);
+  settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/");
+  g_object_unref (kf_backend);
+
+  g_assert_false (g_settings_is_writable (settings, "test-boolean"));
+  g_assert_true (g_settings_is_writable (settings, "child/test-boolean"));
+
+  g_object_unref (settings);
+
+  /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
+   * don’t error on failure. */
+  g_remove (store_path);
+  g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
+  g_free (store_path);
+  g_free (keyfile_path);
+}
+
+ /* Test that getting child schemas works
+  */
+ static void
+@@ -2844,6 +3000,14 @@ main (int argc, char *argv[])
+   gchar *override_text;
+   gchar *enums;
+   gint result;
+  const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" };
+  const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" };
+  const KeyfileTestData keyfile_test_data_long_path = {
+    "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/",
+    "root",
+    "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch",
+    "/"
+  };
+ 
+ /* Meson build sets this */
+ #ifdef TEST_LOCALE_PATH
+@@ -2967,6 +3131,11 @@ main (int argc, char *argv[])
+     }
+ 
+   g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown);
+  g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown);
+  g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown);
+  g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown);
+  g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown);
+  g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown);
+   g_test_add_func ("/gsettings/child-schema", test_child_schema);
+   g_test_add_func ("/gsettings/strinfo", test_strinfo);
+   g_test_add_func ("/gsettings/enums", test_enums);
+diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c
+index 4f0737d7e..5661e8e0d 100644
+--- a/gio/tests/tls-interaction.c
+++ b/gio/tests/tls-interaction.c
+@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction    *interaction,
+ }
+ 
+ 
+/* Return a copy of @str that is allocated in a silly way, to exercise
+ * custom free-functions. The returned pointer points to a copy of @str
+ * in a buffer of the form "BEFORE \0 str \0 AFTER". */
+static guchar *
+special_dup (const char *str)
+{
+  GString *buf = g_string_new ("BEFORE");
+  guchar *ret;
+
+  g_string_append_c (buf, '\0');
+  g_string_append (buf, str);
+  g_string_append_c (buf, '\0');
+  g_string_append (buf, "AFTER");
+  ret = (guchar *) g_string_free (buf, FALSE);
+  return ret + strlen ("BEFORE") + 1;
+}
+
+
+/* Free a copy of @str that was made with special_dup(), after asserting
+ * that it has not been corrupted. */
+static void
+special_free (gpointer p)
+{
+  gchar *s = p;
+  gchar *buf = s - strlen ("BEFORE") - 1;
+
+  g_assert_cmpstr (buf, ==, "BEFORE");
+  g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER");
+  g_free (buf);
+}
+
+
+ static GTlsInteractionResult
+ test_interaction_ask_password_sync_success (GTlsInteraction    *interaction,
+                                             GTlsPassword       *password,
+@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction    *interaction,
+                                             GError            **error)
+ {
+   TestInteraction *self;
+  const guchar *value;
+  gsize len;
+ 
+   g_assert (TEST_IS_INTERACTION (interaction));
+   self = TEST_INTERACTION (interaction);
+@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction    *interaction,
+   g_assert (error != NULL);
+   g_assert (*error == NULL);
+ 
+  /* Exercise different ways to set the value */
+  g_tls_password_set_value (password, (const guchar *) "foo", 4);
+  len = 0;
+  value = g_tls_password_get_value (password, &len);
+  g_assert_cmpmem (value, len, "foo", 4);
+
+  g_tls_password_set_value (password, (const guchar *) "bar", -1);
+  len = 0;
+  value = g_tls_password_get_value (password, &len);
+  g_assert_cmpmem (value, len, "bar", 3);
+
+  g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free);
+  len = 0;
+  value = g_tls_password_get_value (password, &len);
+  g_assert_cmpmem (value, len, "baa", 4);
+
+  g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free);
+  len = 0;
+  value = g_tls_password_get_value (password, &len);
+  g_assert_cmpmem (value, len, "baz", 3);
+
+   /* Don't do this in real life. Include a null terminator for testing */
+   g_tls_password_set_value (password, (const guchar *)"the password", 13);
+   return G_TLS_INTERACTION_HANDLED;
+diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
+index cf5eed31d..246ec0578 100644
+--- a/gio/win32/gwinhttpfile.c
+++ b/gio/win32/gwinhttpfile.c
+@@ -29,6 +29,7 @@
+ #include "gio/gfile.h"
+ #include "gio/gfileattribute.h"
+ #include "gio/gfileinfo.h"
+#include "gstrfuncsprivate.h"
+ #include "gwinhttpfile.h"
+ #include "gwinhttpfileinputstream.h"
+ #include "gwinhttpfileoutputstream.h"
+@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile      *file,
+   child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
+   child->vfs = winhttp_file->vfs;
+   child->url = winhttp_file->url;
+-  child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
+-  child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
+-  child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
+-  child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
+  child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
+  child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2);
+  child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2);
+  child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2);
+   child->url.lpszUrlPath = wnew_path;
+   child->url.dwUrlPathLength = wcslen (wnew_path);
+   child->url.lpszExtraInfo = NULL;
+diff --git a/glib/gbytes.c b/glib/gbytes.c
+index ec6923188..6f17d104c 100644
+--- a/glib/gbytes.c
+++ b/glib/gbytes.c
+@@ -34,6 +34,8 @@
+ 
+ #include <string.h>
+ 
+#include "gstrfuncsprivate.h"
+
+ /**
+  * GBytes:
+  *
+@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
+ {
+   g_return_val_if_fail (data != NULL || size == 0, NULL);
+ 
+-  return g_bytes_new_take (g_memdup (data, size), size);
+  return g_bytes_new_take (g_memdup2 (data, size), size);
+ }
+ 
+ /**
+@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
+        * Copy: Non g_malloc (or compatible) allocator, or static memory,
+        * so we have to copy, and then unref.
+        */
+-      result = g_memdup (bytes->data, bytes->size);
+      result = g_memdup2 (bytes->data, bytes->size);
+       *size = bytes->size;
+       g_bytes_unref (bytes);
+     }
+diff --git a/glib/gdir.c b/glib/gdir.c
+index 6b85e99c8..6747a8c6f 100644
+--- a/glib/gdir.c
+++ b/glib/gdir.c
+@@ -37,6 +37,7 @@
+ #include "gconvert.h"
+ #include "gfileutils.h"
+ #include "gstrfuncs.h"
+#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+ 
+@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path,
+     return NULL;
+ #endif
+ 
+-  return g_memdup (&dir, sizeof dir);
+  return g_memdup2 (&dir, sizeof dir);
+ }
+ 
+ /**
+diff --git a/glib/ghash.c b/glib/ghash.c
+index 0f1562a06..c1e15c957 100644
+--- a/glib/ghash.c
+++ b/glib/ghash.c
+@@ -34,6 +34,7 @@
+ #include "gmacros.h"
+ #include "glib-private.h"
+ #include "gstrfuncs.h"
+#include "gstrfuncsprivate.h"
+ #include "gatomic.h"
+ #include "gtestutils.h"
+ #include "gslice.h"
+@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+       if (hash_table->have_big_keys)
+         {
+           if (key != value)
+-            hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
+            hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+           /* Keys and values are both big now, so no need for further checks */
+           return;
+         }
+@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+         {
+           if (key != value)
+             {
+-              hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size);
+              hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size);
+               is_a_set = FALSE;
+             }
+         }
+@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+ 
+   /* Just split if necessary */
+   if (is_a_set && key != value)
+-    hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
+    hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+ 
+ #endif
+ }
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index d16399846..b41381d38 100644
+--- a/glib/giochannel.c
+++ b/glib/giochannel.c
+@@ -37,6 +37,7 @@
+ #include "giochannel.h"
+ 
+ #include "gstrfuncs.h"
+#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+ 
+@@ -886,17 +887,26 @@ g_io_channel_set_line_term (GIOChannel    *channel,
+                             const gchar        *line_term,
+                            gint         length)
+ {
+  guint length_unsigned;
+
+   g_return_if_fail (channel != NULL);
+   g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */
+ 
+   if (line_term == NULL)
+-    length = 0;
+-  else if (length < 0)
+-    length = strlen (line_term);
+    length_unsigned = 0;
+  else if (length >= 0)
+    length_unsigned = (guint) length;
+  else
+    {
+      /* FIXME: We’re constrained by line_term_len being a guint here */
+      gsize length_size = strlen (line_term);
+      g_return_if_fail (length_size <= G_MAXUINT);
+      length_unsigned = (guint) length_size;
+    }
+ 
+   g_free (channel->line_term);
+-  channel->line_term = line_term ? g_memdup (line_term, length) : NULL;
+-  channel->line_term_len = length;
+  channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
+  channel->line_term_len = length_unsigned;
+ }
+ 
+ /**
+@@ -1673,10 +1683,10 @@ g_io_channel_read_line (GIOChannel  *channel,
+ 
+       /* Copy the read bytes (including any embedded nuls) and nul-terminate.
+        * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a
+-       * #GString, so it’s safe to call g_memdup() with +1 length to allocate
+       * #GString, so it’s safe to call g_memdup2() with +1 length to allocate
+        * a nul-terminator. */
+       g_assert (USE_BUF (channel));
+-      line = g_memdup (USE_BUF (channel)->str, got_length + 1);
+      line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
+       line[got_length] = '\0';
+       *str_return = g_steal_pointer (&line);
+       g_string_erase (USE_BUF (channel), 0, got_length);
+diff --git a/glib/gslice.c b/glib/gslice.c
+index 4c758c3be..bcdbb8853 100644
+--- a/glib/gslice.c
+++ b/glib/gslice.c
+@@ -41,6 +41,7 @@
+ #include "gmain.h"
+ #include "gmem.h"               /* gslice.h */
+ #include "gstrfuncs.h"
+#include "gstrfuncsprivate.h"
+ #include "gutils.h"
+ #include "gtrashstack.h"
+ #include "gtestutils.h"
+@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig ckey,
+       array[i++] = allocator->contention_counters[address];
+       array[i++] = allocator_get_magazine_threshold (allocator, address);
+       *n_values = i;
+-      return g_memdup (array, sizeof (array[0]) * *n_values);
+      return g_memdup2 (array, sizeof (array[0]) * *n_values);
+     default:
+       return NULL;
+     }
+diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h
+new file mode 100644
+index 000000000..85c88328a
+--- /dev/null
+++ b/glib/gstrfuncsprivate.h
+@@ -0,0 +1,55 @@
+/* GLIB - Library of useful routines for C programming
+ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <glib.h>
+#include <string.h>
+
+/*
+ * g_memdup2:
+ * @mem: (nullable): the memory to copy.
+ * @byte_size: the number of bytes to copy.
+ *
+ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
+ * from @mem. If @mem is %NULL it returns %NULL.
+ *
+ * This replaces g_memdup(), which was prone to integer overflows when
+ * converting the argument from a #gsize to a #guint.
+ *
+ * This static inline version is a backport of the new public API from
+ * GLib 2.68, kept internal to GLib for backport to older stable releases.
+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
+ *
+ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
+ *    or %NULL if @mem is %NULL.
+ * Since: 2.68
+ */
+static inline gpointer
+g_memdup2 (gconstpointer mem,
+           gsize         byte_size)
+{
+  gpointer new_mem;
+
+  if (mem && byte_size != 0)
+    {
+      new_mem = g_malloc (byte_size);
+      memcpy (new_mem, mem, byte_size);
+    }
+  else
+    new_mem = NULL;
+
+  return new_mem;
+}
+diff --git a/glib/gtestutils.c b/glib/gtestutils.c
+index 18b117285..26d46ad75 100644
+--- a/glib/gtestutils.c
+++ b/glib/gtestutils.c
+@@ -49,6 +49,7 @@
+ #include "gpattern.h"
+ #include "grand.h"
+ #include "gstrfuncs.h"
+#include "gstrfuncsprivate.h"
+ #include "gtimer.h"
+ #include "gslice.h"
+ #include "gspawn.h"
+@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer)
+       if (p <= tbuffer->data->str + mlength)
+         {
+           g_string_erase (tbuffer->data, 0, mlength);
+-          tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg)));
+          tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg)));
+           return TRUE;
+         }
+ 
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 77d7e746b..ef4257f6d 100644
+--- a/glib/gvariant.c
+++ b/glib/gvariant.c
+@@ -33,6 +33,7 @@
+ 
+ #include <string.h>
+ 
+#include "gstrfuncsprivate.h"
+ 
+ /**
+  * SECTION:gvariant
+@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
+   g_variant_ref_sink (value);
+ 
+   return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
+-                                      g_memdup (&value, sizeof value),
+                                      g_memdup2 (&value, sizeof value),
+                                       1, g_variant_is_trusted (value));
+ }
+ 
+@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVariantType  *element_type,
+       return NULL;
+     }
+ 
+-  data = g_memdup (elements, n_elements * element_size);
+  data = g_memdup2 (elements, n_elements * element_size);
+   value = g_variant_new_from_data (array_type, data,
+                                    n_elements * element_size,
+                                    FALSE, g_free, data);
+@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *value,
+   if (length)
+     *length = size;
+ 
+-  return g_memdup (original, size + 1);
+  return g_memdup2 (original, size + 1);
+ }
+ 
+ /**
+diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c
+index c46f1a2c6..585e29ab2 100644
+--- a/glib/gvarianttype.c
+++ b/glib/gvarianttype.c
+@@ -28,6 +28,7 @@
+ 
+ #include <string.h>
+ 
+#include "gstrfuncsprivate.h"
+ 
+ /**
+  * SECTION:gvarianttype
+@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariantType * const *items,
+   g_assert (offset < sizeof buffer);
+   buffer[offset++] = ')';
+ 
+-  return (GVariantType *) g_memdup (buffer, offset);
+  return (GVariantType *) g_memdup2 (buffer, offset);
+ }
+ 
+ /**
+diff --git a/glib/meson.build b/glib/meson.build
+index 456e0c2a1..2e5cd77bb 100644
+--- a/glib/meson.build
+++ b/glib/meson.build
+@@ -268,6 +268,7 @@ glib_sources = files(
+   'gslist.c',
+   'gstdio.c',
+   'gstrfuncs.c',
+  'gstrfuncsprivate.h',
+   'gstring.c',
+   'gstringchunk.c',
+   'gtestutils.c',
+diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c
+index 1da514a3e..88f22de80 100644
+--- a/glib/tests/array-test.c
+++ b/glib/tests/array-test.c
+@@ -29,6 +29,8 @@
+ #include <string.h>
+ #include "glib.h"
+ 
+#include "gstrfuncsprivate.h"
+
+ /* Test data to be passed to any function which calls g_array_new(), providing
+  * the parameters for that call. Most #GArray tests should be repeated for all
+  * possible values of #ArrayTestData. */
+@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
+   GByteArray *gbarray;
+   guint8 *data;
+ 
+-  data = g_memdup ("woooweeewow", 11);
+  data = g_memdup2 ("woooweeewow", 11);
+   gbarray = g_byte_array_new_take (data, 11);
+   g_assert (gbarray->data == data);
+   g_assert_cmpuint (gbarray->len, ==, 11);
+diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c
+index ff53fcef7..4a1b10876 100644
+--- a/glib/tests/io-channel.c
+++ b/glib/tests/io-channel.c
+@@ -49,8 +49,10 @@ test_read_line_embedded_nuls (void)
+   channel = g_io_channel_new_file (filename, "r", &local_error);
+   g_assert_no_error (local_error);
+ 
+-  /* Only break on newline characters, not nuls. */
+-  g_io_channel_set_line_term (channel, "\n", 1);
+  /* Only break on newline characters, not nuls.
+   * Use length -1 here to exercise glib#2323; the case where length > 0
+   * is covered in glib/tests/protocol.c. */
+  g_io_channel_set_line_term (channel, "\n", -1);
+   g_io_channel_set_encoding (channel, NULL, &local_error);
+   g_assert_no_error (local_error);
+ 
+diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c
+index 149d22353..88d2b80d1 100644
+--- a/glib/tests/option-context.c
+++ b/glib/tests/option-context.c
+@@ -27,6 +27,8 @@
+ #include <string.h>
+ #include <locale.h>
+ 
+#include "gstrfuncsprivate.h"
+
+ static GOptionEntry main_entries[] = {
+   { "main-switch", 0, 0,
+     G_OPTION_ARG_NONE, NULL,
+@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
+ static char **
+ copy_stringv (char **argv, int argc)
+ {
+-  return g_memdup (argv, sizeof (char *) * (argc + 1));
+  return g_memdup2 (argv, sizeof (char *) * (argc + 1));
+ }
+ 
+ static void
+@@ -2323,7 +2325,7 @@ test_group_parse (void)
+   g_option_context_add_group (context, group);
+ 
+   argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc);
+-  orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
+  orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
+ 
+   retval = g_option_context_parse (context, &argc, &argv, &error);
+ 
+diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c
+index e1f9619c7..d968afff9 100644
+--- a/glib/tests/strfuncs.c
+++ b/glib/tests/strfuncs.c
+@@ -32,6 +32,8 @@
+ #include <string.h>
+ #include "glib.h"
+ 
+#include "gstrfuncsprivate.h"
+
+ #if defined (_MSC_VER) && (_MSC_VER <= 1800)
+ #define isnan(x) _isnan(x)
+ 
+@@ -219,6 +221,26 @@ test_memdup (void)
+   g_free (str_dup);
+ }
+ 
+/* Testing g_memdup2() function with various positive and negative cases */
+static void
+test_memdup2 (void)
+{
+  gchar *str_dup = NULL;
+  const gchar *str = "The quick brown fox jumps over the lazy dog";
+
+  /* Testing negative cases */
+  g_assert_null (g_memdup2 (NULL, 1024));
+  g_assert_null (g_memdup2 (str, 0));
+  g_assert_null (g_memdup2 (NULL, 0));
+
+  /* Testing normal usage cases */
+  str_dup = g_memdup2 (str, strlen (str) + 1);
+  g_assert_nonnull (str_dup);
+  g_assert_cmpstr (str, ==, str_dup);
+
+  g_free (str_dup);
+}
+
+ /* Testing g_strpcpy() function with various positive and negative cases */
+ static void
+ test_stpcpy (void)
+@@ -2523,6 +2545,7 @@ main (int   argc,
+   g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
+   g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
+   g_test_add_func ("/strfuncs/memdup", test_memdup);
+  g_test_add_func ("/strfuncs/memdup2", test_memdup2);
+   g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
+   g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
+   g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);
+diff --git a/gobject/gsignal.c b/gobject/gsignal.c
+index 45effa92d..effbfec62 100644
+--- a/gobject/gsignal.c
+++ b/gobject/gsignal.c
+@@ -28,6 +28,7 @@
+ #include <signal.h>
+ 
+ #include "gsignal.h"
+#include "gstrfuncsprivate.h"
+ #include "gtype-private.h"
+ #include "gbsearcharray.h"
+ #include "gvaluecollector.h"
+@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar       *signal_name,
+   node->single_va_closure_is_valid = FALSE;
+   node->flags = signal_flags & G_SIGNAL_FLAGS_MASK;
+   node->n_params = n_params;
+-  node->param_types = g_memdup (param_types, sizeof (GType) * n_params);
+  node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params);
+   node->return_type = return_type;
+   node->class_closure_bsa = NULL;
+   if (accumulator)
+diff --git a/gobject/gtype.c b/gobject/gtype.c
+index b5ef2d11e..8d152dccc 100644
+--- a/gobject/gtype.c
+++ b/gobject/gtype.c
+@@ -33,6 +33,7 @@
+ 
+ #include "glib-private.h"
+ #include "gconstructor.h"
+#include "gstrfuncsprivate.h"
+ 
+ #ifdef G_OS_WIN32
+ #include <windows.h>
+@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode             *node,
+   iholder->next = iface_node_get_holders_L (iface);
+   iface_node_set_holders_W (iface, iholder);
+   iholder->instance_type = NODE_TYPE (node);
+-  iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL;
+  iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL;
+   iholder->plugin = plugin;
+ 
+   /* create an iface entry for this type */
+@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface,
+         INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface));
+       
+       check_interface_info_I (iface, instance_type, &tmp_info);
+-      iholder->info = g_memdup (&tmp_info, sizeof (tmp_info));
+      iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info));
+     }
+   
+   return iholder;      /* we don't modify write lock upon returning NULL */
+@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface,
+       IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface);
+       
+       if (pentry)
+-       vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size);
+       vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size);
+     }
+   if (!vtable)
+-    vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
+    vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
+   entry->vtable = vtable;
+   vtable->g_type = NODE_TYPE (iface);
+   vtable->g_instance_type = NODE_TYPE (node);
+diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c
+index 4ecaf8c88..20911fafd 100644
+--- a/gobject/gtypemodule.c
+++ b/gobject/gtypemodule.c
+@@ -19,6 +19,7 @@
+ 
+ #include <stdlib.h>
+ 
+#include "gstrfuncsprivate.h"
+ #include "gtypeplugin.h"
+ #include "gtypemodule.h"
+ 
+@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule     *module,
+   module_type_info->loaded = TRUE;
+   module_type_info->info = *type_info;
+   if (type_info->value_table)
+-    module_type_info->info.value_table = g_memdup (type_info->value_table,
+    module_type_info->info.value_table = g_memdup2 (type_info->value_table,
+                                                   sizeof (GTypeValueTable));
+ 
+   return module_type_info->type;
+diff --git a/gobject/tests/param.c b/gobject/tests/param.c
+index 93c3f4b94..0a77e51b7 100644
+--- a/gobject/tests/param.c
+++ b/gobject/tests/param.c
+@@ -2,6 +2,8 @@
+ #include <glib-object.h>
+ #include <stdlib.h>
+ 
+#include "gstrfuncsprivate.h"
+
+ static void
+ test_param_value (void)
+ {
+@@ -874,7 +876,7 @@ main (int argc, char *argv[])
+             test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d",
+                                          data.change_this_flag, data.change_this_type,
+                                          data.use_this_flag, data.use_this_type);
+-            test_data = g_memdup (&data, sizeof (TestParamImplementData));
+            test_data = g_memdup2 (&data, sizeof (TestParamImplementData));
+             g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free);
+             g_free (test_path);
+           }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
index a30c5215be..ed7b649dc6 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
@@ -17,6 +17,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
           file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
           file://tzdata-update.patch \
+           file://CVE-2020-35457.patch \
+           file://CVE-2021-27219.patch \
           "
 SRC_URI_append_class-native = " file://relocate-modules.patch"
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index a0055d81b0..71777bc459 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -34,10 +34,6 @@ DEPENDS_append_class-target = "${@' gtk-doc' if d.getVar('GTKDOC_ENABLED') == 'T
 GTKDOC_MESON_OPTION = "gtk_doc"
-# This avoids the need to depend on target python3, which in case of mingw is not even possible.
-# meson's python configuration pokes into python3 configuration, so this provides the native config to it.
-unset _PYTHON_SYSCONFIGDATA_NAME
 S = "${WORKDIR}/glib-${PV}"
 PACKAGECONFIG ??= "system-pcre libmount \
@@ -170,7 +166,7 @@ RDEPENDS_${PN}-ptest += "\
            ${PN}-locale-th \
            python3-core \
            python3-modules \
-            python3-dbusmock \
+            ${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-dbusmock', '', d)} \
            ${PN}-codegen \
           "
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 1566056297..84d199bb1d 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.32/master"
 PV = "2.32"
-SRCREV_glibc ?= "3de512be7ea6053255afed6154db9ee31d4e557a"
+SRCREV_glibc ?= "44b395932961a29825da4ad025124a6760858d9c"
 SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch b/meta/recipes-core/glibc/glibc/0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch
new file mode 100644
index 0000000000..a458a2a223
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch
@@ -0,0 +1,110 @@
+From 75a193b7611bade31a150dfcc528b973e3d46231 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Mon, 2 Nov 2020 16:18:29 -0300
+Subject: [PATCH] linux: Allow adjtime with NULL argument [BZ #26833]
+The adjtime interface allows return the amount of time remaining
+from any previous adjustment that has not yet been completed by
+passing a NULL as first argument.  This was introduced with y2038
+support 0308077e3a.
+Checked on i686-linux-gnu.
+Reviewed-by: Lukasz Majewski <lukma@denx.de>
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=75a193b7611bade31a150dfcc528b973e3d46231]
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+ sysdeps/unix/sysv/linux/adjtime.c | 11 +++++---
+ time/Makefile                     |  3 ++-
+ time/tst-adjtime.c                | 44 +++++++++++++++++++++++++++++++
+ 3 files changed, 54 insertions(+), 4 deletions(-)
+ create mode 100644 time/tst-adjtime.c
+diff --git a/sysdeps/unix/sysv/linux/adjtime.c b/sysdeps/unix/sysv/linux/adjtime.c
+index 3f9a4ea2eb..6d1d1b6af2 100644
+--- a/sysdeps/unix/sysv/linux/adjtime.c
+++ b/sysdeps/unix/sysv/linux/adjtime.c
+@@ -68,11 +68,16 @@ libc_hidden_def (__adjtime64)
+ int
+ __adjtime (const struct timeval *itv, struct timeval *otv)
+ {
+-  struct __timeval64 itv64, otv64;
+  struct __timeval64 itv64, *pitv64 = NULL;
+  struct __timeval64 otv64;
+   int retval;
+ 
+-  itv64 = valid_timeval_to_timeval64 (*itv);
+-  retval = __adjtime64 (&itv64, otv != NULL ? &otv64 : NULL);
+  if (itv != NULL)
+    {
+      itv64 = valid_timeval_to_timeval64 (*itv);
+      pitv64 = &itv64;
+    }
+  retval = __adjtime64 (pitv64, otv != NULL ? &otv64 : NULL);
+   if (otv != NULL)
+     *otv = valid_timeval64_to_timeval (otv64);
+ 
+diff --git a/time/Makefile b/time/Makefile
+index 26aa835166..f27a75a115 100644
+--- a/time/Makefile
+++ b/time/Makefile
+@@ -47,7 +47,8 @@ tests := test_time clocktest tst-posixtz tst-strptime tst_wcsftime \
+           tst-mktime3 tst-strptime2 bug-asctime bug-asctime_r bug-mktime1 \
+           tst-strptime3 bug-getdate1 tst-strptime-whitespace tst-ftime \
+           tst-tzname tst-y2039 bug-mktime4 tst-strftime2 tst-strftime3 \
+-          tst-clock tst-clock2 tst-clock_nanosleep tst-cpuclock1
+          tst-clock tst-clock2 tst-clock_nanosleep tst-cpuclock1 \
+          tst-adjtime
+ 
+ include ../Rules
+ 
+diff --git a/time/tst-adjtime.c b/time/tst-adjtime.c
+new file mode 100644
+index 0000000000..ae2b37cdab
+--- /dev/null
+++ b/time/tst-adjtime.c
+@@ -0,0 +1,44 @@
+/* Basic tests for adjtime.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <sys/time.h>
+#include <stdlib.h>
+
+#include <errno.h>
+#include <support/check.h>
+
+
+static int
+do_test (void)
+{
+  /* Check if the interface allows getting the amount of time remaining
+     from any previous adjustment that has not yet been completed.  This
+     is a non-privileged function of adjtime.  */
+  struct timeval tv;
+  int r = adjtime (NULL, &tv);
+  if (r == -1)
+    {
+      if (errno == ENOSYS)
+       FAIL_UNSUPPORTED ("adjtime unsupported");
+      FAIL_EXIT1 ("adjtime (NULL, ...) failed: %m");
+    }
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
new file mode 100644
index 0000000000..134b4e3613
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
@@ -0,0 +1,155 @@
+From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
+From: Michael Colavita <mcolavita@fb.com>
+Date: Thu, 19 Nov 2020 11:44:40 -0500
+Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
+Previously, in UCS4 conversion routines we limit the number of
+characters we examine to the minimum of the number of characters in the
+input and the number of characters in the output. This is not the
+correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
+an output character when we skip a code unit. Instead, track the input
+and output pointers and terminate the loop when either reaches its
+limit.
+This resolves assertion failures when resetting the input buffer in a step of
+iconv, which assumes that the input will be fully consumed given sufficient
+output space.
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2020-29562
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iconv/Makefile       |  2 +-
+ iconv/gconv_simple.c | 16 ++++----------
+ iconv/tst-iconv8.c   | 50 ++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 13 deletions(-)
+ create mode 100644 iconv/tst-iconv8.c
+diff --git a/iconv/Makefile b/iconv/Makefile
+index 30bf996d3a..f9b51e23ec 100644
+--- a/iconv/Makefile
+++ b/iconv/Makefile
+@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
+ CFLAGS-simple-hash.c += -I../locale
+ 
+ tests  = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
+-         tst-iconv7 tst-iconv-mt tst-iconv-opt
+         tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
+ 
+ others         = iconv_prog iconvconfig
+ install-others-programs        = $(inst_bindir)/iconv
+diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
+index d4797fba17..963b29f246 100644
+--- a/iconv/gconv_simple.c
+++ b/iconv/gconv_simple.c
+@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
+   int flags = step_data->__flags;
+   const unsigned char *inptr = *inptrp;
+   unsigned char *outptr = *outptrp;
+-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+   int result;
+-  size_t cnt;
+ 
+-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+     {
+       uint32_t inval;
+ 
+@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
+   int flags = step_data->__flags;
+   const unsigned char *inptr = *inptrp;
+   unsigned char *outptr = *outptrp;
+-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+   int result;
+-  size_t cnt;
+ 
+-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+     {
+       if (__glibc_unlikely (inptr[0] > 0x80))
+        {
+@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
+   int flags = step_data->__flags;
+   const unsigned char *inptr = *inptrp;
+   unsigned char *outptr = *outptrp;
+-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+   int result;
+-  size_t cnt;
+ 
+-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+     {
+       uint32_t inval;
+ 
+@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
+   int flags = step_data->__flags;
+   const unsigned char *inptr = *inptrp;
+   unsigned char *outptr = *outptrp;
+-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+   int result;
+-  size_t cnt;
+ 
+-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+     {
+       if (__glibc_unlikely (inptr[3] > 0x80))
+        {
+diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
+new file mode 100644
+index 0000000000..0b92b19f66
+--- /dev/null
+++ b/iconv/tst-iconv8.c
+@@ -0,0 +1,50 @@
+/* Test iconv behavior on UCS4 conversions with //IGNORE.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Derived from BZ #26923 */
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /*
+   * Convert sequence beginning with an irreversible character into buffer that
+   * is too small.
+   */
+  char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
+  char *inptr = input;
+  size_t insize = sizeof (input);
+  char output[6];
+  char *outptr = output;
+  size_t outsize = sizeof (output);
+
+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
+  TEST_VERIFY (errno == E2BIG);
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+-- 
+2.17.0
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch
new file mode 100644
index 0000000000..0f54d72cad
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch
@@ -0,0 +1,56 @@
+From 681900d29683722b1cb0a8e565a0585846ec5a61 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 22 Sep 2020 19:07:48 +0200
+Subject: [PATCH] x86: Harden printf against non-normal long double values (bug
+ 26649)
+The behavior of isnan/__builtin_isnan on bit patterns that do not
+correspond to something that the CPU would produce from valid inputs
+is currently under-defined in the toolchain. (The GCC built-in and
+glibc disagree.)
+The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c
+assumes the GCC behavior that returns true for non-normal numbers
+which are not specified as NaN. (The glibc implementation returns
+false for such numbers.)
+At present, passing non-normal numbers to __mpn_extract_long_double
+causes this function to produce irregularly shaped multi-precision
+integers, triggering undefined behavior in __printf_fp_l.
+With GCC 10 and glibc 2.32, this behavior is not visible because
+__builtin_isnan is used, which avoids calling
+__mpn_extract_long_double in this case.  This commit updates the
+implementation of __mpn_extract_long_double so that regularly shaped
+multi-precision integers are produced in this case, avoiding
+undefined behavior in __printf_fp_l.
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2020-29573
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ sysdeps/i386/ldbl2mpn.c                  |  8 ++++
+ 1 files changed, 8 insertions(+)
+diff --git a/sysdeps/i386/ldbl2mpn.c b/sysdeps/i386/ldbl2mpn.c
+index ec8464eef7..23afedfb67 100644
+--- a/sysdeps/i386/ldbl2mpn.c
+++ b/sysdeps/i386/ldbl2mpn.c
+@@ -115,6 +115,14 @@ __mpn_extract_long_double (mp_ptr res_ptr, mp_size_t size,
+           && res_ptr[N - 1] == 0)
+     /* Pseudo zero.  */
+     *expt = 0;
+  else
+    /* Unlike other floating point formats, the most significant bit
+       is explicit and expected to be set for normal numbers.  Set it
+       in case it is cleared in the input.  Otherwise, callers will
+       not be able to produce the expected multi-precision integer
+       layout by shifting.  */
+    res_ptr[N - 1] |= (mp_limb_t) 1 << (LDBL_MANT_DIG - 1
+                                       - ((N - 1) * BITS_PER_MP_LIMB));
+ 
+   return N;
+ }
+-- 
+2.17.0
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index 2a0e464385..03aea52508 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,8 @@
 require glibc.inc
 require glibc-version.inc
-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+# whitelist CVE's with fixes in latest release/2.32/master branch
+CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618 CVE-2021-27645 CVE-2021-3326"
 DEPENDS += "gperf-native bison-native make-native"
@@ -43,6 +44,9 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
           file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
           file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
+           file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
+           file://CVE-2020-29562.patch \
+           file://CVE-2020-29573.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 8390b8389d..9e944a2534 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,10 +22,10 @@ APPEND += "rootfstype=ext4 quiet"
 DEPENDS = "zip-native python3-pip-native"
 IMAGE_FSTYPES = "wic.vmdk"
-inherit core-image module-base setuptools3
+inherit core-image setuptools3
-SRCREV ?= "1dfd37d30953208fd998cef79483f371330a754e"
+SRCREV ?= "79c4792da2b400431c09d9a2f53efd4443812281"
-SRC_URI = "git://git.yoctoproject.org/poky \
+SRC_URI = "git://git.yoctoproject.org/poky;branch=gatesgarth \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
           file://README_VirtualBox_Guest_Additions.txt \
@@ -61,12 +61,6 @@ fakeroot do_populate_poky_src () {
        # Place the README_VirtualBox_Toaster file in builders home folder.
        cp ${WORKDIR}/README_VirtualBox_Toaster.txt ${IMAGE_ROOTFS}/home/builder/
-        # Create a symlink, needed for out-of-tree kernel modules build
-        if [ ! -e ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build ]; then
-                rm -f  ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
-                lnr ${IMAGE_ROOTFS}${KERNEL_SRC_PATH} ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
-        fi
        echo "INHERIT += \"rm_work\"" >> ${IMAGE_ROOTFS}/home/builder/poky/build/conf/auto.conf
        echo "export LC_ALL=en_US.utf8" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index b6855b5aac..f667518b89 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -279,6 +279,11 @@ fi
 umount /tgt_root
+# copy any extra files needed for ESP
+if [ -d /run/media/$1/esp ]; then
+    cp -r /run/media/$1/esp/* /boot
+fi
 # Copy kernel artifacts. To add more artifacts just add to types
 # For now just support kernel types already being used by something in OE-core
 for types in bzImage zImage vmlinux vmlinuz fitImage; do
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh b/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
index 02f0351fcb..a63e71b780 100755
--- a/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
@@ -74,7 +74,7 @@ test "$VERBOSE" != no && echo "Activating swap"
 #
 # Check the root filesystem.
 #
-if test -f /fastboot || test $rootcheck = no
+if test -f /fastboot || test "$rootcheck" = "no"
 then
  test $rootcheck = yes && echo "Fast boot, no filesystem check"
 else
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
index c32d0107c3..83e3fddccc 100644
--- a/meta/recipes-core/meta/buildtools-extended-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -28,8 +28,21 @@ TOOLCHAIN_HOST_TASK += "\
    nativesdk-libtool \
    nativesdk-pkgconfig \
    nativesdk-glibc-utils \
+    nativesdk-glibc-gconv-ibm850 \
+    nativesdk-glibc-gconv-iso8859-1 \
+    nativesdk-glibc-gconv-utf-16 \
+    nativesdk-glibc-gconv-cp1250 \
+    nativesdk-glibc-gconv-cp1251 \
+    nativesdk-glibc-gconv-cp1252 \
+    nativesdk-glibc-gconv-euc-jp \
+    nativesdk-glibc-gconv-libjis \
    nativesdk-libxcrypt-dev \
+    nativesdk-parted \
+    nativesdk-dosfstools \
+    nativesdk-gptfdisk \
    "
+# gconv-cp1250, cp1251 and euc-jp needed for iconv to work in vim builds
+# also copied list from uninative
 TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index cf2b251e21..b073936298 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -138,14 +138,24 @@ def parse_node_and_insert(c, node, cveId):
        for cpe in node.get('cpe_match', ()):
            if not cpe['vulnerable']:
                return
-            cpe23 = cpe['cpe23Uri'].split(':')
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
            vendor = cpe23[3]
            product = cpe23[4]
            version = cpe23[5]
+            if cpe23[6] == '*' or cpe23[6] == '-':
+                version_suffix = ""
+            else:
+                version_suffix = "_" + cpe23[6]
            if version != '*' and version != '-':
                # Version is defined, this is a '=' match
-                yield [cveId, vendor, product, version, '=', '', '']
+                yield [cveId, vendor, product, version + version_suffix, '=', '', '']
            elif version == '-':
                # no version information is available
                yield [cveId, vendor, product, version, '', '', '']
@@ -172,7 +182,12 @@ def parse_node_and_insert(c, node, cveId):
                    op_end = '<'
                    v_end = cpe['versionEndExcluding']
-                yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                if op_start or op_end or v_start or v_end:
+                    yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                else:
+                    # This is no version information, expressed differently.
+                    # Save processing by representing as -.
+                    yield [cveId, vendor, product, '-', '', '', '']
    c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 4b61889668..ef59bc3b0a 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -312,7 +312,7 @@ FILES_${PN}-tools = "\
 "
 # 'reset' is a symlink to 'tset' which is in the 'ncurses' package
-RDEPENDS_${PN}-tools = "${PN}"
+RDEPENDS_${PN}-tools = "${PN} ${PN}-terminfo-base"
 FILES_${PN}-terminfo = "\
  ${datadir}/terminfo \
@@ -324,3 +324,8 @@ FILES_${PN}-terminfo-base = "\
 RSUGGESTS_${PN}-libtinfo = "${PN}-terminfo"
 RRECOMMENDS_${PN}-libtinfo = "${PN}-terminfo-base"
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS_remove = "${datadir}"
diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
index 0d2b8bf52f..fd4fb5b732 100644
--- a/meta/recipes-core/ovmf/ovmf-shell-image.bb
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -1,4 +1,5 @@
 DESCRIPTION = "boot image with UEFI shell and tools"
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
 # For this image recipe, only the wic format with a
 # single vfat partition makes sense. Because we have no
diff --git a/meta/recipes-core/systemd/systemd-boot_246.2.bb b/meta/recipes-core/systemd/systemd-boot_246.9.bb
index f92c639810..f92c639810 100644
--- a/meta/recipes-core/systemd/systemd-boot_246.2.bb
+++ b/meta/recipes-core/systemd/systemd-boot_246.9.bb
diff --git a/meta/recipes-core/systemd/systemd-conf/wired.network b/meta/recipes-core/systemd/systemd-conf/wired.network
index dcf3534596..06d00ea1ba 100644
--- a/meta/recipes-core/systemd/systemd-conf/wired.network
+++ b/meta/recipes-core/systemd/systemd-conf/wired.network
@@ -1,6 +1,7 @@
 [Match]
 Name=en* eth*
 KernelCommandLine=!nfsroot
+KernelCommandLine=!ip
 [Network]
 DHCP=yes
diff --git a/meta/recipes-core/systemd/systemd-conf_246.1.bb b/meta/recipes-core/systemd/systemd-conf_246.9.bb
index d9ec023bfd..9b797a91f4 100644
--- a/meta/recipes-core/systemd/systemd-conf_246.1.bb
+++ b/meta/recipes-core/systemd/systemd-conf_246.9.bb
@@ -23,9 +23,6 @@ do_install() {
 # Based on change from YP bug 8141, OE commit 5196d7bacaef1076c361adaa2867be31759c1b52
 do_install_append_qemuall() {
        install -D -m0644 ${WORKDIR}/system.conf-qemuall ${D}${systemd_unitdir}/system.conf.d/01-${PN}.conf
-        # Do not install wired.network for qemu bsps
-        rm -rf ${D}${systemd_unitdir}/network
 }
 PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 1733565fc0..b0f8a72bbe 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -14,7 +14,7 @@ LICENSE = "GPLv2 & LGPLv2.1"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
                    file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
-SRCREV = "2ee1c57c4ff4fd3349cf03c2e89fbd18ca0b3a4a"
+SRCREV = "90f7f6c5777e9e2a4990f299474f730459054bf4"
 SRCBRANCH = "v246-stable"
 SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
diff --git a/meta/recipes-core/systemd/systemd/0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch b/meta/recipes-core/systemd/systemd/0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch
index 2676c144f2..643b9547b7 100644
--- a/meta/recipes-core/systemd/systemd/0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch
+++ b/meta/recipes-core/systemd/systemd/0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch
@@ -1,4 +1,4 @@
-From 564830719be2017c4953589d50f21a9e856a4ecc Mon Sep 17 00:00:00 2001
+From ad5b89a366785d8a19ba970f5b0c97b4de848fa3 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Thu, 21 Feb 2019 16:23:24 +0800
 Subject: [PATCH] binfmt: Don't install dependency links at install time for
@@ -18,17 +18,16 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 [rebased for systemd 243]
 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
 ---
 units/meson.build                       | 6 ++----
 units/proc-sys-fs-binfmt_misc.automount | 3 +++
 units/systemd-binfmt.service.in         | 4 ++++
 3 files changed, 9 insertions(+), 4 deletions(-)
-Index: systemd-stable/units/meson.build
+diff --git a/units/meson.build b/units/meson.build
-===================================================================
+index 031237c..0d43bdb 100644
--- systemd-stable.orig/units/meson.build
+--- a/units/meson.build
-+++ systemd-stable/units/meson.build
+++ b/units/meson.build
 @@ -54,8 +54,7 @@ units = [
         ['poweroff.target',                     '',
          (with_runlevels ? 'runlevel0.target' : '')],
@@ -38,8 +37,8 @@ Index: systemd-stable/units/meson.build
 +        ['proc-sys-fs-binfmt_misc.automount',   'ENABLE_BINFMT'],
         ['proc-sys-fs-binfmt_misc.mount',       'ENABLE_BINFMT'],
         ['reboot.target',                       '',
-          (with_runlevels ? 'runlevel6.target ctrl-alt-del.target' : 'ctrl-alt-del.target')],
+          'ctrl-alt-del.target' + (with_runlevels ? ' runlevel6.target' : '')],
-@@ -162,8 +161,7 @@ in_units = [
+@@ -164,8 +163,7 @@ in_units = [
         ['rc-local.service',                     'HAVE_SYSV_COMPAT'],
         ['rescue.service',                       ''],
         ['systemd-backlight@.service',           'ENABLE_BACKLIGHT'],
@@ -49,10 +48,10 @@ Index: systemd-stable/units/meson.build
         ['systemd-bless-boot.service',           'ENABLE_EFI HAVE_BLKID'],
         ['systemd-boot-check-no-failures.service', ''],
         ['systemd-coredump@.service',            'ENABLE_COREDUMP'],
-Index: systemd-stable/units/proc-sys-fs-binfmt_misc.automount
+diff --git a/units/proc-sys-fs-binfmt_misc.automount b/units/proc-sys-fs-binfmt_misc.automount
-===================================================================
+index 30a6bc9..4231f3b 100644
--- systemd-stable.orig/units/proc-sys-fs-binfmt_misc.automount
+--- a/units/proc-sys-fs-binfmt_misc.automount
-+++ systemd-stable/units/proc-sys-fs-binfmt_misc.automount
+++ b/units/proc-sys-fs-binfmt_misc.automount
 @@ -18,3 +18,6 @@ ConditionPathIsReadWrite=/proc/sys/
 
 [Automount]
@@ -60,11 +59,11 @@ Index: systemd-stable/units/proc-sys-fs-binfmt_misc.automount
 +
 +[Install]
 +WantedBy=sysinit.target
-Index: systemd-stable/units/systemd-binfmt.service.in
+diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in
-===================================================================
+index e54e95e..372a598 100644
--- systemd-stable.orig/units/systemd-binfmt.service.in
+--- a/units/systemd-binfmt.service.in
-+++ systemd-stable/units/systemd-binfmt.service.in
+++ b/units/systemd-binfmt.service.in
-@@ -14,6 +14,7 @@ Documentation=https://www.kernel.org/doc
+@@ -14,6 +14,7 @@ Documentation=https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.htm
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 Conflicts=shutdown.target
@@ -79,3 +78,6 @@ Index: systemd-stable/units/systemd-binfmt.service.in
 +
 +[Install]
 +WantedBy=sysinit.target
+-- 
+2.7.4
diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
new file mode 100644
index 0000000000..89ef39bc3e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
+From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Fri, 30 Oct 2020 08:15:43 -0500
+Subject: [PATCH] logind: Restore chvt as non-root user without polkit
+4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
+the ability to write user sessions that run graphical sessions (e.g.
+weston/X11). This was partially amended in 19bb87fbfa ("login: allow
+non-console sessions to change vt") by changing the default PolicyKit
+policy so that non-root users are again allowed to switch the VT. This
+makes the policy when PolKit is not enabled (as on many embedded
+systems) match the default PolKit policy and allows launching graphical
+sessions as a non-root user.
+Closes #17473
+---
+ src/login/logind-dbus.c         | 11 ++-------
+ src/login/logind-polkit.c       | 26 +++++++++++++++++++++
+ src/login/logind-polkit.h       | 10 ++++++++
+ src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
+ src/login/logind-session-dbus.c | 11 ++-------
+ src/login/meson.build           |  1 +
+ 6 files changed, 46 insertions(+), 54 deletions(-)
+ create mode 100644 src/login/logind-polkit.c
+ create mode 100644 src/login/logind-polkit.h
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 0f83ed99bc..a3765d88ba 100644
+--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
+@@ -30,6 +30,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-user-dbus.h"
+@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
+                                          "Session %s not on seat %s", session_name, seat_name);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &m->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, m, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
+new file mode 100644
+index 0000000000..9072570cc6
+--- /dev/null
+++ b/src/login/logind-polkit.c
+@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+        return bus_verify_polkit_async(
+                        message,
+                        CAP_SYS_ADMIN,
+                        "org.freedesktop.login1.chvt",
+                        NULL,
+                        false,
+                        UID_INVALID,
+                        &manager->polkit_registry,
+                        error);
+#else
+        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+         * non-root user when polkit is not compiled in, matching the default polkit policy */
+        return 1;
+#endif
+}
+
+
+diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
+new file mode 100644
+index 0000000000..476c077a8a
+--- /dev/null
+++ b/src/login/logind-polkit.h
+@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include "sd-bus.h"
+
+#include "bus-object.h"
+#include "logind.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
+
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a945132284..f22e9e2734 100644
+--- a/src/login/logind-seat-dbus.c
+++ b/src/login/logind-seat-dbus.c
+@@ -9,6 +9,7 @@
+ #include "bus-polkit.h"
+ #include "bus-util.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-seat.h"
+ #include "logind-session-dbus.h"
+@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
+         if (session->seat != s)
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
+         if (to <= 0)
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index ccc5ac8df2..57c8a4e900 100644
+--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
+@@ -11,6 +11,7 @@
+ #include "fd-util.h"
+ #include "logind-brightness.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-session-device.h"
+@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/meson.build b/src/login/meson.build
+index 0a7d3d5440..7e46be2add 100644
+--- a/src/login/meson.build
+++ b/src/login/meson.build
+@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
+         logind-device.h
+         logind-inhibit.c
+         logind-inhibit.h
+        logind-polkit.c
+         logind-seat-dbus.c
+         logind-seat-dbus.h
+         logind-seat.c
+-- 
+2.28.0
diff --git a/meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch b/meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch
index 30fe9a14df..3be5095f07 100644
--- a/meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch
+++ b/meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch
@@ -1,4 +1,4 @@
-From 3eb12a6ba0bce149717eaabeb1505d379b3d705a Mon Sep 17 00:00:00 2001
+From 263e4100a849f28f62fcfcc1456e9e6de8ee836b Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 13:41:41 +0800
 Subject: [PATCH] don't use glibc-specific qsort_r
@@ -12,16 +12,16 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 ---
- src/basic/sort-util.h              | 14 ------------
+ src/basic/sort-util.h              | 14 --------------
- src/libsystemd/sd-hwdb/hwdb-util.c | 19 +++++++++++-----
+ src/libsystemd/sd-hwdb/hwdb-util.c | 19 ++++++++++++++-----
- src/shared/format-table.c          | 36 ++++++++++++++++++++----------
+ src/shared/format-table.c          | 36 ++++++++++++++++++++++++------------
 3 files changed, 38 insertions(+), 31 deletions(-)
-Index: systemd-stable/src/basic/sort-util.h
+diff --git a/src/basic/sort-util.h b/src/basic/sort-util.h
-===================================================================
+index a8dc3bb..9541061 100644
--- systemd-stable.orig/src/basic/sort-util.h
+--- a/src/basic/sort-util.h
-+++ systemd-stable/src/basic/sort-util.h
+++ b/src/basic/sort-util.h
-@@ -54,17 +54,3 @@ static inline void _qsort_safe(void *bas
+@@ -54,17 +54,3 @@ static inline void _qsort_safe(void *base, size_t nmemb, size_t size, __compar_f
                 int (*_func_)(const typeof(p[0])*, const typeof(p[0])*) = func; \
                 _qsort_safe((p), (n), sizeof((p)[0]), (__compar_fn_t) _func_); \
         })
@@ -39,11 +39,11 @@ Index: systemd-stable/src/basic/sort-util.h
 -                int (*_func_)(const typeof(p[0])*, const typeof(p[0])*, typeof(userdata)) = func; \
 -                qsort_r_safe((p), (n), sizeof((p)[0]), (__compar_d_fn_t) _func_, userdata); \
 -        })
-Index: systemd-stable/src/libsystemd/sd-hwdb/hwdb-util.c
+diff --git a/src/libsystemd/sd-hwdb/hwdb-util.c b/src/libsystemd/sd-hwdb/hwdb-util.c
-===================================================================
+index 5c75216..3986fc8 100644
--- systemd-stable.orig/src/libsystemd/sd-hwdb/hwdb-util.c
+--- a/src/libsystemd/sd-hwdb/hwdb-util.c
-+++ systemd-stable/src/libsystemd/sd-hwdb/hwdb-util.c
+++ b/src/libsystemd/sd-hwdb/hwdb-util.c
-@@ -128,9 +128,13 @@ static void trie_free(struct trie *trie)
+@@ -128,9 +128,13 @@ static void trie_free(struct trie *trie) {
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(struct trie*, trie_free);
 
@@ -60,7 +60,7 @@ Index: systemd-stable/src/libsystemd/sd-hwdb/hwdb-util.c
 }
 
 static int trie_node_add_value(struct trie *trie, struct trie_node *node,
-@@ -158,7 +162,10 @@ static int trie_node_add_value(struct tr
+@@ -158,7 +162,10 @@ static int trie_node_add_value(struct trie *trie, struct trie_node *node,
                         .value_off = v,
                 };
 
@@ -72,7 +72,7 @@ Index: systemd-stable/src/libsystemd/sd-hwdb/hwdb-util.c
                 if (val) {
                         /* At this point we have 2 identical properties on the same match-string.
                          * Since we process files in order, we just replace the previous value. */
-@@ -184,7 +191,9 @@ static int trie_node_add_value(struct tr
+@@ -184,7 +191,9 @@ static int trie_node_add_value(struct trie *trie, struct trie_node *node,
                 .line_number = line_number,
         };
         node->values_count++;
@@ -83,11 +83,11 @@ Index: systemd-stable/src/libsystemd/sd-hwdb/hwdb-util.c
         return 0;
 }
 
-Index: systemd-stable/src/shared/format-table.c
+diff --git a/src/shared/format-table.c b/src/shared/format-table.c
-===================================================================
+index 612402c..04638b2 100644
--- systemd-stable.orig/src/shared/format-table.c
+--- a/src/shared/format-table.c
-+++ systemd-stable/src/shared/format-table.c
+++ b/src/shared/format-table.c
-@@ -1246,31 +1246,33 @@ static int cell_data_compare(TableData *
+@@ -1243,30 +1243,32 @@ static int cell_data_compare(TableData *a, size_t index_a, TableData *b, size_t
         return CMP(index_a, index_b);
 }
 
@@ -95,7 +95,6 @@ Index: systemd-stable/src/shared/format-table.c
 +static Table *user_table;
 +static int table_data_compare(const void *x, const void *y) {
 +        const size_t *a = x, *b=y;
-         size_t i;
         int r;
 
 -        assert(t);
@@ -115,8 +114,8 @@ Index: systemd-stable/src/shared/format-table.c
                 return 1;
 
         /* Order other lines by the sorting map */
-        for (i = 0; i < t->n_sort_map; i++) {
+-        for (size_t i = 0; i < t->n_sort_map; i++) {
-+        for (i = 0; i < user_table->n_sort_map; i++) {
+        for (size_t i = 0; i < user_table->n_sort_map; i++) {
                 TableData *d, *dd;
 
 -                d = t->data[*a + t->sort_map[i]];
@@ -131,8 +130,8 @@ Index: systemd-stable/src/shared/format-table.c
         }
 
         /* Order identical lines by the order there were originally added in */
-@@ -1798,7 +1800,12 @@ int table_print(Table *t, FILE *f) {
+@@ -1844,7 +1846,12 @@ int table_print(Table *t, FILE *f) {
-                 for (i = 0; i < n_rows; i++)
+                 for (size_t i = 0; i < n_rows; i++)
                         sorted[i] = i * t->n_columns;
 
 -                typesafe_qsort_r(sorted, n_rows, table_data_compare, t);
@@ -145,8 +144,8 @@ Index: systemd-stable/src/shared/format-table.c
         }
 
         if (t->display_map)
-@@ -2375,7 +2382,12 @@ int table_to_json(Table *t, JsonVariant
+@@ -2440,7 +2447,12 @@ int table_to_json(Table *t, JsonVariant **ret) {
-                 for (i = 0; i < n_rows; i++)
+                 for (size_t i = 0; i < n_rows; i++)
                         sorted[i] = i * t->n_columns;
 
 -                typesafe_qsort_r(sorted, n_rows, table_data_compare, t);
diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.9.bb
index 9215adf8dc..6524b8216a 100644
--- a/meta/recipes-core/systemd/systemd_246.6.bb
+++ b/meta/recipes-core/systemd/systemd_246.9.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
           file://0003-implment-systemd-sysv-install-for-OE.patch \
           file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
+           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
           "
 # patches needed by musl
@@ -134,7 +135,7 @@ PACKAGECONFIG[hibernate] = "-Dhibernate=true,-Dhibernate=false"
 PACKAGECONFIG[hostnamed] = "-Dhostnamed=true,-Dhostnamed=false"
 PACKAGECONFIG[idn] = "-Didn=true,-Didn=false"
 PACKAGECONFIG[ima] = "-Dima=true,-Dima=false"
-# importd requires curl/xz/zlib/bzip2/gcrypt
+# importd requires journal-upload/xz/zlib/bzip2/gcrypt
 PACKAGECONFIG[importd] = "-Dimportd=true,-Dimportd=false"
 # Update NAT firewall rules
 PACKAGECONFIG[iptc] = "-Dlibiptc=true,-Dlibiptc=false,iptables"
@@ -357,15 +358,15 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
                    ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
 "
 GROUPADD_PARAM_${PN} = "-r systemd-journal"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /bin/nologin systemd-network;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /sbin/nologin systemd-resolve;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /bin/nologin systemd-timesync;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /sbin/nologin systemd-timesync;', '', d)}"
-USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /bin/nologin systemd-bus-proxy"
+USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /sbin/nologin systemd-bus-proxy"
-USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /bin/nologin systemd-journal-gateway"
+USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /sbin/nologin systemd-journal-gateway"
-USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /bin/nologin systemd-journal-remote"
+USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /sbin/nologin systemd-journal-remote"
-USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /bin/nologin systemd-journal-upload"
+USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /sbin/nologin systemd-journal-upload"
 FILES_${PN}-analyze = "${bindir}/systemd-analyze"
diff --git a/meta/recipes-core/sysvinit/sysvinit/rc b/meta/recipes-core/sysvinit/sysvinit/rc
index fd1fdd26ba..d0d3149821 100755
--- a/meta/recipes-core/sysvinit/sysvinit/rc
+++ b/meta/recipes-core/sysvinit/sysvinit/rc
@@ -63,7 +63,7 @@ startup() {
  stty onlcr 0>&1
  # Limit stack size for startup scripts
-  [ "$STACK_SIZE" == "" ] || ulimit -S -s $STACK_SIZE
+  [ "$STACK_SIZE" = "" ] || ulimit -S -s $STACK_SIZE
  # Now find out what the current and what the previous runlevel are.
diff --git a/meta/recipes-core/udev/eudev/init b/meta/recipes-core/udev/eudev/init
index 0455ade258..c60dbbf6d5 100644
--- a/meta/recipes-core/udev/eudev/init
+++ b/meta/recipes-core/udev/eudev/init
@@ -52,7 +52,7 @@ case "$1" in
    kill_udevd > "/dev/null" 2>&1
    # trigger the sorted events
-    [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug
+    [ -e /proc/sys/kernel/hotplug ] && printf '\0\n' >/proc/sys/kernel/hotplug
    @UDEVD@ -d
    udevadm control --env=STARTUP=1
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index bc9107b084..6290d5b191 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -16,15 +16,15 @@ def binutils_branch_version(d):
 # When upgrading to 2.35, please make sure there is no trailing .0, so
 # that upstream version check can work correctly.
-PV = "2.35"
+PV = "2.35.1"
-CVE_VERSION = "2.35"
+CVE_VERSION = "2.35.1"
 BINUPV = "${@binutils_branch_version(d)}"
 #BRANCH = "binutils-${BINUPV}-branch"
 BRANCH ?= "binutils-2_35-branch"
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
-SRCREV ?= "89a9065674a14a8bd94bb326b27d19a2f3583efb"
+SRCREV ?= "7e46a74aa3713c563940960e361e08defda019c2"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git"
 SRC_URI = "\
     ${BINUTILS_GIT_URI} \
@@ -42,5 +42,8 @@ SRC_URI = "\
     file://0015-sync-with-OE-libtool-changes.patch \
     file://0016-Check-for-clang-before-checking-gcc-version.patch \
     file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+     file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
+     file://CVE-2020-35448.patch \
+     file://0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils-cross-canadian_2.35.bb b/meta/recipes-devtools/binutils/binutils-cross-canadian_2.35.1.bb
index 5dbaa03017..5dbaa03017 100644
--- a/meta/recipes-devtools/binutils/binutils-cross-canadian_2.35.bb
+++ b/meta/recipes-devtools/binutils/binutils-cross-canadian_2.35.1.bb
diff --git a/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.35.bb b/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.35.1.bb
index 07a8e7c417..07a8e7c417 100644
--- a/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.35.bb
+++ b/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.35.1.bb
diff --git a/meta/recipes-devtools/binutils/binutils-cross_2.35.bb b/meta/recipes-devtools/binutils/binutils-cross_2.35.1.bb
index fbd1f7d25a..fbd1f7d25a 100644
--- a/meta/recipes-devtools/binutils/binutils-cross_2.35.bb
+++ b/meta/recipes-devtools/binutils/binutils-cross_2.35.1.bb
diff --git a/meta/recipes-devtools/binutils/binutils-crosssdk_2.35.bb b/meta/recipes-devtools/binutils/binutils-crosssdk_2.35.1.bb
index 37f4d6d2e9..37f4d6d2e9 100644
--- a/meta/recipes-devtools/binutils/binutils-crosssdk_2.35.bb
+++ b/meta/recipes-devtools/binutils/binutils-crosssdk_2.35.1.bb
diff --git a/meta/recipes-devtools/binutils/binutils/0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch b/meta/recipes-devtools/binutils/binutils/0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch
new file mode 100644
index 0000000000..f46ddab415
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch
@@ -0,0 +1,135 @@
+From c7cd291722779c9d4703ed0010388fe394c644c8 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddesh.poyarekar@arm.com>
+Date: Tue, 1 Sep 2020 14:25:52 +0530
+Subject: [PATCH] aarch64: Return an error on conditional branch to an undefined symbol
+The fix in 7e05773767820b441b23a16628b55c98cb1aef46 introduced a PLT
+for conditional jumps when the target symbol is undefined.  This is
+incorrect because conditional branch relocations are not allowed to
+clobber IP0/IP1 and hence, should not result in a dynamic relocation.
+Revert that change and in its place, issue an error when the target
+symbol is undefined.
+bfd/
+        2020-09-10  Siddhesh Poyarekar  <siddesh.poyarekar@arm.com>
+        * elfnn-aarch64.c (elfNN_aarch64_final_link_relocate): Revert
+        changes in 7e05773767820b441b23a16628b55c98cb1aef46.  Set
+        error for undefined symbol in BFD_RELOC_AARCH64_BRANCH19 and
+        BFD_RELOC_AARCH64_TSTBR14 relocations.
+ld/
+        2020-09-10  Siddhesh Poyarekar  <siddesh.poyarekar@arm.com>
+        * testsuite/ld-aarch64/emit-relocs-560.d: Expect error instead
+        of valid output.
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c7cd291722779c9d4703ed0010388fe394c644c8]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+ bfd/ChangeLog                             |  7 +++++
+ bfd/elfnn-aarch64.c                       | 37 ++++++++++++-----------
+ ld/ChangeLog                              |  5 +++
+ ld/testsuite/ld-aarch64/emit-relocs-560.d |  7 +----
+ 4 files changed, 32 insertions(+), 24 deletions(-)
+diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
+index 5b4c189b593..a9924e7ec56 100644
+--- a/bfd/elfnn-aarch64.c
+++ b/bfd/elfnn-aarch64.c
+@@ -5447,7 +5447,6 @@ elfNN_aarch64_final_link_relocate (reloc_howto_type *howto,
+   bfd_vma orig_value = value;
+   bfd_boolean resolved_to_zero;
+   bfd_boolean abs_symbol_p;
+-  bfd_boolean via_plt_p;
+ 
+   globals = elf_aarch64_hash_table (info);
+ 
+@@ -5469,8 +5468,6 @@ elfNN_aarch64_final_link_relocate (reloc_howto_type *howto,
+                  : bfd_is_und_section (sym_sec));
+   abs_symbol_p = h != NULL && bfd_is_abs_symbol (&h->root);
+ 
+-  via_plt_p = (globals->root.splt != NULL && h != NULL
+-              && h->plt.offset != (bfd_vma) - 1);
+ 
+   /* Since STT_GNU_IFUNC symbol must go through PLT, we handle
+      it here if it is defined in a non-shared object.  */
+@@ -5806,23 +5803,12 @@ elfNN_aarch64_final_link_relocate (reloc_howto_type *howto,
+        value += signed_addend;
+       break;
+ 
+-    case BFD_RELOC_AARCH64_BRANCH19:
+-    case BFD_RELOC_AARCH64_TSTBR14:
+-      /* A conditional branch to an undefined weak symbol is converted to a
+-        branch to itself.  */
+-      if (weak_undef_p && !via_plt_p)
+-       {
+-         value = _bfd_aarch64_elf_resolve_relocation (input_bfd, bfd_r_type,
+-                                                      place, value,
+-                                                      signed_addend,
+-                                                      weak_undef_p);
+-         break;
+-       }
+-      /* Fall through.  */
+     case BFD_RELOC_AARCH64_CALL26:
+     case BFD_RELOC_AARCH64_JUMP26:
+       {
+        asection *splt = globals->root.splt;
+       bfd_boolean via_plt_p =
+         splt != NULL && h != NULL && h->plt.offset != (bfd_vma) - 1;
+ 
+        /* A call to an undefined weak symbol is converted to a jump to
+           the next instruction unless a PLT entry will be created.
+@@ -5903,6 +5889,23 @@ elfNN_aarch64_final_link_relocate (reloc_howto_type *howto,
+          bfd_set_error (bfd_error_bad_value);
+          return bfd_reloc_notsupported;
+        }
+      value = _bfd_aarch64_elf_resolve_relocation (input_bfd, bfd_r_type,
+                                                  place, value,
+                                                  signed_addend,
+                                                  weak_undef_p);
+      break;
+
+    case BFD_RELOC_AARCH64_BRANCH19:
+    case BFD_RELOC_AARCH64_TSTBR14:
+      if (h && h->root.type == bfd_link_hash_undefined)
+       {
+         _bfd_error_handler
+           /* xgettext:c-format */
+           (_("%pB: conditional branch to undefined symbol `%s' "
+              "not allowed"), input_bfd, h->root.root.string);
+         bfd_set_error (bfd_error_bad_value);
+         return bfd_reloc_notsupported;
+       }
+       /* Fall through.  */
+ 
+     case BFD_RELOC_AARCH64_16:
+@@ -7968,8 +7971,6 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
+            break;
+          }
+ 
+-       case BFD_RELOC_AARCH64_BRANCH19:
+-       case BFD_RELOC_AARCH64_TSTBR14:
+        case BFD_RELOC_AARCH64_CALL26:
+        case BFD_RELOC_AARCH64_JUMP26:
+          /* If this is a local symbol then we resolve it
+diff --git a/ld/testsuite/ld-aarch64/emit-relocs-560.d b/ld/testsuite/ld-aarch64/emit-relocs-560.d
+index 153532457b4..8751b743bd4 100644
+--- a/ld/testsuite/ld-aarch64/emit-relocs-560.d
+++ b/ld/testsuite/ld-aarch64/emit-relocs-560.d
+@@ -1,8 +1,3 @@
+ #source: emit-relocs-560.s
+ #ld: -shared
+-#readelf: -r
+-
+-Relocation section '.rela.plt' at offset 0x[0-9a-f]+ contains 2 entries:
+-  Offset          Info           Type           Sym. Value    Sym. Name \+ Addend
+-[0-9a-f]+  000100000402 R_AARCH64_JUMP_SL 0000000000000000 baz \+ 0
+-[0-9a-f]+  000200000402 R_AARCH64_JUMP_SL 0000000000000000 bar \+ 0
+#error: .*: conditional branch to undefined symbol `bar' not allowed
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
new file mode 100644
index 0000000000..f46415f440
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
@@ -0,0 +1,41 @@
+From de24fc96bf24fca470a9ca13176ad9ad9cc4d5a9 Mon Sep 17 00:00:00 2001
+From: Nick Gasson <nick.gasson@arm.com>
+Date: Mon, 2 Nov 2020 12:02:05 +0800
+Subject: [PATCH] gold: ensure file_counts_lock is initialized before using
+Since upgrading to binutils 2.35 I've been experiencing random memory
+corruption related crashes with ld.gold --threads. It's caused by
+multiple threads concurrently pushing elements onto the shared
+std::vector in File_read::record_file_read(). This vector is supposed to
+be protected by file_counts_lock, but that is initialized lazily and
+might be NULL when File_read::open() is called, in which case
+Hold_optional_lock silently skips locking it.
+Fix by calling the initialize() method before attempting to acquire the
+lock, the same as other places that use file_counts_lock.
+        PR 26827
+        * fileread.cc (File_read::open): Ensure file_counts_lock is
+        initialized.
+        * testsuite/Makefile.am (check_PROGRAMS): Add a test that passes
+        -Wl,--threads.
+        * testsuite/Makefile.in: Regenerate.
+Upstream-Status: Backport [af61e84fd2d from 2.36.0]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ gold/fileread.cc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/gold/fileread.cc b/gold/fileread.cc
+index f5ca719360d..0b5228e2afd 100644
+--- a/gold/fileread.cc
+++ b/gold/fileread.cc
+@@ -212,6 +212,7 @@ File_read::open(const Task* task, const std::string& name)
+       gold_debug(DEBUG_FILES, "Attempt to open %s succeeded",
+                 this->name_.c_str());
+       this->token_.add_writer(task);
+      file_counts_initialize_lock.initialize();
+       Hold_optional_lock hl(file_counts_lock);
+       record_file_read(this->name_);
+     }
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
new file mode 100644
index 0000000000..3bc64776e5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
@@ -0,0 +1,85 @@
+From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 4 Sep 2020 19:19:18 +0930
+Subject: [PATCH] PR26574, heap buffer overflow in
+ _bfd_elf_slurp_secondary_reloc_section
+A horribly fuzzed object with section headers inside the ELF header.
+Disallow that, and crazy reloc sizes.
+        PR 26574
+        * elfcode.h (elf_object_p): Sanity check section header offset.
+        * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
+        sh_entsize.
+Upstream-Status: Backport
+CVE: CVE-2020-35448
+Reference to upstream patch:
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
+    h=8642dafaef21aa6747cec01df1977e9c52eb4679
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ bfd/elf.c     | 4 +++-
+ bfd/elfcode.h | 8 ++++----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+diff --git a/bfd/elf.c b/bfd/elf.c
+index fe375e7346..9f29166399 100644
+--- a/bfd/elf.c
+++ b/bfd/elf.c
+@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-         && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+         && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+         && (hdr->sh_entsize == ebd->s->sizeof_rel
+             || hdr->sh_entsize == ebd->s->sizeof_rela))
+        {
+          bfd_byte * native_relocs;
+          bfd_byte * native_reloc;
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f4a7829f27..54ef890637 100644
+--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+        }
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+ 
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/binutils/binutils_2.35.bb b/meta/recipes-devtools/binutils/binutils_2.35.1.bb
index 2e645e1ed8..2e645e1ed8 100644
--- a/meta/recipes-devtools/binutils/binutils_2.35.bb
+++ b/meta/recipes-devtools/binutils/binutils_2.35.1.bb
diff --git a/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch
new file mode 100644
index 0000000000..568ee4df19
--- /dev/null
+++ b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch
@@ -0,0 +1,62 @@
+From 2a3db4e3b8d33bad5577c2fcfe124ee7a202ef4f Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Mon, 15 Feb 2021 20:39:57 -0600
+Subject: [PATCH] Use mapped file name for symbols
+Applies the file name mapping before exporting it as a symbol. This
+allows the symbols to correctly respect the --file-prefix-map command
+line option.
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bison-patches/2021-02/msg00014.html]
+---
+ src/muscle-tab.c | 4 +++-
+ src/output.c     | 8 ++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/src/muscle-tab.c b/src/muscle-tab.c
+index b610d0b8..3e7657ca 100644
+--- a/src/muscle-tab.c
+++ b/src/muscle-tab.c
+@@ -204,8 +204,10 @@ static void
+ muscle_syncline_grow (char const *key, location loc)
+ {
+   obstack_printf (&muscle_obstack, "]b4_syncline(%d, ", loc.start.line);
+  char *f = map_file_name (loc.start.file);
+   obstack_quote (&muscle_obstack,
+-                 quotearg_style (c_quoting_style, loc.start.file));
+                 quotearg_style (c_quoting_style, f));
+  free (f);
+   obstack_sgrow (&muscle_obstack, ")dnl\n[");
+   char const *extension = obstack_finish0 (&muscle_obstack);
+   muscle_grow (key, extension, "", "");
+diff --git a/src/output.c b/src/output.c
+index 391d8e65..34dbc671 100644
+--- a/src/output.c
+++ b/src/output.c
+@@ -531,7 +531,9 @@ user_actions_output (FILE *out)
+           {
+             fprintf (out, "b4_syncline(%d, ",
+                      rules[r].action_loc.start.line);
+-            string_output (out, rules[r].action_loc.start.file);
+            char *f = map_file_name (rules[r].action_loc.start.file);
+            string_output (out, f);
+            free(f);
+             fprintf (out, ")dnl\n");
+           }
+         fprintf (out, "[%*s%s]],\n[[",
+@@ -629,8 +631,10 @@ prepare_symbol_definitions (void)
+ 
+           if (p->code)
+             {
+              char *f = map_file_name (p->location.start.file);
+               SET_KEY2 (pname, "file");
+-              MUSCLE_INSERT_C_STRING (key, p->location.start.file);
+              MUSCLE_INSERT_C_STRING (key, f);
+              free (f);
+ 
+               SET_KEY2 (pname, "line");
+               MUSCLE_INSERT_INT (key, p->location.start.line);
+-- 
+2.30.0
diff --git a/meta/recipes-devtools/bison/bison_3.7.2.bb b/meta/recipes-devtools/bison/bison_3.7.2.bb
index ace4ea5c3f..6fd9d288e0 100644
--- a/meta/recipes-devtools/bison/bison_3.7.2.bb
+++ b/meta/recipes-devtools/bison/bison_3.7.2.bb
@@ -11,6 +11,7 @@ DEPENDS = "bison-native flex-native"
 SRC_URI = "${GNU_MIRROR}/bison/bison-${PV}.tar.xz \
           file://add-with-bisonlocaledir.patch \
+           file://0001-Use-mapped-file-name-for-symbols.patch \
           "
 SRC_URI[sha256sum] = "7948d193104d979c0fb0294a1854c73c89d72ae41acfc081826142578a78a91b"
diff --git a/meta/recipes-devtools/diffstat/diffstat_1.63.bb b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
index 61b2ea5dc2..863f924b22 100644
--- a/meta/recipes-devtools/diffstat/diffstat_1.63.bb
+++ b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
@@ -5,7 +5,7 @@ reviewing large, complex patch files."
 HOMEPAGE = "http://invisible-island.net/diffstat/"
 SECTION = "devel"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://install-sh;endline=42;md5=b3549726c1022bee09c174c72a0ca4a5"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a3d0bb117493e804b0c1a868ddf23321"
 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
           file://run-ptest \
@@ -16,8 +16,6 @@ SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
 SRC_URI[md5sum] = "b9272ec8af6257103261ec3622692991"
 SRC_URI[sha256sum] = "7eddd53401b99b90bac3f7ebf23dd583d7d99c6106e67a4f1161b7a20110dc6f"
-S = "${WORKDIR}/diffstat-${PV}"
 inherit autotools gettext ptest
 EXTRA_AUTORECONF += "--exclude=aclocal"
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.6.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.6.bb
index 15054768dd..e6a4bd1f8c 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.6.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.6.bb
@@ -125,6 +125,8 @@ do_compile_ptest() {
 }
 do_install_ptest() {
+        # This file's permissions depends on the host umask so be deterministic
+        chmod 0644 ${B}/tests/test_data.tmp
        cp -R --no-dereference --preserve=mode,links -v ${B}/tests ${D}${PTEST_PATH}/test
        cp -R --no-dereference --preserve=mode,links -v ${S}/tests/* ${D}${PTEST_PATH}/test
        sed -e 's!../e2fsck/e2fsck!e2fsck!g' \
diff --git a/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
new file mode 100644
index 0000000000..c8202b6bd5
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
@@ -0,0 +1,32 @@
+From 440f3f55739468cd26e22f31871eca8cbbd53294 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 6 Jan 2021 06:12:14 -0800
+Subject: [PATCH] Emit no #line directives if gen_line_dirs is false
+If we set --noline we should not print line directives.
+But setting --noline means gen_line_dirs is false.
+Upstream-Status: Submitted
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ src/buf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/buf.c b/src/buf.c
+index 185083c..4439e28 100644
+--- a/src/buf.c
+++ b/src/buf.c
+@@ -95,8 +95,8 @@ struct Buf *buf_linedir (struct Buf *buf, const char* filename, int lineno)
+     const char *src;
+     size_t tsz;
+ 
+-    if (gen_line_dirs)
+-       return buf;
+    if (!gen_line_dirs)
+        return buf;
+ 
+     tsz = strlen("#line \"\"\n")                +   /* constant parts */
+                2 * strlen (filename)            +   /* filename with possibly all backslashes escaped */
+-- 
+2.26.2.Cisco
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 3d57572865..1d43d2228a 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.ta
           ${@bb.utils.contains('PTEST_ENABLED', '1', '', 'file://disable-tests.patch', d)} \
           file://0001-build-AC_USE_SYSTEM_EXTENSIONS-in-configure.ac.patch \
           file://check-funcs.patch \
+           file://0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch \
           "
 SRC_URI[md5sum] = "2882e3179748cc9f9c23ec593d6adc8d"
diff --git a/meta/recipes-devtools/gcc/gcc-10.2.inc b/meta/recipes-devtools/gcc/gcc-10.2.inc
index 7625af5110..82f180db77 100644
--- a/meta/recipes-devtools/gcc/gcc-10.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-10.2.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
           file://0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch \
           file://0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch \
           file://0001-aarch64-Fix-up-__aarch64_cas16_acq_rel-fallback.patch \
+           file://0001-libatomic-libgomp-libitc-Fix-bootstrap-PR70454.patch \
 "
 SRC_URI[sha256sum] = "b8dd4368bb9c7f0b98188317ee0254dd8cc99d1e3a18d0ff146c855fe16c1d8c"
diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers.inc b/meta/recipes-devtools/gcc/gcc-sanitizers.inc
index 668e14a59f..9e643ee277 100644
--- a/meta/recipes-devtools/gcc/gcc-sanitizers.inc
+++ b/meta/recipes-devtools/gcc/gcc-sanitizers.inc
@@ -35,6 +35,11 @@ do_compile () {
 do_install () {
    cd ${B}/${TARGET_SYS}/libsanitizer/
    oe_runmake 'DESTDIR=${D}' MULTIBUILDTOP=${B}/${TARGET_SYS}/libsanitizer/ install
+    if [ -d ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include ]; then
+        install -d ${D}${libdir}/${TARGET_SYS}/${BINV}/include
+        mv ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/* ${D}${libdir}/${TARGET_SYS}/${BINV}/include
+        rmdir --ignore-fail-on-non-empty -p ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include
+    fi
    if [ -d ${D}${infodir} ]; then
        rmdir --ignore-fail-on-non-empty -p ${D}${infodir}
    fi
@@ -109,4 +114,4 @@ FILES_libtsan-dev += "\
 "
 FILES_libtsan-staticdev += "${libdir}/libtsan.a"
-FILES_${PN} = "${libdir}/*.spec ${libdir}/gcc/${TARGET_SYS}/${BINV}/include/sanitizer/*.h"
+FILES_${PN} = "${libdir}/*.spec ${libdir}/${TARGET_SYS}/${BINV}/include/sanitizer/*.h"
diff --git a/meta/recipes-devtools/gcc/gcc/0001-libatomic-libgomp-libitc-Fix-bootstrap-PR70454.patch b/meta/recipes-devtools/gcc/gcc/0001-libatomic-libgomp-libitc-Fix-bootstrap-PR70454.patch
new file mode 100644
index 0000000000..addecb4bd8
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc/0001-libatomic-libgomp-libitc-Fix-bootstrap-PR70454.patch
@@ -0,0 +1,208 @@
+From 2824d2418605e092899117e77bc8ebf332321807 Mon Sep 17 00:00:00 2001
+From: Jakub Jelinek <jakub@redhat.com>
+Date: Fri, 15 Jan 2021 13:12:59 +0100
+Subject: [PATCH] libatomic, libgomp, libitc: Fix bootstrap [PR70454]
+The recent changes to error on mixing -march=i386 and -fcf-protection broke
+bootstrap.  This patch changes lib{atomic,gomp,itm} configury, so that it
+only adds -march=i486 to flags if really needed (i.e. when 486 or later isn't
+on by default already).  Similarly, it will not use ifuncs if -mcx16
+(or -march=i686 for 32-bit) is on by default.
+2021-01-15  Jakub Jelinek  <jakub@redhat.com>
+        PR target/70454
+libatomic/
+        * configure.tgt: For i?86 and x86_64 determine if -march=i486 needs to
+        be added through preprocessor check on
+        __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4.  Determine if try_ifunc is needed
+        based on preprocessor check on __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
+        or __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8.
+libgomp/
+        * configure.tgt: For i?86 and x86_64 determine if -march=i486 needs to
+        be added through preprocessor check on
+        __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4.
+libitm/
+        * configure.tgt: For i?86 and x86_64 determine if -march=i486 needs to
+        be added through preprocessor check on
+        __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4.
+Upstream-Status: Backport [master post 10.x release]
+---
+ libatomic/configure.tgt | 56 +++++++++++++++++++++++------------------
+ libgomp/configure.tgt   | 35 +++++++++++---------------
+ libitm/configure.tgt    | 37 +++++++++++++--------------
+ 3 files changed, 64 insertions(+), 64 deletions(-)
+diff --git a/libatomic/configure.tgt b/libatomic/configure.tgt
+index 5dd0926d20..6ea082a29b 100644
+--- a/libatomic/configure.tgt
+++ b/libatomic/configure.tgt
+@@ -81,32 +81,40 @@ case "${target_cpu}" in
+        ARCH=sparc
+        ;;
+ 
+-  i[3456]86)
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m64 "*|*" -mx32 "*)
+-           ;;
+-         *)
+-           if test -z "$with_arch"; then
+-             XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+-             XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+-           fi
+-       esac
+-       ARCH=x86
+-       # ??? Detect when -march=i686 is already enabled.
+-       try_ifunc=yes
+-       ;;
+-  x86_64)
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m32 "*)
+  i[3456]86 | x86_64)
+       cat > conftestx.c <<EOF
+#ifndef __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
+#error need -march=i486
+#endif
+EOF
+       if ${CC} ${CFLAGS} -E conftestx.c > /dev/null 2>&1; then
+         :
+       else
+         if test "${target_cpu}" = x86_64; then
+            XCFLAGS="${XCFLAGS} -march=i486 -mtune=generic"
+-           XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+-           ;;
+-         *)
+-           ;;
+-       esac
+         else
+           XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+         fi
+         XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+       fi
+       cat > conftestx.c <<EOF
+#ifdef __x86_64__
+#ifndef __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
+#error need -mcx16
+#endif
+#else
+#ifndef __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
+#error need -march=i686
+#endif
+#endif
+EOF
+       if ${CC} ${CFLAGS} -E conftestx.c > /dev/null 2>&1; then
+         try_ifunc=no
+       else
+         try_ifunc=yes
+       fi
+       rm -f conftestx.c
+        ARCH=x86
+-       # ??? Detect when -mcx16 is already enabled.
+-       try_ifunc=yes
+        ;;
+ 
+   *)                   ARCH="${target_cpu}" ;;
+diff --git a/libgomp/configure.tgt b/libgomp/configure.tgt
+index 4790a31e39..761ef2a7db 100644
+--- a/libgomp/configure.tgt
+++ b/libgomp/configure.tgt
+@@ -70,28 +70,23 @@ if test x$enable_linux_futex = xyes; then
+        ;;
+ 
+     # Note that bare i386 is not included here.  We need cmpxchg.
+-    i[456]86-*-linux*)
+    i[456]86-*-linux* | x86_64-*-linux*)
+        config_path="linux/x86 linux posix"
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m64 "*|*" -mx32 "*)
+-           ;;
+-         *)
+-           if test -z "$with_arch"; then
+-             XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+-           fi
+-       esac
+-       ;;
+-
+-    # Similar jiggery-pokery for x86_64 multilibs, except here we
+-    # can't rely on the --with-arch configure option, since that
+-    # applies to the 64-bit side.
+-    x86_64-*-linux*)
+-       config_path="linux/x86 linux posix"
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m32 "*)
+       cat > conftestx.c <<EOF
+#ifndef __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
+#error need -march=i486
+#endif
+EOF
+       if ${CC} ${CFLAGS} -E conftestx.c > /dev/null 2>&1; then
+         :
+       else
+         if test "${target_cpu}" = x86_64; then
+            XCFLAGS="${XCFLAGS} -march=i486 -mtune=generic"
+-           ;;
+-       esac
+         else
+           XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+         fi
+       fi
+       rm -f conftestx.c
+        ;;
+ 
+     # Note that sparcv7 and sparcv8 is not included here.  We need cas.
+diff --git a/libitm/configure.tgt b/libitm/configure.tgt
+index 04109160e9..ca62bac627 100644
+--- a/libitm/configure.tgt
+++ b/libitm/configure.tgt
+@@ -58,16 +58,23 @@ case "${target_cpu}" in
+ 
+   arm*)                ARCH=arm ;;
+ 
+-  i[3456]86)
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m64 "*|*" -mx32 "*)
+-           ;;
+-         *)
+-           if test -z "$with_arch"; then
+-             XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+-             XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+-           fi
+-       esac
+  i[3456]86 | x86_64)
+       cat > conftestx.c <<EOF
+#ifndef __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
+#error need -march=i486
+#endif
+EOF
+       if ${CC} ${CFLAGS} -E conftestx.c > /dev/null 2>&1; then
+         :
+       else
+         if test "${target_cpu}" = x86_64; then
+           XCFLAGS="${XCFLAGS} -march=i486 -mtune=generic"
+         else
+           XCFLAGS="${XCFLAGS} -march=i486 -mtune=${target_cpu}"
+         fi
+         XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+       fi
+       rm -f conftestx.c
+        XCFLAGS="${XCFLAGS} -mrtm"
+        ARCH=x86
+        ;;
+@@ -102,16 +109,6 @@ case "${target_cpu}" in
+        ARCH=sparc
+        ;;
+ 
+-  x86_64)
+-       case " ${CC} ${CFLAGS} " in
+-         *" -m32 "*)
+-           XCFLAGS="${XCFLAGS} -march=i486 -mtune=generic"
+-           XCFLAGS="${XCFLAGS} -fomit-frame-pointer"
+-           ;;
+-       esac
+-       XCFLAGS="${XCFLAGS} -mrtm"
+-       ARCH=x86
+-       ;;
+   s390|s390x)
+        XCFLAGS="${XCFLAGS} -mzarch -mhtm"
+        ARCH=s390
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 544e23c844..3e78254eec 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,10 @@ DEPENDS = "openssl curl zlib expat"
 PROVIDES_append_class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
-           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+           file://fixsort.patch \
+           file://CVE-2021-21300.patch \
+"
 S = "${WORKDIR}/git-${PV}"
diff --git a/meta/recipes-devtools/git/git/CVE-2021-21300.patch b/meta/recipes-devtools/git/git/CVE-2021-21300.patch
new file mode 100644
index 0000000000..390570fe78
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2021-21300.patch
@@ -0,0 +1,304 @@
+From ba07d31bd2140190c4d8c197c9b8a503544b4c29 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowrgom@gmail.com>
+Date: Sat, 27 Mar 2021 14:05:56 +0900
+Subject: [PATCH] checkout: fix bug that makes checkout follow symlinks in
+ leading path
+Before checking out a file, we have to confirm that all of its leading
+components are real existing directories. And to reduce the number of
+lstat() calls in this process, we cache the last leading path known to
+contain only directories. However, when a path collision occurs (e.g.
+when checking out case-sensitive files in case-insensitive file
+systems), a cached path might have its file type changed on disk,
+leaving the cache on an invalid state. Normally, this doesn't bring
+any bad consequences as we usually check out files in index order, and
+therefore, by the time the cached path becomes outdated, we no longer
+need it anyway (because all files in that directory would have already
+been written).
+But, there are some users of the checkout machinery that do not always
+follow the index order. In particular: checkout-index writes the paths
+in the same order that they appear on the CLI (or stdin); and the
+delayed checkout feature -- used when a long-running filter process
+replies with "status=delayed" -- postpones the checkout of some entries,
+thus modifying the checkout order.
+When we have to check out an out-of-order entry and the lstat() cache is
+invalid (due to a previous path collision), checkout_entry() may end up
+using the invalid data and thrusting that the leading components are
+real directories when, in reality, they are not. In the best case
+scenario, where the directory was replaced by a regular file, the user
+will get an error: "fatal: unable to create file 'foo/bar': Not a
+directory". But if the directory was replaced by a symlink, checkout
+could actually end up following the symlink and writing the file at a
+wrong place, even outside the repository. Since delayed checkout is
+affected by this bug, it could be used by an attacker to write
+arbitrary files during the clone of a maliciously crafted repository.
+Some candidate solutions considered were to disable the lstat() cache
+during unordered checkouts or sort the entries before passing them to
+the checkout machinery. But both ideas include some performance penalty
+and they don't future-proof the code against new unordered use cases.
+Instead, we now manually reset the lstat cache whenever we successfully
+remove a directory. Note: We are not even checking whether the directory
+was the same as the lstat cache points to because we might face a
+scenario where the paths refer to the same location but differ due to
+case folding, precomposed UTF-8 issues, or the presence of `..`
+components in the path. Two regression tests, with case-collisions and
+utf8-collisions, are also added for both checkout-index and delayed
+checkout.
+Note: to make the previously mentioned clone attack unfeasible, it would
+be sufficient to reset the lstat cache only after the remove_subtree()
+call inside checkout_entry(). This is the place where we would remove a
+directory whose path collides with the path of another entry that we are
+currently trying to check out (possibly a symlink). However, in the
+interest of a thorough fix that does not leave Git open to
+similar-but-not-identical attack vectors, we decided to intercept
+all `rmdir()` calls in one fell swoop.
+This addresses CVE-2021-21300.
+Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br>
+Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592]
+CVE: CVE-2021-21300
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ cache.h                         |  1 +
+ compat/mingw.c                  |  2 ++
+ git-compat-util.h               |  5 +++++
+ symlinks.c                      | 24 ++++++++++++++++++++
+ t/t0021-conversion.sh           | 39 ++++++++++++++++++++++++++++++++
+ t/t0021/rot13-filter.pl         | 21 ++++++++++++++---
+ t/t2006-checkout-index-basic.sh | 40 +++++++++++++++++++++++++++++++++
+ 7 files changed, 129 insertions(+), 3 deletions(-)
+diff --git a/cache.h b/cache.h
+index 6544264..64226c3 100644
+--- a/cache.h
+++ b/cache.h
+@@ -1733,6 +1733,7 @@ int has_symlink_leading_path(const char *name, int len);
+ int threaded_has_symlink_leading_path(struct cache_def *, const char *, int);
+ int check_leading_path(const char *name, int len);
+ int has_dirs_only_path(const char *name, int len, int prefix_len);
+extern void invalidate_lstat_cache(void);
+ void schedule_dir_for_removal(const char *name, int len);
+ void remove_scheduled_dirs(void);
+ 
+diff --git a/compat/mingw.c b/compat/mingw.c
+index 8ee0b64..be2b88e 100644
+--- a/compat/mingw.c
+++ b/compat/mingw.c
+@@ -364,6 +364,8 @@ int mingw_rmdir(const char *pathname)
+               ask_yes_no_if_possible("Deletion of directory '%s' failed. "
+                        "Should I try again?", pathname))
+               ret = _wrmdir(wpathname);
+       if (!ret)
+               invalidate_lstat_cache();
+        return ret;
+ }
+ 
+diff --git a/git-compat-util.h b/git-compat-util.h
+index 5637114..d983853 100644
+--- a/git-compat-util.h
+++ b/git-compat-util.h
+@@ -345,6 +345,11 @@ static inline int noop_core_config(const char *var, const char *value, void *cb)
+ #define platform_core_config noop_core_config
+ #endif
+ 
+int lstat_cache_aware_rmdir(const char *path);
+#if !defined(__MINGW32__) && !defined(_MSC_VER)
+#define rmdir lstat_cache_aware_rmdir
+#endif
+
+ #ifndef has_dos_drive_prefix
+ static inline int git_has_dos_drive_prefix(const char *path)
+ {
+diff --git a/symlinks.c b/symlinks.c
+index 69d458a..7dbb6b2 100644
+--- a/symlinks.c
+++ b/symlinks.c
+@@ -267,6 +267,13 @@ int has_dirs_only_path(const char *name, int len, int prefix_len)
+  */
+ static int threaded_has_dirs_only_path(struct cache_def *cache, const char *name, int len, int prefix_len)
+ {
+       /*
+        * Note: this function is used by the checkout machinery, which also
+        * takes care to properly reset the cache when it performs an operation
+        * that would leave the cache outdated. If this function starts caching
+        * anything else besides FL_DIR, remember to also invalidate the cache
+        * when creating or deleting paths that might be in the cache.
+        */
+        return lstat_cache(cache, name, len,
+                           FL_DIR|FL_FULLPATH, prefix_len) &
+                FL_DIR;
+@@ -321,3 +328,20 @@ void remove_scheduled_dirs(void)
+ {
+        do_remove_scheduled_dirs(0);
+ }
+
+void invalidate_lstat_cache(void)
+{
+       reset_lstat_cache(&default_cache);
+}
+
+#undef rmdir
+int lstat_cache_aware_rmdir(const char *path)
+{
+       /* Any change in this function must be made also in `mingw_rmdir()` */
+       int ret = rmdir(path);
+
+       if (!ret)
+               invalidate_lstat_cache();
+
+       return ret;
+}
+diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh
+index 4bfffa9..c42f51e 100755
+--- a/t/t0021-conversion.sh
+++ b/t/t0021-conversion.sh
+@@ -957,4 +957,43 @@ test_expect_success PERL 'invalid file in delayed checkout' '
+        grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log
+ '
+ 
+for mode in 'case' 'utf-8'
+do
+       case "$mode" in
+       case)   dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;;
+       utf-8)
+               dir=$(printf "\141\314\210") symlink=$(printf "\303\244")
+               mode_prereq='UTF8_NFD_TO_NFC' ;;
+       esac
+
+       test_expect_success PERL,SYMLINKS,$mode_prereq \
+       "delayed checkout with $mode-collision don't write to the wrong place" '
+               test_config_global filter.delay.process \
+                       "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" &&
+               test_config_global filter.delay.required true &&
+               git init $mode-collision &&
+               (
+                       cd $mode-collision &&
+                       mkdir target-dir &&
+                       empty_oid=$(printf "" | git hash-object -w --stdin) &&
+                       symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) &&
+                       attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) &&
+                       cat >objs <<-EOF &&
+                       100644 blob $empty_oid  $dir/x
+                       100644 blob $empty_oid  $dir/y
+                       100644 blob $empty_oid  $dir/z
+                       120000 blob $symlink_oid        $symlink
+                       100644 blob $attr_oid   .gitattributes
+                       EOF
+                       git update-index --index-info <objs &&
+                       git commit -m "test commit"
+               ) &&
+               git clone $mode-collision $mode-collision-cloned &&
+               # Make sure z was really delayed
+               grep "IN: smudge $dir/z .* \\[DELAYED\\]" $mode-collision-cloned/delayed.log &&
+               # Should not create $dir/z at $symlink/z
+               test_path_is_missing $mode-collision/target-dir/z
+       '
+done
+
+ test_done
+diff --git a/t/t0021/rot13-filter.pl b/t/t0021/rot13-filter.pl
+index cd32a82..7bb9376 100644
+--- a/t/t0021/rot13-filter.pl
+++ b/t/t0021/rot13-filter.pl
+@@ -2,9 +2,15 @@
+ # Example implementation for the Git filter protocol version 2
+ # See Documentation/gitattributes.txt, section "Filter Protocol"
+ #
+-# The first argument defines a debug log file that the script write to.
+-# All remaining arguments define a list of supported protocol
+-# capabilities ("clean", "smudge", etc).
+# Usage: rot13-filter.pl [--always-delay] <log path> <capabilities>
+#
+# Log path defines a debug log file that the script writes to. The
+# subsequent arguments define a list of supported protocol capabilities
+# ("clean", "smudge", etc).
+#
+# When --always-delay is given all pathnames with the "can-delay" flag
+# that don't appear on the list bellow are delayed with a count of 1
+# (see more below).
+ #
+ # This implementation supports special test cases:
+ # (1) If data with the pathname "clean-write-fail.r" is processed with
+@@ -53,6 +59,13 @@ sub gitperllib {
+ use Git::Packet;
+ 
+ my $MAX_PACKET_CONTENT_SIZE = 65516;
+
+my $always_delay = 0;
+if ( $ARGV[0] eq '--always-delay' ) {
+       $always_delay = 1;
+       shift @ARGV;
+}
+
+ my $log_file                = shift @ARGV;
+ my @capabilities            = @ARGV;
+ 
+@@ -134,6 +147,8 @@ sub rot13 {
+                        if ( $buffer eq "can-delay=1" ) {
+                                if ( exists $DELAY{$pathname} and $DELAY{$pathname}{"requested"} == 0 ) {
+                                        $DELAY{$pathname}{"requested"} = 1;
+                               } elsif ( !exists $DELAY{$pathname} and $always_delay ) {
+                                       $DELAY{$pathname} = { "requested" => 1, "count" => 1 };
+                                }
+                        } elsif ($buffer =~ /^(ref|treeish|blob)=/) {
+                                print $debug " $buffer";
+diff --git a/t/t2006-checkout-index-basic.sh b/t/t2006-checkout-index-basic.sh
+index 57cbdfe..f223a02 100755
+--- a/t/t2006-checkout-index-basic.sh
+++ b/t/t2006-checkout-index-basic.sh
+@@ -21,4 +21,44 @@ test_expect_success 'checkout-index -h in broken repository' '
+        test_i18ngrep "[Uu]sage" broken/usage
+ '
+ 
+for mode in 'case' 'utf-8'
+do
+       case "$mode" in
+       case)   dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;;
+       utf-8)
+               dir=$(printf "\141\314\210") symlink=$(printf "\303\244")
+               mode_prereq='UTF8_NFD_TO_NFC' ;;
+       esac
+
+       test_expect_success SYMLINKS,$mode_prereq \
+       "checkout-index with $mode-collision don't write to the wrong place" '
+               git init $mode-collision &&
+               (
+                       cd $mode-collision &&
+                       mkdir target-dir &&
+                       empty_obj_hex=$(git hash-object -w --stdin </dev/null) &&
+                       symlink_hex=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) &&
+                       cat >objs <<-EOF &&
+                       100644 blob ${empty_obj_hex}    ${dir}/x
+                       100644 blob ${empty_obj_hex}    ${dir}/y
+                       100644 blob ${empty_obj_hex}    ${dir}/z
+                       120000 blob ${symlink_hex}      ${symlink}
+                       EOF
+                       git update-index --index-info <objs &&
+                       # Note: the order is important here to exercise the
+                       # case where the file at ${dir} has its type changed by
+                       # the time Git tries to check out ${dir}/z.
+                       #
+                       # Also, we use core.precomposeUnicode=false because we
+                       # want Git to treat the UTF-8 paths transparently on
+                       # Mac OS, matching what is in the index.
+                       #
+                       git -c core.precomposeUnicode=false checkout-index -f \
+                               ${dir}/x ${dir}/y ${symlink} ${dir}/z &&
+                       # Should not create ${dir}/z at ${symlink}/z
+                       test_path_is_missing target-dir/z
+               )
+       '
+done
+
+ test_done
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/git/git/fixsort.patch b/meta/recipes-devtools/git/git/fixsort.patch
new file mode 100644
index 0000000000..07a487e8ca
--- /dev/null
+++ b/meta/recipes-devtools/git/git/fixsort.patch
@@ -0,0 +1,31 @@
+[PATCH] generate-configlist.sh: Fix determinism issue
+Currently git binaries are not entirely reproducible, at least partly 
+due to config-list.h differing in order depending on the system's
+locale settings. Under different locales, the entries:
+"sendemail.identity",
+"sendemail.<identity>.*",
+would differ in order for example and this leads to differences in 
+the debug symbols for the binaries.
+This can be fixed by specifying the C locale for the sort in the
+shell script generating the header.
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Submitted [https://public-inbox.org/git/f029a942dd3d50d85e60bd37d8e454524987842f.camel@linuxfoundation.org/T/#u]
+Index: git-2.30.0/generate-configlist.sh
+===================================================================
+--- git-2.30.0.orig/generate-configlist.sh
+++ git-2.30.0/generate-configlist.sh
+@@ -9,7 +9,7 @@ static const char *config_name_list[] =
+ EOF
+        grep -h '^[a-zA-Z].*\..*::$' Documentation/*config.txt Documentation/config/*.txt |
+        sed '/deprecated/d; s/::$//; s/,  */\n/g' |
+-       sort |
+       LC_ALL=C sort |
+        sed 's/^.*$/    "&",/'
+        cat <<EOF
+        NULL,
diff --git a/meta/recipes-devtools/go/go-1.15.inc b/meta/recipes-devtools/go/go-1.15.inc
index 97d748b922..7c8190f68c 100644
--- a/meta/recipes-devtools/go/go-1.15.inc
+++ b/meta/recipes-devtools/go/go-1.15.inc
@@ -1,8 +1,7 @@
 require go-common.inc
 GO_BASEVERSION = "1.15"
-GO_MINOR = ".2"
+PV = "1.15.8"
-PV .= "${GO_MINOR}"
 FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -17,4 +16,4 @@ SRC_URI += "\
    file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
    file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
 "
-SRC_URI[main.sha256sum] = "28bf9d0bcde251011caae230a4a05d917b172ea203f2a62f2c2f9533589d4b4d"
+SRC_URI[main.sha256sum] = "540c0ab7781084d124991321ed1458e479982de94454a98afab6acadf38497c2"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.15.2.bb b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb
index ccd2d5ebad..df697e2781 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.15.2.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
 PROVIDES = "go-native"
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "b49fda1ca29a1946d6bb2a5a6982cf07ccd2aba849289508ee0f9918f6bb4552"
+SRC_URI[go_linux_amd64.sha256sum] = "d3379c32a90fdf9382166f8f48034c459a8cc433730bc9476d39d9082c94583b"
-SRC_URI[go_linux_arm64.sha256sum] = "c8ec460cc82d61604b048f9439c06bd591722efce5cd48f49e19b5f6226bd36d"
+SRC_URI[go_linux_arm64.sha256sum] = "0e31ea4bf53496b0f0809730520dee98c0ae5c530f3701a19df0ba0a327bf3d2"
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-runtime_1.15.bb b/meta/recipes-devtools/go/go-runtime_1.15.bb
index 4eeee65e0c..d6ddb31ed4 100644
--- a/meta/recipes-devtools/go/go-runtime_1.15.bb
+++ b/meta/recipes-devtools/go/go-runtime_1.15.bb
@@ -1,3 +1,4 @@
 export CGO_ENABLED_riscv64 = ""
 require go-${PV}.inc
 require go-runtime.inc
diff --git a/meta/recipes-devtools/go/go_1.15.bb b/meta/recipes-devtools/go/go_1.15.bb
index 4bf9dd50b2..d4812c0f0a 100644
--- a/meta/recipes-devtools/go/go_1.15.bb
+++ b/meta/recipes-devtools/go/go_1.15.bb
@@ -6,6 +6,8 @@ inherit linuxloader
 export GOBUILDMODE=""
 export CGO_ENABLED_riscv64 = ""
 export GO_LDSO = "${@get_linuxloader(d)}"
+export CC_FOR_TARGET = "gcc"
+export CXX_FOR_TARGET = "g++"
 # mips/rv64 doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its
 # variants.
@@ -13,3 +15,4 @@ python() {
    if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True):
        d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel")
 }
diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 8e17b56d46..19a03d4733 100644
--- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \
           file://unwind-opt-parsing.patch \
           file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
           file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
+           file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
          "
 SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
new file mode 100644
index 0000000000..2e9908725e
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
@@ -0,0 +1,35 @@
+From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 24 Mar 2021 03:04:13 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf
+autoheader will update ../libtool-2.4.6/libltdl/config-h.in which
+autoconf needs, so there comes a race sometimes as below:
+ | configure.ac:45: error: required file 'config-h.in' not found
+ | touch '../libtool-2.4.6/libltdl/config-h.in'
+So make sure autoheader run before autoconf to avoid this race.
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Makefile.am b/Makefile.am
+index 4142c90..fe1a9fc 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps)
+ $(lt_aclocal_m4): $(lt_aclocal_m4_deps)
+        $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4
+ 
+-$(lt_configure): $(lt_configure_deps)
+$(lt_configure): $(lt_configure_deps) $(lt_config_h_in)
+        $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF)
+ 
+ $(lt_config_h_in): $(lt_configure_deps)
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb
index 4c2d490315..b146d0e6e3 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -99,6 +99,11 @@ do_configure_prepend() {
        sed -ri "s#lib/${LLVM_DIR}#${baselib}/${LLVM_DIR}#g" ${S}/tools/llvm-config/llvm-config.cpp
 }
+# patch out build host paths for reproducibility
+do_compile_prepend_class-target() {
+        sed -i -e "s,${WORKDIR},,g" ${B}/tools/llvm-config/BuildVariables.inc
+}
 do_compile() {
        ninja -v ${PARALLEL_MAKE}
 }
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index 8d6bbfca3f..ff42219513 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -42,11 +42,9 @@ ALTERNATIVE_PRIORITY = "100"
 ALTERNATIVE_${PN} = "flashcp flash_eraseall flash_lock flash_unlock nanddump nandwrite"
 ALTERNATIVE_${PN}-ubifs = "ubiattach ubidetach ubimkvol ubirename ubirmvol ubirsvol ubiupdatevol"
-ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall"
 ALTERNATIVE_LINK_NAME[nandwrite] = "${sbindir}/nandwrite"
 ALTERNATIVE_LINK_NAME[nanddump] = "${sbindir}/nanddump"
 ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
-ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
 ALTERNATIVE_LINK_NAME[ubidetach] = "${sbindir}/ubidetach"
 ALTERNATIVE_LINK_NAME[ubimkvol] = "${sbindir}/ubimkvol"
 ALTERNATIVE_LINK_NAME[ubirename] = "${sbindir}/ubirename"
diff --git a/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
new file mode 100644
index 0000000000..4578fa33be
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
@@ -0,0 +1,24 @@
+Having CLEAN_DATE come from the current date doesn't allow for build
+reproducibility. Add the option of using SOURCE_DATE_EPOCH if set
+which for OE, it will be.
+Upstream-Status: Pending
+RP 2021/2/2
+Index: opkg-0.4.4/configure.ac
+===================================================================
+--- opkg-0.4.4.orig/configure.ac
+++ opkg-0.4.4/configure.ac
+@@ -281,7 +281,11 @@ AC_FUNC_UTIME_NULL
+ AC_FUNC_VPRINTF
+ AC_CHECK_FUNCS([memmove memset mkdir regcomp strchr strcspn strdup strerror strndup strrchr strstr strtol strtoul sysinfo utime])
+ 
+-CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
+if ! test -z "$SOURCE_DATE_EPOCH" ; then
+    CLEAN_DATE=`LC_ALL=C date -d @$SOURCE_DATE_EPOCH +"%B %Y" | tr -d '\n'`
+else
+    CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
+fi
+ 
+ AC_SUBST([CLEAN_DATE])
+ 
diff --git a/meta/recipes-devtools/opkg/opkg_0.4.3.bb b/meta/recipes-devtools/opkg/opkg_0.4.3.bb
index 46b7aa2523..ea01d473fc 100644
--- a/meta/recipes-devtools/opkg/opkg_0.4.3.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.3.bb
@@ -14,6 +14,7 @@ PE = "1"
 SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \
           file://opkg.conf \
           file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+           file://sourcedateepoch.patch \
           file://run-ptest \
 "
diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch b/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch
new file mode 100644
index 0000000000..03988a179c
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch
@@ -0,0 +1,31 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+CVE: CVE-2019-20633
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
+++ b/src/pch.c
+@@ -1328,6 +1328,7 @@ another_hunk (enum diff difftype, bool rev)
+                  ptrn_prefix_context = context;
+                ptrn_suffix_context = context;
+                if (repl_beginning
+                   || p_end <= 0
+                    || (p_end
+                        != p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+                  {
+-- 
+cgit v1.2.1
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index b5897b357a..1997af0c25 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
            file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
            file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
+            file://CVE-2019-20633.patch \
 "
 SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
diff --git a/meta/recipes-devtools/perl/perl_5.32.0.bb b/meta/recipes-devtools/perl/perl_5.32.0.bb
index bba8263b90..3815dd44b1 100644
--- a/meta/recipes-devtools/perl/perl_5.32.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.32.0.bb
@@ -137,8 +137,9 @@ do_install() {
    install lib/ExtUtils/typemap ${D}${libdir}/perl5/${PV}/ExtUtils/
    # Fix up shared library
-    rm ${D}/${libdir}/perl5/${PV}/*/CORE/libperl.so
+    dir=$(echo ${D}/${libdir}/perl5/${PV}/*/CORE)
-    ln -sf ../../../../libperl.so.${PERL_LIB_VER} $(echo ${D}/${libdir}/perl5/${PV}/*/CORE)/libperl.so
+    rm $dir/libperl.so
+    ln -sf ../../../../libperl.so.${PERL_LIB_VER} $dir/libperl.so
    # Try to catch Bug #13946
    if [ -e ${D}/${libdir}/perl5/${PV}/Storable.pm ]; then
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 2e13fec540..4eab133128 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
           file://fallback-group \
           "
-SRCREV = "cca0d7f15b7197095cd587420d31b187620c3093"
+SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
diff --git a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
index 89538d2f27..9d0666a5c1 100644
--- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
@@ -7,6 +7,8 @@ SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c65
 PYPI_PACKAGE = "Jinja2"
+CVE_PRODUCT = "jinja2 jinja"
 CLEANBROKEN = "1"
 inherit pypi setuptools3
diff --git a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
index 34c8543bce..1734610d12 100644
--- a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
+++ b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
@@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "2c143183280feb67f5beb4e543fd49990c28e7df427301ede04fc550d3
 S = "${WORKDIR}/pycairo-${PV}"
-inherit meson pkgconfig
+inherit meson pkgconfig python3targetconfig
 CFLAGS += "-fPIC"
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-23336.patch b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
new file mode 100644
index 0000000000..27893f69fb
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
@@ -0,0 +1,548 @@
+From e3110c3cfbb7daa690d54d0eff6c264c870a71bf Mon Sep 17 00:00:00 2001
+From: Senthil Kumaran <senthil@uthcode.com>
+Date: Mon, 15 Feb 2021 10:15:02 -0800
+Subject: [PATCH] [3.8] bpo-42967: only use '&' as a query string separator
+ (GH-24297)  (#24529)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+* bpo-42967: only use '&' as a query string separator (#24297)
+bpo-42967: [security] Address a web cache-poisoning issue reported in
+urllib.parse.parse_qsl().
+urllib.parse will only us "&" as query string separator by default
+instead of both ";" and "&" as allowed in earlier versions. An optional
+argument seperator with default value "&" is added to specify the
+separator.
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
+bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
+urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>.
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+* Update correct version information.
+* fix docs and make logic clearer
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
+Upstream-Status: Backport [https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf]
+CVE: CVE-2020-23336
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ Doc/library/cgi.rst                           | 11 ++-
+ Doc/library/urllib.parse.rst                  | 22 +++++-
+ Doc/whatsnew/3.6.rst                          | 13 ++++
+ Doc/whatsnew/3.7.rst                          | 13 ++++
+ Doc/whatsnew/3.8.rst                          | 13 ++++
+ Lib/cgi.py                                    | 23 ++++---
+ Lib/test/test_cgi.py                          | 29 ++++++--
+ Lib/test/test_urlparse.py                     | 68 +++++++++++++------
+ Lib/urllib/parse.py                           | 19 ++++--
+ .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst  |  1 +
+ 10 files changed, 166 insertions(+), 46 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
+index 4048592e7361f..880074bed6026 100644
+--- a/Doc/library/cgi.rst
+++ b/Doc/library/cgi.rst
+@@ -277,14 +277,16 @@ These are useful if you want more control, or if you want to employ some of the
+ algorithms implemented in this module in other circumstances.
+ 
+ 
+-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False)
+.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&")
+ 
+    Parse a query in the environment or from a file (the file defaults to
+-   ``sys.stdin``).  The *keep_blank_values* and *strict_parsing* parameters are
+   ``sys.stdin``).  The *keep_blank_values*, *strict_parsing* and *separator* parameters are
+    passed to :func:`urllib.parse.parse_qs` unchanged.
+ 
+   .. versionchanged:: 3.8.8
+      Added the *separator* parameter.
+ 
+-.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace")
+.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&")
+ 
+    Parse input of type :mimetype:`multipart/form-data` (for  file uploads).
+    Arguments are *fp* for the input file, *pdict* for a dictionary containing
+@@ -303,6 +305,9 @@ algorithms implemented in this module in other circumstances.
+       Added the *encoding* and *errors* parameters.  For non-file fields, the
+       value is now a list of strings, not bytes.
+ 
+   .. versionchanged:: 3.8.8
+      Added the *separator* parameter.
+
+ 
+ .. function:: parse_header(string)
+ 
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 25e5cc1a6ce0b..fcad7076e6c77 100644
+--- a/Doc/library/urllib.parse.rst
+++ b/Doc/library/urllib.parse.rst
+@@ -165,7 +165,7 @@ or on combining URL components into a URL string.
+       now raise :exc:`ValueError`.
+ 
+ 
+-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+ 
+    Parse a query string given as a string argument (data of type
+    :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a
+@@ -190,6 +190,9 @@ or on combining URL components into a URL string.
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
+   The optional argument *separator* is the symbol to use for separating the
+   query arguments. It defaults to ``&``.
+
+    Use the :func:`urllib.parse.urlencode` function (with the ``doseq``
+    parameter set to ``True``) to convert such dictionaries into query
+    strings.
+@@ -201,8 +204,14 @@ or on combining URL components into a URL string.
+    .. versionchanged:: 3.8
+       Added *max_num_fields* parameter.
+ 
+   .. versionchanged:: 3.8.8
+      Added *separator* parameter with the default value of ``&``. Python
+      versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
+      query parameter separator. This has been changed to allow only a single
+      separator key, with ``&`` as the default separator.
+
+ 
+-.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+ 
+    Parse a query string given as a string argument (data of type
+    :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a list of
+@@ -226,6 +235,9 @@ or on combining URL components into a URL string.
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
+   The optional argument *separator* is the symbol to use for separating the
+   query arguments. It defaults to ``&``.
+
+    Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into
+    query strings.
+ 
+@@ -235,6 +247,12 @@ or on combining URL components into a URL string.
+    .. versionchanged:: 3.8
+       Added *max_num_fields* parameter.
+ 
+   .. versionchanged:: 3.8.8
+      Added *separator* parameter with the default value of ``&``. Python
+      versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
+      query parameter separator. This has been changed to allow only a single
+      separator key, with ``&`` as the default separator.
+
+ 
+ .. function:: urlunparse(parts)
+ 
+diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
+index 85a6657fdfbda..03a877a3d9178 100644
+--- a/Doc/whatsnew/3.6.rst
+++ b/Doc/whatsnew/3.6.rst
+@@ -2443,3 +2443,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
+
+Notable changes in Python 3.6.13
+================================
+
+Earlier Python versions allowed using both ``;`` and ``&`` as
+query parameter separators in :func:`urllib.parse.parse_qs` and
+:func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
+newer W3C recommendations, this has been changed to allow only a single
+separator key, with ``&`` as the default.  This change also affects
+:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+functions internally. For more details, please see their respective
+documentation.
+(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
+index 4933cba3990b1..824dc13e0c6fd 100644
+--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
+@@ -2556,3 +2556,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
+
+Notable changes in Python 3.7.10
+================================
+
+Earlier Python versions allowed using both ``;`` and ``&`` as
+query parameter separators in :func:`urllib.parse.parse_qs` and
+:func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
+newer W3C recommendations, this has been changed to allow only a single
+separator key, with ``&`` as the default.  This change also affects
+:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+functions internally. For more details, please see their respective
+documentation.
+(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
+index 1a192800b2f02..632ccc1f2c40a 100644
+--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
+@@ -2251,3 +2251,16 @@ The constant values of future flags in the :mod:`__future__` module
+ are updated in order to prevent collision with compiler flags. Previously
+ ``PyCF_ALLOW_TOP_LEVEL_AWAIT`` was clashing with ``CO_FUTURE_DIVISION``.
+ (Contributed by Batuhan Taskaya in :issue:`39562`)
+
+Notable changes in Python 3.8.8
+===============================
+
+Earlier Python versions allowed using both ``;`` and ``&`` as
+query parameter separators in :func:`urllib.parse.parse_qs` and
+:func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
+newer W3C recommendations, this has been changed to allow only a single
+separator key, with ``&`` as the default.  This change also affects
+:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+functions internally. For more details, please see their respective
+documentation.
+(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Lib/cgi.py b/Lib/cgi.py
+index 77ab703cc0360..1e880e51848af 100755
+--- a/Lib/cgi.py
+++ b/Lib/cgi.py
+@@ -115,7 +115,8 @@ def closelog():
+ # 0 ==> unlimited input
+ maxlen = 0
+ 
+-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+def parse(fp=None, environ=os.environ, keep_blank_values=0,
+          strict_parsing=0, separator='&'):
+     """Parse a query in the environment or from a file (default stdin)
+ 
+         Arguments, all optional:
+@@ -134,6 +135,9 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+         strict_parsing: flag indicating what to do with parsing errors.
+             If false (the default), errors are silently ignored.
+             If true, errors raise a ValueError exception.
+
+        separator: str. The symbol to use for separating the query arguments.
+            Defaults to &.
+     """
+     if fp is None:
+         fp = sys.stdin
+@@ -154,7 +158,7 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+     if environ['REQUEST_METHOD'] == 'POST':
+         ctype, pdict = parse_header(environ['CONTENT_TYPE'])
+         if ctype == 'multipart/form-data':
+-            return parse_multipart(fp, pdict)
+            return parse_multipart(fp, pdict, separator=separator)
+         elif ctype == 'application/x-www-form-urlencoded':
+             clength = int(environ['CONTENT_LENGTH'])
+             if maxlen and clength > maxlen:
+@@ -178,10 +182,10 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+             qs = ""
+         environ['QUERY_STRING'] = qs    # XXX Shouldn't, really
+     return urllib.parse.parse_qs(qs, keep_blank_values, strict_parsing,
+-                                 encoding=encoding)
+                                 encoding=encoding, separator=separator)
+ 
+ 
+-def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
+def parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator='&'):
+     """Parse multipart input.
+ 
+     Arguments:
+@@ -205,7 +209,7 @@ def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
+     except KeyError:
+         pass
+     fs = FieldStorage(fp, headers=headers, encoding=encoding, errors=errors,
+-        environ={'REQUEST_METHOD': 'POST'})
+        environ={'REQUEST_METHOD': 'POST'}, separator=separator)
+     return {k: fs.getlist(k) for k in fs}
+ 
+ def _parseparam(s):
+@@ -315,7 +319,7 @@ class FieldStorage:
+     def __init__(self, fp=None, headers=None, outerboundary=b'',
+                  environ=os.environ, keep_blank_values=0, strict_parsing=0,
+                  limit=None, encoding='utf-8', errors='replace',
+-                 max_num_fields=None):
+                 max_num_fields=None, separator='&'):
+         """Constructor.  Read multipart/* until last part.
+ 
+         Arguments, all optional:
+@@ -363,6 +367,7 @@ def __init__(self, fp=None, headers=None, outerboundary=b'',
+         self.keep_blank_values = keep_blank_values
+         self.strict_parsing = strict_parsing
+         self.max_num_fields = max_num_fields
+        self.separator = separator
+         if 'REQUEST_METHOD' in environ:
+             method = environ['REQUEST_METHOD'].upper()
+         self.qs_on_post = None
+@@ -589,7 +594,7 @@ def read_urlencoded(self):
+         query = urllib.parse.parse_qsl(
+             qs, self.keep_blank_values, self.strict_parsing,
+             encoding=self.encoding, errors=self.errors,
+-            max_num_fields=self.max_num_fields)
+            max_num_fields=self.max_num_fields, separator=self.separator)
+         self.list = [MiniFieldStorage(key, value) for key, value in query]
+         self.skip_lines()
+ 
+@@ -605,7 +610,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
+             query = urllib.parse.parse_qsl(
+                 self.qs_on_post, self.keep_blank_values, self.strict_parsing,
+                 encoding=self.encoding, errors=self.errors,
+-                max_num_fields=self.max_num_fields)
+                max_num_fields=self.max_num_fields, separator=self.separator)
+             self.list.extend(MiniFieldStorage(key, value) for key, value in query)
+ 
+         klass = self.FieldStorageClass or self.__class__
+@@ -649,7 +654,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
+                 else self.limit - self.bytes_read
+             part = klass(self.fp, headers, ib, environ, keep_blank_values,
+                          strict_parsing, limit,
+-                         self.encoding, self.errors, max_num_fields)
+                         self.encoding, self.errors, max_num_fields, self.separator)
+ 
+             if max_num_fields is not None:
+                 max_num_fields -= 1
+diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
+index 101942de947fb..4e1506a6468b9 100644
+--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
+@@ -53,12 +53,9 @@ def do_test(buf, method):
+     ("", ValueError("bad query field: ''")),
+     ("&", ValueError("bad query field: ''")),
+     ("&&", ValueError("bad query field: ''")),
+-    (";", ValueError("bad query field: ''")),
+-    (";&;", ValueError("bad query field: ''")),
+     # Should the next few really be valid?
+     ("=", {}),
+     ("=&=", {}),
+-    ("=;=", {}),
+     # This rest seem to make sense
+     ("=a", {'': ['a']}),
+     ("&=a", ValueError("bad query field: ''")),
+@@ -73,8 +70,6 @@ def do_test(buf, method):
+     ("a=a+b&b=b+c", {'a': ['a b'], 'b': ['b c']}),
+     ("a=a+b&a=b+a", {'a': ['a b', 'b a']}),
+     ("x=1&y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+-    ("x=1;y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+-    ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+     ("Hbc5161168c542333633315dee1182227:key_store_seqid=400006&cuyer=r&view=bustomer&order_id=0bb2e248638833d48cb7fed300000f1b&expire=964546263&lobale=en-US&kid=130003.300038&ss=env",
+      {'Hbc5161168c542333633315dee1182227:key_store_seqid': ['400006'],
+       'cuyer': ['r'],
+@@ -201,6 +196,30 @@ def test_strict(self):
+                     else:
+                         self.assertEqual(fs.getvalue(key), expect_val[0])
+ 
+    def test_separator(self):
+        parse_semicolon = [
+            ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}),
+            ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+            (";", ValueError("bad query field: ''")),
+            (";;", ValueError("bad query field: ''")),
+            ("=;a", ValueError("bad query field: 'a'")),
+            (";b=a", ValueError("bad query field: ''")),
+            ("b;=a", ValueError("bad query field: 'b'")),
+            ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
+            ("a=a+b;a=b+a", {'a': ['a b', 'b a']}),
+        ]
+        for orig, expect in parse_semicolon:
+            env = {'QUERY_STRING': orig}
+            fs = cgi.FieldStorage(separator=';', environ=env)
+            if isinstance(expect, dict):
+                for key in expect.keys():
+                    expect_val = expect[key]
+                    self.assertIn(key, fs)
+                    if len(expect_val) > 1:
+                        self.assertEqual(fs.getvalue(key), expect_val)
+                    else:
+                        self.assertEqual(fs.getvalue(key), expect_val[0])
+
+     def test_log(self):
+         cgi.log("Testing")
+ 
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 4ae6ed33858ce..90c8d6922629e 100644
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -32,16 +32,10 @@
+     (b"&a=b", [(b'a', b'b')]),
+     (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+     (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]),
+-    (";", []),
+-    (";;", []),
+-    (";a=b", [('a', 'b')]),
+-    ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
+-    ("a=1;a=2", [('a', '1'), ('a', '2')]),
+-    (b";", []),
+-    (b";;", []),
+-    (b";a=b", [(b'a', b'b')]),
+-    (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+-    (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
+    (";a=b", [(';a', 'b')]),
+    ("a=a+b;b=b+c", [('a', 'a b;b=b c')]),
+    (b";a=b", [(b';a', b'b')]),
+    (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]),
+ ]
+ 
+ # Each parse_qs testcase is a two-tuple that contains
+@@ -68,16 +62,10 @@
+     (b"&a=b", {b'a': [b'b']}),
+     (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+     (b"a=1&a=2", {b'a': [b'1', b'2']}),
+-    (";", {}),
+-    (";;", {}),
+-    (";a=b", {'a': ['b']}),
+-    ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
+-    ("a=1;a=2", {'a': ['1', '2']}),
+-    (b";", {}),
+-    (b";;", {}),
+-    (b";a=b", {b'a': [b'b']}),
+-    (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+-    (b"a=1;a=2", {b'a': [b'1', b'2']}),
+    (";a=b", {';a': ['b']}),
+    ("a=a+b;b=b+c", {'a': ['a b;b=b c']}),
+    (b";a=b", {b';a': [b'b']}),
+    (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}),
+ ]
+ 
+ class UrlParseTestCase(unittest.TestCase):
+@@ -884,10 +872,46 @@ def test_parse_qsl_encoding(self):
+     def test_parse_qsl_max_num_fields(self):
+         with self.assertRaises(ValueError):
+             urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10)
+-        with self.assertRaises(ValueError):
+-            urllib.parse.parse_qs(';'.join(['a=a']*11), max_num_fields=10)
+         urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10)
+ 
+    def test_parse_qs_separator(self):
+        parse_qs_semicolon_cases = [
+            (";", {}),
+            (";;", {}),
+            (";a=b", {'a': ['b']}),
+            ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
+            ("a=1;a=2", {'a': ['1', '2']}),
+            (b";", {}),
+            (b";;", {}),
+            (b";a=b", {b'a': [b'b']}),
+            (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+            (b"a=1;a=2", {b'a': [b'1', b'2']}),
+        ]
+        for orig, expect in parse_qs_semicolon_cases:
+            with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
+                result = urllib.parse.parse_qs(orig, separator=';')
+                self.assertEqual(result, expect, "Error parsing %r" % orig)
+
+
+    def test_parse_qsl_separator(self):
+        parse_qsl_semicolon_cases = [
+            (";", []),
+            (";;", []),
+            (";a=b", [('a', 'b')]),
+            ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
+            ("a=1;a=2", [('a', '1'), ('a', '2')]),
+            (b";", []),
+            (b";;", []),
+            (b";a=b", [(b'a', b'b')]),
+            (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+            (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
+        ]
+        for orig, expect in parse_qsl_semicolon_cases:
+            with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
+                result = urllib.parse.parse_qsl(orig, separator=';')
+                self.assertEqual(result, expect, "Error parsing %r" % orig)
+
+
+     def test_urlencode_sequences(self):
+         # Other tests incidentally urlencode things; test non-covered cases:
+         # Sequence and object values.
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 95be7181133b4..0c1c94f5fc986 100644
+--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
+@@ -650,7 +650,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
+ 
+ 
+ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+-             encoding='utf-8', errors='replace', max_num_fields=None):
+             encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+     """Parse a query given as a string argument.
+ 
+         Arguments:
+@@ -674,12 +674,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+         max_num_fields: int. If set, then throws a ValueError if there
+             are more than n fields read by parse_qsl().
+ 
+        separator: str. The symbol to use for separating the query arguments.
+            Defaults to &.
+
+         Returns a dictionary.
+     """
+     parsed_result = {}
+     pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
+                       encoding=encoding, errors=errors,
+-                      max_num_fields=max_num_fields)
+                      max_num_fields=max_num_fields, separator=separator)
+     for name, value in pairs:
+         if name in parsed_result:
+             parsed_result[name].append(value)
+@@ -689,7 +692,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+ 
+ 
+ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+-              encoding='utf-8', errors='replace', max_num_fields=None):
+              encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+     """Parse a query given as a string argument.
+ 
+         Arguments:
+@@ -712,19 +715,25 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+         max_num_fields: int. If set, then throws a ValueError
+             if there are more than n fields read by parse_qsl().
+ 
+        separator: str. The symbol to use for separating the query arguments.
+            Defaults to &.
+
+         Returns a list, as G-d intended.
+     """
+     qs, _coerce_result = _coerce_args(qs)
+ 
+    if not separator or (not isinstance(separator, (str, bytes))):
+        raise ValueError("Separator must be of type string or bytes.")
+
+     # If max_num_fields is defined then check that the number of fields
+     # is less than max_num_fields. This prevents a memory exhaustion DOS
+     # attack via post bodies with many fields.
+     if max_num_fields is not None:
+-        num_fields = 1 + qs.count('&') + qs.count(';')
+        num_fields = 1 + qs.count(separator)
+         if max_num_fields < num_fields:
+             raise ValueError('Max number of fields exceeded')
+ 
+-    pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
+    pairs = [s1 for s1 in qs.split(separator)]
+     r = []
+     for name_value in pairs:
+         if not name_value and not strict_parsing:
+diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+new file mode 100644
+index 0000000000000..f08489b41494e
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+@@ -0,0 +1 @@
+Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator.
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
new file mode 100644
index 0000000000..43d678db46
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
@@ -0,0 +1,191 @@
+From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 18 Jan 2021 13:28:52 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24248)
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+CVE: CVE-2021-3177
+Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/ctypes/test/test_parameters.py            | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst  |  2 +
+ Modules/_ctypes/callproc.c                    | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
+++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+         with self.assertRaises(ZeroDivisionError):
+             WorseStruct().__setstate__({}, b'foo')
+ 
+    def test_parameter_repr(self):
+        from ctypes import (
+            c_bool,
+            c_char,
+            c_wchar,
+            c_byte,
+            c_ubyte,
+            c_short,
+            c_ushort,
+            c_int,
+            c_uint,
+            c_long,
+            c_ulong,
+            c_longlong,
+            c_ulonglong,
+            c_float,
+            c_double,
+            c_longdouble,
+            c_char_p,
+            c_wchar_p,
+            c_void_p,
+        )
+        self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
+        self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
+        self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
+        self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
+        self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
+        self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
+        self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
+        self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+        self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+        self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+        self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+        self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
+        self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
+        self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
+        self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
+        self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
+        self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
+        self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
+        self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
+        self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
+
+ ################################################################
+ 
+ if __name__ == '__main__':
+diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+new file mode 100644
+index 0000000000000..7df65a156feab
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+@@ -0,0 +1,2 @@
+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index a9b8675cd951b..de75918d49f37 100644
+--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+-    char buffer[256];
+     switch(self->tag) {
+     case 'b':
+     case 'B':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
+        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.b);
+-        break;
+     case 'h':
+     case 'H':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
+        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.h);
+-        break;
+     case 'i':
+     case 'I':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
+        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.i);
+-        break;
+     case 'l':
+     case 'L':
+-        sprintf(buffer, "<cparam '%c' (%ld)>",
+        return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+             self->tag, self->value.l);
+-        break;
+ 
+     case 'q':
+     case 'Q':
+-        sprintf(buffer,
+-#ifdef MS_WIN32
+-            "<cparam '%c' (%I64d)>",
+-#else
+-            "<cparam '%c' (%lld)>",
+-#endif
+        return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+             self->tag, self->value.q);
+-        break;
+     case 'd':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.d);
+-        break;
+-    case 'f':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.f);
+-        break;
+-
+    case 'f': {
+        PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
+        if (f == NULL) {
+            return NULL;
+        }
+        PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
+        Py_DECREF(f);
+        return result;
+    }
+     case 'c':
+         if (is_literal_char((unsigned char)self->value.c)) {
+-            sprintf(buffer, "<cparam '%c' ('%c')>",
+            return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+                 self->tag, self->value.c);
+         }
+         else {
+-            sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
+            return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+                 self->tag, (unsigned char)self->value.c);
+         }
+-        break;
+ 
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+    Shouldn't they be replaced by the functionality of c_string
+@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
+     case 'z':
+     case 'Z':
+     case 'P':
+-        sprintf(buffer, "<cparam '%c' (%p)>",
+        return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+             self->tag, self->value.p);
+         break;
+ 
+     default:
+         if (is_literal_char((unsigned char)self->tag)) {
+-            sprintf(buffer, "<cparam '%c' at %p>",
+            return PyUnicode_FromFormat("<cparam '%c' at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+         else {
+-            sprintf(buffer, "<cparam 0x%02x at %p>",
+            return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+-        break;
+     }
+-    return PyUnicode_FromString(buffer);
+ }
+ 
+ static PyMemberDef PyCArgType_members[] = {
diff --git a/meta/recipes-devtools/python/python3_3.8.5.bb b/meta/recipes-devtools/python/python3_3.8.5.bb
index 3720b364bb..418d35acfe 100644
--- a/meta/recipes-devtools/python/python3_3.8.5.bb
+++ b/meta/recipes-devtools/python/python3_3.8.5.bb
@@ -33,6 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
           file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
           file://CVE-2020-27619.patch \
+           file://CVE-2021-3177.patch \
+           file://CVE-2021-23336.patch \
           "
 SRC_URI_append_class-native = " \
@@ -50,6 +52,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 CVE_PRODUCT = "python"
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
 # This is not exploitable when glibc has CVE-2016-10739 fixed.
 CVE_CHECK_WHITELIST += "CVE-2019-18348"
@@ -166,6 +170,10 @@ do_install_append() {
 }
 do_install_append_class-nativesdk () {
+    # Make sure we use /usr/bin/env python
+    for PYTHSCRIPT in `grep -rIl ${bindir}/python ${D}${bindir}`; do
+         sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
+    done
    create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
 }
@@ -304,11 +312,8 @@ do_create_manifest() {
 }
 # bitbake python -c create_manifest
-addtask do_create_manifest
 # Make sure we have native python ready when we create a new manifest
-do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot"
+addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
-do_create_manifest[depends] += "${PN}:do_patch"
 # manual dependency additions
 RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
@@ -361,3 +366,9 @@ RDEPENDS_${PN}-dev = ""
 RDEPENDS_${PN}-tests_append_class-target = " ${MLPREFIX}bash"
 RDEPENDS_${PN}-tests_append_class-nativesdk = " ${MLPREFIX}bash"
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+        rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 84f600cec0..482ca3d6e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://find_datadir.patch \
           file://usb-fix-setup_len-init.patch \
           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+           file://CVE-2020-24352.patch \
+           file://CVE-2020-29129-CVE-2020-29130.patch \
+           file://CVE-2020-25624.patch \
+           file://CVE-2020-25723.patch \
+           file://CVE-2020-28916.patch \
+           file://CVE-2020-35517.patch \
+           file://CVE-2020-29443.patch \
+           file://CVE-2021-20203.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000000..861ff6c3b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride *= bpp;
+     }
+     uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+-    if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+-        dst_stride >= end) {
+    if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
+        || dst_bits + dst_x
+         + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+         qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+         return;
+     }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+             src_bits += s->regs.crtc_offset & 0x07ffffff;
+             src_stride *= bpp;
+         }
+-        if (src_bits >= end || src_bits + src_x +
+-            (src_y + s->regs.dst_height) * src_stride >= end) {
+        if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
+            || src_bits + src_x
+             + (src_y + s->regs.dst_height) * src_stride >= end) {
+             qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+             return;
+         }
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
new file mode 100644
index 0000000000..7631bab39f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+  READ of size 2 at 0x7ffd53af76a0 thread T0
+  #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+  #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+  #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+  #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+  #4 timerlist_run_timers ../util/qemu-timer.c:572
+  #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+  #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+  #7 main_loop_wait ../util/main-loop.c:527
+  #8 qemu_main_loop ../softmmu/vl.c:1676
+  #9 main ../softmmu/main.c:50
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-25624
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e..9dc5910 100644
+--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     }
+ 
+     start_offset = iso_td.offset[relative_frame_number];
+-    next_offset = iso_td.offset[relative_frame_number + 1];
+    if (relative_frame_number < frame_count) {
+        next_offset = iso_td.offset[relative_frame_number + 1];
+    } else {
+        next_offset = iso_td.be;
+    }
+ 
+     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
+         ((relative_frame_number < frame_count) && 
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+         }
+     } else {
+         /* Last packet in the ISO TD */
+-        end_addr = iso_td.be;
+        end_addr = next_offset;
+    }
+
+    if (start_addr > end_addr) {
+        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
+        return 1;
+     }
+ 
+     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     } else {
+         len = end_addr - start_addr + 1;
+     }
+    if (len > sizeof(ohci->usb_buf)) {
+        len = sizeof(ohci->usb_buf);
+    }
+ 
+     if (len && dir != OHCI_TD_DIR_IN) {
+         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+         } else {
+            if (td.cbp > td.be) {
+                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
+                ohci_die(ohci);
+                return 1;
+            }
+             len = (td.be - td.cbp) + 1;
+         }
+        if (len > sizeof(ohci->usb_buf)) {
+            len = sizeof(ohci->usb_buf);
+        }
+ 
+         pktlen = len;
+         if (len && dir != OHCI_TD_DIR_IN) {
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..90b3a2f41c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-25723
+[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 1495e8f..1fbb02a 100644
+--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
+        if (usb_packet_map(&p->packet, &p->sgl)) {
+            qemu_sglist_destroy(&p->sgl);
+            return -1;
+        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+ 
+@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
+                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
+                    qemu_sglist_destroy(&ehci->isgl);
+                    return -1;
+                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000000..5212196837
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,49 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null
+descriptor
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+[https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index bcd186c..d3e3cdc 100644
+--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+                 }
+             }
+-            desc_offset += desc_size;
+-            if (desc_offset >= total_size) {
+-                is_last = true;
+-            }
+         } else { /* as per intel docs; skip descriptors with null buf addr */
+             trace_e1000e_rx_null_descriptor();
+         }
+        desc_offset += desc_size;
+        if (desc_offset >= total_size) {
+            is_last = true;
+        }
+ 
+         e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
new file mode 100644
index 0000000000..e5829f6dad
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
@@ -0,0 +1,64 @@
+From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 26 Nov 2020 19:27:06 +0530
+Subject: [PATCH] slirp: check pkt_len before reading protocol header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
+routines, ensure that pkt_len is large enough to accommodate the
+respective protocol headers, lest it should do an OOB access.
+Add check to avoid it.
+CVE-2020-29129 CVE-2020-29130
+  QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
+ -> https://www.openwall.com/lists/oss-security/2020/11/27/1
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
+Reviewed-by: Marc-AndrÃ Lureau <marcandre.lureau@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-29129 CVE-2020-29130
+[https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ slirp/src/ncsi.c  | 4 ++++
+ slirp/src/slirp.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
+index 3c1dfef..75dcc08 100644
+--- a/slirp/src/ncsi.c
+++ b/slirp/src/ncsi.c
+@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+     uint32_t checksum;
+     uint32_t *pchecksum;
+ 
+    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
+        return; /* packet too short */
+    }
+
+     memset(ncsi_reply, 0, sizeof(ncsi_reply));
+ 
+     memset(reh->h_dest, 0xff, ETH_ALEN);
+diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
+index dba7c98..9be58e2 100644
+--- a/slirp/src/slirp.c
+++ b/slirp/src/slirp.c
+@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+         return;
+     }
+ 
+    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
+        return; /* packet too short */
+    }
+
+     ar_op = ntohs(ah->ar_op);
+     switch (ar_op) {
+     case ARPOP_REQUEST:
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..5a3b99bb23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
+m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF).  For now paper over it
+with assertions.  The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
+CVE: CVE-2020-29443
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0b..e791578 100644
+--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+         s->packet_transfer_size -= size;
+         s->elementary_transfer_size -= size;
+         s->io_buffer_index += size;
+        assert(size <= s->io_buffer_total_len);
+        assert(s->io_buffer_index <= s->io_buffer_total_len);
+ 
+         /* Some adapters process PIO data right away.  In that case, we need
+          * to avoid mutual recursion between ide_transfer_start
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
+From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 6 Oct 2020 10:58:26 +0100
+Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
+In order to prevent /proc/self/fd escapes a temporary directory is
+created where /proc/self/fd is bind-mounted. This doesn't work on
+read-only file systems.
+Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
+This does not affect other processes since we remounted / with MS_REC |
+MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
+do this.
+Path traversal can be tested with the following function:
+  static void test_proc_fd_escape(struct lo_data *lo)
+  {
+      int fd;
+      int level = 0;
+      ino_t last_ino = 0;
+      fd = lo->proc_self_fd;
+      for (;;) {
+          struct stat st;
+          if (fstat(fd, &st) != 0) {
+              perror("fstat");
+              return;
+          }
+          if (last_ino && st.st_ino == last_ino) {
+              fprintf(stderr, "inode number unchanged, stopping\n");
+              return;
+          }
+          last_ino = st.st_ino;
+          fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
+                  (unsigned long)st.st_dev,
+                  (unsigned long)last_ino);
+          fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
+          level++;
+      }
+  }
+Before and after this patch only Level 0 is displayed. Without
+/proc/self/fd bind-mount protection it is possible to traverse parent
+directories.
+Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Tested-by: Jens Freimann <jfreimann@redhat.com>
+Reviewed-by: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
+CVE: CVE-2020-35517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 477e6ee0b53..ff53df44510 100644
+--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
+@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
+ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ {
+     pid_t child;
+-    char template[] = "virtiofsd-XXXXXX";
+-    char *tmpdir;
+ 
+     /*
+      * Create a new pid namespace for *child* processes.  We'll have to
+@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+         exit(1);
+     }
+ 
+-    tmpdir = mkdtemp(template);
+-    if (!tmpdir) {
+-        fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
+-        exit(1);
+-    }
+-
+-    if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
+-                 tmpdir);
+    /*
+     * We only need /proc/self/fd. Prevent ".." from accessing parent
+     * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
+     * previously remounted with MS_REC | MS_SLAVE this mount change only
+     * affects our process.
+     */
+    if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
+         exit(1);
+     }
+ 
+-    /* Now we can get our /proc/self/fd directory file descriptor */
+-    lo->proc_self_fd = open(tmpdir, O_PATH);
+    /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
+    lo->proc_self_fd = open("/proc", O_PATH);
+     if (lo->proc_self_fd == -1) {
+-        fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
+        fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
+         exit(1);
+     }
+-
+-    if (umount2(tmpdir, MNT_DETACH) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
+-        exit(1);
+-    }
+-
+-    if (rmdir(tmpdir) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
+-    }
+ }
+ 
+ /*
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
new file mode 100644
index 0000000000..31440af0bd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
@@ -0,0 +1,74 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
+CVE: CVE-2021-20203
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+     vmxnet3_setup_rx_filtering(s);
+     /* Cache fields from shared memory */
+     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+     VMW_CFPRN("MTU is %u", s->mtu);
+ 
+     s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* Read rings memory locations for TX queues */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
+        if (size > VMXNET3_TX_RING_MAX_SIZE) {
+            size = VMXNET3_TX_RING_MAX_SIZE;
+        }
+ 
+         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* TXC ring */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
+        if (size > VMXNET3_TC_RING_MAX_SIZE) {
+            size = VMXNET3_TC_RING_MAX_SIZE;
+        }
+         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxCompDesc), true);
+         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+             /* RX rings */
+             pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+             size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
+            if (size > VMXNET3_RX_RING_MAX_SIZE) {
+                size = VMXNET3_RX_RING_MAX_SIZE;
+            }
+             vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+                               sizeof(struct Vmxnet3_RxDesc), false);
+             VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         /* RXC ring */
+         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
+        if (size > VMXNET3_RC_RING_MAX_SIZE) {
+            size = VMXNET3_RC_RING_MAX_SIZE;
+        }
+         vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_RxCompDesc), true);
+         VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/quilt/quilt.inc b/meta/recipes-devtools/quilt/quilt.inc
index d6d06c049c..d7ecda7aaa 100644
--- a/meta/recipes-devtools/quilt/quilt.inc
+++ b/meta/recipes-devtools/quilt/quilt.inc
@@ -30,7 +30,7 @@ EXTRA_OECONF = "--with-perl='${USRBINPATH}/env perl' --with-patch=patch"
 EXTRA_OECONF_append_class-native = " --disable-nls"
 EXTRA_AUTORECONF += "--exclude=aclocal"
-CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash"
+CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash ac_cv_path_COLUMN=column"
 # Make sure we don't have "-w" in shebang lines: it breaks using
 # "/usr/bin/env perl" as parser
diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000000..2d51ddf965
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+CVE: CVE-2020-14387
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
+++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-       exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+       exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+        exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/rsync/files/determism.patch b/meta/recipes-devtools/rsync/files/determism.patch
new file mode 100644
index 0000000000..53a4ca7505
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/determism.patch
@@ -0,0 +1,28 @@
+The Makefile calls awk on a "*.c" glob. The results of this glob are sorted
+but the order depends on the locale settings, particularly whether
+"util.c" and "util2.c" sort before or after each other. In en_US.UTF-8
+they sort one way, in C, they sort the other. The sorting order changes 
+the output binaries. The behaviour also changes dependning on whether
+SHELL (/bin/sh) is dash or bash.
+Specify a C locale setting to be deterministic.
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending
+Index: rsync-3.2.3/Makefile.in
+===================================================================
+--- rsync-3.2.3.orig/Makefile.in
+++ rsync-3.2.3/Makefile.in
+@@ -26,6 +26,11 @@ MKDIR_P=@MKDIR_P@
+ VPATH=$(srcdir)
+ SHELL=/bin/sh
+ 
+# We use globbing in commands, need to be deterministic
+unexport LC_ALL
+LC_COLLATE=C
+export LC_COLLATE
+
+ .SUFFIXES:
+ .SUFFIXES: .c .o
+ 
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 375efa0dea..df4fbbd0d2 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -12,6 +12,8 @@ DEPENDS = "popt"
 SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           file://rsyncd.conf \
           file://makefile-no-rebuild.patch \
+           file://determism.patch \
+           file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
           "
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
@@ -38,7 +40,7 @@ PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd"
 CACHED_CONFIGUREVARS += "rsync_cv_can_hardlink_special=yes rsync_cv_can_hardlink_symlink=yes"
 EXTRA_OEMAKE = 'STRIP=""'
-EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm"
+EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm --with-nobody-group=nogroup"
 # rsync 3.0 uses configure.sh instead of configure, and
 # makefile checks the existence of configure.sh
diff --git a/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch b/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
new file mode 100644
index 0000000000..826daf2cda
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
@@ -0,0 +1,32 @@
+From 2368d07660a93a2c41d63f3ab6054ca4daeef820 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 17 Nov 2020 18:31:40 +0000
+Subject: [PATCH] template/Makefile.in: do not write host cross-cc items into
+ target config
+This helps reproducibility.
+Upstream-Status: Inapproppriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ template/Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/template/Makefile.in b/template/Makefile.in
+index 10dc826..940ee07 100644
+--- a/template/Makefile.in
+++ b/template/Makefile.in
+@@ -657,11 +657,11 @@ mjit_config.h:
+        echo '#endif'; \
+        quote MJIT_MIN_HEADER_NAME "$(MJIT_MIN_HEADER_NAME)"; \
+        sep=,; \
+-       quote "MJIT_CC_COMMON  " $(MJIT_CC); \
+       quote "MJIT_CC_COMMON  " ; \
+        quote "MJIT_CFLAGS      MJIT_ARCHFLAG" $(MJIT_CFLAGS); \
+        quote "MJIT_OPTFLAGS   " $(MJIT_OPTFLAGS); \
+        quote "MJIT_DEBUGFLAGS " $(MJIT_DEBUGFLAGS); \
+-       quote "MJIT_LDSHARED   " $(MJIT_LDSHARED); \
+       quote "MJIT_LDSHARED   " ; \
+        quote "MJIT_DLDFLAGS    MJIT_ARCHFLAG" $(MJIT_DLDFLAGS); \
+        quote "MJIT_LIBS       " $(LIBRUBYARG_SHARED); \
+        quote 'PRELOADENV       "@PRELOADENV@"'; \
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.1.bb
index f87686f6f7..a6c65e887b 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.1.bb
@@ -7,6 +7,7 @@ SRC_URI += " \
           file://run-ptest \
           file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
           file://CVE-2020-25613.patch \
+           file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
           "
 SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
index f84a7e18c8..95dccb9cae 100755
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -72,12 +72,12 @@ exec_postinst_scriptlets() {
                else
                        echo "ERROR: postinst $i failed."
                        [ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log
-                        remove_pi_dir=0
+                        remove_rcsd_link=0
                fi
        done
 }
-remove_pi_dir=1
+remove_rcsd_link=1
 if $pm_installed; then
        case $pm in
                "ipk")
@@ -92,9 +92,7 @@ else
        exec_postinst_scriptlets
 fi
-# since all postinstalls executed successfully, remove the postinstalls directory
+# since all postinstalls executed successfully, remove the rcS.d link
-# and the rcS.d link
+if [ $remove_rcsd_link = 1 ]; then
-if [ $remove_pi_dir = 1 ]; then
-        rm -rf $pi_dir
        remove_rcsd_link
 fi
diff --git a/meta/recipes-devtools/strace/strace/run-ptest b/meta/recipes-devtools/strace/strace/run-ptest
index 4660207220..3a51fb0be9 100755
--- a/meta/recipes-devtools/strace/strace/run-ptest
+++ b/meta/recipes-devtools/strace/strace/run-ptest
@@ -1,5 +1,5 @@
 #!/bin/sh
-export TIMEOUT_DURATION=120
+export TIMEOUT_DURATION=240
 chown nobody tests
 chown nobody tests/*
 chown nobody ../ptest
diff --git a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
index ed14fe66b1..c1b05691b8 100644
--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -48,6 +48,7 @@ CFLAGS_append_libc-musl = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_powerpc64 = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_powerpc64le = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_riscv64 = " ${LCL_STOP_SERVICES}"
+CFLAGS_append_riscv32 = " ${LCL_STOP_SERVICES}"
 do_install() {
        oe_runmake install INSTALLROOT=${D}
diff --git a/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
new file mode 100644
index 0000000000..0bd8273cd8
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
@@ -0,0 +1,36 @@
+From d8c19e0bb9ca2fd48f223e1fdeffcafeb0aa1745 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Wed, 17 Feb 2021 14:53:44 -0500
+Subject: [PATCH] gdbserver_tests: Disable nlcontrolc.vgtest for x86-64
+Test hangs after glibc 2.33 uprev
+Using gdb to modify the timeout argument no longer
+affects how long `select` wait.
+https://bugs.kde.org/show_bug.cgi?id=432870
+Upstream-Status: Pending
+Waiting for upstream to take action.
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ gdbserver_tests/nlcontrolc.vgtest | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/gdbserver_tests/nlcontrolc.vgtest b/gdbserver_tests/nlcontrolc.vgtest
+index bb5308403..96d2b52bb 100644
+--- a/gdbserver_tests/nlcontrolc.vgtest
+++ b/gdbserver_tests/nlcontrolc.vgtest
+@@ -13,7 +13,8 @@ args: 1000000000 1000000000 1000000000 BSBSBSBS 1
+ vgopts: --tool=none --vgdb=yes --vgdb-error=0 --vgdb-prefix=./vgdb-prefix-nlcontrolc
+ stderr_filter: filter_stderr
+ # Bug 338633 nlcontrol hangs on arm64 currently.
+-prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris
+# Bug 432870 nlcontrolc hangs on x86-64 starting with glibc 2.33
+prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris && ! ../tests/arch_test amd64
+ progB: gdb
+ argsB: --quiet -l 60 --nx ./sleepers
+ stdinB: nlcontrolc.stdinB.gdb
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/valgrind/valgrind/0001-helgrind-Intercept-libc-functions.patch b/meta/recipes-devtools/valgrind/valgrind/0001-helgrind-Intercept-libc-functions.patch
new file mode 100644
index 0000000000..f66df3d2d2
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/0001-helgrind-Intercept-libc-functions.patch
@@ -0,0 +1,54 @@
+From cdec010444df5a4328e90d07a2024fdeefcc74b5 Mon Sep 17 00:00:00 2001
+From: Paul Floyd <paulf@free.fr>
+Date: Wed, 18 Nov 2020 12:49:20 -0400
+Subject: [PATCH] helgrind: Intercept libc functions
+PTH_FUNC definition needs to be modified in order to
+intercept posix thread functions in both libc and
+libpthread. In order to handle this in helgrind, weak alias
+the pthread functions in glibc.
+Upstream-Status: Submitted
+Signed-off-by: Paul Floyd <paulf@free.fr>
+Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
+---
+ helgrind/hg_intercepts.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/helgrind/hg_intercepts.c b/helgrind/hg_intercepts.c
+index a10c3a4a3..316140ca6 100644
+--- a/helgrind/hg_intercepts.c
+++ b/helgrind/hg_intercepts.c
+@@ -77,6 +77,11 @@
+ /*---                                                          ---*/
+ /*----------------------------------------------------------------*/
+ 
+#define hg_expand(tok) #tok
+#define hg_str(tok) hg_expand(tok)
+# define hg_weak_alias(name, aliasname) \
+  extern __typeof (name) aliasname __attribute__ ((weak, alias(hg_str(name))))
+
+ #if defined(VGO_solaris)
+ /* On Solaris, libpthread is just a filter library on top of libc.
+  * Threading and synchronization functions in runtime linker are not
+@@ -91,9 +96,16 @@
+ #define CREQ_PTHREAD_T Word
+ #define SEM_ERROR ret
+ #else
+#ifdef MUSL_LIBC
+#define PTH_FUNC(ret_ty, f, args...) \
+   ret_ty I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBPTHREAD_SONAME,f)(args); \
+   ret_ty I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBPTHREAD_SONAME,f)(args)
+#else
+ #define PTH_FUNC(ret_ty, f, args...) \
+    ret_ty I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBPTHREAD_SONAME,f)(args); \
+   hg_weak_alias(I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBPTHREAD_SONAME,f), I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBC_SONAME,f)); \
+    ret_ty I_WRAP_SONAME_FNNAME_ZZ(VG_Z_LIBPTHREAD_SONAME,f)(args)
+#endif
+ #define CREQ_PTHREAD_T pthread_t
+ #define SEM_ERROR errno
+ #endif /* VGO_solaris */
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
index 7985308e41..0c399ef52c 100644
--- a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
+++ b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
@@ -19,6 +19,11 @@ Upstream-Status: Pending
 Signed-off-by: Dave Lerner <dave.lerner@windriver.com>
 Signed-off-by: Tudor Florea <tudor.florea@enea.com>
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+Increase time limit to 90 s.
+(double of the expected time of drd/tests/std_list on qemuarm64)
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
 ---
 tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 55 insertions(+), 20 deletions(-)
@@ -66,7 +71,7 @@ index a441f42..cb05b52 100755
 # Since most of the program time is spent in system() calls, need this to
 # propagate a Ctrl-C enabling us to quit.
 -sub mysystem($) 
-+# Enforce 30 seconds limit for the test.
+# Enforce 90 seconds limit for the test.
 +# This resume execution of the remaining tests if valgrind hangs.
 +sub mysystem($)
 {
@@ -76,7 +81,7 @@ index a441f42..cb05b52 100755
 +    my $exit_code=0;
 +    eval {
 +        local $SIG{'ALRM'} = sub { die "timed out\n" };
-+        alarm(30);
+        alarm(90);
 +        $exit_code = system($_[0]);
 +        alarm (0);
 +        ($exit_code == 2) and die "SIGINT\n";   # 2 is SIGINT
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
index a3a0c6e50f..93bfd45a4e 100644
--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -31,8 +31,6 @@ drd/tests/annotate_static
 drd/tests/annotate_trace_memory
 drd/tests/annotate_trace_memory_xml
 drd/tests/atomic_var
-drd/tests/bar_bad
-drd/tests/bar_bad_xml
 drd/tests/bar_trivial
 drd/tests/bug-235681
 drd/tests/bug322621
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
new file mode 100644
index 0000000000..d6a85c4735
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
@@ -0,0 +1,2 @@
+drd/tests/bar_bad
+drd/tests/bar_bad_xml
diff --git a/meta/recipes-devtools/valgrind/valgrind/run-ptest b/meta/recipes-devtools/valgrind/valgrind/run-ptest
index 97b0a85dbf..7217dfca5d 100755
--- a/meta/recipes-devtools/valgrind/valgrind/run-ptest
+++ b/meta/recipes-devtools/valgrind/valgrind/run-ptest
@@ -17,6 +17,12 @@ EXP_TOOLS="exp-bbv exp-dhat exp-sgcheck"
 GDB_BIN=@bindir@/gdb
 cd ${VALGRIND_LIB}/ptest && ./gdbserver_tests/make_local_links ${GDB_BIN}
+echo "Hide valgrind tests that are non-deterministic"
+echo "Reported at https://bugs.kde.org/show_bug.cgi?id=430321"
+for i in `cat remove-for-all`; do
+   mv $i.vgtest $i.IGNORE;
+done
 arch=`arch`
 if [ "$arch" = "aarch64" ]; then
   echo "Aarch64: Hide valgrind tests that result in defunct process and then out of memory"
@@ -44,6 +50,10 @@ if [ "$arch" = "aarch64" ]; then
   done
 fi
+echo "Restore valgrind tests that are non-deterministc"
+for i in `cat remove-for-all`; do
+   mv $i.IGNORE $i.vgtest;
+done
 passed=`grep PASS: ${LOG}|wc -l`
 failed=`grep FAIL: ${LOG}|wc -l`
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
index bcba55f327..fc070dec78 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
           file://Added-support-for-PPC-instructions-mfatbu-mfatbl.patch \
           file://run-ptest \
           file://remove-for-aarch64 \
+           file://remove-for-all \
           file://0004-Fix-out-of-tree-builds.patch \
           file://0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch \
           file://0001-Remove-tests-that-fail-to-build-on-some-PPC32-config.patch \
@@ -42,6 +43,8 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
           file://0001-memcheck-tests-Fix-timerfd-syscall-test.patch \
           file://0001-drd-Port-to-Fedora-33.patch \
           file://0001-drd-musl-fix.patch \
+           file://0001-helgrind-Intercept-libc-functions.patch \
+           file://0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch \
           "
 SRC_URI[md5sum] = "d1b153f1ab17cf1f311705e7a83ef589"
 SRC_URI[sha256sum] = "c91f3a2f7b02db0f3bc99479861656154d241d2fdb265614ba918cc6720a33ca"
@@ -185,6 +188,7 @@ do_install_ptest() {
    # The scripts reference config.h so add it to the top ptest dir.
    cp ${B}/config.h ${D}${PTEST_PATH}
    install -D ${WORKDIR}/remove-for-aarch64 ${D}${PTEST_PATH}
+    install -D ${WORKDIR}/remove-for-all ${D}${PTEST_PATH}
    # Add an executable need by none/tests/bigcode
    mkdir ${D}${PTEST_PATH}/perf
diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
index 7d27c43c83..5ed2709e31 100644
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -29,7 +29,7 @@ RDEPENDS_${PN}_append_class-target = " \
                  libxslt-bin \
                  coreutils \
 "
-CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail"
+CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail ac_cv_path_GREP=grep"
 BBCLASSEXTEND = "native"
diff --git a/meta/recipes-extended/acpica/acpica_20200717.bb b/meta/recipes-extended/acpica/acpica_20200717.bb
index d1d06c0c24..e3c8c2bdfb 100644
--- a/meta/recipes-extended/acpica/acpica_20200717.bb
+++ b/meta/recipes-extended/acpica/acpica_20200717.bb
@@ -34,6 +34,8 @@ EXTRA_OEMAKE = "CC='${CC}' \
                PREFIX=${prefix} \
                INSTALLDIR=${bindir} \
                INSTALLFLAGS= \
+                YACC=bison \
+                YFLAGS='-y --file-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}' \
                "
 do_install() {
diff --git a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
index 711bfbfb9b..5fd3832ef9 100644
--- a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
@@ -8,7 +8,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=4e5d1baf6f20559e3bec172226a47e4e \
                    file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 "
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
+SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https;branch=main \
           file://auto-catalogs.patch"
 SRCREV = "9a407dc9a497364c91421fd961954eddb565baf1"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 87870e4aba..244c87001f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,11 +15,19 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
           file://0004-cups-fix-multilib-install-file-conflicts.patch \
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
+           file://CVE-2020-10001.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
 UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
+# Issue only applies to MacOS
+CVE_CHECK_WHITELIST += "CVE-2008-1033"
+# Issue affects pdfdistiller plugin used with but not part of cups
+CVE_CHECK_WHITELIST += "CVE-2009-0032"
+# This is an Ubuntu only issue.
+CVE_CHECK_WHITELIST += "CVE-2018-6553"
 LEAD_SONAME = "libcupsdriver.so"
 CLEANBROKEN = "1"
@@ -47,6 +55,8 @@ EXTRA_OECONF = " \
               --enable-debug \
               --disable-relro \
               --enable-libusb \
+               --with-system-groups=lpadmin \
+               --with-cups-group=lp \
               --with-domainsocket=/run/cups/cups.sock \
               DSOFLAGS='${LDFLAGS}' \
               "
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
+++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ ----------------------
+ 
+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
+  (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+   constraint.  `ppdcSource::get_resolution` function did not handle
+   invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,                /* I - Data source */
+   unsigned char                *buffer,        /* Data buffer */
+                        string[IPP_MAX_TEXT],
+                                        /* Small string buffer */
+-                       *bufptr;        /* Pointer into buffer */
+                       *bufptr,        /* Pointer into buffer */
+                       *bufend;        /* End of buffer */
+   ipp_attribute_t      *attr;          /* Current attribute */
+   ipp_tag_t            tag;            /* Current tag */
+   ipp_tag_t            value_tag;      /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                }
+ 
+                 bufptr = buffer;
+                bufend = buffer + n;
+ 
+               /*
+                * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,                /* I - Data source */
+ 
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+               if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                 bufptr += 2 + n;
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+               if ((bufptr + 2 + n) > bufend)
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP string length overflows value."), 1);
+-- 
+2.17.1
diff --git a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
index 65a99fc28d..02b016fdf1 100644
--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -13,7 +13,7 @@ do_configure() {
 }
 do_install() {
-        oe_runmake CWAUTOMACROSPREFIX=${D}${prefix} install
+        oe_runmake LABEL=`date -d @${SOURCE_DATE_EPOCH} +%Y%m%d` CWAUTOMACROSPREFIX=${D}${prefix} install
        # cleanup buildpaths in autogen.sh
        sed -i -e 's,${D},,g' ${D}${prefix}/share/cwautomacros/scripts/autogen.sh
diff --git a/meta/recipes-extended/groff/files/0001-Include-config.h.patch b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
index 348a61d9df..46065bc513 100644
--- a/meta/recipes-extended/groff/files/0001-Include-config.h.patch
+++ b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
@@ -17,6 +17,9 @@ In file included from TOPDIR/build/tmp/work/aarch64-yoe-linux-musl/groff/1.22.4-
  ^
 ./lib/math.h:40:1: error: unknown type name '_GL_INLINE_HEADER_BEGIN'
+We delete eqn.cpp and qen.hpp in do_configure
+to ensure they're regenerated and deterministic.
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
@@ -140,1029 +143,6 @@ index f95c05e..d875045 100644
 #include <string.h>
 #include <stdlib.h>
 
-diff --git a/src/preproc/eqn/eqn.cpp b/src/preproc/eqn/eqn.cpp
-index 4ede465..fdd9484 100644
--- a/src/preproc/eqn/eqn.cpp
-+++ b/src/preproc/eqn/eqn.cpp
-@@ -1,8 +1,9 @@
-/* A Bison parser, made by GNU Bison 3.2.  */
-+/* A Bison parser, made by GNU Bison 3.4.1.  */
- 
- /* Bison implementation for Yacc-like parsers in C
- 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+   Inc.
- 
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-@@ -47,7 +48,7 @@
- #define YYBISON 1
- 
- /* Bison version.  */
-#define YYBISON_VERSION "3.2"
-+#define YYBISON_VERSION "3.4.1"
- 
- /* Skeleton name.  */
- #define YYSKELETON_NAME "yacc.c"
-@@ -65,7 +66,11 @@
- 
- 
- /* First part of user prologue.  */
-#line 18 "../src/preproc/eqn/eqn.ypp" /* yacc.c:338  */
-+#line 18 "src/preproc/eqn/eqn.ypp"
-+
-+#if HAVE_CONFIG_H
-+# include <config.h>
-+#endif
- 
- #include <stdio.h>
- #include <string.h>
-@@ -77,7 +82,8 @@ extern int non_empty_flag;
- int yylex();
- void yyerror(const char *);
- 
-#line 81 "src/preproc/eqn/eqn.cpp" /* yacc.c:338  */
-+#line 86 "src/preproc/eqn/eqn.cpp"
-+
- # ifndef YY_NULLPTR
- #  if defined __cplusplus
- #   if 201103L <= __cplusplus
-@@ -98,8 +104,8 @@ void yyerror(const char *);
- # define YYERROR_VERBOSE 0
- #endif
- 
-/* In a future release of Bison, this section will be replaced
-   by #include "y.tab.h".  */
-+/* Use api.header.include to #include this header
-+   instead of duplicating it here.  */
- #ifndef YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- # define YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- /* Debug traces.  */
-@@ -237,10 +243,9 @@ extern int yydebug;
- 
- /* Value type.  */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-
- union YYSTYPE
- {
-#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:353  */
-+#line 34 "src/preproc/eqn/eqn.ypp"
- 
-        char *str;
-        box *b;
-@@ -249,9 +254,9 @@ union YYSTYPE
-        int n;
-        column *col;
- 
-#line 253 "src/preproc/eqn/eqn.cpp" /* yacc.c:353  */
-};
-+#line 258 "src/preproc/eqn/eqn.cpp"
- 
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
-@@ -366,6 +371,8 @@ typedef short yytype_int16;
- #endif
- 
- 
-+#define YY_ASSERT(E) ((void) (0 && (E)))
-+
- #if ! defined yyoverflow || YYERROR_VERBOSE
- 
- /* The parser invokes alloca or malloc; define the necessary symbols.  */
-@@ -508,16 +515,16 @@ union yyalloc
- /* YYNSTATES -- Number of states.  */
- #define YYNSTATES  142
- 
-/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
-   by yylex, with out-of-bounds checking.  */
- #define YYUNDEFTOK  2
- #define YYMAXUTOK   315
- 
-+/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM
-+   as returned by yylex, with out-of-bounds checking.  */
- #define YYTRANSLATE(YYX)                                                \
-   ((unsigned) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
- 
- /* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
-   as returned by yylex, without out-of-bounds checking.  */
-+   as returned by yylex.  */
- static const yytype_uint8 yytranslate[] =
- {
-        0,     2,     2,     2,     2,     2,     2,     2,     2,    63,
-@@ -558,14 +565,14 @@ static const yytype_uint8 yytranslate[] =
-   /* YYRLINE[YYN] -- Source line where rule number YYN was defined.  */
- static const yytype_uint16 yyrline[] =
- {
-       0,   121,   121,   123,   128,   130,   141,   143,   145,   150,
-     152,   154,   156,   158,   163,   165,   167,   169,   174,   176,
-     181,   183,   185,   190,   192,   194,   196,   198,   200,   202,
-     204,   206,   208,   210,   212,   214,   216,   218,   220,   222,
-     224,   226,   228,   230,   232,   234,   236,   238,   240,   242,
-     244,   246,   248,   250,   252,   254,   259,   269,   271,   276,
-     278,   283,   285,   290,   292,   297,   299,   304,   306,   308,
-     310,   314,   316,   321,   323,   325
-+       0,   125,   125,   127,   132,   134,   145,   147,   149,   154,
-+     156,   158,   160,   162,   167,   169,   171,   173,   178,   180,
-+     185,   187,   189,   194,   196,   198,   200,   202,   204,   206,
-+     208,   210,   212,   214,   216,   218,   220,   222,   224,   226,
-+     228,   230,   232,   234,   236,   238,   240,   242,   244,   246,
-+     248,   250,   252,   254,   256,   258,   263,   273,   275,   280,
-+     282,   287,   289,   294,   296,   301,   303,   308,   310,   312,
-+     314,   318,   320,   325,   327,   329
- };
- #endif
- 
-@@ -818,22 +825,22 @@ static const yytype_uint8 yyr2[] =
- 
- #define YYRECOVERING()  (!!yyerrstatus)
- 
-#define YYBACKUP(Token, Value)                                  \
-do                                                              \
-  if (yychar == YYEMPTY)                                        \
-    {                                                           \
-      yychar = (Token);                                         \
-      yylval = (Value);                                         \
-      YYPOPSTACK (yylen);                                       \
-      yystate = *yyssp;                                         \
-      goto yybackup;                                            \
-    }                                                           \
-  else                                                          \
-    {                                                           \
-      yyerror (YY_("syntax error: cannot back up")); \
-      YYERROR;                                                  \
-    }                                                           \
-while (0)
-+#define YYBACKUP(Token, Value)                                    \
-+  do                                                              \
-+    if (yychar == YYEMPTY)                                        \
-+      {                                                           \
-+        yychar = (Token);                                         \
-+        yylval = (Value);                                         \
-+        YYPOPSTACK (yylen);                                       \
-+        yystate = *yyssp;                                         \
-+        goto yybackup;                                            \
-+      }                                                           \
-+    else                                                          \
-+      {                                                           \
-+        yyerror (YY_("syntax error: cannot back up")); \
-+        YYERROR;                                                  \
-+      }                                                           \
-+  while (0)
- 
- /* Error token number */
- #define YYTERROR        1
-@@ -948,7 +955,7 @@ yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule)
-       YYFPRINTF (stderr, "   $%d = ", yyi + 1);
-       yy_symbol_print (stderr,
-                        yystos[yyssp[yyi + 1 - yynrhs]],
-                       &(yyvsp[(yyi + 1) - (yynrhs)])
-+                       &yyvsp[(yyi + 1) - (yynrhs)]
-                                               );
-       YYFPRINTF (stderr, "\n");
-     }
-@@ -1052,7 +1059,10 @@ yytnamerr (char *yyres, const char *yystr)
-           case '\\':
-             if (*++yyp != '\\')
-               goto do_not_strip_quotes;
-            /* Fall through.  */
-+            else
-+              goto append;
-+
-+          append:
-           default:
-             if (yyres)
-               yyres[yyn] = *yyp;
-@@ -1148,10 +1158,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
-                 yyarg[yycount++] = yytname[yyx];
-                 {
-                   YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]);
-                  if (! (yysize <= yysize1
-                         && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+                  if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+                    yysize = yysize1;
-+                  else
-                     return 2;
-                  yysize = yysize1;
-                 }
-               }
-         }
-@@ -1175,9 +1185,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
- 
-   {
-     YYSIZE_T yysize1 = yysize + yystrlen (yyformat);
-    if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+    if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+      yysize = yysize1;
-+    else
-       return 2;
-    yysize = yysize1;
-   }
- 
-   if (*yymsg_alloc < yysize)
-@@ -1303,23 +1314,33 @@ yyparse (void)
-   yychar = YYEMPTY; /* Cause a token to be read.  */
-   goto yysetstate;
- 
-+
- /*------------------------------------------------------------.
-| yynewstate -- Push a new state, which is found in yystate.  |
-+| yynewstate -- push a new state, which is found in yystate.  |
- `------------------------------------------------------------*/
- yynewstate:
-+yynewstate:
-   /* In all cases, when you get here, the value and location stacks
-      have just been pushed.  So pushing a state here evens the stacks.  */
-   yyssp++;
- 
- yysetstate:
-+
-+/*--------------------------------------------------------------------.
-+| yynewstate -- set current state (the top of the stack) to yystate.  |
-+`--------------------------------------------------------------------*/
-+yysetstate:
-+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+  YY_ASSERT (0 <= yystate && yystate < YYNSTATES);
-   *yyssp = (yytype_int16) yystate;
- 
-   if (yyss + yystacksize - 1 <= yyssp)
-+#if !defined yyoverflow && !defined YYSTACK_RELOCATE
-+    goto yyexhaustedlab;
-+#else
-     {
-       /* Get the current used size of the three stacks, in elements.  */
-       YYSIZE_T yysize = (YYSIZE_T) (yyssp - yyss + 1);
- 
-#ifdef yyoverflow
-+# if defined yyoverflow
-       {
-         /* Give user a chance to reallocate the stack.  Use copies of
-            these so that the &'s don't force the real ones into
-@@ -1338,10 +1359,7 @@ yyparse (void)
-         yyss = yyss1;
-         yyvs = yyvs1;
-       }
-#else /* no yyoverflow */
-# ifndef YYSTACK_RELOCATE
-      goto yyexhaustedlab;
-# else
-+# else /* defined YYSTACK_RELOCATE */
-       /* Extend the stack our own way.  */
-       if (YYMAXDEPTH <= yystacksize)
-         goto yyexhaustedlab;
-@@ -1357,12 +1375,11 @@ yyparse (void)
-           goto yyexhaustedlab;
-         YYSTACK_RELOCATE (yyss_alloc, yyss);
-         YYSTACK_RELOCATE (yyvs_alloc, yyvs);
-#  undef YYSTACK_RELOCATE
-+# undef YYSTACK_RELOCATE
-         if (yyss1 != yyssa)
-           YYSTACK_FREE (yyss1);
-       }
- # endif
-#endif /* no yyoverflow */
- 
-       yyssp = yyss + yysize - 1;
-       yyvsp = yyvs + yysize - 1;
-@@ -1373,19 +1390,18 @@ yyparse (void)
-       if (yyss + yystacksize - 1 <= yyssp)
-         YYABORT;
-     }
-
-  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */
- 
-   if (yystate == YYFINAL)
-     YYACCEPT;
- 
-   goto yybackup;
- 
-+
- /*-----------.
- | yybackup.  |
- `-----------*/
- yybackup:
-
-   /* Do appropriate processing given the current state.  Read a
-      lookahead token if we need one and don't already have one.  */
- 
-@@ -1443,7 +1459,6 @@ yybackup:
-   YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-   *++yyvsp = yylval;
-   YY_IGNORE_MAYBE_UNINITIALIZED_END
-
-   goto yynewstate;
- 
- 
-@@ -1458,7 +1473,7 @@ yydefault:
- 
- 
- /*-----------------------------.
-| yyreduce -- Do a reduction.  |
-+| yyreduce -- do a reduction.  |
- `-----------------------------*/
- yyreduce:
-   /* yyn is the number of a rule to reduce with.  */
-@@ -1478,20 +1493,20 @@ yyreduce:
-   YY_REDUCE_PRINT (yyn);
-   switch (yyn)
-     {
-        case 3:
-#line 124 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+  case 3:
-+#line 128 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].b)->top_level(); non_empty_flag = 1; }
-#line 1485 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1500 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 4:
-#line 129 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 133 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1491 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1506 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 5:
-#line 131 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 135 "src/preproc/eqn/eqn.ypp"
-     {
-                  list_box *lb = (yyvsp[-1].b)->to_list_box();
-                  if (!lb)
-@@ -1499,436 +1514,437 @@ yyreduce:
-                  lb->append((yyvsp[0].b));
-                  (yyval.b) = lb;
-                }
-#line 1503 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1518 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 6:
-#line 142 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 146 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1509 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1524 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 7:
-#line 144 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 148 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_mark_box((yyvsp[0].b)); }
-#line 1515 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1530 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 8:
-#line 146 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 150 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_lineup_box((yyvsp[0].b)); }
-#line 1521 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1536 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 9:
-#line 151 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 155 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1527 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1542 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 10:
-#line 153 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 157 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_limit_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
-#line 1533 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1548 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 11:
-#line 155 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 159 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
-#line 1539 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1554 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 12:
-#line 157 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 161 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_limit_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1545 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1560 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 13:
-#line 159 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 163 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_limit_box((yyvsp[-4].b), make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0), 0); }
-#line 1551 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1566 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 14:
-#line 164 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 168 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1557 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1572 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 15:
-#line 166 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 170 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_sqrt_box((yyvsp[0].b)); }
-#line 1563 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1578 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 16:
-#line 168 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 172 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1569 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1584 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 17:
-#line 170 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 174 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_small_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1575 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1590 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 18:
-#line 175 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 179 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1581 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1596 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 19:
-#line 177 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 181 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_script_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
-#line 1587 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1602 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 20:
-#line 182 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 186 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[0].b); }
-#line 1593 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1608 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 21:
-#line 184 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 188 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_script_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
-#line 1599 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1614 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 22:
-#line 186 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 190 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_script_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1605 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1620 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 23:
-#line 191 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 195 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = split_text((yyvsp[0].str)); }
-#line 1611 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1626 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 24:
-#line 193 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 197 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
-#line 1617 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1632 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 25:
-#line 195 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 199 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = split_text((yyvsp[0].str)); }
-#line 1623 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1638 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 26:
-#line 197 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 201 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
-#line 1629 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1644 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 27:
-#line 199 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 203 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new half_space_box; }
-#line 1635 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1650 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 28:
-#line 201 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 205 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new space_box; }
-#line 1641 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1656 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 29:
-#line 203 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 207 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new tab_box; }
-#line 1647 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1662 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 30:
-#line 205 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 209 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[-1].b); }
-#line 1653 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1668 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 31:
-#line 207 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 211 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
-#line 1659 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1674 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 32:
-#line 209 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 213 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].pb)->set_alignment(LEFT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
-#line 1665 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1680 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 33:
-#line 211 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 215 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].pb)->set_alignment(RIGHT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
-#line 1671 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1686 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 34:
-#line 213 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 217 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
-#line 1677 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1692 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 35:
-#line 215 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 219 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = (yyvsp[-1].mb); }
-#line 1683 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1698 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 36:
-#line 217 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 221 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_delim_box((yyvsp[-3].str), (yyvsp[-2].b), (yyvsp[0].str)); }
-#line 1689 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1704 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 37:
-#line 219 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 223 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_delim_box((yyvsp[-1].str), (yyvsp[0].b), 0); }
-#line 1695 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1710 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 38:
-#line 221 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 225 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_overline_box((yyvsp[-1].b)); }
-#line 1701 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1716 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 39:
-#line 223 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 227 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_underline_box((yyvsp[-1].b)); }
-#line 1707 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1722 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 40:
-#line 225 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 229 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_prime_box((yyvsp[-1].b)); }
-#line 1713 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1728 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 41:
-#line 227 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 231 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_accent_box((yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1719 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1734 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 42:
-#line 229 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 233 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_uaccent_box((yyvsp[-2].b), (yyvsp[0].b)); }
-#line 1725 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1740 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 43:
-#line 231 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 235 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new font_box(strsave(get_grfont()), (yyvsp[0].b)); }
-#line 1731 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1746 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 44:
-#line 233 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 237 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new font_box(strsave(get_gbfont()), (yyvsp[0].b)); }
-#line 1737 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1752 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 45:
-#line 235 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 239 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new font_box(strsave(get_gfont()), (yyvsp[0].b)); }
-#line 1743 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1758 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 46:
-#line 237 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 241 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new fat_box((yyvsp[0].b)); }
-#line 1749 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1764 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 47:
-#line 239 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 243 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new font_box((yyvsp[-1].str), (yyvsp[0].b)); }
-#line 1755 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1770 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 48:
-#line 241 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 245 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new size_box((yyvsp[-1].str), (yyvsp[0].b)); }
-#line 1761 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1776 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 49:
-#line 243 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 247 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new hmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
-#line 1767 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1782 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 50:
-#line 245 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 249 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new hmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
-#line 1773 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1788 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 51:
-#line 247 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 251 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new vmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
-#line 1779 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1794 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 52:
-#line 249 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 253 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new vmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
-#line 1785 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1800 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 53:
-#line 251 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 255 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].b)->set_spacing_type((yyvsp[-1].str)); (yyval.b) = (yyvsp[0].b); }
-#line 1791 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1806 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 54:
-#line 253 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 257 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = new vcenter_box((yyvsp[0].b)); }
-#line 1797 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1812 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 55:
-#line 255 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 259 "src/preproc/eqn/eqn.ypp"
-     { (yyval.b) = make_special_box((yyvsp[-1].str), (yyvsp[0].b)); }
-#line 1803 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1818 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 56:
-#line 260 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 264 "src/preproc/eqn/eqn.ypp"
-     {
-                  int n;
-                  if (sscanf((yyvsp[0].str), "%d", &n) == 1)
-                    (yyval.n) = n;
-                  a_delete (yyvsp[0].str);
-                }
-#line 1814 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1829 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 57:
-#line 270 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 274 "src/preproc/eqn/eqn.ypp"
-     { (yyval.pb) = new pile_box((yyvsp[0].b)); }
-#line 1820 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1835 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 58:
-#line 272 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 276 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[-2].pb)->append((yyvsp[0].b)); (yyval.pb) = (yyvsp[-2].pb); }
-#line 1826 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1841 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 59:
-#line 277 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 281 "src/preproc/eqn/eqn.ypp"
-     { (yyval.pb) = (yyvsp[-1].pb); }
-#line 1832 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1847 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 60:
-#line 279 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 283 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[-1].pb)->set_space((yyvsp[-3].n)); (yyval.pb) = (yyvsp[-1].pb); }
-#line 1838 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1853 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 61:
-#line 284 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 288 "src/preproc/eqn/eqn.ypp"
-     { (yyval.mb) = new matrix_box((yyvsp[0].col)); }
-#line 1844 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1859 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 62:
-#line 286 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 290 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[-1].mb)->append((yyvsp[0].col)); (yyval.mb) = (yyvsp[-1].mb); }
-#line 1850 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1865 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 63:
-#line 291 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 295 "src/preproc/eqn/eqn.ypp"
-     { (yyval.col) = new column((yyvsp[0].b)); }
-#line 1856 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1871 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 64:
-#line 293 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 297 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[-2].col)->append((yyvsp[0].b)); (yyval.col) = (yyvsp[-2].col); }
-#line 1862 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1877 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 65:
-#line 298 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 302 "src/preproc/eqn/eqn.ypp"
-     { (yyval.col) = (yyvsp[-1].col); }
-#line 1868 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1883 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 66:
-#line 300 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 304 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[-1].col)->set_space((yyvsp[-3].n)); (yyval.col) = (yyvsp[-1].col); }
-#line 1874 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1889 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 67:
-#line 305 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 309 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
-#line 1880 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1895 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 68:
-#line 307 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 311 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].col)->set_alignment(LEFT_ALIGN); (yyval.col) = (yyvsp[0].col); }
-#line 1886 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1901 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 69:
-#line 309 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 313 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].col)->set_alignment(RIGHT_ALIGN); (yyval.col) = (yyvsp[0].col); }
-#line 1892 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1907 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 70:
-#line 311 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 315 "src/preproc/eqn/eqn.ypp"
-     { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
-#line 1898 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1913 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 71:
-#line 315 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 319 "src/preproc/eqn/eqn.ypp"
-     { (yyval.str) = (yyvsp[0].str); }
-#line 1904 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1919 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 72:
-#line 317 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 321 "src/preproc/eqn/eqn.ypp"
-     { (yyval.str) = (yyvsp[0].str); }
-#line 1910 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1925 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 73:
-#line 322 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 326 "src/preproc/eqn/eqn.ypp"
-     { (yyval.str) = (yyvsp[0].str); }
-#line 1916 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1931 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 74:
-#line 324 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 328 "src/preproc/eqn/eqn.ypp"
-     { (yyval.str) = strsave("{"); }
-#line 1922 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1937 "src/preproc/eqn/eqn.cpp"
-     break;
- 
-   case 75:
-#line 326 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645  */
-+#line 330 "src/preproc/eqn/eqn.ypp"
-     { (yyval.str) = strsave("}"); }
-#line 1928 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1943 "src/preproc/eqn/eqn.cpp"
-     break;
- 
- 
-#line 1932 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645  */
-+#line 1947 "src/preproc/eqn/eqn.cpp"
-+
-       default: break;
-     }
-   /* User semantic actions sometimes alter yychar, and that requires
-@@ -2042,12 +2058,10 @@ yyerrlab:
- | yyerrorlab -- error raised explicitly by YYERROR.  |
- `---------------------------------------------------*/
- yyerrorlab:
-
-  /* Pacify compilers like GCC when the user code never invokes
-     YYERROR and the label yyerrorlab therefore never appears in user
-     code.  */
-  if (/*CONSTCOND*/ 0)
-     goto yyerrorlab;
-+  /* Pacify compilers when the user code never invokes YYERROR and the
-+     label yyerrorlab therefore never appears in user code.  */
-+  if (0)
-+    YYERROR;
- 
-   /* Do not reclaim the symbols of the rule whose action triggered
-      this YYERROR.  */
-@@ -2109,6 +2123,7 @@ yyacceptlab:
-   yyresult = 0;
-   goto yyreturn;
- 
-+
- /*-----------------------------------.
- | yyabortlab -- YYABORT comes here.  |
- `-----------------------------------*/
-@@ -2116,6 +2131,7 @@ yyabortlab:
-   yyresult = 1;
-   goto yyreturn;
- 
-+
- #if !defined yyoverflow || YYERROR_VERBOSE
- /*-------------------------------------------------.
- | yyexhaustedlab -- memory exhaustion comes here.  |
-@@ -2126,6 +2142,10 @@ yyexhaustedlab:
-   /* Fall through.  */
- #endif
- 
-+
-+/*-----------------------------------------------------.
-+| yyreturn -- parsing is finished, return the result.  |
-+`-----------------------------------------------------*/
- yyreturn:
-   if (yychar != YYEMPTY)
-     {
-@@ -2155,5 +2175,5 @@ yyreturn:
- #endif
-   return yyresult;
- }
-#line 329 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1903  */
-+#line 333 "src/preproc/eqn/eqn.ypp"
- 
-diff --git a/src/preproc/eqn/eqn.hpp b/src/preproc/eqn/eqn.hpp
-index 32a32a5..9a092c1 100644
--- a/src/preproc/eqn/eqn.hpp
-+++ b/src/preproc/eqn/eqn.hpp
-@@ -1,8 +1,9 @@
-/* A Bison parser, made by GNU Bison 3.2.  */
-+/* A Bison parser, made by GNU Bison 3.4.1.  */
- 
- /* Bison interface for Yacc-like parsers in C
- 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+   Inc.
- 
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-@@ -170,10 +171,9 @@ extern int yydebug;
- 
- /* Value type.  */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-
- union YYSTYPE
- {
-#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1906  */
-+#line 34 "src/preproc/eqn/eqn.ypp"
- 
-        char *str;
-        box *b;
-@@ -182,9 +182,9 @@ union YYSTYPE
-        int n;
-        column *col;
- 
-#line 186 "src/preproc/eqn/eqn.hpp" /* yacc.c:1906  */
-};
-+#line 186 "src/preproc/eqn/eqn.hpp"
- 
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
 diff --git a/src/preproc/eqn/eqn.ypp b/src/preproc/eqn/eqn.ypp
 index fb318c3..b7b647e 100644
 --- a/src/preproc/eqn/eqn.ypp
diff --git a/meta/recipes-extended/groff/groff_1.22.4.bb b/meta/recipes-extended/groff/groff_1.22.4.bb
index e398478349..7bb393e09c 100644
--- a/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -18,6 +18,10 @@ SRC_URI = "${GNU_MIRROR}/groff/groff-${PV}.tar.gz \
 SRC_URI[md5sum] = "08fb04335e2f5e73f23ea4c3adbf0c5f"
 SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1bad0293"
+# Remove at the next upgrade
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
 DEPENDS = "bison-native"
 RDEPENDS_${PN} += "perl sed"
@@ -28,7 +32,14 @@ MULTILIB_SCRIPTS = "${PN}:${bindir}/gpinyin ${PN}:${bindir}/groffer ${PN}:${bind
 EXTRA_OECONF = "--without-x --without-doc"
 PARALLEL_MAKE = ""
-CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no'"
+CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no' PAGE=A4"
+# Delete these generated files since we depend on bison-native
+# and regenerate them. Do it deterministically (always).
+do_configure_prepend() {
+        rm -f ${S}/src/preproc/eqn/eqn.cpp
+        rm -f ${S}/src/preproc/eqn/eqn.hpp
+}
 do_install_append() {
        # Some distros have both /bin/perl and /usr/bin/perl, but we set perl location
diff --git a/meta/recipes-extended/man-db/man-db_2.9.3.bb b/meta/recipes-extended/man-db/man-db_2.9.3.bb
index 0e6016a73c..e8da92bd19 100644
--- a/meta/recipes-extended/man-db/man-db_2.9.3.bb
+++ b/meta/recipes-extended/man-db/man-db_2.9.3.bb
@@ -11,6 +11,7 @@ SRC_URI[sha256sum] = "fa5aa11ab0692daf737e76947f45669225db310b2801a5911bceb7551c
 DEPENDS = "libpipeline gdbm groff-native base-passwd"
 RDEPENDS_${PN} += "base-passwd"
+PACKAGE_WRITE_DEPS += "base-passwd"
 # | /usr/src/debug/man-db/2.8.0-r0/man-db-2.8.0/src/whatis.c:939: undefined reference to `_nl_msg_cat_cntr'
 USE_NLS_libc-musl = "no"
@@ -20,6 +21,11 @@ inherit gettext pkgconfig autotools systemd
 EXTRA_OECONF = "--with-pager=less --with-systemdsystemunitdir=${systemd_unitdir}/system"
 EXTRA_AUTORECONF += "-I ${S}/gl/m4"
+# Can be dropped when the output next changes, avoids failures after
+# reproducibility issues
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
 do_install() {
        autotools_do_install
diff --git a/meta/recipes-extended/minicom/minicom_2.7.1.bb b/meta/recipes-extended/minicom/minicom_2.7.1.bb
index 03034864c8..6d61684e69 100644
--- a/meta/recipes-extended/minicom/minicom_2.7.1.bb
+++ b/meta/recipes-extended/minicom/minicom_2.7.1.bb
@@ -29,3 +29,5 @@ do_install() {
 }
 RRECOMMENDS_${PN} += "lrzsz"
+RDEPENDS_${PN} += "ncurses-terminfo-base"
diff --git a/meta/recipes-extended/parted/parted_3.3.bb b/meta/recipes-extended/parted/parted_3.3.bb
index a1fd3ef07b..915ab05b65 100644
--- a/meta/recipes-extended/parted/parted_3.3.bb
+++ b/meta/recipes-extended/parted/parted_3.3.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.gnu.org/software/parted/parted.html"
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=2f31b266d3440dd7ee50f92cf67d8e6c"
 SECTION = "console/tools"
-DEPENDS = "ncurses readline util-linux virtual/libiconv"
+DEPENDS = "ncurses util-linux virtual/libiconv"
 SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \
           file://no_check.patch \
@@ -22,6 +22,9 @@ EXTRA_OECONF = "--disable-device-mapper"
 inherit autotools pkgconfig gettext texinfo ptest
+PACKAGECONFIG ?= "readline"
+PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 BBCLASSEXTEND = "native nativesdk"
 do_compile_ptest() {
@@ -39,6 +42,7 @@ do_install_ptest() {
        sed -i "s|^abs_srcdir =.*|abs_srcdir = \.|g" $t/tests/Makefile
        sed -i "s|^abs_top_srcdir =.*|abs_top_srcdir = \.\.|g" $t/tests/Makefile
        sed -i "s|^Makefile:.*|Makefile:|g" $t/tests/Makefile
+        sed -i "/^BUILDINFO.*$/d" $t/tests/Makefile
        for i in print-align print-max print-flags dup-clobber duplicate fs-resize; \
          do cp ${B}/tests/.libs/$i $t/tests/; \
        done
diff --git a/meta/recipes-extended/screen/screen/CVE-2021-26937.patch b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
new file mode 100644
index 0000000000..983b35c1b0
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
@@ -0,0 +1,68 @@
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+CVE: CVE-2021-26937
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+--- a/encoding.c
+++ b/encoding.c
+@@ -43,7 +43,7 @@
+ # ifdef UTF8
+ static int   recode_char __P((int, int, int));
+ static int   recode_char_to_encoding __P((int, int));
+-static void  comb_tofront __P((int, int));
+static void  comb_tofront __P((int));
+ #  ifdef DW_CHARS
+ static int   recode_char_dw __P((int, int *, int, int));
+ static int   recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+     {0x30000, 0x3FFFD},
+   };
+ 
+  if (c >= 0xdf00 && c <= 0xdfff)
+    return 1;          /* dw combining sequence */
+   return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+           (cjkwidth &&
+            bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+ }
+ 
+ static void
+-comb_tofront(root, i)
+-int root, i;
+comb_tofront(i)
+int i;
+ {
+   for (;;)
+     {
+      int root = i >= 0x700 ? 0x801 : 0x800;
+       debug1("bring to front: %x\n", i);
+       combchars[combchars[i]->prev]->next = combchars[i]->next;
+       combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+     {
+       /* full, recycle old entry */
+       if (c1 >= 0xd800 && c1 < 0xe000)
+-        comb_tofront(root, c1 - 0xd800);
+        comb_tofront(c1 - 0xd800);
+       i = combchars[root]->prev;
+-      if (c1 == i + 0xd800)
+      if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+        {
+          /* completely full, can't recycle */
+          debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+   mc->font  = (i >> 8) + 0xd8;
+   mc->fontx = 0;
+   debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+-  comb_tofront(root, i);
+  comb_tofront(i);
+ }
+ 
+ #else /* !UTF8 */
diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb b/meta/recipes-extended/screen/screen_4.8.0.bb
index 4772eb6c7a..fe640c262b 100644
--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://0002-comm.h-now-depends-on-term.h.patch \
           file://0001-fix-for-multijob-build.patch \
           file://0001-Remove-more-compatibility-stuff.patch \
+           file://CVE-2021-26937.patch \
          "
 SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"
diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index c975395ff8..ff4aad926f 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,6 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 BBCLASSEXTEND = "native nativesdk"
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
diff --git a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
new file mode 100644
index 0000000000..f7ccfdd623
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
@@ -0,0 +1,52 @@
+sudo.conf.in: fix conflict with multilib
+When pass ${libdir} to --libexecdir of sudo, it fails to install sudo
+and lib32-sudo at same time:
+| Error: Transaction test error:
+|  file /etc/sudo.conf conflicts between attempted installs of
+     sudo-1.9.3p1-r0.core2_64 and lib32-sudo-1.9.3p1-r0.core2_32
+Update the comments in sudo.conf.in to avoid the conflict.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Upstream-Status: Inappropriate [OE configuration specific]
+---
+ examples/sudo.conf.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in
+index 19e33ff..af78235 100644
+--- a/examples/sudo.conf.in
+++ b/examples/sudo.conf.in
+@@ -4,7 +4,7 @@
+ # Sudo plugins:
+ #   Plugin plugin_name plugin_path plugin_options ...
+ #
+-# The plugin_path is relative to @plugindir@ unless
+# The plugin_path is relative to $plugindir such as /usr/lib/sudo unless
+ #   fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ #   that contains the plugin interface structure.
+@@ -50,7 +50,7 @@ Plugin sudoers_audit sudoers.so
+ # The compiled-in value is usually sufficient and should only be changed
+ # if you rename or move the sudo_noexec.so file.
+ #
+-#Path noexec @plugindir@/sudo_noexec.so
+#Path noexec $plugindir/sudo_noexec.so
+ 
+ #
+ # Sudo plugin directory:
+@@ -59,7 +59,7 @@ Plugin sudoers_audit sudoers.so
+ # The default directory to use when searching for plugins that are
+ # specified without a fully qualified path name.
+ #
+-#Path plugin_dir @plugindir@
+#Path plugin_dir $plugindir
+ 
+ #
+ # Sudo developer mode:
+--
+2.17.1
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
new file mode 100644
index 0000000000..e16baecd5a
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
@@ -0,0 +1,62 @@
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID ea19d0073c02951bbbf35342dd63304da83edce8
+# Parent  f1ca39a0d87089d005b78a2556e2b1a2dc17f672
+Fix potential directory existing info leak in sudoedit.
+When creating a new file, sudoedit checks to make sure the parent
+directory exists so it can provide the user with a sensible error
+message.  However, this could be used to test for the existence of
+directories not normally accessible to the user by pointing to them
+with a symbolic link when the parent directory is controlled by the
+user.  Problem reported by Matthias Gerstner of SUSE.
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02]
+CVE: CVE-2021-23239
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c
+--- a/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+++ b/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+@@ -541,14 +541,33 @@
+            S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+        if (ofd != -1 || errno == ENOENT) {
+            if (ofd == -1) {
+-               /* New file, verify parent dir exists unless in cwd. */
+               /*
+                * New file, verify parent dir exists unless in cwd.
+                * This fails early so the user knows ahead of time if the
+                * edit won't succeed.  Additional checks are performed
+                * when copying the temporary file back to the origin.
+                */
+                char *slash = strrchr(files[i], '/');
+                if (slash != NULL && slash != files[i]) {
+-                   int serrno = errno;
+                   const int sflags = command_details->flags;
+                   const int serrno = errno;
+                   int dfd;
+
+                   /*
+                    * The parent directory is allowed to be a symbolic
+                    * link as long as *its* parent is not writable.
+                    */
+                    *slash = '\0';
+-                   if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
+-                       memset(&sb, 0, sizeof(sb));
+-                       rc = 0;
+                   SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
+                   dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
+                       S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+                   command_details->flags = sflags;
+                   if (dfd != -1) {
+                       if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
+                           memset(&sb, 0, sizeof(sb));
+                           rc = 0;
+                       }
+                       close(dfd);
+                    }
+                    *slash = '/';
+                    errno = serrno;
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23240.patch b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
new file mode 100644
index 0000000000..740a13cd90
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
@@ -0,0 +1,419 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/8fcb36ef422a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-23240
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID 8fcb36ef422a251fe33738a347551439944a4a37
+# Parent  ea19d0073c02951bbbf35342dd63304da83edce8
+Add security checks before using temp files for SELinux RBAC sudoedit.
+Otherwise, it may be possible for the user running sudoedit to
+replace the newly-created temporary files with a symbolic link and
+have sudoedit set the owner of an arbitrary file.
+Problem reported by Matthias Gerstner of SUSE.
+diff -r ea19d0073c02 -r 8fcb36ef422a src/copy_file.c
+--- a/src/copy_file.c   Wed Jan 06 10:16:00 2021 -0700
+++ b/src/copy_file.c   Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -23,6 +23,8 @@
+ 
+ #include <config.h>
+ 
+#include <sys/stat.h>
+
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <errno.h>
+@@ -134,3 +136,34 @@
+     sudo_warn(U_("unable to write to %s"), dst);
+     debug_return_int(-1);
+ }
+
+#ifdef HAVE_SELINUX
+bool
+sudo_check_temp_file(int tfd, const char *tfile, uid_t uid, struct stat *sb)
+{
+    struct stat sbuf;
+    debug_decl(sudo_check_temp_file, SUDO_DEBUG_UTIL);
+
+    if (sb == NULL)
+       sb = &sbuf;
+
+    if (fstat(tfd, sb) == -1) {
+       sudo_warn(U_("unable to stat %s"), tfile);
+       debug_return_bool(false);
+    }
+    if (!S_ISREG(sb->st_mode)) {
+       sudo_warnx(U_("%s: not a regular file"), tfile);
+       debug_return_bool(false);
+    }
+    if ((sb->st_mode & ALLPERMS) != (S_IRUSR|S_IWUSR)) {
+       sudo_warnx(U_("%s: bad file mode: 0%o"), tfile, sb->st_mode & ALLPERMS);
+       debug_return_bool(false);
+    }
+    if (sb->st_uid != uid) {
+       sudo_warnx(U_("%s is owned by uid %u, should be %u"),
+           tfile, (unsigned int)sb->st_uid, (unsigned int)uid);
+       debug_return_bool(false);
+    }
+    debug_return_bool(true);
+}
+#endif /* SELINUX */
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sesh.c
+--- a/src/sesh.c        Wed Jan 06 10:16:00 2021 -0700
+++ b/src/sesh.c        Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2008, 2010-2018, 2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2008, 2010-2018, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -132,7 +132,7 @@
+ static int
+ sesh_sudoedit(int argc, char *argv[])
+ {
+-    int i, oflags_dst, post, ret = SESH_ERR_FAILURE;
+    int i, oflags_src, oflags_dst, post, ret = SESH_ERR_FAILURE;
+     int fd_src = -1, fd_dst = -1, follow = 0;
+     struct stat sb;
+     struct timespec times[2];
+@@ -174,10 +174,12 @@
+        debug_return_int(SESH_ERR_BAD_PATHS);
+ 
+     /*
+-     * Use O_EXCL if we are not in the post editing stage
+-     * so that it's ensured that the temporary files are
+-     * created by us and that we are not opening any symlinks.
+     * In the pre-editing stage, use O_EXCL to ensure that the temporary
+     * files are created by us and that we are not opening any symlinks.
+     * In the post-editing stage, use O_NOFOLLOW so we don't follow symlinks
+     * when opening the temporary files.
+      */
+    oflags_src = O_RDONLY|(post ? O_NONBLOCK|O_NOFOLLOW : follow);
+     oflags_dst = O_WRONLY|O_CREAT|(post ? follow : O_EXCL);
+     for (i = 0; i < argc - 1; i += 2) {
+        const char *path_src = argv[i];
+@@ -187,7 +189,7 @@
+         * doesn't exist, that's OK, we'll create an empty
+         * destination file.
+         */
+-       if ((fd_src = open(path_src, O_RDONLY|follow, S_IRUSR|S_IWUSR)) < 0) {
+       if ((fd_src = open(path_src, oflags_src, S_IRUSR|S_IWUSR)) < 0) {
+            if (errno != ENOENT) {
+                sudo_warn("%s", path_src);
+                if (post) {
+@@ -197,6 +199,14 @@
+                    goto cleanup_0;
+            }
+        }
+       if (post) {
+           /* Make sure the temporary file is safe and has the proper owner. */
+           if (!sudo_check_temp_file(fd_src, path_src, geteuid(), &sb)) {
+               ret = SESH_ERR_SOME_FILES;
+               goto nocleanup;
+           }
+           fcntl(fd_src, F_SETFL, fcntl(fd_src, F_GETFL, 0) & ~O_NONBLOCK);
+       }
+ 
+        if ((fd_dst = open(path_dst, oflags_dst, post ?
+            (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) : (S_IRUSR|S_IWUSR))) < 0) {
+@@ -214,10 +224,7 @@
+            off_t len_dst = -1;
+ 
+            if (post) {
+-               if (fstat(fd_src, &sb) != 0) {
+-                   ret = SESH_ERR_SOME_FILES;
+-                   goto nocleanup;
+-               }
+               /* sudo_check_temp_file() filled in sb for us. */
+                len_src = sb.st_size;
+                if (fstat(fd_dst, &sb) != 0) {
+                    ret = SESH_ERR_SOME_FILES;
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_edit.c
+--- a/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+++ b/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2004-2008, 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2004-2008, 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -259,8 +259,10 @@
+     } else {
+        len = asprintf(tfile, "%s/%s.XXXXXXXX", edit_tmpdir, cp);
+     }
+-    if (len == -1)
+-       sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+    if (len == -1) {
+       sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+       debug_return_int(-1);
+    }
+     tfd = mkstemps(*tfile, suff ? strlen(suff) : 0);
+     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+        "%s -> %s, fd %d", ofile, *tfile, tfd);
+@@ -735,7 +737,8 @@
+ 
+ #ifdef HAVE_SELINUX
+ static int
+-selinux_run_helper(char *argv[], char *envp[])
+selinux_run_helper(uid_t uid, gid_t gid, int ngroups, GETGROUPS_T *groups,
+    char *const argv[], char *const envp[])
+ {
+     int status, ret = SESH_ERR_FAILURE;
+     const char *sesh;
+@@ -755,8 +758,10 @@
+        break;
+     case 0:
+        /* child runs sesh in new context */
+-       if (selinux_setcon() == 0)
+       if (selinux_setcon() == 0) {
+           switch_user(uid, gid, ngroups, groups);
+            execve(sesh, argv, envp);
+       }
+        _exit(SESH_ERR_FAILURE);
+     default:
+        /* parent waits */
+@@ -775,7 +780,7 @@
+     struct tempfile *tf, char *files[], int nfiles)
+ {
+     char **sesh_args, **sesh_ap;
+-    int i, rc, sesh_nargs;
+    int i, error, sesh_nargs, ret = -1;
+     struct stat sb;
+     debug_decl(selinux_edit_create_tfiles, SUDO_DEBUG_EDIT);
+     
+@@ -787,7 +792,7 @@
+     sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *));
+     if (sesh_args == NULL) {
+        sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-       debug_return_int(-1);
+       goto done;
+     }
+     *sesh_ap++ = "sesh";
+     *sesh_ap++ = "-e";
+@@ -795,7 +800,6 @@
+        *sesh_ap++ = "-h";
+     *sesh_ap++ = "0";
+ 
+-    /* XXX - temp files should be created with user's context */
+     for (i = 0; i < nfiles; i++) {
+        char *tfile, *ofile = files[i];
+        int tfd;
+@@ -813,8 +817,7 @@
+        if (tfd == -1) {
+            sudo_warn("mkstemps");
+            free(tfile);
+-           free(sesh_args);
+-           debug_return_int(-1);
+           goto done;
+        }
+        /* Helper will re-create temp file with proper security context. */
+        close(tfd);
+@@ -825,8 +828,10 @@
+     *sesh_ap = NULL;
+ 
+     /* Run sesh -e [-h] 0 <o1> <t1> ... <on> <tn> */
+-    rc = selinux_run_helper(sesh_args, command_details->envp);
+-    switch (rc) {
+    error = selinux_run_helper(command_details->uid, command_details->gid,
+       command_details->ngroups, command_details->groups, sesh_args,
+       command_details->envp);
+    switch (error) {
+     case SESH_SUCCESS:
+        break;
+     case SESH_ERR_BAD_PATHS:
+@@ -836,21 +841,35 @@
+     case SESH_ERR_KILLED:
+        sudo_fatalx("%s", U_("sesh: killed by a signal"));
+     default:
+-       sudo_fatalx(U_("sesh: unknown error %d"), rc);
+       sudo_warnx(U_("sesh: unknown error %d"), error);
+       goto done;
+     }
+ 
+-    /* Chown to user's UID so they can edit the temporary files. */
+     for (i = 0; i < nfiles; i++) {
+-       if (chown(tf[i].tfile, user_details.uid, user_details.gid) != 0) {
+       int tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
+       if (tfd == -1) {
+           sudo_warn(U_("unable to open %s"), tf[i].tfile);
+           goto done;
+       }
+       if (!sudo_check_temp_file(tfd, tf[i].tfile, command_details->uid, NULL)) {
+           close(tfd);
+           goto done;
+       }
+       if (fchown(tfd, user_details.uid, user_details.gid) != 0) {
+            sudo_warn("unable to chown(%s) to %d:%d for editing",
+                tf[i].tfile, user_details.uid, user_details.gid);
+           close(tfd);
+           goto done;
+        }
+       close(tfd);
+     }
+    ret = nfiles;
+ 
+done:
+     /* Contents of tf will be freed by caller. */
+     free(sesh_args);
+ 
+-    return (nfiles);
+    debug_return_int(ret);
+ }
+ 
+ static int
+@@ -858,7 +877,8 @@
+     struct tempfile *tf, int nfiles, struct timespec *times)
+ {
+     char **sesh_args, **sesh_ap;
+-    int i, rc, sesh_nargs, ret = 1;
+    int i, error, sesh_nargs, ret = 1;
+    int tfd = -1;
+     struct timespec ts;
+     struct stat sb;
+     debug_decl(selinux_edit_copy_tfiles, SUDO_DEBUG_EDIT);
+@@ -879,33 +899,43 @@
+ 
+     /* Construct args for sesh -e 1 */
+     for (i = 0; i < nfiles; i++) {
+-       if (stat(tf[i].tfile, &sb) == 0) {
+-           mtim_get(&sb, ts);
+-           if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
+-               /*
+-                * If mtime and size match but the user spent no measurable
+-                * time in the editor we can't tell if the file was changed.
+-                */
+-               if (sudo_timespeccmp(&times[0], &times[1], !=)) {
+-                   sudo_warnx(U_("%s unchanged"), tf[i].ofile);
+-                   unlink(tf[i].tfile);
+-                   continue;
+-               }
+       if (tfd != -1)
+           close(tfd);
+       if ((tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW)) == -1) {
+           sudo_warn(U_("unable to open %s"), tf[i].tfile);
+           continue;
+       }
+       if (!sudo_check_temp_file(tfd, tf[i].tfile, user_details.uid, &sb))
+           continue;
+       mtim_get(&sb, ts);
+       if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
+           /*
+            * If mtime and size match but the user spent no measurable
+            * time in the editor we can't tell if the file was changed.
+            */
+           if (sudo_timespeccmp(&times[0], &times[1], !=)) {
+               sudo_warnx(U_("%s unchanged"), tf[i].ofile);
+               unlink(tf[i].tfile);
+               continue;
+            }
+        }
+        *sesh_ap++ = tf[i].tfile;
+        *sesh_ap++ = tf[i].ofile;
+-       if (chown(tf[i].tfile, command_details->uid, command_details->gid) != 0) {
+       if (fchown(tfd, command_details->uid, command_details->gid) != 0) {
+            sudo_warn("unable to chown(%s) back to %d:%d", tf[i].tfile,
+                command_details->uid, command_details->gid);
+        }
+     }
+     *sesh_ap = NULL;
+    if (tfd != -1)
+       close(tfd);
+ 
+     if (sesh_ap - sesh_args > 3) {
+        /* Run sesh -e 1 <t1> <o1> ... <tn> <on> */
+-       rc = selinux_run_helper(sesh_args, command_details->envp);
+-       switch (rc) {
+       error = selinux_run_helper(command_details->uid, command_details->gid,
+           command_details->ngroups, command_details->groups, sesh_args,
+           command_details->envp);
+       switch (error) {
+        case SESH_SUCCESS:
+            ret = 0;
+            break;
+@@ -921,7 +951,7 @@
+            sudo_warnx("%s", U_("sesh: killed by a signal"));
+            break;
+        default:
+-           sudo_warnx(U_("sesh: unknown error %d"), rc);
+           sudo_warnx(U_("sesh: unknown error %d"), error);
+            break;
+        }
+        if (ret != 0)
+@@ -943,7 +973,7 @@
+ {
+     struct command_details saved_command_details;
+     char **nargv = NULL, **ap, **files = NULL;
+-    int errors, i, ac, nargc, rc;
+    int errors, i, ac, nargc, ret;
+     int editor_argc = 0, nfiles = 0;
+     struct timespec times[2];
+     struct tempfile *tf = NULL;
+@@ -1038,7 +1068,7 @@
+     command_details->ngroups = user_details.ngroups;
+     command_details->groups = user_details.groups;
+     command_details->argv = nargv;
+-    rc = run_command(command_details);
+    ret = run_command(command_details);
+     if (sudo_gettime_real(&times[1]) == -1) {
+        sudo_warn("%s", U_("unable to read the clock"));
+        goto cleanup;
+@@ -1062,14 +1092,14 @@
+        errors = sudo_edit_copy_tfiles(command_details, tf, nfiles, times);
+     if (errors) {
+        /* Preserve the edited temporary files. */
+-       rc = W_EXITCODE(1, 0);
+       ret = W_EXITCODE(1, 0);
+     }
+ 
+     for (i = 0; i < nfiles; i++)
+        free(tf[i].tfile);
+     free(tf);
+     free(nargv);
+-    debug_return_int(rc);
+    debug_return_int(ret);
+ 
+ cleanup:
+     /* Clean up temp files and return. */
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_exec.h
+--- a/src/sudo_exec.h   Wed Jan 06 10:16:00 2021 -0700
+++ b/src/sudo_exec.h   Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2010-2017, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -84,9 +84,11 @@
+  */
+ struct command_details;
+ struct command_status;
+struct stat;
+ 
+ /* copy_file.c */
+ int sudo_copy_file(const char *src, int src_fd, off_t src_len, const char *dst, int dst_fd, off_t dst_len);
+bool sudo_check_temp_file(int tfd, const char *tname, uid_t uid, struct stat *sb);
+ 
+ /* exec.c */
+ void exec_cmnd(struct command_details *details, int errfd);
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
new file mode 100644
index 0000000000..83c277575e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent  90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c  Mon Jan 18 12:30:52 2021 +0100
+++ b/src/parse_args.c  Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+ /*
+  * Default flags allowed when running a command.
+  */
+-#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
+#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
+#define EDIT_VALID_FLAGS       MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS       (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS   MODE_NONINTERACTIVE
+ 
+ /* Option number for the --host long option due to ambiguity of the -h flag. */
+ #define OPT_HOSTNAME   256
+@@ -262,6 +265,7 @@
+        progname = "sudoedit";
+        mode = MODE_EDIT;
+        sudo_settings[ARG_SUDOEDIT].value = "true";
+       valid_flags = EDIT_VALID_FLAGS;
+     }
+ 
+     /* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+                        usage_excl();
+                    mode = MODE_EDIT;
+                    sudo_settings[ARG_SUDOEDIT].value = "true";
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = EDIT_VALID_FLAGS;
+                    break;
+                case 'g':
+                    assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+                    break;
+                case 'H':
+                    sudo_settings[ARG_SET_HOME].value = "true";
+                   SET(flags, MODE_RESET_HOME);
+                    break;
+                case 'h':
+                    if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+                            usage_excl();
+                    }
+                    mode = MODE_LIST;
+-                   valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+                   valid_flags = LIST_VALID_FLAGS;
+                    break;
+                case 'n':
+                    SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+                    break;
+                case 'P':
+                    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+                   SET(flags, MODE_PRESERVE_GROUPS);
+                    break;
+                case 'p':
+                    /* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+                    if (mode && mode != MODE_VALIDATE)
+                        usage_excl();
+                    mode = MODE_VALIDATE;
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = VALIDATE_VALID_FLAGS;
+                    break;
+                case 'V':
+                    if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+     if (!mode) {
+        /* Defer -k mode setting until we know whether it is a flag or not */
+        if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+-           if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+           if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+                mode = MODE_INVALIDATE; /* -k by itself */
+                sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+                valid_flags = 0;
+@@ -601,7 +607,7 @@
+     /*
+      * For shell mode we need to rewrite argv
+      */
+-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
+    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+        char **av, *cmnd = NULL;
+        int ac = 1;
+ 
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
new file mode 100644
index 0000000000..6d051252cb
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent  9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+---
+ plugins/sudoers/policy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+ int
+ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ {
+    const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+     struct sudoers_open_info *info = v;
+-    char * const *cur;
+     const char *p, *errstr, *groups = NULL;
+     const char *remhost = NULL;
+    char * const *cur;
+     int flags = 0;
+     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+ 
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ #endif
+     }
+ 
+    /* Sudo front-end should restrict mode flags for sudoedit. */
+    if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
+       sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
+       goto bad;
+    }
+
+     user_gid = (gid_t)-1;
+     user_sid = (pid_t)-1;
+     user_uid = (gid_t)-1;
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent  a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+ 
+     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+     /* XXX - causes confusion when root is not listed in sudoers */
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+        if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+            struct passwd *pw;
+ 
+@@ -932,8 +932,8 @@
+     if (user_cmnd == NULL)
+        user_cmnd = NewArgv[0];
+ 
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+-       if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
+       if (!ISSET(sudo_mode, MODE_EDIT)) {
+            const char *runchroot = user_runchroot;
+            if (runchroot == NULL && def_runchroot != NULL &&
+                    strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+                sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+                debug_return_int(NOT_FOUND_ERROR);
+            }
+-           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
+           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
+                   ISSET(sudo_mode, MODE_RUN)) {
+                /*
+                 * When running a command via a shell, the sudo front-end
+                 * escapes potential meta chars.  We unescape non-spaces
+@@ -969,10 +970,22 @@
+                 */
+                for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+                    while (*from) {
+-                       if (from[0] == '\\' && !isspace((unsigned char)from[1]))
+                       if (from[0] == '\\' && from[1] != '\0' &&
+                               !isspace((unsigned char)from[1])) {
+                            from++;
+                       }
+                       if (size - (to - user_args) < 1) {
+                           sudo_warnx(U_("internal error, %s overflow"),
+                               __func__);
+                           debug_return_int(NOT_FOUND_ERROR);
+                       }
+                        *to++ = *from++;
+                    }
+                   if (size - (to - user_args) < 1) {
+                       sudo_warnx(U_("internal error, %s overflow"),
+                           __func__);
+                       debug_return_int(NOT_FOUND_ERROR);
+                   }
+                    *to++ = ' ';
+                }
+                *--to = '\0';
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
new file mode 100644
index 0000000000..c1b00c740e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
+# Parent  049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
+We want to zero the struct starting at flags, not type (which was just set).
+Found by Qualys.
+diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
+--- a/plugins/sudoers/timestamp.c       Sat Jan 23 08:43:59 2021 -0700
+++ b/plugins/sudoers/timestamp.c       Sat Jan 23 08:44:00 2021 -0700
+@@ -643,8 +643,8 @@
+        if (entry.size == sizeof(struct timestamp_entry_v1)) {
+            /* Old sudo record, convert it to TS_LOCKEXCL. */
+            entry.type = TS_LOCKEXCL;
+-           memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
+-               nread - offsetof(struct timestamp_entry, type));
+           memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
+               nread - offsetof(struct timestamp_entry, flags));
+            if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
+                debug_return_bool(false);
+        } else {
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+++ b/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+        if (argc != 0) {
+            /* shell -c "command" */
+            char *src, *dst;
+-           size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+-               strlen(argv[argc - 1]) + 1;
+           size_t size = 0;
+ 
+-           cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+-           if (cmnd == NULL)
+           for (av = argv; *av != NULL; av++)
+               size += strlen(*av) + 1;
+           if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+                sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+            if (!gc_add(GC_PTR, cmnd))
+                exit(EXIT_FAILURE);
+ 
+-           for (av = argv; *av != NULL; av++) {
+           for (dst = cmnd, av = argv; *av != NULL; av++) {
+                for (src = *av; *src != '\0'; src++) {
+                    /* quote potential meta characters */
+                    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 86a18be7e2..8b50f5eee5 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -49,3 +49,5 @@ do_compile_prepend () {
 do_install_prepend (){
        mkdir -p ${D}/${localstatedir}/lib
 }
+CVE_VERSION_SUFFIX = "patch"
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 270625ebe8..37fd6386dd 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -2,6 +2,14 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+           file://CVE-2021-23239.patch \
+           file://CVE-2021-23240.patch \
+           file://CVE-2021-3156-1.patch \
+           file://CVE-2021-3156-2.patch \
+           file://CVE-2021-3156-3.patch \
+           file://CVE-2021-3156-4.patch \
+           file://CVE-2021-3156-5.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
@@ -24,6 +32,7 @@ EXTRA_OECONF += " \
             ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${nonarch_libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \
             --with-rundir=/run/sudo \
             --with-vardir=/var/lib/sudo \
+             --libexecdir=${libdir} \
             "
 do_install_append () {
@@ -43,5 +52,5 @@ do_install_append () {
 }
 FILES_${PN} += "${nonarch_libdir}/tmpfiles.d"
-FILES_${PN}-dev += "${libexecdir}/${BPN}/lib*${SOLIBSDEV} ${libexecdir}/${BPN}/*.la \
+FILES_${PN}-dev += "${libdir}/${BPN}/lib*${SOLIBSDEV} ${libdir}/${BPN}/*.la \
-                    ${libexecdir}/lib*${SOLIBSDEV} ${libexecdir}/*.la"
+                    ${libdir}/lib*${SOLIBSDEV} ${libdir}/*.la"
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+Bug reported in https://savannah.gnu.org/bugs/?59897
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break.  Return the status.  Free
+next_long_name and next_long_link before returning.
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
+++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+             enum read_header_mode mode)
+ {
+   union block *header;
+-  union block *header_copy;
+   char *bp;
+   union block *data_block;
+   size_t size, written;
+-  union block *next_long_name = 0;
+-  union block *next_long_link = 0;
+  union block *next_long_name = NULL;
+  union block *next_long_link = NULL;
+   size_t next_long_name_blocks = 0;
+   size_t next_long_link_blocks = 0;
+-
+  enum read_header status = HEADER_SUCCESS;
+  
+   while (1)
+     {
+-      enum read_header status;
+-
+       header = find_next_block ();
+       *return_block = header;
+       if (!header)
+-       return HEADER_END_OF_FILE;
+       {
+         status = HEADER_END_OF_FILE;
+         break;
+       }
+ 
+       if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+-       return status;
+       break;
+ 
+       /* Good block.  Decode file size and return.  */
+ 
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+        {
+          info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+          if (info->stat.st_size < 0)
+-           return HEADER_FAILURE;
+           {
+             status = HEADER_FAILURE;
+             break;
+           }
+        }
+ 
+       if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+          || header->header.typeflag == SOLARIS_XHDTYPE)
+        {
+          if (mode == read_header_x_raw)
+-           return HEADER_SUCCESS_EXTENDED;
+           {
+             status = HEADER_SUCCESS_EXTENDED;
+             break;
+           }
+          else if (header->header.typeflag == GNUTYPE_LONGNAME
+                   || header->header.typeflag == GNUTYPE_LONGLINK)
+            {
+             union block *header_copy;
+              size_t name_size = info->stat.st_size;
+              size_t n = name_size % BLOCKSIZE;
+              size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              xheader_decode_global (&xhdr);
+              xheader_destroy (&xhdr);
+              if (mode == read_header_x_global)
+-               return HEADER_SUCCESS_EXTENDED;
+               {
+                 status = HEADER_SUCCESS_EXTENDED;
+                 break;
+               }
+            }
+ 
+          /* Loop!  */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              name = next_long_name->buffer + BLOCKSIZE;
+              recent_long_name = next_long_name;
+              recent_long_name_blocks = next_long_name_blocks;
+             next_long_name = NULL;
+            }
+          else
+            {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              name = next_long_link->buffer + BLOCKSIZE;
+              recent_long_link = next_long_link;
+              recent_long_link_blocks = next_long_link_blocks;
+             next_long_link = NULL;
+            }
+          else
+            {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+            }
+          assign_string (&info->link_name, name);
+ 
+-         return HEADER_SUCCESS;
+         break;
+        }
+     }
+  free (next_long_name);
+  free (next_long_link);
+  return status;
+ }
+ 
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+-- 
+cgit v1.2.1
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index ebe6cb0dbd..3ae6d674a5 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
           file://musl_dirent.patch \
+           file://CVE-2021-20193.patch \
 "
 SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 8eb17c5eaf..a89560b424 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2020b"
+PV = "2021a"
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
           http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "47eff8944de4a64f7629b851e4a32338ab12c9b73edd62063795167ff1fe43da"
+SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0"
-SRC_URI[tzdata.sha256sum] = "9b053f951d245ce89d850b96ee4711d82d833559b1fc96ba19f90bc4d745e809"
+SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08"
diff --git a/meta/recipes-extended/watchdog/watchdog_5.16.bb b/meta/recipes-extended/watchdog/watchdog_5.16.bb
index 1988952603..a44a459c20 100644
--- a/meta/recipes-extended/watchdog/watchdog_5.16.bb
+++ b/meta/recipes-extended/watchdog/watchdog_5.16.bb
@@ -18,6 +18,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/watchdog/watchdog-${PV}.tar.gz \
 SRC_URI[md5sum] = "1b4f51cabc64d1bee2fce7cdd626831f"
 SRC_URI[sha256sum] = "b8e7c070e1b72aee2663bdc13b5cc39f76c9232669cfbb1ac0adc7275a3b019d"
+# Can be dropped when the output next changes, avoids failures after
+# reproducibility issues
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/"
 UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/"
@@ -28,6 +33,7 @@ CFLAGS += "-I${STAGING_INCDIR}/tirpc"
 LDFLAGS += "-ltirpc"
 EXTRA_OECONF += " --disable-nfs "
+CACHED_CONFIGUREVARS += "ac_cv_path_PATH_SENDMAIL=${sbindir}/sendmail"
 INITSCRIPT_PACKAGES = "${PN} ${PN}-keepalive"
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index c00a932763..97e5e57533 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -19,6 +19,12 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
+# Disputed and also Debian doesn't consider a vulnerability
+CVE_CHECK_WHITELIST += "CVE-2018-13410"
+# Not for zip but for smart contract implementation for it
+CVE_CHECK_WHITELIST += "CVE-2018-13684"
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
 # whatever we set.
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
index 4c3b18331a..0c22a67bde 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
@@ -13,6 +13,8 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
 SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
           file://0002-help-meson.build-disable-the-use-of-yelp.patch \
+           file://migrator.patch \
+           file://distributor.patch \
           "
 SRC_URI[archive.sha256sum] = "588a75b1588f5a509c33cf0be6a38a0f4fc1748eeb499a51d991ddef485242bf"
diff --git a/meta/recipes-gnome/epiphany/files/distributor.patch b/meta/recipes-gnome/epiphany/files/distributor.patch
new file mode 100644
index 0000000000..b09c9b38d2
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/distributor.patch
@@ -0,0 +1,17 @@
+Don't encode the distro from /etc/os-release into the binaries.
+Upstream-Status: Pending
+RP 2021/2/26
+Index: epiphany-3.38.2/meson.build
+===================================================================
+--- epiphany-3.38.2.orig/meson.build
+++ epiphany-3.38.2/meson.build
+@@ -15,6 +15,7 @@ if r.returncode() == 0
+ else
+   distributor_name = 'GNOME Web'
+ endif
+distributor_name = 'OpenEmbedded'
+ 
+ prefix = get_option('prefix')
+ datadir = join_paths(prefix, get_option('datadir'))
diff --git a/meta/recipes-gnome/epiphany/files/migrator.patch b/meta/recipes-gnome/epiphany/files/migrator.patch
new file mode 100644
index 0000000000..a9a650a64a
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/migrator.patch
@@ -0,0 +1,24 @@
+We don't want to encide BUILD_ROOT into target packages. This is used
+for build time tests but in our case those would be on target anyway
+do use the target paths.
+Upstream-Status: Pending
+RP 2021/2/25
+Index: epiphany-3.38.2/lib/ephy-profile-utils.c
+===================================================================
+--- epiphany-3.38.2.orig/lib/ephy-profile-utils.c
+++ epiphany-3.38.2/lib/ephy-profile-utils.c
+@@ -130,10 +130,10 @@ ephy_profile_utils_do_migration (const c
+   argv[i++] = NULL;
+ 
+ #if DEVELOPER_MODE
+-  argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
+  argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #else
+   if (debug)
+-    argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
+    argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #endif
+ 
+   g_spawn_sync (NULL, (char **)argv, envp, G_SPAWN_SEARCH_PATH,
diff --git a/meta/recipes-gnome/gcr/gcr_3.36.0.bb b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
index ff455a68ec..567ca8b774 100644
--- a/meta/recipes-gnome/gcr/gcr_3.36.0.bb
+++ b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605"
 DEPENDS = "gtk+3 p11-kit glib-2.0 libgcrypt gnupg-native \
           ${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'libxslt-native', '', d)}"
+CACHED_CONFIGUREVARS += "ac_cv_path_GPG='gpg2'"
 GNOMEBASEBUILDCLASS = "meson"
 GTKDOC_MESON_OPTION = "gtk_doc"
 inherit gnomebase gtk-icon-cache gtk-doc features_check upstream-version-is-even vala gobject-introspection gettext mime mime-xdg
@@ -32,3 +34,11 @@ FILES_${PN} += " \
 ARM_INSTRUCTION_SET_armv4 = "arm"
 ARM_INSTRUCTION_SET_armv5 = "arm"
 ARM_INSTRUCTION_SET_armv6 = "arm"
+EXTRA_OEMESON += "--cross-file ${WORKDIR}/meson-${PN}.cross"
+do_write_config_append() {
+    cat >${WORKDIR}/meson-${PN}.cross <<EOF
+[binaries]
+gpg2 = '${bindir}/gpg2'
+EOF
+}
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
new file mode 100644
index 0000000000..3fef2bc1eb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
@@ -0,0 +1,55 @@
+From bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Mon, 30 Nov 2020 12:26:12 +1300
+Subject: [PATCH 02/13] gif: Fix LZW decoder accepting invalid LZW code.
+The code value after a reset wasn't being validated, which means we would
+accept invalid codes. This could cause an infinite loop in the decoder.
+Fixes CVE-2020-29385
+Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81]
+CVE: CVE-2020-29385
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gdk-pixbuf/lzw.c                    |  13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+ create mode 100644 tests/test-images/fail/hang_114.gif
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 9e052a6f7..105daf2b1 100644
+--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
+@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
+                                 if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
+                                         if (self->code < self->code_table_size)
+                                                 add_code (self, self->code);
+-                                        else if (self->code == self->code_table_size)
+                                        else
+                                                 add_code (self, self->last_code);
+-                                        else {
+-                                                /* Invalid code received - just stop here */
+-                                                self->last_code = self->eoi_code;
+-                                                return output_length;
+-                                        }
+ 
+                                         /* When table is full increase code size */
+                                         if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
+                                                 self->code_size++;
+                                 }
+ 
+                                /* Invalid code received - just stop here */
+                                if (self->code >= self->code_table_size) {
+                                        self->last_code = self->eoi_code;
+                                        return output_length;
+                                }
+
+                                 /* Convert codeword into indexes */
+                                 n_written += write_indexes (self, output + n_written, output_length - n_written);
+                         }
+-- 
+2.25.1
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+Avoid overflows by using the checked multiplication macro for gsize.
+Fixes: #132
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ 
+         /* If no rendered frame, render the first frame */
+         if (anim->last_frame == NULL) {
+                gsize len = 0;
+                 if (anim->last_frame_data == NULL)
+                         anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+                 if (anim->last_frame_data == NULL)
+                         return NULL;
+-                memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
+                if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
+                        memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
+                else
+                        return NULL;
+                 composite_frame (anim, g_list_nth_data (anim->frames, 0));
+         }
+ 
+-- 
+GitLab
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 3dec5ed052..32af2de1e8 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
           file://0004-Do-not-run-tests-when-building.patch \
           file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
           file://missing-test-data.patch \
+           file://CVE-2020-29385.patch \
+           file://CVE-2021-20240.patch \
           "
 SRC_URI_append_class-target = " \
diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
index 4d80f00e10..0f0f7a82c4 100644
--- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
+++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
@@ -29,14 +29,14 @@ GTKDOC_MESON_OPTION = "gtk_doc"
 MULTILIB_SCRIPTS = "${PN}:${bindir}/g-ir-annotation-tool ${PN}:${bindir}/g-ir-scanner"
-DEPENDS_append = " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive"
+DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive"
 # target build needs qemu to run temporary introspection binaries created
 # on the fly by g-ir-scanner and a native version of itself to run
 # native versions of its own tools during build.
 # Also prelink-rtld is used to find out library dependencies of introspection binaries
 # (standard ldd doesn't work when cross-compiling).
-DEPENDS_class-target_append = " gobject-introspection-native qemu-native prelink-native"
+DEPENDS_append_class-target = " gobject-introspection-native qemu-native prelink-native"
 # needed for writing out the qemu wrapper script
 export STAGING_DIR_HOST
diff --git a/meta/recipes-gnome/libsecret/libsecret/determinism.patch b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
new file mode 100644
index 0000000000..ad96e8f59b
--- /dev/null
+++ b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
@@ -0,0 +1,37 @@
+secret-enum-types.c/h.template: Fix reproducibility issue 
+When full filenames are used in generated sources it makes the resulting
+debug packages non-reproducible. Best practise is to use basename in
+comments instead.
+Signed-off-by: Richard Purdie richard.purdie@linuxfoundation.org
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/68]
+Index: libsecret-0.20.4/libsecret/secret-enum-types.c.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.c.template
+++ libsecret-0.20.4/libsecret/secret-enum-types.c.template
+@@ -23,8 +23,8 @@
+ /*** END file-header ***/
+ 
+ /*** BEGIN file-production ***/
+-#include "@filename@"
+-/* enumerations from "@filename@" */
+#include "@basename@"
+/* enumerations from "@basename@" */
+ /*** END file-production ***/
+ 
+ /*** BEGIN value-header ***/
+Index: libsecret-0.20.4/libsecret/secret-enum-types.h.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.h.template
+++ libsecret-0.20.4/libsecret/secret-enum-types.h.template
+@@ -27,7 +27,7 @@ G_BEGIN_DECLS
+ 
+ /*** BEGIN file-production ***/
+ 
+-/* enumerations from "@filename@" */
+/* enumerations from "@basename@" */
+ /*** END file-production ***/
+ 
+ /*** BEGIN value-header ***/
diff --git a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
index 533015a1e4..b72206535f 100644
--- a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
+++ b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
@@ -13,7 +13,8 @@ inherit gnomebase gtk-doc vala gobject-introspection manpages
 DEPENDS += "glib-2.0 libgcrypt gettext-native"
-SRC_URI += "file://0001-meson-add-option-introspection.patch"
+SRC_URI += "file://0001-meson-add-option-introspection.patch \
+            file://determinism.patch"
 SRC_URI[archive.md5sum] = "47c3fdfeb111a87b509ad271e4a6f496"
 SRC_URI[archive.sha256sum] = "4fcb3c56f8ac4ab9c75b66901fb0104ec7f22aa9a012315a14c0d6dffa5290e4"
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..f8e69beb0b
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,121 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+CVE: CVE-2020-35492
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
+original patch from upstream has a binary file, it will cause
+do_patch failed with "git binary diffs are not supported".
+so add do_patch_append in recipe to add this binary source. when removing
+this patch, please also remove do_patch_append for this patch
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/cairo-image-compositor.c                |   8 ++--
+ test/Makefile.sources                       |   1 +
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+                    unsigned num_spans)
+ {
+     cairo_image_span_renderer_t *r = abstract_renderer;
+-    uint8_t *m;
+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+     int x0;
+ 
+     if (num_spans == 0)
+        return CAIRO_STATUS_SUCCESS;
+ 
+     x0 = spans[0].x;
+-    m = r->_buf;
+    m = base;
+     do {
+        int len = spans[1].x - spans[0].x;
+        if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+                                      spans[0].x, y,
+                                      spans[1].x - spans[0].x, h);
+ 
+-           m = r->_buf;
+           m = base;
+            x0 = spans[1].x;
+        } else if (spans[0].coverage == 0x0) {
+            if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+            }
+ 
+-           m = r->_buf;
+           m = base;
+            x0 = spans[1].x;
+        } else {
+            *m++ = spans[0].coverage;
+diff --git a/test/Makefile.sources b/test/Makefile.sources
+index 7eb73647f..86494348d 100644
+--- a/test/Makefile.sources
+++ b/test/Makefile.sources
+@@ -34,6 +34,7 @@ test_sources = \
+        bug-source-cu.c                                 \
+        bug-extents.c                                   \
+        bug-seams.c                                     \
+       bug-image-compositor.c                          \
+        caps.c                                          \
+        checkerboard.c                                  \
+        caps-joins.c                                    \
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
+++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
+#include "cairo-test.h"
+
+static cairo_test_status_t
+draw (cairo_t *cr, int width, int height)
+{
+    cairo_set_source_rgb (cr, 0., 0., 0.);
+    cairo_paint (cr);
+
+    cairo_set_source_rgb (cr, 1., 1., 1.);
+    cairo_set_line_width (cr, 1.);
+
+    cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
+    cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
+    cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
+    cairo_set_source (cr, p);
+
+    cairo_move_to (cr, 0.5, -1);
+    for (int i = 0; i < width; i+=3) {
+       cairo_rel_line_to (cr, 2, 2);
+       cairo_rel_line_to (cr, 1, -2);
+    }
+
+    cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
+    cairo_stroke (cr);
+
+    cairo_pattern_destroy(p);
+
+    return CAIRO_TEST_SUCCESS;
+}
+
+
+CAIRO_TEST (bug_image_compositor,
+           "Crash in image-compositor",
+           "stroke, stress", /* keywords */
+           NULL, /* requirements */
+           10000, 1,
+           NULL, draw)
+           
+           
+-- 
+GitLab
diff --git a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
new file mode 100644
index 0000000000..939f659d2c
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
Binary files differ
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 68f993d7ca..d48da1a4c7 100644
--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
           file://CVE-2018-19876.patch \
           file://CVE-2019-6461.patch \
           file://CVE-2019-6462.patch \
+           file://CVE-2020-35492.patch \
+           file://bug-image-compositor.ref.png \
          "
 SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
@@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no"
 # Ensure we don't depend on LZO
 export ac_cv_lib_lzo2_lzo2a_decompress="no"
+#for CVE-2020-35492.patch
+do_patch_append() {
+    bb.build.exec_func('do_cp_binary_source', d)
+}
+do_cp_binary_source () {
+        cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
+}
 do_install_append () {
        rm -rf ${D}${bindir}/cairo-sphinx
        rm -rf ${D}${libdir}/cairo/cairo-fdr*
diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch
new file mode 100644
index 0000000000..39e36d8737
--- /dev/null
+++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch
@@ -0,0 +1,38 @@
+meson: Allow source location to be configurable
+Hardcoding a build source path into a binary when cross compiling isn't
+appropriate and breaks build reproducibility. Allow the srcdir to be
+specified by an optional configuration option to meson.
+Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
+Upstream-Status: Submitted [https://lists.freedesktop.org/archives/igt-dev/2021-February/029443.html]
+Index: git/lib/meson.build
+===================================================================
+--- git.orig/lib/meson.build
+++ git/lib/meson.build
+@@ -122,7 +122,11 @@ if chamelium.found()
+        lib_sources += 'igt_chamelium_stream.c'
+ endif
+ 
+-srcdir = join_paths(meson.source_root(), 'tests')
+if get_option('srcdir') != ''
+    srcdir = join_paths(get_option('srcdir'), 'tests')
+else
+    srcdir = join_paths(meson.source_root(), 'tests')
+endif
+ 
+ lib_version = vcs_tag(input : 'version.h.in', output : 'version.h',
+                      fallback : 'NO-GIT',
+Index: git/meson_options.txt
+===================================================================
+--- git.orig/meson_options.txt
+++ git/meson_options.txt
+@@ -50,3 +50,7 @@ option('use_rpath',
+        type : 'boolean',
+        value : false,
+        description : 'Set runpath on installed executables for libigt.so')
+
+option('srcdir',
+       type : 'string',
+       description : 'Path to source code to be compiled into binaries (optional)')
diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
index 89480d79d2..f25cbc0603 100644
--- a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
+++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
@@ -10,7 +10,8 @@ inherit meson
 SRCREV = "d16ad07e7f2a028e14d61f570931c87fa5ce404c"
 PV = "1.25+git${SRCPV}"
-SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https"
+SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https \
+           file://reproducibility.patch"
 S = "${WORKDIR}/git"
@@ -22,7 +23,7 @@ PACKAGE_BEFORE_PN = "${PN}-benchmarks ${PN}-tests"
 PACKAGECONFIG[chamelium] = "-Dchamelium=enabled,-Dchamelium=disabled,gsl xmlrpc-c"
-EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled"
+EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled -Dsrcdir=/usr/src/debug/${PN}/${PV}-${PR}/git/"
 COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64).*-linux"
 COMPATIBLE_HOST_libc-musl_class-target = "null"
 SECURITY_LDFLAGS = "${SECURITY_X_LDFLAGS}"
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
new file mode 100644
index 0000000000..d8fa24bc65
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+ 
+ 
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+-    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+ 
+ /* Public routines */
+ 
+ /*
+  * Calculate the pad-aligned scanline width of a surface
+  */
+-static int
+static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+-    int pitch;
+    Sint64 pitch;
+ 
+     if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+-        pitch = (width * SDL_BYTESPERPIXEL(format));
+        pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+     } else {
+-        pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+        pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+     }
+     pitch = (pitch + 3) & ~3;   /* 4-byte aligning for speed */
+     return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+                                Uint32 format)
+ {
+    Sint64 pitch;
+     SDL_Surface *surface;
+ 
+     /* The flags are no longer used, make the compiler happy */
+     (void)flags;
+ 
+    pitch = SDL_CalculatePitch(format, width);
+    if (pitch < 0 || pitch > SDL_MAX_SINT32) {
+        /* Overflow... */
+        SDL_OutOfMemory();
+        return NULL;
+    }
+
+     /* Allocate the surface */
+     surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+     if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+     }
+     surface->w = width;
+     surface->h = height;
+-    surface->pitch = SDL_CalculatePitch(format, width);
+    surface->pitch = (int)pitch;
+     SDL_SetClipRect(surface, NULL);
+ 
+     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 0b75eb0c1d..639a465567 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
           file://more-gen-depends.patch \
           file://directfb-spurious-curly-brace-missing-e.patch \
           file://directfb-renderfillrect-fix.patch \
+           file://CVE-2020-14409-14410.patch \
 "
 S = "${WORKDIR}/SDL2-${PV}"
@@ -57,7 +58,7 @@ PACKAGECONFIG ??= " \
 "
 PACKAGECONFIG[alsa]       = "--enable-alsa --disable-alsatest,--disable-alsa,alsa-lib,"
 PACKAGECONFIG[arm-neon]   = "--enable-arm-neon,--disable-arm-neon"
-PACKAGECONFIG[directfb]   = "--enable-video-directfb,--disable-video-directfb,directfb"
+PACKAGECONFIG[directfb]   = "--enable-video-directfb,--disable-video-directfb,directfb,directfb"
 PACKAGECONFIG[gles2]      = "--enable-video-opengles,--disable-video-opengles,virtual/libgles2"
 PACKAGECONFIG[jack]       = "--enable-jack,--disable-jack,jack"
 PACKAGECONFIG[kmsdrm]     = "--enable-video-kmsdrm,--disable-video-kmsdrm,libdrm virtual/libgbm"
diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index 9fc62e95e1..a4c7007157 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -48,11 +48,6 @@ PROVIDES = " \
 inherit meson pkgconfig python3native gettext features_check
-# Unset these to stop python trying to report the target Python setup
-_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
-STAGING_INCDIR[unexport] = "1"
-STAGING_LIBDIR[unexport] = "1"
 BBCLASSEXTEND = "native nativesdk"
 ANY_OF_DISTRO_FEATURES_class-target = "opengl vulkan"
diff --git a/meta/recipes-graphics/wayland/libinput/run-ptest b/meta/recipes-graphics/wayland/libinput/run-ptest
index 5a84c568b9..d11e6eb25b 100644
--- a/meta/recipes-graphics/wayland/libinput/run-ptest
+++ b/meta/recipes-graphics/wayland/libinput/run-ptest
@@ -1,6 +1,6 @@
 #!/bin/sh
-/usr/libexec/libinput/libinput-test-suite
+/usr/libexec/libinput/libinput-test-suite -j1
 if [ $? -eq 0 ]; then
  echo 'PASS: libinput-test-suite'
 else
diff --git a/meta/recipes-graphics/wayland/weston-init/weston.ini b/meta/recipes-graphics/wayland/weston-init/weston.ini
index b48726d59c..6bd5aef55a 100644
--- a/meta/recipes-graphics/wayland/weston-init/weston.ini
+++ b/meta/recipes-graphics/wayland/weston-init/weston.ini
@@ -42,7 +42,7 @@ require-input=false
 #path=/build/weston-0lEgCh/weston-1.11.0/weston-flower
 #[input-method]
-#path=/usr/lib/weston/weston-keyboard
+#path=/usr/libexec/weston-keyboard
 #[output]
 #name=LVDS1
diff --git a/meta/recipes-graphics/wayland/weston_9.0.0.bb b/meta/recipes-graphics/wayland/weston_9.0.0.bb
index 75f9fb05fd..d60b5e1a35 100644
--- a/meta/recipes-graphics/wayland/weston_9.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_9.0.0.bb
@@ -73,7 +73,7 @@ PACKAGECONFIG[colord] = "-Dcolor-management-colord=true,-Dcolor-management-color
 # Clients support
 PACKAGECONFIG[clients] = "-Dsimple-clients=all -Ddemo-clients=true,-Dsimple-clients= -Ddemo-clients=false"
 # Virtual remote output with GStreamer on DRM backend
-PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0"
+PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0 gstreamer1.0-plugins-base"
 # Weston with PAM support
 PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam"
 # Weston with screen-share support
diff --git a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
index 1ea08a6c99..bf8385fe6d 100644
--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
@@ -10,8 +10,12 @@ LIC_FILES_CHKSUM = "file://../misc/fonts.dir;md5=82a143d94d6a974aafe97132d2d519a
 SRC_URI = "file://misc"
+SOURCE_DATE_EPOCH = "1613559011"
 PE = "1"
-PR = "r2"
+PR = "r3"
+HASHEQUIV_HASH_VERSION .= ".1"
 inherit allarch features_check
@@ -27,6 +31,8 @@ RDEPENDS_${PN} += "font-alias"
 do_install() {
        install -d ${D}/${datadir}/fonts/X11/misc
        install -m 0644 ${S}/* ${D}/${datadir}/fonts/X11/misc/
+        # Pick a date/time as otherwise it would be the git checkout/modify time
+        touch -d @1613559011 ${D}/${datadir}/fonts/X11/misc/*
        install -d ${D}/${libdir}/X11
        ln -sf ${datadir}/fonts/X11/ ${D}/${libdir}/X11/fonts -s
 }
diff --git a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb
index 6de30098d6..52e474a2e9 100644
--- a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb
+++ b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb
@@ -11,8 +11,8 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d763b081cb10c223435b01e00dc0aba7 \
                    file://src/dri2.xml;beginline=2;endline=28;md5=f8763b13ff432e8597e0d610cf598e65"
-SRC_URI = "http://xcb.freedesktop.org/dist/${BP}.tar.xz"
+SRC_URI = "https://xorg.freedesktop.org/archive/individual/proto/${BP}.tar.xz"
-SRC_URI[sha256sum] = "186a3ceb26f9b4a015f5a44dcc814c93033a5fc39684f36f1ecc79834416a605"
+SRC_URI[sha256sum] = "f04add9a972ac334ea11d9d7eb4fc7f8883835da3e4859c9afa971efdf57fcc3"
 inherit autotools pkgconfig python3native
diff --git a/meta/recipes-kernel/dtc/dtc.inc b/meta/recipes-kernel/dtc/dtc.inc
index 0650e3c82e..5da6c24fbf 100644
--- a/meta/recipes-kernel/dtc/dtc.inc
+++ b/meta/recipes-kernel/dtc/dtc.inc
@@ -7,7 +7,9 @@ DEPENDS = "flex-native bison-native"
 SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git \
           file://make_install.patch \
+           file://0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch \
           "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 EXTRA_OEMAKE='NO_PYTHON=1 PREFIX="${prefix}" LIBDIR="${libdir}" DESTDIR="${D}"'
diff --git a/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
new file mode 100644
index 0000000000..a2deb12d4b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
@@ -0,0 +1,36 @@
+From f0119060ef1b9bd80e2cae487df1e4aedffb0e9b Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Fri, 22 Jan 2021 09:12:48 +0200
+Subject: [PATCH] dtc: Fix Makefile to add CFLAGS not override
+Makefile override CFLAGS not extend them, so some of them
+missing. Sources builds out of kernel tree and probably not all
+options could be used (?). We need at least -fmacro-prefix-map/
+debug-prefix-map to eliminate absolute path in binaries.
+Upstream-Status: Pending
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/Makefile b/Makefile
+index 35d936f..b5b13cf 100644
+--- a/Makefile
+++ b/Makefile
+@@ -20,10 +20,10 @@ CONFIG_LOCALVERSION =
+ # See libfdt_internal.h for details
+ ASSUME_MASK ?= 0
+ 
+-CPPFLAGS = -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
+CPPFLAGS += -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
+ WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \
+        -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow
+-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
+CFLAGS += -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
+ 
+ BISON = bison
+ LEX = flex
+-- 
+2.25.1
diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc
index 646dff9a97..10a319ac9f 100644
--- a/meta/recipes-kernel/kmod/kmod.inc
+++ b/meta/recipes-kernel/kmod/kmod.inc
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
 S = "${WORKDIR}/git"
-EXTRA_AUTORECONF += "--install --symlink"
 EXTRA_OECONF +=" --enable-tools --with-zlib"
 PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20200817.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
index 49417e9932..1a9374d0b4 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20200817.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
@@ -31,6 +31,7 @@ LICENSE = "\
    & Firmware-iwlwifi_firmware \
    & Firmware-IntcSST2 \
    & Firmware-kaweth \
+    & Firmware-Lontium \
    & Firmware-Marvell \
    & Firmware-moxa \
    & Firmware-myri10ge_firmware \
@@ -94,6 +95,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                    file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \
                    file://LICENCE.iwlwifi_firmware;md5=3fd842911ea93c29cd32679aa23e1c88 \
                    file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \
+                    file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \
                    file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \
                    file://LICENCE.mediatek;md5=7c1976b63217d76ce47d0a11d8a79cf2 \
                    file://LICENCE.moxa;md5=1086614767d8ccf744a923289d3d4261 \
@@ -126,7 +128,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                    file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
                    file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
                    file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
-                    file://WHENCE;md5=4d229f79f8770b5b2c4aac655b9fabef \
+                    file://WHENCE;md5=ef0565762eac313c409567b59dff00b2 \
                    "
 # These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -161,6 +163,7 @@ NO_GENERIC_LICENSE[Firmware-IntcSST2] = "LICENCE.IntcSST2"
 NO_GENERIC_LICENSE[Firmware-it913x] = "LICENCE.it913x"
 NO_GENERIC_LICENSE[Firmware-iwlwifi_firmware] = "LICENCE.iwlwifi_firmware"
 NO_GENERIC_LICENSE[Firmware-kaweth] = "LICENCE.kaweth"
+NO_GENERIC_LICENSE[Firmware-Lontium] = "LICENSE.Lontium"
 NO_GENERIC_LICENSE[Firmware-Marvell] = "LICENCE.Marvell"
 NO_GENERIC_LICENSE[Firmware-mediatek] = "LICENCE.mediatek"
 NO_GENERIC_LICENSE[Firmware-moxa] = "LICENCE.moxa"
@@ -198,7 +201,7 @@ PE = "1"
 SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "76d05d5f1eff268d3b80675245fa596f557bd55ee2e16ddd54d18ffeae943887"
+SRC_URI[sha256sum] = "1bcb1a3944c361507754a7d26ccff40ffc28d1fb93bce711d67da26b33e785b7"
 inherit allarch
@@ -222,6 +225,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
             ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
             ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \
             ${PN}-vt6656-license ${PN}-vt6656 \
+             ${PN}-rs9113 ${PN}-rs9116 \
             ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
             ${PN}-rtl8168 \
             ${PN}-cypress-license \
@@ -261,7 +265,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
             ${PN}-bcm43xx-hdr \
             ${PN}-atheros-license ${PN}-ar9170 ${PN}-ath6k ${PN}-ath9k \
             ${PN}-gplv2-license ${PN}-carl9170 \
-             ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-qca \
+             ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-ath11k ${PN}-qca \
             \
             ${PN}-imx-sdma-license ${PN}-imx-sdma-imx6q ${PN}-imx-sdma-imx7d \
             \
@@ -298,6 +302,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
             ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \
             ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
             ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
+             ${PN}-lt9611uxc ${PN}-lontium-license \
             ${PN}-whence-license \
             ${PN}-license \
             "
@@ -356,12 +361,17 @@ FILES_${PN}-ath10k = " \
  ${nonarch_base_libdir}/firmware/ath10k \
 "
+FILES_${PN}-ath11k = " \
+  ${nonarch_base_libdir}/firmware/ath11k \
+"
 FILES_${PN}-qca = " \
  ${nonarch_base_libdir}/firmware/qca \
 "
 RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license"
 RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license"
+RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license"
 RDEPENDS_${PN}-qca += "${PN}-ath10k-license"
 # For ralink
@@ -397,6 +407,12 @@ FILES_${PN}-radeon = " \
 RDEPENDS_${PN}-radeon += "${PN}-radeon-license"
+# For lontium
+LICENSE_${PN}-lt9611uxc = "Firmware-Lontium"
+FILES_${PN}-lontium-license = "${nonarch_base_libdir}/firmware/LICENSE.Lontium"
+FILES_${PN}-lt9611uxc = "${nonarch_base_libdir}/firmware/lt9611uxc_fw.bin"
 # For marvell
 LICENSE_${PN}-pcie8897 = "Firmware-Marvell"
 LICENSE_${PN}-pcie8997 = "Firmware-Marvell"
@@ -477,6 +493,13 @@ FILES_${PN}-netronome = " \
  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \
  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \
  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \
+  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \
+  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \
+  ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \
+  ${nonarch_base_libdir}/firmware/netronome/bpf \
+  ${nonarch_base_libdir}/firmware/netronome/flower \
+  ${nonarch_base_libdir}/firmware/netronome/nic \
+  ${nonarch_base_libdir}/firmware/netronome/nic-sriov \
 "
 RDEPENDS_${PN}-netronome += "${PN}-netronome-license"
@@ -503,6 +526,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
 RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
 RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
+# For RSI RS911x WiFi
+LICENSE_${PN}-rs9113 = "WHENCE"
+LICENSE_${PN}-rs9116 = "WHENCE"
+FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "
+FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps "
+RDEPENDS_${PN}-rs9113 += "${PN}-whence-license"
+RDEPENDS_${PN}-rs9116 += "${PN}-whence-license"
 # For rtl
 LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
 LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware"
@@ -603,7 +636,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi
 FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*"
 FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
 FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
-FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin"
+FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \
+"
 FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
 FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
 FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
@@ -612,12 +647,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
 "
 FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*"
-FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*"
+FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \
+"
 FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
 FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin"
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \
+"
 FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
-FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin"
+FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \
+"
 FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
 FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
@@ -688,13 +729,21 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress"
 FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
 FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
-FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*"
+FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \
-FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*"
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*"
-FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*"
+FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \
-FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin"
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*"
-FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*"
+FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*"
+FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \
+"
+FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \
+"
 FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
+  ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
 "
 LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 8373c97a31..8a900ed182 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -119,6 +119,10 @@ do_install() {
        # but without this file, we get a forced syncconfig run in v5.8+, which prompts and
        # breaks workflows.
        cp -a --parents include/generated/autoconf.h $kerneldir/build 2>/dev/null || :
+        if [ -e $kerneldir/include/generated/.vdso-offsets.h.cmd ]; then
+            rm $kerneldir/include/generated/.vdso-offsets.h.cmd
+        fi
    )
    # now grab the chunks from the source tree that we need
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 183acce226..da1d5b72da 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
        raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
-SRCREV_machine ?= "e500e89811e268ab5c420744c41b10d12c9844a0"
+SRCREV_machine ?= "324e77d816cf6434507ab29140beb24044009efa"
-SRCREV_meta ?= "8d0ed83a864cc91eef4d2abbc90f13d4ecd1c213"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
           git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.75"
+LINUX_VERSION ?= "5.4.112"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.8.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.8.bb
index 203ddf6684..d20b8b10ab 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.8.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.8.bb
@@ -11,8 +11,8 @@ python () {
        raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
-SRCREV_machine ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_meta ?= "7883b60d324029d26020c0b3f826b35c52fd9674"
+SRCREV_meta ?= "b976de4f41df1a50dc84839b64fb0ce2c6f9fb21"
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
           git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.8;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index f6190be8da..1edc632de7 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.75"
+LINUX_VERSION ?= "5.4.112"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "2c7da912c6b5bd36d84f75e0aff4afd0814f1bd3"
+SRCREV_machine_qemuarm ?= "8463db325b93f0669446f68c19334cfe11ffb9c2"
-SRCREV_machine ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_meta ?= "8d0ed83a864cc91eef4d2abbc90f13d4ecd1c213"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
 PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.8.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.8.bb
index f37f525cc3..a5135155d5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.8.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.8.bb
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "aa614dcf182db126013b255968ab125afd96eb88"
+SRCREV_machine_qemuarm ?= "9509db6e3ed6a23b1f7495b53248d1cbfe22710b"
-SRCREV_machine ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_meta ?= "7883b60d324029d26020c0b3f826b35c52fd9674"
+SRCREV_meta ?= "b976de4f41df1a50dc84839b64fb0ce2c6f9fb21"
 PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 23fc5ea819..53cfabb3a7 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "dbac8d2939bca0a92226cfd55543331715dd642d"
+SRCREV_machine_qemuarm ?= "133328e5d558f6060a5633d71506a6b716bb4fc6"
-SRCREV_machine_qemuarm64 ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine_qemuarm64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_machine_qemumips ?= "819cf265755f21768f6bb98312cb568c6db8b1e8"
+SRCREV_machine_qemumips ?= "eef7365804592f95bceefa143cdb3cc19e8c6b66"
-SRCREV_machine_qemuppc ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine_qemuppc ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_machine_qemuriscv64 ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine_qemuriscv64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_machine_qemux86 ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine_qemux86 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_machine_qemux86-64 ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine_qemux86-64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_machine_qemumips64 ?= "bb9110d96ce8a2c56466e5b4314b93175af3d80d"
+SRCREV_machine_qemumips64 ?= "996fe040c8d8d01a9af6be42dae3844d127471bf"
-SRCREV_machine ?= "d0096198f08dd2aa4222ef5480d2fcdaf520b65b"
+SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
-SRCREV_meta ?= "8d0ed83a864cc91eef4d2abbc90f13d4ecd1c213"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
           git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.75"
+LINUX_VERSION ?= "5.4.112"
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.8.bb b/meta/recipes-kernel/linux/linux-yocto_5.8.bb
index c0cdffce73..f6ebefbf1b 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.8.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.8.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.8/standard/base"
 KBRANCH_qemux86-64 ?= "v5.8/standard/base"
 KBRANCH_qemumips64 ?= "v5.8/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "cd6c8c74317d2f9504c25e28e37f4140deec2d19"
+SRCREV_machine_qemuarm ?= "14b463d0e5c1e2ff354244420f9bbc7f0ab80533"
-SRCREV_machine_qemuarm64 ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine_qemuarm64 ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_machine_qemumips ?= "c610a204d0821f5abc253e72894fd32b41b92db3"
+SRCREV_machine_qemumips ?= "8d8d9afb396f154f366f32948fdff3cf4e269841"
-SRCREV_machine_qemuppc ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine_qemuppc ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_machine_qemuriscv64 ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine_qemuriscv64 ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_machine_qemux86 ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine_qemux86 ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_machine_qemux86-64 ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine_qemux86-64 ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_machine_qemumips64 ?= "86cc0d9a3f6751ada12fa4630b3e3c23221d6da7"
+SRCREV_machine_qemumips64 ?= "01a02b058f9a8941032b298b8d25c673526152f4"
-SRCREV_machine ?= "64fd51cbe98ae4a0e05e59ed9abd9135f1b4cf64"
+SRCREV_machine ?= "3c5d210805d61bea8f8a8081e0e3a89ea8a61f3f"
-SRCREV_meta ?= "7883b60d324029d26020c0b3f826b35c52fd9674"
+SRCREV_meta ?= "b976de4f41df1a50dc84839b64fb0ce2c6f9fb21"
 # remap qemuarm to qemuarma15 for the 5.8 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
diff --git a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
index c65882581d..32ba75bf36 100644
--- a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
+++ b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
@@ -17,7 +17,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>2(\.\d+)+)$"
 S = "${WORKDIR}/git"
-inherit autotools pkgconfig ptest
+inherit autotools pkgconfig ptest python3targetconfig
 EXTRA_OECONF = "--disable-debug-info"
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-Kconfig-fix-dependency-issue-when-building-in-tree-w.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-Kconfig-fix-dependency-issue-when-building-in-tree-w.patch
deleted file mode 100644
index ae8bec45de..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0001-Kconfig-fix-dependency-issue-when-building-in-tree-w.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From ff4d1d7e85be94ef43709cd698f0ec9a12f247d1 Mon Sep 17 00:00:00 2001
-From: Beniamin Sandu <beniaminsandu@gmail.com>
-Date: Thu, 13 Aug 2020 16:24:39 +0300
-Subject: [PATCH 01/10] Kconfig: fix dependency issue when building in-tree
- without CONFIG_FTRACE
-When building in-tree, one could disable CONFIG_FTRACE from kernel
-config which will leave CONFIG_TRACEPOINTS selected by LTTNG modules,
-but generate a lot of linker errors like below because it leaves out
-other stuff, e.g.:
-trace.c:(.text+0xd86b): undefined reference to `trace_event_buffer_reserve'
-ld: trace.c:(.text+0xd8de): undefined reference to `trace_event_buffer_commit'
-ld: trace.c:(.text+0xd926): undefined reference to `event_triggers_call'
-ld: trace.c:(.text+0xd942): undefined reference to `trace_event_ignore_this_pid'
-ld: net/mac80211/trace.o: in function `trace_event_raw_event_drv_tdls_cancel_channel_switch':
-It appears to be caused by the fact that TRACE_EVENT macros in the Linux
-kernel depend on the Ftrace ring buffer as soon as CONFIG_TRACEPOINTS is
-enabled.
-Steps to reproduce:
- Get a clone of an upstream stable kernel and use scripts/built-in.sh on it
- Configure a standard x86-64 build, enable built-in LTTNG but disable
-  CONFIG_FTRACE from Kernel Hacking-->Tracers using menuconfig
- Build will fail at linking stage
-Upstream-Status: Backport
-Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- Kconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/Kconfig b/Kconfig
-index acdab73..10eccff 100644
--- a/Kconfig
-+++ b/Kconfig
-@@ -2,7 +2,7 @@
- 
- config LTTNG
-        tristate "LTTng support"
-       select TRACEPOINTS
-+       select TRACING
-        help
-          LTTng is an open source tracing framework for Linux.
- 
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
new file mode 100644
index 0000000000..956f53d7b7
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0001-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
@@ -0,0 +1,318 @@
+From e13a7d262928984154fcf89feb14098e0cd1ad31 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Tue, 27 Oct 2020 11:42:23 -0400
+Subject: [PATCH 04/11] fix: btrfs: tracepoints: output proper root owner for
+ trace_find_free_extent() (v5.10)
+See upstream commit :
+  commit 437490fed3b0c9ae21af8f70e0f338d34560842b
+  Author: Qu Wenruo <wqu@suse.com>
+  Date:   Tue Jul 28 09:42:49 2020 +0800
+    btrfs: tracepoints: output proper root owner for trace_find_free_extent()
+    The current trace event always output result like this:
+     find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
+     find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
+     find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
+     find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
+     find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
+     find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
+    T's saying we're allocating data extent for EXTENT tree, which is not
+    even possible.
+    It's because we always use EXTENT tree as the owner for
+    trace_find_free_extent() without using the @root from
+    btrfs_reserve_extent().
+    This patch will change the parameter to use proper @root for
+    trace_find_free_extent():
+    Now it looks much better:
+     find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+     find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
+     find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=1(DATA)
+     find_free_extent: root=5(FS_TREE) len=4096 empty_size=0 flags=1(DATA)
+     find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
+     find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+     find_free_extent: root=7(CSUM_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+     find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+     find_free_extent: root=1(ROOT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I1d674064d29b31417e2acffdeb735f5052a87032
+Upstream-Status: Backport
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ instrumentation/events/lttng-module/btrfs.h | 206 ++++++++++++--------
+ 1 file changed, 122 insertions(+), 84 deletions(-)
+diff --git a/instrumentation/events/lttng-module/btrfs.h b/instrumentation/events/lttng-module/btrfs.h
+index 7b29008..52fcfd0 100644
+--- a/instrumentation/events/lttng-module/btrfs.h
+++ b/instrumentation/events/lttng-module/btrfs.h
+@@ -1856,7 +1856,29 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserved_extent,  btrfs_reserved_extent_f
+ 
+ #endif /* #else #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)) */
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0) || \
+       LTTNG_KERNEL_RANGE(5,9,6, 5,10,0) || \
+       LTTNG_KERNEL_RANGE(5,4,78, 5,5,0))
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(root, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_array(u8, fsid, root->lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+               ctf_integer(u64, root_objectid, root->root_key.objectid)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
+
+ LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+ 
+        btrfs_find_free_extent,
+@@ -1874,6 +1896,105 @@ LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+        )
+ )
+ 
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(fs_info, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(fs_info, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(fs_info, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+
+#elif (LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(root, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_integer(u64, root_objectid, root->root_key.objectid)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+
+       btrfs_find_free_extent,
+
+       TP_PROTO(struct btrfs_root *root, u64 num_bytes, u64 empty_size,
+                u64 data),
+
+       TP_ARGS(root, num_bytes, empty_size, data),
+
+       TP_FIELDS(
+               ctf_integer(u64, root_objectid, root->root_key.objectid)
+               ctf_integer(u64, num_bytes, num_bytes)
+               ctf_integer(u64, empty_size, empty_size)
+               ctf_integer(u64, data, data)
+       )
+)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+        TP_PROTO(const struct btrfs_block_group *block_group, u64 start,
+@@ -1907,22 +2028,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
+ )
+ 
+ #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0))
+-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+-
+-       btrfs_find_free_extent,
+-
+-       TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+-                u64 data),
+-
+-       TP_ARGS(fs_info, num_bytes, empty_size, data),
+-
+-       TP_FIELDS(
+-               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+-               ctf_integer(u64, num_bytes, num_bytes)
+-               ctf_integer(u64, empty_size, empty_size)
+-               ctf_integer(u64, data, data)
+-       )
+-)
+ 
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+@@ -1957,22 +2062,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
+ )
+ 
+ #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0))
+-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+-
+-       btrfs_find_free_extent,
+-
+-       TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+-                u64 data),
+-
+-       TP_ARGS(fs_info, num_bytes, empty_size, data),
+-
+-       TP_FIELDS(
+-               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+-               ctf_integer(u64, num_bytes, num_bytes)
+-               ctf_integer(u64, empty_size, empty_size)
+-               ctf_integer(u64, data, data)
+-       )
+-)
+ 
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+@@ -2011,23 +2100,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
+ 
+ #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0))
+ 
+-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+-
+-       btrfs_find_free_extent,
+-
+-       TP_PROTO(struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
+-                u64 data),
+-
+-       TP_ARGS(fs_info, num_bytes, empty_size, data),
+-
+-       TP_FIELDS(
+-               ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+-               ctf_integer(u64, num_bytes, num_bytes)
+-               ctf_integer(u64, empty_size, empty_size)
+-               ctf_integer(u64, data, data)
+-       )
+-)
+-
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+        TP_PROTO(struct btrfs_fs_info *fs_info,
+@@ -2066,23 +2138,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
+        LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
+        LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
+ 
+-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+-
+-       btrfs_find_free_extent,
+-
+-       TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
+-                u64 data),
+-
+-       TP_ARGS(root, num_bytes, empty_size, data),
+-
+-       TP_FIELDS(
+-               ctf_integer(u64, root_objectid, root->root_key.objectid)
+-               ctf_integer(u64, num_bytes, num_bytes)
+-               ctf_integer(u64, empty_size, empty_size)
+-               ctf_integer(u64, data, data)
+-       )
+-)
+-
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+        TP_PROTO(const struct btrfs_root *root,
+@@ -2120,23 +2175,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
+ 
+ #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0))
+ 
+-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
+-
+-       btrfs_find_free_extent,
+-
+-       TP_PROTO(struct btrfs_root *root, u64 num_bytes, u64 empty_size,
+-                u64 data),
+-
+-       TP_ARGS(root, num_bytes, empty_size, data),
+-
+-       TP_FIELDS(
+-               ctf_integer(u64, root_objectid, root->root_key.objectid)
+-               ctf_integer(u64, num_bytes, num_bytes)
+-               ctf_integer(u64, empty_size, empty_size)
+-               ctf_integer(u64, data, data)
+-       )
+-)
+-
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
+ 
+        TP_PROTO(struct btrfs_root *root,
+-- 
+2.17.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0002-fix-Move-mmutrace.h-into-the-mmu-sub-directory-v5.9.patch b/meta/recipes-kernel/lttng/lttng-modules/0002-fix-Move-mmutrace.h-into-the-mmu-sub-directory-v5.9.patch
deleted file mode 100644
index fab673b854..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0002-fix-Move-mmutrace.h-into-the-mmu-sub-directory-v5.9.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From e10ab43dd0e425df5bc0ac763447664ed075ba05 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 10 Aug 2020 11:22:05 -0400
-Subject: [PATCH 02/10] fix: Move mmutrace.h into the mmu/ sub-directory (v5.9)
-  commit 33e3042dac6bcc33b80835f7d7b502b1d74c457c
-  Author: Sean Christopherson <sean.j.christopherson@intel.com>
-  Date:   Mon Jun 22 13:20:29 2020 -0700
-    KVM: x86/mmu: Move mmu_audit.c and mmutrace.h into the mmu/ sub-directory
-    Move mmu_audit.c and mmutrace.h under mmu/ where they belong.
-Upstream-Status: Backport
-Change-Id: I582525ccca34e1e3bd62870364108a7d3e9df2e4
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- probes/lttng-probe-kvm-x86-mmu.c | 4 ++++
- 1 file changed, 4 insertions(+)
-diff --git a/probes/lttng-probe-kvm-x86-mmu.c b/probes/lttng-probe-kvm-x86-mmu.c
-index 37384a2..5a7ef1e 100644
--- a/probes/lttng-probe-kvm-x86-mmu.c
-+++ b/probes/lttng-probe-kvm-x86-mmu.c
-@@ -24,7 +24,11 @@
-  */
- #include <wrapper/tracepoint.h>
- 
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+#include <../../arch/x86/kvm/mmu/mmutrace.h>
-+#else
- #include <../../arch/x86/kvm/mmutrace.h>
-+#endif
- 
- #undef TRACE_INCLUDE_PATH
- #undef TRACE_INCLUDE_FILE
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-KVM-x86-mmu-Make-kvm_mmu_page-definition-and-acc.patch b/meta/recipes-kernel/lttng/lttng-modules/0003-fix-KVM-x86-mmu-Make-kvm_mmu_page-definition-and-acc.patch
deleted file mode 100644
index 524631cc72..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-KVM-x86-mmu-Make-kvm_mmu_page-definition-and-acc.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f16315cc45c4c6b880de541bb092ca18a13952b7 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 10 Aug 2020 11:36:03 -0400
-Subject: [PATCH 03/10] fix: KVM: x86/mmu: Make kvm_mmu_page definition and
- accessor internal-only (v5.9)
-  commit 985ab2780164698ec6e7d73fad523d50449261dd
-  Author: Sean Christopherson <sean.j.christopherson@intel.com>
-  Date:   Mon Jun 22 13:20:32 2020 -0700
-    KVM: x86/mmu: Make kvm_mmu_page definition and accessor internal-only
-    Make 'struct kvm_mmu_page' MMU-only, nothing outside of the MMU should
-    be poking into the gory details of shadow pages.
-Upstream-Status: Backport
-Change-Id: Ia5c1b9c49c2b00dad1d5b17c50c3dc730dafda20
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- probes/lttng-probe-kvm-x86-mmu.c | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/probes/lttng-probe-kvm-x86-mmu.c b/probes/lttng-probe-kvm-x86-mmu.c
-index 5a7ef1e..8f98186 100644
--- a/probes/lttng-probe-kvm-x86-mmu.c
-+++ b/probes/lttng-probe-kvm-x86-mmu.c
-@@ -25,6 +25,7 @@
- #include <wrapper/tracepoint.h>
- 
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+#include <../../arch/x86/kvm/mmu/mmu_internal.h>
- #include <../../arch/x86/kvm/mmu/mmutrace.h>
- #else
- #include <../../arch/x86/kvm/mmutrace.h>
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0004-fix-ext4-limit-the-length-of-per-inode-prealloc-list.patch b/meta/recipes-kernel/lttng/lttng-modules/0004-fix-ext4-limit-the-length-of-per-inode-prealloc-list.patch
deleted file mode 100644
index e29c07252c..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0004-fix-ext4-limit-the-length-of-per-inode-prealloc-list.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 8fe742807e65af29dac3fea568ff93cbc5dd9a56 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 24 Aug 2020 15:26:04 -0400
-Subject: [PATCH 04/10] fix: ext4: limit the length of per-inode prealloc list
- (v5.9)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-See upstream commit:
-  commit 27bc446e2def38db3244a6eb4bb1d6312936610a
-  Author: brookxu <brookxu.cn@gmail.com>
-  Date:   Mon Aug 17 15:36:15 2020 +0800
-    ext4: limit the length of per-inode prealloc list
-    In the scenario of writing sparse files, the per-inode prealloc list may
-    be very long, resulting in high overhead for ext4_mb_use_preallocated().
-    To circumvent this problem, we limit the maximum length of per-inode
-    prealloc list to 512 and allow users to modify it.
-    After patching, we observed that the sys ratio of cpu has dropped, and
-    the system throughput has increased significantly. We created a process
-    to write the sparse file, and the running time of the process on the
-    fixed kernel was significantly reduced, as follows:
-    Running time on unfixed kernel：
-    [root@TENCENT64 ~]# time taskset 0x01 ./sparse /data1/sparce.dat
-    real    0m2.051s
-    user    0m0.008s
-    sys     0m2.026s
-    Running time on fixed kernel：
-    [root@TENCENT64 ~]# time taskset 0x01 ./sparse /data1/sparce.dat
-    real    0m0.471s
-    user    0m0.004s
-    sys     0m0.395s
-Upstream-Status: Backport
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I5169cb24853d4da32e2862a6626f1f058689b053
---
- instrumentation/events/lttng-module/ext4.h | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
-index 5f7ab28..72ad4c9 100644
--- a/instrumentation/events/lttng-module/ext4.h
-+++ b/instrumentation/events/lttng-module/ext4.h
-@@ -460,6 +460,20 @@ LTTNG_TRACEPOINT_EVENT(ext4_mb_release_group_pa,
- )
- #endif
- 
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+LTTNG_TRACEPOINT_EVENT(ext4_discard_preallocations,
-+       TP_PROTO(struct inode *inode, unsigned int len, unsigned int needed),
-+
-+       TP_ARGS(inode, len, needed),
-+
-+       TP_FIELDS(
-+               ctf_integer(dev_t, dev, inode->i_sb->s_dev)
-+               ctf_integer(ino_t, ino, inode->i_ino)
-+               ctf_integer(unsigned int, len, len)
-+               ctf_integer(unsigned int, needed, needed)
-+       )
-+)
-+#else
- LTTNG_TRACEPOINT_EVENT(ext4_discard_preallocations,
-        TP_PROTO(struct inode *inode),
- 
-@@ -470,6 +484,7 @@ LTTNG_TRACEPOINT_EVENT(ext4_discard_preallocations,
-                ctf_integer(ino_t, ino, inode->i_ino)
-        )
- )
-+#endif
- 
- LTTNG_TRACEPOINT_EVENT(ext4_mb_discard_preallocations,
-        TP_PROTO(struct super_block *sb, int needed),
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-indicate-via-a-block-bitmap-read-is-prefetc.patch b/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-indicate-via-a-block-bitmap-read-is-prefetc.patch
deleted file mode 100644
index f76e9698c8..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-indicate-via-a-block-bitmap-read-is-prefetc.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 52563d02a9234215b62c5f519aa1b5d8589ccd0a Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 24 Aug 2020 15:37:50 -0400
-Subject: [PATCH 05/10] =?UTF-8?q?fix:=20ext4:=20indicate=20via=20a=20block?=
- =?UTF-8?q?=20bitmap=20read=20is=20prefetched=E2=80=A6=20(v5.9)?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-See upstream commit:
-  commit ab74c7b23f3770935016e3eb3ecdf1e42b73efaa
-  Author: Theodore Ts'o <tytso@mit.edu>
-  Date:   Wed Jul 15 11:48:55 2020 -0400
-    ext4: indicate via a block bitmap read is prefetched via a tracepoint
-    Modify the ext4_read_block_bitmap_load tracepoint so that it tells us
-    whether a block bitmap is being prefetched.
-Upstream-Status: Backport
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I0e5e2c5b8004223d0928235c092449ee16a940e1
---
- instrumentation/events/lttng-module/ext4.h | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
-index 72ad4c9..4476abb 100644
--- a/instrumentation/events/lttng-module/ext4.h
-+++ b/instrumentation/events/lttng-module/ext4.h
-@@ -893,12 +893,26 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__bitmap_load, ext4_mb_buddy_bitmap_load,
-        TP_ARGS(sb, group)
- )
- 
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+LTTNG_TRACEPOINT_EVENT(ext4_read_block_bitmap_load,
-+       TP_PROTO(struct super_block *sb, unsigned long group, bool prefetch),
-+
-+       TP_ARGS(sb, group, prefetch),
-+
-+       TP_FIELDS(
-+               ctf_integer(dev_t, dev, sb->s_dev)
-+               ctf_integer(__u32, group, group)
-+               ctf_integer(bool, prefetch, prefetch)
-+       )
-+)
-+#else
- LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__bitmap_load, ext4_read_block_bitmap_load,
- 
-        TP_PROTO(struct super_block *sb, unsigned long group),
- 
-        TP_ARGS(sb, group)
- )
-+#endif
- 
- LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__bitmap_load, ext4_load_inode_bitmap,
- 
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0006-fix-removal-of-smp_-read_barrier_depends-v5.9.patch b/meta/recipes-kernel/lttng/lttng-modules/0006-fix-removal-of-smp_-read_barrier_depends-v5.9.patch
deleted file mode 100644
index 0970dd30aa..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0006-fix-removal-of-smp_-read_barrier_depends-v5.9.patch
+++ /dev/null
@@ -1,391 +0,0 @@
-From 57ccbfa6a8a79c7b84394c2097efaf7935607aa5 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Tue, 25 Aug 2020 10:56:29 -0400
-Subject: [PATCH 06/10] fix: removal of [smp_]read_barrier_depends (v5.9)
-See upstream commits:
-  commit 76ebbe78f7390aee075a7f3768af197ded1bdfbb
-  Author: Will Deacon <will@kernel.org>
-  Date:   Tue Oct 24 11:22:47 2017 +0100
-    locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()
-    In preparation for the removal of lockless_dereference(), which is the
-    same as READ_ONCE() on all architectures other than Alpha, add an
-    implicit smp_read_barrier_depends() to READ_ONCE() so that it can be
-    used to head dependency chains on all architectures.
-  commit 76ebbe78f7390aee075a7f3768af197ded1bdfbb
-  Author: Will Deacon <will.deacon@arm.com>
-  Date:   Tue Oct 24 11:22:47 2017 +0100
-    locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()
-    In preparation for the removal of lockless_dereference(), which is the
-    same as READ_ONCE() on all architectures other than Alpha, add an
-    implicit smp_read_barrier_depends() to READ_ONCE() so that it can be
-    used to head dependency chains on all architectures.
-Upstream-Status: Backport
-Change-Id: Ife8880bd9378dca2972da8838f40fc35ccdfaaac
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- instrumentation/events/lttng-module/i2c.h |  4 ++--
- lib/ringbuffer/backend.h                  |  2 +-
- lib/ringbuffer/backend_internal.h         |  2 +-
- lib/ringbuffer/frontend.h                 |  4 ++--
- lib/ringbuffer/ring_buffer_frontend.c     |  4 ++--
- lib/ringbuffer/ring_buffer_iterator.c     |  2 +-
- lttng-events.c                            |  8 ++++----
- probes/lttng-kprobes.c                    |  6 +++---
- probes/lttng-kretprobes.c                 |  6 +++---
- probes/lttng-tracepoint-event-impl.h      | 12 ++++++------
- probes/lttng-uprobes.c                    |  6 +++---
- wrapper/compiler.h                        | 18 ++++++++++++++++++
- wrapper/trace-clock.h                     | 15 +++++----------
- 13 files changed, 51 insertions(+), 38 deletions(-)
-diff --git a/instrumentation/events/lttng-module/i2c.h b/instrumentation/events/lttng-module/i2c.h
-index dcbabf6..131d134 100644
--- a/instrumentation/events/lttng-module/i2c.h
-+++ b/instrumentation/events/lttng-module/i2c.h
-@@ -23,7 +23,7 @@ LTTNG_TRACEPOINT_EVENT_CODE(i2c_write,
- 
-        TP_code_pre(
-                tp_locvar->extract_sensitive_payload =
-                       READ_ONCE(extract_sensitive_payload);
-+                       LTTNG_READ_ONCE(extract_sensitive_payload);
-        ),
- 
-        TP_FIELDS(
-@@ -78,7 +78,7 @@ LTTNG_TRACEPOINT_EVENT_CODE(i2c_reply,
- 
-        TP_code_pre(
-                tp_locvar->extract_sensitive_payload =
-                       READ_ONCE(extract_sensitive_payload);
-+                       LTTNG_READ_ONCE(extract_sensitive_payload);
-        ),
- 
-        TP_FIELDS(
-diff --git a/lib/ringbuffer/backend.h b/lib/ringbuffer/backend.h
-index da937f2..43e1d47 100644
--- a/lib/ringbuffer/backend.h
-+++ b/lib/ringbuffer/backend.h
-@@ -156,7 +156,7 @@ size_t lib_ring_buffer_do_strcpy(const struct lib_ring_buffer_config *config,
-                 * Only read source character once, in case it is
-                 * modified concurrently.
-                 */
-               c = READ_ONCE(src[count]);
-+               c = LTTNG_READ_ONCE(src[count]);
-                if (!c)
-                        break;
-                lib_ring_buffer_do_copy(config, &dest[count], &c, 1);
-diff --git a/lib/ringbuffer/backend_internal.h b/lib/ringbuffer/backend_internal.h
-index 2d6a345..1226fd8 100644
--- a/lib/ringbuffer/backend_internal.h
-+++ b/lib/ringbuffer/backend_internal.h
-@@ -367,7 +367,7 @@ void lib_ring_buffer_clear_noref(const struct lib_ring_buffer_config *config,
-         * Performing a volatile access to read the sb_pages, because we want to
-         * read a coherent version of the pointer and the associated noref flag.
-         */
-       id = READ_ONCE(bufb->buf_wsb[idx].id);
-+       id = LTTNG_READ_ONCE(bufb->buf_wsb[idx].id);
-        for (;;) {
-                /* This check is called on the fast path for each record. */
-                if (likely(!subbuffer_id_is_noref(config, id))) {
-diff --git a/lib/ringbuffer/frontend.h b/lib/ringbuffer/frontend.h
-index 6f516d9..41382fe 100644
--- a/lib/ringbuffer/frontend.h
-+++ b/lib/ringbuffer/frontend.h
-@@ -79,7 +79,7 @@ void *channel_destroy(struct channel *chan);
- #define for_each_channel_cpu(cpu, chan)                                        \
-        for ((cpu) = -1;                                                \
-                ({ (cpu) = cpumask_next(cpu, (chan)->backend.cpumask);  \
-                  smp_read_barrier_depends(); (cpu) < nr_cpu_ids; });)
-+                  smp_rmb(); (cpu) < nr_cpu_ids; });)
- 
- extern struct lib_ring_buffer *channel_get_ring_buffer(
-                                const struct lib_ring_buffer_config *config,
-@@ -155,7 +155,7 @@ static inline
- int lib_ring_buffer_is_finalized(const struct lib_ring_buffer_config *config,
-                                 struct lib_ring_buffer *buf)
- {
-       int finalized = READ_ONCE(buf->finalized);
-+       int finalized = LTTNG_READ_ONCE(buf->finalized);
-        /*
-         * Read finalized before counters.
-         */
-diff --git a/lib/ringbuffer/ring_buffer_frontend.c b/lib/ringbuffer/ring_buffer_frontend.c
-index 3cab365..4980d20 100644
--- a/lib/ringbuffer/ring_buffer_frontend.c
-+++ b/lib/ringbuffer/ring_buffer_frontend.c
-@@ -1074,7 +1074,7 @@ int lib_ring_buffer_snapshot(struct lib_ring_buffer *buf,
-        int finalized;
- 
- retry:
-       finalized = READ_ONCE(buf->finalized);
-+       finalized = LTTNG_READ_ONCE(buf->finalized);
-        /*
-         * Read finalized before counters.
-         */
-@@ -1245,7 +1245,7 @@ int lib_ring_buffer_get_subbuf(struct lib_ring_buffer *buf,
-                return -EBUSY;
-        }
- retry:
-       finalized = READ_ONCE(buf->finalized);
-+       finalized = LTTNG_READ_ONCE(buf->finalized);
-        /*
-         * Read finalized before counters.
-         */
-diff --git a/lib/ringbuffer/ring_buffer_iterator.c b/lib/ringbuffer/ring_buffer_iterator.c
-index d25db72..7b4f20a 100644
--- a/lib/ringbuffer/ring_buffer_iterator.c
-+++ b/lib/ringbuffer/ring_buffer_iterator.c
-@@ -46,7 +46,7 @@ restart:
-        switch (iter->state) {
-        case ITER_GET_SUBBUF:
-                ret = lib_ring_buffer_get_next_subbuf(buf);
-               if (ret && !READ_ONCE(buf->finalized)
-+               if (ret && !LTTNG_READ_ONCE(buf->finalized)
-                    && config->alloc == RING_BUFFER_ALLOC_GLOBAL) {
-                        /*
-                         * Use "pull" scheme for global buffers. The reader
-diff --git a/lttng-events.c b/lttng-events.c
-index be7e389..d719294 100644
--- a/lttng-events.c
-+++ b/lttng-events.c
-@@ -1719,7 +1719,7 @@ int lttng_metadata_printf(struct lttng_session *session,
-        size_t len;
-        va_list ap;
- 
-       WARN_ON_ONCE(!READ_ONCE(session->active));
-+       WARN_ON_ONCE(!LTTNG_READ_ONCE(session->active));
- 
-        va_start(ap, fmt);
-        str = kvasprintf(GFP_KERNEL, fmt, ap);
-@@ -2305,7 +2305,7 @@ int _lttng_event_metadata_statedump(struct lttng_session *session,
- {
-        int ret = 0;
- 
-       if (event->metadata_dumped || !READ_ONCE(session->active))
-+       if (event->metadata_dumped || !LTTNG_READ_ONCE(session->active))
-                return 0;
-        if (chan->channel_type == METADATA_CHANNEL)
-                return 0;
-@@ -2377,7 +2377,7 @@ int _lttng_channel_metadata_statedump(struct lttng_session *session,
- {
-        int ret = 0;
- 
-       if (chan->metadata_dumped || !READ_ONCE(session->active))
-+       if (chan->metadata_dumped || !LTTNG_READ_ONCE(session->active))
-                return 0;
- 
-        if (chan->channel_type == METADATA_CHANNEL)
-@@ -2604,7 +2604,7 @@ int _lttng_session_metadata_statedump(struct lttng_session *session)
-        struct lttng_event *event;
-        int ret = 0;
- 
-       if (!READ_ONCE(session->active))
-+       if (!LTTNG_READ_ONCE(session->active))
-                return 0;
- 
-        lttng_metadata_begin(session);
-diff --git a/probes/lttng-kprobes.c b/probes/lttng-kprobes.c
-index a44eaa1..38fb72e 100644
--- a/probes/lttng-kprobes.c
-+++ b/probes/lttng-kprobes.c
-@@ -31,11 +31,11 @@ int lttng_kprobes_handler_pre(struct kprobe *p, struct pt_regs *regs)
-        int ret;
-        unsigned long data = (unsigned long) p->addr;
- 
-       if (unlikely(!READ_ONCE(chan->session->active)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->session->active)))
-                return 0;
-       if (unlikely(!READ_ONCE(chan->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->enabled)))
-                return 0;
-       if (unlikely(!READ_ONCE(event->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(event->enabled)))
-                return 0;
- 
-        lib_ring_buffer_ctx_init(&ctx, chan->chan, &lttng_probe_ctx, sizeof(data),
-diff --git a/probes/lttng-kretprobes.c b/probes/lttng-kretprobes.c
-index ab98ff2..a6bcd21 100644
--- a/probes/lttng-kretprobes.c
-+++ b/probes/lttng-kretprobes.c
-@@ -51,11 +51,11 @@ int _lttng_kretprobes_handler(struct kretprobe_instance *krpi,
-                unsigned long parent_ip;
-        } payload;
- 
-       if (unlikely(!READ_ONCE(chan->session->active)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->session->active)))
-                return 0;
-       if (unlikely(!READ_ONCE(chan->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->enabled)))
-                return 0;
-       if (unlikely(!READ_ONCE(event->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(event->enabled)))
-                return 0;
- 
-        payload.ip = (unsigned long) krpi->rp->kp.addr;
-diff --git a/probes/lttng-tracepoint-event-impl.h b/probes/lttng-tracepoint-event-impl.h
-index 77b8638..72a669e 100644
--- a/probes/lttng-tracepoint-event-impl.h
-+++ b/probes/lttng-tracepoint-event-impl.h
-@@ -1132,11 +1132,11 @@ static void __event_probe__##_name(void *__data, _proto)                      \
-                                                                              \
-        if (!_TP_SESSION_CHECK(session, __session))                           \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__session->active)))                          \
-+       if (unlikely(!LTTNG_READ_ONCE(__session->active)))                    \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__chan->enabled)))                            \
-+       if (unlikely(!LTTNG_READ_ONCE(__chan->enabled)))                      \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__event->enabled)))                           \
-+       if (unlikely(!LTTNG_READ_ONCE(__event->enabled)))                     \
-                return;                                                       \
-        __lf = lttng_rcu_dereference(__session->pid_tracker.p);               \
-        if (__lf && likely(!lttng_id_tracker_lookup(__lf, current->tgid)))    \
-@@ -1225,11 +1225,11 @@ static void __event_probe__##_name(void *__data)                              \
-                                                                              \
-        if (!_TP_SESSION_CHECK(session, __session))                           \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__session->active)))                          \
-+       if (unlikely(!LTTNG_READ_ONCE(__session->active)))                    \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__chan->enabled)))                            \
-+       if (unlikely(!LTTNG_READ_ONCE(__chan->enabled)))                      \
-                return;                                                       \
-       if (unlikely(!READ_ONCE(__event->enabled)))                           \
-+       if (unlikely(!LTTNG_READ_ONCE(__event->enabled)))                     \
-                return;                                                       \
-        __lf = lttng_rcu_dereference(__session->pid_tracker.p);               \
-        if (__lf && likely(!lttng_id_tracker_lookup(__lf, current->tgid)))    \
-diff --git a/probes/lttng-uprobes.c b/probes/lttng-uprobes.c
-index bc10128..bda1d9b 100644
--- a/probes/lttng-uprobes.c
-+++ b/probes/lttng-uprobes.c
-@@ -40,11 +40,11 @@ int lttng_uprobes_handler_pre(struct uprobe_consumer *uc, struct pt_regs *regs)
-                unsigned long ip;
-        } payload;
- 
-       if (unlikely(!READ_ONCE(chan->session->active)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->session->active)))
-                return 0;
-       if (unlikely(!READ_ONCE(chan->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(chan->enabled)))
-                return 0;
-       if (unlikely(!READ_ONCE(event->enabled)))
-+       if (unlikely(!LTTNG_READ_ONCE(event->enabled)))
-                return 0;
- 
-        lib_ring_buffer_ctx_init(&ctx, chan->chan, &lttng_probe_ctx,
-diff --git a/wrapper/compiler.h b/wrapper/compiler.h
-index 1496f33..b9f8c51 100644
--- a/wrapper/compiler.h
-+++ b/wrapper/compiler.h
-@@ -9,6 +9,7 @@
- #define _LTTNG_WRAPPER_COMPILER_H
- 
- #include <linux/compiler.h>
-+#include <linux/version.h>
- 
- /*
-  * Don't allow compiling with buggy compiler.
-@@ -39,4 +40,21 @@
- # define WRITE_ONCE(x, val)    ({ ACCESS_ONCE(x) = val; })
- #endif
- 
-+/*
-+ * In v4.15 a smp read barrier was added to READ_ONCE to replace
-+ * lockless_dereference(), replicate this behavior on prior kernels
-+ * and remove calls to smp_read_barrier_depends which was dropped
-+ * in v5.9.
-+ */
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,15,0))
-+#define LTTNG_READ_ONCE(x)     READ_ONCE(x)
-+#else
-+#define LTTNG_READ_ONCE(x)                     \
-+({                                             \
-+       typeof(x) __val = READ_ONCE(x);         \
-+       smp_read_barrier_depends();             \
-+       __val;                                  \
-+})
-+#endif
-+
- #endif /* _LTTNG_WRAPPER_COMPILER_H */
-diff --git a/wrapper/trace-clock.h b/wrapper/trace-clock.h
-index 9f4e366..187fc82 100644
--- a/wrapper/trace-clock.h
-+++ b/wrapper/trace-clock.h
-@@ -160,33 +160,30 @@ static inline void put_trace_clock(void)
- 
- static inline u64 trace_clock_read64(void)
- {
-       struct lttng_trace_clock *ltc = READ_ONCE(lttng_trace_clock);
-+       struct lttng_trace_clock *ltc = LTTNG_READ_ONCE(lttng_trace_clock);
- 
-        if (likely(!ltc)) {
-                return trace_clock_read64_monotonic();
-        } else {
-               read_barrier_depends(); /* load ltc before content */
-                return ltc->read64();
-        }
- }
- 
- static inline u64 trace_clock_freq(void)
- {
-       struct lttng_trace_clock *ltc = READ_ONCE(lttng_trace_clock);
-+       struct lttng_trace_clock *ltc = LTTNG_READ_ONCE(lttng_trace_clock);
- 
-        if (!ltc) {
-                return trace_clock_freq_monotonic();
-        } else {
-               read_barrier_depends(); /* load ltc before content */
-                return ltc->freq();
-        }
- }
- 
- static inline int trace_clock_uuid(char *uuid)
- {
-       struct lttng_trace_clock *ltc = READ_ONCE(lttng_trace_clock);
-+       struct lttng_trace_clock *ltc = LTTNG_READ_ONCE(lttng_trace_clock);
- 
-       read_barrier_depends(); /* load ltc before content */
-        /* Use default UUID cb when NULL */
-        if (!ltc || !ltc->uuid) {
-                return trace_clock_uuid_monotonic(uuid);
-@@ -197,24 +194,22 @@ static inline int trace_clock_uuid(char *uuid)
- 
- static inline const char *trace_clock_name(void)
- {
-       struct lttng_trace_clock *ltc = READ_ONCE(lttng_trace_clock);
-+       struct lttng_trace_clock *ltc = LTTNG_READ_ONCE(lttng_trace_clock);
- 
-        if (!ltc) {
-                return trace_clock_name_monotonic();
-        } else {
-               read_barrier_depends(); /* load ltc before content */
-                return ltc->name();
-        }
- }
- 
- static inline const char *trace_clock_description(void)
- {
-       struct lttng_trace_clock *ltc = READ_ONCE(lttng_trace_clock);
-+       struct lttng_trace_clock *ltc = LTTNG_READ_ONCE(lttng_trace_clock);
- 
-        if (!ltc) {
-                return trace_clock_description_monotonic();
-        } else {
-               read_barrier_depends(); /* load ltc before content */
-                return ltc->description();
-        }
- }
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0007-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
new file mode 100644
index 0000000000..fde9398394
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0007-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
@@ -0,0 +1,88 @@
+From 37b9cb0e6cb92181b7a25583849a9d161a558982 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 26 Oct 2020 13:41:02 -0400
+Subject: [PATCH 07/19] fix: objtool: Rename frame.h -> objtool.h (v5.10)
+See upstream commit :
+  commit 00089c048eb4a8250325efb32a2724fd0da68cce
+  Author: Julien Thierry <jthierry@redhat.com>
+  Date:   Fri Sep 4 16:30:25 2020 +0100
+    objtool: Rename frame.h -> objtool.h
+    Header frame.h is getting more code annotations to help objtool analyze
+    object files.
+    Rename the file to objtool.h.
+Upstream-Status: Backport
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: Ic2283161bebcbf1e33b72805eb4d2628f4ae3e89
+---
+ lttng-filter-interpreter.c     |  2 +-
+ wrapper/{frame.h => objtool.h} | 19 ++++++++++++-------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+ rename wrapper/{frame.h => objtool.h} (50%)
+diff --git a/lttng-filter-interpreter.c b/lttng-filter-interpreter.c
+index 21169f01..5d572437 100644
+--- a/lttng-filter-interpreter.c
+++ b/lttng-filter-interpreter.c
+@@ -8,7 +8,7 @@
+  */
+ 
+ #include <wrapper/uaccess.h>
+-#include <wrapper/frame.h>
+#include <wrapper/objtool.h>
+ #include <wrapper/types.h>
+ #include <linux/swab.h>
+ 
+diff --git a/wrapper/frame.h b/wrapper/objtool.h
+similarity index 50%
+rename from wrapper/frame.h
+rename to wrapper/objtool.h
+index 6e6dc811..3b997cae 100644
+--- a/wrapper/frame.h
+++ b/wrapper/objtool.h
+@@ -1,18 +1,23 @@
+-/* SPDX-License-Identifier: (GPL-2.0 or LGPL-2.1)
+/* SPDX-License-Identifier: (GPL-2.0-only or LGPL-2.1-only)
+  *
+- * wrapper/frame.h
+ * wrapper/objtool.h
+  *
+  * Copyright (C) 2016 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+  */
+ 
+-#ifndef _LTTNG_WRAPPER_FRAME_H
+-#define _LTTNG_WRAPPER_FRAME_H
+#ifndef _LTTNG_WRAPPER_OBJTOOL_H
+#define _LTTNG_WRAPPER_OBJTOOL_H
+ 
+ #include <linux/version.h>
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
+-
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+#include <linux/objtool.h>
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
+ #include <linux/frame.h>
+#endif
+
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
+ 
+ #define LTTNG_STACK_FRAME_NON_STANDARD(func) \
+        STACK_FRAME_NON_STANDARD(func)
+@@ -23,4 +28,4 @@
+ 
+ #endif
+ 
+-#endif /* _LTTNG_WRAPPER_FRAME_H */
+#endif /* _LTTNG_WRAPPER_OBJTOOL_H */
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-writeback-Drop-I_DIRTY_TIME_EXPIRE-v5.9.patch b/meta/recipes-kernel/lttng/lttng-modules/0007-fix-writeback-Drop-I_DIRTY_TIME_EXPIRE-v5.9.patch
deleted file mode 100644
index 2843c9cb62..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-writeback-Drop-I_DIRTY_TIME_EXPIRE-v5.9.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From eae02feb58064eee5ce15a9f6bdffd107c47da05 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 31 Aug 2020 11:41:38 -0400
-Subject: [PATCH 07/10] fix: writeback: Drop I_DIRTY_TIME_EXPIRE (v5.9)
-See upstream commit:
-  commit 5fcd57505c002efc5823a7355e21f48dd02d5a51
-  Author: Jan Kara <jack@suse.cz>
-  Date:   Fri May 29 16:24:43 2020 +0200
-    writeback: Drop I_DIRTY_TIME_EXPIRE
-    The only use of I_DIRTY_TIME_EXPIRE is to detect in
-    __writeback_single_inode() that inode got there because flush worker
-    decided it's time to writeback the dirty inode time stamps (either
-    because we are syncing or because of age). However we can detect this
-    directly in __writeback_single_inode() and there's no need for the
-    strange propagation with I_DIRTY_TIME_EXPIRE flag.
-Upstream-Status: Backport
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I92e37c2ff3ec36d431e8f9de5c8e37c5a2da55ea
---
- instrumentation/events/lttng-module/writeback.h | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-diff --git a/instrumentation/events/lttng-module/writeback.h b/instrumentation/events/lttng-module/writeback.h
-index affb4eb..ece67ad 100644
--- a/instrumentation/events/lttng-module/writeback.h
-+++ b/instrumentation/events/lttng-module/writeback.h
-@@ -46,7 +46,21 @@ static inline struct backing_dev_info *lttng_inode_to_bdi(struct inode *inode)
- 
- #endif
- 
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,0,0))
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+#define show_inode_state(state)                                        \
-+       __print_flags(state, "|",                               \
-+               {I_DIRTY_SYNC,          "I_DIRTY_SYNC"},        \
-+               {I_DIRTY_DATASYNC,      "I_DIRTY_DATASYNC"},    \
-+               {I_DIRTY_PAGES,         "I_DIRTY_PAGES"},       \
-+               {I_NEW,                 "I_NEW"},               \
-+               {I_WILL_FREE,           "I_WILL_FREE"},         \
-+               {I_FREEING,             "I_FREEING"},           \
-+               {I_CLEAR,               "I_CLEAR"},             \
-+               {I_SYNC,                "I_SYNC"},              \
-+               {I_DIRTY_TIME,          "I_DIRTY_TIME"},        \
-+               {I_REFERENCED,          "I_REFERENCED"}         \
-+       )
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,0,0))
- #define show_inode_state(state)                                        \
-        __print_flags(state, "|",                               \
-                {I_DIRTY_SYNC,          "I_DIRTY_SYNC"},        \
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0008-fix-writeback-Fix-sync-livelock-due-to-b_dirty_time-.patch b/meta/recipes-kernel/lttng/lttng-modules/0008-fix-writeback-Fix-sync-livelock-due-to-b_dirty_time-.patch
deleted file mode 100644
index 7a0d9a38b8..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0008-fix-writeback-Fix-sync-livelock-due-to-b_dirty_time-.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 87b2affc3eb06f3fb2d0923f18af37713eb6814b Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 31 Aug 2020 14:16:01 -0400
-Subject: [PATCH 08/10] fix: writeback: Fix sync livelock due to b_dirty_time
- processing (v5.9)
-See upstream commit:
-  commit f9cae926f35e8230330f28c7b743ad088611a8de
-  Author: Jan Kara <jack@suse.cz>
-  Date:   Fri May 29 16:08:58 2020 +0200
-    writeback: Fix sync livelock due to b_dirty_time processing
-    When we are processing writeback for sync(2), move_expired_inodes()
-    didn't set any inode expiry value (older_than_this). This can result in
-    writeback never completing if there's steady stream of inodes added to
-    b_dirty_time list as writeback rechecks dirty lists after each writeback
-    round whether there's more work to be done. Fix the problem by using
-    sync(2) start time is inode expiry value when processing b_dirty_time
-    list similarly as for ordinarily dirtied inodes. This requires some
-    refactoring of older_than_this handling which simplifies the code
-    noticeably as a bonus.
-Upstream-Status: Backport
-Change-Id: I8b894b13ccc14d9b8983ee4c2810a927c319560b
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- .../events/lttng-module/writeback.h           | 39 ++++++++++++-------
- 1 file changed, 26 insertions(+), 13 deletions(-)
-diff --git a/instrumentation/events/lttng-module/writeback.h b/instrumentation/events/lttng-module/writeback.h
-index ece67ad..e9018dd 100644
--- a/instrumentation/events/lttng-module/writeback.h
-+++ b/instrumentation/events/lttng-module/writeback.h
-@@ -384,34 +384,48 @@ LTTNG_TRACEPOINT_EVENT_WBC_INSTANCE(wbc_balance_dirty_wait, writeback_wbc_balanc
- #endif
- LTTNG_TRACEPOINT_EVENT_WBC_INSTANCE(wbc_writepage, writeback_wbc_writepage)
- 
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,1,0))
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+LTTNG_TRACEPOINT_EVENT(writeback_queue_io,
-+       TP_PROTO(struct bdi_writeback *wb,
-+                struct wb_writeback_work *work,
-+                unsigned long dirtied_before,
-+                int moved),
-+       TP_ARGS(wb, work, dirtied_before, moved),
-+       TP_FIELDS(
-+               ctf_array_text(char, name, dev_name(wb->bdi->dev), 32)
-+               ctf_integer(unsigned long, older, dirtied_before)
-+               ctf_integer(int, moved, moved)
-+       )
-+)
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0))
- LTTNG_TRACEPOINT_EVENT(writeback_queue_io,
-        TP_PROTO(struct bdi_writeback *wb,
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0))
-                 struct wb_writeback_work *work,
-#else
-                unsigned long *older_than_this,
-#endif
-                 int moved),
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0))
-        TP_ARGS(wb, work, moved),
-#else
-+       TP_FIELDS(
-+               ctf_array_text(char, name, dev_name(wb->bdi->dev), 32)
-+               ctf_integer(int, moved, moved)
-+       )
-+)
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,1,0))
-+LTTNG_TRACEPOINT_EVENT(writeback_queue_io,
-+       TP_PROTO(struct bdi_writeback *wb,
-+                unsigned long *older_than_this,
-+                int moved),
-        TP_ARGS(wb, older_than_this, moved),
-#endif
-        TP_FIELDS(
-                ctf_array_text(char, name, dev_name(wb->bdi->dev), 32)
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0))
-#else
-                ctf_integer(unsigned long, older,
-                        older_than_this ? *older_than_this : 0)
-                ctf_integer(long, age,
-                        older_than_this ?
-                                (jiffies - *older_than_this) * 1000 / HZ
-                                : -1)
-#endif
-                ctf_integer(int, moved, moved)
-        )
- )
-+#endif
- 
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,8,0))
- LTTNG_TRACEPOINT_EVENT_MAP(global_dirty_state,
-@@ -460,7 +474,7 @@ LTTNG_TRACEPOINT_EVENT_MAP(global_dirty_state,
-                ctf_integer(unsigned long, dirty_limit, global_dirty_limit)
-        )
- )
-#else
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,1,0))
- LTTNG_TRACEPOINT_EVENT_MAP(global_dirty_state,
- 
-        writeback_global_dirty_state,
-@@ -485,7 +499,6 @@ LTTNG_TRACEPOINT_EVENT_MAP(global_dirty_state,
-        )
- )
- #endif
-#endif
- 
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0))
- 
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0009-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch b/meta/recipes-kernel/lttng/lttng-modules/0009-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
new file mode 100644
index 0000000000..bc87c7174e
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0009-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
@@ -0,0 +1,179 @@
+From ddad4e82bc2cc48c0eb56d2daf69409026e8b31a Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Tue, 27 Oct 2020 12:10:05 -0400
+Subject: [PATCH 09/19] fix: btrfs: make ordered extent tracepoint take
+ btrfs_inode (v5.10)
+See upstream commit :
+  commit acbf1dd0fcbd10c67826a19958f55a053b32f532
+  Author: Nikolay Borisov <nborisov@suse.com>
+  Date:   Mon Aug 31 14:42:40 2020 +0300
+    btrfs: make ordered extent tracepoint take btrfs_inode
+Upstream-Status: Backport
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I096d0801ffe0ad826cfe414cdd1c0857cbd2b624
+---
+ instrumentation/events/lttng-module/btrfs.h | 120 +++++++++++++++-----
+ 1 file changed, 90 insertions(+), 30 deletions(-)
+diff --git a/instrumentation/events/lttng-module/btrfs.h b/instrumentation/events/lttng-module/btrfs.h
+index 52fcfd0d..d47f3280 100644
+--- a/instrumentation/events/lttng-module/btrfs.h
+++ b/instrumentation/events/lttng-module/btrfs.h
+@@ -346,7 +346,29 @@ LTTNG_TRACEPOINT_EVENT(btrfs_handle_em_exist,
+ )
+ #endif
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
+
+       TP_PROTO(const struct btrfs_inode *inode,
+                const struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered),
+
+       TP_FIELDS(
+               ctf_array(u8, fsid, inode->root->lttng_fs_info_fsid, BTRFS_UUID_SIZE)
+               ctf_integer(ino_t, ino, btrfs_ino(inode))
+               ctf_integer(u64, file_offset, ordered->file_offset)
+               ctf_integer(u64, start, ordered->disk_bytenr)
+               ctf_integer(u64, len, ordered->num_bytes)
+               ctf_integer(u64, disk_len, ordered->disk_num_bytes)
+               ctf_integer(u64, bytes_left, ordered->bytes_left)
+               ctf_integer(unsigned long, flags, ordered->flags)
+               ctf_integer(int, compress_type, ordered->compress_type)
+               ctf_integer(int, refs, refcount_read(&ordered->refs))
+               ctf_integer(u64, root_objectid, inode->root->root_key.objectid)
+       )
+)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0))
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
+ 
+        TP_PROTO(const struct inode *inode,
+@@ -458,7 +480,39 @@ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
+ )
+ #endif
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
+
+       TP_PROTO(const struct btrfs_inode *inode,
+                const struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
+
+       TP_PROTO(const struct btrfs_inode *inode,
+                const struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
+
+       TP_PROTO(const struct btrfs_inode *inode,
+                const struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
+
+       TP_PROTO(const struct btrfs_inode *inode,
+                const struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
+        LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
+        LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
+        LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
+@@ -494,7 +548,41 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
+ 
+        TP_ARGS(inode, ordered)
+ )
+#else
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
+
+       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
+
+       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
+
+       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+ 
+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
+
+       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+
+       TP_ARGS(inode, ordered)
+)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
+       LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__writepage,
+ 
+        TP_PROTO(const struct page *page, const struct inode *inode,
+@@ -563,34 +651,6 @@ LTTNG_TRACEPOINT_EVENT(btrfs_sync_file,
+        )
+ )
+ #else
+-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
+-
+-       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+-
+-       TP_ARGS(inode, ordered)
+-)
+-
+-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
+-
+-       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+-
+-       TP_ARGS(inode, ordered)
+-)
+-
+-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
+-
+-       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+-
+-       TP_ARGS(inode, ordered)
+-)
+-
+-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
+-
+-       TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
+-
+-       TP_ARGS(inode, ordered)
+-)
+-
+ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__writepage,
+ 
+        TP_PROTO(struct page *page, struct inode *inode,
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0009-fix-version-ranges-for-ext4_discard_preallocations-a.patch b/meta/recipes-kernel/lttng/lttng-modules/0009-fix-version-ranges-for-ext4_discard_preallocations-a.patch
deleted file mode 100644
index 346e1d63ad..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0009-fix-version-ranges-for-ext4_discard_preallocations-a.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b74b25f349e92d7b5bdc8684e406d6a889f13773 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Fri, 4 Sep 2020 11:52:51 -0400
-Subject: [PATCH 09/10] fix: version ranges for ext4_discard_preallocations and
- writeback_queue_io
-Upstream-Status: Backport
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: Id4fa53cb2e713cbda651e1a75deed91013115592
---
- instrumentation/events/lttng-module/ext4.h      | 3 ++-
- instrumentation/events/lttng-module/writeback.h | 8 +++++++-
- 2 files changed, 9 insertions(+), 2 deletions(-)
-diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
-index 4476abb..b172c8d 100644
--- a/instrumentation/events/lttng-module/ext4.h
-+++ b/instrumentation/events/lttng-module/ext4.h
-@@ -460,7 +460,8 @@ LTTNG_TRACEPOINT_EVENT(ext4_mb_release_group_pa,
- )
- #endif
- 
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0) || \
-+       LTTNG_KERNEL_RANGE(5,8,6, 5,9,0))
- LTTNG_TRACEPOINT_EVENT(ext4_discard_preallocations,
-        TP_PROTO(struct inode *inode, unsigned int len, unsigned int needed),
- 
-diff --git a/instrumentation/events/lttng-module/writeback.h b/instrumentation/events/lttng-module/writeback.h
-index e9018dd..09637d7 100644
--- a/instrumentation/events/lttng-module/writeback.h
-+++ b/instrumentation/events/lttng-module/writeback.h
-@@ -384,7 +384,13 @@ LTTNG_TRACEPOINT_EVENT_WBC_INSTANCE(wbc_balance_dirty_wait, writeback_wbc_balanc
- #endif
- LTTNG_TRACEPOINT_EVENT_WBC_INSTANCE(wbc_writepage, writeback_wbc_writepage)
- 
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0))
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0) || \
-+       LTTNG_KERNEL_RANGE(5,8,6, 5,9,0) || \
-+       LTTNG_KERNEL_RANGE(5,4,62, 5,5,0) || \
-+       LTTNG_KERNEL_RANGE(4,19,143, 4,20,0) || \
-+       LTTNG_KERNEL_RANGE(4,14,196, 4,15,0) || \
-+       LTTNG_KERNEL_RANGE(4,9,235, 4,10,0) || \
-+       LTTNG_KERNEL_RANGE(4,4,235, 4,5,0))
- LTTNG_TRACEPOINT_EVENT(writeback_queue_io,
-        TP_PROTO(struct bdi_writeback *wb,
-                 struct wb_writeback_work *work,
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0010-Fix-system-call-filter-table.patch b/meta/recipes-kernel/lttng/lttng-modules/0010-Fix-system-call-filter-table.patch
deleted file mode 100644
index a16750ddb3..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0010-Fix-system-call-filter-table.patch
+++ /dev/null
@@ -1,918 +0,0 @@
-From ad594e3a953db1b0c3c059fde45b5a5494f6be78 Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Tue, 28 Jan 2020 16:02:44 -0500
-Subject: [PATCH 10/10] Fix: system call filter table
-The system call filter table has effectively been unused for a long
-time due to system call name prefix mismatch. This means the overhead of
-selective system call tracing was larger than it should have been because
-the event payload preparation would be done for all system calls as soon
-as a single system call is traced.
-However, fixing this underlying issue unearths several issues that crept
-unnoticed when the "enabler" concept was introduced (after the original
-implementation of the system call filter table).
-Here is a list of the issues which are resolved here:
- Split lttng_syscalls_unregister into an unregister and destroy
-  function, thus awaiting for a grace period (and therefore quiescence
-  of the users) after unregistering the system call tracepoints before
-  freeing the system call filter data structures. This effectively fixes
-  a use-after-free.
- The state for enabling "all" system calls vs enabling specific system
-  calls (and sequences of enable-disable) was incorrect with respect to
-  the "enablers" semantic. This is solved by always tracking the
-  bitmap of enabled system calls, and keeping this bitmap even when
-  enabling all system calls. The sc_filter is now always allocated
-  before system call tracing is registered to tracepoints, which means
-  it does not need to be RCU dereferenced anymore.
-Padding fields in the ABI are reserved to select whether to:
- Trace either native or compat system call (or both, which is the
-  behavior currently implemented),
- Trace either system call entry or exit (or both, which is the
-  behavior currently implemented),
- Select the system call to trace by name (behavior currently
-  implemented) or by system call number,
-Upstream-Status: Backport
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
- lttng-abi.c      |  43 ++++++
- lttng-abi.h      |  26 ++++
- lttng-events.c   | 112 +++++++++++++--
- lttng-events.h   |  31 ++++-
- lttng-syscalls.c | 348 +++++++++++++++++++++++++----------------------
- 5 files changed, 380 insertions(+), 180 deletions(-)
-diff --git a/lttng-abi.c b/lttng-abi.c
-index 64ea99d..b33879d 100644
--- a/lttng-abi.c
-+++ b/lttng-abi.c
-@@ -1264,6 +1264,46 @@ nomem:
-        return ret;
- }
- 
-+static
-+int lttng_abi_validate_event_param(struct lttng_kernel_event *event_param)
-+{
-+       /* Limit ABI to implemented features. */
-+       switch (event_param->instrumentation) {
-+       case LTTNG_KERNEL_SYSCALL:
-+               switch (event_param->u.syscall.entryexit) {
-+               case LTTNG_KERNEL_SYSCALL_ENTRYEXIT:
-+                       break;
-+               default:
-+                       return -EINVAL;
-+               }
-+               switch (event_param->u.syscall.abi) {
-+               case LTTNG_KERNEL_SYSCALL_ABI_ALL:
-+                       break;
-+               default:
-+                       return -EINVAL;
-+               }
-+               switch (event_param->u.syscall.match) {
-+               case LTTNG_SYSCALL_MATCH_NAME:
-+                       break;
-+               default:
-+                       return -EINVAL;
-+               }
-+               break;
-+
-+       case LTTNG_KERNEL_TRACEPOINT:   /* Fallthrough */
-+       case LTTNG_KERNEL_KPROBE:       /* Fallthrough */
-+       case LTTNG_KERNEL_KRETPROBE:    /* Fallthrough */
-+       case LTTNG_KERNEL_NOOP:         /* Fallthrough */
-+       case LTTNG_KERNEL_UPROBE:
-+               break;
-+
-+       case LTTNG_KERNEL_FUNCTION:     /* Fallthrough */
-+       default:
-+               return -EINVAL;
-+       }
-+       return 0;
-+}
-+
- static
- int lttng_abi_create_event(struct file *channel_file,
-                           struct lttng_kernel_event *event_param)
-@@ -1305,6 +1345,9 @@ int lttng_abi_create_event(struct file *channel_file,
-                ret = -EOVERFLOW;
-                goto refcount_error;
-        }
-+       ret = lttng_abi_validate_event_param(event_param);
-+       if (ret)
-+               goto event_error;
-        if (event_param->instrumentation == LTTNG_KERNEL_TRACEPOINT
-                        || event_param->instrumentation == LTTNG_KERNEL_SYSCALL) {
-                struct lttng_enabler *enabler;
-diff --git a/lttng-abi.h b/lttng-abi.h
-index 1d356ab..51d60e5 100644
--- a/lttng-abi.h
-+++ b/lttng-abi.h
-@@ -90,6 +90,31 @@ struct lttng_kernel_event_callsite {
-        } u;
- } __attribute__((packed));
- 
-+enum lttng_kernel_syscall_entryexit {
-+       LTTNG_KERNEL_SYSCALL_ENTRYEXIT = 0,
-+       LTTNG_KERNEL_SYSCALL_ENTRY = 1,         /* Not implemented. */
-+       LTTNG_KERNEL_SYSCALL_EXIT = 2,          /* Not implemented. */
-+};
-+
-+enum lttng_kernel_syscall_abi {
-+       LTTNG_KERNEL_SYSCALL_ABI_ALL = 0,
-+       LTTNG_KERNEL_SYSCALL_ABI_NATIVE = 1,    /* Not implemented. */
-+       LTTNG_KERNEL_SYSCALL_ABI_COMPAT = 2,    /* Not implemented. */
-+};
-+
-+enum lttng_kernel_syscall_match {
-+       LTTNG_SYSCALL_MATCH_NAME = 0,
-+       LTTNG_SYSCALL_MATCH_NR = 1,             /* Not implemented. */
-+};
-+
-+struct lttng_kernel_syscall {
-+       uint8_t entryexit;      /* enum lttng_kernel_syscall_entryexit */
-+       uint8_t abi;            /* enum lttng_kernel_syscall_abi */
-+       uint8_t match;          /* enum lttng_kernel_syscall_match */
-+       uint8_t padding;
-+       uint32_t nr;            /* For LTTNG_SYSCALL_MATCH_NR */
-+} __attribute__((packed));
-+
- /*
-  * For syscall tracing, name = "*" means "enable all".
-  */
-@@ -106,6 +131,7 @@ struct lttng_kernel_event {
-                struct lttng_kernel_kprobe kprobe;
-                struct lttng_kernel_function_tracer ftrace;
-                struct lttng_kernel_uprobe uprobe;
-+               struct lttng_kernel_syscall syscall;
-                char padding[LTTNG_KERNEL_EVENT_PADDING2];
-        } u;
- } __attribute__((packed));
-diff --git a/lttng-events.c b/lttng-events.c
-index d719294..4c0b04a 100644
--- a/lttng-events.c
-+++ b/lttng-events.c
-@@ -201,6 +201,10 @@ void lttng_session_destroy(struct lttng_session *session)
-                WARN_ON(ret);
-        }
-        synchronize_trace();    /* Wait for in-flight events to complete */
-+       list_for_each_entry(chan, &session->chan, list) {
-+               ret = lttng_syscalls_destroy(chan);
-+               WARN_ON(ret);
-+       }
-        list_for_each_entry_safe(enabler, tmpenabler,
-                        &session->enablers_head, node)
-                lttng_enabler_destroy(enabler);
-@@ -740,6 +744,28 @@ struct lttng_event *_lttng_event_create(struct lttng_channel *chan,
-                event->enabled = 0;
-                event->registered = 0;
-                event->desc = event_desc;
-+               switch (event_param->u.syscall.entryexit) {
-+               case LTTNG_KERNEL_SYSCALL_ENTRYEXIT:
-+                       ret = -EINVAL;
-+                       goto register_error;
-+               case LTTNG_KERNEL_SYSCALL_ENTRY:
-+                       event->u.syscall.entryexit = LTTNG_SYSCALL_ENTRY;
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_EXIT:
-+                       event->u.syscall.entryexit = LTTNG_SYSCALL_EXIT;
-+                       break;
-+               }
-+               switch (event_param->u.syscall.abi) {
-+               case LTTNG_KERNEL_SYSCALL_ABI_ALL:
-+                       ret = -EINVAL;
-+                       goto register_error;
-+               case LTTNG_KERNEL_SYSCALL_ABI_NATIVE:
-+                       event->u.syscall.abi = LTTNG_SYSCALL_ABI_NATIVE;
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_ABI_COMPAT:
-+                       event->u.syscall.abi = LTTNG_SYSCALL_ABI_COMPAT;
-+                       break;
-+               }
-                if (!event->desc) {
-                        ret = -EINVAL;
-                        goto register_error;
-@@ -826,8 +852,7 @@ void register_event(struct lttng_event *event)
-                                                  event);
-                break;
-        case LTTNG_KERNEL_SYSCALL:
-               ret = lttng_syscall_filter_enable(event->chan,
-                       desc->name);
-+               ret = lttng_syscall_filter_enable(event->chan, event);
-                break;
-        case LTTNG_KERNEL_KPROBE:
-        case LTTNG_KERNEL_UPROBE:
-@@ -870,8 +895,7 @@ int _lttng_event_unregister(struct lttng_event *event)
-                ret = 0;
-                break;
-        case LTTNG_KERNEL_SYSCALL:
-               ret = lttng_syscall_filter_disable(event->chan,
-                       desc->name);
-+               ret = lttng_syscall_filter_disable(event->chan, event);
-                break;
-        case LTTNG_KERNEL_NOOP:
-                ret = 0;
-@@ -1203,39 +1227,87 @@ int lttng_desc_match_enabler(const struct lttng_event_desc *desc,
-                struct lttng_enabler *enabler)
- {
-        const char *desc_name, *enabler_name;
-+       bool compat = false, entry = false;
- 
-        enabler_name = enabler->event_param.name;
-        switch (enabler->event_param.instrumentation) {
-        case LTTNG_KERNEL_TRACEPOINT:
-                desc_name = desc->name;
-+               switch (enabler->type) {
-+               case LTTNG_ENABLER_STAR_GLOB:
-+                       return lttng_match_enabler_star_glob(desc_name, enabler_name);
-+               case LTTNG_ENABLER_NAME:
-+                       return lttng_match_enabler_name(desc_name, enabler_name);
-+               default:
-+                       return -EINVAL;
-+               }
-                break;
-        case LTTNG_KERNEL_SYSCALL:
-                desc_name = desc->name;
-               if (!strncmp(desc_name, "compat_", strlen("compat_")))
-+               if (!strncmp(desc_name, "compat_", strlen("compat_"))) {
-                        desc_name += strlen("compat_");
-+                       compat = true;
-+               }
-                if (!strncmp(desc_name, "syscall_exit_",
-                                strlen("syscall_exit_"))) {
-                        desc_name += strlen("syscall_exit_");
-                } else if (!strncmp(desc_name, "syscall_entry_",
-                                strlen("syscall_entry_"))) {
-                        desc_name += strlen("syscall_entry_");
-+                       entry = true;
-                } else {
-                        WARN_ON_ONCE(1);
-                        return -EINVAL;
-                }
-+               switch (enabler->event_param.u.syscall.entryexit) {
-+               case LTTNG_KERNEL_SYSCALL_ENTRYEXIT:
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_ENTRY:
-+                       if (!entry)
-+                               return 0;
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_EXIT:
-+                       if (entry)
-+                               return 0;
-+                       break;
-+               default:
-+                       return -EINVAL;
-+               }
-+               switch (enabler->event_param.u.syscall.abi) {
-+               case LTTNG_KERNEL_SYSCALL_ABI_ALL:
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_ABI_NATIVE:
-+                       if (compat)
-+                               return 0;
-+                       break;
-+               case LTTNG_KERNEL_SYSCALL_ABI_COMPAT:
-+                       if (!compat)
-+                               return 0;
-+                       break;
-+               default:
-+                       return -EINVAL;
-+               }
-+               switch (enabler->event_param.u.syscall.match) {
-+               case LTTNG_SYSCALL_MATCH_NAME:
-+                       switch (enabler->type) {
-+                       case LTTNG_ENABLER_STAR_GLOB:
-+                               return lttng_match_enabler_star_glob(desc_name, enabler_name);
-+                       case LTTNG_ENABLER_NAME:
-+                               return lttng_match_enabler_name(desc_name, enabler_name);
-+                       default:
-+                               return -EINVAL;
-+                       }
-+                       break;
-+               case LTTNG_SYSCALL_MATCH_NR:
-+                       return -EINVAL; /* Not implemented. */
-+               default:
-+                       return -EINVAL;
-+               }
-                break;
-        default:
-                WARN_ON_ONCE(1);
-                return -EINVAL;
-        }
-       switch (enabler->type) {
-       case LTTNG_ENABLER_STAR_GLOB:
-               return lttng_match_enabler_star_glob(desc_name, enabler_name);
-       case LTTNG_ENABLER_NAME:
-               return lttng_match_enabler_name(desc_name, enabler_name);
-       default:
-               return -EINVAL;
-       }
- }
- 
- static
-@@ -1361,9 +1433,21 @@ void lttng_create_event_if_missing(struct lttng_enabler *enabler)
- static
- int lttng_enabler_ref_events(struct lttng_enabler *enabler)
- {
-       struct lttng_session *session = enabler->chan->session;
-+       struct lttng_channel *chan = enabler->chan;
-+       struct lttng_session *session = chan->session;
-        struct lttng_event *event;
- 
-+       if (enabler->event_param.instrumentation == LTTNG_KERNEL_SYSCALL &&
-+                       enabler->event_param.u.syscall.entryexit == LTTNG_KERNEL_SYSCALL_ENTRYEXIT &&
-+                       enabler->event_param.u.syscall.abi == LTTNG_KERNEL_SYSCALL_ABI_ALL &&
-+                       enabler->event_param.u.syscall.match == LTTNG_SYSCALL_MATCH_NAME &&
-+                       !strcmp(enabler->event_param.name, "*")) {
-+               if (enabler->enabled)
-+                       WRITE_ONCE(chan->syscall_all, 1);
-+               else
-+                       WRITE_ONCE(chan->syscall_all, 0);
-+       }
-+
-        /* First ensure that probe events are created for this enabler. */
-        lttng_create_event_if_missing(enabler);
- 
-diff --git a/lttng-events.h b/lttng-events.h
-index a36a312..d4d9976 100644
--- a/lttng-events.h
-+++ b/lttng-events.h
-@@ -292,6 +292,16 @@ struct lttng_uprobe_handler {
-        struct list_head node;
- };
- 
-+enum lttng_syscall_entryexit {
-+       LTTNG_SYSCALL_ENTRY,
-+       LTTNG_SYSCALL_EXIT,
-+};
-+
-+enum lttng_syscall_abi {
-+       LTTNG_SYSCALL_ABI_NATIVE,
-+       LTTNG_SYSCALL_ABI_COMPAT,
-+};
-+
- /*
-  * lttng_event structure is referred to by the tracing fast path. It must be
-  * kept small.
-@@ -318,6 +328,11 @@ struct lttng_event {
-                        struct inode *inode;
-                        struct list_head head;
-                } uprobe;
-+               struct {
-+                       char *syscall_name;
-+                       enum lttng_syscall_entryexit entryexit;
-+                       enum lttng_syscall_abi abi;
-+               } syscall;
-        } u;
-        struct list_head list;          /* Event list in session */
-        unsigned int metadata_dumped:1;
-@@ -457,10 +472,10 @@ struct lttng_channel {
-        struct lttng_syscall_filter *sc_filter;
-        int header_type;                /* 0: unset, 1: compact, 2: large */
-        enum channel_type channel_type;
-+       int syscall_all;
-        unsigned int metadata_dumped:1,
-                sys_enter_registered:1,
-                sys_exit_registered:1,
-               syscall_all:1,
-                tstate:1;               /* Transient enable state */
- };
- 
-@@ -653,10 +668,11 @@ void lttng_clock_unref(void);
- #if defined(CONFIG_HAVE_SYSCALL_TRACEPOINTS)
- int lttng_syscalls_register(struct lttng_channel *chan, void *filter);
- int lttng_syscalls_unregister(struct lttng_channel *chan);
-+int lttng_syscalls_destroy(struct lttng_channel *chan);
- int lttng_syscall_filter_enable(struct lttng_channel *chan,
-               const char *name);
-+               struct lttng_event *event);
- int lttng_syscall_filter_disable(struct lttng_channel *chan,
-               const char *name);
-+               struct lttng_event *event);
- long lttng_channel_syscall_mask(struct lttng_channel *channel,
-                struct lttng_kernel_syscall_mask __user *usyscall_mask);
- #else
-@@ -670,14 +686,19 @@ static inline int lttng_syscalls_unregister(struct lttng_channel *chan)
-        return 0;
- }
- 
-+static inline int lttng_syscalls_destroy(struct lttng_channel *chan)
-+{
-+       return 0;
-+}
-+
- static inline int lttng_syscall_filter_enable(struct lttng_channel *chan,
-               const char *name)
-+               struct lttng_event *event);
- {
-        return -ENOSYS;
- }
- 
- static inline int lttng_syscall_filter_disable(struct lttng_channel *chan,
-               const char *name)
-+               struct lttng_event *event);
- {
-        return -ENOSYS;
- }
-diff --git a/lttng-syscalls.c b/lttng-syscalls.c
-index 97f1ba9..26cead6 100644
--- a/lttng-syscalls.c
-+++ b/lttng-syscalls.c
-@@ -367,8 +367,10 @@ const struct trace_syscall_entry compat_sc_exit_table[] = {
- #undef CREATE_SYSCALL_TABLE
- 
- struct lttng_syscall_filter {
-       DECLARE_BITMAP(sc, NR_syscalls);
-       DECLARE_BITMAP(sc_compat, NR_compat_syscalls);
-+       DECLARE_BITMAP(sc_entry, NR_syscalls);
-+       DECLARE_BITMAP(sc_exit, NR_syscalls);
-+       DECLARE_BITMAP(sc_compat_entry, NR_compat_syscalls);
-+       DECLARE_BITMAP(sc_compat_exit, NR_compat_syscalls);
- };
- 
- static void syscall_entry_unknown(struct lttng_event *event,
-@@ -391,29 +393,23 @@ void syscall_entry_probe(void *__data, struct pt_regs *regs, long id)
-        size_t table_len;
- 
-        if (unlikely(in_compat_syscall())) {
-               struct lttng_syscall_filter *filter;
-
-               filter = lttng_rcu_dereference(chan->sc_filter);
-               if (filter) {
-                       if (id < 0 || id >= NR_compat_syscalls
-                               || !test_bit(id, filter->sc_compat)) {
-                               /* System call filtered out. */
-                               return;
-                       }
-+               struct lttng_syscall_filter *filter = chan->sc_filter;
-+
-+               if (id < 0 || id >= NR_compat_syscalls
-+                       || (!READ_ONCE(chan->syscall_all) && !test_bit(id, filter->sc_compat_entry))) {
-+                       /* System call filtered out. */
-+                       return;
-                }
-                table = compat_sc_table;
-                table_len = ARRAY_SIZE(compat_sc_table);
-                unknown_event = chan->sc_compat_unknown;
-        } else {
-               struct lttng_syscall_filter *filter;
-
-               filter = lttng_rcu_dereference(chan->sc_filter);
-               if (filter) {
-                       if (id < 0 || id >= NR_syscalls
-                               || !test_bit(id, filter->sc)) {
-                               /* System call filtered out. */
-                               return;
-                       }
-+               struct lttng_syscall_filter *filter = chan->sc_filter;
-+
-+               if (id < 0 || id >= NR_syscalls
-+                       || (!READ_ONCE(chan->syscall_all) && !test_bit(id, filter->sc_entry))) {
-+                       /* System call filtered out. */
-+                       return;
-                }
-                table = sc_table;
-                table_len = ARRAY_SIZE(sc_table);
-@@ -545,29 +541,23 @@ void syscall_exit_probe(void *__data, struct pt_regs *regs, long ret)
- 
-        id = syscall_get_nr(current, regs);
-        if (unlikely(in_compat_syscall())) {
-               struct lttng_syscall_filter *filter;
-
-               filter = lttng_rcu_dereference(chan->sc_filter);
-               if (filter) {
-                       if (id < 0 || id >= NR_compat_syscalls
-                               || !test_bit(id, filter->sc_compat)) {
-                               /* System call filtered out. */
-                               return;
-                       }
-+               struct lttng_syscall_filter *filter = chan->sc_filter;
-+
-+               if (id < 0 || id >= NR_compat_syscalls
-+                       || (!READ_ONCE(chan->syscall_all) && !test_bit(id, filter->sc_compat_exit))) {
-+                       /* System call filtered out. */
-+                       return;
-                }
-                table = compat_sc_exit_table;
-                table_len = ARRAY_SIZE(compat_sc_exit_table);
-                unknown_event = chan->compat_sc_exit_unknown;
-        } else {
-               struct lttng_syscall_filter *filter;
-
-               filter = lttng_rcu_dereference(chan->sc_filter);
-               if (filter) {
-                       if (id < 0 || id >= NR_syscalls
-                               || !test_bit(id, filter->sc)) {
-                               /* System call filtered out. */
-                               return;
-                       }
-+               struct lttng_syscall_filter *filter = chan->sc_filter;
-+
-+               if (id < 0 || id >= NR_syscalls
-+                       || (!READ_ONCE(chan->syscall_all) && !test_bit(id, filter->sc_exit))) {
-+                       /* System call filtered out. */
-+                       return;
-                }
-                table = sc_exit_table;
-                table_len = ARRAY_SIZE(sc_exit_table);
-@@ -713,27 +703,23 @@ int fill_table(const struct trace_syscall_entry *table, size_t table_len,
-                memset(&ev, 0, sizeof(ev));
-                switch (type) {
-                case SC_TYPE_ENTRY:
-                       strncpy(ev.name, SYSCALL_ENTRY_STR,
-                               LTTNG_KERNEL_SYM_NAME_LEN);
-+                       ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
-+                       ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
-                        break;
-                case SC_TYPE_EXIT:
-                       strncpy(ev.name, SYSCALL_EXIT_STR,
-                               LTTNG_KERNEL_SYM_NAME_LEN);
-+                       ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
-+                       ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
-                        break;
-                case SC_TYPE_COMPAT_ENTRY:
-                       strncpy(ev.name, COMPAT_SYSCALL_ENTRY_STR,
-                               LTTNG_KERNEL_SYM_NAME_LEN);
-+                       ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
-+                       ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
-                        break;
-                case SC_TYPE_COMPAT_EXIT:
-                       strncpy(ev.name, COMPAT_SYSCALL_EXIT_STR,
-                               LTTNG_KERNEL_SYM_NAME_LEN);
-                       break;
-               default:
-                       BUG_ON(1);
-+                       ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
-+                       ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
-                        break;
-                }
-               strncat(ev.name, desc->name,
-                       LTTNG_KERNEL_SYM_NAME_LEN - strlen(ev.name) - 1);
-+               strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
-                ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
-                ev.instrumentation = LTTNG_KERNEL_SYSCALL;
-                chan_table[i] = _lttng_event_create(chan, &ev, filter,
-@@ -803,6 +789,8 @@ int lttng_syscalls_register(struct lttng_channel *chan, void *filter)
-                strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
-                ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
-                ev.instrumentation = LTTNG_KERNEL_SYSCALL;
-+               ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
-+               ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
-                chan->sc_unknown = _lttng_event_create(chan, &ev, filter,
-                                                desc,
-                                                ev.instrumentation);
-@@ -820,6 +808,8 @@ int lttng_syscalls_register(struct lttng_channel *chan, void *filter)
-                strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
-                ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
-                ev.instrumentation = LTTNG_KERNEL_SYSCALL;
-+               ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_ENTRY;
-+               ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
-                chan->sc_compat_unknown = _lttng_event_create(chan, &ev, filter,
-                                                desc,
-                                                ev.instrumentation);
-@@ -837,6 +827,8 @@ int lttng_syscalls_register(struct lttng_channel *chan, void *filter)
-                strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
-                ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
-                ev.instrumentation = LTTNG_KERNEL_SYSCALL;
-+               ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
-+               ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
-                chan->compat_sc_exit_unknown = _lttng_event_create(chan, &ev,
-                                                filter, desc,
-                                                ev.instrumentation);
-@@ -854,6 +846,8 @@ int lttng_syscalls_register(struct lttng_channel *chan, void *filter)
-                strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
-                ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
-                ev.instrumentation = LTTNG_KERNEL_SYSCALL;
-+               ev.u.syscall.entryexit = LTTNG_KERNEL_SYSCALL_EXIT;
-+               ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_NATIVE;
-                chan->sc_exit_unknown = _lttng_event_create(chan, &ev, filter,
-                                                desc, ev.instrumentation);
-                WARN_ON_ONCE(!chan->sc_exit_unknown);
-@@ -883,6 +877,14 @@ int lttng_syscalls_register(struct lttng_channel *chan, void *filter)
-        if (ret)
-                return ret;
- #endif
-+
-+       if (!chan->sc_filter) {
-+               chan->sc_filter = kzalloc(sizeof(struct lttng_syscall_filter),
-+                               GFP_KERNEL);
-+               if (!chan->sc_filter)
-+                       return -ENOMEM;
-+       }
-+
-        if (!chan->sys_enter_registered) {
-                ret = lttng_wrapper_tracepoint_probe_register("sys_enter",
-                                (void *) syscall_entry_probe, chan);
-@@ -930,7 +932,11 @@ int lttng_syscalls_unregister(struct lttng_channel *chan)
-                        return ret;
-                chan->sys_exit_registered = 0;
-        }
-       /* lttng_event destroy will be performed by lttng_session_destroy() */
-+       return 0;
-+}
-+
-+int lttng_syscalls_destroy(struct lttng_channel *chan)
-+{
-        kfree(chan->sc_table);
-        kfree(chan->sc_exit_table);
- #ifdef CONFIG_COMPAT
-@@ -993,136 +999,150 @@ uint32_t get_sc_tables_len(void)
-        return ARRAY_SIZE(sc_table) + ARRAY_SIZE(compat_sc_table);
- }
- 
-int lttng_syscall_filter_enable(struct lttng_channel *chan,
-               const char *name)
-+static
-+const char *get_syscall_name(struct lttng_event *event)
- {
-       int syscall_nr, compat_syscall_nr, ret;
-       struct lttng_syscall_filter *filter;
-+       size_t prefix_len = 0;
- 
-       WARN_ON_ONCE(!chan->sc_table);
-+       WARN_ON_ONCE(event->instrumentation != LTTNG_KERNEL_SYSCALL);
- 
-       if (!name) {
-               /* Enable all system calls by removing filter */
-               if (chan->sc_filter) {
-                       filter = chan->sc_filter;
-                       rcu_assign_pointer(chan->sc_filter, NULL);
-                       synchronize_trace();
-                       kfree(filter);
-+       switch (event->u.syscall.entryexit) {
-+       case LTTNG_SYSCALL_ENTRY:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       prefix_len = strlen(SYSCALL_ENTRY_STR);
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       prefix_len = strlen(COMPAT_SYSCALL_ENTRY_STR);
-+                       break;
-                }
-               chan->syscall_all = 1;
-               return 0;
-       }
-
-       if (!chan->sc_filter) {
-               if (chan->syscall_all) {
-                       /*
-                        * All syscalls are already enabled.
-                        */
-                       return -EEXIST;
-+               break;
-+       case LTTNG_SYSCALL_EXIT:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       prefix_len = strlen(SYSCALL_EXIT_STR);
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       prefix_len = strlen(COMPAT_SYSCALL_EXIT_STR);
-+                       break;
-                }
-               filter = kzalloc(sizeof(struct lttng_syscall_filter),
-                               GFP_KERNEL);
-               if (!filter)
-                       return -ENOMEM;
-       } else {
-               filter = chan->sc_filter;
-+               break;
-        }
-       syscall_nr = get_syscall_nr(name);
-       compat_syscall_nr = get_compat_syscall_nr(name);
-       if (syscall_nr < 0 && compat_syscall_nr < 0) {
-               ret = -ENOENT;
-               goto error;
-+       WARN_ON_ONCE(prefix_len == 0);
-+       return event->desc->name + prefix_len;
-+}
-+
-+int lttng_syscall_filter_enable(struct lttng_channel *chan,
-+               struct lttng_event *event)
-+{
-+       struct lttng_syscall_filter *filter = chan->sc_filter;
-+       const char *syscall_name;
-+       unsigned long *bitmap;
-+       int syscall_nr;
-+
-+       WARN_ON_ONCE(!chan->sc_table);
-+
-+       syscall_name = get_syscall_name(event);
-+
-+       switch (event->u.syscall.abi) {
-+       case LTTNG_SYSCALL_ABI_NATIVE:
-+               syscall_nr = get_syscall_nr(syscall_name);
-+               break;
-+       case LTTNG_SYSCALL_ABI_COMPAT:
-+               syscall_nr = get_compat_syscall_nr(syscall_name);
-+               break;
-+       default:
-+               return -EINVAL;
-        }
-       if (syscall_nr >= 0) {
-               if (test_bit(syscall_nr, filter->sc)) {
-                       ret = -EEXIST;
-                       goto error;
-+       if (syscall_nr < 0)
-+               return -ENOENT;
-+
-+
-+       switch (event->u.syscall.entryexit) {
-+       case LTTNG_SYSCALL_ENTRY:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       bitmap = filter->sc_entry;
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       bitmap = filter->sc_compat_entry;
-+                       break;
-                }
-               bitmap_set(filter->sc, syscall_nr, 1);
-       }
-       if (compat_syscall_nr >= 0) {
-               if (test_bit(compat_syscall_nr, filter->sc_compat)) {
-                       ret = -EEXIST;
-                       goto error;
-+               break;
-+       case LTTNG_SYSCALL_EXIT:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       bitmap = filter->sc_exit;
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       bitmap = filter->sc_compat_exit;
-+                       break;
-                }
-               bitmap_set(filter->sc_compat, compat_syscall_nr, 1);
-+               break;
-+       default:
-+               return -EINVAL;
-        }
-       if (!chan->sc_filter)
-               rcu_assign_pointer(chan->sc_filter, filter);
-+       if (test_bit(syscall_nr, bitmap))
-+               return -EEXIST;
-+       bitmap_set(bitmap, syscall_nr, 1);
-        return 0;
-
-error:
-       if (!chan->sc_filter)
-               kfree(filter);
-       return ret;
- }
- 
- int lttng_syscall_filter_disable(struct lttng_channel *chan,
-               const char *name)
-+               struct lttng_event *event)
- {
-       int syscall_nr, compat_syscall_nr, ret;
-       struct lttng_syscall_filter *filter;
-+       struct lttng_syscall_filter *filter = chan->sc_filter;
-+       const char *syscall_name;
-+       unsigned long *bitmap;
-+       int syscall_nr;
- 
-        WARN_ON_ONCE(!chan->sc_table);
- 
-       if (!chan->sc_filter) {
-               if (!chan->syscall_all)
-                       return -EEXIST;
-               filter = kzalloc(sizeof(struct lttng_syscall_filter),
-                               GFP_KERNEL);
-               if (!filter)
-                       return -ENOMEM;
-               /* Trace all system calls, then apply disable. */
-               bitmap_set(filter->sc, 0, NR_syscalls);
-               bitmap_set(filter->sc_compat, 0, NR_compat_syscalls);
-       } else {
-               filter = chan->sc_filter;
-+       syscall_name = get_syscall_name(event);
-+
-+       switch (event->u.syscall.abi) {
-+       case LTTNG_SYSCALL_ABI_NATIVE:
-+               syscall_nr = get_syscall_nr(syscall_name);
-+               break;
-+       case LTTNG_SYSCALL_ABI_COMPAT:
-+               syscall_nr = get_compat_syscall_nr(syscall_name);
-+               break;
-+       default:
-+               return -EINVAL;
-        }
-+       if (syscall_nr < 0)
-+               return -ENOENT;
- 
-       if (!name) {
-               /* Fail if all syscalls are already disabled. */
-               if (bitmap_empty(filter->sc, NR_syscalls)
-                       && bitmap_empty(filter->sc_compat,
-                               NR_compat_syscalls)) {
-                       ret = -EEXIST;
-                       goto error;
-               }
- 
-               /* Disable all system calls */
-               bitmap_clear(filter->sc, 0, NR_syscalls);
-               bitmap_clear(filter->sc_compat, 0, NR_compat_syscalls);
-               goto apply_filter;
-       }
-       syscall_nr = get_syscall_nr(name);
-       compat_syscall_nr = get_compat_syscall_nr(name);
-       if (syscall_nr < 0 && compat_syscall_nr < 0) {
-               ret = -ENOENT;
-               goto error;
-       }
-       if (syscall_nr >= 0) {
-               if (!test_bit(syscall_nr, filter->sc)) {
-                       ret = -EEXIST;
-                       goto error;
-+       switch (event->u.syscall.entryexit) {
-+       case LTTNG_SYSCALL_ENTRY:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       bitmap = filter->sc_entry;
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       bitmap = filter->sc_compat_entry;
-+                       break;
-                }
-               bitmap_clear(filter->sc, syscall_nr, 1);
-       }
-       if (compat_syscall_nr >= 0) {
-               if (!test_bit(compat_syscall_nr, filter->sc_compat)) {
-                       ret = -EEXIST;
-                       goto error;
-+               break;
-+       case LTTNG_SYSCALL_EXIT:
-+               switch (event->u.syscall.abi) {
-+               case LTTNG_SYSCALL_ABI_NATIVE:
-+                       bitmap = filter->sc_exit;
-+                       break;
-+               case LTTNG_SYSCALL_ABI_COMPAT:
-+                       bitmap = filter->sc_compat_exit;
-+                       break;
-                }
-               bitmap_clear(filter->sc_compat, compat_syscall_nr, 1);
-+               break;
-+       default:
-+               return -EINVAL;
-        }
-apply_filter:
-       if (!chan->sc_filter)
-               rcu_assign_pointer(chan->sc_filter, filter);
-       chan->syscall_all = 0;
-       return 0;
-+       if (!test_bit(syscall_nr, bitmap))
-+               return -EEXIST;
-+       bitmap_clear(bitmap, syscall_nr, 1);
- 
-error:
-       if (!chan->sc_filter)
-               kfree(filter);
-       return ret;
-+       return 0;
- }
- 
- static
-@@ -1236,6 +1256,9 @@ const struct file_operations lttng_syscall_list_fops = {
-        .release = seq_release,
- };
- 
-+/*
-+ * A syscall is enabled if it is traced for either entry or exit.
-+ */
- long lttng_channel_syscall_mask(struct lttng_channel *channel,
-                struct lttng_kernel_syscall_mask __user *usyscall_mask)
- {
-@@ -1262,8 +1285,9 @@ long lttng_channel_syscall_mask(struct lttng_channel *channel,
-                char state;
- 
-                if (channel->sc_table) {
-                       if (filter)
-                               state = test_bit(bit, filter->sc);
-+                       if (!READ_ONCE(channel->syscall_all) && filter)
-+                               state = test_bit(bit, filter->sc_entry)
-+                                       || test_bit(bit, filter->sc_exit);
-                        else
-                                state = 1;
-                } else {
-@@ -1275,9 +1299,11 @@ long lttng_channel_syscall_mask(struct lttng_channel *channel,
-                char state;
- 
-                if (channel->compat_sc_table) {
-                       if (filter)
-+                       if (!READ_ONCE(channel->syscall_all) && filter)
-                                state = test_bit(bit - ARRAY_SIZE(sc_table),
-                                               filter->sc_compat);
-+                                               filter->sc_compat_entry)
-+                                       || test_bit(bit - ARRAY_SIZE(sc_table),
-+                                               filter->sc_compat_exit);
-                        else
-                                state = 1;
-                } else {
-- 
-2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0010-fix-ext4-fast-commit-recovery-path-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0010-fix-ext4-fast-commit-recovery-path-v5.10.patch
new file mode 100644
index 0000000000..fb00a44b31
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0010-fix-ext4-fast-commit-recovery-path-v5.10.patch
@@ -0,0 +1,99 @@
+From a28235f8ffa3c961640a835686dddb5ca600dfaf Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 26 Oct 2020 17:03:23 -0400
+Subject: [PATCH 10/19] fix: ext4: fast commit recovery path (v5.10)
+See upstream commit :
+  commit 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2
+  Author: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+  Date:   Thu Oct 15 13:37:59 2020 -0700
+    ext4: fast commit recovery path
+    This patch adds fast commit recovery path support for Ext4 file
+    system. We add several helper functions that are similar in spirit to
+    e2fsprogs journal recovery path handlers. Example of such functions
+    include - a simple block allocator, idempotent block bitmap update
+    function etc. Using these routines and the fast commit log in the fast
+    commit area, the recovery path (ext4_fc_replay()) performs fast commit
+    log recovery.
+Upstream-Status: Backport
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: Ia65cf44e108f2df0b458f0d335f33a8f18f50baa
+---
+ instrumentation/events/lttng-module/ext4.h | 41 ++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
+index b172c8d9..6e74abad 100644
+--- a/instrumentation/events/lttng-module/ext4.h
+++ b/instrumentation/events/lttng-module/ext4.h
+@@ -1274,6 +1274,18 @@ LTTNG_TRACEPOINT_EVENT(ext4_ext_load_extent,
+        )
+ )
+ 
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
+       TP_PROTO(struct super_block *sb, unsigned long ino),
+
+       TP_ARGS(sb, ino),
+
+       TP_FIELDS(
+               ctf_integer(dev_t, dev, sb->s_dev)
+               ctf_integer(ino_t, ino, ino)
+       )
+)
+#else
+ LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
+        TP_PROTO(struct inode *inode),
+ 
+@@ -1284,6 +1296,7 @@ LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
+                ctf_integer(ino_t, ino, inode->i_ino)
+        )
+ )
+#endif
+ 
+ #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
+ 
+@@ -1895,6 +1908,34 @@ LTTNG_TRACEPOINT_EVENT(ext4_es_shrink_exit,
+ 
+ #endif
+ 
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+LTTNG_TRACEPOINT_EVENT(ext4_fc_replay_scan,
+       TP_PROTO(struct super_block *sb, int error, int off),
+
+       TP_ARGS(sb, error, off),
+
+       TP_FIELDS(
+               ctf_integer(dev_t, dev, sb->s_dev)
+               ctf_integer(int, error, error)
+               ctf_integer(int, off, off)
+       )
+)
+
+LTTNG_TRACEPOINT_EVENT(ext4_fc_replay,
+       TP_PROTO(struct super_block *sb, int tag, int ino, int priv1, int priv2),
+
+       TP_ARGS(sb, tag, ino, priv1, priv2),
+
+       TP_FIELDS(
+               ctf_integer(dev_t, dev, sb->s_dev)
+               ctf_integer(int, tag, tag)
+               ctf_integer(int, ino, ino)
+               ctf_integer(int, priv1, priv1)
+               ctf_integer(int, priv2, priv2)
+       )
+)
+#endif
+
+ #endif /* LTTNG_TRACE_EXT4_H */
+ 
+ /* This part must be outside protection */
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0012-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0012-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch
new file mode 100644
index 0000000000..8651bded99
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0012-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch
@@ -0,0 +1,82 @@
+From e30866f96b3ab02639f429e4bd34e59b3a336579 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 26 Oct 2020 14:28:35 -0400
+Subject: [PATCH 12/19] fix: kvm: x86/mmu: Add TDP MMU PF handler (v5.10)
+See upstream commit :
+  commit bb18842e21111a979e2e0e1c5d85c09646f18d51
+  Author: Ben Gardon <bgardon@google.com>
+  Date:   Wed Oct 14 11:26:50 2020 -0700
+    kvm: x86/mmu: Add TDP MMU PF handler
+    Add functions to handle page faults in the TDP MMU. These page faults
+    are currently handled in much the same way as the x86 shadow paging
+    based MMU, however the ordering of some operations is slightly
+    different. Future patches will add eager NX splitting, a fast page fault
+    handler, and parallel page faults.
+    Tested by running kvm-unit-tests and KVM selftests on an Intel Haswell
+    machine. This series introduced no new failures.
+Upstream-Status: Backport
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: Ie56959cb6c77913d2f1188b0ca15da9114623a4e
+---
+ .../lttng-module/arch/x86/kvm/mmutrace.h      | 20 ++++++++++++++++++-
+ probes/lttng-probe-kvm-x86-mmu.c              |  5 +++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+diff --git a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
+index e5470400..86717835 100644
+--- a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
+++ b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
+@@ -163,7 +163,25 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kvm_mmu_page_class, kvm_mmu_prepare_zap_page,
+        TP_ARGS(sp)
+ )
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+
+LTTNG_TRACEPOINT_EVENT_MAP(
+       mark_mmio_spte,
+
+       kvm_mmu_mark_mmio_spte,
+
+       TP_PROTO(u64 *sptep, gfn_t gfn, u64 spte),
+       TP_ARGS(sptep, gfn, spte),
+
+       TP_FIELDS(
+               ctf_integer_hex(void *, sptep, sptep)
+               ctf_integer(gfn_t, gfn, gfn)
+               ctf_integer(unsigned, access, spte & ACC_ALL)
+               ctf_integer(unsigned int, gen, get_mmio_spte_generation(spte))
+       )
+)
+
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0))
+ 
+ LTTNG_TRACEPOINT_EVENT_MAP(
+        mark_mmio_spte,
+diff --git a/probes/lttng-probe-kvm-x86-mmu.c b/probes/lttng-probe-kvm-x86-mmu.c
+index 8f981865..5043c776 100644
+--- a/probes/lttng-probe-kvm-x86-mmu.c
+++ b/probes/lttng-probe-kvm-x86-mmu.c
+@@ -31,6 +31,11 @@
+ #include <../../arch/x86/kvm/mmutrace.h>
+ #endif
+ 
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+#include <../arch/x86/kvm/mmu.h>
+#include <../arch/x86/kvm/mmu/spte.h>
+#endif
+
+ #undef TRACE_INCLUDE_PATH
+ #undef TRACE_INCLUDE_FILE
+ 
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0014-fix-tracepoint-Optimize-using-static_call-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0014-fix-tracepoint-Optimize-using-static_call-v5.10.patch
new file mode 100644
index 0000000000..5892a408b3
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0014-fix-tracepoint-Optimize-using-static_call-v5.10.patch
@@ -0,0 +1,196 @@
+From bb346792c2cb6995ffc08d2084121935c6384865 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 26 Oct 2020 17:09:05 -0400
+Subject: [PATCH 14/19] fix: tracepoint: Optimize using static_call() (v5.10)
+See upstream commit :
+  commit d25e37d89dd2f41d7acae0429039d2f0ae8b4a07
+  Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
+  Date:   Tue Aug 18 15:57:52 2020 +0200
+    tracepoint: Optimize using static_call()
+    Currently the tracepoint site will iterate a vector and issue indirect
+    calls to however many handlers are registered (ie. the vector is
+    long).
+    Using static_call() it is possible to optimize this for the common
+    case of only having a single handler registered. In this case the
+    static_call() can directly call this handler. Otherwise, if the vector
+    is longer than 1, call a function that iterates the whole vector like
+    the current code.
+Upstream-Status: Backport
+Change-Id: I739dd84d62cc1a821b8bd8acff74fa29aa25d22f
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ lttng-statedump-impl.c    | 80 +++++++++++++++++++++++++++++++--------
+ probes/lttng.c            |  7 +++-
+ tests/probes/lttng-test.c |  7 +++-
+ wrapper/tracepoint.h      |  8 ++++
+ 4 files changed, 84 insertions(+), 18 deletions(-)
+diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
+index a6fa71a5..67ecd33c 100644
+--- a/lttng-statedump-impl.c
+++ b/lttng-statedump-impl.c
+@@ -55,26 +55,76 @@
+ #define LTTNG_INSTRUMENTATION
+ #include <instrumentation/events/lttng-module/lttng-statedump.h>
+ 
+-DEFINE_TRACE(lttng_statedump_block_device);
+-DEFINE_TRACE(lttng_statedump_end);
+-DEFINE_TRACE(lttng_statedump_interrupt);
+-DEFINE_TRACE(lttng_statedump_file_descriptor);
+-DEFINE_TRACE(lttng_statedump_start);
+-DEFINE_TRACE(lttng_statedump_process_state);
+-DEFINE_TRACE(lttng_statedump_process_pid_ns);
+LTTNG_DEFINE_TRACE(lttng_statedump_block_device,
+       TP_PROTO(struct lttng_session *session,
+               dev_t dev, const char *diskname),
+       TP_ARGS(session, dev, diskname));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_end,
+       TP_PROTO(struct lttng_session *session),
+       TP_ARGS(session));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_interrupt,
+       TP_PROTO(struct lttng_session *session,
+               unsigned int irq, const char *chip_name,
+               struct irqaction *action),
+       TP_ARGS(session, irq, chip_name, action));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_file_descriptor,
+       TP_PROTO(struct lttng_session *session,
+               struct files_struct *files,
+               int fd, const char *filename,
+               unsigned int flags, fmode_t fmode),
+       TP_ARGS(session, files, fd, filename, flags, fmode));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_start,
+       TP_PROTO(struct lttng_session *session),
+       TP_ARGS(session));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_process_state,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               int type, int mode, int submode, int status,
+               struct files_struct *files),
+       TP_ARGS(session, p, type, mode, submode, status, files));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_process_pid_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct pid_namespace *pid_ns),
+       TP_ARGS(session, p, pid_ns));
+
+ #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
+-DEFINE_TRACE(lttng_statedump_process_cgroup_ns);
+LTTNG_DEFINE_TRACE(lttng_statedump_process_cgroup_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct cgroup_namespace *cgroup_ns),
+       TP_ARGS(session, p, cgroup_ns));
+ #endif
+-DEFINE_TRACE(lttng_statedump_process_ipc_ns);
+
+LTTNG_DEFINE_TRACE(lttng_statedump_process_ipc_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct ipc_namespace *ipc_ns),
+       TP_ARGS(session, p, ipc_ns));
+
+ #ifndef LTTNG_MNT_NS_MISSING_HEADER
+-DEFINE_TRACE(lttng_statedump_process_mnt_ns);
+LTTNG_DEFINE_TRACE(lttng_statedump_process_mnt_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct mnt_namespace *mnt_ns),
+       TP_ARGS(session, p, mnt_ns));
+ #endif
+-DEFINE_TRACE(lttng_statedump_process_net_ns);
+-DEFINE_TRACE(lttng_statedump_process_user_ns);
+-DEFINE_TRACE(lttng_statedump_process_uts_ns);
+-DEFINE_TRACE(lttng_statedump_network_interface);
+
+LTTNG_DEFINE_TRACE(lttng_statedump_network_interface,
+       TP_PROTO(struct lttng_session *session,
+               struct net_device *dev, struct in_ifaddr *ifa),
+       TP_ARGS(session, dev, ifa));
+
+ #ifdef LTTNG_HAVE_STATEDUMP_CPU_TOPOLOGY
+-DEFINE_TRACE(lttng_statedump_cpu_topology);
+LTTNG_DEFINE_TRACE(lttng_statedump_cpu_topology,
+       TP_PROTO(struct lttng_session *session, struct cpuinfo_x86 *c),
+       TP_ARGS(session, c));
+ #endif
+ 
+ struct lttng_fd_ctx {
+diff --git a/probes/lttng.c b/probes/lttng.c
+index 05bc1388..7ddaa69f 100644
+--- a/probes/lttng.c
+++ b/probes/lttng.c
+@@ -8,7 +8,7 @@
+  */
+ 
+ #include <linux/module.h>
+-#include <linux/tracepoint.h>
+#include <wrapper/tracepoint.h>
+ #include <linux/uaccess.h>
+ #include <linux/gfp.h>
+ #include <linux/fs.h>
+@@ -32,7 +32,10 @@
+ #define LTTNG_LOGGER_COUNT_MAX 1024
+ #define LTTNG_LOGGER_FILE      "lttng-logger"
+ 
+-DEFINE_TRACE(lttng_logger);
+LTTNG_DEFINE_TRACE(lttng_logger,
+       PARAMS(const char __user *text, size_t len),
+       PARAMS(text, len)
+);
+ 
+ static struct proc_dir_entry *lttng_logger_dentry;
+ 
+diff --git a/tests/probes/lttng-test.c b/tests/probes/lttng-test.c
+index b450e7d7..a4fa0645 100644
+--- a/tests/probes/lttng-test.c
+++ b/tests/probes/lttng-test.c
+@@ -25,7 +25,12 @@
+ #define LTTNG_INSTRUMENTATION
+ #include <instrumentation/events/lttng-module/lttng-test.h>
+ 
+-DEFINE_TRACE(lttng_test_filter_event);
+LTTNG_DEFINE_TRACE(lttng_test_filter_event,
+       PARAMS(int anint, int netint, long *values,
+               char *text, size_t textlen,
+               char *etext, uint32_t * net_values),
+       PARAMS(anint, netint, values, text, textlen, etext, net_values)
+);
+ 
+ #define LTTNG_TEST_FILTER_EVENT_FILE   "lttng-test-filter-event"
+ 
+diff --git a/wrapper/tracepoint.h b/wrapper/tracepoint.h
+index c4ba0123..bc19d8c1 100644
+--- a/wrapper/tracepoint.h
+++ b/wrapper/tracepoint.h
+@@ -14,6 +14,14 @@
+ #include <linux/tracepoint.h>
+ #include <linux/module.h>
+ 
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
+#define LTTNG_DEFINE_TRACE(name, proto, args)          \
+       DEFINE_TRACE(name, PARAMS(proto), PARAMS(args))
+#else
+#define LTTNG_DEFINE_TRACE(name, proto, args)          \
+       DEFINE_TRACE(name)
+#endif
+
+ #ifndef HAVE_KABI_2635_TRACEPOINT
+ 
+ #define kabi_2635_tracepoint_probe_register tracepoint_probe_register
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0016-fix-statedump-undefined-symbols-caused-by-incorrect-.patch b/meta/recipes-kernel/lttng/lttng-modules/0016-fix-statedump-undefined-symbols-caused-by-incorrect-.patch
new file mode 100644
index 0000000000..e848e16f59
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0016-fix-statedump-undefined-symbols-caused-by-incorrect-.patch
@@ -0,0 +1,55 @@
+From 31f8bf794172102e9758928b481856c4a8800a7f Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Mon, 23 Nov 2020 18:14:25 +0800
+Subject: [PATCH 16/19] fix: statedump: undefined symbols caused by incorrect
+ patch backport
+bb346792c2cb ("fix: tracepoint: Optimize using static_call() (v5.10)")
+misses three definitions and causes the following build failures.
+ERROR: "__tracepoint_lttng_statedump_process_net_ns" [lttng-statedump.ko] undefined!
+ERROR: "__tracepoint_lttng_statedump_process_user_ns" [lttng-statedump.ko] undefined!
+ERROR: "__tracepoint_lttng_statedump_process_uts_ns" [lttng-statedump.ko] undefined!
+Fixes: #1290
+Upstream-Status: Backport
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ lttng-statedump-impl.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
+index 67ecd33c..cf803a73 100644
+--- a/lttng-statedump-impl.c
+++ b/lttng-statedump-impl.c
+@@ -116,6 +116,24 @@ LTTNG_DEFINE_TRACE(lttng_statedump_process_mnt_ns,
+        TP_ARGS(session, p, mnt_ns));
+ #endif
+ 
+LTTNG_DEFINE_TRACE(lttng_statedump_process_net_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct net *net_ns),
+       TP_ARGS(session, p, net_ns));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_process_user_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct user_namespace *user_ns),
+       TP_ARGS(session, p, user_ns));
+
+LTTNG_DEFINE_TRACE(lttng_statedump_process_uts_ns,
+       TP_PROTO(struct lttng_session *session,
+               struct task_struct *p,
+               struct uts_namespace *uts_ns),
+       TP_ARGS(session, p, uts_ns));
+
+ LTTNG_DEFINE_TRACE(lttng_statedump_network_interface,
+        TP_PROTO(struct lttng_session *session,
+                struct net_device *dev, struct in_ifaddr *ifa),
+-- 
+2.19.1
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.12.2.bb b/meta/recipes-kernel/lttng/lttng-modules_2.12.3.bb
index e36b327a08..3515e4f51e 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.12.2.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.12.3.bb
@@ -11,19 +11,16 @@ include lttng-platforms.inc
 SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
           file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
-           file://0001-Kconfig-fix-dependency-issue-when-building-in-tree-w.patch \
+           file://0001-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch \
-           file://0002-fix-Move-mmutrace.h-into-the-mmu-sub-directory-v5.9.patch \
+           file://0007-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch \
-           file://0003-fix-KVM-x86-mmu-Make-kvm_mmu_page-definition-and-acc.patch \
+           file://0009-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch \
-           file://0004-fix-ext4-limit-the-length-of-per-inode-prealloc-list.patch \
+           file://0010-fix-ext4-fast-commit-recovery-path-v5.10.patch \
-           file://0005-fix-ext4-indicate-via-a-block-bitmap-read-is-prefetc.patch \
+           file://0012-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch \
-           file://0006-fix-removal-of-smp_-read_barrier_depends-v5.9.patch \
+           file://0014-fix-tracepoint-Optimize-using-static_call-v5.10.patch \
-           file://0007-fix-writeback-Drop-I_DIRTY_TIME_EXPIRE-v5.9.patch \
+           file://0016-fix-statedump-undefined-symbols-caused-by-incorrect-.patch \
-           file://0008-fix-writeback-Fix-sync-livelock-due-to-b_dirty_time-.patch \
-           file://0009-fix-version-ranges-for-ext4_discard_preallocations-a.patch \
-           file://0010-Fix-system-call-filter-table.patch \
           "
-SRC_URI[sha256sum] = "df50bc3bd58679705714f17721acf619a8b0cedc694f8a97052aa5099626feca"
+SRC_URI[sha256sum] = "673ef85c9f03e9b8fed10795e09d4e68add39404b70068d08b10f7b85754d7f0"
 export INSTALL_MOD_DIR="kernel/lttng-modules"
@@ -46,7 +43,7 @@ SRC_URI_class-devupstream = "git://git.lttng.org/lttng-modules;branch=stable-2.1
           file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
           file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
           "
-SRCREV_class-devupstream = "ad594e3a953db1b0c3c059fde45b5a5494f6be78"
+SRCREV_class-devupstream = "be71b60a327d7ad2588abc5cad2861177119972b"
-PV_class-devupstream = "2.12.2+git${SRCPV}"
+PV_class-devupstream = "2.12.3+git${SRCPV}"
 S_class-devupstream = "${WORKDIR}/git"
 SRCREV_FORMAT ?= "lttng_git"
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.04.29.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
index a5827b9ef0..05ab95ed7f 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.04.29.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "89fd031aed5977c219a71501e144375a10e7c90d1005d5d086ea7972886a2c7a"
+SRC_URI[sha256sum] = "b4164490d82ff7b0086e812ac42ab27baf57be24324d4c0ee1c5dd6ba27f2a52"
 inherit bin_package allarch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch
new file mode 100644
index 0000000000..3b503c49c9
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch
@@ -0,0 +1,97 @@
+From 24a58d70cbb3997e471366bd5afe54be9007bfb1 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 15:32:14 +0000
+Subject: [PATCH] libavutil: include assembly with full path from source root
+Otherwise nasm writes the full host-specific paths into .o
+output, which breaks binary reproducibility.
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ libavutil/x86/cpuid.asm      | 2 +-
+ libavutil/x86/emms.asm       | 2 +-
+ libavutil/x86/fixed_dsp.asm  | 2 +-
+ libavutil/x86/float_dsp.asm  | 2 +-
+ libavutil/x86/lls.asm        | 2 +-
+ libavutil/x86/pixelutils.asm | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/libavutil/x86/cpuid.asm b/libavutil/x86/cpuid.asm
+index c3f7866..766f77f 100644
+--- a/libavutil/x86/cpuid.asm
+++ b/libavutil/x86/cpuid.asm
+@@ -21,7 +21,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION .text
+ 
+diff --git a/libavutil/x86/emms.asm b/libavutil/x86/emms.asm
+index 8611762..df84f22 100644
+--- a/libavutil/x86/emms.asm
+++ b/libavutil/x86/emms.asm
+@@ -18,7 +18,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION .text
+ 
+diff --git a/libavutil/x86/fixed_dsp.asm b/libavutil/x86/fixed_dsp.asm
+index 979dd5c..2f41185 100644
+--- a/libavutil/x86/fixed_dsp.asm
+++ b/libavutil/x86/fixed_dsp.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION .text
+ 
+diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm
+index 517fd63..b773e61 100644
+--- a/libavutil/x86/float_dsp.asm
+++ b/libavutil/x86/float_dsp.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION_RODATA 32
+ pd_reverse: dd 7, 6, 5, 4, 3, 2, 1, 0
+diff --git a/libavutil/x86/lls.asm b/libavutil/x86/lls.asm
+index 317fba6..d2526d1 100644
+--- a/libavutil/x86/lls.asm
+++ b/libavutil/x86/lls.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION .text
+ 
+diff --git a/libavutil/x86/pixelutils.asm b/libavutil/x86/pixelutils.asm
+index 36c57c5..8b45ead 100644
+--- a/libavutil/x86/pixelutils.asm
+++ b/libavutil/x86/pixelutils.asm
+@@ -21,7 +21,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+ 
+-%include "x86util.asm"
+%include "libavutil/x86/x86util.asm"
+ 
+ SECTION .text
+ 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
new file mode 100644
index 0000000000..6b96bd674f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
@@ -0,0 +1,75 @@
+From 27a99e2c7d450fef15594671eef4465c8a166bd7 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Wed, 28 Oct 2020 20:11:54 +0100
+Subject: [PATCH] avformat/vividas: improve extradata packing checks in
+ track_header()
+Fixes: out of array accesses
+Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7]
+CVE: CVE-2020-35964
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ libavformat/vividas.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+diff --git a/libavformat/vividas.c b/libavformat/vividas.c
+index 83d0ed116787..46c66bf9a0ae 100644
+--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
+@@ -28,6 +28,7 @@
+  * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
+  */
+ 
+#include "libavutil/avassert.h"
+ #include "libavutil/intreadwrite.h"
+ #include "avio_internal.h"
+ #include "avformat.h"
+@@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
+ 
+         if (avio_tell(pb) < off) {
+             int num_data;
+-            int xd_size = 0;
+            int xd_size = 1;
+             int data_len[256];
+             int offset = 1;
+             uint8_t *p;
+@@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
+                     return AVERROR_INVALIDDATA;
+                 }
+                 data_len[j] = len;
+-                xd_size += len;
+                xd_size += len + 1 + len/255;
+             }
+ 
+-            ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 255);
+            ret = ff_alloc_extradata(st->codecpar, xd_size);
+             if (ret < 0)
+                 return ret;
+ 
+@@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
+ 
+             for (j = 0; j < num_data - 1; j++) {
+                 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
+-                if (delta > data_len[j]) {
+-                    return AVERROR_INVALIDDATA;
+-                }
+                av_assert0(delta <= xd_size - offset);
+                 offset += delta;
+             }
+ 
+@@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
+                     av_freep(&st->codecpar->extradata);
+                     break;
+                 }
+                av_assert0(data_len[j] <= xd_size - offset);
+                 offset += data_len[j];
+             }
+ 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
new file mode 100644
index 0000000000..ddab8e9aca
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -0,0 +1,35 @@
+From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 24 Oct 2020 22:21:48 +0200
+Subject: [PATCH] avcodec/exr: Check ymin vs. h
+Fixes: out of array access
+Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
+Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]
+CVE: CVE-2020-35965
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ libavcodec/exr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index e907c5c46401..8b701d1cd298 100644
+--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
+@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+     // Zero out the start if ymin is not 0
+     for (i = 0; i < planes; i++) {
+         ptr = picture->data[i];
+-        for (y = 0; y < s->ymin; y++) {
+        for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
+             memset(ptr, 0, out_line_size);
+             ptr += picture->linesize[i];
+         }
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
index 517dac7f05..f902b08811 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
@@ -25,6 +25,9 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://mips64_cpu_detection.patch \
+           file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
+           file://CVE-2020-35964.patch \
+           file://CVE-2020-35965.patch \
           "
 SRC_URI[sha256sum] = "ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb"
@@ -128,6 +131,11 @@ do_configure() {
    ${S}/configure ${EXTRA_OECONF}
 }
+# patch out build host paths for reproducibility
+do_compile_prepend_class-target() {
+        sed -i -e "s,${WORKDIR},,g" ${B}/config.h
+}
 PACKAGES =+ "libavcodec \
             libavdevice \
             libavfilter \
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index a4f4772c1c..9daaf7587e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -97,3 +97,5 @@ def get_opengl_cmdline_list(switch_name, options, d):
        return '-D' + switch_name + '=' + ','.join(selected_options)
    else:
        return ''
+CVE_PRODUCT += "gst-plugins-base"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
index 14b34a2808..3eeb69d72c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
@@ -16,6 +16,8 @@ PNREAL = "gst-python"
 S = "${WORKDIR}/${PNREAL}-${PV}"
+EXTRA_OEMESON += "-Dlibpython-dir=${libdir}"
 # gobject-introspection is mandatory and cannot be configured
 REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"
 UNKNOWN_CONFIGURE_WHITELIST_append = " introspection"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
index 5f1b1d44fa..ed51a5693e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
@@ -29,3 +29,5 @@ GIR_MESON_DISABLE_FLAG = "disabled"
 # Starting with 1.8.0 gst-rtsp-server includes dependency-less plugins as well
 require gstreamer1.0-plugins-packaging.inc
+CVE_PRODUCT += "gst-rtsp-server"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
new file mode 100644
index 0000000000..e0e64e2c7a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
@@ -0,0 +1,32 @@
+From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Tue, 15 Sep 2020 00:54:58 +0900
+Subject: [PATCH] tests: seek: Don't use too strict timeout for validation
+Expected segment-done message might not be seen within expected
+time if system is not powerful enough.
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625>
+Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ tests/check/pipelines/seek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c
+index 28bb8846d..5f7447bc5 100644
+--- a/tests/check/pipelines/seek.c
+++ b/tests/check/pipelines/seek.c
+@@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2)
+ 
+   GST_INFO ("wait for segment done message");
+ 
+-  msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND,
+  msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE,
+       GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR);
+   fail_unless (msg, "no message within the timed window");
+   fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done");
+-- 
+2.29.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 7afe56cd7b..632ef8819c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -22,6 +22,7 @@ SRC_URI = " \
    file://0003-meson-Add-valgrind-feature.patch \
    file://0004-meson-Add-option-for-installed-tests.patch \
    file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \
+    file://0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \
 "
 SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a"
 SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7"
diff --git a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
index 2061c280e4..82cdaf54c7 100644
--- a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
+++ b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Bellagio is an opensource implementation of the Khronos OpenMAX \
 HOMEPAGE = "http://omxil.sourceforge.net/"
 LICENSE = "LGPLv2.1+"
-LICENSE_FLAGS = "commercial"
+LICENSE_FLAGS = "${@bb.utils.contains('PACKAGECONFIG', 'amr', 'commercial', '', d)}"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ae6f0f4dbc7ac193b50f323a6ae191cb \
                    file://src/omxcore.h;beginline=1;endline=27;md5=806b1e5566c06486fe8e42b461e03a90"
@@ -28,6 +28,10 @@ PROVIDES += "virtual/libomxil"
 CFLAGS += "-fcommon"
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[amr] = "--enable-amr,,"
 #
 # The .so files under ${libdir}/bellagio are not intended to be versioned and symlinked.
 # Make sure they get packaged in the main package.
diff --git a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
index 3641217306..4f08d6eb64 100644
--- a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
+++ b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
 require core-image-sato-sdk.bb
 require conf/distro/include/ptest-packagelists.inc
diff --git a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
index bf749acd79..4d59c9536b 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
 require core-image-sato-sdk.bb
 require conf/distro/include/ptest-packagelists.inc
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
index 34b14f86ea..45b3ee2bce 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
@@ -134,3 +134,15 @@ GI_DATA_ENABLED_libc-musl_armv7ve = "False"
 # Can't be built with ccache
 CCACHE_DISABLE = "1"
+PACKAGE_PREPROCESS_FUNCS += "src_package_preprocess"
+src_package_preprocess () {
+        # Trim build paths from comments in generated sources to ensure reproducibility
+        sed -i -e "s,${WORKDIR},,g" \
+            ${B}/DerivedSources/webkit2gtk/webkit2/*.cpp \
+            ${B}/DerivedSources/ForwardingHeaders/JavaScriptCore/*.h \
+            ${B}/DerivedSources/JavaScriptCore/*.h \
+            ${B}/DerivedSources/JavaScriptCore/yarr/*.h \
+            ${B}/DerivedSources/MiniBrowser/*.c
+}
diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
index 519762d125..15f4f4276c 100644
--- a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
+++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
@@ -15,3 +15,6 @@ REQUIRED_DISTRO_FEATURES = "opengl"
 SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz"
 SRC_URI[sha256sum] = "9b980a73ea4e3762266c48f81ded56d9dcad4acf32bad9bd05d0dffdd454c6f5"
+FILES_${PN} += "${libdir}/libWPEBackend-fdo-1.0.so"
+FILES_SOLIBSDEV = ""
+INSANE_SKIP_${PN} += "dev-so"
diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.1.bb
index 0dd8f025e8..4e183ca374 100644
--- a/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -19,10 +19,9 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
 SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f"
 SRC_URI[sha256sum] = "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459"
-EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ 
+EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
                --without-odbc \
                --without-pgsql \
-                --with-dbm=gdbm \
                --without-sqlite2 \
                --with-expat=${STAGING_DIR_HOST}${prefix}"
@@ -36,6 +35,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
 do_configure_append() {
        if [ "${CLASSOVERRIDE}" = "class-target" ]; then
                cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk
+                sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk
        fi
 }
 do_configure_prepend_class-native() {
@@ -50,6 +50,7 @@ do_configure_append_class-native() {
 do_configure_prepend_class-nativesdk() {
        cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk
+        sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk
 }
 do_configure_append_class-nativesdk() {
@@ -69,7 +70,7 @@ PACKAGECONFIG ??= "crypto gdbm"
 PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
 PACKAGECONFIG[crypto] = "--with-openssl=${STAGING_DIR_HOST}${prefix} --with-crypto,--without-crypto,openssl"
 PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}${prefix},--without-sqlite3,sqlite3"
-PACKAGECONFIG[gdbm] = "--with-gdbm=${STAGING_DIR_HOST}${prefix},--without-gdbm,gdbm"
+PACKAGECONFIG[gdbm] = "--with-dbm=gdbm --with-gdbm=${STAGING_DIR_HOST}${prefix},--without-gdbm,gdbm"
 #files ${libdir}/apr-util-1/*.so are not symlinks but loadable modules thus they are packaged in ${PN}
 FILES_${PN}     += "${libdir}/apr-util-1/apr*${SOLIBS} ${libdir}/apr-util-1/apr*${SOLIBSDEV}"
diff --git a/meta/recipes-support/boost/boost/arm-intrinsics.patch b/meta/recipes-support/boost/boost/arm-intrinsics.patch
deleted file mode 100644
index fe85c69a82..0000000000
--- a/meta/recipes-support/boost/boost/arm-intrinsics.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Upstream-Status: Backport
-8/17/2010 - rebased to 1.44 by Qing He <qing.he@intel.com>
-diff --git a/boost/smart_ptr/detail/atomic_count_sync.hpp b/boost/smart_ptr/detail/atomic_count_sync.hpp
-index b6359b5..78b1cc2 100644
--- a/boost/smart_ptr/detail/atomic_count_sync.hpp
-+++ b/boost/smart_ptr/detail/atomic_count_sync.hpp
-@@ -33,17 +33,46 @@ public:
- 
-     long operator++()
-     {
-+#ifdef __ARM_ARCH_7A__
-+       int v1, tmp;
-+       asm volatile ("1:                 \n\t"
-+                     "ldrex   %0, %1     \n\t"
-+                     "add     %0 ,%0, #1 \n\t"
-+                     "strex   %2, %0, %1 \n\t"
-+                     "cmp     %2, #0     \n\t"
-+                     "bne     1b         \n\t"
-+                     : "=&r" (v1), "+Q"(value_), "=&r"(tmp)
-+                    );
-+#else
-         return __sync_add_and_fetch( &value_, 1 );
-+#endif
-     }
- 
-     long operator--()
-     {
-+#ifdef __ARM_ARCH_7A__
-+       int v1, tmp;
-+       asm volatile ("1:                 \n\t"
-+                     "ldrex   %0, %1     \n\t"
-+                     "sub     %0 ,%0, #1 \n\t"
-+                     "strex   %2, %0, %1 \n\t"
-+                     "cmp     %2, #0     \n\t"
-+                     "bne     1b         \n\t"
-+                     : "=&r" (v1), "+Q"(value_), "=&r"(tmp)
-+                    );
-+       return value_;
-+#else
-         return __sync_add_and_fetch( &value_, -1 );
-+#endif
-     }
- 
-     operator long() const
-     {
-+#if __ARM_ARCH_7A__
-+        return value_;
-+#else
-         return __sync_fetch_and_add( &value_, 0 );
-+#endif
-     }
- 
- private:
diff --git a/meta/recipes-support/boost/boost_1.74.0.bb b/meta/recipes-support/boost/boost_1.74.0.bb
index b01b390a59..9188303195 100644
--- a/meta/recipes-support/boost/boost_1.74.0.bb
+++ b/meta/recipes-support/boost/boost_1.74.0.bb
@@ -1,7 +1,7 @@
 require boost-${PV}.inc
 require boost.inc
-SRC_URI += "file://arm-intrinsics.patch \
+SRC_URI += " \
           file://boost-CVE-2012-2677.patch \
           file://boost-math-disable-pch-for-gcc.patch \
           file://0001-Apply-boost-1.62.0-no-forced-flags.patch.patch \
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
deleted file mode 100644
index aa2c85ff43..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b6d18ca77f131cdcaa10d0eaa9d303399767edf6 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 28 Aug 2019 19:18:14 +0200
-Subject: [PATCH] certdata2pem.py: use python3
-Comments in that file imply it is already py3 compatible.
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- mozilla/Makefile        | 2 +-
- mozilla/certdata2pem.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/mozilla/Makefile b/mozilla/Makefile
-index 6f46118..f98877c 100644
--- a/mozilla/Makefile
-+++ b/mozilla/Makefile
-@@ -3,7 +3,7 @@
- #
- 
- all:
-       python certdata2pem.py
-+       python3 certdata2pem.py
- 
- clean:
-        -rm -f *.crt
-diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index 0b02b2a..7d796f1 100644
--- a/mozilla/certdata2pem.py
-+++ b/mozilla/certdata2pem.py
-@@ -1,4 +1,4 @@
-#!/usr/bin/python
-+#!/usr/bin/python3
- # vim:set et sw=4:
- #
- # certdata2pem.py - splits certdata.txt into multiple files
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
index 6f39df7985..7dcc86fdc1 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -14,7 +14,7 @@ DEPENDS_class-nativesdk = "openssl-native"
 # Need rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
-SRCREV = "b3a8980b781bc9a370e42714a605cd4191bb6c0b"
+SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
 SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
           file://0002-update-ca-certificates-use-SYSROOT.patch \
@@ -23,7 +23,6 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
           file://default-sysroot.patch \
           file://sbindir.patch \
           file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
-           file://0001-certdata2pem.py-use-python3.patch \
           "
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
@@ -84,8 +83,8 @@ do_install_append_class-native () {
    SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
 }
-RDEPENDS_${PN}_class-target = "openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
-RDEPENDS_${PN}_class-native = "openssl-native"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/curl/curl/0002-remove-void-protop-create-union-p.patch b/meta/recipes-support/curl/curl/0002-remove-void-protop-create-union-p.patch
new file mode 100644
index 0000000000..d0d01fb97c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0002-remove-void-protop-create-union-p.patch
@@ -0,0 +1,1609 @@
+From bfdb7ee65fc8b96f1fce10ef23871acb092b74b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 23 Nov 2020 08:32:41 +0100
+Subject: [PATCH] urldata: remove 'void *protop' and create the union 'p'
+... to avoid the use of 'void *' for the protocol specific structs done
+per transfer.
+Closes #6238
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a95a6ce6b809693a1195e3b4347a6cfa0fbc2ee7]
+CVE: CVE-2020-8285
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ docs/INTERNALS.md  |  4 ++--
+ lib/file.c         | 14 +++++++-------
+ lib/ftp.c          | 36 ++++++++++++++++++------------------
+ lib/http.c         | 14 +++++++-------
+ lib/http2.c        | 50 +++++++++++++++++++++++++-------------------------
+ lib/http_proxy.c   |  6 +++---
+ lib/imap.c         | 26 +++++++++++++-------------
+ lib/mqtt.c         | 10 +++++-----
+ lib/openldap.c     |  8 ++++----
+ lib/pop3.c         | 14 +++++++-------
+ lib/rtsp.c         |  8 ++++----
+ lib/smb.c          | 20 ++++++++++----------
+ lib/smtp.c         | 22 +++++++++++-----------
+ lib/telnet.c       | 30 +++++++++++++++---------------
+ lib/transfer.c     |  8 ++++----
+ lib/url.c          |  2 +-
+ lib/urldata.h      | 19 +++++++++++++++++--
+ lib/vquic/ngtcp2.c | 24 ++++++++++++------------
+ lib/vquic/quiche.c | 10 +++++-----
+ lib/vssh/libssh.c  | 10 +++++-----
+ lib/vssh/libssh2.c |  8 ++++----
+ lib/vssh/wolfssh.c |  8 ++++----
+ 22 files changed, 183 insertions(+), 168 deletions(-)
+diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
+index 635e7b2..ca8988e 100644
+--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
+@@ -980,8 +980,8 @@ for older and later versions as things don't change drastically that often.
+   protocol specific data that then gets associated with that `Curl_easy` for
+   the rest of this transfer. It gets freed again at the end of the transfer.
+   It will be called before the `connectdata` for the transfer has been
+-  selected/created. Most protocols will allocate its private
+-  `struct [PROTOCOL]` here and assign `Curl_easy->req.protop` to point to it.
+  selected/created. Most protocols will allocate its private `struct
+  [PROTOCOL]` here and assign `Curl_easy->req.p.[protocol]` to it.
+ 
+   `->connect_it` allows a protocol to do some specific actions after the TCP
+   connect is done, that can still be considered part of the connection phase.
+diff --git a/lib/file.c b/lib/file.c
+index cd3e49c..110e5c2 100644
+--- a/lib/file.c
+++ b/lib/file.c
+@@ -119,8 +119,8 @@ const struct Curl_handler Curl_handler_file = {
+ static CURLcode file_setup_connection(struct connectdata *conn)
+ {
+   /* allocate the FILE specific struct */
+-  conn->data->req.protop = calloc(1, sizeof(struct FILEPROTO));
+-  if(!conn->data->req.protop)
+  conn->data->req.p.file = calloc(1, sizeof(struct FILEPROTO));
+  if(!conn->data->req.p.file)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   return CURLE_OK;
+@@ -135,7 +135,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+ {
+   struct Curl_easy *data = conn->data;
+   char *real_path;
+-  struct FILEPROTO *file = data->req.protop;
+  struct FILEPROTO *file = data->req.p.file;
+   int fd;
+ #ifdef DOS_FILESYSTEM
+   size_t i;
+@@ -209,7 +209,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+ static CURLcode file_done(struct connectdata *conn,
+                                CURLcode status, bool premature)
+ {
+-  struct FILEPROTO *file = conn->data->req.protop;
+  struct FILEPROTO *file = conn->data->req.p.file;
+   (void)status; /* not used */
+   (void)premature; /* not used */
+ 
+@@ -227,7 +227,7 @@ static CURLcode file_done(struct connectdata *conn,
+ static CURLcode file_disconnect(struct connectdata *conn,
+                                 bool dead_connection)
+ {
+-  struct FILEPROTO *file = conn->data->req.protop;
+  struct FILEPROTO *file = conn->data->req.p.file;
+   (void)dead_connection; /* not used */
+ 
+   if(file) {
+@@ -249,7 +249,7 @@ static CURLcode file_disconnect(struct connectdata *conn,
+ 
+ static CURLcode file_upload(struct connectdata *conn)
+ {
+-  struct FILEPROTO *file = conn->data->req.protop;
+  struct FILEPROTO *file = conn->data->req.p.file;
+   const char *dir = strchr(file->path, DIRSEP);
+   int fd;
+   int mode;
+@@ -391,7 +391,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+   if(data->set.upload)
+     return file_upload(conn);
+ 
+-  file = conn->data->req.protop;
+  file = conn->data->req.p.file;
+ 
+   /* get the fd from the connection phase */
+   fd = file->fd;
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9fadac5..d1a9447 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -1345,7 +1345,7 @@ static CURLcode ftp_state_use_pasv(struct connectdata *conn)
+ static CURLcode ftp_state_prepare_transfer(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct Curl_easy *data = conn->data;
+ 
+   if(ftp->transfer != FTPTRANSFER_BODY) {
+@@ -1388,7 +1388,7 @@ static CURLcode ftp_state_prepare_transfer(struct connectdata *conn)
+ static CURLcode ftp_state_rest(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+   if((ftp->transfer != FTPTRANSFER_BODY) && ftpc->file) {
+@@ -1409,7 +1409,7 @@ static CURLcode ftp_state_rest(struct connectdata *conn)
+ static CURLcode ftp_state_size(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+   if((ftp->transfer == FTPTRANSFER_INFO) && ftpc->file) {
+@@ -1430,7 +1430,7 @@ static CURLcode ftp_state_list(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+ 
+   /* If this output is to be machine-parsed, the NLST command might be better
+      to use, since the LIST command output is not specified or standard in any
+@@ -1508,7 +1508,7 @@ static CURLcode ftp_state_stor_prequote(struct connectdata *conn)
+ static CURLcode ftp_state_type(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct Curl_easy *data = conn->data;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+@@ -1565,7 +1565,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
+                                    bool sizechecked)
+ {
+   CURLcode result = CURLE_OK;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct Curl_easy *data = conn->data;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+@@ -1664,7 +1664,7 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+   bool quote = FALSE;
+   struct curl_slist *item;
+@@ -2033,7 +2033,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+   switch(ftpcode) {
+@@ -2166,7 +2166,7 @@ static CURLcode ftp_state_retr(struct connectdata *conn,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+   if(data->set.max_filesize && (filesize > data->set.max_filesize)) {
+@@ -2378,7 +2378,7 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+ 
+   if((ftpcode == 150) || (ftpcode == 125)) {
+ 
+@@ -3138,7 +3138,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+                          bool premature)
+ {
+   struct Curl_easy *data = conn->data;
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+   struct pingpong *pp = &ftpc->pp;
+   ssize_t nread;
+@@ -3492,7 +3492,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, int *completep)
+   bool complete = FALSE;
+ 
+   /* the ftp struct is inited in ftp_connect() */
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+ 
+   /* if the second connection isn't done yet, wait for it */
+   if(!conn->bits.tcpconnect[SECONDARYSOCKET]) {
+@@ -3657,7 +3657,7 @@ CURLcode ftp_perform(struct connectdata *conn,
+ 
+   if(conn->data->set.opt_no_body) {
+     /* requested no body means no transfer... */
+-    struct FTP *ftp = conn->data->req.protop;
+    struct FTP *ftp = conn->data->req.p.ftp;
+     ftp->transfer = FTPTRANSFER_INFO;
+   }
+ 
+@@ -3692,7 +3692,7 @@ static void wc_data_dtor(void *ptr)
+ static CURLcode init_wc_data(struct connectdata *conn)
+ {
+   char *last_slash;
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   char *path = ftp->path;
+   struct WildcardData *wildcard = &(conn->data->wildcard);
+   CURLcode result = CURLE_OK;
+@@ -3826,7 +3826,7 @@ static CURLcode wc_statemach(struct connectdata *conn)
+     /* filelist has at least one file, lets get first one */
+     struct ftp_conn *ftpc = &conn->proto.ftpc;
+     struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+-    struct FTP *ftp = conn->data->req.protop;
+    struct FTP *ftp = conn->data->req.p.ftp;
+ 
+     char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+     if(!tmp_path)
+@@ -4099,7 +4099,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+ {
+   struct Curl_easy *data = conn->data;
+   /* the ftp struct is already inited in ftp_connect() */
+-  struct FTP *ftp = data->req.protop;
+  struct FTP *ftp = data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+   const char *slashPos = NULL;
+   const char *fileName = NULL;
+@@ -4244,7 +4244,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+ static CURLcode ftp_dophase_done(struct connectdata *conn,
+                                  bool connected)
+ {
+-  struct FTP *ftp = conn->data->req.protop;
+  struct FTP *ftp = conn->data->req.p.ftp;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+   if(connected) {
+@@ -4341,7 +4341,7 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+   char *type;
+   struct FTP *ftp;
+ 
+-  conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1);
+  conn->data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
+   if(NULL == ftp)
+     return CURLE_OUT_OF_MEMORY;
+ 
+diff --git a/lib/http.c b/lib/http.c
+index 8fcdd43..31d9112 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -162,14 +162,14 @@ static CURLcode http_setup_conn(struct connectdata *conn)
+      during this request */
+   struct HTTP *http;
+   struct Curl_easy *data = conn->data;
+-  DEBUGASSERT(data->req.protop == NULL);
+  DEBUGASSERT(data->req.p.http == NULL);
+ 
+   http = calloc(1, sizeof(struct HTTP));
+   if(!http)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   Curl_mime_initpart(&http->form, conn->data);
+-  data->req.protop = http;
+  data->req.p.http = http;
+ 
+   if(data->set.httpversion == CURL_HTTP_VERSION_3) {
+     if(conn->handler->flags & PROTOPT_SSL)
+@@ -425,7 +425,7 @@ static bool pickoneauth(struct auth *pick, unsigned long mask)
+ static CURLcode http_perhapsrewind(struct connectdata *conn)
+ {
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+   curl_off_t bytessent;
+   curl_off_t expectsend = -1; /* default is unknown */
+ 
+@@ -1109,7 +1109,7 @@ static size_t readmoredata(char *buffer,
+                            void *userp)
+ {
+   struct connectdata *conn = (struct connectdata *)userp;
+-  struct HTTP *http = conn->data->req.protop;
+  struct HTTP *http = conn->data->req.p.http;
+   size_t fullsize = size * nitems;
+ 
+   if(!http->postsize)
+@@ -1167,7 +1167,7 @@ CURLcode Curl_buffer_send(struct dynbuf *in,
+   char *ptr;
+   size_t size;
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+   size_t sendsize;
+   curl_socket_t sockfd;
+   size_t headersize;
+@@ -1517,7 +1517,7 @@ CURLcode Curl_http_done(struct connectdata *conn,
+                         CURLcode status, bool premature)
+ {
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+ 
+   /* Clear multipass flag. If authentication isn't done yet, then it will get
+    * a chance to be set back to true when we output the next auth header */
+@@ -1978,7 +1978,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
+         return result;
+     }
+   }
+-  http = data->req.protop;
+  http = data->req.p.http;
+   DEBUGASSERT(http);
+ 
+   if(!data->state.this_is_a_follow) {
+diff --git a/lib/http2.c b/lib/http2.c
+index d316da8..c41a1c2 100644
+--- a/lib/http2.c
+++ b/lib/http2.c
+@@ -257,7 +257,7 @@ static unsigned int http2_conncheck(struct connectdata *check,
+ /* called from http_setup_conn */
+ void Curl_http2_setup_req(struct Curl_easy *data)
+ {
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+   http->bodystarted = FALSE;
+   http->status_code = -1;
+   http->pausedata = NULL;
+@@ -391,7 +391,7 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
+   if(!h || !GOOD_EASY_HANDLE(h->data))
+     return NULL;
+   else {
+-    struct HTTP *stream = h->data->req.protop;
+    struct HTTP *stream = h->data->req.p.http;
+     if(num < stream->push_headers_used)
+       return stream->push_headers[num];
+   }
+@@ -413,7 +413,7 @@ char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
+      !strcmp(header, ":") || strchr(header + 1, ':'))
+     return NULL;
+   else {
+-    struct HTTP *stream = h->data->req.protop;
+    struct HTTP *stream = h->data->req.p.http;
+     size_t len = strlen(header);
+     size_t i;
+     for(i = 0; i<stream->push_headers_used; i++) {
+@@ -460,7 +460,7 @@ static struct Curl_easy *duphandle(struct Curl_easy *data)
+       (void)Curl_close(&second);
+     }
+     else {
+-      second->req.protop = http;
+      second->req.p.http = http;
+       Curl_dyn_init(&http->header_recvbuf, DYN_H2_HEADERS);
+       Curl_http2_setup_req(second);
+       second->state.stream_weight = data->state.stream_weight;
+@@ -537,7 +537,7 @@ static int push_promise(struct Curl_easy *data,
+     /* ask the application */
+     H2BUGF(infof(data, "Got PUSH_PROMISE, ask application!\n"));
+ 
+-    stream = data->req.protop;
+    stream = data->req.p.http;
+     if(!stream) {
+       failf(data, "Internal NULL stream!\n");
+       (void)Curl_close(&newhandle);
+@@ -567,13 +567,13 @@ static int push_promise(struct Curl_easy *data,
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+       /* denied, kill off the new handle again */
+-      http2_stream_free(newhandle->req.protop);
+-      newhandle->req.protop = NULL;
+      http2_stream_free(newhandle->req.p.http);
+      newhandle->req.p.http = NULL;
+       (void)Curl_close(&newhandle);
+       goto fail;
+     }
+ 
+-    newstream = newhandle->req.protop;
+    newstream = newhandle->req.p.http;
+     newstream->stream_id = frame->promised_stream_id;
+     newhandle->req.maxdownload = -1;
+     newhandle->req.size = -1;
+@@ -583,8 +583,8 @@ static int push_promise(struct Curl_easy *data,
+     rc = Curl_multi_add_perform(data->multi, newhandle, conn);
+     if(rc) {
+       infof(data, "failed to add handle to multi\n");
+-      http2_stream_free(newhandle->req.protop);
+-      newhandle->req.protop = NULL;
+      http2_stream_free(newhandle->req.p.http);
+      newhandle->req.p.http = NULL;
+       Curl_close(&newhandle);
+       rv = CURL_PUSH_DENY;
+       goto fail;
+@@ -667,7 +667,7 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
+     return 0;
+   }
+ 
+-  stream = data_s->req.protop;
+  stream = data_s->req.p.http;
+   if(!stream) {
+     H2BUGF(infof(data_s, "No proto pointer for stream: %x\n",
+                  stream_id));
+@@ -783,7 +783,7 @@ static int on_data_chunk_recv(nghttp2_session *session, uint8_t flags,
+        internal error more than anything else! */
+     return NGHTTP2_ERR_CALLBACK_FAILURE;
+ 
+-  stream = data_s->req.protop;
+  stream = data_s->req.p.http;
+   if(!stream)
+     return NGHTTP2_ERR_CALLBACK_FAILURE;
+ 
+@@ -849,7 +849,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
+     }
+     H2BUGF(infof(data_s, "on_stream_close(), %s (err %d), stream %u\n",
+                  nghttp2_http2_strerror(error_code), error_code, stream_id));
+-    stream = data_s->req.protop;
+    stream = data_s->req.p.http;
+     if(!stream)
+       return NGHTTP2_ERR_CALLBACK_FAILURE;
+ 
+@@ -894,7 +894,7 @@ static int on_begin_headers(nghttp2_session *session,
+     return 0;
+   }
+ 
+-  stream = data_s->req.protop;
+  stream = data_s->req.p.http;
+   if(!stream || !stream->bodystarted) {
+     return 0;
+   }
+@@ -952,7 +952,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+        internal error more than anything else! */
+     return NGHTTP2_ERR_CALLBACK_FAILURE;
+ 
+-  stream = data_s->req.protop;
+  stream = data_s->req.p.http;
+   if(!stream) {
+     failf(data_s, "Internal NULL stream! 5\n");
+     return NGHTTP2_ERR_CALLBACK_FAILURE;
+@@ -1100,7 +1100,7 @@ static ssize_t data_source_read_callback(nghttp2_session *session,
+          internal error more than anything else! */
+       return NGHTTP2_ERR_CALLBACK_FAILURE;
+ 
+-    stream = data_s->req.protop;
+    stream = data_s->req.p.http;
+     if(!stream)
+       return NGHTTP2_ERR_CALLBACK_FAILURE;
+   }
+@@ -1161,7 +1161,7 @@ static void populate_settings(struct connectdata *conn,
+ 
+ void Curl_http2_done(struct Curl_easy *data, bool premature)
+ {
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+   struct http_conn *httpc = &data->conn->proto.httpc;
+ 
+   /* there might be allocated resources done before this got the 'h2' pointer
+@@ -1398,7 +1398,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn)
+      (conn->handler == &Curl_handler_http2)) {
+     /* make sure this is only attempted for HTTP/2 transfers */
+ 
+-    struct HTTP *stream = conn->data->req.protop;
+    struct HTTP *stream = conn->data->req.p.http;
+ 
+     struct http_conn *httpc = &conn->proto.httpc;
+     nghttp2_session *h2 = httpc->h2;
+@@ -1522,7 +1522,7 @@ static void h2_pri_spec(struct Curl_easy *data,
+                         nghttp2_priority_spec *pri_spec)
+ {
+   struct HTTP *depstream = (data->set.stream_depends_on?
+-                            data->set.stream_depends_on->req.protop:NULL);
+                            data->set.stream_depends_on->req.p.http:NULL);
+   int32_t depstream_id = depstream? depstream->stream_id:0;
+   nghttp2_priority_spec_init(pri_spec, depstream_id, data->set.stream_weight,
+                              data->set.stream_depends_e);
+@@ -1539,7 +1539,7 @@ static void h2_pri_spec(struct Curl_easy *data,
+ static int h2_session_send(struct Curl_easy *data,
+                            nghttp2_session *h2)
+ {
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   if((data->set.stream_weight != data->state.stream_weight) ||
+      (data->set.stream_depends_e != data->state.stream_depends_e) ||
+      (data->set.stream_depends_on != data->state.stream_depends_on) ) {
+@@ -1569,7 +1569,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+   ssize_t nread;
+   struct http_conn *httpc = &conn->proto.httpc;
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+ 
+   (void)sockindex; /* we always do HTTP2 on sockindex 0 */
+ 
+@@ -1874,7 +1874,7 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
+    */
+   int rv;
+   struct http_conn *httpc = &conn->proto.httpc;
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+   nghttp2_nv *nva = NULL;
+   size_t nheader;
+   size_t i;
+@@ -2183,7 +2183,7 @@ CURLcode Curl_http2_setup(struct connectdata *conn)
+ {
+   CURLcode result;
+   struct http_conn *httpc = &conn->proto.httpc;
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+ 
+   DEBUGASSERT(conn->data->state.buffer);
+ 
+@@ -2238,7 +2238,7 @@ CURLcode Curl_http2_switched(struct connectdata *conn,
+   int rv;
+   ssize_t nproc;
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+ 
+   result = Curl_http2_setup(conn);
+   if(result)
+@@ -2358,7 +2358,7 @@ CURLcode Curl_http2_stream_pause(struct Curl_easy *data, bool pause)
+     return CURLE_OK;
+ #ifdef NGHTTP2_HAS_SET_LOCAL_WINDOW_SIZE
+   else {
+-    struct HTTP *stream = data->req.protop;
+    struct HTTP *stream = data->req.p.http;
+     struct http_conn *httpc = &data->conn->proto.httpc;
+     uint32_t window = !pause * HTTP2_HUGE_WINDOW_SIZE;
+     int rv = nghttp2_session_set_local_window_size(httpc->h2,
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index f188cbf..69aacb4 100644
+--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
+@@ -102,9 +102,9 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex)
+      * This function might be called several times in the multi interface case
+      * if the proxy's CONNECT response is not instant.
+      */
+-    prot_save = conn->data->req.protop;
+    prot_save = conn->data->req.p.http;
+     memset(&http_proxy, 0, sizeof(http_proxy));
+-    conn->data->req.protop = &http_proxy;
+    conn->data->req.p.http = &http_proxy;
+     connkeep(conn, "HTTP proxy CONNECT");
+ 
+     /* for the secondary socket (FTP), use the "connect to host"
+@@ -125,7 +125,7 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex)
+     else
+       remote_port = conn->remote_port;
+     result = Curl_proxyCONNECT(conn, sockindex, hostname, remote_port);
+-    conn->data->req.protop = prot_save;
+    conn->data->req.p.http = prot_save;
+     if(CURLE_OK != result)
+       return result;
+     Curl_safefree(data->state.aptr.proxyuserpwd);
+diff --git a/lib/imap.c b/lib/imap.c
+index cad0e59..bda23a5 100644
+--- a/lib/imap.c
+++ b/lib/imap.c
+@@ -244,7 +244,7 @@ static bool imap_matchresp(const char *line, size_t len, const char *cmd)
+ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
+                            int *resp)
+ {
+-  struct IMAP *imap = conn->data->req.protop;
+  struct IMAP *imap = conn->data->req.p.imap;
+   struct imap_conn *imapc = &conn->proto.imapc;
+   const char *id = imapc->resptag;
+   size_t id_len = strlen(id);
+@@ -605,7 +605,7 @@ static CURLcode imap_perform_list(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+ 
+   if(imap->custom)
+     /* Send the custom request */
+@@ -640,7 +640,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+   struct imap_conn *imapc = &conn->proto.imapc;
+   char *mailbox;
+ 
+@@ -679,7 +679,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
+ static CURLcode imap_perform_fetch(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct IMAP *imap = conn->data->req.protop;
+  struct IMAP *imap = conn->data->req.p.imap;
+   /* Check we have a UID */
+   if(imap->uid) {
+ 
+@@ -727,7 +727,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+   char *mailbox;
+ 
+   /* Check we have a mailbox */
+@@ -797,7 +797,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
+ static CURLcode imap_perform_search(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+-  struct IMAP *imap = conn->data->req.protop;
+  struct IMAP *imap = conn->data->req.p.imap;
+ 
+   /* Check we have a query string */
+   if(!imap->query) {
+@@ -1051,7 +1051,7 @@ static CURLcode imap_state_select_resp(struct connectdata *conn, int imapcode,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = conn->data->req.protop;
+  struct IMAP *imap = conn->data->req.p.imap;
+   struct imap_conn *imapc = &conn->proto.imapc;
+   const char *line = data->state.buffer;
+ 
+@@ -1380,7 +1380,7 @@ static CURLcode imap_init(struct connectdata *conn)
+   struct Curl_easy *data = conn->data;
+   struct IMAP *imap;
+ 
+-  imap = data->req.protop = calloc(sizeof(struct IMAP), 1);
+  imap = data->req.p.imap = calloc(sizeof(struct IMAP), 1);
+   if(!imap)
+     result = CURLE_OUT_OF_MEMORY;
+ 
+@@ -1457,7 +1457,7 @@ static CURLcode imap_done(struct connectdata *conn, CURLcode status,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+ 
+   (void)premature;
+ 
+@@ -1517,7 +1517,7 @@ static CURLcode imap_perform(struct connectdata *conn, bool *connected,
+   /* This is IMAP and no proxy */
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+   struct imap_conn *imapc = &conn->proto.imapc;
+   bool selected = FALSE;
+ 
+@@ -1640,7 +1640,7 @@ static CURLcode imap_disconnect(struct connectdata *conn, bool dead_connection)
+ /* Call this when the DO phase has completed */
+ static CURLcode imap_dophase_done(struct connectdata *conn, bool connected)
+ {
+-  struct IMAP *imap = conn->data->req.protop;
+  struct IMAP *imap = conn->data->req.p.imap;
+ 
+   (void)connected;
+ 
+@@ -1942,7 +1942,7 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
+   /* The imap struct is already initialised in imap_connect() */
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+   const char *begin = &data->state.up.path[1]; /* skip leading slash */
+   const char *ptr = begin;
+ 
+@@ -2074,7 +2074,7 @@ static CURLcode imap_parse_custom_request(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct IMAP *imap = data->req.protop;
+  struct IMAP *imap = data->req.p.imap;
+   const char *custom = data->set.str[STRING_CUSTOMREQUEST];
+ 
+   if(custom) {
+diff --git a/lib/mqtt.c b/lib/mqtt.c
+index f6f4416..86b22b8 100644
+--- a/lib/mqtt.c
+++ b/lib/mqtt.c
+@@ -95,12 +95,12 @@ static CURLcode mqtt_setup_conn(struct connectdata *conn)
+      during this request */
+   struct MQTT *mq;
+   struct Curl_easy *data = conn->data;
+-  DEBUGASSERT(data->req.protop == NULL);
+  DEBUGASSERT(data->req.p.mqtt == NULL);
+ 
+   mq = calloc(1, sizeof(struct MQTT));
+   if(!mq)
+     return CURLE_OUT_OF_MEMORY;
+-  data->req.protop = mq;
+  data->req.p.mqtt = mq;
+   return CURLE_OK;
+ }
+ 
+@@ -110,7 +110,7 @@ static CURLcode mqtt_send(struct connectdata *conn,
+   CURLcode result = CURLE_OK;
+   curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
+   struct Curl_easy *data = conn->data;
+-  struct MQTT *mq = data->req.protop;
+  struct MQTT *mq = data->req.p.mqtt;
+   ssize_t n;
+   result = Curl_write(conn, sockfd, buf, len, &n);
+   if(!result && data->set.verbose)
+@@ -426,7 +426,7 @@ static CURLcode mqtt_read_publish(struct connectdata *conn,
+   unsigned char *pkt = (unsigned char *)data->state.buffer;
+   size_t remlen;
+   struct mqtt_conn *mqtt = &conn->proto.mqtt;
+-  struct MQTT *mq = data->req.protop;
+  struct MQTT *mq = data->req.p.mqtt;
+   unsigned char packet;
+ 
+   switch(mqtt->state) {
+@@ -533,7 +533,7 @@ static CURLcode mqtt_doing(struct connectdata *conn, bool *done)
+   CURLcode result = CURLE_OK;
+   struct mqtt_conn *mqtt = &conn->proto.mqtt;
+   struct Curl_easy *data = conn->data;
+-  struct MQTT *mq = data->req.protop;
+  struct MQTT *mq = data->req.p.mqtt;
+   ssize_t nread;
+   curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
+   unsigned char *pkt = (unsigned char *)data->state.buffer;
+diff --git a/lib/openldap.c b/lib/openldap.c
+index 782d6a0..c955df6 100644
+--- a/lib/openldap.c
+++ b/lib/openldap.c
+@@ -410,7 +410,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
+   if(!lr)
+     return CURLE_OUT_OF_MEMORY;
+   lr->msgid = msgid;
+-  data->req.protop = lr;
+  data->req.p.ldap = lr;
+   Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1);
+   *done = TRUE;
+   return CURLE_OK;
+@@ -419,7 +419,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
+ static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
+                           bool premature)
+ {
+-  struct ldapreqinfo *lr = conn->data->req.protop;
+  struct ldapreqinfo *lr = conn->data->req.p.ldap;
+ 
+   (void)res;
+   (void)premature;
+@@ -431,7 +431,7 @@ static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
+       ldap_abandon_ext(li->ld, lr->msgid, NULL, NULL);
+       lr->msgid = 0;
+     }
+-    conn->data->req.protop = NULL;
+    conn->data->req.p.ldap = NULL;
+     free(lr);
+   }
+ 
+@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+ {
+   struct ldapconninfo *li = conn->proto.ldapc;
+   struct Curl_easy *data = conn->data;
+-  struct ldapreqinfo *lr = data->req.protop;
+  struct ldapreqinfo *lr = data->req.p.ldap;
+   int rc, ret;
+   LDAPMessage *msg = NULL;
+   LDAPMessage *ent;
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 9ff5c78..04cc887 100644
+--- a/lib/pop3.c
+++ b/lib/pop3.c
+@@ -551,7 +551,7 @@ static CURLcode pop3_perform_command(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct POP3 *pop3 = data->req.protop;
+  struct POP3 *pop3 = data->req.p.pop3;
+   const char *command = NULL;
+ 
+   /* Calculate the default command */
+@@ -884,7 +884,7 @@ static CURLcode pop3_state_command_resp(struct connectdata *conn,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct POP3 *pop3 = data->req.protop;
+  struct POP3 *pop3 = data->req.p.pop3;
+   struct pop3_conn *pop3c = &conn->proto.pop3c;
+   struct pingpong *pp = &pop3c->pp;
+ 
+@@ -1046,7 +1046,7 @@ static CURLcode pop3_init(struct connectdata *conn)
+   struct Curl_easy *data = conn->data;
+   struct POP3 *pop3;
+ 
+-  pop3 = data->req.protop = calloc(sizeof(struct POP3), 1);
+  pop3 = data->req.p.pop3 = calloc(sizeof(struct POP3), 1);
+   if(!pop3)
+     result = CURLE_OUT_OF_MEMORY;
+ 
+@@ -1120,7 +1120,7 @@ static CURLcode pop3_done(struct connectdata *conn, CURLcode status,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct POP3 *pop3 = data->req.protop;
+  struct POP3 *pop3 = data->req.p.pop3;
+ 
+   (void)premature;
+ 
+@@ -1154,7 +1154,7 @@ static CURLcode pop3_perform(struct connectdata *conn, bool *connected,
+ {
+   /* This is POP3 and no proxy */
+   CURLcode result = CURLE_OK;
+-  struct POP3 *pop3 = conn->data->req.protop;
+  struct POP3 *pop3 = conn->data->req.p.pop3;
+ 
+   DEBUGF(infof(conn->data, "DO phase starts\n"));
+ 
+@@ -1386,7 +1386,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn)
+ {
+   /* The POP3 struct is already initialised in pop3_connect() */
+   struct Curl_easy *data = conn->data;
+-  struct POP3 *pop3 = data->req.protop;
+  struct POP3 *pop3 = data->req.p.pop3;
+   const char *path = &data->state.up.path[1]; /* skip leading path */
+ 
+   /* URL decode the path for the message ID */
+@@ -1403,7 +1403,7 @@ static CURLcode pop3_parse_custom_request(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct POP3 *pop3 = data->req.protop;
+  struct POP3 *pop3 = data->req.p.pop3;
+   const char *custom = data->set.str[STRING_CUSTOMREQUEST];
+ 
+   /* URL decode the custom request */
+diff --git a/lib/rtsp.c b/lib/rtsp.c
+index dbd7dc6..29e6d58 100644
+--- a/lib/rtsp.c
+++ b/lib/rtsp.c
+@@ -114,7 +114,7 @@ static CURLcode rtsp_setup_connection(struct connectdata *conn)
+ {
+   struct RTSP *rtsp;
+ 
+-  conn->data->req.protop = rtsp = calloc(1, sizeof(struct RTSP));
+  conn->data->req.p.rtsp = rtsp = calloc(1, sizeof(struct RTSP));
+   if(!rtsp)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -199,7 +199,7 @@ static CURLcode rtsp_done(struct connectdata *conn,
+                           CURLcode status, bool premature)
+ {
+   struct Curl_easy *data = conn->data;
+-  struct RTSP *rtsp = data->req.protop;
+  struct RTSP *rtsp = data->req.p.rtsp;
+   CURLcode httpStatus;
+ 
+   /* Bypass HTTP empty-reply checks on receive */
+@@ -232,7 +232,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
+   struct Curl_easy *data = conn->data;
+   CURLcode result = CURLE_OK;
+   Curl_RtspReq rtspreq = data->set.rtspreq;
+-  struct RTSP *rtsp = data->req.protop;
+  struct RTSP *rtsp = data->req.p.rtsp;
+   struct dynbuf req_buffer;
+   curl_off_t postsize = 0; /* for ANNOUNCE and SET_PARAMETER */
+   curl_off_t putsize = 0; /* for ANNOUNCE and SET_PARAMETER */
+@@ -764,7 +764,7 @@ CURLcode Curl_rtsp_parseheader(struct connectdata *conn,
+     /* Store the received CSeq. Match is verified in rtsp_done */
+     int nc = sscanf(&header[4], ": %ld", &CSeq);
+     if(nc == 1) {
+-      struct RTSP *rtsp = data->req.protop;
+      struct RTSP *rtsp = data->req.p.rtsp;
+       rtsp->CSeq_recv = CSeq; /* mark the request */
+       data->state.rtsp_CSeq_recv = CSeq; /* update the handle */
+     }
+diff --git a/lib/smb.c b/lib/smb.c
+index d493adc..9eba7ab 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -204,7 +204,7 @@ static void conn_state(struct connectdata *conn, enum smb_conn_state newstate)
+ static void request_state(struct connectdata *conn,
+                           enum smb_req_state newstate)
+ {
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+ #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
+   /* For debug purposes */
+   static const char * const names[] = {
+@@ -234,7 +234,7 @@ static CURLcode smb_setup_connection(struct connectdata *conn)
+   struct smb_request *req;
+ 
+   /* Initialize the request state */
+-  conn->data->req.protop = req = calloc(1, sizeof(struct smb_request));
+  conn->data->req.p.smb = req = calloc(1, sizeof(struct smb_request));
+   if(!req)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -342,7 +342,7 @@ static void smb_format_message(struct connectdata *conn, struct smb_header *h,
+                                unsigned char cmd, size_t len)
+ {
+   struct smb_conn *smbc = &conn->proto.smbc;
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   unsigned int pid;
+ 
+   memset(h, 0, sizeof(*h));
+@@ -505,7 +505,7 @@ static CURLcode smb_send_tree_connect(struct connectdata *conn)
+ 
+ static CURLcode smb_send_open(struct connectdata *conn)
+ {
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   struct smb_nt_create msg;
+   size_t byte_count;
+ 
+@@ -535,7 +535,7 @@ static CURLcode smb_send_open(struct connectdata *conn)
+ 
+ static CURLcode smb_send_close(struct connectdata *conn)
+ {
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   struct smb_close msg;
+ 
+   memset(&msg, 0, sizeof(msg));
+@@ -556,7 +556,7 @@ static CURLcode smb_send_tree_disconnect(struct connectdata *conn)
+ 
+ static CURLcode smb_send_read(struct connectdata *conn)
+ {
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   curl_off_t offset = conn->data->req.offset;
+   struct smb_read msg;
+ 
+@@ -575,7 +575,7 @@ static CURLcode smb_send_read(struct connectdata *conn)
+ static CURLcode smb_send_write(struct connectdata *conn)
+ {
+   struct smb_write *msg;
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   curl_off_t offset = conn->data->req.offset;
+   curl_off_t upload_size = conn->data->req.size - conn->data->req.bytecount;
+   CURLcode result = Curl_get_upload_buffer(conn->data);
+@@ -738,7 +738,7 @@ static void get_posix_time(time_t *out, curl_off_t timestamp)
+ 
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+ {
+-  struct smb_request *req = conn->data->req.protop;
+  struct smb_request *req = conn->data->req.p.smb;
+   struct smb_header *h;
+   struct smb_conn *smbc = &conn->proto.smbc;
+   enum smb_req_state next_state = SMB_DONE;
+@@ -923,7 +923,7 @@ static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+                          bool premature)
+ {
+   (void) premature;
+-  Curl_safefree(conn->data->req.protop);
+  Curl_safefree(conn->data->req.p.smb);
+   return status;
+ }
+ 
+@@ -957,7 +957,7 @@ static CURLcode smb_do(struct connectdata *conn, bool *done)
+ static CURLcode smb_parse_url_path(struct connectdata *conn)
+ {
+   struct Curl_easy *data = conn->data;
+-  struct smb_request *req = data->req.protop;
+  struct smb_request *req = data->req.p.smb;
+   struct smb_conn *smbc = &conn->proto.smbc;
+   char *path;
+   char *slash;
+diff --git a/lib/smtp.c b/lib/smtp.c
+index aea41bb..c5d0296 100644
+--- a/lib/smtp.c
+++ b/lib/smtp.c
+@@ -484,7 +484,7 @@ static CURLcode smtp_perform_command(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+ 
+   if(smtp->rcpt) {
+     /* We notify the server we are sending UTF-8 data if a) it supports the
+@@ -697,7 +697,7 @@ static CURLcode smtp_perform_mail(struct connectdata *conn)
+      any there do, as we need to correctly identify our support for SMTPUTF8
+      in the envelope, as per RFC-6531 sect. 3.4 */
+   if(conn->proto.smtpc.utf8_supported && !utf8) {
+-    struct SMTP *smtp = data->req.protop;
+    struct SMTP *smtp = data->req.p.smtp;
+     struct curl_slist *rcpt = smtp->rcpt;
+ 
+     while(rcpt && !utf8) {
+@@ -741,7 +741,7 @@ static CURLcode smtp_perform_rcpt_to(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   char *address = NULL;
+   struct hostname host = { NULL, NULL, NULL, NULL };
+ 
+@@ -989,7 +989,7 @@ static CURLcode smtp_state_command_resp(struct connectdata *conn, int smtpcode,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   char *line = data->state.buffer;
+   size_t len = strlen(line);
+ 
+@@ -1055,7 +1055,7 @@ static CURLcode smtp_state_rcpt_resp(struct connectdata *conn, int smtpcode,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   bool is_smtp_err = FALSE;
+   bool is_smtp_blocking_err = FALSE;
+ 
+@@ -1278,7 +1278,7 @@ static CURLcode smtp_init(struct connectdata *conn)
+   struct Curl_easy *data = conn->data;
+   struct SMTP *smtp;
+ 
+-  smtp = data->req.protop = calloc(sizeof(struct SMTP), 1);
+  smtp = data->req.p.smtp = calloc(sizeof(struct SMTP), 1);
+   if(!smtp)
+     result = CURLE_OUT_OF_MEMORY;
+ 
+@@ -1356,7 +1356,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status,
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   struct pingpong *pp = &conn->proto.smtpc.pp;
+   char *eob;
+   ssize_t len;
+@@ -1442,7 +1442,7 @@ static CURLcode smtp_perform(struct connectdata *conn, bool *connected,
+   /* This is SMTP and no proxy */
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+ 
+   DEBUGF(infof(conn->data, "DO phase starts\n"));
+ 
+@@ -1550,7 +1550,7 @@ static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
+ /* Call this when the DO phase has completed */
+ static CURLcode smtp_dophase_done(struct connectdata *conn, bool connected)
+ {
+-  struct SMTP *smtp = conn->data->req.protop;
+  struct SMTP *smtp = conn->data->req.p.smtp;
+ 
+   (void)connected;
+ 
+@@ -1703,7 +1703,7 @@ static CURLcode smtp_parse_custom_request(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   const char *custom = data->set.str[STRING_CUSTOMREQUEST];
+ 
+   /* URL decode the custom request */
+@@ -1796,7 +1796,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
+   ssize_t i;
+   ssize_t si;
+   struct Curl_easy *data = conn->data;
+-  struct SMTP *smtp = data->req.protop;
+  struct SMTP *smtp = data->req.p.smtp;
+   char *scratch = data->state.scratch;
+   char *newscratch = NULL;
+   char *oldscratch = NULL;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index c3b58e5..1fc5af1 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -247,7 +247,7 @@ CURLcode init_telnet(struct connectdata *conn)
+   if(!tn)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  conn->data->req.protop = tn; /* make us known */
+  conn->data->req.p.telnet = tn; /* make us known */
+ 
+   tn->telrcv_state = CURL_TS_DATA;
+ 
+@@ -292,7 +292,7 @@ CURLcode init_telnet(struct connectdata *conn)
+ static void negotiate(struct connectdata *conn)
+ {
+   int i;
+-  struct TELNET *tn = (struct TELNET *) conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *) conn->data->req.p.telnet;
+ 
+   for(i = 0; i < CURL_NTELOPTS; i++) {
+     if(i == CURL_TELOPT_ECHO)
+@@ -365,7 +365,7 @@ static void send_negotiation(struct connectdata *conn, int cmd, int option)
+ static
+ void set_remote_option(struct connectdata *conn, int option, int newstate)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   if(newstate == CURL_YES) {
+     switch(tn->him[option]) {
+     case CURL_NO:
+@@ -439,7 +439,7 @@ void set_remote_option(struct connectdata *conn, int option, int newstate)
+ static
+ void rec_will(struct connectdata *conn, int option)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   switch(tn->him[option]) {
+   case CURL_NO:
+     if(tn->him_preferred[option] == CURL_YES) {
+@@ -487,7 +487,7 @@ void rec_will(struct connectdata *conn, int option)
+ static
+ void rec_wont(struct connectdata *conn, int option)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   switch(tn->him[option]) {
+   case CURL_NO:
+     /* Already disabled */
+@@ -529,7 +529,7 @@ void rec_wont(struct connectdata *conn, int option)
+ static void
+ set_local_option(struct connectdata *conn, int option, int newstate)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   if(newstate == CURL_YES) {
+     switch(tn->us[option]) {
+     case CURL_NO:
+@@ -603,7 +603,7 @@ set_local_option(struct connectdata *conn, int option, int newstate)
+ static
+ void rec_do(struct connectdata *conn, int option)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   switch(tn->us[option]) {
+   case CURL_NO:
+     if(tn->us_preferred[option] == CURL_YES) {
+@@ -663,7 +663,7 @@ void rec_do(struct connectdata *conn, int option)
+ static
+ void rec_dont(struct connectdata *conn, int option)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   switch(tn->us[option]) {
+   case CURL_NO:
+     /* Already disabled */
+@@ -822,7 +822,7 @@ static CURLcode check_telnet_options(struct connectdata *conn)
+   char option_keyword[128] = "";
+   char option_arg[256] = "";
+   struct Curl_easy *data = conn->data;
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   CURLcode result = CURLE_OK;
+   int binary_option;
+ 
+@@ -929,7 +929,7 @@ static void suboption(struct connectdata *conn)
+   char varname[128] = "";
+   char varval[128] = "";
+   struct Curl_easy *data = conn->data;
+-  struct TELNET *tn = (struct TELNET *)data->req.protop;
+  struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
+ 
+   printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);
+   switch(CURL_SB_GET(tn)) {
+@@ -1004,7 +1004,7 @@ static void sendsuboption(struct connectdata *conn, int option)
+   unsigned char *uc1, *uc2;
+ 
+   struct Curl_easy *data = conn->data;
+-  struct TELNET *tn = (struct TELNET *)data->req.protop;
+  struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
+ 
+   switch(option) {
+   case CURL_TELOPT_NAWS:
+@@ -1062,7 +1062,7 @@ CURLcode telrcv(struct connectdata *conn,
+   int in = 0;
+   int startwrite = -1;
+   struct Curl_easy *data = conn->data;
+-  struct TELNET *tn = (struct TELNET *)data->req.protop;
+  struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
+ 
+ #define startskipping()                                       \
+   if(startwrite >= 0) {                                       \
+@@ -1280,7 +1280,7 @@ static CURLcode send_telnet_data(struct connectdata *conn,
+ static CURLcode telnet_done(struct connectdata *conn,
+                                  CURLcode status, bool premature)
+ {
+-  struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
+  struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
+   (void)status; /* unused */
+   (void)premature; /* not used */
+ 
+@@ -1290,7 +1290,7 @@ static CURLcode telnet_done(struct connectdata *conn,
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+ 
+-  Curl_safefree(conn->data->req.protop);
+  Curl_safefree(conn->data->req.p.telnet);
+ 
+   return CURLE_OK;
+ }
+@@ -1333,7 +1333,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
+   if(result)
+     return result;
+ 
+-  tn = (struct TELNET *)data->req.protop;
+  tn = data->req.p.telnet;
+ 
+   result = check_telnet_options(conn);
+   if(result)
+diff --git a/lib/transfer.c b/lib/transfer.c
+index a07c7af..4630609 100644
+--- a/lib/transfer.c
+++ b/lib/transfer.c
+@@ -167,7 +167,7 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, size_t bytes,
+   bool sending_http_headers = FALSE;
+ 
+   if(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)) {
+-    const struct HTTP *http = data->req.protop;
+    const struct HTTP *http = data->req.p.http;
+ 
+     if(http->sending == HTTPSEND_REQUEST)
+       /* We're sending the HTTP request headers, not the data.
+@@ -426,7 +426,7 @@ CURLcode Curl_readrewind(struct connectdata *conn)
+      CURLOPT_HTTPPOST, call app to rewind
+   */
+   if(conn->handler->protocol & PROTO_FAMILY_HTTP) {
+-    struct HTTP *http = data->req.protop;
+    struct HTTP *http = data->req.p.http;
+ 
+     if(http->sendit)
+       mimepart = http->sendit;
+@@ -1028,7 +1028,7 @@ static CURLcode readwrite_upload(struct Curl_easy *data,
+         /* HTTP pollution, this should be written nicer to become more
+            protocol agnostic. */
+         size_t fillcount;
+-        struct HTTP *http = k->protop;
+        struct HTTP *http = k->p.http;
+ 
+         if((k->exp100 == EXP100_SENDING_REQUEST) &&
+            (http->sending == HTTPSEND_BODY)) {
+@@ -1853,7 +1853,7 @@ Curl_setup_transfer(
+ {
+   struct SingleRequest *k = &data->req;
+   struct connectdata *conn = data->conn;
+-  struct HTTP *http = data->req.protop;
+  struct HTTP *http = data->req.p.http;
+   bool httpsending = ((conn->handler->protocol&PROTO_FAMILY_HTTP) &&
+                       (http->sending == HTTPSEND_REQUEST));
+   DEBUGASSERT(conn != NULL);
+diff --git a/lib/url.c b/lib/url.c
+index 150667a..849d527 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -2060,7 +2060,7 @@ static CURLcode setup_connection_internals(struct connectdata *conn)
+ 
+ void Curl_free_request_state(struct Curl_easy *data)
+ {
+-  Curl_safefree(data->req.protop);
+  Curl_safefree(data->req.p.http);
+   Curl_safefree(data->req.newurl);
+ 
+ #ifndef CURL_DISABLE_DOH
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 0ae9269..76baee3 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -645,8 +645,23 @@ struct SingleRequest {
+      and the 'upload_present' contains the number of bytes available at this
+      position */
+   char *upload_fromhere;
+-  void *protop;       /* Allocated protocol-specific data. Each protocol
+-                         handler makes sure this points to data it needs. */
+
+  /* Allocated protocol-specific data. Each protocol handler makes sure this
+     points to data it needs. */
+  union {
+    struct FILEPROTO *file;
+    struct FTP *ftp;
+    struct HTTP *http;
+    struct IMAP *imap;
+    struct ldapreqinfo *ldap;
+    struct MQTT *mqtt;
+    struct POP3 *pop3;
+    struct RTSP *rtsp;
+    struct smb_request *smb;
+    struct SMTP *smtp;
+    struct SSHPROTO *ssh;
+    struct TELNET *telnet;
+  } p;
+ #ifndef CURL_DISABLE_DOH
+   struct dohdata doh; /* DoH specific data for this request */
+ #endif
+diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c
+index 20ee08d..18eeda8 100644
+--- a/lib/vquic/ngtcp2.c
+++ b/lib/vquic/ngtcp2.c
+@@ -962,7 +962,7 @@ static int cb_h3_stream_close(nghttp3_conn *conn, int64_t stream_id,
+                               void *stream_user_data)
+ {
+   struct Curl_easy *data = stream_user_data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   (void)conn;
+   (void)stream_id;
+   (void)app_error_code;
+@@ -1008,7 +1008,7 @@ static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream_id,
+                            void *user_data, void *stream_user_data)
+ {
+   struct Curl_easy *data = stream_user_data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   CURLcode result = CURLE_OK;
+   (void)conn;
+ 
+@@ -1067,7 +1067,7 @@ static int cb_h3_end_headers(nghttp3_conn *conn, int64_t stream_id,
+                              void *user_data, void *stream_user_data)
+ {
+   struct Curl_easy *data = stream_user_data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   CURLcode result = CURLE_OK;
+   (void)conn;
+   (void)stream_id;
+@@ -1091,7 +1091,7 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id,
+   nghttp3_vec h3name = nghttp3_rcbuf_get_buf(name);
+   nghttp3_vec h3val = nghttp3_rcbuf_get_buf(value);
+   struct Curl_easy *data = stream_user_data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   CURLcode result = CURLE_OK;
+   (void)conn;
+   (void)stream_id;
+@@ -1255,7 +1255,7 @@ static ssize_t ngh3_stream_recv(struct connectdata *conn,
+                                 CURLcode *curlcode)
+ {
+   curl_socket_t sockfd = conn->sock[sockindex];
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+   struct quicsocket *qs = conn->quic;
+ 
+   if(!stream->memlen) {
+@@ -1313,7 +1313,7 @@ static int cb_h3_acked_stream_data(nghttp3_conn *conn, int64_t stream_id,
+                                    void *stream_user_data)
+ {
+   struct Curl_easy *data = stream_user_data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   (void)conn;
+   (void)stream_id;
+   (void)user_data;
+@@ -1335,7 +1335,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id,
+ {
+   struct Curl_easy *data = stream_user_data;
+   size_t nread;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   (void)conn;
+   (void)stream_id;
+   (void)user_data;
+@@ -1398,7 +1398,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id,
+ static CURLcode http_request(struct connectdata *conn, const void *mem,
+                              size_t len)
+ {
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+   size_t nheader;
+   size_t i;
+   size_t authority_idx;
+@@ -1641,7 +1641,7 @@ static ssize_t ngh3_stream_send(struct connectdata *conn,
+   ssize_t sent;
+   struct quicsocket *qs = conn->quic;
+   curl_socket_t sockfd = conn->sock[sockindex];
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+ 
+   if(!stream->h3req) {
+     CURLcode result = http_request(conn, mem, len);
+@@ -1909,7 +1909,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
+ {
+   if(conn->handler == &Curl_handler_http3) {
+     /* only for HTTP/3 transfers */
+-    struct HTTP *stream = conn->data->req.protop;
+    struct HTTP *stream = conn->data->req.p.http;
+     struct quicsocket *qs = conn->quic;
+     stream->upload_done = TRUE;
+     (void)nghttp3_conn_resume_stream(qs->h3conn, stream->stream3_id);
+@@ -1926,7 +1926,7 @@ void Curl_quic_done(struct Curl_easy *data, bool premature)
+   (void)premature;
+   if(data->conn->handler == &Curl_handler_http3) {
+     /* only for HTTP/3 transfers */
+-    struct HTTP *stream = data->req.protop;
+    struct HTTP *stream = data->req.p.http;
+     Curl_dyn_free(&stream->overflow);
+   }
+ }
+@@ -1941,7 +1941,7 @@ bool Curl_quic_data_pending(const struct Curl_easy *data)
+      buffer and allocated an overflow buffer. Since it's possible that
+      there's no more data coming on the socket, we need to keep reading
+      until the overflow buffer is empty. */
+-  const struct HTTP *stream = data->req.protop;
+  const struct HTTP *stream = data->req.p.http;
+   return Curl_dyn_len(&stream->overflow) > 0;
+ }
+ 
+diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
+index fd9cb8b..c0e250d 100644
+--- a/lib/vquic/quiche.c
+++ b/lib/vquic/quiche.c
+@@ -131,7 +131,7 @@ static unsigned int quiche_conncheck(struct connectdata *conn,
+ 
+ static CURLcode quiche_do(struct connectdata *conn, bool *done)
+ {
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+   stream->h3req = FALSE; /* not sent */
+   return Curl_http(conn, done);
+ }
+@@ -460,7 +460,7 @@ static ssize_t h3_stream_recv(struct connectdata *conn,
+   int rc;
+   struct h3h1header headers;
+   struct Curl_easy *data = conn->data;
+-  struct HTTP *stream = data->req.protop;
+  struct HTTP *stream = data->req.p.http;
+   headers.dest = buf;
+   headers.destlen = buffersize;
+   headers.nlen = 0;
+@@ -548,7 +548,7 @@ static ssize_t h3_stream_send(struct connectdata *conn,
+   ssize_t sent;
+   struct quicsocket *qs = conn->quic;
+   curl_socket_t sockfd = conn->sock[sockindex];
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+ 
+   if(!stream->h3req) {
+     CURLcode result = http_request(conn, mem, len);
+@@ -596,7 +596,7 @@ static CURLcode http_request(struct connectdata *conn, const void *mem,
+ {
+   /*
+    */
+-  struct HTTP *stream = conn->data->req.protop;
+  struct HTTP *stream = conn->data->req.p.http;
+   size_t nheader;
+   size_t i;
+   size_t authority_idx;
+@@ -824,7 +824,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
+   if(conn->handler == &Curl_handler_http3) {
+     /* only for HTTP/3 transfers */
+     ssize_t sent;
+-    struct HTTP *stream = conn->data->req.protop;
+    struct HTTP *stream = conn->data->req.p.http;
+     struct quicsocket *qs = conn->quic;
+     fprintf(stderr, "!!! Curl_quic_done_sending\n");
+     stream->upload_done = TRUE;
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 8988e23..a84e1bf 100644
+--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
+@@ -662,7 +662,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SSHPROTO *protop = data->req.protop;
+  struct SSHPROTO *protop = data->req.p.ssh;
+   struct ssh_conn *sshc = &conn->proto.sshc;
+   curl_socket_t sock = conn->sock[FIRSTSOCKET];
+   int rc = SSH_NO_ERROR, err;
+@@ -2129,7 +2129,7 @@ static CURLcode myssh_setup_connection(struct connectdata *conn)
+ {
+   struct SSHPROTO *ssh;
+ 
+-  conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
+  conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
+   if(!ssh)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -2152,7 +2152,7 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
+   int rc;
+ 
+   /* initialize per-handle data if not already */
+-  if(!data->req.protop)
+  if(!data->req.p.ssh)
+     myssh_setup_connection(conn);
+ 
+   /* We default to persistent connections. We set this already in this connect
+@@ -2353,7 +2353,7 @@ static CURLcode scp_disconnect(struct connectdata *conn,
+ static CURLcode myssh_done(struct connectdata *conn, CURLcode status)
+ {
+   CURLcode result = CURLE_OK;
+-  struct SSHPROTO *protop = conn->data->req.protop;
+  struct SSHPROTO *protop = conn->data->req.p.ssh;
+ 
+   if(!status) {
+     /* run the state-machine */
+@@ -2606,7 +2606,7 @@ static void sftp_quote(struct connectdata *conn)
+ {
+   const char *cp;
+   struct Curl_easy *data = conn->data;
+-  struct SSHPROTO *protop = data->req.protop;
+  struct SSHPROTO *protop = data->req.p.ssh;
+   struct ssh_conn *sshc = &conn->proto.sshc;
+   CURLcode result;
+ 
+diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
+index 4f56bb4..3ed777f 100644
+--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
+@@ -789,7 +789,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
+ {
+   CURLcode result = CURLE_OK;
+   struct Curl_easy *data = conn->data;
+-  struct SSHPROTO *sftp_scp = data->req.protop;
+  struct SSHPROTO *sftp_scp = data->req.p.ssh;
+   struct ssh_conn *sshc = &conn->proto.sshc;
+   curl_socket_t sock = conn->sock[FIRSTSOCKET];
+   int rc = LIBSSH2_ERROR_NONE;
+@@ -2989,7 +2989,7 @@ static CURLcode ssh_setup_connection(struct connectdata *conn)
+ {
+   struct SSHPROTO *ssh;
+ 
+-  conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
+  conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
+   if(!ssh)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -3013,7 +3013,7 @@ static CURLcode ssh_connect(struct connectdata *conn, bool *done)
+   struct Curl_easy *data = conn->data;
+ 
+   /* initialize per-handle data if not already */
+-  if(!data->req.protop)
+  if(!data->req.p.ssh)
+     ssh_setup_connection(conn);
+ 
+   /* We default to persistent connections. We set this already in this connect
+@@ -3192,7 +3192,7 @@ static CURLcode scp_disconnect(struct connectdata *conn, bool dead_connection)
+ static CURLcode ssh_done(struct connectdata *conn, CURLcode status)
+ {
+   CURLcode result = CURLE_OK;
+-  struct SSHPROTO *sftp_scp = conn->data->req.protop;
+  struct SSHPROTO *sftp_scp = conn->data->req.p.ssh;
+ 
+   if(!status) {
+     /* run the state-machine */
+diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
+index dcbbab6..1b990e3 100644
+--- a/lib/vssh/wolfssh.c
+++ b/lib/vssh/wolfssh.c
+@@ -322,7 +322,7 @@ static CURLcode wssh_setup_connection(struct connectdata *conn)
+ {
+   struct SSHPROTO *ssh;
+ 
+-  conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
+  conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
+   if(!ssh)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -356,7 +356,7 @@ static CURLcode wssh_connect(struct connectdata *conn, bool *done)
+   int rc;
+ 
+   /* initialize per-handle data if not already */
+-  if(!data->req.protop)
+  if(!data->req.p.ssh)
+     wssh_setup_connection(conn);
+ 
+   /* We default to persistent connections. We set this already in this connect
+@@ -429,7 +429,7 @@ static CURLcode wssh_statemach_act(struct connectdata *conn, bool *block)
+   CURLcode result = CURLE_OK;
+   struct ssh_conn *sshc = &conn->proto.sshc;
+   struct Curl_easy *data = conn->data;
+-  struct SSHPROTO *sftp_scp = data->req.protop;
+  struct SSHPROTO *sftp_scp = data->req.p.ssh;
+   WS_SFTPNAME *name;
+   int rc = 0;
+   *block = FALSE; /* we're not blocking by default */
+@@ -1027,7 +1027,7 @@ static CURLcode wssh_block_statemach(struct connectdata *conn,
+ static CURLcode wssh_done(struct connectdata *conn, CURLcode status)
+ {
+   CURLcode result = CURLE_OK;
+-  struct SSHPROTO *sftp_scp = conn->data->req.protop;
+  struct SSHPROTO *sftp_scp = conn->data->req.p.ssh;
+ 
+   if(!status) {
+     /* run the state-machine */
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8284.patch b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
new file mode 100644
index 0000000000..4ae514ffa8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
@@ -0,0 +1,210 @@
+From ec9cc725d598ac77de7b6df8afeec292b3c8ad46 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Nov 2020 14:56:57 +0100
+Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+The command line tool also independently sets --ftp-skip-pasv-ip by
+default.
+Ten test cases updated to adapt the modified --libcurl output.
+Bug: https://curl.se/docs/CVE-2020-8284.html
+CVE-2020-8284
+Reported-by: Varnavas Papaioannou
+Upstream-Status: Backport [https://github.com/curl/curl/commit/ec9cc725d598ac]
+CVE: CVE-2020-8284
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ docs/cmdline-opts/ftp-skip-pasv-ip.d         |   2 ++
+ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 |   8 +++++---
+ lib/url.c                                    |   1 +
+ src/tool_cfgable.c                           |   1 +
+ tests/data/test1400                          |   1 +
+ tests/data/test1401                          |   1 +
+ tests/data/test1402                          |   1 +
+ tests/data/test1403                          |   1 +
+ tests/data/test1404                          |   1 +
+ tests/data/test1405                          |   1 +
+ tests/data/test1406                          |   1 +
+ tests/data/test1407                          |   1 +
+ tests/data/test1420                          |   1 +
+ 14 files changed, 18 insertions(+), 3 deletions(-)
+diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+index d6fd4589b1e..bcf4e7e62f2 100644
+--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+@@ -10,4 +10,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
+ will re-use the same IP address it already uses for the control
+ connection.
+ 
+Since curl 7.74.0 this option is enabled by default.
+
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+index d6217d0d8ca..fa87ddce769 100644
+--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -35,11 +35,13 @@ address it already uses for the control connection. But it will use the port
+ number from the 227-response.
+ 
+ This option thus allows libcurl to work around broken server installations
+-that due to NATs, firewalls or incompetence report the wrong IP address back.
+that due to NATs, firewalls or incompetence report the wrong IP address
+back. Setting the option also reduces the risk for various sorts of client
+abuse by malicious servers.
+ 
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+ .SH DEFAULT
+-0
+1 since 7.74.0, was 0 before then.
+ .SH PROTOCOLS
+ FTP
+ .SH EXAMPLE
+diff --git a/lib/url.c b/lib/url.c
+index f8b2a0030de..2b0ba87ba87 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -497,6 +497,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
+   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
+   set->ftp_filemethod = FTPFILE_MULTICWD;
+  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
+ #endif
+   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
+ 
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index c52d8e1c6bb..4c06d3557b7 100644
+--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
+@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
+   config->tcp_nodelay = TRUE; /* enabled by default */
+   config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+   config->http09_allowed = FALSE;
+  config->ftp_skip_ip = TRUE;
+ }
+ 
+ static void free_config_fields(struct OperationConfig *config)
+diff --git a/tests/data/test1400 b/tests/data/test1400
+index 812ad0b88d9..b7060eca58e 100644
+--- a/tests/data/test1400
+++ b/tests/data/test1400
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1401 b/tests/data/test1401
+index f93b3d637de..a2629683aff 100644
+--- a/tests/data/test1401
+++ b/tests/data/test1401
+@@ -87,6 +87,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
+                                            (long)CURLPROTO_FTP |
+diff --git a/tests/data/test1402 b/tests/data/test1402
+index 7593c516da1..1bd55cb4e3b 100644
+--- a/tests/data/test1402
+++ b/tests/data/test1402
+@@ -78,6 +78,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1403 b/tests/data/test1403
+index ecb4dd3dcab..a7c9fcca322 100644
+--- a/tests/data/test1403
+++ b/tests/data/test1403
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1404 b/tests/data/test1404
+index 97622b63948..1d8e8cf7779 100644
+--- a/tests/data/test1404
+++ b/tests/data/test1404
+@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1405 b/tests/data/test1405
+index 2bac79eda74..b4087704f7b 100644
+--- a/tests/data/test1405
+++ b/tests/data/test1405
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
+   curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1406 b/tests/data/test1406
+index 51a166adff2..38f68d11ee1 100644
+--- a/tests/data/test1406
+++ b/tests/data/test1406
+@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
+   curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
+   curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
+diff --git a/tests/data/test1407 b/tests/data/test1407
+index f6879008fb2..a7e13ba7585 100644
+--- a/tests/data/test1407
+++ b/tests/data/test1407
+@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1420 b/tests/data/test1420
+index 057ecc4773a..4b8d7bbf418 100644
+--- a/tests/data/test1420
+++ b/tests/data/test1420
+@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8285.patch b/meta/recipes-support/curl/curl/CVE-2020-8285.patch
new file mode 100644
index 0000000000..8a0231ba84
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8285.patch
@@ -0,0 +1,257 @@
+From 69a358f2186e04cf44698b5100332cbf1ee7f01d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 28 Nov 2020 00:27:21 +0100
+Subject: [PATCH] ftp: make wc_statemach loop instead of recurse
+CVE-2020-8285
+Fixes #6255
+Bug: https://curl.se/docs/CVE-2020-8285.html
+Reported-by: xnynx on github
+Upstream-Status: Backport [https://github.com/curl/curl/commit/69a358f2186e04]
+CVE: CVE-2020-8285
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ lib/ftp.c | 202 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 102 insertions(+), 100 deletions(-)
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 50e7d7ddac9..bc355742172 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -3800,129 +3800,131 @@ static CURLcode init_wc_data(struct connectdata *conn)
+   return result;
+ }
+ 
+-/* This is called recursively */
+ static CURLcode wc_statemach(struct connectdata *conn)
+ {
+   struct WildcardData * const wildcard = &(conn->data->wildcard);
+   CURLcode result = CURLE_OK;
+ 
+-  switch(wildcard->state) {
+-  case CURLWC_INIT:
+-    result = init_wc_data(conn);
+-    if(wildcard->state == CURLWC_CLEAN)
+-      /* only listing! */
+-      break;
+-    wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
+-    break;
+  for(;;) {
+    switch(wildcard->state) {
+    case CURLWC_INIT:
+      result = init_wc_data(conn);
+      if(wildcard->state == CURLWC_CLEAN)
+        /* only listing! */
+        return result;
+      wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
+      return result;
+ 
+-  case CURLWC_MATCHING: {
+-    /* In this state is LIST response successfully parsed, so lets restore
+-       previous WRITEFUNCTION callback and WRITEDATA pointer */
+-    struct ftp_wc *ftpwc = wildcard->protdata;
+-    conn->data->set.fwrite_func = ftpwc->backup.write_function;
+-    conn->data->set.out = ftpwc->backup.file_descriptor;
+-    ftpwc->backup.write_function = ZERO_NULL;
+-    ftpwc->backup.file_descriptor = NULL;
+-    wildcard->state = CURLWC_DOWNLOADING;
+-
+-    if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
+-      /* error found in LIST parsing */
+-      wildcard->state = CURLWC_CLEAN;
+-      return wc_statemach(conn);
+-    }
+-    if(wildcard->filelist.size == 0) {
+-      /* no corresponding file */
+-      wildcard->state = CURLWC_CLEAN;
+-      return CURLE_REMOTE_FILE_NOT_FOUND;
+    case CURLWC_MATCHING: {
+      /* In this state is LIST response successfully parsed, so lets restore
+         previous WRITEFUNCTION callback and WRITEDATA pointer */
+      struct ftp_wc *ftpwc = wildcard->protdata;
+      conn->data->set.fwrite_func = ftpwc->backup.write_function;
+      conn->data->set.out = ftpwc->backup.file_descriptor;
+      ftpwc->backup.write_function = ZERO_NULL;
+      ftpwc->backup.file_descriptor = NULL;
+      wildcard->state = CURLWC_DOWNLOADING;
+
+      if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
+        /* error found in LIST parsing */
+        wildcard->state = CURLWC_CLEAN;
+        continue;
+      }
+      if(wildcard->filelist.size == 0) {
+        /* no corresponding file */
+        wildcard->state = CURLWC_CLEAN;
+        return CURLE_REMOTE_FILE_NOT_FOUND;
+      }
+      continue;
+     }
+-    return wc_statemach(conn);
+-  }
+ 
+-  case CURLWC_DOWNLOADING: {
+-    /* filelist has at least one file, lets get first one */
+-    struct ftp_conn *ftpc = &conn->proto.ftpc;
+-    struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+-    struct FTP *ftp = conn->data->req.p.ftp;
+    case CURLWC_DOWNLOADING: {
+      /* filelist has at least one file, lets get first one */
+      struct ftp_conn *ftpc = &conn->proto.ftpc;
+      struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+      struct FTP *ftp = conn->data->req.p.ftp;
+ 
+-    char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+-    if(!tmp_path)
+-      return CURLE_OUT_OF_MEMORY;
+      char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+      if(!tmp_path)
+        return CURLE_OUT_OF_MEMORY;
+ 
+-    /* switch default ftp->path and tmp_path */
+-    free(ftp->pathalloc);
+-    ftp->pathalloc = ftp->path = tmp_path;
+-
+-    infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
+-    if(conn->data->set.chunk_bgn) {
+-      long userresponse;
+-      Curl_set_in_callback(conn->data, true);
+-      userresponse = conn->data->set.chunk_bgn(
+-        finfo, wildcard->customptr, (int)wildcard->filelist.size);
+-      Curl_set_in_callback(conn->data, false);
+-      switch(userresponse) {
+-      case CURL_CHUNK_BGN_FUNC_SKIP:
+-        infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
+-              finfo->filename);
+-        wildcard->state = CURLWC_SKIP;
+-        return wc_statemach(conn);
+-      case CURL_CHUNK_BGN_FUNC_FAIL:
+-        return CURLE_CHUNK_FAILED;
+      /* switch default ftp->path and tmp_path */
+      free(ftp->pathalloc);
+      ftp->pathalloc = ftp->path = tmp_path;
+
+      infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
+      if(conn->data->set.chunk_bgn) {
+        long userresponse;
+        Curl_set_in_callback(conn->data, true);
+        userresponse = conn->data->set.chunk_bgn(
+          finfo, wildcard->customptr, (int)wildcard->filelist.size);
+        Curl_set_in_callback(conn->data, false);
+        switch(userresponse) {
+        case CURL_CHUNK_BGN_FUNC_SKIP:
+          infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
+                finfo->filename);
+          wildcard->state = CURLWC_SKIP;
+          continue;
+        case CURL_CHUNK_BGN_FUNC_FAIL:
+          return CURLE_CHUNK_FAILED;
+        }
+       }
+-    }
+ 
+-    if(finfo->filetype != CURLFILETYPE_FILE) {
+-      wildcard->state = CURLWC_SKIP;
+-      return wc_statemach(conn);
+-    }
+      if(finfo->filetype != CURLFILETYPE_FILE) {
+        wildcard->state = CURLWC_SKIP;
+        continue;
+      }
+ 
+-    if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
+-      ftpc->known_filesize = finfo->size;
+      if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
+        ftpc->known_filesize = finfo->size;
+ 
+-    result = ftp_parse_url_path(conn);
+-    if(result)
+-      return result;
+      result = ftp_parse_url_path(conn);
+      if(result)
+        return result;
+ 
+-    /* we don't need the Curl_fileinfo of first file anymore */
+-    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+      /* we don't need the Curl_fileinfo of first file anymore */
+      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+ 
+-    if(wildcard->filelist.size == 0) { /* remains only one file to down. */
+-      wildcard->state = CURLWC_CLEAN;
+-      /* after that will be ftp_do called once again and no transfer
+-         will be done because of CURLWC_CLEAN state */
+-      return CURLE_OK;
+      if(wildcard->filelist.size == 0) { /* remains only one file to down. */
+        wildcard->state = CURLWC_CLEAN;
+        /* after that will be ftp_do called once again and no transfer
+           will be done because of CURLWC_CLEAN state */
+        return CURLE_OK;
+      }
+      return result;
+     }
+-  } break;
+ 
+-  case CURLWC_SKIP: {
+-    if(conn->data->set.chunk_end) {
+-      Curl_set_in_callback(conn->data, true);
+-      conn->data->set.chunk_end(conn->data->wildcard.customptr);
+-      Curl_set_in_callback(conn->data, false);
+    case CURLWC_SKIP: {
+      if(conn->data->set.chunk_end) {
+        Curl_set_in_callback(conn->data, true);
+        conn->data->set.chunk_end(conn->data->wildcard.customptr);
+        Curl_set_in_callback(conn->data, false);
+      }
+      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+      wildcard->state = (wildcard->filelist.size == 0) ?
+        CURLWC_CLEAN : CURLWC_DOWNLOADING;
+      continue;
+     }
+-    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+-    wildcard->state = (wildcard->filelist.size == 0) ?
+-                      CURLWC_CLEAN : CURLWC_DOWNLOADING;
+-    return wc_statemach(conn);
+-  }
+ 
+-  case CURLWC_CLEAN: {
+-    struct ftp_wc *ftpwc = wildcard->protdata;
+-    result = CURLE_OK;
+-    if(ftpwc)
+-      result = Curl_ftp_parselist_geterror(ftpwc->parser);
+    case CURLWC_CLEAN: {
+      struct ftp_wc *ftpwc = wildcard->protdata;
+      result = CURLE_OK;
+      if(ftpwc)
+        result = Curl_ftp_parselist_geterror(ftpwc->parser);
+ 
+-    wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
+-  } break;
+      wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
+      return result;
+    }
+ 
+-  case CURLWC_DONE:
+-  case CURLWC_ERROR:
+-  case CURLWC_CLEAR:
+-    if(wildcard->dtor)
+-      wildcard->dtor(wildcard->protdata);
+-    break;
+    case CURLWC_DONE:
+    case CURLWC_ERROR:
+    case CURLWC_CLEAR:
+      if(wildcard->dtor)
+        wildcard->dtor(wildcard->protdata);
+      return result;
+    }
+   }
+-
+-  return result;
+  /* UNREACHABLE */
+ }
+ 
+ /***********************************************************************
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8286.patch b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
new file mode 100644
index 0000000000..8c75cba844
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
@@ -0,0 +1,131 @@
+From 5d3b28deac44c19e4d73fc80e4917d42ee43adfe Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+CVE-2020-8286
+Reported by anonymous
+Bug: https://curl.se/docs/CVE-2020-8286.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit/d9d01672785b]
+CVE: CVE-2020-8286
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ lib/vtls/openssl.c | 83 +++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 54 insertions(+), 29 deletions(-)
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1685a4a..22cbfe7 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -1777,6 +1777,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+   X509_STORE     *st = NULL;
+   STACK_OF(X509) *ch = NULL;
+   struct ssl_backend_data *backend = connssl->backend;
+  X509 *cert;
+  OCSP_CERTID *id = NULL;
+  int cert_status, crl_reason;
+  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+  int ret;
+ 
+   long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
+ 
+@@ -1845,43 +1850,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+     goto end;
+   }
+ 
+-  for(i = 0; i < OCSP_resp_count(br); i++) {
+-    int cert_status, crl_reason;
+-    OCSP_SINGLERESP *single = NULL;
+-
+-    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+  /* Compute the certificate's ID */
+  cert = SSL_get_peer_certificate(backend->handle);
+  if(!cert) {
+    failf(data, "Error getting peer certficate");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    single = OCSP_resp_get0(br, i);
+-    if(!single)
+-      continue;
+  for(i = 0; i < sk_X509_num(ch); i++) {
+    X509 *issuer = sk_X509_value(ch, i);
+    if(X509_check_issued(issuer, cert) == X509_V_OK) {
+      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+      break;
+    }
+  }
+  X509_free(cert);
+ 
+-    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+-                                          &thisupd, &nextupd);
+  if(!id) {
+    failf(data, "Error computing OCSP ID");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+-      failf(data, "OCSP response has expired");
+-      result = CURLE_SSL_INVALIDCERTSTATUS;
+-      goto end;
+-    }
+  /* Find the single OCSP response corresponding to the certificate ID */
+  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
+                              &thisupd, &nextupd);
+  OCSP_CERTID_free(id);
+  if(ret != 1) {
+    failf(data, "Could not find certificate ID in OCSP response");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    infof(data, "SSL certificate status: %s (%d)\n",
+-          OCSP_cert_status_str(cert_status), cert_status);
+  /* Validate the corresponding single OCSP response */
+  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+    failf(data, "OCSP response has expired");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+ 
+-    switch(cert_status) {
+-      case V_OCSP_CERTSTATUS_GOOD:
+-        break;
+  infof(data, "SSL certificate status: %s (%d)\n",
+        OCSP_cert_status_str(cert_status), cert_status);
+ 
+-      case V_OCSP_CERTSTATUS_REVOKED:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+  switch(cert_status) {
+  case V_OCSP_CERTSTATUS_GOOD:
+    break;
+ 
+-        failf(data, "SSL certificate revocation reason: %s (%d)",
+-              OCSP_crl_reason_str(crl_reason), crl_reason);
+-        goto end;
+  case V_OCSP_CERTSTATUS_REVOKED:
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    failf(data, "SSL certificate revocation reason: %s (%d)",
+          OCSP_crl_reason_str(crl_reason), crl_reason);
+    goto end;
+ 
+-      case V_OCSP_CERTSTATUS_UNKNOWN:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+-        goto end;
+-    }
+  case V_OCSP_CERTSTATUS_UNKNOWN:
+  default:
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+   }
+ 
+ end:
diff --git a/meta/recipes-support/curl/curl_7.72.0.bb b/meta/recipes-support/curl/curl_7.72.0.bb
index 7d0268253d..a9b52a8a1d 100644
--- a/meta/recipes-support/curl/curl_7.72.0.bb
+++ b/meta/recipes-support/curl/curl_7.72.0.bb
@@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2e9fb35867314fe31c6a4977ef7dd531"
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://0002-remove-void-protop-create-union-p.patch \
+           file://CVE-2020-8284.patch \
+           file://CVE-2020-8285.patch \
+           file://CVE-2020-8286.patch \
 "
 SRC_URI[sha256sum] = "ad91970864102a59765e20ce16216efc9d6ad381471f7accceceab7d905703ef"
diff --git a/meta/recipes-support/gpgme/gpgme_1.14.0.bb b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
index 9fa8212808..fb7215381c 100644
--- a/meta/recipes-support/gpgme/gpgme_1.14.0.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
@@ -48,7 +48,7 @@ DEFAULT_LANGUAGES_class-target = "cpp"
 LANGUAGES ?= "${DEFAULT_LANGUAGES} python"
 PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}"
-PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
+PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native python3targetconfig', '', d)}"
 EXTRA_OECONF += '--enable-languages="${LANGUAGES}" \
                 --disable-gpgconf-test \
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
index 9d02f5c794..0b4582b202 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;"
 SRCREV = "a36019e5014bff251f83d522ddcfebaecf52afd3"
 # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
new file mode 100644
index 0000000000..42f92e3607
--- /dev/null
+++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From fdf78a4877afa987ba646a8779b513f258e6d04c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Fri, 31 Jul 2020 15:21:53 -0500
+Subject: [PATCH] libcroco: Limit recursion in block and any productions
+ (CVE-2020-12825)
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+Fixes #8
+This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404
+CVE: CVE-2020-12825
+Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a]
+Comment: No refreshing changes done.
+Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
+---
+ src/cr-parser.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index 18c9a01..f4a62e3 100644
+--- a/src/cr-parser.c
+++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+ 
+ #define CHARS_TAB_SIZE 12
+ 
+#define RECURSIVE_CALLERS_LIMIT 100
+
+ /**
+  * IS_NUM:
+  *@a_char: the char to test.
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+ 
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+ 
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
+                                               guint      n_calls);
+ 
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
+                                                 guint      n_calls);
+ 
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+ 
+@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+         cr_parser_try_to_skip_spaces_and_comments (a_this);
+ 
+         do {
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+         } while (status == CR_OK);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, 
+                                       token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status,
+                                       FALSE);
+                 goto done;
+@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ 
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+-        status = cr_parser_parse_any_core (a_this);
+        status = cr_parser_parse_any_core (a_this, 0);
+         CHECK_PARSING_STATUS (status, FALSE);
+ 
+         do {
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+ 
+         } while (status == CR_OK);
+ 
+@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+  *in chapter 4.1 of the css2 spec.
+  *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+  *@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
+  *FIXME: code this function.
+  */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
+cr_parser_parse_block_core (CRParser * a_this,
+                            guint      n_calls)
+ {
+         CRToken *token = NULL;
+         CRInputPos init_pos;
+@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+ 
+         g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+ 
+        if (n_calls > RECURSIVE_CALLERS_LIMIT)
+                return CR_ERROR;
+
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+         } else if (token->type == CBO_TK) {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         } else {
+                 cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 goto parse_block_content;
+         }
+@@ -1109,7 +1118,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_block_core (a_this);
+                status = cr_parser_parse_block_core (a_this, 0);
+                 CHECK_PARSING_STATUS (status, FALSE);
+                 ref++;
+                 goto continue_parsing;
+@@ -1123,7 +1132,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+                 status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+                                                token);
+                 token = NULL;
+-                status = cr_parser_parse_any_core (a_this);
+                status = cr_parser_parse_any_core (a_this, 0);
+                 if (status == CR_OK) {
+                         ref++;
+                         goto continue_parsing;
+@@ -1162,10 +1171,12 @@ cr_parser_parse_value_core (CRParser * a_this)
+  *        | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+  *
+  *@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
+  *@return CR_OK upon successfull completion, an error code otherwise.
+  */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
+cr_parser_parse_any_core (CRParser * a_this,
+                          guint      n_calls)
+ {
+         CRToken *token1 = NULL,
+                 *token2 = NULL;
+@@ -1174,6 +1185,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+ 
+         g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+ 
+        if (n_calls > RECURSIVE_CALLERS_LIMIT)
+                return CR_ERROR;
+
+         RECORD_INITIAL_POS (a_this, &init_pos);
+ 
+         status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1212,7 +1226,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                  *We consider parameter as being an "any*" production.
+                  */
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1237,7 +1251,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+ 
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1265,7 +1279,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+                 }
+ 
+                 do {
+-                        status = cr_parser_parse_any_core (a_this);
+                        status = cr_parser_parse_any_core (a_this, n_calls + 1);
+                 } while (status == CR_OK);
+ 
+                 ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 9171a9de5c..a443ff23fe 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -18,3 +18,6 @@ inherit gnomebase gtk-doc binconfig-disabled
 SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
 SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
+SRC_URI +="file://CVE-2020-12825.patch \
+"
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
index f6b7fc82d3..71cbd876eb 100644
--- a/meta/recipes-support/libevdev/libevdev/determinism.patch
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -9,7 +9,8 @@ Sort to remove this inconsistency.
 RP 2020/2/7
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Pending
+Submitted: https://lists.freedesktop.org/archives/input-tools/2021-February/001560.html
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libevdev/libevdev/-/commit/8d70f449892c6f7659e07bb0f06b8347677bb7d8]
 ---
 libevdev/make-event-names.py | 6 +++---
diff --git a/meta/recipes-support/libexif/files/CVE-2020-0198.patch b/meta/recipes-support/libexif/files/CVE-2020-0198.patch
new file mode 100644
index 0000000000..2a48844cb2
--- /dev/null
+++ b/meta/recipes-support/libexif/files/CVE-2020-0198.patch
@@ -0,0 +1,66 @@
+From ca71eda33fe8421f98fbe20eb4392473357c1c43 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 30 Dec 2020 10:22:47 +0800
+Subject: [PATCH] fixed another unsigned integer overflow
+first fixed by google in android fork,
+https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
+(use a more generic overflow check method, also check second overflow instance.)
+https://security-tracker.debian.org/tracker/CVE-2020-0198
+Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c]
+CVE: CVE-2020-0198
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 8b280d3..34d58fc 100644
+--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+ 
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+                exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+                return;
+        }
+-       if (s > ds - o) {
+       if (CHECKOVERFLOW(o,ds,s)) {
+                exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+                return;
+        }
+@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+        }
+ 
+        /* Read the number of entries */
+-       if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+       if (CHECKOVERFLOW(offset, ds, 2)) {
+                exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-                         "Tag data past end of buffer (%u > %u)", offset+2, ds);
+                         "Tag data past end of buffer (%u+2 > %u)", offset, ds);
+                return;
+        }
+        n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+        offset += 2;
+ 
+        /* Check if we have enough data. */
+-       if (offset + 12 * n > ds) {
+       if (CHECKOVERFLOW(offset, ds, 12*n)) {
+                n = (ds - offset) / 12;
+                exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+                                  "Short data; only loading %hu entries...", n);
+-- 
+2.17.1
diff --git a/meta/recipes-support/libexif/files/CVE-2020-0452.patch b/meta/recipes-support/libexif/files/CVE-2020-0452.patch
new file mode 100644
index 0000000000..a117b8b369
--- /dev/null
+++ b/meta/recipes-support/libexif/files/CVE-2020-0452.patch
@@ -0,0 +1,39 @@
+From 302acd49eba0a125b0f20692df6abc6f7f7ca53e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 30 Dec 2020 10:18:51 +0800
+Subject: [PATCH] fixed a incorrect overflow check that could be optimized
+ away.
+inspired by:
+https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
+https://source.android.com/security/bulletin/2020-11-01
+CVE-2020-0452
+Upsteam-Status: Backport[https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06]
+CVE: CVE-2020-0452
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 5de215f..3a6ce84 100644
+--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
+@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+        {
+                unsigned char *utf16;
+ 
+-               /* Sanity check the size to prevent overflow */
+-               if (e->size+sizeof(uint16_t)+1 < e->size) break;
+               /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
+               if (e->size >= 65536 - sizeof(uint16_t)*2) break;
+ 
+                /* The tag may not be U+0000-terminated , so make a local
+                   U+0000-terminated copy before converting it */
+-- 
+2.17.1
diff --git a/meta/recipes-support/libexif/libexif_0.6.22.bb b/meta/recipes-support/libexif/libexif_0.6.22.bb
index 2478ba07d8..dc30926c59 100644
--- a/meta/recipes-support/libexif/libexif_0.6.22.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.22.bb
@@ -8,6 +8,8 @@ def version_underscore(v):
    return "_".join(v.split("."))
 SRC_URI = "https://github.com/libexif/libexif/releases/download/libexif-${@version_underscore("${PV}")}-release/libexif-${PV}.tar.xz \
+           file://CVE-2020-0198.patch \
+           file://CVE-2020-0452.patch \
           "
 SRC_URI[sha256sum] = "5048f1c8fc509cc636c2f97f4b40c293338b6041a5652082d5ee2cf54b530c56"
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
index ac09417e89..832d07d515 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
@@ -28,6 +28,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 "
 SRC_URI[sha256sum] = "0cba2700617b99fc33864a0c16b1fa7fdf9781d9ed3509f5d767178e5fd7b975"
+# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
 BINCONFIG = "${bindir}/libgcrypt-config"
 inherit autotools texinfo binconfig-disabled pkgconfig
diff --git a/meta/recipes-support/lz4/lz4_1.9.2.bb b/meta/recipes-support/lz4/lz4_1.9.2.bb
index 6510156ed0..455d2a5141 100644
--- a/meta/recipes-support/lz4/lz4_1.9.2.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.2.bb
@@ -11,7 +11,7 @@ PE = "1"
 SRCREV = "fdf2ef5809ca875c454510610764d9125ef2ebbd"
-SRC_URI = "git://github.com/lz4/lz4.git \
+SRC_URI = "git://github.com/lz4/lz4.git;branch=dev \
           file://run-ptest \
           "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
index b1fd2334b2..c539ecdbc6 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
@@ -2,17 +2,18 @@ SUMMARY = "Provides a way to load and enumerate PKCS#11 modules"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=02933887f609807fbb57aa4237d14a50"
-inherit meson gettext pkgconfig gtk-doc bash-completion
+inherit meson gettext pkgconfig gtk-doc bash-completion manpages
 DEPENDS = "libtasn1 libtasn1-native libffi"
 DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
-SRC_URI = "git://github.com/p11-glue/p11-kit"
+SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23"
-SRCREV = "fd8b56f3ee971f94dc6fc95411fc01e1c12153ab"
+SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee"
 S = "${WORKDIR}/git"
 PACKAGECONFIG ??= ""
+PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native"
 PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates"
 GTKDOC_MESON_OPTION = 'gtk_doc'
diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
index 611a1bd923..33f041a161 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
@@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
 # -19242 is only an issue in specific development branch commits
 CVE_CHECK_WHITELIST += "CVE-2019-19242"
+# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
+CVE_CHECK_WHITELIST += "CVE-2015-3717"
diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch
new file mode 100644
index 0000000000..48dca44cad
--- /dev/null
+++ b/meta/recipes-support/vim/files/racefix.patch
@@ -0,0 +1,33 @@
+The creation of the LINGUAS file is duplicated for each desktop file
+which can lead the commands to race against each other. Rework
+the makefile to avoid this as the expense of leaving the file on disk.
+Upstream-Status: Pending
+RP 2021/2/15
+Index: git/src/po/Makefile
+===================================================================
+--- git.orig/src/po/Makefile
+++ git/src/po/Makefile
+@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../
+                po/gvim.desktop.in po/vim.desktop.in
+        mv -f ../$(PACKAGE).po $(PACKAGE).pot
+ 
+-vim.desktop: vim.desktop.in $(POFILES)
+LINGUAS:
+        echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
+
+vim.desktop: vim.desktop.in $(POFILES) LINGUAS
+        $(MSGFMT) --desktop -d . --template vim.desktop.in -o tmp_vim.desktop
+-       rm -f LINGUAS
+        if command -v desktop-file-validate; then desktop-file-validate tmp_vim.desktop; fi
+        mv tmp_vim.desktop vim.desktop
+ 
+-gvim.desktop: gvim.desktop.in $(POFILES)
+-       echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
+gvim.desktop: gvim.desktop.in $(POFILES) LINGUAS
+        $(MSGFMT) --desktop -d . --template gvim.desktop.in -o tmp_gvim.desktop
+-       rm -f LINGUAS
+        if command -v desktop-file-validate; then desktop-file-validate tmp_gvim.desktop; fi
+        mv tmp_gvim.desktop gvim.desktop
+ 
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4d2886c19e..d57f784da5 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/vim/vim.git \
           file://vim-add-knob-whether-elf.h-are-checked.patch \
           file://0001-src-Makefile-improve-reproducibility.patch \
           file://no-path-adjust.patch \
+           file://racefix.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
@@ -68,8 +69,10 @@ EXTRA_OECONF = " \
    --disable-gtktest \
    --disable-xim \
    --disable-netbeans \
+    --disable-desktop-database-update \
    --with-tlib=ncurses \
    ac_cv_small_wchar_t=no \
+    ac_cv_path_GLIB_COMPILE_RESOURCES=no \
    vim_cv_getcwd_broken=no \
    vim_cv_memmove_handles_overlap=yes \
    vim_cv_stat_ignores_slash=no \
diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh
index 1191f57a8e..f436f9bae0 100755
--- a/scripts/contrib/documentation-audit.sh
+++ b/scripts/contrib/documentation-audit.sh
@@ -27,7 +27,7 @@ fi
 echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results"
 echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or "
-echo " you'll get false positives.  For example, LICENSE_FLAGS_WHITELIST = \"Commercial\""
+echo " you'll get false positives.  For example, LICENSE_FLAGS_WHITELIST = \"commercial\""
 for pkg in `bitbake -s | awk '{ print \$1 }'`; do
        if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" ||
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index 261d642d4a..f364a45283 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -474,7 +474,11 @@ def symlink_oelocal_files_srctree(rd,srctree):
                destpth = os.path.join(srctree, relpth, fn)
                if os.path.exists(destpth):
                    os.unlink(destpth)
-                os.symlink('oe-local-files/%s' % fn, destpth)
+                if relpth != '.':
+                    back_relpth = os.path.relpath(local_files_dir, root)
+                    os.symlink('%s/oe-local-files/%s/%s' % (back_relpth, relpth, fn), destpth)
+                else:
+                    os.symlink('oe-local-files/%s' % fn, destpth)
                addfiles.append(os.path.join(relpth, fn))
        if addfiles:
            bb.process.run('git add %s' % ' '.join(addfiles), cwd=srctree)
@@ -589,6 +593,16 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
            else:
                task = 'do_patch'
+                if 'noexec' in (d.getVarFlags(task, False) or []) or 'task' not in (d.getVarFlags(task, False) or []):
+                    logger.info('The %s recipe has %s disabled. Running only '
+                                       'do_configure task dependencies' % (pn, task))
+                    if 'depends' in d.getVarFlags('do_configure', False):
+                        pn = d.getVarFlags('do_configure', False)['depends']
+                        pn = pn.replace('${PV}', d.getVar('PV'))
+                        pn = pn.replace('${COMPILERDEP}', d.getVar('COMPILERDEP'))
+                        task = None
            # Run the fetch + unpack tasks
            res = tinfoil.build_targets(pn,
                                        task,
@@ -600,6 +614,17 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
        if not res:
            raise DevtoolError('Extracting source for %s failed' % pn)
+        if not is_kernel_yocto and ('noexec' in (d.getVarFlags('do_patch', False) or []) or 'task' not in (d.getVarFlags('do_patch', False) or [])):
+            workshareddir = d.getVar('S')
+            if os.path.islink(srctree):
+                os.unlink(srctree)
+            os.symlink(workshareddir, srctree)
+            # The initial_rev file is created in devtool_post_unpack function that will not be executed if
+            # do_unpack/do_patch tasks are disabled so we have to directly say that source extraction was successful
+            return True, True
        try:
            with open(os.path.join(tempdir, 'initial_rev'), 'r') as f:
                initial_rev = f.read()
@@ -847,10 +872,11 @@ def modify(args, config, basepath, workspace):
            if not initial_rev:
                return 1
            logger.info('Source tree extracted to %s' % srctree)
-            # Get list of commits since this revision
+            if os.path.exists(os.path.join(srctree, '.git')):
-            (stdout, _) = bb.process.run('git rev-list --reverse %s..HEAD' % initial_rev, cwd=srctree)
+                # Get list of commits since this revision
-            commits = stdout.split()
+                (stdout, _) = bb.process.run('git rev-list --reverse %s..HEAD' % initial_rev, cwd=srctree)
-            check_commits = True
+                commits = stdout.split()
+                check_commits = True
        else:
            if os.path.exists(os.path.join(srctree, '.git')):
                # Check if it's a tree previously extracted by us. This is done
@@ -927,12 +953,17 @@ def modify(args, config, basepath, workspace):
            if bb.data.inherits_class('kernel', rd):
                f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout '
-                        'do_fetch do_unpack do_kernel_configme do_kernel_configcheck"\n')
+                        'do_fetch do_unpack do_kernel_configcheck"\n')
                f.write('\ndo_patch[noexec] = "1"\n')
                f.write('\ndo_configure_append() {\n'
                        '    cp ${B}/.config ${S}/.config.baseline\n'
                        '    ln -sfT ${B}/.config ${S}/.config.new\n'
                        '}\n')
+                f.write('\ndo_kernel_configme_prepend() {\n'
+                        '    if [ -e ${S}/.config ]; then\n'
+                        '        mv ${S}/.config ${S}/.config.old\n'
+                        '    fi\n'
+                        '}\n')
            if rd.getVarFlag('do_menuconfig','task'):
                f.write('\ndo_configure_append() {\n'
                '    if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n'
diff --git a/scripts/lib/devtool/upgrade.py b/scripts/lib/devtool/upgrade.py
index 0c1de8cdc7..5a057e95f5 100644
--- a/scripts/lib/devtool/upgrade.py
+++ b/scripts/lib/devtool/upgrade.py
@@ -178,7 +178,7 @@ def _extract_new_source(newpv, srctree, no_patch, srcrev, srcbranch, branch, kee
    uri, rev = _get_uri(crd)
    if srcrev:
        rev = srcrev
-    if uri.startswith('git://'):
+    if uri.startswith('git://') or uri.startswith('gitsm://'):
        __run('git fetch')
        __run('git checkout %s' % rev)
        __run('git tag -f devtool-base-new')
@@ -270,7 +270,7 @@ def _extract_new_source(newpv, srctree, no_patch, srcrev, srcbranch, branch, kee
            else:
                logger.warning('Command \'%s\' failed:\n%s' % (e.command, e.stdout))
        if not skiptag:
-            if uri.startswith('git://'):
+            if uri.startswith('git://') or uri.startswith('gitsm://'):
                suffix = 'new'
            else:
                suffix = newpv
diff --git a/scripts/lib/recipetool/create_npm.py b/scripts/lib/recipetool/create_npm.py
index 579b7ae48a..2bcae91dfa 100644
--- a/scripts/lib/recipetool/create_npm.py
+++ b/scripts/lib/recipetool/create_npm.py
@@ -204,6 +204,9 @@ class NpmRecipeHandler(RecipeHandler):
        self._run_npm_install(d, srctree, registry, dev)
        shrinkwrap_file = self._generate_shrinkwrap(d, srctree, dev)
+        with open(shrinkwrap_file, "r") as f:
+            shrinkwrap = json.load(f)
        if os.path.exists(lock_copy):
            bb.utils.movefile(lock_copy, lock_file)
@@ -226,7 +229,8 @@ class NpmRecipeHandler(RecipeHandler):
            value = origvalue.replace("version=" + data["version"], "version=${PV}")
            value = value.replace("version=latest", "version=${PV}")
            values = [line.strip() for line in value.strip('\n').splitlines()]
-            values.append(url_recipe)
+            if "dependencies" in shrinkwrap:
+                values.append(url_recipe)
            return values, None, 4, False
        (_, newlines) = bb.utils.edit_metadata(lines_before, ["SRC_URI"], _handle_srcuri)
diff --git a/scripts/lib/wic/canned-wks/common.wks.inc b/scripts/lib/wic/canned-wks/common.wks.inc
index 89880b417b..4fd29fa8c1 100644
--- a/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/scripts/lib/wic/canned-wks/common.wks.inc
@@ -1,3 +1,3 @@
 # This file is included into 3 canned wks files from this directory
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
diff --git a/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index 8d7d8de6ea..cf16c0c30b 100644
--- a/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
 bootloader  --ptable gpt --timeout=0  --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
diff --git a/scripts/lib/wic/canned-wks/mkefidisk.wks b/scripts/lib/wic/canned-wks/mkefidisk.wks
index 9f534fe184..d1878e23e5 100644
--- a/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
 part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default"  --label platform --align 1024 --use-uuid
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
index 913e3283dc..3eb669da39 100644
--- a/scripts/lib/wic/ksparser.py
+++ b/scripts/lib/wic/ksparser.py
@@ -229,6 +229,23 @@ class KickStart():
                                err = "%s:%d: SquashFS does not support LABEL" \
                                       % (confpath, lineno)
                                raise KickStartError(err)
+                        if parsed.fstype == 'msdos' or parsed.fstype == 'vfat':
+                            if parsed.fsuuid:
+                                if parsed.fsuuid.upper().startswith('0X'):
+                                    if len(parsed.fsuuid) > 10:
+                                        err = "%s:%d: fsuuid %s given in wks kickstart file " \
+                                              "exceeds the length limit for %s filesystem. " \
+                                              "It should be in the form of a 32 bit hexadecimal" \
+                                              "number (for example, 0xABCD1234)." \
+                                              % (confpath, lineno, parsed.fsuuid, parsed.fstype)
+                                        raise KickStartError(err)
+                                elif len(parsed.fsuuid) > 8:
+                                    err = "%s:%d: fsuuid %s given in wks kickstart file " \
+                                          "exceeds the length limit for %s filesystem. " \
+                                          "It should be in the form of a 32 bit hexadecimal" \
+                                          "number (for example, 0xABCD1234)." \
+                                          % (confpath, lineno, parsed.fsuuid, parsed.fstype)
+                                    raise KickStartError(err)
                        if parsed.use_label and not parsed.label:
                            err = "%s:%d: Must set the label with --label" \
                                  % (confpath, lineno)
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index 4b08d649c6..57c042c503 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -26,6 +26,7 @@ logger = logging.getLogger('wic')
 # executable -> recipe pairs for exec_native_cmd
 NATIVE_RECIPES = {"bmaptool": "bmap-tools",
+                  "dumpe2fs": "e2fsprogs",
                  "grub-mkimage": "grub-efi",
                  "isohybrid": "syslinux",
                  "mcopy": "mtools",
@@ -138,9 +139,12 @@ def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""):
    if pseudo:
        cmd_and_args = pseudo + cmd_and_args
-    native_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin:%s/bin" % \
+    hosttools_dir = get_bitbake_var("HOSTTOOLS_DIR")
+    native_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin:%s/bin:%s" % \
                   (native_sysroot, native_sysroot,
-                    native_sysroot, native_sysroot)
+                    native_sysroot, native_sysroot,
+                    hosttools_dir)
    native_cmd_and_args = "export PATH=%s:$PATH;%s" % \
                   (native_paths, cmd_and_args)
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index ebe250b00d..85f9847047 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -54,6 +54,9 @@ class Partition():
        self.uuid = args.uuid
        self.fsuuid = args.fsuuid
        self.type = args.type
+        self.updated_fstab_path = None
+        self.has_fstab = False
+        self.update_fstab_in_rootfs = False
        self.lineno = lineno
        self.source_file = ""
@@ -118,11 +121,15 @@ class Partition():
        return self.fixed_size if self.fixed_size else self.size
    def prepare(self, creator, cr_workdir, oe_builddir, rootfs_dir,
-                bootimg_dir, kernel_dir, native_sysroot):
+                bootimg_dir, kernel_dir, native_sysroot, updated_fstab_path):
        """
        Prepare content for individual partitions, depending on
        partition command parameters.
        """
+        self.updated_fstab_path = updated_fstab_path
+        if self.updated_fstab_path and not (self.fstype.startswith("ext") or self.fstype == "msdos"):
+            self.update_fstab_in_rootfs = True
        if not self.source:
            if not self.size and not self.fixed_size:
                raise WicError("The %s partition has a size of zero. Please "
@@ -207,11 +214,21 @@ class Partition():
        p_prefix = os.environ.get("PSEUDO_PREFIX", "%s/usr" % native_sysroot)
        if (pseudo_dir):
+            # Canonicalize the ignore paths. This corresponds to
+            # calling oe.path.canonicalize(), which is used in bitbake.conf.
+            ignore_paths = [rootfs] + (get_bitbake_var("PSEUDO_IGNORE_PATHS") or "").split(",")
+            canonical_paths = []
+            for path in ignore_paths:
+                if "$" not in path:
+                    trailing_slash = path.endswith("/") and "/" or ""
+                    canonical_paths.append(os.path.realpath(path) + trailing_slash)
+            ignore_paths = ",".join(canonical_paths)
            pseudo = "export PSEUDO_PREFIX=%s;" % p_prefix
            pseudo += "export PSEUDO_LOCALSTATEDIR=%s;" % pseudo_dir
            pseudo += "export PSEUDO_PASSWD=%s;" % rootfs_dir
            pseudo += "export PSEUDO_NOSYMLINKEXP=1;"
-            pseudo += "export PSEUDO_IGNORE_PATHS=%s;" % (rootfs + "," + (get_bitbake_var("PSEUDO_IGNORE_PATHS") or ""))
+            pseudo += "export PSEUDO_IGNORE_PATHS=%s;" % ignore_paths
            pseudo += "%s " % get_bitbake_var("FAKEROOTCMD")
        else:
            pseudo = None
@@ -237,7 +254,7 @@ class Partition():
        prefix = "ext" if self.fstype.startswith("ext") else self.fstype
        method = getattr(self, "prepare_rootfs_" + prefix)
-        method(rootfs, oe_builddir, rootfs_dir, native_sysroot, pseudo)
+        method(rootfs, cr_workdir, oe_builddir, rootfs_dir, native_sysroot, pseudo)
        self.source_file = rootfs
        # get the rootfs size in the right units for kickstart (kB)
@@ -245,7 +262,7 @@ class Partition():
        out = exec_cmd(du_cmd)
        self.size = int(out.split()[0])
-    def prepare_rootfs_ext(self, rootfs, oe_builddir, rootfs_dir,
+    def prepare_rootfs_ext(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
                           native_sysroot, pseudo):
        """
        Prepare content for an ext2/3/4 rootfs partition.
@@ -269,10 +286,21 @@ class Partition():
            (self.fstype, extraopts, rootfs, label_str, self.fsuuid, rootfs_dir)
        exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
+        if self.updated_fstab_path and self.has_fstab:
+            debugfs_script_path = os.path.join(cr_workdir, "debugfs_script")
+            with open(debugfs_script_path, "w") as f:
+                f.write("cd etc\n")
+                f.write("rm fstab\n")
+                f.write("write %s fstab\n" % (self.updated_fstab_path))
+            debugfs_cmd = "debugfs -w -f %s %s" % (debugfs_script_path, rootfs)
+            exec_native_cmd(debugfs_cmd, native_sysroot)
        mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
        exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
-    def prepare_rootfs_btrfs(self, rootfs, oe_builddir, rootfs_dir,
+        self.check_for_Y2038_problem(rootfs, native_sysroot)
+    def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
                             native_sysroot, pseudo):
        """
        Prepare content for a btrfs rootfs partition.
@@ -295,7 +323,7 @@ class Partition():
             self.mkfs_extraopts, self.fsuuid, rootfs)
        exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
-    def prepare_rootfs_msdos(self, rootfs, oe_builddir, rootfs_dir,
+    def prepare_rootfs_msdos(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
                             native_sysroot, pseudo):
        """
        Prepare content for a msdos/vfat rootfs partition.
@@ -324,12 +352,16 @@ class Partition():
        mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (rootfs, rootfs_dir)
        exec_native_cmd(mcopy_cmd, native_sysroot)
+        if self.updated_fstab_path and self.has_fstab:
+            mcopy_cmd = "mcopy -i %s %s ::/etc/fstab" % (rootfs, self.updated_fstab_path)
+            exec_native_cmd(mcopy_cmd, native_sysroot)
        chmod_cmd = "chmod 644 %s" % rootfs
        exec_cmd(chmod_cmd)
    prepare_rootfs_vfat = prepare_rootfs_msdos
-    def prepare_rootfs_squashfs(self, rootfs, oe_builddir, rootfs_dir,
+    def prepare_rootfs_squashfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
                                native_sysroot, pseudo):
        """
        Prepare content for a squashfs rootfs partition.
@@ -358,6 +390,8 @@ class Partition():
            (self.fstype, extraopts, label_str, self.fsuuid, rootfs)
        exec_native_cmd(mkfs_cmd, native_sysroot)
+        self.check_for_Y2038_problem(rootfs, native_sysroot)
    def prepare_empty_partition_btrfs(self, rootfs, oe_builddir,
                                      native_sysroot):
        """
@@ -419,3 +453,37 @@ class Partition():
        mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path)
        exec_native_cmd(mkswap_cmd, native_sysroot)
+    def check_for_Y2038_problem(self, rootfs, native_sysroot):
+        """
+        Check if the filesystem is affected by the Y2038 problem
+        (Y2038 problem = 32 bit time_t overflow in January 2038)
+        """
+        def get_err_str(part):
+            err = "The {} filesystem {} has no Y2038 support."
+            if part.mountpoint:
+                args = [part.fstype, "mounted at %s" % part.mountpoint]
+            elif part.label:
+                args = [part.fstype, "labeled '%s'" % part.label]
+            elif part.part_name:
+                args = [part.fstype, "in partition '%s'" % part.part_name]
+            else:
+                args = [part.fstype, "in partition %s" % part.num]
+            return err.format(*args)
+        # ext2 and ext3 are always affected by the Y2038 problem
+        if self.fstype in ["ext2", "ext3"]:
+            logger.warn(get_err_str(self))
+            return
+        ret, out = exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)
+        # if ext4 is affected by the Y2038 problem depends on the inode size
+        for line in out.splitlines():
+            if line.startswith("Inode size:"):
+                size = int(line.split(":")[1].strip())
+                if size < 256:
+                    logger.warn("%s Inodes (of size %d) are too small." %
+                                (get_err_str(self), size))
+                break
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 55db826e93..ea709e8c54 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -54,15 +54,16 @@ class DirectPlugin(ImagerPlugin):
        self.native_sysroot = native_sysroot
        self.oe_builddir = oe_builddir
+        self.debug = options.debug
        self.outdir = options.outdir
        self.compressor = options.compressor
        self.bmap = options.bmap
        self.no_fstab_update = options.no_fstab_update
-        self.original_fstab = None
+        self.updated_fstab_path = None
        self.name = "%s-%s" % (os.path.splitext(os.path.basename(wks_file))[0],
                               strftime("%Y%m%d%H%M"))
-        self.workdir = tempfile.mkdtemp(dir=self.outdir, prefix='tmp.wic.')
+        self.workdir = self.setup_workdir(options.workdir)
        self._image = None
        self.ptable_format = self.ks.bootloader.ptable
        self.parts = self.ks.partitions
@@ -78,6 +79,16 @@ class DirectPlugin(ImagerPlugin):
        self._image = PartitionedImage(image_path, self.ptable_format,
                                       self.parts, self.native_sysroot)
+    def setup_workdir(self, workdir):
+        if workdir:
+            if os.path.exists(workdir):
+                raise WicError("Internal workdir '%s' specified in wic arguments already exists!" % (workdir))
+            os.makedirs(workdir)
+            return workdir
+        else:
+            return tempfile.mkdtemp(dir=self.outdir, prefix='tmp.wic.')
    def do_create(self):
        """
        Plugin entry point.
@@ -90,11 +101,8 @@ class DirectPlugin(ImagerPlugin):
        finally:
            self.cleanup()
-    def _write_fstab(self, image_rootfs):
+    def update_fstab(self, image_rootfs):
-        """overriden to generate fstab (temporarily) in rootfs. This is called
+        """Assume partition order same as in wks"""
-        from _create, make sure it doesn't get called from
-        BaseImage.create()
-        """
        if not image_rootfs:
            return
@@ -104,18 +112,9 @@ class DirectPlugin(ImagerPlugin):
        with open(fstab_path) as fstab:
            fstab_lines = fstab.readlines()
-            self.original_fstab = fstab_lines.copy()
-        if self._update_fstab(fstab_lines, self.parts):
-            with open(fstab_path, "w") as fstab:
-                fstab.writelines(fstab_lines)
-        else:
-            self.original_fstab = None
-    def _update_fstab(self, fstab_lines, parts):
-        """Assume partition order same as in wks"""
        updated = False
-        for part in parts:
+        for part in self.parts:
            if not part.realnum or not part.mountpoint \
               or part.mountpoint == "/":
                continue
@@ -144,7 +143,10 @@ class DirectPlugin(ImagerPlugin):
            fstab_lines.append(line)
            updated = True
-        return updated
+        if updated:
+            self.updated_fstab_path = os.path.join(self.workdir, "fstab")
+            with open(self.updated_fstab_path, "w") as f:
+                f.writelines(fstab_lines)
    def _full_path(self, path, name, extention):
        """ Construct full file path to a file we generate. """
@@ -160,7 +162,7 @@ class DirectPlugin(ImagerPlugin):
        a partitioned image.
        """
        if not self.no_fstab_update:
-            self._write_fstab(self.rootfs_dir.get("ROOTFS_DIR"))
+            self.update_fstab(self.rootfs_dir.get("ROOTFS_DIR"))
        for part in self.parts:
            # get rootfs size from bitbake variable if it's not set in .ks file
@@ -273,14 +275,9 @@ class DirectPlugin(ImagerPlugin):
            if os.path.isfile(path):
                shutil.move(path, os.path.join(self.outdir, fname))
-        #Restore original fstab
+        # remove work directory when it is not in debugging mode
-        if self.original_fstab:
+        if not self.debug:
-            fstab_path = self.rootfs_dir.get("ROOTFS_DIR") + "/etc/fstab"
+            shutil.rmtree(self.workdir, ignore_errors=True)
-            with open(fstab_path, "w") as fstab:
-                fstab.writelines(self.original_fstab)
-        # remove work directory
-        shutil.rmtree(self.workdir, ignore_errors=True)
 # Overhead of the MBR partitioning scheme (just one sector)
 MBR_OVERHEAD = 1
@@ -343,6 +340,13 @@ class PartitionedImage():
                    part.fsuuid = '0x' + str(uuid.uuid4())[:8].upper()
                else:
                    part.fsuuid = str(uuid.uuid4())
+            else:
+                #make sure the fsuuid for vfat/msdos align with format 0xYYYYYYYY
+                if part.fstype == 'vfat' or part.fstype == 'msdos':
+                    if part.fsuuid.upper().startswith("0X"):
+                        part.fsuuid = '0x' + part.fsuuid.upper()[2:].rjust(8,"0")
+                    else:
+                        part.fsuuid = '0x' + part.fsuuid.upper().rjust(8,"0")
    def prepare(self, imager):
        """Prepare an image. Call prepare method of all image partitions."""
@@ -351,7 +355,8 @@ class PartitionedImage():
            # sizes before we can add them and do the layout.
            part.prepare(imager, imager.workdir, imager.oe_builddir,
                         imager.rootfs_dir, imager.bootimg_dir,
-                         imager.kernel_dir, imager.native_sysroot)
+                         imager.kernel_dir, imager.native_sysroot,
+                         imager.updated_fstab_path)
            # Converting kB to sectors for parted
            part.size_sec = part.disk_size * 1024 // self.sector_size
diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
index f1db83f8a1..96d940a91d 100644
--- a/scripts/lib/wic/plugins/source/rootfs.py
+++ b/scripts/lib/wic/plugins/source/rootfs.py
@@ -94,6 +94,7 @@ class RootfsPlugin(SourcePlugin):
                               "it is not a valid path, exiting" % part.rootfs_dir)
        part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+        part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
        pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
        if not os.path.lexists(pseudo_dir):
            logger.warn("%s folder does not exist. "
@@ -103,9 +104,9 @@ class RootfsPlugin(SourcePlugin):
        new_rootfs = None
        new_pseudo = None
        # Handle excluded paths.
-        if part.exclude_path or part.include_path or part.change_directory:
+        if part.exclude_path or part.include_path or part.change_directory or part.update_fstab_in_rootfs:
-            # We need a new rootfs directory we can delete files from. Copy to
+            # We need a new rootfs directory we can safely modify without
-            # workdir.
+            # interfering with other tasks. Copy to workdir.
            new_rootfs = os.path.realpath(os.path.join(cr_workdir, "rootfs%d" % part.lineno))
            if os.path.lexists(new_rootfs):
@@ -199,17 +200,33 @@ class RootfsPlugin(SourcePlugin):
                if not os.path.lexists(full_path):
                    continue
+                if new_pseudo:
+                    pseudo = cls.__get_pseudo(native_sysroot, new_rootfs, new_pseudo)
+                else:
+                    pseudo = None
                if path.endswith(os.sep):
                    # Delete content only.
                    for entry in os.listdir(full_path):
                        full_entry = os.path.join(full_path, entry)
-                        if os.path.isdir(full_entry) and not os.path.islink(full_entry):
+                        rm_cmd = "rm -rf %s" % (full_entry)
-                            shutil.rmtree(full_entry)
+                        exec_native_cmd(rm_cmd, native_sysroot, pseudo)
-                        else:
-                            os.remove(full_entry)
                else:
                    # Delete whole directory.
-                    shutil.rmtree(full_path)
+                    rm_cmd = "rm -rf %s" % (full_path)
+                    exec_native_cmd(rm_cmd, native_sysroot, pseudo)
+            # Update part.has_fstab here as fstab may have been added or
+            # removed by the above modifications.
+            part.has_fstab = os.path.exists(os.path.join(new_rootfs, "etc/fstab"))
+            if part.update_fstab_in_rootfs and part.has_fstab:
+                fstab_path = os.path.join(new_rootfs, "etc/fstab")
+                # Assume that fstab should always be owned by root with fixed permissions
+                install_cmd = "install -m 0644 %s %s" % (part.updated_fstab_path, fstab_path)
+                if new_pseudo:
+                    pseudo = cls.__get_pseudo(native_sysroot, new_rootfs, new_pseudo)
+                else:
+                    pseudo = None
+                exec_native_cmd(install_cmd, native_sysroot, pseudo)
        part.prepare_rootfs(cr_workdir, oe_builddir,
                            new_rootfs or part.rootfs_dir, native_sysroot,
diff --git a/scripts/oe-pkgdata-util b/scripts/oe-pkgdata-util
index 93220e3617..75dd23efa3 100755
--- a/scripts/oe-pkgdata-util
+++ b/scripts/oe-pkgdata-util
@@ -598,6 +598,9 @@ def main():
            logger.error("Unable to find bitbake by searching parent directory of this script or PATH")
            sys.exit(1)
        logger.debug('Found bitbake path: %s' % bitbakepath)
+        if not os.environ.get('BUILDDIR', ''):
+            logger.error("This script can only be run after initialising the build environment (e.g. by using oe-init-build-env)")
+            sys.exit(1)
        tinfoil = tinfoil_init()
        try:
            args.pkgdata_dir = tinfoil.config_data.getVar('PKGDATA_DIR')
diff --git a/scripts/oe-run-native b/scripts/oe-run-native
index 4e63e69cc4..22958d97e7 100755
--- a/scripts/oe-run-native
+++ b/scripts/oe-run-native
@@ -43,7 +43,7 @@ fi
 OLD_PATH=$PATH
 # look for a tool only in native sysroot
-PATH=$OECORE_NATIVE_SYSROOT/usr/bin:$OECORE_NATIVE_SYSROOT/bin:$OECORE_NATIVE_SYSROOT/usr/sbin:$OECORE_NATIVE_SYSROOT/sbin$(find $OECORE_NATIVE_SYSROOT/usr/bin/*-native -maxdepth 1 -type d -printf ":%p")
+PATH=$OECORE_NATIVE_SYSROOT/usr/bin:$OECORE_NATIVE_SYSROOT/bin:$OECORE_NATIVE_SYSROOT/usr/sbin:$OECORE_NATIVE_SYSROOT/sbin$(find $OECORE_NATIVE_SYSROOT/usr/bin -maxdepth 1 -name "*-native" -type d -printf ":%p")
 tool_find=`/usr/bin/which $tool 2>/dev/null`
 if [ -n "$tool_find" ] ; then
diff --git a/scripts/runqemu b/scripts/runqemu
index e5e66f3453..b80fec1c99 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1340,6 +1340,8 @@ class BaseConfig(object):
        for ovmf in self.ovmf_bios:
            format = ovmf.rsplit('.', 1)[-1]
+            if format == "bin":
+                format = "raw"
            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
        self.qemu_opt += ' ' + self.qemu_opt_script
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
index fb0cc719ea..14d8c298e9 100755
--- a/scripts/verify-bashisms
+++ b/scripts/verify-bashisms
@@ -100,7 +100,7 @@ if __name__=='__main__':
    args = parser.parse_args()
    if shutil.which("checkbashisms.pl") is None:
-        print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl")
+        print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl")
        sys.exit(1)
    # The order of defining the worker function,
diff --git a/scripts/wic b/scripts/wic
index 24700f380f..a741aed364 100755
--- a/scripts/wic
+++ b/scripts/wic
@@ -312,6 +312,8 @@ def wic_init_parser_create(subparser):
    subparser.add_argument("-o", "--outdir", dest="outdir", default='.',
                      help="name of directory to create image in")
+    subparser.add_argument("-w", "--workdir",
+                      help="temporary workdir to use for intermediate files")
    subparser.add_argument("-e", "--image-name", dest="image_name",
                      help="name of the image to use the artifacts from "
                           "e.g. core-image-sato")
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index b7c83c8b54..deba3cb4f8 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -138,6 +138,9 @@ def main():
                layer['type'] == LayerType.ERROR_BSP_DISTRO:
            continue
+        # Reset to a clean backup copy for each run
+        shutil.copyfile(bblayersconf + '.backup', bblayersconf)
        if check_bblayers(bblayersconf, layer['path'], logger):
            logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
               "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))