kernel-5.14.0-57.el9

* Tue Feb 08 2022 Herton R. Krzesinski <herton@redhat.com> [5.14.0-57.el9]
- block: assign bi_bdev for cloned bios in blk_rq_prep_clone (Benjamin Marzinski) [2026948]
- dm sysfs: use default_groups in kobj_type (Benjamin Marzinski) [2043224]
- dm space map common: add bounds check to sm_ll_lookup_bitmap() (Benjamin Marzinski) [2043224]
- dm btree: add a defensive bounds check to insert_at() (Benjamin Marzinski) [2043224]
- dm btree remove: change a bunch of BUG_ON() calls to proper errors (Benjamin Marzinski) [2043224]
- dm btree spine: eliminate duplicate le32_to_cpu() in node_check() (Benjamin Marzinski) [2043224]
- dm btree spine: remove extra node_check function declaration (Benjamin Marzinski) [2043224]
- redhat: drop the RELEASED_KERNEL switch (Herton R. Krzesinski) [2037084 2045327]
- redhat: switch the kernel package to use certs from system-sb-certs (Herton R. Krzesinski) [2037084 2045327]
- mptcp: disable by default (Davide Caratti) [2044392]
- sch_api: Don't skip qdisc attach on ingress (Davide Caratti) [2044560]
- flow_offload: return EOPNOTSUPP for the unsupported mpls action type (Davide Caratti) [2044560]
- sch_cake: do not call cake_destroy() from cake_init() (Davide Caratti) [2044560]
- net/sched: fq_pie: prevent dismantle issue (Davide Caratti) [2044560]
- vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit (Antoine Tenart) [2044252]
- qla2xxx: Add new messaging (Ewan D. Milne) [2039070]
- nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (Ewan D. Milne) [2030051]
- nvme-fc: avoid race between time out and tear down (Ewan D. Milne) [2030051]
- nvme-fc: update hardware queues before using them (Ewan D. Milne) [2030051]
- lpfc: Add new messaging (Ewan D. Milne) [2039068]
- tee: handle lookup of shm with reference count 0 (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- dma-buf: move dma-buf symbols into the DMA_BUF module namespace (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- tee: add sec_world_id to struct tee_shm (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/i915/selftests: Do not use import_obj uninitialized (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gem: Provide drm_gem_fb_{vmap,vunmap}() (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm: Define DRM_FORMAT_MAX_PLANES (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/i915/gem: Correct the locking and pin pattern for dma-buf (v8) (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gm12u320: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gud: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/udl: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gem: Provide drm_gem_fb_{begin,end}_cpu_access() helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- dmaengine: idxd: Add wq occupancy information to sysfs attribute Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971888 Upstream Status: kernel/git/torvalds/linux.git (Julia Denham)
- arch/x86: KABI structs and array padding (Prarit Bhargava) [2033081]
- hpsa: add new messaging (Tomas Henzl) [2028575]
- aacraid: add new messaging (Tomas Henzl) [2028574]
- mptsas: add new messaging (Tomas Henzl) [2027741]
- megaraid_sas: add new messaging (Tomas Henzl) [2027741]
- mpt3sas: Add new messaging (Tomas Henzl) [2027741]
- scsi: mpi3mr: Use scnprintf() instead of snprintf() (Tomas Henzl) [1876005]
- scsi: mpi3mr: Clean up mpi3mr_print_ioc_info() (Tomas Henzl) [1876005]
- scsi: mpi3mr: Set up IRQs in resume path (Tomas Henzl) [1876005]
- scsi: mpi3mr: Use the proper SCSI midlayer interfaces for PI (Tomas Henzl) [1876005]
Resolves: rhbz#1876005, rhbz#2026948, rhbz#2027741, rhbz#2028574, rhbz#2028575, rhbz#2030051, rhbz#2030754, rhbz#2033081, rhbz#2037084, rhbz#2039068, rhbz#2039070, rhbz#2043224, rhbz#2044252, rhbz#2044392, rhbz#2044560, rhbz#2045327

Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
This commit is contained in:
Herton R. Krzesinski 2022-02-08 16:51:46 +00:00
parent f1c7d61c2c
commit 48a069db18
5 changed files with 85 additions and 58 deletions

View File

@ -12,7 +12,7 @@ RHEL_MINOR = 0
# #
# Use this spot to avoid future merge conflicts. # Use this spot to avoid future merge conflicts.
# Do not trim this comment. # Do not trim this comment.
RHEL_RELEASE = 56 RHEL_RELEASE = 57
# #
# Early y+1 numbering # Early y+1 numbering

View File

@ -71,12 +71,6 @@
Summary: The Linux kernel Summary: The Linux kernel
# Set released_kernel to 1 when the upstream source tarball contains a
# kernel release. (This includes prepatch or "rc" releases.)
# Set released_kernel to 0 when the upstream source tarball contains an
# unreleased kernel development snapshot.
%global released_kernel 0
# Set debugbuildsenabled to 1 to build separate base and debug kernels # Set debugbuildsenabled to 1 to build separate base and debug kernels
# (on supported architectures). The kernel-debug-* subpackages will # (on supported architectures). The kernel-debug-* subpackages will
# contain the debug kernel. # contain the debug kernel.
@ -85,7 +79,7 @@ Summary: The Linux kernel
# the --with-release option overrides this setting.) # the --with-release option overrides this setting.)
%define debugbuildsenabled 1 %define debugbuildsenabled 1
%global distro_build 56 %global distro_build 57
%if 0%{?fedora} %if 0%{?fedora}
%define secure_boot_arch x86_64 %define secure_boot_arch x86_64
@ -129,13 +123,13 @@ Summary: The Linux kernel
%define kversion 5.14 %define kversion 5.14
%define rpmversion 5.14.0 %define rpmversion 5.14.0
%define pkgrelease 56.el9 %define pkgrelease 57.el9
# This is needed to do merge window version magic # This is needed to do merge window version magic
%define patchlevel 14 %define patchlevel 14
# allow pkg_release to have configurable %%{?dist} tag # allow pkg_release to have configurable %%{?dist} tag
%define specrelease 56%{?buildid}%{?dist} %define specrelease 57%{?buildid}%{?dist}
%define pkg_release %{specrelease} %define pkg_release %{specrelease}
@ -644,6 +638,7 @@ BuildRequires: kabi-dw
%if %{signkernel}%{signmodules} %if %{signkernel}%{signmodules}
BuildRequires: openssl BuildRequires: openssl
%if %{signkernel} %if %{signkernel}
BuildRequires: system-sb-certs
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
BuildRequires: nss-tools BuildRequires: nss-tools
BuildRequires: pesign >= 0.10-4 BuildRequires: pesign >= 0.10-4
@ -680,10 +675,11 @@ BuildRequires: lld
# exact git commit you can run # exact git commit you can run
# #
# xzcat -qq ${TARBALL} | git get-tar-commit-id # xzcat -qq ${TARBALL} | git get-tar-commit-id
Source0: linux-5.14.0-56.el9.tar.xz Source0: linux-5.14.0-57.el9.tar.xz
Source1: Makefile.rhelver Source1: Makefile.rhelver
%if %{signkernel}
# Name of the packaged file containing signing key # Name of the packaged file containing signing key
%ifarch ppc64le %ifarch ppc64le
@ -693,42 +689,24 @@ Source1: Makefile.rhelver
%define signing_key_filename kernel-signing-s390.cer %define signing_key_filename kernel-signing-s390.cer
%endif %endif
%if %{?released_kernel} %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
Source10: redhatsecurebootca5.cer
Source11: redhatsecurebootca3.cer
Source12: redhatsecurebootca6.cer
Source13: redhatsecureboot501.cer
Source14: redhatsecureboot302.cer
Source15: redhatsecureboot601.cer
%if 0%{?centos}
%define pesign_name_0 centossecureboot201
%else
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot501 %define pesign_name_0 redhatsecureboot501
%endif %endif
%ifarch s390x %ifarch s390x
%define secureboot_ca_0 %{SOURCE11}
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot302 %define pesign_name_0 redhatsecureboot302
%endif %endif
%ifarch ppc64le %ifarch ppc64le
%define secureboot_ca_0 %{SOURCE12}
%define secureboot_key_0 %{SOURCE15}
%define pesign_name_0 redhatsecureboot601 %define pesign_name_0 redhatsecureboot601
%endif %endif
%endif
# released_kernel # signkernel
%else
Source10: redhatsecurebootca4.cer
Source11: redhatsecureboot401.cer
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE11}
%define pesign_name_0 redhatsecureboot401
# released_kernel
%endif %endif
Source20: mod-denylist.sh Source20: mod-denylist.sh
@ -1364,8 +1342,8 @@ ApplyOptionalPatch()
fi fi
} }
%setup -q -n kernel-5.14.0-56.el9 -c %setup -q -n kernel-5.14.0-57.el9 -c
mv linux-5.14.0-56.el9 linux-%{KVERREL} mv linux-5.14.0-57.el9 linux-%{KVERREL}
cd linux-%{KVERREL} cd linux-%{KVERREL}
cp -a %{SOURCE1} . cp -a %{SOURCE1} .
@ -1452,10 +1430,12 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
%if %{signkernel}
%ifarch s390x ppc64le %ifarch s390x ppc64le
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
cat secureboot.pem >> ../certs/rhel.pem cat secureboot.pem >> ../certs/rhel.pem
%endif %endif
%endif
for i in *.config; do for i in *.config; do
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
done done
@ -1641,7 +1621,7 @@ BuildKernel() {
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then if [ -x /usr/bin/rpm-sign ]; then
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then
chmod +x scripts/sign-file chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
else else
@ -2070,14 +2050,6 @@ BuildKernel() {
rm -f $RPM_BUILD_ROOT/mod-extra.list rm -f $RPM_BUILD_ROOT/mod-extra.list
rm -f $RPM_BUILD_ROOT/mod-internal.list rm -f $RPM_BUILD_ROOT/mod-internal.list
%if %{signmodules}
if [ $DoModules -eq 1 ]; then
# Save the signing keys so we can sign the modules in __modsign_install_post
cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
fi
%endif
# Move the devel headers out of the root file system # Move the devel headers out of the root file system
mkdir -p $RPM_BUILD_ROOT/usr/src/kernels mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir
@ -2098,18 +2070,29 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%if %{signkernel}
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then
if [ -x /usr/bin/rpm-sign ]; then install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
fi
fi fi
%endif %endif
%endif
%if %{signmodules}
if [ $DoModules -eq 1 ]; then
# Save the signing keys so we can sign the modules in __modsign_install_post
cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
%ifarch s390x ppc64le
if [ ! -x /usr/bin/rpm-sign ]; then
install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
fi
%endif
fi
%endif
%if %{with_ipaclones} %if %{with_ipaclones}
MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p')
@ -2959,6 +2942,50 @@ fi
# #
# #
%changelog %changelog
* Tue Feb 08 2022 Herton R. Krzesinski <herton@redhat.com> [5.14.0-57.el9]
- block: assign bi_bdev for cloned bios in blk_rq_prep_clone (Benjamin Marzinski) [2026948]
- dm sysfs: use default_groups in kobj_type (Benjamin Marzinski) [2043224]
- dm space map common: add bounds check to sm_ll_lookup_bitmap() (Benjamin Marzinski) [2043224]
- dm btree: add a defensive bounds check to insert_at() (Benjamin Marzinski) [2043224]
- dm btree remove: change a bunch of BUG_ON() calls to proper errors (Benjamin Marzinski) [2043224]
- dm btree spine: eliminate duplicate le32_to_cpu() in node_check() (Benjamin Marzinski) [2043224]
- dm btree spine: remove extra node_check function declaration (Benjamin Marzinski) [2043224]
- redhat: drop the RELEASED_KERNEL switch (Herton R. Krzesinski) [2037084 2045327]
- redhat: switch the kernel package to use certs from system-sb-certs (Herton R. Krzesinski) [2037084 2045327]
- mptcp: disable by default (Davide Caratti) [2044392]
- sch_api: Don't skip qdisc attach on ingress (Davide Caratti) [2044560]
- flow_offload: return EOPNOTSUPP for the unsupported mpls action type (Davide Caratti) [2044560]
- sch_cake: do not call cake_destroy() from cake_init() (Davide Caratti) [2044560]
- net/sched: fq_pie: prevent dismantle issue (Davide Caratti) [2044560]
- vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit (Antoine Tenart) [2044252]
- qla2xxx: Add new messaging (Ewan D. Milne) [2039070]
- nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (Ewan D. Milne) [2030051]
- nvme-fc: avoid race between time out and tear down (Ewan D. Milne) [2030051]
- nvme-fc: update hardware queues before using them (Ewan D. Milne) [2030051]
- lpfc: Add new messaging (Ewan D. Milne) [2039068]
- tee: handle lookup of shm with reference count 0 (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- dma-buf: move dma-buf symbols into the DMA_BUF module namespace (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- tee: add sec_world_id to struct tee_shm (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/i915/selftests: Do not use import_obj uninitialized (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gem: Provide drm_gem_fb_{vmap,vunmap}() (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm: Define DRM_FORMAT_MAX_PLANES (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/i915/gem: Correct the locking and pin pattern for dma-buf (v8) (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gm12u320: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gud: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/udl: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- drm/gem: Provide drm_gem_fb_{begin,end}_cpu_access() helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733}
- dmaengine: idxd: Add wq occupancy information to sysfs attribute Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971888 Upstream Status: kernel/git/torvalds/linux.git (Julia Denham)
- arch/x86: KABI structs and array padding (Prarit Bhargava) [2033081]
- hpsa: add new messaging (Tomas Henzl) [2028575]
- aacraid: add new messaging (Tomas Henzl) [2028574]
- mptsas: add new messaging (Tomas Henzl) [2027741]
- megaraid_sas: add new messaging (Tomas Henzl) [2027741]
- mpt3sas: Add new messaging (Tomas Henzl) [2027741]
- scsi: mpi3mr: Use scnprintf() instead of snprintf() (Tomas Henzl) [1876005]
- scsi: mpi3mr: Clean up mpi3mr_print_ioc_info() (Tomas Henzl) [1876005]
- scsi: mpi3mr: Set up IRQs in resume path (Tomas Henzl) [1876005]
- scsi: mpi3mr: Use the proper SCSI midlayer interfaces for PI (Tomas Henzl) [1876005]
* Mon Feb 07 2022 Herton R. Krzesinski <herton@redhat.com> [5.14.0-56.el9] * Mon Feb 07 2022 Herton R. Krzesinski <herton@redhat.com> [5.14.0-56.el9]
- KVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock (Marcelo Tosatti) [2034007] - KVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock (Marcelo Tosatti) [2034007]
- x86/hyperv: Properly deal with empty cpumasks in hyperv_flush_tlb_multi() (Vitaly Kuznetsov) [2035993] - x86/hyperv: Properly deal with empty cpumasks in hyperv_flush_tlb_multi() (Vitaly Kuznetsov) [2035993]

Binary file not shown.

Binary file not shown.

View File

@ -1,3 +1,3 @@
SHA512 (linux-5.14.0-56.el9.tar.xz) = ae1e23af0e5902780f20a41869450e21b25ff985636c968ea0c77f114b6289edbc76d5ae6f483930f057123fc320a5acd79be15dbb9dcde02708d3561a799cc7 SHA512 (linux-5.14.0-57.el9.tar.xz) = a6494ef24ea86a21958e8ae48873a6d97411e159ed46971c9abb66237c707aeaac9814825ba93c13b2c28e98ab8c033e000f9de100f696a7e1d7bd34b803d7ff
SHA512 (kernel-abi-stablelists-5.14.0-56.tar.bz2) = f3574bf301f4e90704f21c2329fa5b7acd956f5f647ea162a762597fb6af82a7250d57174fee749da3bfbd24ff8bdbdf8c0f177ff1475f567a3529072f67edc1 SHA512 (kernel-abi-stablelists-5.14.0-57.tar.bz2) = be430f0c21b10ce467f9c06ee6098be869c1f902bea4f7ee950fcdf676d648ed655a36fcbcd392c6ef340cf078962b3ef3d55f10cd6d9e23642efb21327a186b
SHA512 (kernel-kabi-dw-5.14.0-56.tar.bz2) = da079c029608ed0f60af06676c4b0cebb60454a785fedbda73db7e21e875c8a4199332d343dafec4942ced1fc9180a65bebfea01bef7c49ef29408a981cc226d SHA512 (kernel-kabi-dw-5.14.0-57.tar.bz2) = e15ad04f87b5c1ee7ef971b0e9c9d2835a8c6bbae4ede48eccb8a497b3de06485732ce84363a4b9a787c9dad33cd8e07c8eefd81ee835e74397c74c5748d0b77