From 177b7eb267a94a151b944b64535ececc377b96d4 Mon Sep 17 00:00:00 2001
From: Julio Faracco
Date: Fri, 23 May 2025 01:02:28 -0300
Subject: [PATCH] kernel-6.12.0-89.el10

* Thu May 22 2025 CKI KWF Bot [6.12.0-89.el10]
- redhat: add downstream SBAT for UKI addons (Emanuele Giuseppe Esposito) [RHEL-92881]
- uki_addons: provide custom SBAT as input parameter (Emanuele Giuseppe Esposito) [RHEL-92881]
- uki_addons: remove completely sbat/sbat.conf (Emanuele Giuseppe Esposito) [RHEL-92881]
- redhat: create 'systemd-volatile-overlay' addon for UKI (Emanuele Giuseppe Esposito) [RHEL-92882]
- vfio/pci: Align huge faults to order (Alex Williamson) [RHEL-89852]
- cifs: Fix integer overflow while processing closetimeo mount option (CKI Backport Bot) [RHEL-87906] {CVE-2025-21962}
- scsi: iscsi: Fix missing scsi_host_put() in error path (Chris Leech) [RHEL-90551]
- scsi: qla4xxx: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
- scsi: qedi: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
- scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() (Chris Leech) [RHEL-90551]
- net: fix geneve_opt length integer overflow (CKI Backport Bot) [RHEL-87978] {CVE-2025-22055}
- tcp: drop secpath at the same time as we currently drop dst (Sabrina Dubroca) [RHEL-70101 RHEL-83227] {CVE-2025-21864}
Resolves: RHEL-70101, RHEL-83227, RHEL-87906, RHEL-87978, RHEL-89852, RHEL-90551, RHEL-92881, RHEL-92882

Signed-off-by: Julio Faracco
---
 Makefile.rhelver | 2 +-
 kernel.changelog | 15 +++++++++++++++
 kernel.spec | 30 +++++++++++++++++++++++++-----
 sources | 6 +++---
 uki_addons.json | 3 +++
 uki_create_addons.py | 41 +++++++++++++---------------------------
 6 files changed, 60 insertions(+), 37 deletions(-)

diff --git a/Makefile.rhelver b/Makefile.rhelver
index f6fc036f5..51857da4e 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 88
+RHEL_RELEASE = 89
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index 4a25e6aa3..d518b93a6 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,18 @@
+* Thu May 22 2025 CKI KWF Bot [6.12.0-89.el10]
+- redhat: add downstream SBAT for UKI addons (Emanuele Giuseppe Esposito) [RHEL-92881]
+- uki_addons: provide custom SBAT as input parameter (Emanuele Giuseppe Esposito) [RHEL-92881]
+- uki_addons: remove completely sbat/sbat.conf (Emanuele Giuseppe Esposito) [RHEL-92881]
+- redhat: create 'systemd-volatile-overlay' addon for UKI (Emanuele Giuseppe Esposito) [RHEL-92882]
+- vfio/pci: Align huge faults to order (Alex Williamson) [RHEL-89852]
+- cifs: Fix integer overflow while processing closetimeo mount option (CKI Backport Bot) [RHEL-87906] {CVE-2025-21962}
+- scsi: iscsi: Fix missing scsi_host_put() in error path (Chris Leech) [RHEL-90551]
+- scsi: qla4xxx: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
+- scsi: qedi: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
+- scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() (Chris Leech) [RHEL-90551]
+- net: fix geneve_opt length integer overflow (CKI Backport Bot) [RHEL-87978] {CVE-2025-22055}
+- tcp: drop secpath at the same time as we currently drop dst (Sabrina Dubroca) [RHEL-70101 RHEL-83227] {CVE-2025-21864}
+Resolves: RHEL-70101, RHEL-83227, RHEL-87906, RHEL-87978, RHEL-89852, RHEL-90551, RHEL-92881, RHEL-92882
+
 * Tue May 20 2025 CKI KWF Bot [6.12.0-88.el10]
 - s390/ism: add release function for struct device (Mete Durlu) [RHEL-73487] {CVE-2025-21856}
 - s390/qeth: move netif_napi_add_tx() and napi_enable() from under BH (Mete Durlu) [RHEL-73487]
diff --git a/kernel.spec b/kernel.spec
index c95e23a84..04eb9e71d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -162,15 +162,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 88
+%define pkgrelease 89
 %define kversion 6
-%define tarfile_release 6.12.0-88.el10
+%define tarfile_release 6.12.0-89.el10
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 88%{?buildid}%{?dist}
+%define specrelease 89%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-88.el10
+%define kabiversion 6.12.0-89.el10
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -2699,6 +2699,12 @@ BuildKernel() {
 EOF
 )
+ ADDONS_SBAT=$(cat <<- EOF
+ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+ kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com
+ EOF
+ )
+
 KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer"
 KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi"
@@ -2720,7 +2726,7 @@ BuildKernel() {
 KernelAddonsDirOut="$KernelUnifiedImage.extra.d"
 mkdir -p $KernelAddonsDirOut
- python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
+ python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"
 %if %{signkernel}
 %{log_msg "Sign the EFI UKI kernel"}
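Review bot: The ADDONS_SBAT heredoc hard-codes the SBAT generation `1` for the `kernel-uki-virt-addons.$SBATsuffix` entry with nothing saying when that field has to move, and since SBAT revocation keys on exactly that number, a maintainer who only ever sees `$KernelVer` change will not know it matters; a comment above the heredoc such as `# 2nd field is the SBAT generation: bump it when older signed addons must become revocable` would carry that. `<<- EOF` strips leading tabs only, so if the heredoc body is indented with spaces (the collapsed diff does not show which) every SBAT line reaches ukify with leading whitespace. `$SBATsuffix` and `$KernelVer` are set outside the hunk, presumably earlier in BuildKernel(), whose body starts and ends outside it.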
@@ -4244,6 +4250,20 @@ fi\
 # # %changelog
+* Thu May 22 2025 CKI KWF Bot [6.12.0-89.el10]
+- redhat: add downstream SBAT for UKI addons (Emanuele Giuseppe Esposito) [RHEL-92881]
+- uki_addons: provide custom SBAT as input parameter (Emanuele Giuseppe Esposito) [RHEL-92881]
+- uki_addons: remove completely sbat/sbat.conf (Emanuele Giuseppe Esposito) [RHEL-92881]
+- redhat: create 'systemd-volatile-overlay' addon for UKI (Emanuele Giuseppe Esposito) [RHEL-92882]
+- vfio/pci: Align huge faults to order (Alex Williamson) [RHEL-89852]
+- cifs: Fix integer overflow while processing closetimeo mount option (CKI Backport Bot) [RHEL-87906] {CVE-2025-21962}
+- scsi: iscsi: Fix missing scsi_host_put() in error path (Chris Leech) [RHEL-90551]
+- scsi: qla4xxx: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
+- scsi: qedi: Constify 'struct bin_attribute' (Chris Leech) [RHEL-90551]
+- scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() (Chris Leech) [RHEL-90551]
+- net: fix geneve_opt length integer overflow (CKI Backport Bot) [RHEL-87978] {CVE-2025-22055}
+- tcp: drop secpath at the same time as we currently drop dst (Sabrina Dubroca) [RHEL-70101 RHEL-83227] {CVE-2025-21864}
+
 * Tue May 20 2025 CKI KWF Bot [6.12.0-88.el10]
 - s390/ism: add release function for struct device (Mete Durlu) [RHEL-73487] {CVE-2025-21856}
 - s390/qeth: move netif_napi_add_tx() and napi_enable() from under BH (Mete Durlu) [RHEL-73487]
diff --git a/sources b/sources
index 3c84f94ea..a40db6f89 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
 SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
 SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
-SHA512 (linux-6.12.0-88.el10.tar.xz) = ea4bb16fdb065a0b517b4137ccc6b4e6ae7a8b83109886bde1afdfa61fc5260ddd1adbcb4329ec0ef50794a117e08b599e5573b6377f099b396bdc936eaeeed3
-SHA512 (kernel-abi-stablelists-6.12.0-88.el10.tar.xz) = f687a39c4246d19baee4a3c0d876725527b141f629c820b4012376695cab474aed688f50342218cc4dae5517aefc0cb6c7509a2bb97b2afbaf12481911ea7ba0
-SHA512 (kernel-kabi-dw-6.12.0-88.el10.tar.xz) = 60ebd251927400a2791c1844d03b746266ececf5424663b40ec83bd9b2495b3a5d3a56f00d41fc25757b9b6d5639406af26f1a104877c69785dbd17cc957484c
+SHA512 (linux-6.12.0-89.el10.tar.xz) = 37d8c7222aa74e89a5c993ce1337f49b4240b93dcd75f5c686c681d96a41f7e2353d5988586b0cac1a1d7731695988822b7f42ed6263cb62263d8b4235976f4c
+SHA512 (kernel-abi-stablelists-6.12.0-89.el10.tar.xz) = 66fec148b262530b9a5028493a73af965b8a640a834ca800beb8b9edd3fb10558467a4c9cec381d17abbf3d6619e525261467d68c75f686b942c6093a97378a5
+SHA512 (kernel-kabi-dw-6.12.0-89.el10.tar.xz) = 60ebd251927400a2791c1844d03b746266ececf5424663b40ec83bd9b2495b3a5d3a56f00d41fc25757b9b6d5639406af26f1a104877c69785dbd17cc957484c
diff --git a/uki_addons.json b/uki_addons.json
index accaf3901..4e579b167 100644
--- a/uki_addons.json
+++ b/uki_addons.json
@@ -23,6 +23,9 @@
 ],
 "debug.addon": [
 "debug"
+ ],
+ "systemd-volatile-overlay.addon": [
+ "systemd.volatile=overlay"
 ]
 },
 "virt": {
diff --git a/uki_create_addons.py b/uki_create_addons.py
index f94af88d5..e577023de 100755
--- a/uki_create_addons.py
+++ b/uki_create_addons.py
@@ -4,7 +4,7 @@
 # creates an addon for each key/value pair matching the given uki, distro and
 # arch provided in input.
 #
-# Usage: python uki_create_addons.py input_json out_dir uki distro arch
+# Usage: python uki_create_addons.py input_json out_dir uki distro arch [sbat]
 #
 # This tool requires the systemd-ukify and systemd-boot packages.
 #
@@ -26,14 +26,6 @@
 # json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
 # will have a test.addon.efi with text "test1", and virt will have a
 # test.addon.efi with "test2"
-#
-# sbat.conf
-#----------
-# This dict is containing the sbat string for *all* addons being created.
-# This dict is optional, but when used has to be put in a sub-dict with
-# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
-# It follows the same syntax as the addon files, meaning '#' is comment and
-# the rest is taken as sbat string and feed to ukify.
 import os
 import sys
@@ -45,7 +37,7 @@ import subprocess
 UKIFY_PATH = '/usr/lib/systemd/ukify'
 def usage(err):
- print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch')
+ print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch [sbat]')
 print(f'Error:{err}')
 sys.exit(1)
@@ -62,9 +54,8 @@ def check_clean_arguments(input_json, out_dir):
 UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
 uki_addons_list = []
 uki_addons = {}
-addon_sbat_string = None
-def parse_lines(lines, rstrip=True):
+def parse_lines(lines):
 cmdline = ''
 for l in lines:
 l = l.lstrip()
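Review bot: The new `[sbat]` argument in the Usage comment is not described anywhere now that the sbat.conf paragraph has been deleted, so a reader of the header cannot tell what the argument is or what format it takes. A line directly under the Usage line would close that gap, for example `# sbat: optional SBAT text (one entry per line) handed to 'ukify build --sbat' for every addon that is created`. The usage() message a few hunks down has the same placeholder, which is fine for a one-line error, but the header is where the format belongs.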
@@ -72,27 +63,17 @@ def parse_lines(lines, rstrip=True):
 continue
 if l[0] == '#':
 continue
- # rstrip is used only for addons cmdline, not sbat.conf, as it replaces
- # return lines with spaces.
- if rstrip:
- l = l.rstrip() + ' '
- cmdline += l
+ cmdline += l.rstrip() + ' '
 if cmdline == '':
 return ''
 return cmdline
 def parse_all_addons(in_obj):
- global addon_sbat_string
-
 for el in in_obj.keys():
 # addon found: copy it in our global dict uki_addons
 if el.endswith('.addon'):
 uki_addons[el] = in_obj[el]
- if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']:
- # sbat.conf found: override sbat with the most specific one found
- addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False)
-
 def recursively_find_addons(in_obj, folder_list):
 # end of recursion, leaf directory. Search all addons here
 if len(folder_list) == 0:
@@ -121,21 +102,21 @@ def parse_in_json(in_json, uki_name, distro, arch):
 if cmdline:
 uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
-def create_addons(out_dir):
+def create_addons(out_dir, sbat):
 for uki_addon in uki_addons_list:
 out_path = os.path.join(out_dir, uki_addon.name)
 cmd = [
 f'{UKIFY_PATH}', 'build',
 '--cmdline', uki_addon.cmdline,
 '--output', out_path]
- if addon_sbat_string:
- cmd.extend(['--sbat', addon_sbat_string.rstrip()])
+ if sbat:
+ cmd.extend(['--sbat', sbat.rstrip()])
 subprocess.check_call(cmd, text=True)
 if __name__ == "__main__":
 argc = len(sys.argv) - 1
- if argc != 5:
+ if argc < 5 or argc > 6:
 usage('too few or too many parameters!')
 input_json = sys.argv[1]
@@ -144,8 +125,12 @@ if __name__ == "__main__":
 distro = sys.argv[4]
 arch = sys.argv[5]
+ custom_sbat = None
+ if argc == 6:
+ custom_sbat = sys.argv[6]
+
 out_dir = check_clean_arguments(input_json, out_dir)
 parse_in_json(input_json, uki_name, distro, arch)
- create_addons(out_dir)
+ create_addons(out_dir, custom_sbat)
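Review bot: In parse_lines the `if cmdline == '': return ''` branch is now redundant, because the fall-through `return cmdline` returns that same empty string, so the three lines can collapse to a single `return cmdline`. The function also lost its only explanation when the rstrip comment was removed; now that it serves addon cmdlines alone, a docstring such as `"""Join the lines that are not skipped ('#' comments and whatever the first continue guards) into one space-separated cmdline string."""` would say what it does. The condition guarding the first `continue` sits just above the hunk, and the function's first lines are outside it.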
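Review bot: create_addons now hands the CLI `sbat` string to ukify after only `rstrip()`, whereas the removed sbat.conf path ran it through `parse_lines(..., rstrip=False)`, which left-stripped every line and dropped `#` comment lines; any leading indentation the caller's lines carry (a space-indented shell heredoc, for instance) now reaches `--sbat` untouched. If that per-line cleanup is still wanted, normalise once where the argument is used, e.g. `cmd.extend(['--sbat', '\n'.join(l.strip() for l in sbat.splitlines() if l.strip())])` in place of the `sbat.rstrip()` line. Whether ukify tolerates leading whitespace in an SBAT entry I cannot tell from here, so this is a point to check rather than a certain defect.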