kernel-rt-4.18.0-553.138.1.rt7.479.el8_10

* Wed Jun 24 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.138.1.rt7.479.el8_10]
- redhat: Temporary stop adding 'kernel' component to SBAT (Thomas Huth) [RHEL-182788]
- redhat: Switch to implicit enablement of CONFIG_EFI_SBAT_FILE (Thomas Huth) [RHEL-182788]
- redhat: Add SBAT information to Linux kernel (Thomas Huth) [RHEL-182788]
- x86/boot: Handle relative CONFIG_EFI_SBAT_FILE file paths (Thomas Huth) [RHEL-182788]
- x86/efi: Implement support for embedding SBAT data for x86 (Thomas Huth) [RHEL-182788]
- redhat: Add Kconfig switch for embedding SBAT section (Thomas Huth) [RHEL-182788]
- gfs2: Fix use-after-free in iomap inline data write path (Andrew Price) [RHEL-179596] {CVE-2026-45984}
- gfs2: Add metapath_dibh helper (Andrew Price) [RHEL-179596] {CVE-2026-45984}
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CKI Backport Bot) [RHEL-179963] {CVE-2026-46189}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (CKI Backport Bot) [RHEL-165556] {CVE-2026-23216}
Resolves: RHEL-165556, RHEL-179596, RHEL-179963, RHEL-182788

Signed-off-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

kernel-rt-aarch64-debug.config

@@ -3230,6 +3230,7 @@ CONFIG_EEPROM_MAX6875=m
 CONFIG_EFI=y
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_STUB=y
 CONFIG_EFI_VARS=y
 CONFIG_EFI_VARS_PSTORE=y

kernel-rt-aarch64.config

@@ -3259,6 +3259,7 @@ CONFIG_EEPROM_MAX6875=m
 CONFIG_EFI=y
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_STUB=y
 CONFIG_EFI_VARS=y
 CONFIG_EFI_VARS_PSTORE=y

kernel-rt-ppc64le-debug.config

@@ -2900,6 +2900,7 @@ CONFIG_EEPROM_AT24=m
 CONFIG_EEPROM_LEGACY=m
 CONFIG_EEPROM_MAX6875=m
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_ENCLOSURE_SERVICES=m
 CONFIG_ENCRYPTED_KEYS=y

kernel-rt-ppc64le.config

@@ -2926,6 +2926,7 @@ CONFIG_EEPROM_AT24=m
 CONFIG_EEPROM_LEGACY=m
 CONFIG_EEPROM_MAX6875=m
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_ENCLOSURE_SERVICES=m
 CONFIG_ENCRYPTED_KEYS=y

kernel-rt-s390x-debug.config

@@ -3006,6 +3006,7 @@ CONFIG_EDAC_GHES=y
 CONFIG_EDAC_LEGACY_SYSFS=y
 CONFIG_EDAC_PND2=m
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_ENCLOSURE_SERVICES=m
 CONFIG_ENCRYPTED_KEYS=m

kernel-rt-s390x-zfcpdump.config

@@ -3175,6 +3175,7 @@ CONFIG_EDAC_GHES=y
 CONFIG_EDAC_LEGACY_SYSFS=y
 CONFIG_EDAC_PND2=m
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_ELF_CORE=y
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_ENCLOSURE_SERVICES=y

kernel-rt-s390x.config

@@ -3034,6 +3034,7 @@ CONFIG_EDAC_GHES=y
 CONFIG_EDAC_LEGACY_SYSFS=y
 CONFIG_EDAC_PND2=m
 CONFIG_EFI_PARTITION=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_ENCLOSURE_SERVICES=m
 CONFIG_ENCRYPTED_KEYS=m

kernel-rt-x86_64-debug.config

@@ -3075,6 +3075,7 @@ CONFIG_EFI_MIXED=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_STUB=y
 CONFIG_EFI_VARS=y
 CONFIG_EFI_VARS_PSTORE=y

kernel-rt-x86_64.config

@@ -3102,6 +3102,7 @@ CONFIG_EFI_MIXED=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_STUB=y
 CONFIG_EFI_VARS=y
 CONFIG_EFI_VARS_PSTORE=y

kernel.sbat.template

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel.@SBAT_SUFFIX,1,Red Hat,kernel-core,@KVER,mailto:secalert@redhat.com

kernel.spec

@@ -21,6 +21,17 @@
 %global signkernel 0
 %endif
 
+# RHEL/CentOS/Fedora specific .SBAT entries
+%if 0%{?centos}
+%global sbat_suffix centos
+%else
+%if 0%{?fedora}
+%global sbat_suffix fedora
+%else
+%global sbat_suffix rhel
+%endif
+%endif
+
 # Sign modules on all arches
 %global signmodules 1
 
@@ -38,10 +49,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.137.1.rt7.478.el8_10
+%define pkgrelease 553.138.1.rt7.479.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.137.1.rt7.478%{?dist}
+%define specrelease 553.138.1.rt7.479%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -148,7 +159,7 @@
 # The preempt RT patch level
 %global rttag .rt7
 # realtimeN
-%global rtbuild .478
+%global rtbuild .479
 %define with_doc 0
 %define with_headers 0
 %define with_cross_headers 0
@@ -483,6 +494,7 @@ Source17: mod-blacklist.sh
 Source18: mod-sign.sh
 Source19: mod-extra.list
 Source80: parallel_xz.sh
+Source85: kernel.sbat.template
 Source90: filter-x86_64.sh
 Source93: filter-aarch64.sh
 Source96: filter-ppc64le.sh
@@ -1143,6 +1155,9 @@ pathfix.py -i %{__python3} -p -n \
 
 %define make make %{?cross_opts} HOSTCFLAGS="%{?build_hostcflags}" HOSTLDFLAGS="%{?build_hostldflags}"
 
+# SBAT data
+sed -e s,@KVER,%{KVERREL}, -e s,@SBAT_SUFFIX,%{sbat_suffix}, %{SOURCE85} > kernel.sbat
+
 # only deal with configs if we are going to build for the arch
 %ifnarch %nobuildarches
 
@@ -1185,6 +1200,7 @@ cat secureboot.pem >> ../certs/rhel.pem
 %endif
 for i in *.config; do
   sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
+  sed -i 's@CONFIG_EFI_SBAT_FILE=""@CONFIG_EFI_SBAT_FILE="kernel.sbat"@' $i
 done
 %endif
 %endif
@@ -2710,6 +2726,18 @@ fi
 #
 #
 %changelog
+* Wed Jun 24 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.138.1.rt7.479.el8_10]
+- redhat: Temporary stop adding 'kernel' component to SBAT (Thomas Huth) [RHEL-182788]
+- redhat: Switch to implicit enablement of CONFIG_EFI_SBAT_FILE (Thomas Huth) [RHEL-182788]
+- redhat: Add SBAT information to Linux kernel (Thomas Huth) [RHEL-182788]
+- x86/boot: Handle relative CONFIG_EFI_SBAT_FILE file paths (Thomas Huth) [RHEL-182788]
+- x86/efi: Implement support for embedding SBAT data for x86 (Thomas Huth) [RHEL-182788]
+- redhat: Add Kconfig switch for embedding SBAT section (Thomas Huth) [RHEL-182788]
+- gfs2: Fix use-after-free in iomap inline data write path (Andrew Price) [RHEL-179596] {CVE-2026-45984}
+- gfs2: Add metapath_dibh helper (Andrew Price) [RHEL-179596] {CVE-2026-45984}
+- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CKI Backport Bot) [RHEL-179963] {CVE-2026-46189}
+- scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (CKI Backport Bot) [RHEL-165556] {CVE-2026-23216}
+
 * Fri Jun 19 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.137.1.rt7.478.el8_10]
 - selinux: RHEL-only hotfix for execmem regression (Ondrej Mosnacek) [RHEL-179435] {CVE-2026-46054}
 - selinux: fix overlayfs mmap() and mprotect() access checks (Ondrej Mosnacek) [RHEL-179435] {CVE-2026-46054}

sources

@@ -1 +1 @@
-SHA512 (linux-4.18.0-553.137.1.rt7.478.el8_10.tar.xz) = 4ea5bb8810e6648f822cb98583c2c36ab3a943dea2fa19747f610a41aba1720cb64a2654f5a599c4301be3cf8fc3f89e9d7502dc0d43077d07fd3910f1f6ab39
+SHA512 (linux-4.18.0-553.138.1.rt7.479.el8_10.tar.xz) = cc985420bd7104bb61b9e5e425ce8597e7b6c2a149408b7fb54fe832f44a6eafa147e26ea810258a8c9c0e43a21469186e985970518c722f5a00717c2e9852bf