import OL kernel-5.14.0-611.30.1.el9_7

2026-02-11 09:14:15 +00:00 · 2026-02-11 09:14:15 +00:00 · 0f767d46e1
commit 0f767d46e1
parent e6f0700f95
10 changed files with 344 additions and 47 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,6 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.27.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.27.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.27.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.30.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.30.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.30.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
 SOURCES/olima1.x509
 SOURCES/olimaca1.x509
--- a/.kernel.metadata
+++ b/.kernel.metadata
@ -1,6 +1,6 @@
-7f34ef5898e32466a6f434da56eeb0487136f6ac SOURCES/kernel-abi-stablelists-5.14.0-611.27.1.el9_7.tar.bz2
-e5b2834bd258fd71ccd96c1e23e590b5398301d7 SOURCES/kernel-kabi-dw-5.14.0-611.27.1.el9_7.tar.bz2
-d69b7cacfbbc95df583c8018d27f528ef840afe7 SOURCES/linux-5.14.0-611.27.1.el9_7.tar.xz
+40a33215f3219cf1805059712587a479900af57b SOURCES/kernel-abi-stablelists-5.14.0-611.30.1.el9_7.tar.bz2
+b798bb2cabb08f43d60107a82700e71373dd72f5 SOURCES/kernel-kabi-dw-5.14.0-611.30.1.el9_7.tar.bz2
+52afe54cbd876ae20218f10dfa859013446ad881 SOURCES/linux-5.14.0-611.30.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
--- a/SOURCES/1000-debrand-some-messages.patch
+++ b/SOURCES/1000-debrand-some-messages.patch
@ -0,0 +1,59 @@
+From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001
+From: Louis Abel <label@rockylinux.org>
+Date: Wed, 20 Sep 2023 14:16:05 -0700
+Subject: [PATCH] debrand some messages
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ kernel/rh_shadowman.c | 55 ++++++++++++++++++++++---------------------
+ 4 files changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c
+index 018d5c633..d05ea0790 100644
+--- a/kernel/rh_shadowman.c
+++ b/kernel/rh_shadowman.c
+@@ -1,39 +1 @@
+-#include <linux/kernel.h>
+-#include <linux/module.h>
+-#include <linux/printk.h>
+-
+-/* Display a shadowman logo on the console screen */
+-static int __init rh_shadowman(char *str)
+-{
+-	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n");
+-	pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n");
+-	pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRR.    .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRR~       .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n");
+-	pr_info("R,````      RRR8        .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RR                                       ORRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRR                           ,HHtaa     HRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRO.                                 .RRRRO. .    .RRRRRRR\n");
+-	pr_info("RRRRRR                                ,RRHh,       :RRRRRRRR\n");
+-	pr_info("RRRRRRRR                             HRR         :RRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRr                         ..        ,RRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRt .                           .HRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRr.                    =RRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info(" ");
+-	pr_info("                    Long Live Shadowman!");
+-	pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273");
+-	pr_info(" ");
+-	return 1;
+-}
+-
+-__setup("shadowman", rh_shadowman);
+// This file has been intentionally left blank
+-- 
+2.41.0
+
+
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.27.1
+RHEL_RELEASE = 611.30.1

 #
 # ZSTREAM
--- a/SOURCES/bug34729535-change-certified-hw-message.patch
+++ b/SOURCES/bug34729535-change-certified-hw-message.patch
@ -0,0 +1,19 @@
+Update message about certified hardware list.
+
+Orabug: 34729535
+
+Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c
+--- linux-5.14.0-160.el8.x86_64.orig/init/main.c	2022-08-25 13:57:06.000000000 -0700
+++ linux-5.14.0-160.el8.x86_64/init/main.c	2022-10-26 13:15:39.700724777 -0700
+@@ -894,7 +894,7 @@
+ 	boot_cpu_init();
+ 	page_address_init();
+ 	pr_notice("%s", linux_banner);
+-	pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n");
+	pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n");
+ 	setup_arch(&command_line);
+ 	/* Static keys and static calls are needed by LSMs */
+ 	jump_label_init();
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@ -1,3 +1,76 @@
+* Thu Jan 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.30.1.el9_7]
+- io_uring/net: commit partial buffers on retry (Jeff Moyer) [RHEL-137329] {CVE-2025-38730}
+- io_uring/kbuf: add io_kbuf_commit() helper (Jeff Moyer) [RHEL-137329]
+- io_uring/kbuf: use 'bl' directly rather than req->buf_list (Jeff Moyer) [RHEL-137329]
+- ice: prevent NULL deref in ice_lag_move_new_vf_nodes() (Michal Schmidt) [RHEL-143296]
+- net: openvswitch: Avoid needlessly taking the RTNL on vport destroy (Adrian Moreno) [RHEL-141404]
+- atm: clip: Fix infinite recursive call of clip_push(). (Guillaume Nault) [RHEL-137601] {CVE-2025-38459}
+- dpll: zl3073x: Remove unused dev wrappers (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache all output properties in zl3073x_out (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache all reference properties in zl3073x_ref (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache reference monitor status (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Split ref, out, and synth logic from core (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Store raw register values instead of parsed state (Ivan Vecera) [RHEL-139699]
+- dpll: fix device-id-get and pin-id-get to return errors properly (Ivan Vecera) [RHEL-139699]
+- dpll: spec: add missing module-name and clock-id to pin-get reply (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Allow to configure phase offset averaging factor (Ivan Vecera) [RHEL-139699]
+- dpll: add phase_offset_avg_factor_get/set callback ops (Ivan Vecera) [RHEL-139699]
+- dpll: add phase-offset-avg-factor device attribute to netlink spec (Ivan Vecera) [RHEL-139699]
+- dpll: fix clock quality level reporting (Ivan Vecera) [RHEL-139699]
+- dpll: add reference sync get/set (Ivan Vecera) [RHEL-139699]
+- dpll: add reference-sync netlink attribute (Ivan Vecera) [RHEL-139699]
+- dpll: remove documentation of rclk_dev_name (Ivan Vecera) [RHEL-139699]
+- net: use dst_dev_rcu() in sk_setup_caps() (Hangbin Liu) [RHEL-129084] {CVE-2025-40170}
+- ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (Hangbin Liu) [RHEL-129084]
+- net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward (Hangbin Liu) [RHEL-129084]
+- ipv6: use RCU in ip6_xmit() (Hangbin Liu) [RHEL-129018] {CVE-2025-40135}
+- ipv6: use RCU in ip6_output() (Hangbin Liu) [RHEL-128982] {CVE-2025-40158}
+- net: dst: introduce dst->dev_rcu (Hangbin Liu) [RHEL-128982]
+- ipv4: use RCU protection in __ip_rt_update_pmtu() (Hangbin Liu) [RHEL-128982]
+- net: Add locking to protect skb->dev access in ip_output (Hangbin Liu) [RHEL-128982]
+- net: dst: add four helpers to annotate data-races around dst->dev (Hangbin Liu) [RHEL-128982]
+- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (Hangbin Liu) [RHEL-128982]
+- vrf: Fix lockdep splat in output path (Hangbin Liu) [RHEL-128982]
+- ipv6: remove nexthop_fib6_nh_bh() (Hangbin Liu) [RHEL-128982]
+- net: remove rcu_dereference_bh_rtnl() (Hangbin Liu) [RHEL-128982]
+- neighbour: switch to standard rcu, instead of rcu_bh (Hangbin Liu) [RHEL-128982]
+- ipv6: flowlabel: do not disable BH where not needed (Hangbin Liu) [RHEL-128982]
+- ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh() (Hangbin Liu) [RHEL-128982]
+- neigh: introduce neigh_confirm() helper function (Hangbin Liu) [RHEL-128982]
+- net: bonding: update the slave array for broadcast mode (Hangbin Liu) [RHEL-132923]
+- net: bonding: add broadcast_neighbor netlink option (Hangbin Liu) [RHEL-132923]
+- net: bonding: add broadcast_neighbor option for 802.3ad (Hangbin Liu) [RHEL-132923]
+- vsock/vmci: Clear the vmci transport packet properly when initializing it (CKI Backport Bot) [RHEL-137697] {CVE-2025-38403}
+- ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (CKI Backport Bot) [RHEL-136909] {CVE-2025-40269}
+- nvme: tcp: Fix compilation warning with W=1 (John Meneghini) [RHEL-129928]
+- nvme-tcp: Fix I/O queue cpu spreading for multiple controllers (John Meneghini) [RHEL-129928]
+Resolves: RHEL-128982, RHEL-129018, RHEL-129084, RHEL-129928, RHEL-132923, RHEL-136909, RHEL-137329, RHEL-137601, RHEL-137697, RHEL-139699, RHEL-141404, RHEL-143296
+
+* Tue Jan 27 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.29.1.el9_7]
+- squashfs: fix memory leak in squashfs_fill_super (Abhi Das) [RHEL-138015] {CVE-2025-38415}
+- Squashfs: check return result of sb_min_blocksize (CKI Backport Bot) [RHEL-138015] {CVE-2025-38415}
+- usb: core: config: Prevent OOB read in SS endpoint companion parsing (CKI Backport Bot) [RHEL-137364] {CVE-2025-39760}
+- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (CKI Backport Bot) [RHEL-137069] {CVE-2025-38024}
+Resolves: RHEL-137069, RHEL-137364, RHEL-138015
+
+* Thu Jan 22 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.28.1.el9_7]
+- s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP (Luiz Capitulino) [RHEL-133337]
+- s390: mm: add stub for hugetlb_optimize_vmemmap_key (Luiz Capitulino) [RHEL-133337]
+- fs/proc: fix uaf in proc_readdir_de() (CKI Backport Bot) [RHEL-137098] {CVE-2025-40271}
+- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once (CKI Backport Bot) [RHEL-136256] {CVE-2025-40318}
+- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (CKI Backport Bot) [RHEL-134352] {CVE-2025-38022}
+- cifs: Fix deadlock in cifs_writepages during reconnect (Paulo Alcantara) [RHEL-134234]
+- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (CKI Backport Bot) [RHEL-131974] {CVE-2025-37819}
+- net: openvswitch: fix nested key length validation in the set() action (CKI Backport Bot) [RHEL-131801] {CVE-2025-37789}
+- md: avoid repeated calls to del_gendisk (Nigel Croxon) [RHEL-126532]
+- md: delete mddev kobj before deleting gendisk kobj (Nigel Croxon) [RHEL-126532]
+- md: add legacy_async_del_gendisk mode (Nigel Croxon) [RHEL-126532]
+- md: Don't clear MD_CLOSING until mddev is freed (Nigel Croxon) [RHEL-126532]
+- md: fix create on open mddev lifetime regression (Nigel Croxon) [RHEL-126532]
+- md: call del_gendisk in control path (Nigel Croxon) [RHEL-126532]
+- Bluetooth: ISO: Fix possible UAF on iso_conn_free (CKI Backport Bot) [RHEL-128891] {CVE-2025-40141}
+Resolves: RHEL-126532, RHEL-128891, RHEL-131801, RHEL-131974, RHEL-133337, RHEL-134234, RHEL-134352, RHEL-136256, RHEL-137098
+
 * Tue Jan 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.27.1.el9_7]
 - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (CKI Backport Bot) [RHEL-136822] {CVE-2025-38568}
 - devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (CKI Backport Bot) [RHEL-134923] {CVE-2025-40251}
--- a/SOURCES/olkmod_signing_key.pem
+++ b/SOURCES/olkmod_signing_key.pem
@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
+bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
+U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
+YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
+jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
+4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
+WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
+73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
+umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
+37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
+Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
+R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
+3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
+TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
+y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
+kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
+-----END CERTIFICATE-----
--- a/SOURCES/olkmod_signing_key1.pem
+++ b/SOURCES/olkmod_signing_key1.pem
@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL
+BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx
+MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP
+cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET
+MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw
+MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5
+IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI
+DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ
+z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt
+c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7
+P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt
+wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi
+5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn
+tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF
+sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/
+WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8
+gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR
+52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA
+m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw
+ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K
+6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH
+PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W
+FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ
+IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C
+/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ
+QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y
+8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw
+szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6
+MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+
+68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF
+JuZ4rgQv9ghmhQ==
+-----END CERTIFICATE-----
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts

 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = Oracle America, Inc.,c=US
+CN = Oracle CA Server
+emailAddress = support@oracle.com

 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -104,7 +104,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif

 # Signing for secure boot authentication
@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.27.1
+%define pkgrelease 611.30.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.27.1.el9_7
+%define tarfile_release 5.14.0-611.30.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.27.1%{?buildid}%{?dist}
+%define specrelease 611.30.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.27.1.el9_7
+%define kabiversion 5.14.0-611.30.1.el9_7

 #
 # End of genspec.sh variables
@ -615,6 +615,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif

+Provides: oracle(kernel-sig-key) == 202502
+Conflicts: shim-x64 < 15.8-1.0.4

 #
 # List the packages used during the kernel build
@ -760,8 +762,6 @@ BuildRequires: tpm2-tools
 # For UKI sb cert
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
-%else
-BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif

@ -778,30 +778,10 @@ Source2: kernel.changelog

 %if %{signkernel}

-# Name of the packaged file containing signing key
-%ifarch ppc64le
-%define signing_key_filename kernel-signing-ppc.cer
-%endif
-%ifarch s390x
-%define signing_key_filename kernel-signing-s390.cer
-%endif
-
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer

-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot801
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define pesign_name_0 OracleLinuxSecureBootKey3

 # signkernel
 %endif
@ -887,14 +867,20 @@ Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
 Source105: nvidiagpuoot001.x509
+# Oracle Linux IMA CA certificate
+Source106: olimaca1.x509
+# Oracle Linux IMA signing certificate
+Source107: olima1.x509

 %if 0%{?centos}
 %define ima_signing_cert %{SOURCE104}
 %else
 %define ima_signing_cert %{SOURCE103}
+%define ima_signing_cert_ol %{SOURCE107}
 %endif

 %define ima_cert_name ima.cer
+%define ima_cert_name_ol ima_ol.cer

 Source150: dracut-virt.conf

@ -937,6 +923,10 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml

+# Oracle Linux RHCK Module Signing Key
+Source5001: olkmod_signing_key.pem
+Source5002: olkmod_signing_key1.pem
+
 ## Patches needed for building this package

 %if !%{nopatches}
@ -944,8 +934,12 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif

+# Oracle patches
+Patch1000: bug34729535-change-certified-hw-message.patch
+
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
+Patch1000000: 1000-debrand-some-messages.patch

 # END OF PATCH DEFINITIONS

@ -1097,10 +1091,10 @@ This package provides debug information for the libperf package.
 %package -n kernel-tools
 Summary: Assortment of tools for the Linux kernel
 %ifarch %{cpupowerarchs}
-Provides:  cpupowerutils = 1:009-0.6.p1
+Provides: cpupowerutils = 1:009-0.6.p1
 Obsoletes: cpupowerutils < 1:009-0.6.p1
-Provides:  cpufreq-utils = 1:009-0.6.p1
-Provides:  cpufrequtils = 1:009-0.6.p1
+Provides: cpufreq-utils = 1:009-0.6.p1
+Provides: cpufrequtils = 1:009-0.6.p1
 Obsoletes: cpufreq-utils < 1:009-0.6.p1
 Obsoletes: cpufrequtils < 1:009-0.6.p1
 Obsoletes: cpuspeed < 1:1.5-16
@ -1121,7 +1115,7 @@ from the kernel source.
 Summary: Assortment of tools for the Linux kernel
 Requires: kernel-tools = %{version}-%{release}
 %ifarch %{cpupowerarchs}
-Provides:  cpupowerutils-devel = 1:009-0.6.p1
+Provides: cpupowerutils-devel = 1:009-0.6.p1
 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1
 %endif
 Requires: kernel-tools-libs = %{version}-%{release}
@ -1648,6 +1642,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif

+ApplyPatch bug34729535-change-certified-hw-message.patch
 ApplyOptionalPatch linux-kernel-test.patch

 # END OF PATCH APPLICATIONS
@ -1727,6 +1722,13 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem
 openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
+openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
+cat olimaca1.pem >> ../certs/rhel.pem
+# Add olkmod_signing_key.pem to the kernel trusted certificates list
+cat %{SOURCE5001} >> ../certs/rhel.pem
+# Add olkmod_signing_key1.pem to the kernel trusted certificates list
+cat %{SOURCE5002} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@ -2386,8 +2388,11 @@ BuildKernel() {
 %endif
        SBAT=$(cat <<- EOF
 	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
+	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
 	EOF
 	)

@ -2419,15 +2424,13 @@ BuildKernel() {
        python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"

 %if %{signkernel}
-
+%if ! %{?oraclelinux}
 %if 0%{?centos}
 	UKI_secureboot_name=centossecureboot204
-	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 %else
-	# RHEL only builds UKI for x86
 	UKI_secureboot_name=redhatsecureboot504
-	UKI_secureboot_cert=%{SOURCE153}
 %endif
+	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer

        %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
        if [ ! -s $KernelUnifiedImage.signed ]; then
@ -2446,6 +2449,7 @@ BuildKernel() {
      cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer

 # signkernel
+%endif
 %endif

      # hmac sign the UKI for FIPS
@ -2526,7 +2530,7 @@ BuildKernel() {
    # prune junk from kernel-devel
    find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete

-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -2540,6 +2544,8 @@ BuildKernel() {
 %if 0%{?rhel}
    # Red Hat IMA code-signing cert, which is used to authenticate package files
    install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+    # Oracle Linux IMA signing cert
+    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif

 %if %{signmodules}
@ -3694,6 +3700,87 @@ fi
 #
 #
 %changelog
+* Sun Feb 08 2026 EL Errata <el-errata_ww@oracle.com> [5.14.0-611.30.1.el9_7.OL9]
+- Disable UKI signing [Orabug: 36571828]
+- Update Oracle Linux certificates (Kevin Lyons)
+- Disable signing for aarch64 (Ilya Okomin)
+- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
+- Update x509.genkey [Orabug: 24817676]
+- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
+- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
+- Add Oracle Linux IMA certificates
+- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
+
+* Thu Jan 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.30.1.el9_7]
+- io_uring/net: commit partial buffers on retry (Jeff Moyer) [RHEL-137329] {CVE-2025-38730}
+- io_uring/kbuf: add io_kbuf_commit() helper (Jeff Moyer) [RHEL-137329]
+- io_uring/kbuf: use 'bl' directly rather than req->buf_list (Jeff Moyer) [RHEL-137329]
+- ice: prevent NULL deref in ice_lag_move_new_vf_nodes() (Michal Schmidt) [RHEL-143296]
+- net: openvswitch: Avoid needlessly taking the RTNL on vport destroy (Adrian Moreno) [RHEL-141404]
+- atm: clip: Fix infinite recursive call of clip_push(). (Guillaume Nault) [RHEL-137601] {CVE-2025-38459}
+- dpll: zl3073x: Remove unused dev wrappers (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache all output properties in zl3073x_out (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache all reference properties in zl3073x_ref (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Cache reference monitor status (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Split ref, out, and synth logic from core (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Store raw register values instead of parsed state (Ivan Vecera) [RHEL-139699]
+- dpll: fix device-id-get and pin-id-get to return errors properly (Ivan Vecera) [RHEL-139699]
+- dpll: spec: add missing module-name and clock-id to pin-get reply (Ivan Vecera) [RHEL-139699]
+- dpll: zl3073x: Allow to configure phase offset averaging factor (Ivan Vecera) [RHEL-139699]
+- dpll: add phase_offset_avg_factor_get/set callback ops (Ivan Vecera) [RHEL-139699]
+- dpll: add phase-offset-avg-factor device attribute to netlink spec (Ivan Vecera) [RHEL-139699]
+- dpll: fix clock quality level reporting (Ivan Vecera) [RHEL-139699]
+- dpll: add reference sync get/set (Ivan Vecera) [RHEL-139699]
+- dpll: add reference-sync netlink attribute (Ivan Vecera) [RHEL-139699]
+- dpll: remove documentation of rclk_dev_name (Ivan Vecera) [RHEL-139699]
+- net: use dst_dev_rcu() in sk_setup_caps() (Hangbin Liu) [RHEL-129084] {CVE-2025-40170}
+- ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (Hangbin Liu) [RHEL-129084]
+- net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward (Hangbin Liu) [RHEL-129084]
+- ipv6: use RCU in ip6_xmit() (Hangbin Liu) [RHEL-129018] {CVE-2025-40135}
+- ipv6: use RCU in ip6_output() (Hangbin Liu) [RHEL-128982] {CVE-2025-40158}
+- net: dst: introduce dst->dev_rcu (Hangbin Liu) [RHEL-128982]
+- ipv4: use RCU protection in __ip_rt_update_pmtu() (Hangbin Liu) [RHEL-128982]
+- net: Add locking to protect skb->dev access in ip_output (Hangbin Liu) [RHEL-128982]
+- net: dst: add four helpers to annotate data-races around dst->dev (Hangbin Liu) [RHEL-128982]
+- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (Hangbin Liu) [RHEL-128982]
+- vrf: Fix lockdep splat in output path (Hangbin Liu) [RHEL-128982]
+- ipv6: remove nexthop_fib6_nh_bh() (Hangbin Liu) [RHEL-128982]
+- net: remove rcu_dereference_bh_rtnl() (Hangbin Liu) [RHEL-128982]
+- neighbour: switch to standard rcu, instead of rcu_bh (Hangbin Liu) [RHEL-128982]
+- ipv6: flowlabel: do not disable BH where not needed (Hangbin Liu) [RHEL-128982]
+- ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh() (Hangbin Liu) [RHEL-128982]
+- neigh: introduce neigh_confirm() helper function (Hangbin Liu) [RHEL-128982]
+- net: bonding: update the slave array for broadcast mode (Hangbin Liu) [RHEL-132923]
+- net: bonding: add broadcast_neighbor netlink option (Hangbin Liu) [RHEL-132923]
+- net: bonding: add broadcast_neighbor option for 802.3ad (Hangbin Liu) [RHEL-132923]
+- vsock/vmci: Clear the vmci transport packet properly when initializing it (CKI Backport Bot) [RHEL-137697] {CVE-2025-38403}
+- ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (CKI Backport Bot) [RHEL-136909] {CVE-2025-40269}
+- nvme: tcp: Fix compilation warning with W=1 (John Meneghini) [RHEL-129928]
+- nvme-tcp: Fix I/O queue cpu spreading for multiple controllers (John Meneghini) [RHEL-129928]
+
+* Tue Jan 27 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.29.1.el9_7]
+- squashfs: fix memory leak in squashfs_fill_super (Abhi Das) [RHEL-138015] {CVE-2025-38415}
+- Squashfs: check return result of sb_min_blocksize (CKI Backport Bot) [RHEL-138015] {CVE-2025-38415}
+- usb: core: config: Prevent OOB read in SS endpoint companion parsing (CKI Backport Bot) [RHEL-137364] {CVE-2025-39760}
+- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (CKI Backport Bot) [RHEL-137069] {CVE-2025-38024}
+
+* Thu Jan 22 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.28.1.el9_7]
+- s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP (Luiz Capitulino) [RHEL-133337]
+- s390: mm: add stub for hugetlb_optimize_vmemmap_key (Luiz Capitulino) [RHEL-133337]
+- fs/proc: fix uaf in proc_readdir_de() (CKI Backport Bot) [RHEL-137098] {CVE-2025-40271}
+- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once (CKI Backport Bot) [RHEL-136256] {CVE-2025-40318}
+- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (CKI Backport Bot) [RHEL-134352] {CVE-2025-38022}
+- cifs: Fix deadlock in cifs_writepages during reconnect (Paulo Alcantara) [RHEL-134234]
+- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (CKI Backport Bot) [RHEL-131974] {CVE-2025-37819}
+- net: openvswitch: fix nested key length validation in the set() action (CKI Backport Bot) [RHEL-131801] {CVE-2025-37789}
+- md: avoid repeated calls to del_gendisk (Nigel Croxon) [RHEL-126532]
+- md: delete mddev kobj before deleting gendisk kobj (Nigel Croxon) [RHEL-126532]
+- md: add legacy_async_del_gendisk mode (Nigel Croxon) [RHEL-126532]
+- md: Don't clear MD_CLOSING until mddev is freed (Nigel Croxon) [RHEL-126532]
+- md: fix create on open mddev lifetime regression (Nigel Croxon) [RHEL-126532]
+- md: call del_gendisk in control path (Nigel Croxon) [RHEL-126532]
+- Bluetooth: ISO: Fix possible UAF on iso_conn_free (CKI Backport Bot) [RHEL-128891] {CVE-2025-40141}
+
 * Tue Jan 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.27.1.el9_7]
 - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (CKI Backport Bot) [RHEL-136822] {CVE-2025-38568}
 - devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (CKI Backport Bot) [RHEL-134923] {CVE-2025-40251}