import OL kernel-5.14.0-611.9.1.el9_7

2025-11-27 13:08:41 +00:00 · 2025-11-27 13:08:41 +00:00 · 1a80fe4a0a
commit 1a80fe4a0a
parent be05de760f
16 changed files with 472 additions and 90 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,9 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.5.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.5.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.5.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.9.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.9.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.9.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
+SOURCES/olima1.x509
+SOURCES/olimaca1.x509
 SOURCES/redhatsecureboot504.cer
 SOURCES/rheldup3.x509
 SOURCES/rhelima.x509
--- a/.kernel.metadata
+++ b/.kernel.metadata
@ -1,7 +1,9 @@
-812344e0e704956beb5171bc0700229f5b13d0cd SOURCES/kernel-abi-stablelists-5.14.0-611.5.1.el9_7.tar.bz2
-414760362a9fc5fc5408496356454f28f0067af9 SOURCES/kernel-kabi-dw-5.14.0-611.5.1.el9_7.tar.bz2
-44f7428ead0ce9c1034922321ef09d050bfcd61d SOURCES/linux-5.14.0-611.5.1.el9_7.tar.xz
+80932c91094c1eb960fe0ce6a80d82af35e4f5af SOURCES/kernel-abi-stablelists-5.14.0-611.9.1.el9_7.tar.bz2
+88b33b037ebd091b82f91d4d23b5198e1a40dc09 SOURCES/kernel-kabi-dw-5.14.0-611.9.1.el9_7.tar.bz2
+0ebeddf4ed7c8c9a942ce2922bae115f03d601b9 SOURCES/linux-5.14.0-611.9.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
+706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
+6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
 1d51d3a037ad287095b0a13c4deeb1252d8ff0cc SOURCES/redhatsecureboot504.cer
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
--- a/SOURCES/1000-debrand-some-messages.patch
+++ b/SOURCES/1000-debrand-some-messages.patch
@ -0,0 +1,59 @@
+From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001
+From: Louis Abel <label@rockylinux.org>
+Date: Wed, 20 Sep 2023 14:16:05 -0700
+Subject: [PATCH] debrand some messages
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ kernel/rh_shadowman.c | 55 ++++++++++++++++++++++---------------------
+ 4 files changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c
+index 018d5c633..d05ea0790 100644
+--- a/kernel/rh_shadowman.c
+++ b/kernel/rh_shadowman.c
+@@ -1,39 +1 @@
+-#include <linux/kernel.h>
+-#include <linux/module.h>
+-#include <linux/printk.h>
+-
+-/* Display a shadowman logo on the console screen */
+-static int __init rh_shadowman(char *str)
+-{
+-	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n");
+-	pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n");
+-	pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRR.    .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRR~       .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n");
+-	pr_info("R,````      RRR8        .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RR                                       ORRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRR                           ,HHtaa     HRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRO.                                 .RRRRO. .    .RRRRRRR\n");
+-	pr_info("RRRRRR                                ,RRHh,       :RRRRRRRR\n");
+-	pr_info("RRRRRRRR                             HRR         :RRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRr                         ..        ,RRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRt .                           .HRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRr.                    =RRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
+-	pr_info(" ");
+-	pr_info("                    Long Live Shadowman!");
+-	pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273");
+-	pr_info(" ");
+-	return 1;
+-}
+-
+-__setup("shadowman", rh_shadowman);
+// This file has been intentionally left blank
+-- 
+2.41.0
+
+
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.5.1
+RHEL_RELEASE = 611.9.1

 #
 # ZSTREAM
--- a/SOURCES/bug34729535-change-certified-hw-message.patch
+++ b/SOURCES/bug34729535-change-certified-hw-message.patch
@ -0,0 +1,19 @@
+Update message about certified hardware list.
+
+Orabug: 34729535
+
+Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c
+--- linux-5.14.0-160.el8.x86_64.orig/init/main.c	2022-08-25 13:57:06.000000000 -0700
+++ linux-5.14.0-160.el8.x86_64/init/main.c	2022-10-26 13:15:39.700724777 -0700
+@@ -894,7 +894,7 @@
+ 	boot_cpu_init();
+ 	page_address_init();
+ 	pr_notice("%s", linux_banner);
+-	pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n");
+	pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n");
+ 	setup_arch(&command_line);
+ 	/* Static keys and static calls are needed by LSMs */
+ 	jump_label_init();
--- a/SOURCES/kernel-x86_64-debug-rhel.config
+++ b/SOURCES/kernel-x86_64-debug-rhel.config
@ -2564,7 +2564,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@ -2892,6 +2892,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_PROVE_MMU=y
@ -3396,6 +3397,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_EN_DCB=y
--- a/SOURCES/kernel-x86_64-rhel.config
+++ b/SOURCES/kernel-x86_64-rhel.config
@ -2548,7 +2548,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@ -2872,6 +2872,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 # CONFIG_KVM_PROVE_MMU is not set
@ -3376,6 +3377,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_EN_DCB=y
--- a/SOURCES/kernel-x86_64-rt-debug-rhel.config
+++ b/SOURCES/kernel-x86_64-rt-debug-rhel.config
@ -2619,7 +2619,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@ -2950,6 +2950,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_PROVE_MMU=y
@ -3455,6 +3456,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_DEBUG=y
--- a/SOURCES/kernel-x86_64-rt-rhel.config
+++ b/SOURCES/kernel-x86_64-rt-rhel.config
@ -2603,7 +2603,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@ -2930,6 +2930,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 # CONFIG_KVM_PROVE_MMU is not set
@ -3435,6 +3436,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_DEBUG=y
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@ -1,3 +1,111 @@
+* Sat Nov 15 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.9.1.el9_7]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-124651]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-124651]
+- mm: slub: avoid wake up kswapd in set_track_prepare (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- slub: Reflow ___slab_alloc() (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123686]
+Resolves: RHEL-123686, RHEL-124651, RHEL-125521
+
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.8.1.el9_7]
+- NFSD: Fix callback decoder status codes (Jay Shin) [RHEL-127193]
+- NFSD: Fix CB_GETATTR status fix (Jay Shin) [RHEL-127193]
+- NFSD: fix decoding in nfs4_xdr_dec_cb_getattr (Jay Shin) [RHEL-127193]
+- kernfs: Fix UAF in polling when open file is released (Pavel Reichl) [RHEL-122087] {CVE-2025-39881}
+- gitlab-ci: disable automotive pipelines (Scott Weaver)
+- NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (Benjamin Coddington) [RHEL-122154]
+- sched: Add wait/wake interface for variable updated under a lock. (Benjamin Coddington) [RHEL-122154]
+- sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (Benjamin Coddington) [RHEL-122154]
+- sched: Document wait_var_event() family of functions and wake_up_var() (Benjamin Coddington) [RHEL-122154]
+- sched: Improve documentation for wake_up_bit/wait_on_bit family of functions (Benjamin Coddington) [RHEL-122154]
+- sched: change wake_up_bit() and related function to expect unsigned long * (Benjamin Coddington) [RHEL-122154]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} [rhel-9.7.z] (Xin Long) [RHEL-125513]
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-125317]
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123808]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123808] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123808] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123808] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123808] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123808] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123808] {CVE-2025-39973}
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124971] {CVE-2025-40047}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124129] {CVE-2025-39983}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123821] {CVE-2025-39982}
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (Jon Maloy) [RHEL-117136] {CVE-2025-38351}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-117438]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-117438]
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113855] {CVE-2025-39697}
+Resolves: RHEL-113855, RHEL-117136, RHEL-117438, RHEL-121704, RHEL-122087, RHEL-122154, RHEL-123808, RHEL-123821, RHEL-124129, RHEL-124971, RHEL-125317, RHEL-125513, RHEL-127193
+
+* Thu Oct 30 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.7.1.el9_7]
+- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková)
+- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
+- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}
+Resolves: RHEL-112874, RHEL-114298, RHEL-114434, RHEL-115730, RHEL-116383, RHEL-116540, RHEL-119236
+
+* Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.6.1.el9_7]
+- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
+- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
+- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
+- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
+- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
+- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
+- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
+- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
+- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]
+Resolves: RHEL-110810, RHEL-111069, RHEL-113837, RHEL-113917, RHEL-114272, RHEL-114437, RHEL-114451, RHEL-115070, RHEL-116187, RHEL-116662, RHEL-117235, RHEL-117580, RHEL-117880, RHEL-118257, RHEL-119074, RHEL-119130, RHEL-122068, RHEL-27146
+
 * Fri Oct 17 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.5.1.el9_7]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230]
 Resolves: RHEL-122230
--- a/SOURCES/olkmod_signing_key.pem
+++ b/SOURCES/olkmod_signing_key.pem
@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
+bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
+U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
+YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
+jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
+4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
+WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
+73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
+umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
+37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
+Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
+R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
+3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
+TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
+y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
+kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
+-----END CERTIFICATE-----
--- a/SOURCES/olkmod_signing_key1.pem
+++ b/SOURCES/olkmod_signing_key1.pem
@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL
+BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx
+MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP
+cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET
+MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw
+MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5
+IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI
+DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ
+z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt
+c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7
+P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt
+wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi
+5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn
+tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF
+sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/
+WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8
+gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR
+52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA
+m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw
+ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K
+6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH
+PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W
+FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ
+IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C
+/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ
+QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y
+8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw
+szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6
+MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+
+68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF
+JuZ4rgQv9ghmhQ==
+-----END CERTIFICATE-----
--- a/SOURCES/rpminspect.yaml
+++ b/SOURCES/rpminspect.yaml
@ -21,10 +21,21 @@ emptyrpm:
        - kernel-debug
        - kernel-debug-devel-matched
        - kernel-devel-matched
-        - kernel-lpae
        - kernel-zfcpdump
        - kernel-zfcpdump-devel-matched
        - kernel-zfcpdump-modules
+        - kernel-64k
+        - kernel-64k-debug
+        - kernel-64k-debug-devel-matched
+        - kernel-64k-devel-matched
+        - kernel-rt
+        - kernel-rt-debug
+        - kernel-rt-debug-devel-matched
+        - kernel-rt-devel-matched
+        - kernel-rt-64k
+        - kernel-rt-64k-debug
+        - kernel-rt-64k-debug-devel-matched
+        - kernel-rt-64k-devel-matched

 patches:
    ignore_list:
--- a/SOURCES/uki_addons.json
+++ b/SOURCES/uki_addons.json
@ -1,39 +1,10 @@
 {
-    "virt": {
-        "rhel": {
-            "aarch64": {
-                "crashkernel-default.addon": [
-                    "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
-                ]
-            }
-        },
-        "common": {
-            "fips-enable.addon": [
-                "fips=1\n"
-            ],
-            "fips-disable.addon": [
-                "fips=0\n"
-            ]
-        }
-    },
    "common": {
-        "systemd-volatile-overlay.addon": [
-            "systemd.volatile=overlay"
-        ],
-        "crashkernel-512M.addon": [
-            "crashkernel=512M\n"
-        ],
-        "crashkernel-192M.addon": [
-            "crashkernel=192M\n"
-        ],
-        "crashkernel-2G.addon": [
-            "crashkernel=2G\n"
-        ],
        "crashkernel-1536M.addon": [
            "crashkernel=1536M\n"
        ],
-        "debug.addon": [
-            "debug\n"
+        "crashkernel-192M.addon": [
+            "crashkernel=192M\n"
        ],
        "crashkernel-1G.addon": [
            "crashkernel=1G\n"
@ -41,8 +12,37 @@
        "crashkernel-256M.addon": [
            "crashkernel=256M\n"
        ],
+        "crashkernel-2G.addon": [
+            "crashkernel=2G\n"
+        ],
+        "crashkernel-512M.addon": [
+            "crashkernel=512M\n"
+        ],
        "crashkernel-default.addon": [
            "crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M\n"
+        ],
+        "debug.addon": [
+            "debug\n"
+        ],
+        "systemd-volatile-overlay.addon": [
+            "systemd.volatile=overlay"
        ]
+    },
+    "virt": {
+        "common": {
+            "fips-disable.addon": [
+                "fips=0\n"
+            ],
+            "fips-enable.addon": [
+                "fips=1\n"
+            ]
+        },
+        "rhel": {
+            "aarch64": {
+                "crashkernel-default.addon": [
+                    "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
+                ]
+            }
+        }
    }
 }
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts

 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = Oracle America, Inc.,c=US
+CN = Oracle CA Server
+emailAddress = support@oracle.com

 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -104,7 +104,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif

 # Signing for secure boot authentication
@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.5.1
+%define pkgrelease 611.9.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.5.1.el9_7
+%define tarfile_release 5.14.0-611.9.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.5.1%{?buildid}%{?dist}
+%define specrelease 611.9.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.5.1.el9_7
+%define kabiversion 5.14.0-611.9.1.el9_7

 #
 # End of genspec.sh variables
@ -615,6 +615,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif

+Provides: oracle(kernel-sig-key) == 202502
+Conflicts: shim-x64 < 15.8-1.0.4

 #
 # List the packages used during the kernel build
@ -760,8 +762,6 @@ BuildRequires: tpm2-tools
 # For UKI sb cert
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
-%else
-BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif

@ -778,30 +778,10 @@ Source2: kernel.changelog

 %if %{signkernel}

-# Name of the packaged file containing signing key
-%ifarch ppc64le
-%define signing_key_filename kernel-signing-ppc.cer
-%endif
-%ifarch s390x
-%define signing_key_filename kernel-signing-s390.cer
-%endif
-
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer

-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot801
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define pesign_name_0 OracleLinuxSecureBootKey3

 # signkernel
 %endif
@ -887,14 +867,20 @@ Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
 Source105: nvidiagpuoot001.x509
+# Oracle Linux IMA CA certificate
+Source106: olimaca1.x509
+# Oracle Linux IMA signing certificate
+Source107: olima1.x509

 %if 0%{?centos}
 %define ima_signing_cert %{SOURCE104}
 %else
 %define ima_signing_cert %{SOURCE103}
+%define ima_signing_cert_ol %{SOURCE107}
 %endif

 %define ima_cert_name ima.cer
+%define ima_cert_name_ol ima_ol.cer

 Source150: dracut-virt.conf

@ -937,6 +923,10 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml

+# Oracle Linux RHCK Module Signing Key
+Source5001: olkmod_signing_key.pem
+Source5002: olkmod_signing_key1.pem
+
 ## Patches needed for building this package

 %if !%{nopatches}
@ -944,8 +934,12 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif

+# Oracle patches
+Patch1000: bug34729535-change-certified-hw-message.patch
+
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
+Patch1000000: 1000-debrand-some-messages.patch

 # END OF PATCH DEFINITIONS

@ -1094,10 +1088,10 @@ This package provides debug information for the libperf package.
 %package -n kernel-tools
 Summary: Assortment of tools for the Linux kernel
 %ifarch %{cpupowerarchs}
-Provides:  cpupowerutils = 1:009-0.6.p1
+Provides: cpupowerutils = 1:009-0.6.p1
 Obsoletes: cpupowerutils < 1:009-0.6.p1
-Provides:  cpufreq-utils = 1:009-0.6.p1
-Provides:  cpufrequtils = 1:009-0.6.p1
+Provides: cpufreq-utils = 1:009-0.6.p1
+Provides: cpufrequtils = 1:009-0.6.p1
 Obsoletes: cpufreq-utils < 1:009-0.6.p1
 Obsoletes: cpufrequtils < 1:009-0.6.p1
 Obsoletes: cpuspeed < 1:1.5-16
@ -1118,7 +1112,7 @@ from the kernel source.
 Summary: Assortment of tools for the Linux kernel
 Requires: kernel-tools = %{version}-%{release}
 %ifarch %{cpupowerarchs}
-Provides:  cpupowerutils-devel = 1:009-0.6.p1
+Provides: cpupowerutils-devel = 1:009-0.6.p1
 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1
 %endif
 Requires: kernel-tools-libs = %{version}-%{release}
@ -1645,6 +1639,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif

+ApplyPatch bug34729535-change-certified-hw-message.patch
 ApplyOptionalPatch linux-kernel-test.patch

 # END OF PATCH APPLICATIONS
@ -1724,6 +1719,13 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem
 openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
+openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
+cat olimaca1.pem >> ../certs/rhel.pem
+# Add olkmod_signing_key.pem to the kernel trusted certificates list
+cat %{SOURCE5001} >> ../certs/rhel.pem
+# Add olkmod_signing_key1.pem to the kernel trusted certificates list
+cat %{SOURCE5002} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@ -2383,8 +2385,11 @@ BuildKernel() {
 %endif
        SBAT=$(cat <<- EOF
 	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
+	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
 	EOF
 	)

@ -2416,15 +2421,13 @@ BuildKernel() {
        python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"

 %if %{signkernel}
-
+%if ! %{?oraclelinux}
 %if 0%{?centos}
 	UKI_secureboot_name=centossecureboot204
-	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 %else
-	# RHEL only builds UKI for x86
 	UKI_secureboot_name=redhatsecureboot504
-	UKI_secureboot_cert=%{SOURCE153}
 %endif
+	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer

        %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
        if [ ! -s $KernelUnifiedImage.signed ]; then
@ -2434,7 +2437,7 @@ BuildKernel() {
        mv $KernelUnifiedImage.signed $KernelUnifiedImage

      for addon in "$KernelAddonsDirOut"/*; do
-        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
        rm -f $addon
        mv $addon.signed $addon
      done
@ -2443,6 +2446,7 @@ BuildKernel() {
      cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer

 # signkernel
+%endif
 %endif

      # hmac sign the UKI for FIPS
@ -2523,7 +2527,7 @@ BuildKernel() {
    # prune junk from kernel-devel
    find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete

-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -2537,6 +2541,8 @@ BuildKernel() {
 %if 0%{?rhel}
    # Red Hat IMA code-signing cert, which is used to authenticate package files
    install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+    # Oracle Linux IMA signing cert
+    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif

 %if %{signmodules}
@ -3691,12 +3697,120 @@ fi
 #
 #
 %changelog
-* Tue Nov 11 2025 Andrew Lukoshko <alukoshko@almalinux.org> [5.14.0-611.5.1.el9_7]
- Update RHEL_RELEASE, ZSTREAM, and DIST (Andrew Lukoshko)
- kernel-5.14.0-611.5.1.el9_7 (Augusto Caringi)
- Merge: kabi: add symbols to stablelist and enable check-kabi (Augusto Caringi) [RHEL-113010]
- Merge tag 'kernel-5.14.0-611.4.1.el9_7' into main (Patrick Talbert)
- Merge tag 'kernel-5.14.0-611.2.1.el9_7' from 9.7 (Augusto Caringi)
+* Mon Nov 24 2025 Darren Archibald <darren.archibald@oracle.com> [5.14.0-611.9.1.el9_7.OL9]
+- Disable UKI signing [Orabug: 36571828]
+- Update Oracle Linux certificates (Kevin Lyons)
+- Disable signing for aarch64 (Ilya Okomin)
+- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
+- Update x509.genkey [Orabug: 24817676]
+- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
+- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
+- Add Oracle Linux IMA certificates
+- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
+
+* Sat Nov 15 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.9.1.el9_7]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-124651]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-124651]
+- mm: slub: avoid wake up kswapd in set_track_prepare (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- slub: Reflow ___slab_alloc() (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123686]
+
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.8.1.el9_7]
+- NFSD: Fix callback decoder status codes (Jay Shin) [RHEL-127193]
+- NFSD: Fix CB_GETATTR status fix (Jay Shin) [RHEL-127193]
+- NFSD: fix decoding in nfs4_xdr_dec_cb_getattr (Jay Shin) [RHEL-127193]
+- kernfs: Fix UAF in polling when open file is released (Pavel Reichl) [RHEL-122087] {CVE-2025-39881}
+- gitlab-ci: disable automotive pipelines (Scott Weaver)
+- NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (Benjamin Coddington) [RHEL-122154]
+- sched: Add wait/wake interface for variable updated under a lock. (Benjamin Coddington) [RHEL-122154]
+- sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (Benjamin Coddington) [RHEL-122154]
+- sched: Document wait_var_event() family of functions and wake_up_var() (Benjamin Coddington) [RHEL-122154]
+- sched: Improve documentation for wake_up_bit/wait_on_bit family of functions (Benjamin Coddington) [RHEL-122154]
+- sched: change wake_up_bit() and related function to expect unsigned long * (Benjamin Coddington) [RHEL-122154]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} [rhel-9.7.z] (Xin Long) [RHEL-125513]
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-125317]
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123808]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123808] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123808] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123808] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123808] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123808] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123808] {CVE-2025-39973}
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124971] {CVE-2025-40047}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124129] {CVE-2025-39983}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123821] {CVE-2025-39982}
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (Jon Maloy) [RHEL-117136] {CVE-2025-38351}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-117438]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-117438]
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113855] {CVE-2025-39697}
+
+* Thu Oct 30 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.7.1.el9_7]
+- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková)
+- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
+- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}
+
+* Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.6.1.el9_7]
+- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
+- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
+- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
+- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
+- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
+- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
+- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
+- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
+- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]

 * Fri Oct 17 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.5.1.el9_7]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230]