import OL kernel-5.14.0-427.31.1.el9_4

2024-08-15 16:57:21 +00:00 · 2024-08-15 16:57:21 +00:00 · 2f7bd90ae5
commit 2f7bd90ae5
parent 97d1cd2de5
8 changed files with 234 additions and 44 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,9 @@
-SOURCES/kernel-abi-stablelists-5.14.0-427.28.1.el9_4.tar.bz2
+SOURCES/kernel-abi-stablelists-5.14.0-427.31.1.el9_4.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-427.28.1.el9_4.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-427.31.1.el9_4.tar.bz2
-SOURCES/linux-5.14.0-427.28.1.el9_4.tar.xz
+SOURCES/linux-5.14.0-427.31.1.el9_4.tar.xz
 SOURCES/nvidiagpuoot001.x509
 SOURCES/olima1.x509
 SOURCES/olimaca1.x509
 SOURCES/rheldup3.x509
 SOURCES/rhelima.x509
 SOURCES/rhelima_centos.x509
--- a/.kernel.metadata
+++ b/.kernel.metadata
@ -1,7 +1,9 @@
-54ba02b74b5371523724848a36e8237b47ec3e24 SOURCES/kernel-abi-stablelists-5.14.0-427.28.1.el9_4.tar.bz2
+e702fc158f91cbbc800ce5d7bb717902d3615788 SOURCES/kernel-abi-stablelists-5.14.0-427.31.1.el9_4.tar.bz2
-807a4b9e9b87d4493e814e6542152ec5b2485109 SOURCES/kernel-kabi-dw-5.14.0-427.28.1.el9_4.tar.bz2
+cff4c079f7c27f4b9a6d0df15efdd1240fd2ec2a SOURCES/kernel-kabi-dw-5.14.0-427.31.1.el9_4.tar.bz2
-c1a64b9b71d2ceb6c734da788000220d6c32ea13 SOURCES/linux-5.14.0-427.28.1.el9_4.tar.xz
+3056b9b862af226d016a75c5112a0a60461fc3db SOURCES/linux-5.14.0-427.31.1.el9_4.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
 61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/rhelima_centos.x509
--- a/SOURCES/1000-debrand-some-messages.patch
+++ b/SOURCES/1000-debrand-some-messages.patch
@ -0,0 +1,59 @@
 From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001
 From: Louis Abel <label@rockylinux.org>
 Date: Wed, 20 Sep 2023 14:16:05 -0700
 Subject: [PATCH] debrand some messages
 Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
 ---
 kernel/rh_shadowman.c | 55 ++++++++++++++++++++++---------------------
 4 files changed, 34 insertions(+), 33 deletions(-)
 diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c
 index 018d5c633..d05ea0790 100644
 --- a/kernel/rh_shadowman.c
 +++ b/kernel/rh_shadowman.c
@@ -1,39 +1 @@
 -#include <linux/kernel.h>
 -#include <linux/module.h>
 -#include <linux/printk.h>
 -
 -/* Display a shadowman logo on the console screen */
 -static int __init rh_shadowman(char *str)
 -{
 -	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n");
 -	pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n");
 -	pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRR.    .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRR~       .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n");
 -	pr_info("R,````      RRR8        .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RR                                       ORRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRR                           ,HHtaa     HRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRO.                                 .RRRRO. .    .RRRRRRR\n");
 -	pr_info("RRRRRR                                ,RRHh,       :RRRRRRRR\n");
 -	pr_info("RRRRRRRR                             HRR         :RRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRr                         ..        ,RRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRt .                           .HRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRRRRRr.                    =RRRRRRRRRRRRRRRRRRRR\n");
 -	pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
 -	pr_info(" ");
 -	pr_info("                    Long Live Shadowman!");
 -	pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273");
 -	pr_info(" ");
 -	return 1;
 -}
 -
 -__setup("shadowman", rh_shadowman);
 +// This file has been intentionally left blank
 -- 
 2.41.0
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 4
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 427.28.1
+RHEL_RELEASE = 427.31.1
 #
 # ZSTREAM
--- a/SOURCES/bug34729535-change-certified-hw-message.patch
+++ b/SOURCES/bug34729535-change-certified-hw-message.patch
@ -0,0 +1,19 @@
 Update message about certified hardware list.
 Orabug: 34729535
 Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
 Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
 ---
 diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c
 --- linux-5.14.0-160.el8.x86_64.orig/init/main.c	2022-08-25 13:57:06.000000000 -0700
 +++ linux-5.14.0-160.el8.x86_64/init/main.c	2022-10-26 13:15:39.700724777 -0700
@@ -936,7 +936,7 @@
 	boot_cpu_init();
 	page_address_init();
 	pr_notice("%s", linux_banner);
 -	pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n");
 +	pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n");
 	early_security_init();
 	setup_arch(&command_line);
 	setup_boot_config();
--- a/SOURCES/olkmod_signing_key.pem
+++ b/SOURCES/olkmod_signing_key.pem
@ -0,0 +1,24 @@
 -----BEGIN CERTIFICATE-----
 MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
 VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
 aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
 Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
 bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
 A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
 U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
 YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
 Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
 jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
 4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
 WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
 73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
 umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
 37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
 Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
 /zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
 R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
 3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
 TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
 y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
 kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
 -----END CERTIFICATE-----
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Red Hat
+O = Oracle America, Inc.,c=US
-CN = Red Hat Enterprise Linux kernel signing key
+CN = Oracle CA Server
-emailAddress = secalert@redhat.com
+emailAddress = support@oracle.com
 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -104,7 +104,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif
 # Signing for secure boot authentication
@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 427.28.1
+%define pkgrelease 427.31.1
 %define kversion 5
-%define tarfile_release 5.14.0-427.28.1.el9_4
+%define tarfile_release 5.14.0-427.31.1.el9_4
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 427.28.1%{?buildid}%{?dist}
+%define specrelease 427.31.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-427.28.1.el9_4
+%define kabiversion 5.14.0-427.31.1.el9_4
 #
 # End of genspec.sh variables
@ -645,6 +645,9 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif
 Provides: oracle(kernel-sig-key) == 202204
 Conflicts: shim-ia32 <= 15.3-1.0.5.el9
 Conflicts: shim-x64 <= 15.3-1.0.5.el9
 #
 # List the packages used during the kernel build
@ -791,8 +794,6 @@ BuildRequires: WALinuxAgent-cvm
 # For UKI sb cert
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
 %else
 BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif
@ -808,30 +809,10 @@ Source1: Makefile.rhelver
 %if %{signkernel}
 # Name of the packaged file containing signing key
 %ifarch ppc64le
 %define signing_key_filename kernel-signing-ppc.cer
 %endif
 %ifarch s390x
 %define signing_key_filename kernel-signing-s390.cer
 %endif
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
-%if 0%{?centos}
+%define pesign_name_0 OracleSecureBootkernelsigningkey2
 %define pesign_name_0 centossecureboot201
 %else
 %ifarch x86_64 aarch64
 %define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
 %define pesign_name_0 redhatsecureboot701
 %endif
 %endif
 # signkernel
 %endif
@ -916,14 +897,20 @@ Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
 Source105: nvidiagpuoot001.x509
 # Oracle Linux IMA CA certificate
 Source106: olimaca1.x509
 # Oracle Linux IMA signing certificate
 Source107: olima1.x509
 %if 0%{?centos}
 %define ima_signing_cert %{SOURCE104}
 %else
 %define ima_signing_cert %{SOURCE103}
 %define ima_signing_cert_ol %{SOURCE107}
 %endif
 %define ima_cert_name ima.cer
 %define ima_cert_name_ol ima_ol.cer
 Source150: dracut-virt.conf
@ -960,6 +947,9 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml
 # Oracle Linux RHCK Module Signing Key
 Source5001: olkmod_signing_key.pem
 ## Patches needed for building this package
 %if !%{nopatches}
@ -967,8 +957,12 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif
 # Oracle patches
 Patch1000: bug34729535-change-certified-hw-message.patch
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
 Patch1000000: 1000-debrand-some-messages.patch
 # END OF PATCH DEFINITIONS
@ -1696,6 +1690,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif
 ApplyPatch bug34729535-change-certified-hw-message.patch
 ApplyOptionalPatch linux-kernel-test.patch
 # END OF PATCH APPLICATIONS
@ -1775,6 +1770,11 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem
 openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
 # Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
 openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
 cat olimaca1.pem >> ../certs/rhel.pem
 # Add olkmod_signing_key.pem to the kernel trusted certificates list
 cat %{SOURCE5001} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@ -2442,8 +2442,11 @@ BuildKernel() {
 %endif
        SBAT=$(cat <<- EOF
 	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
 	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
 	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
 	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
 	EOF
 	)
@ -2465,7 +2468,7 @@ BuildKernel() {
    	   $KernelUnifiedImage
 %if %{signkernel}
-
+%if ! %{?oraclelinux}
 %if 0%{?centos}
 	UKI_secureboot_name=centossecureboot204
 %else
@ -2481,6 +2484,7 @@ BuildKernel() {
        mv $KernelUnifiedImage.signed $KernelUnifiedImage
 # signkernel
 %endif
 %endif
        pushd $RPM_BUILD_ROOT
@ -2558,7 +2562,7 @@ BuildKernel() {
    # prune junk from kernel-devel
    find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -2572,6 +2576,8 @@ BuildKernel() {
 %if 0%{?rhel}
    # Red Hat IMA code-signing cert, which is used to authenticate package files
    install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
    # Oracle Linux IMA signing cert
    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif
 %if %{signmodules}
@ -3732,6 +3738,84 @@ fi
 #
 #
 %changelog
 * Wed Aug 14 2024 Darren Archibald <darren.archibald@oracle.com> [5.14.0-427.31.1.el9_4.OL9]
 - Disable UKI signing [Orabug: 36571828]
 - Update Oracle Linux certificates (Kevin Lyons)
 - Disable signing for aarch64 (Ilya Okomin)
 - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
 - Update x509.genkey [Orabug: 24817676]
 - Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
 - Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
 - Add Oracle Linux IMA certificates
 * Fri Aug 09 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.31.1.el9_4]
 - net: fix __dst_negative_advice() race (CKI Backport Bot) [RHEL-46798] {CVE-2024-36971}
 - net: annotate data-races around sk->sk_dst_pending_confirm (CKI Backport Bot) [RHEL-46798] {CVE-2024-36971}
 * Mon Aug 05 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.30.1.el9_4]
 - dmaengine: idxd: add a write() method for applications to submit work (Jerry Snitselaar) [RHEL-35840] {CVE-2024-21823}
 - dmaengine: idxd: add a new security check to deal with a hardware erratum (Jerry Snitselaar) [RHEL-35840] {CVE-2024-21823}
 - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist (Jerry Snitselaar) [RHEL-35840] {CVE-2024-21823}
 - tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer (Mark Salter) [RHEL-49538 RHEL-39308]
 - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails (Jon Maloy) [RHEL-44467] {CVE-2024-37353}
 - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (Izabela Bakollari) [RHEL-36271 RHEL-26682] {CVE-2024-26600}
 - eeprom: at24: fix memory corruption race condition (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - eeprom: at24: Use dev_err_probe for nvmem register failure (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - eeprom: at24: Add support for 24c1025 EEPROM (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - eeprom: at24: remove struct at24_client (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - at24: Support probing while in non-zero ACPI D state (CKI Backport Bot) [RHEL-42970] {CVE-2024-35848}
 - tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (CKI Backport Bot) [RHEL-44439] {CVE-2024-37356}
 - cxl/region: Fix cxlr_pmem leaks (cki-backport-bot) [RHEL-44486] {CVE-2024-38391}
 - tls: fix missing memory barrier in tls_init (cki-backport-bot) [RHEL-44480] {CVE-2024-36489}
 - igc: avoid returning frame twice in XDP_REDIRECT (Corinna Vinschen) [RHEL-42714 RHEL-33266] {CVE-2024-26853}
 - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound (Hangbin Liu) [RHEL-44404 RHEL-44402] {CVE-2024-33621}
 - ipvlan: add ipvlan_route_v6_outbound() helper (Davide Caratti) [RHEL-44404 RHEL-32205]
 - ipvlan: properly track tx_errors (Davide Caratti) [RHEL-44404 RHEL-32205]
 - wifi: nl80211: don't free NULL coalescing rule (Jose Ignacio Tornos Martinez) [RHEL-41698 RHEL-39754] {CVE-2024-36941}
 - wifi: iwlwifi: dbg-tlv: ensure NUL termination (Jose Ignacio Tornos Martinez) [RHEL-41658 RHEL-37028] {CVE-2024-35845}
 - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work (Ivan Vecera) [RHEL-41556 RHEL-37018] {CVE-2024-35852}
 - net: openvswitch: fix overwriting ct original tuple for ICMPv6 (cki-backport-bot) [RHEL-44215] {CVE-2024-38558}
 - wifi: iwlwifi: read txq->read_ptr under lock (Jose Ignacio Tornos Martinez) [RHEL-41520 RHEL-39799] {CVE-2024-36922}
 - wifi: cfg80211: check A-MSDU format more carefully (Jose Ignacio Tornos Martinez) [RHEL-38754 RHEL-37345] {CVE-2024-35937}
 - ice: fix memory corruption bug with suspend and rebuild (Petr Oros) [RHEL-49858 RHEL-17486] {CVE-2024-35911}
 - ipv6: prevent possible NULL deref in fib6_nh_init() (Hangbin Liu) [RHEL-48182 RHEL-45826] {CVE-2024-40961}
 - netns: Make get_net_ns() handle zero refcount net (Paolo Abeni) [RHEL-48117 RHEL-46610] {CVE-2024-40958}
 - net: do not leave a dangling sk pointer, when socket creation fails (Paolo Abeni) [RHEL-48072 RHEL-46610] {CVE-2024-40954}
 - net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() (CKI Backport Bot) [RHEL-47902] {CVE-2024-40928}
 - net: netlink: af_netlink: Prevent empty skb by adding a check on len. (Ivan Vecera) [RHEL-43619 RHEL-30344] {CVE-2021-47606}
 - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (CKI Backport Bot) [RHEL-46921] {CVE-2024-39487}
 - nfs: fix panic when nfs4_ff_layout_prepare_ds() fails (Benjamin Coddington) [RHEL-42732 RHEL-34875] {CVE-2024-26868}
 - efi: fix panic in kdump kernel (Steve Best) [RHEL-42920 RHEL-36998] {CVE-2024-35800}
 - ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() (Hangbin Liu) [RHEL-41735 RHEL-31050] {CVE-2024-27417}
 - netfilter: nf_tables: do not compare internal table flags on updates (Florian Westphal) [RHEL-41682 RHEL-33985] {CVE-2024-27065}
 - ipv6: Fix potential uninit-value access in __ip6_make_skb() (Antoine Tenart) [RHEL-41466 RHEL-39786] {CVE-2024-36903}
 - netfilter: nf_tables: honor table dormant flag from netdev release event path (Florian Westphal) [RHEL-40056 RHEL-33985] {CVE-2024-36005}
 - cifs: fix underflow in parse_server_interfaces() (Paulo Alcantara) [RHEL-34636 RHEL-31245] {CVE-2024-26828}
 - drm/i915/audio: Fix audio time stamp programming for DP (CKI Backport Bot) [RHEL-45843]
 - platform/x86: wmi: Fix opening of char device (David Arcari) [RHEL-42548 RHEL-38260] {CVE-2023-52864}
 - platform/x86: wmi: remove unnecessary initializations (David Arcari) [RHEL-42548 RHEL-38260] {CVE-2023-52864}
 - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation (CKI Backport Bot) [RHEL-43170] {CVE-2024-36017}
 - netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (Florian Westphal) [RHEL-40062 RHEL-33985] {CVE-2024-26808}
 - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr (Jiri Benc) [RHEL-39017 RHEL-32372] {CVE-2024-35969}
 - netfilter: nf_tables: flush pending destroy work before exit_net release (Florian Westphal) [RHEL-38765 RHEL-33985] {CVE-2024-35899}
 - vt: fix unicode buffer corruption when deleting characters (Andrew Halaney) [RHEL-42947 RHEL-24205] {CVE-2024-35823}
 * Fri Jul 26 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.29.1.el9_4]
 - net: Avoid address overwrite in kernel_connect (Davide Caratti) [RHEL-45728 RHEL-30875]
 - net: replace calls to sock->ops->connect() with kernel_connect() (Davide Caratti) [RHEL-45728 RHEL-33410]
 - i40e: fix vf may be used uninitialized in this function warning (Kamal Heib) [RHEL-41638 RHEL-39704] {CVE-2024-36020}
 - cifs: translate network errors on send to -ECONNABORTED (Jay Shin) [RHEL-47047 RHEL-31245]
 - wifi: brcmfmac: pcie: handle randbuf allocation failure (Jose Ignacio Tornos Martinez) [RHEL-44132] {CVE-2024-38575}
 - wifi: iwlwifi: mvm: guard against invalid STA ID on removal (Jose Ignacio Tornos Martinez) [RHEL-43208 RHEL-39803] {CVE-2024-36921}
 - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (Jose Ignacio Tornos Martinez) [RHEL-42906 RHEL-36809] {CVE-2024-35789}
 - wifi: iwlwifi: mvm: don't set the MFP flag for the GTK (Jose Ignacio Tornos Martinez) [RHEL-42886 RHEL-36900] {CVE-2024-27434}
 - wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work (Jose Ignacio Tornos Martinez) [RHEL-42860 RHEL-35142] {CVE-2024-27052}
 - wifi: mt76: mt7925e: fix use-after-free in free_irq() (Jose Ignacio Tornos Martinez) [RHEL-42856 RHEL-35148] {CVE-2024-27049}
 - wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete (Jose Ignacio Tornos Martinez) [RHEL-42743 RHEL-34187] {CVE-2024-26897}
 - wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (Jose Ignacio Tornos Martinez) [RHEL-42383 RHEL-35199] {CVE-2023-52651}
 - net: core: reject skb_copy(_expand) for fraglist GSO skbs (Xin Long) [RHEL-41402 RHEL-39781] {CVE-2024-36929}
 * Fri Jul 19 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.28.1.el9_4]
 - mlxbf_gige: call request_irq() after NAPI initialized (Kamal Heib) [RHEL-43012 RHEL-37179] {CVE-2024-35907}
 - mlxbf_gige: stop PHY during open() error paths (Kamal Heib) [RHEL-43012 RHEL-37179] {CVE-2024-35907}