diff --git a/.gitignore b/.gitignore index eb688dc70..c9c62dabc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ -SOURCES/kernel-abi-stablelists-5.14.0-570.21.1.el9_6.tar.bz2 -SOURCES/kernel-kabi-dw-5.14.0-570.21.1.el9_6.tar.bz2 -SOURCES/linux-5.14.0-570.21.1.el9_6.tar.xz +SOURCES/kernel-abi-stablelists-5.14.0-570.22.1.el9_6.tar.bz2 +SOURCES/kernel-kabi-dw-5.14.0-570.22.1.el9_6.tar.bz2 +SOURCES/linux-5.14.0-570.22.1.el9_6.tar.xz SOURCES/nvidiagpuoot001.x509 SOURCES/olima1.x509 SOURCES/olimaca1.x509 diff --git a/.kernel.metadata b/.kernel.metadata index 016f23aae..f50cde4c3 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,6 +1,6 @@ -51dad9e6359227ee71542273caf0e4a49d5bd1dc SOURCES/kernel-abi-stablelists-5.14.0-570.21.1.el9_6.tar.bz2 -6909c898143ff5188494043be7f22f98542b8d79 SOURCES/kernel-kabi-dw-5.14.0-570.21.1.el9_6.tar.bz2 -85597a937c7d26aa36d3aa1150c0afe01037114a SOURCES/linux-5.14.0-570.21.1.el9_6.tar.xz +b395f44c5cbfad792c59ef640b2c768477250054 SOURCES/kernel-abi-stablelists-5.14.0-570.22.1.el9_6.tar.bz2 +34ff1cb825173d244edc511528f2051acce1b40a SOURCES/kernel-kabi-dw-5.14.0-570.22.1.el9_6.tar.bz2 +a6562532e0efca9b30d733b128a75e01ecc7c559 SOURCES/linux-5.14.0-570.22.1.el9_6.tar.xz 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509 diff --git a/SOURCES/1000-debrand-some-messages.patch b/SOURCES/1000-debrand-some-messages.patch new file mode 100644 index 000000000..d82ef0f3d --- /dev/null +++ b/SOURCES/1000-debrand-some-messages.patch @@ -0,0 +1,59 @@ +From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001 +From: Louis Abel +Date: Wed, 20 Sep 2023 14:16:05 -0700 +Subject: [PATCH] debrand some messages + +Modified-by: Alex Burmashev +--- + kernel/rh_shadowman.c | 55 ++++++++++++++++++++++--------------------- + 4 files changed, 34 insertions(+), 33 deletions(-) + +diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c +index 018d5c633..d05ea0790 100644 +--- a/kernel/rh_shadowman.c ++++ b/kernel/rh_shadowman.c +@@ -1,39 +1 @@ +-#include +-#include +-#include +- +-/* Display a shadowman logo on the console screen */ +-static int __init rh_shadowman(char *str) +-{ +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n"); +- pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n"); +- pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRR. .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRR~ .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n"); +- pr_info("R,```` RRR8 .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RR ORRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRR ,HHtaa HRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRO. .RRRRO. . .RRRRRRR\n"); +- pr_info("RRRRRR ,RRHh, :RRRRRRRR\n"); +- pr_info("RRRRRRRR HRR :RRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRr .. ,RRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRt . .HRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRr. =RRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info(" "); +- pr_info(" Long Live Shadowman!"); +- pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273"); +- pr_info(" "); +- return 1; +-} +- +-__setup("shadowman", rh_shadowman); ++// This file has been intentionally left blank +-- +2.41.0 + + diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver index 9880c7730..52ba9cd67 100644 --- a/SOURCES/Makefile.rhelver +++ b/SOURCES/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 6 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 570.21.1 +RHEL_RELEASE = 570.22.1 # # ZSTREAM diff --git a/SOURCES/bug34729535-change-certified-hw-message.patch b/SOURCES/bug34729535-change-certified-hw-message.patch new file mode 100644 index 000000000..879007081 --- /dev/null +++ b/SOURCES/bug34729535-change-certified-hw-message.patch @@ -0,0 +1,19 @@ +Update message about certified hardware list. + +Orabug: 34729535 + +Signed-off-by: Kevin Lyons +Reviewed-by: Laurence Rochfort +--- +diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c +--- linux-5.14.0-160.el8.x86_64.orig/init/main.c 2022-08-25 13:57:06.000000000 -0700 ++++ linux-5.14.0-160.el8.x86_64/init/main.c 2022-10-26 13:15:39.700724777 -0700 +@@ -894,7 +894,7 @@ + boot_cpu_init(); + page_address_init(); + pr_notice("%s", linux_banner); +- pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n"); ++ pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n"); + setup_arch(&command_line); + /* Static keys and static calls are needed by LSMs */ + jump_label_init(); diff --git a/SOURCES/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch b/SOURCES/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch new file mode 100644 index 000000000..79ea68fe1 --- /dev/null +++ b/SOURCES/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch @@ -0,0 +1,44 @@ +From b0de5456e201c475d6a860ceeb3ed8ee2923695a Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 2 Dec 2024 09:45:48 -0800 +Subject: [PATCH] nvme-pci: remove two deallocate zeroes quirks + +The quirk was initially used as a signal to set the discard_zeroes_data +queue limit because there were some use cases that relied on that +behavior. The queue limit no longer exists as every user of it has been +converted to use the write zeroes operation instead. + +The quirk now means to use a discard command as an alias to a write +zeroes request. Two of the devices previously using the quirk support +the write zeroes command directly, so these don't need or want to use +discard when the desired operation is to write zeroes. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch + +Orabug: 37756650 + +Modified-by: Alex Burmashev +Signed-off-by: Alex Burmashev +--- + drivers/nvme/host/pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 4c644bb7f06927..9535e35ef18a56 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3588,12 +3588,10 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_DEALLOCATE_ZEROES, }, + { PCI_VDEVICE(INTEL, 0x0a54), /* Intel P4500/P4600 */ + .driver_data = NVME_QUIRK_STRIPE_SIZE | +- NVME_QUIRK_DEALLOCATE_ZEROES | + NVME_QUIRK_IGNORE_DEV_SUBNQN | + NVME_QUIRK_BOGUS_NID, }, + { PCI_VDEVICE(INTEL, 0x0a55), /* Dell Express Flash P4600 */ +- .driver_data = NVME_QUIRK_STRIPE_SIZE | +- NVME_QUIRK_DEALLOCATE_ZEROES, }, ++ .driver_data = NVME_QUIRK_STRIPE_SIZE, }, + { PCI_VDEVICE(INTEL, 0xf1a5), /* Intel 600P/P3100 */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS | + NVME_QUIRK_MEDIUM_PRIO_SQ | diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog index fe660944b..0298d1b14 100644 --- a/SOURCES/kernel.changelog +++ b/SOURCES/kernel.changelog @@ -1,3 +1,27 @@ +* Sat Jun 07 2025 CKI KWF Bot [5.14.0-570.22.1.el9_6] +- Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (David Marlin) [RHEL-87890] {CVE-2025-21969} +- Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (David Marlin) [RHEL-87890] {CVE-2025-21969} +- Revert "SUNRPC: Revert e0a912e8ddba" (Benjamin Coddington) [RHEL-94811] +- mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio (Jay Shin) [RHEL-92291] +- mm: fix crashes from deferred split racing folio migration (Jay Shin) [RHEL-92291] {CVE-2024-42234} +- mm: memcg: fix split queue list crash when large folio migration (Jay Shin) [RHEL-92291] +- proc: fix UAF in proc_get_inode() (Ian Kent) [RHEL-86808] {CVE-2025-21999} +- cifs: Fix integer overflow while processing acdirmax mount option (Paulo Alcantara) [RHEL-87941] {CVE-2025-21963} +- wifi: cfg80211: init wiphy_work before allocating rfkill fails (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979} +- wifi: cfg80211: cancel wiphy_work before freeing wiphy (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979} +- eth: bnxt: fix truesize for mb-xdp-pass case (CKI Backport Bot) [RHEL-88328] {CVE-2025-21961} +- vmxnet3: unregister xdp rxq info in the reset path (CKI Backport Bot) [RHEL-92471] +- md: fix mddev uaf while iterating all_mddevs list (CKI Backport Bot) [RHEL-89062] {CVE-2025-22126} +- nvme: print firmware bug note for non-unique identifiers (Bryan Gurney) [RHEL-91163] +- nvme-pci: add BOGUS_NID quirk for Samsung PM1733 (Bryan Gurney) [RHEL-91163] +- media: v4l2-mediabus: Drop V4L2_MBUS_CSI2_CONTINUOUS_CLOCK flag (Kate Hsuan) [RHEL-90323] +- media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags (Kate Hsuan) [RHEL-90323] +- media: v4l2-mediabus: Use structures to describe bus configuration (Kate Hsuan) [RHEL-90323] +- media: v4l2-fwnode: Move bus config structure to v4l2_mediabus.h (Kate Hsuan) [RHEL-90323] +- sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (Phil Auld) [RHEL-86302] +- smb: client: fix UAF in decryption with multichannel (CKI Backport Bot) [RHEL-94460] {CVE-2025-37750} +Resolves: RHEL-86302, RHEL-86808, RHEL-87890, RHEL-87931, RHEL-87941, RHEL-88328, RHEL-89062, RHEL-90323, RHEL-91163, RHEL-92291, RHEL-92471, RHEL-94460, RHEL-94811 + * Tue Jun 03 2025 CKI KWF Bot [5.14.0-570.21.1.el9_6] - xsk: fix an integer overflow in xp_create_and_assign_umem() (CKI Backport Bot) [RHEL-87911] {CVE-2025-21997} - vlan: enforce underlying device type (Guillaume Nault) [RHEL-87884] {CVE-2025-21920} diff --git a/SOURCES/olkmod_signing_key.pem b/SOURCES/olkmod_signing_key.pem new file mode 100644 index 000000000..7a51daf16 --- /dev/null +++ b/SOURCES/olkmod_signing_key.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT +aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh +Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln +bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg +U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y +YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp +Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ +jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv +4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y +WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A +73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw +umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99 +37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5 +Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk +R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8 +3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6 +TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S +y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e +kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg== +-----END CERTIFICATE----- diff --git a/SOURCES/olkmod_signing_key1.pem b/SOURCES/olkmod_signing_key1.pem new file mode 100644 index 000000000..b99afba7a --- /dev/null +++ b/SOURCES/olkmod_signing_key1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL +BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx +MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP +cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET +MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw +MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5 +IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI +DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ +z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt +c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7 +P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt +wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi +5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn +tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF +sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/ +WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8 +gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR +52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA +m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE +FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw +ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K +6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH +PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W +FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ +IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C +/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ +QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y +8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw +szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6 +MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+ +68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF +JuZ4rgQv9ghmhQ== +-----END CERTIFICATE----- diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel index b1bbe387f..5b7056d65 100644 --- a/SOURCES/x509.genkey.rhel +++ b/SOURCES/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = Oracle America, Inc.,c=US +CN = Oracle CA Server +emailAddress = support@oracle.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec old mode 100644 new mode 100755 index fb082201d..595eed1c5 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -104,7 +104,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 aarch64 s390x ppc64le +%define secure_boot_arch x86_64 s390x ppc64le %endif # Signing for secure boot authentication @@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 570.21.1 +%define pkgrelease 570.22.1 %define kversion 5 -%define tarfile_release 5.14.0-570.21.1.el9_6 +%define tarfile_release 5.14.0-570.22.1.el9_6 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 570.21.1%{?buildid}%{?dist} +%define specrelease 570.22.1%{?buildid}.0.1%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-570.21.1.el9_6 +%define kabiversion 5.14.0-570.22.1.el9_6 # # End of genspec.sh variables @@ -636,6 +636,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) %endif +Provides: oracle(kernel-sig-key) == 202502 +Conflicts: shim-x64 < 15.8-1.0.4 # # List the packages used during the kernel build @@ -780,8 +782,6 @@ BuildRequires: WALinuxAgent-cvm # For UKI sb cert %if 0%{?centos} BuildRequires: centos-sb-certs >= 9.0-23 -%else -BuildRequires: redhat-sb-certs >= 9.4-0.1 %endif %endif @@ -798,30 +798,10 @@ Source2: kernel.changelog %if %{signkernel} -# Name of the packaged file containing signing key -%ifarch ppc64le -%define signing_key_filename kernel-signing-ppc.cer -%endif -%ifarch s390x -%define signing_key_filename kernel-signing-s390.cer -%endif - %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%if 0%{?centos} -%define pesign_name_0 centossecureboot201 -%else -%ifarch x86_64 aarch64 -%define pesign_name_0 redhatsecureboot501 -%endif -%ifarch s390x -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define pesign_name_0 redhatsecureboot701 -%endif -%endif +%define pesign_name_0 OracleLinuxSecureBootKey3 # signkernel %endif @@ -908,14 +888,20 @@ Source102: rhelimaca1.x509 Source103: rhelima.x509 Source104: rhelima_centos.x509 Source105: nvidiagpuoot001.x509 +# Oracle Linux IMA CA certificate +Source106: olimaca1.x509 +# Oracle Linux IMA signing certificate +Source107: olima1.x509 %if 0%{?centos} %define ima_signing_cert %{SOURCE104} %else %define ima_signing_cert %{SOURCE103} +%define ima_signing_cert_ol %{SOURCE107} %endif %define ima_cert_name ima.cer +%define ima_cert_name_ol ima_ol.cer Source150: dracut-virt.conf @@ -955,6 +941,10 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml +# Oracle Linux RHCK Module Signing Key +Source5001: olkmod_signing_key.pem +Source5002: olkmod_signing_key1.pem + ## Patches needed for building this package %if !%{nopatches} @@ -962,8 +952,13 @@ Source4002: gating.yaml Patch1: patch-%{patchversion}-redhat.patch %endif +# Oracle patches +Patch1000: bug34729535-change-certified-hw-message.patch +Patch1002: bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch + # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000000: 1000-debrand-some-messages.patch # END OF PATCH DEFINITIONS @@ -1112,10 +1107,10 @@ This package provides debug information for the libperf package. %package -n kernel-tools Summary: Assortment of tools for the Linux kernel %ifarch %{cpupowerarchs} -Provides: cpupowerutils = 1:009-0.6.p1 +Provides: cpupowerutils = 1:009-0.6.p1 Obsoletes: cpupowerutils < 1:009-0.6.p1 -Provides: cpufreq-utils = 1:009-0.6.p1 -Provides: cpufrequtils = 1:009-0.6.p1 +Provides: cpufreq-utils = 1:009-0.6.p1 +Provides: cpufrequtils = 1:009-0.6.p1 Obsoletes: cpufreq-utils < 1:009-0.6.p1 Obsoletes: cpufrequtils < 1:009-0.6.p1 Obsoletes: cpuspeed < 1:1.5-16 @@ -1136,7 +1131,7 @@ from the kernel source. Summary: Assortment of tools for the Linux kernel Requires: kernel-tools = %{version}-%{release} %ifarch %{cpupowerarchs} -Provides: cpupowerutils-devel = 1:009-0.6.p1 +Provides: cpupowerutils-devel = 1:009-0.6.p1 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1 %endif Requires: kernel-tools-libs = %{version}-%{release} @@ -1699,6 +1694,8 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif +ApplyPatch bug34729535-change-certified-hw-message.patch +ApplyPatch bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -1778,6 +1775,13 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem +# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list +openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem +cat olimaca1.pem >> ../certs/rhel.pem +# Add olkmod_signing_key.pem to the kernel trusted certificates list +cat %{SOURCE5001} >> ../certs/rhel.pem +# Add olkmod_signing_key1.pem to the kernel trusted certificates list +cat %{SOURCE5002} >> ../certs/rhel.pem %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem @@ -2446,8 +2450,11 @@ BuildKernel() { %endif SBAT=$(cat <<- EOF linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com + kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com EOF ) @@ -2473,7 +2480,7 @@ BuildKernel() { python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} %if %{signkernel} - +%if ! %{?oraclelinux} %if 0%{?centos} UKI_secureboot_name=centossecureboot204 %else @@ -2495,6 +2502,7 @@ BuildKernel() { done # signkernel +%endif %endif # hmac sign the UKI for FIPS @@ -2578,7 +2586,7 @@ BuildKernel() { # prune junk from kernel-devel find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer @@ -2592,6 +2600,8 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} + # Oracle Linux IMA signing cert + install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} @@ -3784,6 +3794,41 @@ fi # # %changelog +* Mon Jun 16 2025 Craig Guiller [5.14.0-570.22.1.0.1.el9_6.OL9] +- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650] +- Disable UKI signing [Orabug: 36571828] +- Update Oracle Linux certificates (Kevin Lyons) +- Disable signing for aarch64 (Ilya Okomin) +- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] +- Update x509.genkey [Orabug: 24817676] +- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 +- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] +- Add Oracle Linux IMA certificates +- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764] + +* Sat Jun 07 2025 CKI KWF Bot [5.14.0-570.22.1.el9_6] +- Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (David Marlin) [RHEL-87890] {CVE-2025-21969} +- Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (David Marlin) [RHEL-87890] {CVE-2025-21969} +- Revert "SUNRPC: Revert e0a912e8ddba" (Benjamin Coddington) [RHEL-94811] +- mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio (Jay Shin) [RHEL-92291] +- mm: fix crashes from deferred split racing folio migration (Jay Shin) [RHEL-92291] {CVE-2024-42234} +- mm: memcg: fix split queue list crash when large folio migration (Jay Shin) [RHEL-92291] +- proc: fix UAF in proc_get_inode() (Ian Kent) [RHEL-86808] {CVE-2025-21999} +- cifs: Fix integer overflow while processing acdirmax mount option (Paulo Alcantara) [RHEL-87941] {CVE-2025-21963} +- wifi: cfg80211: init wiphy_work before allocating rfkill fails (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979} +- wifi: cfg80211: cancel wiphy_work before freeing wiphy (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979} +- eth: bnxt: fix truesize for mb-xdp-pass case (CKI Backport Bot) [RHEL-88328] {CVE-2025-21961} +- vmxnet3: unregister xdp rxq info in the reset path (CKI Backport Bot) [RHEL-92471] +- md: fix mddev uaf while iterating all_mddevs list (CKI Backport Bot) [RHEL-89062] {CVE-2025-22126} +- nvme: print firmware bug note for non-unique identifiers (Bryan Gurney) [RHEL-91163] +- nvme-pci: add BOGUS_NID quirk for Samsung PM1733 (Bryan Gurney) [RHEL-91163] +- media: v4l2-mediabus: Drop V4L2_MBUS_CSI2_CONTINUOUS_CLOCK flag (Kate Hsuan) [RHEL-90323] +- media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags (Kate Hsuan) [RHEL-90323] +- media: v4l2-mediabus: Use structures to describe bus configuration (Kate Hsuan) [RHEL-90323] +- media: v4l2-fwnode: Move bus config structure to v4l2_mediabus.h (Kate Hsuan) [RHEL-90323] +- sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (Phil Auld) [RHEL-86302] +- smb: client: fix UAF in decryption with multichannel (CKI Backport Bot) [RHEL-94460] {CVE-2025-37750} + * Tue Jun 03 2025 CKI KWF Bot [5.14.0-570.21.1.el9_6] - xsk: fix an integer overflow in xp_create_and_assign_umem() (CKI Backport Bot) [RHEL-87911] {CVE-2025-21997} - vlan: enforce underlying device type (Guillaume Nault) [RHEL-87884] {CVE-2025-21920}