From 8d3e13ed99df49cef2829ec35b8293e6e5b5f473 Mon Sep 17 00:00:00 2001
From: Eduard Abdullin <eabdullin@almalinux.org>
Date: Tue, 9 Dec 2025 08:54:22 +0000
Subject: [PATCH] Debrand for AlmaLinux OS

Use AlmaLinux OS secure boot cert

Enable Btrfs support for all kernel variants

hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

mptsas: bring back deprecated PCI ids #CFHack #CFHack2024

megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024

qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024

qla4xxx: bring back deprecated PCI ids

lpfc: bring back deprecated PCI ids

be2iscsi: bring back deprecated PCI ids

kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained
---
 .gitignore                              |  6 +-
 Makefile.rhelver                        |  2 +-
 kernel-aarch64-64k-debug-rhel.config    |  3 +
 kernel-aarch64-64k-rhel.config          |  3 +
 kernel-aarch64-debug-rhel.config        |  3 +
 kernel-aarch64-rhel.config              |  3 +
 kernel-aarch64-rt-64k-debug-rhel.config |  3 +
 kernel-aarch64-rt-64k-rhel.config       |  3 +
 kernel-aarch64-rt-debug-rhel.config     |  3 +
 kernel-aarch64-rt-rhel.config           |  3 +
 kernel-ppc64le-debug-rhel.config        |  3 +
 kernel-ppc64le-rhel.config              |  3 +
 kernel-s390x-debug-rhel.config          |  3 +
 kernel-s390x-rhel.config                |  3 +
 kernel-s390x-zfcpdump-rhel.config       |  3 +
 kernel-x86_64-debug-rhel.config         |  5 +-
 kernel-x86_64-rhel.config               |  5 +-
 kernel-x86_64-rt-debug-rhel.config      |  5 +-
 kernel-x86_64-rt-rhel.config            |  5 +-
 kernel.changelog                        | 68 +++++++++++++++++++++
 kernel.spec                             | 78 ++++++++++++++++++++++---
 sources                                 |  6 +-
 22 files changed, 201 insertions(+), 18 deletions(-)

diff --git a/.gitignore b/.gitignore
index b54ead673..3651afcc9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz
-kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz
-linux-6.12.0-124.16.1.el10_1.tar.xz
+kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz
+kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz
+linux-6.12.0-124.20.1.el10_1.tar.xz
 nvidiagpuoot001.x509
 redhatsecureboot501.cer
 redhatsecureboot504.cer
diff --git a/Makefile.rhelver b/Makefile.rhelver
index 4d1bff452..ed5527efd 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.16.1
+RHEL_RELEASE = 124.20.1
 
 #
 # RHEL_REBASE_NUM
diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config
index 833b5b1d4..09c9efa48 100644
--- a/kernel-aarch64-64k-debug-rhel.config
+++ b/kernel-aarch64-64k-debug-rhel.config
@@ -8417,6 +8417,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config
index d782e43b7..b46b33fca 100644
--- a/kernel-aarch64-64k-rhel.config
+++ b/kernel-aarch64-64k-rhel.config
@@ -8392,6 +8392,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index 4b5385336..62d74be2e 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -8413,6 +8413,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 666c5da6a..a8a47cb15 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -8388,6 +8388,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-rt-64k-debug-rhel.config b/kernel-aarch64-rt-64k-debug-rhel.config
index 568bd9be3..15290da21 100644
--- a/kernel-aarch64-rt-64k-debug-rhel.config
+++ b/kernel-aarch64-rt-64k-debug-rhel.config
@@ -8472,6 +8472,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-rt-64k-rhel.config b/kernel-aarch64-rt-64k-rhel.config
index 626ef5ee2..6b7ec37e4 100644
--- a/kernel-aarch64-rt-64k-rhel.config
+++ b/kernel-aarch64-rt-64k-rhel.config
@@ -8447,6 +8447,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config
index 4da55b5f7..3b0326684 100644
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@@ -8468,6 +8468,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config
index f7f62b4dd..a22d8047a 100644
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@@ -8443,6 +8443,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index 9c7f58e1a..856778a02 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -7844,6 +7844,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 8cfc75cb8..ed1e8f4b7 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -7821,6 +7821,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index da3339ce5..0abd32fd4 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -7826,6 +7826,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=m
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index ccc02b11c..149ddef4d 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -7803,6 +7803,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=m
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index ed98ddf36..7fb44a755 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -7824,6 +7824,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=y
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index e0541b7e0..a5b8780e9 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -2592,7 +2592,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8323,6 +8323,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index d99ef7f5b..4f435d185 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -2576,7 +2576,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8299,6 +8299,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index 3fd5b6b70..41b174497 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -2633,7 +2633,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8379,6 +8379,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index cbb01d7ff..444660e9a 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -2617,7 +2617,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8355,6 +8355,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y
diff --git a/kernel.changelog b/kernel.changelog
index ca10061f6..093ba771a 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,71 @@
+* Tue Dec 02 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.20.1.el10_1]
+- iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
+- net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}
+- dpll: zl3073x: Fix output pin registration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Handle missing or corrupted flash configuration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Refactor DPLL initialization (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (Ivan Vecera) [RHEL-114795]
+- dpll: Make ZL3073X invisible (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fix build failure (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_ZL3073X* (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_I2C_MUX_PCA954x on x86 (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get fractional frequency offset (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to adjust phase (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement phase offset monitor feature (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get phase offset on connected input pin (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set esync on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set frequency on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin state setting in automatic mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set priority on input pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin selection in manual mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Register DPLL devices and pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Read DPLL types and pin properties from system firmware (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fetch invariants during probe (Ivan Vecera) [RHEL-114795]
+- dpll: Add basic Microchip ZL3073x support (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add support for Microchip Azurite chip family (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add DPLL device and pin (Ivan Vecera) [RHEL-114795]
+- idpf: set mac type when adding and removing MAC filters (CKI Backport Bot) [RHEL-123372]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-76557]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-76557]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114448]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114448]
+Resolves: RHEL-114448, RHEL-114795, RHEL-123372, RHEL-124432, RHEL-125482, RHEL-76557
+
+* Sat Nov 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.19.1.el10_1]
+- Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix sparse errors (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix possible UAFs (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_sync: fix set_local_name race condition (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: set_mesh: update LE scan interval and window (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124134] {CVE-2025-39983}
+- can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123824] {CVE-2025-39982}
+Resolves: RHEL-122901, RHEL-123824, RHEL-124110, RHEL-124134
+
+* Thu Nov 27 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.18.1.el10_1]
+- ice: ice_adapter: release xa entry on adapter allocation failure (CKI Backport Bot) [RHEL-128472] {CVE-2025-40185}
+- cifs: Fix oops due to uninitialised variable (CKI Backport Bot) [RHEL-120562] {CVE-2025-38737}
+Resolves: RHEL-120562, RHEL-128472
+
+* Tue Nov 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.17.1.el10_1]
+- x86/hyperv: Fix kdump on Azure CVMs (Li Tian) [RHEL-129777]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113919]
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124974] {CVE-2025-40047}
+Resolves: RHEL-113919, RHEL-124974, RHEL-129777
+
 * Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
 - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}
diff --git a/kernel.spec b/kernel.spec
index 014dde0fa..f272297ac 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,15 +176,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.16.1
+%define pkgrelease 124.20.1
 %define kversion 6
-%define tarfile_release 6.12.0-124.16.1.el10_1
+%define tarfile_release 6.12.0-124.20.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.16.1%{?buildid}%{?dist}
+%define specrelease 124.20.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-124.16.1.el10_1
+%define kabiversion 6.12.0-124.20.1.el10_1
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -4389,14 +4389,14 @@ fi\
 #
 #
 %changelog
-* Mon Dec 08 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.16.1
+* Tue Dec 09 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.20.1
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert
 
-* Mon Dec 08 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.16.1
+* Tue Dec 09 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.20.1
 - Enable Btrfs support for all kernel variants
 
-* Mon Dec 08 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.16.1
+* Tue Dec 09 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.20.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -4407,6 +4407,70 @@ fi\
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
+* Tue Dec 02 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.20.1.el10_1]
+- iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
+- net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}
+- dpll: zl3073x: Fix output pin registration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Handle missing or corrupted flash configuration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Refactor DPLL initialization (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (Ivan Vecera) [RHEL-114795]
+- dpll: Make ZL3073X invisible (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fix build failure (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_ZL3073X* (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_I2C_MUX_PCA954x on x86 (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get fractional frequency offset (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to adjust phase (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement phase offset monitor feature (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get phase offset on connected input pin (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set esync on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set frequency on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin state setting in automatic mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set priority on input pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin selection in manual mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Register DPLL devices and pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Read DPLL types and pin properties from system firmware (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fetch invariants during probe (Ivan Vecera) [RHEL-114795]
+- dpll: Add basic Microchip ZL3073x support (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add support for Microchip Azurite chip family (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add DPLL device and pin (Ivan Vecera) [RHEL-114795]
+- idpf: set mac type when adding and removing MAC filters (CKI Backport Bot) [RHEL-123372]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-76557]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-76557]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114448]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114448]
+
+* Sat Nov 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.19.1.el10_1]
+- Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix sparse errors (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix possible UAFs (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_sync: fix set_local_name race condition (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: set_mesh: update LE scan interval and window (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124134] {CVE-2025-39983}
+- can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123824] {CVE-2025-39982}
+
+* Thu Nov 27 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.18.1.el10_1]
+- ice: ice_adapter: release xa entry on adapter allocation failure (CKI Backport Bot) [RHEL-128472] {CVE-2025-40185}
+- cifs: Fix oops due to uninitialised variable (CKI Backport Bot) [RHEL-120562] {CVE-2025-38737}
+
+* Tue Nov 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.17.1.el10_1]
+- x86/hyperv: Fix kdump on Azure CVMs (Li Tian) [RHEL-129777]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113919]
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124974] {CVE-2025-40047}
+
 * Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
 - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}
diff --git a/sources b/sources
index 4393687e0..d52aaf969 100644
--- a/sources
+++ b/sources
@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz) = 54e465b309293c077574d471cd8d90f940acb310259487fa5eb5fd17805db402d38b5bf807d5a63b663c4db7425aec1009cc322c1114ef8f75073305b31b529a
-SHA512 (kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz) = 3a0f5bdc5d4da217879ad9130dfe2820a120d3e6c80581e50db08f5213a5de6ee475be126bdac827d76afafcb8ff4d0648539d0a5bfba5a098dbeb8825bf265f
-SHA512 (linux-6.12.0-124.16.1.el10_1.tar.xz) = c960227a79319864f9934f28072dcfee635b50e7e0a85c634e117ff5772d99fc44a0f4a872bf97d0f37c6b60fb2ca71ad662e12c60b93bf6c0b9142f29d9a8e6
+SHA512 (kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz) = d72912e431e842bf3a63a3211ff91ec5e33cc986f82a5e81866cd25cd16f45d60fa62202831d96cb0bbd8aaa054364a585b0e34dbbbe1cd72c38833529039e60 
+SHA512 (kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz) = d4fad9591096d5c38bca0a0a2aa559130ef085ea09160f6979014e9316ae1ef29f9fbe0de90ce65c0281bf8d938c6e32ec580022a517467f71ec591a27f2a903 
+SHA512 (linux-6.12.0-124.20.1.el10_1.tar.xz) = 09031bc085358168fd20e5385033ede032ef6fa116243f081bbce27475659acf8a5e5b6c30901aedd09e7b31bf646eeb3844658ab221bf5c82875a547856af20 
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9