import OL kernel-5.14.0-570.17.1.0.1.el9_6

Andrew Lukoshko 2025-05-24 14:29:27 +00:00
parent 7b05b27f8f
commit b18fb024eb
11 changed files with 323 additions and 78 deletions

6
.gitignore vendored

@ -1,6 +1,6 @@
SOURCES/kernel-abi-stablelists-5.14.0-570.16.1.el9_6.tar.bz2 SOURCES/kernel-abi-stablelists-5.14.0-570.17.1.el9_6.tar.bz2
SOURCES/kernel-kabi-dw-5.14.0-570.16.1.el9_6.tar.bz2 SOURCES/kernel-kabi-dw-5.14.0-570.17.1.el9_6.tar.bz2
SOURCES/linux-5.14.0-570.16.1.el9_6.tar.xz SOURCES/linux-5.14.0-570.17.1.el9_6.tar.xz
SOURCES/nvidiagpuoot001.x509 SOURCES/nvidiagpuoot001.x509
SOURCES/olima1.x509 SOURCES/olima1.x509
SOURCES/olimaca1.x509 SOURCES/olimaca1.x509


@ -1,6 +1,6 @@
532d24cb7a75a27defc293d87e5a3ec0538b9ac4 SOURCES/kernel-abi-stablelists-5.14.0-570.16.1.el9_6.tar.bz2 40504f40c13b052b2162b397ca29c9b4215992d5 SOURCES/kernel-abi-stablelists-5.14.0-570.17.1.el9_6.tar.bz2
f823591541eaabeb6c8b39ae6cca11c9a1a7b041 SOURCES/kernel-kabi-dw-5.14.0-570.16.1.el9_6.tar.bz2 d218c5ddc727978e57aec4da142c50fc664d7ad2 SOURCES/kernel-kabi-dw-5.14.0-570.17.1.el9_6.tar.bz2
103e2f047d4077fbc2f76a34b867723d993a2193 SOURCES/linux-5.14.0-570.16.1.el9_6.tar.xz 44f3fde3ea21c1a381636785cdad3631a78aae39 SOURCES/linux-5.14.0-570.17.1.el9_6.tar.xz
4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509


@ -0,0 +1,59 @@
From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001
From: Louis Abel <label@rockylinux.org>
Date: Wed, 20 Sep 2023 14:16:05 -0700
Subject: [PATCH] debrand some messages
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
kernel/rh_shadowman.c | 55 ++++++++++++++++++++++---------------------
4 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c
index 018d5c633..d05ea0790 100644
--- a/kernel/rh_shadowman.c
+++ b/kernel/rh_shadowman.c
@@ -1,39 +1 @@
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/printk.h>
-
-/* Display a shadowman logo on the console screen */
-static int __init rh_shadowman(char *str)
-{
- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n");
- pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n");
- pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n");
- pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRR. .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRR~ .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n");
- pr_info("R,```` RRR8 .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n");
- pr_info("RR ORRRRRRRRRRRRRRRRRR\n");
- pr_info("RRR ,HHtaa HRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRO. .RRRRO. . .RRRRRRR\n");
- pr_info("RRRRRR ,RRHh, :RRRRRRRR\n");
- pr_info("RRRRRRRR HRR :RRRRRRRRRR\n");
- pr_info("RRRRRRRRRRr .. ,RRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRt . .HRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRRRRRr. =RRRRRRRRRRRRRRRRRRRR\n");
- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n");
- pr_info(" ");
- pr_info(" Long Live Shadowman!");
- pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273");
- pr_info(" ");
- return 1;
-}
-
-__setup("shadowman", rh_shadowman);
+// This file has been intentionally left blank
--
2.41.0
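Review bot: The patch header's diffstat (`4 files changed, 34 insertions(+), 33 deletions(-)`, `kernel/rh_shadowman.c | 55`) does not match the body, which carries a single `@@ -1,39 +1 @@` hunk for kernel/rh_shadowman.c. The header therefore looks hand-trimmed, which the `Modified-by:` trailer also suggests, and nothing records what was dropped from the original patch. A one-line description under `Modified-by:` of what was removed, plus a regenerated diffstat, would let a reviewer confirm the patch carries only what it claims. The kernel.spec hunks on this page add `Patch1000000: 1000-debrand-some-messages.patch` (presumably this file) but no matching `ApplyPatch` line, so it is worth confirming the patch is actually applied during the build.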


@ -12,7 +12,7 @@ RHEL_MINOR = 6
# #
# Use this spot to avoid future merge conflicts. # Use this spot to avoid future merge conflicts.
# Do not trim this comment. # Do not trim this comment.
RHEL_RELEASE = 570.16.1 RHEL_RELEASE = 570.17.1
# #
# ZSTREAM # ZSTREAM


@ -0,0 +1,19 @@
Update message about certified hardware list.
Orabug: 34729535
Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
---
diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c
--- linux-5.14.0-160.el8.x86_64.orig/init/main.c 2022-08-25 13:57:06.000000000 -0700
+++ linux-5.14.0-160.el8.x86_64/init/main.c 2022-10-26 13:15:39.700724777 -0700
@@ -894,7 +894,7 @@
boot_cpu_init();
page_address_init();
pr_notice("%s", linux_banner);
- pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n");
+ pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n");
setup_arch(&command_line);
/* Static keys and static calls are needed by LSMs */
jump_label_init();


@ -0,0 +1,44 @@
From b0de5456e201c475d6a860ceeb3ed8ee2923695a Mon Sep 17 00:00:00 2001
From: Keith Busch <kbusch@kernel.org>
Date: Mon, 2 Dec 2024 09:45:48 -0800
Subject: [PATCH] nvme-pci: remove two deallocate zeroes quirks
The quirk was initially used as a signal to set the discard_zeroes_data
queue limit because there were some use cases that relied on that
behavior. The queue limit no longer exists as every user of it has been
converted to use the write zeroes operation instead.
The quirk now means to use a discard command as an alias to a write
zeroes request. Two of the devices previously using the quirk support
the write zeroes command directly, so these don't need or want to use
discard when the desired operation is to write zeroes.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Orabug: 37756650
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
drivers/nvme/host/pci.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 4c644bb7f06927..9535e35ef18a56 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3588,12 +3588,10 @@ static const struct pci_device_id nvme_id_table[] = {
NVME_QUIRK_DEALLOCATE_ZEROES, },
{ PCI_VDEVICE(INTEL, 0x0a54), /* Intel P4500/P4600 */
.driver_data = NVME_QUIRK_STRIPE_SIZE |
- NVME_QUIRK_DEALLOCATE_ZEROES |
NVME_QUIRK_IGNORE_DEV_SUBNQN |
NVME_QUIRK_BOGUS_NID, },
{ PCI_VDEVICE(INTEL, 0x0a55), /* Dell Express Flash P4600 */
- .driver_data = NVME_QUIRK_STRIPE_SIZE |
- NVME_QUIRK_DEALLOCATE_ZEROES, },
+ .driver_data = NVME_QUIRK_STRIPE_SIZE, },
{ PCI_VDEVICE(INTEL, 0xf1a5), /* Intel 600P/P3100 */
.driver_data = NVME_QUIRK_NO_DEEPEST_PS |
NVME_QUIRK_MEDIUM_PRIO_SQ |


@ -1,3 +1,44 @@
* Mon May 12 2025 Patrick Talbert <ptalbert@redhat.com> [5.14.0-570.17.1.el9_6]
- vsock: Orphan socket after transport release (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- vsock: Keep the binding until socket destruction (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- bpf, vsock: Invoke proto::close on close() (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- net: ppp: Add bound checking for skb data on ppp_sync_txmung (Guillaume Nault) [RHEL-89646] {CVE-2025-37749}
- cgroup/cpuset: Add warnings to catch inconsistency in exclusive CPUs (Waiman Long) [RHEL-88640]
- selftest/cgroup: Add a remote partition transition test to test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- selftest/cgroup: Clean up and restructure test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- selftest/cgroup: Update test_cpuset_prs.sh to use | as effective CPUs and state separator (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Code cleanup and comment update (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix error handling in remote_partition_disable() (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix race between newly created partition and dying one (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Prevent leakage of isolated CPUs into sched domains (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Enforce at most one rebuild_sched_domains_locked() call per operation (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Revert "Allow suppression of sched domain rebuild in update_cpumasks_hier()" (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix spelling errors in file kernel/cgroup/cpuset.c (Waiman Long) [RHEL-88640]
- selftest/cgroup: Make test_cpuset_prs.sh deal with pre-isolated CPUs (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Account for boot time isolated CPUs (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove use_parent_ecpus of cpuset (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove fetch_xcpus (Waiman Long) [RHEL-88640]
- selftest/cgroup: Add new test cases to test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove child_ecpus_count (Waiman Long) [RHEL-88640]
- cpuset: use Union-Find to optimize the merging of cpumasks (Waiman Long) [RHEL-88640]
- Union-Find: add a new module in kernel library (Waiman Long) [RHEL-88640]
- dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature (CKI Backport Bot) [RHEL-86899] {CVE-2025-21966}
- ixgbe: fix media type detection for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbevf: Add support for Intel(R) E610 device (Corinna Vinschen) [RHEL-85809]
- PCI: Add PCI_VDEVICE_SUB helper macro (Corinna Vinschen) [RHEL-85809]
- ixgbe: fix media cage present detection for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Enable link management in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Clean up the E610 link management related code (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add ixgbe_x540 multiple header inclusion protection (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for EEPROM dump in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for NVM handling in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add link management support for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for E610 device capabilities detection (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for E610 FW Admin Command Interface (Corinna Vinschen) [RHEL-85809]
Resolves: RHEL-85809, RHEL-86899, RHEL-88640, RHEL-89113, RHEL-89646
* Tue Apr 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-570.16.1.el9_6] * Tue Apr 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-570.16.1.el9_6]
- soc: qcom: socinfo: Avoid out of bounds read of serial number (Jared Kangas) [RHEL-88252] {CVE-2024-58007} - soc: qcom: socinfo: Avoid out of bounds read of serial number (Jared Kangas) [RHEL-88252] {CVE-2024-58007}
- soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() (Jared Kangas) [RHEL-88252] - soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() (Jared Kangas) [RHEL-88252]


@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,45 +1,45 @@
{ {
"common": {
"crashkernel-1536M.addon": [
"crashkernel=1536M\n"
],
"crashkernel-192M.addon": [
"crashkernel=192M\n"
],
"crashkernel-1G.addon": [
"crashkernel=1G\n"
],
"crashkernel-256M.addon": [
"crashkernel=256M\n"
],
"crashkernel-2G.addon": [
"crashkernel=2G\n"
],
"crashkernel-512M.addon": [
"crashkernel=512M\n"
],
"crashkernel-default.addon": [
"crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M\n"
],
"debug.addon": [
"debug\n"
]
},
"virt": { "virt": {
"common": {
"fips-disable.addon": [
"fips=0\n"
],
"fips-enable.addon": [
"fips=1\n"
]
},
"rhel": { "rhel": {
"aarch64": { "aarch64": {
"crashkernel-default.addon": [ "crashkernel-default.addon": [
"crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n" "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
] ]
} }
} },
"common": {
"fips-enable.addon": [
"fips=1\n"
],
"fips-disable.addon": [
"fips=0\n"
]
}
},
"common": {
"debug.addon": [
"debug\n"
],
"crashkernel-default.addon": [
"crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M\n"
],
"crashkernel-512M.addon": [
"crashkernel=512M\n"
],
"crashkernel-2G.addon": [
"crashkernel=2G\n"
],
"crashkernel-256M.addon": [
"crashkernel=256M\n"
],
"crashkernel-1G.addon": [
"crashkernel=1G\n"
],
"crashkernel-192M.addon": [
"crashkernel=192M\n"
],
"crashkernel-1536M.addon": [
"crashkernel=1536M\n"
]
} }
} }


@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
O = Red Hat O = Oracle America, Inc.,c=US
CN = Red Hat Enterprise Linux kernel signing key CN = Oracle CA Server
emailAddress = secalert@redhat.com emailAddress = support@oracle.com
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE
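Review bot: In `[ req_distinguished_name ]` the new `O = Oracle America, Inc.,c=US` places the text `,c=US` inside the organizationName value instead of setting a country attribute. The new `CN = Oracle CA Server` also names a CA, while `[ myexts ]` still issues the certificate with `basicConstraints=critical,CA:FALSE`. This DN is presumably the subject of the build-generated signing certificate, so a misleading subject makes it harder to tell from keyring listings or audit output which key signed a given module. If a country is intended, a separate `C = US` line next to `O = Oracle America, Inc.` expresses it. The CN is worth confirming against the intent of the "Update x509.genkey" changelog entry.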

118
SPECS/kernel.spec Normal file → Executable file

@ -104,7 +104,7 @@ Summary: The Linux kernel
%if 0%{?fedora} %if 0%{?fedora}
%define secure_boot_arch x86_64 %define secure_boot_arch x86_64
%else %else
%define secure_boot_arch x86_64 aarch64 s390x ppc64le %define secure_boot_arch x86_64 s390x ppc64le
%endif %endif
# Signing for secure boot authentication # Signing for secure boot authentication
@ -165,15 +165,15 @@ Summary: The Linux kernel
# define buildid .local # define buildid .local
%define specversion 5.14.0 %define specversion 5.14.0
%define patchversion 5.14 %define patchversion 5.14
%define pkgrelease 570.16.1 %define pkgrelease 570.17.1
%define kversion 5 %define kversion 5
%define tarfile_release 5.14.0-570.16.1.el9_6 %define tarfile_release 5.14.0-570.17.1.el9_6
# This is needed to do merge window version magic # This is needed to do merge window version magic
%define patchlevel 14 %define patchlevel 14
# This allows pkg_release to have configurable %%{?dist} tag # This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 570.16.1%{?buildid}%{?dist} %define specrelease 570.17.1%{?buildid}.0.1%{?dist}
# This defines the kabi tarball version # This defines the kabi tarball version
%define kabiversion 5.14.0-570.16.1.el9_6 %define kabiversion 5.14.0-570.17.1.el9_6
# #
# End of genspec.sh variables # End of genspec.sh variables
@ -636,6 +636,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
Provides: installonlypkg(kernel) Provides: installonlypkg(kernel)
%endif %endif
Provides: oracle(kernel-sig-key) == 202502
Conflicts: shim-x64 < 15.8-1.0.4
# #
# List the packages used during the kernel build # List the packages used during the kernel build
@ -780,8 +782,6 @@ BuildRequires: WALinuxAgent-cvm
# For UKI sb cert # For UKI sb cert
%if 0%{?centos} %if 0%{?centos}
BuildRequires: centos-sb-certs >= 9.0-23 BuildRequires: centos-sb-certs >= 9.0-23
%else
BuildRequires: redhat-sb-certs >= 9.4-0.1
%endif %endif
%endif %endif
@ -798,30 +798,10 @@ Source2: kernel.changelog
%if %{signkernel} %if %{signkernel}
# Name of the packaged file containing signing key
%ifarch ppc64le
%define signing_key_filename kernel-signing-ppc.cer
%endif
%ifarch s390x
%define signing_key_filename kernel-signing-s390.cer
%endif
%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
%if 0%{?centos} %define pesign_name_0 OracleLinuxSecureBootKey3
%define pesign_name_0 centossecureboot201
%else
%ifarch x86_64 aarch64
%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define pesign_name_0 redhatsecureboot701
%endif
%endif
# signkernel # signkernel
%endif %endif
@ -908,14 +888,20 @@ Source102: rhelimaca1.x509
Source103: rhelima.x509 Source103: rhelima.x509
Source104: rhelima_centos.x509 Source104: rhelima_centos.x509
Source105: nvidiagpuoot001.x509 Source105: nvidiagpuoot001.x509
# Oracle Linux IMA CA certificate
Source106: olimaca1.x509
# Oracle Linux IMA signing certificate
Source107: olima1.x509
%if 0%{?centos} %if 0%{?centos}
%define ima_signing_cert %{SOURCE104} %define ima_signing_cert %{SOURCE104}
%else %else
%define ima_signing_cert %{SOURCE103} %define ima_signing_cert %{SOURCE103}
%define ima_signing_cert_ol %{SOURCE107}
%endif %endif
%define ima_cert_name ima.cer %define ima_cert_name ima.cer
%define ima_cert_name_ol ima_ol.cer
Source150: dracut-virt.conf Source150: dracut-virt.conf
@ -955,6 +941,9 @@ Source4000: README.rst
Source4001: rpminspect.yaml Source4001: rpminspect.yaml
Source4002: gating.yaml Source4002: gating.yaml
# Oracle Linux RHCK Module Signing Key
Source5001: olkmod_signing_key.pem
## Patches needed for building this package ## Patches needed for building this package
%if !%{nopatches} %if !%{nopatches}
@ -962,8 +951,13 @@ Source4002: gating.yaml
Patch1: patch-%{patchversion}-redhat.patch Patch1: patch-%{patchversion}-redhat.patch
%endif %endif
# Oracle patches
Patch1000: bug34729535-change-certified-hw-message.patch
Patch1002: bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
# empty final patch to facilitate testing of kernel patches # empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch Patch999999: linux-kernel-test.patch
Patch1000000: 1000-debrand-some-messages.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
@ -1699,6 +1693,8 @@ cp -a %{SOURCE1} .
ApplyOptionalPatch patch-%{patchversion}-redhat.patch ApplyOptionalPatch patch-%{patchversion}-redhat.patch
%endif %endif
ApplyPatch bug34729535-change-certified-hw-message.patch
ApplyPatch bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
ApplyOptionalPatch linux-kernel-test.patch ApplyOptionalPatch linux-kernel-test.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
@ -1778,6 +1774,11 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem
openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem
cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
cat olimaca1.pem >> ../certs/rhel.pem
# Add olkmod_signing_key.pem to the kernel trusted certificates list
cat %{SOURCE5001} >> ../certs/rhel.pem
%if %{signkernel} %if %{signkernel}
%ifarch s390x ppc64le %ifarch s390x ppc64le
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@ -2446,8 +2447,11 @@ BuildKernel() {
%endif %endif
SBAT=$(cat <<- EOF SBAT=$(cat <<- EOF
linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
EOF EOF
) )
@ -2473,7 +2477,7 @@ BuildKernel() {
python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
%if %{signkernel} %if %{signkernel}
%if ! %{?oraclelinux}
%if 0%{?centos} %if 0%{?centos}
UKI_secureboot_name=centossecureboot204 UKI_secureboot_name=centossecureboot204
%else %else
@ -2495,6 +2499,7 @@ BuildKernel() {
done done
# signkernel # signkernel
%endif
%endif %endif
# hmac sign the UKI for FIPS # hmac sign the UKI for FIPS
@ -2578,7 +2583,7 @@ BuildKernel() {
# prune junk from kernel-devel # prune junk from kernel-devel
find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%if %{signkernel} %if %{signkernel}
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -2592,6 +2597,8 @@ BuildKernel() {
%if 0%{?rhel} %if 0%{?rhel}
# Red Hat IMA code-signing cert, which is used to authenticate package files # Red Hat IMA code-signing cert, which is used to authenticate package files
install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
# Oracle Linux IMA signing cert
install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
%endif %endif
%if %{signmodules} %if %{signmodules}
@ -3784,6 +3791,57 @@ fi
# #
# #
%changelog %changelog
* Tue May 20 2025 Darren Archibald <darren.archibald@oracle.com> [5.14.0-570.17.1.0.1.el9_6.OL9]
- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
* Mon May 12 2025 Patrick Talbert <ptalbert@redhat.com> [5.14.0-570.17.1.el9_6]
- vsock: Orphan socket after transport release (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- vsock: Keep the binding until socket destruction (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- bpf, vsock: Invoke proto::close on close() (Jay Shin) [RHEL-89113] {CVE-2025-21756}
- net: ppp: Add bound checking for skb data on ppp_sync_txmung (Guillaume Nault) [RHEL-89646] {CVE-2025-37749}
- cgroup/cpuset: Add warnings to catch inconsistency in exclusive CPUs (Waiman Long) [RHEL-88640]
- selftest/cgroup: Add a remote partition transition test to test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- selftest/cgroup: Clean up and restructure test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- selftest/cgroup: Update test_cpuset_prs.sh to use | as effective CPUs and state separator (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Code cleanup and comment update (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix error handling in remote_partition_disable() (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix race between newly created partition and dying one (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Prevent leakage of isolated CPUs into sched domains (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Enforce at most one rebuild_sched_domains_locked() call per operation (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Revert "Allow suppression of sched domain rebuild in update_cpumasks_hier()" (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Fix spelling errors in file kernel/cgroup/cpuset.c (Waiman Long) [RHEL-88640]
- selftest/cgroup: Make test_cpuset_prs.sh deal with pre-isolated CPUs (Waiman Long) [RHEL-88640]
- cgroup/cpuset: Account for boot time isolated CPUs (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove use_parent_ecpus of cpuset (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove fetch_xcpus (Waiman Long) [RHEL-88640]
- selftest/cgroup: Add new test cases to test_cpuset_prs.sh (Waiman Long) [RHEL-88640]
- cgroup/cpuset: remove child_ecpus_count (Waiman Long) [RHEL-88640]
- cpuset: use Union-Find to optimize the merging of cpumasks (Waiman Long) [RHEL-88640]
- Union-Find: add a new module in kernel library (Waiman Long) [RHEL-88640]
- dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature (CKI Backport Bot) [RHEL-86899] {CVE-2025-21966}
- ixgbe: fix media type detection for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbevf: Add support for Intel(R) E610 device (Corinna Vinschen) [RHEL-85809]
- PCI: Add PCI_VDEVICE_SUB helper macro (Corinna Vinschen) [RHEL-85809]
- ixgbe: fix media cage present detection for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Enable link management in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Clean up the E610 link management related code (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add ixgbe_x540 multiple header inclusion protection (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for EEPROM dump in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for NVM handling in E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add link management support for E610 device (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for E610 device capabilities detection (Corinna Vinschen) [RHEL-85809]
- ixgbe: Add support for E610 FW Admin Command Interface (Corinna Vinschen) [RHEL-85809]
* Tue Apr 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-570.16.1.el9_6] * Tue Apr 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-570.16.1.el9_6]
- soc: qcom: socinfo: Avoid out of bounds read of serial number (Jared Kangas) [RHEL-88252] {CVE-2024-58007} - soc: qcom: socinfo: Avoid out of bounds read of serial number (Jared Kangas) [RHEL-88252] {CVE-2024-58007}
- soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() (Jared Kangas) [RHEL-88252] - soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() (Jared Kangas) [RHEL-88252]
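Review bot: The added `cat %{SOURCE5001} >> ../certs/rhel.pem` in the certificate-assembly hunk appends olkmod_signing_key.pem to the kernel's trusted-certificate bundle without parsing it, whereas every other entry in that hunk is first passed through `openssl x509`. A source file that is malformed, lacks a trailing newline, or holds anything besides a single certificate could reach the trust list unnoticed or corrupt the entry appended after it. Converting first with `openssl x509 -in %{SOURCE5001} -out olkmod_signing_key.cert.pem` and then `cat olkmod_signing_key.cert.pem >> ../certs/rhel.pem` makes the build fail early instead. Separately, the new `%if ! %{?oraclelinux}` guard around UKI signing expands to an empty operand when the macro is undefined; the file's own idiom (`%if 0%{?centos}`) suggests `%if ! 0%{?oraclelinux}`.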