rpms/kernel
9
4
Fork 6
Code Issues Pull Requests Releases Activity

hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

Browse Source 
mptsas: bring back deprecated PCI ids #CFHack #CFHack2024

megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024

qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024

qla4xxx: bring back deprecated PCI ids

lpfc: bring back deprecated PCI ids

be2iscsi: bring back deprecated PCI ids

kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained

Use AlmaLinux OS secure boot cert

Debrand for AlmaLinux OS

Add KVM support for ppc64le
This commit is contained in:
Andrew Lukoshko 2026-05-18 11:13:53 +00:00 committed by root
commit ba99d2d4ea
9 changed files with 20 additions and 356 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/kernel-abi-stablelists-5.14.0-611.54.1.el9_7.tar.bz2
SOURCES/kernel-kabi-dw-5.14.0-611.54.1.el9_7.tar.bz2
SOURCES/linux-5.14.0-611.54.1.el9_7.tar.xz
SOURCES/kernel-abi-stablelists-5.14.0-611.55.1.el9_7.tar.bz2
SOURCES/kernel-kabi-dw-5.14.0-611.55.1.el9_7.tar.bz2
SOURCES/linux-5.14.0-611.55.1.el9_7.tar.xz
SOURCES/nvidiagpuoot001.x509
SOURCES/olima1.x509
SOURCES/olimaca1.x509

6
.kernel.metadata
View File

@ -1,6 +1,6 @@
55bcc86c5e6b577c0cc216b3bd58f99af6ffac61 SOURCES/kernel-abi-stablelists-5.14.0-611.54.1.el9_7.tar.bz2
72fc5587656a1267bebfb66f846c7e1b89c3431f SOURCES/kernel-kabi-dw-5.14.0-611.54.1.el9_7.tar.bz2
67307c8b124afd46c91fd6f6465ac4b670d99d8d SOURCES/linux-5.14.0-611.54.1.el9_7.tar.xz
930ba685db585740e3419b2949051decb91de9f9 SOURCES/kernel-abi-stablelists-5.14.0-611.55.1.el9_7.tar.bz2
f78145d89439e77dfa4a2209074e34f05345fb25 SOURCES/kernel-kabi-dw-5.14.0-611.55.1.el9_7.tar.bz2
d008343a381ee2c66f3a1a22f82c7ef58227cdb5 SOURCES/linux-5.14.0-611.55.1.el9_7.tar.xz
4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509

75
SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
View File

@ -1,75 +0,0 @@
From: Andrew Lukoshko <alukoshko@almalinux.org>
Subject: [PATCH AlmaLinux 9] xfrm: esp: avoid in-place decrypt on shared skb frags
Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place
decrypt on shared skb frags") for AlmaLinux 9 (5.14 kernel).
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
against kernel-5.14.0-611.54.1.el9_7.
ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages
attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags())
look like ordinary uncloned nonlinear skbs. ESP input then takes the
no-COW fast path and decrypts in place over data that is not owned
privately by the skb.
Tree adaptation:
* Upstream patches __ip_append_data() / __ip6_append_data(), the
MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb.
That feature has not been wired into UDP send paths on this tree
(no caller of skb_splice_from_iter in net/ipv{4,6}/).
* The age-equivalent producer is ip_append_page() (udp_sendpage).
Mark frags there with SKBFL_SHARED_FRAG so skb_has_shared_frag()
fires for these skbs.
* UDPv6 has no .sendpage op in this tree, so the esp6 hunk is
defense-in-depth in case a later backport adds one.
* The esp4/esp6 receiver-side hunks are taken verbatim from
upstream.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
---
net/ipv4/esp4.c | 3 ++-
net/ipv4/ip_output.c | 2 ++
net/ipv6/esp6.c | 3 ++-
3 files changed, 6 insertions(+), 2 deletions(-)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -920,7 +920,8 @@
nfrags = 1;
goto skip_cow;
- } else if (!skb_has_frag_list(skb)) {
+ } else if (!skb_has_frag_list(skb) &&
+ !skb_has_shared_frag(skb)) {
nfrags = skb_shinfo(skb)->nr_frags;
nfrags++;
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1467,6 +1467,8 @@
err = -EMSGSIZE;
goto error;
}
+ if (!(flags & MSG_NO_SHARED_FRAGS))
+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
if (skb->ip_summed == CHECKSUM_NONE) {
__wsum csum;
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -960,7 +960,8 @@
nfrags = 1;
goto skip_cow;
- } else if (!skb_has_frag_list(skb)) {
+ } else if (!skb_has_frag_list(skb) &&
+ !skb_has_shared_frag(skb)) {
nfrags = skb_shinfo(skb)->nr_frags;
nfrags++;
--
2.43.0

68
SOURCES/1101-rxrpc-linearize-paged-frags.patch
View File

@ -1,68 +0,0 @@
From: Andrew Lukoshko <alukoshko@almalinux.org>
Subject: [PATCH AlmaLinux 9] rxrpc: linearize incoming DATA packet when it has paged frags
AlmaLinux-specific backport of the intent of the upstream rxrpc fix
posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem).
The upstream patch can not be cherry-picked against this 5.14 tree:
its target lines were introduced by upstream commit d0d5c0cd1e71
("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
present here. The age-equivalent code path on AlmaLinux 9 is the
centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
every DATA packet with a non-zero securityIndex before in-place
decryption.
skb_unshare() only handles cloned skbs. An skb that is non-cloned but
carries paged fragments (skb->data_len != 0) — e.g. pages attached via
udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
rxrpc traffic — slips through and is decrypted in place over data the
skb does not own privately. With kernel-modules-partner installed
(rxrpc.ko enabled), this is exploitable.
Replace the unconditional skb_unshare() with skb_copy() whenever the
skb is cloned OR carries paged fragments. skb_copy() always returns a
freshly allocated linear skb, so subsequent in-place decryption only
touches kernel-owned memory. The original skb is consumed explicitly
(skb_unshare did this internally via consume_skb()).
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
rejects) against kernel-5.14.0-611.54.1.el9_7.
Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
---
net/rxrpc/io_thread.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
@@ -225,16 +225,18 @@
* decryption.
*/
if (sp->hdr.securityIndex != 0) {
- skb = skb_unshare(skb, GFP_ATOMIC);
- if (!skb) {
- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
- *_skb = NULL;
- return just_discard;
- }
+ if (skb_cloned(skb) || skb->data_len) {
+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+ if (!nskb) {
+ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+ return just_discard;
+ }
- if (skb != *_skb) {
rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
- *_skb = skb;
+ consume_skb(*_skb);
+ *_skb = nskb;
+ skb = nskb;
rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
sp = rxrpc_skb(skb);
}
--
2.43.0

122
SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch
View File

@ -1,122 +0,0 @@
From: Eduard Abdullin <eabdullin@almalinux.org>
Subject: [PATCH AlmaLinux 9] net: skbuff: propagate shared-frag marker through frag-transfer helpers
Backport of upstream v3 patch posted at
https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/
(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place
decrypt on shared skb frags").
Three frag-transfer helpers in net/core/skbuff.c
(__pskb_copy_fclone(), skb_try_coalesce(), skb_shift()) and the
GRO accumulator path in net/core/gro.c (skb_gro_receive()) and the
UDP GRO list helper in net/ipv4/udp_offload.c
(skb_gro_receive_list(), kept as a static helper on AlmaLinux 9)
fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags
when moving frag descriptors from source to destination. As a
result, the destination skb keeps a reference to the same
externally-owned or page-cache-backed pages while reporting
skb_has_shared_frag() as false.
The mismatch is harmful in any in-place writer that uses
skb_has_shared_frag() to decide whether shared pages must be detoured
through skb_cow_data(). ESP input is one such writer (esp4.c,
esp6.c). Combined with an nft 'dup to <local>' rule, an
nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this
lets an unprivileged user write into the page cache of a root-owned
read-only file via authencesn-ESN stray writes (CVE-2026-46300,
"Fragnesia").
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
were actually moved from the source. skb_copy() and skb_copy_expand()
share skb_copy_header() too but linearize all paged data into freshly
allocated head storage and emerge with nr_frags == 0, so
skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and
skb_gro_receive_list(). The former moves the incoming skb's frag
descriptors into the accumulator's last sub-skb via two paths plus a
"merge:" fallback that chains the whole skb onto frag_list; the
latter chains the incoming skb whole onto p's frag_list. Downstream
skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list()
reuses each sub-skb's shinfo as the nskb -- both p and lp must carry
the marker.
Tree adaptation:
* Upstream v3 places skb_gro_receive_list() in net/core/gro.c.
AlmaLinux 9 still keeps it as a static helper in
net/ipv4/udp_offload.c (it has not been promoted to a global
GRO helper in this tree). Apply the propagation hunk there
instead.
* Upstream skb_shift() uses skb_len_add() helpers (introduced in
v5.16); AlmaLinux 9 still has the open-coded
`skb->len -= shiftlen; ...` block. The insertion point (right
after both ip_summed assignments) is the same.
Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
Reported-by: William Bowling <vakzz@zellic.io>
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Eduard Abdullin <eabdullin@almalinux.org>
---
net/core/gro.c | 2 ++
net/core/skbuff.c | 6 ++++++
net/ipv4/udp_offload.c | 2 ++
3 files changed, 10 insertions(+)
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -222,10 +222,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
p->data_len += len;
p->truesize += delta_truesize;
p->len += len;
+ skb_shinfo(p)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
if (lp != p) {
lp->data_len += len;
lp->truesize += delta_truesize;
lp->len += len;
+ skb_shinfo(lp)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
}
NAPI_GRO_CB(skb)->same_flow = 1;
return 0;
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2026,6 +2026,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
skb_frag_ref(skb, i);
}
skb_shinfo(n)->nr_frags = i;
+ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
}
if (skb_has_frag_list(skb)) {
@@ -4029,6 +4030,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
tgt->ip_summed = CHECKSUM_PARTIAL;
skb->ip_summed = CHECKSUM_PARTIAL;
+ skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+
/* Yak, is it really working this way? Some helper please? */
skb->len -= shiftlen;
skb->data_len -= shiftlen;
@@ -5740,6 +5743,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
from_shinfo->frags,
from_shinfo->nr_frags * sizeof(skb_frag_t));
to_shinfo->nr_frags += from_shinfo->nr_frags;
+ if (from_shinfo->nr_frags)
+ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
if (!skb_cloned(from))
from_shinfo->nr_frags = 0;
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -487,6 +487,8 @@ static int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
p->truesize += skb->truesize;
p->len += skb->len;
+ skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+
NAPI_GRO_CB(skb)->same_flow = 1;
return 0;
--
2.43.0

55
SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch
View File

@ -1,55 +0,0 @@
From: Andrew Lukoshko <alukoshko@almalinux.org>
Subject: [PATCH AlmaLinux 9] ptrace: require CAP_SYS_PTRACE when task has no mm
kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
("ptrace: slightly saner 'get_dumpable()' logic") posted at
https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
The upstream fix adds a 'user_dumpable:1' bit to task_struct and
caches the last dumpability in exit_mm() so __ptrace_may_access()
can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
threads or already-exited user tasks). That layout change to
task_struct breaks kABI on RHEL/AlmaLinux 9 (the symtype
signature of struct task_struct is referenced by stablelist exports
such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot
import the field/exit_mm hunks as-is.
Take the minimal kABI-safe slice instead: when task->mm == NULL,
require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
the Qualys Security Advisory hole -- mm-less targets no longer pass
the dumpability check by default -- without touching task_struct or
exit.c. The only behavioural delta versus upstream is that a user
task that has already cleared its mm in exit_mm() (a dying/zombie
task) now also requires CAP_SYS_PTRACE to attach, instead of being
remembered as previously dumpable. Such targets are rarely ptraced
in practice.
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
against kernel-5.14.0-611.54.1.el9_7.
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
---
kernel/ptrace.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -349,8 +349,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
smp_rmb();
mm = task->mm;
- if (mm &&
- ((get_dumpable(mm) != SUID_DUMP_USER) &&
- !ptrace_has_cap(mm->user_ns, mode)))
- return -EPERM;
+ if (mm) {
+ if ((get_dumpable(mm) != SUID_DUMP_USER) &&
+ !ptrace_has_cap(mm->user_ns, mode))
+ return -EPERM;
+ } else if (!ptrace_has_cap(&init_user_ns, mode)) {
+ return -EPERM;
+ }
return security_ptrace_access_check(task, mode);
--
2.43.0

2
SOURCES/Makefile.rhelver
View File

@ -12,7 +12,7 @@ RHEL_MINOR = 7
#
# Use this spot to avoid future merge conflicts.
# Do not trim this comment.
RHEL_RELEASE = 611.54.1
RHEL_RELEASE = 611.55.1
#
# ZSTREAM

4
SOURCES/kernel.changelog
View File

@ -1,3 +1,7 @@
* Sat May 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.55.1.el9_7]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174561] {CVE-2026-43284}
Resolves: RHEL-174561
* Sat May 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.54.1.el9_7]
- crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201]
- crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201]

38
SPECS/kernel.spec
View File

@ -165,15 +165,15 @@ Summary: The Linux kernel
# define buildid .local
%define specversion 5.14.0
%define patchversion 5.14
%define pkgrelease 611.54.6
%define pkgrelease 611.55.1
%define kversion 5
%define tarfile_release 5.14.0-611.54.1.el9_7
%define tarfile_release 5.14.0-611.55.1.el9_7
# This is needed to do merge window version magic
%define patchlevel 14
# This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 611.54.6%{?buildid}%{?dist}
%define specrelease 611.55.1%{?buildid}%{?dist}
# This defines the kabi tarball version
%define kabiversion 5.14.0-611.54.1.el9_7
%define kabiversion 5.14.0-611.55.1.el9_7
#
# End of genspec.sh variables
@ -956,10 +956,6 @@ Patch2004: 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
Patch2005: 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
Patch2006: 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
Patch1101: 1101-rxrpc-linearize-paged-frags.patch
Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch
Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch
Patch11111: ppc64le-kvm-support.patch
@ -1704,10 +1700,6 @@ ApplyPatch 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch
ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch
# END OF PATCH APPLICATIONS
@ -3779,22 +3771,7 @@ fi
#
#
%changelog
* Fri May 15 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.6
- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe)
* Thu May 14 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.54.5
- net: skbuff: propagate shared-frag marker through frag-transfer helpers
* Wed May 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.4
- net: skbuff: propagate shared-frag marker through pskb_copy()
* Thu May 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.3
- rxrpc: linearize incoming DATA packet when it has paged frags
* Thu May 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.2
- xfrm: esp: avoid in-place decrypt on shared skb frags
* Wed May 06 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.1
* Mon May 18 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.55.1
- hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
- mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
- megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@ -3805,11 +3782,14 @@ fi
- kernel/rh_messages.h: enable all disabled pci devices by moving to
unmaintained
* Wed May 06 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.54.1
* Mon May 18 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.55.1
- Use AlmaLinux OS secure boot cert
- Debrand for AlmaLinux OS
- Add KVM support for ppc64le
* Sat May 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.55.1.el9_7]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174561] {CVE-2026-43284}
* Sat May 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.54.1.el9_7]
- crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201]
- crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201]