import OL kernel-6.12.0-55.40.1.0.1.el10_0

2025-10-21 06:55:58 +00:00 · 2025-10-21 06:55:58 +00:00 · e0cf0a68f0
commit e0cf0a68f0
parent 7137471387
9 changed files with 325 additions and 54 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,6 @@
-fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-55.39.1.el10_0.tar.xz
-kernel-kabi-dw-6.12.0-55.39.1.el10_0.tar.xz
-linux-6.12.0-55.39.1.el10_0.tar.xz
+kernel-abi-stablelists-6.12.0-55.40.1.el10_0.tar.xz
+kernel-kabi-dw-6.12.0-55.40.1.el10_0.tar.xz
+linux-6.12.0-55.40.1.el10_0.tar.xz
 nvidiagpuoot001.x509
 olima1.x509
 olimaca1.x509
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 0
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 55.39.1
+RHEL_RELEASE = 55.40.1

 #
 # RHEL_REBASE_NUM
--- a/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
+++ b/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
@ -0,0 +1,44 @@
+From b0de5456e201c475d6a860ceeb3ed8ee2923695a Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Mon, 2 Dec 2024 09:45:48 -0800
+Subject: [PATCH] nvme-pci: remove two deallocate zeroes quirks
+
+The quirk was initially used as a signal to set the discard_zeroes_data
+queue limit because there were some use cases that relied on that
+behavior. The queue limit no longer exists as every user of it has been
+converted to use the write zeroes operation instead.
+
+The quirk now means to use a discard command as an alias to a write
+zeroes request. Two of the devices previously using the quirk support
+the write zeroes command directly, so these don't need or want to use
+discard when the desired operation is to write zeroes.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+
+Orabug: 37756650
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ drivers/nvme/host/pci.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 4c644bb7f06927..9535e35ef18a56 100644
+--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
+@@ -3588,12 +3588,10 @@ static const struct pci_device_id nvme_id_table[] = {
+ 				NVME_QUIRK_DEALLOCATE_ZEROES, },
+ 	{ PCI_VDEVICE(INTEL, 0x0a54),	/* Intel P4500/P4600 */
+ 		.driver_data = NVME_QUIRK_STRIPE_SIZE |
+-				NVME_QUIRK_DEALLOCATE_ZEROES |
+ 				NVME_QUIRK_IGNORE_DEV_SUBNQN |
+ 				NVME_QUIRK_BOGUS_NID, },
+ 	{ PCI_VDEVICE(INTEL, 0x0a55),	/* Dell Express Flash P4600 */
+-		.driver_data = NVME_QUIRK_STRIPE_SIZE |
+-				NVME_QUIRK_DEALLOCATE_ZEROES, },
+		.driver_data = NVME_QUIRK_STRIPE_SIZE, },
+ 	{ PCI_VDEVICE(INTEL, 0xf1a5),	/* Intel 600P/P3100 */
+ 		.driver_data = NVME_QUIRK_NO_DEEPEST_PS |
+ 				NVME_QUIRK_MEDIUM_PRIO_SQ |
--- a/kernel.changelog
+++ b/kernel.changelog
@ -1,3 +1,83 @@
+* Sat Oct 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.40.1.el10_0]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119125] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118460] {CVE-2025-39817}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-116192]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-116192]
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110813]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110813] {CVE-2025-38571}
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114447]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114447]
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114430]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114430]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114438]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114438]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114438]
+- ipv6: reject malicious packets in ipv6_gso_segment() (CKI Backport Bot) [RHEL-113248] {CVE-2025-38572}
+- enic: fix incorrect MTU comparison in enic_change_mtu() (John Meneghini) [RHEL-108265]
+- net/enic: Allow at least 8 RQs to always be used (John Meneghini) [RHEL-108265]
+- enic: get max rq & wq entries supported by hw, 16K queues (John Meneghini) [RHEL-106602]
+- enic: cleanup of enic wq request completion path (John Meneghini) [RHEL-106602]
+- enic: added enic_wq.c and enic_wq.h (John Meneghini) [RHEL-106602]
+- enic: remove unused function cq_enet_wq_desc_dec (John Meneghini) [RHEL-106602]
+- enic: enable rq extended cq support (John Meneghini) [RHEL-106602]
+- enic: enic rq extended cq defines (John Meneghini) [RHEL-106602]
+- enic: enic rq code reorg (John Meneghini) [RHEL-106602]
+- enic: Move function from header file to c file (John Meneghini) [RHEL-106602]
+- enic: add dependency on Page Pool (John Meneghini) [RHEL-106602]
+- enic: remove copybreak tunable (John Meneghini) [RHEL-106602]
+- enic: Use the Page Pool API for RX (John Meneghini) [RHEL-106602]
+- enic: Simplify RX handler function (John Meneghini) [RHEL-106602]
+- enic: Move RX functions to their own file (John Meneghini) [RHEL-106602]
+- enic: Fix typo in comment in table indexed by link speed (John Meneghini) [RHEL-106602]
+- enic: Obtain the Link speed only after the link comes up (John Meneghini) [RHEL-106602]
+- enic: Move RX coalescing set function (John Meneghini) [RHEL-106602]
+- enic: Move kdump check into enic_adjust_resources() (John Meneghini) [RHEL-106602]
+- enic: Move enic resource adjustments to separate function (John Meneghini) [RHEL-106602]
+- enic: Adjust used MSI-X wq/rq/cq/interrupt resources in a more robust way (John Meneghini) [RHEL-106602]
+- enic: Allocate arrays in enic struct based on VIC config (John Meneghini) [RHEL-106602]
+- enic: Save resource counts we read from HW (John Meneghini) [RHEL-106602]
+- enic: Make MSI-X I/O interrupts come after the other required ones (John Meneghini) [RHEL-106602]
+- enic: Create enic_wq/rq structures to bundle per wq/rq data (John Meneghini) [RHEL-106602]
+- scsi: fnic: Fix missing DMA mapping error in fnic_send_frame() (John Meneghini) [RHEL-111542]
+- scsi: fnic: Set appropriate logging level for log message (John Meneghini) [RHEL-111542]
+- scsi: fnic: Add and improve logs in FDMI and FDMI ABTS paths (John Meneghini) [RHEL-111542]
+- scsi: fnic: Turn off FDMI ACTIVE flags on link down (John Meneghini) [RHEL-111542]
+- scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out (John Meneghini) [RHEL-111542]
+- scsi: fnic: Remove unnecessary spinlock locking and unlocking (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace fnic->lock_flags with local flags (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace use of sizeof with standard usage (John Meneghini) [RHEL-111539]
+- scsi: fnic: Fix indentation and remove unnecessary parenthesis (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary debug print (John Meneghini) [RHEL-111539]
+- scsi: fnic: Propagate SCSI error code from fnic_scsi_drv_init() (John Meneghini) [RHEL-111539]
+- scsi: fnic: Test for memory allocation failure and return error code (John Meneghini) [RHEL-111539]
+- scsi: fnic: Return appropriate error code from failure of scsi drv init (John Meneghini) [RHEL-111539]
+- scsi: fnic: Return appropriate error code for mem alloc failure (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove always-true IS_FNIC_FCP_INITIATOR macro (John Meneghini) [RHEL-111539]
+- scsi: fnic: Fix use of uninitialized value in debug message (John Meneghini) [RHEL-111539]
+- scsi: fnic: Delete incorrect debugfs error handling (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary else to fix warning in FDLS FIP (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove extern definition from .c files (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary else and unnecessary break in FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Increment driver version (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support to handle port channel RSCN (John Meneghini) [RHEL-111539]
+- scsi: fnic: Code cleanup (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add stats and related functionality (John Meneghini) [RHEL-111539]
+- scsi: fnic: Modify fnic interfaces to use FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Modify IO path to use FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add functionality in fnic to support FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add and integrate support for FIP (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add and integrate support for FDMI (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add Cisco hardware model names (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for unsolicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for target based solicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for fabric based solicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add headers and definitions for FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace shost_printk() with dev_info()/dev_err() (John Meneghini) [RHEL-111539]
+- eventpoll: Fix semi-unbounded recursion (CKI Backport Bot) [RHEL-111056] {CVE-2025-38614}
+- mm/memory-tier: fix abstract distance calculation overflow (Rafael Aquini) [RHEL-109447]
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (CKI Backport Bot) [RHEL-104737] {CVE-2025-38351}
+Resolves: RHEL-104737, RHEL-106602, RHEL-108265, RHEL-109447, RHEL-110813, RHEL-111056, RHEL-111539, RHEL-111542, RHEL-113248, RHEL-114430, RHEL-114438, RHEL-114447, RHEL-116192, RHEL-118460, RHEL-119125
+
 * Sat Oct 04 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.39.1.el10_0]
 - wifi: ath12k: Decrement TID on RX peer frag setup error handling (CKI Backport Bot) [RHEL-114712] {CVE-2025-39761}
 - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (CKI Backport Bot) [RHEL-114695] {CVE-2025-38729}
--- a/kernel.spec
+++ b/kernel.spec
@ -98,7 +98,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif

 # Signing for secure boot authentication
@ -162,15 +162,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 55.39.1
+%define pkgrelease 55.40.1
 %define kversion 6
-%define tarfile_release 6.12.0-55.39.1.el10_0
+%define tarfile_release 6.12.0-55.40.1.el10_0
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 55.39.1%{?buildid}%{?dist}
+%define specrelease 55.40.1%{?buildid}.0.1%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-55.39.1.el10_0
+%define kabiversion 6.12.0-55.40.1.el10_0

 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@ -716,6 +716,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif

+Provides: oracle(kernel-sig-key) == 202502
+Conflicts: shim-x64 < 15.8-1.0.6

 #
 # List the packages used during the kernel build
@ -875,8 +877,6 @@ BuildRequires: tpm2-tools
 %if 0%{?rhel}%{?centos} && !0%{?eln}
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
-%else
-BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif
 %endif
@ -896,42 +896,11 @@ Source10: redhatsecurebootca5.cer
 Source13: redhatsecureboot501.cer

 %if %{signkernel}
-# Name of the packaged file containing signing key
-%ifarch ppc64le
-%define signing_key_filename kernel-signing-ppc.cer
-%endif
-%ifarch s390x
-%define signing_key_filename kernel-signing-s390.cer
-%endif

-# Fedora/ELN pesign macro expects to see these cert file names, see:
-# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
-%if 0%{?fedora}%{?eln}
-%define pesign_name_0 redhatsecureboot501
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%endif
-
-# RHEL/centos certs come from system-sb-certs
-%if 0%{?rhel} && !0%{?eln}
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer

-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot501
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
-# rhel && !eln
-%endif
+%define pesign_name_0 OracleLinuxSecureBootKey3

 # signkernel
 %endif
@ -1008,7 +977,10 @@ Source102: nvidiagpuoot001.x509
 Source103: rhelimaca1.x509
 Source104: rhelima.x509
 Source105: rhelima_centos.x509
-Source106: fedoraimaca.x509
+# Oracle Linux IMA CA certificate
+Source106: olimaca1.x509
+# Oracle Linux IMA signing certificate
+Source107: olima1.x509

 %if 0%{?fedora}%{?eln}
 %define ima_ca_cert %{SOURCE106}
@ -1023,9 +995,11 @@ Source106: fedoraimaca.x509
 %define ima_signing_cert %{SOURCE105}
 %else
 %define ima_signing_cert %{SOURCE104}
+%define ima_signing_cert_ol %{SOURCE107}
 %endif

 %define ima_cert_name ima.cer
+%define ima_cert_name_ol ima_ol.cer

 Source200: check-kabi

@ -1090,6 +1064,10 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml

+# Oracle Linux RHCK Module Signing Key
+Source5001: olkmod_signing_key.pem
+Source5002: olkmod_signing_key1.pem
+
 ## Patches needed for building this package

 %if !%{nopatches}
@ -1097,6 +1075,9 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif

+# Oracle patches
+Patch1001: bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
+
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch

@ -1944,6 +1925,8 @@ ApplyOptionalPatch()
 mv linux-%{tarfile_release} linux-%{KVERREL}

 cd linux-%{KVERREL}
+#removal of git history
+rm -rf .git
 cp -a %{SOURCE1} .

 %{log_msg "Start of patch applications"}
@ -1952,6 +1935,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif

+ApplyPatch bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
 ApplyOptionalPatch linux-kernel-test.patch

 %{log_msg "End of patch applications"}
@ -2064,6 +2048,13 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
+openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
+cat olimaca1.pem >> ../certs/rhel.pem
+# Add olkmod_signing_key.pem to the kernel trusted certificates list
+cat %{SOURCE5001} >> ../certs/rhel.pem
+# Add olkmod_signing_key1.pem to the kernel trusted certificates list
+cat %{SOURCE5002} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@ -2086,7 +2077,7 @@ done
 %if 0%{?rhel}
 %{log_msg "Adjust FIPS module name for RHEL"}
 for i in *.config; do
-  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i
 done
 %endif

@ -2736,8 +2727,11 @@ BuildKernel() {
 %endif
        SBAT=$(cat <<- EOF
 	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
+	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
 	EOF
 	)

@ -2765,6 +2759,7 @@ BuildKernel() {
  python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}

 %if %{signkernel}
+%if ! %{?oraclelinux}
 	%{log_msg "Sign the EFI UKI kernel"}
 %if 0%{?fedora}%{?eln}
        %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
@ -2792,6 +2787,7 @@ BuildKernel() {
      done

 # signkernel
+%endif
 %endif

    # hmac sign the UKI for FIPS
@ -2967,7 +2963,7 @@ BuildKernel() {
    # prune junk from kernel-debuginfo
    find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete

-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    %{log_msg "Install certs"}
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
@ -2982,6 +2978,8 @@ BuildKernel() {
 %if 0%{?rhel}
    # Red Hat IMA code-signing cert, which is used to authenticate package files
    install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+    # Oracle Linux IMA signing cert
+    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif

 %if %{signmodules}
@ -4316,6 +4314,98 @@ fi\
 #
 #
 %changelog
+* Mon Oct 20 2025 Codrin Pruteanu <codrin.pruteanu@oracle.com> [6.12.0-55.40.1.0.1.el10_0.OL10]
+- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
+- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782]
+- Disable UKI signing [Orabug: 36571828]
+- Update Oracle Linux certificates (Kevin Lyons)
+- Disable signing for aarch64 (Ilya Okomin)
+- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
+- Update x509.genkey [Orabug: 24817676]
+- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
+- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
+- Add Oracle Linux IMA certificates
+- Update module name for cryptographic module [Orabug: 37400433]
+
+* Sat Oct 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.40.1.el10_0]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119125] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118460] {CVE-2025-39817}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-116192]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-116192]
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110813]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110813] {CVE-2025-38571}
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114447]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114447]
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114430]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114430]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114438]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114438]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114438]
+- ipv6: reject malicious packets in ipv6_gso_segment() (CKI Backport Bot) [RHEL-113248] {CVE-2025-38572}
+- enic: fix incorrect MTU comparison in enic_change_mtu() (John Meneghini) [RHEL-108265]
+- net/enic: Allow at least 8 RQs to always be used (John Meneghini) [RHEL-108265]
+- enic: get max rq & wq entries supported by hw, 16K queues (John Meneghini) [RHEL-106602]
+- enic: cleanup of enic wq request completion path (John Meneghini) [RHEL-106602]
+- enic: added enic_wq.c and enic_wq.h (John Meneghini) [RHEL-106602]
+- enic: remove unused function cq_enet_wq_desc_dec (John Meneghini) [RHEL-106602]
+- enic: enable rq extended cq support (John Meneghini) [RHEL-106602]
+- enic: enic rq extended cq defines (John Meneghini) [RHEL-106602]
+- enic: enic rq code reorg (John Meneghini) [RHEL-106602]
+- enic: Move function from header file to c file (John Meneghini) [RHEL-106602]
+- enic: add dependency on Page Pool (John Meneghini) [RHEL-106602]
+- enic: remove copybreak tunable (John Meneghini) [RHEL-106602]
+- enic: Use the Page Pool API for RX (John Meneghini) [RHEL-106602]
+- enic: Simplify RX handler function (John Meneghini) [RHEL-106602]
+- enic: Move RX functions to their own file (John Meneghini) [RHEL-106602]
+- enic: Fix typo in comment in table indexed by link speed (John Meneghini) [RHEL-106602]
+- enic: Obtain the Link speed only after the link comes up (John Meneghini) [RHEL-106602]
+- enic: Move RX coalescing set function (John Meneghini) [RHEL-106602]
+- enic: Move kdump check into enic_adjust_resources() (John Meneghini) [RHEL-106602]
+- enic: Move enic resource adjustments to separate function (John Meneghini) [RHEL-106602]
+- enic: Adjust used MSI-X wq/rq/cq/interrupt resources in a more robust way (John Meneghini) [RHEL-106602]
+- enic: Allocate arrays in enic struct based on VIC config (John Meneghini) [RHEL-106602]
+- enic: Save resource counts we read from HW (John Meneghini) [RHEL-106602]
+- enic: Make MSI-X I/O interrupts come after the other required ones (John Meneghini) [RHEL-106602]
+- enic: Create enic_wq/rq structures to bundle per wq/rq data (John Meneghini) [RHEL-106602]
+- scsi: fnic: Fix missing DMA mapping error in fnic_send_frame() (John Meneghini) [RHEL-111542]
+- scsi: fnic: Set appropriate logging level for log message (John Meneghini) [RHEL-111542]
+- scsi: fnic: Add and improve logs in FDMI and FDMI ABTS paths (John Meneghini) [RHEL-111542]
+- scsi: fnic: Turn off FDMI ACTIVE flags on link down (John Meneghini) [RHEL-111542]
+- scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out (John Meneghini) [RHEL-111542]
+- scsi: fnic: Remove unnecessary spinlock locking and unlocking (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace fnic->lock_flags with local flags (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace use of sizeof with standard usage (John Meneghini) [RHEL-111539]
+- scsi: fnic: Fix indentation and remove unnecessary parenthesis (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary debug print (John Meneghini) [RHEL-111539]
+- scsi: fnic: Propagate SCSI error code from fnic_scsi_drv_init() (John Meneghini) [RHEL-111539]
+- scsi: fnic: Test for memory allocation failure and return error code (John Meneghini) [RHEL-111539]
+- scsi: fnic: Return appropriate error code from failure of scsi drv init (John Meneghini) [RHEL-111539]
+- scsi: fnic: Return appropriate error code for mem alloc failure (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove always-true IS_FNIC_FCP_INITIATOR macro (John Meneghini) [RHEL-111539]
+- scsi: fnic: Fix use of uninitialized value in debug message (John Meneghini) [RHEL-111539]
+- scsi: fnic: Delete incorrect debugfs error handling (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary else to fix warning in FDLS FIP (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove extern definition from .c files (John Meneghini) [RHEL-111539]
+- scsi: fnic: Remove unnecessary else and unnecessary break in FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Increment driver version (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support to handle port channel RSCN (John Meneghini) [RHEL-111539]
+- scsi: fnic: Code cleanup (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add stats and related functionality (John Meneghini) [RHEL-111539]
+- scsi: fnic: Modify fnic interfaces to use FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Modify IO path to use FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add functionality in fnic to support FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add and integrate support for FIP (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add and integrate support for FDMI (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add Cisco hardware model names (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for unsolicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for target based solicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add support for fabric based solicited requests and responses (John Meneghini) [RHEL-111539]
+- scsi: fnic: Add headers and definitions for FDLS (John Meneghini) [RHEL-111539]
+- scsi: fnic: Replace shost_printk() with dev_info()/dev_err() (John Meneghini) [RHEL-111539]
+- eventpoll: Fix semi-unbounded recursion (CKI Backport Bot) [RHEL-111056] {CVE-2025-38614}
+- mm/memory-tier: fix abstract distance calculation overflow (Rafael Aquini) [RHEL-109447]
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (CKI Backport Bot) [RHEL-104737] {CVE-2025-38351}
+
 * Sat Oct 04 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.39.1.el10_0]
 - wifi: ath12k: Decrement TID on RX peer frag setup error handling (CKI Backport Bot) [RHEL-114712] {CVE-2025-39761}
 - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (CKI Backport Bot) [RHEL-114695] {CVE-2025-38729}
--- a/olkmod_signing_key.pem
+++ b/olkmod_signing_key.pem
@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
+bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
+U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
+YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
+jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
+4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
+WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
+73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
+umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
+37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
+Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
+R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
+3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
+TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
+y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
+kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
+-----END CERTIFICATE-----
--- a/olkmod_signing_key1.pem
+++ b/olkmod_signing_key1.pem
@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL
+BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx
+MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP
+cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET
+MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw
+MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5
+IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI
+DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ
+z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt
+c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7
+P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt
+wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi
+5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn
+tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF
+sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/
+WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8
+gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR
+52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA
+m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw
+ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K
+6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH
+PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W
+FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ
+IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C
+/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ
+QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y
+8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw
+szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6
+MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+
+68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF
+JuZ4rgQv9ghmhQ==
+-----END CERTIFICATE-----
--- a/7
+++ b/7
@ -1,7 +1,6 @@
-SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-55.39.1.el10_0.tar.xz) = d494cde20c86e6fcd6e6c5b8abba425ed463d51478afd95defef128220e7c6909723f42949841d8ce62c88cfae27bcb753f833a0701407fd0baf321186eca4e5
-SHA512 (kernel-kabi-dw-6.12.0-55.39.1.el10_0.tar.xz) = ae12a2f15f0f025f7601c44b4b0beb1176243aa32ccd96ccbcb5f56c7af18e659fae238d9b4e300a769d71de37e1794c03e19b2d3e10bc107d0f62b30af1293f
-SHA512 (linux-6.12.0-55.39.1.el10_0.tar.xz) = 833cbec0d6bd205c7677bf0da6af03c9548cb3a842697b63c0fde8fb523b9f07707bd144ae43479d399b97a21ec8b81eaf64f9ee4cea35693a66bb05d65b266b
+SHA512 (kernel-abi-stablelists-6.12.0-55.40.1.el10_0.tar.xz) = a03bdc33c7f16a9f0d2bfa12ea6c35edb6de7725c88e9c400dd7f5c85e2413562a1176839654c207e465ad2da6ef832c4b640cb54cefd761341f74c9783ccc33
+SHA512 (kernel-kabi-dw-6.12.0-55.40.1.el10_0.tar.xz) = 107670f97a77cb44b0da03db027408419da7c173e9717ac1907b1188caaa45814fc81ae247b6b45fda3bbca922dd6b4832b6410deb2b974be3ff2b3204bafba1
+SHA512 (linux-6.12.0-55.40.1.el10_0.tar.xz) = 72cc6aceae764277c46116359cc0147a07cd270156afae0c43ba2bd45c8ab1d1b0c816badcd3d28f4dbf8c32fc7d317f711abd5c6cb36dbd2aa48d10e267e088
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (olima1.x509) = 123c26c1d698cc8523845c6e1103b9c72abf855acd225d37baf1f3388a47f912166d6d786fb367fe46de39e011b586ad7f3963aa2e8923da30a6ea9ae0d76ad3
 SHA512 (olimaca1.x509) = 3a779415fad29d6f7250ec97ab1f0a5eb62c351b724feee06b22e17f065bf74a558f32cc524d3222c4485635ae5b9cd5287855c94010fe743b51a4d954340c4c
--- a/x509.genkey.rhel
+++ b/x509.genkey.rhel
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts

 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = Oracle America, Inc.,c=US
+CN = Oracle CA Server
+emailAddress = support@oracle.com

 [ myexts ]
 basicConstraints=critical,CA:FALSE