From e548b7349e6ea1d3441b17b81c38372aa7bb1c65 Mon Sep 17 00:00:00 2001 From: Patrick Talbert Date: Wed, 22 Oct 2025 09:08:45 -0400 Subject: [PATCH] kernel-5.14.0-628.el9 * Wed Oct 22 2025 Patrick Talbert [5.14.0-628.el9] - s390/qeth: Make hw_trap sysfs attribute idempotent (Mete Durlu) [RHEL-99997] - scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119116] {CVE-2025-39841} - cgroup/cpuset: Remove the unnecessary css_get/put() in cpuset_partition_write() (Waiman Long) [RHEL-107751] - cgroup/cpuset: Fix a partition error with CPU hotplug (Waiman Long) [RHEL-107751] - cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (Waiman Long) [RHEL-107751] - cgroup/cpuset: drop useless cpumask_empty() in compute_effective_exclusive_cpumask() (Waiman Long) [RHEL-107751] - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (Waiman Long) [RHEL-107751] - cgroup/cpuset: Fix obsolete comment in cpuset_css_offline() (Waiman Long) [RHEL-107751] - cgroup/cpuset: Always use cpu_active_mask (Waiman Long) [RHEL-107751] - cgroup/cpuset: Remove unneeded goto in sched_partition_write() and rename it (Waiman Long) [RHEL-107751] - cgroup/cpuset: Don't allow creation of local partition over a remote one (Waiman Long) [RHEL-107751] - cgroup/cpuset: remove kernfs active break (Waiman Long) [RHEL-107751] - cgroup/cpuset: Remove stale text (Waiman Long) [RHEL-107751] - cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing (Waiman Long) [RHEL-107751] - cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set (Waiman Long) [RHEL-107751] - do_io_accounting: use sig->stats_lock (Waiman Long) [RHEL-105165] - do_io_accounting: use __for_each_thread() (Waiman Long) [RHEL-105165] - procfs: block chmod on /proc/thread-self/comm (Waiman Long) [RHEL-105165] Resolves: RHEL-105165, RHEL-107751, RHEL-119116, RHEL-99997 
Signed-off-by: Patrick Talbert --- Makefile.rhelver | 2 +- kernel.changelog | 25 ++++++++++++++++++++++++ kernel.spec | 42 +++++++++++++++++++++++++++++++++------- redhatsecureboot504.cer | Bin 0 -> 964 bytes sources | 6 +++--- 5 files changed, 64 insertions(+), 11 deletions(-) create mode 100644 redhatsecureboot504.cer diff --git a/Makefile.rhelver b/Makefile.rhelver index c65665116..aa1461a54 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 8 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 627 +RHEL_RELEASE = 628 # # ZSTREAM diff --git a/kernel.changelog b/kernel.changelog index dbe4b8a3d..7af23ced2 100644 --- a/kernel.changelog +++ b/kernel.changelog 
@@ -1,3 +1,24 @@ +* Wed Oct 22 2025 Patrick Talbert [5.14.0-628.el9] +- s390/qeth: Make hw_trap sysfs attribute idempotent (Mete Durlu) [RHEL-99997] +- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119116] {CVE-2025-39841} +- cgroup/cpuset: Remove the unnecessary css_get/put() in cpuset_partition_write() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Fix a partition error with CPU hotplug (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (Waiman Long) [RHEL-107751] +- cgroup/cpuset: drop useless cpumask_empty() in compute_effective_exclusive_cpumask() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Fix obsolete comment in cpuset_css_offline() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Always use cpu_active_mask (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Remove unneeded goto in sched_partition_write() and rename it (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Don't allow creation of local partition over a remote one (Waiman Long) [RHEL-107751] +- cgroup/cpuset: remove kernfs active break (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Remove stale text (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set (Waiman Long) [RHEL-107751] +- do_io_accounting: use sig->stats_lock (Waiman Long) [RHEL-105165] +- do_io_accounting: use __for_each_thread() (Waiman Long) [RHEL-105165] +- procfs: block chmod on /proc/thread-self/comm (Waiman Long) [RHEL-105165] +Resolves: RHEL-105165, RHEL-107751, RHEL-119116, RHEL-99997 + * Tue Oct 21 2025 CKI KWF Bot [5.14.0-627.el9] - pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122069] {CVE-2023-53331} - NFSv4: handle ERR_GRACE on delegation 
recalls (Scott Mayhew) [RHEL-115855] @@ -1287,6 +1308,10 @@ Resolves: RHEL-102691, RHEL-105063, RHEL-107194, RHEL-110206, RHEL-110235, RHEL- - soc/tegra: pmc: Add SD wake event for Tegra234 (Marcin Juszkiewicz) [RHEL-26405] Resolves: RHEL-102713, RHEL-104119, RHEL-104667, RHEL-105598, RHEL-105605, RHEL-26405, RHEL-26426, RHEL-95631 +* Fri Oct 17 2025 Augusto Caringi [5.14.0-611.5.1.el9_7] +- redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230] +Resolves: RHEL-122230 + * Wed Oct 08 2025 Augusto Caringi [5.14.0-611.4.1.el9_7] - drm/amdgpu: Include sdma_4_4_4.bin (Peter Colberg) [RHEL-117568] - redhat: use new x86/aarch64 signing key (801/804) (Augusto Caringi) [RHEL-116727] diff --git a/kernel.spec b/kernel.spec index f20aa567e..3cc069492 100644 --- a/kernel.spec +++ b/kernel.spec @@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 627 +%define pkgrelease 628 %define kversion 5 -%define tarfile_release 5.14.0-627.el9 +%define tarfile_release 5.14.0-628.el9 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 627%{?buildid}%{?dist} +%define specrelease 628%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-627.el9 +%define kabiversion 5.14.0-628.el9 # # End of genspec.sh variables @@ -902,6 +902,9 @@ Source150: dracut-virt.conf Source151: uki_create_addons.py Source152: uki_addons.json +# Temporary use redhatsecureboot504 for x86 UKI, see RHEL-122230 +Source153: redhatsecureboot504.cer + Source200: check-kabi Source201: Module.kabi_aarch64 
@@ -2417,10 +2420,12 @@ BuildKernel() { %if 0%{?centos} UKI_secureboot_name=centossecureboot204 -%else - UKI_secureboot_name=redhatsecureboot804 -%endif UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer +%else + # RHEL only builds UKI for x86 + UKI_secureboot_name=redhatsecureboot504 + UKI_secureboot_cert=%{SOURCE153} +%endif %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name if [ ! -s $KernelUnifiedImage.signed ]; then @@ -2435,6 +2440,9 @@ BuildKernel() { mv $addon.signed $addon done + mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer + cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer + # signkernel %endif 
@@ -3684,6 +3692,26 @@ fi # # %changelog +* Wed Oct 22 2025 Patrick Talbert [5.14.0-628.el9] +- s390/qeth: Make hw_trap sysfs attribute idempotent (Mete Durlu) [RHEL-99997] +- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119116] {CVE-2025-39841} +- cgroup/cpuset: Remove the unnecessary css_get/put() in cpuset_partition_write() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Fix a partition error with CPU hotplug (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (Waiman Long) [RHEL-107751] +- cgroup/cpuset: drop useless cpumask_empty() in compute_effective_exclusive_cpumask() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Fix obsolete comment in cpuset_css_offline() (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Always use cpu_active_mask (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Remove unneeded goto in sched_partition_write() and rename it (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Don't allow creation of local partition over a remote one (Waiman Long) [RHEL-107751] +- cgroup/cpuset: remove kernfs active break (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Remove stale text (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing (Waiman Long) [RHEL-107751] +- cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set (Waiman Long) [RHEL-107751] +- do_io_accounting: use sig->stats_lock (Waiman Long) [RHEL-105165] +- do_io_accounting: use __for_each_thread() (Waiman Long) [RHEL-105165] +- procfs: block chmod on /proc/thread-self/comm (Waiman Long) [RHEL-105165] + * Tue Oct 21 2025 CKI KWF Bot [5.14.0-627.el9] - pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122069] {CVE-2023-53331} - NFSv4: handle ERR_GRACE on delegation recalls (Scott Mayhew) [RHEL-115855] 
diff --git a/redhatsecureboot504.cer b/redhatsecureboot504.cer new file mode 100644 index 0000000000000000000000000000000000000000..dfeccf644b3c147c6a91fd4170f759ffb7d86405 GIT binary patch literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^zlf;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1mFf%qVG%+?cFpd)EHMTG?G&F~D4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&A<7+1j7rFUXJlnyZerwTFlb`rVrpV!WLP~x_4{UV ziHj2t{mNWpaJJ`$YsGSYgB_m?HpM7apRLo6sZM|MF=GA&WAVP%dp2#Wi#l}ibk38_ zHrlTk^orEV5AX?u{?kkBxjmn)zVL}s(;MGg+C?XpABuk+d@1yMAj8)Vd&PGL*}pXJ ztbYAC?W>pmmIJIBSB{#_TNJQ#>w}PI%Y!6-+gg-Oz4Bz+17A+jC>FidjB znyS>!#LURRxVXZg%zy_N>axO&jQ?4f3>XafKs{X#8(CJc?`JNIJDUq zSy|bcnGIw?;(RP(EFzzJAIGIV$eZ`4aFwNa-?{JWnz}N;X-QU@MZ!R=LF7#S(&ri( zyFC3S&)%ECJ<+9X*8G0txB;e1VB9b=tbEN^wtpqN?IY)@4O1R^MCcx!B)TAGJ>zBX zAO7j##@Ba#*R(z+@68tTM{||x+oaQZA974ShFAz*Ox{{^;ixF5sj~R24;J5BTng*1 zH!%h=WlQa!%yWwU*G6W;4g1e|`p7g%n*}N;FdUi8J%7?f-2(QEwYgpI_D?b~-n1zx zb<*k&MrJ;@_PmpyIq%j2wZx@{nYs* zt-3;LGi&Z<(WJHMW?3HuAH2|Lb-vtMIpMNH|B=EeGE*9i+FIHA9o
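Review bot: In the kernel.spec hunk at @@ -2417, the new %else branch hard-codes the x86 values (UKI_secureboot_name=redhatsecureboot504, UKI_secureboot_cert=%{SOURCE153}) and relies only on the comment "RHEL only builds UKI for x86" to keep them off other architectures. Nothing in the visible lines enforces that, so a later change that enables the UKI on another architecture would pick up the x86 name and certificate without a build error. Consider wrapping the branch in an explicit architecture conditional that fails the build elsewhere. Since the Source153 comment calls this temporary, also state what condition ends it, so the switch back to redhatsecureboot804 is not forgotten.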
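Review bot: In the kernel.spec hunk at @@ -2435, the added cp -a passes $UKI_secureboot_cert and the $RPM_BUILD_ROOT destination unquoted and preserves the source's mode, and a symlink stays a symlink. In the CentOS branch the source is a path under %{_datadir}/pki/sb-certs on the build host, so whatever that path is gets copied as-is into the package. Using install -m 0644 with quoted arguments (or cp -L) would pin both the content and the mode of the shipped certificate. No %files change is visible in this patch, so please confirm an existing entry already covers %{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer.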
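Review bot: The %changelog hunk at @@ -3684 lists only the 628 kernel fixes, although this commit also changes which certificate and key name sign the RHEL UKI. The only record of that is the 5.14.0-611.5.1.el9_7 entry added to kernel.changelog at @@ -1287 (RHEL-122230), and the Resolves line for 628 does not include RHEL-122230. Please add a line for the UKI signing revert to the 628 entry, or say in the commit message that it is carried over from the el9_7 branch, so that someone auditing signing changes can find it from this release's changelog.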
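Review bot: redhatsecureboot504.cer is added as a 964-byte binary literal, which cannot be inspected from the diff, and it becomes the -c argument to %pesign for RHEL UKI builds. Please record the certificate's subject and SHA-256 fingerprint in the commit message or next to the Source153 comment, so the checked-in file can be compared with the certificate the signing infrastructure holds under the name redhatsecureboot504.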