diff --git a/.gitignore b/.gitignore index 744a450..111558f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,4 @@ SOURCES/kernel-abi-whitelists-514.tar.bz2 -SOURCES/linux-3.10.0-514.6.2.el7.tar.xz +SOURCES/linux-3.10.0-514.10.2.el7.tar.xz SOURCES/rheldup3.x509 SOURCES/rhelkpatch1.x509 -SOURCES/centos-kpatch.x509 -SOURCES/centos-ldup.x509 -SOURCES/centos.cer diff --git a/.kernel.metadata b/.kernel.metadata index 0be05b0..4b734c3 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,7 +1,4 @@ 9d627e35baa56e8ffc7dc32e5d9ffa68c185e19c SOURCES/kernel-abi-whitelists-514.tar.bz2 -776c4d9e15e33449bee866484a969d4ea5937e23 SOURCES/linux-3.10.0-514.6.2.el7.tar.xz +013022519bb8d261d8623e84db3f5c447e9d4354 SOURCES/linux-3.10.0-514.10.2.el7.tar.xz 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509 -5a7d05a8298cf38d43689470e8e43230d8add0f9 SOURCES/centos-kpatch.x509 -c61172887746663d3bdd9acaa263cbfacf99e8b3 SOURCES/centos-ldup.x509 -6e9105eb51e55a46761838f289a917611cad8091 SOURCES/centos.cer diff --git a/SOURCES/Makefile.common b/SOURCES/Makefile.common index bc95299..955567a 100644 --- a/SOURCES/Makefile.common +++ b/SOURCES/Makefile.common @@ -9,7 +9,7 @@ RPMVERSION:=3.10.0 # marker is git tag which we base off of for exporting patches MARKER:=v3.10 PREBUILD:= -BUILD:=514.6.2 +BUILD:=514.10.2 DIST:=.el7 SPECFILE:=kernel.spec RPM:=$(REDHAT)/rpm diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch deleted file mode 100644 index 739855c..0000000 --- a/SOURCES/debrand-rh-i686-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/boot/main.c 2014-06-04 10:05:04.000000000 -0700 -+++ b/arch/x86/boot/main.c 2014-07-09 12:54:40.000000000 -0700 -@@ -146,7 +146,7 @@ void main(void) - - /* Make sure we have all the proper CPU support */ - if (validate_cpu()) { -- puts("This processor is unsupported in RHEL7.\n"); -+ puts("This processor is unsupported in CentOS 7.\n"); - die(); - } - diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch deleted file mode 100644 index 8ef4557..0000000 --- a/SOURCES/debrand-rh_taint.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 69c0d42cfa26515196896dea086857c2caccb6eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Thu, 19 Jun 2014 10:05:12 -0500 -Subject: [PATCH] branding patch for rh_taint - ---- - kernel/rh_taint.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/rh_taint.c b/kernel/rh_taint.c -index 59a74b0..0708e15 100644 ---- a/kernel/rh_taint.c -+++ b/kernel/rh_taint.c -@@ -8,7 +8,7 @@ - void mark_hardware_unsupported(const char *msg) - { - /* Print one single message */ -- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg); -+ pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg); - } - EXPORT_SYMBOL(mark_hardware_unsupported); - --- -1.8.3.1 - diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index 9d2e08b..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 66185f5c6f881847776702e3a7956c504400f4f2 Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Thu, 19 Jun 2014 09:53:13 -0500 -Subject: [PATCH] branding patch for single-cpu systems - ---- - arch/x86/kernel/setup.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index b289118..9d25982 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -846,7 +846,7 @@ static void rh_check_supported(void) - if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && - !x86_hyper && !cpu_has_hypervisor && !is_kdump_kernel()) { - pr_crit("Detected single cpu native boot.\n"); -- pr_crit("Important: In Red Hat Enterprise Linux 7, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); -+ pr_crit("Important: In CentOS 7, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information"); - } - - /* The RHEL7 kernel does not support this hardware. The kernel will --- -1.8.3.1 - diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index d98f8fe..b1bbe38 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = CentOS -CN = CentOS Linux kernel signing key -emailAddress = security@centos.org +O = Red Hat +CN = Red Hat Enterprise Linux kernel signing key +emailAddress = secalert@redhat.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index b0e92d1..6b5da1b 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -14,10 +14,10 @@ Summary: The Linux kernel %global distro_build 514 %define rpmversion 3.10.0 -%define pkgrelease 514.6.2.el7 +%define pkgrelease 514.10.2.el7 # allow pkg_release to have configurable %{?dist} tag -%define specrelease 514.6.2%{?dist} +%define specrelease 514.10.2%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -345,16 +345,16 @@ Source10: sign-modules Source11: x509.genkey Source12: extra_certificates %if %{?released_kernel} -Source13: centos.cer +Source13: securebootca.cer Source14: secureboot.cer %define pesign_name redhatsecureboot301 %else -Source13: centos.cer -Source14: secureboot.cer +Source13: redhatsecurebootca2.cer +Source14: redhatsecureboot003.cer %define pesign_name redhatsecureboot003 %endif -Source15: centos-ldup.x509 -Source16: centos-kpatch.x509 +Source15: rheldup3.x509 +Source16: rhelkpatch1.x509 Source18: check-kabi @@ -383,9 +383,6 @@ Source2001: cpupower.config # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch -Patch1000: debrand-single-cpu.patch -Patch1001: debrand-rh_taint.patch -Patch1002: debrand-rh-i686-cpu.patch BuildRoot: %{_tmppath}/kernel-%{KVRA}-root @@ -547,11 +544,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n kernel-abi-whitelists -Summary: The CentOS Linux kernel ABI symbol whitelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n kernel-abi-whitelists -The kABI package contains information pertaining to the CentOS +The kABI package contains information pertaining to the Red Hat Enterprise Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. @@ -694,9 +691,6 @@ cd linux-%{KVRA} cp $RPM_SOURCE_DIR/kernel-%{version}-*.config . ApplyOptionalPatch linux-kernel-test.patch -ApplyOptionalPatch debrand-single-cpu.patch -ApplyOptionalPatch debrand-rh_taint.patch -ApplyOptionalPatch debrand-rh-i686-cpu.patch # Any further pre-build tree manipulations happen here. @@ -855,7 +849,7 @@ BuildKernel() { fi # EFI SecureBoot signing, x86_64-only %ifarch x86_64 - %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE13} + %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name} mv $KernelImage.signed $KernelImage %endif $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer @@ -1550,12 +1544,68 @@ fi %kernel_variant_files %{with_kdump} kdump %changelog -* Wed Feb 22 2017 CentOS Sources - 3.10.0-514.6.2.el7 -- Apply debranding changes - -* Fri Feb 17 2017 Frantisek Hrbata [3.10.0-514.6.2.el7] +* Mon Feb 20 2017 Frantisek Hrbata [3.10.0-514.10.2.el7] - [net] dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Hannes Frederic Sowa) [1423462 1423463] +* Mon Jan 30 2017 Frantisek Hrbata [3.10.0-514.10.1.el7] +- [block] blk-mq: Fix NULL pointer updating nr_requests (David Milburn) [1416133 1384066] +- [scsi] cxlflash: Fix crash in cxlflash_restore_luntable() (Gustavo Duarte) [1415146 1400524] +- [scsi] cxlflash: Improve context_reset() logic (Gustavo Duarte) [1415146 1400524] +- [scsi] cxlflash: Avoid command room violation (Gustavo Duarte) [1415146 1400524] +- [x86] Mark Kaby Lake with Kaby Lake PCH as supported (David Arcari) [1415094 1391219] +- [scsi] be2iscsi: Add checks to validate completions (Maurizio Lombardi) [1414687 1324918] +- [scsi] be2iscsi: Fix bad WRB index error (Maurizio Lombardi) [1414687 1324918] +- [scsi] be2iscsi: Add lock to protect WRB alloc and free (Maurizio Lombardi) [1414687 1324918] +- [mm] meminit: initialise more memory for inode/dentry hash tables in early boot (Yasuaki Ishimatsu) [1413623 1404584] +- [s390] mem_detect: Revert "add DAT sanity check" (Hendrik Brueckner) [1413600 1391540] +- [cpufreq] intel_pstate: Fix code ordering in intel_pstate_set_policy() (Prarit Bhargava) [1411818 1398072] +- [scsi] cxlflash: Improve EEH recovery time (Steve Best) [1402442 1397588] +- [scsi] cxlflash: Fix to avoid EEH and host reset collisions (Steve Best) [1402442 1397588] +- [scsi] cxlflash: Remove the device cleanly in the system shutdown path (Steve Best) [1402442 1397588] +- [scsi] cxlflash: Scan host only after the port is ready for I/O (Steve Best) [1402442 1397588] +- [x86] kvm: x86: Check memopp before dereference (Mateusz Guzik) [1395805 1395806] {CVE-2016-8630} +- [vfio] pci: Fix integer overflows, bitmask check (Mateusz Guzik) [1394627 1394991 1394628 1394992] {CVE-2016-9083 CVE-2016-9084} +- [acpi] acpi / scan: use platform bus type by default for _HID enumeration (Tony Camuso) [1393727 1383505] +- [acpi] acpi / scan: introduce platform_id device PNP type flag (Tony Camuso) [1393727 1383505] +- [char] ipmi: Convert the IPMI SI ACPI handling to a platform device (Tony Camuso) [1393727 1383505] +- [acpi] acpi / ipmi: Cleanup coding styles (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Cleanup some inclusion codes (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Cleanup some initialization codes (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Cleanup several acpi_ipmi_device members (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Add reference counting for ACPI IPMI transfers (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Use global IPMI operation region handler (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI user (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Fix race caused by the timed out ACPI IPMI transfers (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI transfers (David Arcari) [1393725 1373703] +- [acpi] acpi / ipmi: Fix potential response buffer overflow (David Arcari) [1393725 1373703] + +* Sat Jan 21 2017 Frantisek Hrbata [3.10.0-514.9.1.el7] +- [drm] i915/kbl: Remove preliminary_hw_support protection from KBL. (Rob Clark) [1413092 1305702] +- [netdrv] slip: Fix deadlock in write_wakeup (Steve Best) [1412225 1403497] +- [netdrv] slip: fix spinlock variant (Steve Best) [1412225 1403497] +- [kernel] kmod: use system_unbound_wq instead of khelper (Luiz Capitulino) [1411816 1395860] +- [nvme] switch abort to blk_execute_rq_nowait (David Milburn) [1411669 1392923] +- [netdrv] ibmveth: calculate gso_segs for large packets (Gustavo Duarte) [1411382 1361958] +- [netdrv] ibmveth: set correct gso_size and gso_type (Gustavo Duarte) [1411382 1361958] +- [netdrv] allow macvlans to move to net namespace (Jarod Wilson) [1409829 1368830] +- [pci] Set Read Completion Boundary to 128 iff Root Port supports it (_HPX) (Myron Stowe) [1406290 1387674] +- [pci] Export pcie_find_root_port() (Myron Stowe) [1406290 1387674] +- [rtc] cmos: Initialize hpet timer before irq is registered (Pratyush Anand) [1404184 1299001] +- [x86] amd: Fix cpu_llc_id for AMD Fam17h systems (Suravee Suthikulpanit) [1402444 1395399] +- [powerpc] powernv: Fix stale PE primary bus (Steve Best) [1402440 1395275] +- [misc] cxl: Fix coredump generation when cxl_get_fd() is used (Gustavo Duarte) [1402439 1397943] +- [pci] cxl: use pcibios_free_controller_deferred() when removing vPHBs (Gustavo Duarte) [1402438 1395323] +- [scsi] qla2xxx: do not abort all commands in the adapter during EEH recovery (Gustavo Duarte) [1402436 1393254] +- [scsi] qla2xxx: fix invalid DMA access after command aborts in PCI device remove (Gustavo Duarte) [1402436 1393254] +- [scsi] qla2xxx: do not queue commands when unloading (Gustavo Duarte) [1402436 1393254] +- [net] packet: fix race condition in packet_set_ring (Hangbin Liu) [1401852 1401853] {CVE-2016-8655} + +* Tue Jan 17 2017 Frantisek Hrbata [3.10.0-514.8.1.el7] +- [netdrv] i40e: Fix corruption when transferring large files (Stefan Assmann) [1413101 1404060] + +* Wed Dec 21 2016 Frantisek Hrbata [3.10.0-514.7.1.el7] +- [kernel] printk: avoid livelock if another CPU printks continuously (Denys Vlasenko) [1402314 1294066] + * Sat Dec 10 2016 Frantisek Hrbata [3.10.0-514.6.1.el7] - [net] sctp: validate chunk len before actually using it (Hangbin Liu) [1399458 1399459] {CVE-2016-9555} - [net] sctp: rename WORD_TRUNC/ROUND macros (Hangbin Liu) [1399458 1399459] {CVE-2016-9555}