From 2f8b316046164cbf6b037744395bc61d2555ff75 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 25 2020 16:11:47 +0000 Subject: import kernel-4.18.0-240.el8 --- diff --git a/.gitignore b/.gitignore index ac0035d..c513408 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -SOURCES/kernel-abi-whitelists-4.18.0-236.tar.bz2 -SOURCES/kernel-kabi-dw-4.18.0-236.tar.bz2 -SOURCES/linux-4.18.0-236.el8.tar.xz +SOURCES/kernel-abi-whitelists-4.18.0-240.tar.bz2 +SOURCES/kernel-kabi-dw-4.18.0-240.tar.bz2 +SOURCES/linux-4.18.0-240.el8.tar.xz diff --git a/.kernel.metadata b/.kernel.metadata index c524a5a..8adbacd 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,3 +1,3 @@ -a2965c21b5588974df7de7457644d23afc183416 SOURCES/kernel-abi-whitelists-4.18.0-236.tar.bz2 -b607a6927b7d701fe65be84c813a64134c91c206 SOURCES/kernel-kabi-dw-4.18.0-236.tar.bz2 -92e3b9b2dfeb9d7b99011db4350d90cc6652f412 SOURCES/linux-4.18.0-236.el8.tar.xz +8d861248716a82a9ff7442c6150f5f9eccbb3243 SOURCES/kernel-abi-whitelists-4.18.0-240.tar.bz2 +59861274c73f8acc9a5c9da435ab98c09e54fac8 SOURCES/kernel-kabi-dw-4.18.0-240.tar.bz2 +e7437daa00fa8f06d91013db7a9d2d042bf93fc8 SOURCES/linux-4.18.0-240.el8.tar.xz diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centos.pem b/SOURCES/centos.pem deleted file mode 100644 index 82ad817..0000000 --- a/SOURCES/centos.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0 -MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln -bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK -PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+ -RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc -4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9 -hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp -9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB -AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN -BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6 -8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5 -ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7 -04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq -KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf -ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um -OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0 -MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl -eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P -CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl -hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+ -lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2 -F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ -yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw -DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6 -mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG -SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl -NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5 -8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM -MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs -lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0 -9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W ------END CERTIFICATE----- diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der deleted file mode 100644 index e8216b1..0000000 Binary files a/SOURCES/centossecureboot001.der and /dev/null differ diff --git a/SOURCES/centossecureboot201.der b/SOURCES/centossecureboot201.der deleted file mode 100644 index ca3c134..0000000 Binary files a/SOURCES/centossecureboot201.der and /dev/null differ diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der deleted file mode 100644 index 42bdfcf..0000000 Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index dbfe9a7..b1bbe38 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = CentOS -CN = CentOS kernel signing key -emailAddress = security@centos.org +O = Red Hat +CN = Red Hat Enterprise Linux kernel signing key +emailAddress = secalert@redhat.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 5054cce..34858ad 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -16,10 +16,10 @@ # For internal testing builds during development, it should be 0. %global released_kernel 1 -%global distro_build 236 +%global distro_build 240 # Sign the x86_64 kernel for secure boot authentication -%ifarch x86_64 aarch64 +%ifarch x86_64 aarch64 s390x ppc64le %global signkernel 1 %else %global signkernel 0 @@ -42,10 +42,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 236.el8 +%define pkgrelease 240.el8 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 236%{?dist} +%define specrelease 240%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -445,34 +445,44 @@ Source9: x509.genkey %if %{?released_kernel} -Source10: centossecurebootca2.der -Source11: centos-ca-secureboot.der -Source12: centossecureboot201.der -Source13: centossecureboot001.der +Source10: redhatsecurebootca5.cer +Source11: redhatsecurebootca3.cer +Source12: redhatsecureboot501.cer +Source13: redhatsecureboot301.cer +Source14: secureboot_s390.cer +Source15: secureboot_ppc.cer %define secureboot_ca_0 %{SOURCE11} %define secureboot_ca_1 %{SOURCE10} %ifarch x86_64 aarch64 %define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 centossecureboot001 +%define pesign_name_0 redhatsecureboot301 %define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 centossecureboot201 +%define pesign_name_1 redhatsecureboot501 +%endif +%ifarch s390x +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot302 +%endif +%ifarch ppc64le +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot303 %endif # released_kernel %else -Source11: centossecurebootca2.der -Source12: centos-ca-secureboot.der -Source13: centossecureboot201.der -Source14: centossecureboot001.der +Source11: redhatsecurebootca4.cer +Source12: redhatsecurebootca2.cer +Source13: redhatsecureboot401.cer +Source14: redhatsecureboot003.cer %define secureboot_ca_0 %{SOURCE12} %define secureboot_ca_1 %{SOURCE11} %define secureboot_key_0 %{SOURCE14} -%define pesign_name_0 centossecureboot001 +%define pesign_name_0 redhatsecureboot003 %define secureboot_key_1 %{SOURCE13} -%define pesign_name_1 centossecureboot201 +%define pesign_name_1 redhatsecureboot401 # released_kernel %endif @@ -529,8 +539,6 @@ Source400: mod-kvm.list Source2000: cpupower.service Source2001: cpupower.config -Source9000: centos.pem - ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches @@ -541,8 +549,8 @@ Patch999999: linux-kernel-test.patch BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for CentOS. -It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for Red Hat Enterprise +Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -550,7 +558,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in CentOS, enhancements for +updates for supported hardware in Red Hat Enterprise Linux, enhancements for enterprise customers, etc. # @@ -791,12 +799,12 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-whitelists -Summary: The CentOS kernel ABI symbol whitelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n %{name}-abi-whitelists -The kABI package contains information pertaining to the CentOS -kernel ABI, including lists of kernel symbols that are needed by +The kABI package contains information pertaining to the Red Hat Enterprise +Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. %if %{with_kabidw_base} @@ -805,8 +813,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the CentOS -kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the Red Hat Enterprise +Linux kernel, suitable for the kabi-dw tool. %endif # @@ -878,7 +886,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for CentOS internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ %{nil} # @@ -1076,7 +1084,6 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c -cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} @@ -2560,6 +2567,39 @@ fi # # %changelog +* Wed Sep 23 2020 Frantisek Hrbata [4.18.0-240.el8] +- [include] block: allow for_each_bvec to support zero len bvec (Ming Lei) [1872032] +- [nvme] nvme-pci: disable the write zeros command for Intel 600P/P3100 (David Milburn) [1875391] + +* Sat Sep 19 2020 Frantisek Hrbata [4.18.0-239.el8] +- [init] init/Kconfig: disable io_uring (Jeff Moyer) [1879754] +- [block] blk-mq: always allow reserved allocation in hctx_may_queue (Ming Lei) [1740874] +- [nvme] nvme-rdma: Avoid double freeing of async event data (Gopal Tiwari) [1878140] +- [kernel] printk: queue wake_up_klogd irq_work only if per-CPU areas are ready (Igor Mammedov) [1867022] + +* Thu Sep 17 2020 Frantisek Hrbata [4.18.0-238.el8] +- [firmware] efi: don't reserve MOK config table memory region (Kairui Song) [1878584] +- [fs] xfs: fix boundary test in xfs_attr_shortform_verify (Eric Sandeen) [1875316] {CVE-2020-14385} +- [powerpc] powerpc/pseries: Do not initiate shutdown when system is running on UPS (Diego Domingos) [1870477] + +* Tue Sep 15 2020 Frantisek Hrbata [4.18.0-237.el8] +- [fs] nfsd: avoid a NULL dereference in __cld_pipe_upcall() (Scott Mayhew) [1847225] +- [net] packet: fix overflow in tpacket_rcv (Hangbin Liu) [1876224] {CVE-2020-14386} +- [net] packet: make tp_drops atomic (Hangbin Liu) [1876224] {CVE-2020-14386} +- [net] espintcp: restore IP CB before handing the packet to xfrm (Sabrina Dubroca) [1868201] +- [fs] Revert "NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE" (Benjamin Coddington) [1865978] +- [fs] Revert "NFSv4.x recover from pre-mature loss of openstateid" (Benjamin Coddington) [1865978] +- [infiniband] RDMA/mlx4: Read pkey table length instead of hardcoded value (Alaa Hleihel) [1853564] +- [net] net/smc: set rx_off for SMCR explicitly (Philipp Rudo) [1875833] +- [drm] drm/i915: Auto detect DPCD backlight support by default (Lyude Paul) [1872381] +- [drm] drm/i915: Fix DPCD register order in intel_dp_aux_enable_backlight() (Lyude Paul) [1872381] +- [drm] drm/i915: Assume 100 brightness when not in DPCD control mode (Lyude Paul) [1872381] +- [drm] drm/i915: Fix eDP DPCD aux max backlight calculations (Lyude Paul) [1872381] +- [kernel] tracing: Define MCOUNT_INSN_SIZE when not defined without direct calls (Jiri Olsa) [1857599] +- [kernel] ftrace: Fix function_graph tracer interaction with BPF trampoline (Jiri Olsa) [1857599] +- [x86] x86/function_graph: Simplify with function_graph_enter() (Jiri Olsa) [1857599] +- [kernel] function_graph: Create function_graph_enter() to consolidate architecture code (Jiri Olsa) [1857599] + * Wed Sep 09 2020 Frantisek Hrbata [4.18.0-236.el8] - [crypto] pefile: Support multiple signatures in verify_pefile_signature (Lenny Szubowicz) [1862072] - [security] integrity: Load certs from the EFI MOK config table (Lenny Szubowicz) [1868306]