diff --git a/SOURCES/rhbz1873492.patch b/SOURCES/rhbz1873492.patch
new file mode 100644
index 0000000..f843fbf
--- /dev/null
+++ b/SOURCES/rhbz1873492.patch
@@ -0,0 +1,108 @@
+commit ea5f10ba55fce68d1ed614ca33afdb38816f0830
+Author: Frank Ch. Eigler <fche@redhat.com>
+Date:   Mon Nov 16 18:54:11 2020 -0500
+
+    PR26665: mokutil output parsing tweaks
+    
+    We encountered secureboot keys in the wild that didn't live up
+    to the expectations of the current little state machine.  Tweaked
+    regexps to accept Issuer: O= as well as Issuer: CN= lines.  With
+    more verbosity, produces output on parsing process.
+
+diff --git a/session.cxx b/session.cxx
+index b5a8044..0437ca4 100644
+--- a/session.cxx
++++ b/session.cxx
+@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info()
+       // PR26665: but only Systemtap MOK keys; there may be others.
+       getline(out, line);
+ 
++      if (verbose > 3)
++        clog << "MOK parse state: " << state << " line: " << line << endl;
++      
+       if (state == "SHA1") { // look for a new key fingerprint
+ 	if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches))
+ 	  {
+@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info()
+ 	  }
+ 	// else stay in SHA1 state
+       } else if (state == "Issuer") { // validate issuer
+-	if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) {
++	if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) {
+ 	  if (verbose > 2)
+ 	    clog << "Issuer found: " << matches[1] << endl;
+-	  if (! regexp_match(matches[1], "Systemtap", matches))
++	  if (! regexp_match(matches[1], "Systemtap", matches)) {
++            if (verbose > 2)
++              clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl;
+ 	    mok_fingerprints.push_back(fingerprint);
++          }
+ 	  state = "SHA1"; // start looking for another key
+ 	}
+       } else { // some other line in mokutil output ... there are plenty
+commit 532eb9a1502026300a7f0b4bd287499101dd5803
+Author: Frank Ch. Eigler <fche@redhat.com>
+Date:   Tue Nov 17 16:34:59 2020 -0500
+
+    PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger
+    
+    A different older kernel API needs to be probed for rhel8 era detection
+    of lockdown in effect.  Added an (undocumented) $SYSTEMTAP_NOSIGN env
+    var to override automatic --use-server on lockdown, so that one can
+    inspect runtime/autoconf* operation locally, without stap-server.
+
+diff --git a/buildrun.cxx b/buildrun.cxx
+index 9b4066d..9c8e648 100644
+--- a/buildrun.cxx
++++ b/buildrun.cxx
+@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s)
+   output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c",
+ 		  "STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL);
+   output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL);
++  output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL);
+   
+   // used by runtime/linux/netfilter.c
+   output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK");
+diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c
+new file mode 100644
+index 0000000..90c2414
+--- /dev/null
++++ b/runtime/linux/autoconf-lockdown-kernel.c
+@@ -0,0 +1,5 @@
++#include <linux/kernel.h>
++
++int foo(void) {
++  return kernel_is_locked_down("something");
++}
+diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
+index bb4a98b..5795533 100644
+--- a/runtime/transport/transport.c
++++ b/runtime/transport/transport.c
+@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name)
+ 		dbug_trans(1, "choosing procfs_p=1\n");
+         }
+ #endif
++#ifdef STAPCONF_LOCKDOWN_KERNEL
++        if (!debugfs_p && kernel_is_locked_down ("debugfs")) {
++                procfs_p = 1;
++		dbug_trans(1, "choosing procfs_p=1\n");
++        }
++#endif
+         if (!procfs_p) {
+                 debugfs_p = 1;
+ 		dbug_trans(1, "choosing debugfs_p=1\n");
+diff --git a/session.cxx b/session.cxx
+index 0437ca4..36a4053 100644
+--- a/session.cxx
++++ b/session.cxx
+@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed()
+ 
+   if (getenv("SYSTEMTAP_SIGN"))
+     return true;
+-
++  if (getenv("SYSTEMTAP_NOSIGN"))
++    return false;
++  
+   statm >> status;
+   if (status == 'Y')
+     return true;
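Review bot: In the get_mok_info() hunk of session.cxx, the widened pattern `"^[ \t]*Issuer: [A-Z]*=(.*)$"` still rejects an Issuer line whose first attribute name is not all upper-case (and accepts an empty name). As far as the hunk shows, a rejected line leaves `state` at "Issuer", so the pending `fingerprint` is then judged against whichever Issuer line matches next, possibly one that belongs to a different key. Matching any attribute name, for example `"^[ \t]*Issuer: [^=]+=(.*)$"`, would close that gap, and resetting to the "SHA1" state when a new fingerprint line arrives would make the desync impossible. The capture also takes the whole remainder of the DN and the following test is an unanchored search for `Systemtap`, so any attribute containing that word classifies the key; a comment stating that this is deliberate would help. Separately, in modules_must_be_signed() `getenv("SYSTEMTAP_NOSIGN")` is a presence test placed before the status read, so even an empty value disables the check (only SYSTEMTAP_SIGN takes precedence), and it deserves a comment such as `// undocumented debugging override: skip the automatic --use-server`; both function bodies continue outside the hunks.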
diff --git a/SOURCES/rhbz1898288.patch b/SOURCES/rhbz1898288.patch
new file mode 100644
index 0000000..c3f1653
--- /dev/null
+++ b/SOURCES/rhbz1898288.patch
@@ -0,0 +1,63 @@
+commit 34e62f15da5adf06361ac66489936d0ffa1cc430
+Author: Frank Ch. Eigler <fche@redhat.com>
+Date:   Tue Nov 10 22:13:53 2020 -0500
+
+    RHBZ1892179: handle exhausted stp_task_work structs
+    
+    In utrace_report_syscall_entry and _exit, there is a possibility of
+    dereferencing a NULL pointer, in case __stp_utrace_alloc_task_work
+    exhausts UTRACE_TASK_WORK_POOL_SIZE live elements.  While OOM is
+    still a possibility, this patch handles it more gracefully.
+
+diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c
+index 47355de..e2880f1 100644
+--- a/runtime/stp_utrace.c
++++ b/runtime/stp_utrace.c
+@@ -2337,11 +2337,11 @@ static void utrace_report_syscall_entry(void *cb_data __attribute__ ((unused)),
+ 
+ 	/* Defer the report_syscall_entry work so it doesn't happen in atomic context: */
+ 	work = __stp_utrace_alloc_task_work(utrace, NULL);
+-	__stp_utrace_save_regs(work, regs);
+ 	if (work == NULL) {
+ 		_stp_error("Unable to allocate space for task_work");
+ 		return;
+ 	}
++	__stp_utrace_save_regs(work, regs);
+ 	stp_init_task_work(work, &utrace_syscall_entry_work);
+ 	rc = stp_task_work_add(task, work);
+ 	// stp_task_work_add() returns -ESRCH if the task has already
+@@ -2444,11 +2444,11 @@ static void utrace_report_syscall_exit(void *cb_data __attribute__ ((unused)),
+ 
+ 	/* Defer the report_syscall_exit work so it doesn't happen in atomic context: */
+ 	work = __stp_utrace_alloc_task_work(utrace, NULL);
+-	__stp_utrace_save_regs(work, regs);
+ 	if (work == NULL) {
+ 		_stp_error("Unable to allocate space for task_work");
+ 		return;
+ 	}
++	__stp_utrace_save_regs(work, regs);
+ 	stp_init_task_work(work, &utrace_syscall_exit_work);
+ 	rc = stp_task_work_add(task, work);
+ 	// stp_task_work_add() returns -ESRCH if the task has already
+
+commit 83cb271b390a1b36abd4c3aa69f89c466e99e253
+Author: Frank Ch. Eigler <fche@redhat.com>
+Date:   Fri Nov 13 12:36:07 2020 -0500
+
+    RHBZ1892179: double default UTRACE_TASK_WORKPOOL
+    
+    Some workloads were observed to exhaust the previous limit of 288.
+
+diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c
+index 46ba489..6022267 100644
+--- a/runtime/stp_utrace.c
++++ b/runtime/stp_utrace.c
+@@ -141,7 +141,7 @@ struct __stp_utrace_task_work { /* NB: about 216 bytes, 18 per page: */
+    TODO: UTRACE_TASK_WORK_POOL_SIZE can be specified on the Systemtap
+    command line. Experiment to find the best default value. */
+ #ifndef UTRACE_TASK_WORK_POOL_SIZE
+-#define UTRACE_TASK_WORK_POOL_SIZE 288
++#define UTRACE_TASK_WORK_POOL_SIZE 576
+ #endif
+ static DECLARE_BITMAP(__stp_utrace_task_work_pool_bitmap, UTRACE_TASK_WORK_POOL_SIZE);
+ static struct __stp_utrace_task_work __stp_utrace_task_work_pool[UTRACE_TASK_WORK_POOL_SIZE];
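Review bot: With the NULL check now ahead of `__stp_utrace_save_regs(work, regs)` in utrace_report_syscall_entry and utrace_report_syscall_exit, pool exhaustion makes both functions `return` without queuing the task work, so that syscall report is dropped, and nothing at the return says so. A short comment there, such as `/* pool exhausted: this report is dropped; see UTRACE_TASK_WORK_POOL_SIZE */`, would make the trade-off visible to the next reader. Any other caller of `__stp_utrace_alloc_task_work` lies outside these hunks and should be checked for the same use-before-check ordering. The new default of 576 is justified only in the commit message; by the existing comment's own figure of 18 structs per page it is about 32 pages of static pool, which is worth recording next to the `#define`. Both function bodies start and end outside the hunks shown.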
diff --git a/SPECS/systemtap.spec b/SPECS/systemtap.spec
index 9719efa..f010abb 100644
--- a/SPECS/systemtap.spec
+++ b/SPECS/systemtap.spec
@@ -89,7 +89,7 @@
 
 Name: systemtap
 Version: 4.4
-Release: 1%{?release_override}%{?dist}
+Release: 3%{?release_override}%{?dist}
 # for version, see also configure.ac
 
 
@@ -125,6 +125,9 @@ License: GPLv2+
 URL: http://sourceware.org/systemtap/
 Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz
 
+Patch1: rhbz1873492.patch
+Patch2: rhbz1898288.patch
+
 # Build*
 BuildRequires: gcc-c++
 BuildRequires: cpio
@@ -510,6 +513,8 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 
 %build
 
@@ -1229,6 +1234,13 @@ done
 
 # PRERELEASE
 %changelog
+* Tue Nov 17 2020 Frank Ch. Eigler <fche@redhat.com> - 4.4-3
+- rhbz1873492 related: rhel8 kernel_is_locked_down detection
+
+* Mon Nov 16 2020 Frank Ch. Eigler <fche@redhat.com> - 4.4-2
+- rhbz1898288: stability for exhausted UTRACE_TASK_WORK_POOL
+- rhbz1873492 related: mokutil parser robustness for RH keys
+
 * Mon Nov 09 2020 Frank Ch. Eigler <fche@redhat.com> - 4.4-1
 - Upstream release.