From 2e1dcd0987ea77e287dc7e80b74f77f773e095bd Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Mon, 7 Jul 2025 10:11:39 +0800
Subject: [PATCH 1/2] [CVE]update to kernel-4.18.0-553.58.1 to #ICIOKA update to kernel-4.18.0-553.58.1 for CVE-2022-48919
Project: TC2024080204
Signed-off-by: Jacob Wang
---
 download | 4 +-
 kernel.spec | 72 +++++++++++++++++--
 ...es-causes-kernel-compilation-to-fail.patch | 11 ---
 3 files changed, 67 insertions(+), 20 deletions(-)
 delete mode 100644 repair-dwarves-causes-kernel-compilation-to-fail.patch
diff --git a/download b/download
index 91f0d9b..c16e94e 100644
--- a/download
+++ b/download
@@ -1,3 +1,3 @@
-c621e2183d07ae5632a37aaecf9eaf6f kernel-abi-stablelists-4.18.0-553.tar.bz2
+1ac43c54b7753109d797ddd0db655bde kernel-abi-stablelists-4.18.0-553.tar.bz2
 dacb6c59855053065f7f64fcfb9aa828 kernel-kabi-dw-4.18.0-553.tar.bz2
-5a4766ba157cdd7f10454d5de6988a63 linux-4.18.0-553.54.1.el8_10.tar.xz
+fa039f9a4a98f6caced87d9f0fac8906 linux-4.18.0-553.58.1.el8_10.tar.xz
diff --git a/kernel.spec b/kernel.spec
index 0a1f2d4..f663808 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1,6 +1,5 @@
 # We have to override the new %%install behavior because, well... the kernel is special.
 %global __spec_install_pre %{___build_pre}
-%define anolis_release .0.1
 # At the time of this writing (2019-03), RHEL8 packages use w2.xzdio
 # compression for rpms (xz, level 2).
@@ -39,10 +38,10 @@
 # define buildid .local
 %define specversion 4.18.0
-%define pkgrelease 553.54.1.el8_10
+%define pkgrelease 553.58.1.el8_10
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.54.1%{anolis_release}%{?dist}
+%define specrelease 553.58.1%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -545,7 +544,6 @@ Source4001: rpminspect.yaml
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
-Patch1000: repair-dwarves-causes-kernel-compilation-to-fail.patch
 # END OF PATCH DEFINITIONS
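Review bot: In the `download` hunk the digest recorded for `kernel-abi-stablelists-4.18.0-553.tar.bz2` changes while the file name stays the same, so one name now maps to different bytes and nothing in the commit message says why the tarball was re-spun. The 32-hex-digit values look like MD5, which does not resist deliberate collisions; if the fetch tooling accepts a stronger digest, record SHA-256 or better for all three tarballs. The commit description should also say where the new stablelists and `linux-4.18.0-553.58.1.el8_10.tar.xz` tarballs came from, so the digests can be checked against the upstream source package.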
@@ -1103,7 +1101,6 @@ mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
 cd linux-%{KVERREL}
 ApplyOptionalPatch linux-kernel-test.patch
-%patch1000 -p0 -b .repair-dwarves-causes-kernel-compilation-to-fail
 # END OF PATCH APPLICATIONS
@@ -2699,8 +2696,69 @@ fi
 #
 #
 %changelog
-* Tue Jun 03 2025 Xiaoping Liu - 4.18.0-553.54.1.0.1
-- kernel:repair dwarves causes kernel compilation to fail
+* Thu Jun 12 2025 Denys Vlasenko [4.18.0-553.58.1.el8_10]
+- ndisc: use RCU protection in ndisc_alloc_skb() (Xin Long) [RHEL-89535] {CVE-2025-21764}
+- ipv6: use RCU protection in ip6_default_advmss() (Xin Long) [RHEL-89535] {CVE-2025-21765}
+- net: add dev_net_rcu() helper (Xin Long) [RHEL-89535] {CVE-2025-21765}
+- net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() (Xin Long) [RHEL-89535]
+- idpf: check error for register_netdev() on init (Michal Schmidt) [RHEL-71182] {CVE-2025-22116}
+- idpf: avoid mailbox timeout delays during reset (Michal Schmidt) [RHEL-71182]
+- idpf: fix a race in txq wakeup (Michal Schmidt) [RHEL-71182]
+- idpf: fix idpf_vport_splitq_napi_poll() (Michal Schmidt) [RHEL-71182]
+- idpf: fix null-ptr-deref in idpf_features_check (Michal Schmidt) [RHEL-71182]
+- idpf: protect shutdown from reset (Michal Schmidt) [RHEL-71182]
+- idpf: fix potential memory leak on kcalloc() failure (Michal Schmidt) [RHEL-71182]
+- idpf: fix offloads support for encapsulated packets (Michal Schmidt) [RHEL-71182]
+- idpf: fix adapter NULL pointer dereference on reboot (Michal Schmidt) [RHEL-71182] {CVE-2025-22065}
+- idpf: fix checksums set in idpf_rx_rsc() (Michal Schmidt) [RHEL-71182] {CVE-2025-21890}
+- idpf: fix handling rsc packet with a single segment (Michal Schmidt) [RHEL-71182]
+- idpf: add more info during virtchnl transaction timeout/salt mismatch (Michal Schmidt) [RHEL-71182]
+- idpf: convert workqueues to unbound (Michal Schmidt) [RHEL-71182] {CVE-2024-58057}
+- idpf: Acquire the lock before accessing the xn->salt (Michal Schmidt) [RHEL-71182]
+- idpf: fix transaction timeouts on reset (Michal Schmidt) [RHEL-71182]
+- idpf: add read memory barrier when checking descriptor done bit (Michal Schmidt) [RHEL-71182]
+- idpf: deinit virtchnl transaction manager after vport and vectors (Michal Schmidt) [RHEL-71182]
+- idpf: use actual mbx receive payload length (Michal Schmidt) [RHEL-71182]
+- idpf: call set_real_num_queues in idpf_open (Michal Schmidt) [RHEL-71182 RHEL-90849]
+- idpf: fix idpf_vc_core_init error path (Michal Schmidt) [RHEL-68233 RHEL-71182 RHEL-90846] {CVE-2024-53064}
+- idpf: avoid vport access in idpf_get_link_ksettings (Michal Schmidt) [RHEL-71182 RHEL-90846] {CVE-2024-50274}
+- idpf: fix netdev Tx queue stop/wake (Michal Schmidt) [RHEL-71182]
+- idpf: fix UAFs when destroying the queues (Michal Schmidt) [RHEL-71182] {CVE-2024-44932}
+- idpf: fix memleak in vport interrupt configuration (Michal Schmidt) [RHEL-71182]
+- idpf: fix memory leaks and crashes while performing a soft reset (Michal Schmidt) [RHEL-71182] {CVE-2024-44964}
+- idpf: compile singleq code only under default-n CONFIG_IDPF_SINGLEQ (Michal Schmidt) [RHEL-71182]
+- redhat/configs: set CONFIG_IDPF_SINGLEQ as disabled (Michal Schmidt) [RHEL-71182]
+- idpf: merge singleq and splitq &net_device_ops (Michal Schmidt) [RHEL-71182]
+- idpf: avoid bloating &idpf_q_vector with big %%NR_CPUS (Michal Schmidt) [RHEL-71182]
+- idpf: split &idpf_queue into 4 strictly-typed queue structures (Michal Schmidt) [RHEL-71182]
+- idpf: remove legacy Page Pool Ethtool stats (Michal Schmidt) [RHEL-71182]
+- net: remove gfp_mask from napi_alloc_skb() [idpf] (Michal Schmidt) [RHEL-71182]
+- idpf: stop using macros for accessing queue descriptors (Michal Schmidt) [RHEL-71182]
+- idpf: don't enable NAPI and interrupts prior to allocating Rx buffers (Michal Schmidt) [RHEL-71182]
+- idpf: Interpret .set_channels() input differently (Michal Schmidt) [RHEL-71182]
+- idpf: make virtchnl2.h self-contained (Michal Schmidt) [RHEL-71182]
+- s390/pci: Serialize device addition and removal (Mete Durlu) [RHEL-95783]
+- s390/pci: Allow re-add of a reserved but not yet removed device (Mete Durlu) [RHEL-95783]
+- s390/pci: Prevent self deletion in disable_slot() (Mete Durlu) [RHEL-95783]
+- s390/pci: Remove redundant bus removal and disable from zpci_release_device() (Mete Durlu) [RHEL-95783]
+- s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (Mete Durlu) [RHEL-95783]
+- s390/pci: Fix missing check for zpci_create_device() error return (Mete Durlu) [RHEL-95783]
+- s390/pci: Fix potential double remove of hotplug slot (Mete Durlu) [RHEL-95783]
+- s390/pci: remove hotplug slot when releasing the device (Mete Durlu) [RHEL-95783]
+- s390/pci: introduce lock to synchronize state of zpci_dev's (Mete Durlu) [RHEL-95783]
+- s390/pci: rename lock member in struct zpci_dev (Mete Durlu) [RHEL-95783]
+
+* Thu Jun 05 2025 Denys Vlasenko [4.18.0-553.57.1.el8_10]
+- smb: client: fix warning in cifs_smb3_do_mount() (Paulo Alcantara) [RHEL-55825]
+- cifs: fix double free race when mount fails in cifs_get_root() (Paulo Alcantara) [RHEL-55825] {CVE-2022-48919}
+- security/keys: fix slab-out-of-bounds in key_task_permission (CKI Backport Bot) [RHEL-68090] {CVE-2024-50301}
+
+* Sun Jun 01 2025 Denys Vlasenko [4.18.0-553.56.1.el8_10]
+- tools/power/x86_energy_perf_policy: Read energy_perf_bias from sysfs (David Arcari) [RHEL-86963]
+- um: Fix out-of-bounds read in LDT setup (CKI Backport Bot) [RHEL-90261] {CVE-2022-49395}
+
+* Fri May 23 2025 Denys Vlasenko [4.18.0-553.55.1.el8_10]
+- sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (Phil Auld) [RHEL-85171]
 * Thu May 15 2025 Denys Vlasenko [4.18.0-553.54.1.el8_10]
 - ice: fix stats being updated by way too large values (CKI Backport Bot) [RHEL-70834]
diff --git a/repair-dwarves-causes-kernel-compilation-to-fail.patch b/repair-dwarves-causes-kernel-compilation-to-fail.patch
deleted file mode 100644
index 74f4020..0000000
--- a/repair-dwarves-causes-kernel-compilation-to-fail.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- Makefile.orig 2022-10-07 22:45:37.000000000 +0800
-+++ Makefile 2023-02-22 15:37:33.069118145 +0800
-@@ -378,7 +378,7 @@
- STRIP = $(CROSS_COMPILE)strip
- OBJCOPY = $(CROSS_COMPILE)objcopy
- OBJDUMP = $(CROSS_COMPILE)objdump
--PAHOLE = pahole
-+PAHOLE = pahole --skip_encoding_btf_enum64
- RESOLVE_BTFIDS = $(objtree)/tools/bpf/resolve_btfids/resolve_btfids
- LEX = flex
- YACC = bison
-- Gitee
From 2225ff7b00fb80f14761a3320c1e2d0b5cdfcbff Mon Sep 17 00:00:00 2001
From: liuxiaoping
Date: Wed, 22 Feb 2023 15:53:19 +0800
Subject: [PATCH 2/2] kernel:repair dwarves causes kernel compilation to fail
---
 kernel.spec | 8 +++++++-
 ...ir-dwarves-causes-kernel-compilation-to-fail.patch | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 repair-dwarves-causes-kernel-compilation-to-fail.patch
diff --git a/kernel.spec b/kernel.spec
index f663808..13cd629 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1,5 +1,6 @@
 # We have to override the new %%install behavior because, well... the kernel is special.
 %global __spec_install_pre %{___build_pre}
+%define anolis_release .0.1
 # At the time of this writing (2019-03), RHEL8 packages use w2.xzdio
 # compression for rpms (xz, level 2).
@@ -41,7 +42,7 @@
 %define pkgrelease 553.58.1.el8_10
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.58.1%{?dist}
+%define specrelease 553.58.1%{anolis_release}%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -544,6 +545,7 @@ Source4001: rpminspect.yaml
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
+Patch1000: repair-dwarves-causes-kernel-compilation-to-fail.patch
 # END OF PATCH DEFINITIONS
@@ -1101,6 +1103,7 @@ mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
 cd linux-%{KVERREL}
 ApplyOptionalPatch linux-kernel-test.patch
+%patch1000 -p0 -b .repair-dwarves-causes-kernel-compilation-to-fail
 # END OF PATCH APPLICATIONS
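Review bot: The `-b` option on `%patch1000 -p0 -b .repair-dwarves-causes-kernel-compilation-to-fail` (hunk at 1101/1103) leaves a backup named `Makefile.repair-dwarves-causes-kernel-compilation-to-fail` at the top of the kernel tree. Any later spec step that collects files with a `Makefile*` glob would ship it; that step is not visible in this hunk, so check it against the devel-package file list. Dropping the backup suffix avoids the stray file: `%patch1000 -p0`. The `Patch1000:` line in the hunk at 544/545 also has no comment saying what it works around; something like `# Downstream: pass --skip_encoding_btf_enum64 to pahole; drop once the buildroot no longer needs it` would help the next rebase.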
@@ -2696,6 +2699,9 @@ fi
 #
 #
 %changelog
+* Mon Jul 07 2025 Xiaoping Liu - 4.18.0-553.58.1.0.1
+- kernel:repair dwarves causes kernel compilation to fail
+
 * Thu Jun 12 2025 Denys Vlasenko [4.18.0-553.58.1.el8_10]
 - ndisc: use RCU protection in ndisc_alloc_skb() (Xin Long) [RHEL-89535] {CVE-2025-21764}
 - ipv6: use RCU protection in ip6_default_advmss() (Xin Long) [RHEL-89535] {CVE-2025-21765}
diff --git a/repair-dwarves-causes-kernel-compilation-to-fail.patch b/repair-dwarves-causes-kernel-compilation-to-fail.patch
new file mode 100644
index 0000000..74f4020
--- /dev/null
+++ b/repair-dwarves-causes-kernel-compilation-to-fail.patch
@@ -0,0 +1,11 @@
+--- Makefile.orig 2022-10-07 22:45:37.000000000 +0800
++++ Makefile 2023-02-22 15:37:33.069118145 +0800
+@@ -378,7 +378,7 @@
+ STRIP = $(CROSS_COMPILE)strip
+ OBJCOPY = $(CROSS_COMPILE)objcopy
+ OBJDUMP = $(CROSS_COMPILE)objdump
+-PAHOLE = pahole
++PAHOLE = pahole --skip_encoding_btf_enum64
+ RESOLVE_BTFIDS = $(objtree)/tools/bpf/resolve_btfids/resolve_btfids
+ LEX = flex
+ YACC = bison
-- Gitee
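Review bot: The embedded Makefile change in the new-file hunk sets `PAHOLE = pahole --skip_encoding_btf_enum64` unconditionally, so every build now needs a pahole that accepts that option. A buildroot with an older dwarves would presumably fail on the unknown flag instead of building as before. Either pin the dependency in kernel.spec with a versioned `BuildRequires: dwarves >= <minimum-version>` (placeholder, take the value from the dwarves release that introduced the option) or add the flag only after probing the installed pahole. The patch file also has no header text; a short description of the failure it fixes and the dwarves version that triggers it belongs above the `--- Makefile.orig` line.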