Maintainer Alexey Gladkov in the sisyphus branch: Information

- Workqueue update for RT prerequisites
- nvme: avoid race in shutdown namespace removal
- powerpc/xmon: Dump XIVE information for online-only processors.
- CVE-2021-20322 - ipv4: make exception cache less predictible
- [s390] s390/cio: make ccw_device_dma_* more robust
- [s390] s390/pci: add s390_iommu_aperture kernel parameter
- [s390] s390/pci: cleanup resources only if necessary
- [s390] s390/sclp: fix Secure-IPL facility detection
- Revert "[redhat] Generate a crashkernel.default for each kernel build"
- ibmvnic: fix kdump over nfs when auto priority disabled for ibmvnic
- ibmvnic: don't stop queue in xmit
- bpf/selftests: allow disabling tests
- kernel/crash_core: suppress unknown crashkernel parameter warning
- mm: fix memory onlining under the debug kernel
- Fixing CVE-2021-3752 for RHEL-9
- zstd: Sync with upstream 5.16 fixes and improvements

- New version (1.58.0).

- dm: sync with upstream 5.16 fixes and improvements
- redhat: Pull in openssl-devel as a build dependency correctly
- platform/x86: think-lmi: add debug_cmd
- include/linux/timer.h: Pad timer_list struct for KABI
- kernel: Include RHEL Ecosystem message
- include/linux/ioport.h: Pad resource struct for KABI
- include/linux/hrtimer.h: Pad hrtimer struct for KABI
- redhat/configs: Enable Zstandard compression
- Enable iSER on s390x

- Upstream snapshot.
- Build with OpenSSL.

- New version (4.33).

- NMU: New version (0.15.1).

- New version (1.7.1)

- New version (1.1).

- New version (0.9.9).

- New version (0.15.0)

- New version (1.7-rc2)

- NMU: New version (0.15.0).

- New release (96.0.1).

- mm: fix for "CoW after fork()" "GUP after fork()" bug
- powerpc/xive: Change IRQ domain to a tree domain
- net: core stable backport for rhel 9.0
- vhost_net: fix OoB on sendmsg() failure.
- printk changes for kernel-rt

- New release (96.0).
- Disable webrtc for armh, ppc64le.
- Security fixes:
  + CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
  + CVE-2022-22743: Browser window spoof using fullscreen mode
  + CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
  + CVE-2022-22741: Browser window spoof using fullscreen mode
  + CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
  + CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
  + CVE-2022-22737: Race condition when playing audio files
  + CVE-2021-4140: Iframe sandbox bypass with XSLT
  + CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass
  + CVE-2022-22749: Lack of URL restrictions when scanning QR codes
  + CVE-2022-22748: Spoofed origin on external protocol launch dialog
  + CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
  + CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
  + CVE-2022-22747: Crash when handling empty pkcs7 sequence
  + CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.
  + CVE-2022-22739: Missing throttling on external protocol launch dialog
  + CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
  + CVE-2022-22752: Memory safety bugs fixed in Firefox 96

- smartpqi updates
- powerpc/module_64: Fix livepatching for RO modules
- net-sysfs: try not to restart the syscall if it will fail eventually
- CI: Cleanup residue from ARK and enable RT check baselines
- redhat: tune rpminspect configuration for upstream and badfuncs tests
- redhat/configs: Enable CONFIG_CRYPTO_BLAKE2B
- netfilter: conntrack: switch to siphash and include zone id in hash again
- redhat: configs: increase CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE
- iommu/dma: Fix incorrect error return on iommu deferred attach
- RDMA/siw: Mark Software iWARP Driver as tech-preview
- genirq changes for kernel-rt

- af_unix: Return errno instead of NULL in  unix_create1()
- ftrace: do CPU checking after preemption disabled
- redhat: build and include memfd to kernel-selftests-internal
- netfilter: stable backports for rhel 9.0
- netfilter: ipvs: make global sysctl readonly in non-init netns
- netfilter: ipvs: make global sysctl readonly in non-init netns
- net/sched: 9.0 P1 backports from upstream
- redhat/configs/evaluate_configs: Add find dead configs option

- Replace deprecated CPU-hotplug functions for kernel-rt
- Input: i8042 - Add quirk for Fujitsu Lifebook T725
- sctp: backports from upstream
- sctp: enhancements for the verification tag
- Fix CVE-2020-27820
- redhat/configs: NFS: disable UDP, insecure enctypes

- New version (3.74).
- Certificate Authority Changes:
  + Add HiPKI Root CA - G1
  + Add ISRG Root X2
  + Add vTrus Root CA
  + Add vTrus ECC Root CA
  + Add Autoridad de Certificacion Firmaprofesional CIF A62634068
  + Remove DST Root CA X3
  + Remove GlobalSign Root CA - R2
  + Remove Cybertrust Global Root
  + Replace GlobalSign ECC Root CA - R4
  + Replace GTS Root R1
  + Replace GTS Root R2
  + Replace GTS Root R3
  + Replace GTS Root R4

- New version (97.0.4692.71).
- Security fixes:
  - CVE-2022-0096: Use after free in Storage.
  - CVE-2022-0097: Inappropriate implementation in DevTools.
  - CVE-2022-0098: Use after free in Screen Capture.
  - CVE-2022-0099: Use after free in Sign-in.
  - CVE-2022-0100: Heap buffer overflow in Media streams API.
  - CVE-2022-0101: Heap buffer overflow in Bookmarks.
  - CVE-2022-0102: Type Confusion in V8 .
  - CVE-2022-0103: Use after free in SwiftShader.
  - CVE-2022-0104: Heap buffer overflow in ANGLE.
  - CVE-2022-0105: Use after free in PDF.
  - CVE-2022-0106: Use after free in Autofill.
  - CVE-2022-0107: Use after free in File Manager API.
  - CVE-2022-0108: Inappropriate implementation in Navigation.
  - CVE-2022-0109: Inappropriate implementation in Autofill.
  - CVE-2022-0110: Incorrect security UI in Autofill.
  - CVE-2022-0111: Inappropriate implementation in Navigation.
  - CVE-2022-0112: Incorrect security UI in Browser UI.
  - CVE-2022-0113: Inappropriate implementation in Blink.
  - CVE-2022-0114: Out of bounds memory access in Web Serial.
  - CVE-2022-0115: Uninitialized Use in File API.
  - CVE-2022-0116: Inappropriate implementation in Compositing.
  - CVE-2022-0117: Policy bypass in Service Workers.
  - CVE-2022-0118: Inappropriate implementation in WebShare.
  - CVE-2022-0120: Inappropriate implementation in Passwords.

- New git snapshot (v1.7.0-17-g07cd8973).
- Remove Email::MIME dependency.

- cpuidle: pseries: Fixup CEDE0 latency only for POWER10 onwards
- powerpc/mce: Fix access error in mce handler
- powerpc/pseries/mobility: ignore ibm, platform-facilities updates
- KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure
- redhat/configs: enable DWARF5 feature if toolchain supports it
- init: make unknown command line param message clearer
- Enable BT WCN6855 2.1 module
- cgroup: Make rebind_subsystems() disable v2 controllers all at once
- bnxt_en: PTP related commits for inclusion in RHEL 9.0

- Enable AMX(TMUL) for Sapphire Rapids

- drm/hyperv: Fix device removal on Gen1 VMs
- redhat/configs: Always enable CONFIG_PCI_IOV for RHEL on s390x
- wireguard: device: reset peer src endpoint when netns exits
- NVMe-TCP fixes
- ovl: fix missing negative dentry check in ovl_rename()
- selftests/bpf: Fix some issues for selftest test_xdp_redirect_multi.sh

- block: update to v5.16

- mm: update generic MM code to upstream v5.15

- New version (2.9.4).
- Build from upstream git repository.
- Use system gnulib.
- Update license tag.

- New release (95.0.1).

- Add conflict to systemd to make it impossible to install systemd on a system
  with sysvinit (ALT#41579).

- Disable CONFIG_DEBUG_PREEMPT to restore performance
- tcp: phase 1 stable backport for rhel 9.0
- ibmvnic: Fixes for check failover_pending
- kernfs: upstream kernfs concurrency improvement series
- drm/hyperv: Fix double mouse pointers
- Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
- redhat/kernel.spec.template: enable dependencies generation
- redhat: configs: Update configs for vmware
- redhat/configs: Enable CONFIG_DRM_VMWGFX on aarch64

- New version (96.0.4664.110).
- Security fixes:
  - CVE-2021-4098: Insufficient data validation in Mojo.
  - CVE-2021-4099: Use after free in Swiftshader.
  - CVE-2021-4100: Object lifecycle issue in ANGLE.
  - CVE-2021-4101: Heap buffer overflow in Swiftshader.
  - CVE-2021-4102: Use after free in V8.

- Rebase KVM x86 to 5.15

- hrtimer updates for RT prerequisites

- Backport v5.15 rcu/locking/cgroup dependencies for kernel-rt

- Don't use system libgit2 for now (ALT#41534).

- New version (2.2.33).
- Set GPG_TTY in profile.d (ALT#41509).

- New release (95.0).
- Security fixes:
  + CVE-2021-43536: URL leakage when navigating while executing asynchronous function
  + CVE-2021-43537: Heap buffer overflow when using structured clone
  + CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
  + CVE-2021-43539: GC rooting failure when calling wasm instance methods
  + MOZ-2021-0010: Use-after-free in fullscreen objects on MacOS
  + CVE-2021-43540: WebExtensions could have installed persistent ServiceWorkers
  + CVE-2021-43541: External protocol handler parameters were unescaped
  + CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
  + CVE-2021-43543: Bypass of CSP sandbox directive when embedding
  + CVE-2021-43544: Receiving a malicious URL as text through a SEND intent could have led to XSS
  + CVE-2021-43545: Denial of Service when using the Location API in a loop
  + CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
  + MOZ-2021-0009: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4

- x86: change default to spec_store_bypass_disable=prctl spectre_v2_user=prctl
- Provide and Configure DYNAMIC_PREEMPT
- x86/sgx: mark tech preview
- net: ipv6 p1 stable backport from upstream
- ipv4: stable backports for rhel 9.0
- crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
- net/l2tp: Fix reference count leak in l2tp_udp_recv_core
- megaraid_sas: driver update
- tpm: Avoid error message when process gets signal while waiting and other upstream fixes

- Add 9p modules.

- New version (1.57.0).

- fix  '/proc/pid/wchan is always "0"'
- powerpc/bpf: Fix write protecting JIT code
- vfs: check fd has read access in kernel_read_file_from_fd()
- Disable idmapped mounts
- Sync s390x KVM code with upstream kernel v5.15
- redhat/configs: Remove CONFIG_INFINIBAND_I40IW

- First build for sisyphus.

- perf test: Handle fd gaps in test__dso_data_reopen
- perf tests vmlinux-kallsyms: Ignore hidden symbols
- perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support
- redhat/kernel.spec.template: Link perf with --export-dynamic
- xfs: fix I_DONTCACHE
- Fix virtio problem on s390x with raw DASD devices
- net/tls: backport fixes from 5.15
- x86: hv: Hyper-V x86-64 updates for Centos Stream 9
- Upgrade the SMC driver for s390x to latest from upstream
- cifs: enable SMB_DIRECT in RHEL9
- mpt3sas: driver update
- Support DMA implementation of Offload Service Engine (OSE) for Elkhart Lake
- vmxnet3: Update network driver for RHEL 9.0

- New version (3.73).
- Security fixes:
  + CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures

- CNB: pci: add several VPD helpers

- Add automotive CI jobs
- post 5.14 scheduler fixes

- Add files needed for kbuild.

- Allow fallback to any GL implementation (ALT#41430).

- clocksource: Workaround the hpet fallback problem
- scsi: target: Fix the pgr/alua_support_store functions
- redhat: fix typo and make the output more silent for dist-git sync
- Improve performace of AMD C3 entry for Family 17h and later
- lpfc updates for centos-9 14.0.0.3
- x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically
- ucounts: Fix signal ucount refcounting
- x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
- net: gre: fix csum validation for gre4 and gre6
- redhat/configs: enable KEXEC_SIG for aarch64
- kernel.spec: add bpf_testmod.ko to kselftests/bpf
- netfilter: Add deprecation notices for xtables

- First build for ALTLinux.

- New version (1.43).

- New version (1.9.4).

- New version (2.5.5).

- New version 590.
- lessfile.sh:
  + Fix .xz detection.
- lessfile.sh, lesspipe.sh:
  + Add zstd detection.