Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package kernel-source-longterm for
openSUSE:Factory checked in at 2025-04-28 16:16:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source-longterm (Old)
and /work/SRC/openSUSE:Factory/.kernel-source-longterm.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source-longterm"
Mon Apr 28 16:16:03 2025 rev:68 rq:1272826 version:6.12.25
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source-longterm/kernel-longterm.changes
2025-04-22 17:25:51.080958179 +0200
+++
/work/SRC/openSUSE:Factory/.kernel-source-longterm.new.30101/kernel-longterm.changes
2025-04-28 16:16:14.316907505 +0200
@@ -1,0 +2,387 @@
+Fri Apr 25 13:04:49 CEST 2025 - rfr...@suse.com
+
+- Linux 6.12.25 (bsc#1234429).
+- block: make struct rq_list available for !CONFIG_BLOCK
+ (bsc#1234429).
+- selftests/bpf: extend changes_pkt_data with cases w/o
+ subprograms (bsc#1234429).
+- bpf: fix null dereference when computing changes_pkt_data of
+ prog w/o subprogs (bsc#1234429).
+- selftests/bpf: validate that tail call invalidates packet
+ pointers (bsc#1234429).
+- selftests/bpf: freplace tests for tracking of
+ changes_packet_data (bsc#1234429).
+- bpf: check changes_pkt_data property for extension programs
+ (bsc#1234429).
+- selftests/bpf: test for changing packet data from global
+ functions (bsc#1234429).
+- bpf: track changes_pkt_data property for global functions
+ (bsc#1234429).
+- bpf: add find_containing_subprog() utility function
+ (bsc#1234429).
+- wifi: ath12k: Fix invalid entry fetch in
+ ath12k_dp_mon_srng_process (bsc#1234429).
+- MIPS: ds1287: Match ds1287_set_base_clock() function types
+ (bsc#1234429).
+- MIPS: cevt-ds1287: Add missing ds1287.h include (bsc#1234429).
+- MIPS: dec: Declare which_prom() as static (bsc#1234429).
+- Revert "wifi: ath12k: Fix invalid entry fetch in
+ ath12k_dp_mon_srng_process" (bsc#1234429).
+- mm/vma: add give_up_on_oom option on modify/merge, use in uffd
+ release (bsc#1234429).
+- block: don't reorder requests in blk_add_rq_to_plug
+ (bsc#1234429).
+- block: add a rq_list type (bsc#1234429).
+- block: remove rq_list_move (bsc#1234429).
+- nvmet-fc: Remove unused functions (bsc#1234429).
+- drm/amd/display: Temporarily disable hostvm on DCN31
+ (bsc#1234429).
+- LoongArch: Eliminate superfluous get_numa_distances_cnt()
+ (bsc#1234429).
+- efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32
+ (bsc#1234429).
+- misc: pci_endpoint_test: Fix 'irq_type' to convey the correct
+ type (bsc#1234429).
+- misc: pci_endpoint_test: Avoid issue of interrupts remaining
+ after request_irq error (bsc#1234429).
+- selftests/bpf: Fix raw_tp null handling test (bsc#1234429).
+- md: fix mddev uaf while iterating all_mddevs list (bsc#1234429).
+- platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug
+ (bsc#1234429).
+- platform/x86: msi-wmi-platform: Rename "data" variable
+ (bsc#1234429).
+- kbuild: Add '-fno-builtin-wcslen' (bsc#1234429).
+- scripts: generate_rust_analyzer: Add ffi crate (bsc#1234429).
+- cpufreq: Reference count policy in cpufreq_update_limits()
+ (bsc#1234429).
+- arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9
+ (bsc#1234429).
+- arm64/sysreg: Add register fields for HFGWTR2_EL2 (bsc#1234429).
+- arm64/sysreg: Add register fields for HFGRTR2_EL2 (bsc#1234429).
+- arm64/sysreg: Add register fields for HFGITR2_EL2 (bsc#1234429).
+- arm64/sysreg: Add register fields for HDFGWTR2_EL2
+ (bsc#1234429).
+- arm64/sysreg: Add register fields for HDFGRTR2_EL2
+ (bsc#1234429).
+- arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1
+ (bsc#1234429).
+- drm/mgag200: Fix value in <VBLKSTR> register (bsc#1234429).
+- drm/amdgpu: fix warning of drm_mm_clean (bsc#1234429).
+- drm/xe: Set LRC addresses before guc load (bsc#1234429).
+- drm/xe/userptr: fix notifier vs folio deadlock (bsc#1234429).
+- drm/xe/dma_buf: stop relying on placement in unmap
+ (bsc#1234429).
+- drm/amd/display: Add HP Probook 445 and 465 to the quirk list
+ for eDP on DP1 (bsc#1234429).
+- drm/amd/display: Protect FPU in dml2_init()/dml21_init()
+ (bsc#1234429).
+- drm/amd/display: Do not enable Replay and PSR while VRR is on
+ in amdgpu_dm_commit_planes() (bsc#1234429).
+- drm/amdgpu: immediately use GTT for new allocations
+ (bsc#1234429).
+- drm/i915/gvt: fix unterminated-string-initialization warning
+ (bsc#1234429).
+- drm/xe: Fix an out-of-bounds shift when invalidating TLB
+ (bsc#1234429).
+- drm/sti: remove duplicate object names (bsc#1234429).
+- drm/imagination: take paired job reference (bsc#1234429).
+- drm/imagination: fix firmware memory leaks (bsc#1234429).
+- drm/nouveau: prime: fix ttm_bo_delayed_delete oops
+ (bsc#1234429).
+- drm/amdgpu/dma_buf: fix page_link check (bsc#1234429).
+- drm/amdgpu/mes11: optimize MES pipe FW version fetching
+ (bsc#1234429).
+- drm/amd/display: Protect FPU in dml21_copy() (bsc#1234429).
+- drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()
+ (bsc#1234429).
+- drm/amd/display: Add HP Elitebook 645 to the quirk list for
+ eDP on DP1 (bsc#1234429).
+- drm/xe: Use local fence in error path of xe_migrate_clear
+ (bsc#1234429).
+- drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed
+ (bsc#1234429).
+- drm/amdgpu/mes12: optimize MES pipe FW version fetching
+ (bsc#1234429).
+- drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division
+ by zero (bsc#1234429).
+- drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero
+ (bsc#1234429).
+- drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by
+ zero (bsc#1234429).
+- drm/amd/pm/smu11: Prevent division by zero (bsc#1234429).
+- drm/amd/pm/powerplay: Prevent division by zero (bsc#1234429).
+- drm/amd/pm: Prevent division by zero (bsc#1234429).
+- drm/amd/display: Increase vblank offdelay for PSR panels
+ (bsc#1234429).
+- drm/amd/display: Actually do immediate vblank disable
+ (bsc#1234429).
+- drm/amd: Handle being compiled without SI or CIK support better
+ (bsc#1234429).
+- drm/amd/display: prevent hang on link training fail
+ (bsc#1234429).
+- drm/amdgpu: Prefer shadow rom when available (bsc#1234429).
+- drm/msm/a6xx: Fix stale rpmh votes from GPU (bsc#1234429).
+- drm/msm/dsi: Add check for devm_kstrdup() (bsc#1234429).
+- drm/ast: Fix ast_dp connection status (bsc#1234429).
+- drm/repaper: fix integer overflows in repeat functions
+ (bsc#1234429).
+- perf/x86/intel/uncore: Fix the scale of IIO free running
+ counters on SPR (bsc#1234429).
+- perf/x86/intel/uncore: Fix the scale of IIO free running
+ counters on ICX (bsc#1234429).
+- perf/x86/intel/uncore: Fix the scale of IIO free running
+ counters on SNR (bsc#1234429).
+- perf/x86/intel: Allow to update user space GPRs from PEBS
+ records (bsc#1234429).
+- platform/x86: amd: pmf: Fix STT limits (bsc#1234429).
+- RAS/AMD/FMPM: Get masked address (bsc#1234429).
+- RAS/AMD/ATL: Include row[13] bit in row retirement
+ (bsc#1234429).
+- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler
+ (bsc#1234429).
+- scsi: ufs: exynos: Ensure consistent phy reference counts
+ (bsc#1234429).
+- scsi: megaraid_sas: Block zero-length ATA VPD inquiry
+ (bsc#1234429).
+- x86/boot/sev: Avoid shared GHCB page for early memory acceptance
+ (bsc#1234429).
+- x86/cpu/amd: Fix workaround for erratum 1054 (bsc#1234429).
+- x86/microcode/AMD: Extend the SHA check to Zen5, block
+ loading of any unreleased standalone Zen5 microcode patches
+ (bsc#1234429).
+- virtiofs: add filesystem context source name check
+ (bsc#1234429).
+- tracing: Fix filter string testing (bsc#1234429).
+- string: Add load_unaligned_zeropad() code path to
+ sized_strscpy() (bsc#1234429).
+- smb3 client: fix open hardlink on deferred close file error
+ (bsc#1234429).
+- slab: ensure slab->obj_exts is clear in a newly allocated slab
+ page (bsc#1234429).
+- selftests/mm: generate a temporary mountpoint for cgroup
+ filesystem (bsc#1234429).
+- riscv: Avoid fortify warning in syscall_get_arguments()
+ (bsc#1234429).
+- Revert "smb: client: fix TCP timers deadlock after rmmod"
+ (bsc#1234429).
+- Revert "smb: client: Fix netns refcount imbalance causing
+ leaks and use-after-free" (bsc#1234429).
+- ksmbd: fix the warning from __kernel_write_iter (bsc#1234429).
+- ksmbd: Prevent integer overflow in calculation of deadtime
+ (bsc#1234429).
+- ksmbd: fix use-after-free in smb_break_all_levII_oplock()
+ (bsc#1234429).
+- ksmbd: Fix dangling pointer in krb_authenticate (bsc#1234429).
+- ovl: don't allow datadir only (bsc#1234429).
+- mm: fix apply_to_existing_page_range() (bsc#1234429).
+- mm: fix filemap_get_folios_contig returning batches of identical
+ folios (bsc#1234429).
+- mm/gup: fix wrongly calculated returned value in
+ fault_in_safe_writeable() (bsc#1234429).
+- mm/compaction: fix bug in hugetlb handling pathway
+ (bsc#1234429).
+- loop: LOOP_SET_FD: send uevents for partitions (bsc#1234429).
+- loop: properly send KOBJ_CHANGED uevent for disk device
+ (bsc#1234429).
+- isofs: Prevent the use of too small fid (bsc#1234429).
+- i2c: cros-ec-tunnel: defer probe if parent EC is not present
+ (bsc#1234429).
+- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
+ (bsc#1234429).
+- crypto: caam/qi - Fix drv_ctx refcount bug (bsc#1234429).
+- cpufreq/sched: Explicitly synchronize limits_changed flag
+ handling (bsc#1234429).
+- btrfs: correctly escape subvol in btrfs_show_options()
+ (bsc#1234429).
+- Bluetooth: vhci: Avoid needless snprintf() calls (bsc#1234429).
+- Bluetooth: l2cap: Process valid commands in too long frame
+ (bsc#1234429).
+- drm/msm/a6xx+: Don't let IB_SIZE overflow (bsc#1234429).
+- ftrace: fix incorrect hash size in register_ftrace_direct()
+ (bsc#1234429).
+- i2c: atr: Fix wrong include (bsc#1234429).
+- nfsd: decrease sc_count directly if fail to queue dl_recall
+ (bsc#1234429).
+- nfs: add missing selections of CONFIG_CRC32 (bsc#1234429).
+- dma-buf/sw_sync: Decrement refcount on error in
+ sw_sync_ioctl_get_deadline() (bsc#1234429).
+- drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6
+ and later (bsc#1234429).
+- block: integrity: Do not call set_page_dirty_lock()
+ (bsc#1234429).
+- asus-laptop: Fix an uninitialized variable (bsc#1234429).
+- ASoC: qcom: Fix sc7280 lpass potential buffer overflow
+ (bsc#1234429).
+- ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16
+ (bsc#1234429).
+- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels
+ (bsc#1234429).
+- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate
+ (bsc#1234429).
+- ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on
+ TRIGGER_START event (bsc#1234429).
+- Revert "PCI: Avoid reset when disabled via sysfs" (bsc#1234429).
+- writeback: fix false warning in inode_to_wb() (bsc#1234429).
+- rust: kbuild: use `pound` to support GNU Make < 4.3
+ (bsc#1234429).
+- rust: disable `clippy::needless_continue` (bsc#1234429).
+- rust: kasan/kbuild: fix missing flags on first build
+ (bsc#1234429).
+- objtool/rust: add one more `noreturn` Rust function for Rust
+ 1.86.0 (bsc#1234429).
+- cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
+ (bsc#1234429).
+- riscv: KGDB: Remove ".option norvc/.option rvc" for
+ kgdb_compiled_break (bsc#1234429).
+- riscv: KGDB: Do not inline arch_kgdb_breakpoint() (bsc#1234429).
+- kunit: qemu_configs: SH: Respect kunit cmdline (bsc#1234429).
+- riscv: module: Allocate PLT entries for R_RISCV_PLT32
+ (bsc#1234429).
+- riscv: module: Fix out-of-bounds relocation access
+ (bsc#1234429).
+- riscv: Properly export reserved regions in /proc/iomem
+ (bsc#1234429).
+- riscv: Use kvmalloc_array on relocation_hashtable (bsc#1234429).
+- net: ethernet: mtk_eth_soc: revise QDMA packet scheduler
+ settings (bsc#1234429).
+- net: ethernet: mtk_eth_soc: correct the max weight of the
+ queue limit for 100Mbps (bsc#1234429).
+- net: ethernet: mtk_eth_soc: reapply mdc divider on reset
+ (bsc#1234429).
+- net: ti: icss-iep: Fix possible NULL pointer dereference for
+ perout request (bsc#1234429).
+- net: ti: icss-iep: Add phase offset configuration for perout
+ signal (bsc#1234429).
+- net: ti: icss-iep: Add pwidth configuration for perout signal
+ (bsc#1234429).
+- ptp: ocp: fix start time alignment in ptp_ocp_signal_set
+ (bsc#1234429).
+- net: dsa: avoid refcount warnings when
+ ds->ops->tag_8021q_vlan_del() fails (bsc#1234429).
+- net: dsa: free routing table on probe failure (bsc#1234429).
+- net: dsa: clean up FDB, MDB, VLAN entries on unbind
+ (bsc#1234429).
+- net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST
+ is unsupported (bsc#1234429).
+- net: dsa: mv88e6xxx: avoid unregistering devlink regions which
+ were never registered (bsc#1234429).
+- net: txgbe: fix memory leak in txgbe_probe() error path
+ (bsc#1234429).
+- net: bridge: switchdev: do not notify new brentries as changed
+ (bsc#1234429).
+- net: b53: enable BPDU reception for management port
+ (bsc#1234429).
+- netlink: specs: rt-link: adjust mctp attribute naming
+ (bsc#1234429).
+- netlink: specs: rt-link: add an attr layer around alt-ifname
+ (bsc#1234429).
+- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error
+ path (bsc#1234429).
+- ata: libata-sata: Save all fields from sense data descriptor
+ (bsc#1234429).
+- loop: stop using vfs_iter_{read,write} for buffered I/O
+ (bsc#1234429).
+- loop: aio inherit the ioprio of original request (bsc#1234429).
+- eth: bnxt: fix missing ring index trim on error path
+ (bsc#1234429).
+- net: ethernet: ti: am65-cpsw: fix port_np reference counting
+ (bsc#1234429).
+- net: ngbe: fix memory leak in ngbe_probe() error path
+ (bsc#1234429).
+- can: rockchip_canfd: fix broken quirks checks (bsc#1234429).
+- net: openvswitch: fix nested key length validation in the set()
+ action (bsc#1234429).
+- netlink: specs: ovs_vport: align with C codegen capabilities
+ (bsc#1234429).
+- block: fix resource leak in blk_register_queue() error path
+ (bsc#1234429).
++++ 90 more lines (skipped)
++++ between
/work/SRC/openSUSE:Factory/kernel-source-longterm/kernel-longterm.changes
++++ and
/work/SRC/openSUSE:Factory/.kernel-source-longterm.new.30101/kernel-longterm.changes
kernel-source-longterm.changes: same change
kernel-syms-longterm.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-longterm.spec ++++++
--- /var/tmp/diff_new_pack.3YNpjm/_old 2025-04-28 16:16:19.605129831 +0200
+++ /var/tmp/diff_new_pack.3YNpjm/_new 2025-04-28 16:16:19.609129999 +0200
@@ -18,8 +18,8 @@
%define srcversion 6.12
-%define patchversion 6.12.24
-%define git_commit 726c2d06ad1d81b68e479b3bdffd8f8b7af66c72
+%define patchversion 6.12.25
+%define git_commit da82bfde6a1e237ce54a2751871fdc9cd96bd169
%define variant -longterm%{nil}
%define compress_modules zstd
%define compress_vmlinux xz
@@ -39,9 +39,9 @@
%(chmod +x
%_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb,check-module-license,splitflist,mergedep,moddep,modflist,kernel-subpackage-build})
Name: kernel-longterm
-Version: 6.12.24
+Version: 6.12.25
%if 0%{?is_kotd}
-Release: <RELEASE>.g726c2d0
+Release: <RELEASE>.gda82bfd
%else
Release: 0
%endif
++++++ kernel-source-longterm.spec ++++++
--- /var/tmp/diff_new_pack.3YNpjm/_old 2025-04-28 16:16:19.641131344 +0200
+++ /var/tmp/diff_new_pack.3YNpjm/_new 2025-04-28 16:16:19.645131513 +0200
@@ -17,8 +17,8 @@
%define srcversion 6.12
-%define patchversion 6.12.24
-%define git_commit 726c2d06ad1d81b68e479b3bdffd8f8b7af66c72
+%define patchversion 6.12.25
+%define git_commit da82bfde6a1e237ce54a2751871fdc9cd96bd169
%define variant -longterm%{nil}
%define gcc_package gcc
%define gcc_compiler gcc
@@ -28,9 +28,9 @@
%(chmod +x
%_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb,check-module-license,splitflist,mergedep,moddep,modflist,kernel-subpackage-build})
Name: kernel-source-longterm
-Version: 6.12.24
+Version: 6.12.25
%if 0%{?is_kotd}
-Release: <RELEASE>.g726c2d0
+Release: <RELEASE>.gda82bfd
%else
Release: 0
%endif
++++++ kernel-syms-longterm.spec ++++++
--- /var/tmp/diff_new_pack.3YNpjm/_old 2025-04-28 16:16:19.677132858 +0200
+++ /var/tmp/diff_new_pack.3YNpjm/_new 2025-04-28 16:16:19.681133026 +0200
@@ -16,16 +16,16 @@
#
-%define git_commit 726c2d06ad1d81b68e479b3bdffd8f8b7af66c72
+%define git_commit da82bfde6a1e237ce54a2751871fdc9cd96bd169
%define variant -longterm%{nil}
%include %_sourcedir/kernel-spec-macros
Name: kernel-syms-longterm
-Version: 6.12.24
+Version: 6.12.25
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.g726c2d0
+Release: <RELEASE>.gda82bfd
%else
Release: 0
%endif
++++++ patches.kernel.org.tar.bz2 ++++++
++++ 19042 lines of diff (skipped)
++++++ patches.suse.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0001-Lock-down-x86_64-kernel-in-secure-boot-mode-in-subsy.patch
new/patches.suse/0001-Lock-down-x86_64-kernel-in-secure-boot-mode-in-subsy.patch
---
old/patches.suse/0001-Lock-down-x86_64-kernel-in-secure-boot-mode-in-subsy.patch
2025-03-28 23:00:36.000000000 +0100
+++
new/patches.suse/0001-Lock-down-x86_64-kernel-in-secure-boot-mode-in-subsy.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,60 +0,0 @@
-From 92a568fa4e2073cb00de90893240ba18bd4723f3 Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <j...@suse.com>
-Date: Wed, 18 Dec 2024 20:25:30 +0800
-Subject: [PATCH 1/5] Lock down x86_64 kernel in secure boot mode in
- subsys_initcall stage
-Patch-mainline: Never, temporary solution
-References: bsc#1234646
-
-Since '77b644c39d6a init/main.c: Initialize early LSMs after arch code,
-static keys and calls' be merged to v6.12 kernel. The
-early_security_init() be moved behine setup_arch(). It causes that the
-original code CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in setup_arch() is
-invalid.
-
-This patch reuse the arm64_kernel_lockdown() on x86_64 in subsys_initcall
-stage. The following functions in early boot stage can not locked down by
-LSM:
-
-- LOCKDOWN_ACPI_TABLES in setup_arch() on x86_64
-- LOCKDOWN_DBG_WRITE_KERNEL in early_initcall stage
-
-For the above functions, I will apply old lockdown approach (e.g. SLE15-SP1),
-maintaining a lockdown flag for early boot stage. Until kernel upstream has
-solution for "early LSMs" (CONFIG_SECURITY_LOCKDOWN_LSM_EARLY).
-
-References: https://bugzilla.opensuse.org/show_bug.cgi?id=1234646
-Signed-off-by: Chun-Yi Lee <j...@suse.com>
----
- drivers/firmware/efi/secureboot.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/firmware/efi/secureboot.c
b/drivers/firmware/efi/secureboot.c
-index b0b4629e4..bd986125e 100644
---- a/drivers/firmware/efi/secureboot.c
-+++ b/drivers/firmware/efi/secureboot.c
-@@ -39,12 +39,12 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode
mode)
- }
- }
-
--#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)
-+#if defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)
- /*
- * The arm64_kernel_lockdown() must run after efisubsys_init() because the
- * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE.
- */
--static int __init arm64_kernel_lockdown(void)
-+static int __init kernel_lockdown(void)
- {
- if (arch_ima_get_secureboot())
- security_lock_kernel_down("EFI Secure Boot mode",
-@@ -52,5 +52,5 @@ static int __init arm64_kernel_lockdown(void)
- return 0;
- }
-
--subsys_initcall(arm64_kernel_lockdown);
-+subsys_initcall(kernel_lockdown);
- #endif
---
-2.35.3
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0001-initcall_blacklist-Does-not-allow-kernel_lockdown-be.patch
new/patches.suse/0001-initcall_blacklist-Does-not-allow-kernel_lockdown-be.patch
---
old/patches.suse/0001-initcall_blacklist-Does-not-allow-kernel_lockdown-be.patch
1970-01-01 01:00:00.000000000 +0100
+++
new/patches.suse/0001-initcall_blacklist-Does-not-allow-kernel_lockdown-be.patch
2025-04-24 13:12:02.000000000 +0200
@@ -0,0 +1,30 @@
+From d5c32294f97b6d402bc3e5c6bd68afd2cf8d37e8 Mon Sep 17 00:00:00 2001
+From: Chun-Yi Lee <j...@suse.com>
+Date: Fri, 7 Mar 2025 14:04:06 +0800
+Subject: [PATCH] initcall_blacklist: Does not allow kernel_lockdown be
+ blacklisted
+Patch-mainline: Never, SUSE specific
+References: bsc#1237521
+
+The arm64_kernel_lockdown should not be blacklisted. Otherwise that kernel
+lockdown mechanism can be disabled by kernel parameter when booting.
+
+Signed-off-by: Chun-Yi Lee <j...@suse.com>
+Signed-off-by: Robert Frohl <rfr...@suse.com>
+---
+ init/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -1141,6 +1141,10 @@ static int __init initcall_blacklist(cha
+ do {
+ str_entry = strsep(&str, ",");
+ if (str_entry) {
++ if (!strcmp(str_entry, "arm64_kernel_lockdown")) {
++ pr_debug("The arm64_kernel_lockdown initcall
can not be blacklisted.\n");
++ continue;
++ }
+ pr_debug("blacklisting initcall %s\n", str_entry);
+ entry = memblock_alloc(sizeof(*entry),
+ SMP_CACHE_BYTES);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0002-security-Add-a-kernel-lockdown-flag-for-early-boot-s.patch
new/patches.suse/0002-security-Add-a-kernel-lockdown-flag-for-early-boot-s.patch
---
old/patches.suse/0002-security-Add-a-kernel-lockdown-flag-for-early-boot-s.patch
2025-03-28 23:00:36.000000000 +0100
+++
new/patches.suse/0002-security-Add-a-kernel-lockdown-flag-for-early-boot-s.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,159 +0,0 @@
-From 8590e50095f5de31f7083ebd1fd0df5b52ea4b4b Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <j...@suse.com>
-Date: Thu, 19 Dec 2024 13:49:09 +0800
-Subject: [PATCH 2/5] security: Add a kernel lockdown flag for early boot stage
-Patch-mainline: Never, temporary solution
-References: bsc#1234646
-
-This is a a temporary solution. After the patch '77b644c39d6a init/main.c:
-Initialize early LSMs after arch code, static keys and calls' be introduced
-to v6.12 kernel. The early_security_init() be moved behine setup_arch(). It
-causes that thee original code of CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in
-setup_arch() is invalid.
-
-The lockdown_early.c file includes two functions which are copied from
-security/lockdown/lockdown.c and just simply modified for keeping the
-original calling habits. For filling in the gap, I go back to use a
-lock flag in early boot stage before the lockdown LSM be initial after
-setup_arch(). The reason for creating a new C files instead of direct
-modifing lockdown.c is to avoid compromising the security of lockdown LSM.
-
-This solution only be used in limited lock-down functions in setup_arch()
-or even in early_initcall stage. I will removed this temporary solution
-after the real solution shows on kernel mainline.
-
-References: https://bugzilla.opensuse.org/show_bug.cgi?id=1234646
-Signed-off-by: Chun-Yi Lee <j...@suse.com>
----
- include/linux/kernel.h | 9 ++++++
- include/linux/security.h | 9 ++++++
- security/Kconfig | 8 +++++
- security/Makefile | 3 ++
- security/lockdown_early.c | 63
++++++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 92 insertions(+)
- create mode 100644 security/lockdown_early.c
-
---- a/include/linux/kernel.h
-+++ b/include/linux/kernel.h
-@@ -402,4 +402,13 @@ static inline void ftrace_dump(enum ftra
- /* OTHER_WRITABLE? Generally considered a bad idea. */
\
- BUILD_BUG_ON_ZERO((perms) & 2) +
\
- (perms))
-+
-+#ifdef CONFIG_LOCK_DOWN_KERNEL_EARLY
-+int kernel_is_locked_down_early(int what);
-+#else
-+static inline int kernel_is_locked_down_early(int what)
-+{
-+ return 0;
-+}
-+#endif
- #endif
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -2315,4 +2315,13 @@ static inline void security_initramfs_po
- }
- #endif /* CONFIG_SECURITY */
-
-+#ifdef CONFIG_LOCK_DOWN_KERNEL_EARLY
-+int __init lock_kernel_down_early(const char *where, enum lockdown_reason
level);
-+#else
-+static inline int lock_kernel_down_early(const char *where, enum
lockdown_reason level)
-+{
-+ return 0;
-+}
-+#endif
-+
- #endif /* ! __LINUX_SECURITY_H */
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -215,6 +215,14 @@ config STATIC_USERMODEHELPER_PATH
- If you wish for all usermode helper programs to be disabled,
- specify an empty string here (i.e. "").
-
-+config LOCK_DOWN_KERNEL_EARLY
-+ bool "Allow the kernel to be 'locked down' in early boot stage"
-+ help
-+ Allow the kernel to be locked down under certain circumstances in
-+ early boot stagse, for instance if UEFI secure boot is enabled.
-+ Locking down the kernel turns off various features that might
-+ otherwise allow access to the kernel image.
-+
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -29,3 +29,6 @@ obj-$(CONFIG_SECURITY_IPE) += ipe/
-
- # Object integrity file lists
- obj-$(CONFIG_INTEGRITY) += integrity/
-+
-+# Allow the kernel to be locked down in early boot stage
-+obj-$(CONFIG_LOCK_DOWN_KERNEL_EARLY) += lockdown_early.o
---- /dev/null
-+++ b/security/lockdown_early.c
-@@ -0,0 +1,63 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/* Lock down flag of the kernel in early stage
-+ *
-+ * Copyright (c) 2024 SUSE LLC. All Rights Reserved.
-+ * Written by Joey Lee (j...@suse.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+/* This is a a temporary solution. After the patch '77b644c39d6a init/main.c:
-+ * Initialize early LSMs after arch code, static keys and calls' be introduced
-+ * to v6.12 kernel. The early_security_init() be moved behine setup_arch().
-+ * It causes that thee original code of CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in
-+ * setup_arch() is invalid.
-+ *
-+ * This file includes two functions which are copied from
-+ * security/lockdown/lockdown.c and just simply modified for keeping the
-+ * original calling habits. For filling in the gap, I go back to use a lock
-+ * flag in early boot stage before the lockdown LSM be initial after
-+ * setup_arch(). The reason for creating a new C files instead of direct
-+ * modifing lockdown.c is to avoid compromising the security of lockdown LSM.
-+ *
-+ * This solution only be used in limited lock-down functions in setup_arch()
-+ * or even in early_initcall stage. I will removed this temporary solution
-+ * after the real solution shows on kernel mainline.
-+ */
-+
-+#include <linux/security.h>
-+
-+static enum lockdown_reason kernel_locked_down_early __ro_after_init;
-+
-+static const enum lockdown_reason early_lockdown_levels[] = {LOCKDOWN_NONE,
-+ LOCKDOWN_INTEGRITY_MAX,
-+ LOCKDOWN_CONFIDENTIALITY_MAX};
-+
-+int __init lock_kernel_down_early(const char *where, enum lockdown_reason
level)
-+{
-+ if (kernel_locked_down_early >= level)
-+ return -EPERM;
-+
-+ kernel_locked_down_early = level;
-+ pr_notice("Kernel is early locked down from %s; see man
kernel_lockdown.7\n",
-+ where);
-+ return 0;
-+}
-+
-+int kernel_is_locked_down_early(int what)
-+{
-+ if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
-+ "Invalid lockdown reason"))
-+ return -EPERM;
-+
-+ if (kernel_locked_down_early >= what) {
-+ if (lockdown_reasons[what])
-+ pr_notice_ratelimited("Lockdown early: %s: %s is
restricted; see man kernel_lockdown.7\n",
-+ current->comm, lockdown_reasons[what]);
-+ return -EPERM;
-+ }
-+
-+ return 0;
-+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0003-efi-Set-early-kernel-lock-down-flag-if-booted-in-sec.patch
new/patches.suse/0003-efi-Set-early-kernel-lock-down-flag-if-booted-in-sec.patch
---
old/patches.suse/0003-efi-Set-early-kernel-lock-down-flag-if-booted-in-sec.patch
2025-03-28 23:00:36.000000000 +0100
+++
new/patches.suse/0003-efi-Set-early-kernel-lock-down-flag-if-booted-in-sec.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,37 +0,0 @@
-From 8827db53bf2d12c7c0233f27f3bd082564894e6b Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <j...@suse.com>
-Date: Thu, 19 Dec 2024 15:56:20 +0800
-Subject: [PATCH 3/5] efi: Set early kernel lock down flag if booted in secure
- boot mode
-Patch-mainline: Never, temporary solution
-References: bsc#1234646
-
-After '77b644c39d6a init/main.c: Initialize early LSMs after arch code,
-static keys and calls' be introduced in v6.12, the lockdown LSM does
-not work in setup_arch() now. This patch set a early kernel lock down
-flag for filling the gap.
-
-Signed-off-by: Chun-Yi Lee <j...@suse.com>
----
- arch/x86/kernel/setup.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f6e985f64..2519960a1 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -908,8 +908,10 @@ void __init setup_arch(char **cmdline_p)
- efi_set_secure_boot(boot_params.secure_boot);
-
- #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-- if (efi_enabled(EFI_SECURE_BOOT))
-+ if (efi_enabled(EFI_SECURE_BOOT)) {
- security_lock_kernel_down("EFI Secure Boot mode",
LOCKDOWN_INTEGRITY_MAX);
-+ lock_kernel_down_early("EFI Secure Boot mode",
LOCKDOWN_INTEGRITY_MAX);
-+ }
- #endif
-
- reserve_ibft_region();
---
-2.35.3
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0004-ACPI-Check-early-kernel-lockdown-flag-before-overlay.patch
new/patches.suse/0004-ACPI-Check-early-kernel-lockdown-flag-before-overlay.patch
---
old/patches.suse/0004-ACPI-Check-early-kernel-lockdown-flag-before-overlay.patch
2025-03-28 23:00:36.000000000 +0100
+++
new/patches.suse/0004-ACPI-Check-early-kernel-lockdown-flag-before-overlay.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,67 +0,0 @@
-From d8cb96c98e5e45214cf97b78a8e79e8ef2651de4 Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <j...@suse.com>
-Date: Thu, 19 Dec 2024 16:36:15 +0800
-Subject: [PATCH 4/5] ACPI: Check early kernel lockdown flag before overlaying
- tables
-Patch-mainline: Never, temporary solution
-References: bsc#1234646
-
-This patch adds the codes for Checking the early kernel locdown flag
-before overlaying ACPI tables in early boot stage.
-
-Signed-off-by: Chun-Yi Lee <j...@suse.com>
----
- drivers/acpi/osl.c | 3 ++-
- drivers/acpi/tables.c | 3 ++-
- drivers/firmware/efi/efi.c | 7 ++++++-
- 3 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 70af3fbbe..ce827a06d 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -197,7 +197,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- * specific location (if appropriate) so it can be carried
- * over further kexec()s.
- */
-- if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) {
-+ if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES) &&
-+ !kernel_is_locked_down_early(LOCKDOWN_ACPI_TABLES)) {
- acpi_arch_set_root_pointer(acpi_rsdp);
- return acpi_rsdp;
- }
-diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index 9e1b01c35..76f54f131 100644
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -486,7 +486,8 @@ void __init acpi_table_upgrade(void)
- if (table_nr == 0)
- return;
-
-- if (security_locked_down(LOCKDOWN_ACPI_TABLES)) {
-+ if (kernel_is_locked_down_early(LOCKDOWN_ACPI_TABLES) ||
-+ security_locked_down(LOCKDOWN_ACPI_TABLES)) {
- pr_notice("kernel is locked down, ignoring table override\n");
- return;
- }
-diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index 70490bf26..61960b2f4 100644
---- a/drivers/firmware/efi/efi.c
-+++ b/drivers/firmware/efi/efi.c
-@@ -254,7 +254,12 @@ EXPORT_SYMBOL_GPL(efivars_generic_ops_unregister);
- static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
- static int __init efivar_ssdt_setup(char *str)
- {
-- int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
-+ int ret = kernel_is_locked_down_early(LOCKDOWN_ACPI_TABLES);
-+
-+ if (ret)
-+ return ret;
-+
-+ ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
-
- if (ret)
- return ret;
---
-2.35.3
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/0005-kgdb-Check-early-kernel-lockdown-flag-before-using-k.patch
new/patches.suse/0005-kgdb-Check-early-kernel-lockdown-flag-before-using-k.patch
---
old/patches.suse/0005-kgdb-Check-early-kernel-lockdown-flag-before-using-k.patch
2025-03-28 23:00:36.000000000 +0100
+++
new/patches.suse/0005-kgdb-Check-early-kernel-lockdown-flag-before-using-k.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,50 +0,0 @@
-From 0f51a23758906903c2a4d1276018030d24de1d2b Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <j...@suse.com>
-Date: Thu, 19 Dec 2024 19:58:48 +0800
-Subject: [PATCH 5/5] kgdb: Check early kernel lockdown flag before using kgdb
-Patch-mainline: Never, temporary solution
-References: bsc#1234646
-
-Signed-off-by: Chun-Yi Lee <j...@suse.com>
----
- kernel/debug/debug_core.c | 3 ++-
- kernel/debug/kdb/kdb_main.c | 6 ++++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
-index ce1bb2301..7d962f038 100644
---- a/kernel/debug/debug_core.c
-+++ b/kernel/debug/debug_core.c
-@@ -754,7 +754,8 @@ static int kgdb_cpu_enter(struct kgdb_state *ks, struct
pt_regs *regs,
- * themselves, especially with help from the lockdown
- * message printed on the console!
- */
-- if (security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL)) {
-+ if (security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL) ||
-+
kernel_is_locked_down_early(LOCKDOWN_DBG_WRITE_KERNEL)) {
- if (IS_ENABLED(CONFIG_KGDB_KDB)) {
- /* Switch back to kdb if possible... */
- dbg_kdb_mode = 1;
-diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index f5f7d7fb5..403a19ef5 100644
---- a/kernel/debug/kdb/kdb_main.c
-+++ b/kernel/debug/kdb/kdb_main.c
-@@ -189,11 +189,13 @@ static void kdb_check_for_lockdown(void)
-
- if (kdb_cmd_enabled & (KDB_ENABLE_ALL | write_flags))
- need_to_lockdown_write =
-- security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL);
-+ security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL) ||
-+ kernel_is_locked_down_early(LOCKDOWN_DBG_WRITE_KERNEL);
-
- if (kdb_cmd_enabled & (KDB_ENABLE_ALL | read_flags))
- need_to_lockdown_read =
-- security_locked_down(LOCKDOWN_DBG_READ_KERNEL);
-+ security_locked_down(LOCKDOWN_DBG_READ_KERNEL) ||
-+ kernel_is_locked_down_early(LOCKDOWN_DBG_READ_KERNEL);
-
- /* De-compose KDB_ENABLE_ALL if required */
- if (need_to_lockdown_write || need_to_lockdown_read)
---
-2.35.3
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
new/patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
---
old/patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
1970-01-01 01:00:00.000000000 +0100
+++
new/patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
2025-04-24 13:12:02.000000000 +0200
@@ -0,0 +1,103 @@
+From 6b5ef62853a660182662d87230e9fcba9d7c36ce Mon Sep 17 00:00:00 2001
+From: Srish Srinivasan <ssr...@linux.ibm.com>
+Date: Thu, 13 Mar 2025 10:40:43 +0100
+Subject: [PATCH] lockdown: fix kernel lockdown enforcement issue when secure
+ boot is enabled
+Patch-mainline: Never, SUSE specific
+References: bsc#1237521
+
+On secure boot enabled systems, the kernel is expected to be locked down early
+in setup_arch. The registration of the lockdown LSM's hook list is carried
+out as a part of early_security_init. But early_security_init is no longer
+happening before setup_arch after the inclusion of the patch series (Reduce
+overhead of LSMs with static calls).
+Link: https://lore.kernel.org/all/20240816154307.3031838-1-kpsi...@kernel.org/
+
+Access the lockdown LSM's hook list directly from security_lock_kernel_down and
+security_locked_down. Define a macro to invoke a hook function upon getting
+the hook list and the hook name. This enforces lockdown when secure boot is
enabled.
+
+These changes are based on the SLES-16 Linux Kernel source code, src rpm
+version is 6.12.0-slfo.1.2.2.
+
+Fixes: 77b644c39d6a ("init/main.c: Initialize early LSMs after arch code,
static keys and calls.")
+Signed-off-by: Srish Srinivasan <ssr...@linux.ibm.com>
+Reviewed-by: Nayna Jain <na...@linux.ibm.com>
+Acked-by: Lee, Chun-Yi <j...@suse.com>
+Signed-off-by: Robert Frohl <rfr...@suse.com>
+---
+ include/linux/lsm_hooks.h | 5 +++++
+ security/lockdown/lockdown.c | 2 ++
+ security/security.c | 22 ++++++++++++++++++++--
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -173,6 +173,11 @@ extern struct lsm_static_calls_table sta
+ extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
+ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
+
++extern struct security_hook_list* lockdown_hooks_secure_boot;
++
++#define INDEX_LOCKED_DOWN 0
++#define INDEX_LOCK_KERNEL_DOWN 1
++
+ /**
+ * lsm_get_xattr_slot - Return the next available slot and increment the index
+ * @xattrs: array storing LSM-provided xattrs
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -77,6 +77,8 @@ static struct security_hook_list lockdow
+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+
++struct security_hook_list *lockdown_hooks_secure_boot = lockdown_hooks;
++
+ static const struct lsm_id lockdown_lsmid = {
+ .name = "lockdown",
+ .id = LSM_ID_LOCKDOWN,
+--- a/security/security.c
++++ b/security/security.c
+@@ -982,6 +982,16 @@ OUT:
\
+ scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \
+ if (static_key_enabled(&scall->active->key))
+
++#define call_int_hook_direct(HOOK_DESC, INDEX, HOOK, ...) \
++({ \
++ int RC = LSM_RET_DEFAULT(HOOK); \
++ do { \
++ struct security_hook_list *P = &HOOK_DESC[INDEX]; \
++ RC = P->hook.HOOK(__VA_ARGS__); \
++ } while (0); \
++ RC; \
++})
++
+ /* Security operations */
+
+ /**
+@@ -5797,7 +5807,11 @@ void security_bpf_token_free(struct bpf_
+ */
+ int security_locked_down(enum lockdown_reason what)
+ {
+- return call_int_hook(locked_down, what);
++#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
++ return call_int_hook_direct(lockdown_hooks_secure_boot,
INDEX_LOCKED_DOWN, locked_down, what);
++#else
++ return 0;
++#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+ }
+ EXPORT_SYMBOL(security_locked_down);
+
+@@ -5890,7 +5904,11 @@ EXPORT_SYMBOL(security_bdev_setintegrity
+ */
+ int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+ {
+- return call_int_hook(lock_kernel_down, where, level);
++#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
++ return call_int_hook_direct(lockdown_hooks_secure_boot,
INDEX_LOCK_KERNEL_DOWN, lock_kernel_down, where, level);
++#else
++ return 0;
++#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+ }
+ EXPORT_SYMBOL(security_lock_kernel_down);
+
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.3YNpjm/_old 2025-04-28 16:16:22.529252766 +0200
+++ /var/tmp/diff_new_pack.3YNpjm/_new 2025-04-28 16:16:22.533252934 +0200
@@ -5419,6 +5419,224 @@
patches.kernel.org/6.12.24-392-s390-cpumf-Fix-double-free-on-error-in-cpumf_.patch
patches.kernel.org/6.12.24-393-HSI-ssi_protocol-Fix-use-after-free-vulnerabi.patch
patches.kernel.org/6.12.24-394-Linux-6.12.24.patch
+
patches.kernel.org/6.12.25-001-scsi-hisi_sas-Enable-force-phy-when-SATA-disk.patch
+
patches.kernel.org/6.12.25-002-wifi-at76c50x-fix-use-after-free-access-in-at.patch
+
patches.kernel.org/6.12.25-003-wifi-mac80211-Update-skb-s-control-block-key-.patch
+
patches.kernel.org/6.12.25-004-wifi-mac80211-Purge-vif-txq-in-ieee80211_do_s.patch
+
patches.kernel.org/6.12.25-005-wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
+
patches.kernel.org/6.12.25-006-scsi-iscsi-Fix-missing-scsi_host_put-in-error.patch
+
patches.kernel.org/6.12.25-007-driver-core-bus-add-irq_get_affinity-callback.patch
+
patches.kernel.org/6.12.25-008-blk-mq-introduce-blk_mq_map_hw_queues.patch
+
patches.kernel.org/6.12.25-009-scsi-replace-blk_mq_pci_map_queues-with-blk_m.patch
+
patches.kernel.org/6.12.25-010-scsi-smartpqi-Use-is_kdump_kernel-to-check-fo.patch
+
patches.kernel.org/6.12.25-011-md-raid10-fix-missing-discard-IO-accounting.patch
+
patches.kernel.org/6.12.25-012-md-md-bitmap-fix-stats-collection-for-externa.patch
+
patches.kernel.org/6.12.25-013-ASoC-dwc-always-enable-disable-i2s-irqs.patch
+
patches.kernel.org/6.12.25-014-ASoC-Intel-avs-Fix-null-ptr-deref-in-avs_comp.patch
+
patches.kernel.org/6.12.25-015-crypto-tegra-remove-redundant-error-check-on-.patch
+
patches.kernel.org/6.12.25-016-crypto-tegra-Do-not-use-fixed-size-buffers.patch
+
patches.kernel.org/6.12.25-017-crypto-tegra-Fix-IV-usage-for-AES-ECB.patch
+
patches.kernel.org/6.12.25-018-ovl-remove-unused-forward-declaration.patch
+
patches.kernel.org/6.12.25-019-RDMA-usnic-Fix-passing-zero-to-PTR_ERR-in-usn.patch
+
patches.kernel.org/6.12.25-020-RDMA-hns-Fix-wrong-maximum-DMA-segment-size.patch
+
patches.kernel.org/6.12.25-021-ALSA-hda-cirrus_scodec_test-Don-t-select-depe.patch
+
patches.kernel.org/6.12.25-022-ALSA-hda-improve-bass-speaker-support-for-ASU.patch
+
patches.kernel.org/6.12.25-023-ALSA-hda-realtek-Workaround-for-resume-on-Del.patch
+
patches.kernel.org/6.12.25-024-ALSA-hda-realtek-Fixed-ASUS-platform-headset-.patch
+
patches.kernel.org/6.12.25-025-ASoC-cs42l43-Reset-clamp-override-on-jack-rem.patch
+
patches.kernel.org/6.12.25-026-RDMA-core-Silence-oversized-kvmalloc-warning.patch
+
patches.kernel.org/6.12.25-027-Bluetooth-hci_event-Fix-sending-MGMT_EV_DEVIC.patch
+
patches.kernel.org/6.12.25-028-Bluetooth-btrtl-Prevent-potential-NULL-derefe.patch
+
patches.kernel.org/6.12.25-029-Bluetooth-l2cap-Check-encryption-key-size-on-.patch
+
patches.kernel.org/6.12.25-030-ipv6-add-exception-routes-to-GC-list-in-rt6_i.patch
+ patches.kernel.org/6.12.25-031-xen-fix-multicall-debug-feature.patch
+
patches.kernel.org/6.12.25-032-Revert-wifi-mac80211-Update-skb-s-control-blo.patch
+ patches.kernel.org/6.12.25-033-igc-fix-PTM-cycle-trigger-logic.patch
+
patches.kernel.org/6.12.25-034-igc-increase-wait-time-before-retrying-PTM.patch
+
patches.kernel.org/6.12.25-035-igc-move-ktime-snapshot-into-PTM-retry-loop.patch
+
patches.kernel.org/6.12.25-036-igc-handle-the-IGC_PTP_ENABLED-flag-correctly.patch
+
patches.kernel.org/6.12.25-037-igc-cleanup-PTP-module-if-probe-fails.patch
+
patches.kernel.org/6.12.25-038-igc-add-lock-preventing-multiple-simultaneous.patch
+
patches.kernel.org/6.12.25-039-dt-bindings-soc-fsl-fsl-ls1028a-reset-Fix-mai.patch
+
patches.kernel.org/6.12.25-040-smc-Fix-lockdep-false-positive-for-IPPROTO_SM.patch
+ patches.kernel.org/6.12.25-041-test-suite-use-zu-to-print-size_t.patch
+
patches.kernel.org/6.12.25-042-pds_core-fix-memory-leak-in-pdsc_debugfs_add_.patch
+
patches.kernel.org/6.12.25-043-ethtool-cmis_cdb-use-correct-rpl-size-in-etht.patch
+ patches.kernel.org/6.12.25-044-net-mctp-Set-SOCK_RCU_FREE.patch
+
patches.kernel.org/6.12.25-045-block-fix-resource-leak-in-blk_register_queue.patch
+
patches.kernel.org/6.12.25-046-netlink-specs-ovs_vport-align-with-C-codegen-.patch
+
patches.kernel.org/6.12.25-047-net-openvswitch-fix-nested-key-length-validat.patch
+
patches.kernel.org/6.12.25-048-can-rockchip_canfd-fix-broken-quirks-checks.patch
+
patches.kernel.org/6.12.25-049-net-ngbe-fix-memory-leak-in-ngbe_probe-error-.patch
+
patches.kernel.org/6.12.25-050-net-ethernet-ti-am65-cpsw-fix-port_np-referen.patch
+
patches.kernel.org/6.12.25-051-eth-bnxt-fix-missing-ring-index-trim-on-error.patch
+
patches.kernel.org/6.12.25-052-loop-aio-inherit-the-ioprio-of-original-reque.patch
+
patches.kernel.org/6.12.25-053-loop-stop-using-vfs_iter_-read-write-for-buff.patch
+
patches.kernel.org/6.12.25-054-ata-libata-sata-Save-all-fields-from-sense-da.patch
+
patches.kernel.org/6.12.25-055-cxgb4-fix-memory-leak-in-cxgb4_init_ethtool_f.patch
+
patches.kernel.org/6.12.25-056-netlink-specs-rt-link-add-an-attr-layer-aroun.patch
+
patches.kernel.org/6.12.25-057-netlink-specs-rt-link-adjust-mctp-attribute-n.patch
+
patches.kernel.org/6.12.25-058-net-b53-enable-BPDU-reception-for-management-.patch
+
patches.kernel.org/6.12.25-059-net-bridge-switchdev-do-not-notify-new-brentr.patch
+
patches.kernel.org/6.12.25-060-net-txgbe-fix-memory-leak-in-txgbe_probe-erro.patch
+
patches.kernel.org/6.12.25-061-net-dsa-mv88e6xxx-avoid-unregistering-devlink.patch
+
patches.kernel.org/6.12.25-062-net-dsa-mv88e6xxx-fix-ENOENT-when-deleting-VL.patch
+
patches.kernel.org/6.12.25-063-net-dsa-clean-up-FDB-MDB-VLAN-entries-on-unbi.patch
+
patches.kernel.org/6.12.25-064-net-dsa-free-routing-table-on-probe-failure.patch
+
patches.kernel.org/6.12.25-065-net-dsa-avoid-refcount-warnings-when-ds-ops-t.patch
+
patches.kernel.org/6.12.25-066-ptp-ocp-fix-start-time-alignment-in-ptp_ocp_s.patch
+
patches.kernel.org/6.12.25-067-net-ti-icss-iep-Add-pwidth-configuration-for-.patch
+
patches.kernel.org/6.12.25-068-net-ti-icss-iep-Add-phase-offset-configuratio.patch
+
patches.kernel.org/6.12.25-069-net-ti-icss-iep-Fix-possible-NULL-pointer-der.patch
+
patches.kernel.org/6.12.25-070-net-ethernet-mtk_eth_soc-reapply-mdc-divider-.patch
+
patches.kernel.org/6.12.25-071-net-ethernet-mtk_eth_soc-correct-the-max-weig.patch
+
patches.kernel.org/6.12.25-072-net-ethernet-mtk_eth_soc-revise-QDMA-packet-s.patch
+
patches.kernel.org/6.12.25-073-riscv-Use-kvmalloc_array-on-relocation_hashta.patch
+
patches.kernel.org/6.12.25-074-riscv-Properly-export-reserved-regions-in-pro.patch
+
patches.kernel.org/6.12.25-075-riscv-module-Fix-out-of-bounds-relocation-acc.patch
+
patches.kernel.org/6.12.25-076-riscv-module-Allocate-PLT-entries-for-R_RISCV.patch
+
patches.kernel.org/6.12.25-077-kunit-qemu_configs-SH-Respect-kunit-cmdline.patch
+
patches.kernel.org/6.12.25-078-riscv-KGDB-Do-not-inline-arch_kgdb_breakpoint.patch
+
patches.kernel.org/6.12.25-079-riscv-KGDB-Remove-.option-norvc-.option-rvc-f.patch
+
patches.kernel.org/6.12.25-080-cpufreq-sched-Fix-the-usage-of-CPUFREQ_NEED_U.patch
+
patches.kernel.org/6.12.25-081-objtool-rust-add-one-more-noreturn-Rust-funct.patch
+
patches.kernel.org/6.12.25-082-rust-kasan-kbuild-fix-missing-flags-on-first-.patch
+
patches.kernel.org/6.12.25-083-rust-disable-clippy-needless_continue.patch
+
patches.kernel.org/6.12.25-084-rust-kbuild-use-pound-to-support-GNU-Make-4.3.patch
+
patches.kernel.org/6.12.25-085-writeback-fix-false-warning-in-inode_to_wb.patch
+
patches.kernel.org/6.12.25-086-Revert-PCI-Avoid-reset-when-disabled-via-sysf.patch
+
patches.kernel.org/6.12.25-087-ASoC-fsl-fsl_qmc_audio-Reset-audio-data-point.patch
+
patches.kernel.org/6.12.25-088-ASoC-codecs-lpass-wsa-macro-Fix-vi-feedback-r.patch
+
patches.kernel.org/6.12.25-089-ASoC-codecs-lpass-wsa-macro-Fix-logic-of-enab.patch
+
patches.kernel.org/6.12.25-090-ASoC-Intel-sof_sdw-Add-quirk-for-Asus-Zenbook.patch
+
patches.kernel.org/6.12.25-091-ASoC-qcom-Fix-sc7280-lpass-potential-buffer-o.patch
+
patches.kernel.org/6.12.25-092-asus-laptop-Fix-an-uninitialized-variable.patch
+
patches.kernel.org/6.12.25-093-block-integrity-Do-not-call-set_page_dirty_lo.patch
+
patches.kernel.org/6.12.25-094-drm-v3d-Fix-Indirect-Dispatch-configuration-f.patch
+
patches.kernel.org/6.12.25-095-dma-buf-sw_sync-Decrement-refcount-on-error-i.patch
+
patches.kernel.org/6.12.25-096-nfs-add-missing-selections-of-CONFIG_CRC32.patch
+
patches.kernel.org/6.12.25-097-nfsd-decrease-sc_count-directly-if-fail-to-qu.patch
+ patches.kernel.org/6.12.25-098-i2c-atr-Fix-wrong-include.patch
+
patches.kernel.org/6.12.25-099-ftrace-fix-incorrect-hash-size-in-register_ft.patch
+
patches.kernel.org/6.12.25-100-drm-msm-a6xx-Don-t-let-IB_SIZE-overflow.patch
+
patches.kernel.org/6.12.25-101-Bluetooth-l2cap-Process-valid-commands-in-too.patch
+
patches.kernel.org/6.12.25-102-Bluetooth-vhci-Avoid-needless-snprintf-calls.patch
+
patches.kernel.org/6.12.25-103-btrfs-correctly-escape-subvol-in-btrfs_show_o.patch
+
patches.kernel.org/6.12.25-104-cpufreq-sched-Explicitly-synchronize-limits_c.patch
+
patches.kernel.org/6.12.25-105-crypto-caam-qi-Fix-drv_ctx-refcount-bug.patch
+
patches.kernel.org/6.12.25-106-hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bno.patch
+
patches.kernel.org/6.12.25-107-i2c-cros-ec-tunnel-defer-probe-if-parent-EC-i.patch
+
patches.kernel.org/6.12.25-108-isofs-Prevent-the-use-of-too-small-fid.patch
+
patches.kernel.org/6.12.25-109-loop-properly-send-KOBJ_CHANGED-uevent-for-di.patch
+
patches.kernel.org/6.12.25-110-loop-LOOP_SET_FD-send-uevents-for-partitions.patch
+
patches.kernel.org/6.12.25-111-mm-compaction-fix-bug-in-hugetlb-handling-pat.patch
+
patches.kernel.org/6.12.25-112-mm-gup-fix-wrongly-calculated-returned-value-.patch
+
patches.kernel.org/6.12.25-113-mm-fix-filemap_get_folios_contig-returning-ba.patch
+ patches.kernel.org/6.12.25-114-mm-fix-apply_to_existing_page_range.patch
+ patches.kernel.org/6.12.25-115-ovl-don-t-allow-datadir-only.patch
+
patches.kernel.org/6.12.25-116-ksmbd-Fix-dangling-pointer-in-krb_authenticat.patch
+
patches.kernel.org/6.12.25-117-ksmbd-fix-use-after-free-in-smb_break_all_lev.patch
+
patches.kernel.org/6.12.25-118-ksmbd-Prevent-integer-overflow-in-calculation.patch
+
patches.kernel.org/6.12.25-119-ksmbd-fix-the-warning-from-__kernel_write_ite.patch
+
patches.kernel.org/6.12.25-120-Revert-smb-client-Fix-netns-refcount-imbalanc.patch
+
patches.kernel.org/6.12.25-121-Revert-smb-client-fix-TCP-timers-deadlock-aft.patch
+
patches.kernel.org/6.12.25-122-riscv-Avoid-fortify-warning-in-syscall_get_ar.patch
+
patches.kernel.org/6.12.25-123-selftests-mm-generate-a-temporary-mountpoint-.patch
+
patches.kernel.org/6.12.25-124-slab-ensure-slab-obj_exts-is-clear-in-a-newly.patch
+
patches.kernel.org/6.12.25-125-smb3-client-fix-open-hardlink-on-deferred-clo.patch
+
patches.kernel.org/6.12.25-126-string-Add-load_unaligned_zeropad-code-path-t.patch
+ patches.kernel.org/6.12.25-127-tracing-Fix-filter-string-testing.patch
+
patches.kernel.org/6.12.25-128-virtiofs-add-filesystem-context-source-name-c.patch
+
patches.kernel.org/6.12.25-129-x86-microcode-AMD-Extend-the-SHA-check-to-Zen.patch
+
patches.kernel.org/6.12.25-130-x86-cpu-amd-Fix-workaround-for-erratum-1054.patch
+
patches.kernel.org/6.12.25-131-x86-boot-sev-Avoid-shared-GHCB-page-for-early.patch
+
patches.kernel.org/6.12.25-132-scsi-megaraid_sas-Block-zero-length-ATA-VPD-i.patch
+
patches.kernel.org/6.12.25-133-scsi-ufs-exynos-Ensure-consistent-phy-referen.patch
+
patches.kernel.org/6.12.25-134-RDMA-cma-Fix-workqueue-crash-in-cma_netevent_.patch
+
patches.kernel.org/6.12.25-135-RAS-AMD-ATL-Include-row-13-bit-in-row-retirem.patch
+ patches.kernel.org/6.12.25-136-RAS-AMD-FMPM-Get-masked-address.patch
+ patches.kernel.org/6.12.25-137-platform-x86-amd-pmf-Fix-STT-limits.patch
+
patches.kernel.org/6.12.25-138-perf-x86-intel-Allow-to-update-user-space-GPR.patch
+
patches.kernel.org/6.12.25-139-perf-x86-intel-uncore-Fix-the-scale-of-IIO-fr.patch
+
patches.kernel.org/6.12.25-140-perf-x86-intel-uncore-Fix-the-scale-of-IIO-fr.patch
+
patches.kernel.org/6.12.25-141-perf-x86-intel-uncore-Fix-the-scale-of-IIO-fr.patch
+
patches.kernel.org/6.12.25-142-drm-repaper-fix-integer-overflows-in-repeat-f.patch
+
patches.kernel.org/6.12.25-143-drm-ast-Fix-ast_dp-connection-status.patch
+
patches.kernel.org/6.12.25-144-drm-msm-dsi-Add-check-for-devm_kstrdup.patch
+
patches.kernel.org/6.12.25-145-drm-msm-a6xx-Fix-stale-rpmh-votes-from-GPU.patch
+
patches.kernel.org/6.12.25-146-drm-amdgpu-Prefer-shadow-rom-when-available.patch
+
patches.kernel.org/6.12.25-147-drm-amd-display-prevent-hang-on-link-training.patch
+
patches.kernel.org/6.12.25-148-drm-amd-Handle-being-compiled-without-SI-or-C.patch
+
patches.kernel.org/6.12.25-149-drm-amd-display-Actually-do-immediate-vblank-.patch
+
patches.kernel.org/6.12.25-150-drm-amd-display-Increase-vblank-offdelay-for-.patch
+ patches.kernel.org/6.12.25-151-drm-amd-pm-Prevent-division-by-zero.patch
+
patches.kernel.org/6.12.25-152-drm-amd-pm-powerplay-Prevent-division-by-zero.patch
+
patches.kernel.org/6.12.25-153-drm-amd-pm-smu11-Prevent-division-by-zero.patch
+
patches.kernel.org/6.12.25-154-drm-amd-pm-powerplay-hwmgr-smu7_thermal-Preve.patch
+
patches.kernel.org/6.12.25-155-drm-amd-pm-swsmu-smu13-smu_v13_0-Prevent-divi.patch
+
patches.kernel.org/6.12.25-156-drm-amd-pm-powerplay-hwmgr-vega20_thermal-Pre.patch
+
patches.kernel.org/6.12.25-157-drm-amdgpu-mes12-optimize-MES-pipe-FW-version.patch
+
patches.kernel.org/6.12.25-158-drm-i915-vrr-Add-vrr.vsync_-start-end-in-vrr_.patch
+
patches.kernel.org/6.12.25-159-drm-xe-Use-local-fence-in-error-path-of-xe_mi.patch
+
patches.kernel.org/6.12.25-160-drm-amd-display-Add-HP-Elitebook-645-to-the-q.patch
+
patches.kernel.org/6.12.25-161-drm-amd-display-Protect-FPU-in-dml2_validate-.patch
+
patches.kernel.org/6.12.25-162-drm-amd-display-Protect-FPU-in-dml21_copy.patch
+
patches.kernel.org/6.12.25-163-drm-amdgpu-mes11-optimize-MES-pipe-FW-version.patch
+
patches.kernel.org/6.12.25-164-drm-amdgpu-dma_buf-fix-page_link-check.patch
+
patches.kernel.org/6.12.25-165-drm-nouveau-prime-fix-ttm_bo_delayed_delete-o.patch
+
patches.kernel.org/6.12.25-166-drm-imagination-fix-firmware-memory-leaks.patch
+
patches.kernel.org/6.12.25-167-drm-imagination-take-paired-job-reference.patch
+
patches.kernel.org/6.12.25-168-drm-sti-remove-duplicate-object-names.patch
+
patches.kernel.org/6.12.25-169-drm-xe-Fix-an-out-of-bounds-shift-when-invali.patch
+
patches.kernel.org/6.12.25-170-drm-i915-gvt-fix-unterminated-string-initiali.patch
+
patches.kernel.org/6.12.25-171-drm-amdgpu-immediately-use-GTT-for-new-alloca.patch
+
patches.kernel.org/6.12.25-172-drm-amd-display-Do-not-enable-Replay-and-PSR-.patch
+
patches.kernel.org/6.12.25-173-drm-amd-display-Protect-FPU-in-dml2_init-dml2.patch
+
patches.kernel.org/6.12.25-174-drm-amd-display-Add-HP-Probook-445-and-465-to.patch
+
patches.kernel.org/6.12.25-175-drm-xe-dma_buf-stop-relying-on-placement-in-u.patch
+
patches.kernel.org/6.12.25-176-drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch
+
patches.kernel.org/6.12.25-177-drm-xe-Set-LRC-addresses-before-guc-load.patch
+
patches.kernel.org/6.12.25-178-drm-amdgpu-fix-warning-of-drm_mm_clean.patch
+
patches.kernel.org/6.12.25-179-drm-mgag200-Fix-value-in-VBLKSTR-register.patch
+
patches.kernel.org/6.12.25-180-arm64-sysreg-Update-register-fields-for-ID_AA.patch
+
patches.kernel.org/6.12.25-181-arm64-sysreg-Add-register-fields-for-HDFGRTR2.patch
+
patches.kernel.org/6.12.25-182-arm64-sysreg-Add-register-fields-for-HDFGWTR2.patch
+
patches.kernel.org/6.12.25-183-arm64-sysreg-Add-register-fields-for-HFGITR2_.patch
+
patches.kernel.org/6.12.25-184-arm64-sysreg-Add-register-fields-for-HFGRTR2_.patch
+
patches.kernel.org/6.12.25-185-arm64-sysreg-Add-register-fields-for-HFGWTR2_.patch
+
patches.kernel.org/6.12.25-186-arm64-boot-Enable-EL2-requirements-for-FEAT_P.patch
+
patches.kernel.org/6.12.25-187-cpufreq-Reference-count-policy-in-cpufreq_upd.patch
+
patches.kernel.org/6.12.25-188-scripts-generate_rust_analyzer-Add-ffi-crate.patch
+ patches.kernel.org/6.12.25-189-kbuild-Add-fno-builtin-wcslen.patch
+
patches.kernel.org/6.12.25-190-platform-x86-msi-wmi-platform-Rename-data-var.patch
+
patches.kernel.org/6.12.25-191-platform-x86-msi-wmi-platform-Workaround-a-AC.patch
+
patches.kernel.org/6.12.25-192-md-fix-mddev-uaf-while-iterating-all_mddevs-l.patch
+
patches.kernel.org/6.12.25-193-selftests-bpf-Fix-raw_tp-null-handling-test.patch
+
patches.kernel.org/6.12.25-194-misc-pci_endpoint_test-Avoid-issue-of-interru.patch
+
patches.kernel.org/6.12.25-195-misc-pci_endpoint_test-Fix-irq_type-to-convey.patch
+
patches.kernel.org/6.12.25-196-efi-libstub-Bump-up-EFI_MMAP_NR_SLACK_SLOTS-t.patch
+
patches.kernel.org/6.12.25-197-LoongArch-Eliminate-superfluous-get_numa_dist.patch
+
patches.kernel.org/6.12.25-198-drm-amd-display-Temporarily-disable-hostvm-on.patch
+ patches.kernel.org/6.12.25-199-nvmet-fc-Remove-unused-functions.patch
+ patches.kernel.org/6.12.25-200-block-remove-rq_list_move.patch
+ patches.kernel.org/6.12.25-201-block-add-a-rq_list-type.patch
+
patches.kernel.org/6.12.25-202-block-don-t-reorder-requests-in-blk_add_rq_to.patch
+
patches.kernel.org/6.12.25-203-mm-vma-add-give_up_on_oom-option-on-modify-me.patch
+
patches.kernel.org/6.12.25-204-Revert-wifi-ath12k-Fix-invalid-entry-fetch-in.patch
+
patches.kernel.org/6.12.25-205-MIPS-dec-Declare-which_prom-as-static.patch
+
patches.kernel.org/6.12.25-206-MIPS-cevt-ds1287-Add-missing-ds1287.h-include.patch
+
patches.kernel.org/6.12.25-207-MIPS-ds1287-Match-ds1287_set_base_clock-funct.patch
+
patches.kernel.org/6.12.25-208-wifi-ath12k-Fix-invalid-entry-fetch-in-ath12k.patch
+
patches.kernel.org/6.12.25-209-bpf-add-find_containing_subprog-utility-funct.patch
+
patches.kernel.org/6.12.25-210-bpf-track-changes_pkt_data-property-for-globa.patch
+
patches.kernel.org/6.12.25-211-selftests-bpf-test-for-changing-packet-data-f.patch
+
patches.kernel.org/6.12.25-212-bpf-check-changes_pkt_data-property-for-exten.patch
+
patches.kernel.org/6.12.25-213-selftests-bpf-freplace-tests-for-tracking-of-.patch
+
patches.kernel.org/6.12.25-214-selftests-bpf-validate-that-tail-call-invalid.patch
+
patches.kernel.org/6.12.25-215-bpf-fix-null-dereference-when-computing-chang.patch
+
patches.kernel.org/6.12.25-216-selftests-bpf-extend-changes_pkt_data-with-ca.patch
+
patches.kernel.org/6.12.25-217-block-make-struct-rq_list-available-for-CONFI.patch
+ patches.kernel.org/6.12.25-218-Linux-6.12.25.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -5541,16 +5759,12 @@
# Bug 1198101 - VUL-0: shim: openSUSE tumbleweed not fully locked down?
Add opensuse-cert-prompt back to openSUSE shim
# Lock down functions for secure boot
patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
+
patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch
- # Bug 1234646 - Lockdown is not activated with Secure Boot in kernel
6.12
-
patches.suse/0001-Lock-down-x86_64-kernel-in-secure-boot-mode-in-subsy.patch
-
patches.suse/0002-security-Add-a-kernel-lockdown-flag-for-early-boot-s.patch
-
patches.suse/0003-efi-Set-early-kernel-lock-down-flag-if-booted-in-sec.patch
-
patches.suse/0004-ACPI-Check-early-kernel-lockdown-flag-before-overlay.patch
-
patches.suse/0005-kgdb-Check-early-kernel-lockdown-flag-before-using-k.patch
+
patches.suse/0001-initcall_blacklist-Does-not-allow-kernel_lockdown-be.patch
# crypto
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.3YNpjm/_old 2025-04-28 16:16:22.565254279 +0200
+++ /var/tmp/diff_new_pack.3YNpjm/_new 2025-04-28 16:16:22.569254447 +0200
@@ -1,4 +1,4 @@
-2025-04-20 21:53:08 +0000
-GIT Revision: 726c2d06ad1d81b68e479b3bdffd8f8b7af66c72
+2025-04-25 11:06:49 +0000
+GIT Revision: da82bfde6a1e237ce54a2751871fdc9cd96bd169
GIT Branch: slowroll
