Package Release Info

kernel-livepatch-SLE16-RT_Update_5-4-160000.1.1

Update Info: Base Release
Available in Package Hub : 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

kernel-livepatch-6_12_0-160000_26-rt

Change Logs

* Sun May 03 2026 fernando.gonzalez@suse.com
- Fix for CVE-2026-31431 ("crypto: algif_aead - Revert to operating out-of-place")
  Live patch for CVE-2026-31431. Upstream commit: 2aa024412d16d02322bd442ff701c183568fa03e
  KLP: CVE-2026-31431
  References: bsc#1263689 CVE-2026-31431
- commit 5420078
* Thu Apr 30 2026 nstange@suse.de
- Bump up the version number in spec file
- commit 02e6a92
* Tue Apr 28 2026 ali.abdallah@suse.de
- Fix for CVE-2026-23204 ("net/sched: cls_u32: use skb_header_pointer_careful()")
  Live patch for CVE-2026-23204. Upstream commits:
- 13e00fdc9236 ("net: add skb_header_pointer_careful() helper")
- cabd1a976375 ("net/sched: cls_u32: use skb_header_pointer_careful()")
  KLP: CVE-2026-23204
  References: bsc#1259126 CVE-2026-23204
  fix
- commit 558fa93
* Tue Apr 28 2026 vincenzo.mezzela@suse.com
- Fix for CVE-2026-23437 ("net: shaper: protect late read accesses to the hierarchy")
  Live patch for CVE-2026-23437. Upstream commit:
- 0f9ea7141f36 ("net: shaper: protect late read accesses to the hierarchy")
  KLP: CVE-2026-23437
  References: bsc#1261845 CVE-2026-23437
- commit e19e077
* Thu Apr 23 2026 vincenzo.mezzela@suse.com
- Fix for CVE-2026-23004 ("dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()")
  Live patch for CVE-2026-23004. Upstream commit:
- 9a6f0c4d5796 ("dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()")
  KLP: CVE-2026-23004
  References: bsc#1258655 CVE-2026-23004
- commit 70afb11
* Tue Apr 21 2026 fernando.gonzalez@suse.com
- Fix for CVE-2026-31406 ("xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()")
  Live patch for CVE-2026-31406. Upstream commit:
- daf8e3b253aa ("xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()")
  KLP: CVE-2026-31406
  References: bsc#1261630 CVE-2026-31406
- commit 778b1fa
Version: 3-160000.1.1
* Thu Apr 16 2026 nstange@suse.de
- Bump up the version number in spec file
- commit 2ce8a49
* Fri Apr 03 2026 vincenzo.mezzela@suse.com
- Fix for CVE-2026-23268 ("apparmor: fix unprivileged local user can do privileged policy management")
  Live patch for CVE-2026-23268. Upstream commit:
- 6601e13e82841 ("apparmor: fix unprivileged local user can do privileged policy management")
  Included backports:
- patches.suse/01-0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch
- patches.suse/02-0002-apparmor-fix-memory-leak-in-verify_header.patch
- patches.suse/03-0003-apparmor-replace-recursive-profile-removal-with-iter.patch
- patches.suse/04-0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch
- patches.suse/05-0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch
- patches.suse/06-0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch
- patches.suse/07-0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch
- patches.suse/08-0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch
- patches.suse/09-0009-apparmor-fix-differential-encoding-verification.patch
  KLP: CVE-2026-23268
  References: bsc#1259859 CVE-2026-23268
- commit 839618b
Version: 2-160000.1.1
* Wed Apr 01 2026 nstange@suse.de
- Bump up the version number in spec file
- commit 94916cc
* Tue Mar 24 2026 vincenzo.mezzela@suse.com
- Fix for CVE-2026-23209 ("macvlan: fix error recovery in macvlan_common_newlink()")
  Live patch for CVE-2026-23209. Upstream commits:
- f8db6475a836 ("macvlan: fix error recovery in macvlan_common_newlink()")
- e3f000f0dee1 ("macvlan: observe an RCU grace period in macvlan_common_newlink() error path")
  KLP: CVE-2026-23209
  References: bsc#1258784 CVE-2026-23209
- commit 729712b
* Mon Mar 23 2026 lidong.zhong@suse.com
- Fix for CVE-2026-23111 ("netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()")
  Live patch for CVE-2026-23111. Upstream commit:
- f41c5d151078 ("netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()")
  KLP: CVE-2026-23111
  References: bsc#1258183 CVE-2026-23111
- commit 7012ce5
* Wed Mar 18 2026 lidong.zhong@suse.com
- Fix for CVE-2026-23074 ("net/sched: Enforce that teql can only be used as root qdisc")
  Live patch for CVE-2026-23074. Upstream commit:
- 50da4b9d07a7 ("net/sched: Enforce that teql can only be used as root qdisc")
  KLP: CVE-2026-23074
  References: bsc#1258051 CVE-2026-23074
- commit 94253c2
* Tue Mar 10 2026 nstange@suse.de
- Add IBS _buildenv files + update PATCHINFO_ID after the initial submission
- commit d8555fc
* Wed Mar 04 2026 mbenes@suse.cz
- scripts/tar-up.sh: Enable aarch64 from SLE16-SP1 onwards
  Enable aarch64 starting with SLE16-SP1. Only -default kernel for now as
  the situation around -rt is not clear yet.
  References: PED-7906
- commit 5312a73
* Wed Feb 18 2026 pmladek@suse.com
- kernel-livepatch.spec: Pre-generate klp info when supported (jsc#PED-14811)
  The command "klp -v patches" shows extra information about the currently
  loaded livepatches, namely the related rpm package name, CVE and feature
  ids. It gets the information using rpm queries. It stores the information
  under "/var/cache/livepatch" to make the next call faster. Also the cache
  is used to pass the info from a hidden snapshot to the currently running
  system on transactional systems.
  Products derived from SLE 16.1, such as UC, want to use technologies like
  systemd-sysexts. The software will be distributed using images and rpmdb
  may not be present.
  Remove the dependency on rpmdb by pre-generating the cached file during
  the livepatch package build. Store it under "/usr/share/livepatch/info"
  because packages could not contain files under "/var/cache/" directly.
  The last problem is that %%files section is defined in the generic stub
  "/usr/lib/rpm/kernel-livepatch-subpackage" provided by the package
  "kernel-livepatch-tools-devel". But the %%build and %%install phases
  are defined by "rpm/kernel-livepatch.spec" template in the master branch
  for particular livepatch sources.
  Keep life easy by supporting all combinations of
  "kernel-livepatch.spec" template and "kernel-livepatch-tools-devel"
  packages. The solution uses the fact that the generic stub
  "kernel-livepatch-subpackage" is included into the generic template
  "kernel-livepatch.spec" after the initial metadata but before
  the %%build and %%install sections. It works the following way:
  + The generic stub "kernel-livepatch-subpackage" adds
    "/usr/share/livepatch/info/*" into %%files section only when
    the generic template "kernel-livepatch.spec" defines
    "%%with_klp_info 1" macro before the stub is included.
  + The generic "kernel-livepatch.spec" template builds and installs
    the klp info file only when "%klp_package_name" macro is defined by
    the generic "kernel-livepatch-subpackage" stub.
  Note that this solution supports any combination of the "klp" tool
  and livepatch package:
  + Older "klp" tool versions are not aware of the pre-generated info file.
    They will generate the cache using rpm queries.
  + Newer "klp" tool versions use the pre-generated info file when
    available. They are still able to generate it using rpm queries
    as a fallback.
  + SLE 16.1 will use only new "klp" tool and livepatches with
    the pre-generated info file.
- commit 78e4366
Version: 1-160000.1.1
* Tue Feb 03 2026 nstange@suse.de
- New branch for SLE16-RT_Update_5
- commit 8f1e797
* Fri Sep 19 2025 vincenzo.mezzela@suse.com
- klp_trace.h: add KLPR_TRACE_EVENT_CONDITION macro
- commit 17e9fce
* Mon Sep 01 2025 nstange@suse.de
- scripts/tar-up.sh: unconditionally enable s390x on SLE default
  Nowadays, s390x builds should be enabled for all SLE default kernels
  -- the versions from before the point where s390x coverage got
  added to the product have gone out of support a long time ago.
  Remove the conditional s390x enablement logic from tar-up.sh.
- commit 9bcbefb
* Mon Aug 18 2025 pmladek@suse.com
- kernel-livepatch.spec: Replace kernel-syms with kernel-<flavor>-specific dependencies (bsc#1248108)
  The commit ead79afe7cbfae ("kernel-livepatch.spec: Update build
  dependencies for non-default flavors") broke the build of livepatches
  which were built with kernel-syms-rt.
  The problem is that livepatch packages for already released kernels
  are built in exactly the same build environment as the initial livepatch.
  The BS (Build Service) installs the build environment using the given
  _buildinfo-*.xml and ignores BuildRequires. But the BuildRequires are
  later checked by rpmbuild tool. It would complain when new dependencies
  were added.
  Unfortunately, kernel-syms-rt does not exist on SLE16. This was the main
  motivation for the above mentioned commit.
  But the package kernel-syms is empty. Its only purpose is to add other
  dependencies. Replace it by opencoding the dependencies.
  Note that the kernel devel files are historically split into various
  packages, kernel-<flavor>-devel, kernel-devel-<flavor>, and
  even kernel-devel. But it is enough to require kernel-<flavor>-devel
  because it requires the other devel files on its own. This seems
  to be true back to SLE15-SP4 at minimum.
- commit 7696578
* Tue Jul 01 2025 mbenes@suse.cz
- kernel-livepatch.spec: Update build dependencies for non-default flavors
  Starting with commit 7c95ae0ac0bb ("mkspec: Exclude rt flavor from
  kernel-syms dependencies (bsc#1244337).") kernel-syms does not pull
  kernel-%variant-devel package for non-default %variant. It needs to be
  required alongside.
  Hence, add new BuildRequires for these cases (-rt flavor only at the
  time).
- commit ead79af
* Fri Jun 27 2025 mbenes@suse.cz
- Remove the support for different flavors, take 2
  There has been support for different kernel flavors from the beginning in
  our spec file. Originally, there were -default and -xen flavors.
  However, it is questionable. A live patch is built against a very
  specific kernel binary. Different flavors of the same kernel source can
  be easily different also in this respect.
  Remove it then. The build process is driven by "variant" macro deriving
  from a branch name. We can stick with that. %klp_module_package defines
  %flavor based on that. It also keeps %flavors_to_build definition for
  older releases without this change.
- commit b9cd481
* Thu Jun 26 2025 mbenes@suse.cz
- Revert "Remove the support for different flavors"
  The removal of flavors in spec file needs to go hand in hand with rpm
  macros update unfortunately. It is a work in progress so revert the spec
  file changes for now so that current builds do not fail.
  This reverts commit 6254bb4ada3a5af59ea00493698f92edc0b4c9a2.
- commit 0ae16b9
* Thu Jun 26 2025 mbenes@suse.cz
- scripts/tar-up.sh: Handle SLFO-Main_Update_0 package
  SLFO-Main_Update_0 (and possibly its -RT variant) will be used by QA for
  testing live patching in SLFO:Main project before a product like SLE16
  is branched off.
  Handle it in our scripts so that everything works properly.
- commit b8cab65
* Wed Jun 18 2025 mbenes@suse.cz
- Remove the support for different flavors
  There has been support for different kernel flavors from the beginning in
  our spec file. Originally, there were -default and -xen flavors.
  However, it is questionable. A live patch is built against a very
  specific kernel binary. Different flavors of the same kernel source can
  be easily different also in this respect.
  Remove it then. The build process is driven by "variant" macro deriving
  from a branch name. We can stick with that.
- commit 6254bb4
* Thu May 15 2025 nstange@suse.de
- uname_patch: don't use klp_convert.h wrappers
  With the removal of klp_convert.h, the uname_patch fails to compile.
  Replace all invocations of the KLP_SYM_LINKAGE or KLP_SYM() macros
  formerly defined therein by their expansions for the !USE_KLP_CONVERT
  case and drop the klp_convert.h #include.
  Fixes: b2fa29be2 ("Remove old klp-convert support")
- commit 601b6d1