RHSA-2018:1318 Important: kernel security, bug fix, and enhancement update

Updated

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security Fixes are described in RHSA-2018:1318.

This update also fixes the following bugs:

  • After Enhanced Error Handling (EEH) recovery of PCI errors involving the Non-Volatile Memory Express (NVMe) device, the NVMe device driver did not automatically bind to the NVMe device. As a consequence, the NVMe device became inaccessible. With this update, the NVMe device driver is able to rebind to the NVMe device after EEH recovery. As a result, the NVMe device is accessible again after EEH recovery of PCI errors involving the NVMe device. (This content is not included.BZ#1561894)

  • Previously, certain Intel Xeon v5 processors had incorrect time frequency settings. As a consequence, a 1 second error was introduced every 10 minutes relative to the system master clock. This update provides the correct time frequency settings. As a result, the system time now runs precisely. (This content is not included.BZ#1563088)

  • Previously, removing a physical CPU from a running system triggered a redundant warning message. This update prevents resetting the processor id value during removal. As a result the warning message no longer appears. (This content is not included.BZ#1563091)

  • This update provides support for enabling or disabling the Return from Interrupt (RFI) flush functionality on IBM POWER Systems with up-to-date firmware. In certain secured environments, a system administrator prefers the system performance to its security. As a result, disabling RFI allows to choose higher system performance over its security. (This content is not included.BZ#1563096)

  • Previously, the nfs_commit_inode() function did not respect the FLUSH_SYNC argument and exited even if there were already the in-flight COMMIT requests. As a consequence, the mmap() system call occasionally returned the EBUSY error on NFS, and CPU soft lockups occurred during a writeback on NFS. This update fixes nfs_commit_inode() to respect FLUSH_SYNC. As a result, mmap() does not return EBUSY, and the CPU soft lockups no longer occur during NFS writebacks. (This content is not included.BZ#1563103)

  • Previously, a Z8G4 workstation failed to enter suspend mode (S3), since the MSI-X vectors of the i40e driver were released while still in use by the i40iw client. As a consequence, the system became unresponsive on entering S3. This update fixes i40e to close before releasing its MSI-X vectors. As a result, Z8G4 now enters S3 and resumes correctly. (This content is not included.BZ#1563106)

  • Previously, the UEFI top-level page table was not configured properly to work with the page table isolation (PTI) feature. As a consequence, certain memory locations got corrupted and page tables were set incorrectly, which caused random crashes or system reboots without any error message. With this update, the UEFI top-level page table has been modified to reflect the PTI requirement. As a result, the described problems no longer occur. (This content is not included.BZ#1565700)

  • Previously, the result of the prepare_ioctl() function was dropped too early. As a consequence, the ioctl system call and persistent reservations were issued to a partition without checking permissions of the CAP_SYS_RAWIO capability. This update stores the prepare_ioctl() return value in a different variable. As a result, ioctl and persistent reservations issued to the partition are now checked for permissions properly. (This content is not included.BZ#1567746)

  • Previously, keys for the Advanced Encryption Standard in Galois Counter Mode (AES-GCM) encryption, that were bigger than 128 b, called the wrong handlers for encryption and decryption, in case that Intel AES New Instructions (Intel AES-NI) extension was enabled. As a consequence, any Internet Protocol Security (IPsec) setup using the described configuration failed to transmit data through the IPsec Tunnel Mode. This update verifies the key length and points to the correct handlers. As a result, data are successfully transmitted through the IPsec Tunnel Mode under the described conditions. (This content is not included.BZ#1570537)

  • Previously, boot IRQ mode did not restore successfully during reboot. As a consequence, the guest kernel printed a warning message when the kexec and kdump tools were loaded, and kdump became unresponsive during stress tests occasionally. This update ensures that IRQ mode restores correctly during reboot. As a result, the warning message does not appear and kdump no longer becomes unresponsive in the described scenario. (This content is not included.BZ#1563108)

Article Type