RHSA-2018:1965 Important: kernel security and bug fix update
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Security Fixes are described in RHSA-2018:1965.
This update fixes the following bugs:
- When accepting the Stream Control Transmission Protocol (SCTP) connection, its Transmission Control Block (TCB) migration did not set the data owner as a new socket. As a consequence, it was impossible to release the new socket, and the previous socket experienced a memory leak. This update sets the data owner as a new socket during the SCTP TCB migration. As a result, the new socket no longer underflows, and the memory leak on the previous socket no longer occurs during the described scenario. (BZ#1565983)
- When the system was under a heavy load, the TX driver in some cases became unresponsive and TCP performed poorly. This update prevents the race condition in the TX driver code and sets the VMXNET 3 internal LRO flag properly. As a result, TX does not become unresponsive and TCP performs as expected under the heavy load. (BZ#1567771)
- Adding or removing underlying disks changed the max_hw_sectors limit of the Multiple Device (MD) queue, and the change was not propagated to the upper layer. As a consequence, the "bio too big" message appeared together with input/output (I/O) failure. This update introduces the bio_split2() and bio_pair2_release() functions with a splitting mechanism. As a result, the "bio too big" message and I/O failure no longer appear. (BZ#1568070)
- Previously, the XFS file system allowed the data writeback mechanism to call into XFS for memory allocation. As a consequence, XFS experienced a deadlock. With this update, the writeback mechanism is not allowed to call into XFS for memory allocation. As a result, XFS no longer deadlocks due to this bug. (BZ#1568320)
- Previously, the prepend_path() function under certain circumstances generated unclear and outdated error messages. This update removes the warning. (BZ#1568322)
- Previously, a live migration of a virtual machine from one host with updated firmware to another host without updated firmware resulted in incorrect kernel settings for Meltdown mitigations, which could leave the kernel vulnerable to Meltdown. With this fix, the firmware on the new physical host is re-scanned for updates after a live migration. As a result, the kernel uses the correct mitigation in the described scenario. (BZ#1570509)
- Previously, configurations with the little-endian variant of IBM Power Systems CPU architectures and Hard Disk Drives (HDD) designed according to Nonvolatile Memory Express (NVMe) open standards experienced crashes during shutdown or reboot due to race conditions of CPUs. As a consequence, the sysfs pseudo file system threw a stack trace report about an attempt to create a duplicate entry in sysfs. This update modifies the source code so that the irq_dispose_mapping() function is called first and the msi_bitmap_free_hwirqs() function is called afterwards. As a result, the race condition no longer appears in the described scenario. (BZ#1570511)
- When a CPU thread went into an idle state, the Indirect Branch Restricted Speculation (IBRS) feature remained enabled on the core. As a consequence, the performance of the idle CPU's sibling decreased. This update disables IBRS before the CPU enters the idle state. As a result, the idle CPU thread no longer decreases the performance of its sibling. (BZ#1570532)
- Previously, the mlx5_ib kernel driver set the default value (zero) of the active_width and active_speed parameters to IB_WIDTH_4X and IB_SPEED_QDR. As a consequence, the Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) network protocol did not negotiate active_width with a remote side, making the ibstat command panic. This update restores the original behavior. As a result, ibstat no longer panics in the described scenario. (BZ#1570536)
- Previously, the microphone input connected through the analog jack to the side of Dell Precision 7530 and 7730 notebooks was not fully supported. As a consequence, the headset did not work correctly. This fix updates the Advanced Linux Sound Architecture (ALSA) driver to fully support this hardware. As a result, the headset works correctly in the above described scenario. (BZ#1571581)
- Previously, when updating the kernel packages with the yum command, a race condition sometimes occurred due to decoupled steps performed to create the initramfs file system image. Consequently, depending on the amount of free space available at the /boot partition and the size of the artefacts required to be included into the initramfs image for the new kernel, the initramfs image was sometimes not created properly. Subsequently, the operating system failed to boot. This update ensures that the bootloader menu entry is cleaned properly if the new kernel package fails to create initramfs. As a result, the new kernel package is not installed under the described circumstances, and the operating system boots as expected. (BZ#1575041)
- Previously, a server with iSCSI multipath root volume sometimes booted with only a single path. Consequently, the root volume became unavailable, and the iscsid service failed, if a networking problem occurred on the remaining path. This update fixes iSCSI to be able to send a unicast netlink message directed at the correct PID in case of a networking problem. As a result, a server with iSCSI multipath root volume always boots with two paths, and the root volume no longer becomes unavailable under the described circumstances. (BZ#1576293)
- Previously, the device mapper (DM) used the blkdev_get() function when issuing the pass-through input/output control (ioctl) system calls. Consequently, an additional cgroup permissions check, which required adding all devices in the I/O stack to the device cgroup, was applied. With this update, DM has been fixed to hold the live DM table for the duration of the ioctl instead of using blkdev_get(). As a result, the cgroup permissions check requiring the allowance of all underlying devices is no longer needed, and adding just the top-level DM multipath device to the cgroup is sufficient. (BZ#1576508)
- Previously, the kernel sometimes deadlocked when the secondary GPU was resuming from suspend if the nouveau power management was enabled. This occurred when the user was docking the laptop or booting the laptop that was connected to a docking station. With this update, the underlying source code has been fixed, and the kernel no longer deadlocks in the described scenario. (BZ#1577760)
- Due to a bug in a CPU's speculative execution engine, the CPU could previously leak data from other processes on the system, including passwords, encryption keys, or other sensitive information. With this update, the kernel build requirements have been updated to the GNU Compiler Collection (GCC) compiler version that has the support for Expoline for IBM z Systems. As a result, the data leak no longer occurs under the described circumstances. (BZ#1577767)
- With Large Receive Offload (LRO) enabled, packets could previously be received with a valid segment count of 1, even if the vmxnet3 driver did not allow this condition. Consequently, vmxnet3 halted the kernel in response to a valid condition. With this update, the halt instruction has been converted to the code that issues a warning instead. As a result, vmxnet3 receives LRO frames properly in the described scenario. (BZ#1577790)
- On systems with a built-in NVIDIA GPU, a Direct Rendering Manager (DRM) deadlock occasionally occurred if a computer was docked with an external display connected through the docking station. Consequently, the operating system either terminated unexpectedly or rebooted, or the connected displays were not powered on. This update fixes the deadlock in the nv50_mstm_register_connector() function. As a result, the deadlock in DRM no longer occurs, and the operating system boots as expected under the described circumstances. (BZ#1577792)
- Previously, microcode updates on 32 and 64-bit AMD and Intel architectures were not synchronized. As a consequence, it was not possible to apply the microcode updates. This fix adds the synchronization to the microcode updates so that processors of the stated architectures receive updates at the same time. As a result, microcode updates are now synchronized. (BZ#1578047)
- Previously, the tcmu-runner service, which provides an operating environment for LIO TCM-User handlers, sometimes entered into an inconsistent state when attempting to disable an iSCSI target portal group (TPG). Consequently, tcmu-runner became unresponsive. This update fixes the bug by adding the SCF_ACK_KREF assignment into the kernel target. As a result, tcmu-runner no longer hangs under the described circumstances. (BZ#1578048)
- With the iproute package version higher than 3.10.0-79.el7, using the ss command caused the kernel to load the sctp_diag module, which also unintentionally loaded the Stream Control Transmission Protocol (SCTP) protocol module. This unintentional loading could lead to performance issues and some other problems when using certain debugging tools. This update fixes the sock_diag netlink subsystem to request the sctp_diag module only if the SCTP protocol was registered. As a result, ss no longer causes the kernel to load the SCTP protocol module unintentionally. (BZ#1578272)
- Previously, the pNFS metadata clients did not work correctly if the pNFS metadata server (MDS) sent "LAYOUTUNAVAILABLE" in response to a "LAYOUTGET" request from a client. Specifically, the client I/O request failed with the "cannot allocate memory" error (ENOMEM) instead of the client attempting to send the I/O request through MDS. This has been corrected, and the client now attempts to send the I/O request through MDS in the described situation. (BZ#1578458)
- Previously, using the event poll interface (epoll) produced unexpected SELinux AVC block_suspend messages in the audit log. This update fixes the control interface for an epoll file descriptor (epoll_ctl) so that the AVC block_suspend messages no longer occur in the described situation. (BZ#1578734)
- Previously, the unshare(CLONE_NEWPID) function could fail when racing with the get_task_mm() function, because the CLONE_NEWPID parameter incorrectly implied the CLONE_THREAD parameter and thus also the CLONE_VM parameter. This update fixes sys_unshare() to not imply CLONE_THREAD if CLONE_NEWPID is used, thus fixing the bug. (BZ#1578997)