RHSA-2018:2748 Important: kernel security and bug fix update
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Security Fixes are described in RHSA-2018:2748.
This update fixes the following bugs:
- The lpfc driver provides NVMe over Fibre Channel (NVMe/FC) functionality as a Technology Preview. The driver references symbols in the nvme_fc and nvmet_fc modules, which are loaded as dependencies. Previously, the Technology Preview warning message appeared whenever the lpfc driver with its dependencies was loaded, even if the NVMe/FC functionality was not enabled. This consequently tainted the kernel. With this update, the Technology Preview warning message is issued only if the FC drivers register their ports with the NVMe/FC transport code. In the case of lpfc, the warning message is only displayed when the NVMe/FC operation is explicitly enabled in the lpfc driver using the "lpfc.lpfc_enable_fc4_type=3" module configuration and the "lpfc.lpfc_enable_nvmet" configuration for target mode. As a result, the kernel is no longer tainted when NVMe/FC is not enabled.
  Note that the NVMe/FC functionality remains a Technology Preview feature in RHEL 7.5.
  For more information about the scope of support for Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/. (BZ#1610381)
- Prior to this update, an error in the qxl driver caused the SPICE client to display a wrong framebuffer. As a consequence, the virtual consoles were unavailable. With this update, the bug has been fixed, and the described problem no longer occurs. (BZ#1614349)
- Prior to this update, a regression in a Spectre v1.1 vulnerability fix broke various Remote Direct Memory Access (RDMA) functionalities. As a consequence, Infiniband RDMA services did not work as expected and the kernel log displayed "failed to modify QP to RTR: -22". With this update, the regression has been fixed, and the described problem no longer occurs. (BZ#1619624)
- Previously, making the total buffer size bigger than the memory size for early allocation through the trace_buf_size boot option made the system unresponsive at the boot stage. This update introduces a change in the early memory allocation. As a result, the system no longer hangs in the above-described scenario. (BZ#1588366)
- Previously, the hrtimer function occasionally returned the HRTIMER_RESTART response with the HRTIMER_STATE_ENQUEUED flag set. As a consequence, the BUG_ON() condition was triggered, which led to a kernel panic. With this update, the BUG_ON() condition was removed and the enqueue_hrtimer() call was made conditional on the timer not being already in a queue. As a result, the kernel no longer panics in the described scenario. (BZ#1600911)
- Previously, inserting objects with the same keys made the rhlist implementation corrupt the chain pointers. As a consequence, elements were missing on removal and traversal. This patch updates the chain pointers correctly. As a result, there are no missing elements on removal and traversal in the above-described scenario. (BZ#1601009)
- Previously, the sfc driver stopped the transmission queue (TX) before pushing new buffers. As a consequence, the network device sometimes failed with the "NETDEV WATCHDOG" timeout error after using the netperf utility. With this update, the efx_enqueue_skb function can push new buffers for the TX queue, and the described problem no longer occurs. (BZ#1601353)
- On a system where the vmwgfx graphics driver was enabled, opening the /dev/snapshot file triggered hibernation before the vmwgfx hibernate code was prepared for it. As a consequence, the system displayed debug messages. With this update, vmwgfx refuses to hibernate when unprepared. As a result, the system no longer displays debug messages in the described scenario. (BZ#1601516)
- Previously, an issue in the Hyper-V ring buffer code caused wrong signaling to the host. As a consequence, certain paravirtualized devices of Hyper-V became unresponsive during a high I/O load. With this update, the Hyper-V ring buffer code has been fixed, and the paravirtualized devices no longer freeze in the described scenario. (BZ#1605089)
- When the "shmget" and "shmat" operations in System V were used to create the "hugetlbfs-backed" mapping, it was possible to munmap part of the mapping and split the underlying Virtual Memory Areas (VMA) so that it was not aligned to the huge page. This led to the "BUG_ON(end & ~huge_page_mask(h))" condition in the "__unmap_hugepage_range()" function in the mm/hugetlb.c file, which caused the system to crash with an oops message. A split function has been added to the "shm_vm_ops" structure, and the system no longer crashes in the described scenario. (BZ#1608225)
- Previously, the kernel source code was missing support to report the Speculative Store Bypass Disable (SSBD) vulnerability status on IBM Power Systems and the little-endian variants of IBM Power Systems. As a consequence, the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file incorrectly reported "Not affected" on both CPU architectures. This fix updates the kernel source code to properly report the SSBD status either as "Vulnerable" or "Mitigation: Kernel entry/exit barrier (TYPE)" where TYPE is one of "eieio", "hwsync", "fallback", or "unknown". (BZ#1612353)
- Previously, a highly relaxed memory model of PowerPC contributed to unexpected behavior in the multi-threaded application when the proper memory barriers were not used. As a consequence and under certain circumstances, the rwsem code occasionally missed wakeup calls probably due to insufficient memory barriers in the "__rwsem_mark_wake()" and "try_to_wake_up()" functions. The barriers have been changed to full memory barriers, and the abnormal behavior is no longer observed. (BZ#1613814)
- When using the enhanced mode for IP over InfiniBand (IPoIB), two threads sometimes executed the xmit statement in parallel to two different transmit queues, while the target was the same. As a consequence, both transmit queues added the same neighbor to the path's neigh linked list as displayed in the message below:
    list_add double add: new=ffff88024767a348, prev=ffff88024767a348...
    WARNING: lib/list_debug.c:31__list_add_valid+0x4e/0x70
    ipoib_start_xmit+0x477/0x680 [ib_ipoib]
    dev_hard_start_xmit+0xb9/0x3e0
    sch_direct_xmit+0xf9/0x250
    __qdisc_run+0x176/0x5d0
    __dev_queue_xmit+0x1f5/0xb10
    __dev_queue_xmit+0x55/0xb10
  With this update, the linked list is checked for emptiness prior to adding items to this list. As a result, the transmit queues no longer add the same neighbor to the path's neigh linked list in the described scenario. (BZ#1616164)
- Previously, the early microcode updater in the kernel was trying to perform a microcode update on virtualized guests. As a consequence, the virtualized guests sometimes mishandled the request to perform the microcode update and became unresponsive in the early boot stage. This update applies an upstream patch to avoid the early microcode update when running under a hypervisor. As a result, no kernel freezes appear in the described scenario. (BZ#1618390)
- When attempting to initiate a late microcode update with disabled Simultaneous Multi-Threading (SMT), the late microcode loading failed with the following message shown in the kernel dmesg log:
    "microcode: Not all CPUs online, aborting microcode update"
  With this update, the microcode is loaded late when SMT is disabled, as long as all the primary CPU threads are still online. As a result, the late microcode loading succeeds with SMT disabled in the described scenario. (BZ#1619622)
- Previously, the kernel sent the TO_IN() message instead of the ALLOW() message when joining a source group with an include source address. As a consequence, the multicast router did not recognize the multicast join message, which led to a delay of up to 2 minutes in receiving the multicast stream to the server. This update fixes the state init mode of Internet Group Management Protocol/Multicast Listener Discovery (IGMP/MLD). As a result, the router is able to update the multicast join message directly, and there is no delay in receiving the stream. (BZ#1610380)
- Previously, a null pointer dereference occurred during the tree connect. As a consequence, the kernel panicked in the Common Internet File System (CIFS) module. With this update, the underlying source code has been fixed, and the kernel no longer panics in the described scenario. (BZ#1609159)
- When the tcmu-runner service was terminated or failed before the netlink event response was handled, the D state process in the kernel did not wake up. As a consequence, the tcmu-runner service blocked all the netlink events in the Linux-IO/Target Core Mod in Userspace (LIO/TCMU) driver and the node machine needed to be rebooted to recover. This update fixes the issue, so that when the tcmu-runner service is started or restarted, it completes all the old blocked netlink events for all the target devices. As a result, the node machine no longer needs rebooting to recover in the described scenario. (BZ#1608677)
- Prior to this update, a bug in the Human Interface Devices (HID) descriptor of Wacom PTH-860 caused the cursor to not correspond with the position of the stylus at the bottom of the tablet screen. With this update, the bug has been fixed and the tablet is mapped to the entire monitor. (BZ#1600660)
- Prior to this update, when using a Chelsio network adapter, a variety of connection problems and soft lockups occurred under certain circumstances due to driver priorities. This update ensures that the cxgb4 driver, instead of the csiostor driver, always takes control of the initialization of the Chelsio adapter. As a result, the described problem no longer occurs. (BZ#1597529)
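
The SSBD status strings listed in the BZ#1612353 entry above can be validated mechanically on IBM Power hosts. The shell function below is an added example, not part of the advisory or of Red Hat tooling; the name classify_ssbd, its verdict words and its return codes are assumptions made for illustration, and the sample values are constructed.

```shell
#!/bin/sh
# Classify a spec_store_bypass status string on IBM Power, using the values
# named in the advisory entry for BZ#1612353.
# Hypothetical helper: the name, verdict words and return codes are assumptions.
#   0 = mitigated, 1 = vulnerable, 2 = needs review, 3 = not a Power system
SSBD_FILE=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

classify_ssbd() {
    arch=$1
    status=$2
    case "$arch" in
        ppc64|ppc64le) ;;
        *) echo "SKIP $arch"; return 3 ;;
    esac
    case "$status" in
        "Mitigation: Kernel entry/exit barrier ("*")")
            # Extract TYPE from between the parentheses.
            btype=${status#*\(}
            btype=${btype%\)}
            case "$btype" in
                eieio|hwsync|fallback|unknown)
                    echo "MITIGATED $btype"; return 0 ;;
                *)
                    echo "REVIEW unexpected barrier type: $btype"; return 2 ;;
            esac ;;
        "Vulnerable")
            echo "VULNERABLE"; return 1 ;;
        "Not affected")
            # Per the advisory, kernels without this fix reported this
            # value on Power regardless of the real SSBD state.
            echo "REVIEW kernel may predate the BZ#1612353 fix"; return 2 ;;
        *)
            echo "REVIEW unrecognized status: $status"; return 2 ;;
    esac
}

# Constructed sample values, not captured from a real system.
for sample in "Not affected" "Vulnerable" \
    "Mitigation: Kernel entry/exit barrier (hwsync)"; do
    classify_ssbd ppc64le "$sample" || true
done

# On a live host: classify_ssbd "$(uname -m)" "$(cat "$SSBD_FILE")"
```
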