RHSA-2018:3459 Important: kernel security, bug fix and enhancement update


The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security Fixes are described in RHSA-2018:3459.

This update fixes the following bugs:

  • Previously, the t4_get_flash_params() function failed if the flash part was not recognized. As a consequence, the Network Interface Card (NIC) driver requested an update of various flash parts. With this update, if the flash part is not recognized, it is assumed to be 4 MB in size. As a result, the NIC no longer requests an update of various flash parts in the described scenario. (BZ#1620554)

  • Previously, a number of key patches were missing in the QLogic host bus adapter driver. Consequently, the system occasionally experienced timing issues and other code races, which could cause a kernel panic during error recovery and fabric events. This update adds the missing patches; the system is now stable and no longer panics during fabric events. (BZ#1622526)

  • Previously, the lockd manager was removed from the grace list during shutdown only for the init_net namespace. Consequently, if the nfsd process was started in a namespace other than init_net and was subsequently restarted, a kernel oops was triggered. This update removes lockd from the grace list in the described scenario. As a result, the kernel oops no longer occurs. (BZ#1623241)

  • Previously, when the user activated a device or a file for swapping, the following warning message appeared:

    Trying to vfree() bad address

If the swap file was empty, the following error message appeared:

    fixpoint divide exception (s390x) / divide error (x86_64)

Consequently, the kernel terminated unexpectedly. With this update, the error paths use the appropriate kernel API to release memory and zero-length swap files are checked for and rejected. As a result, the kernel no longer crashes in the described scenario. (BZ#1624501)

  • On systems running Red Hat Enterprise Linux 7.4 with Red Hat OpenShift Container Platform 3.5, a node sometimes got into the "NodeNotReady" state after a CPU soft lockup. Consequently, the node was not available. This update fixes some scheduling latency sources in memory compaction and in inode memory reclaim. As a result, nodes no longer get into the "NodeNotReady" state under the described circumstances. (BZ#1625144)

  • Previously, when a CPU was unwinding the stack of a task while the task was running on another CPU, the unwinding CPU occasionally became unresponsive indefinitely. This update fixes the issue by adding a recursion check in the 64-bit unwinder. As a result, the CPU no longer hangs indefinitely while trying to unwind task stacks. (BZ#1625537)

  • Previously, the IPv4 routing code did not set the expiry time for a redirect cache entry when updating an existing entry. As a consequence, the redirect cache entry never expired. This update sets the expiry time for the redirect cache entry, and the described problem no longer occurs. (BZ#1627788)

  • Previously, the "shm_mnt" VFS mount was not treated as an internal, long-term mount, as was expected. Consequently, a bug in the kernel mount reference counting code caused the mount to be deallocated. With this update, the mount is properly protected and is no longer deallocated in the described scenario. (BZ#1628073)

  • Previously, an NFSv4.1 or later client that supports the CB_NOTIFY_LOCK callback could request a blocking lock and then have its lease expire because it failed to keep the lease active. As a consequence, when the blocked lock became available and the nfsd service attempted to notify the no longer existing client, a kernel panic was triggered. With this update, the blocked locks held by a client are removed as part of expiring that client. As a result, the kernel panic no longer occurs in the described scenario. (BZ#1628562)

  • Previously, the Common Internet File System (CIFS) session handling repeatedly retried failed operations after receiving the STATUS_USER_SESSION_DELETED response. As a consequence, packet traces similar to the following were observed, with the client resending the same request and the server rejecting it each time:

    4 19 10.73.4.199 -> 10.16.41.48 SMB2 198 Create Request File:
    5 19 10.16.41.48 -> 10.73.4.199 SMB2 143 Create Response, Error: STATUS_USER_SESSION_DELETED
    6 19 10.73.4.199 -> 10.16.41.48 TCP 66 41020 > microsoft-ds [ACK] Seq=205 Ack=150 Win=312 Len=0 TSval=44877738 TSecr=189923311
    7 19 10.73.4.199 -> 10.16.41.48 SMB2 198 Create Request File:
    8 20 10.16.41.48 -> 10.73.4.199 SMB2 143 Create Response, Error: STATUS_USER_SESSION_DELETED

This update makes sure that the CIFS session is reconnected after STATUS_USER_SESSION_DELETED is received. As a result, CIFS session handling no longer retries the failed operations repeatedly, but reconnects instead, in the described scenario. (BZ#1630195)

  • Previously, the kernel IP tunnel driver did not clear the bit indicating that the packet needed tunneling offloads. As a consequence, Generic Segmentation Offload (GSO) packets from tunneled devices that were sent to virtual machines consumed more resources. With this update, the kernel IP tunnel driver clears the appropriate bit, and the GSO packets are now more resource-efficient. (BZ#1631648)

  • When processing the I/O control block (iocb) parameter in a timeout case, the qla2xxx driver tried to log messages without verifying whether the fcport structure contained valid data. As a consequence, the system halted unexpectedly. With this update, the qla2xxx driver no longer logs messages if fcport contains no valid data. As a result, the system continues to operate without crashing. (BZ#1597546)

  • Previously, improper locking in an abort handler did not protect I/O operations from being aborted. As a consequence, the Originator eXchange IDentifier (OXID) was occasionally reused before the abort handler was put in the work queue. Subsequently, the reused OXID and the abort handler could incorrectly end up in two different work queues. This update fixes the issue, and the abort handler and OXID are correctly put in the same work queue. (BZ#1605235)

  • Previously, after an unclean shutdown, the dm-cache component did not treat all cache blocks as dirty, regardless of whether the blocks had been marked dirty or not. Consequently, if some cache blocks were marked dirty at the time of the shutdown, their data could become corrupted. This update fixes the bug, and no data corruption is observed in the described scenario anymore.

Note: A cache block is considered dirty if it has not yet been written back to the origin device. (BZ#1620552)

  • When processing the I/O control block (iocb) parameter in a timeout case, the qla2xxx driver tried to log messages without verifying whether the fcport structure contained valid data. As a consequence, the system halted unexpectedly. With this update, the qla2xxx driver no longer logs messages if fcport contains no valid data. As a result, the system continues to operate without crashing. (BZ#1624503)

  • Previously, a kernel panic occurred when the kernel made an out-of-bounds access to the array that describes the L1 Terminal Fault (L1TF) mitigation state on systems without Extended Page Tables (EPT) support: the state reported on such systems had no entry in the array. This update extends the array of mitigation states to cover all states, which prevents the out-of-bounds array access. The update also rejects invalid or irrelevant values that userspace might erroneously provide for the setting. As a result, the kernel no longer panics in the described scenario. (BZ#1629568)
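The out-of-bounds access in the item above follows a common kernel pattern: a table of strings indexed by a state enum, where one state (the one reported on hosts without EPT) has no entry in the table. The following C example is added here and is not code from the Red Hat Enterprise Linux kernel or from Red Hat. It shows the short table beside a fixed one that is sized by the enum and checked at compile time, and a parser that rejects unknown or irrelevant values supplied from userspace. All identifiers (`mitigation_state`, the `MIT_*` constants, `report_state`, `buggy_table_covers`, `mitigation_name`, `parse_mitigation`) are hypothetical, and the policy that a host without EPT accepts no flush-mode setting at all is an assumption made for the example, not a statement about the kernel's actual behaviour.

```c
/* Added example (not RHEL kernel code): bounds-checking a state table that
 * is indexed by a mitigation state. All names below are hypothetical. */
#include <stddef.h>
#include <string.h>

/* States a userspace-visible mitigation setting might report. */
enum mitigation_state {
    MIT_AUTO = 0,
    MIT_NEVER,
    MIT_COND,
    MIT_ALWAYS,
    MIT_EPT_DISABLED,   /* reported on hosts without EPT */
    MIT_STATE_COUNT     /* sentinel: number of valid states */
};

/* Buggy table: one entry short, so MIT_EPT_DISABLED indexes past the end. */
static const char *const buggy_names[] = {
    "auto", "never", "cond", "always",
};

/* Fixed table: sized by the enum and checked at compile time, so the next
 * state added without a name fails the build instead of the running kernel. */
static const char *const fixed_names[MIT_STATE_COUNT] = {
    [MIT_AUTO]         = "auto",
    [MIT_NEVER]        = "never",
    [MIT_COND]         = "cond",
    [MIT_ALWAYS]       = "always",
    [MIT_EPT_DISABLED] = "EPT disabled",
};
_Static_assert(sizeof(fixed_names) / sizeof(fixed_names[0]) == MIT_STATE_COUNT,
               "every mitigation state needs a name");

/* The state that gets reported: without EPT the only state is "EPT disabled",
 * which is exactly the one the buggy table has no entry for. */
enum mitigation_state report_state(int has_ept, enum mitigation_state requested)
{
    return has_ept ? requested : MIT_EPT_DISABLED;
}

/* 1 if the buggy table has an entry for s, 0 if indexing it with s would read
 * past the array. The buggy show path performed no such check. */
int buggy_table_covers(enum mitigation_state s)
{
    return (unsigned int)s < sizeof(buggy_names) / sizeof(buggy_names[0]);
}

/* Fixed show path: range-checks before indexing (the unsigned compare also
 * catches negative values). */
const char *mitigation_name(enum mitigation_state s)
{
    if ((unsigned int)s >= MIT_STATE_COUNT)
        return "unknown";
    return fixed_names[s];
}

/* Parse a userspace-supplied setting. Returns 0 and stores the state, or -1
 * for an unknown value, or for any value on a host without EPT (assumed
 * policy for this example: there is no flush mode to choose when EPT is off). */
int parse_mitigation(const char *s, int has_ept, enum mitigation_state *out)
{
    static const struct { const char *name; enum mitigation_state st; } opts[] = {
        { "auto", MIT_AUTO }, { "never", MIT_NEVER },
        { "cond", MIT_COND }, { "always", MIT_ALWAYS },
    };
    size_t i;

    if (!has_ept)
        return -1;
    for (i = 0; i < sizeof(opts) / sizeof(opts[0]); i++) {
        if (strcmp(s, opts[i].name) == 0) {
            *out = opts[i].st;
            return 0;
        }
    }
    return -1;
}
```

The two halves of the fix are independent: the `_Static_assert` and the range check in `mitigation_name` make the lookup safe for every state the kernel can report, while `parse_mitigation` keeps a value that makes no sense on the current hardware from ever becoming a state in the first place.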

  • Previously, a patch designed to prevent a NULL dereference did not set a default value for "max_sectors". Consequently, RAID10 arrays were not created correctly. This update adds a value that defaults to "max_sectors". As a result, RAID10 arrays are created correctly in the described scenario. (BZ#1630436)

  • Previously, detaching an Elastic Block Store (EBS) volume from an m5.large instance led to the following error messages during initialization when the nvme_reset_work() function was called:

    [ 365.256155] pci 0000:00:1f.0: BAR 0: assigned [mem 0xc0000000-0xc0003fff]
    [ 365.263904] nvme nvme1: pci function 0000:00:1f.0
    [ 365.272333] pci 0000:00:1e.0: BAR 0: assigned [mem 0xc0004000-0xc0007fff]
    [ 365.278848] nvme nvme2: pci function 0000:00:1e.0
    [ 365.475302] nvme nvme1: failed to mark controller live
    [ 365.481811] nvme nvme1: Removing after probe failure status: 0

Consequently, the SSD-backed volume got stuck in the "detaching" state. This update fixes the bug by serializing PCI resets. As a result, all kinds of EBS volumes can be successfully detached in the described scenario. (BZ#1637104)
