RHSA-2015:2152 Important: kernel security, bug fix, and enhancement update

Red Hat Product Security has rated this update as having Important security impact. For information on the security issues included in this erratum, see RHSA-2015-2152.

The kernel packages contain the Linux kernel, the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

This update fixes the following bugs:

  • Previously, some KVM hosts were intermittently having problems allocating interrupts to guests after they booted. As a consequence, configuring guests could fail when CIAA/D registers were being accessed. This update removes the read/write operations to the CIAA/D registers and makes use of standard kernel functions for accessing the PCI config space. In addition, the ixgbevf_check_for_bad_vf() function has been moved into the watchdog subtask, which reduces the frequency of the checks. Now, KVM hosts allocate interrupts to guests as expected. (BZ#1205903)

  • Transparent huge pages were not being correctly synchronized during read and write operations. In some circumstances, this resulted in memory corruption when transparent huge pages were enabled. Memory barriers have been added to transparent huge page handling so that this memory corruption no longer occurs. (BZ#1199016)

  • VxLAN offloading was not functional if the Network Interface Controller (NIC) was running in multichannel mode. As a consequence, when VxLAN offloading was enabled by the be2net driver, remote connectivity stopped, returning an error message. An upstream patch has been backported to fix this bug, and network connectivity is now preserved when VxLAN offloading is enabled. (BZ#1232327)

  • An NFS client could previously have more than a single open file lease expired while an NFS server was down, but only one of those leases could be marked properly for recovery. When the NFS server became available again, only one of the open file leases attempted recovery. A branch in the client's state management code has been replaced to fix this bug, and previously skipped file leases are now properly marked for recovery. (BZ#1205048)

  • Some applications using the sysfs parameter of release date did not work correctly because of a removal of release date from sysfs. The provided patch upgrades the driver version and adds back the release date and sysfs hook, thus fixing this bug. (BZ#1207175)

  • Prior to this update, very high latency was observed for small synchronous write operations (O_DSYNC) within a KVM guest. For example, KVM using the virtio-blk block device only achieved 30% of the bare metal performance for synchronous write operations to a local disk controller with battery-backed write-back cache. This update introduces a new module parameter for the KVM module which assists with latency-bound workloads. When using this parameter on the host, guests can achieve an improved rate of synchronous writes. (BZ#1198205)

  • Due to an assertion failure, the kernel previously panicked when mounting an NFSv4 file system using the "-o fsc" mount option under heavy NFS load. This bug has been fixed within the kernel. (BZ#1231809, BZ#1130457)

  • Due to a failure to clear the timestamp flag when reusing a tx descriptor in the mlx4_en driver, programs that did not request a hardware timestamp packet on their sent data received it anyway, resulting in unexpected behavior in certain applications. With this update, when reusing the tx descriptor in the mlx4_en driver in the aforementioned situation, the hardware timestamp flag is cleared, and applications now behave as expected. (BZ#1178070)

  • Moving an Open vSwitch (OVS) internal vport to a different net name space and subsequently deleting that name space led to a kernel panic. This bug has been fixed by removing such an OVS internal vport at net name space deletion. (BZ#1200859)

  • Previously, the dm-crypt encryption subsystem processed the requests on the same CPU they were submitted from. However, dm-crypt did not scale well when one CPU was submitting a large number of requests. To avoid a bottleneck on the I/O worker, this update changes the crypto code to process requests on any available CPU. As a result, the encryption work is parallel, which improves performance of encrypted file systems. (BZ#752438)

  • Due to a regression, the crypto adapter could not be set online. A patch has been provided that fixes the device registration process so that the device can be used also before the registration process is completed, thus fixing this bug. (BZ#1196398)

  • Previously, the "Splice Read" operation of the GFS2 file system, which is used for operations such as "sendfile", was not properly allocating a required multi-block reservation structure in memory. Consequently, when the GFS2 block allocator was called to assign blocks of data, it tried to dereference the structure, which resulted in a kernel panic. With this update, the GFS2 "Splice read" operation has been changed so that it properly allocates the necessary reservation structure in memory prior to calling the block allocator. As a result, "sendfile" now works properly for GFS2. (BZ#1193910)

  • Previously, the kernel audit subsystem did not correctly track file path names which could lead to empty, or "(null)" path names in the PATH audit records. This update fixes the bug by correctly tracking file path names and displaying the names in the audit PATH records. (BZ#1155208)

  • A patch in an earlier update caused the kernel to no longer pin DMA engines active for the network-receive-offload use case. Consequently, the ->free_chan_resources() call that occurred after the driver self test no longer had a NET_DMA induced ->alloc_chan_resources() to back it up. A late firing Interrupt Request (IRQ) could lead to the ksoftirqd process spinning indefinitely due to the tasklet_disable() call performed by ->free_chan_resources(), which led to unnecessarily high CPU usage. With this update, the IRQ is disabled from triggering the tasklet and re-arming, and inflight interrupts, the timer and inflight tasklets are flushed. As a result, the high CPU usage is prevented. (BZ#1210093)

  • Previously, the xen-netfront driver was unconditionally dropping network packets which consisted of more than 17 fragments of different memory pages on the transmit path. As a consequence, some TCP connections failed to complete. An upstream patch has been applied to fix this bug, and the xen-netfront driver now tries linearizing (reducing the number of fragments by copying them to a continuous memory region) such packets before transmitting them. (BZ#1144931)

  • A patch included in Red Hat Enterprise Linux 7.1 introduced a regression by changing the stored return value from a queuecommand() call but failing to take into account that the return value was used again later on. This update fixes the bug by changing the later usage. (BZ#1167454)

  • Under intermittent network outages, a race condition could occur in the find_writable_file() function which caused list corruption in the Common Internet File System (CIFS) code. Consequently, the kernel terminated unexpectedly. The update fixes the race condition, and the kernel no longer crashes in this situation. (BZ#1186260)

  • On Lenovo X1 Carbon 3rd Gen, X250, and T550 laptops, the thinkpad_acpi module was not properly loaded, and thus the function keys and radio switches did not work. This update applies a new string pattern of BIOS version, which fixes this bug, and function keys and radio switches now work as intended. (BZ#1194830)

  • With certain SMI VGA cards, when copying to or from the VGA memory, the VGA card on a 64-bit system caused console corruption. A workaround avoiding 64-bit transactions has been implemented, which prevents the console from corruption in the described scenario. (BZ#1132826, BZ#1187449)

  • The kernel could previously delay interrupts for a long time which could lead to timers being delayed as well. As a consequence, the intel_pstate driver terminated unexpectedly with a "divide by zero" error. This update changes the div_fp() function to use div64_s64() to allow for "long" division, which avoids the overflow condition on long delays. As a result, the kernel no longer delays for a long time and intel_pstate no longer panics in this situation. (BZ#1228346)

  • The TCP/IP stack has been upgraded to upstream version 3.18, which provides a number of bug fixes and enhancements over the previous version. Notably, this update fixes the TCP Fast Open extension, which now works as expected when using IPv6 addressing. In addition, this update provides support for optional TCP autocorking and implements Data Center TCP (DCTCP). (BZ#1151756)

  • Previously, if the "watchdog_thresh" kernel parameter was changed to a non-default value, the kernel only updated the timer interval of the soft lockup detector even though it was supposed to update the monitoring interval of the hard lockup detector (NMI watchdog) as well. As a consequence, the soft lockup timer could exceed the interval of the NMI watchdog, and thus the following panic could occur even though a busy CPU was actually not locked up (false positive):

Watchdog detected hard LOCKUP on cpu N

With this update, the kernel updates the intervals for both the soft lockup detector and the NMI watchdog, and no longer panics after the "watchdog_thresh" parameter is set to a value higher than the default. (BZ#1216074)

  • As the release_date field had been removed from the sysfs() function, some utilities were not able to work correctly and failed to detect controllers. To fix this bug, release_date has been returned, and utilities and controllers now work as expected. (BZ#1207175)

  • Previously, the get_futex_key_refs() function completed without a memory barrier, which is required before checking the "waiters" in futex_wake() -> hb_waiters_pending(). As a consequence, a race with a thread waiting on a futex on another CPU occurred causing soft lockups and crashes on Haswell CPUs when using the HPC application. The provided patchset fixes the bug by adding a memory barrier to the default case in get_futex_key_refs(), and lockups and crashes no longer occur in the described scenario. (BZ#1205862)

  • Large Receive Offload (LRO) is designed only for packets that terminate at the host and cannot be generally enabled for traffic that is being forwarded. The Linux kernel disables LRO in such cases. However, the code that disabled LRO for interfaces connected to the Open vSwitch bridge was not sufficient for stacked setups, leaving LRO enabled in some cases. This update ensures that LRO is disabled correctly for interfaces added to OVS bridges. (BZ#1181282)

  • If not specified as a parameter during module loading, the default number of buckets is calculated by dividing the total memory by 16384. The hash table will never have fewer than 32 buckets and is limited to 16384 buckets. For systems with more than 4 GB of memory, however, this limit is 65536 buckets. (BZ#1176947)

  • In an environment where the Key Distribution Center (KDC) is running Active Directory, the exported composite name field returned in the context could previously be large enough to span a page boundary. As a consequence, NFS clients using Kerberos authentication, specified by the "sec=krb5" parameter in the "/etc/fstab" file, could not be mounted. To fix this bug, a scratch buffer has been attached to the decoding xdr_stream, and NFS clients now mount as expected. (BZ#1120860)
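
For the audit PATH record fix listed above (BZ#1155208), the following added example (not part of the original advisory or of Red Hat's tooling) scans audit log text for events whose PATH records carry an empty or "(null)" name, so that gaps in file-access evidence collected on an unpatched kernel can be identified. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1447920000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=2101 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1447920000.101:501): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000
type=SYSCALL msg=audit(1447920000.205:502): arch=c000003e syscall=87 success=yes exit=0 pid=2102 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1447920000.205:502): item=0 name=(null) inode=5678 dev=fd:00 mode=040755
type=PATH msg=audit(1447920000.205:502): item=1 name="" inode=5679 dev=fd:00 mode=0100644
type=PATH msg=audit(1447920000.310:503): item=0 name=2F746D702F612062 inode=91 dev=fd:00 mode=0100644
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_name(raw):
    """Return the path from a PATH name= value, or None if it is unusable."""
    if raw is None or raw == "(null)":
        return None
    if raw.startswith('"'):
        return raw.strip('"') or None
    try:  # unquoted values are hex-encoded names containing special characters
        return bytes.fromhex(raw).decode("utf-8", "replace") or None
    except ValueError:
        return raw

def events_missing_path_names(log_text):
    """Map event serial -> command name and PATH item numbers lacking a name."""
    comm, missing = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, rest = m.group(1), int(m.group(2)), m.group(3)
        fields = dict(FIELD.findall(rest))
        if rtype == "SYSCALL":
            comm[serial] = fields.get("comm", "").strip('"')
        elif rtype == "PATH" and decode_name(fields.get("name")) is None:
            missing[serial].append(int(fields.get("item", -1)))
    return {s: {"comm": comm.get(s), "items": i} for s, i in missing.items()}

if __name__ == "__main__":
    print(events_missing_path_names(SAMPLE_LOG))
```

Records are correlated by the event serial number after the colon in `msg=audit(...)`, so the affected SYSCALL can still be attributed to a process even when its PATH name is missing.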

In addition, this update adds the following enhancements:

  • The HugeTLB utility automatically creates a default pool for 2M pages, which is the default pool, while a pool for 1G pages had to be created manually by appending the "hugepagesz=1G" argument to the kernel command-line option. This enhancement update enables creating a default pool of 1G pages on machines supporting 1G HugeTLB page sizes automatically. (BZ#1197899)

  • This enhancement update backports the upstream patches on unbound worker affinity control, which allows modifying the CPU affinity of all unbound workqueues through a single low-level cpumask in the sysfs file system, providing more control on workloads requiring noise-free CPUs. (BZ#1176155)

  • The /proc/pid/cmdline file length limit for the ps command was previously hard-coded in the kernel to 4096 characters. This update makes sure the length of /proc/pid/cmdline is unlimited, which is especially useful for listing processes with long command line arguments. (BZ#1193998)

  • This update introduces the "kernelpagesize_kB" line element to the /proc/[pid]/numa_maps report file in order to help identify the size of pages that are backing memory areas mapped by a given task. This is also useful for discovering the page size of current mapping. (BZ#1071987)

  • This update adds a separate function to the vmstat utility to fold per CPU diffs into local counters. This reduces the vmstat update overhead by avoiding the interrupt enable and disable processes and the use of per CPU atomics. (BZ#1157802)

All Red Hat Enterprise Linux 7 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Updated September 22, 2017
This update also fixes the following bug:

  • If the client mounted the /exports directory and tried to execute the "chown -R" command across the entire mount point, a warning about a circular directory structure was previously returned because all mount points had the same inode number. A set of patches has been provided to fix this bug, and mount points are now assigned with unique inode numbers as expected. (BZ#1225090)