RHSA-2018:1129 Important: kernel security and bug fix update

Updated -

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links.

Security Fixes are described in RHSA-2018:1129.

This update also fixes the following bugs:

  • If a large number of cores on all sockets were disabled in firmware, the number of sockets available was previously calculated incorrectly on AMD64 and Intel 64 systems. Consequently, the operating system panicked on boot. This update fixes the calculation of the number of sockets, and the operating system now boots as expected under the described circumstances. (BZ#1517801)

  • The calculation of the number of sockets included in the uncore functions was previously incorrect. Consequently, a kernel panic could occur. This update fixes uncore to calculate the number of sockets correctly, and the kernel no longer panics due to this behavior. (BZ#1533020)

  • A previous kernel update added a new mount option to GFS2: -o loccookie. The option allows for better identification of NFS directory entries. However, the enhancement introduced a bug which could cause GFS to misidentify directory entries, which resulted in NFS missing some entries while showing others multiple times. This bug is now fixed, and GFS2 now handles NFS directory entries as expected. (BZ#1541292)

  • Previously, the XFS code included a circular dependency between the xfs-log and the xfs-cil workqueues. Consequently, an XFS deadlock occurred in some cases. This update adds a new workqueue dedicated to the log covering background task to avoid the deadlock. (BZ#1543304)

  • Prior to this update, removing a memory cgroup could result in a kernel warning or crash due kmem caches being handled in the memory resource controller (memcg) without taking into account whether they are shared with the parent. This patch introduces a fix that ensures delayed kmem cache removals and aliased kmem caches are handled properly. As a result, memory cgroups can be removed without warnings or crashes. (BZ#1546733)

  • Previously, the list of machine check exceptions (MCEs) was being iterated incorrectly, potentially leading to memory corruption. An attempt to display a corrupted list of MCEs then caused a kernel panic. This update ensures that the list is iterated correctly with a safe iterator, and MCE lists are no longer being corrupted. (BZ#1552623)

  • Prior to this update, a race condition in kernel's neighbouring subsystem lead to an attempt to release a neighbour entry twice, which caused a kernel panic. With this update, neighbor entries which are about to be removed are now skipped when processing Address Resolution Protocol (ARP) or Neighbor Discovery (ND) events, and the kernel panic no longer occurs. (BZ#1553607)

  • This update provides a standard vulnerability status file and a mitigation switch file for the Meltdown vulnerability on IBM Power systems. These files allow you to verify whether the system is vulnerable against the Meltdown attack with a standard sysfs file, and to switch the RFI Flush mitigation against the attack on and off at runtime using a debugfs file if required. The vulnerability status file is located at "/sys/devices/system/cpu/vulnerabilities/meltdown", and the mitigation switch is available at "/sys/kernel/debug/powerpc/rfi_flush". (BZ#1554728)

  • Previously, when connectivity to a Fibre Channel target port was lost during a scan for SCSI devices on that port, a race condition could occur which resulted in the target port being unremovable, resulting in a hang. This update fixes the race condition by removing an unnecessary overwrite of the scanned device's actual state. (BZ#1515288)

  • Previously, the system sometimes became unresponsive due to network traffic. This was caused by incorrect rescheduling of qdio queue tasklets and restarting outbound queue timers. With this update, the handling of queue tasklets and outbound queue timers has been fixed, and the described problem no longer occurs. (BZ#1544925)

  • The kernel build requirements have been updated to the GNU Compiler Collection (GCC) compiler version that has the support for Retpolines. The Retpolines mechanism is a software construct that leverages specific knowledge of the underlying hardware to mitigate the branch target injection, also known as Spectre variant 2 vulnerability described in CVE-2017-5715. (BZ#1553182)

Comments