(RHSA-2017:2437) Important: kernel security and bug fix update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)

• A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)

• It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)

• The lrw_crypt() function in ‘crypto/lrw.c’ in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key. (CVE-2015-8970, Moderate)

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.

Bug Fix(es):

• When running the LPAR with IBM Power 8 SMT8 mode, system performance degradation occurred due to the load getting spread across threads from the same core. The provided patches fix scheduler performance issues and assure the load is spread across cores, thus improving the system performance significantly. (BZ#1434853)

• Upon reboot, the bond slave with some network adapter ports became unresponsive in the backup state and never proceeded to the active state. As a consequence, the bond slave never transmitted any LACP PDU and the bond interface was never produced properly. With this update, the i40e network driver has been fixed for long link-down notification time and the bond slave now transmits LACP PDUs as expected. (BZ#1446783)

• When attempting to configure two or more Ethernet adapter cards using Virtual Function I/O (VFIO) in the KVM guest, subsequent KVM guests previously failed to boot returning an error message. The provided patch adds the ability of VFIO to support more than one card in the KVM guest environment. (BZ#1447718)

• It is possible to define the CPUs in which unbound kworkers can run by setting a “mask” in a specific file in the sysfs file system, helping on CPU isolation. However, this setup did not work properly, and unbounded kworkers were being activated on CPUs in which they were set to NOT run. The provided patchset prevents unbound kworkers from being run on CPUs that are masked, thus fixing this bug. (BZ#1458203)

• Due to a regression, the kernel previously failed to create the /sys/block/<sd device>/devices/enclosure_device symlinks. The provided patch corrects the call to the scsi_is_sas_rphy() function, which is now made on the SAS end device, instead of the SCSI device. (BZ#1460204)

• Previously, the system panic occurred when running mkfs.ext4 on newly created software RAID1 partitions on SATA SDD drives. The provided patch ensures the ext4 file system is created on the /dev/md0 partition and is mounted there successfully. (BZ#1463359)