kernel update [RHEL7.4 3.10.0-693.21.1.el7]

Security Fix(es):

Kernel: KVM: MMU potential stack buffer overrun during page walks (CVE-2017-12188, Important)
Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518, Moderate)

This update also fixes the following bugs:

Previously, the CPU scheduler did not provide sufficient information for the cpufreq subsystem to increase CPU frequencies. Consequently, CPU frequencies could not exceed the base frequency in powersave mode. With this update, the cpufreq subsystem has been modified to use a timer to determine if the CPU frequency needs to be increased. As a result, in powersave mode, CPU frequencies can now exceed the base frequency. (BZ#1519850)

Previously, the timeout work handler provided by the blk_timeout_work() function did not work correctly. Consequently, IO sometimes became unresponsive during the unplugging of disks. This update fixes the handling of the timed out requests in blk_timeout_work(), and the IO hang during the unplugging of disks no longer occurs. (BZ#1522698)

Previously, the algif_hash implementation for unkeyed hashes such as sha1 did not work correctly. With this update, the underlying source code has been fixed, and using unkeyed hashes through algif_hash now works as expected. (BZ#1522932)

Updating the kernel autofs module with current upstream patches caused a change to the automount expiry policy. Consequently, more frequent automount expires occurred, which caused a significantly increased server load, especially on systems with many clients. With this update, the change to the kernel autofs module has been reverted in the affected Red Hat Enterprise Linux kernels. As a result, the previous expire semantics are restored, and server loads are no longer increased due to this behavior. (BZ#1525994)

Previously, if an NFSv4 mount operation encountered an NFS client structure that has not completed initialization, the trunking detection logic waited for the operation to complete. Consequently, if a concurrent NFSv4 mount operation added another item to the list of NFS client structures, this client was not able to begin initialization, because it was waiting on the mutex held by the other process, and a deadlock occurred. This update fixes NFS to wait until the NFS client structure initialization is completed before adding a new structure to the list. As a result, the deadlock no longer occurs, and the NFS client can now initialize as expected under the described circumstances. (BZ#1530135)

Moving the flock open mode check into the nfs_flock() function changed NFSv3 behavior for the flock() function so that it requires that the open mode matches the lock type, even if this requirement was not enforced for flock(). Consequently, nfs_flock() locked with the following error message:

Raw
int fd = open(path, O_RDONLY);
flock(fd, LOCK_EX); // fails with EBADF
This update reverts the change of nfs_flock(), and the incorrect locking no longer occurs. (BZ#1531095)

This series fixes performance issues for IOMMU on AMD Naples systems, where the current implementation does not scale well on systems with a large number of IOMMUs. (BZ#1531456)

When hotplugging a SATA disk, the disk driver in some cases limited the link speed if the current link speed was not available to the driver. Consequently, the link speed slowed down when the disk was reconnected. This update fixes the driver to not limit the link speed under the described circumstances. As a result, the original link speed is reestablished if reconnecting a drive. (BZ#1530136)

Previously, the SELinux file system mounting code contained a bug where a part of previously allocated memory could be released twice. Consequently, a kernel panic sometimes occurred. With this update, the underlying source code has been fixed, and the kernel no longer panics due to this behavior. (BZ#1532288)

Previously, the NFS server imposed too strict limit on the total reply cache size. Consequently, the NFS client mounts failed if the limit was exceeded. With this update, the NFS server has been fixed to increase the limit, and to negotiate smaller reply caches instead of failing. As a result, the NFS server now supports more simultaneous client mounts, and it no longer fails due to too strict limit on the total reply cache size.
Note that duplicate reply cache size negotiation at mount time is available with NFS protocol version 4.1 and later. (BZ#1533377)

Previously, the NFS clients' code contained an arithmetic error, which caused the client to request a larger reply cache than it needed. Consequently, the NFS server could run out of resources after only a few clients mounts, causing the next mounts to fail. With this update, the arithmetic error has been corrected. As a result, the NFS server now supports more client mounts before exhausting resources.
Note that duplicate reply cache size negotiation at mount time is available with NFS protocol version 4.1 and later. (BZ#1533378)

A race condition in raid5 stripe batching could lead to a kernel panic when using Lustre on top of mdraid on a large servers with many CPUs. This update fixes the race condition. (BZ#1535883)

Previously, the Hyper-V storvsc driver handled some error codes incorrectly. Consequently, performing hot backup of a Hyper-V Virtual Machine sometimes led to a system lockup. This update fixes the driver to handle the error codes properly. As a result, hot backup of Red Hat Enterprise Linux Virtual Machines running on Hyper-V no longer leads to a system lockup. (BZ#1536978)

The Return Trampoline (Retpoline) mechanism mitigates the branch target injection, also known as the Spectre variant 2 vulnerability. With this update, Retpoline has been implemented into the Red Hat Enterprise Linux kernel. (BZ#1539649)

The new paravirtualized qspinlock in Red Hat Enterprise Linux 7.4 has two operating modes depending on the capability of the hypervisor - the paravirtual qspinlock mode and the unfair lock mode. Previously, the unfair lock mode was not able to handle the pre-7.4 kernel modules with spinlock code. Consequently, if the unfair lock mode was used, as in the case of VMware, the pre-7.4 kernel modules with the spinlock code did not work. This update modifies the unfair lock code to handle the pre-7.4 kernel module spinlock calls properly. As a result, the pre-7.4 kernel modules now work as expected under the described circumstances. (BZ#1539797)

Support for Time Stamp Counter (TSC) set by BIOS has been updated on SGI UV platforms. TSC set by BIOS provides higher accuracy compared to the generic kernel TSC ADJUST functions, which is important for applications that read the TSC values directly for accessing databases. (BZ#1547870)

Previously, the timeout work handler provided by the blk_timeout_work() function did not work correctly. Consequently, IO sometimes became unresponsive during the unplugging of disks. This update fixes the handling of the timed out requests in blk_timeout_work(), and the IO hang during the unplugging of disks no longer occurs. (BZ#1522698)

When hotplugging a SATA disk, the disk driver in some cases limited the link speed if the current link speed was not available to the driver. Consequently, the link speed slowed down when the disk was reconnected. This update fixes the driver to not limit the link speed under the described circumstances. As a result, the original link speed is reestablished if reconnecting a drive. (BZ#1530136)