Security Fix(es):
A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)
A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)
It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)
This update also fixes multiple Moderate and Low impact security issues:
CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685
More documentation of these issues is in the release notes: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html
Fixes
BZ - 1151095 - CVE-2014-7970 Kernel: fs: VFS denial of service
BZ - 1151108 - CVE-2014-7975 Kernel: fs: umount denial of service
BZ - 1178491 - intel_rapl: no valid rapl domains found in package 0"
BZ - 1283257 - [RFE] IOMMU support in Vhost-net
BZ - 1322495 - CVE-2016-6213 kernel: user namespace: unlimited consumed of kernel mount resources [rhel-7.4]
BZ - 1323577 - CVE-2015-8839 kernel: ext4 filesystem page fault race condition with fallocate call.
BZ - 1330000 - kernel: Backport getrandom system call
BZ - 1349647 - NFS client may keep phantom directory entry in dcache when rename is canceled
BZ - 1352741 - tx array support in tun
BZ - 1356471 - CVE-2016-6213 kernel: Overflowing kernel mount table using shared bind mount
BZ - 1368577 - kernel crash after a few hours/days with NFS 4.1 and 4.2 enabled
BZ - 1368938 - CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
BZ - 1371693 - Processes on nfs client have very high cpu usage in rpcauth_lookup_credcache
BZ - 1371714 - btrfs module init creates a useless file in /sys/kernel/debug with 0666 permissions
BZ - 1373966 - CVE-2016-7042 kernel: Stack corruption while reading /proc/keys when gcc stack protector is enabled
BZ - 1378656 - [LLNL 7.4 Bug] Serious Performance regression with NATed IPoIB connected mode
BZ - 1383739 - BUG: Dentry ffff880232eeacc0{i=800fe1,n=f290} still in use (1)
BZ - 1386286 - CVE-2015-8970 kernel: crypto: GPF in lrw_crypt caused by null-deref
BZ - 1389433 - CVE-2016-9604 kernel: security: The built-in keyrings for security tokens can be joined as a session and then modified by the root user
BZ - 1391299 - [LLNL 7.4 Bug] Crash in Infiniband rdmavt layer when kernel consumer exhausts queue pairs
BZ - 1393904 - CVE-2016-8645 kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c
BZ - 1394089 - [LLNL 7.4 Bug] 7.3 regression: the kernel does not create the /sys/block/<sd device>/devices/enclosure_device symlinks
BZ - 1395104 - pci 0000:ff:1e.3: [Firmware Bug]: reg 0x10: invalid BAR (can't size)
BZ - 1396578 - RFE: Backport virtio-net multi-queue enablement by default patch
BZ - 1396941 - CVE-2016-9685 kernel: Memory leaks in xfs_attr_list.c error paths
BZ - 1399830 - GFS2: fallocate error message during gfs2_grow
BZ - 1401433 - Vhost tx batching
BZ - 1401436 - lockless en-queuing for vhost
BZ - 1401502 - CVE-2016-9806 kernel: netlink: double-free in netlink_dump
BZ - 1403145 - CVE-2016-9576 kernel: Use after free in SCSI generic device interface
BZ - 1404200 - CVE-2016-10147 kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm
BZ - 1404924 - CVE-2016-9588 Kernel: kvm: nVMX: uncaught software exceptions in L1 guest leads to DoS
BZ - 1406885 - server supports labeled NFS by default
BZ - 1412210 - CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)
BZ - 1412234 - extend virtio-net to expose host MTU to guest
BZ - 1415780 - File permissions are not getting set as expected on nfs v4.0 mount
BZ - 1416532 - Symlinks removed and replaced on an nfs mount from another system receive STALE nfs error and EIO from readlink()
BZ - 1417812 - CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon
BZ - 1418962 - Broken net:[...] instead of path for net namespaces in /proc/self/mounts
BZ - 1421638 - CVE-2017-5970 kernel: ipv4: Invalid IP options could cause skb->dst drop
BZ - 1422825 - CVE-2017-6001 kernel: Race condition between multiple sys_perf_event_open() calls
BZ - 1424076 - vxlan: performance can suffer unless GRO is disabled on vxlan interface
BZ - 1428353 - CVE-2017-2647 kernel: Null pointer dereference in search_keyring
BZ - 1428684 - RFE: Backport of ICMP ratelimit fixes.
BZ - 1428973 - PANIC: "kernel BUG at fs/ceph/addr.c:91!"
BZ - 1430225 - kernel: fix crash in uio_release
BZ - 1430347 - CVE-2016-10200 kernel: l2tp: Race condition in the L2TPv3 IP encapsulation feature
BZ - 1433252 - CVE-2017-6951 kernel: NULL pointer dereference in keyring_search_aux function
BZ - 1433831 - NVMe SSD fails to initialize on AWS i3.4xlarge instances
BZ - 1434327 - CVE-2017-7187 kernel: scsi: Stack-based buffer overflow in sg_ioctl function
BZ - 1436649 - CVE-2017-2671 kernel: ping socket / AF_LLC connect() sin_family race
BZ - 1441088 - CVE-2017-7616 kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c
BZ - 1443999 - Deadlock in reshape on single core machine
BZ - 1444493 - CVE-2017-7889 kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism
BZ - 1445054 - Setting ipv6.disable=1 prevents both IPv4 and IPv6 socket opening for VXLAN tunnels
BZ - 1448312 - kernel panics in mce_register_decode_chain when booted on qemu
BZ - 1450203 - Irrelevant upper layer protocol traffic may erroneously "confirm" neigh entries
BZ - 1450972 - CVE-2017-8890 kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c
BZ - 1452679 - CVE-2017-9074 kernel: net: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option
BZ - 1452688 - CVE-2017-9076 kernel: net: IPv6 DCCP implementation mishandles inheritance
BZ - 1452691 - CVE-2017-9075 kernel: net: sctp_v6_create_accept_sk function mishandles inheritance
BZ - 1452744 - CVE-2017-9077 kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance
BZ - 1456388 - CVE-2017-9242 kernel: Incorrect overwrite check in __ip6_append_data()
BZ - 1463241 - rlimit_stack problems after update to 3.10.0-514.21.2.el7, and JVM Crash after updating to kernel-3.10.0-514.21.2.el7.x86_64
BZ - 1466329 - CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand
CVEs
CVE-2014-7970
CVE-2014-7975
CVE-2015-8839
CVE-2015-8970
CVE-2016-10088
CVE-2016-10147
CVE-2016-10200
CVE-2016-6213
CVE-2016-7042
CVE-2016-7097
CVE-2016-8645
CVE-2016-9576
CVE-2016-9588
CVE-2016-9604
CVE-2016-9685
CVE-2016-9806
CVE-2017-2596
CVE-2017-2647
CVE-2017-2671
CVE-2017-5970
CVE-2017-6001
CVE-2017-6951
CVE-2017-7187
CVE-2017-7616
CVE-2017-7889
CVE-2017-8797
CVE-2017-8890
CVE-2017-9074
CVE-2017-9075
CVE-2017-9076
CVE-2017-9077
CVE-2017-9242
John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/28532/
Subject: LU-9816 kernel: kernel upgrade RHEL7.4 [3.10.0-693.el7]
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: b982381f9cdbe7a04900f4192af054619f35b12b