Whamcloud Community JIRA

Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us

9.4.14

940014

05-12-2023

[LU-9816] kernel upgrade [RHEL7.4 3.10.0-693.el7] https://jira.whamcloud.com/browse/LU-9816 Lustre <p>RHEL 7.4 was just announced as released. It is now officially GA as of 8/1/17.</p> <p>This mod represents switching our supported el7 version from RHEL 7.3 to RHEL 7.4</p> <p>Details of the kernel upgrade will follow in comments.</p> LU-9816

kernel upgrade [RHEL7.4 3.10.0-693.el7]

Improvement Minor Resolved Fixed Bob Glossman Bob Glossman Tue, 1 Aug 2017 15:07:15 +0000 Tue, 3 Oct 2017 03:32:28 +0000 Thu, 17 Aug 2017 04:35:52 +0000 Lustre 2.10.1 Lustre 2.11.0 0 2 <p>Security Fix(es):</p> <p>An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)<br/> A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)<br/> It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)</p> <p>This update also fixes multiple Moderate and Low impact security issues:</p> <p>CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685</p> <p>More documentation of these issues are in the release notes; <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html" class="external-link" target="_blank" rel="nofollow noopener">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html</a></p> <p>Fixes</p> <p>BZ - 1151095 - CVE-2014-7970 Kernel: fs: VFS denial of service<br/> BZ - 1151108 - CVE-2014-7975 Kernel: fs: umount denial of service<br/> BZ - 1178491 - intel_rapl: no valid rapl domains found in package 0"<br/> BZ - 1283257 - <span class="error">[RFE]</span> IOMMU support in Vhost-net<br/> BZ - 1322495 - CVE-2016-6213 kernel: user namespace: unlimited consumed of kernel mount resources <span class="error">[rhel-7.4]</span><br/> BZ - 1323577 - CVE-2015-8839 kernel: ext4 filesystem page fault race condition with fallocate call.<br/> BZ - 1330000 - kernel: Backport getrandom system call<br/> BZ - 1349647 - NFS client may keep phantom directory entry in dcache when rename is canceled<br/> BZ - 1352741 - tx array support in tun<br/> BZ - 1356471 - CVE-2016-6213 kernel: Overflowing kernel mount table using shared bind mount<br/> BZ - 1368577 - kernel crash after a few hours/days with NFS 4.1 and 4.2 enabled<br/> BZ - 1368938 - CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit<br/> BZ - 1371693 - Processes on nfs client have very high cpu usage in rpcauth_lookup_credcache<br/> BZ - 1371714 - btrfs module init creates a useless file in /sys/kernel/debug with 0666 permissions<br/> BZ - 1373966 - CVE-2016-7042 kernel: Stack corruption while reading /proc/keys when gcc stack protector is enabled<br/> BZ - 1378656 - <span class="error">[LLNL 7.4 Bug]</span> Serious Performance regression with NATed IPoIB connected mode<br/> BZ - 1383739 - BUG: Dentry ffff880232eeacc0</p> {i=800fe1,n=f290} <p> still in use (1)<br/> BZ - 1386286 - CVE-2015-8970 kernel: crypto: GPF in lrw_crypt caused by null-deref<br/> BZ - 1389433 - CVE-2016-9604 kernel: security: The built-in keyrings for security tokens can be joined as a session and then modified by the root user<br/> BZ - 1391299 - <span class="error">[LLNL 7.4 Bug]</span> Crash in Infiniband rdmavt layer when kernel consumer exhausts queue pairs<br/> BZ - 1393904 - CVE-2016-8645 kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c<br/> BZ - 1394089 - <span class="error">[LLNL 7.4 Bug]</span> 7.3 regression: the kernel does not create the /sys/block/<sd device>/devices/enclosure_device symlinks<br/> BZ - 1395104 - pci 0000:ff:1e.3: <span class="error">[Firmware Bug]</span>: reg 0x10: invalid BAR (can't size)<br/> BZ - 1396578 - RFE: Backport virtio-net multi-queue enablement by default patch<br/> BZ - 1396941 - CVE-2016-9685 kernel: Memory leaks in xfs_attr_list.c error paths<br/> BZ - 1399830 - GFS2: fallocate error message during gfs2_grow<br/> BZ - 1401433 - Vhost tx batching<br/> BZ - 1401436 - lockless en-queuing for vhost<br/> BZ - 1401502 - CVE-2016-9806 kernel: netlink: double-free in netlink_dump<br/> BZ - 1403145 - CVE-2016-9576 kernel: Use after free in SCSI generic device interface<br/> BZ - 1404200 - CVE-2016-10147 kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm<br/> BZ - 1404924 - CVE-2016-9588 Kernel: kvm: nVMX: uncaught software exceptions in L1 guest leads to DoS<br/> BZ - 1406885 - server supports labeled NFS by default<br/> BZ - 1412210 - CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)<br/> BZ - 1412234 - extend virtio-net to expose host MTU to guest<br/> BZ - 1415780 - File permissions are not getting set as expected on nfs v4.0 mount<br/> BZ - 1416532 - Symlinks removed and replaced on an nfs mount from another system receive STALE nfs error and EIO from readlink()<br/> BZ - 1417812 - CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon<br/> BZ - 1418962 - Broken net:<span class="error">[...]</span> instead of path for net namespaces in /proc/self/mounts<br/> BZ - 1421638 - CVE-2017-5970 kernel: ipv4: Invalid IP options could cause skb->dst drop<br/> BZ - 1422825 - CVE-2017-6001 kernel: Race condition between multiple sys_perf_event_open() calls<br/> BZ - 1424076 - vxlan: performance can suffer unless GRO is disabled on vxlan interface<br/> BZ - 1428353 - CVE-2017-2647 kernel: Null pointer dereference in search_keyring<br/> BZ - 1428684 - RFE: Backport of ICMP ratelimit fixes.<br/> BZ - 1428973 - PANIC: "kernel BUG at fs/ceph/addr.c:91!"<br/> BZ - 1430225 - kernel: fix crash in uio_release<br/> BZ - 1430347 - CVE-2016-10200 kernel: l2tp: Race condition in the L2TPv3 IP encapsulation feature<br/> BZ - 1433252 - CVE-2017-6951 kernel: NULL pointer dereference in keyring_search_aux function<br/> BZ - 1433831 - NVMe SSD fails to initialize on AWS i3.4xlarge instances<br/> BZ - 1434327 - CVE-2017-7187 kernel: scsi: Stack-based buffer overflow in sg_ioctl function<br/> BZ - 1436649 - CVE-2017-2671 kernel: ping socket / AF_LLC connect() sin_family race<br/> BZ - 1441088 - CVE-2017-7616 kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c<br/> BZ - 1443999 - Deadlock in reshape on single core machine<br/> BZ - 1444493 - CVE-2017-7889 kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism<br/> BZ - 1445054 - Setting ipv6.disable=1 prevents both IPv4 and IPv6 socket opening for VXLAN tunnels<br/> BZ - 1448312 - kernel panics in mce_register_decode_chain when booted on qemu<br/> BZ - 1450203 - Irrelevant upper layer protocol traffic may erroneously "confirm" neigh entries<br/> BZ - 1450972 - CVE-2017-8890 kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c<br/> BZ - 1452679 - CVE-2017-9074 kernel: net: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option<br/> BZ - 1452688 - CVE-2017-9076 kernel: net: IPv6 DCCP implementation mishandles inheritance<br/> BZ - 1452691 - CVE-2017-9075 kernel: net: sctp_v6_create_accept_sk function mishandles inheritance<br/> BZ - 1452744 - CVE-2017-9077 kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance<br/> BZ - 1456388 - CVE-2017-9242 kernel: Incorrect overwrite check in __ip6_append_data()<br/> BZ - 1463241 - rlimit_stack problems after update to 3.10.0-514.21.2.el7, and JVM Crash after updating to kernel-3.10.0-514.21.2.el7.x86_64<br/> BZ - 1466329 - CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand</p> <p>CVEs</p> <p>CVE-2014-7970<br/> CVE-2014-7975<br/> CVE-2015-8839<br/> CVE-2015-8970<br/> CVE-2016-10088<br/> CVE-2016-10147<br/> CVE-2016-10200<br/> CVE-2016-6213<br/> CVE-2016-7042<br/> CVE-2016-7097<br/> CVE-2016-8645<br/> CVE-2016-9576<br/> CVE-2016-9588<br/> CVE-2016-9604<br/> CVE-2016-9685<br/> CVE-2016-9806<br/> CVE-2017-2596<br/> CVE-2017-2647<br/> CVE-2017-2671<br/> CVE-2017-5970<br/> CVE-2017-6001<br/> CVE-2017-6951<br/> CVE-2017-7187<br/> CVE-2017-7616<br/> CVE-2017-7889<br/> CVE-2017-8797<br/> CVE-2017-8890<br/> CVE-2017-9074<br/> CVE-2017-9075<br/> CVE-2017-9076<br/> CVE-2017-9077<br/> CVE-2017-9242</p> <p>Bob Glossman (bob.glossman@intel.com) uploaded a new patch: <a href="https://review.whamcloud.com/28301" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/28301</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9816" title="kernel upgrade [RHEL7.4 3.10.0-693.el7]" class="issue-link" data-issue-key="LU-9816"><del>LU-9816</del></a> kernel: kernel upgrade RHEL7.4 <span class="error">[3.10.0-693.el7]</span><br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 20ad2664285fdf3f362db5ec5d4cf4ab33e0e30d</p> <p>Minh Diep (minh.diep@intel.com) uploaded a new patch: <a href="https://review.whamcloud.com/28532" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/28532</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9816" title="kernel upgrade [RHEL7.4 3.10.0-693.el7]" class="issue-link" data-issue-key="LU-9816"><del>LU-9816</del></a> kernel: kernel upgrade RHEL7.4 <span class="error">[3.10.0-693.el7]</span><br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: 1<br/> Commit: cf25ca414779e0381485fd1cbd3a665296d3ecfb</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="https://review.whamcloud.com/28301/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/28301/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9816" title="kernel upgrade [RHEL7.4 3.10.0-693.el7]" class="issue-link" data-issue-key="LU-9816"><del>LU-9816</del></a> kernel: kernel upgrade RHEL7.4 <span class="error">[3.10.0-693.el7]</span><br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: fd8ef48571a2752f6c6a4c47127178a765d5b328</p> <p>Landed for 2.11</p> <p>John L. Hammond (john.hammond@intel.com) merged in patch <a href="https://review.whamcloud.com/28532/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/28532/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9816" title="kernel upgrade [RHEL7.4 3.10.0-693.el7]" class="issue-link" data-issue-key="LU-9816"><del>LU-9816</del></a> kernel: kernel upgrade RHEL7.4 <span class="error">[3.10.0-693.el7]</span><br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: <br/> Commit: b982381f9cdbe7a04900f4192af054619f35b12b</p> Blocker LU-8619 Gantt End to Start LU-9882 Related LU-9738 Development Rank 1|hzzhk7: Rank (Obsolete) 9223372036854775807 Severity