First published: Tue Jan 12 2016

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode, due to the way sequential delivery of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important)

Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue.

This update also fixes the following bugs:

* When doing TSO/GSO in the presence of VLAN headers on a macvtap device, the header offsets were incorrectly calculated. As a consequence, when 2 guests on the same host communicated over a guest-configured VLAN, performance dropped to about 1 Mbps. A set of patches has been provided to fix this bug, and network traffic with VLAN tags now achieves optimal performance. (BZ#1215914)

* Prior to this update, TSO acceleration features had been removed from the VLAN device, which caused VLAN performance on top of a virtio device to be much lower than that of the virtio device itself. This update re-enables TSO acceleration features, and performance of VLAN devices on top of a virtio device has thus been restored. (BZ#1240988)

* With an IPv6 address on a bond and a slave failover, Unsolicited Neighbor Advertisement (UNA) was previously sent using the link global IPv6 address as source address. The underlying source code has been patched, and, after the failover in bonding, UNA is sent using both the corresponding link IPv6 address and global IPv6 address of bond0 and bond0.vlan. (BZ#1258480)

* Previously, Human Interface Device (HID) would run a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268202)

* Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel in previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient and leading to possible race windows that could cause corruption and undefined behavior. The problem could be seen, for example, with software mapping or re-mapping hugetlb areas while concurrent threads read from or wrote to the same areas, causing page faults. This update fixes the problem by introducing a now-required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through the hugetlb interface. (BZ#1274597)

* Previously, VLAN stacked on the macvlan or macvtap device did not work for devices that implement and use VLAN filters. As a consequence, macvtap passthrough mode failed to transfer VLAN packets over the be2net driver. This update implements VLAN ndo calls in the macvlan driver to pass appropriate VLAN tag IDs to lower devices. As a result, macvtap transfers VLAN packets over be2net successfully. (BZ#1280205)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-abi-whitelists | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debug | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debug-debuginfo | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debug-devel | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debuginfo | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debuginfo-common-i686 | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-devel | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-doc | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-firmware | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-headers | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/perf | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/perf-debuginfo | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/python-perf | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/python-perf-debuginfo | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debuginfo-common-s390x | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-kdump | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-kdump-debuginfo | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-kdump-devel | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-bootwrapper | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
redhat/kernel-debuginfo-common-ppc64 | <2.6.32-504.40.1.el6 | 2.6.32-504.40.1.el6 |
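
To check a host against the fixed version in the table and the advisory's reboot requirement, the following added example (not part of the Red Hat advisory) separates three states: running a fixed kernel, fixed package installed but not yet booted, and vulnerable. It assumes el6-style release strings and compares only their numeric fields; the function names are illustrative.

```shell
#!/bin/sh
# Added example: checks a RHEL 6 kernel against the advisory's fixed build.
FIXED="2.6.32-504.40.1.el6"   # "How to fix" column of the table above

# numeric_key: "2.6.32-504.40.1.el6.x86_64" -> "2 6 32 504 40 1"
# (assumption: el6-style release strings; dist tag and arch are dropped)
numeric_key() {
    printf '%s\n' "$1" | sed 's/\.el[0-9].*$//; s/[.-]/ /g'
}

# is_fixed RELEASE: succeeds when RELEASE is at or above FIXED.
# Fields are compared as numbers and missing fields count as 0, so a
# shorter release such as 2.6.32-504.el6 (constructed sample) sorts
# below 2.6.32-504.40.1.el6, which a plain string sort would get wrong.
is_fixed() {
    printf '%s\n%s\n' "$(numeric_key "$1")" "$(numeric_key "$FIXED")" | awk '
        NR == 1 { n = split($0, a, " ") }
        NR == 2 {
            m = split($0, b, " ")
            max = (n > m) ? n : m
            for (i = 1; i <= max; i++) {
                x = a[i] + 0; y = b[i] + 0
                if (x != y) exit (x < y)   # status 1 means "below FIXED"
            }
            exit 0
        }'
}

# classify RUNNING [INSTALLED...]: prints patched, reboot-required or vulnerable.
classify() {
    running=$1; shift
    if is_fixed "$running"; then echo patched; return 0; fi
    for pkg in "$@"; do
        # A fixed package is on disk but the old kernel is still running.
        if is_fixed "$pkg"; then echo reboot-required; return 0; fi
    done
    echo vulnerable
}

# Only meaningful on an el6 host; skipped elsewhere.
case "$(uname -r)" in
    *.el6*)
        # Word splitting of the installed-kernel list is intended here.
        classify "$(uname -r)" $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n') ;;
esac
```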