El-errata: ELSA-2020-5885 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2020-5885
http://linux.oracle.com/errata/ELSA-2020-5885.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-4.14.35-2025.401.4.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-2025.401.4.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-2025.401.4.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-2025.401.4.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-2025.401.4.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-2025.401.4.el7uek.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-2025.401.4.el7uek.src.rpm
Description of changes:
[4.14.35-2025.401.4.el7uek]
- KVM: x86: always expose VIRT_SSBD to guests (Paolo Bonzini) [Orabug: 31957046]
[4.14.35-2025.401.3.el7uek]
- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (Suravee Suthikulpanit) [Orabug: 31931371]
- oracleasm: Access d_bdev before dropping inode (Stephen Brennan) [Orabug: 31901948]
- net: Correct warning: label 'drop' defined but not used. (John Donnelly) [Orabug: 31916130]
- KVM: Corrects build warnings for emulator_get_fpu/emulator_put_fpu (John Donnelly) [Orabug: 31907286]
- ext4: fix potential negative array index in do_split() (Eric Sandeen) [Orabug: 31895330] {CVE-2020-14314}
- net/rds: Extract dest qp num for displaying in rds-info (Praveen Kumar Kannoju) [Orabug: 31880143]
- bpf: Fix bpf_event_output re-entry issue (Allan Zhang) [Orabug: 31865842]
- bpf: fix nested bpf tracepoints with per-cpu data (Matt Mullins) [Orabug: 31865842]
- uek-rpm: Turn on module signing for embedded2 kernel (Dave Kleikamp) [Orabug: 31895264]
- uek-rpm: Clean up config-aarch64-embedded2 (Dave Kleikamp) [Orabug: 31895264]
[4.14.35-2025.401.2.el7uek]
- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song) [Orabug: 31884238] {CVE-2020-25285}
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya Dryomov) [Orabug: 31884165] {CVE-2020-25284}
- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell) [Orabug: 31872904] {CVE-2020-25212}
- IB/mlx5: Fix MR registration flow to use UMR properly (Guy Levi) [Orabug: 31631231]
- IB/mlx5: Prevent concurrent MR updates during invalidation (Moni Shoua) [Orabug: 31631231]
- IB/mlx5: Replace kfree with kvfree (Chuhong Yuan) [Orabug: 31631231]
- RDMA/odp: Do not leak dma maps when working with huge pages (Jason Gunthorpe) [Orabug: 31631231]
- IB/mlx5: Respect new UMR capabilities (Majd Dibbiny) [Orabug: 31631231]
- RDMA/mlx5: Unify error flows in rereg MR failure paths (Leon Romanovsky) [Orabug: 31631231]
- IB/mlx5: Maintain a single emergency page (Ilya Lesokhin) [Orabug: 31631231]
- genirq/irqdomain: Make sure all irq domain flags are distinct (Zenghui Yu) [Orabug: 31885236]
- irq/msi: Direct update affinity if irq is for msix or, maskable (Joe Jin) [Orabug: 31885236]
- x86/apic/msi: Plug non-maskable MSI affinity race (Joe Jin) [Orabug: 31885236]
- mm: memcg: Optimize cgroup traversal in memory.stat read (Tom Hromatka) [Orabug: 31849182]
- SUNRPC: Fix disconnection races (Trond Myklebust) [Orabug: 31796863]
- SUNRPC: Add a helper to wake up a sleeping rpc_task and set its status (Trond Myklebust) [Orabug: 31796863]
- dmaengine: ioatdma: Add Snow Ridge ioatdma device id (Dave Jiang) [Orabug: 31669166]
[4.14.35-2025.401.1.el7uek]
- PCI: Probe bridge window attributes once at enumeration-time (Bjorn Helgaas) [Orabug: 31867576]
- net/packet: fix overflow in tpacket_rcv (Or Cohen) [Orabug: 31866489] {CVE-2020-14386} {CVE-2020-14386}
- scsi: qla2xxx: Fix login timeout (Quinn Tran) [Orabug: 31860034]
- block: better deal with the delayed not supported case in blk_cloned_rq_check_limits (Ritika Srivastava) [Orabug: 31850343]
- block: Return blk_status_t instead of errno codes (Ritika Srivastava) [Orabug: 31850343]
- block: print offending values when cloned rq limits are exceeded (John Pittman) [Orabug: 31850343]
- iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE (Suravee Suthikulpanit) [Orabug: 31849532]
[4.14.35-2025.401.0.el7uek]
- Pensando: kernel config changes for kdump (Rob Gardner) [Orabug: 31821490]
- Pensando: Enable iScsi in kernel config (Rob Gardner) [Orabug: 31821490]
- sample-trace-array: Fix timer definition in samples/ftrace/sample-trace-array.c (Aruna Ramakrishna) [Orabug: 31845460]
- IB/mlx5: Expose RoCE accelerator counters (Avihai Horon) [Orabug: 31621816]
- net/mlx5: Add RoCE accelerator counters (Leon Romanovsky) [Orabug: 31621816]
- lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() (Christophe Leroy) [Orabug: 29623005] {CVE-2018-20669}
- x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() (Will Deacon) [Orabug: 29623005] {CVE-2018-20669}
- arch/openrisc: Fix issues with access_ok() (Stafford Horne) [Orabug: 29623005] {CVE-2018-20669}
- Fix 'acccess_ok()' on alpha and SH (Linus Torvalds) [Orabug: 29623005] {CVE-2018-20669}
- make 'user_access_begin()' do 'access_ok()' (Linus Torvalds) [Orabug: 29623005] {CVE-2018-20669}
- kabi fix for reparent slab memory on cgroup removal patchset (Tom Hromatka) [Orabug: 31746022]
- mm/memcontrol.c: add missed css_put() (Muchun Song) [Orabug: 31746022]
- mm: memcg/slab: reparent memcg kmem_caches on cgroup removal (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: stop setting page->mem_cgroup pointer for slab pages (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: rework non-root kmem_cache lifecycle management (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: don't check the dying flag on kmem_cache creation (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: unify SLAB and SLUB page accounting (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: introduce __memcg_kmem_uncharge_memcg() (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: generalize postponed non-root kmem_cache deactivation (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: rename slab delayed deactivation functions and fields (Roman Gushchin) [Orabug: 31746022]
- mm: memcg/slab: postpone kmem_cache memcg pointer initialization to memcg_link_cache() (Roman Gushchin) [Orabug: 31746022]
- mm: introduce mem_cgroup_put() helper (Roman Gushchin) [Orabug: 31746022]
- mm/memcontrol.c: export mem_cgroup_is_root() (Kirill Tkhai) [Orabug: 31746022]
- memcg: localize memcg_kmem_enabled() check (Shakeel Butt) [Orabug: 31746022]
- mm: fix race between kmem_cache destroy, create and deactivate (Shakeel Butt) [Orabug: 31746022]
- uek-rpm: Sync up aarch64 config files with latest Marvell patches (Dave Kleikamp) [Orabug: 31838205]
- drivers: marvell: otx2-sdei-ghes: correct issues with crashdump kernel (Rick Farrington) [Orabug: 31838205]
- drivers: mtd: spi-nor: Add MX66L2G45GXRI00 macronix flash (Selvam Venkatachalam) [Orabug: 31838205]
- irqchip/gic-v3: Add workaround for interrupt loss on IPI (Linu Cherian) [Orabug: 31838205]
- octeontx2-af: fix Extended DSA and eDSA parsing (Satha Rao) [Orabug: 31838205]
- drivers: gicv3: Adds workaround for Marvell erratum 38545 (Bhaskara Budiredla) [Orabug: 31838205]
- octeontx2-af: reset HWS group mask during FLR (Michal Mazur) [Orabug: 31838205]
- drivers: marvell: otx2: sdei-ghes: add BERT support for RAS errors (Rick Farrington) [Orabug: 31838205]
- ACPI: APEI: BERT: support BERT in non-ACPI systems (Rick Farrington) [Orabug: 31838205]
- Documentation: dt: edac: update sdei-ghes/bed-bert settings (Rick Farrington) [Orabug: 31838205]
- btrfs: merge btrfs_find_device and find_device (Anand Jain) [Orabug: 31351744] {CVE-2019-18885}
- sctp: implement memory accounting on tx path (Xin Long) [Orabug: 31351958] {CVE-2019-3874}
- Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" (Wade Mealing) [Orabug: 31510723] {CVE-2020-10781}
- sample-trace-array: Fix sleeping function called from invalid context (Kefeng Wang) [Orabug: 31543030]
- sample-trace-array: Remove trace_array 'sample-instance' (Kefeng Wang) [Orabug: 31543030]
- tracing: Sample module to demonstrate kernel access to Ftrace instances. (Divya Indi) [Orabug: 31543030]
- tracing: Adding new functions for kernel access to Ftrace instances (Aruna Ramakrishna) [Orabug: 31543030]
- tracing: Adding NULL checks for trace_array descriptor pointer (Divya Indi) [Orabug: 31543030]
- tracing: Verify if trace array exists before destroying it. (Divya Indi) [Orabug: 31543030]
- tracing: Declare newly exported APIs in include/linux/trace.h (Divya Indi) [Orabug: 31543030]
- tracing: Kernel access to Ftrace instances (Divya Indi) [Orabug: 31543030]
- x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. (Anthony Steinhauser) [Orabug: 31557803] {CVE-2020-10767}
- md: get sysfs entry after redundancy attr group create (Junxiao Bi) [Orabug: 31682037]
- md: fix deadlock causing by sysfs_notify (Junxiao Bi) [Orabug: 31682037]
- random32: update the net random state on interrupt and activity (Willy Tarreau) [Orabug: 31698082] {CVE-2020-16166}
- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang) [Orabug: 31705119] {CVE-2020-14331} {CVE-2020-14331}
- KVM: x86: take as_id into account when checking PGD (Vitaly Kuznetsov) [Orabug: 31722725]
- KVM: X86: Fix MSR range of APIC registers in X2APIC mode (Xiaoyao Li) [Orabug: 31722725]
- KVM: nVMX: Report NMIs as allowed when in L2 and Exit-on-NMI is set (Sean Christopherson) [Orabug: 31722725]
- KVM: nVMX: Remove non-functional "support" for CR3 target values (Sean Christopherson) [Orabug: 31722725]
- KVM: x86/mmu: Avoid an extra memslot lookup in try_async_pf() for L2 (Paolo Bonzini) [Orabug: 31722725]
- KVM: x86: Adjust counter sample period after a wrmsr (Eric Hankland) [Orabug: 31722725]
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit (Oliver Upton) [Orabug: 31722725]
- KVM: x86: Fix perfctr WRMSR for running counters (Eric Hankland) [Orabug: 31722725]
- KVM: nVMX: Check GUEST_DR7 on vmentry of nested guests (Krish Sadhukhan) [Orabug: 31722725]
- perf/core: Provide a kernel-internal interface to recalibrate event period (Like Xu) [Orabug: 31722725]
- KVM: VMX: Consume pending LAPIC INIT event when exit on INIT_SIGNAL (Liran Alon) [Orabug: 31722725]
- KVM: nVMX: cleanup and fix host 64-bit mode checks (Paolo Bonzini) [Orabug: 31722725]
- KVM: nVMX: Check Host Address Space Size on vmentry of nested guests (Krish Sadhukhan) [Orabug: 31722725]
- KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o lapic_in_kernel (Wanpeng Li) [Orabug: 31722725]
- KVM: x86: Fix INIT signal handling in various CPU states (Liran Alon) [Orabug: 31722725]
- KVM: VMX: Introduce exit reason for receiving INIT signal on guest-mode (Liran Alon) [Orabug: 31722725]
- KVM: nVMX: add tracepoint for failed nested VM-Enter (Sean Christopherson) [Orabug: 31722725]
- KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS (Liran Alon) [Orabug: 31722725]
- kvm: LAPIC: write down valid APIC registers (Paolo Bonzini) [Orabug: 31722725]
- KVM: LAPIC: ARBPRI is a reserved register for x2APIC (Paolo Bonzini) [Orabug: 31722725]
- KVM nVMX: Check Host Segment Registers and Descriptor Tables on vmentry of nested guests (Krish Sadhukhan) [Orabug: 31722725]
- KVM/nVMX: Use kvm_vcpu_map for accessing the shadow VMCS (KarimAllah Ahmed) [Orabug: 31722725]
- KVM/nVMX: Use kvm_vcpu_map when mapping the virtual APIC page (KarimAllah Ahmed) [Orabug: 31722725]
- KVM: nVMX: Return -EINVAL when signaling failure in VM-Entry helpers (Sean Christopherson) [Orabug: 31722725]
- KVM: nVMX: Move guest non-reg state checks to VM-Exit path (Sean Christopherson) [Orabug: 31722725]
- kvm: nVMX: Check "load IA32_PAT" VM-entry control on vmentry (Krish Sadhukhan) [Orabug: 31722725]
- kvm: nVMX: Check "load IA32_PAT" VM-exit control on vmentry (Krish Sadhukhan) [Orabug: 31722725]
- KVM: x86: optimize check for valid PAT value (Paolo Bonzini) [Orabug: 31722725]
- KVM: nVMX: allow tests to use bad virtual-APIC page address (Paolo Bonzini) [Orabug: 31722725]
- x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init (Vitaly Kuznetsov) [Orabug: 31722725]
- kvm: nVMX: Add a vmentry check for HOST_SYSENTER_ESP and HOST_SYSENTER_EIP fields (Krish Sadhukhan) [Orabug: 31722725]
- KVM: nVMX: Apply addr size mask to effective address for VMX instructions (Sean Christopherson) [Orabug: 31722725]
- Reverts "rds: avoid unnecessary cong_update in loop transport" (Iraimani Pavadai) [Orabug: 31741323]
- net/mlx5e: Poll event queue upon TX timeout before performing full channels recovery (Eran Ben Elisha) [Orabug: 31753101]
- net/rds: Incorrect pointer used in rds_getname() (Ka-Cheong Poon) [Orabug: 31755754]
- nfsd: apply umask on fs without ACL support (J. Bruce Fields) [Orabug: 31779886] {CVE-2020-24394}
- RDMA/mlx5: Fix Shared PD prefetch of ODP memory region (Mark Haywood) [Orabug: 31688621]
- uek-rpm: aarch64: build embedded kernel for Pensando (Dave Kleikamp) [Orabug: 31627078]
- Make low-speed APB bus accesses single threaded (Dave Kleikamp) [Orabug: 31627078]
- Add /dev/capmem driver for Pensando (David Clear) [Orabug: 31627078]
- Kconfig option to disable outer-cache-allocate for Pensando (David Clear) [Orabug: 31627078]
- Provide for precise control of pgprot for Pensando (David Clear) [Orabug: 31627078]
- Add Pensando Capri board .dts files and default configs (David Clear) [Orabug: 31627078]
- Add /proc/xmaps (David Clear) [Orabug: 31627078]
- mtd/spi-nor/cadence-quadspi.c: Speed up reads. (David Clear) [Orabug: 31627078]
- Add mnic nodes to the Pensando devicetree (David Clear) [Orabug: 31627078]
- Pensando Boot State Machine (BSM) integration. (David Clear) [Orabug: 31627078]
- Pensando crash dump driver (David Clear) [Orabug: 31627078]
- Pensando/Capri PCIE panic handler. (David Clear) [Orabug: 31627078]
- Add uio support for Capri PCIE and Link interrupts (David Clear) [Orabug: 31627078]
- Interrupt domain controllers for Capri ASIC. (David Clear) [Orabug: 31627078]
- Capri SPI driver (David Clear) [Orabug: 31627078]
- Add Capri EMMC phy and instantiate the driver in the dts (David Clear) [Orabug: 31627078]
- Initial Pensando Capri SoC declaration (David Clear) [Orabug: 31627078]
- New quirk for Pensando QSPI controller (David Clear) [Orabug: 31627078]
- Add pensando,cpld device tree compat entry (David Clear) [Orabug: 31627078]
- add support for NXP PCF85363/PCF85263 real-time clock (David Clear) [Orabug: 31627078]
- Support the reset pulse width from the device-tree. (David Clear) [Orabug: 31627078]
- Attempt to recover from a stuck SDA line (David Clear) [Orabug: 31627078]
- Add driver for the TI TPS53659 (David Clear) [Orabug: 31627078]
- support spi-rx-bus-width property on subnodes (David Clear) [Orabug: 31627078]
- Support for SPI_NOR_DUAL_READ on Micron (David Clear) [Orabug: 31627078]
- mtd: spi-nor: cadence-quadspi: fix spelling mistake: "Couldnt't" -> "Couldn't" (Colin Ian King) [Orabug: 31627078]
- mtd: spi-nor: cadence-quadspi: Add support for Octal SPI controller (Vignesh R) [Orabug: 31627078]
- mtd: spi-nor: Add Micron MT25QU02 support (Thor Thayer) [Orabug: 31627078]
- arm64: tlb: Ensure we execute an ISB following walk cache invalidation (Will Deacon) [Orabug: 31627078]
- arm64: mm: Add ISB instruction to set_pgd() (Will Deacon) [Orabug: 31627078]
- mtd: spi-nor: Allow Cadence QSPI support for ARM64 (Thor Thayer) [Orabug: 31627078]
- irqchip/gic-v3: Add workaround for Synquacer pre-ITS (Ard Biesheuvel) [Orabug: 31627078]
- irqchip/gic: Make quirks matching conditional on init return value (Ard Biesheuvel) [Orabug: 31627078]
- irqchip/gic-v3: Probe device ID space before quirks handling (Ard Biesheuvel) [Orabug: 31627078]
- rename kABI whitelists to lockedlists (Dan Duval) [Orabug: 31783149]
An unbreakable Enterprise kernel security update has been released for Oracle Linux 7.