El-errata: ELSA-2021-9305 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2021-9305
http://linux.oracle.com/errata/ELSA-2021-9305.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:
x86_64:
kernel-uek-4.14.35-2047.504.2.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-2047.504.2.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-2047.504.2.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-2047.504.2.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-2047.504.2.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-2047.504.2.el7uek.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-2047.504.2.el7uek.src.rpm
Related CVEs:
CVE-2020-4788
CVE-2021-31916
Description of changes:
[4.14.35-2047.504.2.el7uek]
- md/raid1: properly indicate failure when ending a failed write request (Paul Clements) [Orabug: 32887159]
- video: hyperv_fb: Add ratelimit on error message (Michael Kelley) [Orabug: 32856879]
- Drivers: hv: vmbus: Initialize unload_event statically (Andrea Parri (Microsoft)) [Orabug: 32856879]
- Drivers: hv: vmbus: Increase wait time for VMbus unload (Michael Kelley) [Orabug: 32856879]
- dm ioctl: fix out of bounds array access when no devices (Mikulas Patocka) [Orabug: 32860493] {CVE-2021-31916}
- net/mlx4: Treat VFs fair when handling comm_channel_events (Hans Westgaard Ry) [Orabug: 32559464]
- Linux 4.14.210 (Greg Kroah-Hartman)
- USB: core: Fix regression in Hercules audio card (Alan Stern)
- USB: core: add endpoint-blacklist quirk (Johan Hovold)
- x86/resctrl: Add necessary kernfs_put() calls to prevent refcount leak (Xiaochen Shen)
- x86/resctrl: Remove superfluous kernfs_get() calls to prevent refcount leak (Xiaochen Shen)
- usb: gadget: Fix memleak in gadgetfs_fill_super (Zhang Qilong)
- usb: gadget: f_midi: Fix memleak in f_midi_alloc (Zhang Qilong)
- USB: core: Change %pK for __user pointers to %px (Alan Stern)
- perf probe: Fix to die_entrypc() returns error correctly (Masami Hiramatsu)
- can: m_can: fix nominal bitiming tseg2 min for version >= 3.1 (Marc Kleine-Budde)
- platform/x86: toshiba_acpi: Fix the wrong variable assignment (Kaixu Xia)
- can: gs_usb: fix endianess problem with candleLight firmware (Marc Kleine-Budde)
- efivarfs: revert "fix memory leak in efivarfs_create()" (Ard Biesheuvel)
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (Lijun Pan)
- ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues (Lijun Pan)
- net: ena: set initial DMA width to avoid intel iommu issue (Shay Agroskin)
- nfc: s3fwrn5: use signed integer for parsing GPIO numbers (Krzysztof Kozlowski)
- IB/mthca: fix return value of error branch in mthca_init_cq() (Xiongfeng Wang)
- scsi: ufs: Fix race between shutdown and runtime resume flow (Stanley Chu)
- batman-adv: set .owner to THIS_MODULE (Taehee Yoo)
- phy: tegra: xusb: Fix dangling pointer on probe failure (Marc Zyngier)
- perf/x86: fix sysfs type mismatches (Sami Tolvanen)
- scsi: target: iscsi: Fix cmd abort fabric stop race (Mike Christie)
- scsi: libiscsi: Fix NOP race condition (Lee Duncan)
- dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size (Sugar Zhang)
- nvme: free sq/cq dbbuf pointers when dbbuf set fails (Minwoo Im)
- proc: don't allow async path resolution of /proc/self components (Jens Axboe)
- HID: Add Logitech Dinovo Edge battery quirk (Hans de Goede)
- x86/xen: don't unbind uninitialized lock_kicker_irq (Brian Masney)
- dmaengine: xilinx_dma: use readl_poll_timeout_atomic variant (Marc Ferland)
- HID: hid-sensor-hub: Fix issue with devices with no report ID (Pablo Ceballos)
- Input: i8042 - allow insmod to succeed on devices without an i8042 controller (Hans de Goede)
- HID: cypress: Support Varmilo Keyboards' media hotkeys (Frank Yang)
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (Kai Vehmanen)
- ALSA: hda/hdmi: Use single mutex unlock in error paths (Takashi Iwai)
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (Will Deacon)
- arm64: pgtable: Fix pte_accessible() (Will Deacon)
- btrfs: adjust return values of btrfs_inode_by_name (Su Yue)
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (Qu Wenruo)
- PCI: Add device even if driver attach failed (Rajat Jain)
- wireless: Use linux/stddef.h instead of stddef.h (Hauke Mehrtens)
- btrfs: fix lockdep splat when reading qgroup config on mount (Filipe Manana)
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (Gerald Schaefer)
- perf event: Check ref_reloc_sym before using it (Igor Lubashev)
- Linux 4.14.209 (Greg Kroah-Hartman)
- x86/microcode/intel: Check patch signature before saving microcode for early loading (Chen Yu)
- s390/dasd: fix null pointer dereference for ERP requests (Stefan Haberland)
- s390/cpum_sf.c: fix file permission for cpum_sfb_size (Thomas Richter)
- mac80211: free sta in sta_info_insert_finish() on errors (Johannes Berg)
- mac80211: minstrel: fix tx status processing corner case (Felix Fietkau)
- mac80211: minstrel: remove deferred sampling code (Felix Fietkau)
- xtensa: disable preemption around cache alias management calls (Max Filippov)
- regulator: workaround self-referent regulators (Michał Mirosław)
- regulator: avoid resolve_supply() infinite recursion (Michał Mirosław)
- regulator: fix memory leak with repeated set_machine_constraints() (Michał Mirosław)
- iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode (Hans de Goede)
- iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum (Hans de Goede)
- ext4: fix bogus warning in ext4_update_dx_flag() (Jan Kara)
- staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids (Brian O'Keefe)
- efivarfs: fix memory leak in efivarfs_create() (Vamshi K Sthambamkadi)
- tty: serial: imx: keep console clocks always on (Fugang Duan)
- ALSA: mixart: Fix mutex deadlock (Takashi Iwai)
- ALSA: ctl: fix error path at adding user-defined element set (Takashi Sakamoto)
- speakup: Do not let the line discipline be used several times (Samuel Thibault)
- powerpc/uaccess-flush: fix missing includes in kup-radix.h (Daniel Axtens)
- libfs: fix error cast of negative value in simple_attr_write() (Yicong Yang)
- xfs: revert "xfs: fix rmap key and record comparison functions" (Darrick J. Wong)
- regulator: ti-abb: Fix array out of bound read access on the first transition (Nishanth Menon)
- MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu (Zhang Qilong)
- ASoC: qcom: lpass-platform: Fix memory leak (Srinivasa Rao Mandadapu)
- can: m_can: m_can_handle_state_change(): fix state change (Wu Bo)
- can: peak_usb: fix potential integer overflow on shift of a int (Colin Ian King)
- can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() (Marc Kleine-Budde)
- can: ti_hecc: Fix memleak in ti_hecc_probe (Zhang Qilong)
- can: dev: can_restart(): post buffer from the right context (Alejandro Concepcion Rodriguez)
- can: af_can: prevent potential access of uninitialized member in canfd_rcv() (Anant Thazhemadam)
- can: af_can: prevent potential access of uninitialized member in can_rcv() (Anant Thazhemadam)
- perf lock: Don't free "lock_seq_stat" if read_count isn't zero (Leo Yan)
- ARM: dts: imx50-evk: Fix the chip select 1 IOMUX (Fabio Estevam)
- arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy (Sergey Matyukevich)
- MIPS: export has_transparent_hugepage() for modules (Randy Dunlap)
- Input: adxl34x - clean up a data type in adxl34x_probe() (Dan Carpenter)
- vfs: remove lockdep bogosity in __sb_start_write (Darrick J. Wong)
- arm64: psci: Avoid printing in cpu_psci_cpu_die() (Will Deacon)
- pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq (Jianqun Xu)
- net: ftgmac100: Fix crash when removing driver (Joel Stanley)
- tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate (Ryan Sharpelletti)
- net: usb: qmi_wwan: Set DTR quirk for MR400 (Filip Moc)
- net/mlx5: Disable QoS when min_rates on all VFs are zero (Vladyslav Tarasiuk)
- sctp: change to hold/put transport for proto_unreach_timer (Xin Long)
- qlcnic: fix error return code in qlcnic_83xx_restart_hw() (Zhang Changzhong)
- net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request (Xie He)
- net/mlx4_core: Fix init_hca fields offset (Aya Levin)
- netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() (Paul Moore)
- netlabel: fix our progress tracking in netlbl_unlabel_staticlist() (Paul Moore)
- net: Have netpoll bring-up DSA management interface (Florian Fainelli)
- net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (Tobias Waldekranz)
- net: bridge: add missing counters to ndo_get_stats64 callback (Heiner Kallweit)
- net: b44: fix error return code in b44_init_one() (Zhang Changzhong)
- mlxsw: core: Use variable timeout for EMAD retries (Ido Schimmel)
- inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() (Wang Hai)
- devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() (Wang Hai)
- atm: nicstar: Unmap DMA on send error (Sebastian Andrzej Siewior)
- ah6: fix error return code in ah6_input() (Zhang Changzhong)
[4.14.35-2047.504.1.el7uek]
- Linux 4.14.208 (Greg Kroah-Hartman)
- ACPI: GED: fix -Wformat (Nick Desaulniers)
- can: proc: can_remove_proc(): silence remove_proc_entry warning (Zhang Changzhong)
- mac80211: always wind down STA state (Johannes Berg)
- Input: sunkbd - avoid use-after-free in teardown paths (Dmitry Torokhov)
- powerpc/8xx: Always fault when _PAGE_ACCESSED is not set (Christophe Leroy)
- gpio: mockup: fix resource leak in error path (Bartosz Golaszewski)
- i2c: imx: Fix external abort on interrupt in exit paths (Krzysztof Kozlowski)
- i2c: imx: use clk notifier for rate changes (Lucas Stach)
- powerpc/64s: flush L1D after user accesses (Nicholas Piggin) {CVE-2020-4788}
- powerpc/uaccess: Evaluate macro arguments once, before user access is allowed (Nicholas Piggin)
- powerpc: Fix __clear_user() with KUAP enabled (Andrew Donnellan)
- powerpc: Implement user_access_begin and friends (Christophe Leroy)
- powerpc: Add a framework for user access tracking (Christophe Leroy)
- powerpc/64s: flush L1D on kernel entry (Nicholas Piggin) {CVE-2020-4788}
- powerpc/64s: move some exception handlers out of line (Daniel Axtens)
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL (Daniel Axtens)
- Linux 4.14.207 (Greg Kroah-Hartman)
- mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race (Nicholas Piggin)
- Convert trailing spaces and periods in path components (Boris Protopopov)
- reboot: fix overflow parsing reboot cpu number (Matteo Croce)
- Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" (Matteo Croce)
- perf/core: Fix crash when using HW tracing kernel filters (Mathieu Poirier)
- x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP (Anand K Mistry)
- random32: make prandom_u32() output unpredictable (George Spelvin)
- net: Update window_clamp if SOCK_RCVBUF is set (Mao Wenan)
- r8169: fix potential skb double free in an error path (Heiner Kallweit)
- vrf: Fix fast path output packet handling with async Netfilter rules (Martin Willi)
- net/x25: Fix null-ptr-deref in x25_connect (Martin Schiller)
- net/af_iucv: fix null pointer dereference on shutdown (Ursula Braun)
- IPv6: Set SIT tunnel hard_header_len to zero (Oliver Herms)
- swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb" (Stefano Stabellini)
- pinctrl: amd: fix incorrect way to disable debounce filter (Coiby Xu)
- pinctrl: amd: use higher precision for 512 RtcClk (Coiby Xu)
- drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] (Thomas Zimmermann)
- don't dump the threads that had been already exiting when zapped. (Al Viro)
- selinux: Fix error return code in sel_ib_pkey_sid_slow() (Chen Zhou)
- mei: protect mei_cl_mtu from null dereference (Alexander Usyskin)
- usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode (Chris Brandt)
- uio: Fix use-after-free in uio_unregister_device() (Shin'ichiro Kawasaki)
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (Jing Xiangfeng)
- ext4: unlock xattr_sem properly in ext4_inline_data_truncate() (Joseph Qi)
- ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA (Kaixu Xia)
- perf: Fix get_recursion_context() (Peter Zijlstra)
- cosa: Add missing kfree in error path of cosa_write (Wang Hai)
- of/address: Fix of_node memory leak in of_dma_is_coherent (Evan Nimmo)
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (Christoph Hellwig)
- xfs: fix rmap key and record comparison functions (Darrick J. Wong)
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (Darrick J. Wong)
- nbd: fix a block_device refcount leak in nbd_release (Christoph Hellwig)
- pinctrl: aspeed: Fix GPI only function problem. (Billy Tsai)
- ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe template (Andrew Jeffery)
- pinctrl: intel: Set default bias in case no particular value given (Andy Shevchenko)
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (Hannes Reinecke)
- cfg80211: regulatory: Fix inconsistent format argument (Ye Bin)
- mac80211: fix use of skb payload instead of header (Johannes Berg)
- drm/amdgpu: perform srbm soft reset always on SDMA resume (Evan Quan)
- scsi: hpsa: Fix memory leak in hpsa_init_one() (Keita Suzuki)
- gfs2: check for live vs. read-only file system in gfs2_fitrim (Bob Peterson)
- gfs2: Add missing truncate_inode_pages_final for sd_aspace (Bob Peterson)
- gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free (Bob Peterson)
- usb: gadget: goku_udc: fix potential crashes in probe (Evgeny Novikov)
- ath9k_htc: Use appropriate rs_datalen type (Masashi Honma)
- Btrfs: fix missing error return if writeback for extent buffer never started (Filipe Manana)
- xfs: flush new eof page on truncate to avoid post-eof corruption (Brian Foster)
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (Stephane Grosjean)
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (Stephane Grosjean)
- can: peak_usb: add range checking in decode operations (Dan Carpenter)
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (Oleksij Rempel)
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (Oliver Hartkopp)
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (Vincent Mailhol)
- can: rx-offload: don't call kfree_skb() from IRQ context (Marc Kleine-Budde)
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (Dan Carpenter)
- perf tools: Add missing swap for ino_generation (Jiri Olsa)
- net: xfrm: fix a race condition during allocing spi (zhuoliang zhang)
- hv_balloon: disable warning when floor reached (Olaf Hering)
- genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY (Marc Zyngier)
- btrfs: reschedule when cloning lots of extents (Johannes Thumshirn)
- btrfs: sysfs: init devices outside of the chunk_mutex (Josef Bacik)
- nbd: don't update block size after device is started (Ming Lei)
- time: Prevent undefined behaviour in timespec64_to_ns() (Zeng Tao)
- mm: mempolicy: fix potential pte_unmap_unlock pte error (Shijie Luo)
- ring-buffer: Fix recursion protection transitions between interrupt context (Steven Rostedt (VMware))
- regulator: defer probe when trying to get voltage from unresolved supply (Michał Mirosław)
- rds: Change return code from rds_send_xmit() when lock is taken (Håkon Bugge) [Orabug: 32852117]
- rds: Fix unintended fall-through in rds_send_worker (Håkon Bugge) [Orabug: 32852117]
- tcp: send in-queue bytes in cmsg upon read (Soheil Hassas Yeganeh) [Orabug: 32871463]
[4.14.35-2047.504.0.el7uek]
- IB/ipoib: Improve latency in ipoib/cm connection formation (Manjunath Patil) [Orabug: 32853000]
- x86/amd: Disable IBS on Rome processors due to erratum 1215 (Boris Ostrovsky) [Orabug: 32817187]
- net/mlx5e: Rx, Fix checksum calculation for new hardware (Saeed Mahameed) [Orabug: 32553186]
- net/mlx5e: Rx, Fixup skb checksum for packets with tail padding (Saeed Mahameed) [Orabug: 32553186]
- net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames (Cong Wang) [Orabug: 32553186]
- mlx5: fix get_ip_proto() (Cong Wang) [Orabug: 32553186]
- net/mlx5e: Set ECN for received packets using CQE indication (Natali Shechtman) [Orabug: 32553186]
- net/mlx5e: CHECKSUM_COMPLETE offload for VLAN/QinQ packets (Gal Pressman) [Orabug: 32553186]
An unbreakable enterprise kernel security update has been released for Oracle Linux 7.