[El-errata] ELSA-2020-5885 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Oct 13 02:56:02 PDT 2020

Oracle Linux Security Advisory ELSA-2020-5885


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- KVM: x86: always expose VIRT_SSBD to guests (Paolo Bonzini)  [Orabug: 31957046]

- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (Suravee Suthikulpanit)  [Orabug: 31931371]
- oracleasm: Access d_bdev before dropping inode (Stephen Brennan)  [Orabug: 31901948]
- net: Correct warning: label 'drop' defined but not used. (John Donnelly)  [Orabug: 31916130]
- KVM: Corrects build warnings for emulator_get_fpu/emulator_put_fpu (John Donnelly)  [Orabug: 31907286]
- ext4: fix potential negative array index in do_split() (Eric Sandeen)  [Orabug: 31895330]  {CVE-2020-14314}
- net/rds: Extract dest qp num for displaying in rds-info (Praveen Kumar Kannoju)  [Orabug: 31880143]
- bpf: Fix bpf_event_output re-entry issue (Allan Zhang)  [Orabug: 31865842]
- bpf: fix nested bpf tracepoints with per-cpu data (Matt Mullins)  [Orabug: 31865842]
- uek-rpm: Turn on module signing for embedded2 kernel (Dave Kleikamp)  [Orabug: 31895264]
- uek-rpm: Clean up config-aarch64-embedded2 (Dave Kleikamp)  [Orabug: 31895264]

- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song)  [Orabug: 31884238]  {CVE-2020-25285}
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya Dryomov)  [Orabug: 31884165]  {CVE-2020-25284}
- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell)  [Orabug: 31872904]  {CVE-2020-25212}
- IB/mlx5: Fix MR registration flow to use UMR properly (Guy Levi)  [Orabug: 31631231]
- IB/mlx5: Prevent concurrent MR updates during invalidation (Moni Shoua)  [Orabug: 31631231]
- IB/mlx5: Replace kfree with kvfree (Chuhong Yuan)  [Orabug: 31631231]
- RDMA/odp: Do not leak dma maps when working with huge pages (Jason Gunthorpe)  [Orabug: 31631231]
- IB/mlx5: Respect new UMR capabilities (Majd Dibbiny)  [Orabug: 31631231]
- RDMA/mlx5: Unify error flows in rereg MR failure paths (Leon Romanovsky)  [Orabug: 31631231]
- IB/mlx5: Maintain a single emergency page (Ilya Lesokhin)  [Orabug: 31631231]
- genirq/irqdomain: Make sure all irq domain flags are distinct (Zenghui Yu)  [Orabug: 31885236]
- irq/msi: Direct update affinity if irq is for msix or, maskable (Joe Jin)  [Orabug: 31885236]
- x86/apic/msi: Plug non-maskable MSI affinity race (Joe Jin)  [Orabug: 31885236]
- mm: memcg: Optimize cgroup traversal in memory.stat read (Tom Hromatka)  [Orabug: 31849182]
- SUNRPC: Fix disconnection races (Trond Myklebust)  [Orabug: 31796863]
- SUNRPC: Add a helper to wake up a sleeping rpc_task and set its status (Trond Myklebust)  [Orabug: 31796863]
- dmaengine: ioatdma: Add Snow Ridge ioatdma device id (Dave Jiang)  [Orabug: 31669166]

- PCI: Probe bridge window attributes once at enumeration-time (Bjorn Helgaas)  [Orabug: 31867576]
- net/packet: fix overflow in tpacket_rcv (Or Cohen)  [Orabug: 31866489]  {CVE-2020-14386} {CVE-2020-14386}
- scsi: qla2xxx: Fix login timeout (Quinn Tran)  [Orabug: 31860034]
- block: better deal with the delayed not supported case in blk_cloned_rq_check_limits (Ritika Srivastava)  [Orabug: 31850343]
- block: Return blk_status_t instead of errno codes (Ritika Srivastava)  [Orabug: 31850343]
- block: print offending values when cloned rq limits are exceeded (John Pittman)  [Orabug: 31850343]
- iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE (Suravee Suthikulpanit)  [Orabug: 31849532]

- Pensando: kernel config changes for kdump (Rob Gardner)  [Orabug: 31821490]
- Pensando: Enable iScsi in kernel config (Rob Gardner)  [Orabug: 31821490]
- sample-trace-array: Fix timer definition in samples/ftrace/sample-trace-array.c (Aruna Ramakrishna)  [Orabug: 31845460]
- IB/mlx5: Expose RoCE accelerator counters (Avihai Horon)  [Orabug: 31621816]
- net/mlx5: Add RoCE accelerator counters (Leon Romanovsky)  [Orabug: 31621816]
- lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() (Christophe Leroy)  [Orabug: 29623005]  {CVE-2018-20669}
- x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() (Will Deacon)  [Orabug: 29623005]  {CVE-2018-20669}
- arch/openrisc: Fix issues with access_ok() (Stafford Horne)  [Orabug: 29623005]  {CVE-2018-20669}
- Fix 'acccess_ok()' on alpha and SH (Linus Torvalds)  [Orabug: 29623005]  {CVE-2018-20669}
- make 'user_access_begin()' do 'access_ok()' (Linus Torvalds)  [Orabug: 29623005]  {CVE-2018-20669}
- kabi fix for reparent slab memory on cgroup removal patchset (Tom Hromatka)  [Orabug: 31746022]
- mm/memcontrol.c: add missed css_put() (Muchun Song)  [Orabug: 31746022]
- mm: memcg/slab: reparent memcg kmem_caches on cgroup removal (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: stop setting page->mem_cgroup pointer for slab pages (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: rework non-root kmem_cache lifecycle management (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: don't check the dying flag on kmem_cache creation (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: unify SLAB and SLUB page accounting (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: introduce __memcg_kmem_uncharge_memcg() (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: generalize postponed non-root kmem_cache deactivation (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: rename slab delayed deactivation functions and fields (Roman Gushchin)  [Orabug: 31746022]
- mm: memcg/slab: postpone kmem_cache memcg pointer initialization to memcg_link_cache() (Roman Gushchin)  [Orabug: 31746022]
- mm: introduce mem_cgroup_put() helper (Roman Gushchin)  [Orabug: 31746022]
- mm/memcontrol.c: export mem_cgroup_is_root() (Kirill Tkhai)  [Orabug: 31746022]
- memcg: localize memcg_kmem_enabled() check (Shakeel Butt)  [Orabug: 31746022]
- mm: fix race between kmem_cache destroy, create and deactivate (Shakeel Butt)  [Orabug: 31746022]
- uek-rpm: Sync up aarch64 config files with latest Marvell patches (Dave Kleikamp)  [Orabug: 31838205]
- drivers: marvell: otx2-sdei-ghes: correct issues with crashdump kernel (Rick Farrington)  [Orabug: 31838205]
- drivers: mtd: spi-nor: Add MX66L2G45GXRI00 macronix flash (Selvam Venkatachalam)  [Orabug: 31838205]
- irqchip/gic-v3: Add workaround for interrupt loss on IPI (Linu Cherian)  [Orabug: 31838205]
- octeontx2-af: fix Extended DSA and eDSA parsing (Satha Rao)  [Orabug: 31838205]
- drivers: gicv3: Adds workaround for Marvell erratum 38545 (Bhaskara Budiredla)  [Orabug: 31838205]
- octeontx2-af: reset HWS group mask during FLR (Michal Mazur)  [Orabug: 31838205]
- drivers: marvell: otx2: sdei-ghes: add BERT support for RAS errors (Rick Farrington)  [Orabug: 31838205]
- ACPI: APEI: BERT: support BERT in non-ACPI systems (Rick Farrington)  [Orabug: 31838205]
- Documentation: dt: edac: update sdei-ghes/bed-bert settings (Rick Farrington)  [Orabug: 31838205]
- btrfs: merge btrfs_find_device and find_device (Anand Jain)  [Orabug: 31351744]  {CVE-2019-18885}
- sctp: implement memory accounting on tx path (Xin Long)  [Orabug: 31351958]  {CVE-2019-3874}
- Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" (Wade Mealing)  [Orabug: 31510723]  {CVE-2020-10781}
- sample-trace-array: Fix sleeping function called from invalid context (Kefeng Wang)  [Orabug: 31543030]
- sample-trace-array: Remove trace_array 'sample-instance' (Kefeng Wang)  [Orabug: 31543030]
- tracing: Sample module to demonstrate kernel access to Ftrace instances. (Divya Indi)  [Orabug: 31543030]
- tracing: Adding new functions for kernel access to Ftrace instances (Aruna Ramakrishna)  [Orabug: 31543030]
- tracing: Adding NULL checks for trace_array descriptor pointer (Divya Indi)  [Orabug: 31543030]
- tracing: Verify if trace array exists before destroying it. (Divya Indi)  [Orabug: 31543030]
- tracing: Declare newly exported APIs in include/linux/trace.h (Divya Indi)  [Orabug: 31543030]
- tracing: Kernel access to Ftrace instances (Divya Indi)  [Orabug: 31543030]
- x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. (Anthony Steinhauser)  [Orabug: 31557803]  {CVE-2020-10767}
- md: get sysfs entry after redundancy attr group create (Junxiao Bi)  [Orabug: 31682037]
- md: fix deadlock causing by sysfs_notify (Junxiao Bi)  [Orabug: 31682037]
- random32: update the net random state on interrupt and activity (Willy Tarreau)  [Orabug: 31698082]  {CVE-2020-16166}
- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang)  [Orabug: 31705119]  {CVE-2020-14331} {CVE-2020-14331}
- KVM: x86: take as_id into account when checking PGD (Vitaly Kuznetsov)  [Orabug: 31722725]
- KVM: X86: Fix MSR range of APIC registers in X2APIC mode (Xiaoyao Li)  [Orabug: 31722725]
- KVM: nVMX: Report NMIs as allowed when in L2 and Exit-on-NMI is set (Sean Christopherson)  [Orabug: 31722725]
- KVM: nVMX: Remove non-functional "support" for CR3 target values (Sean Christopherson)  [Orabug: 31722725]
- KVM: x86/mmu: Avoid an extra memslot lookup in try_async_pf() for L2 (Paolo Bonzini)  [Orabug: 31722725]
- KVM: x86: Adjust counter sample period after a wrmsr (Eric Hankland)  [Orabug: 31722725]
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit (Oliver Upton)  [Orabug: 31722725]
- KVM: x86: Fix perfctr WRMSR for running counters (Eric Hankland)  [Orabug: 31722725]
- KVM: nVMX: Check GUEST_DR7 on vmentry of nested guests (Krish Sadhukhan)  [Orabug: 31722725]
- perf/core: Provide a kernel-internal interface to recalibrate event period (Like Xu)  [Orabug: 31722725]
- KVM: VMX: Consume pending LAPIC INIT event when exit on INIT_SIGNAL (Liran Alon)  [Orabug: 31722725]
- KVM: nVMX: cleanup and fix host 64-bit mode checks (Paolo Bonzini)  [Orabug: 31722725]
- KVM: nVMX: Check Host Address Space Size on vmentry of nested guests (Krish Sadhukhan)  [Orabug: 31722725]
- KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o lapic_in_kernel (Wanpeng Li)  [Orabug: 31722725]
- KVM: x86: Fix INIT signal handling in various CPU states (Liran Alon)  [Orabug: 31722725]
- KVM: VMX: Introduce exit reason for receiving INIT signal on guest-mode (Liran Alon)  [Orabug: 31722725]
- KVM: nVMX: add tracepoint for failed nested VM-Enter (Sean Christopherson)  [Orabug: 31722725]
- KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS (Liran Alon)  [Orabug: 31722725]
- kvm: LAPIC: write down valid APIC registers (Paolo Bonzini)  [Orabug: 31722725]
- KVM: LAPIC: ARBPRI is a reserved register for x2APIC (Paolo Bonzini)  [Orabug: 31722725]
- KVM nVMX: Check Host Segment Registers and Descriptor Tables on vmentry of nested guests (Krish Sadhukhan)  [Orabug: 31722725]
- KVM/nVMX: Use kvm_vcpu_map for accessing the shadow VMCS (KarimAllah Ahmed)  [Orabug: 31722725]
- KVM/nVMX: Use kvm_vcpu_map when mapping the virtual APIC page (KarimAllah Ahmed)  [Orabug: 31722725]
- KVM: nVMX: Return -EINVAL when signaling failure in VM-Entry helpers (Sean Christopherson)  [Orabug: 31722725]
- KVM: nVMX: Move guest non-reg state checks to VM-Exit path (Sean Christopherson)  [Orabug: 31722725]
- kvm: nVMX: Check "load IA32_PAT" VM-entry control on vmentry (Krish Sadhukhan)  [Orabug: 31722725]
- kvm: nVMX: Check "load IA32_PAT" VM-exit control on vmentry (Krish Sadhukhan)  [Orabug: 31722725]
- KVM: x86: optimize check for valid PAT value (Paolo Bonzini)  [Orabug: 31722725]
- KVM: nVMX: allow tests to use bad virtual-APIC page address (Paolo Bonzini)  [Orabug: 31722725]
- x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init (Vitaly Kuznetsov)  [Orabug: 31722725]
- kvm: nVMX: Add a vmentry check for HOST_SYSENTER_ESP and HOST_SYSENTER_EIP fields (Krish Sadhukhan)  [Orabug: 31722725]
- KVM: nVMX: Apply addr size mask to effective address for VMX instructions (Sean Christopherson)  [Orabug: 31722725]
- Reverts "rds: avoid unnecessary cong_update in loop transport" (Iraimani Pavadai)  [Orabug: 31741323]
- net/mlx5e: Poll event queue upon TX timeout before performing full channels recovery (Eran Ben Elisha)  [Orabug: 31753101]
- net/rds: Incorrect pointer used in rds_getname() (Ka-Cheong Poon)  [Orabug: 31755754]
- nfsd: apply umask on fs without ACL support (J. Bruce Fields)  [Orabug: 31779886]  {CVE-2020-24394}
- RDMA/mlx5: Fix Shared PD prefetch of ODP memory region (Mark Haywood)  [Orabug: 31688621]
- uek-rpm: aarch64: build embedded kernel for Pensando (Dave Kleikamp)  [Orabug: 31627078]
- Make low-speed APB bus accesses single threaded (Dave Kleikamp)  [Orabug: 31627078]
- Add /dev/capmem driver for Pensando (David Clear)  [Orabug: 31627078]
- Kconfig option to disable outer-cache-allocate for Pensando (David Clear)  [Orabug: 31627078]
- Provide for precise control of pgprot for Pensando (David Clear)  [Orabug: 31627078]
- Add Pensando Capri board .dts files and default configs (David Clear)  [Orabug: 31627078]
- Add /proc/xmaps (David Clear)  [Orabug: 31627078]
- mtd/spi-nor/cadence-quadspi.c: Speed up reads. (David Clear)  [Orabug: 31627078]
- Add mnic nodes to the Pensando devicetree (David Clear)  [Orabug: 31627078]
- Pensando Boot State Machine (BSM) integration. (David Clear)  [Orabug: 31627078]
- Pensando crash dump driver (David Clear)  [Orabug: 31627078]
- Pensando/Capri PCIE panic handler. (David Clear)  [Orabug: 31627078]
- Add uio support for Capri PCIE and Link interrupts (David Clear)  [Orabug: 31627078]
- Interrupt domain controllers for Capri ASIC. (David Clear)  [Orabug: 31627078]
- Capri SPI driver (David Clear)  [Orabug: 31627078]
- Add Capri EMMC phy and instantiate the driver in the dts (David Clear)  [Orabug: 31627078]
- Initial Pensando Capri SoC declaration (David Clear)  [Orabug: 31627078]
- New quirk for Pensando QSPI controller (David Clear)  [Orabug: 31627078]
- Add pensando,cpld device tree compat entry (David Clear)  [Orabug: 31627078]
- add support for NXP PCF85363/PCF85263 real-time clock (David Clear)  [Orabug: 31627078]
- Support the reset pulse width from the device-tree. (David Clear)  [Orabug: 31627078]
- Attempt to recover from a stuck SDA line (David Clear)  [Orabug: 31627078]
- Add driver for the TI TPS53659 (David Clear)  [Orabug: 31627078]
- support spi-rx-bus-width property on subnodes (David Clear)  [Orabug: 31627078]
- Support for SPI_NOR_DUAL_READ on Micron (David Clear)  [Orabug: 31627078]
- mtd: spi-nor: cadence-quadspi: fix spelling mistake: "Couldnt't" -> "Couldn't" (Colin Ian King)  [Orabug: 31627078]
- mtd: spi-nor: cadence-quadspi: Add support for Octal SPI controller (Vignesh R)  [Orabug: 31627078]
- mtd: spi-nor: Add Micron MT25QU02 support (Thor Thayer)  [Orabug: 31627078]
- arm64: tlb: Ensure we execute an ISB following walk cache invalidation (Will Deacon)  [Orabug: 31627078]
- arm64: mm: Add ISB instruction to set_pgd() (Will Deacon)  [Orabug: 31627078]
- mtd: spi-nor: Allow Cadence QSPI support for ARM64 (Thor Thayer)  [Orabug: 31627078]
- irqchip/gic-v3: Add workaround for Synquacer pre-ITS (Ard Biesheuvel)  [Orabug: 31627078]
- irqchip/gic: Make quirks matching conditional on init return value (Ard Biesheuvel)  [Orabug: 31627078]
- irqchip/gic-v3: Probe device ID space before quirks handling (Ard Biesheuvel)  [Orabug: 31627078]
- rename kABI whitelists to lockedlists (Dan Duval)  [Orabug: 31783149]

More information about the El-errata mailing list