Oval Definition: oval:org.mitre.oval:def:28090
Revision Date: 2015-01-26
Version: 10
Title: RHSA-2014:1724 -- kernel security and bug fix update (Important)
Description: The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system. (CVE-2014-5077, Important)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invvpid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

* A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. (CVE-2014-4653, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646.

Bug fixes:

* A known issue that could prevent Chelsio adapters using the cxgb4 driver from being initialized on IBM POWER8 systems has been fixed. These adapters can now be used on IBM POWER8 systems as expected. (BZ#1130548)

* When bringing a hot-added CPU online, the kernel did not initialize a CPU mask properly, which could result in a kernel panic. This update corrects the bug by ensuring that the CPU mask is properly initialized and the correct NUMA node selected. (BZ#1134715)

* The kernel could fail to bring a CPU online if the hardware supported both the acpi-cpufreq and intel_pstate modules. This update ensures that the acpi-cpufreq module is not loaded if the intel_pstate module is loaded. (BZ#1134716)

* Due to a bug in the time accounting of the kernel scheduler, a divide error could occur when hot adding a CPU. To fix this problem, the kernel scheduler time accounting has been reworked. (BZ#1134717)

* The kernel did not handle exceptions caused by an invalid floating point control (FPC) register, resulting in a kernel oops. This problem has been fixed by placing the label to handle these exceptions to the correct place in the code. (BZ#1138733)

* A previous change to the kernel for the PowerPC architecture changed implementation of the compat_sys_sendfile() function. Consequently, the 64-bit sendfile() system call stopped working for files larger than 2 GB on PowerPC. This update restores previous behavior of sendfile() on PowerPC, and it again processes files bigger than 2 GB as expected. (BZ#1139126)

* Previously, the kernel scheduler could schedule a CPU topology update even though the topology did not change. This could negatively affect the CPU load balancing, cause degradation of the system performance, and eventually result in a kernel oops. This problem has been fixed by skipping the CPU topology update if the topology has not actually changed. (BZ#1140300)

* Previously, recovery of a double-degraded RAID6 array could, under certain circumstances, result in data corruption. This could happen because the md driver was using an optimization that is safe to use only for single-degraded arrays. This update ensures that this optimization is skipped during the recovery of double-degraded RAID6 arrays. (BZ#1143850)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CESA-2014:1724
CVE-2014-3611
CVE-2014-3645
CVE-2014-3646
CVE-2014-4653
CVE-2014-5077
RHSA-2014:1724
Platform(s): CentOS Linux 7
Red Hat Enterprise Linux 7
Product(s): kernel
Definition Synopsis
  • Red Hat Enterprise Linux 7 and CentOS Linux 7 release section
    • Operating system section
      • The operating system installed on the system is Red Hat Enterprise Linux 7
      • OR The operating system installed on the system is CentOS Linux 7.x
    • AND Packages match section
      • kernel is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-abi-whitelists is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-debug is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-debug-devel is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-devel is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-doc is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-headers is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-tools is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-tools-libs is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-tools-libs-devel is earlier than 0:3.10.0-123.9.2.el7
      • OR perf is earlier than 0:3.10.0-123.9.2.el7
      • OR python-perf is earlier than 0:3.10.0-123.9.2.el7
  • Red Hat Enterprise Linux 7 release section
    • The operating system installed on the system is Red Hat Enterprise Linux 7
    • AND Packages match section
      • kernel-debug-debuginfo is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-debuginfo is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-debuginfo-common-x86_64 is earlier than 0:3.10.0-123.9.2.el7
      • OR kernel-tools-debuginfo is earlier than 0:3.10.0-123.9.2.el7
      • OR perf-debuginfo is earlier than 0:3.10.0-123.9.2.el7
      • OR python-perf-debuginfo is earlier than 0:3.10.0-123.9.2.el7