FEDORA-2017-adc7d95627

security update in Fedora 26 for kernel

Status: stable a year ago

The 4.12.5 stable kernel update contains a number of important fixes across the tree.

Reboot Required

After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

Comments 46

This update has been submitted for testing by jforbes.

HP 850 G4, i5-7200U w/integrated GPU

karma: +1 critpath: +1 kernel regression: +1

For #176467, UEFI keys are now imported into the secondary keyring. Loading signed modules works.

ThinkPad T450s, GNOME wayland.

karma: +1 critpath: +1 #1476467: +1 kernel regression: +1

Handling of QXL video device in virtual guests as reported in #1462381 is still broken.

karma: +1 critpath: +1 #1462381: -1

tested and works fine on aarch64 (RPi3, mustang, Pine64+) and ARMv7 (Hummingboard, BBone Wireless, Jetson TK1, OrangePi PC, Raspberry Pi2, Raspberry Pi3, CubieTruck)

karma: +1 critpath: +1

Works fine with a Dell Latitude E7470

karma: +1 critpath: +1

When rebooting after a resume from hibernation it hangs on: sd 3:0:0:0: [sda] Synchronizing scsi cache

I need to do a hard power reset.

This also occurred with 4.12.3. This did not happen with 4.12.4.

Whatever happened to the security? SELinux was giving errors on 4.12.x. If SELinux gives errors, that means the system has been compromised. Did anyone look into the kernel to find what module and code was doing it? Does it happen on 4.12.5? Was the code fixed? What code compromised the security? Who did put that code? Is it fixed and hardened in 4.12.5?

If hibernation fails (regression) that is a no go for the "production". Who meddled with the code for hardware to break it? Does the regression come from kernel or systemd?

Dell XPS 13 9630 - works great

karma: +1 critpath: +1

I have not run the regression tests this time. Boots fine, however I'm still getting SELinux errors that were reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1476345 so I have had to revert back to 4.11.11

karma: -1 critpath: -1

Personal LAMP and mail server. All OK.

karma: +1

UEFI importing is ok. Works.

karma: +1 critpath: +1 #1476467: +1

Wireless performance has dropped to 1-6 Mbps range after this upgrade (from kernel-4.11.11-300.fc26.x86_64) with Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter (rev 32) on my Dell XPS 15 9560.

More system info: https://da.gd/yesIJ

karma: +1 critpath: -1

it does seem to have fixed the fan issue with latest thinkpads. i have a X270.

karma: +1 critpath: +1
karma: +1 critpath: +1 kernel regression: +1

there seems to be regression in iwlwifi driver in this kernel (see https://pastebin.com/raw/VFK2ZDUJ)

on vmlinuz-4.11.11-300.fc26.x86_64 everything works fine

karma: -1 kernel regression: -1

correct that, seems I was not running different kernel. All work fine now.

karma: +1

Works for me on a MacBookPro10,1 with a Core i7 3820QM and an nVidia GeForce GT 650.

karma: +1 critpath: +1

Found https://bugzilla.redhat.com/show_bug.cgi?id=1440988 happens in this kernel on a lenovo x270, i7-7500U, Intel HD 620

Why does it take over 4 days for a critical path security update to go from:

'This update has been submitted for testing by jforbes.'

to:

'This update has been pushed to testing.'

What's the hold up??

Ryzen 1400, with btrfs RAID5 and NVMe M.2 SSD, booted perfectly.

karma: +1 critpath: +1

This update has been pushed to testing.

LGTM dell M5510 with nvidia driver.

karma: +1 critpath: +1 kernel regression: +1

works for me great on T450s

karma: +1

Kernel boots ok on a Dell Latitude E7270.

But it yields several SELinux dac_read_search AVCs:

Also related: https://bugzilla.redhat.com/show_bug.cgi?id=1467468#c1

critpath: -1

wfm

karma: +1 critpath: +1 kernel regression: +1

Still getting those SELinux denials with this kernel. Various DAC stuff. Not quite sure why.

karma: -1 critpath: -1

Works great! LGTM! =)

karma: +1

Lenovo T470s: wfm.

(I also get the SELinux denials, though)

karma: +1 critpath: +1 kernel regression: +1

This update has been submitted for stable by jforbes.

FYI the new selinux policy in "pending" fixes #1476345 for me.. No more selinux warnings on this box.

karma: +1 critpath: +1

This update has been pushed to stable.

Working well on x86_64 laptop and Xeon D server.

karma: +1 critpath: +1

As reported by others, this does not fix bug 1462381.

#1462381: -1

no issues .. lenovo T460

karma: +1 critpath: +1

There is a major wifi strength drop on this kernel possibly due to a regression. vmlinuz-4.11.11-300.fc26.x86_64 works fine for my Realtek RTL8723BE wireless adapter. It only gets borked after the 4.12 update.

critpath: -1 kernel regression: -1

My USB wi-fi adapter does not connect to my access point (wi-fi router) after the upgrading from the 4.11.x to the 4.12.x kernel series. The logs show the following errors:

Rebooting back to the earlier 4.11.x kernel and everything works once again.

[root@vinu vinu]# tail -f /var/log/messages
Aug 16 18:20:57 vinu NetworkManager[806]: <info> [1502887857.5822] device (wlp0s20u5): set-hw-addr: set MAC address to aa:aa:aa:aa:aa:aa (scanning)
Aug 16 18:20:57 vinu kernel: IPv6: ADDRCONF(NETDEV_UP): wlp0s20u5: link is not ready
Aug 16 18:20:57 vinu NetworkManager[806]: <info> [1502887857.7216] device (wlp0s20u5): supplicant interface state: disconnected -> disabled
Aug 16 18:20:57 vinu NetworkManager[806]: <info> [1502887857.7422] device (wlp0s20u5): supplicant interface state: disabled -> inactive
Aug 16 18:20:57 vinu wpa_supplicant[970]: wlp0s20u5: Reject scan trigger since one is already pending
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.2898] policy: auto-activating connection 'vinu-dincy@754-C1-5MHz'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.2921] device (wlp0s20u5): Activation: starting connection 'vinu-dincy@754-C1-5MHz' (0d9683dc-cacf-40ae-88fc-430e52254e9e)
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.2922] device (wlp0s20u5): state change: disconnected -> prepare (reason 'none', internal state 'managed')
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.2923] manager: NetworkManager state is now CONNECTING
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.3561] device (wlp0s20u5): set-hw-addr: reset MAC address to bb:bb:bb:bb:bb:bb (preserve)
Aug 16 18:21:23 vinu kernel: IPv6: ADDRCONF(NETDEV_UP): wlp0s20u5: link is not ready
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.4928] device (wlp0s20u5): supplicant interface state: inactive -> disabled
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.4936] device (wlp0s20u5): state change: prepare -> config (reason 'none', internal state 'managed')
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.4939] device (wlp0s20u5): Activation: (wifi) access point 'vinu-dincy@754-C1-5MHz' has security, but secrets are required.
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.4940] device (wlp0s20u5): state change: config -> need-auth (reason 'none', internal state 'managed')
Aug 16 18:21:23 vinu kdeinit5: plasma-nm: Unhandled active connection state change: 1
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5150] device (wlp0s20u5): state change: need-auth -> prepare (reason 'none', internal state 'managed')
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5153] device (wlp0s20u5): state change: prepare -> config (reason 'none', internal state 'managed')
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5154] device (wlp0s20u5): Activation: (wifi) connection 'vinu-dincy@754-C1-5MHz' has security, and secrets exist. No new secrets needed.
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5155] Config: added 'ssid' value 'vinu-dincy@754-C1-5MHz'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5155] Config: added 'scan_ssid' value '1'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5155] Config: added 'key_mgmt' value 'WPA-PSK'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5155] Config: added 'auth_alg' value 'OPEN'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5155] Config: added 'psk' value '<hidden>'
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5222] device (wlp0s20u5): supplicant interface state: disabled -> inactive
Aug 16 18:21:23 vinu NetworkManager[806]: <info> [1502887883.5319] device (wlp0s20u5): supplicant interface state: inactive -> scanning
Aug 16 18:21:26 vinu wpa_supplicant[970]: wlp0s20u5: SME: Trying to authenticate with cc:cc:cc:cc:cc:cc (SSID='vinu-dincy@754-C1-5MHz' freq=5765 MHz)
Aug 16 18:21:26 vinu kernel: wlp0s20u5: authenticate with cc:cc:cc:cc:cc:cc
Aug 16 18:21:26 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 1/3)
Aug 16 18:21:26 vinu NetworkManager[806]: <info> [1502887886.2401] device (wlp0s20u5): supplicant interface state: scanning -> authenticating
Aug 16 18:21:26 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 2/3)
Aug 16 18:21:26 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 3/3)
Aug 16 18:21:26 vinu kernel: wlp0s20u5: authentication with cc:cc:cc:cc:cc:cc timed out
Aug 16 18:21:26 vinu wpa_supplicant[970]: wlp0s20u5: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="vinu-dincy@754-C1-5MHz" auth_failures=1 duration=10 reason=CONN_FAILED
Aug 16 18:21:26 vinu NetworkManager[806]: <info> [1502887886.3694] device (wlp0s20u5): supplicant interface state: authenticating -> disconnected
Aug 16 18:21:31 vinu NetworkManager[806]: <info> [1502887891.3705] device (wlp0s20u5): supplicant interface state: disconnected -> scanning
Aug 16 18:21:36 vinu wpa_supplicant[970]: wlp0s20u5: CTRL-EVENT-SSID-REENABLED id=0 ssid="vinu-dincy@754-C1-5MHz"
Aug 16 18:21:36 vinu kernel: wlp0s20u5: authenticate with cc:cc:cc:cc:cc:cc
Aug 16 18:21:36 vinu wpa_supplicant[970]: wlp0s20u5: SME: Trying to authenticate with cc:cc:cc:cc:cc:cc (SSID='vinu-dincy@754-C1-5MHz' freq=5765 MHz)
Aug 16 18:21:36 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 1/3)
Aug 16 18:21:36 vinu NetworkManager[806]: <info> [1502887896.0594] device (wlp0s20u5): supplicant interface state: scanning -> authenticating
Aug 16 18:21:36 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 2/3)
Aug 16 18:21:36 vinu kernel: wlp0s20u5: send auth to cc:cc:cc:cc:cc:cc (try 3/3)
Aug 16 18:21:36 vinu kernel: wlp0s20u5: authentication with cc:cc:cc:cc:cc:cc timed out
Aug 16 18:21:36 vinu wpa_supplicant[970]: wlp0s20u5: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="vinu-dincy@754-C1-5MHz" auth_failures=2 duration=20 reason=CONN_FAILED
Aug 16 18:21:36 vinu NetworkManager[806]: <info> [1502887896.1681] device (wlp0s20u5): supplicant interface state: authenticating -> disconnected
Aug 16 18:21:46 vinu NetworkManager[806]: <info> [1502887906.1698] device (wlp0s20u5): supplicant interface state: disconnected -> scanning
Aug 16 18:21:48 vinu NetworkManager[806]: <warn> [1502887908.5682] device (wlp0s20u5): Activation: (wifi) association took too long, failing activation
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.5682] device (wlp0s20u5): state change: config -> failed (reason 'ssid-not-found', internal state 'managed')
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.5685] manager: NetworkManager state is now CONNECTED_LOCAL
Aug 16 18:21:48 vinu NetworkManager[806]: <warn> [1502887908.5695] device (wlp0s20u5): Activation: failed for connection 'vinu-dincy@754-C1-5MHz'
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.5702] device (wlp0s20u5): state change: failed -> disconnected (reason 'none', internal state 'managed')
Aug 16 18:21:48 vinu kernel: IPv6: ADDRCONF(NETDEV_UP): wlp0s20u5: link is not ready
Aug 16 18:21:48 vinu kdeconnectd: "No such interface 'org.freedesktop.DBus.Properties' on object at path /org/freedesktop/NetworkManager/ActiveConnection/5"
Aug 16 18:21:48 vinu kdeinit5: "No such interface 'org.freedesktop.DBus.Properties' on object at path /org/freedesktop/NetworkManager/ActiveConnection/5"
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.6474] device (wlp0s20u5): set-hw-addr: set MAC address to ee:ee:ee:ee:ee:ee (scanning)
Aug 16 18:21:48 vinu kernel: IPv6: ADDRCONF(NETDEV_UP): wlp0s20u5: link is not ready
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.7872] device (wlp0s20u5): supplicant interface state: scanning -> disabled
Aug 16 18:21:48 vinu NetworkManager[806]: <info> [1502887908.7993] device (wlp0s20u5): supplicant interface state: disabled -> inactive
Aug 16 18:21:48 vinu wpa_supplicant[970]: wlp0s20u5: Reject scan trigger since one is already pending

karma: -1 critpath: -1

I'm also having issues with 4.12 on Realtek RTL8723BE. Same as user above. Networking is completely dead on wireless adapter.

Why was this kernel even pushed to users without proper QA?

karma: -1 critpath: -1 kernel regression: -1

The system is laggy

karma: -1

Built a custom live CD with this kernel and used it on a desktop with an nVidia GTX 1080. Worked like a charm. 4.12 is the first kernel version with Pascal (nVidia GTX 1000 series) acceleration, and having it makes it possible to install and run Fedora on the machine without jumping through additional hoops.

Thank you very much for your work!

critpath: +1

after update with kernel 4.12.5-300 my system fails boot

karma: -1

kernel-core-4.12.5-300.fc26.x86_64 fails to boot in a qemu-kvm virtual machine. When selecting the previous version (kernel-core-4.11.11-300.fc26.x86_64) in the boot menu, this Fedora installation boots fine.

critpath: -1

Same here, 4.12.5-300.fc26.x86_64 also doesn't boot as a KVM virtual machine (running the same kernel on the host). Booting 4.11.11-300.fc26.x86_64 in the virtual machine instead works fine.

https://imgur.com/a/WxQ1S

karma: -1

KVM clients on my AMD Windsor CPU system no longer boot. Over on the ARCHLinux forum, they were talking about this commit acing out older CPUs:

commit 2c82878b0cb38fd516fd612c67852a6bbf282003
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon Mar 27 14:37:28 2017 +0200

KVM: VMX: require virtual NMI support

Virtual NMIs are only missing in Prescott and Yonah chips.  Both are obsolete
for virtualization usage---Yonah is 32-bit only even---so drop vNMI emulation.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

My CPUinfo is:

processor : 1
vendor_id : AuthenticAMD
cpu family : 15
model : 67
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 6000+
stepping : 3
cpu MHz : 1000.000
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl cpuid extd_apicid pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch vmmcall
bugs : fxsave_leak sysret_ss_attrs null_seg swapgs_fence amd_e400
bogomips : 2009.12
TLB size : 1024 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc

critpath: -1

Regarding my kernel-core-4.12.5-300.fc26.x86_64 comment above: this only happens with QXL-Displays in KVM (which I had, maybe due to old configuration), now that I switched to a VirtIO-Display in my VMs, everything runs fine with this kernel and the following.

Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: security
Update Severity: medium
Karma: +15
stable threshold: 3
unstable threshold: -3
Autopush: Disabled
Dates
submitted a year ago
in testing a year ago
in stable a year ago

Related Bugs 5

-2 0 #1462381 Rawhide Workstation install fails to boot with qxl/SPICE and graphical boot enabled
0 0 #1468283 CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
0 0 #1471314 Provisioning on Azure fails due to lack of UDF driver in main kernel modules
0 +1 #1476467 UEFI Keys not imported with kernel-4.12.4-300.fc26
0 0 #1478086 CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename() [fedora-all]

Automated Test Results

Test Cases

-1 +5 Test Case kernel regression