8.82. kernel

Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.5 Extended Update Support.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-3673, CVE-2014-3687, Important
A flaw was found in the way the Linux kernel's SCTP implementation handled malformed or duplicate Address Configuration Change Chunks (ASCONF). A remote attacker could use either of these flaws to crash the system.
CVE-2014-3688, Important
A flaw was found in the way the Linux kernel's SCTP implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service.
CVE-2014-5045, Moderate
A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation.
CVE-2014-4608, Low
An integer overflow flaw was found in the way the lzo1x_decompress_safe() function of the Linux kernel's LZO implementation processed Literal Runs. A local attacker could, in extremely rare cases, use this flaw to crash the system or, potentially, escalate their privileges on the system.
Red Hat would like to thank Vasily Averin of Parallels for reporting CVE-2014-5045, and Don A. Bailey from Lab Mouse Security for reporting CVE-2014-4608. The CVE-2014-3673 issue was discovered by Liu Wei of Red Hat.

Bug Fixes

BZ#1108360
Before this update, under certain conditons, the kernel timer could cause the Intelligent Platform Management Interface (IPMI) driver to become unresponsive, resulting in high CPU load. With this update, a patch has been applied, and the IPMI driver no longer hangs.
BZ#1109270, BZ#1109712
Previously, when error recovery was restarted, the Orthonormal Basis Functions (OBF) timer in the KCS driver was not reset, which led to an immediate timeout. As a consequence, these timing issues caused caused ipmi to become unresponsive. In addition, numerous error messages were filling up the /var/log/messages file and causing high CPU usage. With this update, patches have been applied to fix this bug, and ipmi no longer hangs in the described situation.
BZ#1135993
Due to certain kernel changes, the TCP Small Queues (TSQ) process did not handle Nagle's algorithm properly when a TCP session became throttled. The underlying source code has been patched, and Nagle's algorithm now works correctly in TSQ.
BZ#1140976
Before this update, due to a bug in the error-handling path, corrupted metadata block could be used as a valid block. With this update, the error handling path is fixed and more checks are added to verify the metadata block. Now, when a corrupted metadata block is encountered, it is properly marked as corrupted and handled accordingly.
BZ#1154087, BZ#1158321
Previously, log forces with relatively little free stack available occurred deep in the call chain. As a consequence, a stack overflew in the (XFS) file system and the system could terminate unexpectedly. To fix this bug, moving log forces to a work queue relieves the stack pressure and avoids the system crash.
BZ#1158324
Before this update, TCP transmit interrupts could not be set lower than the default of 8 buffered tx frames, which under certain conditions led to TCP transmit delays occurring on ixgbe adapters. With this update, code change removes the restriction of minimum 8 buffered frames and now allows minimum of 1 frame a transmit to occur. And as a result, transmit delays are now minimized.
BZ#1165984
Previously, a coding error in Ethernet 100 driver update caused improper initialization for certain Physical Layers (PHYs) and return of RX errors. With this update, the coding error has been fixed, and the device driver works properly.
BZ#1158327
Before this update, the frame buffer (offb) driver did not support setting of the color palette registers on the QEMU standard VGA adapter, which caused incorrect color displaying. The offb driver has been updated for the QEMU standard VGA adapter, fixing the color issues.
BZ#1142569
Before this update, several race conditions occurred between PCI error recovery callbacks and potential calls of the ifup and ifdown commands in the tg3 driver. When triggered, these race conditions could cause unexpected kernel termination. This bug has been fixed, and the kernel no longer crashes.
BZ#1158889, BZ#1162748
Due to hardware bug conditions during Top Segmentation Offload (TSO) fragment processing, there was a page allocation failure in kernel and packets were not transmitted. With this update, more generic Generic Segmentation Offload (GSO) is used as a fallback when TSO fragment processing fails, and packets are now successfully transmitted.
BZ#1163397
Previously, the kernel became unresponsive when using a zombie PID and cgroup. To fix this bug, a patch has been applied, and the kernel no longer hangs.
BZ#1165000
Previously, under certain error conditions gfs2_converter introduced incorrect values for the on-disk inode's di_goal_meta field. As a consequence, gfs2_converter returned the EBADSLT error on such inodes and did not allow creation of the new files in directories or new blocks in regular files. The fix allows gfs2_converter to set a sensible goal value if a corrupt one is encountered and proceed with normal operations. With this update, gfs2_converter implicitly fixes any corrupt goal values, and thus no longer disrupts normal operations.
BZ#1169403
Previously, certain error conditions led to messages being sent to system logs. These messages could become lost instead of being logged, or repeated messages were not suppressed. In extreme cases, the resulting logging volume could cause system lockups or other problems. The relevant test has been reversed to fix this bug, and frequent messages are now suppressed and infrequent messages logged as expected.

Enhancement

BZ#1167209
This update adds fixes from Emulex and Oracle Enterprise Management (OEM) qualifications including latest fixes for Skyhawk hardware to the Emulex be2iscsi driver.
Users of kernel are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.5 Extended Update Support.
The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-5077, Important
A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system.

Bug Fixes

BZ#1110839
Due to a bug in the kernel signal handling, the decimal floating point (DFP) operations could have been executed with an incorrect rounding mode. As a consequence, DFP calculations could return incorrect or corrupted results. This update fixes this problem by replacing a simple bit mask that was previously used to verify validity of some values in the floating point control register. The bit mask is replaced by a trial load of the floating point control register.
BZ#1140163
Previously, when freeing a large number of huge pages (several TB), the kernel could experience soft lockup events. This could possibly result in performance problems. The memory management code has been modified to increase a chance of a context switch in this situation, which prevents occurrence of soft lockup events.
BZ#1122102
A bug in the nouveau driver could prevent the main display of a Lenovo ThinkPad W530 laptop from being initialized after the system was resumed from suspend. This happened if the laptop had an external screen that was detached while the system was suspended. This problem has been fixed by backporting an upstream patch related to the DisplayPort interface.
BZ#1139807
Due to race conditions in the IP Virtual server (IPVS) code, the kernel could trigger a general protection fault when running the IPVS connection synchronization daemon. With this update, the race conditions in the IPVS code have been addressed, and the kernel no longer crashes when running the IPVS daemon.
BZ#1139345
The kernel could sometimes panic due to a possible division by zero in the kernel scheduler. This bug has been fixed by defining a new div64_ul() division function and correcting the affected calculation in the proc_sched_show_task() function.
BZ#1125980
Removing the rtsc_pci_ms kernel module on some Lenovo ThinkPad series laptops could result in a kernel panic. This update resolves this problem by correcting a bug in the base drivers function, platform_uevent().
BZ#1125994
A bug in the Linux Netpoll API could result in a kernel oops if the system had the netconsole service configured over a bonding device. With this update, incorrect flag usage in the netpoll_poll_dev() function has been fixed and the kernel no longer crashes due to this bug.
BZ#1127580
The kernel did not handle exceptions caused by an invalid floating point control (FPC) register, resulting in a kernel oops. This problem has been fixed by placing the label to handle these exceptions to the correct place in the code.
BZ#1138301
Previously, certain network device drivers did not accept ethtool commands right after they were mounted. As a consequence, the current setting of the specified device driver was not applied and an error message was returned. The ETHTOOL_DELAY variable has been added, which makes sure the ethtool utility waits for some time before it tries to apply the options settings, thus fixing the bug.
BZ#1130630
A rare race between the file system unmount code and the file system notification code could lead to a kernel panic. With this update, a series of patches has been applied to the kernel to prevent this problem.
BZ#1131137
A bug in the bio layer could prevent user space programs from writing data to disk when the system run under heavy RAM memory fragmentation conditions. This problem has been fixed by modifying a respective function in the bio layer to refuse to add a new memory page only if the page would start a new memory segment and the maximum number of memory segments has already been reached.
BZ#1135713
Due to a bug in the ext3 code, the fdatasync() system call did not force the inode size change to be written to the disk if it was the only metadata change in the file. This could result in the wrong inode size and possible data loss if the system terminated unexpectedly. The code handling inode updates has been fixed and fdatasync() now writes data to the disk as expected in this situation.
BZ#1134258
Previously, the openvswitch driver did not handle frames that contained multiple VLAN headers correctly, which could result in a kernel panic. This update fixes the problem and ensures that openvswitch process such frames correctly.
BZ#1134696
Later Intel CPUs added a new "Condition Changed" bit to the MSR_CORE_PERF_GLOBAL_STATUS register. Previously, the kernel falsely assumed that this bit indicates a performance interrupt, which prevented other NMI handlers from running and executing. To fix this problem, a patch has been applied to the kernel to ignore this bit in the perf code, enabling other NMI handlers to run.
BZ#1135393
After the VLAN devices over the virtio_net driver were allowed to use the TCP Segmentation Offload (TSO) feature, the segmentation of packets was moved from virtual machines to the host. However, some devices cannot handle TSO using the 8021q module, and are breaking the packets, which resulted in very low throughput (less than 1 Mbps) and transmission of broken packets over the wire. Until this problem is properly fixed, a patch that allows using of the TSO feature has been reverted; the segmentation is now performed again on virtual machines as and the network throughput is normal.
BZ#1141165
Due to a race condition in the IP Virtual server (IPVS) code, the kernel could trigger a panic when processing packets from the same connection on different CPUs. This update adds missing spin locks to the code that hashes and unhashes connections from the connection table, and ensures that all packets from the same connection are processed by a single CPU.
BZ#1129994
Previously, small block random I/O operations on IBM Power 8 machines using Emulex 16 Gb Fibre Channel (FC) Host Bus Adapter (HBA) could become unresponsive due to a bug in the lpfc driver. To fix this problem, a memory barrier has been added to the lpfc code to ensure that a valid bit is read before the CQE payload.
BZ#1126681
Running the "bridge link show" command on a system with configured bridge devices could trigger a kernel panic. This happened because all RTNL message types were not properly unregistered from the bridge module registers. This update ensures that both RTNL message types are correctly unregistered and the kernel panic no longer occurs in this situation.
BZ#1114406
Previously, the NFS server did not handle correctly situations when multiple NFS clients were appending data to a file using write delegations, and the data might become corrupted. This update fixes this bug by adjusting a NFS cache validity check in the relevant NFS code, and the file accessed in this scenario now contains valid data.
BZ#1131977
Previously, the IPv4 routing code allowed the IPv4 garbage collector to run in parallel on multiple CPUs with the exact configuration. This could greatly decrease performance of the system, and eventually result in soft lockups after the system reached certain load. To resolve this problem and improve performance of the garbage collector, the collector has been moved to the work queue where it is run asynchronously.

Enhancements

BZ#1133834
A new "nordirplus" option has been implemented for the exportfs utility for NFSv3. This option allows the user to disable READDIRPLUS requests for the given NFSv3 export, and thus prevent unwanted disk access in certain scenarios.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-0205, Important
A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
CVE-2014-3535, Important
A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
CVE-2014-3917, Moderate
An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
CVE-2014-4667, Moderate
An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.
Red Hat would like to thank Gopal Reddy Kodudula of Nokia Siemens Networks for reporting CVE-2014-4667. The security impact of the CVE-2014-0205 issue was discovered by Mateusz Guzik of Red Hat.

Bug Fixes

BZ#1089359
Previously, NFSv4 allowed an NFSv4 client to resume an expired or lost file lock. This could result in file corruption if the file was modified in the meantime. This problem has been resolved by a series of patches ensuring that an NFSv4 client no longer attempts to recover expired or lost file locks.
BZ#1090613
A false positive bug in the NFSv4 code could result in a situation where an NFS4ERR_BAD_STATEID error was being resent in an infinite loop instead of a bad state ID being recovered. To fix this problem, a series of patches has been applied to the NFSv4 code. The NFS client no longer retries an I/O operation that resulted in a bad state ID error if the nfs4_select_rw_stateid() function returns an -EIO error.
BZ#1120651
A previous change to the Open vSwitch kernel module introduced a use-after-free problem that resulted in a kernel panic on systems that use this module. This update ensures that the affected object is freed on the correct place in the code, thus avoiding the problem.
BZ#1118782
Previously, the Huge Translation Lookaside Buffer (HugeTLB) unconditionally allowed access to huge pages. However, huge pages may be unsupported in some environments, such as a KVM guest on the PowerPC architecture when not backed by huge pages, and an attempt to use a base page as a huge page in memory would result in a kernel oops. This update ensures that HugeTLB denies access to huge pages if the huge pages are not supported on the system.
BZ#1096397
NFSv4 incorrectly handled a situation when an NFS client received an NFS4ERR_ADMIN_REVOKED error after sending a CLOSE operation. As a consequence, the client kept sending the same CLOSE operation indefinitely although it was receiving NFS4ERR_ADMIN_REVOKED errors. A patch has been applied to the NFSv4 code to ensure that the NFS client sends the particular CLOSE operation only once in this situation.
BZ#1099607
NFS previously called the drop_nlink() function after removing a file to directly decrease a link count on the related inode. Consequently, NFS did not revalidate an inode cache, and could thus use a stale file handle, resulting in an ESTALE error. A patch has been applied to ensure that NFS validates the inode cache correctly after removing a file.
BZ#1117582
A previous change to the SCSI code fixed a race condition that could occur when removing a SCSI device. However, that change caused performance degradation because it used a certain function from the block layer code that was returning different values compared with later versions of the kernel. This update alters the SCSI code to properly utilize the values returned by the block layer code.
BZ#1102794
Previously, when using a bridge interface configured on top of a bonding interface, the bonding driver was not aware of IP addresses assigned to the bridge. Consequently, with ARP monitoring enabled, the ARP monitor could not target the IP address of the bridge when probing the same subnet. The bridge was thus always reported as being down and could not be reached. With this update, the bonding driver has been made aware of IP addresses assigned to a bridge configured on top of a bonding interface, and the ARP monitor can now probe the bridge as expected. Note that the problem still occurs if the arp_validate option is used. Therefore, do not use this option in this case until this issue is fully resolved.
BZ#1113824
The automatic route cache rebuilding feature could incorrectly compute the length of a route hash chain if the cache contained multiple entries with the same key but a different TOS, mark, or OIF bit. Consequently, the feature could reach the rebuild limit and disable the routing cache on the system. This problem is fixed by using a helper function that avoids counting such duplicate routes.
BZ#1121541
Due to a race condition that allowed a RAID array to be written to while it was being stopped, the md driver could enter a deadlock situation. The deadlock prevented buffers from being written out to the disk, and all I/O operations to the device became unresponsive. With this update, the md driver has been modified so this deadlock is now avoided.
BZ#1112226
When booting a guest in the Hyper-V environment and enough of Programmable Interval Timer (PIT) interrupts were lost or not injected into the guest on time, the kernel panicked and the guest failed to boot. This problem has been fixed by bypassing the relevant PIT check when the guest is running under the Hyper-V environment.
All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-2851, Important
A use-after-free flaw was found in the way the ping_init_sock() function of the Linux kernel handled the group_info reference counter. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2014-6647, Moderate
A NULL pointer dereference flaw was found in the way the futex_wait_requeue_pi() function of the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could us this flaw to crash the system.
CVE-2014-7339, Moderate
A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.
CVE-2014-2672, Moderate
It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter.
CVE-2014-2678, Moderate
A NULL pointer dereference flaw was found in the rds_iw_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.
CVE-2014-2706, Moderate
A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
CVE-2014-3144, CVE-2014-3145, Moderate
An out-of-bounds memory access flaw was found in the Netlink Attribute extension of the Berkeley Packet Filter (BPF) interpreter functionality in the Linux kernel's networking implementation. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space via a specially crafted socket filter.

Bug Fixes

BZ#1107503
Due to a bug in the mount option parser, prefix paths on a CIFS DFS share could be prepended with a double backslash ('\\'), resulting in an incorrect "No such file" error in certain environments. The mount option parser has been fixed and prefix paths now starts with a single backslash as expected.
BZ#1110170, BZ#1110169, BZ#1110168, BZ#1109885, BZ#1109883
Several concurrency problems, that could result in data corruption, were found in the implementation of CTR and CBC modes of operation for AES, DES, and DES3 algorithms on IBM S/390 systems. Specifically, a working page was not protected against concurrency invocation in CTR mode. The fallback solution for not getting a working page in CTR mode did not handle iv values correctly. The CBC mode used did not properly save and restore the key and iv values in some concurrency situations. All these problems have been addressed in the code and the concurrent use of the aforementioned algorithms no longer cause data corruption.
BZ#1090749
In cluster environment, the multicast traffic from the guest to a host could be sometimes unreliable. An attempt to resolve this problem was made with the RHSA-2013-1645 advisory, however, that attempt introduced a regression. This update reverts patches for this problem provided by RHSA-2013-1645 and introduces a new fix of the problem. The problem has been resolved by flooding the network with multicast packets if the multicast querier is disabled and no other querier has been detected.
BZ#1106472
The bridge MDB RTNL handlers were incorrectly removed after deleting a bridge from the system with more then one bridge configured. This led to various problems, such as that the multicast IGMP snooping data from the remaining bridges were not displayed. This update ensures that the bridge handlers are removed only after the bridge module is unloaded, and the multicast IGMP snooping data now displays correctly in the described situation.
BZ#1100574
Due to a bug in the nouveau kernel module, the wrong display output could be modified in certain multi-display configurations. Consequently, on Lenovo Thinkpad T420 and W530 laptops with an external display connected, this could result in the LVDS panel "bleeding" to white during startup, and the display controller might become non-functional until after a reboot. Changes to the display configuration could also trigger the bug under various circumstances. With this update, the nouveau kernel module has been corrected and the said configurations now work as expected.
BZ#1103821
When guest supports Supervisor Mode Execution Protection (SMEP), KVM sets the appropriate permissions bits on the guest page table entries (sptes) to emulate SMEP enforced access. Previously, KVM was incorrectly verifying whether the "smep" bit was set in the host cr4 register instead of the guest cr4 register. Consequently, if the host supported SMEP, it was enforced even though it was not requested, which could render the guest system unbootable. This update corrects the said "smep" bit check and the guest system boot as expected in this scenario.
BZ#1096059
Previously, if a hrtimer interrupt was delayed, all future pending hrtimer events that were queued on the same processor were also delayed until the initial hrtimer event was handled. This could cause all hrtimer processing to stop for a significant period of time. To prevent this problem, the kernel has been modified to handle all expired hrtimer events when handling the initially delayed hrtimer event.
BZ#1099725
Previously, hardware could execute commands send by drivers in FIFO order instead of tagged order. Commands thus could be executed out of sequence, which could result in large latencies and degradation of throughput. With this update, the ATA subsystem tags each command sent to the hardware, ensuring that the hardware executes commands in tagged order. Performance on controllers supporting tagged commands can now increase by 30-50%.
BZ#1107931
Due to a bug in the GRE tunneling code, it was impossible to create a GRE tunnel with a custom name. This update corrects behavior of the ip_tunnel_find() function, allowing users to create GRE tunnels with custom names.
BZ#1110658
The qla2xxx driver has been upgraded to version 8.05.00.03.06.5-k2, which provides a number of bug fixes over the previous version in order to correct various timeout problems with the mailbox command.
BZ#1093984
The kernel previously did not reset the kernel ring buffer if the trace clock was changed during tracing. However, the new clock source could be inconsistent with the previous clock source, and the result trace record thus could contain incomparable time stamps. To ensure that the trace record contains only comparable time stamps, the ring buffer is now reset whenever the trace clock changes.
BZ#1103972
Previously, KVM did not accept PCI domain (segment) number for host PCI devices, making it impossible to assign a PCI device that was a part of a non-zero PCI segment to a virtual machine. To resolve this problem, KVM has been extended to accept PCI domain number in addition to slot, device, and function numbers.

Enhancement

BZ#1094403
Users can now set ToS, TTL, and priority values in IPv4 on per-packet basis.
All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-3153, Important
A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system.
CVE-2014-1737, Important
A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory.
CVE-2014-1738, Low
It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement.

Note

A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.
CVE-2014-0203, Moderate
It was discovered that the proc_ns_follow_link() function did not properly return the LAST_BIND value in the last pathname component as is expected for procfs symbolic links, which could lead to excessive freeing of memory and consequent slab corruption. A local, unprivileged user could use this flaw to crash the system.
CVE-2014-2039, Moderate
A flaw was found in the way the Linux kernel handled exceptions when user-space applications attempted to use the linkage stack. On IBM S/390 systems, a local, unprivileged user could use this flaw to crash the system.
CVE-2013-6378, Low
An invalid pointer dereference flaw was found in the Marvell 8xxx Libertas WLAN (libertas) driver in the Linux kernel. A local user able to write to a file that is provided by the libertas driver and located on the debug file system (debugfs) could use this flaw to crash the system. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default.
CVE-2014-1874, Low
A denial of service flaw was discovered in the way the Linux kernel's SELinux implementation handled files with an empty SELinux security context. A local user who has the CAP_MAC_ADMIN capability could use this flaw to crash the system.
Red Hat would like to thank Kees Cook of Google for reporting CVE-2014-3153, Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738, and Vladimir Davydov of Parallels for reporting CVE-2014-0203. Google acknowledges Pinkie Pie as the original reporter of CVE-2014-3153.

Bug Fixes

BZ#1086839
Due to a ndlp list corruption bug in the lpfc driver, systems with Emulex LPe16002B-M6 PCIe 2-port 16Gb Fibre Channel Adapters could trigger a kernel panic during I/O operations. A series of patches has been backported to address this problem so the kernel no longer panics during I/O operations on the aforementioned systems.
BZ#1096214
A previous change enabled receive acceleration for VLAN interfaces configured on a bridge interface. However, this change allowed VLAN-tagged packets to bypass the bridge and be delivered directly to the VLAN interfaces. This update ensures that the traffic is correctly processed by a bridge before it is passed to any VLAN interfaces configured on that bridge.
BZ#1090750
A previous change that introduced global clock updates caused guest machines to boot slowly when the host Time Stamp Counter (TSC) was marked as unstable. The slow down increased with the number of vCPUs allocated. To resolve this problem, a patch has been applied to limit the rate of the global clock updates.
BZ#1094287
Due to a bug in the ixgbevf driver, the stripped VLAN information from incoming packets on the ixgbevf interface could be lost, and such packets thus did not reach a related VLAN interface. This problem has been fixed by adding the packet's VLAN information to the Socket Buffer (skb) before passing it to the network stack. As a result, the ixgbevf driver now passes the VLAN-tagged packets to the appropriate VLAN interface.
BZ#1089915
A race condition between completion and timeout handling in the block device code could sometimes trigger a BUG_ON() assertion, resulting in a kernel panic. This update resolves this problem by relocating a relevant function call and the BUG_ON() assertion in the code.
BZ#1088779
Systems that use NFS file systems could become unresponsive or trigger a kernel oops due to a use-after-free bug in the duplicate reply cache (DRC) code in the nfsd daemon. This problem has been resolved by modifying nfsd to unhash DRC entries before attempting to use them and to prefer to allocate a new DRC entry from the slab instead of reusing an expired entry from the list.
BZ#1092002
When an attempt to create a file on the GFS2 file system failed due to a file system quota violation, the relevant VFS inode was not completely uninitialized. This could result in a list corruption error. This update resolves this problem by correctly uninitializing the VFS inode in this situation.
BZ#1069630
Previously, automount could become unresponsive when trying to reconnect to mounts with the direct or offset mount types at system startup. This happened because the device ioctl code did not handle the situation when the relevant caller did not yet own the mount. Also, the umount() command sometimes failed to unmount an NFS file system with the stale root. Both problems have been addressed in the virtual file system code, and automount is now able to mount direct or offset mounts using a new lookup function, kern_path_mountpoint(). The umount() command now handles mount points without their revalidation, which allows the command to unmount NFS file systems with the stale root.
BZ#1091424
The kernel did not handle environmental and power warning (EPOW) interrupts correctly. This prevented successful usage of the "virsh shutdown" command to shut down guests on IBM POWER8 systems. This update ensures that the kernel handles EPOW events correctly and also prints informative descriptions for the respective EPOW events. The detailed information about each encountered EPOW can be found in the Real-Time Abstraction Service (RTAS) error log.
BZ#1081915
Due to a race condition in the cgroup code, the kernel task scheduler could trigger a kernel panic when it was moving an exiting task between cgroups. A patch has been applied to avoid this kernel panic by replacing several improperly used function calls in the cgroup code.
BZ#1081909
An incorrectly placed function call in the cgroup code prevented the notify_on_release functionality from working properly. This functionality is used to remove empty cgroup directories, however due to this bug, some empty cgroup directories were remaining on the system. This update ensures that the notify_on_release functionality is always correctly triggered by correctly ordering operations in the cgroup_task_migrate() function.
BZ#1081914
Due to a race condition in the cgroup code, the kernel task scheduler could trigger a use-after-free bug when it was moving an exiting task between cgroups, which resulted in a kernel panic. This update avoids the kernel panic by introducing a new function, cpu_cgroup_exit(). This function ensures that the kernel does not release a cgroup that is not empty yet.
BZ#1079869
Due to a bug in the hrtimers subsystem, the clock_was_set() function called an inter-processor interrupt (IPI) from soft IRQ context and waited for its completion, which could result in a deadlock situation. A patch has been applied to fix this problem by moving the clock_was_set() function call to the working context. Also during the resume process, the hrtimers_resume() function reprogrammed kernel timers only for the current CPU because it assumed that all other CPUs are offline. However, this assumption was incorrect in certain scenarios, such as when resuming a Xen guest with some non-boot CPUs being only stopped with IRQs disabled. As a consequence, kernel timers were not corrected on other than the boot CPU even though those CPUs were online. To resolve this problem, hrtimers_resume() has been modified to trigger an early soft IRQ to correctly reprogram kernel timers on all CPUs that are online.
BZ#1080104
Due to a previous change that altered the format of the txselect parameter, the InfiniBand qib driver was unable to support HP branded QLogic QDR InfiniBand cards in HP Blade servers. To resolve this problem, the driver's parsing routine, setup_txselect(), has been modified to handle multi-value strings.
BZ#1075653
A previous change to the virtual file system (VFS) code included the reduction of the PATH_MAX variable by 32 bytes. However, this change was not propagated to the do_getname() function, which had a negative impact on interactions between the getname() and do_getname() functions. This update modifies do_getname() accordingly and this function now works as expected.
BZ#1082622
Previously, in certain environments, such as an HP BladeSystem Enclosure with several Blade servers, the kdump kernel could experience a kernel panic or become unresponsive during boot due to lack of available interrupt vectors. As a consequence, kdump failed to capture a core dump. To increase a number of available interrupt vectors, the kdump kernel can boot up with more CPUs. However, the kdump kernel always tries to boot up with the bootstrap processor (BSP), which can cause the kernel to fail to bring up more than one CPU under certain circumstances. This update introduces a new kernel parameter, disable_cpu_acipid, which allows the kdump kernel to disable BSP during boot and then to successfully boot up with multiple processors. This resolves the problem of lack of available interrupt vectors for systems with a high number of devices and ensures that kdump can now successfully capture a core dump on these systems.
BZ#1091826
A previous patch to the kernel scheduler fixed a kernel panic caused by a divide-by-zero bug in the init_numa_sched_groups_power() function. However, that patch introduced a regression on systems with standard Non-Uniform Memory Access (NUMA) topology so that cpu_power in all but one NUMA domains was set to twice the expected value. This resulted in incorrect task scheduling and some processors being left idle even though there were enough queued tasks to handle, which had a negative impact on system performance. This update ensures that cpu_power on systems with standard NUMA topology is set to expected values by adding an estimate to cpu_power for every uncounted CPU.Task scheduling now works as expected on these systems without performance issues related to the said bug.
BZ#1092870
The RTM_NEWLINK messages can contain information about every virtual function (VF) for the given network interface (NIC) and can become very large if this information is not filtered. Previously, the kernel netlink interface allowed the getifaddr() function to process RTM_NEWLINK messages with unfiltered content. Under certain circumstances, the kernel netlink interface would omit data for the given group of NICs, causing getifaddr() to loop indefinitely being unable to return information about the affected NICs. This update resolves this problem by supplying only the RTM_NEWLINK messages with filtered content.
BZ#1063508
The ext4_releasepage() function previously emitted an unnecessary warning message when it was passed a page with the PageChecked flag set. To avoid irrelevant warnings in the kernel log, this update removes the related WARN_ON() from the ext4 code.
BZ#1070296
Microsoft Windows 7 KVM guests could become unresponsive during reboot because KVM did not manage to inject an Non-Maskable Interrupt (NMI) to the guest when handling page faults. To resolve this problem, a series of patches has been applied to the KVM code, ensuring that KVM handles page faults during the reboot of the guest machine as expected.
BZ#1096711
The turbostat utility produced error messages when used on systems with the fourth generation of Intel Core Processors. To fix this problem, the kernel has been updated to provide the C-state residency information for the C8, C9, and C10 C-states.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-2523, Important
A flaw was found in the way the Linux kernel's netfilter connection tracking implementation for Datagram Congestion Control Protocol (DCCP) packets used the skb_header_pointer() function. A remote attacker could use this flaw to send a specially crafted DCCP packet to crash the system or, potentially, escalate their privileges on the system.
CVE-2014-6383, Moderate
A flaw was found in the way the Linux kernel's Adaptec RAID controller (aacraid) checked permissions of compat IOCTLs. A local attacker could use this flaw to bypass intended security restrictions.
CVE-2014-0077, Moderate
A flaw was found in the way the handle_rx() function handled large network packets when mergeable buffers were disabled. A privileged guest user could use this flaw to crash the host or corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
The CVE-2014-0077 issue was discovered by Michael S. Tsirkin of Red Hat.

Bug Fixes

BZ#1078007
Due to recent changes in the Linux memory management, the kernel did not properly handle per-CPU LRU page vectors when hot unplugging CPUs. As a consequence, the page vector of the relevant offline CPU kept memory pages for memory accounting. This prevented the libvirtd daemon from removing the relevant memory cgroup directory upon system shutdown, rendering libvirtd unresponsive. To resolve this problem, the Linux memory management now properly flushes memory pages of offline CPUs from the relevant page vectors.
BZ#1063201
Recent changes in the d_splice_alias() function introduced a bug that allowed d_splice_alias() to return a dentry from a different directory than was the directory being looked up. As a consequence in cluster environment, a kernel panic could be triggered when a directory was being removed while a concurrent cross-directory operation was performed on this directory on another cluster node. This update avoids the kernel panic in this situation by correcting the search logic in the d_splice_alias() function so that the function can no longer return a dentry from an incorrect directory.
BZ#1086095
A system could enter a deadlock situation when the Real-Time (RT) scheduler was moving RT tasks between CPUs and the wakeup_kswapd() function was called on multiple CPUs, resulting in a kernel panic. This problem has been fixed by removing a problematic memory allocation and therefore calling the wakeup_kswapd() function from a deadlock-safe context.
BZ#1086007
Previously some device mapper kernel modules, such as dm-thin, dm-space-map-metadata, and dm-bufio, contained various bugs that had adverse effects on their proper functioning. This update backports several upstream patches that resolve these problems, including a fix for the metadata resizing feature of device mapper thin provisioning (thinp) and fixes for read-only mode for dm-thin and dm-bufio. As a result, the aforementioned kernel modules now contain the latest upstream changes and work as expected.
BZ#1066535
A previous change in the TCP code that extended the "proto" struct with a new function, release_cb(), broke integrity of the kernel Application Binary Interface (kABI). If the core stack called a newly introduced pointer to this function for a module that was compiled against older kernel headers, the call resulted in out-of-bounds access and a subsequent kernel panic. To avoid this problem, the core stack has been modified to recognize a newly introduced slab flag, RHEL_EXTENDED_PROTO. This allows the core stack to safely access the release_cb pointer only for modules that support it.
BZ#1083350
The Completely Fair Scheduler (CFS) did not verify whether the CFS period timer is running while throttling tasks on the CFS run queue. Therefore under certain circumstances, the CFS run queue became stuck because the CFS period timer was inactive and could not be restarted. To fix this problem, the CFS now restarts the CFS period timer inside the throttling function if it is inactive.
BZ#1073562
A previous change removed the ZONE_RECLAIM_LOCKED flag from Linux memory management code in order to fix a NUMA node allocation problem in the memory zone reclaim logic. However, the flag removal allowed concurrent page reclaiming within one memory zone, which, under heavy system load, resulted in unwanted spin lock contention and subsequent performance problems (systems became slow or unresponsive). This update resolves this problem by preventing reclaim threads from scanning a memory zone if the zone does not satisfy scanning requirements. Systems under heavy load no longer suffer from CPU overloading but sustain their expected performance.
BZ#1073564
The restart logic for the memory reclaiming with compaction was previously applied on the level of LRU page vectors. This could, however, cause significant latency in memory allocation because memory compaction does not require only memory pages of a certain cgroup but a whole memory zone. This performance issue has been fixed by moving the restart logic to the zone level and restarting the memory reclaim for all memory cgroups in a zone when the compaction requires more free pages from the zone.
BZ#1074855
Previously, the for_each_isci_host() macro was incorrectly defined so it accessed an out-of-range element for a 2-element array. This macro was also wrongly optimized by GCC 4.8 so that it was executed too many times on platforms with two SCU controllers. As a consequence, the system triggered a kernel panic when entering the S3 state, or a kernel oops when removing the isci module. This update corrects the aforementioned macro and the described problems no longer occur.
BZ#1083175
A bug in the vmxnet3 driver allowed potential race conditions to be triggered when the driver was used with the netconsole module. The race conditions allowed the driver's internal NAPI poll routine to run concurrently with the netpoll controller routine, which resulted in data corruption and a subsequent kernel panic. To fix this problem, the vmxnet3 driver has been modified to call the appropriate interrupt handler to schedule NAPI poll requests properly.
BZ#1081908
The kernel task scheduler could trigger a race condition while migrating tasks over CPU cgroups. The race could result in accessing a task that pointed to an incorrect parent task group, causing the system to behave unpredictably, for example to appear being unresponsive. This problem has been resolved by ensuring that the correct task group information is properly stored during the task's migration.
BZ#1076056
A previously backported patch to the XFS code added an unconditional call to the xlog_cil_empty() function. If the XFS file system was mounted with the unsupported nodelaylog option, that call resulted in access to an uninitialized spin lock and a consequent kernel panic. To avoid this problem, the nodelaylog option has been disabled; the option is still accepted but has no longer any effect. (The nodelaylog mount option was originally intended only as a testing option upstream, and has since been removed.)
BZ#1076242
The SCTP sctp_connectx() ABI did not work properly for 64-bit kernels compiled with 32-bit emulation. As a consequence, applications utilizing the sctp_connectx() function did not run in this case. To fix this problem, a new ABI has been implemented; the COMPAT ABI enables to copy and transform user data from a COMPAT-specific structure to a SCTP-specific structure. Applications that require sctp_connectx() now work without any problems on a system with a 64-bit kernel compiled with 32-bit emulation.
BZ#1085660
A bug in the qla2xxx driver caused the kernel to crash. This update resolves this problem by fixing an incorrect condition in the "for" statement in the qla2x00_alloc_iocbs() function.
BZ#1079870
The code responsible for creating and binding of packet sockets was not optimized and therefore applications that utilized the socket() and bind() system calls did not perform as expected. A patch has been applied to the packet socket code so that latency for socket creating and binding is now significantly lower in certain cases.
BZ#1077874
Previously, the vmw_pwscsi driver could attempt to complete a command to the SCSI mid-layer after reporting a successful abort of the command. This led to a double completion bug and a subsequent kernel panic. This update ensures that the pvscsi_abort() function returns SUCCESS only after the abort is completed, preventing the driver from invalid attempts to complete the command.
BZ#1085658
Due to a bug in the mlx4_en module, a data structure related to time stamping could be accessed before being initialized. As a consequence, loading mlx4_en could result in a kernel crash. This problem has been fixed by moving the initiation of the time stamp mechanism to the correct place in the code.
BZ#1078011
Due to a previous change that was refactoring the Generic Routing Encapsulation (GRE) tunneling code, the ip_gre module did not work properly. As a consequence, GRE interfaces dropped every packet that had the Explicit Congestion Notification (ECN) bit set and did not have the ECN-Capable Transport (ECT) bit set. This update reintroduces the ipgre_ecn_decapsulate() function that is now used instead of the IP_ECN_decapsulate() function that was not properly implemented. The ip_gre module now works correctly and GRE devices process all packets as expected.
BZ#1078641
A bug in the megaraid_sas driver could cause the driver to read the hardware status values incorrectly. As a consequence, the RAID card was disabled during the system boot and the system could fail to boot. With this update, the megaraid_sas driver has been corrected to enable the RAID card on system boot as expected.
BZ#1081907
A bug in the Completely Fair Scheduler (CFS) could, under certain circumstances, trigger a race condition while moving a forking task between cgroups. This race could lead to a free-after-use error and a subsequent kernel panic when a child task was accessed while it was pointing to a stale cgroup of its parent task. A patch has been applied to the CFS to ensure that a child task always points to the valid parent's task group.
BZ#1078874
The Red Hat GFS2 file system previously limited a number of ACL entries per inode to 25. However, this number was insufficient in some cases, causing the setfacl command to fail. This update increases this limit to maximum of 300 ACL entries for the 4 KB block size. If the block size is smaller, this value is adjusted accordingly.
BZ#1085358
Previous patches to the CIFS code introduced a regression that prevented users from mounting a CIFS share using the NetBIOS over TCP service on the port 139. This problem has been fixed by masking off the top byte in the get_rfc1002_length() function.
BZ#1079872
Previously, user space packet capturing libraries, such as libcap, had a limited possibility to determine which Berkeley Packet Filter (BPF) extensions are supported by the current kernel. This limitation had a negative effect on VLAN packet filtering that is performed by the tcpdump utility and tcpdump sometimes was not able to capture filtered packets correctly. Therefore, this update introduces a new option, SO_BPF_EXTENSIONS, which can be specified as an argument of the getsockopt() function. This option enables packet capturing tools to obtain information about which BPF extensions are supported by the current kernel. As a result, the tcpdump utility can now capture packets properly.
BZ#1080600
The isci driver previously triggered an erroneous BUG_ON() assertion in case of a hard reset timeout in the sci_apc_agent_link_up() function. If a SATA device was unable to restore the link in time after the reset, the isci port had to return to the "awaiting link-up" state. However in such a case, the port may not have been in the "resetting" state, causing a kernel panic. This problem has been fixed by removing that incorrect BUG_ON() assertion.
BZ#1078798
Previously, when removing an IPv6 address from an interface, unreachable routes related to that address were not removed from the IPv6 routing table. This happened because the IPv6 code used inappropriate function when searching for the routes. To avoid this problem, the IPv6 code has been modified to use the ip6_route_lookup() function instead of rt6_lookup() in this situation. All related routes are now properly deleted from the routing tables when an IPv6 address is removed.
BZ#1075651
If the BIOS returned a negative value for the critical trip point for the given thermal zone during a system boot, the whole thermal zone was invalidated and an ACPI error was printed. However, the thermal zone may still have been needed for cooling. With this update, the ACPI thermal management has been modified to only disable the relevant critical trip point in this situation.
BZ#1075554
When allocating kernel memory, the SCSI device handlers called the sizeof() function with a structure name as its argument. However, the modified files were using an incorrect structure name, which resulted in an insufficient amount of memory being allocated and subsequent memory corruption. This update modifies the relevant sizeof() function calls to rather use a pointer to the structure instead of the structure name so that the memory is now always allocated correctly.
BZ#1069848
A previous change that modified the linkat() system call introduced a mount point reference leak and a subsequent memory leak in case that a file system link operation returned the ESTALE error code. These problems have been fixed by properly freeing the old mount point reference in such a case.
BZ#1086490
The dm-bufio driver did not call the blk_unplug() function to flush plugged I/O requests. Therefore, the requests submitted by dm-bufio were delayed by 3 ms, which could cause performance degradation. With this update, dm-bufio calls blk_unplug() as expected, avoiding any related performance issues.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-0055, Important
A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host.
CVE-2014-0101, Important
A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system.
CVE-2014-0069, Moderate
A flaw was found in the way the Linux kernel's CIFS implementation handled uncached write operations with specially crafted iovec structures. An unprivileged local user with access to a CIFS share could use this flaw to crash the system, leak kernel memory, or, potentially, escalate their privileges on the system. Note: the default cache settings for CIFS mounts on Red Hat Enterprise Linux 6 prohibit a successful exploitation of this issue.
CVE-2013-1860, Low
A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Red Hat would like to thank Nokia Siemens Networks for reporting CVE-2014-0101, and Al Viro for reporting CVE-2014-0069.

Bug Fixes

BZ#1063507
A previous change in the Advanced Programmable Interrupt Controller (APIC) code caused a regression on certain Intel CPUs using a Multiprocessor (MP) table. An attempt to read from the local APIC (LAPIC) could be performed before the LAPIC was mapped, resulting in a kernel crash during a system boot. A patch has been applied to fix this problem by mapping the LAPIC as soon as possible when parsing the MP table.
BZ#1067775
When removing an inode from a name space on an XFS file system, the file system could enter a deadlock situation and become unresponsive. This happened because the removal operation incorrectly used the AGF and AGI locks in the opposite order than was required by the ordering constraint, which led to a possible deadlock between the file removal and inode allocation and freeing operations. With this update, the inode's reference count is dropped before removing the inode entry with the first transaction of the removal operation. This ensures that the AGI and AGF locks are locked in the correct order, preventing any further deadlocks in this scenario.
BZ#1064913
Previously, the GFS2 kernel module leaked memory in the gfs2_bufdata slab cache and allowed a use-after-free race condition to be triggered in the gfs2_remove_from_journal() function. As a consequence after unmounting the GFS2 file system, the GFS2 slab cache could still contain some objects, which subsequently could, under certain circumstances, result in a kernel panic. A series of patches has been applied to the GFS2 kernel module, ensuring that all objects are freed from the slab cache properly and the kernel panic is avoided.
BZ#1054072
Due to the locking mechanism that the kernel used while handling Out of Memory (OOM) situations in memory control groups (cgroups), the OOM killer did not work as intended in case that many processes triggered an OOM. As a consequence, the entire system could become or appear to be unresponsive. A series of patches has been applied to improve this locking mechanism so that the OOM killer now works as expected in memory cgroups under heavy OOM load.
BZ#1055364
Previously, certain SELinux functions did not correctly handle the TCP synchronize-acknowledgment (SYN-ACK) packets when processing IPv4 labeled traffic over an INET socket. The initial SYN-ACK packets were labeled incorrectly by SELinux, and as a result, the access control decision was made using the server socket's label instead of the new connection's label. In addition, SELinux was not properly inspecting outbound labeled IPsec traffic, which led to similar problems with incorrect access control decisions. A series of patches that addresses these problems has been applied to SELinux. The initial SYN-ACK packets are now labeled correctly and SELinux processes all SYN-ACK packets as expected.
BZ#1063199
In Red Hat Enterprise Linux 6.5, the TCP Segmentation Offload (TSO) feature is automatically disabled if the corresponding network device does not report any CSUM flag in the list of its features. Previously, VLAN devices that were configured over bonding devices did not propagate its NETIF_F_NO_CSUM flag as expected, and their feature lists thus did not contain any CSUM flags. As a consequence, the TSO feature was disabled for these VLAN devices, which led to poor bandwidth performance. With this update, the bonding driver propagates the aforementioned flag correctly so that network traffic now flows through VLAN devices over bonding without any performance problems.
BZ#1064464
Due to a bug in the Infiniband driver, the ip and ifconfig utilities reported the link status of the IP over Infiniband (IPoIB) interfaces incorrectly (as "RUNNING" in case of "ifconfig", and as "UP" in case of "ip") even if no cable was connected to the respective network card. The problem has been corrected by calling the respective netif_carrier_off() function on the right place in the code. The link status of the IPoIB interfaces is now reported correctly in the described situation.
BZ#1058418
When performing read operations on an XFS file system, failed buffer readahead can leave the buffer in the cache memory marked with an error. This could lead to incorrect detection of stale errors during completion of an I/O operation because most callers do not zero out the b_error field of the buffer on a subsequent read. To avoid this problem and ensure correct I/O error detection, the b_error field of the used buffer is now zeroed out before submitting an I/O operation on a file.
BZ#1062113
Previously, when hot adding memory to the system, the memory management subsystem always performed unconditional page-block scans for all memory sections being set online. The total duration of the hot add operation depends on both, the size of memory that the system already has and the size of memory that is being added. Therefore, the hot add operation took an excessive amount of time to complete if a large amount of memory was added or if the target node already had a considerable amount of memory. This update optimizes the code so that page-block scans are performed only when necessary, which greatly reduces the duration of the hot add operation.
BZ#1059991
Due to a bug in the SELinux socket receive hook, network traffic was not dropped upon receiving a peer:recv access control denial on some configurations. A broken labeled networking check in the SELinux socket receive hook has been corrected, and network traffic is now properly dropped in the described case.
BZ#1060491
When transferring a large amount of data over the peer-to-peer (PPP) link, a rare race condition between the throttle() and unthrottle() functions in the tty driver could be triggered. As a consequence, the tty driver became unresponsive, remaining in the throttled state, which resulted in the traffic being stalled. Also, if the PPP link was heavily loaded, another race condition in the tty driver could has been triggered. This race allowed an unsafe update of the available buffer space, which could also result in the stalled traffic. A series of patches addressing both race conditions has been applied to the tty driver; if the first race is triggered, the driver loops and forces re-evaluation of the respective test condition, which ensures uninterrupted traffic flow in the described situation. The second race is now completely avoided due to a well-placed read lock, and the update of the available buffer space proceeds correctly.
BZ#1058420
Previously, the e752x_edac module incorrectly handled the pci_dev usage count, which could reach zero and deallocate a PCI device structure. As a consequence, a kernel panic could occur when the module was loaded multiple times on some systems. This update fixes the usage count that is triggered by loading and unloading the module repeatedly, and a kernel panic no longer occurs.
BZ#1057165
When a page table is upgraded, a new top level of the page table is added for the virtual address space, which results in a new Address Space Control Element (ASCE). However, the Translation Lookaside Buffer (TLB) of the virtual address space was not previously flushed on page table upgrade. As a consequence, the TLB contained entries associated with the old ASCE, which led to unexpected program failures and random data corruption. To correct this problem, the TLB entries associated with the old ASCE are now flushed as expected upon page table upgrade.
BZ#1064115
When a network interface is running in promiscuous (PROMISC) mode, the interface may receive and process VLAN-tagged frames even though no VLAN is attached to the interface. However, the enic driver did not handle processing of the packets with the VLAN-tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned, which led to various problems. To handle the VLAN-tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, and the enic driver thus no longer verifies whether the packet's VLAN group field is empty.
BZ#1057164
A previous change in the Linux memory management on IBM System z removed the handler for the Address Space Control Element (ASCE) type of exception. As a consequence, the kernel was unable to handle ASCE exceptions, which led to a kernel panic. Such an exception was triggered, for example, if the kernel attempted to access user memory with an address that was larger than the current page table limit from a user-space program. This problem has been fixed by calling the standard page fault handler, do_dat_exception, if an ASCE exception is raised.
BZ#1063271
Due to several bugs in the network console logging, a race condition between the network console send operation and the driver's IRQ handler could occur, or the network console could access invalid memory content. As a consequence, the respective driver, such as vmxnet3, triggered a BUG_ON() assertion and the system terminated unexpectedly. A patch addressing these bugs has been applied so that driver's IRQs are disabled before processing the send operation and the network console now accesses the RCU-protected (read-copy update) data properly. Systems using the network console logging no longer crashes due to the aforementioned conditions.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-6381, Important
A buffer overflow flaw was found in the way the qeth_snmp_command() function in the Linux kernel's QETH network device driver implementation handled SNMP IOCTL requests with an out-of-bounds length. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-2929, Low
A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged local user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information.
CVE-2013-7263, CVE-2013-7265, Low
It was found that certain protocol handlers in the Linux kernel's networking implementation could set the addr_len value without initializing the associated data structure. A local, unprivileged user could use this flaw to leak kernel stack memory to user space using the recvmsg, recvfrom, and recvmmsg system calls.

Bug Fixes

BZ#1051393
Due to a bug in the NFS code, the state manager and the DELEGRETURN operation could enter a deadlock if an asynchronous session error was received while DELEGRETURN was being processed by the state manager. The state manager became unable to process the failing DELEGRETURN operation because it was waiting for an asynchronous RPC task to complete, which could not have been completed because the DELEGRETURN operation was cycling indefinitely with session errors. A series of patches has been applied to ensure that the asynchronous error handler waits for recovery when a session error is received and the deadlock no longer occurs.
BZ#1049590
The IPv4 and IPv6 code contained several issues related to the conntrack fragmentation handling that prevented fragmented packages from being properly reassembled. This update applies a series of patches and ensures that MTU discovery is handled properly, and fragments are correctly matched and packets reassembled.
BZ#1046043
Inefficient usage of Big Kernel Locks (BKLs) in the ptrace() system call could lead to BKL contention on certain systems that widely utilize ptrace(), such as User-mode Linux (UML) systems, resulting in degraded performance on these systems. This update removes the relevant BKLs from the ptrace() system call, thus resolving any related performance issues.
BZ#1046041
When utilizing SCTP over the bonding device in Red Hat Enterprise Linux 6.5, SCTP assumed offload capabilities on virtual devices where it was not guaranteed that underlying physical devices are equipped with these capabilities. As a consequence, checksums of the outgoing packets became corrupted and a network connection could not be properly established. A patch has been applied to ensure that checksums of the packages to the devices without SCTP checksum capabilities are properly calculated in software fallback. SCTP connections over the bonding devices can now be established as expected in Red Hat Enterprise Linux 6.5.
BZ#1044566
The context of the user's process could not be previously saved on PowerPC platforms if the VSX Machine State Register (MSR) bit was set but the user did not provide enough space to save the VSX state. This update allows to clear the VSX MSR bit in such a situation, indicating that there is no valid VSX state in the user context.
BZ#1043779
After a statically defined gateway became unreachable and its corresponding neighbor entry entered a FAILED state, the gateway stayed in the FAILED state even after it became reachable again. As a consequence, traffic was not routed through that gateway. This update enables probing such a gateway automatically so that the traffic can be routed through this gateway again once it becomes reachable.
BZ#1040826
Due to several bugs in the IPv6 code, a soft lockup could occur when the number of cached IPv6 destination entries reached the garbage collector treshold on a high-traffic router. A series of patches has been applied to address this problem. These patches ensure that the route probing is performed asynchronously to prevent a dead lock with garbage collection. Also, the garbage collector is now run asynchronously, preventing CPUs that concurrently requested the garbage collector from waiting until all other CPUs finish the garbage collection. As a result, soft lockups no longer occur in the described situation.
BZ#1035347
A previous change to the md driver disabled the TRIM operation for RAID5 volumes in order to prevent a possible kernel oops. However, if a MD RAID volume was reshaped to a different RAID level, this could result in TRIM being disabled on the resulting volume, as the RAID4 personality is used for certain reshapes. A patch has been applied that corrects this problem by setting the stacking limits before changing a RAID level, and thus ensuring the correct discard (TRIM) granularity for the RAID array.
BZ#1051395
NFS previously allowed a race between "silly rename" operations and the rmdir() function to occur when removing a directory right after an unlinked file in the directory was closed. As a result, rmdir() could fail with an EBUSY error. This update applies a patch ensuring that NFS waits for any asynchronous operations to complete before performing the rmdir() operation.
BZ#1051394
Due to a bug in the EDAC driver, the driver failed to decode and report errors on AMD family 16h processors correctly. This update incorporates a missing case statement to the code so that the EDAC driver now handles errors as expected.
BZ#1045094
A deadlock between the state manager, kswapd daemon, and the sys_open() function could occur when the state manager was recovering from an expired state and recovery OPEN operations were being processed. To fix this problem, NFS has been modified to ignore all errors from the LAYOUTRETURN operation (a pNFS operation) except for "NFS4ERR_DELAY" in this situation.
BZ#1040498
The bnx2x driver handled unsupported TLVs received from a Virtual Function (VF) using the VF-PF channel incorrectly; when a driver of the VF sent a known but unsupported TLV command to the Physical Function, the driver of the PF did not reply. As a consequence, the VF-PF channel was left in an unstable state and the VF eventually timed out. A patch has been applied to correct the VF-PF locking scheme so that unsupported TLVs are properly handled and responded to by the PF side. Also, unsupported TLVs could previously render a mutex used to lock the VF-PF operations. The mutex then stopped protecting critical sections of the code, which could result in error messages being generated when the PF received additional TLVs from the VF. A patch has been applied that corrects the VF-PF channel locking scheme, and unsupported TLVs thus can no longer break the VF-PF lock.
BZ#1040497
A bug in the statistics flow in the bnx2x driver caused the card's DMA Engine (DMAE) to be accessed without taking a necessary lock. As a consequence, previously queued DMAE commands could be overwritten and the Virtual Functions then could timeout on requests to their respective Physical Functions. The likelihood of triggering the bug was higher with more SR-IOV Virtual Functions configured. Overwriting of the DMAE commands could also result in other problems even without using SR-IOV. This update ensures that all flows utilizing DMAE will use the same API and the proper locking scheme is kept by all these flows.
BZ#1035339
When starting or waking up a system that utilized an AHCI controller with empty ports, and the EM transmit bit was busy, the AHCI driver incorrectly released the related error handler before initiation of the sleep operation. As a consequence, the error handler could be acquired by a different port of the AHCI controller and the Serial General Purpose Input/Output (SGPIO) signal could eventually blink the rebuild pattern on an empty port. This update implements cross-port error handler exclusion to the generic ATA driver and the AHCI driver has been modified to use the msleep() function in this particular case. The error handler is no longer released upon the sleep operation and the SGPIO signal can no longer indicate the disk's rebuild on the empty controller's slot.
BZ#1032389
Previous changes to the igb driver caused the ethtool utility to determine and display some capabilities of the Ethernet devices incorrectly. This update fixes the igb driver so that the actual link capabilities are now determined properly, and ethtool displays values as accurate as possible in dependency on the data available to the driver.
All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-4470, Important
A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system.
CVE-2013-6367, Important
A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host.
CVE-2013-6368, Important
A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-2141, Low
An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space.
Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, and Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368.

Bug Fixes

BZ#1027343
Due to a regression bug in the mlx4 driver, Mellanox mlx4 adapters could become unresponsive on heavy load along with IOMMU allocation errors being logged to the systems logs. A patch has been applied to the mlx4 driver so that the driver now calculates the last memory page fragment when allocating memory in the Rx path.
BZ#1028278
A bug in the RSXX DMA handling code allowed DISCARD operations to call the pci_unmap_page() function, which triggered a race condition on the PowerPC architecture when DISCARD, READ, and WRITE operations were issued simultaneously. However, DISCARD operations are always assigned a DMA address of 0 because they are never mapped. Therefore, this race could result in freeing memory that was mapped for another operation and a subsequent EEH event. A patch has been applied, preventing the DISCARD operations from calling pci_unmap_page(), and thus avoiding the aforementioned race condition.
BZ#1029330
Due to a missing part of the bcma driver, the brcmsmac kernel module did not have a list of internal aliases that was needed by the kernel to properly handle the related udev events. Consequently, when the bcma driver scanned for the devices at boot time, these udev events were ignored and the kernel did not load the brcmsmac module automatically. A patch that provides missing aliases has been applied so that the udev requests of the brcmsmac module are now handled as expected and the kernel loads the brcmsmac module automatically on boot.
BZ#1029997
A bug in the mlx4 driver could trigger a race between the "blue flame" feature's traffic flow and the stamping mechanism in the Tx ring flow when processing Work Queue Elements (WQEs) in the Tx ring. Consequently, the related queue pair (QP) of the mlx4 Ethernet card entered an error state and the traffic on the related Tx ring was blocked. A patch has been applied to the mlx4 driver so that the driver does not stamp the last completed WQE in the Tx ring, and thus avoids the aforementioned race.
BZ#1030171
A previous change in the NFSv4 code resulted in breaking the sync NFSv4 mount option. A patch has been applied that restores functionality of the sync mount option.
BZ#1030713
Due to a bug in the Emulex lpfc driver, the driver could not allocate a SCSI buffer properly, which resulted in severe performance degradation of lpfc adapters on 64-bit PowerPC systems. A patch addressing this problem has been applied so that lpfc allocates the SCSI buffer correctly and lpfc adapters now work as expected on 64-bit PowerPC systems.
BZ#1032162
When performing I/O operations on a heavily-fragmented GFS2 file system, significant performance degradation could occur. This was caused by the allocation strategy that GFS2 used to search for an ideal contiguous chunk of free blocks in all the available resource groups (rgrp). A series of patches has been applied that improves performance of GFS2 file systems in case of heavy fragmentation. GFS2 now allocates the biggest extent found in the rgrp if it fulfills the minimum requirements. GFS2 has also reduced the amount of bitmap searching in case of multi-block reservations by keeping track of the smallest extent for which the multi-block reservation would fail in the given rgrp. This improves GFS2 performance by avoiding unnecessary rgrp free block searches that would fail. Additionally, this patch series fixes a bug in the GFS2 block allocation code where a multi-block reservation was not properly removed from the rgrp's reservation tree when it was disqualified, which eventually triggered a BUG_ON() macro due to an incorrect count of reserved blocks.
BZ#1032167
An earlier patch to the kernel added the dynamic queue depth throttling functionality to the QLogic's qla2xxx driver that allowed the driver to adjust queue depth for attached SCSI devices. However, the kernel might have crashed when having this functionality enabled in certain environments, such as on systems with EMC PowerPath Multipathing installed that were under heavy I/O load. To resolve this problem, the dynamic queue depth throttling functionality has been removed from the qla2xxx driver.
BZ#1032168
Previously, devices using the ixgbevf driver that were assigned to a virtual machine could not adjust their Jumbo MTU value automatically if the Physical Function (PF) interface was down; when the PF device was brought up, the MTU value on the related Virtual Function (VF) device was set incorrectly. This was caused by the way the communication channel between PF and VF interfaces was set up and the first negotiation attempt between PF and VF was made. To fix this problem, structural changes to the ixgbevf driver have been made so that the kernel can now negotiate the correct API between PF and VF successfully and the MTU value is now set correctly on the VF interface in this situation.
BZ#1032170
A bug in the ixgbe driver caused that IPv6 hardware filtering tables were not correctly rewritten upon interface reset when using a bridge device over the PF interface in an SR-IOV environment. As a result, the IPv6 traffic between VFs was interrupted. An upstream patch has been backported to modify the ixgbe driver so that the update of the Multimedia Terminal Adapter (MTA) table is now unconditional, avoiding possible inconsistencies in the MTA table upon PF's reset. The IPv6 traffic between VFs proceeds as expected in this scenario.
BZ#1032247
When using Haswell HDMI audio controllers with an unaligned DMA buffer size, these audio controllers could become locked up until the next reboot for certain audio stream configurations. A patch has been applied to the Intel's High Definition Audio (HDA) driver that enforces the DMA buffer alignment setting for the Haswell HDMI audio controllers. These audio controllers now work as expected.
BZ#1032249
As a result of a recent fix preventing a deadlock upon an attempt to cover an active XFS log, the behavior of the xfs_log_need_covered() function has changed. However, xfs_log_need_covered() is also called to ensure that the XFS log tail is correctly updated as a part of the XFS journal sync operation. As a consequence, when shutting down an XFS file system, the sync operation failed and some files might have been lost. A patch has been applied to ensure that the tail of the XFS log is updated by logging a dummy record to the XFS journal. The sync operation completes successfully and files are properly written to the disk in this situation.
BZ#1032250
A chunk of a patch was left out when backporting a batch of patches that fixed an infinite loop problem in the LOCK operation with zero state ID during NFSv4 state ID recovery. As a consequence, the system could become unresponsive on numerous occasions. The missing chunk of the patch has been added, resolving this hang issue.
BZ#1032260
When performing buffered WRITE operations from multiple processes to a single file, the NFS code previously always verified whether the lock owner information is identical for the file being accessed even though no file locks were involved. This led to performance degradation because forked child processes had to synchronize dirty data written to a disk by the parent process before writing to a file. Also, when coalescing requests into a single READ or WRITE RPC call, NFS refused the request if the lock owner information did not match for the given file even though no file locks were involved. This also caused performance degradation. A series of patches has been applied that relax relevant test conditions so that lock owner compatibility is no longer verified in the described cases, which resolves these performance issues.
BZ#1032395
Due to a bug in the mlx4 driver, Mellanox Ethernet cards were brought down unexpectedly while adjusting their Tx or Rx ring. A patch has been applied so that the mlx4 driver now properly verifies the state of the Ethernet card when the coalescing of the Tx or Rx ring is being set, which resolves this problem.
BZ#1032423
When the system was under memory stress, a double-free bug in the tg3 driver could have been triggered, resulting in a NIC being brought down unexpectedly followed by a kernel panic. A patch has been applied that restructures the respective code so that the affected ring buffer is freed correctly.
BZ#1032424
The RPC client always retransmitted zero-copy of the page data if it timed out before the first RPC transmission completed. However, such a retransmission could cause data corruption if using the O_DIRECT buffer and the first RPC call completed while the respective TCP socket still held a reference to the pages. To prevent the data corruption, retransmission of the RPC call is, in this situation, performed using the sendmsg() function. The sendmsg() function retransmits an authentic reproduction of the first RPC transmission because the TCP socket holds the full copy of the page data.
BZ#1032688
When creating an XFS file system, an attempt to cover an active XFS log could, under certain circumstances, result in a deadlock between the xfssyncd and xfsbufd daemons. Consequently, several kernel threads became unresponsive and the XFS file system could not have been successfully created, leading to a kernel oops. A patch has been applied to prevent this situation by forcing the active XFS log onto a disk.

Enhancements

BZ#1020518
The kernel now supports memory configurations with more than 1TB of RAM on AMD systems.
BZ#1032426
The kernel has been modified to stop reporting ABS_MISC events on Wacom touch devices in order to ensure that the devices are correctly recognized by the HAL daemon.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fifth regular update.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-4387, Important
A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-0343, Moderate
A flaw was found in the way the Linux kernel handled the creation of temporary IPv6 addresses. If the IPv6 privacy extension was enabled (/proc/sys/net/ipv6/conf/eth0/use_tempaddr set to '2'), an attacker on the local network could disable IPv6 temporary address generation, leading to a potential information disclosure.
CVE-2013-2888, Moderate
A flaw was found in the way the Linux kernel handled HID (Human Interface Device) reports with an out-of-bounds Report ID. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-4345, Moderate
An off-by-one flaw was found in the way the ANSI CPRNG implementation in the Linux kernel processed non-block size aligned requests. This could lead to random numbers being generated with less bits of entropy than expected when ANSI CPRNG was used.
CVE-2013-4591, Moderate
It was found that the fix for CVE-2012-2375 released via RHSA-2012:1580 accidentally removed a check for small-sized result buffers. A local, unprivileged user with access to an NFSv4 mount with ACL support could use this flaw to crash the system or, potentially, escalate their privileges on the system .
CVE-2013-4592, Moderate
A flaw was found in the way IOMMU memory mappings were handled when moving memory slots. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host.
CVE-2013-2889, CVE-2013-2892, Moderate
Heap-based buffer overflow flaws were found in the way the Zeroplus and Pantherlord/GreenAsia game controllers handled HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system.
CVE-2012-6542, CVE-2013-3231, Low
Two information leak flaws were found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use these flaws to leak kernel stack memory to user space.
CVE-2013-1929, Low
A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges.
CVE-2012-6545, CVE-2013-1928, CVE-2013-2164, CVE-2013-2234, Low
Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user space.
CVE-2013-2851, Low
A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0).
Red Hat would like to thank Stephan Mueller for reporting CVE-2013-4345, and Kees Cook for reporting CVE-2013-2851.

Bug Fixes

BZ#955712
A function in the RPC code responsible for verifying whether the cached credentials matches the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credential but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted an unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur.
BZ#629857
When the state of the netfilter module was out-of-sync, a TCP connection was recorded in the conntrack table although the TCP connection did not exist between two hosts. If a host re-established this connection with the same source, port, destination port, source address and destination address, the host sent a TCP SYN packet and the peer sent back acknowledgment for this SYN package. However, because netfilter was out-of-sync, netfilter dropped this acknowledgment, and deleted the connection item from the conntrack table, which consequently caused the host to retransmit the SYN packet. A patch has been applied to improve this handling; if an unexpected SYN packet appears, the TCP options are annotated. Acknowledgment for the SYN packet serves as a confirmation of the connection tracking being out-of-sync, then a new connection record is created using the information annotated previously to avoid the retransmission delay.
BZ#955807
Due to several bugs in the ext4 code, data integrity system calls did not always properly persist data on the disk. Therefore, the unsynchronized data in the ext4 file system could have been lost after the system's unexpected termination. A series of patches has been applied to the ext4 code to address this problem, including a fix that ensures proper usage of data barriers in the code responsible for file synchronization. Data loss no longer occurs in the described situation.
BZ#953630
C-states for the Intel Family 6, Model 58 and 62, processors were not properly initialized in Red Hat Enterprise Linux 6. Consequently, these processors were unable to enter deep C-states. Also, C-state accounting was not functioning properly and power management tools, such as powertop or turbostat, thus displayed incorrect C-state transitions. This update applies a patch that ensures proper C-states initialization so the aforementioned processors can now enter deep core power states as expected. Note that this update does not correct C-state accounting which has been addressed by a separate patch.
BZ#953342
The kernel previously did not handle situation where the system needed to fall back from non-flat Advanced Programmable Interrupt Controller (APIC) mode to flat APIC mode. Consequently, a NULL pointer was dereferenced and a kernel panic occurred. This update adds the flat_probe() function to the APIC driver, which allows the kernel using flat APIC mode as a fall-back option. The kernel no longer panics in this situation.
BZ#952785
When attempting to deploy a virtual machine on a hypervisor with multiple NICs and macvtap devices, a kernel panic could occur. This happened because the macvtap driver did not gracefully handle a situation when the macvlan_port.vlans list was empty and returned a NULL pointer. This update applies a series of patches which fix this problem using a read-copy-update (RCU) mechanism and by preventing the driver from returning a NULL pointer if the list is empty. The kernel no longer panics in this scenario.
BZ#952329
Due to a missing structure, the NFSv4 error handler did not handle exceptions caused by revoking NFSv4 delegations. Consequently, the NFSv4 client received the EIO error message instead of the NFS4ERR_ADMIN_REVOKED error. This update modifies the NFSv4 code to no longer require the nfs4_state structure in order to revoke a delegation.
BZ#952174
On KVM guests with the KVM clock (kvmclock) as a clock source and with some VCPUs pinned, certain VCPUs could experience significant sleep delays (elapsed time was greater 20 seconds). This resulted in unexpected delays by sleeping functions and inaccurate measurement for low latency events. The problem happened because a kvmclock update was isolated to a certain VCPU so the NTP frequency correction applied only to that single VCPU. This problem has been resolved by a patch allowing kvmclock updates to all VCPUs on the KVM guest. VCPU sleep time now does not exceed the expected amount and no longer causes the aforementioned problems.
BZ#951937
When using applications that intensively utilized memory mapping, customers experienced significant application latency, which led to serious performance degradation. A series of patches has been applied to fix the problem. Among other, the patches modifies the memory mapping code to allow block devices to require stable page writes, enforce stable page writes only if required by a backing device, and optionally snapshot page content to provide stable pages during write. As a result, application latency has been improved by a considerable amount and applications with high demand of memory mapping now perform as expected.
BZ#997845
The RAID1 and RAD10 code previously called the raise_barrier() and lower_barrier() functions instead of the freeze_array() and unfreeze_array() functions that are safe being called from within the management thread. As a consequence, a deadlock situation could occur if an MD array contained a spare disk, rendering the respective kernel thread unresponsive. Furthermore, if a shutdown sequence was initiated after this problem had occurred, the shutdown sequence became unresponsive and any in-cache file system data that were not synchronized to the disk were lost. A patch correcting this problem has been applied and the RAID1 and RAID10 code now uses management-thread safe functions as expected.
BZ#996802
Previous changes to the Linux kernel network driver code introduced the TCP Small Queues (TSQ) feature. However, these changes led to performance degradation on certain network devices, such as devices using the ixgbe driver. This problem has been fixed by a series of patches to the TCP Segmentation Offload (TSO) and TSQ features that include support for setting the size of TSO frames, and dynamic limit for the number of packet queues on device queues for a given TCP flow.
BZ#950598
If an NFSv4 client was checking open permissions for a delegated OPEN operation during OPEN state recovery of an NFSv4 server, the NFSv4 state manager could enter a deadlock. This happened because the client was holding the NFSv4 sequence ID of the OPEN operation. This problem is resolved by releasing the sequence ID before the client starts checking open permissions.
BZ#983288
NFS previously allowed extending an NFS file write to cover a full page only if the file had not set a byte-range lock. However, extending the write to cover the entire page is sometimes desirable in order to avoid fragmentation inefficiencies. For example, a noticeable performance decrease was reported if a series of small non-contiguous writes was performed on the file. A patch has been applied to the NFS code that allows NFS extending a file write to a full page write if the whole file is locked for writing or if the client holds a write delegation.
BZ#998752
A patch included in kernel version 2.6.32-358.9.1.el6, to fix handling of revoked NFSv4 delegations, introduced a regression bug to the NFSv4 code. This regression in the NFSv4 exception and asynchronous error handling allowed, under certain circumstances, passing a NULL inode to an NFSv4 delegation-related function, which resulted in a kernel panic. The NFSv4 exception and asynchronous error handling has been fixed so that a NULL inode can no longer be passed in this situation.
BZ#947582
XFS file systems were occasionally shut down with the "xfs_trans_ail_delete_bulk: attempting to delete a log item that is not in the AIL" error message. This happened because the EFI/EFD handling logic was incorrect and the EFI log item could have been freed before it was placed in the AIL and committed. A patch has been applied to the XFS code fixing the EFI/EFD handling logic and ensuring that the EFI log items are never freed before the EFD log items are processed. The aforementioned error no longer occurs on an XFS shutdown.
BZ#947275
A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as "not in use". Consequently, automount attempted to unmount the tree and failed with a "failed to umount offset" error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs.
BZ#927988
Cyclic adding and removing of the st kernel module could previously cause a system to become unresponsive. This was caused by a disk queue reference count bug in the SCSI tape driver. An upstream patch addressing this bug has been backported to the SCSI tape driver and the system now responds as expected in this situation.
BZ#927918
A previous update introduced a new failure mode to the blk_get_request() function returning the -ENODEV error code when a block device queue is being destroyed. However, the change did not include a NULL pointer check for all callers of the function. Consequently, the kernel could dereference a NULL pointer when removing a block device from the system, which resulted in a kernel panic. This update applies a patch that adds these missing NULL pointer checks. Also, some callers of the blk_get_request() function could previously return the -ENOMEM error code instead of -ENODEV, which would lead to incorrect call chain propagation. This update applies a patch ensuring that correct return codes are propagated.
BZ#790921
By default, the kernel uses a best-fit algorithm for allocating Virtual Memory Areas (VMAs) to map processed files to the address space. However, if an enormous number of small files (hundreds of thousands or millions) was being mapped, the address space became extremely fragmented, which resulted in significant CPU usage and performance degradation. This update introduces an optional next-fit policy which, if enabled, allows for mapping of a file to the first suitable unused area in the address space that follows after the previously allocated VMA.
BZ#960717
A rare race condition between the "devloss" timeout and discovery state machine could trigger a bug in the lpfc driver that nested two levels of spin locks in reverse order. The reverse order of spin locks led to a deadlock situation and the system became unresponsive. With this update, a patch addressing the deadlock problem has been applied and the system no longer hangs in this situation.
BZ#922999
An error in backporting the block reservation feature from upstream resulted in a missing allocation of a reservation structure when an allocation is required during the rename system call. Renaming a file system object (for example, file or directory) requires a block allocation for the destination directory. If the destination directory had not had a reservation structure allocated, a NULL pointer dereference occurred, leading to a kernel panic. With this update, a reservation structure is allocated before the rename operation, and a kernel panic no longer occurs in this scenario.
BZ#805407
A system could become unresponsive due to an attempt to shut down an XFS file system that was waiting for log I/O completion. A patch to the XFS code has been applied that allows for the shutdown method to be called from different contexts so XFS log items can be deleted properly even outside the AIL, which fixes this problem.
BZ#922931
A bug in the dm_btree_remove() function could cause leaf values to have incorrect reference counts. Removal of a shared block could result in space maps considering the block as no longer used. As a consequence, sending a discard request to a shared region of a thin device could corrupt its snapshot. The bug has been fixed to prevent corruption in this scenario.
BZ#980273
A recent change in the memory mapping code introduced a new optional next-fit algorithm for allocating VMAs to map processed files to the address space. This change, however, broke behavior of a certain internal function which then always followed the next-fit VMA allocation scheme instead of the first-fit VMA allocation scheme. Consequently, when the first-fit VMA allocation scheme was in use, this bug caused linear address space fragmentation and could lead to early "-ENOMEM" failures for mmap() requests. This patch restores the original first-fit behavior to the function so the aforementioned problems no longer occur.
BZ#922779
The GFS2 discard code did not calculate the sector offset correctly for block devices with the sector size of 4 KB, which led to loss of data and metadata on these devices. A patch correcting this problem has been applied so the discard and FITRIM requests now work as expected for the block devices with the 4 KB sector size.
BZ#1002765
A bug in the real-time (RT) scheduler could cause a RT priority process to stop running due to an invalid attribute of the run queue. When a CPU became affected by this bug, the migration kernel thread stopped running on the CPU, and subsequently every other process that was migrated to the affected CPU by the system stopped running as well. A patch has been applied to the RT scheduler and RT priority processes are no longer affected this problem.
BZ#920794
When using the congestion window lock functionality of the ip utility, the system could become unresponsive. This happened because the tcp_slow_start() function could enter an infinite loop if the congestion window was locked using route metrics. A set of patches has been applied to comply with the upstream kernel, ensuring the problem no longer occurs in this scenario.
BZ#978609
A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail cleaning up timed-out I/O requests that were pending on an SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive anytime the abort function is entered and the task has not completed. The driver now cleans up timed-out I/O requests as expected in this situation.
BZ#920672
Due to a race condition in the kernel's DMA initialization code, DMA requests from the hpsa and hpilo drivers could fail with IO_PAGE_FAULT errors during initialization of the AMD iommu driver on AMD systems with the IOMMU feature enabled. To avoid triggering this race condition, the kernel now executes the init_device_table_dma() function to block DMA requests from all devices only after the initialization of unity mappings is finished.
BZ#1003697
If the arp_interval and arp_validate bonding options were not enabled on the configured bond device in the correct order, the bond device did not process ARP replies, which led to link failures and changes of the active slave device. A series of patches has been applied to modify an internal bond ARP hook based on the values of arp_validate and arp_interval. Therefore, the ARP hook is registered even if arp_interval is set after arp_validate has already been enabled, and ARP replies are processed as expected.
BZ#920445
The kernel could rarely terminate instead of creating a dump file when a multi-threaded process using FPU aborted. This happened because the kernel did not wait until all threads became inactive and attempted to dump the FPU state of active threads into memory which triggered a BUG_ON() routine. A patch addressing this problem has been applied and the kernel now waits for the threads to become inactive before dumping their FPU state into memory.
BZ#962460
Previously, the Generic Receive Offload (GRO) functionality was not enabled by default for VLAN devices. Consequently, certain network adapters, such as Emulex Virtual Fabric Adapter (VFA) II, that use be2net driver, were dropping packets when VLAN tagging was enabled and the 8021q kernel module loaded. This update applies a patch that enables GRO by default for VLAN devices.
BZ#827548
A race condition between the read_swap_cache_async() and get_swap_page() functions in the Memory management (mm) code could lead to a deadlock situation. The deadlock could occur only on systems that deployed swap partitions on devices supporting block DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE entry that did not have a page in the swap cache yet, a DISCARD operation was performed in the scan_swap_map() function. Consequently, completion of an I/O operation was scheduled on the same CPU's working queue the read_swap_cache_async() was running on. This caused the thread in read_swap_cache_async() to loop indefinitely around its "-EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to run on the affected CPU, and thus avoiding the deadlock.
BZ#987426
An infinite loop bug in the NFSv4 code caused an NFSv4 mount process to hang on a busy loop of the LOOKUP_ROOT operation when attempting to mount an NFSv4 file system and the first iteration on this operation failed. A patch has been applied that allows to exit the LOOKUP_ROOT operation properly and a mount attempt now either succeeds or fails in this situation.
BZ#828936
A bug in the OProfile tool led to a NULL pointer dereference while unloading the OProfile kernel module, which resulted in a kernel panic. The problem was triggered if the kernel was running with the nolapic parameter set and OProfile was configured to use the NMI timer interrupt. The problem has been fixed by correctly setting the NMI timer when initializing OProfile.
BZ#976915
An NFS client previously did not wait for completing of unfinished I/O operations before sending the LOCKU and RELEASE_LOCKOWNER operations to the NFS server in order to release byte range locks on files. Consequently, if the server processed the LOCKU and RELEASE_LOCKOWNER operations before some of the related READ operations, it released all locking states associated with the requested lock owner, and the READs returned the NFS4ERR_BAD_STATEID error code. This resulted in the "Lock reclaim failed!" error messages being generated in the system log and the NFS client had to recover from the error. A series of patches has been applied ensuring that an NFS client waits for all outstanding I/O operations to complete before releasing the locks.
BZ#918239
When the Red Hat Enterprise Linux 6 kernel runs as a virtual machine, it performs boot-time detection of the hypervisor in order to enable hypervisor-specific optimizations. Red Hat Enterprise Linux 6.4 introduces detection and optimization for the Microsoft Hyper-V hypervisor. Previously Hyper-V was detected first, however, because some Xen hypervisors can attempt to emulate Hyper-V, this could lead to a boot failure when that emulation was not exact. A patch has been applied to ensure that the attempt to detect Xen is always done before Hyper-V, resolving this issue.
BZ#962976
If the audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load on the audit queue. Previously, if the current audit process had any pending signals in such a situation, it entered a busy-wait loop for the duration of an audit backlog timeout because the wait_for_auditd() function was called as an interruptible task. This could lead to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by setting wait_for_auditd() as uninterruptible.
BZ#833299
Due to a bug in firmware, systems using the LSI MegaRAID controller failed to initialize this device in the kdump kernel if the "intel_iommu=on" and "iommu=pt"kernel parameters were specified in the first kernel. As a workaround until a firmware fix is available, a patch to the megaraid_sas driver has been applied so if the firmware is not in the ready state upon the first attempt to initialize the controller, the driver resets the controller and retries for firmware transition to the ready state.
BZ#917872
A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.
BZ#994430
A previous patch to the bridge multicast code introduced a bug allowing reinitialization of an active timer for a multicast group whenever an IPv6 multicast query was received. A patch has been applied to the bridge multicast code so that a bridge multicast timer is no longer reinitialized when it is active.
BZ#916994
A kernel panic could occur during path failover on systems using multiple iSCSI, FC or SRP paths to connect an iSCSI initiator and an iSCSI target. This happened because a race condition in the SCSI driver allowed removing a SCSI device from the system before processing its run queue, which led to a NULL pointer dereference. The SCSI driver has been modified and the race is now avoided by holding a reference to a SCSI device run queue while it is active.
BZ#994382
The kernel's md driver contained multiple bugs, including a use-after-free bug in the raid10 code that could cause a kernel panic. Also a data corruption bug in the raid5 code was discovered. The bug occurred when a hard drive was replaced while a RAID4, RAID5, or RAID6 array contained by the drive was in process of recovery. A series of patches has been applied to fix all bugs that have been discovered. The md driver now contains necessary tests that prevent the mentioned use-after-free and data corruption bugs from occurring.
BZ#840860
The sunrpc code paths that wake up an RPC task are highly optimized for speed so the code avoids using any locking mechanism but requires precise operation ordering. Multiple bugs were found related to operation ordering, which resulted in a kernel crash involving either a BUG_ON() assertion or an incorrect use of a data structure in the sunrpc layer. These problems have been fixed by properly ordering operations related to the RPC_TASK_QUEUED and RPC_TASK_RUNNING bits in the wake-up code paths of the sunrpc layer.
BZ#916735
In the RPC code, when a network socket backed up due to high network traffic, a timer was set causing a retransmission, which in turn could cause even larger amount of network traffic to be generated. To prevent this problem, the RPC code now waits for the socket to empty instead of setting the timer.
BZ#916726
When using parallel NFS (pNFS), a kernel panic could occur when a process was killed while getting the file layout information during the open() system call. A patch has been applied to prevent this problem from occurring in this scenario.
BZ#916722
Previously, when open(2) system calls were processed, the GETATTR routine did not check to see if valid attributes were also returned. As a result, the open() call succeeded with invalid attributes instead of failing in such a case. This update adds the missing check, and the open() call succeeds only when valid attributes are returned.
BZ#916361
The crypto_larval_lookup() function could return a larval, an in-between state when a cryptographic algorithm is being registered, even if it did not create one. This could cause a larval to be terminated twice, and result in a kernel panic. This occurred for example when the NFS service was run in FIPS mode, and attempted to use the MD5 hashing algorithm even though FIPS mode has this algorithm blacklisted. A condition has been added to the crypto_larval_lookup() function to check whether a larval was created before returning it.
BZ#976879
Previously, systems running heavily-loaded NFS servers could experience poor performance of the NFS READDIR operations on large directories that were undergoing concurrent modifications, especially over higher latency connections. This happened because the NFS code performed certain dentry operations inefficiently and revalidated directory attributes too often. This update applies a series of patches that address the problem as follows; needed dentries can be accessed from dcache after the READDIR operation, and directory attributes are revalidated only at the beginning of the directory or if the cached attributes expire.
BZ#976823
The GFS2 did not reserve journal space for a quota change block while growing the size of a file. Consequently, a fatal assertion causing a withdraw of the GFS2 file system could have been triggered when the free blocks were allocated from the secondary bitmap. With this update, GFS2 reserves additional blocks in the journal for the quota change so the file growing transaction can now complete successfully in this situation.
BZ#976535
A previous patch to the CIFS code caused a regression of a problem where under certain conditions, a mount attempt of a CIFS DFS share fails with a "mount error(6): No such device or address" error message. This happened because the return code variable was not properly reset after a previous unsuccessful mount attempt. A backported patch has been applied to properly reset the variable and CIFS DFS shares can now be mounted as expected.
BZ#965002
A bug in the PCI driver allowed to use a pointer to the Virtual Function (VF) device entry that was already freed. Consequently, when hot-removing an I/O unit with enabled SR-IOV devices, a kernel panic occurred. This update modifies the PCI driver so a valid pointer to the Physical Function (PF) device entry is used and the kernel no longer panics in this situation.
BZ#915834
A race condition could occur in the uhci-hcd kernel module if the IRQ line was shared with other devices. The race condition allowed the IRQ handler routine to be called before the data structures were fully initialized, which caused the system to become unresponsive. This update applies a patch that fixes the problem by adding a test condition to the IRQ handler routine; if the data structure initialization is still in progress, the handler routine finishes immediately.
BZ#975507
An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) clock source, primarily the systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
BZ#915479
Due to a bug in the NFSv4 nfsd code, a NULL pointer could have been dereferenced when nfsd was looking up a path to the NFSv4 recovery directory for the fsync operation, which resulted in a kernel panic. This update applies a patch that modifies the NFSv4 nfsd code to open a file descriptor for fsync in the NFSv4 recovery directory instead of looking up the path. The kernel no longer panics in this situation.
BZ#858198
Previously, bond and bridge devices did not pass Generic Receive Offload (GRO) information to their slave devices, and bridge devices also did not propagate VLAN information to their ports. As a consequence, in environments with VLAN configured over a bridge or bonding device, performance of the slave devices configured on the bridge and bonding devices was significantly low. A series of patches has been applied that adds the GRO feature for bonding and bridge devices and allows VLANs to be registered with the participating bridge ports. If a slave device supports GRO, its performance is now significantly increased in environments with VLAN configured over a bridge or bonding device.
BZ#975211
Due to a bug in the NFS code, kernel size-192 and size-256 slab caches could leak memory. This could eventually result in an OOM issue when the most of available memory was used by the respective slab cache. A patch has been applied to fix this problem and the respective attributes in the NFS code are now freed properly.
BZ#913704
Previously, the NFS Lock Manager (NLM) did not resend blocking lock requests after NFSv3 server reboot recovery. As a consequence, when an application was running on a NFSv3 mount and requested a blocking lock, the application received an -ENOLCK error. This patch ensures that NLM always resend blocking lock requests after the grace period has expired.
BZ#862758
When counting CPU time, the utime and stime values are scaled based on rtime. Prior to this update, the utime value was multiplied with the rtime value, but the integer multiplication overflow could happen, and the resulting value could be then truncated to 64 bits. As a consequence, utime values visible in the user space were stall even if an application consumed a lot of CPU time. With this update, the multiplication is performed on stime instead of utime. This significantly reduces the chances of an overflow on most workloads because the stime value, unlike the utime value, cannot grow fast.
BZ#913660
In a case of a broken or malicious server, an index node (inode) of an incorrect type could be matched. This led to an NFS client NULL pointer dereference, and, consequently, to a kernel oops. To prevent this problem from occurring in this scenario, a check has been added to verify that the inode type is correct.
BZ#913645
A previously-applied patch introduced a bug in the ipoib_cm_destroy_tx() function, which allowed a CM object to be moved between lists without any supported locking. Under a heavy system load, this could cause the system to crash. With this update, proper locking of the CM objects has been re-introduced to fix the race condition, and the system no longer crashes under a heavy load.
BZ#966853
Previously, when booting a Red Hat Enterprise Linux 6.4 system and the ACPI Static Resource Affinity Table (SRAT) had a hot-pluggable bit enabled, the kernel considered the SRAT table incorrect and NUMA was not configured. This led to a general protection fault and a kernel panic occurring on the system. The problem has been fixed by using an SMBIOS check in the code in order to avoid the SRAT code table consistency checks. NUMA is now configured as expected and the kernel no longer panics in this situation.
BZ#912963
When booting the normal kernel on certain servers, such as HP ProLiant DL980 G7, some interrupts may have been lost which resulted in the system bein unresponsive or rarely even in data loss. This happened because the kernel did not set correct destination mode during the boot; the kernel booted in "logical cluster mode" that is default while this system supported only "x2apic physical mode". This update applies a series of patches addressing the problem. The underlying APIC code has been modified so the x2apic probing code now checks the Fixed ACPI Description Table (FADT) and installs the x2apic "physical" driver as expected. Also, the APIC code has been simplified and the code now uses probe routines to select destination APIC mode and install the correct APIC drivers.
BZ#912867
Previously, the fsync(2) system call incorrectly returned the EIO (Input/Output) error instead of the ENOSPC (No space left on device) error. This was due to incorrect error handling in the page cache. This problem has been fixed and the correct error value is now returned.
BZ#912842
Previously, an NFS RPC task could enter a deadlock and become unresponsive if it was waiting for an NFSv4 state serialization lock to become available and the session slot was held by the NFSv4 server. This update fixes this problem along with the possible race condition in the pNFS return-on-close code. The NFSv4 client has also been modified to not accepting delegated OPEN operations if a delegation recall is in effect. The client now also reports NFSv4 servers that try to return a delegation when the client is using the CLAIM_DELEGATE_CUR open mode.
BZ#912662
Due to the way the CPU time was calculated, an integer multiplication overflow bug could occur after several days of running CPU bound processes that were using hundreds of kernel threads. As a consequence, the kernel stopped updating the CPU time and provided an incorrect CPU time instead. This could confuse users and lead to various application problems. This update applies a patch fixing this problem by decreasing the precision of calculations when the stime and rtime values become too large. Also, a bug allowing stime values to be sometimes erroneously calculated as utime values has been fixed.
BZ#967095
An NFS server could terminate unexpectedly due to a NULL pointer dereference caused by a rare race condition in the lockd daemon. An applied patch fixes this problem by protecting the relevant code with spin locks, and thus avoiding the race in lockd.
BZ#911359
Virtual LAN (VLAN) support of the eHEA ethernet adapter did not work as expected. A "device ethX has buggy VLAN hw accel" message could have been reported when running the "dmesg" command. This was because an upstream backport patch removed the vlan_rx_register() function. This update adds the function back, and eHEA VLAN support works as expected. This update also addresses a possible kernel panic, which could occur due to a NULL pointer dereference when processing received VLAN packets. The patch adds a test condition verifying whether a VLAN group is set by the network stack, which prevents a possible NULL pointer to be dereferenced, and the kernel no longer crashes in this situation.
BZ#910597
The kernel's implementation of RTAS (RunTime Abstraction Services) previously allowed the stop_topology_update() function to be called from an interrupt context during live partition migration on PowerPC and IBM System p machines. As a consequence, the system became unresponsive. This update fixes the problem by calling stop_topology_update() earlier in the migration process, and the system no longer hangs in this situation.
BZ#875753
Truncating files on a GFS2 file system could fail with an "unable to handle kernel NULL pointer dereference" error. This was because of a missing reservation structure that caused the truncate code to reference an incorrect pointer. To prevent this, a patch has been applied to allocate a block reservation structure before truncating a file.
BZ#909464
Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events.
BZ#908990
Previously, power-limit notification interrupts were enabled by default on the system. This could lead to degradation of system performance or even render the system unusable on certain platforms, such as Dell PowerEdge servers. A patch has been applied to disable power-limit notification interrupts by default and a new kernel command line parameter "int_pln_enable" has been added to allow users observing these events using the existing system counters. Power-limit notification messages are also no longer displayed on the console. The affected platforms no longer suffer from degraded system performance due to this problem.
BZ#876778
A change in the ipmi_si driver handling caused an extensively long delay while booting Red Hat Enterprise Linux 6.4 on SIG UV platforms. The driver was loaded as a kernel module on previous versions of Red Hat Enterprise Linux 6 while it is now built within the kernel. However, SIG UV does not use, and thus does not support the ipmi_si driver. A patch has been applied and the kernel now does not initialize the ipmi_si driver when booting on SIG UV.
BZ#908851
Previously, the queue limits were not being retained as they should have been if a device did not contain any data or if a multipath device temporarily lost all its paths. This problem has been fixed by avoiding a call to the dm_calculate_queue_limits() function.
BZ#908751
When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus to which the new device is being added. When reprogramming the hot plug parameters of a VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's shadow page tables. Previously, if the guest had a huge and complex set of shadow page tables, the flushing operation took a significant amount of time and the guest could appear to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft lockup" watchdog and the "BUG: soft lockup" events were logged by both, the guest and host kernel. This update applies a series of patches that deal with this problem. The KVM's Memory Management Unit (MMU) now avoids creating multiple page table roots in connection with processors that support Extended Page Tables (EPT). This prevents the guest's shadow page tables from becoming too complex on machines with EPT support. MMU now also flushes only large memory mappings, which alleviates the situation on machines where the processor does not support EPT. Additionally, a free memory accounting race that could prevent KVM MMU from freeing memory pages has been fixed.
BZ#908608
Certain CPUs contain on-chip virtual-machine control structure (VMCS) caches that are used to keep active VMCSs managed by the KVM module. These VMCSs contain runtime information of the guest machines operated by KVM. These CPUs require support of the VMCLEAR instruction that allows flushing the cache's content into memory. The kernel previously did not use the VMCLEAR instruction in Kdump. As a consequence, when dumping a core of the QEMU KVM host, the respective CPUs did not flush VMCSs to the memory and the guests' runtime information was not included in the core dump. This problem has been addressed by a series of patches that implement support of using the VMCLEAR instruction in Kdump. The kernel is now performs the VMCLEAR operation in Kdump if it is required by a CPU so the vmcore file of the QEMU KVM host contains all VMCSs information as expected.
BZ#908524
When pNFS (parallel NFS) code was in use, a file locking process could enter a deadlock while trying to recover form a server reboot. This update introduces a new locking mechanism that avoids the deadlock situation in this scenario.
BZ#878708
Sometimes, the irqbalance tool could not get the CPU NUMA node information because of missing symlinks for CPU devices in sysfs. This update adds the NUMA node symlinks for CPU devices in sysfs, which is also useful when using irqbalance to build a CPU topology.
BZ#908158
The virtual file system (VFS) code had a race condition between the unlink and link system calls that allowed creating hard links to deleted (unlinked) files. This could, under certain circumstances, cause inode corruption that eventually resulted in a file system shutdown. The problem was observed in Red Hat Storage during rsync operations on replicated Gluster volumes that resulted in an XFS shutdown. A testing condition has been added to the VFS code, preventing hard links to deleted files from being created.
BZ#908093
When an inconsistency is detected in a GFS2 file system after an I/O operation, the kernel performs the withdraw operation on the local node. However, the kernel previously did not wait for an acknowledgement from the GFS control daemon (gfs_controld) before proceeding with the withdraw operation. Therefore, if a failure isolating the GFS2 file system from a data storage occurred, the kernel was not aware of this problem and an I/O operation to the shared block device may have been performed after the withdraw operation was logged as successful. This could lead to corruption of the file system or prevent the node from journal recovery. This patch modifies the GFS2 code so the withdraw operation no longer proceeds without the acknowledgement from gfs_controld, and the GFS2 file system can no longer become corrupted after performing the withdraw operation.
BZ#907844
If a logical volume was created on devices with thin provisioning enabled, the mkfs.ext4 command took a long time to complete, and the following message was recorded in the system log:
kernel: blk: request botched
This was caused by discard request merging that was not completely functional in the block and SCSI layers. This functionality has been temporarily disabled to prevent such problems from occurring.
BZ#907512
A previous patch that modified dcache and autofs code caused a regression. Due to this regression, unmounting a large number of expired automounts on a system under heavy NFS load caused soft lockups, rendering the system unresponsive. If a "soft lockup" watchdog was configured, the machine rebooted. To fix the regression, the erroneous patch has been reverted and the system now handle the aforementioned scenario properly without any soft lockups.
BZ#907227
Previously, when using parallel network file system (pNFS) and data was written to the appropriate storage device, the LAYOUTCOMMIT requests being sent to the metadata server could fail internally. The metadata server was not provided with the modified layout based on the written data, and these changes were not visible to the NFS client. This happened because the encoding functions for the LAYOUTCOMMIT and LAYOUTRETURN operations were defined as void, and returned thus an arbitrary status. This update corrects these encoding functions to return 0 on success as expected. The changes on the storage device are now propagated to the metadata server and can be observed as expected.
BZ#883905
When the Active Item List (AIL) becomes empty, the xfsaild daemon is moved to a task sleep state that depends on the timeout value returned by the xfsaild_push() function. The latest changes modified xfsaild_push() to return a 10-ms value when the AIL is empty, which sets xfsaild into the uninterruptible sleep state (D state) and artificially increased system load average. This update applies a patch that fixes this problem by setting the timeout value to the allowed maximum, 50 ms. This moves xfsaild to the interruptible sleep state (S state), avoiding the impact on load average.
BZ#905126
Previously, init scripts were unable to set the master interface MAC address properly because it was overwritten by the first slave MAC address. To avoid this problem, this update re-introduces the check for an unassigned MAC address before adopting the first slaves as its own.
BZ#884442
Due to a bug in the be2net driver, events in the RX, TX, and MCC queues were not acknowledged before closing the respective queue. This could cause unpredictable behavior when creating RX rings during the subsequent queue opening. This update applies a patch that corrects this problem and events are now acknowledged as expected in this scenario.
BZ#904726
Previously, the mlx4 driver set the number of requested MSI-X vectors to 2 under multi-function mode on mlx4 cards. However, the default setting of the mlx4 firmware allows for a higher number of requested MSI-X vectors (4 of them with the current firmware). This update modifies the mlx4 driver so that it uses these default firmware settings, which improves performance of mlx4 cards.
BZ#904025
Reading a large number of files from a pNFS (parallel NFS) mount and canceling the running operation by pressing Ctrl+C caused a general protection fault in the XDR code, which could manifest itself as a kernel oops with an "unable to handle kernel paging request" message. This happened because decoding of the LAYOUTGET operation is done by a worker thread and the caller waits for the worker thread to complete. When the reading operation was canceled, the caller stopped waiting and freed the pages. So the pages no longer existed at the time the worker thread called the relevant function in the XDR code. The cleanup process of these pages has been moved to a different place in the code, which prevents the kernel oops from happening in this scenario.
BZ#903644
A previous patch to the mlx4 driver enabled an internal loopback to allow communication between functions on the same host. However, this change introduced a regression that caused virtual switch (vSwitch) bridge devices using Mellanox Ethernet adapter as the uplink to become inoperative in native (non-SRIOV) mode under certain circumstances. To fix this problem, the destination MAC address is written to Tx descriptors of transmitted packets only in SRIOV or eSwitch mode, or during the device self-test. Uplink traffic works as expected in the described setup.
BZ#887006
The Intel 5520 and 5500 chipsets do not properly handle remapping of MSI and MSI-X interrupts. If the interrupt remapping feature is enabled on the system with such a chipset, various problems and service disruption could occur (for example, a NIC could stop receiving frames), and the "kernel: do_IRQ: 7.71 No irq handler for vector (irq -1)" error message appears in the system logs. As a workaround to this problem, it has been recommended to disable the interrupt remapping feature in the BIOS on such systems, and many vendors have updated their BIOS to disable interrupt remapping by default. However, the problem is still being reported by users without proper BIOS level with this feature properly turned off. Therefore, this update modifies the kernel to check if the interrupt remapping feature is enabled on these systems and to provide users with a warning message advising them on turning off the feature and updating the BIOS.
BZ#887045
When booting Red Hat Enterprise Linux 6 system that utilized a large number of CPUs (more than 512), the system could fail to boot or could appear to be unresponsive after initialization. This happened because the CPU frequency driver used a regular spin lock (cpufreq_driver_lock) to serialize frequency transitions, and this lock could, under certain circumstances, become a source of heavy contention during the system initialization and operation. A patch has been applied to convert cpufreq_driver_lock into a read-write lock, which resolves the contention problem. All Red Hat Enterprise Linux 6 systems now boot and operate as expected.
BZ#903220
A previous patch to the kernel introduced a bug by assigning a different value to the IFLA_EXT_MASK Netlink attribute than found in the upstream kernels. This could have caused various problems; for example, a binary compiled against upstream headers could have failed or behaved unexpectedly on Red Hat Enterprise Linux 6.4 and later kernels. This update realigns IFLA_EXT_MASK in the enumeration correctly by synchronizing the IFLA_* enumeration with the upstream. This ensures that binaries compiled against Red Hat Enterprise Linux 6.4 kernel headers will function as expected. Backwards compatibility is guaranteed.
BZ#887868
Due to a bug in the SCTP code, a NULL pointer dereference could occur when freeing an SCTP association that was hashed, resulting in a kernel panic. A patch addresses this problem by trying to unhash SCTP associations before freeing them and the problem no longer occurs.
BZ#888417
Previously, a kernel panic could occur on machines using the SCSI sd driver with Data Integrity Field (DIF) type 2 protection. This was because the scsi_register_driver() function registered the prep_fn()function that might have needed to use the sd_cdp_pool variable for the DIF functionality. However, the variable had not yet been initialized at this point. The underlying code has been updated so that the driver is registered last, which prevents a kernel panic from occurring in this scenario.
BZ#901747
The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error along with the loss of the link connection. This could happen in environments using an older boot code because the MDIO clock was set in the beginning of each boot code sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per EMAC register instead of per port number, which prevents ports from using different EMAC addresses for different PHY accesses. Also, boot code or Management Firmware (MFW) upgrade is required to prevent the boot code (firmware) from taking over link ownership if the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.
BZ#990806
When the Audit subsystem was under heavy load, it could loop infinitely in the audit_log_start() function instead of failing over to the error recovery code. This would cause soft lockups in the kernel. With this update, the timeout condition in the audit_log_start() function has been modified to properly fail over when necessary.
BZ#901701
A previous kernel update broke queue pair (qp) hash list deletion in the qp_remove() function. This could cause a general protection fault in the InfiniBand stack or QLogic InfiniBand driver. A patch has been applied to restore the former behavior so the general protection fault no longer occurs.
BZ#896233
Under rare circumstances, if a TCP retransmission was multiple times partially acknowledged and collapsed, the used Socked Buffer (SKB) could become corrupted due to an overflow caused by the transmission headroom. This resulted in a kernel panic. The problem was observed rarely when using an IP-over-InfiniBand (IPoIB) connection. This update applies a patch that verifies whether a transmission headroom exceeded the maximum size of the used SKB, and if so, the headroom is reallocated. It was also discovered that a TCP stack could retransmit misaligned SKBs if a malicious peer acknowledged sub MSS frame and output interface did not have a sequence generator (SG) enabled. This update introduces a new function that allows for copying of a SKB with a new head so the SKB remains aligned in this situation.
BZ#896020
When using transparent proxy (TProxy) over IPv6, the kernel previously created neighbor entries for local interfaces and peers that were not reachable directly. This update corrects this problem and the kernel no longer creates invalid neighbor entries.
BZ#894683
A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.
BZ#893584
Timeouts could occur on an NFS client with heavy read workloads; for example when using rsync and ldconfig. Both client-side and server-side causes were found for the problem. On the client side, problems that could prevent the client reconnecting lost TCP connections have been fixed. On the server side, TCP memory pressure on the server forced the send buffer size to be lower than the size required to send a single Remote Procedure Call (RPC), which consequently caused the server to be unable to reply to the client. Code fixes are still being considered. To work around the problem, increase the minimum TCP buffer sizes, for example using:
echo "1048576 1048576 4194304" >/proc/sys/net/ipv4/tcp_wmem
BZ#895336
Broadcom 5719 NIC could previously sometimes drop received jumbo frame packets due to cyclic redundancy check (CRC) errors. This update modifies the tg3 driver so that CRC errors no longer occur and Broadcom 5719 NICs process jumbo frame packets as expected.
BZ#896224
When running a high thread workload of small-sized files on an XFS file system, sometimes, the system could become unresponsive or a kernel panic could occur. This occurred because the xfsaild daemon had a subtle code path that led to lock recursion on the xfsaild lock when a buffer in the AIL was already locked and an attempt was made to force the log to unlock it. This patch removes the dangerous code path and queues the log force to be invoked from a safe locking context with respect to xfsaild. This patch also fixes the race condition between buffer locking and buffer pinned state that exposed the original problem by rechecking the state of the buffer after a lock failure. The system no longer hangs and kernel no longer panics in this scenario.
BZ#902965
The NFSv4.1 client could stop responding while recovering from a server reboot on an NFSv4.1 or pNFS mount with delegations disabled. This could happen due to insufficient locking in the NFS code and several related bugs in the NFS and RPC scheduler code which could trigger a deadlock situation. This update applies a series of patches which prevent possible deadlock situations from occurring. The NFSv4.1 client now recovers and continue with workload as expected in the described situation.
BZ#1010840
The default sfc driver on Red Hat Enterprise Linux 6 allowed toggling the Large Receive Offset (LRO) flag on and off on a network device regardless of whether LRO was supported by the device or not. Therefore, when the LRO flag was enabled on devices without LRO support, the action had no effect and could confuse users. A patch to the sfc driver has been applied so that the sfc driver properly validates whether LRO is supported by the device. If the device does not support LRO, sfc disables the LRO flag so that users can no longer toggle it for that device.
BZ#886867
During device discovery, the system creates a temporary SCSI device with the LUN ID 0 if the LUN 0 is not mapped on the system. Previously, this led to a NULL pointer dereference because inquiry data was not allocated for the temporary LUN 0 device, which resulted in a kernel panic. This update adds a NULL pointer test in the underlying SCSI code, and the kernel no longer panics in this scenario.
BZ#886420
When a network interface (NIC) is running in promiscuous (PROMISC) mode, the NIC may receive and process VLAN tagged frames even though no VLAN is attached to the NIC. However, some network drivers, such as bnx2, igb, tg3, and e1000e did not handle processing of packets with VLAN tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned. The drivers processed the packets with incorrect routines and various problems could occur; for example, a DHCPv6 server connected to a VLAN could assign an IPv6 address from the VLAN pool to a NIC with no VLAN interface. To handle the VLAN tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code so the aforementioned drivers have been modified to restrain from performing a NULL value test of the packet's VLAN group field when the NIC is in PROMISC mode. This update also includes a patch fixing a bug where the bnx2x driver did not strip a VLAN header from the frame if no VLAN was configured on the NIC, and another patch that implements some register changes in order to enable receiving and transmitting of VLAN packets on a NIC even if no VLAN is registered with the card.
BZ#988460
When a slave device started up, the current_arp_slave parameter was unset but the active flags on the slave were not marked inactive. Consequently, more than one slave device with active flags in active-backup mode could be present on the system. A patch has been applied to fix this problem by marking the active flags inactive for a slave device before the current_arp_slave parameter is unset.
BZ#883575
Due to a bug in descriptor handling, the ioat driver did not correctly process pending descriptors on systems with the Intel Xeon Processor E5 family. Consequently, the CPU was utilized excessively on these systems. A patch has been applied to the ioat driver so the driver now determines pending descriptors correctly and CPU usage is normal again for the described processor family.
BZ#905561
A previous change in the bridge multicast code allowed sending general multicast queries in order to achieve faster convergence on startup. To prevent interference with multicast routers, send packets contained a zero source IP address. However, these packets interfered with certain multicast-aware switches, which resulted in the system being flooded with the IGMP membership queries with zero source IP address. A series of patches addresses this problem by disabling multicast queries by default and implementing multicast querier that allows to toggle up sending of general multicast queries if needed.
BZ#882413
A bug was causing bad block detection to try to isolate which blocks were bad in a device that had suffered a complete failure - even when bad block tracking was not turned on. This was causing very large delays in returning I/O errors when the entire set of RAID devices was lost to failure. The large delays caused problems during disaster recovery scenarios. The bad block tracking code is now properly disabled and errors return in a timely fashion when enough devices fail in a RAID array to exceed its redundancy.
BZ#876600
Previously, running commands such as "ls", "find" or "move" on a MultiVersion File System (MVFS) could cause a kernel panic. This happened because the d_validate() function, which is used for dentry validation, called the kmem_ptr_validate() function to validate a pointer to a parent dentry. The pointer could have been freed anytime so the kmem_ptr_validate() function could not guarantee the pointer to be dereferenced, which could lead to a NULL pointer derefence. This update modifies d_validate() to verify the parent-child relationship by traversing the parent dentry's list of child dentries, which solves this problem. The kernel no longer panics in the described scenario.
BZ#1008705
The sfc driver exposes on-board flash partitions using the MTD subsystem and it must expose up to 9 flash partitions per board. However, the MTD subsystem in Red Hat Enterprise Linux 6 has a static limit of 32 flash partitions. As a consequence, the Solarflare tools cannot operate on all boards if more than 3 boards are installed, preventing firmware on some boards from being updated or queried for a version number. With this update, a new EFX_MCDI_REQUEST sub-command has been added to the driver-private SIOCEFX ioctl, which allows bypassing the MTD layer and sending requests directly to the controller's firmware. The Solarflare tools can now be used and the firmware on all installed devices can be updated as expected in this scenario.
BZ#871795
Previously, the VLAN code incorrectly cleared the timestamping interrupt bit for network devices using the igb driver. Consequently, timestamping failed on the igb network devices with Precision Time Protocol (PTP) support. This update modifies the igb driver to preserve the interrupt bit if interrupts are disabled.
BZ#869736
When using more than 4 GB of RAM with an AMD processor, reserved regions and memory holes (E820 regions) can also be placed above the 4 GB range. For example, on configurations with more than 1 TB of RAM, AMD processors reserve the 1012 GB - 1024 GB range for the Hyper Transport (HT) feature. However, the Linux kernel does not correctly handle E820 regions that are located above the 4 GB range. Therefore, when installing Red Hat Enterprise Linux on a machine with an AMD processor and 1 TB of RAM, a kernel panic occurred and the installation failed. This update modifies the kernel to exclude E820 regions located above the 4 GB range from direct mapping. The kernel also no longer maps the whole memory on boot but only finds memory ranges that are necessary to be mapped. The system can now be successfully installed on the above-described configuration.
BZ#867689
The kernel interface to ACPI had implemented error messaging incorrectly. The following error message was displayed when the system had a valid ACPI Error Record Serialization Table (ERST) and the pstore.backend kernel parameter had been used to disable use of ERST by the pstore interface:
ERST: Could not register with persistent store
However, the same message was also used to indicate errors precluding registration. A series of patches modifies the relevant ACPI code so that ACPI now properly distinguish between different cases and accordingly prints unique and informative messages.
BZ#965132
When setting up a bonding device, a certain flag was used to distinguish between TLB and ALB modes. However, usage of this flag in ALB mode allowed enslaving NICs before the bond was activated. This resulted in enslaved NICs not having unique MAC addresses as required, and consequent loss of "reply" packets sent to the slaves. This patch modifies the function responsible for the setup of the slave's MAC address so the flag is no longer needed to discriminate ALB mode from TLB and the flag was removed. The described problem no longer occur in this situation.
BZ#920752
A bug in the do_filp_open() function caused it to exit early if any write access was requested on a read-only file system. This prevented the opening of device nodes on a read-only file system. With this update, the do_filp_open() has been fixed to no longer exit if a write request is made on a read-only file system.
BZ#981741
A dentry leak occurred in the FUSE code when, after a negative lookup, a negative dentry was neither dropped nor was the reference counter of the dentry decremented. This triggered a BUG() macro when unmounting a FUSE subtree containing the dentry, resulting in a kernel panic. A series of patches related to this problem has been applied to the FUSE code and negative dentries are now properly dropped so that triggering the BUG() macro is now avoided.
BZ#924804
This update reverts two previously-included qla2xxx patches. These patches changed the fibre channel target port discovery procedure, which resulted in some ports not being discovered in some corner cases. Reverting these two patches fixes the discovery issues.
BZ#957821
Due a bug in the memory mapping code, the fadvise64() system call sometimes did not flush all the relevant pages of the given file from cache memory. A patch addresses this problem by adding a test condition that verifies whether all the requested pages were flushed and retries with an attempt to empty the LRU pagevecs in the case of test failure.
BZ#957231
The xen-netback and xen-netfront drivers cannot handle packets with size greater than 64 KB including headers. The xen-netfront driver previously did not account for any headers when determining the maximum size of GSO (Generic Segmentation Offload). Consequently, Xen DomU guest operations could have caused a network DoS issue on DomU when sending packets larger than 64 KB. This update adds a patch that corrects calculation of the GSO maximum size and the problem no longer occurs.
BZ#848085
A possible race in the tty layer could result in a kernel panic after triggering the BUG_ON() macro. As a workaround, the BUG_ON() macro has been replaced by the WARN_ON() macro, which allows for avoiding the kernel panic and investigating the race problem further.
BZ#980876
A bug in the network bridge code allowed an internal function to call code which was not atomic-safe while holding a spin lock. Consequently, a "BUG: scheduling while atomic" error has been triggered and a call trace logged by the kernel. This update applies a patch that orders the function properly so the function no longer holds a spin lock while calling code which is not atomic-safe. The aforementioned error with a call trace no longer occurs in this case.
BZ#916806
An NFSv4 client could previously enter a deadlock situation with the state recovery thread during state recovery after a reboot of an NFSv4 server. This happened because the client did not release the NFSv4 sequence ID of an OPEN operation that was requested before the reboot. This problem is resolved by releasing the sequence ID before the client starts waiting for the server to recover.
BZ#859562
A bug in the device-mapper RAID kernel module was preventing the "sync" directive from being honored. The result was that users were unable to force their RAID arrays to undergo a complete resync if desired. This has been fixed and users can use 'lvchange --resync my_vg/my_raid_lv' to force a complete resynchronization on their LVM RAID arrays.

Enhancements

BZ#823012
This update provides simplified performance analysis for software on Linux on System z by using the Linux perf tool to access the hardware performance counters.
BZ#829506
The fnic driver previously allowed I/O requests with the number of SGL descriptors greater than is supported by Cisco UCS Palo adapters. Consequently, the adapter returned any I/O request with more than 256 SGL descriptors with an error indicating invalid SGLs. A patch has been applied to limit the maximum number of supported SGLs in the fnic driver to 256 and the problem no longer occurs.
BZ#840454
To transmit data, for example, trace data, from guests to hosts, a low-overhead communication channel was required. Support for the splice() call has been added to the virtio_console module in the Linux kernel. This enables sending guest kernel data to the host without extra copies of the data being made inside the guest. Low-overhead communication between the guest Linux kernel and host userspace is performed via virtio-serial.
BZ#888903
A new MTIOCTOP operation, MTWEOFI, has been added to the SCSI tape driver, which allows writing of "filemarks" with the "immediate" bit. This allows a SCSI tape drive to preserve the content of its buffer, enabling the next file operation to start immediately. This can significantly increase write performance for applications that have to write multiple small files to the tape while it also reduces tape weariness.
BZ#913650
Previously, a user needed to unmount, deactivate their RAID LV, and re-activate it in order to restore a transiently failed device in their array. Now it is possible to restore such devices without unmounting by simply running 'lvchange --refresh'.
BZ#923212
Open vSwitch (OVS) is an open-source, multi-layer software switch designed to be used as a virtual switch in virtualized server environments. Starting with Red Hat Enterprise Linux 6.4, the Open vSwitch kernel module is included as an enabler for Red Hat Enterprise Linux OpenStack Platform. Open vSwitch is only supported in conjunction with Red Hat products containing the accompanying user-space packages. Without theses packages, Open vSwitch will not function and cannot be used with other Red Hat Enterprise Linux variants.
BZ#928983
The RHEL6.5 bfa driver changes behavior of the dev_loss_tmo value such that it can only be set to a value greater than the bfa driver specific path_tov value. The minimum default value that the dev_loss_tmo can be set to is 31 seconds. Attempting to set the dev_loss_tmo value lower than 31 seconds without lowering the default bfa path_tov value will not succeed.
BZ#929257
Error recovery support has been added to the flash device driver, which allows hardware service upgrades without negative impact on I/O of flash devices.
BZ#929259
The crypto adapter resiliency feature has been added. This feature provides System z typical RAS for cryptographic adapters through comprehensive failure recovery. For example, this feature handles unexpected failures or changes caused by Linux guest relocation, suspend and resume activities or configuration changes.
BZ#929262
The "fuzzy live dump" feature has been added. With this feature kernel dumps from running Linux systems can be created, to allow problem analysis without taking down systems. Because the Linux system continues running while the dump is written, and kernel data structures are changing during the dump process, the resulting dump contains inconsistencies.
BZ#929264, BZ#929264
The kernel now provides an offline interface for DASD devices. Instead of setting a DASD device offline and returning all outstanding I/O requests as failed, with this interface you can set a DASD device offline and write all outstanding data to the device before setting the device offline.
BZ#929274
The kernel now provides the Physical Channel ID (PCHID) mapping that enables hardware detection with a machine-wide unique identifier.
BZ#929275
The kernel now provides VEPA mode support. VEPA mode routes traffic between virtual machines on the same mainframe through an external switch. The switch then becomes a single point of control for security, filtering, and management.
BZ#755486, BZ#755486
Message Transfer Part Level 3 User Adaptation Layer (M3UA) is a protocol defined by the IETF standard for transporting MTP Level 3 user part signaling messages over IP using Stream Control Transmission Protocol (SCTP) instead of telephony equipment like ISDN and PSTN. With this update, M3AU measurement counters have been included for SCTP.
BZ#818344
Support for future Intel 2D and 3D graphics has been added to allow systems using future Intel processors to be certified through the Red Hat Hardware Certification program.
BZ#826061
In certain storage configurations (for example, configurations with many LUNs), the SCSI error handling code can spend a large amount of time issuing commands such as TEST UNIT READY to unresponsive storage devices. A new sysfs parameter, eh_timeout, has been added to the SCSI device object, which allows configuration of the timeout value for TEST UNIT READY and REQUEST SENSE commands used by the SCSI error handling code. This decreases the amount of time spent checking these unresponsive devices. The default value of eh_timeout is 10 seconds, which was the timeout value used prior to adding this functionality.
BZ#839470, BZ#839470
With this update, 12Gbps LSI SAS devices are now supported in Red Hat Enterprise Linux 6.
BZ#859446
Red Hat Enterprise Linux 6.5 introduces the Orlov block allocator that provides better locality for files which are truly related to each other and likely to be accessed together. In addition, when resource groups are highly contended, a different group is used to maximize performance.
BZ#869622
The mdadm tool now supports the TRIM commands for RAID0, RAID1, RAID10 and RAID5.
BZ#880142
Network namespace support for OpenStack has been added. Network namespaces (netns) is a lightweight container-based virtualization technology. A virtual network stack can be associated with a process group. Each namespace has its own loopback device and process space. Virtual or real devices can be added to each network namespace, and the user can assign IP addresses to these devices and use them as a network node.
BZ#908606
Support for dynamic hardware partitioning and system board slot recognition has been added. The dynamic hardware partitioning and system board slot recognition features alert high-level system middleware or applications for reconfiguration and allow users to grow the system to support additional workloads without reboot.
BZ#914771, BZ#920155, BZ#914797, BZ#914829, BZ#914832, BZ#914835
An implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux was introduced as a Technology Preview in Red Hat Enterprise Linux 6.4. The PTP infrastructure, both kernel and user space, is now fully supported in Red Hat Enterprise Linux 6.5. Network driver time stamping support now also includes the following drivers: bnx2x, tg3, e1000e, igb, ixgbe, and sfc.
BZ#862340
The Solarflare driver (sfc) has been updated to add PTP support as a Technology Preview.
BZ#918316
In Red Hat Enterprise Linux 6.5, users can change the cryptography hash function from MD5 to SHA1 for Stream Control Transmission Protocol (SCTP) connections.
BZ#922129
The pm8001/pm80xx driver adds support for PMC-Sierra Adaptec Series 6H and 7H SAS/SATA HBA cards as well as PMC Sierra 8081, 8088, and 8089 chip based SAS/SATA controllers.
BZ#922299
VMware Platform Drivers Updates The VMware network para-virtualized driver has been updated to the latest upstream version.
BZ#922941
The Error-correcting code (ECC) memory has been enabled for future generation of AMD processors. This feature provides the ability to check for performance and errors by accessing ECC memory related counters and status bits.
BZ#922965
Device support is enabled in the operating system for future Intel System-on-Chip (SOC) processors. These include Dual Atom processors, memory controller, SATA, Universal Asynchronous Receiver/Transmitter, System Management Bus (SMBUS), USB and Intel Legacy Block (ILB - lpc, timers, SMBUS (i2c_801 module)).
BZ#947944
Kernel Shared Memory (KSM) has been enhanced to consider non-uniform memory access (NUMA) when coalescing pages, which improves performance of the applications on the system. Also, additional page types have been included to increase the density of applications available for Red Hat OpenShift.
BZ#949805
FUSE (Filesystem in User Space) is a framework that allows for development of file systems purely in the user space without requiring modifications to the kernel. Red Hat Enterprise Linux 6.5 delivers performance enhancements for user space file systems that use FUSE, for example, GlusterFS (Red Hat Storage).
BZ#864597
The default TCP stack buffers are too large for high bandwidth applications that fully utilize the Ethernet link. This could result in a situation where connection bandwidth could not be fully utilized and could be distributed unequally if the link was shared by multiple client devices. To resolve this problem, a new feature, TCP Small Queues (TSQ), has been introduced to the TCP code. The TSQ feature reduces a number of TCP packets in xmit queues, TCP round-trip time (RTT), and the congestion window (CWND) size. It also mitigates an impact of a possible bufferbloat problem. This change also includes a patch that resolves a performance problem on mlx4 devices caused by setting the default value of the Tx coalescing too high.
All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.