1.74.2. RHSA-2011:1479: Important: kernel security, bug fix, and enhancement update
keyctl utility to cause a denial of service. (CVE-2011-4110, Moderate)
tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)
- Previously, calling the iput() function while holding the nfs_access_lru_lock spinlock could result in problems, since iput() can sleep and can also attempt to allocate memory. This update removes an optimisation that is not present in the mainline kernel series. Now, iput() is never called while holding a spinlock in the nfs_access_cache_shrinker() function, thus preventing this bug.
- Under certain circumstances, a deadlock could occur between the khubd process of the USB stack and the modprobe of the usb-storage module. This was because the khubd process, when attempting to delete a USB device, waited for the reference count of knode_bus to reach 0. However, modprobe, when loading the usb-storage module, scans all USB devices and increments the reference count, preventing the khubd process from continuing. With this update, the underlying source code has been modified to address this issue, and a deadlock no longer occurs in the described scenario.
- A previously applied patch (introduced as a fix for CVE-2011-1898) prevented PCI pass-through inside the assign_device domctl via a security check. Because the security check was not included in the test_assign_device domctl, qemu-dm could not handle any failures in the test_assign_device domctl, ultimately causing an HVM guest to have a partly accessible PCI device, which in some cases resulted in a crash of the host machine. With this update, the security check introduced for CVE-2011-1898 has been replicated in the test_assign_device domctl, thus fixing this issue.
- In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command for every bad command when a driver error handler reports success. When several bad commands pointed to the same device, the device was probed multiple times. When the device was in a state where it did not respond to commands even after a recovery function returned success, the error handler had to wait for each of these commands to time out. This significantly impeded the recovery process. With this update, the SCSI mid-layer error recovery routines have been fixed to send the test command once per device instead of once per bad command, thus reducing error recovery time considerably.
- When an INIT_ACK packet is sent with no STATE COOKIE mandatory parameter, the expected abort error cause is Missing Mandatory Parameter. Previously, the Invalid Mandatory Parameter error cause was given instead. With this update, a bug in the sctp_process_missing_param() function has been fixed, and the correct error cause value for missing parameters is now set in the described scenario.
- When a COOKIE_ACK message was received with a packet length smaller than the chunk length it declared, SCTP (Stream Control Transmission Protocol) sent an ABORT message with an incorrectly encoded PROTOCOL VIOLATION error cause. With this update, the underlying code has been fixed and the ABORT message is now encoded properly in the described scenario.
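The two SCTP items above (the INIT_ACK missing STATE COOKIE error cause and the COOKIE_ACK chunk-length check) as an added example; this is not code from the advisory or the kernel, and the constants and the sample INIT_ACK are taken from RFC 4960 and constructed here:

```python
import struct

# SCTP constants from RFC 4960 (assumed from the RFC, not taken from the advisory text)
INIT_ACK, COOKIE_ACK = 2, 11
PARAM_STATE_COOKIE = 7
CAUSE_MISSING_MANDATORY = 2     # "Missing Mandatory Parameter": the correct cause
CAUSE_INVALID_MANDATORY = 7     # "Invalid Mandatory Parameter": what the old kernel sent
CAUSE_PROTOCOL_VIOLATION = 13   # used when a chunk length exceeds the packet

def parse_params(blob):
    """Walk the TLV parameter area of an INIT/INIT_ACK chunk -> [(type, value)]."""
    params, off = [], 0
    while off + 4 <= len(blob):
        ptype, plen = struct.unpack_from("!HH", blob, off)
        if plen < 4 or off + plen > len(blob):
            raise ValueError("malformed parameter TLV")
        params.append((ptype, blob[off + 4:off + plen]))
        off += (plen + 3) & ~3          # parameters are padded to 4-byte multiples
    return params

def error_cause_for(chunk_area):
    """Return the ABORT error cause code to use for the first chunk, or None if it is valid."""
    if len(chunk_area) < 4:
        return CAUSE_PROTOCOL_VIOLATION
    ctype, _flags, clen = struct.unpack_from("!BBH", chunk_area, 0)
    if clen < 4 or clen > len(chunk_area):      # the COOKIE_ACK bug: chunk length > packet length
        return CAUSE_PROTOCOL_VIOLATION
    if ctype == INIT_ACK:
        if clen < 20:                            # 4-byte chunk header + 16-byte fixed INIT_ACK body
            return CAUSE_PROTOCOL_VIOLATION
        present = {t for t, _ in parse_params(chunk_area[20:clen])}
        if PARAM_STATE_COOKIE not in present:    # the sctp_process_missing_param() case
            return CAUSE_MISSING_MANDATORY
    return None

def missing_param_cause(missing_types):
    """Encode a Missing Mandatory Parameter cause: code, length, N, then N parameter types."""
    body = struct.pack("!I", len(missing_types))
    body += b"".join(struct.pack("!H", t) for t in missing_types)
    cause = struct.pack("!HH", CAUSE_MISSING_MANDATORY, 4 + len(body)) + body
    return cause + b"\x00" * (-len(cause) % 4)   # pad to 4 bytes; the length field excludes padding

def build_init_ack(params):
    """Constructed sample INIT_ACK chunk: header, fixed fields, then TLV parameters."""
    body = struct.pack("!IIHHI", 0x1234, 65535, 10, 10, 1) + b"".join(
        struct.pack("!HH", t, 4 + len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in params)
    return struct.pack("!BBH", INIT_ACK, 0, 4 + len(body)) + body
```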
- Due to a regression, the byte count on the wrong buffer was adjusted to account for endian differences. This resulted in the wrong buffer length being passed to the callers on big endian machines, which in turn resulted in data returned from the server being incorrectly rejected with "Invalid transact2 SMB: " error messages. This bug was first reported on the 64-bit PowerPC architecture. With this update, the correct buffer length is now passed in the described scenario.
- Previously, a connect change on a USB device was reported the same way as a disconnect. As a consequence, "hub 1-1.6:1.0: Cannot enable port X. Maybe the USB cable is bad?" messages were issued by the dmesg utility when a low speed USB device was connected to port X. With this update, the port reset code in the hub driver has been changed and the code of the usb_reset_device() function has been fixed to prevent the routine from futilely retrying the reset after a disconnect has occurred, so no error messages are returned in the described scenario.
- The operational state of a network device, represented by the value in /sys/class/net/eth<X>/operstate, was not initialized by default and reported unknown when the network device was up and was using the tg3 driver. This update fixes the tg3 driver to properly set the
- The be2net driver does not use lock-less Tx paths, and its xmit() function is protected by the netif_tx_lock spinlock, as are the set_rx_mode() functions. This configuration setup involves sending a message to the card firmware and getting a reply back, which involves a delay of up to several milliseconds. As a consequence, the requeue counter increased by high numbers. With this update, the NETIF_F_LLTX feature has been enabled and locking of the driver's own Tx paths has been implemented. Now, only small portions of the multicast configuration need to be locked in the described scenario.
- Prior to this update, the ndisc_send_skb() function was using an incorrect macro to increment the ICMP6 statistics. As a result, an out-of-bounds element of an array residing in the size-128 slab pool was incremented, causing data corruption. If the array was near the end of the slab page, user data corruption could occur. This update fixes the above-mentioned function to use the correct macro for incrementing the ICMP6 statistics, and data corruption no longer occurs.
- A previously introduced patch reduced the size of the DMA zone under the Xen hypervisor. Consequently, drivers trying to allocate contiguous memory with the dma_alloc_coherent() API often had their requests fail. This resulted in BIOS update failures on some systems with large flash memory. With this update, the zone restriction in dma_alloc_coherent() is relaxed, thus fixing this issue.
- When the hangcheck timer expires and tries to reboot the machine, it stops all other CPUs in the configuration. However, the CPU that stops the other CPUs is still enabled for interrupts. Consequently, I/O or external interrupts might arrive at the local CPU and the corresponding interrupt handler might try to acquire a lock. Previously, if a remote CPU was holding the lock while the local CPU stopped it, the result was a deadlock. The system became unresponsive instead of performing a reboot. With this update, interrupts are disabled before stopping remote CPUs and the hangs no longer occur in the described scenario.
- On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a memory shortage the first time, all pages on the active or inactive lists are considered referenced. This causes the memory management on IBM System z to do a full check over all page cache pages and start writeback for all of them. As a consequence, the system became temporarily unresponsive when the described situation occurred. With this update, only pages with active mappers are checked and the page scan now does not cause the hangs.
- Previously, the kernel was allowed to reduce the number of unnecessary commit calls by skipping the commit when there was a large number of outstanding pages being written. However, that test did not properly handle the edge case in which the number of commits (ncommit) was zero. Consequently, inodes sometimes remained on the sb->s_dirty list and could not be freed by the inode cache shrinker. As a result, the nfs_inode_cache structure grew very large over time. With this update, the nfs_write_inode() function returns immediately when commit == 0, thus fixing this bug.
- A previous kernel patch removed a call in the nfs_file_release() function to the filemap_fdatawrite() function. Consequently, data written to an NFS file which had been mapped into memory via the mmap() function and not yet flushed to the backing device was lost as soon as the file was closed. This update adds the filemap_fdatawrite() call back to the nfs_file_flush() function, which fixes this regression.
- The Xen network back-end driver was supposed to turn on all of its possible features until it negotiated with the front-end. However, after the negotiation, it did not disable the features declined by the front-end. This caused Windows guests using the xenpv-win network driver to be unable to transmit data to the host over TCP. This update properly disables the features which are not supported by the front-end.
- This update improves the performance of delete/unlink operations in a GFS2 file system containing large files by adding a layer of metadata read-ahead for indirect blocks.