B.38.3. RHSA-2011:0283 — Moderate: kernel security, bug fix and enhancement update
A flaw was found in the tcp_select_initial_window() function in the Linux kernel's IP protocol suite implementation. A local, unprivileged user could use this flaw to trigger a denial of service by calling setsockopt() with certain options. (CVE-2010-4165, Moderate)
A flaw in the mprotect() system call in the Linux kernel could allow a local, unprivileged user to cause a local denial of service. (CVE-2010-4169, Moderate)
A flaw was found in the execve() system call implementation. A local, unprivileged user could cause large amounts of memory to be allocated but not visible to the OOM (Out of Memory) killer, triggering a denial of service. (CVE-2010-4243, Moderate)
- Prior to this update, a guest could use the poll() function to find out whether the host-side connection was open or closed. However, with a SIGIO signal, this can be done asynchronously, without having to explicitly poll each port. With this update, a SIGIO signal is sent for any host connect/disconnect events. Once the SIGIO signal is received, the open/close status of virtio-serial ports can be obtained using the
- A Red Hat Enterprise Linux 6.0 host (with root on a local disk) with dm-multipath configured on multiple LUNs (Logical Unit Numbers) hit a kernel panic (at scsi_error_handler) with target controller faults during an I/O operation on the dm-multipath devices. This was caused by the blk_abort_queue() function, which was called to allow lower latency path deactivation. The call to blk_abort_queue proved to be unsafe due to a race (involving scsi_request_fn). With this update, the race has been resolved and the kernel panic no longer occurs on Red Hat Enterprise Linux 6.0 hosts.
- Prior to this update, running context-switch intensive workloads on KVM guests resulted in a large number of exits (kvm_exit) due to control register (CR) accesses by the guest, resulting in poor performance. This update includes a number of optimizations which allow the guest not to exit to the hypervisor in the aforementioned case and improve the overall performance.
- Handling ALUA (Asymmetric Logical Unit Access) transitioning states did not work properly due to a faulty SCSI (Small Computer System Interface) ALUA handler. With this update, optimized state transitioning prevents the aforementioned behavior.
- Prior to this update, when using Red Hat Enterprise Linux 6 with FC (Fibre Channel) drivers using the fc class, a device might have been put in the offline state due to a transport problem. Once the transport problem was resolved, the device was not usable until a user manually corrected the state. This update enables the transition from the offline state to the running state, thus fixing the problem.
- The zfcpdump tool was not able to mount ext4 file systems. Because ext4 is the default file system on Red Hat Enterprise Linux 6, ext4 file system support was added to the zfcpdump tool with this update.
- The zfcpdump tool was not able to mount ext2 file systems. With this update, ext2 file system support was added to the zfcpdump tool.
- The lock reclaim operation on a Red Hat Enterprise Linux 6 NFSv4 client did not work properly when, after a server reboot, an I/O operation which resulted in a STALE_STATEID response was performed before the RENEW call was sent to the server. This behavior was caused by the improper use of the state flags. While investigating this bug, a different bug was discovered in the state recovery operation which resulted in a reclaim thread looping in the nfs4_reclaim_open_state() function. With this update, both operations have been fixed and work as expected.
- Prior to this update, the execve utility exhibited the following flaw. When an argument and any environment data were copied from an old task's user stack to the user stack of a newly-execve'd task, the kernel would not allow the process to be interrupted or rescheduled. Therefore, when the argument or environment string data was (abnormally) large, there was no "interactivity" with the process while the execve() function was transferring the data. With this update, fatal signals (like CTRL+c) can now be received and handled, and a process is allowed to yield to higher priority processes during the data transfer.
- The memory cgroup controller has its own Out of Memory routine (OOM killer) and kills a process at an OOM event. However, a race condition could cause the pagefault_out_of_memory function to be called after the memory cgroup's OOM. This invoked the generic OOM killer and a panic_on_oom could occur. With this update, only the memory cgroup's OOM killer is invoked and used to kill a process should an OOM occur.
- In some cases, under a small system load involving some I/O operations, processes started to lock up in the D state (that is, became unresponsive). The system load could in some cases climb steadily. This was due to the way the event channel IRQ (Interrupt Request) was set up. Xen events behave like edge-triggered IRQs; however, the kernel was setting them up as level-triggered IRQs. As a result, any action using Xen event channels could lock up a process in the D state. With this update, the handling has been changed from level-triggered IRQs to edge-triggered IRQs, and processes no longer lock up in the D state.
- When a scsi command timed out and the fcoe/libfc driver aborted the command, a race could occur during the clean-up of the command which could result in a kernel panic. With this update, the locking mechanism in the clean-up and abort paths was modified, thus fixing the aforementioned issue.
- The lack of synchronization between the clearing of the QUEUE_FLAG_CLUSTER flag and the setting of the no_cluster flag in the queue_limits variable caused corruption of data. Note that this issue only occurred on hardware that did not support segment merging (that is, clustering). With this update, the synchronization between the aforementioned flags works as expected, and data corruption no longer occurs.
- The virtio-console device did not handle the hot-unplug operation properly. As a result, virtio-console could access memory outside the driver's memory area and cause a kernel panic on the guest. With this update, multiple fixes to the virtio-console device resolved this issue and the hot-unplug operation works as expected.
- Prior to this update, running the hwclock --systohc command could halt a running system. This was due to interrupt transactions being looped back from a local IOH (Input/Output Hub), through the IOH to a local CPU (erroneously), which caused a conflict with I/O port operations and other transactions. With this update, the conflicts are avoided and the system continues to run after executing the hwclock --systohc command.
- An I/O operation could fast fail when using Device-Mapper Multipathing (dm-multipath) if the I/O operation could be retried by the scsi layer. This prevented the multipath layer from starting its error recovery procedure and resulted in unnecessary log messages in the appropriate log files. This update includes a number of optimizations that resolve the aforementioned issue.
- Outgoing packets were not fragmented after receiving the icmpv6 pkt-too-big message when using the IPSecv6 tunnel mode. This was due to the lack of IPv6 fragmentation support over an IPsec tunnel. With this update, IPv6 fragmentation is fully supported and works as expected when using the IPSecv6 tunnel mode.
- Bonding, when operating in the ARP monitoring mode, made erroneous assumptions regarding the ownership of ARP frames when it received them for processing. Specifically, it was assumed that the bonding driver code was the only execution context which had access to the ARP frame's network buffer data. As a result, an operation was attempted on that buffer (specifically, to modify the size of the data buffer) which is forbidden by the kernel when a buffer is shared among several execution contexts. The result of such an operation on a shared buffer could lead to data corruption; consequently, to prevent the corruption, the kernel panicked. This shared state in the network buffer could be forced to occur, for example, when running the tcpdump utility to monitor traffic on the bonding interface: every buffer the bond interface received would be shared between the driver and the tcpdump process, thus resulting in the aforementioned kernel panic. With this update, for the particular affected path in the bonding driver, each inbound frame is checked for the shared state. In case a buffer is shared, a private copy is made for exclusive use by the bonding driver, thus preventing the kernel panic.
- For a device that used a Target Portal Group (TPG) ID which occupied the full 2 bytes in the RTPG (Report Target Port Groups) response (with either byte exceeding the maximum value that may be stored in a signed char), the kernel's calculated TPG ID would never match the group_id that it should. As a result, this signed char overflow also caused the ALUA handler to incorrectly identify the Asymmetric Access State (AAS) of the specified device as well as incorrectly interpret the supported AAS of the target. With this update, the aforementioned issue has been addressed and no longer occurs.
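The signed char promotion described above, as an added example that is not Red Hat's or the kernel's code: a constructed 8-byte RTPG descriptor (the TPG ID sitting at bytes 2 and 3 is assumed from the SPC layout) is decoded once through a signed char pointer and once through an unsigned one, and the defective decode only diverges once a byte exceeds 0x7F.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed RTPG target port group descriptor layout (SPC): bytes 2..3
 * carry the 16-bit TARGET PORT GROUP identifier. */
#define TPG_ID_OFFSET 2

/* Constructed descriptors: TPG ID 0xABCD has both bytes above 0x7F,
 * TPG ID 0x0123 keeps both bytes within the positive signed char range. */
static const uint8_t DESC_HIGH[8] = { 0x01, 0x0f, 0xAB, 0xCD, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t DESC_LOW[8]  = { 0x01, 0x0f, 0x01, 0x23, 0x00, 0x00, 0x00, 0x01 };

/* Defective decode: the buffer is walked through a signed char pointer,
 * so a byte >= 0x80 is promoted to a negative int before the two bytes
 * are combined, and the sign bits swamp the high byte. The multiply
 * stands in for a left shift because shifting a negative int is
 * undefined in C; the resulting value is the same. */
int tpg_id_signed_char(const void *buf)
{
    const signed char *d = buf;
    int hi = d[TPG_ID_OFFSET];
    int lo = d[TPG_ID_OFFSET + 1];
    return (hi * 256) | lo;
}

/* Corrected decode: read the bytes as unsigned, then combine. */
int tpg_id_unsigned_char(const void *buf)
{
    const uint8_t *d = buf;
    return ((int)d[TPG_ID_OFFSET] << 8) | d[TPG_ID_OFFSET + 1];
}

/* Handler-side comparison against the group_id the device should have;
 * 'fixed' selects the corrected decode. */
int descriptor_matches_group(const void *buf, int group_id, int fixed)
{
    int id = fixed ? tpg_id_unsigned_char(buf) : tpg_id_signed_char(buf);
    return id == group_id;
}

int main(void)
{
    printf("TPG 0xABCD: signed decode %d, unsigned decode 0x%04X\n",
           tpg_id_signed_char(DESC_HIGH), tpg_id_unsigned_char(DESC_HIGH));
    printf("TPG 0x0123: signed decode 0x%04X, unsigned decode 0x%04X\n",
           tpg_id_signed_char(DESC_LOW), tpg_id_unsigned_char(DESC_LOW));
    return 0;
}
```

With both bytes above 0x7F the signed decode yields -51 (0xFFFFFFCD), so the handler can never match group_id 0xABCD; with 0x0123 both decodes agree, which is why the defect only surfaced on devices using the full 2-byte range.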
- The ixgbe driver has been updated to address various FCoE (Fibre Channel over Ethernet) issues related to Direct Data Placement (FCoE DDP).
- The qla2xxx driver for QLogic Fibre Channel Host Bus Adapters (HBAs) has been updated to upstream version 8.03.05.01.06.1-k0, which provides a number of bug fixes and enhancements over the previous version.