Security Fixes

CVE-2011-4086, Moderate

A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service.

CVE-2012-1601, Moderate

A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host.

Bug Fixes

BZ#810454

Previously, the eth_type_trans() function was called with the VLAN device type set. If a VLAN device contained a MAC address different from the original device, an incorrect packet type was assigned to the host. Consequently, if the VLAN devices were set up on a bonding interface in Adaptive Load Balancing (ALB) mode, the TCP connection could not be established. With this update, the eth_type_trans() function is called with the original device, ensuring that the connection is established as expected.

BZ#801329

When short audio periods were configured, the ALSA PCM midlevel code, shared by all sound cards, could cause audio glitches and other problems. This update adds a time check for double acknowledged interrupts and improves stability of the snd-aloop kernel module, thus fixing this bug.

BZ#802852

Previously, the idmapper utility pre-allocated space for all user and group names on an NFS client in advance. Consequently, page allocation failure could occur, preventing a proper mount of a directory. With this update, the allocation of the names is done dynamically when needed, the size of the allocation table is now greatly reduced, and the allocation failures no longer occur.

BZ#803881

In a Boot-from-San (BFS) installation via certain iSCSI adapters, driver exported sendtarget entries in the sysfs file system but the iscsistart failed to perform discovery. Consequently, a kernel panic occurred during the first boot sequence. With this update, the driver performs the discovery instead, thus preventing this bug.

BZ#810322

The SCSI layer was not using a large enough buffer to properly read the entire BLOCK LIMITS VPD page that is advertised by a storage array. Consequently, the WRITE SAME MAX LEN parameter was read incorrectly and this could result in the block layer issuing discard requests that were too large for the storage array to handle. This update increases the size of the buffer that the BLOCK LIMITS VPD page is read into and the discard requests are now issued with proper size, thus fixing this bug.

BZ#805457

A bug in the try_to_wake_up() function could cause status change from TASK_DEAD to TASK_RUNNING in a race condition with an SMI (system management interrupt) or a guest environment of a virtual machine. As a consequence, the exited task was scheduled again and a kernel panic occurred. This update fixes the race condition in the do_exit() function and the panic no longer occurs in the described scenario.

BZ#806205

When expired user credentials were used in the RENEW() calls, the calls failed. Consequently, all access to the NFS share on the client became unresponsive. With this update, the machine credentials are used with these calls instead, thus preventing this bug most of the time. If no machine credentials are available, user credentials are used as before.

BZ#806859

When the python-perf subpackage was installed, the debug information for the bindings were added to the debuginfo-common subpackage, making it unable to install the debuginfo-common package of a different version. With this update, a separate subpackage is used to store debug information for python-perf, thus fixing this bug.

BZ#809388

Due to the netdevice handler for FCoE (Fibre Channel over Ethernet) and the exit path blocking the keventd work queue, the destroy operation on an NPIV (N_Port ID Virtualization) FCoE port led to a deadlock interdependency and caused the system to become unresponsive. With this update, the destroy_work item has been moved to its own work queue and is now executed in the context of the user space process requesting the destroy, thus preventing this bug.

BZ#809372

The fcoe_transport_destroy path uses a work queue to destroy the specified FCoE interface. Previously, the destroy_work work queue item blocked another single-threaded work queue. Consequently, a deadlock between queues occurred and the system became unresponsive. With this update, fcoe_transport_destroy has been modified and is now a synchronous operation, allowing to break the deadlock dependency. As a result, destroy operations are now able to complete properly, thus fixing this bug.

BZ#809378

During tests with active I/O on 256 LUNs (logical unit numbers) over FCoE, a large number SCSI mid layer error messages were returned. As a consequence, the system became unresponsive. This bug has been fixed by limiting the source of the error messages and the hangs no longer occur in the described scenario.

BZ#807158

When running AF_IUCV socket programs with IUCV transport, an IUCV SEVER call was missing in the callback of a receiving IUCV SEVER interrupt. Under certain circumstances, this could prevent z/VM from removing the corresponding IUCV-path completely. This update adds the IUCV SEVER call to the callback, thus fixing this bug. In addition, internal socket states have been merged, thus simplifying the AF_IUCV code.

BZ#809374

Previously, the AMD IOMMU (input/output memory management unit) driver could use the MSI address range for DMA (direct memory access) addresses. As a consequence, DMA could fail and spurious interrupts would occur if this address range was used. With this update, the MSI address range is reserved to prevent the driver from allocating wrong addresses and DMA is now assured to work as expected in the described scenario.

BZ#811299

Due to incorrect use of the list_for_each_entry_safe() function, the list_for_each_next_safe list macro failed to enumerate remote procedure calls (RPCs) of priority wait queue tasks stored in the tk_wait.links list. As a consequence, the rpc_wake_up() and rpc_wake_up_status() functions failed to wake up all tasks. This caused the system to become unresponsive and could significantly decrease system performance. Now, the list_for_each_entry_safe() function is no longer used in rpc_wake_up(), ensuring reasonable system performance.

BZ#809376

The AMD IOMMU driver used wrong shift direction in the alloc_new_range() function. Consequently, the system could terminate unexpectedly or become unresponsive. This update fixes the code and crashes and hangs no longer occur in the described scenario.

BZ#809104

Previously, a bonding device had always the UFO (UDP Fragmentation Offload) feature enabled even when no slave interfaces supported UFO. Consequently, the tracepath command could not return correct path MTU. With this update, UFO is no longer configured for bonding interfaces by default if the underlying hardware does not support it, thus fixing this bug.

BZ#807426

Previously, when the PCI driver switched from MSI/MSI-X (Message Signaled Interrupts) to the INTx emulation while shutting down a device, an unwanted interrupt was generated. Consequently, interrupt handler of IPMI was called repeatedly, causing the system to become unresponsive. This update adds a parameter to avoid using MSI/MSI-X for PCIe native hot plug operations and the hangs no longer occur in the described scenario.

BZ#811135

On NFS, when repeatedly reading a directory, content of which kept changing, the client issued the same readdir request twice. Consequently, the following warning messages were returned to the dmesg output:

NFS: directory A/B/C contains a readdir loop.

This update fixes the bug by turning off the loop detection and letting the NFS client try to recover in the described scenario and the messages are no longer returned.

BZ#806906

The Intelligent Platform Management Interface (IPMI) specification requires a minimum communication timeout of five seconds. Previously, the kernel incorrectly used a timeout of one second. This could result in failures to communicate with Baseboard Management Controllers (BMC) under certain circumstances. With this update, the timeout has been increased to five seconds to prevent such problems.

BZ#804548

Prior to this update, bugs in the close() and send() functions caused delays and operation of these two functions took too long to complete. This update adds the IUCV_CLOSED state change and improves locking for close(). Also, the net_device handling has been improved in send(). As a result, the delays no longer occur.

BZ#804547

When AF_IUCV sockets were using the HiperSockets transport, maximum message size for such transports depended on the MTU (maximum transmission unit) size of the HiperSockets device bound to a AF_IUCV socket. However, a socket program could not determine maximum size of a message. This update adds the MSGSIZE option for the getsockopt() function. Through this option, the maximum message size can be read and properly handled by AF_IUCV.

BZ#809391

Previously, on a system where intermediate P-states were disabled, the powernow-k8 driver could cause a kernel panic in the cpufreq subsystem. Additionally, not all available P-states were recognized by the driver. This update modifies the drive code so that it now properly recognizes all P-states and does not cause the panics in the described scenario.

Security Fixes

CVE-2012-0879, Moderate

Numerous reference count leaks were found in the Linux kernel's block layer I/O context handling implementation. This could allow a local, unprivileged user to cause a denial of service.

CVE-2012-1090, Moderate

A flaw was found in the Linux kernel's cifs_lookup() implementation. POSIX open during lookup should only be supported for regular files. When non-regular files (for example, a named (FIFO) pipe or other special files) are opened on lookup, it could cause a denial of service.

CVE-2012-1097, Moderate

It was found that the Linux kernel's register set (regset) common infrastructure implementation did not check if the required get and set handlers were initialized. A local, unprivileged user could use this flaw to cause a denial of service by performing a register set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request.

Bug Fixes

BZ#805458

Previously, if more than a certain number of qdiscs (Classless Queuing Disciplines) using the autohandle mechanism were allocated a soft lock-up error occurred. This update fixes the maximum loop count and adds the cond_resched() call in the loop, thus fixing this bug.

BZ#804961

Concurrent look-up operations of the same inode that was not in the per-AG (Allocation Group) inode cache caused a race condition, triggering warning messages to be returned in the unlock_new_inode() function. Although this bug could only be exposed by NFS or the xfsdump utility, it could lead to inode corruption, inode list corruption, or other related problems. With this update, the XFS_INEW flag is set before inserting the inode into the radix tree. Now, any concurrent look-up operation finds the new inode with XFS_INEW set and the operation is then forced to wait until XFS_INEW is removed, thus fixing this bug.

BZ#802430

Previously, when isolating pages for migration, the migration started at the start of a zone while the free scanner started at the end of the zone. Migration avoids entering a new zone by never going beyond what the free scanner scanned. In very rare cases, nodes overlapped and the migration isolated pages without the LRU lock held, which triggered errors in reclaim or during page freeing. With this update, the isolate_migratepages() function makes a check to ensure that it never isolates pages from a zone it does not hold the LRU lock for, thus fixing this bug.

BZ#802379

An anomaly in the memory map created by the mbind() function caused a segmentation fault in Hotspot Java Virtual Machines with the NUMA-aware Parallel Scavenge garbage collector. A backported upstream patch that fixes mbind() has been provided and the crashes no longer occur in the described scenario.

BZ#786873

Previously, the SFQ qdisc packet scheduler class had no bind_tcf() method. Consequently, if a filter was added with the classid parameter to SFQ, a kernel panic occurred due to a null pointer dereference. With this update, the dummy .unbind_tcf and .put qdisc class options have been added to conform with the behaviour of other schedulers, thus fixing this bug.

BZ#787764

The kernel code checks for conflicts when an application requests a specific port. If there is no conflict, the request is granted. However, the port auto-selection done by the kernel failed when all ports were bound, even if there was an available port with no conflicts. With this update, the port auto-selection code has been fixed to properly use ports with no conflicts.

BZ#789060

Due to a race condition between the notify_on_release() function and task movement between cpuset or memory cgroup directories, a system deadlock could occur. With this update, the cgroup_wq cgroup has been created and both async_rebuild_domains() and check_for_release() functions used for task movements use it, thus fixing this bug.

BZ#789061

Previously, the utime and stime values in the /proc/<pid>/stat file of a multi-threaded process could wrongly decrease when one of its threads exited. A backported patch has been provided to maintain monotonicity of utime and stime in the described scenario, thus fixing this bug.

BZ#801723

The vmxnet3 driver in Red Hat Enterprise Linux 6.2 introduced a regression. Due to an optimization, in which at least 54 bytes of a frame were copied to a contiguous buffer, shorter frames were dropped as the frame did not have 54 bytes available to copy. With this update, transfer size for a buffer is limited to 54 bytes or the frame size, whichever is smaller, and short frames are no longer dropped in the described scenario.

BZ#789373

In the Common Internet File System (CIFS), the oplock break jobs and async callback handlers both use the SLOW-WORK workqueue, which has a finite pool of threads. Previously, these oplock break jobs could end up taking all the running queues waiting for a page lock which blocks the callback required to free this page lock from being completed. This update separates the oplock break jobs into a separate workqueue VERY-SLOW-WORK, allowing the callbacks to be completed successfully and preventing the deadlock.

BZ#789911

Previously, the doorbell register was being unconditionally swapped. If the Blue Frame option was enabled, the register was incorrectly written to the descriptor in the little endian format. Consequently, certain adapters could not communicate over a configured IP address. With this update, the doorbell register is not swapped unconditionally, rather, it is always converted to big endian before it is written to the descriptor, thus fixing this bug.

BZ#790007

Previously, due to a bug in a graphics driver in systems running a future Intel processor with graphics acceleration, attempts to suspend the system to the S3/S4 state failed. This update resolves this issue and transitions to the suspend mode now work correctly in the described scenario.

BZ#790338

Prior to this update, the wrong size was being calculated for the vfinfo structure. Consequently, networking drivers that created a large number of virtual functions caused warning messages to appear when loading and unloading modules. Backported patches from upstream have been provided to resolve this issue, thus fixing this bug.

BZ#790341

Previously, when a MegaRAID 9265/9285 or 9360/9380 controller got a timeout in the megaraid_sas driver, the invalid SCp.ptr pointer could be called from the megasas_reset_timer() function. As a consequence, a kernel panic could occur. An upstream patch has been provided to address this issue and the pointer is now always set correctly.

BZ#790905

Previously, when pages were being migrated via NFS with an active requests on them, if a particular inode ended up deleted, then the VFS called the truncate_inode_pages() function. That function tried to take the page lock, but it was already locked when migrate_page() was called. As a consequence, a deadlock occurred in the code. This bug has been fixed and the migration request is now refused if the PagePrivate parameter is already set, indicating that the page is already associated with an active read or write request.

BZ#795326

Due to invalid calculations of the vruntime variable along with task movement between cgroups, moving tasks between cgroups could cause very long scheduling delays. This update fixes this problem by setting the cfs_rq and curr parameters after holding the rq->lock lock.

BZ#795335

Due to a race condition, running the ifenslave -d bond0 eth0 command to remove the slave interface from the bonding device could cause the system to terminate if a networking packet was being received at the same time. With this update, the race condition has been fixed and the system no longer crashes in the described scenario.

BZ#795338

Previously, an unnecessary assertion could trigger depending on the value of the xpt_pool field. As a consequence, a node could terminate unexpectedly. The xpt_pool field was in fact unnecessary and this update removes it from the sunrpc code, thus preventing this bug.

BZ#797241

Due to a race condition, the mac80211 framework could deauthenticate with an access point (AP) while still scheduling authentication retries with the same AP. If such an authentication attempt timed out, a warning message was returned to kernel log files. With this update, when deauthenticating, pending authentication retry attempts are checked and cancelled if found, thus fixing this bug.

BZ#801718

Prior to this update, the find_busiest_group() function used sched_group->cpu_power in the denominator of a fraction with a value of 0. Consequently, a kernel panic occurred. This update prevents the divide by zero in the kernel and the panic no longer occurs.

BZ#798572

When the nohz=off kernel parameter was set, kernel could not enter any CPU C-state. With this update, the underlying code has been fixed and transitions to CPU idle states now work as expected.

BZ#797182

Under heavy memory and file system load, the mapping->nrpages == 0 assertion could occur in the end_writeback() function. As a consequence, a kernel panic could occur. This update provides a reliable check for mapping->nrpages that prevent the described assertion, thus fixing this bug.

BZ#797205

Due to a bug in the hid_reset() function, a deadlock could occur when a Dell iDRAC controller was reset. Consequently, its USB keyboard or mouse device became unresponsive. A patch that fixes the underlying code has been provided to address this bug and the hangs no longer occur in the described scenario.

BZ#796828

On a system that created and deleted lots of dynamic devices, the 31-bit Linux ifindex object failed to fit in the 16-bit macvtap minor range, resulting in unusable macvtap devices. The problem primarily occurred in a libvirt-controlled environment when many virtual machines were started or restarted, and caused libvirt to report the following message:

Error starting domain: cannot open macvtap tap device /dev/tap222364: No such device or address

With this update, the macvtap's minor device number allocation has been modified so that virtual machines can now be started and restarted as expected in the described scenario.

BZ#799943

The dm_mirror module can send discard requests. However, the dm_io interface did not support discard requests and running an LVM mirror over a discard-enabled device led to a kernel panic. This update adds support for the discard requests to the dm_io interface and kernel panics no longer occur in the described scenario.

BZ#749248

When a process isolation mechanism such as LXC (Linux Containers) was used and the user space was running without the CAP_SYS_ADMIN identifier set, a jailed root user could bypass the dmesg_restrict protection, creating an inconsistency. Now, writing to dmesg_restrict is only allowed when the root has CAP_SYS_ADMIN set, thus preventing this bug.

Enhancements

BZ#789371

With this update, the igb driver has been updated to the latest upstream version 3.2.10-k to provide up-to-date hardware support, features and bug fixes.

BZ#800552

This update provides support for the O_DIRECT flag for files in FUSE (Filesystem in Userspace). This flag minimizes cache effects of the I/O to and from a file. In general, using this flag degrades performance, but it is useful in special situations, such as when applications do their own caching.

BZ#770651

This update adds support for mount options to restrict access to /proc/<PID>/ directories. One of the options is called hidepid= and its value defines how much information about processes is provided to non-owners. The gid= option defines a group that gathers information about all processes. Untrusted users, which are not supposed to monitor tasks in the whole system, should not be added to the group.

Security Fixes

CVE-2011-4077, Moderate

A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.

CVE-2011-4081, Moderate

Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.

CVE-2011-4132, Moderate

A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.

CVE-2011-4347, Moderate

It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing.

CVE-2011-4594, Moderate

Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory. A local, unprivileged user could use these flaws to cause a denial of service.

CVE-2011-4611, Moderate

The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service.

CVE-2011-4622, Moderate

A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host could force this situation to occur, resulting in the host crashing.

CVE-2012-0038, Moderate

A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.

CVE-2012-0045, Moderate

A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest.

CVE-2012-0207, Moderate

A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service.

Bug Fixes

BZ#789058

Windows clients never send write requests larger than 64 KB but the default size for write requests in Common Internet File System (CIFS) was set to a much larger value. Consequently, write requests larger than 64 KB caused various problems on certain third-party servers. This update lowers the default size for write requests to prevent this bug. The user can override this value to a larger one to get better performance.

BZ#788003

In certain circumstances, the qla2xxx driver was unable to discover fibre channel (FC) tape devices because the ADISC ELS request failed. This update adds the new module parameter, ql2xasynclogin, to address this issue. When this parameter is set to "0", FC tape devices are discovered properly.

BZ#787580

Socket callbacks use the svc_xprt_enqueue() function to add sockets to the pool->sp_sockets list. In normal operation, a server thread will later take the socket off that list. Previously, on the nfsd daemon shutdown, still-running svc_xprt_enqueue() could re-add an socket to the sp_sockets list just before it was deleted. Consequently, system could terminate unexpectedly by memory corruption in the sunrpc module. With this update, the XPT_BUSY flag is put on every socket and svc_xprt_enqueue() now checks this flag, thus preventing this bug.

BZ#787162

When trying to send a kdump file to a remote system via the tg3 driver, the tg3 NIC (network interface controller) could not establish the connection and the file could not be sent. The kdump kernel leaves the MSI-X interrupts enabled as set by the crashed kernel, however, the kdump kernel only enables one CPU and this could cause the interrupt delivery to the tg3 driver to fail. With this update, tg3 enables only a single MSI-X interrupt in the kdump kernel to match the overall environment, thus preventing this bug.

BZ#786022

Previously, the cfq_cic_link() function had a race condition. When some processes, which shared ioc issue I/O to the same block device simultaneously, cfq_cic_link() sometimes returned the -EEXIST error code. Consequently, one of the processes started to wait indefinitely. A patch has been provided to address this issue and the cfq_cic_lookup() call is now retried in the described scenario, thus fixing this bug.

BZ#783226

When transmitting a fragmented socket buffer (SKB), the qlge driver fills a descriptor with fragment addresses, after DMA-mapping them. On systems with pages larger than 8 KB and less than eight fragments per SKB, a macro defined the size of the OAL (Outbound Address List) list as 0. For SKBs with more than eight fragments, this would start overwriting the list of addresses already mapped and would make the driver fail to properly unmap the right addresses on architectures with pages larger than 8 KB. With this update, the size of external list for TX address descriptors have been fixed and qlge no longer fails in the described scenario.

BZ#781971

The time-out period in the qla2x00_fw_ready() function was hard-coded to 20 seconds. This period was too short for new QLogic host bus adapters (HBAs) for Fibre Channel over Ethernet (FCoE). Consequently, some logical unit numbers (LUNs) were missing after a reboot. With this update, the time-out period has been set to 60 seconds so that the modprobe utility is able to recheck the driver module, thus fixing this bug.

BZ#772687

Previously, the remove_from_page_cache() function was not exported. Consequently, the module for the Lustre file system did not work correctly. With this update, remove_from_page_cache() is properly exported, thus fixing this bug.

BZ#761536

Due to a regression, the updated vmxnet3 driver used the ndo_set_features() method instead of various methods of the ethtool utility. Consequently, it was not possible to make changes to vmxnet3-based network adapters in Red Hat Enterprise Linux 6.2. This update restores the ability of the driver to properly set features, such as csum or TSO (TCP Segmentation Offload), via ethtool.

BZ#771981

Due to regression, an attempt to open a directory that did not have a cached dentry failed and the EISDIR error code was returned. The same operation succeeded if a cached dentry existed. This update modifies the the nfs_atomic_lookup() function to allow fallbacks to normal look-up in the described scenario.

BZ#768916

On a system with an idle network interface card (NIC) controlled by the e1000e driver, when the card transmitted up to four descriptors, which delayed the write-back and nothing else, the run of the watchdog driver about two seconds later forced a check for a transmit hang in the hardware, which found the old entry in the TX ring. Consequently, a false "Detected Hardware Unit Hang" message was issued to the log. With this update, when the hang is detected, the descriptor is flushed and the hang check is run again, which fixes this bug.

BZ#769208

The CFQ (Completely Fair Queuing) scheduler does idling on sequential processes. With changes to the IOeventFD feature, traffic pattern at CFQ changed and CFQ considered everything a thread was doing sequential I/O operations. Consequently, CFQ did not allow preemption across threads in Qemu. This update increases the preemption threshold and the idling is now limited in the described scenario without the loss of throughput.

BZ#771870

A bug in the splice code has caused the file position on the write side of the sendfile() system call to be incorrectly set to the read side file position. This could result in the data being written to an incorrect offset. Now, sendfile() has been modified to correctly use the current file position for the write side file descriptor, thus fixing this bug.

Note

Note that in the following common sendfile() scenarios, this bug does not occur: when both read and write file positions are identical and when the file position is not important, for example, if the write side is a socket.

BZ#772884

On large SMP systems, the TSC (Time Stamp Counter) clock frequency could be incorrectly calculated. The discrepancy between the correct value and the incorrect value was within 0.5%. When the system rebooted, this small error would result in the system becoming out of synchronization with an external reference clock (typically a NTP server). With this update, the TSC frequency calculation has been improved and the clock correctly maintains synchronization with external reference clocks.

Security Fixes

CVE-2011-1020, Moderate

The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues.

CVE-2011-3347, Moderate

Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.

CVE-2011-3638, Moderate

A flaw was found in the Linux kernel in the way splitting two extents in ext4_ext_convert_to_initialized() worked. A local, unprivileged user with access to mount and unmount ext4 file systems could use this flaw to cause a denial of service.

CVE-2011-4110, Moderate

A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service.

Bug Fixes

BZ#713682

When a host was in recovery mode and a SCSI scan operation was initiated, the scan operation failed and provided no error output. This bug has been fixed and the SCSI layer now waits for recovery of the host to complete scan operations for devices.

BZ#712139

In a GFS2 file system, when the responsibility for deallocation was passed from one node to another, the receiving node may not have had a fully up-to-date inode state. If the sending node has changed the important parts of the state in the mean time (block allocation/deallocation) then this resulted in triggering an assert during the deallocation on the receiving node. With this update, the inode state is refreshed correctly during deallocation on the receiving node, ensuring that deallocation proceeds normally.

BZ#712131

Issues for which a host had older hypervisor code running on newer hardware, which exposed the new CPU features to the guests, were discovered. This was dangerous because newer guest kernels (such as Red Hat Enterprise Linux 6) may have attempted to use those features or assume certain machine behaviors that it would not be able to process because it was, in fact, a Xen guest. One such place was the intel_idle driver which attempts to use the MWAIT and MONITOR instructions. These instructions are invalid operations for a Xen PV guest. This update provides a patch, which masks the MWAIT instruction to avoid this issue.

BZ#712102

The 128-bit multiply operation in the pvclock.h function was missing an output constraint for EDX which caused a register corruption to appear. As a result, Red Hat Enterprise Linux 3.8 and Red Hat Enterprise Linux 3.9 KVM guests with a Red Hat Enterprise Linux 6.1 KVM host kernel exhibited time inconsistencies. With this update, the underlying source code has been modified to address this issue, and time runs as expected on the aforementioned systems.

BZ#712000

Prior to this update, the following message appeared in kernel log files:

[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected for Max BW - using 100 instead

The above message appeared on bnx2x interfaces in the multi-function mode which were not used and had no link, thus, not indicating any actual problems with connectivity. With this update, the message has been removed and no longer appears in kernel log files.

BZ#713730

Previously, some enclosure devices with a broken firmware reported incorrect values. As a consequence, kernel sometimes terminated unexpectedly. A patch has been provided to address this issue, and the kernel crashes no longer occur even if an enclosure device reports incorrect or duplicate data.

BZ#709856

Xen guests cannot make use of all CPU features, and in some cases they are even risky to be advertised. One such feature is CONSTANT_TSC. This feature prevents the TSC (Time Stamp Counter) from being marked as unstable, which allows the sched_clock_stable option to be enabled. Having the sched_clock_stable option enabled is problematic for Xen PV guests because the sched_clock() function has been overridden with the xen_sched_clock() function, which is not synchronized between virtual CPUs. This update provides a patch, which sets all x86_power features to 0 as a preventive measure against other potentially dangerous assumptions the kernel could make based on the features, fixing this issue.

BZ#623712

RHEL6.2 backported the scalability improvement on creating many 'cpu' control groups (cgroups) on a system with a large number of CPUs. The creation process for large number of cgroups will no longer hog the machine when the control groups feature is enabled.

In addition to the scalability improvement, a /proc tunable parameter, dd sysctl_sched_shares_window, has been added, and the default is set to 10 ms.

BZ#719304

Older versions of be2net cards firmware may not recognize certain commands and return illegal/unsupported errors, causing confusing error messages to appear in the logs. With this update, the driver handles these errors gracefully and does not log them.

BZ#722461

On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a memory shortage the first time, all pages on the active or inactive lists are considered referenced. This causes the memory management on IBM System z to do a full check over all page cache pages and start writeback for all of them. As a consequence, the system became temporarily unresponsive when the described situation occurred. With this update, only pages with active mappers are checked and the page scan now does not cause the hangs.

BZ#722596

This update fixes the inability of the be2net driver to work in a kdump environment. It clears an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel after a crash.

BZ#705441

A previously introduced update intended to prevent IOMMU (I/O Memory Management Unit) domain exhaustion introduced two regressions. The first regression was a race where a domain pointer could be freed while a lazy flush algorithm still had a reference to it, eventually causing kernel panic. The second regression was an erroneous reference removal for identity mapped and VM IOMMU domains, causing I/O errors. Both of these regressions could only be triggered on Intel based platforms, supporting VT-d, booted with the intel_iommu=on boot option. With this update, the underlying source code of the intel-iommu driver has been modified to resolve both of these problems. A forced flush is now used to avoid the lazy use after free issue, and extra checks have been added to avoid the erroneous reference removal.

BZ#635596

This update fixes two bugs related to Rx checksum offloading. These bugs caused a data corruption transferred over r8169 NIC when Rx checksum offloading was enabled.

BZ#704401

Prior to this update, kdump failed to create a vmcore file after triggering a crash on POWER7 systems with Dynamic DMA Windows enabled. This update provides a number of fixes that address this issue.

BZ#703935

Previously, auditing system calls used a simple check to determine whether a return value was positive or negative, which also determined the success of the system call. With an exception of few, this worked on most platforms and with most system calls. For example, the 32 bit mmap system call on the AMD64 architecture could return a pointer which appeared to be of value negative even though pointers are normally of unsigned values. This resulted in the success field being incorrect. This patch fixes the success field for all system calls on all architectures.

BZ#703245

When VLANs stacked on top of multiqueue devices passed through these devices, the queue_mapping value was not properly decremented because the VLAN devices called the physical devices via the ndo_select_queue method. This update removes the multiqueue functionality, resolving this issue.

BZ#703055

Prior to this update, Red Hat Enterprise Linux Xen (up to version 5.6) did not hide 1 GB pages and RDTSCP (enumeration features of CPUID), causing guest soft lock ups on AMD hosts when the guest's memory was greater than 8 GB. With this update, a Red Hat Enterprise Linux 6 HVM (Hardware Virtual Machine) guest is able to run on Red Hat Enterprise Linux Xen 5.6 and lower.

BZ#702742

Prior to this update, code was missing from the netif_set_real_num_tx_queues() function which prevented an increment of the real number of TX queues (the real_num_tx_queues value). This update adds the missing code; thus, resolving this issue.

BZ#725711

Previously, the inet6_sk_generic() function was using the obj_size variable to compute the address of its inner structure, causing memory corruption. With this update, the sk_alloc_size() is called every time there is a request for allocation, and memory corruption no longer occurs.

BZ#702057

Multiple GFS2 nodes attempted to unlink, rename, or manipulate files at the same time, causing various forms of file system corruption, panics, and withdraws. This update adds multiple checks for dinode's i_nlink value to assure inode operations such as link, unlink, or rename no longer cause the aforementioned problems.

BZ#701951

A kernel panic in the mpt2sas driver could occur on an IBM system using a drive with SMART (Self-Monitoring, Analysis and Reporting Technology) issues. This was because the driver was sending an SEP request while the kernel was in the interrupt context, causing the driver to enter the sleep state. With this update, a fake event is not executed from the interrupt context, assuring the SEP request is properly issued.

BZ#700538

When using certain SELinux policies, such as the MLS policy, it was not possible to properly mount the cgroupfs file system due to the way security checks were applied to the new cgroupfs inodes during the mount operation. With this update, the security checks applied during the mount operation have been changed so that they always succeed, and the cgroupfs file system can now be successfully mounted and used with the MLS SELinux policy. This issue did not affect systems which used the default targeted policy.

BZ#729220

When a SCTP (Stream Control Transmission Protocol) packet contained two COOKIE_ECHO chunks and nothing else, the SCTP state machine disabled output processing for the socket while processing the first COOKIE_ECHO chunk, then lost the association and forgot to re-enable output processing for the socket. As a consequence, any data which needed to be sent to a peer were blocked and the socket appeared to be unresponsive. With this update, a new SCTP command has been added to the kernel code, which sets the association explicitly; the command is used when processing the second COOKIE_ECHO chunk to restore the context for SCTP state machine, thus fixing this bug.

BZ#698268

The hpsa driver has been updated to provide a fix for hpsa driver kdump failures.

BZ#696777

Prior to this update, interrupts were enabled before the dispatch log for the boot CPU was set up, causing kernel panic if a timer interrupt occurred before the log was set up. This update adds a check to the scan_dispatch_log function to ensure the dispatch log has been allocated.

BZ#696754

Prior to this update, the interrupt service routine was performing unnecessary MMIO operation during performance testing on IBM POWER7 machines. With this update, the logic of the routine has been modified so that there are fewer MMIO operations in the performance path of the code. Additionally, as a result of the aforementioned change, an existing condition was exposed where the IPR driver (the controller device driver) could return an unexpected HRRQ (Host Receive Request) interrupt. The original code flagged the interrupt as unexpected and then reset the adapter. After further analysis, it was confirmed that this condition could occasionally occur and the interrupt can be safely ignored. Additional code provided by this update detects this condition, clears the interrupt, and allows the driver to continue without resetting the adapter.

BZ#732706

The ACPI (Advanced Control and Power Interface) core places all events to the kacpi_notify queue including PCI hotplug events. When the acpiphp driver was loaded and a PCI card with a PCI-to-PCI bridge was removed from the system, the code path attempted to empty the kacpi_notify queue which causes a deadlock, and the kacpi_notify thread became unresponsive. With this update, the call sequence has been fixed, and the bridge is now cleaned-up properly in the described scenario.

BZ#669363

Prior to this update, the /proc/diskstats file showed erroneous values. This occurred when the kernel merged two I/O operations for adjacent sectors which were located on different disk partitions. Two merge requests were submitted for the adjacent sectors, the first request for the second partition and the second request for the first partition, which was then merged to the first request. The first submission of the merge request incremented the in_flight value for the second partition. However, at the completion of the merge request, the in_flight value of a different partition (the first one) was decremented. This resulted in the erroneous values displayed in the /proc/diskstats file. With this update, the merging of two I/O operations which are located on different disk partitions has been fixed and works as expected.

BZ#670765

Due to an uninitialized variable (specifically, the isr_ack variable), a virtual guest could become unresponsive when migrated while being rebooted. With this update, the said variable is properly initialized, and virtual guests no longer hang in the aforementioned scenario.

BZ#695231

Prior to this update, the be2net driver was using the BE3 chipset in legacy mode. This update enables this chipset to work in a native mode, making it possible to use all 4 ports on a 4-port integrated NIC.

BZ#694747

A Windows Server 2008 32-bit guest installation failed on a Red Hat Enterprise Linux 6.1 Snap2 KVM host when allocating more than one virtual CPU (vcpus > 1) during the installation. As soon the installation started after booting from ISO, a blue screen with the following error occurred:

A problem has been detected and windows has been shut down to prevent damage to your computer.

This was because a valid microcode update signature was not reported to the guest. This update fixes this issue by reporting a non-zero microcode update signature to the guest.

BZ#679526

Disk read operations on a memory constrained system could cause allocations to stall. As a result, the system performance would drop considerably. With this update, latencies seen in page reclaim operations have been reduced and their efficiency improved; thus, fixing this issue.

BZ#736667

A workaround to the megaraid_sas driver was provided to address an issue but as a side effect of the workaround, megaraid_sas stopped to report certain enclosures, CD-ROM drives, and other devices. The underlying problem for the issue has been fixed as reported in BZ#741166. With this update, the original workaround has been reverted, and megaraid_sas now reports many different devices as before.

BZ#694210

This update fixes a regression in which a client would use an UNCHECKED NFS CREATE call when an open system call was attempted with the O_EXCL|O_CREAT flag combination. An EXCLUSIVE NFS CREATE call should have been used instead to ensure that O_EXCL semantics were preserved. As a result, an application could be led to believe that it had created the file when it was in fact created by another application.

BZ#692167

A race between the FSFREEZE ioctl() command to freeze an ext4 file system and mmap I/O operations would result in a deadlock if these two operations ran simultaneously. This update provides a number of patches to address this issue, and a deadlock no longer occurs in the previously-described scenario.

BZ#712653

When a CPU is about to modify data protected by the RCU (Read Copy Update) mechanism, it has to wait for other CPUs in the system to pass a quiescent state. Previously, the guest mode was not considered a quiescent state. As a consequence, if a CPU was in the guest mode for a long time, another CPU had to wait a long time in order to modify RCU-protected data. With this update, the rcu_virt_note_context_switch() function, which marks the guest mode as a quiescent state, has been added to the kernel, thus resolving this issue.

BZ#683658

The patch that fixed BZ#556572 introduced a bug where the page lock was being released too soon, allowing the do_wp_page function to reuse the wrprotected page before PageKsm would be set in page->mapping. With this update, a new version of the original fix was introduced, thus fixing this issue.

BZ#738110

Due to the partial support of IPv6 multicast snooping, IPv6 multicast packets may have been dropped. This update fixes IPv6 multicast snooping so that packets are no longer dropped.

BZ#691310

While executing a multi-threaded process by multiple CPUs, page-directory-pointer-table entry (PDPTE) registers were not fully flushed from the CPU cache when a Page Global Directory (PGD) entry was changed in x86 Physical Address Extension (PAE) mode. As a consequence, the process failed to respond for a long time before it successfully finished. With this update, the kernel has been modified to flush the Translation Lookaside Buffer (TLB) for each CPU using a page table that has changed. Multi-threaded processes now finish without hanging.

BZ#738379

When a kernel NFS server was being stopped, kernel sometimes terminated unexpectedly. A bug has been fixed in the wait_for_completion_interruptible_timeout() function and the crashes no longer occur in the described scenario.

BZ#690745

Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.

BZ#740465

A scenario for this bug involves two hosts, configured to use IPv4 network, and two guests, configured to use IPv6 network. When a guest on host A attempted to send a large UDP datagram to host B, host A terminated unexpectedly. With this update, the ipv6_select_ident() function has been fixed to accept the in6_addr parameter and to use the destination address in IPv6 header when no route is attached, and the crashes no longer occur in the described scenario.

BZ#693894

Migration of a Windows XP virtual guest during the early stage of a boot caused the virtual guest OS to fail to boot correctly. With this update, the underlying source code has been modified to address this issue, and the virtual guest OS no longer fails to boot.

BZ#694358

This update adds a missing patch to the ixgbe driver to use the kernel's generic routine to set and obtain the DCB (Data Center Bridging) priority. Without this fix, applications could not properly query the DCB priority.

BZ#679262

In Red Hat Enterprise Linux 6.2, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.

BZ#695859

Red Hat Enterprise Linux 6.0 and 6.1 defaulted to running UEFI systems in a physical addressing mode. Red Hat Enterprise Linux 6.2 defaults to running UEFI systems in a virtual addressing mode. The previous behavior may be obtained by passing the physefi kernel parameter.

BZ#695966

After receiving an ABTS response, the FCoE (Fibre Channel over Ethernet) DDP error status was cleared. As a result, the FCoE DDP context invalidation was incorrectly bypassed and caused memory corruption. With this update, the underlying source code has been modified to address this issue, and memory corruption no longer occurs.

BZ#696511

Suspending a system to RAM and consequently resuming it caused USB3.0 ports to not work properly. This was because a USB3.0 device configured for MSIX would, during the resume operation, incorrectly read its previous interrupt state. This would lead it to fall back to a legacy mode and appear unresponsive. With this update, the interrupt state is cached, allowing the driver to properly resume its previous state.

BZ#662666

Deleting the lost+found directory on a file system with inodes of size greater than 128 bytes and reusing inode 11 for a different file caused the extended attributes for inode 11 (which were set before a umount operation) to not be saved after a file system remount. As a result, the extended attributes were lost after the remount. With this update, inodes store their extended attributes under all circumstances.

BZ#698023

Prior to this update, in the __cache_alloc() function, the ac variable could be changed after cache_alloc_refill() and the following kmemleak_erase() function could receive an incorrect pointer, causing kernel panic. With this update, the ac variable is updated after the cache_alloc_refill() unconditionally.

BZ#698625

This update includes two fixes for the bna driver, specifically:

• A memory leak was caused by an unintentional assignment of the NULL value to the RX path destroy callback function pointer after a correct initialization.
• During a kernel crash, the bna driver control path state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.

BZ#700165

When an event caused the ibmvscsi driver to reset its CRQ, re-registering the CRQ returned H_CLOSED, indicating that the Virtual I/O Server was not ready to receive commands. As a consequence, the ibmvscsi driver offlined the adapter and did not recover. With this update, the interrupt is re-enabled after the reset so that when the Virtual I/O server is ready and sends a CRQ init, it is able to receive it and resume initialization of the VSCSI adapter.

BZ#700299

This update standardizes the printed format of UUIDs (Universally Unique Identifier)/GUIDs (Globally Unique Identifier) by using an additional extension to the %p format specifier (which is used to show the memory address value of a pointer).

BZ#702036

Prior to this update, the ehea driver caused a kernel oops during a memory hotplug if the ports were not up. With this update, the waitqueues are initialized during the port probe operation, instead of during the port open operation.

BZ#702263

While running gfs2_grow, the file system became unresponsive. This was due to the log not getting flushed when a node dropped its rindex glock so that another node could grow the file system. If the log did not get flushed, GFS2 could corrupt the sd_log_le_rg list, ultimately causing a hang. With this update, a log flush is forced when the rindex glock is invalidated; gfs2_grow completes as expected and the file system remains accessible.

BZ#703251

The Brocade BFA FC/FCoE driver was previously selectively marked as a Technology Preview based on the type of the adapter. With this update, the Brocade BFA FC/FCoE driver is always marked as a Technology Preview.

BZ#703265

The Brocade BFA FC SCSI driver (bfa driver) has been upgraded to version 2.3.2.4. Additionally, this update provides the following two fixes:

• A firmware download memory leak was caused by the release_firmware() function not being called after the request_firmware() function. Similarly, the firmware download interface has been fixed and now works as expected.
• During a kernel crash, the bfa I/O control state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.

BZ#704231

A previously released patch for BZ#625487 introduced a kABI (Kernel Application Binary Interface) workaround that extended struct sock (the network layer representation of sockets) by putting the extension structure in the memory right after the original structure. As a result, the prot->obj_size pointer had to be adjusted in the proto_register function. Prior to this update, the adjustment was done only if the alloc_slab parameter of the proto_register function was not 0. When the alloc_slab parameter was 0, drivers performed allocations themselves using sk_alloc and as the allocated memory was lower than needed, a memory corruption could occur. With this update, the underlying source code has been modified to address this issue, and a memory corruption no longer occurs.

BZ#705082

A scalability issue with KVM/QEMU was discovered in the idr_lock spinlock in the posix-timers code, resulting in excessive CPU resource usage. With this update, the underlying source code has been modified to address this issue, and the aforementioned spinlock no longer uses excessive amounts of CPU resources.

BZ#723650

When a NFS server returned more than two GETATTR bitmap words in response to the FATTR4_ACL attribute request, decoding operations of the nfs4_getfacl() function failed. A patch has been provided to address this issue and the ACLs are now returned in the described scenario.

BZ#707268

After hot plugging one of the disks of a non-boot 2-disk RAID1 pair, the md driver would enter an infinite resync loop thinking there was a spare disk available, when, in fact, there was none. This update adds an additional check to detect the previously mentioned situation; thus, fixing this issue.

BZ#707757

The default for CFQ's group_isolation variable has been changed from 0 to 1 (/sys/block/<device>/queue/iosched/group_isolation). After various testing and numerous user reports, it was found that having default 1 is more useful. When set to 0, all random I/O queues become part of the root cgroup and not the actual cgroup which the application is part of. Consequently, this leads to no service differentiation for applications.

BZ#691945

In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command for every bad command when a driver error handler reports success. When several bad commands pointed to a same device, the device was probed multiple times. When the device was in a state where the device did not respond to commands even after a recovery function returned success, the error handler had to wait for the commands to time out. This significantly impeded the recovery process. With this update, SCSI mid-layer error routines to send test commands have been fixed to respond once per device instead of once per bad command, thus reducing error recovery time considerably.

BZ#696396

Prior to this update, loading the FS-Cache kernel module would cause the kernel to be tainted as a Technology Preview via the mark_tech_preview() function, which would cause kernel lock debugging to be disabled by the add_taint() function. However, the NFS and CIFS modules depend on the FS-Cache module so using either NFS or CIFS would cause the FS-Cache module to be loaded and the kernel tainted. With this update, FS-Cache only taints the kernel when a cache is brought online (for instance by starting the cachefilesd service) and, additionally, the add_taint() function has been modified so that it does not disable lock debugging for informational-only taints.

BZ#703728

This update removes temporary and unneeded files that were previously included with the kernel source code.

BZ#632802

Previously removed flushing of MMU updates in the kmap_atomic() and kunmap_atomic() functions resulted in a dereference bug when processing a fork() under a heavy load. This update fixes page table entries in the kmap_atomic() and kunmap_atomic() functions to be synchronous, regardless of the lazy_mmu mode, thus fixing this issue.

BZ#746570

Previously fixed ABI issues in Red Hat Enterprise Linux 6.2 resulted in broken drivers that were built against the Red Hat Enterprise Linux 6.1 sources. This update adds padding to the net_device private structure so that the overruns resulting from an excessively-long pointer computed in the netdev_priv structure do not exceed the bounds of allocated memory.

BZ#737753

A previously introduced patch increased the value of the cpuid field from 8 to 16 bits. As a result, in some cases, modules built against the Red Hat Enterprise Linux 6.0 kernel source panicked when loaded into the new Red Hat Enterprise Linux 6.2 kernel. This update provides a patch which fixes this guaranteed backwards compatibility.

BZ#745253

KABI issues with additional fields in the "uv_blade_info" structure were discovered that prevented existing SGI modules from loading against the Red Hat Enterprise Linux 6.2 kernel. This update fixes the code in the "uv_blade_info" structure, and SGI modules load against the Red Hat Enterprise Linux 6.2 kernel as expected.

BZ#748503

Incorrect duplicate MAC addresses were being used on a rack network daughter card that contained a quad-port Intel I350 Gigabit Ethernet Controller. With this update, the underlying source code has been modified to address this issue, and correct MAC addresses are now used under all circumstances.

BZ#728676

Prior to this update, on certain HP systems, the hpsa and cciss drivers could become unresponsive and cause the system to crash when booting due to an attempt to read from a write-only register. This update fixes this issue, and the aforementioned crashes no longer occur.

BZ#693930

The cxgb4 driver never waited for RDMA_WR/FINI completions because the condition variable used to determine whether the completion happened was never reset, and this condition variable was reused for both connection setup and teardown. This caused various driver crashes under heavy loads because resources were released too early. With this update, atomic bits are used to correctly reset the condition immediately after the completion is detected.

BZ#710497

If a Virtual I/O server failed in a dual virtual I/O server multipath configuration, not all remote ports were deleted, causing path failover to not work properly. With this update, all remote ports are deleted so that path failover works as expected. For a single path configuration, the remote ports will enter the devloss state.

BZ#713868

When using the "crashkernel=auto" parameter and the "crashk_res.start" variable was set to 0, the existing logic automatically set the value of the "crashk_res.start" variable to 32M. However, to keep enough space in the RMO region for the first stage kernel on 64-bit PowerPC, the "crashk_res.start" should have been set to KDUMP_KERNELBASE (64M). This update fixes this issue and properly assigns the correct value to the "crashk_res.start" variable.

BZ#743959

Due to a delay in settling of the usb-storage driver, the kernel failed to report all the disk drive devices in time to Anaconda, when booted in Unified Extensible Firmware Interface (UEFI) mode. Consequently, Anaconda presumed that no driver disks were available and loaded the standard drivers. With this update, both Anaconda and the driver use a one second delay, all devices are enumerated and inspected for driver disks properly.

BZ#690129

Prior to this update, the remap_file_pages() call was disabled for mappings without the VM_CAN_NONLINEAR flag set. Shared mappings of temporary file storage facilities (tmpfs) had this flag set but the flag was not set for the shared mappings of the /dev/zero device or shared anonymous mappings. With this update, the code has been modified and the VM_CAN_NONLINEAR flag is set also on the shared mappings of the /dev/zero device and shared anonymous mappings.

BZ#694309

The NFS client iterates through individual elements of a vector and issues a write request for each element to the server when the writev() function is called on a file opened with the O_DIRECT flag. Consequently, the server commits each individual write to the disk before replying to the client and the request transfer for the NFS client to the NFS server causes performance problems. With this update, the larger I/Os from the client are submitted only if all buffers are page-aligned, each individual vector element is aligned and has multiple pages, and the total I/O size is less than wsize (write block size).

BZ#699042

Improper shutdown in the e1000e driver caused a client with Intel 82578DM Gigabit Ethernet PHY to ignore the Wake-on-LAN signal and attempt to boot the client failed. This update applies the upstream Intel patch which fixes the problem.

BZ#703357

The "ifconfig up" command allocates memory for Direct Memory Access (DMA) operations. The memory is released when the "ifconfig down" command is issued. Previously, if another "ifconfig up" command was issued after an ifconfig up/down session, it re-enabled the DMA operations before sending the new DMA memory address to the NIC and the NIC could access the DMA address allocated during the previous ifconfig up/down session. However, the DMA address was already freed and could be used by another process. With this update, the underlying code has been modified and the problem no longer occurs.

BZ#729737

The in-process I/O operations of the Chelsio iWARP (cxgb3) driver could attempt to access a control data structure, which was previously freed after a hardware error that disabled the offload functionality occurred. This caused the system to terminate unexpectedly. With this update, the driver delays the freeing of the data structure and the problem no longer occurs.

BZ#734509

Previously, the capabilities flag of the WHEA_OSC call was set to 0. This could cause certain machines to disable APEI (ACPI Platform Error Interface). The flag is now set to 1, which enables APEI and fixes the problem.

BZ#748441

Previously, the origin device was being read when overwriting a complete chunk in the snapshot. This led to a significant memory leak when using the dm-snapshot module. With this update, reading of the origin device is skipped, and the memory leak no longer occurs.

BZ#750208

When the user attempted to list the mounted GFS2 file systems, a kernel panic occurred. This happened if the file in the location which the user tried to list was at the same time being manipulated by using the "fallocate" command. With this update, page cache is no longer used; the block is zeroed out at allocation time instead. Now, a kernel panic no longer occurs.

BZ#749018

The queuecommand error-handling function could cause memory leaks or prevent the TUR command from finishing for SCSI device drivers that enabled the support for lockless dispatching (lockless=1). This happened because the device driver did not call the scsi_cmd_get_serial() function and the serial_number property of the command remained zero. Consequently, the SCSI command could not be finished or aborted as the error-handling function always returned success for "serial_number == 0". The check for the serial number has been removed and the SCSI command can be finished or aborted.

BZ#750583

A previous patch for the Ironlake graphics controller and memory controller hub (GMCH) with a workaround for Virtualization Technology for Directed I/O (VT-d) introduced recursive calls to the unmap() function. With this update, a flag, which prevents the recursion, was added to the call chain, which allows the called routines to prevent the recursion.

BZ#707287

This update introduces a kernel module option that allows the disabling of the Flow Director.

BZ#706167

This update adds XTS (XEX-based Tweaked CodeBook) AES256 self-tests to meet the FIPS-140 requirements.

BZ#635968

This update introduces parallel port printer support for Red Hat Enterprise Linux 6.

BZ#699865

This update reduces the overhead of probes provided by kprobe (a dynamic instrumentation system), and enhances the performance of SystemTap.

BZ#696695

With this update, the JSM driver has been updated to support for enabling the Bell2 (with PLX chip) 2-port adapter on POWER7 systems. Additionally, EEH support has been added for to JSM driver.

BZ#669739

Memory limit for x86_64 domU PV guests has been increased to 128 GB: CONFIG_XEN_MAX_DOMAIN_MEMORY=128.

BZ#662208

In Red Hat Enterprise Linux 6.2, the taskstat utility (which prints ASET tasks status) in the kernel has been enhanced by the providing microsecond CPU time granularity to the top utility.

BZ#708365

Red Hat Enterprise Linux 6.2 introduced the multi-message send syscall, which is the send version of the existing recvmmsg syscall in Red Hat Enterprise Linux 6.

The following is the syscall sendmmsg socket API:

struct mmsghdr {
struct msghdr	msg_hdr;
unsigned	msg_len;
};

ssize_t sendmmsg(int socket, struct mmsghdr *datagrams, int vlen, int flags);

BZ#647700

Red Hat Enterprise Linux 6.2's EDAC driver support for the latest Intel chipset is available as a Technical Preview.

BZ#599054

In Red Hat Enterprise Linux 6.2, the ipset feature in the kernel is added to store multiple IP addresses or port numbers, and match against the collection by iptables.

Security Fixes

CVE-2011-1770, Important

An integer underflow flaw, leading to a buffer overflow, was found in the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service.

CVE-2010-3858, Moderate

Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service.

CVE-2011-1598, CVE-2011-1748, Moderate

A missing validation check was found in the bcm_release() and raw_release() functions in the Linux kernel's Controller Area Network (CAN) implementation. This could allow a local, unprivileged user to cause a denial of service.

CVE-2011-1771, Moderate

The fix for Red Hat Bugzilla bug 656461, as provided in RHSA-2011:0542, introduced a regression in the cifs_close() function in the Linux kernel's Common Internet File System (CIFS) implementation. A local, unprivileged user with write access to a CIFS file system could use this flaw to cause a denial of service.

Security Fix

CVE-2011-1767, CVE-2011-1768, Moderate

It was found that the receive hook in the ipip_init() function in the ipip module, and in the ipgre_init() function in the ip_gre module, could be called before network namespaces setup is complete. If packets were received at the time the ipip or ip_gre module was still being loaded into the kernel, it could cause a denial of service.

CVE-2011-2479, Moderate

It was found that an mmap() call with the MAP_PRIVATE flag on "/dev/zero" would create transparent hugepages and trigger a certain robustness check. A local, unprivileged user could use this flaw to cause a denial of service.

Security Fixes

CVE-2011-1898, Important

Using PCI passthrough without interrupt remapping support allowed KVM guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details.

CVE-2011-2491, Important

Flaw in the client-side NLM implementation could allow a local, unprivileged user to cause a denial of service.

CVE-2011-2497, Important

Integer underflow in the Bluetooth implementation could allow a remote attacker to cause a denial of service or escalate their privileges by sending a specially-crafted request to a target system via Bluetooth.

CVE-2011-2517, Important

Buffer overflows in the netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface.

CVE-2011-2695, Important

Flaw in the way the maximum file offset was handled for ext4 file systems could allow a local, unprivileged user to cause a denial of service.

CVE-2011-1576, Moderate

Flaw allowed napi_reuse_skb() to be called on VLAN packets. An attacker on the local network could use this flaw to send crafted packets to a target, possibly causing a denial of service.

CVE-2011-1593, Moderate

Integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service.

CVE-2011-2183, Moderate

Race condition in the memory merging support (KSM) could allow a local, unprivileged user to cause a denial of service. KSM is off by default, but on systems running VDSM, or on KVM hosts, it is likely turned on by the ksm/ksmtuned services.

CVE-2011-2213, Moderate

Flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service.

CVE-2011-2689, Moderate

Flaw in the way space was allocated in the Global File System 2 (GFS2) implementation. If the file system was almost full, and a local, unprivileged user made an fallocate() request, it could result in a denial of service. Setting quotas to prevent users from using all available disk space would prevent exploitation of this flaw.

CVE-2011-1182, Low

Local, unprivileged users could send signals via the sigqueueinfo system call, with si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so.

CVE-2011-1776, Low

Heap overflow in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing crafted partition tables.

CVE-2011-2492, Low

Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space.

CVE-2011-2495, Low

/proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process.

Security Fixes

CVE-2011-1745, CVE-2011-2022, Important

Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges.

CVE-2011-1746, Important

An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges.

CVE-2011-1833, Moderate

A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed.

CVE-2011-2484, Moderate

A denial of service flaw was found in the way the taskstats subsystem handled the registration of process exit handlers. A local, unprivileged user could register an unlimited amount of these handlers, leading to excessive CPU time and memory use.

CVE-2011-2496, Moderate

A flaw was found in the way mapping expansions were handled. A local, unprivileged user could use this flaw to cause a wrapping condition, triggering a denial of service.

CVE-2011-2521, Moderate

A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool.

CVE-2011-2723, Moderate

A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it.

CVE-2011-2918, Moderate

A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service.

CVE-2011-1160, Low

A flaw was found in the Linux kernel's Trusted Platform Module (TPM) implementation. A local, unprivileged user could use this flaw to leak information to user-space.

CVE-2011-2898, Low

Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space.

Security Fixes

CVE-2011-2699, Important

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services.

CVE-2011-3191, Important

A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.

CVE-2011-4326, Important

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service.

CVE-2011-3188, Moderate

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random.

CVE-2011-3353, Moderate

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service.

CVE-2011-3359, Moderate

A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service.

CVE-2011-3363, Moderate

A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash.

CVE-2011-3593, Moderate

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service.

CVE-2011-1162, Low

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command.

CVE-2011-1577, Low

A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partition tables.

CVE-2011-2494, Low

The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process.

CVE-2011-2905, Low

It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.

BZ#710609

Xen guests cannot make use of all CPU features, and in some cases they are even risky to be advertised. One such feature is CONSTANT_TSC. This feature prevents the TSC (Time Stamp Counter) from being marked as unstable, which allows the sched_clock_stable option to be enabled. Having the sched_clock_stable option enabled is problematic for Xen PV guests because the sched_clock() function has been overridden with the xen_sched_clock() function, which is not synchronized between virtual CPUs. This update provides a patch, which sets all x86_power features to 0 as a preventive measure against other potentially dangerous assumptions the kernel could make based on the features, fixing this issue.

BZ#712191

Issues for which a host had older hypervisor code running on newer hardware, which exposed the new CPU features to the guests, were discovered. This was dangerous because newer guest kernels (such as Red Hat Enterprise Linux 6) may have attempted to use those features or assume certain machine behaviors that it would not be able to process because it was, in fact, a Xen guest. One such place was the intel_idle driver which attempts to use the MWAIT and MONITOR instructions. These instructions are invalid operations for a Xen PV guest. This update provides a patch, which masks the MWAIT instruction to avoid this issue.