[El-errata] New updates available via Ksplice (ELSA-2014-3002)

Thu Feb 13 01:17:59 PST 2014

Synopsis: ELSA-2014-3002 can now be patched using Ksplice
CVEs: CVE-2013-2147 CVE-2013-2148 CVE-2013-2850 CVE-2013-2893 CVE-2013-2895 CVE-2013-2896 CVE-2013-2897 CVE-2013-2898 CVE-2013-2899 CVE-2013-4205 CVE-2013-4247 CVE-2013-4270 CVE-2013-4300 CVE-2013-4350 CVE-2013-6431

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2014-3002.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2013-4270: Incorrect permission checks on networking sysctls.

Permission checks in the networking sysctl interface incorrectly use the
current uid/gid rather than the effective uid/gid which could allow an
unprivileged user to manipulate network settings using a setuid binary.

* Memory corruption in random number generation.

Incorrect locking in the random number generation code could result in
memory corruption and undefined behaviour.

* Filesystem corruption in btrfs during device replacement.

Incorrect offset calculation during device replacement could result in
the filesystem being corrupted on disk.

* Kernel crash in btrfs backref checking.

Incorrect handling of backref checking for blocks could result in
hitting a kernel assertion and kernel crash.

* NULL pointer dereference in ALSA driver.

A NULL pointer derference in the ALSA HDA driver can lead to
a kernel Oops.

* Kernel OOPS on NFS recovery dir creation.

Invalid parameters passed to the recovery dir creation may case
a kernel OOPS.

* NULL pointer dereference on mapping of unaligned memory on shared memory.

Mapping of unaligned memory block on the shared memory file system would
case a NULL pointer dereference.

* Denial-of-service in memory mapped packet socket interface.

Incorrect error handling in the memory mapped packet socket interface
could allow a local, unprivileged user to crash the system.

* Kernel stack information leak in IPv6 GRE tunnelling.

Missing structure clearing could result in leaking a number of bytes of
kernel stack data to userspace in the IPv6 GRE tunnel ioctl() call.

* Denial of service in watchdog registration.

A race condition in watchdog registration could lead to a deadlock.  This
could be used to cause a denial of service by a malicious user.

* Memory leak in Distributed Replicated Block Device detach.

A missing resource free caused a memory leak when detaching a a DRDB
device.

* Unchecked user input used in open source Radeon driver.

The Radeon driver didn't check user memory before copying it, which could
potentially be used to create a kernel exploit.

* NULL pointer dereference in usermodehelper.

A missing NULL pointer check could lead to a NULL pointer dereference
and a kernel crash.

* Denial-of-service in CIFS inode handling.

In some cases, CIFS inode ops that had already been set were being reset,
leading to a kernel oops.  This could be used by a malicious user to cause
a denial of service.

* Integer overflow in FAT filesystem mounting.

Integer overflow in FAT filesystems could result in a corrupted
filesystem.

* Race condition on Kernel list when removing waiters.

There is a race condition in the klist interface when removing
waiters leading to thread corruption to prior waiter.

* Kernel panic in mm pagewalk.

Invalid assumptions in the mm pagewalk code could cause a kernel
panic.  This can be triggered by simply cat'ing /proc/<pid>/smaps
while an application has a VM_PFNMAP range.

* Buffer overflow in CIFS options handling.

In some cases, insufficient memory was being allocated for the CIFS
mount options, leading to a buffer overflow.

* NULL pointer dereference in cgroup initialization.

A missing initialization of the extended attributes for cgroup
files can cause a NULL pointer dereference in various security
modules that verify extended attributes.

* CVE-2013-2850: Remote heap buffer overflow in iSCSI target subsystem.

If an iSCSI target is configured and listening on the network, a remote
attacker can corrupt heap memory, and gain kernel execution control over
the system and gain kernel code execution.

* System hang in JFS journal management.

Race conditions in the journaling filesystem could result in a system
hang under specific conditions triggered by xfstests.

* Kernel crash on Wireless P2P device connection.

If a P2P wireless device is present and a new one gets connected,
the Kernel will crash because of a bad check of a network device
internals.

* XHCI raise a Kernel panic due to unitialised list head.

The list_for_each_entry_safe macro, assumes list heads are
initialized (not NULL), and dereferences their 'next' pointer,
causing a kernel panic if this is not yet initialized.

* CVE-2013-4247: Heap buffer overflow when mounting CIFS share.

An off-by-one error when copying UNC paths in Distributed File System referrals
can cause a heap buffer overflow and possibly gain kernel code execution.

* Data loss in ecryptfs file syncing.

The ecryptfs filesystem does not correctly flush the contents of memory mapped
files to disk potentially causing data loss.

* Kernel panic when GPU acceleration is disabled.

When GPU acceleration is disabled, the related data is freed, but a
subsequent cleanup call after this will cause a kernel panic.

* Memory corruption in CephFS object storage client.

Incorrect locking in the Ceph distributed filesystem client can cause memory
corruption and kernel panic when requesting new OSD mappings.

* Use-after-free in Rados block device creation.

The Rados block device, as used by the Ceph distributed filesystem incorrectly
frees when failing to create a client leading to a use-after-free and kernel
panic.

* Race condition on Swap while waiting on discard I/O completion.

When reading the swap cache page it can get into a race condition
leading to a system deadlock.

* NULL pointer dereference in MMU notifier.

A race condition could lead to a NULL pointer dereference in the mmu
notifier code.

* Kernel crash on IPv6 cork release.

When copying cork options on IPV6, the target memory space
for those is not zeroed, which could lead to a Kernel crash
as it could contain garbage when invoking the free routines.

* Kernel crash on ip_tunnel due to garbage data on IPCB.

If the link failure routine is called and IPCB is not
cleared, it will lead to a Kernel crash due to the existence
of garbage data.

* Information leak in AF_PACKET getname() call.

The getname() syscall does not correctly sanitize memory when called on an
AF_PACKET socket causing the contents of kernel memory to be disclosed to
userspace.

* Memory leak on L2TP PPP header.

When adding a PPP header, it leaks two bytes of uninitialized memory
at the end of the socket buffer data buffer.

* Memory corruption in Bluetooth L2CAP MTU control.

An integer underflow and memory corruption can be triggered by reducing the MTU
of an L2CAP socket and then sending a large L2CAP packet.

* Kernel deadlock when removing a Frame Relay device.

Incorrect locking when removing a Frame Relay DLCI device can cause a deadlock
and kernel panic.

* Kernel panic when removing a Frame Relay device.

Using the DLCI ioctl to remove a Frame Relay device on a socket that is not a
Frame Relay device can cause an invalid memory access and kernel panic.

* Memory leak in IPv6 fragmentation tracking.

The kernel IPv6 connection tracker does not correctly handle fragmented IPv6
packets leading to a kernel memory leak.

* Format string vulnerability in power charger manager.

A lack of sanitisation of a parameter when notifying udev about power charger
events can trigger a format string vulnerability and cause a kernel panic.

* Format string vulnerability in crypto subsystem.

A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic

* NULL pointer dereference in XHCI container allocation.

A missing error check when allocating DMA memory for a XHCI container can cause
a NULL pointer dereference and kernel panic.

* Race condition in cgroup event removal.

Incorrect reference counting when removing a cgroup event while the cgroup is
being unmounting can trigger a BUG_ON and kernel panic.

* Kernel crash when unregistering VLAN interfaces.

If a VLAN interface was registered after the AP, on unregistering
the system will crash because because it is not prepared to deal
with AP's being closed before to remove their VLANs.

* Truncated packet denial-of-service in SUNRPC server.

Truncated packets received by the kernel SunRPC are not handled correctly allowing
remote attackers to cause a kernel panic by sending truncated packets.

* Memory leak in Virtual IP tunneling initialization.

Duplicated memory allocations would cause a memory leak when
initializing Virtual IP resulting in a possible denial-of-service.

* Memory corruption in Plan 9 9p remote filesystem.

An off by one error could lead to memory access violations and memory
corruption when releasing pages in the 9p, leading to a kernel crash.

* Use-after-free in NFS lock daemon lock retry mechanism.

Missing locking could result in a race condition with the retry list
allowing the kernel to use a freed item resulting in a kernel crash.

* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.

* Use-after-free in SCSI unit attention handling.

Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.

* NULL pointer dereference in USB XHCI doorbell.

A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.

* NULL pointer dereference in XHCI host controller failure.

Missing NULL pointer checks could result in a kernel crash when a XHCI
host controller fails.

* Denial-of-service in Moschip 7840/7820 USB serial driver.

Missing resource freeing would result in a memory leak when failing to
open the device allowing a user with sufficient privileges to exhaust
memory.

* Kernel crash in NFS file open failure.

Incorrect handling of the return value from a failed open() call on an
NFS filesystem could result in dereferencing an invalid pointer and
triggering a kernel crash.

* Use-after-free in ACPI memory hotplug failure.

Incorrect handling of memory hotplug failure could result in accessing a
stale pointer and triggering a kernel crash.

* Denial-of-service in memory policy management with mbind().

Incorrect handling of memory policies during mbind() calls could result
in leaking memory policies allowing a local user to cause a
denial-of-service.

* Livelock in filesystem mounting.

Incorrect locking in filesystem superblock handling could result in
livelock causing the filesystem to fail to mount and the mounting tasks
to hang.

* Deadlock in Xen event channel removal.

Incorrect locking in the Xen event channel driver could result in
deadlock and a system hang when unbinding a channel with the
IOCTL_EVTCHN_UNBIND ioctl.

* Use-after-free in freeing zram pages.

Incorrect locking the zram driver when freeing pages can trigger a use-after-free
or BUG_ON leading to a kernel panic.

* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated
leading to kernel memory corruption and possible elevation of privileges.

* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while reseting a device.

* CVE-2013-2148: Kernel information leak in file system notifications.

The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c
in the Linux kernel through 3.9.4 does not initialize a certain structure
member, which allows local users to obtain sensitive information from kernel
memory via a read operation on the fanotify descriptor.

* Race condition in unloading cgroup kernel modules.

A race condition between unloading a cgroup kernel module and unmounting a cgroup
filesystem can trigger a reference counting error and cause a kernel panic.

* CVE-2013-4205: Denial-of-service in user namespaces.

Unbound creation of user namespaces could result a memory leak allowing
a local, unprivileged user to crash the machine by repeatedly creating
new user namespaces.

* Use-after-free in IPv6 multicast routing namespace cleanup.

Incorrect locking could result in a use-after-free and kernel crash when
removing a network namespace.

* Kernel information leak in Class Based Queueing network scheduler.

Missing initialization in the CBQ network scheduler could result in
leaking kernel stack information to userspace.

* Kernel stack information leaks in PF_KEY sockets.

Missing initialization in a number of PF_KEY socket calls could result
in leaking kernel stack information to userspace.

* Kernel stack information leak in ATM network scheduler.

Missing initialization could cause kernel stack information to be leaked
from the ATM network scheduler to userspace.

* Use-after-free in ACPI sysfs attributes.

Missing locking in two sysfs attributes could cause a use-after-free and
kernel crash when accessing the attributes at the same time as device
hotplug or hot-unplug.

* Kernel crash in NFS lock manager lock freeing.

Incorrect handling of the system hostname across UTS namespaces could
result in a kernel oops when freeing locks.

* Kernel oops in VIRTIO console with splice().

A splice() with no buffers to a VIRTIO console device would result in a
kernel oops, triggerable by a local user with permissions to access the
serial device.

* Kernel crash in simultaneous VIRTIO console splice().

Missing locking could result in a kernel crash when multiple processes
tried to splice to and from a VIRTIO console device.

* Kernel oops in simultaneous VIRTIO console open + unplug.

Missing synchronization could result in a crash if the device was opened
at the same time as the device was unplugged.

* Buffer overflow in CIFS credentials.

An incorrectly sized buffer could result in a buffer overflow, allowing
a malicious server to cause heap memory corruption.

* Kernel panic in cgroup memory control cache.

The cgroup memory control subsystem does not correctly initialise a data structure
when registering a cache in a control group causing a page fault and kernel panic.

* Heap buffer overflow when reading "pagemap" procfs file.

The kernel does not correctly allocate a temporary buffer when reading from the
"pagemap" procfs file, leading to a kernel heap overflow and possible code
execution.

* NULL pointer dereference in Keyspan USB-to-serial driver.

A NULL pointer dereference and kernel panic can be triggered if a memory
allocation fails when attaching a Keyspan USB device.

* NULL pointer in Wireless USB data transfer.

A NULL pointer dereference and kernel panic can be triggered when disconnecting
a wireless USB device while transferring data.

* Use-after-free in ext4 metadata error path.

If an error is encountered when writing dirty ext4 metadata to disk, a use-after-
free condition can be triggered causing a kernel panic.

* Kernel crash during simultaneous iee80211 channel switch and removal.

Removing a WiFi device during a channel switch could result in a NULL
pointer dereference and kernel crash.

* Kernel panic in removable memory sysfs interface.

When showing the contents of the /sys/devices/system/memory/memory*/removable
sysfs file, the kernel does not validate that all memory sections are present
causing a kernel panic.

* NULL pointer dereference in memory control groups.

The kernel does not validate a pointer when querying the memory control group
cache causing a NULL pointer dereference and kernel panic.

* Kernel panic in Hierarchical Token Bucket scheduler.

The kernel HTB scheduler does not validate priority levels causing an out-of-bounds
read leading to a kernel panic.

* Use-after-free in IPv6 options processing.

The kernel IPv6 implementation incorrectly uses freed memory when processing
received IPv6 packets leading to a use-after-free condition and kernel panic.

* Use-after-free in Xen grant table callbacks.

Xen allows individual callbacks to be registered multiple times for individual
grant tables leading to a use-after-free condition and kernel panic.

* CVE-2013-4300: Privilege escalation in AF_UNIX credential passing.

The kernel uses the wrong namespace when validating credentials passed via a
AF_UNIX socket allowing users in a namespace to spoof credentials and gain
elevated privileges.

* Denial-of-service in USB configuration parsing.

The generic USB driver does not correctly validate the length of USB configuration
blocks allowing a malicious USB device to cause a kernel panic.

* CVE-2013-2898: Information leak in HID sensor framework.

The kernel HID sensor framework does not correctly validate data from devices
allowing a malicious device to leak the contents of kernel memory.

* CVE-2013-2899: NULL pointer dereference in PicoLCD device driver.

The PicoLCD HID driver does not correctly validate data from devices allowing a
malicious device to trigger a NULL pointer dereference causing a kernel panic.

* CVE-2013-2896: NULL pointer dereference in N-Trig HID driver.

The N-Trig touch-screen device driver does not correctly validate data from
devices allowing a malicious device to trigger a NULL pointer dereference causing
a kernel panic.

* NULL pointer dereference in PicoLCD device removal.

The PicoLCD HID driver does not validate a pointer when removing a PicoLCD device
leading to a NULL pointer dereference and kernel panic.

* NULL pointer dereference in HID report field setting.

Missing NULL pointer checks could result in a NULL pointer dereference
when a driver populated the results of field enquiries.

* Information leak in procfs filesystem.

A missing privilege check in the procfs filesystem allows users inside a namespace
to remount the procfs filesystem with weak permissions, leaking information about
processes in other namespaces.

* Resource leak in CIFS client under low memory conditions.

The kernel CIFS client does not free file resources when opening a file on a CIFS
share fails, leading to a kernel memory leak and kernel panic.

* CVE-2013-2897: Memory corruption in multitouch HID driver.

The multitouch HID driver does not correctly validate data from devices allowing
a malicious device to cause kernel memory corruption and potentially gain kernel
code execution.

* CVE-2013-2893: Memory corruption in Logitech force feedback devices.

The Logitech force feedback driver does not correctly validate data from devices
allowing a malicious device to cause kernel memory corruption and potentially
gain kernel code execution.

* CVE-2013-2895: NULL pointer dereference in Logitech DJ driver.

The Logitech DJ Unifying driver does not correctly validate data from devices
allowing a malicious device to leak the contents of kernel memory or trigger a
NULL pointer dereference causing a kernel panic.

* Use-after-free in kernel device management.

The kernel does not correctly manage reference counts when removing devices from
the system leading to a use-after-free condition and kernel panic.

* CVE-2013-2147: Kernel memory leak in HP and Compaq controllers.

Missing initialization of a returned result in the HP Smart Array and
Compaq SMART2 controllers could leak internal kernel memory back to
userspace.

* CVE-2013-6431: NULL pointer dereference in IPv6 FIB rule addition failure.

Incorrect error handling could trigger a NULL pointer dereference when
failing to add an IPv6 FIB rule and causing a kernel crash.

* NULL pointer dereference in netpoll driver cleanup.

Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device as used in netconsole resulting in a kernel
crash.

* CVE-2013-4350: SCTP over IPv6 disables encryption.

When transporting SCTP data over an IPv6 link, an incorrect assumption in the
kernel IPv6 stack can disable IPv6 encryption leading to the SCTP data being
visible to malicious users on the network.

* Fix NULL pointer dereference in Bridge interface.

* Kernel panic in ELF coredumping with large number of mmapped files.

On a system where a large number of mappings are permitted, a local,
unprivileged user could trigger a NULL pointer dereference when writing
corefiles and storing the filenames of the mapped files.

* Denial-of-service in ext4 extended attribute error handling.

Missing memory freeing in the error path of extended attribute handling
could cause a memory leak and denial of service under specific
circumstances.

* Information leak in netlink connector.

When sending messages through the netlink connector, some elements of the message
are not initialised causing the contents of kernel memory to be exposed to
userspace.

* Kernel panic in netlink kernel/userspace connector.

An incorrect length check when processing netlink messages in the kernel/
userspace connector can cause an out-of-bounds access and kernel panic.

* Memory leak in ecrypt filesystem initialization.

When initializing a ecrypt filesystem the ecryptfs driver does not free memory
when decrypting the session key causing a kernel memory leak.

* Denial-of-service in IPv4 CIPSO header validation.

The kernel IPv4 stack does not correctly handle malformed CIPSO headers in IPv4
packets leading to an infinite loop and kernel panic.

* Use-after free in NFS client file locking.

If a file locking operation is denied by a NFS server, the kernel NFS client does
not correctly free memory leading to a use-after-free condition and kernel panic
when retrying the file lock operation.

* Memory leak in LSI Megaraid controller management firmware interface.

Incorrect handling of scatter-gather lists with 0 sized entries could
result in a memory leak of DMA coherent memory.

* Use-after-free in kernel cryptography subsystem.

The kernel cryptography subsystem incorrectly frees kernel memory when initializing
a cryptographic algorithm leading to a use-after-free condition and kernel panic.

* Use-after-free in Mellanox Connect-IB HCA device removal.

Incorrect removal of a workqueue could result in a use-after-free
condition which may trigger a memory corruption and a kernel crash.

* Memory leak in Mellanox Connect-IB HCA initialization failure.

Incorrect error handling could result in a memory leak during error
handling on device initialization.

* Denial-of-service in Mellanox gigabit Ethernet loopback test.

Incorrect resource freeing during the ethtool loopback test could result
in a use-after-free and subsequent kernel crash.  A local, privileged
user could use this to trigger a denial-of-service.

* Use-after-free in Ethernet over IP-over-Infiniband.

Incorrect freeing of socket buffers during transmission could result in
memory corruption and a kernel crash.

* Use-after-free in Mellanox Connect-IB HCA completions.

Incorrect handling of asynchronous work could result in a use-after-free
and kernel crash when processing deferred work.

* Kernel crash in IP-over-Infiniband error handling.

Incorrect error handling when opening an IP-over-infiniband device could
result in dereferencing invalid memory and crashing the kernel.

* Use-after-free in Infiniband queue pairs.

Missing locking could result in a use-after-free and kernel crash when
processing asynchronous events.

* Hard lockup in Mellanox completion queue resizing.

Missing error handling when resizing completion queues could result in a
hard lockup of the system.

* Use-after-free in IP-over-Infiniband connection destruction.

Missing resource cleanup during connection destruction could lead to a
use-after-free condition and kernel crash.

* Filesystem corruption during suspend/resume cycles.

Missing locking could result in filesystem corruption during heavy
filesystem accesses and a suspend/resume cycle.

* Denial-of-service in ext4 filesystem truncation.

Incorrect handling of zero-length extents could result in hitting an
assertion and crashing the system.  A local, unprivileged user could use
this to trigger a denial-of-service.

* Use-after-free in Emulex LightPulse Fibre Channel list traversal.

Incorrect list traversal could result in a use-after-free and kernel
crash when processing linked lists in the Emulex LightPulse driver.

* Memory leak in Emulex LightPulse Fibre Channel unregistration.

A missing memory free could result in a memory leak when unregistering a
mailbox.

* Memory leak in btrfs backref walking.

Incorrect reference counting in btrfs backref walking could result in a
memory leak and an eventual kernel crash on a filesystem with a lot of
I/O.

* Memory leak in compressed btrfs extents.

Under specific conditions, a compressed btrfs filesystem could leak
memory resulting in a kernel crash under heavy I/O.

* Deadlock in btrfs filesystem superblock writing.

A missing mutex unlock operation could result in deadlock when updating
filesystem superblocks.

* Deadlock in btrfs filesystem extent writing.

Incorrect locking when writing btrfs extents could result in filesystem
deadlock, exploitable by an unprivileged user.

* XFS filesystem corruption in write failure handling.

Incorrect integer handling on 32-bit systems could result in hitting an
XFS assertion or corrupting the filesystem when a write failure occurs.

* Double-free in XFS file attribute error handling.

The error handling for adding an XFS file attribute could trigger a
double-free and kernel crash under specific conditions.

* Stack overflow in XFS page cache allocation.

Deeply nested call chains when allocating in the page cache for an XFS
filesystem could result in a stack overflow causing a kernel crash or
possibly allowing the user to escalate privileges under specific
conditions.

* NULL pointer dereference in XFS log buffers.

Missing assertions in the XFS log code could result in dereferencing a
NULL pointer triggering a kernel crash under specific conditions.

* Filesystem corruption via preallocated file truncation.

Missing permission checks in a preallocated XFS file could allow an
unprivileged local user to corrupt files that they did not own.

* Memory corruption in block core on control group queue initialization failure.

Incorrect error handling could result in memory corruption and a kernel
crash when queue initialization fails.

* Resource leak in Xen blkback block driver during discard.

Incorrect reference counting could result in a failure to free the block
interface.  This could cause device hotplug to fail.

* Denial-of-service in NFSv4 open recovery.

Incorrect handling of open recoveries on an NFSv4 filesystem with
delegations enabled could result in a NULL pointer dereference.  A
local, unprivileged user could use this flaw to crash the system.

* Incorrect permissions in XFS subdirectories with SGID bit set and ACL's.

New files and directories in a subdirectory with an access control list
and the SGID bit set would not have the group correctly inherited.

* Use-after-free in SCSI device removal.

Incorrect locking could result in a use-after-free and kernel crash when
removing a SCSI device from the system.

* Kernel crash in ServerEngines BladeEngine 2 iSCSI driver command timeout.

Incorrect reference counting could result in hitting a kernel assertion
during command timeout triggering a kernel crash.

* Invalid access time writes to read-only subvolumes.

Reads from a read-only mounted subvolume could still modify the access
time resulting in writes to a read-only filesystem.

* Incorrect default ACLs on btrfs directories.

When creating a directory on a btrfs filesystem which inherits default ACLs from
its parent, an incorrect error check causes the ACLs to be discarded from the
newly created directory.

* Kernel crash in Xen netback frontend slot packing.

Under specific conditions the number of slots required to send packets
were incorrectly counted in the backend.  This could cause the frontend
to lose synchronization and later crash the guest kernel.

* NULL pointer dereference in Mellanox Gigabit Ethernet coalescing.

Changing of coalescing parameters whilst a port was down would trigger a
NULL pointer dereferene and kernel crash.

* Deadlock in IP-over-Infiniband transmission.

Incorrect locking in the IP-over-Infiniband driver could result in
deadlock during transmission under specific conditions.

* Kernel crash in Ethernet-over-IP-over-Infiniband.

Missing locking to an internal structure in
Ethernet-over-IP-over-Infiniband could result in accessing invalid data
and triggering a kernel panic.

* SCTP bind() failure during non-graceful socket shutdown.

Incorrect destruction of SCTP sockets could result in bind() failures
when an existing socket was not shut down gracefully.  This could result
in SCTP based servers failing to restart under specific conditions.

* Kernel crash in bonding device updelay/downdelay setting.

Missing locking in the updelay/downdelay setting functions could result
in the kernel using a user-supplied value before validation.  A
privileged, local user could use this to cause a divide-by-zero error,
crashing the kernel.

* Kernel crash in Emulex LightPulse Fibre Channel I/O control buffers.

Incorrect handling of freed I/O control buffers could result in a NULL
pointer dereference or use-after-free triggering a kernel crash.

* NULL pointer dereference in OCFS2 incoming connection race.

Incorrect state management in the OCFS2 incomming connection handling
code could result in a NULL pointer dereference and kernel crash when
racing with incoming data.

* Kernel panic on btrfs-image restored filesystem.

Incorrect handling of a filesystem restored with btrfs-image could
result in failing a kernel assertion and crashing the system.  A
privileged user in a container could use this to crash the host.

* Data corruption on NFS mounts during writeback.

Incorrect handling of inode writeback could result in data corruption of
NFS mounted filesystems under specific conditions.

* Kernel panic in OCFS2 file hole punching.

Incorrect handling of user-supplied lengths could result in a kernel
panic.  A local, privileged user in a container could use this flaw to
crash the host.

* Kernel crash in memory control group non-root cache management.

Incorrect handling of non-root caches could result in corrupting memory
when writing new resource limits.

* Deadlock in network core during MTU modification.

Incorrect memory allocation flags could result in a deadlock when
changing the MTU of a network device causing a system hang.

* Deadlock in Broadcom Tigon3 network driver MTU modification.

Incorrect locking in the Broadcom Tigon3 driver during MTU modification
could result in deadlock and hanging the system.

* Kernel panic in btrfs balance operation.

When running a balance operation and defragmentation operation concurrently, an
incorrect assumption in the btrfs filesystem driver can trigger a kernel panic.

* Task hang on OCFS filesystems with asynchronous I/O+fsync race.

Incorrect locking could cause a race condition between synchronizing
asynchronous I/O operations with the filesystem.  This could cause the
writing process to hang indefinitely.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.