This bug was fixed in the package linux - 3.8.0-33.48

---------------
linux (3.8.0-33.48) raring; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242849

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
    - LP: #1240580
  * drm/radeon/atom: workaround vbios bug in transmitter table on rs880 (v2)
    - LP: #1240580
  * drm/ast: fix the ast open key function
    - LP: #1240580
  * sched/fair: Fix small race where child->se.parent,cfs_rq might point to
    invalid ones
    - LP: #1240580
  * tg3: Expand led off fix to include 5720
    - LP: #1240580
  * HID: provide a helper for validating hid reports
    - LP: #1240580
  * HID: zeroplus: validate output report details
    - LP: #1240580
    - CVE-2013-2889
  * HID: LG: validate HID output report details
    - LP: #1240580
    - CVE-2013-2893
  * HID: lenovo-tpkbd: validate output report details
    - LP: #1240580
    - CVE-2013-2894
  * HID: validate feature and input report details
    - LP: #1240580
    - CVE-2013-2897
  * HID: logitech-dj: validate output report details
    - LP: #1240580
    - CVE-2013-2895
  * HID: multitouch: validate indexes details
    - LP: #1240580
    - CVE-2013-2897
  * HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
    - LP: #1240580
  * drm/radeon: fix panel scaling with eDP and LVDS bridges
    - LP: #1240580
  * cifs: fix filp leak in cifs_atomic_open()
    - LP: #1240580
  * net: usb: cdc_ether: Use wwan interface for Telit modules
    - LP: #1240580
  * usb: gadget: fix a bug and a WARN_ON in dummy-hcd
    - LP: #1240580
  * drm/i915: do not update cursor in crtc mode set
    - LP: #1240580
  * drm/i915: Don't enable the cursor on a disable pipe
    - LP: #1240580
  * drm/ttm: fix the tt_populated check in ttm_tt_destroy()
    - LP: #1240580
  * PCI / ACPI / PM: Clear pme_poll for devices in D3cold on wakeup
    - LP: #1240580
  * serial: pch_uart: fix tty-kref leak in dma-rx path
    - LP: #1240580
  * x86, efi: Don't map Boot Services on i386
    - LP: #1240580
  * ALSA: compress: Fix compress device unregister.
    - LP: #1240580
  * dm snapshot: workaround for a false positive lockdep warning
    - LP: #1240580
  * dm-snapshot: fix performance degradation due to small hash size
    - LP: #1240580
  * drm/radeon: Make r100_cp_ring_info() and radeon_ring_gfx() safe (v2)
    - LP: #1240580
  * ARM: 7837/3: fix Thumb-2 bug in AES assembler code
    - LP: #1240580
  * x86/reboot: Add quirk to make Dell C6100 use reboot=pci automatically
    - LP: #1240580
  * drm/radeon: disable tests/benchmarks if accel is disabled
    - LP: #1240580
  * xhci: Fix oops happening after address device timeout
    - LP: #1240580
  * xhci: Ensure a command structure points to the correct trb on the command
    ring
    - LP: #1240580
  * drm/i915/dp: increase i2c-over-aux retry interval on AUX DEFER
    - LP: #1240580
  * staging: vt6656: [BUG] main_usb.c oops on device_close move flag earlier.
    - LP: #1240580
  * staging: vt6656: [BUG] iwctl_siwencodeext return if device not open
    - LP: #1240580
  * USB: UHCI: accept very late isochronous URBs
    - LP: #1240580
  * USB: OHCI: accept very late isochronous URBs
    - LP: #1240580
  * USB: fix PM config symbol in uhci-hcd, ehci-hcd, and xhci-hcd
    - LP: #1240580
  * usb/core/devio.c: Don't reject control message to endpoint with wrong
    direction bit
    - LP: #1240580
  * hwmon: (applesmc) Check key count before proceeding
    - LP: #1240580
  * fsl/usb: Resolve PHY_CLK_VLD instability issue for ULPI phy
    - LP: #1240580
  * driver core : Fix use after free of dev->parent in device_shutdown
    - LP: #1240580
  * USB: Fix breakage in ffs_fs_mount()
    - LP: #1240580
  * usb: dwc3: pci: add support for BayTrail
    - LP: #1240580
  * usb: dwc3: add support for Merrifield
    - LP: #1240580
  * ASoC: max98095: a couple array underflows
    - LP: #1240580
  * ASoC: ab8500-codec: info leak in anc_status_control_put()
    - LP: #1240580
  * ASoC: 88pm860x: array overflow in snd_soc_put_volsw_2r_st()
    - LP: #1240580
  * Bluetooth: Add a new PID/VID 0cf3/e005 for AR3012.
    - LP: #1240580
  * Bluetooth: Fix security level for peripheral role
    - LP: #1240580
  * Bluetooth: Fix encryption key size for peripheral role
    - LP: #1240580
  * Bluetooth: Add support for BCM20702A0 [0b05, 17cb]
    - LP: #1240580
  * Bluetooth: Introduce a new HCI_RFKILLED flag
    - LP: #1240580
  * rtlwifi: Align private space in rtl_priv struct
    - LP: #1240580
  * p54usb: add USB ID for Corega WLUSB2GTST USB adapter
    - LP: #1240580
  * mwifiex: fix hang issue for USB chipsets
    - LP: #1240580
  * mwifiex: fix NULL pointer dereference in usb suspend handler
    - LP: #1240580
  * fs/binfmt_elf.c: prevent a coredump with a large vm_map_count from Oopsing
    - LP: #1240580
  * nilfs2: fix issue with race condition of competition between segments for
    dirty blocks
    - LP: #1240580
  * mm: avoid reinserting isolated balloon pages into LRU lists
    - LP: #1240580
  * USB: serial: option: Ignore card reader interface on Huawei E1750
    - LP: #1240580
  * gpio/omap: maintain GPIO and IRQ usage separately
    - LP: #1240580
  * gpio/omap: auto-setup a GPIO when used as an IRQ
    - LP: #1240580
  * ib_srpt: Destroy cm_id before destroying QP.
    - LP: #1240580
  * powerpc: Fix parameter clobber in csum_partial_copy_generic()
    - LP: #1240580
  * powerpc: Restore registers on error exit from csum_partial_copy_generic()
    - LP: #1240580
  * powerpc/sysfs: Disable writing to PURR in guest mode
    - LP: #1240580
  * powerpc/iommu: Use GFP_KERNEL instead of GFP_ATOMIC in iommu_init_table()
    - LP: #1240580
  * powerpc/vio: Fix modalias_show return values
    - LP: #1240580
  * ib_srpt: always set response for task management
    - LP: #1240580
  * xen/hvc: allow xenboot console to be used again
    - LP: #1240580
  * net: Update the sysctl permissions handler to test effective uid/gid
    - LP: #1240580
  * Linux 3.8.13.11
    - LP: #1240580
 -- Brad Figg <brad.f...@canonical.com>   Mon, 21 Oct 2013 12:04:49 -0700

** Changed in: linux (Ubuntu Raring)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2147

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2889

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2893

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2894

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2895

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2897

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4343

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1238494

Title:
  Kernel panic on 3.8.0-29 when using ipvs

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Raring:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released

Bug description:
  SRU Justification:

  Impact:

  A NULL pointer dereference will occur when a user adds an IPVS service.
  This occurs since kernel 3.8.0-28.41 (Raring), after commit:

  dc7b3eb ipvs: Fix reuse connection if real server is dead

  The NULL pointer occurs when accessing the ipvs variable in line 1658:

  1658         if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest &&
  1659             unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs &&
  1660             is_new_conn(skb, &iph)) {
  1661                 ip_vs_conn_expire_now(cp);
  1662                 __ip_vs_conn_put(cp);
  1663                 cp = NULL;
  1664         }

  Mainline kernel has this variable initialised earlier, with commit:

  0c12582 ipvs: add backup_only flag to avoid loops

  Fix:

  Apply commit 0c12582 "ipvs: add backup_only flag to avoid loops" to fix
  the problem. Bug reporter has claimed success with a test kernel that
  contains this commit.

  Testcase:

  Simply running the command:

  sudo ipvsadm -A -u 10.0.50.4:53

  Will trigger the bug.

  ---

  In kernel 3.8.0-29 and higher (I've tested 3.8.0-30 and 3.8.0-31), the
  kernel panics when adding IPVS service. Specifically, when I execute
  the following command:

  sudo ipvsadm -A -u 10.0.50.4:53

  The kernel immediately panics. I've reverted the kernel to 3.8.0-27,
  and IPVS executes without a problem.

  The panic is completely reproducible, using a clean install, no extra
  packages installed, all packages upgraded.

  I've attached the apport report of the system running 3.8.0-29.

  Best,
  Luc van Donkersgoed
  ---
  AlsaDevices:
   total 0
   crw-rw---T 1 root audio 116,  1 Oct 11 10:04 seq
   crw-rw---T 1 root audio 116, 33 Oct 11 10:04 timer
  AplayDevices: Error: [Errno 2] No such file or directory
  ApportVersion: 2.9.2-0ubuntu8.3
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: [Errno 2] No such file or directory
  DistroRelease: Ubuntu 13.04
  HibernationDevice: RESUME=UUID=566497ef-0abf-42f0-85ee-988bf9ba2034
  InstallationDate: Installed on 2012-12-03 (311 days ago)
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
  IwConfig:
   eth0      no wireless extensions.

   lo        no wireless extensions.
  Lsusb: Error: command ['lsusb'] failed with exit code 1: unable to initialize libusb: -99
  MachineType: VMware, Inc. VMware Virtual Platform
  MarkForUpload: True
  Package: linux (not installed)
  PciMultimedia:

  ProcFB:

  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.8.0-31-generic root=/dev/mapper/dnslb01-root ro
  ProcVersionSignature: Ubuntu 3.8.0-31.46-generic 3.8.13.8
  RelatedPackageVersions:
   linux-restricted-modules-3.8.0-31-generic N/A
   linux-backports-modules-3.8.0-31-generic  N/A
   linux-firmware                            1.106
  RfKill: Error: [Errno 2] No such file or directory
  Tags:  raring
  Uname: Linux 3.8.0-31-generic x86_64
  UpgradeStatus: Upgraded to raring on 2013-10-10 (0 days ago)
  UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
  dmi.bios.date: 06/22/2012
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd06/22/2012:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1238494/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp