oss-sec mailing list archives

CVE Request -- Linux kernel: bridge: BUG at kernel/timer.c:729

From: Petr Matousek <pmatouse () redhat com>
Date: Mon, 15 Jul 2013 23:12:47 +0200

Several people reported the oops: "kernel BUG at kernel/timer.c:729!"
and the stack trace is:

    #7 [ffff880214d25c10] mod_timer+501 at ffffffff8106d905
    #8 [ffff880214d25c50] br_multicast_del_pg.isra.20+261 at
ffffffffa0731d25 [bridge]
    #9 [ffff880214d25c80] br_multicast_disable_port+88 at
ffffffffa0732948 [bridge]
    #10 [ffff880214d25cb0] br_stp_disable_port+154 at ffffffffa072bcca
[bridge]
    #11 [ffff880214d25ce8] br_device_event+520 at ffffffffa072a4e8
[bridge]
    #12 [ffff880214d25d18] notifier_call_chain+76 at ffffffff8164aafc
    #13 [ffff880214d25d50] raw_notifier_call_chain+22 at
ffffffff810858f6
    #14 [ffff880214d25d60] call_netdevice_notifiers+45 at
ffffffff81536aad
    #15 [ffff880214d25d80] dev_close_many+183 at ffffffff81536d17
    #16 [ffff880214d25dc0] rollback_registered_many+168 at
ffffffff81537f68
    #17 [ffff880214d25de8] rollback_registered+49 at ffffffff81538101
    #18 [ffff880214d25e10] unregister_netdevice_queue+72 at
ffffffff815390d8
    #19 [ffff880214d25e30] __tun_detach+272 at ffffffffa074c2f0 [tun]
    #20 [ffff880214d25e88] tun_chr_close+45 at ffffffffa074c4bd [tun]
    #21 [ffff880214d25ea8] __fput+225 at ffffffff8119b1f1
    #22 [ffff880214d25ef0] ____fput+14 at ffffffff8119b3fe
    #23 [ffff880214d25f00] task_work_run+159 at ffffffff8107cf7f
    #24 [ffff880214d25f30] do_notify_resume+97 at ffffffff810139e1
    #25 [ffff880214d25f50] int_signal+18 at ffffffff8164f292

The bug was usually hit when shutting down a KVM guest.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f00b2e7cf241fa389733d41b6

Introduced in upstream version:
v3.11-rc1 (but we had it in Fedora because of bz#880035)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=984743
https://bugzilla.redhat.com/show_bug.cgi?id=980254
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f19&id=a993279a9bb538ae524fca69ec23c5c1b428f47e

-- 
Petr Matousek / Red Hat Security Response Team

Current thread:

CVE Request -- Linux kernel: bridge: BUG at kernel/timer.c:729 Petr Matousek (Jul 15)
- Re: CVE Request -- Linux kernel: bridge: BUG at kernel/timer.c:729 Kurt Seifried (Jul 15)