Bug 984743 - (CVE-2013-4129) CVE-2013-4129 kernel: bridge: kernel BUG at kernel/timer.c:729
CVE-2013-4129 kernel: bridge: kernel BUG at kernel/timer.c:729
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130701,repor...
: Security
Depends On: 902454 952012 980254 1019950 1090670 1124106
Blocks: 984746
  Show dependency treegraph
 
Reported: 2013-07-15 17:01 EDT by Petr Matousek
Modified: 2015-07-27 09:26 EDT (History)
29 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-15 17:06:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2013-07-15 17:01:04 EDT
Several people reported the oops: "kernel BUG at kernel/timer.c:729!"
and the stack trace is:

    #7 [ffff880214d25c10] mod_timer+501 at ffffffff8106d905
    #8 [ffff880214d25c50] br_multicast_del_pg.isra.20+261 at ffffffffa0731d25 [bridge]
    #9 [ffff880214d25c80] br_multicast_disable_port+88 at ffffffffa0732948 [bridge]
    #10 [ffff880214d25cb0] br_stp_disable_port+154 at ffffffffa072bcca [bridge]
    #11 [ffff880214d25ce8] br_device_event+520 at ffffffffa072a4e8 [bridge]
    #12 [ffff880214d25d18] notifier_call_chain+76 at ffffffff8164aafc
    #13 [ffff880214d25d50] raw_notifier_call_chain+22 at ffffffff810858f6
    #14 [ffff880214d25d60] call_netdevice_notifiers+45 at ffffffff81536aad
    #15 [ffff880214d25d80] dev_close_many+183 at ffffffff81536d17
    #16 [ffff880214d25dc0] rollback_registered_many+168 at ffffffff81537f68
    #17 [ffff880214d25de8] rollback_registered+49 at ffffffff81538101
    #18 [ffff880214d25e10] unregister_netdevice_queue+72 at ffffffff815390d8
    #19 [ffff880214d25e30] __tun_detach+272 at ffffffffa074c2f0 [tun]
    #20 [ffff880214d25e88] tun_chr_close+45 at ffffffffa074c4bd [tun]
    #21 [ffff880214d25ea8] __fput+225 at ffffffff8119b1f1
    #22 [ffff880214d25ef0] ____fput+14 at ffffffff8119b3fe
    #23 [ffff880214d25f00] task_work_run+159 at ffffffff8107cf7f
    #24 [ffff880214d25f30] do_notify_resume+97 at ffffffff810139e1
    #25 [ffff880214d25f50] int_signal+18 at ffffffff8164f292

The bug was usually hit when shutting down a KVM guest.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f00b2e7cf241fa389733d41b6

Introduced in upstream version:
v3.11-rc1 (but we had it in Fedora because of bz#880035)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=980254
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f19&id=a993279a9bb538ae524fca69ec23c5c1b428f47e
Comment 1 Petr Matousek 2013-07-15 17:06:01 EDT
Statement:

Not vulnerable.

This issue did not affect the kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

Note You need to log in before you can comment on or make changes to this bug.