
kernel-packages team mailing list archive

[Bug 1316729] Re: CVE-2014-1737

 

This bug was fixed in the package linux - 3.11.0-22.38

---------------
linux (3.11.0-22.38) saucy; urgency=low

  [ Brad Figg ]

  * Revert "rtlwifi: Set the link state"

linux (3.11.0-22.37) saucy; urgency=low

  [ Kamal Mostafa ]

  * Merged back Ubuntu-3.11.0-20.35 security release
  * Revert "n_tty: Fix n_tty_write crash when echoing in raw mode"
    - LP: #1314762
  * Release Tracking Bug
    - LP: #1317207

  [ Tim Gardner ]

  * [Config] d-i -- add virtio_scsi to virtio-modules
    - LP: #1315462

  [ Upstream Kernel Changes ]

  * n_tty: Fix n_tty_write crash when echoing in raw mode
    - LP: #1314762
    - CVE-2014-0196
  * floppy: ignore kernel-only members in FDRAWCMD ioctl input
    - LP: #1316729
    - CVE-2014-1737
  * floppy: don't write kernel-only members to FDRAWCMD ioctl output
    - LP: #1316735
    - CVE-2014-1738

linux (3.11.0-21.35) saucy; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1313831

  [ Upstream Kernel Changes ]

  * Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines."
    - LP: #1311196
  * rds: prevent dereference of a NULL device in rds_iw_laddr_check
    - LP: #1302222
    - CVE-2014-2678
  * ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2
    - LP: #1311196
  * ALSA: oxygen: Xonar DG(X): modify DAC routing
    - LP: #1311196
  * jiffies: Avoid undefined behavior from signed overflow
    - LP: #1311196
  * mac80211: send control port protocol frames to the VO queue
    - LP: #1311196
  * mac80211: fix AP powersave TX vs. wakeup race
    - LP: #1311196
  * iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails
    - LP: #1311196
  * mwifiex: clean pcie ring only when device is present
    - LP: #1311196
  * mwifiex: add NULL check for PCIe Rx skb
    - LP: #1311196
  * mwifiex: fix cmd and Tx data timeout issue for PCIe cards
    - LP: #1311196
  * ath9k: protect tid->sched check
    - LP: #1311196
  * ath9k: Fix ETSI compliance for AR9462 2.0
    - LP: #1311196
  * mac80211: don't validate unchanged AP bandwidth while tracking
    - LP: #1311196
  * regulator: core: Replace direct ops->enable usage
    - LP: #1311196
  * regulator: core: Replace direct ops->disable usage
    - LP: #1311196
  * iwlwifi: mvm: change of listen interval from 70 to 10
    - LP: #1311196
  * iwlwifi: fix TX status for aggregated packets
    - LP: #1311196
  * genirq: Remove racy waitqueue_active check
    - LP: #1311196
  * sched: Fix double normalization of vruntime
    - LP: #1311196
  * cpuset: fix a locking issue in cpuset_migrate_mm()
    - LP: #1311196
  * cpuset: fix a race condition in __cpuset_node_allowed_softwall()
    - LP: #1311196
  * mac80211: fix association to 20/40 MHz VHT networks
    - LP: #1311196
  * firewire: net: fix use after free
    - LP: #1311196
  * mwifiex: do not advertise usb autosuspend support
    - LP: #1311196
  * ACPI / resources: ignore invalid ACPI device resources
    - LP: #1311196
  * NFS: Fix a delegation callback race
    - LP: #1311196
  * spi: spi-ath79: fix initial GPIO CS line setup
    - LP: #1311196
  * ALSA: hda - Added inverted digital-mic handling for Acer TravelMate
    8371
    - LP: #1311196
  * drm/i915: fix pch pci device enumeration
    - LP: #1311196
  * can: flexcan: fix shutdown: first disable chip, then all interrupts
    - LP: #1311196
  * can: flexcan: flexcan_open(): fix error path if flexcan_chip_start()
    fails
    - LP: #1311196
  * can: flexcan: Check the return value from clk_prepare_enable()
    - LP: #1311196
  * can: flexcan: fix transition from and to low power mode in
    chip_{en,dis}able
    - LP: #1311196
  * can: flexcan: factor out transceiver {en,dis}able into seperate
    functions
    - LP: #1311196
  * can: flexcan: fix transition from and to freeze mode in
    chip_{,un}freeze
    - LP: #1311196
  * drm/i915: vlv: reserve GT power context early
    - LP: #1311196
  * drm/i915: Reject >165MHz modes w/ DVI monitors
    - LP: #1311196
  * tracing: Do not add event files for modules that fail tracepoints
    - LP: #1311196
  * mm: include VM_MIXEDMAP flag in the VM_SPECIAL list to avoid
    m(un)locking
    - LP: #1311196
  * ocfs2: fix quota file corruption
    - LP: #1311196
  * zram: avoid null access when fail to alloc meta
    - LP: #1311196
  * rapidio/tsi721: fix tasklet termination in dma channel release
    - LP: #1311196
  * iscsi-target: Fix iscsit_get_tpg_from_np tpg_state bug
    - LP: #1311196
  * iscsi-target: Perform release of acknowledged tags from RX context
    - LP: #1311196
  * iscsi/iser-target: Use list_del_init for ->i_conn_node
    - LP: #1311196
  * pinctrl: sunxi: use chained_irq_{enter, exit} for GIC compatibility
    - LP: #1311196
  * ALSA: hda - Add missing loopback merge path for AD1884/1984 codecs
    - LP: #1311196
  * ALSA: usb-audio: Add quirk for Logitech Webcam C500
    - LP: #1311196
  * NFSv4: nfs4_stateid_is_current should return 'true' for an invalid
    stateid
    - LP: #1311196
  * ACPI / EC: Fix incorrect placement of __initdata
    - LP: #1311196
  * firewire: ohci: beautify some macro definitions
    - LP: #1311196
  * firewire: ohci: fix probe failure with Agere/LSI controllers
    - LP: #1311196
  * drm/radeon: TTM must be init with cpu-visible VRAM, v2
    - LP: #1311196
  * drm/radeon/dpm: fix typo in EVERGREEN_SMC_FIRMWARE_HEADER_softRegisters
    - LP: #1311196
  * drm/radeon/atom: select the proper number of lanes in transmitter setup
    - LP: #1311196
  * powerpc/tm: Fix crash when forking inside a transaction
    - LP: #1311196
  * powerpc: Align p_dyn, p_rela and p_st symbols
    - LP: #1311196
  * firewire: don't use PREPARE_DELAYED_WORK
    - LP: #1311196
  * libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus
    SpinPoint M8 (2BA30001)
    - LP: #1311196
  * usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e
    - LP: #1311196
  * usb: Make DELAY_INIT quirk wait 100ms between Get Configuration
    requests
    - LP: #1311196
  * ARM: fix noMMU kallsyms symbol filtering
    - LP: #1311196
  * ARM: 7991/1: sa1100: fix compile problem on Collie
    - LP: #1311196
  * x86: Ignore NMIs that come in during early boot
    - LP: #1311196
  * x86: fix compile error due to X86_TRAP_NMI use in asm files
    - LP: #1311196
  * drm/radeon: re-order firmware loading in preparation for dpm rework
    - LP: #1311196
  * net-tcp: fastopen: fix high order allocations
    - LP: #1311196
  * neigh: recompute reachabletime before returning from
    neigh_periodic_work()
    - LP: #1311196
  * virtio-net: alloc big buffers also when guest can receive UFO
    - LP: #1311196
  * ipv6: reuse ip6_frag_id from ip6_ufo_append_data
    - LP: #1311196
  * sfc: check for NULL efx->ptp_data in efx_ptp_event
    - LP: #1311196
  * ipv6: ipv6_find_hdr restore prev functionality
    - LP: #1311196
  * tg3: Don't check undefined error bits in RXBD
    - LP: #1311196
  * net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    - LP: #1311196
  * s390/dasd: hold request queue sysfs lock when calling elevator_init()
    - LP: #1311196
  * iwlwifi: mvm: don't WARN when statistics are handled late
    - LP: #1311196
  * mac80211: clear sequence/fragment number in QoS-null frames
    - LP: #1311196
  * mwifiex: copy AP's HT capability info correctly
    - LP: #1311196
  * mwifiex: save and copy AP's VHT capability info correctly
    - LP: #1311196
  * net: unix socket code abuses csum_partial
    - LP: #1311196
  * ibmveth: Fix endian issues with MAC addresses
    - LP: #1311196
  * [SCSI] isci: fix reset timeout handling
    - LP: #1311196
  * [SCSI] isci: correct erroneous for_each_isci_host macro
    - LP: #1311196
  * [SCSI] qla2xxx: Poll during initialization for ISP25xx and ISP83xx
    - LP: #1311196
  * ocfs2 syncs the wrong range...
    - LP: #1311196
  * mm/compaction: break out of loop on !PageBuddy in
    isolate_freepages_block
    - LP: #1311196
  * fs/proc/base.c: fix GPF in /proc/$PID/map_files
    - LP: #1311196
  * vmxnet3: fix netpoll race condition
    - LP: #1311196
  * [SCSI] storvsc: NULL pointer dereference fix
    - LP: #1311196
  * PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not
    enabled
    - LP: #1311196
  * KVM: SVM: fix cr8 intercept window
    - LP: #1311196
  * dm cache: fix truncation bug when copying a block to/from >2TB fast
    device
    - LP: #1311196
  * dm cache: fix access beyond end of origin device
    - LP: #1311196
  * drm/ttm: don't oops if no invalidate_caches()
    - LP: #1311196
  * drm/radeon/cik: properly set sdma ring status on disable
    - LP: #1311196
  * drm/radeon/cik: stop the sdma engines in the enable() function
    - LP: #1311196
  * drm/radeon/cik: properly set compute ring status on disable
    - LP: #1311196
  * vmxnet3: fix building without CONFIG_PCI_MSI
    - LP: #1311196
  * ACPI / sleep: Add extra checks for HW Reduced ACPI mode sleep states
    - LP: #1311196
  * i2c: Remove usage of orphaned symbol OF_I2C
    - LP: #1311196
  * x86/amd/numa: Fix northbridge quirk to assign correct NUMA node
    - LP: #1311196
  * ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation
    - LP: #1311196
  * MIPS: include linux/types.h
    - LP: #1311196
  * iwlwifi: disable TX AMPDU by default for iwldvm
    - LP: #1311196
  * ARM: 7864/1: Handle 64-bit memory in case of 32-bit phys_addr_t
    - LP: #1311196
  * ARM: ignore memory below PHYS_OFFSET
    - LP: #1311196
  * iscsi/iser-target: Fix isert_conn->state hung shutdown issues
    - LP: #1311196
  * iser-target: Fix post_send_buf_count for RDMA READ/WRITE
    - LP: #1311196
  * memcg: reparent charges of children before processing parent
    - LP: #1311196
  * PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures
    - LP: #1311196
  * Btrfs: fix data corruption when reading/updating compressed extents
    - LP: #1311196
  * x86, fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU
    - LP: #1311196
  * Fix mountpoint reference leakage in linkat
    - LP: #1311196
  * clocksource: vf_pit_timer: use complement for sched_clock reading
    - LP: #1311196
  * drm/i915: Disable stolen memory when DMAR is active
    - LP: #1311196
  * ALSA: compress: Pass through return value of open ops callback
    - LP: #1311196
  * tracing: Fix array size mismatch in format string
    - LP: #1311196
  * net: davinci_emac: Replace devm_request_irq with request_irq
    - LP: #1311196
  * printk: fix syslog() overflowing user buffer
    - LP: #1311196
  * i2c: cpm: Fix build by adding of_address.h and of_irq.h
    - LP: #1311196
  * net: mvneta: rename MVNETA_GMAC2_PSC_ENABLE to MVNETA_GMAC2_PCS_ENABLE
    - LP: #1311196
  * net: mvneta: fix usage as a module on RGMII configurations
    - LP: #1311196
  * Input: synaptics - add manual min/max quirk
    - LP: #1311196
  * Input: synaptics - add manual min/max quirk for ThinkPad X240
    - LP: #1311196
  * x86: fix boot on uniprocessor systems
    - LP: #1311196
  * Input: mousedev - fix race when creating mixed device
    - LP: #1311196
  * ext4: atomically set inode->i_flags in ext4_set_inode_flags()
    - LP: #1311196
  * libceph: rename ceph_msg::front_max to front_alloc_len
    - LP: #1311196
  * libceph: rename front to front_len in get_reply()
    - LP: #1311196
  * libceph: fix preallocation check in get_reply()
    - LP: #1311196
  * ASoC: max98090: make REVISION_ID readable
    - LP: #1311196
  * libceph: block I/O when PAUSE or FULL osd map flags are set
    - LP: #1311196
  * libceph: resend all writes after the osdmap loses the full flag
    - LP: #1311196
  * [media] cxusb: unlock on error in cxusb_i2c_xfer()
    - LP: #1311196
  * [media] cx18: check for allocation failure in cx18_read_eeprom()
    - LP: #1311196
  * [media] dw2102: some missing unlocks on error
    - LP: #1311196
  * deb-pkg: Fix cross-building linux-headers package
    - LP: #1311196
  * p54: clamp properly instead of just truncating
    - LP: #1311196
  * x86: bpf_jit: support negative offsets
    - LP: #1311196
  * KVM: x86: handle invalid root_hpa everywhere
    - LP: #1311196
  * can: flexcan: flexcan_remove(): add missing netif_napi_del()
    - LP: #1311196
  * mmc: sdhci: fix lockdep error in tuning routine
    - LP: #1311196
  * HID:hid-lg4ff: Initialize device properties before we touch
    autocentering.
    - LP: #1311196
  * Linux 3.11.10.7
    - LP: #1311196
  * Input: cypress_ps2 - don't report as a button pads
    - LP: #1311196
  * netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
    - LP: #1311196
  * cpufreq: Fix timer/workqueue corruption due to double queueing
    - LP: #1311196
  * futex: Allow architectures to skip futex_atomic_cmpxchg_inatomic() test
    - LP: #1311196
  * m68k: Skip futex_atomic_cmpxchg_inatomic() test
    - LP: #1311196
  * powernow-k6: disable cache when changing frequency
    - LP: #1311196
  * powernow-k6: correctly initialize default parameters
    - LP: #1311196
  * powernow-k6: reorder frequencies
    - LP: #1311196
  * selinux: correctly label /proc inodes in use before the policy is
    loaded
    - LP: #1311196
  * net: fix for a race condition in the inet frag code
    - LP: #1311196
  * net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
    - LP: #1311196
  * bridge: multicast: add sanity check for query source addresses
    - LP: #1311196
  * inet: frag: make sure forced eviction removes all frags
    - LP: #1311196
  * net: unix: non blocking recvmsg() should not return -EINTR
    - LP: #1311196
  * ipv6: Fix exthdrs offload registration.
    - LP: #1311196
  * ipv6: don't set DST_NOCOUNT for remotely added routes
    - LP: #1311196
  * vlan: Set correct source MAC address with TX VLAN offload enabled
    - LP: #1311196
  * tcp: tcp_release_cb() should release socket ownership
    - LP: #1311196
  * net: socket: error on a negative msg_namelen
    - LP: #1311196
  * ipv6: Avoid unnecessary temporary addresses being generated
    - LP: #1311196
  * ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment
    properly
    - LP: #1311196
  * vxlan: fix potential NULL dereference in arp_reduce()
    - LP: #1311196
  * rtnetlink: fix fdb notification flags
    - LP: #1311196
  * ipmr: fix mfc notification flags
    - LP: #1311196
  * ip6mr: fix mfc notification flags
    - LP: #1311196
  * netpoll: fix the skb check in pkt_is_ns
    - LP: #1311196
  * tg3: Do not include vlan acceleration features in vlan_features
    - LP: #1311196
  * usbnet: include wait queue head in device structure
    - LP: #1311196
  * vlan: Set hard_header_len according to available acceleration
    - LP: #1311196
  * vhost: fix total length when packets are too short
    - LP: #1311196
    - CVE-2014-0077
  * vhost: validate vhost_get_vq_desc return value
    - LP: #1311196
    - CVE-2014-0055
  * xen-netback: remove pointless clause from if statement
    - LP: #1311196
  * ipv6: some ipv6 statistic counters failed to disable bh
    - LP: #1311196
  * netlink: don't compare the nul-termination in nla_strcmp
    - LP: #1311196
  * isdnloop: Validate NUL-terminated strings from user.
    - LP: #1311196
  * isdnloop: several buffer overflows
    - LP: #1311196
  * cpuidle: Check the result of cpuidle_get_driver() against NULL
    - LP: #1311196
  * sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on
    Simba-bridges
    - LP: #1311196
  * sparc32: fix build failure for arch_jump_label_transform
    - LP: #1311196
  * sparc64: don't treat 64-bit syscall return codes as 32-bit
    - LP: #1311196
  * sparc64: Make sure %pil interrupts are enabled during hypervisor yield.
    - LP: #1311196
  * netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
    - LP: #1311196
  * netfilter: Can't fail and free after table replacement
    - LP: #1311196
  * crypto: ghash-clmulni-intel - use C implementation for setkey()
    - LP: #1311196
  * Linux 3.11.10.8
    - LP: #1311196
  * net: ipv4: current group_info should be put after using.
    - CVE-2014-2851

  [ Wen-chien Jesse Sung ]

  * SAUCE: Bluetooth: Give restart command more time to complete its job
    - LP: #1301908
 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>   Thu, 15 May 2014 11:08:09 -0700

** Changed in: linux (Ubuntu Saucy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Released
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Released
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux-armadaxp” source package in Precise:
  Fix Released
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Released
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
  kernel through 3.14.3 does not properly handle error conditions during
  processing of an FDRAWCMD ioctl call, which allows local users to
  trigger kfree operations and gain privileges by leveraging write
  access to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin.
  This function kmallocs space for a floppy_raw_cmd structure and stores
  the resulting allocation in the "rcmd" pointer argument. It then
  attempts to copy_from_user the structure from userspace. If this
  fails, an early EFAULT return is taken. The problem is that even if
  the early return is taken, the pointer to the non-/partially-
  initialized floppy_raw_cmd structure has already been returned via the
  "rcmd" pointer. Back out in raw_cmd_ioctl, it attempts to raw_cmd_free
  this pointer. raw_cmd_free attempts to free any DMA pages allocated
  for the raw command, kfrees the raw command structure itself, and
  follows the linked list, if any, of further raw commands (a user can
  specify the FD_RAW_MORE flag to signal that there are more raw
  commands to follow in a single FDRAWCMD ioctl). So, a malicious user
  can send an FDRAWCMD ioctl with a raw command argument structure that
  has some bytes inaccessible (i.e. off the end of an allocated page).
  The copy_from_user will fail but raw_cmd_free will attempt to process
  the floppy_raw_cmd as if it had been fully initialized by the rest of
  raw_cmd_copyin. The user can control the arguments passed to
  fd_dma_mem_free and kfree (by making use of the linked-list feature
  and specifying the target address as a next-in-list structure).

  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions
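
The failure mode in the bug description above, modelled in user space as an added example (not code from the kernel, the Ubuntu package or this notification): a copy-in routine publishes its allocation through "rcmd" before a partial copy faults, and a cleanup pass then finds caller-supplied values in the kernel-only pointers. The struct layout and the names model_raw_cmd, model_copy_from_user, model_copyin, cleanup_targets and run_case are assumptions made for illustration; with hardened set, the kernel-only members are reset before the error return, the approach named by the changelog entry "floppy: ignore kernel-only members in FDRAWCMD ioctl input".

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct floppy_raw_cmd (hypothetical layout). */
struct model_raw_cmd {
    unsigned int flags;
    void *kernel_data;           /* kernel-only: DMA buffer to release */
    struct model_raw_cmd *next;  /* kernel-only: next raw command */
    long buffer_length;          /* kernel-only */
};

/* Stand-in for copy_from_user(): returns the number of bytes not copied. */
static size_t model_copy_from_user(void *dst, const void *src, size_t n,
                                   size_t readable)
{
    size_t ok = readable < n ? readable : n;  /* only `readable` bytes mapped */
    memcpy(dst, src, ok);
    return n - ok;
}

/* hardened == 0: early return on fault, as in the description.
 * hardened == 1: kernel-only members are reset before any error return. */
static int model_copyin(struct model_raw_cmd **rcmd, const void *param,
                        size_t readable, int hardened)
{
    struct model_raw_cmd *ptr = malloc(sizeof(*ptr));
    size_t left;
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;                 /* caller sees the allocation already */
    left = model_copy_from_user(ptr, param, sizeof(*ptr), readable);
    if (left && !hardened)
        return -EFAULT;          /* copied user bytes stay in the struct */
    ptr->next = NULL;
    ptr->kernel_data = NULL;
    ptr->buffer_length = 0;
    return left ? -EFAULT : 0;
}

/* Number of pointers a raw_cmd_free-style cleanup would act on. */
static int cleanup_targets(const struct model_raw_cmd *c)
{
    return (c->kernel_data != NULL) + (c->next != NULL);
}

/* Constructed input: a user struct whose last field is unreadable. */
static int run_case(int hardened, int *ret_out)
{
    static struct model_raw_cmd other;   /* stands for a caller-chosen address */
    struct model_raw_cmd user = { 0, &other, &other, 0 };
    struct model_raw_cmd *rcmd = NULL;
    size_t readable = offsetof(struct model_raw_cmd, buffer_length);

    *ret_out = model_copyin(&rcmd, &user, readable, hardened);
    int targets = rcmd ? cleanup_targets(rcmd) : -1;
    free(rcmd);                  /* release only the model's own allocation */
    return targets;
}

int main(void)
{
    int ret;
    printf("early return: %d cleanup targets\n", run_case(0, &ret));
    printf("reset first:  %d cleanup targets\n", run_case(1, &ret));
    return 0;
}
```

Both variants report -EFAULT to the caller; the difference is only in what the cleanup path is left holding.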

