readykernel-patch-40.4-44.0-1.vl7

vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues.

Memory cgroups were not correctly released during start/stop of a container with Docker. If the node had a significant amount of containers with Docker, this could lead to stopped containers not starting again.

Starting from v17.11, Docker checks is all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible in the containers and were not mounted there, which prevented Docker from starting properly.

It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption.

It was found that release() operation for the loop devices has insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker can use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error).

If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker may cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.