IPv6 routing tables incorrectly handled routing rules for throw routes.
It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup().
Container remained mounted in some cases after 'shutdown -h now' in it.
It was discovered that incorrect state of a container could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused the user-space tools. As a result, a container could remain mounted after 'shutdown -h now' in it.
ebtables: out-of-bounds write via userland offsets in ebt_entry struct.
It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from the user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space.
Potential kernel hang (lockup) during destruction of cgroups.
'memory' and 'memsw' counters could be overcharged when the limit of 'kmem' counter was reached. This would result in a kernel lockup during destruction of cgroups.
Potential kernel hang (endless loop) in try_charge().
Ploop: some IO requests were not marked as completed in case of errors.
High cpu usage in isolate_freepages_block().
vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues.
Memcg swpin/swpout stats were calculated incorrectly.
Memory cgroups were not released when starting/stopping a container with Docker.
Memory cgroups were not correctly released during start/stop of a container with Docker. If the node had a significant amount of containers with Docker, this could lead to stopped containers not starting again.
Hard lockups happened when the kernel was processing SAK (Secure Attention Key).
Docker v17.11 and newer failed to start in a container.
Starting from v17.11, Docker checks is all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible in the containers and were not mounted there, which prevented Docker from starting properly.
Kernel crash in mem_cgroup_iter().
Potential denial of service due to extensive memory consumption.
It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption.
loop: potential data race between open() and release() leading to use-after-free.
It was found that release() operation for the loop devices has insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker can use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error).
netfilter: Use-after-free in tcpmss_mangle_packet().
If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker may cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.