Live migration of containers failed: it could not create a tun device.
If a container used its own network namespace for tun devices, suspend/resume and live migration of the container would fail with errors like "Can't create tun device".
IPv6 routing tables incorrectly handled routing rules for throw routes.
It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to fib_rules_lookup().
Container remained mounted in some cases after 'shutdown -h now' was run inside it.
It was discovered that an incorrect container state could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused the user-space tools. As a result, a container could remain mounted after 'shutdown -h now' was run inside it.
Potential kernel crash in fs/file.c: out-of-bounds access to the file descriptor table.
ebtables: out-of-bounds write via userland offsets in ebt_entry struct.
It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space.
tcache invalidation was broken.
The fix for a race in tcache inadvertently broke tcache invalidation, leading to kernel warnings in tcache_invalidate_node_pages() among other things.
Potential kernel hang (endless loop) in try_charge().