From OpenVZ Virtuozzo Containers Wiki




Patch from Vasily:

This patch prevents enabling 64-bit DMA on the Megaraid SATA 150-4 controller because it does not support 64-bit DMA.

Bug #52530.


Patch prepared by Vasily, based on Linux mainstream patches.

Linux Kernel "proc/base.c" Userspace Interaction Local Privilege Escalation Vulnerability:

A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in the "pid_revalidate()" and "tid_fd_revalidate()" [fs/proc/base.c] functions, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.

Fixed in and and mainstream kernels.

Bug #65414.


Patch from mainstream:
[PATCH] __group_complete_signal: remove bogus BUG_ON

[PATCH] RCU signal handling
made this BUG_ON() unsafe. This code runs under ->siglock, while switch_exec_pids() takes tasklist_lock.

Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>


Bug #64343.


Patch from Vasily Averin:
found by Andrey Savochkin using a testcase created by Dmitry Monakhov:
fixed ext3 block bitmap leakage, the cause of the following fsck messages: Block bitmap differences: -64159 -73707

Bug #64460.

linux-2.6.18-sky2-1.4.patch, diff-drv-sky2-backport-20060714

Patch prepared by Kostja:
sky driver updated to version 1.4.
Many bugs fixed, in particular interface unavailability after "transmit interrupt missed" error.

Sources were taken from mainstream 2.6.18-rc1-git8.

Obsoletes linux-

Bug #60787.


Patch prepared by Kostja:
drbd driver updated to version 0.7.20.
Sources were taken from
Incremental from linux-

Bug #57086.


Patch from Pavel:
fixed issue triggered by 'RCU signal handling' exploit:
"Fix of signal_struct->curr_target value after __exit_signal(). When task calls __exit_signal() it moves curr_target pointer on the next thread. If task isn't changed - this pointer must be set to NULL. Otherwise race:

sys_execve()                                        sys_kill()
...                                                 ...
/* at this point thread and leader
* have shared signal_struct but split
* (empty) pids lists
sig->curr_target = next_thread(tsk);
/* at this point curr_target is set to
* tsk since its PID_TYPE_TGID list is
* empty
                                        `- t = p->signal->curr_target
                                        /* t is the task which tries to
                                         * exit on the 1st cpu so its
                                         * memory may already be freed

Bug #65473.
Bug #64343.
Bug #64479.
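
The curr_target fix described in the entry above, as an added user-space C model (not the patch itself and not kernel code). The struct layouts and the helpers pick_target() and sender_picks_exiting() are assumptions made for illustration; only curr_target, next_thread() and the NULL rule come from the description.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model: names follow the page, structures are assumed. */
struct signal_struct { struct task *curr_target; };
struct task {
    struct task *next;            /* circular thread list */
    struct signal_struct *signal;
};

static struct task *next_thread(struct task *t) { return t->next; }

/* Racy behaviour: always advance curr_target to the next thread. */
static void exit_signal_before(struct task *tsk)
{
    if (tsk->signal->curr_target == tsk)
        tsk->signal->curr_target = next_thread(tsk);
}

/* Fixed behaviour: if advancing did not change the task, store NULL. */
static void exit_signal_fixed(struct task *tsk)
{
    exit_signal_before(tsk);
    if (tsk->signal->curr_target == tsk)
        tsk->signal->curr_target = NULL;
}

/* Sender side (assumed): fall back to p when no target is recorded. */
static struct task *pick_target(struct task *p)
{
    struct task *t = p->signal->curr_target;
    return t ? t : (p->signal->curr_target = p);
}

/* Constructed scenario: p and the exiting task share sig, but the exiting
 * task's list is empty (links only to itself). 1 = sender picks it. */
static int sender_picks_exiting(int use_fix)
{
    struct signal_struct sig;
    struct task p = { &p, &sig }, exiting = { &exiting, &sig };
    sig.curr_target = &exiting;
    if (use_fix) exit_signal_fixed(&exiting); else exit_signal_before(&exiting);
    return pick_target(&p) == &exiting;
}

int main(void)
{
    printf("before=%d fixed=%d\n", sender_picks_exiting(0), sender_picks_exiting(1));
    return 0;
}
```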


Patch from mainstream, prepared by Pavel:
fixed issue triggered by 'RCU signal handling' exploit:
[PATCH] fix do_wait() vs exec() race

When non-leader thread does exec, de_thread adds old leader to the init's ->children list in EXIT_ZOMBIE state and drops tasklist_lock.

This means that release_task(leader) in de_thread() is racy vs do_wait() from init task.

I think de_thread() should set old leader's state to EXIT_DEAD instead.

Signed-off-by: Oleg Nesterov <>
Cc: george anzinger <>
Cc: Roland Dreier <>
Cc: Ingo Molnar <>
Cc: Linus Torvalds <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>

Bug #64343.
Bug #64684.
Bug #65473.