From OpenVZ Virtuozzo Containers Wiki
< Download‎ | kernel‎ | rhel5‎ | 028stab053.4
Revision as of 21:03, 20 March 2008 by Kir (talk | contribs) (created)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


  • Major mainstream security fix (CVE-2008-0001).
  • Updated to latest RHEL5 kernel (2.6.18-53.1.4.el5) -- security fixes (RHSA-2007:0993).
  • utimensat() syscall backport for new distros.
  • CPT fixes/improvements.
  • CIFS bugfix.
  • Other minor fixes.

Config changes




  • -CONFIG_FB_INTEL (was m)

Compatibility notes

  • Checkpointing file format changed; live migration to earlier kernels won't work.



Patch from Steve French <>

[CIFS] Fix oops in find_writable_file

There was a case in which find_writable_file was not waiting long enough under heavy stress when writepages was racing with close of the file handle being used by the write.

Signed-off-by: Steve French <>

X-Git-Tag: v2.6.24-rc1~1382~42


Patch from Andrey Mirkin <>

[PATCH] CPT: set correct context on socket close

Sockets should be closed in context of VE, in other case resets can be sent and connection on other side will be closed prematurely during live migration.

Bug #95113.


Patch from Andrey Mirkin <>

[PATCH] CPT: clone kernel threads for exec() with CLONE_VFORK

During checkpointing kernel threads are created to dump tmpfs with help of tar. Arguments are passed to this kernel thread from parent. If parent exits due to recieved signal then created kernel thread will get oops during access to args.

Create thread with CLONE_VFORK flag, so parent process will wait until thread will do exec().

Bug #96002.


Patch from Kirill Korotaev <>

[PATCH] CPT: rename VE -> CT (container) in user visible messages


Patch from Evgeny Kravtsunov <>

[PATCH] CPT: be carefull with MXCSR register on restore

Patch introduces rst_apply_mxcsr_mask function that is to be called from rst_restore_process for masking 6 and 16-31 bits in MXCSR register if SSE2 is not supported on destination HN.

When VE migrates from i386 HN with sse2 support to i386 HN without sse2 support (P3) we are facing general protection fault on restore process that uses fpu. The reason is described in Intel Architectures Software Developer's Manual (Volume 1 Basic Architecture):

  10.2.3 MXCSR Control and Status Register
  The 32-bit MXCSR register contains control and status information for SSE,
  SSE2, SSE3, and SSE3 SIMD floating-point operations. This register contains:
    denormals-are-zeros flag that controls how SIMD floating-point instructions
    handle denormal source operands
  Bits 16 through 31 of MXCSR register are reserved and are cleared on a
  power-up or reset of the processor; attempting to write a non-zero value to
  these bits, using either FXRSTOR or LDMXCSR instructions, will result in a
  general-protection exception (# GP) being generated.
  ... Denormals-Are-Zeros
  The denormals-are-zeros mode was introduced inthe Pentium 4 and Intel Xeon
  processor with the SSE2 extensions... In earlier IA-32 processors and in some
  models of Pentium 4 processor, this flag (bit 6) is reserved. Attempting to
  set bit 6 of the MXCSR registers on processors that do not support the DAZ
  flag will cause a general protection exception (# GP).

OpenVZ Bug #741.


Patch from Evgeny Kravtsunov <>

[PATCH] fairsched: requires timer ints even with NOHZ

We are facing hang on boot ovz-xen kernel on smp machines. Hang takes place on loading modules in stop_machine_run on waiting for completion do_stop thread (sys_init_module->stop_machine_run->__stop_machine_run-> wait_for_completion). This happens due to 1 or more of 4 physical cpus that are running idle tasks are not available for running stopmachine thread. The reason is next_timer_interrupt function prevents exiting tickless mode on an idle cpu in xen's stop_hz_timer.

The solution is to make next_timer_interrupt() return jiffies when CONFIG_SCHED_VCPU is defined. No better solution now available...

OpenVZ Bug #749.


Patch from Kirill Shileev <>

[PATCH] fs: utimensat syscall backported

Some newer glibc uses lutimes() syscall which asks for sys_utimensat(). sys_utimensat is backported from 2.6.23, with additional conversion timespec->timeval in order to get rid from "wrong pointer" warning.

OpenVZ Bug #725.


Patch from Konstantin Khorenko <>

[PATCH] xt_CONNMARK compat cleanup

The main fix is usage of xt_entry_target instead of xt_entry_match (found by Evgeny). Previous patch is still ok due to these structs are equal. Nevertheless - cleanup. Also some local variables renames: match->target.

Bug #93689.


Patch from Konstantin Khorenko <>

[PATCH] xt_MARK compat cleanup

The main change is usage of xt_entry_target instead of xt_entry_match (found by Evgeny). Previous patch is still ok due to these structs are equal. Nevertheless - cleanup. Also some local variables renames: match->target.


Patch from Vasily Averin <>

[PATCH] UBC: enhance orphan socket warnings

Messages like "Out of socket memory" disturbs the customers, they would like to know what VE generates these messages.

OpenVZ Bug #760.


Patch from Evgeny Kravtsunov <>

[PATCH] VE: ipt_hashlimit virtualization

Patch virtualizes ipt_hashlimit match:

  1. Introduced struct ve_ipt_hashlimit and corresponding _ipt_hashlimit entry in ve_struct. ve_ipt_hashlimit contains global variables from ipt_hashlimit module.
  2. Functions init_ipt_hashlimit, fini_ipt_hashlimit implemented. Current functions designed to be called from ipt_hashlimit_init/fini and hashlimit_checkentry/destroy to alloc ve_ipt_hashlimit structure and initialize/cleanup _ipt_hashlimit entry in ve_struct.
  3. Functions ipt_hashlimit_init, ipt_hashlimit_exit updated.


Patch from Kirill Korotaev <>

[PATCH] VE: rename VE -> CT (container) in user visible messages


Patch from Kirill Korotaev <>

[PATCH] fix compilation in case CONFIG_PRINTK=n

OpenVZ Bug #746.


[PATCH] VE: rename VE -> CT (container) in user visible messages.


Patch from Kostya (khorenko@):

Updates r8169 driver up to latest mainstream version.

Bug #96092.


Patch from Kirill Korotaev:

Fix intel hda compilation.

OpenVZ Bug #746.


Patch from Andrey Mirkin <>

[PATCH] CPT: Add support for netdevice hardware addresses

In current implementation netdevice hardware (MAC) address is not saved, so devices like tap will have different MAC address after restore. This will lead to creation of new local IPv6 address based on MAC address.

This patch allows to save/restore hardware addresses on all netdevices.

Also this patch changes cpt image version. This is done because of following code we have now:

                  err = rst_get_object(CPT_OBJ_NET_DEVICE, sec, &di, ctx);
                  if (err)
                          return err;
                  if (di.cpt_next > sizeof(di)) {
                          err = rst_restore_tuntap(sec, &di, ctx);
                          if (err)
                                  return err;

It was supposed that we will have only netdevice image or netdevice image and tuntap image.

With new code it will be possible to have netdevice and hwaddr image, so old kernel will consider hwaddr image as tuntap image. And will return -EINVAL while reading this image. So, migration to old kernel is prohibited, just to be sure that sensible error will be returned in this case.

Bug #96040.


Patch from Andrey Mirkin <>

[PATCH] CPT: Add support for network statistics

In current implementation network statistics are not dumped at all. This patch allows to save/restore network statistics on all supported network devices.

Statistics is restored on current cpu.


Patch from Andrey Mirkin <>

[PATCH] CPT: enhance support of veth device

In current implementation veth devices are not dumped correctly and we can lose private veth data.

This patch allows to save/restore private veth data.


Patch from Alexey Kuznetsov <>

[CPT] iterative shmem migration: restore part

It is logically simple and cannot hurt normal functionality.


Patch from Alexey Kuznetsov <>

[CPT] changes to core shmem to support iterative shmem migration

New exported function shmem_insert_page() to insert new page to shmem inode. No ifdefs. It cannot be private to CPT because triggers too much of exports.


Patch from Alexey Kuznetsov <>

[CPT] ugly struts to migrate 64bit ipc limits

Ugly mistake, only 32 bits of 64bit ipc limits migrate. Quick fix is to limit them to 0xFFFFFFFF while checkpointing.

Even uglier strut is to check for 0 limit and to promote it to something meaningful.

Probably, we can use the fact that image version is advanced, change the structure and promote this limit to 0xFFFFFFFF when we see old version.


Patch from Vasily Averin <>

[PATCH] enhance "time wait bucket table overflow" message

CTID added to the message "TCP: time wait bucket table overflow"

OpenVZ Bug #767.


Patch from Vasily Averin <>

[PATCH] kernel.cap-bound sysctl cleanup

  • proc entry is global and therefore it is ReadOnly-accessible from inside VE
  • added check for sysctl handler

OpenVZ Bug #524.


Mainstream security bug with O_TRUNC on directories.

CVE-2008-0001. Linus commit 22d699aa88897de59b33ed8579e1df8331035b86