Article ID: 112426, created on Sep 30, 2011, last review on May 3, 2014

Applies to:
  • Virtuozzo containers for Linux 4.7

Release notes

Synopsis:          New Parallels Virtuozzo Containers 4.7 kernel provides an
                   update with security and stability fixes.
Issue date:        2011-09-30
Product:           Parallels Virtuozzo Containers 4.7
Keywords:          'bugfixing' 'stability' 'security'


This document provides information on the new Parallels Virtuozzo Containers 4.7
kernel, version 2.6.32-042stab037.1.


1. About This Release
2. Update Description
3. Obtaining a New Kernel
4. Required RPMs
5. References



1. About This Release

The current update for the Parallels Virtuozzo Containers 4.7 kernel provides a
new kernel based on the Red Hat 6.1 kernel (2.6.32-131.12.1.el6). The updated
kernel includes a number of security and stability fixes.



2. Update Description

This update contains fixes for the following issues:

* Synchronization on the ext4 sync() code has been enhanced; the
  sync_filesystem() warning is not shown any more. (PCLIN-29754)

* A read operation from /proc/self/mountinfo in a Container could return
  garbage data. (PCLIN-29979)

* I/O statistics shown when disk activity is low have been enhanced.

* The error path of a kernel thread start has been fixed to avoid possible
  kernel panics that might occur when users were stopping their Containers.

* Suspending or restoring a Container where one or more processes were using
  huge pages could cause a kernel panic. (PCLIN-29999, OVZ# 1959)

* A Hardware Node could get a soft lockup on a Container restore operation
  due to a bug in the asynchronous I/O context restore code. (OVZ# 1962)

* An NFS server running in a Container could cause a kernel panic due
  to a number of bugs. (PCLIN-30002, PCLIN-30024)

* An NFS server running in a Container could lead to an infinite loop in some
  kernel threads, for example, in kthreadd, khelper, and nfsiod.

* The modification time was not updated for memory-mapped files. (PCLIN-30015)

* The OOM algorithm has been improved to skip tasks frozen by the checkpointing
  mechanism to free memory on the Node more efficiently. (PCLIN-30026)

* The Container's 'directory cache shrinking' algorithm has been enhanced to
  work more efficiently when a Container is experiencing local memory
  pressure. In addition, VZFS magic file dentries are now shrunk last of all to
  provide better performance. (PCLIN-29410)

* A livelock could occur in the memory reclaimer code when a
  Container was experiencing heavy memory pressure and had a lot of small
  objects in its memory. (PCLIN-29877)

* A Node could hang due to a possible deadlock in the scheduler code.
  (PSBM-9276, OVZ# 1954)

* The kernel bug "BUG: Bad page state in process ..." has been fixed.
  (PCLIN-29919, OVZ# 1843)

* "vzquota" has been disabled for the Hardware Node itself. This
  fixes the problem when messages similar to the following are added to logs:
  "BUG: Quota files for 0 are broken: no quota engine running". (PCLIN-30004)

* Running the 'vzcache' utility could make the kernel produce assert messages
  similar to the following:
  "WARNING: at ...fs/vefs/file.c:1119 vefs_cache_private...". (PCLIN-30005)

* A new interface for the PMC-Sierra's SRC based controller family has been
  added to the aacraid driver. (PCLIN-30060)

* A kernel BUG could be triggered on 32-bit systems due to a bug in the CFQ I/O
  scheduler. (OVZ# 1964)

* The issue with disabling the Hardware Node connection tracking functionality
  using the "ip_conntrack_disable_ve0" option of the "nf_conntrack" kernel
  module has been fixed. (PCLIN-29539)
  Note: Unlike Parallels Virtuozzo Containers 4.6, in version 4.7, the
        connection tracking functionality for the Hardware Node is enabled
        by default.

* It was impossible to access Parallels Power Panel if the last octet in
  the Container IP address was greater than 239. (PCLIN-30069)

* A kernel deadlock could occur in asynchronous I/O code if the Node
  had the "O_DIRECT" feature enabled. This feature is managed by the
  "fs.odirect_enable" sysctl and is disabled by default. (PCLIN-29989)

This update also contains fixes for the following security issues:

* Flaw in the client-side NLM implementation could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

* Integer underflow in the Bluetooth implementation could allow a remote
  attacker to cause a denial of service or escalate their privileges by sending
  a specially-crafted request to a target system via Bluetooth.
  (CVE-2011-2497, Important)

* Buffer overflows in the netlink-based wireless configuration interface
  implementation could allow a local user, who has the CAP_NET_ADMIN
  capability, to cause a denial of service or escalate their privileges on
  systems that have an active wireless interface. (CVE-2011-2517, Important)

* Flaw in the way the maximum file offset was handled for ext4 file systems
  could allow a local, unprivileged user to cause a denial of service.
  (CVE-2011-2695, Important)

* Flaw allowed napi_reuse_skb() to be called on VLAN packets. An attacker
  on the local network could use this flaw to send crafted packets to a target,
  possibly causing a denial of service. (CVE-2011-1576, Moderate)

* Integer signedness error in next_pidmap() could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)

* A race condition in the memory merging support (KSM) could allow a local,
  unprivileged user to cause a denial of service. KSM is off by default, but on
  systems running VDSM, or on KVM hosts, it is likely turned on by the
  ksm/ksmtuned services. (CVE-2011-2183, Moderate)

* Flaw in inet_diag_bc_audit() could allow a local, unprivileged user to
  cause a denial of service. (CVE-2011-2213, Moderate)

* Flaw in the way space was allocated in the Global File System 2 (GFS2)
  implementation. If the file system was almost full, and a local, unprivileged
  user made an fallocate() request, it could result in a denial of service.
  Setting quotas to prevent users from using all available disk space would
  prevent exploitation of this flaw. (CVE-2011-2689, Moderate)

* Local, unprivileged users could send signals via the sigqueueinfo system
  call, with si_code set to SI_TKILL and with spoofed process and user IDs, to
  other processes. This flaw does not allow existing permission checks to be
  bypassed; signals can only be sent if your privileges allow you to already do
  so. (CVE-2011-1182, Low)

* Heap overflow in the EFI GUID Partition Table (GPT) implementation could
  allow a local attacker to cause a denial of service by mounting a disk
  containing crafted partition tables. (CVE-2011-1776, Low)

* Structure padding in two structures in the Bluetooth implementation was
  not initialized properly before being copied to user-space, possibly allowing
  local, unprivileged users to leak kernel stack memory to user-space.
  (CVE-2011-2492, Low)

* /proc/[PID]/io is world-readable by default. Previously, these files
  could be read without any further restrictions. A local, unprivileged user
  could read these files, belonging to other, possibly privileged processes to
  gather confidential information, such as the length of a password used in a
  process. (CVE-2011-2495, Low)



3. Obtaining a New Kernel

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.7 distribution set.
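
To confirm whether a Hardware Node already runs a kernel at or above the build named in this document, the following added example (not Parallels code) compares a kernel release string against 2.6.32-042stab037.1 and reports the KSM state relevant to CVE-2011-2183. It assumes release strings follow the 2.6.32-042stabNNN.M pattern shown above, that a higher stab number on the same branch carries the earlier fixes, and that KSM is controlled through the standard /sys/kernel/mm/ksm/run file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Parallels code): compare a Virtuozzo 4.7 kernel release
# with the fixed build named in these release notes.
FIXED_RELEASE="2.6.32-042stab037.1"

# Print "base branch stab minor" for a release such as 2.6.32-042stab037.1,
# with leading zeros dropped; print nothing if the string has another shape.
parse_vz_release() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9.]*\)-0*\([0-9][0-9]*\)stab0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*$/\1 \2 \3 \4/p'
}

# Exit status: 0 = $1 is at or above $2, 1 = older, 2 = not comparable
# (unparsable string, or a different base version or stab branch).
vz_release_at_least() {
    have=$(parse_vz_release "$1")
    want=$(parse_vz_release "$2")
    [ -n "$have" ] && [ -n "$want" ] || return 2
    # Word splitting is intended: four fields from each release.
    set -- $have $want
    [ "$1" = "$5" ] && [ "$2" = "$6" ] || return 2
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# Report KSM state from /sys/kernel/mm/ksm/run: 1 means ksmd is running,
# any other value means it is stopped; a missing file means no KSM support.
ksm_state() {
    f=${1:-/sys/kernel/mm/ksm/run}
    [ -r "$f" ] || { echo absent; return 0; }
    case $(cat "$f") in
        1) echo on ;;
        *) echo off ;;
    esac
}

check_node() {
    running=${1:-$(uname -r)}
    rc=0
    vz_release_at_least "$running" "$FIXED_RELEASE" || rc=$?
    case $rc in
        0) echo "$running: at or above $FIXED_RELEASE" ;;
        1) echo "$running: older than $FIXED_RELEASE, update needed" ;;
        *) echo "$running: not a 2.6.32-042stab kernel, cannot compare" ;;
    esac
    echo "KSM: $(ksm_state)"
}

check_node "$@"
```

Run it without arguments on the Node to check the booted kernel, or pass a release string to check a kernel that is installed but not yet booted.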



4. Required RPMs

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 packages:


x86_64 packages:




Copyright (c) 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights
