[PATCH] proc: don't update /proc file permissions when not needed.Update only when needed fields in proc_dir_entry in proc_notify_change().
VE can mess VE0 /proc mode, uid, gid on entries which have global PDE only.
No much harm can be done, i.e. not exploitable. But still very unpleasant.
Bug #95301
[PATCH] simfs: fix statfs() in case of HUGE limits If quota is too big then unsigned becomes negative signed. Get rid of explicit type cast and do honest math.http://bugzilla.openvz.org/show_bug.cgi?id=722
[PATCH] fairsched: fixup per-VE nrrunning/nrunint stats on VCPU add/del When any online ( >=2 ) vcpu is removed and attached again then its statistic is initialized. It leads to bad loadavg results. Right way is merge statistic of deleted VCPU into any online VCPU.http://bugzilla.openvz.org/show_bug.cgi?id=732
[PATCH] CPT: another fix for TUN/TAP restore1) Restore of tun->bind_file attribute added in rst_restore_tuntap.
tun->bind_file contains the pointer to open file which tun_struct is binded
to. tun->bind_file data is used for cpt/rst only. This attribute is to be
initialized on creating tun/tap device (tun_set_iff) and on restore tun/tap
device (rst_restore_tuntap). If it is not initialized on restore, futher
dumps will not contain any in...
[PATCH] set PER_LINUX32 personality when restoring 32bit app on 64bit OSCurrent implementation of task personality migration is incorrect:
cpt:
static int dump_one_process(cpt_object_t *obj, struct cpt_context *ctx)
{
...
v->cpt_personality = tsk->personality;
...
}
rst:
static int hook(void *arg)
{
...
if (ti->cpt_personality != 0)
__set_personality(ti->cpt_personality);
...
}
On both i686 and x86_64 task->personality == 0 == PER_LINUX. But for 32-bit VE...
[PATCH] NFS: lockd has unclosed sockets when stopping VE.Try force destroy hosts (nlm_host) when VE is stopped. It is needed because some
hosts may exists and has opened sockets when we call fini_venet(). But at the
time of fini_venet() all sockets related to given VE must be closed.
Thanks Denis Lunev <den@sw.ru> for help.
Bug #94468
[PATCH] OOM if swap is full even for GFP_NOFS allocation. The problem is that when swap if over, the kernel can hang tens of minutes looking for a memory... So when swap is over we have to be more agressive...Bug #93284
[PATCH] Alt-sysrq-p: do synchronous NMI IPI Wait for completion of the NMI IPI callbacks then do sysrq_handle_showregs(). Otherwise nested bust_spinlocks() calls may occur.Bug #94875
[PATCH] CPT: fix tun/tap dev flags restoredev flags were corrupted in rst_restore_tuntap. As a result
dev->qdisc->enqueue was not set to &pfifo_fast_enqueue but stayed
to be &noop_enqueue after restore. noop_enqueue drops all the skbs.
Bug #94879
[PATCH] fairsched: increase max VCPU timeslice Increase default MAX VCPU timeslice, this increases performance under high load. (vConsolidate test)FYI: VMware uses VCPU timeslice much bigger, 50ms.
[PATCH] taskstats: consider the pid, coming from the user-space to be a virtual one When the user send a netlink message to get the taskstats it can validly be a virtual one, but the find_task_by_pid_all() (which is used to convert this pid to task) assumes (with the appropriate BUG_ON) that his pid is global.Fix it by using the find_task_by_pid_ve() searching routine.
The rest of the taskstats.c code seems to handle pids properly.
http://bugzilla.openvz.org/show_bug.cgi?id=730
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
[PATCH] CPT: improve dst capabilities checks1. Return different error codes in case of unsupported features
and insufficient cpu capabilities.
2. Print error messages with prefix "Error: ".
This should improve checks of dst node capabilities.
[CIFS] fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_threadIt's a part of the following commit from mainstream
---------------------------------------------------
When kernel_recvmsg returns -EAGAIN or -ERESTARTSYS, then
cifs_demultiplex_thread sleeps for a bit and then tries the read again.
When it does this, it's not zeroing out the length and that throws off
the value of total_read. Fix it to zero out the length.
Can cause memory corruption:
If ke...
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)patch a3474224e6a01924be40a8255636ea5522c1023a in mainline
The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split. It was a wrong correction in commit
14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
TASK_TRACED instead. It should have been changed when TASK_TRACED
was introduc...
[PATCH] netfilter: add ipt_hashlimit 32bit compat ipt_hashlimit doesn't have the compat function while its entry structure (ipt_hashlimit_info) requires it.The patch introduces compat function and fixes an oops
while trying to use ipt_hashlimit module from inside 32bit VE
on a 64bit host HN.
http://bugzilla.openvz.org/show_bug.cgi?id=707
[PATCH] netfilter: add xt_conntrack 32bit compatxt_conntrack doesn't have the compat function
while its entry structure (xt_conntrack_info) requires it.
[PATCH] netfilter: add xt_connmark 32bit compat ipt_connmark doesn't have the compat function while its entry structure (xt_connmark_info) requires it.Bug #93543
[PATCH] netfilter: add xt_CONNMARK 32bit compat xt_CONNMARK doesn't have the compat function while its entry structure (xt_connmark_target_info) requires it.Bug #93689
[PATCH] netfilter: add xt_MARK 32bit compatxt_MARK doesn't have the compat function while its entry
structure (xt_mark_target_info_v1) requires it.
Note: ipv6 correctness is not tested. TODO
Note 1:
/* Version 0 */
struct xt_mark_target_info {
unsigned long mark;
};
So the struct size differs for 32bit/64bit nodes, but mainstream does not have a compat for it.
ipv6 variant uses xt_mark_target_info (v0) so the testing will sho...
[NETFILTER]: ip_tables: fix compat related crash check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
->checkentry yet. On error however it calls cleanup_matches, which in
turn calls ->destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the ...
[PATCH] VE: virtualize ipt_recent Patch virtualizes ipt_recent module in the following way:1) Introduced struct ve_ipt_recent and corresponding _ipt_recent entry in
ve_struct. ve_ipt_recent contains global variables from ipt_recent module.
2) Functions init_ipt_recent, fini_ipt_recent implemented.
Current functions designed to be called from ipt_recent_init/fini and
ipt_recent_checkentry/destroy in purpose to alloc ve_ipt_recent
structure and initialize/cleanup _ipt_recent entry in...
[PATCH] CPT: TUN/TAP support in checkpointingNow live migration of VE with openvpn inside is supported.
1) tun/tap driver updated:
- Field void *bind_file added to tun_struct. Field is used for storing pointer
to open /dev/net/tun file. This pointer is to be written to dumpfile: on
restore it is necessary to carry out binding of created tun_struct to open
file /dev/net/tun.
2) dump:
- Introduced struct cpt_tuntap_image for storing...
[PATCH] CPT: fix compilation in case CONFIG_VE_IPTABLES=n With CONFIG_VE_IPTABLES off the following compilation error takes place:CONFIG_VE=y
CONFIG_VE_CALLS=m
CONFIG_VZ_GENCALLS=y
CONFIG_VE_NETDEV=m
CONFIG_VE_ETHDEV=m
CONFIG_VZ_DEV=m
CONFIG_VZ_WDOG=m
CONFIG_VZ_CHECKPOINT=m
......
CC [M] kernel/cpt/cpt_net.o
kernel/cpt/cpt_net.c: In function �cpt_dump_iptables�:
kernel/cpt/cpt_net.c:365: error: �struct ve_struct� has no member named
�_iptables_modules�
make[2]: *** [kernel/cpt/cpt_net.o] Error 1
make[1]: *** [kernel/cp...
[PATCH] fix oops in dump_trace() in NMI This patch fixes OOPS of dump_trace in NMI. If one is running 32 bit task and NMI tries to dump_stack() OOPS happens, since user space stack is tried to be dumped. Backport of patch from mainstream.Bug #93558
[PATCH] VE: mark venet as vlan-incapable Many places in vlan code assume ethernet underlying device, which is not working for venet. So mark vene as vlan-incapable.http://bugzilla.openvz.org/show_bug.cgi?id=703
[PATCH] x86-64: Fix ENOSYS in system call tracing This patch:- out of range system calls failing to return -ENOSYS under
system call tracing
[AK: split out from another patch by Jan as separate bugfix]
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andi Kleen <ak@suse.de>
cc7d479fe56133e79840beffe9cb4fd193af93aa
[PATCH] VE: introduce OVZ version in oops output and in /proc/vz/versionIntroduce OVZ-specific build version in /proc/vz/version file and print it in
oops messages. This should help OVZ developers to identify OVZ patch version in
different distros like Debian/ALTLinux.
[PATCH] VE: restore back find_task_by_pid() for ATI video driver find_task_by_pid_all() and macro find_task_by_pid() are returned back, since ATI binary driver is using it (what for???). Print a big warning when this function is used still.http://bugzilla.openvz.org/show_bug.cgi?id=634
[PATCH] grsecurity: fix compilation with GRSEC, but w/o GRSEC_TPEfix compilation with GRSEC, but w/o GRSEC_TPE config option.
http://bugzilla.openvz.org/show_bug.cgi?id=718
[PATCH] Fix boot code head.S warningWhen compiling a 64-bit kernel on an Ubuntu 6.06 32bit system (whose GCC is also
a cross-compiler for x86_64) I've seen that head.o is compiled as a 64-bit file
(while it should not) and ld complaining about this during linking:
[AK: it happens on all systems with new binutils]
ld: warning: i386:x86-64 architecture of input file
`arch/x86_64/boot/compressed/head.o' is incompatible with i386 ou...
[PATCH] fix NFS compilation when NFS_FS=n and NFSD=yWhen CONFIG_NFS_FS is disabled and CONFIG_NFSD is enabled in .config
the following compilation error occurs:
.....
CC [M] fs/lockd/host.o
fs/lockd/host.c: In function �nlm_bind_host�:
fs/lockd/host.c:204: error: �struct ve_struct� has no member named
�_nlmsvc_timeout�
make[2]: *** [fs/lockd/host.o] Error 1
make[1]: *** [fs/lockd] Error 2
make: *** [fs] Error 2
[PATCH] Fix compilation issues in vpid code Patch fixes compilation issue in kernel/pid.c: ... kernel/pid.c: In function 'free_pid': kernel/pid.c:197: error: dereferencing pointer to incomplete type kernel/pid.c: In function 'alloc_pid': kernel/pid.c:233: error: dereferencing pointer to incomplete type make[2]: *** [kernel/pid.o] Error 1 make[1]: *** [kernel] Error 2If linux/kmem_cache is not included kmem_cache type is undefined.
http://bugzilla.openvz.org/show_bug.cgi?id=689
[PATCH] ia64: fix kernel thread exit codeCPT during restore creates kernel thread to start iptables-restore.
On ia64 start_kernel_thread is used for kernel thread creation.
GLOBAL_ENTRY(start_kernel_thread)
.prologue
.save rp, r0 // this is the end of the
call-chain
.body
alloc r2 = ar.pfs, 0, 0, 2, 0
mov out0 = r9
mov out1 = r11;;
br.call.sptk.many rp...
OpenVZ team
