readykernel-patch-33.22-29.1-1.vl7

If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable preventing the container from stopping.

It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing.

It was found that wrong memory pages were invalidated in tcache in certain situations. That caused kernel crashes ("bad page state") in free_pages_prepare().

ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices.

Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.

Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code which may result in out-of-bounds accesses to the heap memory. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.

Kernel crash (BUG()) in rpc_abort_task().

Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.

Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function.