[Devel] [PATCH vz8] ve: fix double-free if cgroup_mark_ve_roots fails

Valeriy Vdovin valeriy.vdovin at virtuozzo.com
Fri Apr 9 20:29:57 MSK 2021 

Below is a dmesg output whne cgroup_mark_ve_roots exits with error.

[  +0.973416] ============================================================
[  +0.000140] BUG: KASAN: double-free or invalid-free in kfree+0xd6/0x2d0

[  +0.000088] CPU: 0 PID: 285 Comm: kworker/0:3 ve: / Not tainted
[  +0.000002] Hardware name: Virtuozzo KVM, BIOS
[  +0.000017] Workqueue: cgroup_destroy css_killed_work_fn
[  +0.000007] Call Trace:
[  +0.000019]  dump_stack+0x9a/0xf0
[  +0.000006]  print_address_description.cold.3+0x9/0x23b
[  +0.000004]  ? kfree+0xd6/0x2d0
[  +0.000005]  kasan_report_invalid_free+0x65/0xa0
[  +0.000004]  ? kfree+0xd6/0x2d0
[  +0.000003]  __kasan_slab_free+0x157/0x170
[  +0.000006]  slab_free_freelist_hook+0x5e/0x140
[  +0.000012]  ? ve_offline+0x34/0x70
[  +0.000005]  kfree+0xd6/0x2d0
[  +0.000007]  ve_offline+0x34/0x70
[  +0.000004]  css_killed_work_fn+0xa5/0x490
[  +0.000015]  process_one_work+0x8f0/0x17a0
[  +0.000013]  ? pwq_dec_nr_in_flight+0x320/0x320
[  +0.000003]  ? lock_acquire+0x14f/0x3b0
[  +0.000015]  worker_thread+0x87/0xb50
[  +0.000010]  ? __kthread_parkme+0xb6/0x180
[  +0.000006]  ? process_one_work+0x17a0/0x17a0
[  +0.000004]  kthread+0x30e/0x3d0
[  +0.000003]  ? kthread_create_fn+0x70/0x70
[  +0.000012]  ret_from_fork+0x3a/0x50

[  +0.000036] Allocated by task 2817:
[  +0.000038]  kasan_kmalloc+0xbf/0xe0
[  +0.000003]  __kmalloc+0x157/0x320
[  +0.000022]  ext4_htree_store_dirent+0x88/0x570 [ext4]
[  +0.000018]  htree_dirblock_to_tree+0x235/0x540 [ext4]
[  +0.000016]  ext4_htree_fill_tree+0x1e0/0x880 [ext4]
[  +0.000014]  ext4_readdir+0xf5e/0x2910 [ext4]
[  +0.000010]  iterate_dir+0x3b0/0x610
[  +0.000003]  ksys_getdents64+0x11f/0x1f0
[  +0.000003]  __x64_sys_getdents64+0x6f/0xb0
[  +0.000004]  do_syscall_64+0xa5/0x4d0
[  +0.000006]  entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[  +0.000003]  0xffffffffffffffff

[  +0.000022] Freed by task 2817:
[  +0.000034]  __kasan_slab_free+0x125/0x170
[  +0.000003]  slab_free_freelist_hook+0x5e/0x140
[  +0.000003]  kfree+0xd6/0x2d0
[  +0.000015]  free_rb_tree_fname+0x67/0xb0 [ext4]
[  +0.000014]  ext4_release_dir+0x3c/0x60 [ext4]
[  +0.000003]  __fput+0x272/0x7b0
[  +0.000003]  task_work_run+0x115/0x180
[  +0.000003]  exit_to_usermode_loop+0x152/0x170
[  +0.000003]  do_syscall_64+0x41e/0x4d0
[  +0.000003]  entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[  +0.000003]  0xffffffffffffffff

[  +0.000022] The buggy address belongs to the object at ffff888107da8b80
               which belongs to the cache kmalloc-64 of size 64
[  +0.000120] The buggy address is located 0 bytes inside of
               64-byte region [ffff888107da8b80, ffff888107da8bc0)
[  +0.000107] The buggy address belongs to the page:
[  +0.000054] page:ffffea00041f6a00 refcount:1 mapcount:0
              mapping:ffff888107c0f000 index:0xffff888107da8b80
[  +0.000004] flags: 0x17ffffc0000100(slab)
[  +0.000004] raw: 0017ffffc0000100 ffffea000436a0c8 ffffea000428c748
[  +0.000003] raw: ffff888107da8b80 000000000020001f 00000001ffffffff
[  +0.000002] page dumped because: kasan: bad access detected

[  +0.000021] Memory state around the buggy address:
[  +0.000117]  ffff888107da8a80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[  +0.000071]  ffff888107da8b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[  +0.000103] >ffff888107da8b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[  +0.000102]                    ^
[  +0.000035]  ffff888107da8c00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[  +0.000069]  ffff888107da8c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  +0.000069]
==================================================================

When this happens, ve_start_container proceeds to error path and does
kfree(ve->ve_owner). The same kfree is later done in ve_offline function.
Fix adds ve->ve_owner = NULL after kfree.

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
---
 kernel/ve/ve.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 15f511f..1fd7d0d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -676,6 +676,7 @@ static int ve_start_container(struct ve_struct *ve)
 err_list:
 	ve_drop_context(ve);
 	kfree(ve->ve_name);
+	ve->ve_name = NULL;
 	return err;
 }
 
-- 
1.8.3.1

More information about the Devel mailing list