[Devel] [PATCH vz9 1/2] ve/cgroups: fix use after free in ve_exit_ns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Wed Feb 1 16:06:37 MSK 2023
Nacked-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
This is not last reference to ve. Last reference is removed when we
remove cgroup directory with rmdir. One cant remove cgroup until there
is a process in it. ve_exit_ns is called from task in this ve cgroup.
On 30.01.2023 13:00, Alexander Atanasov wrote:
> Release the lock before dropping the last reference to ve in
> ve_exit_ns which can lead to a call to ve_destroy which in turns
> does free the ve. In general it is always a bug to drop a reference
> of an object with locks held inside of it.
>
> https://jira.sw.ru/browse/PSBM-144580
> Signed-off-by: Alexander Atanasov <alexander.atanasov at virtuozzo.com>
> ---
> kernel/ve/ve.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> i've checked vz7 and it does not have this issue.
>
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index 407d7de6e071..80865161670e 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -857,9 +857,11 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
> ve_hook_iterate_fini(VE_SS_CHAIN, ve);
> ve_list_del(ve);
> ve_drop_context(ve);
> + up_write(&ve->op_sem);
> +
> printk(KERN_INFO "CT: %s: stopped\n", ve_name(ve));
> +
> put_ve(ve); /* from ve_start_container() */
> - up_write(&ve->op_sem);
> }
>
> u64 ve_get_monotonic(struct ve_struct *ve)
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
More information about the Devel
mailing list