[Devel] [PATCH vz9 v2 1/2] ve/cgroups: fix a potential use after free in ve_exit_ns

Alexander Atanasov alexander.atanasov at virtuozzo.com
Thu Feb 2 23:26:10 MSK 2023


Release the lock before dropping the reference to ve in
ve_exit_ns, which can lead to a call to ve_destroy, which in turn
can free the ve. In the current code there are other places holding
the reference so it is not happening, but to be correct the
mutex must be released before the reference is dropped.

This probably came from a rebase, since in vz7 the mutex is
released before dropping the reference, as it should be.

In general it is always a bug to drop a reference to an object
with locks held inside it.

https://jira.sw.ru/browse/PSBM-144580
Signed-off-by: Alexander Atanasov <alexander.atanasov at virtuozzo.com>
---
 kernel/ve/ve.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


Did v2 after Pavel's comments; only the commit message is changed.

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 407d7de6e071..80865161670e 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -857,9 +857,11 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 	ve_hook_iterate_fini(VE_SS_CHAIN, ve);
 	ve_list_del(ve);
 	ve_drop_context(ve);
+	up_write(&ve->op_sem);
+
 	printk(KERN_INFO "CT: %s: stopped\n", ve_name(ve));
+
 	put_ve(ve); /* from ve_start_container() */
-	up_write(&ve->op_sem);
 }
 
 u64 ve_get_monotonic(struct ve_struct *ve)
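Review bot: the only access to ve between the new up_write(&ve->op_sem) and put_ve(ve) is ve_name(ve) in the printk, which stays safe because the reference taken in ve_start_container() is not dropped until the put_ve on the following line; moving the printk above the up_write would keep every access to ve under op_sem and would also make the two added blank lines unnecessary, since those `+` lines are purely cosmetic and unrelated to the fix.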
-- 
2.31.1
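The ordering rule the commit message states (release op_sem, then drop the reference), as an added model that is not kernel code and not part of this patch: ve_struct, put_ve, up_write and ve_destroy are simplified stand-ins, and ve_destroy poisons the object instead of freeing it so that a lock release on a dead object is detectable rather than silent.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's ve_struct: a refcount plus
 * a flag modelling the op_sem rw_semaphore held by ve_exit_ns(). */
struct ve_struct {
    int refcnt;
    int op_sem_held;   /* models down_write()/up_write() on op_sem */
    int freed;         /* set by ve_destroy(): the object is dead */
    char name[16];
};

static int last_error; /* 1 if a lock operation touched a dead object */

static void ve_destroy(struct ve_struct *ve)
{
    /* Real code frees the memory here; we poison instead so that a
     * later touch can be reported instead of silently corrupting memory. */
    ve->freed = 1;
}

static void put_ve(struct ve_struct *ve)
{
    if (--ve->refcnt == 0)   /* last reference: object goes away */
        ve_destroy(ve);
}

static void up_write(struct ve_struct *ve)
{
    if (ve->freed) {         /* unlocking inside a destroyed ve: the bug */
        last_error = 1;
        return;
    }
    ve->op_sem_held = 0;
}

/* Runs the tail of ve_exit_ns() in either order. extra_refs models the
 * "other places holding the reference" that hide the bug today.
 * Returns 0 for a clean exit, 1 if the lock was released after destroy. */
static int ve_exit_ns_model(int release_lock_first, int extra_refs)
{
    struct ve_struct *ve = calloc(1, sizeof(*ve));
    if (!ve)
        return -1;
    ve->refcnt = 1 + extra_refs;  /* 1 taken by ve_start_container() */
    ve->op_sem_held = 1;          /* down_write() done earlier in exit */
    strcpy(ve->name, "ct101");    /* constructed sample name */
    last_error = 0;
    if (release_lock_first) {     /* order after the patch */
        up_write(ve);
        put_ve(ve);
    } else {                      /* order before the patch */
        put_ve(ve);
        up_write(ve);
    }
    free(ve);                     /* model-only cleanup, see ve_destroy */
    return last_error;
}
```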
