[Devel] [PATCH RHEL9 COMMIT] ve/cgroups: Fix a potential use after free in ve_exit_ns
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Feb 9 17:27:29 MSK 2023
The commit is pushed to "branch-rh9-5.14.0-162.6.1.vz9.18.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-162.6.1.vz9.18.8
------>
commit 1591938255eff971544b42b14685d8f30742fa68
Author: Alexander Atanasov <alexander.atanasov at virtuozzo.com>
Date: Thu Feb 2 22:26:10 2023 +0200
ve/cgroups: Fix a potential use after free in ve_exit_ns
Release the lock before dropping the reference to VE in
ve_exit_ns(), which can lead to a call to ve_destroy(), which in turn
can free the VE. In the current code there are other places holding
the reference so it is not happening, but to be correct the
mutex must be released before the reference.
This probably came from a rebase, since in vz7 the mutex is
released before dropping the reference as it should be.
In general it is always a bug to drop a reference to an object
with locks held inside it.
Fixes: 4dacd8fd3797 ("ve: Add ve cgroup and ve_hook subsys")
https://jira.sw.ru/browse/PSBM-144580
Signed-off-by: Alexander Atanasov <alexander.atanasov at virtuozzo.com>
Acked-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
kernel/ve/ve.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 407d7de6e071..80865161670e 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -857,9 +857,11 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
ve_hook_iterate_fini(VE_SS_CHAIN, ve);
ve_list_del(ve);
ve_drop_context(ve);
+ up_write(&ve->op_sem);
+
printk(KERN_INFO "CT: %s: stopped\n", ve_name(ve));
+
put_ve(ve); /* from ve_start_container() */
- up_write(&ve->op_sem);
}
u64 ve_get_monotonic(struct ve_struct *ve)
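Review bot: the reordering is the right fix for the hunk: put_ve() may drop the last reference and run ve_destroy(), so up_write(&ve->op_sem) placed after it would operate on a semaphore inside freed memory; moving up_write() before put_ve() removes that window. Two points worth noting in the same hunk: ve_name(ve) in the printk still dereferences ve after the lock is released, which is safe only because this function still holds its own reference until put_ve(), so the printk must stay before put_ve() if these lines are ever rearranged again; and since the commit message says the wrong ordering likely reappeared through a rebase, a one-line comment on the up_write() (e.g. "must precede put_ve(): the final put may free ve") would help keep the ordering from regressing.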