[Devel] [PATCH vz9 1/2] ve/cgroups: fix use after free in ve_exit_ns

Alexander Atanasov alexander.atanasov at virtuozzo.com
Mon Jan 30 08:00:02 MSK 2023


Release the lock before dropping the last reference to ve in
ve_exit_ns, which can lead to a call to ve_destroy, which in turn
frees the ve. In general it is always a bug to drop a reference
to an object while holding locks inside it.

https://jira.sw.ru/browse/PSBM-144580
Signed-off-by: Alexander Atanasov <alexander.atanasov at virtuozzo.com>
---
 kernel/ve/ve.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

I've checked vz7 and it does not have this issue.

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 407d7de6e071..80865161670e 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -857,9 +857,11 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 	ve_hook_iterate_fini(VE_SS_CHAIN, ve);
 	ve_list_del(ve);
 	ve_drop_context(ve);
+	up_write(&ve->op_sem);
+
 	printk(KERN_INFO "CT: %s: stopped\n", ve_name(ve));
+
 	put_ve(ve); /* from ve_start_container() */
-	up_write(&ve->op_sem);
 }
 
 u64 ve_get_monotonic(struct ve_struct *ve)
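Review bot: the ordering constraint this hunk fixes (op_sem must be released before the final put_ve(), because put_ve() can reach ve_destroy() and free the object that embeds the rwsem) is recorded only in the commit message; a one-line comment above the moved `up_write(&ve->op_sem);`, e.g. `/* drop op_sem before the last put_ve(): ve_destroy() frees ve */`, would keep the next person from moving the put back under the lock. The printk of ve_name(ve) between the unlock and put_ve() is fine since this path still holds its own reference at that point. The two blank lines added around the printk are unrelated whitespace churn and could be dropped to keep the hunk minimal.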
-- 
2.31.1