[Devel] [PATCH vz10] ve/pid: release RCU read lock on error paths in ve_pid_max_write_running_u64()

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 4 12:21:43 MSK 2026


Both early error returns inside the rcu_read_lock() section returned
without dropping the lock:

	rcu_read_lock();
	ve_nsproxy = rcu_dereference(ve->ve_nsproxy);
	if (!ve_nsproxy || !ve_nsproxy->pid_ns_for_children)
		return -EBUSY;          /* RCU read lock still held */
	if (pid_max_min > val || pid_max_max < val)
		return -EINVAL;         /* RCU read lock still held */

Writing an out-of-range value to the ve cgroup pid_max file, or writing
to a CT whose pid_ns_for_children is not set up yet, returned with the
RCU read lock held, leaving preempt_count/RCU unbalanced (RCU stalls and
"sleeping in RCU read-side critical section" splats on the next sleeping
call). Add rcu_read_unlock() before both error returns.

Fixes: 3f103833ed3b ("ve/pid: Export kernel.pid_max via ve cgroup")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/ve/ve.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 198c82f010cc..37ac9c4ba0f5 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1403,9 +1403,11 @@ static int ve_pid_max_write_running_u64(struct cgroup_subsys_state *css,
 	rcu_read_lock();
 	ve_nsproxy = rcu_dereference(ve->ve_nsproxy);
 	if (!ve_nsproxy || !ve_nsproxy->pid_ns_for_children) {
+		rcu_read_unlock();
 		return -EBUSY;
 	}
 	if (pid_max_min > val || pid_max_max < val) {
+		rcu_read_unlock();
 		return -EINVAL;
 	}
 
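Review bot: the range check `if (pid_max_min > val || pid_max_max < val)` uses nothing obtained through `rcu_dereference()` in the visible lines, so it could move above `rcu_read_lock()` and would then need no unlock at all, leaving only the -EBUSY path to balance. If it has to stay inside the read-side section, consider sending both failures through a single `goto out_unlock` label with one `rcu_read_unlock()`, so that an early return added to this section later cannot reintroduce the leak.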
-- 
2.47.1


