hulk inclusion
category: bugfix
bugzilla: https://atomgit.com/openeuler/kernel/issues/8787

------------------------------------------

The twcb pointer is accessed after gen_pool_free() in memory_failure_cb, which leads to a use-after-free vulnerability. Fix this by moving gen_pool_free() to the end of the function after all twcb accesses.

Fixes: a81f1aa5c8ea ("mm: memory-failure: use kill_accessing_process() in ghes")
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
---
 drivers/acpi/apei/ghes.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 8a3fc78ec4ea..925355f156b6 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -484,12 +484,14 @@ static void memory_failure_cb(struct callback_head *twork)
 		container_of(twork, struct sync_task_work, twork);
 
 	ret = memory_failure(twcb->pfn, twcb->flags);
-	gen_pool_free(ghes_estatus_pool, (unsigned long)twcb, sizeof(*twcb));
 
-	if (!ret || ret == -EHWPOISON || ret == -EOPNOTSUPP)
+	if (!ret || ret == -EHWPOISON || ret == -EOPNOTSUPP) {
+		gen_pool_free(ghes_estatus_pool, (unsigned long)twcb, sizeof(*twcb));
 		return;
+	}
 
 	kill_accessing_process(twcb->pfn, twcb->flags, true);
+	gen_pool_free(ghes_estatus_pool, (unsigned long)twcb, sizeof(*twcb));
 }
 
 static bool ghes_do_memory_failure(u64 physical_addr, int flags)
-- 
2.43.0
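Review bot: The new code frees `twcb` on two separate paths (inside the early-return branch and again after `kill_accessing_process()`), which is the same shape that produced the original use-after-free and leaves a double-free or UAF hazard for the next person who adds a `return` or a `twcb->` access between them. A single-exit form keeps one `gen_pool_free()` and reads more clearly: `if (ret && ret != -EHWPOISON && ret != -EOPNOTSUPP)` / `kill_accessing_process(twcb->pfn, twcb->flags, true);` / `gen_pool_free(ghes_estatus_pool, (unsigned long)twcb, sizeof(*twcb));`. Alternatively, copy `twcb->pfn` and `twcb->flags` into locals before any free so the allocation's lifetime no longer depends on where later accesses land; either way a comment such as `/* twcb must not be touched after this point */` above the remaining free would document the invariant the commit is restoring. What `kill_accessing_process()` does with `pfn`/`flags` is not visible here, so I assume it only reads them. memory_failure_cb's signature and the `ret`/`twcb` declarations are above the hunk.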