euleros inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4 CVE: NA ---------------------------------------------------- In the mm_idle_release function, etmem first uses the mmdrop to release this mm, and then call page_scan_release, resulting in a use-after-free problem. Instead, this patch swaps the placement of mmdrop and page_scan_release to avoid uaf problem. Fixes: bad4d8833739 ("etmem: add etmem-scan feature") Signed-off-by: chenrenhui <chenrenhui1@huawei.com> --- fs/proc/task_mmu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 0175fd7b3598..9330da26e74a 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -1830,15 +1830,15 @@ static int mm_idle_release(struct inode *inode, struct file *file) struct mm_struct *mm = file->private_data; int ret = 0; + if (proc_page_scan_operations.release) + ret = proc_page_scan_operations.release(inode, file); + if (mm) { if (!mm_kvm(mm)) flush_tlb_mm(mm); mmdrop(mm); } - if (proc_page_scan_operations.release) - ret = proc_page_scan_operations.release(inode, file); - if (proc_page_scan_operations.owner) module_put(proc_page_scan_operations.owner); -- 2.33.0