From: Zizhi Wo wozizhi@huawei.com
Offering: HULK
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB5UKT
--------------------------------
At present, the trace point in fscache_cookie_put() has a cookie UAF problem. The following is the process that triggers the issue:

process A                                 process B
fscache_cookie_put
  atomic_dec_return(&cookie->usage)
                                          fscache_cookie_put
                                            atomic_dec_return(&cookie->usage)
                                            trace_fscache_cookie(cookie...)
                                            fscache_free_cookie
  trace_fscache_cookie(cookie...)

After process B has freed the cookie, process A calls trace and the cookie UAF problem occurs. Fix this by calling trace before decrementing cookie->usage.
Signed-off-by: Zizhi Wo wozizhi@huawei.com
Signed-off-by: Baokun Li libaokun1@huawei.com
---
 fs/fscache/cookie.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index bd4a6734d163..422248fa55ca 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c @@ -930,9 +930,8 @@ void fscache_cookie_put(struct fscache_cookie *cookie, _enter("%p", cookie);
do { + trace_fscache_cookie(cookie, where, atomic_read(&cookie->usage)); usage = atomic_dec_return(&cookie->usage); - trace_fscache_cookie(cookie, where, usage); - if (usage > 0) return; BUG_ON(usage < 0);
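Review bot: the value the tracepoint reports changes meaning in this hunk, and the commit message does not say so. The added line samples `atomic_read(&cookie->usage)` before `atomic_dec_return()`, so the trace now logs the pre-decrement count (one higher than the removed `trace_fscache_cookie(cookie, where, usage)` logged), and because the read and the decrement are two separate atomic operations, a concurrent put can land between them, so the traced number need not correspond to the decrement this call performs. The ordering itself is the right fix for the UAF; either state in the commit message that the reported usage is now the count before the decrement, or, if consumers of the trace event rely on the post-decrement value, trace `atomic_read(&cookie->usage) - 1` with a comment explaining why the value is sampled before the decrement.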
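The interleaving in the commit message can be checked deterministically without threads. The program below is an added example, not code from this patch or from the fscache tree: it models the two orderings of decrement and trace as three-step state machines, runs them under a chosen interleaving of two callers that each hold one reference, and then enumerates every possible interleaving to count how many let the tracepoint touch a freed object. The names `refobj`, `putter`, `run_schedule` and `count_uaf_interleavings` are hypothetical; "freeing" sets a flag instead of releasing memory so that a late access is detectable rather than undefined behaviour.

```c
/* Added example (not from the patch): single-threaded model of the
 * old and new fscache_cookie_put() orderings. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct refobj {
    int usage;  /* stands in for atomic_t usage; the model is single-threaded */
    int freed;  /* set instead of really freeing, so a late access is detectable */
    int id;
};

enum op { OP_DEC, OP_TRACE, OP_FREE_IF_ZERO };

/* Pre-fix ordering: decrement, trace with the result, free if we hit zero. */
static const enum op order_old[3] = { OP_DEC, OP_TRACE, OP_FREE_IF_ZERO };
/* Patched ordering: trace while our reference is still held, then decrement. */
static const enum op order_new[3] = { OP_TRACE, OP_DEC, OP_FREE_IF_ZERO };

/* One in-flight put(), advanced one op at a time by the scheduler. */
struct putter {
    int step;         /* index of the next op in the ordering */
    int usage_after;  /* what atomic_dec_return() returned to this caller */
};

struct model_result {
    int uaf_accesses;  /* tracepoint dereferenced the object after it was freed */
    int frees;
    int final_usage;
};

static void run_op(struct refobj *obj, struct putter *p, enum op op,
                   struct model_result *r)
{
    switch (op) {
    case OP_DEC:
        p->usage_after = --obj->usage;
        break;
    case OP_TRACE:
        /* The tracepoint reads fields of the cookie; if another caller has
         * already freed it, this is the use-after-free from the commit message. */
        if (obj->freed)
            r->uaf_accesses++;
        (void)obj->id;
        break;
    case OP_FREE_IF_ZERO:
        if (p->usage_after < 0)
            abort();  /* stands in for BUG_ON(usage < 0) */
        if (p->usage_after == 0) {
            obj->freed = 1;
            r->frees++;
        }
        break;
    }
}

/* Run two concurrent put() calls, A and B, each holding one reference, in the
 * interleaving given by schedule: a string of 'A'/'B' such as "ABBBAA". */
struct model_result run_schedule(const enum op order[3], const char *schedule)
{
    struct refobj obj = { .usage = 2, .freed = 0, .id = 42 };  /* constructed object */
    struct putter ps[2] = { { 0, 0 }, { 0, 0 } };
    struct model_result r = { 0, 0, 0 };

    for (const char *s = schedule; *s; s++) {
        struct putter *p = &ps[*s == 'A' ? 0 : 1];
        if (p->step >= 3)
            continue;  /* this caller has already finished */
        run_op(&obj, p, order[p->step++], &r);
    }
    r.final_usage = obj.usage;
    return r;
}

static int popcount(unsigned v)
{
    int c = 0;
    for (; v; v &= v - 1)
        c++;
    return c;
}

/* Enumerate all 20 interleavings of the two callers' three ops and count how
 * many make the tracepoint touch a freed object. */
int count_uaf_interleavings(const enum op order[3])
{
    int bad = 0;
    for (unsigned mask = 0; mask < 64; mask++) {
        if (popcount(mask) != 3)
            continue;
        char sched[7];
        for (int i = 0; i < 6; i++)
            sched[i] = (mask >> i) & 1 ? 'A' : 'B';
        sched[6] = '\0';
        if (run_schedule(order, sched).uaf_accesses > 0)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* The interleaving from the commit message: A decrements, then B
     * decrements, traces and frees, then A finally traces. */
    struct model_result old = run_schedule(order_old, "ABBBAA");
    struct model_result fix = run_schedule(order_new, "ABBBAA");
    printf("old ordering: uaf=%d frees=%d\n", old.uaf_accesses, old.frees);
    printf("new ordering: uaf=%d frees=%d\n", fix.uaf_accesses, fix.frees);
    printf("interleavings with UAF: old=%d new=%d\n",
           count_uaf_interleavings(order_old), count_uaf_interleavings(order_new));
    return 0;
}
```

With the old ordering exactly two of the twenty interleavings (one per caller) reach the trace after the other caller has freed the object; with the patched ordering none do, because each caller traces before giving up its own reference, and the object cannot be freed while that reference is outstanding. The model also makes the caveat visible: in the new ordering the value available to the tracepoint is the count before the decrement.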