From: Yang Yingliang yangyingliang@huawei.com
hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA
-------------------------------------------------
If free_task() is called on the error path, it will free the futex_exit_mutex of the parent process and cause a UAF, so move the free of futex_exit_mutex to __put_task_struct().
Fixes: f9a5a3dea71b ("futex: sched: fix kabi broken in task_struct")
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
Reviewed-by: Jian Cheng cj.chengjian@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
Signed-off-by: Cheng Jian cj.chengjian@huawei.com
---
kernel/fork.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c index 36d3edeff7ac..80a7e29920cd 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -458,8 +458,6 @@ void free_task(struct task_struct *tsk) arch_release_task_struct(tsk); if (tsk->flags & PF_KTHREAD) free_kthread_struct(tsk); - kfree(tsk->futex_exit_mutex); - tsk->futex_exit_mutex = NULL; free_task_struct(tsk); } EXPORT_SYMBOL(free_task); @@ -731,6 +729,8 @@ void __put_task_struct(struct task_struct *tsk) exit_creds(tsk); delayacct_tsk_free(tsk); put_signal_struct(tsk->signal); + kfree(tsk->futex_exit_mutex); + tsk->futex_exit_mutex = NULL;
if (!profile_handoff_task(tsk)) free_task(tsk);
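Review bot: after the first hunk, free_task() no longer releases tsk->futex_exit_mutex at all, so any caller that reaches free_task() without first passing through __put_task_struct() (the error path the commit message describes) now depends on the half-built task's pointer still aliasing the parent's mutex rather than an allocation of its own; the commit message should state where the child's futex_exit_mutex is allocated relative to that error path so a reviewer can confirm nothing is leaked by dropping the `kfree(tsk->futex_exit_mutex);` from free_task(). In the second hunk the new `kfree()` / `= NULL` pair sits before the `profile_handoff_task(tsk)` check, which is the right place, since the mutex must go away even when the handoff keeps free_task() from running; the `= NULL` store is harmless but worth a one-line comment noting that it is defensive, given the task_struct is about to be freed anyway.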