etmem: fix use-after-free of mm in the scan release process
chenrenhui (1): etmem: fix use-after-free of mm in the scan release process
fs/proc/etmem_proc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4
CVE: NA
----------------------------------------------------
In the mm_idle_release function, etmem first uses mmdrop to release this mm, and then calls page_scan_release, resulting in a use-after-free problem.
Instead, this patch swaps the placement of mmdrop and page_scan_release to avoid the UAF problem.
Fixes: 5d3b64fd78b8 ("etmem: add etmem scan feature")
Signed-off-by: chenrenhui chenrenhui1@huawei.com
---
fs/proc/etmem_proc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/proc/etmem_proc.c b/fs/proc/etmem_proc.c index 2e6712cc43b2..bbcbb53a949c 100644 --- a/fs/proc/etmem_proc.c +++ b/fs/proc/etmem_proc.c @@ -90,15 +90,15 @@ static int mm_idle_release(struct inode *inode, struct file *file) struct mm_struct *mm = file->private_data; int ret = 0;
+ if (proc_page_scan_operations.release) + ret = proc_page_scan_operations.release(inode, file); + if (mm) { if (!mm_kvm(mm)) flush_tlb_mm(mm); mmdrop(mm); }
- if (proc_page_scan_operations.release) - ret = proc_page_scan_operations.release(inode, file); - if (proc_page_scan_operations.owner) module_put(proc_page_scan_operations.owner);
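Review bot: the reordering addresses the use-after-free as described, since proc_page_scan_operations.release(inode, file) now runs while the mm reference held in file->private_data is still live, and it still precedes module_put(proc_page_scan_operations.owner), so the module providing the callback remains pinned while the callback executes. Two points worth confirming from the visible lines: the release callback is now invoked unconditionally ahead of the `if (mm)` guard, so it must tolerate a NULL file->private_data if this path can be reached with mm unset; and `ret` from the release callback is recorded but teardown (flush_tlb_mm, mmdrop, module_put) proceeds regardless of a non-zero result, which is the usual behaviour for a release path but would merit a one-line comment above `if (proc_page_scan_operations.release)` stating that the error is only propagated, not acted on.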