etmem: fix use-after-free of mm in the scan release process
chenrenhui (1): etmem: fix use-after-free of mm in the scan release process
fs/proc/task_mmu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4
CVE: NA
----------------------------------------------------
In the mm_idle_release function, etmem first uses mmdrop to release this mm, and then calls page_scan_release, resulting in a use-after-free problem.
Instead, this patch swaps the placement of mmdrop and page_scan_release to avoid the UAF problem.
Fixes: 8a655676e636 ("memig: add memig-swap feature to openEuler")
Signed-off-by: chenrenhui chenrenhui1@huawei.com
---
fs/proc/task_mmu.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index decf5e287b7e..e02dead5b3b4 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -1950,15 +1950,15 @@ static int mm_idle_release(struct inode *inode, struct file *file) struct mm_struct *mm = file->private_data; int ret = 0;
+ if (proc_page_scan_operations.release) + ret = proc_page_scan_operations.release(inode, file); + if (mm) { if (!mm_kvm(mm)) flush_tlb_mm(mm); mmdrop(mm); }
- if (proc_page_scan_operations.release) - ret = proc_page_scan_operations.release(inode, file); - if (proc_page_scan_operations.owner) module_put(proc_page_scan_operations.owner);
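Review bot: The reorder is sound, but the commit message should state what the release callback (proc_page_scan_operations.release, i.e. page_scan_release) dereferences through the mm it reaches via `file->private_data`, since that access is what the old order turned into a use-after-free; as written the reader has to infer it. Two details in the hunk are worth a sentence of confirmation: the local `mm` is read from `file->private_data` at the top of the function, before the callback runs, so it is still dropped afterwards even if the callback clears or changes `file->private_data`; and `module_put(proc_page_scan_operations.owner)` remains after the callback, which is the correct order because the module providing the callback must not be released while its code is still executing. Also note that `flush_tlb_mm(mm)` now runs after the release callback instead of before it; that should be harmless on a release path, but the message could say so explicitly.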
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/14575
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/C...