Commit 1e7f6ab7 authored by chenrenhui, committed by openeuler-sync-bot

etmem: fix use-after-free of mm in the scan release process

euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4


CVE: NA

----------------------------------------------------

In the mm_idle_release function, etmem first uses mmdrop to release
this mm, and then calls page_scan_release, resulting in a use-after-free
problem.

Instead, this patch swaps the placement of mmdrop and page_scan_release
to avoid the UAF problem.

Fixes: 5d3b64fd ("etmem: add etmem scan feature")
Signed-off-by: chenrenhui <chenrenhui1@huawei.com>
(cherry picked from commit bdb21ae4)
parent 5cc57e85
+3 −3
@@ -90,15 +90,15 @@ static int mm_idle_release(struct inode *inode, struct file *file)
	struct mm_struct *mm = file->private_data;
	int ret = 0;

	if (proc_page_scan_operations.release)
		ret = proc_page_scan_operations.release(inode, file);

	if (mm) {
		if (!mm_kvm(mm))
			flush_tlb_mm(mm);
		mmdrop(mm);
	}

	if (proc_page_scan_operations.release)
		ret = proc_page_scan_operations.release(inode, file);

	if (proc_page_scan_operations.owner)
		module_put(proc_page_scan_operations.owner);
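Review bot: The rendered hunk has lost its `+`/`-` markers, so the two `proc_page_scan_operations.release(inode, file)` blocks are the moved line pair: the copy before `if (mm) {` is the new position and the copy after `mmdrop(mm);` is the removed one, consistent with the `@@ -90,15 +90,15 @@` header showing an equal-size move. With that ordering the release callback runs while the mm reference taken in `file->private_data` is still held, which is exactly the use-after-free the message describes; `mmdrop(mm)` still executes unconditionally inside the `if (mm)` block regardless of the `ret` the callback returns, so a failing release does not leak the mm reference. One documentation point for the commit message: it would help a reader to state that `page_scan_release` dereferences the mm (via the file's private data) rather than only that the order was swapped, since the hunk alone does not show where the freed pointer is touched.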