Commit 3055c8a1 authored Jan 03, 2025 by chenrenhui

etmem: fix use-after-free of mm in the scan release process

euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4


CVE: NA

----------------------------------------------------

In the mm_idle_release function, etmem first uses the mmdrop to release
this mm, and then call page_scan_release, resulting in a use-after-free
problem.

Instead, this patch swaps the placement of mmdrop and page_scan_release
to avoid uaf problem.

Fixes: 8a655676 ("memig: add memig-swap feature to openEuler")
Signed-off-by: chenrenhui <chenrenhui1@huawei.com>

parent d51fb86c

fs/proc/task_mmu.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -1950,15 +1950,15 @@ static int mm_idle_release(struct inode inode, struct file file)
		struct mm_struct *mm = file->private_data;
		int ret = 0;

		if (proc_page_scan_operations.release)
		ret = proc_page_scan_operations.release(inode, file);

		if (mm) {
		if (!mm_kvm(mm))
		flush_tlb_mm(mm);
		mmdrop(mm);
		}

		if (proc_page_scan_operations.release)
		ret = proc_page_scan_operations.release(inode, file);

		if (proc_page_scan_operations.owner)
		module_put(proc_page_scan_operations.owner);