mm/sharepool: Avoid UAF on spa

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5PIA0 CVE: NA -------------------------------- The spa is used during the update_mem_usage. In this case, the spa has been released in the case of concurrency (mg_sp_unshare). Signed-off-by: N Zhou Guanghui <zhouguanghui1@huawei.com>

mm/sharepool: Avoid UAF on spa
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5PIA0 CVE: NA -------------------------------- The spa is used during the update_mem_usage. In this case, the spa has been released in the case of concurrency (mg_sp_unshare). Signed-off-by: N Zhou Guanghui <zhouguanghui1@huawei.com>
27d0e771 · Zhou Guanghui · Wang Wensheng · 142bfed2 · 27d0e771
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

mm/share_pool.c mm/share_pool.c +2 -2

未找到文件。
--- a/mm/share_pool.c
+++ b/mm/share_pool.c
@@ -2726,7 +2726,6 @@ static void *sp_make_share_kva_to_task(unsigned long kva, unsigned long size, un
 	spa->kva = kva;
 	kc.sp_flags = sp_flags;
 	uva = (void *)sp_remap_kva_to_vma(kva, spa, current->mm, prot, &kc);
-	__sp_area_drop(spa);
 	if (IS_ERR(uva))
 		pr_err("remap k2u to task failed %ld\n", PTR_ERR(uva));
 	else {
@@ -2734,6 +2733,7 @@ static void *sp_make_share_kva_to_task(unsigned long kva, unsigned long size, un
 		update_mem_usage(size, true, spa->is_hugepage, spg_node, SPA_TYPE_K2TASK);
 		spa->mm = current->mm;
 	}
+	__sp_area_drop(spa);

 	return uva;
 }
@@ -2785,9 +2785,9 @@ static void *sp_make_share_kva_to_spg(unsigned long kva, unsigned long size,

 out:
 	up_read(&spg->rw_lock);
-	__sp_area_drop(spa);
 	if (!IS_ERR(uva))
 		sp_update_process_stat(current, true, spa);
+	__sp_area_drop(spa);

 	return uva;
 }