* [PATCH] proc: avoid use-after-free in proc_reg_open()
@ 2025-05-28 3:47 wangzijie
From: wangzijie @ 2025-05-28 3:47 UTC (permalink / raw)
To: akpm, rick.p.edgecombe, ast, adobriyan, kirill.shutemov,
linux-fsdevel
Cc: yebin, zuofenghua, bintian.wang, tao.wangtao, wangzijie
Like the rmmod scenario mentioned by Ye Bin in proc: fix use-after-free in proc_get_inode()[1],
we should get pde->proc_ops after use_pde for non-permanent pde to avoid UAF in proc_reg_open().
[1] https://lore.kernel.org/all/20250301034024.277290-1-yebin@huaweicloud.com/
Signed-off-by: wangzijie <wangzijie1@honor.com>
---
fs/proc/inode.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
index a3eb3b740..8de0af8c3 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -473,13 +473,13 @@ static int proc_reg_open(struct inode *inode, struct file *file)
typeof_member(struct proc_ops, proc_open) open;
struct pde_opener *pdeo;
- if (!pde->proc_ops->proc_lseek)
- file->f_mode &= ~FMODE_LSEEK;
-
if (pde_is_permanent(pde)) {
open = pde->proc_ops->proc_open;
- if (open)
+ if (open) {
+ if (!pde->proc_ops->proc_lseek)
+ file->f_mode &= ~FMODE_LSEEK;
rv = open(inode, file);
+ }
return rv;
}
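Review bot: In the pde_is_permanent() branch the FMODE_LSEEK clearing is now nested inside `if (open) {`, so a permanent entry that has neither proc_open nor proc_lseek returns with FMODE_LSEEK still set, whereas the removed lines cleared it unconditionally. The commit message limits the UAF concern to non-permanent entries, so the check could sit directly under `if (pde_is_permanent(pde)) {`, ahead of `open = pde->proc_ops->proc_open;`, which keeps the previous behaviour and avoids the added braces.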
@@ -506,6 +506,9 @@ static int proc_reg_open(struct inode *inode, struct file *file)
}
}
+ if (!pde->proc_ops->proc_lseek)
+ file->f_mode &= ~FMODE_LSEEK;
+
open = pde->proc_ops->proc_open;
if (open)
rv = open(inode, file);
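Review bot: The relocated `if (!pde->proc_ops->proc_lseek)` check ahead of `open = pde->proc_ops->proc_open;` has no comment explaining its position, and the ordering is the whole fix: per the commit message, proc_ops of a non-permanent pde should only be read after use_pde. A one-line comment above the check saying so would keep a later cleanup from hoisting it back to the top of proc_reg_open(). The changelog would also be easier to review if it spelled out the racing sequence in its own words instead of only pointing at [1].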
--
2.25.1