{
  "commit": "3f963759dca7eaf23a5910ac17bfe6325f2bb6ec",
  "tree": "02a767e709c522c82a686a449c1a29cbc6d055c0",
  "parents": [
    "6e177bb905c51ee9a3ddd6ea161ed8f340e07da6"
  ],
  "author": {
    "name": "Ye Bin",
    "email": "yebin10@huawei.com",
    "time": "Sat Mar 01 15:06:24 2025 +0300"
  },
  "committer": {
    "name": "Michael Kochera",
    "email": "kochera@google.com",
    "time": "Thu Apr 10 13:38:08 2025 -0700"
  },
  "message": "proc: fix UAF in proc_get_inode()\n\ncommit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.\n\nFix race between rmmod and /proc/XXX\u0027s inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don\u0027t belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e...  dereference.\n\n      rmmod                         lookup\nsys_delete_module\n                         proc_lookup_de\n\t\t\t   pde_get(de);\n\t\t\t   proc_get_inode(dir-\u003ei_sb, de);\n  mod-\u003eexit()\n    proc_remove\n      remove_proc_subtree\n       proc_entry_rundown(de);\n  free_module(mod);\n\n                               if (S_ISREG(inode-\u003ei_mode))\n\t                         if (de-\u003eproc_ops-\u003eproc_read_iter)\n                           --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don\u0027t do 2 atomic ops on the common path]\nBUG\u003db/409514439\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2025-21999 in the Linux kernel.\n\ncos-patch: security-high\nLink: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183\nFixes: 778f3dd5a13c (\"Fix procfs compat_ioctl regression\")\nChange-Id: I7642d6151f33195261ce98de591646b2a6ae7aad\nSigned-off-by: Ye Bin \u003cyebin10@huawei.com\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: David S. Miller \u003cdavem@davemloft.net\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/98741\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Shuo Yang \u003cgshuoy@google.com\u003e\nReviewed-by: Michael Kochera \u003ckochera@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "775ce0bcf08ce28954be8d6cec1b77c08c0bc722",
      "old_mode": 33188,
      "old_path": "fs/proc/generic.c",
      "new_id": "c8785d68e870bf7be50c2f93f89b37f1672afe37",
      "new_mode": 33188,
      "new_path": "fs/proc/generic.c"
    },
    {
      "type": "modify",
      "old_id": "532dc9d240f7f991015ba02ee8c55a899a4666d0",
      "old_mode": 33188,
      "old_path": "fs/proc/inode.c",
      "new_id": "897c71077a0f7e470659c729850ed7ce0797765c",
      "new_mode": 33188,
      "new_path": "fs/proc/inode.c"
    },
    {
      "type": "modify",
      "old_id": "9a8f32f21ff569d0dc40e1d7c31b63b9aea293bc",
      "old_mode": 33188,
      "old_path": "fs/proc/internal.h",
      "new_id": "445c74a39a931f22762bd6034159e8e16ccacd11",
      "new_mode": 33188,
      "new_path": "fs/proc/internal.h"
    },
    {
      "type": "modify",
      "old_id": "de407e7c3b55fdbd9b5d3cbe93585b1e417a3e20",
      "old_mode": 33188,
      "old_path": "include/linux/proc_fs.h",
      "new_id": "1aca3f332d9c06ae3294abf0d8d112bf5865643c",
      "new_mode": 33188,
      "new_path": "include/linux/proc_fs.h"
    }
  ]
}
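The commit message above describes two things: the race in which rmmod frees the module that owns `pde->proc_ops` while a concurrent lookup is still inside `proc_get_inode()`, and the shape of the fix, which snapshots everything inode instantiation needs into the PDE before `proc_register()` so the lookup path never dereferences module memory. The following user-space C model is an added example for this page; it is not the kernel's code and not the patch touching fs/proc/generic.c, fs/proc/inode.c, fs/proc/internal.h and include/linux/proc_fs.h. All names in it (`struct pde`, `proc_create_vuln`, `proc_get_inode_fixed`, `PDE_FLAG_*`, `module_load`, `race_after_rmmod`) are hypothetical stand-ins. So that the demonstration stays deterministic and defined, "rmmod" overwrites the ops table with a slab-style poison byte instead of calling `free()` on memory the vulnerable path then reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, trimmed stand-in for the module-owned struct proc_ops. */
struct proc_ops {
    int (*proc_read_iter)(void);
    int (*proc_compat_ioctl)(void);
};

/* Bits /proc keeps for itself so that lookup never has to touch proc_ops. */
#define PDE_FLAG_READ_ITER     0x1u
#define PDE_FLAG_COMPAT_IOCTL  0x2u

/* Hypothetical stand-in for struct proc_dir_entry (the "PDE"). */
struct pde {
    const struct proc_ops *proc_ops;   /* points into module memory          */
    unsigned int flags;                /* owned by /proc, filled at creation  */
};

static int mod_read_iter(void) { return 0; }

/* "insmod": the ops table lives in memory the module owns. */
struct proc_ops *module_load(void)
{
    struct proc_ops *ops = calloc(1, sizeof *ops);
    if (!ops)
        abort();
    ops->proc_read_iter = mod_read_iter;   /* compat_ioctl deliberately absent */
    return ops;
}

/* "rmmod": poison the table (0x6b, as a slab poison would) instead of freeing
 * it, so that a later read is defined behaviour here and shows up as garbage. */
void module_unload(struct proc_ops *ops)
{
    memset(ops, 0x6b, sizeof *ops);
}

/* Vulnerable shape: registration stores only the pointer ... */
void proc_create_vuln(struct pde *de, const struct proc_ops *ops)
{
    de->proc_ops = ops;
    de->flags = 0;
}

/* ... and inode instantiation dereferences it at lookup time, which is the
 * "if (de->proc_ops->proc_read_iter)" step of the diagram in the message. */
unsigned int proc_get_inode_vuln(const struct pde *de)
{
    unsigned int f = 0;
    if (de->proc_ops->proc_read_iter)
        f |= PDE_FLAG_READ_ITER;
    if (de->proc_ops->proc_compat_ioctl)
        f |= PDE_FLAG_COMPAT_IOCTL;
    return f;
}

/* Fixed shape: snapshot what inode instantiation needs into the PDE while the
 * module is still alive, i.e. before the entry becomes visible to lookup. */
void proc_create_fixed(struct pde *de, const struct proc_ops *ops)
{
    de->proc_ops = ops;
    de->flags = 0;
    if (ops->proc_read_iter)
        de->flags |= PDE_FLAG_READ_ITER;
    if (ops->proc_compat_ioctl)
        de->flags |= PDE_FLAG_COMPAT_IOCTL;
}

/* Lookup reads only /proc-owned memory: no module dereference, and no
 * use_pde/unuse_pde atomic pair needed on the common path. */
unsigned int proc_get_inode_fixed(const struct pde *de)
{
    return de->flags;
}

/* Replay the race from the commit message: rmmod wins, then lookup's
 * proc_get_inode() runs. Returns the flags the chosen shape computes. */
unsigned int race_after_rmmod(int use_fixed_shape)
{
    struct proc_ops *ops = module_load();
    struct pde de;
    unsigned int flags;

    if (use_fixed_shape)
        proc_create_fixed(&de, ops);
    else
        proc_create_vuln(&de, ops);

    module_unload(ops);                          /* module gone before lookup */

    flags = use_fixed_shape ? proc_get_inode_fixed(&de)   /* PDE only          */
                            : proc_get_inode_vuln(&de);   /* poisoned module   */
    free(ops);
    return flags;
}

int main(void)
{
    printf("vulnerable lookup after rmmod saw flags 0x%x (poison), "
           "fixed lookup saw 0x%x\n",
           race_after_rmmod(0), race_after_rmmod(1));
    return 0;
}
```

The vulnerable shape reports both capabilities after rmmod because every byte of the poisoned function pointers is non-zero; in the kernel the same read hits freed module text and KASAN reports the page fault shown in the oops. The fixed shape returns the snapshot taken at creation, which is the only information `proc_get_inode()` needs and which cannot change because, as the message notes, `pde->proc_ops` never changes after registration.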
