Like the rmmod scenario mentioned by Ye Bin in proc: fix use-after-free in proc_get_inode()[1], we should get pde->proc_ops after use_pde for non-permanent pde to avoid UAF in proc_reg_open().
[1] https://lore.kernel.org/all/20250301034024.277290-1-yebin@xxxxxxxxxxxxxxx/
Signed-off-by: wangzijie <wangzijie1@xxxxxxxxx>
---
 fs/proc/inode.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
index a3eb3b740..8de0af8c3 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -473,13 +473,13 @@ static int proc_reg_open(struct inode *inode, struct file *file)
 typeof_member(struct proc_ops, proc_open) open;
 struct pde_opener *pdeo;
- if (!pde->proc_ops->proc_lseek)
- file->f_mode &= ~FMODE_LSEEK;
-
 if (pde_is_permanent(pde)) {
 open = pde->proc_ops->proc_open;
- if (open)
+ if (open) {
+ if (!pde->proc_ops->proc_lseek)
+ file->f_mode &= ~FMODE_LSEEK;
 rv = open(inode, file);
+ }
 return rv;
 }
@@ -506,6 +506,9 @@ static int proc_reg_open(struct inode *inode, struct file *file)
 }
 }
+ if (!pde->proc_ops->proc_lseek)
+ file->f_mode &= ~FMODE_LSEEK;
+
 open = pde->proc_ops->proc_open;
 if (open)
 rv = open(inode, file);
--
2.25.1
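Review bot: In the first hunk the `proc_lseek` test now sits inside `if (open) {`, so a permanent entry with neither `proc_open` nor `proc_lseek` returns with FMODE_LSEEK still set. The removed lines cleared the flag for every entry regardless of `proc_open`, so this is a behaviour change the description does not mention. The permanent branch needs no `use_pde()` protection, so the test can stay unconditional there: put `if (!pde->proc_ops->proc_lseek)` and `file->f_mode &= ~FMODE_LSEEK;` directly after `if (pde_is_permanent(pde)) {` and leave `if (open)` as it was. The body of proc_reg_open() starts and ends outside this hunk.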
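Review bot: The second hunk relies on an ordering rule that nothing in the code states: for a non-permanent entry, `pde->proc_ops` may only be dereferenced once `use_pde()` has succeeded. A later cleanup could hoist the test back to the top of the function and reintroduce the use-after-free. A comment above the added lines would pin it, for example `/* pde->proc_ops can go away on rmmod until use_pde() has succeeded; keep this dereference below it */`. The `use_pde()` call itself is outside the hunk, so the placement is taken from the commit description rather than from the visible lines.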