linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00

Go to file

Qianchang Zhao 708a620b47 ksmbd: ipc: fix use-after-free in ipc_msg_send_request

commit 1fab1fa091f5aa97265648b53ea031deedd26235 upstream.

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
  Write of size 12 at addr ffff888198ee6e20 by task pool/109349
  ...
  Freed by task:
    kvfree
    ipc_msg_send_request [ksmbd]
    ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
  entry->response, freeing it when invalid, and removing the entry from
  ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
  the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
  semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.

Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2026-01-11 15:21:07 +01:00

arch

ARM: dts: nxp: imx6ul: correct SAI3 interrupt line

2025-12-07 06:18:51 +09:00

block

blk-cgroup: fix possible deadlock while configuring policy

2025-11-24 10:29:22 +01:00

certs

sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3

2025-04-25 10:45:58 +02:00

crypto

crypto: essiv - Check ssize for decryption and in-place encryption

2025-10-19 16:30:45 +02:00

Documentation

Documentation: process: Also mention Sasha Levin as stable tree maintainer

2026-01-11 15:21:06 +01:00

drivers

leds: spi-byte: Use devm_led_classdev_register_ext()

2026-01-11 15:21:06 +01:00

ksmbd: ipc: fix use-after-free in ipc_msg_send_request

2026-01-11 15:21:07 +01:00

include

Revert "xfrm: destroy xfrm_state synchronously on net exit path"

2026-01-11 15:21:06 +01:00

init

init: handle bootloader identifier in kernel parameters

2025-10-19 16:30:50 +02:00

io_uring

io_uring: correct __must_hold annotation in io_install_fixed_file

2025-10-29 14:07:04 +01:00

ipc

ipc: fix to protect IPCS lookups using RCU

2025-06-27 11:08:49 +01:00

kernel

ftrace: Fix BPF fexit with livepatch

2025-12-01 11:41:53 +01:00

lib

maple_tree: fix tracepoint string pointers

2025-12-01 11:41:52 +01:00

LICENSES

LICENSES: Add the copyleft-next-0.3.1 license

2022-11-08 15:44:01 +01:00

mm/mempool: fix poisoning order>0 pages with HIGHMEM

2025-12-01 11:41:54 +01:00

net

xfrm: flush all states in xfrm_state_fini

2026-01-11 15:21:06 +01:00

rust

mm/ksm: fix flag-dropping behavior in ksm_madvise

2025-10-23 16:16:44 +02:00

samples

ftrace/samples: Fix function size computation

2025-09-19 16:32:02 +02:00

scripts

kconfig/nconf: Initialize the default locale at startup

2025-12-01 11:41:50 +01:00

security

ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

2025-11-24 10:29:46 +01:00

sound

ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230

2025-12-07 06:18:51 +09:00

tools

selftests: mptcp: join: properly kill background tasks

2025-12-07 06:18:54 +09:00

usr

kbuild: uapi: Strip comments before size type check

2025-11-24 10:29:49 +01:00

virt

KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock

2024-10-04 16:29:47 +02:00

.clang-format

iommu: Add for_each_group_device()

2023-05-23 08:15:51 +02:00

.cocciconfig

…

.get_maintainer.ignore

get_maintainer: add Alan to .get_maintainer.ignore

2022-08-20 15:17:44 -07:00

.gitattributes

.gitattributes: set diff driver for Rust source code files

2023-05-31 17:48:25 +02:00

.gitignore

Remove *.orig pattern from .gitignore

2024-10-04 16:29:44 +02:00

.mailmap

Merge tag 'mm-hotfixes-stable-2023-10-24-09-40' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2023-10-24 09:52:16 -10:00

.rustfmt.toml

rust: add .rustfmt.toml

2022-09-28 09:02:20 +02:00

COPYING

…

CREDITS

USB: Remove Wireless USB and UWB documentation

2023-08-09 14:17:32 +02:00

Kbuild

Merge tag 'kbuild-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-10 12:00:45 -07:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

staging: rtl8712: Remove driver using deprecated API wext

2025-12-07 06:18:54 +09:00

Makefile

Linux 6.6.119

2025-12-07 06:18:54 +09:00

README

…

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.