From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Qianchang Zhao <pioooooooooip@gmail.com>,
Zhitong Liu <liuzhitong1993@gmail.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.12 08/49] ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Date: Wed, 10 Dec 2025 16:29:38 +0900
Message-ID: <20251210072948.333067406@linuxfoundation.org>
In-Reply-To: <20251210072948.125620687@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
commit 1fab1fa091f5aa97265648b53ea031deedd26235 upstream.

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
  Write of size 12 at addr ffff888198ee6e20 by task pool/109349
  ...
  Freed by task:
    kvfree
    ipc_msg_send_request [ksmbd]
    ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:

- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
  entry->response, freeing it when invalid, and removing the entry from
  ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
  the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
  semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_ipc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -553,12 +553,16 @@ static void *ipc_msg_send_request(struct
up_write(&ipc_msg_table_lock);
ret = ipc_msg_send(msg);
- if (ret)
+ if (ret) {
+ down_write(&ipc_msg_table_lock);
goto out;
+ }
ret = wait_event_interruptible_timeout(entry.wait,
entry.response != NULL,
IPC_WAIT_TIMEOUT);
+
+ down_write(&ipc_msg_table_lock);
if (entry.response) {
ret = ipc_validate_msg(&entry);
if (ret) {
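Review bot: ipc_validate_msg(&entry) at the bottom of this hunk is now called with ipc_msg_table_lock held for write, and nothing at the new `down_write(&ipc_msg_table_lock);` after `wait_event_interruptible_timeout()` says why the critical section has to start there rather than at `hash_del()`. A one-line comment along the lines of "handle_response() fills entry.response under this lock, so validate and free it under the same lock" would keep a later cleanup from shrinking the section back to the hash removal and reintroducing the race. Also worth confirming in review that ipc_validate_msg() neither sleeps nor takes the semaphore itself, since this hunk moves it inside the lock.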
@@ -567,7 +571,6 @@ static void *ipc_msg_send_request(struct
}
}
out:
- down_write(&ipc_msg_table_lock);
hash_del(&entry.ipc_table_hlist);
up_write(&ipc_msg_table_lock);
return entry.response;
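Review bot: with the `down_write(&ipc_msg_table_lock);` removed at `out:`, every path that reaches the label must already hold the lock; the two paths visible in the patch (the `if (ret) { down_write(...); goto out; }` early exit and the fall-through after validation) do, but the invariant is now implicit. Suggest a `lockdep_assert_held_write(&ipc_msg_table_lock);` directly after `out:` so a future early exit that jumps there unlocked is caught under lockdep instead of surfacing as a hash_del() race. The kvfree() of an invalid reply lies in the unshown lines between the two hunks; since `return entry.response;` runs after `up_write()`, confirm that branch still sets entry.response to NULL after freeing, as the commit message promises for the error path.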
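The locking discipline the commit message describes, as an added, constructed userspace model (not ksmbd's code): the responder fills entry->response under one lock, and the waiter validates, frees an invalid reply and drops the entry from the table under that same lock before the pointer escapes, so a reply arriving after a timeout finds no entry to write into. The names register_request, deliver_reply, wait_reply and table_lock, the reply layout and the claimed-size validity check are assumptions of this model.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed model of ksmbd's ipc_msg_table (not ksmbd's code). As in the fixed
 * ipc_msg_send_request(), every access to entry->response happens under table_lock. */
#define TABLE_SIZE 8
struct ipc_reply { unsigned int handle; unsigned int len; char data[32]; };
struct ipc_entry { unsigned int handle; struct ipc_reply *response; bool in_table; };
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t table_cond = PTHREAD_COND_INITIALIZER; /* stands in for entry.wait */
static struct ipc_entry entries[TABLE_SIZE]; /* ksmbd keeps the entry on the waiter's stack */
/* Waiter, step 1: hash_add() the entry under the lock before the request goes out. */
static void register_request(unsigned int handle)
{
    struct ipc_entry *e = &entries[handle % TABLE_SIZE];
    pthread_mutex_lock(&table_lock);
    e->handle = handle; e->response = NULL; e->in_table = true;
    pthread_mutex_unlock(&table_lock);
}
/* Responder (models handle_response): allocates and fills entry->response under the lock.
 * Returns false when the entry is already gone, so it never writes into a freed buffer. */
static bool deliver_reply(unsigned int handle, const char *payload, unsigned int claimed_len)
{
    struct ipc_entry *e = &entries[handle % TABLE_SIZE]; bool delivered = false;
    pthread_mutex_lock(&table_lock);
    if (e->in_table && e->handle == handle && !e->response &&
        (e->response = calloc(1, sizeof *e->response)) != NULL) {
        e->response->handle = handle; e->response->len = claimed_len; /* size the reply claims */
        strncpy(e->response->data, payload, sizeof e->response->data - 1);
        delivered = true; pthread_cond_broadcast(&table_cond);
    }
    pthread_mutex_unlock(&table_lock);
    return delivered;
}
/* Waiter, step 2 (the fixed tail of ipc_msg_send_request): wait, then validate, free an
 * invalid reply and hash_del() the entry under the same lock the responder takes.
 * Returns 1 when a valid reply was consumed, 0 when the caller would have got NULL. */
static int wait_reply(unsigned int handle, int timeout_s)
{
    struct ipc_entry *e = &entries[handle % TABLE_SIZE];
    struct timespec deadline; clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_s;
    pthread_mutex_lock(&table_lock);
    while (!e->response && pthread_cond_timedwait(&table_cond, &table_lock, &deadline) == 0)
        continue; /* spurious wakeup: keep waiting until the reply lands or the deadline passes */
    /* ipc_validate_msg() stand-in: a reply whose claimed size exceeds its buffer is invalid */
    if (e->response && e->response->len > sizeof e->response->data) { free(e->response); e->response = NULL; }
    e->in_table = false; /* hash_del(): a late handle_response() must not find this entry */
    struct ipc_reply *resp = e->response;
    pthread_mutex_unlock(&table_lock);
    free(resp); /* the real caller consumes the reply; this model just drops it */
    return resp != NULL;
}
```

With a zero timeout the waiter behaves like the timed-out case in the report: it leaves with NULL and the entry already removed, so a reply delivered afterwards is refused instead of landing in freed memory.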