From: Qianchang Zhao
To: Namjae Jeon, Steve French
Cc: gregkh@linuxfoundation.org, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Zhitong Liu, Qianchang Zhao, stable@vger.kernel.org
Subject: [PATCH] ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Date: Wed, 26 Nov 2025 10:49:33 +0900
Message-Id: <20251126014933.10085-1-pioooooooooip@gmail.com>

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
  Write of size 12 at addr ffff888198ee6e20 by task pool/109349
  ...
  Freed by task:
   kvfree
   ipc_msg_send_request [ksmbd]
   ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
  entry->response, freeing it when invalid, and removing the entry from
  ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
  the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Reported-by: Qianchang Zhao Reported-by: Zhitong Liu Cc: stable@vger.kernel.org Signed-off-by: Qianchang Zhao --- fs/smb/server/transport_ipc.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 46f87fd1c..7b1a060da 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -532,6 +532,7 @@ static int ipc_validate_msg(struct ipc_msg_table_entry = *entry) static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int = handle) { struct ipc_msg_table_entry entry; + void *response =3D NULL; int ret; =20 if ((int)handle < 0) @@ -553,6 +554,8 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg = *msg, unsigned int handle ret =3D wait_event_interruptible_timeout(entry.wait, entry.response !=3D NULL, IPC_WAIT_TIMEOUT); + + down_write(&ipc_msg_table_lock); if (entry.response) { ret =3D ipc_validate_msg(&entry); if (ret) { @@ -560,11 +563,19 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_ms= g *msg, unsigned int handle entry.response =3D NULL; } } + + response =3D entry.response; + hash_del(&entry.ipc_table_hlist); + up_write(&ipc_msg_table_lock); + + return response; + out: down_write(&ipc_msg_table_lock); hash_del(&entry.ipc_table_hlist); up_write(&ipc_msg_table_lock); - return entry.response; + + return NULL; } =20 static int ksmbd_ipc_heartbeat_request(void) --=20 2.34.1
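Review bot: in the second hunk (the one ending at "if (entry.response) {"), the new `down_write(&ipc_msg_table_lock);` is the whole fix, but nothing in the code says why the write lock must be taken before the check rather than only around the free; a one-line comment such as "handle_response() may still be filling entry.response; serialise with it before touching the buffer" would stop a later cleanup from moving the lock down. Also visible in the same context: the `ret` from `wait_event_interruptible_timeout()` is immediately overwritten by `ipc_validate_msg()`, so a timeout or -ERESTARTSYS is never distinguished from a normal wake-up. That is pre-existing, but since the lock is now taken regardless of how the wait ended, it is worth a sentence in the commit message that a late reply landing after the timeout is handled correctly precisely because the check happens under the lock.

Review bot: in the third hunk, the success path now duplicates the `hash_del(&entry.ipc_table_hlist); up_write(&ipc_msg_table_lock);` pair that `out:` already performs; consider letting the success path fall through to a shared unlink/unlock tail (with `response` set beforehand and `out:` re-taking the lock only in the error case) so there is one place that removes the entry. Separately, replacing `return entry.response;` with `return NULL;` at `out:` is only semantics-preserving if no `goto out` site can be reached after a reply has been attached; those sites are not in the hunk, so the commit message's claim that this "preserves the original API semantics" should state that explicitly. Finally, the `kvfree()` of an invalid reply (the branch whose tail `entry.response = NULL;` is visible in the context) now runs with the rwsem write-held; that is legal since rwsems allow sleeping, but it lengthens the critical section, which is acceptable here and worth one line of justification in the changelog.

The pattern the commit message describes, with a user-space model added here as an illustration (it is not ksmbd code and does not reproduce the kernel's hash table, wait queue or rwsem): the reply handler and the requester serialise on one lock, the requester validates, frees and unlinks its stack entry under that same lock, and a reply that arrives after the entry is gone finds nothing to write into. `struct msg_entry`, `table_lock`, `request_begin()`, `request_finish()`, `handle_response()` and `REPLY_MAGIC` are all constructed names for this example.

```c
/* Added example, not the ksmbd code: a user-space model of the fixed
 * ipc_msg_send_request() lock discipline. The requester's post-wait handling
 * of entry->response runs under the same lock the reply handler takes, so the
 * handler can never copy into a buffer the requester has already freed, and a
 * late reply finds no live entry at all. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_MAGIC 0x5243u                  /* constructed validity marker */

struct ipc_reply {                           /* stand-in for the netlink payload */
    unsigned int magic;
    char data[32];
};

/* hypothetical analogue of ipc_msg_table_entry; lives on the requester's stack */
struct msg_entry {
    unsigned int handle;
    struct ipc_reply *response;
    struct msg_entry *next;                  /* table link, stands in for ipc_table_hlist */
};

/* a single-bucket list stands in for ipc_msg_table; table_lock is the analogue
 * of ipc_msg_table_lock and is the only thing serialising handler and requester */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct msg_entry *table_head;

static struct msg_entry *table_lookup_locked(unsigned int handle)
{
    for (struct msg_entry *e = table_head; e; e = e->next)
        if (e->handle == handle)
            return e;
    return NULL;
}

static void table_del_locked(struct msg_entry *entry)
{
    for (struct msg_entry **pp = &table_head; *pp; pp = &(*pp)->next)
        if (*pp == entry) { *pp = entry->next; return; }
}

/* handler side (handle_response() analogue): look up, allocate, copy and
 * publish, all under table_lock. Returns 1 if delivered, 0 if no live entry
 * exists for the handle (the late-reply case). */
int handle_response(unsigned int handle, const struct ipc_reply *src)
{
    int delivered = 0;
    pthread_mutex_lock(&table_lock);
    struct msg_entry *e = table_lookup_locked(handle);
    if (e && !e->response) {
        struct ipc_reply *r = malloc(sizeof(*r));
        if (r) {
            memcpy(r, src, sizeof(*r));      /* the copy that raced with kvfree() */
            e->response = r;
            delivered = 1;
        }
    }
    pthread_mutex_unlock(&table_lock);
    return delivered;
}

/* constructed stand-in for ipc_validate_msg(): 0 on success, -EINVAL otherwise */
static int validate_reply(const struct ipc_reply *r)
{
    return r->magic == REPLY_MAGIC ? 0 : -EINVAL;
}

/* requester, step 1: register the stack entry (the hash_add before the wait) */
void request_begin(struct msg_entry *entry, unsigned int handle)
{
    entry->handle = handle;
    entry->response = NULL;
    pthread_mutex_lock(&table_lock);
    entry->next = table_head;
    table_head = entry;
    pthread_mutex_unlock(&table_lock);
}

/* requester, step 2 (after the wait returned or timed out): validate, free on
 * failure and unlink, all under table_lock, then hand back the final pointer.
 * This mirrors the fixed ipc_msg_send_request(); the caller frees a non-NULL
 * result. Because handle_response() holds the same lock for its whole copy,
 * the free here can never hit a buffer still being written. */
struct ipc_reply *request_finish(struct msg_entry *entry)
{
    struct ipc_reply *response;
    pthread_mutex_lock(&table_lock);
    if (entry->response && validate_reply(entry->response)) {
        free(entry->response);
        entry->response = NULL;
    }
    response = entry->response;
    table_del_locked(entry);                 /* hash_del under the same lock */
    pthread_mutex_unlock(&table_lock);
    return response;
}
```

The wait itself is left out of the model: `request_begin()` and `request_finish()` are the code before and after `wait_event_interruptible_timeout()` in the patched function, and a caller can interleave `handle_response()` between them to exercise the three outcomes the patch cares about (valid reply returned, invalid reply freed and NULL returned, reply arriving after the entry was removed and therefore dropped).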