Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix race condition in RPC handle list access The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditions. In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock before calling xa_store() and xa_erase(). Since these operations modify the XArray structure, a write lock is required to ensure exclusive access and prevent data corruption from concurrent modifications. Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() without holding any lock at all. This could lead to reading inconsistent data or a potential use-after-free if an entry is concurrently removed and the pointer is dereferenced. Fix these issues by: 1. Using down_write() and up_write() in ksmbd_session_rpc_open() to ensure exclusive access during XArray modification, and ensuring the lock is correctly released on error paths. 2. Adding down_read() and up_read() in ksmbd_session_rpc_method() to safely protect the lookup.
Product status
b685757c7b08d5073046fb379be965fd6c06aafc (git) before 5cc679ba0f4505936124cd4179ba66bb0a4bd9f3
b685757c7b08d5073046fb379be965fd6c06aafc (git) before 6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1
b685757c7b08d5073046fb379be965fd6c06aafc (git) before 305853cce379407090a73b38c5de5ba748893aee
1f485b54d04a920723984062c912174330a05178 (git)
052b41ef2abe274f068e892aee81406f11bd1f3a (git)
6.3
Any version before 6.3
6.12.53 (semver)
6.17.3 (semver)
6.18-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3
git.kernel.org/...c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1
git.kernel.org/...c/305853cce379407090a73b38c5de5ba748893aee
