CVE-2024-53186

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
27/12/2024
Last modified:
10/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF.
- KASAN: slab-use-after-free Read in handle_ksmbd_work
- KASAN: slab-use-after-free in rtlock_slowlock_locked

This race condition arises as follows:
- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:
  `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`
- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`.
- However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line:
  `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`
  This results in a UAF, as `conn` has already been freed.

The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.
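As an added illustration, not code from the kernel or from the fix this advisory refers to, the following userspace C model replays the interleaving described above: a worker decrements the in-flight request count and then touches the wait queue, while the connection thread observes zero and frees the object in between. The hardened variant beside it pins the object with an extra reference across the wake-up; all struct and function names are hypothetical, and the "free" is instrumented rather than real so the post-free access can be counted.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical userspace model of the ksmbd pattern; field names mirror the advisory. */
struct conn {
    atomic_int r_count;  /* in-flight requests, like conn->r_count */
    atomic_int refcnt;   /* extra reference that pins conn while a worker may still touch it */
    bool freed;          /* instrumentation: set instead of really freeing the object */
    int uaf_reads;       /* instrumentation: accesses observed after the "free" */
};

/* Stand-in for waitqueue_active(&conn->r_count_q) / wake_up(): counts post-free accesses. */
static void touch_wait_queue(struct conn *c) { if (c->freed) c->uaf_reads++; }

/* Connection thread after wait_event(): r_count hit zero, so it drops its own reference. */
static void conn_thread_release(struct conn *c) {
    if (atomic_load(&c->r_count) == 0 && atomic_fetch_sub(&c->refcnt, 1) == 1)
        c->freed = true;  /* models ksmbd_conn_free() */
}

/* Buggy worker: decrements, then touches the wait queue while holding no reference;
 * the racing connection thread is modelled as running between the two steps. */
static void worker_done_buggy(struct conn *c) {
    atomic_fetch_sub(&c->r_count, 1);
    conn_thread_release(c);  /* observes zero and frees conn */
    touch_wait_queue(c);     /* use-after-free */
}

/* Hardened worker: pins conn before the decrement so it outlives the wake-up, then drops
 * that reference and frees only if it was the last holder. */
static void worker_done_fixed(struct conn *c) {
    atomic_fetch_add(&c->refcnt, 1);
    atomic_fetch_sub(&c->r_count, 1);
    conn_thread_release(c);  /* same interleaving: refcnt 2 -> 1, conn survives */
    touch_wait_queue(c);     /* safe */
    if (atomic_fetch_sub(&c->refcnt, 1) == 1)
        c->freed = true;
}

/* Runs one interleaving; returns the number of post-free accesses, or -1 if conn leaked. */
static int run_scenario(bool hardened) {
    struct conn *c = calloc(1, sizeof *c);
    atomic_init(&c->r_count, 1);  /* one request currently being handled */
    atomic_init(&c->refcnt, 1);   /* reference held by the connection thread */
    if (hardened) worker_done_fixed(c); else worker_done_buggy(c);
    int uaf = c->freed ? c->uaf_reads : -1;
    free(c);
    return uaf;
}
```

Under the same interleaving the buggy worker records one access after the free, while the hardened worker records none and still frees the object exactly once.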

Vulnerable products and versions

CPE                                           From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.6.55 (including)   6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.10.14 (including)  6.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.11.3 (including)   6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.12 (including)     6.12.2 (excluding)