module: Taint the kernel when write-protecting ro_after_init fails#60
Closed
modules-kpd-app[bot] wants to merge 2 commits into
Closed
module: Taint the kernel when write-protecting ro_after_init fails#60modules-kpd-app[bot] wants to merge 2 commits into
modules-kpd-app[bot] wants to merge 2 commits into
Conversation
Author
|
Upstream branch: afa9286 |
Author
|
Upstream branch: afa9286 |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
87c7db5 to
5519fcb
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
b5b7508 to
96f6e22
Compare
Author
|
Upstream branch: 085c5e3 |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
5519fcb to
0d5ca8f
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
96f6e22 to
7c2b408
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
7c2b408 to
2996654
Compare
Author
|
Upstream branch: 897c0b4 |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
0d5ca8f to
763fd3e
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
2996654 to
d4037eb
Compare
Author
|
Upstream branch: b464e57 |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
763fd3e to
cba9279
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
d4037eb to
39f16b8
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
39f16b8 to
d6fb02c
Compare
Author
|
Upstream branch: a0b018a |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
cba9279 to
6b3b34d
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
d6fb02c to
b788ac1
Compare
In the unlikely case that setting ro_after_init data to read-only fails, it is too late to cancel loading of the module. The loader then issues only a warning about the situation. Given that this reduces the kernel's protection, it was suggested to make the failure more visible by tainting the kernel. Allow TAINT_BAD_PAGE to be set per-module and use it in this case. The flag is set in similar situations and has the following description in Documentation/admin-guide/tainted-kernels.rst: "bad page referenced or some unexpected page flags". Adjust the warning that reports the failure to avoid references to internal functions and to add information about the kernel being tainted, both to match the style of other messages in the file. Additionally, merge the message on a single line because checkpatch.pl recommends that for the ability to grep for the string. Suggested-by: Kees Cook <kees@kernel.org> Signed-off-by: Petr Pavlu <petr.pavlu@suse.com> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Author
|
Upstream branch: a0b018a |
modules-kpd-app
Bot
force-pushed
the
series/940956=>modules-next
branch
from
6b3b34d to
784f0b9
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
b788ac1 to
e04c78d
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
cbdca0b to
6a1a12c
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
6a1a12c to
7c2b408
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
2 times, most recently
from
6381fa5 to
aaa7ece
Compare
dagomez137
force-pushed
the
modules-next_base
branch
2 times, most recently
from
b4d1c4e to
61dc34e
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
2 times, most recently
from
1df8185 to
9aab33d
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
9aab33d to
99d099e
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
99d099e to
3aed49d
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
3aed49d to
856647c
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
from
856647c to
e1b99f5
Compare
dagomez137
force-pushed
the
modules-next_base
branch
from
e1b99f5 to
856647c
Compare
modules-kpd-app
Bot
force-pushed
the
modules-next_base
branch
3 times, most recently
from
0299e02 to
cdc6b9e
Compare
dagomez137
pushed a commit
that referenced
this pull request
Mar 23, 2026
smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf. KASAN report: [ 4.144653] ================================================================== [ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [ 4.145772] [ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work [ 4.145888] Call Trace: [ 4.145892] <TASK> [ 4.145894] dump_stack_lvl+0x64/0x80 [ 4.145910] print_report+0xce/0x660 [ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 4.145928] ? smb2_write+0xc74/0xe70 [ 4.145931] kasan_report+0xce/0x100 [ 4.145934] ? smb2_write+0xc74/0xe70 [ 4.145937] smb2_write+0xc74/0xe70 [ 4.145939] ? __pfx_smb2_write+0x10/0x10 [ 4.145942] ? _raw_spin_unlock+0xe/0x30 [ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 [ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 [ 4.145951] handle_ksmbd_work+0x40f/0x1080 [ 4.145953] process_one_work+0x5fa/0xef0 [ 4.145962] ? assign_work+0x122/0x3e0 [ 4.145964] worker_thread+0x54b/0xf70 [ 4.145967] ? __pfx_worker_thread+0x10/0x10 [ 4.145970] kthread+0x346/0x470 [ 4.145976] ? recalc_sigpending+0x19b/0x230 [ 4.145980] ? __pfx_kthread+0x10/0x10 [ 4.145984] ret_from_fork+0x4fb/0x6c0 [ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 [ 4.145995] ? __switch_to+0x36c/0xbe0 [ 4.145999] ? __pfx_kthread+0x10/0x10 [ 4.146003] ret_from_fork_asm+0x1a/0x30 [ 4.146013] </TASK> [ 4.146014] [ 4.149858] Allocated by task 44: [ 4.149953] kasan_save_stack+0x33/0x60 [ 4.150061] kasan_save_track+0x14/0x30 [ 4.150169] __kasan_kmalloc+0x8f/0xa0 [ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 [ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 [ 4.150529] smb2_tree_connect+0x2e6/0x1000 [ 4.150645] handle_ksmbd_work+0x40f/0x1080 [ 4.150761] process_one_work+0x5fa/0xef0 [ 4.150873] worker_thread+0x54b/0xf70 [ 4.150978] kthread+0x346/0x470 [ 4.151071] ret_from_fork+0x4fb/0x6c0 [ 4.151176] ret_from_fork_asm+0x1a/0x30 [ 4.151286] [ 4.151332] Freed by task 44: [ 4.151418] kasan_save_stack+0x33/0x60 [ 4.151526] kasan_save_track+0x14/0x30 [ 4.151634] kasan_save_free_info+0x3b/0x60 [ 4.151751] __kasan_slab_free+0x43/0x70 [ 4.151861] kfree+0x1ca/0x430 [ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 [ 4.152088] smb2_tree_disconnect+0x1cd/0x480 [ 4.152211] handle_ksmbd_work+0x40f/0x1080 [ 4.152326] process_one_work+0x5fa/0xef0 [ 4.152438] worker_thread+0x54b/0xf70 [ 4.152545] kthread+0x346/0x470 [ 4.152638] ret_from_fork+0x4fb/0x6c0 [ 4.152743] ret_from_fork_asm+0x1a/0x30 [ 4.152853] [ 4.152900] The buggy address belongs to the object at ffff88810430c180 [ 4.152900] which belongs to the cache kmalloc-96 of size 96 [ 4.153226] The buggy address is located 20 bytes inside of [ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [ 4.153549] [ 4.153596] The buggy address belongs to the physical page: [ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [ 4.154000] flags: 0x100000000000200(workingset|node=0|zone=2) [ 4.154160] page_type: f5(slab) [ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 [ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 [ 4.154668] page dumped because: kasan: bad access detected [ 4.154820] [ 4.154866] Memory state around the buggy address: [ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 4.155587] ^ [ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4.156087] ================================================================== Add the same t_state validation to the compound reuse path, consistent with ksmbd_tree_conn_lookup(). Fixes: 5005bcb ("ksmbd: validate session id and tree id in the compound request") Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: module: Taint the kernel when write-protecting ro_after_init fails
version: 1
url: https://patchwork.kernel.org/project/linux-modules/list/?series=940956