ksmbd: call rcu_barrier() in ksmbd_server_exit()

namjaejeon · Steve French · commit eb307d09fe15 · 2023-05-03T23:03:02.000-05:00
racy issue is triggered the bug by racing between closing a connection
and rmmod. In ksmbd, rcu_barrier() is not called at module unload time,
so nothing prevents ksmbd from getting unloaded while it still has RCU
callbacks pending. It leads to trigger unintended execution of kernel
code locally and use to defeat protections such as Kernel Lockdown

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20477
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
@@ -606,6 +606,7 @@ static int __init ksmbd_server_init(void)
 static void __exit ksmbd_server_exit(void)
 {
 	ksmbd_server_shutdown();
+	rcu_barrier();
 	ksmbd_release_inode_hash();
 }
 

Original file line number	Diff line number	Diff line change
`@@ -606,6 +606,7 @@ static int __init ksmbd_server_init(void)`
`606`	`606`	`static void __exit ksmbd_server_exit(void)`
`607`	`607`	`{`
`608`	`608`	`ksmbd_server_shutdown();`
	`609`	`+ rcu_barrier();`
`609`	`610`	`ksmbd_release_inode_hash();`
`610`	`611`	`}`
`611`	`612`