Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A deadlock vulnerability has been identified in the Linux kernel's ksmbd component, specifically in the handling of RPC sessions. This issue arises from improper locking mechanisms, which can cause connections to hang when a client tries to access a named pipe. The problem was introduced in a previous commit that aimed to fix a race condition but inadvertently created a deadlock scenario. When the rpcclient tool from Samba is used to connect to the server and request information about the server, the connection hangs indefinitely. This issue can be temporarily masked by disabling the hung task timeout in the kernel, but the underlying problem remains.
The vulnerability leads to a deadlock situation where tasks become unresponsive, causing hung connections that can disrupt normal operations.
To reproduce this vulnerability, use Samba's rpcclient tool to connect to a server running the affected version of the Linux kernel with ksmbd enabled. After establishing the connection, issue the 'srvinfo' command. The connection will hang, indicating a deadlock situation. This can be verified through the kernel's hung task detection: once the hung task timeout elapses, the kernel reports the task as stuck and not progressing.
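For defenders checking whether a server has hit this hang, the following added example (not part of the original advisory or of the kernel project) scans kernel log text for hung task reports whose call trace contains frames from the ksmbd module. It assumes ksmbd is built as a module, so its frames carry the [ksmbd] suffix; the sample log and the function names in it are constructed placeholders.

```python
import re

# Header line emitted by the kernel's hung task detector.
HUNG_RE = re.compile(
    r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
# Stack frame that belongs to the ksmbd module, e.g. "func+0x1a/0x40 [ksmbd]".
KSMBD_FRAME_RE = re.compile(r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[ksmbd\]")

# Constructed sample: function names are placeholders, not real ksmbd symbols.
SAMPLE_LOG = """\
[  363.100000] INFO: task kworker/1:2:817 blocked for more than 120 seconds.
[  363.100010] task:kworker/1:2     state:D stack:0     pid:817
[  363.100020] Call Trace:
[  363.100030]  <TASK>
[  363.100040]  schedule+0x5e/0xd0
[  363.100050]  placeholder_lock_wait+0x1a/0x40 [ksmbd]
[  363.100060]  placeholder_rpc_handler+0x7c/0x110 [ksmbd]
[  363.100070]  </TASK>
[  484.200000] INFO: task backup:2290 blocked for more than 120 seconds.
[  484.200010] Call Trace:
[  484.200020]  <TASK>
[  484.200030]  schedule+0x5e/0xd0
[  484.200040]  io_schedule+0x46/0x70
[  484.200050]  </TASK>
"""

def find_ksmbd_hangs(log_text):
    """Return one dict per hung task report whose call trace has ksmbd frames."""
    reports, current = [], None
    for line in log_text.splitlines():
        header = HUNG_RE.search(line)
        if header:
            current = {"comm": header["comm"], "pid": int(header["pid"]),
                       "secs": int(header["secs"]), "frames": []}
            reports.append(current)
        elif "</TASK>" in line:
            current = None  # end of this trace; ignore frames from unrelated dumps
        elif current is not None:
            frame = KSMBD_FRAME_RE.search(line)
            if frame:
                current["frames"].append(frame["func"])
    return [r for r in reports if r["frames"]]

if __name__ == "__main__":
    for hit in find_ksmbd_hangs(SAMPLE_LOG):
        print(f"{hit['comm']} (pid {hit['pid']}) stuck >{hit['secs']}s in ksmbd: {hit['frames']}")
```

If the hung task timeout has been disabled, no such report is logged and this check finds nothing even though the connection is still hung.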
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.