ksmbd: fix use-after-free in __smb2_lease_break_noti() (21a4e475) · Commits · linux-arm / linux-dm

Commit 21a4e475 authored Apr 11, 2025 by Namjae Jeon Committed by Steve French Apr 14, 2025

ksmbd: fix use-after-free in __smb2_lease_break_noti()



Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
referenced when ksmbd server thread terminates, It will not be freed,
but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
asynchronously when the connection is disconnected. __smb2_lease_break_noti
calls ksmbd_conn_write, which can cause use-after-free
when conn->ksmbd_transport is already freed.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 1df0d4c6

Hide whitespace changes

Inline Side-by-side

Please register or to comment