git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Sat, 26 Jul 2025 15:52:17 +0000 (11:52 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 1 Aug 2025 08:47:32 +0000 (09:47 +0100)
commit	1da8bd9a10ecd718692732294d15fd801c0eabb5
tree	4f7b92e60b4168d2436e7ac3efe08e9d01f6b29b	tree
parent	5ea224eaf636d8b90962de0488ea27dfe87658ba	commit \| diff

ksmbd: fix use-after-free in __smb2_lease_break_noti()

[ Upstream commit 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de ]

Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
referenced when ksmbd server thread terminates, It will not be freed,
but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
asynchronously when the connection is disconnected. __smb2_lease_break_noti
calls ksmbd_conn_write, which can cause use-after-free
when conn->ksmbd_transport is already freed.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Removed declaration of non-existent function ksmbd_find_netdev_name_iface_list() from transport_tcp.h. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/smb/server/connection.c		diff \| blob \| blame \| history
fs/smb/server/transport_tcp.c		diff \| blob \| blame \| history
fs/smb/server/transport_tcp.h		diff \| blob \| blame \| history