git.kernel.dk Git - linux-block.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Fri, 11 Apr 2025 06:19:46 +0000 (15:19 +0900)
committer	Steve French <stfrench@microsoft.com>
	Tue, 15 Apr 2025 03:21:26 +0000 (22:21 -0500)
commit	21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de
tree	7ba00540ed13ec8720c02e8a3ffab0f161905af8	tree
parent	1df0d4c616138784e033ad337961b6e1a6bcd999	commit \| diff

ksmbd: fix use-after-free in __smb2_lease_break_noti()

Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
referenced when ksmbd server thread terminates, It will not be freed,
but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
asynchronously when the connection is disconnected. __smb2_lease_break_noti
calls ksmbd_conn_write, which can cause use-after-free
when conn->ksmbd_transport is already freed.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

fs/smb/server/connection.c		diff \| blob \| blame \| history
fs/smb/server/transport_tcp.c		diff \| blob \| blame \| history
fs/smb/server/transport_tcp.h		diff \| blob \| blame \| history