1. Patchew
  2. linux
  3. View series

[PATCH 6.1] ksmbd: fix use-after-free in session logoff

Nazar Kalashnikov posted 1 patch 4 days, 6 hours ago
There is a newer version of this series
fs/smb/server/smb2pdu.c | 4 ----
1 file changed, 4 deletions(-)
[PATCH 6.1] ksmbd: fix use-after-free in session logoff
Posted by Nazar Kalashnikov 4 days, 6 hours ago 
From: Nazar Kalashnikov <sivartiwe@gmail.com>

From: Sean Heelan <seanheelan@gmail.com>

commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream.

The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.

Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
---
Backport fix for CVE-2025-37899
 fs/smb/server/smb2pdu.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index d2dca5d2f17c..f72ef3fe4968 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2252,10 +2252,6 @@ int smb2_session_logoff(struct ksmbd_work *work)
 	sess->state = SMB2_SESSION_EXPIRED;
 	up_write(&conn->session_lock);
 
-	if (sess->user) {
-		ksmbd_free_user(sess->user);
-		sess->user = NULL;
-	}
 	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
 
 	rsp->StructureSize = cpu_to_le16(4);
-- 
2.39.2
Re: [PATCH 6.1] ksmbd: fix use-after-free in session logoff
Posted by Greg Kroah-Hartman 4 days, 6 hours ago 
On Thu, Nov 27, 2025 at 06:05:10PM +0300, Nazar Kalashnikov wrote:
> From: Nazar Kalashnikov <sivartiwe@gmail.com>
> 
> From: Sean Heelan <seanheelan@gmail.com>

That's odd, which is correct?

thanks,

greg k-h

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.