[lvc-project] Patch "ksmbd: fix use-after-free in session logoff" has been added to the 6.6-stable tree
gregkh at linuxfoundation.org
Tue Dec 2 18:59:03 MSK 2025
This is a note to let you know that I've just added the patch titled
ksmbd: fix use-after-free in session logoff
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-fix-use-after-free-in-session-logoff.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
>From stable+bounces-197515-greg=kroah.com at vger.kernel.org Thu Nov 27 17:23:43 2025
From: Nazar Kalashnikov <sivartiwe at gmail.com>
Date: Thu, 27 Nov 2025 19:23:37 +0300
Subject: ksmbd: fix use-after-free in session logoff
To: stable at vger.kernel.org, Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Nazar Kalashnikov <sivartiwe at gmail.com>, Namjae Jeon <linkinjeon at kernel.org>, Steve French <sfrench at samba.org>, Sergey Senozhatsky <senozhatsky at chromium.org>, Tom Talpey <tom at talpey.com>, linux-cifs at vger.kernel.org, linux-kernel at vger.kernel.org, lvc-project at linuxtesting.org, Sean Heelan <seanheelan at gmail.com>, Steve French <stfrench at microsoft.com>
Message-ID: <20251127162338.7276-1-sivartiwe at gmail.com>
From: Sean Heelan <seanheelan at gmail.com>
commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream.
The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.
Signed-off-by: Sean Heelan <seanheelan at gmail.com>
Acked-by: Namjae Jeon <linkinjeon at kernel.org>
Signed-off-by: Steve French <stfrench at microsoft.com>
Signed-off-by: Nazar Kalashnikov <sivartiwe at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
v2: Fix duplicate From: header
Backport fix for CVE-2025-37899
fs/smb/server/smb2pdu.c | 4 ----
1 file changed, 4 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2255,10 +2255,6 @@ int smb2_session_logoff(struct ksmbd_wor
sess->state = SMB2_SESSION_EXPIRED;
up_write(&conn->session_lock);
- if (sess->user) {
- ksmbd_free_user(sess->user);
- sess->user = NULL;
- }
ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
rsp->StructureSize = cpu_to_le16(4);
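Review bot: With the "if (sess->user)" block dropped after up_write(&conn->session_lock), nothing visible in this hunk releases sess->user any more, and the commit message does not say where the object is freed instead. The removed ksmbd_free_user() call ran after the session lock had been released, which matches the race the message describes with a concurrent smb2_sess_setup on another connection, so the removal itself looks right. Please add a sentence to the changelog naming the path that now owns the final free of sess->user, and confirm that this path exists in the 6.6 tree, so the backport does not trade the use-after-free for a leak of the user object on logoff.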
Patches currently in stable-queue which might be from sivartiwe at gmail.com are
queue-6.6/ksmbd-fix-use-after-free-in-session-logoff.patch