Re: [PATCH] ksmbd: fix use-after-free in __ksmbd_close_fd() lock cleanup

From: Namjae Jeon

Date: Fri Apr 03 2026 - 22:28:38 EST


On Thu, Apr 2, 2026 at 5:39 PM munan Huang <munanevil@xxxxxxxxx> wrote:
>
> In __ksmbd_close_fd(), when cleaning up byte-range locks on a durable
> file handle closed by the scavenger, the lock cleanup loop
> unconditionally dereferences fp->conn->llist_lock to remove each lock
> from the connection's list:
>
>     list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
>         spin_lock(&fp->conn->llist_lock);
>         list_del(&smb_lock->clist);
>         spin_unlock(&fp->conn->llist_lock);
>     }
>
> However, when a client disconnects without SMB2 LOGOFF, ksmbd preserves
> durable file handles via session_fd_check(), which sets fp->conn to
> NULL and arms the durable scavenger timeout, but does not detach the
> byte-range locks from the dying connection's lock list.
>
> When the scavenger timeout expires, ksmbd_durable_scavenger() calls
> __ksmbd_close_fd(NULL, fp). At this point fp->conn is NULL and the
> original connection object has already been freed by ksmbd_conn_free(),
> so it would cause a use-after-free or NULL pointer dereference.
>
> Fix by checking fp->conn for NULL before accessing fp->conn->llist_lock
> in the lock cleanup loop.
>
> Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: munan Huang <munanevil@xxxxxxxxx>
I will apply the following patch instead of your patch. Let me know if
I am missing something.
https://github.com/smfrench/smb3-kernel/commit/319ca5432460b0749e420f7cff637dfbc7e16be3
Thanks.
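The lifecycle the quoted commit message describes, as an added userland model that is neither ksmbd code nor the maintainer's replacement patch linked above: a tiny intrusive list stands in for list.h, an integer hold counter for llist_lock, and ksmbd_close_fd() carries the NULL check the submitted patch proposes. Struct and function names mirror the commit message but are simplified assumptions, not the real ksmbd definitions.

```c
#include <stdlib.h>
#include <stddef.h>
/* Minimal intrusive doubly-linked list in the style of the kernel's list.h. */
struct node { struct node *prev, *next; };
static void list_init(struct node *h) { h->prev = h->next = h; }
static void list_add(struct node *n, struct node *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct node *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static int list_empty(const struct node *h) { return h->next == h; }
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
struct conn { int llist_lock; struct node lock_list; }; /* llist_lock: hold counter standing in for the spinlock */
struct smb_lock { struct node flist, clist; };           /* linked on the fp AND on the conn */
struct fp { struct conn *conn; struct node lock_list; };
static struct conn *conn_new(void)
{ struct conn *c = calloc(1, sizeof *c); list_init(&c->lock_list); return c; }
static struct fp *fp_open(struct conn *c)
{ struct fp *f = calloc(1, sizeof *f); f->conn = c; list_init(&f->lock_list); return f; }
static void fp_add_lock(struct fp *f)
{ struct smb_lock *l = calloc(1, sizeof *l);
  list_add(&l->flist, &f->lock_list); list_add(&l->clist, &f->conn->lock_list); }
/* Disconnect without LOGOFF: fp survives as durable, fp->conn is cleared, the conn is freed, but clist links still point into it. */
static void session_fd_check(struct fp *f) { f->conn = NULL; }
/* Hardened close: touch conn->llist_lock and the clist only while a conn is attached. */
int ksmbd_close_fd(struct fp *f)
{
    int freed = 0; struct node *n, *tmp;
    for (n = f->lock_list.next; n != &f->lock_list; n = tmp) {
        struct smb_lock *l = container_of(n, struct smb_lock, flist);
        tmp = n->next;
        if (f->conn) {                  /* the NULL check the submitted patch adds */
            f->conn->llist_lock++;
            list_del(&l->clist);
            f->conn->llist_lock--;
        }
        list_del(&l->flist);
        free(l);
        freed++;
    }
    free(f);
    return freed;
}
/* Scavenger path: durable handle closed after its connection is already gone. */
int scenario_scavenger(void)
{
    struct conn *c = conn_new(); struct fp *f = fp_open(c);
    fp_add_lock(f); fp_add_lock(f);
    session_fd_check(f); free(c);       /* stands in for ksmbd_conn_free() */
    return ksmbd_close_fd(f);           /* 2: both locks freed, freed conn never touched */
}
```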