[PATCH 6.6] ksmbd: fix use-after-free in session logoff
From: Nazar Kalashnikov
Date: Thu Nov 27 2025 - 10:13:00 EST
From: Nazar Kalashnikov <sivartiwe@xxxxxxxxx>
From: Sean Heelan <seanheelan@xxxxxxxxx>
commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream.
The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.
Signed-off-by: Sean Heelan <seanheelan@xxxxxxxxx>
Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Nazar Kalashnikov <sivartiwe@xxxxxxxxx>
---
Backport fix for CVE-2025-37899
fs/smb/server/smb2pdu.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 9f64808c7917..a819f198c333 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2255,10 +2255,6 @@ int smb2_session_logoff(struct ksmbd_work *work)
sess->state = SMB2_SESSION_EXPIRED;
up_write(&conn->session_lock);
- if (sess->user) {
- ksmbd_free_user(sess->user);
- sess->user = NULL;
- }
ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
rsp->StructureSize = cpu_to_le16(4);
--
2.43.0