ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency

Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Namjae Jeon <linkinjeon@kernel.org> 2025-11-18 09:05:46 +0900
committer: Steve French <stfrench@microsoft.com> 2025-11-30 21:11:45 -0600
commit: b39a1833cc4a2755b02603eec3a71a85e9dff926 (patch)
tree: 2018a961cddf11070732e0dbd5117e89a9c3f271 /fs/smb/server/smb2pdu.c
parent: 3316a8fc840d82fad5efcf76ad0ea3f76fdca209 (diff)
1 files changed, 0 insertions, 3 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index c2369415c6c4..c3eedc70e643 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2190,7 +2190,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
 		goto err_out;
 	}
 
-	WARN_ON_ONCE(atomic_dec_and_test(&tcon->refcount));
 	tcon->t_state = TREE_DISCONNECTED;
 	write_unlock(&sess->tree_conns_lock);
 
@@ -2200,8 +2199,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
 		goto err_out;
 	}
 
-	work->tcon = NULL;
-
 	rsp->StructureSize = cpu_to_le16(4);
 	err = ksmbd_iov_pin_rsp(work, rsp,
 				sizeof(struct smb2_tree_disconnect_rsp));
author	Namjae Jeon <linkinjeon@kernel.org>	2025-11-18 09:05:46 +0900
committer	Steve French <stfrench@microsoft.com>	2025-11-30 21:11:45 -0600
commit	b39a1833cc4a2755b02603eec3a71a85e9dff926 (patch)
tree	2018a961cddf11070732e0dbd5117e89a9c3f271 /fs/smb/server/smb2pdu.c
parent	3316a8fc840d82fad5efcf76ad0ea3f76fdca209 (diff)