[PATCH 6.6] ksmbd: fix use-after-free in session logoff

27 Nov 2025

From: Nazar Kalashnikov sivartiwe@gmail.com
From: Sean Heelan seanheelan@gmail.com
commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream.
The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.
Signed-off-by: Sean Heelan seanheelan@gmail.com
Acked-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: Nazar Kalashnikov sivartiwe@gmail.com
---
Backport fix for CVE-2025-37899
 fs/smb/server/smb2pdu.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 9f64808c7917..a819f198c333 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2255,10 +2255,6 @@ int smb2_session_logoff(struct ksmbd_work *work)
    sess->state = SMB2_SESSION_EXPIRED;
    up_write(&conn->session_lock);
-	if (sess->user) {
-		ksmbd_free_user(sess->user);
-		sess->user = NULL;
-	}
    ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
rsp->StructureSize = cpu_to_le16(4);
-- 
2.43.0



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 6.6] ksmbd: fix use-after-free in session logoff