__ksmbd_tree_conn_disconnect() drops the share_conf reference before
checking tree_conn->refcount. When someone uses SMB3 multichannel and
binds two connections to one session, a SESSION_LOGOFF on connection A
calls ksmbd_conn_wait_idle(conn) which only drains connection A's
request counter, not connection B's. This means there's a race condition:
requests already dispatched on connection B hold tree_conn references via
work->tcon. The disconnect path frees share_conf while those requests
are still walking work->tcon->share_conf, causing a use-after-free.
This fix combines the share_conf put with the tree_conn free so it
only happens when the last reference is dropped.
Fixes:
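As an added illustration that is not the kernel's or the patch's code, the following constructed C model shows the two release orderings the message describes: a tree_conn holding a share_conf reference, one request still in flight on channel B via work->tcon, and the logoff path on channel A running first with the old ordering and then with the fixed one. The struct layouts, plain-int refcounts and `live` flags standing in for kfree() are assumptions made for the model; only the names mirror the message.

```c
#include <stdbool.h>

/*
 * Constructed model, not ksmbd's code.  "Freeing" clears a live flag
 * instead of calling free() so that a stale access stays observable.
 */
struct share_conf { int refcount; bool live; };
struct tree_conn  { int refcount; bool live; struct share_conf *share_conf; };

static void share_conf_put(struct share_conf *sc)
{
    if (--sc->refcount == 0)
        sc->live = false;               /* kfree() in the kernel */
}

/* Old ordering: the share_conf reference is dropped before the tcon
 * refcount is checked, even if other work items still hold the tcon. */
static void tree_conn_disconnect_old(struct tree_conn *tcon)
{
    share_conf_put(tcon->share_conf);
    if (--tcon->refcount == 0)
        tcon->live = false;
}

/* Fixed ordering: share_conf is put together with the tcon free, so it
 * happens only when the last tcon reference goes away. */
static void tree_conn_put_fixed(struct tree_conn *tcon)
{
    if (--tcon->refcount == 0) {
        share_conf_put(tcon->share_conf);
        tcon->live = false;
    }
}

/* SESSION_LOGOFF on channel A while one request on channel B still holds
 * a tcon reference through work->tcon.  Returns true if that request can
 * still safely read work->tcon->share_conf after the logoff path ran. */
bool inflight_request_sees_live_share(bool use_fix)
{
    struct share_conf sc = { .refcount = 1, .live = true };
    /* refs: the tree connect itself + the in-flight work item on channel B */
    struct tree_conn tcon = { .refcount = 2, .live = true, .share_conf = &sc };

    if (use_fix)
        tree_conn_put_fixed(&tcon);
    else
        tree_conn_disconnect_old(&tcon);

    bool safe = tcon.live && tcon.share_conf->live;   /* channel B's access */
    if (use_fix)
        tree_conn_put_fixed(&tcon);     /* request completes, drops last ref */
    return safe;
}
```

With the old ordering the share_conf is already "freed" while the tree_conn is still live and referenced, which is exactly the window the in-flight request on channel B falls into.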