diff options
| author |   Kuniyuki Iwashima <kuniyu@amazon.com> | 2025-04-02 13:26:47 -0700 |
|---|---|---|
| committer |   Steve French <stfrench@microsoft.com> | 2025-04-13 17:24:55 -0500 |
| commit | c707193a17128fae2802d10cbad7239cc57f0c95 (patch) | |
| tree | 1bcd86ee0d796352e87c2b8e246e175eb47242e5 | |
| parent | smb3 client: fix open hardlink on deferred close file error (diff) | |
| download | wireguard-linux-c707193a17128fae2802d10cbad7239cc57f0c95.tar.xz wireguard-linux-c707193a17128fae2802d10cbad7239cc57f0c95.zip | |
Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"
This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef.
The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also
introduces a real issue, TCP sockets leak, which will be explained in
detail in the next revert.
Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0]
Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac
("smb: client: Fix netns refcount imbalance causing leaks and
use-after-free").
Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0]
Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
| -rw-r--r-- | fs/smb/client/connect.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 4a0b2d220fe8..370b79b2eaa6 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_Info *server) server->ssocket->flags); sock_release(server->ssocket); server->ssocket = NULL; - put_net(cifs_net_ns(server)); } server->sequence_number = 0; server->session_estab = false; @@ -3369,12 +3368,8 @@ generic_ip_connect(struct TCP_Server_Info *server) /* * Grab netns reference for the socket. * - * This reference will be released in several situations: - * - In the failure path before the cifsd thread is started. - * - In the all place where server->socket is released, it is - * also set to NULL. - * - Ultimately in clean_demultiplex_info(), during the final - * teardown. + * It'll be released here, on error, or in clean_demultiplex_info() upon server + * teardown. */ get_net(net); @@ -3390,8 +3385,10 @@ generic_ip_connect(struct TCP_Server_Info *server) } rc = bind_socket(server); - if (rc < 0) + if (rc < 0) { + put_net(cifs_net_ns(server)); return rc; + } /* * Eventually check for other socket options to change from @@ -3446,6 +3443,9 @@ generic_ip_connect(struct TCP_Server_Info *server) (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT))) rc = ip_rfc1001_connect(server); + if (rc < 0) + put_net(cifs_net_ns(server)); + return rc; } |