Commit c707193

q2ven and Steve French authored and committed
Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"
This reverts commit 4e7f164.

The commit e9f2517 ("smb: client: fix TCP timers deadlock after rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also introduces a real issue, TCP sockets leak, which will be explained in detail in the next revert.

Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0]

Thus, we are reverting the commit and its follow-up commit 4e7f164 ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free").

Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0]
Fixes: 4e7f164 ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>

1 parent 262b73e commit c707193

1 file changed

+8
-8
lines changed

fs/smb/client/connect.c

Lines changed: 8 additions & 8 deletions
@@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_Info *server)
300300
server->ssocket->flags);
301301
sock_release(server->ssocket);
302302
server->ssocket = NULL;
303-
put_net(cifs_net_ns(server));
304303
}
305304
server->sequence_number = 0;
306305
server->session_estab = false;
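Review bot: With put_net(cifs_net_ns(server)) removed after sock_release(server->ssocket), this path releases the socket and clears server->ssocket without dropping the netns reference that generic_ip_connect() takes with get_net(net). If a later reconnect reaches that get_net() again, each abort and reconnect cycle would leave one more reference outstanding until teardown. The commit message says the next revert deals with the original commit; consider stating explicitly that the two reverts must be applied and backported as a pair, since this one carries Cc: stable.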
@@ -3369,12 +3368,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
33693368
/*
33703369
* Grab netns reference for the socket.
33713370
*
3372-
* This reference will be released in several situations:
3373-
* - In the failure path before the cifsd thread is started.
3374-
* - In the all place where server->socket is released, it is
3375-
* also set to NULL.
3376-
* - Ultimately in clean_demultiplex_info(), during the final
3377-
* teardown.
3371+
* It'll be released here, on error, or in clean_demultiplex_info() upon server
3372+
* teardown.
33783373
*/
33793374
get_net(net);
33803375

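Review bot: The restored comment's "It'll be released here, on error" does not say which error paths in generic_ip_connect() drop the reference, and this comment is the only statement of who owns it. Consider listing them (the bind_socket() failure and the final rc < 0 check that this patch adds) and noting that cifs_abort_connection() no longer releases it, so a reader can check every get_net(net) against a put_net().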
@@ -3390,8 +3385,10 @@ generic_ip_connect(struct TCP_Server_Info *server)
33903385
}
33913386

33923387
rc = bind_socket(server);
3393-
if (rc < 0)
3388+
if (rc < 0) {
3389+
put_net(cifs_net_ns(server));
33943390
return rc;
3391+
}
33953392

33963393
/*
33973394
* Eventually check for other socket options to change from
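Review bot: The added put_net(cifs_net_ns(server)) on bind_socket() failure pairs with get_net(net) above, but the two calls name the namespace through different expressions. If net is the same value as cifs_net_ns(server), use put_net(net) here so the pairing is visible at a glance. The lines between get_net(net) and bind_socket() are not shown in this hunk; any early return there needs the same release.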
@@ -3446,6 +3443,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
34463443
(server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
34473444
rc = ip_rfc1001_connect(server);
34483445

3446+
if (rc < 0)
3447+
put_net(cifs_net_ns(server));
3448+
34493449
return rc;
34503450
}
34513451

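Review bot: The new rc < 0 check before return rc drops the netns reference, and the comment in the earlier hunk says clean_demultiplex_info() also drops it at server teardown. Nothing in these lines records that the reference is already gone after a failed connect, nor releases server->ssocket, so please confirm that teardown after this failure path cannot call put_net() a second time for the same get_net(net).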