Commit bceea667 authored by Linus Torvalds

Merge tag 'v6.12-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fix from Steve French:
 "Fix net namespace refcount use after free issue"

* tag 'v6.12-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: Fix use-after-free of network namespace.
parents a58f4dd9 ef7134c7
+11 −3
@@ -1037,6 +1037,7 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
		 */
	}

	put_net(cifs_net_ns(server));
	kfree(server->leaf_fullpath);
	kfree(server);

@@ -1635,8 +1636,6 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
	/* srv_count can never go negative */
	WARN_ON(server->srv_count < 0);

	put_net(cifs_net_ns(server));

	list_del_init(&server->tcp_ses_list);
	spin_unlock(&cifs_tcp_ses_lock);

@@ -3070,13 +3069,22 @@ generic_ip_connect(struct TCP_Server_Info *server)
	if (server->ssocket) {
		socket = server->ssocket;
	} else {
		rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM,
		struct net *net = cifs_net_ns(server);
		struct sock *sk;

		rc = __sock_create(net, sfamily, SOCK_STREAM,
				   IPPROTO_TCP, &server->ssocket, 1);
		if (rc < 0) {
			cifs_server_dbg(VFS, "Error %d creating socket\n", rc);
			return rc;
		}

		sk = server->ssocket->sk;
		__netns_tracker_free(net, &sk->ns_tracker, false);
		sk->sk_net_refcnt = 1;
		get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
		sock_inuse_add(net, 1);

		/* BB other socket options to set KEEPALIVE, NODELAY? */
		cifs_dbg(FYI, "Socket created\n");
		socket = server->ssocket;
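Review bot: In the last hunk (generic_ip_connect), the block from `sk = server->ssocket->sk;` through `sock_inuse_add(net, 1);` rewrites the socket's namespace accounting by hand and carries no comment saying why, which makes the use-after-free fix easy to undo in a later cleanup. I would add above it `/* __sock_create(..., kern=1) sockets do not hold a netns reference; take a tracked one so the socket cannot outlive the namespace. */`. The four calls look order-sensitive and reach into struct sock fields from filesystem code, so a single helper next to the socket core would be a safer home if one can be added. The first hunk now drops the server's reference in clean_demultiplex_info right before `kfree(server)`; the matching get_net() is not visible here, so it is worth confirming that every acquisition ends on that path. All three functions begin and end outside the hunks shown.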