CVE-2025-21673

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double free of TCPServerInfo::hostname

When shutting down the server in cifsputtcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen:

RIP: 0010:__slabfree+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? showtrace_loglvl+0x1c4/0x2df ? showtraceloglvl+0x1c4/0x2df ? __reconnecttargetunlocked+0x3e/0x160 [cifs] ? __diebody.cold+0x8/0xd ? die+0x2b/0x50 ? dotrap+0xce/0x120 ? __slabfree+0x223/0x3c0 ? doerror_trap+0x65/0x80 ? __slabfree+0x223/0x3c0 ? excinvalid_op+0x4e/0x70 ? __slabfree+0x223/0x3c0 ? asmexcinvalidop+0x16/0x20 ? __slabfree+0x223/0x3c0 ? extracthostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnecttargetunlocked+0x3e/0x160 [cifs] reconnectdfsserver+0x145/0x430 [cifs] cifshandlestandard+0x1ad/0x1d0 [cifs] cifsdemultiplexthread+0x592/0x730 [cifs] ? __pfxcifsdemultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? _pfxkthread+0x10/0x10 retfromfork+0x29/0x50 </TASK>