KernelScan.io

HIGH

ksmbd TreeConnect UAF

CVE-2025-68817

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency. Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.


Engine v0.2.0

Risk summary

An attacker with network access to a ksmbd SMB server could potentially trigger memory corruption by rapidly connecting and disconnecting SMB shares to create race conditions. This could lead to system crashes or potentially code execution with kernel privileges.

Affected: fs/smb/server/mgmt/tree_connect.c

Vulnerability analysis

Summary: A use-after-free vulnerability in the ksmbd SMB server occurs when a tree connection object (tcon) is freed during disconnect while another thread still holds a reference to it.

Root Cause: The earlier fix in commit 33b235a6e6eb introduced a flawed reference-counting scheme that used wait_event() to synchronize tree-connection cleanup. Under high concurrency, the disconnect path waited for the reference count to reach zero and then freed the object, but other threads could still decrement the reference count and touch the freed memory afterward.

Attack Surface: This vulnerability affects the ksmbd SMB server which handles network file sharing requests. It requires network access to the SMB service and the ability to establish and disconnect tree connections concurrently. The bug is triggered through normal SMB protocol operations under high concurrency scenarios.

Fix Mechanism: The patch simplifies the reference counting by removing the wait-queue mechanism and using atomic_dec_and_test() consistently. Both ksmbd_tree_connect_put() and ksmbd_tree_conn_disconnect() now call atomic_dec_and_test() and free the tree-connection object only when the count reaches zero, so exactly one path frees it and the race window is closed.


Branch    | Fixed in  | Patch commit
----------|-----------|-------------
5.15      | 5.15.199  | 446beed646b2
6.1       | 6.1.160   | d092de8a26c9
6.12      | 6.12.64   | 21a3d01fc6db
6.18      | 6.18.3    | 063cbbc6f595
6.6       | 6.6.120   | d64977495e44
mainline  | 6.19      | b39a1833cc4a