CVE-2025-22077: smb: client: Fix netns refcount imbalance causing leaks and use-after-free

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Fix netns refcount imbalance causing leaks and use-after-free

Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network
namespace.") attempted to fix a netns use-after-free issue by manually
adjusting reference counts via sk->sk_net_refcnt and sock_inuse_add().

However, a later commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock
after rmmod") pointed out that the approach of manually setting
sk->sk_net_refcnt in the first commit was technically incorrect, as
sk->sk_net_refcnt should only be set for user sockets. It led to issues
like TCP timers not being cleared properly on close. The second commit
moved to a model of just holding an extra netns reference for
server->ssocket using get_net(), and dropping it when the server is torn
down.

But there remain some gaps in the get_net()/put_net() balancing added by
these commits. The incomplete reference handling in these fixes results
in two issues:

1. Netns refcount leaks[1]

The problem process is as follows:

```
mount.cifs                                          cifsd

cifs_do_mount
  cifs_mount
    cifs_mount_get_session
      cifs_get_tcp_session
        get_net()               /* First get net. */
        ip_connect
          generic_ip_connect    /* Try port 445 */
            get_net()
            ->connect()         /* Failed */
            put_net()
          generic_ip_connect    /* Try port 139 */
            get_net()           /* Missing matching put_net() for this get...
```
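To make the imbalance concrete, the following is an added illustration, not kernel code and not from the commit, that models the get_net()/put_net() discipline with a plain counter: each connection attempt takes one reference for its socket, which must be released either on the failure path or when the socket is torn down, on top of the server-level reference taken first. All names (ns_t, ns_get, ns_put, try_connect, generic_ip_connect_model, session_lifecycle, refcount_balanced) are hypothetical; the port order 445 then 139 and the "445 fails, 139 succeeds" outcome are constructed to follow the trace above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct net: only the reference count matters. */
typedef struct {
    int refcount;
} ns_t;

static void ns_get(ns_t *ns) { ns->refcount++; }

/* Mirrors put_net() semantics: returns true when the last reference is
 * dropped, i.e. the namespace would now be freed. One put too many is the
 * use-after-free side of an imbalance; one put too few is a leak. */
static bool ns_put(ns_t *ns)
{
    ns->refcount--;
    return ns->refcount == 0;
}

/* Simulated ->connect(): port 445 is refused, port 139 succeeds
 * (constructed to follow the trace in the description). */
static bool try_connect(int port) { return port == 139; }

/* One attempt on one port. A reference is taken for the socket; on failure
 * it is released immediately, on success it stays with the socket and must
 * be released when the socket is torn down. */
static bool generic_ip_connect_model(ns_t *ns, int port)
{
    ns_get(ns);                   /* per-socket get_net() */
    if (!try_connect(port)) {
        ns_put(ns);               /* balanced on the failure path */
        return false;
    }
    return true;                  /* reference now owned by the socket */
}

/* Whole session lifecycle: server-level reference, port retry loop, teardown.
 * With fixed == false the teardown forgets the socket's reference from the
 * successful attempt, leaving the count one too high (a leak). Returns the
 * final count; a balanced run returns to the caller's initial count of 1. */
static int session_lifecycle(bool fixed)
{
    ns_t ns = { .refcount = 1 };  /* the caller's own reference */
    const int ports[] = { 445, 139 };
    bool connected = false;

    ns_get(&ns);                  /* server-level get_net() */
    for (size_t i = 0; i < sizeof ports / sizeof ports[0] && !connected; i++)
        connected = generic_ip_connect_model(&ns, ports[i]);

    /* teardown */
    if (connected && fixed)
        ns_put(&ns);              /* release the socket's reference */
    ns_put(&ns);                  /* release the server-level reference */
    return ns.refcount;
}

/* Audit helper: true when every get was matched by exactly one put. */
static bool refcount_balanced(bool fixed)
{
    return session_lifecycle(fixed) == 1;
}

int main(void)
{
    printf("buggy teardown: final refcount %d (balanced: %s)\n",
           session_lifecycle(false), refcount_balanced(false) ? "yes" : "no");
    printf("fixed teardown: final refcount %d (balanced: %s)\n",
           session_lifecycle(true), refcount_balanced(true) ? "yes" : "no");
    return 0;
}
```

The check that matters when reviewing a fix of this kind is the one `refcount_balanced` performs: after a full connect-and-teardown cycle the count must return to what the caller started with. A count that ends high means a reference taken on a retry or success path was never released (the leak in this CVE); a count that reaches zero while a socket or timer still points at the namespace is the use-after-free in the title.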

Classification

CVE ID: CVE-2025-22077

Affected Products

Vendor: Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.07% (fraction of all scored CVEs whose EPSS score is less than or equal to this one)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22077
https://git.kernel.org/stable/c/c6b6b8dcef4adf8ee4e439bb97e74106096c71b8
https://git.kernel.org/stable/c/7d8dfc27d90d41627c0d6ada97ed0ab57b3dae25
https://git.kernel.org/stable/c/961755d0055e0e96d1849cc0425da966c8a64e53
https://git.kernel.org/stable/c/476617a4ca0123f0df677d547a82a110c27c8c74
https://git.kernel.org/stable/c/4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef

Timeline