git.ipfire.org Git - thirdparty/kernel/linux.git/commit
ksmbd: fix use-after-free by using call_rcu() for oplock_info
author: Namjae Jeon <linkinjeon@kernel.org>
Sat, 7 Mar 2026 02:32:31 +0000 (11:32 +0900)
committer: Steve French <stfrench@microsoft.com>
Mon, 9 Mar 2026 02:28:39 +0000 (21:28 -0500)
commit: 1dfd062caa165ec9d7ee0823087930f3ab8a6294
tree: f2aede1eaf756939273d2245c7397b2df476bc7a
parent: 40955015fae4908157ac6c959ea696d05e6e9b31
ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access the oplock_info
structure after it has been freed. This can lead to a use-after-free,
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.

Fix this by switching to deferred freeing using call_rcu().

Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/oplock.c
fs/smb/server/oplock.h
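The interleaving the commit message describes, modelled as an added userspace C program that is not ksmbd code: a reader dereferences the pointer inside an RCU read-side critical section, the writer drops the last reference, clears the pointer and frees the object, and the reader then resumes with its stale pointer. The names opinfo_get(), atomic_inc_not_zero() and call_rcu() mirror the kernel ones but are simplified stand-ins; the single-threaded "RCU" here only counts readers and runs deferred frees when the last reader leaves, and "freeing" poisons the object instead of releasing it so the race can be observed without real undefined behaviour.

```c
/* Added model of the ksmbd oplock_info race; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct oplock_info {
    atomic_int refcount;            /* like opinfo->refcount */
    bool freed;                     /* tombstone set by model_kfree() */
    struct oplock_info *rcu_next;   /* stand-in for struct rcu_head */
};

/* Model allocator: poison instead of release, as slab poisoning would,
 * so a stale reader sees garbage rather than zero. */
static void model_kfree(struct oplock_info *o)
{
    o->freed = true;
    atomic_store(&o->refcount, 0x6b6b6b6b);
}

/* Minimal RCU model: a reader count plus a list of deferred frees. */
static int rcu_readers;
static struct oplock_info *rcu_pending;

static void rcu_run_callbacks(void)
{
    while (rcu_pending) {
        struct oplock_info *o = rcu_pending;
        rcu_pending = o->rcu_next;
        model_kfree(o);
    }
}
static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { if (--rcu_readers == 0) rcu_run_callbacks(); }

/* call_rcu(): free only after every reader that may still hold the old
 * pointer has left its read-side critical section. */
static void call_rcu_free(struct oplock_info *o)
{
    o->rcu_next = rcu_pending;
    rcu_pending = o;
    if (rcu_readers == 0)
        rcu_run_callbacks();
}

static bool atomic_inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);
    while (old != 0)
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    return false;
}

/* The RCU-protected pointer readers look up (hypothetical stand-in). */
static _Atomic(struct oplock_info *) cur_opinfo;

/* opinfo_get() split in two so the writer can run in between: that gap
 * between rcu_dereference() and atomic_inc_not_zero() is the window. */
static struct oplock_info *reader_begin(void)
{
    rcu_read_lock();
    return atomic_load(&cur_opinfo);           /* rcu_dereference() */
}
static struct oplock_info *reader_finish(struct oplock_info *o, bool *touched_freed)
{
    *touched_freed = o && o->freed;            /* instrumentation only */
    if (o && !atomic_inc_not_zero(&o->refcount))
        o = NULL;                              /* object is being torn down */
    rcu_read_unlock();
    return o;
}

struct outcome {
    bool reader_touched_freed;   /* atomic_inc_not_zero() ran on dead memory */
    bool reader_got_ref;         /* reader came away holding a pointer */
    bool freed_eventually;       /* object was released once the reader left */
};

static struct outcome run_scenario(bool use_call_rcu)
{
    struct outcome out = {0};
    struct oplock_info *o = calloc(1, sizeof *o);
    if (!o)
        return out;
    atomic_init(&o->refcount, 1);
    atomic_store(&cur_opinfo, o);

    struct oplock_info *seen = reader_begin();  /* reader holds stale pointer */

    atomic_fetch_sub(&o->refcount, 1);          /* opinfo_put(): last reference */
    atomic_store(&cur_opinfo, NULL);            /* rcu_assign_pointer(..., NULL) */
    if (use_call_rcu)
        call_rcu_free(o);                       /* the fix */
    else
        model_kfree(o);                         /* pre-fix immediate kfree() */

    struct oplock_info *got = reader_finish(seen, &out.reader_touched_freed);
    out.reader_got_ref = got != NULL;
    out.freed_eventually = o->freed;
    free(o);
    return out;
}

int main(void)
{
    struct outcome a = run_scenario(false), b = run_scenario(true);
    printf("kfree():    touched freed=%d dangling ref=%d\n",
           a.reader_touched_freed, a.reader_got_ref);
    printf("call_rcu(): touched freed=%d got ref=%d freed after=%d\n",
           b.reader_touched_freed, b.reader_got_ref, b.freed_eventually);
    return 0;
}
```

With immediate freeing the reader's atomic_inc_not_zero() succeeds on the poisoned refcount and returns a dangling pointer; with call_rcu() the refcount is a genuine zero when the reader resumes, so the get fails cleanly and the object is released only after rcu_read_unlock().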