Acknowledged
Created: Aug 17, 2025
Updated: Aug 18, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]smb: client: fix use-after-free in cifs_oplock_break[EOL][EOL]A race condition can occur in cifs_oplock_break() leading to a[EOL]use-after-free of the cinode structure when unmounting:[EOL][EOL] cifs_oplock_break()[EOL] _cifsFileInfo_put(cfile)[EOL] cifsFileInfo_put_final()[EOL] cifs_sb_deactive()[EOL] [last ref, start releasing sb][EOL] kill_sb()[EOL] kill_anon_super()[EOL] generic_shutdown_super()[EOL] evict_inodes()[EOL] dispose_list()[EOL] evict()[EOL] destroy_inode()[EOL] call_rcu(&inode->i_rcu, i_callback)[EOL] spin_lock(&cinode->open_file_lock) <- OK[EOL] [later] i_callback()[EOL] cifs_free_inode()[EOL] kmem_cache_free(cinode)[EOL] spin_unlock(&cinode->open_file_lock) <- UAF[EOL] cifs_done_oplock_break(cinode) <- UAF[EOL][EOL]The issue occurs when umount has already released its reference to the[EOL]superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this[EOL]releases the last reference, triggering the immediate cleanup of all[EOL]inodes under RCU. However, cifs_oplock_break() continues to access the[EOL]cinode after this point, resulting in use-after-free.[EOL][EOL]Fix this by holding an extra reference to the superblock during the[EOL]entire oplock break operation. This ensures that the superblock and[EOL]its inodes remain valid until the oplock break completes.
CREATE(Triage):(User=pbi-cn) [CVE-2025-38527 (https://nvd.nist.gov/vuln/detail/CVE-2025-38527)
