Acknowledged
Created: Oct 29, 2025
Updated: Oct 30, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]ksmbd: Fix race condition in RPC handle list access[EOL][EOL]The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd[EOL]session. Access to this list is intended to be protected by[EOL]'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was[EOL]flawed, leading to potential race conditions.[EOL][EOL]In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock[EOL]before calling xa_store() and xa_erase(). Since these operations modify[EOL]the XArray structure, a write lock is required to ensure exclusive access[EOL]and prevent data corruption from concurrent modifications.[EOL][EOL]Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load()[EOL]without holding any lock at all. This could lead to reading inconsistent[EOL]data or a potential use-after-free if an entry is concurrently removed and[EOL]the pointer is dereferenced.[EOL][EOL]Fix these issues by:[EOL]1. Using down_write() and up_write() in ksmbd_session_rpc_open()[EOL] to ensure exclusive access during XArray modification, and ensuring[EOL] the lock is correctly released on error paths.[EOL]2. Adding down_read() and up_read() in ksmbd_session_rpc_method()[EOL] to safely protect the lookup.
