CVE-2025-40320

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential cfid UAF in smb2_query_info_compound<br /> <br /> When smb2_query_info_compound() retries, a previously allocated cfid may<br /> have been freed in the first attempt.<br /> Because cfid wasn&amp;#39;t reset on replay, later cleanup could act on a stale<br /> pointer, leading to a potential use-after-free.<br /> <br /> Reinitialize cfid to NULL under the replay label.<br /> <br /> Example trace (trimmed):<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110<br /> [...]<br /> RIP: 0010:refcount_warn_saturate+0x9c/0x110<br /> [...]<br /> Call Trace:<br /> <br /> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]<br /> ? step_into+0x10d/0x690<br /> ? __legitimize_path+0x28/0x60<br /> smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]<br /> smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]<br /> ? kmem_cache_alloc+0x18a/0x340<br /> ? getname_flags+0x46/0x1e0<br /> cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]<br /> statfs_by_dentry+0x67/0x90<br /> vfs_statfs+0x16/0xd0<br /> user_statfs+0x54/0xa0<br /> __do_sys_statfs+0x20/0x50<br /> do_syscall_64+0x58/0x80