CVE-2026-31444

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
22/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.
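The corrected publication order, as an added user-space model that is not the ksmbd code: the struct fields, list links, allocation hook and the simplified error path (a plain free, since the object is still unpublished, instead of the kernel's RCU-deferred opinfo_put()) are assumptions made for illustration. It shows that once every fallible step precedes publication, a reader of ci->m_op_list can never observe a freed node or a NULL o_fp.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for ksmbd's opinfo, ci->m_op_list and the global
 * lease list (added model, not kernel code). */
struct lease_table { int unused; };
struct file_info  { int f_ci; };
struct opinfo {
    struct file_info   *o_fp;
    struct lease_table *lt;
    struct opinfo *next_op;     /* link in ci->m_op_list */
    struct opinfo *next_lease;  /* link in the global lease list */
};
struct ci { struct opinfo *m_op_list; };
struct opinfo *lease_list;      /* global lease list head */
int fail_next_alloc;            /* test hook: force the next allocation to fail */

/* Stand-in for alloc_lease_table(); may return NULL like kmalloc. */
static struct lease_table *alloc_lease_table(void)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, sizeof(struct lease_table));
}

/* Fixed ordering: o_fp is set and lease_table preallocated before the opinfo
 * is reachable from any list, so nothing can fail after publication. */
int smb_grant_oplock_fixed(struct ci *ci, struct file_info *fp)
{
    struct opinfo *op = calloc(1, sizeof *op);
    if (!op)
        return -1;
    op->o_fp = fp;                    /* before any list publication */
    op->lt = alloc_lease_table();     /* the only fallible step */
    if (!op->lt) {
        free(op);                     /* unpublished: no reader can hold it */
        return -1;
    }
    op->next_op = ci->m_op_list;      /* opinfo_add: m_op_list first, as before */
    ci->m_op_list = op;
    op->next_lease = lease_list;      /* add_lease_global_list: now infallible */
    lease_list = op;
    return 0;
}

/* Walk ci->m_op_list as a reader would: count entries, or -1 if any entry
 * lacks o_fp or a lease table (the states the original bug exposed). */
int count_published(struct ci *ci)
{
    int n = 0;
    for (struct opinfo *op = ci->m_op_list; op; op = op->next_op) {
        if (!op->o_fp || !op->lt)
            return -1;
        n++;
    }
    return n;
}
```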

Impact