CVE-2026-31718

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/05/2026
Last modified: 17/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when the list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check().
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
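To make the "asymmetric cleanup" root cause concrete, here is a userland C model written for this page. It is not ksmbd code: the list helpers, the conn/fp/smb_lock layouts and the model_* functions are simplified stand-ins for the kernel's list_head and for session_fd_check(), ksmbd_reopen_durable_fd() and __ksmbd_close_fd(), and a fixed flag selects the vulnerable or the repaired behaviour of the same cleanup loop so the two can be compared. Where the real driver would dereference the freed connection through the dangling clist, the model returns CLOSE_DANGLING_CONN instead.

```c
#include <stddef.h>
#include <stdlib.h>

enum close_result { CLOSE_OK = 0, CLOSE_DANGLING_CONN = -1 };

/* Minimal circular doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(p, head) for ((p) = (head)->next; (p) != (head); (p) = (p)->next)
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; list_init(n); }

struct conn     { struct list_head lock_list; };    /* every lock held over one connection */
struct smb_lock { struct list_head clist, flist; }; /* on conn->lock_list and on fp->lock_list */
struct fp       { struct conn *conn; struct list_head lock_list; }; /* conn is NULL while disconnected */
#define lock_of(p) container_of((p), struct smb_lock, flist)

static struct conn *conn_new(void)
{ struct conn *c = calloc(1, sizeof *c); list_init(&c->lock_list); return c; }
static struct fp *fp_open(struct conn *c)
{ struct fp *f = calloc(1, sizeof *f); f->conn = c; list_init(&f->lock_list); return f; }
/* Taking a byte-range lock threads the entry onto both lists, as in ksmbd. */
static void fp_lock(struct fp *fp)
{
    struct smb_lock *l = calloc(1, sizeof *l);
    list_add(&l->clist, &fp->conn->lock_list); list_add(&l->flist, &fp->lock_list);
}
/* Model teardown: free leftover locks through flist only, never touching clist. */
static void fp_drain(struct fp *fp)
{
    struct list_head *p = fp->lock_list.next, *tmp;
    for (; p != &fp->lock_list; p = tmp) { tmp = p->next; free(lock_of(p)); }
    free(fp);
}

/* Model of session_fd_check(): TCP close without SMB2_LOGOFF, durable handle kept.
 * Vulnerable: null fp->conn and free the conn while the locks stay threaded through
 * the dead conn->lock_list. Fixed: unlink each clist from the old conn first (fix path 2). */
static void model_session_fd_check(struct fp *fp, int fixed)
{
    struct conn *old = fp->conn; struct list_head *p;
    if (fixed)
        list_for_each(p, &fp->lock_list) list_del_init(&lock_of(p)->clist);
    fp->conn = NULL;
    free(old);                            /* ksmbd_tcp_disconnect() frees the conn */
}

/* Model of ksmbd_reopen_durable_fd(): attach the handle to the new conn and re-add
 * its locks to that connection's lock_list (fix path 3). */
static void model_reopen_durable_fd(struct fp *fp, struct conn *nc)
{
    struct list_head *p; fp->conn = nc;
    list_for_each(p, &fp->lock_list) list_add(&lock_of(p)->clist, &nc->lock_list);
}

/* Model of __ksmbd_close_fd(): release every lock held by the handle. */
static enum close_result model_close_fd(struct fp *fp, int fixed)
{
    struct list_head *p = fp->lock_list.next, *tmp;
    for (; p != &fp->lock_list; p = tmp) {
        struct smb_lock *l = lock_of(p);
        tmp = p->next;
        /* Fix path 1: a lock already unlinked from its connection needs no conn at all. */
        if (fixed && fp->conn == NULL && list_empty(&l->clist))
            goto drop;
        /* The original does spin_lock(&fp->conn->llist_lock); list_del(&l->clist). With fp->conn
         * NULL and clist still threaded through the freed conn, that is the crash described above. */
        if (fp->conn == NULL)
            return CLOSE_DANGLING_CONN;
        list_del_init(&l->clist);
drop:
        list_del_init(&l->flist);
        free(l);
    }
    return CLOSE_OK;
}

/* Scenario A: disconnect without logoff, then the durable scavenger times out. */
enum close_result scavenge_after_disconnect(int fixed)
{
    struct fp *fp = fp_open(conn_new());
    fp_lock(fp); fp_lock(fp);
    model_session_fd_check(fp, fixed);
    enum close_result r = model_close_fd(fp, fixed);
    fp_drain(fp);
    return r;
}

/* Scenario B: disconnect, reconnect onto a new conn, then a normal close. Returns the
 * number of locks left on the new connection's lock_list: 0 once cleanup is symmetric. */
int reconnect_then_close_leftover(void)
{
    struct conn *nc = conn_new();
    struct fp *fp = fp_open(conn_new());
    struct list_head *p; int n = 0;
    fp_lock(fp); fp_lock(fp);
    model_session_fd_check(fp, 1);
    model_reopen_durable_fd(fp, nc);
    if (model_close_fd(fp, 1) != CLOSE_OK) n = -1;
    else list_for_each(p, &nc->lock_list) n++;
    fp_drain(fp); free(nc);
    return n;
}
```

scavenge_after_disconnect(0) reproduces the advisory's sequence and returns CLOSE_DANGLING_CONN, because the locks are still linked into a connection that no longer exists while fp->conn gives the close path nothing to lock. With fixed set to 1 the same sequence returns CLOSE_OK, and reconnect_then_close_leftover() shows the third path: after re-adding the locks to the new connection, a normal close leaves that connection's lock_list empty, so the entry's membership in conn->lock_list and in fp->lock_list is added and removed symmetrically on every path.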

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.6.32 (including)   6.7 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.9 (including)      6.12.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)     6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.19 (including)     7.0.2 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*