Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.
Product status
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before cb52d9c86d70298de0ab7c7953653898cbc0efd6
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 065bd62412271a2d734810dd50336cae88c54427
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before bdb596ceb4b7c3f28786a33840263728217fbcf5
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 734e99623c5b65bf2c03e35978a0b980ebc3c2f8
6.1
Any version before 6.1
6.6.117 (semver)
6.12.58 (semver)
6.17.8 (semver)
6.18 (original_commit_for_fix)
References
git.kernel.org/...c/cb52d9c86d70298de0ab7c7953653898cbc0efd6
git.kernel.org/...c/065bd62412271a2d734810dd50336cae88c54427
git.kernel.org/...c/bdb596ceb4b7c3f28786a33840263728217fbcf5
git.kernel.org/...c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8
