Home

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour.

PUBLISHED Reserved 2025-12-24 | Published 2026-01-13 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

f44158485826c076335d6860d35872271a83791d (git) before 5adad9727a815c26013b0d41cfee92ffa7d4037c
affected

f44158485826c076335d6860d35872271a83791d (git) before ccc78781041589ea383e61d5d7a1e9a31b210b93
affected

f44158485826c076335d6860d35872271a83791d (git) before ee63729760f5b61a66f345c54dc4c7514e62383d
affected

f44158485826c076335d6860d35872271a83791d (git) before 991f8a79db99b14c48d20d2052c82d65b9186cad
affected

Default status
affected

5.15
affected

Any version before 5.15
unaffected

6.6.120 (semver)
unaffected

6.12.64 (semver)
unaffected

6.18.3 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/5adad9727a815c26013b0d41cfee92ffa7d4037c

git.kernel.org/...c/ccc78781041589ea383e61d5d7a1e9a31b210b93

git.kernel.org/...c/ee63729760f5b61a66f345c54dc4c7514e62383d

git.kernel.org/...c/991f8a79db99b14c48d20d2052c82d65b9186cad

cve.org (CVE-2025-68809)

nvd.nist.gov (CVE-2025-68809)

Download JSON