CVE-2026-43376: ksmbd: fix use-after-free by using call_rcu() for oplock_info

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.

Fix this by switching to deferred freeing using call_rcu().

The Linux kernel CVE team has assigned CVE-2026-43376 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.6.88 with commit 296cb5457cc6f4a754c4ae29855f8a253d52bcc6 and fixed in 6.6.130 with commit 302fef75512b2c8329a3f5efab1ae7ba2562387a
	Issue introduced in 6.12.25 with commit d54ab1520d43e95f9b2e22d7a05fc9614192e5a5 and fixed in 6.12.78 with commit 08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c
	Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 6.18.19 with commit 1d6abf145615dbfe267ce3b0a271f95e3780e18e
	Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 6.19.9 with commit ce8507ee82c888126d8e7565e27c016308d24cde
	Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 7.0 with commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294
	Issue introduced in 6.14.4 with commit d73686367ad68534257cd88a36ca3c52cb8b81d8

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43376
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/smb/server/oplock.c
	fs/smb/server/oplock.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a
	https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c
	https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e
	https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde
	https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294