ksmbd: fix memory leaks and NULL deref in smb2_lock()

Summary

CVE	CVE-2026-31477
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-22 14:16:44 UTC
Updated	2026-04-22 14:16:44 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale. 3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown. Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup. Found via call-graph analysis using sqry.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 cdac6f7e7e428dc70e3b5898ac6999a72ed13993 git	Not specified
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9 git	Not specified
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 91aeaa7256006d79a37298f5a1df23325db91599 git	Not specified
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 3cdacd11b41569ce75b3162142240f2355e04900 git	Not specified
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 aab42f0795620cf0d3955a520f571f697d0f9a2a git	Not specified
CNA	Linux	Linux	affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 309b44ed684496ed3f9c5715d10b899338623512 git	Not specified
CNA	Linux	Linux	affected 5.15	Not specified
CNA	Linux	Linux	unaffected 5.15 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.168 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.131 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.80 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.21 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.11 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.