{"id":"CVE-2025-68809","summary":"ksmbd: vfs: fix race on m_flags in vfs_cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode-\u003em_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci-\u003em_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n   ci-\u003em_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n   used to read and modify m_flags without ci-\u003em_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci-\u003em_lock\n   after dropping inode_hash_lock.\n - Adding ci-\u003em_lock protection to all helpers that read or modify\n   m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci-\u003em_lock protection in __ksmbd_inode_close(),\n   and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour.","modified":"2026-04-16T00:09:52.309321117Z","published":"2026-01-13T15:29:15.817Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68809.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68809.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68809"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f44158485826c076335d6860d35872271a83791d"},{"fixed":"5adad9727a815c26013b0d41cfee92ffa7d4037c"},{"fixed":"ccc78781041589ea383e61d5d7a1e9a31b210b93"},{"fixed":"ee63729760f5b61a66f345c54dc4c7514e62383d"},{"fixed":"991f8a79db99b14c48d20d2052c82d65b9186cad"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68809.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68809.json"}}],"schema_version":"1.7.5"}