CVE-2025-40039

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix race condition in RPC handle list access

The 'sess->rpchandlelist' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpclock' (an rwsemaphore). However, the locking implementation was flawed, leading to potential race conditions.

In ksmbdsessionrpcopen(), the code incorrectly acquired only a read lock before calling xastore() and xa_erase(). Since these operations modify the XArray structure, a write lock is required to ensure exclusive access and prevent data corruption from concurrent modifications.

Furthermore, ksmbdsessionrpcmethod() accessed the list using xaload() without holding any lock at all. This could lead to reading inconsistent data or a potential use-after-free if an entry is concurrently removed and the pointer is dereferenced.

Fix these issues by: 1. Using downwrite() and upwrite() in ksmbdsessionrpcopen() to ensure exclusive access during XArray modification, and ensuring the lock is correctly released on error paths. 2. Adding downread() and upread() in ksmbdsessionrpcmethod() to safely protect the lookup.