In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix recursive locking in RPC handle list access
Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.
This causes hung connections / tasks when a client attempts to open a named pipe. Using Samba's rpcclient tool:
$ rpcclient //192.168.1.254 -U user%password
rpcclient $> srvinfo
<connection hung here>

Kernel side:
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
Workqueue: ksmbd-io handle_ksmbd_work
Call trace:
 __schedule from schedule+0x3c/0x58
 schedule from schedule_preempt_disabled+0xc/0x10
 schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
 rwsem_down_read_slowpath from down_read+0x28/0x30
 down_read from ksmbd_session_rpc_method+0x18/0x3c
 ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
 ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
 ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
 create_smb2_pipe from smb2_open+0x10c/0x27ac
 smb2_open from handle_ksmbd_work+0x238/0x3dc
 handle_ksmbd_work from process_scheduled_works+0x160/0x25c
 process_scheduled_works from worker_thread+0x16c/0x1e8
 worker_thread from kthread+0xa8/0xb8
 kthread from ret_from_fork+0x14/0x38
Exception stack(0x8529ffb0 to 0x8529fff8)

The task deadlocks because the lock is already held:

ksmbd_session_rpc_open
  down_write(&sess->rpc_lock)
  ksmbd_rpc_open
    ksmbd_session_rpc_method
      down_read(&sess->rpc_lock)  <-- deadlock
Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40090.json"
}