Linux Kernel SMB Double-Free Vulnerability in SMB Direct Send Message Handling

Vulnerability

A double-free vulnerability has been addressed in the Linux kernel's SMB server implementation. The issue arises in the handling of send messages over SMB Direct. The function `smb_direct_flush_send_list()` already frees the send message, so the message should not be freed again after `post_sendmsg()` has moved it to the batch list. This vulnerability affects the Linux kernel stable tree.
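The ownership rule described above, as an added example that is not the kernel's code: a simplified user-space C model in which every `model_*` name is hypothetical and a release is counted rather than performed, so the second release is observable. The caller's extra release after a failed flush is an assumed trigger, not taken from the fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; not the kernel's data structures. */
struct model_msg { struct model_msg *next; int frees; };
struct model_batch { struct model_msg *head; };

/* Stand-in for the real free: counts releases so a double free is
 * observable here without undefined behaviour. */
static void model_free_msg(struct model_msg *m) { m->frees++; }

/* Post: ownership of the message moves to the batch list. */
static void model_post(struct model_batch *b, struct model_msg *m)
{
    m->next = b->head;
    b->head = m;
}

/* Flush: releases every queued message, then reports the send status
 * (send_status is a constructed input). */
static int model_flush(struct model_batch *b, int send_status)
{
    while (b->head) {
        struct model_msg *m = b->head;
        b->head = m->next;
        model_free_msg(m);
    }
    return send_status;
}

/* Returns how many times the message was released; anything above 1
 * is a double free. caller_also_frees selects the buggy cleanup. */
static int model_send(int send_status, int caller_also_frees)
{
    struct model_batch batch = { NULL };
    struct model_msg msg = { NULL, 0 };

    model_post(&batch, &msg);
    if (model_flush(&batch, send_status) && caller_also_frees)
        model_free_msg(&msg); /* assumed bug pattern: already released */
    return msg.frees;
}

int main(void)
{
    printf("buggy cleanup: %d releases\n", model_send(-1, 1));
    printf("fixed cleanup: %d releases\n", model_send(-1, 0));
    return 0;
}
```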

Impact

Exploitation of this vulnerability could lead to memory corruption, as is common with double-free vulnerabilities, which can in turn be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending data over an SMB Direct connection in a way that triggers the `smb_direct_post_send_data()` function. This function will process the send message and, depending on the context, may inadvertently cause the message to be freed twice, leading to a double-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Apr 24, 2026, 5:45 PM
Updated: Apr 24, 2026, 5:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.