Linux Kernel SMB Client Double-Free Vulnerability in Send I/O Management

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's SMB client implementation, specifically within the send I/O management functions. This issue arises because the function 'smbd_send_batch_flush()' already frees the send I/O request, but 'smbd_free_send_io()' is called again afterwards, leading to a double-free scenario. The vulnerability affects the stable versions of the Linux kernel.

Impact

Exploitation of this vulnerability could lead to memory corruption, as is typical of double-free bugs, which can be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a batch of I/O requests using the SMB client. The 'smbd_send_batch_flush()' function will be called, freeing the I/O requests. However, due to the improper management of the request lifecycle, the 'smbd_free_send_io()' function is erroneously called again, causing a double-free condition.
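
The request lifecycle described above, as an added example that is not part of the original advisory or the kernel source: a userspace C model in which the flush step releases the request and the caller then releases it again, next to the corrected ownership hand-off. All names (send_io, io_release, batch_flush, send_buggy, send_fixed) are hypothetical stand-ins, and the release routine counts a second release instead of freeing memory twice.

```c
#include <stddef.h>

/* Constructed userspace model; every name is hypothetical, not kernel code. */
enum io_state { IO_FREE, IO_IN_USE };
struct send_io { enum io_state state; };
static struct send_io slot;      /* the single request in this model */
static int double_releases;      /* releases of an already-free request */

static struct send_io *io_alloc(void)
{
    slot.state = IO_IN_USE;
    return &slot;
}

/* Stand-in for the free routine: counts a double release; NULL is a no-op. */
static void io_release(struct send_io *io)
{
    if (!io)
        return;
    if (io->state == IO_FREE) {
        double_releases++;
        return;
    }
    io->state = IO_FREE;
}

/* Stand-in for the flush step: it consumes the request and releases it. */
static void batch_flush(struct send_io *io) { io_release(io); }

/* Sequence from the advisory: the caller releases again after the flush. */
int send_buggy(void)
{
    struct send_io *io = io_alloc();
    double_releases = 0;
    batch_flush(io);
    io_release(io);            /* second release of the same request */
    return double_releases;
}

/* Corrected lifecycle: ownership passes to the flush, caller drops its pointer. */
int send_fixed(void)
{
    struct send_io *io = io_alloc();
    double_releases = 0;
    batch_flush(io);
    io = NULL;                 /* the flush owns the request now */
    io_release(io);            /* shared cleanup path becomes a no-op */
    return double_releases;
}
int main(void) { return (send_buggy() == 1 && send_fixed() == 0) ? 0 : 1; }
```

On a kernel built with KASAN, a second free of the same object is reported as a double-free at the point of the second release, which is how this class of bug is usually caught in testing.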

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Apr 24, 2026, 5:42 PM
Updated: Apr 24, 2026, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.