PT-2026-52294 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53198

Severity rating: None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free of a deferred file lock on double SMB2 CANCEL
A deferred byte-range lock (an SMB2 LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2 CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

  BUG: KASAN: slab-use-after-free in locks_delete_block
   locks_delete_block
   locks_delete_block
   ksmbd_vfs_posix_lock_unblock
   smb2_remove_blocked_lock
   smb2_cancel                <- 2nd SMB2 CANCEL fires cancel_fn
   handle_ksmbd_work
  Allocated by ...:
   locks_alloc_lock           <- smb2_lock
  Freed by ...:
   locks_free_lock            <- smb2_lock (cancelled branch)
  ...
  cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
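The following is an added, user-space model of the sequence described above and of the state guard the fix introduces; it is not ksmbd code, and every struct and function name in it is a hypothetical stand-in for the kernel's (async work, cancel_fn/cancel_argv[0], the worker's cancelled early-exit that skips release_async_work()). It shows that without the guard the second CANCEL reaches the freed lock, and with it the second CANCEL is a no-op.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mock stand-ins for the kernel objects named in the advisory. */
enum work_state { WORK_ACTIVE, WORK_CANCELLED };   /* KSMBD_WORK_CANCELLED analogue */

struct file_lock_mock {
    bool freed;      /* set once the worker "frees" it (locks_free_lock) */
    int  uaf_hits;   /* callback invocations on the freed object */
};

struct async_work_mock {
    unsigned long async_id;
    enum work_state state;
    void (*cancel_fn)(void *);   /* smb2_remove_blocked_lock analogue */
    void *cancel_argv0;          /* points at the file_lock */
};

/* Cancel callback: in the kernel this unblocks the lock; here it only records
 * whether it was run against an already-freed object (KASAN would report UAF). */
static void mock_remove_blocked_lock(void *argv0) {
    struct file_lock_mock *fl = argv0;
    if (fl->freed)
        fl->uaf_hits++;
}

/* smb2_cancel analogue. guarded=false models the unpatched path (fires
 * cancel_fn unconditionally); guarded=true skips an already-cancelled work. */
static int cancel_work(struct async_work_mock *w, bool guarded) {
    if (guarded && w->state == WORK_CANCELLED)
        return 0;                       /* already cancelled: do not re-fire */
    w->state = WORK_CANCELLED;
    if (w->cancel_fn)
        w->cancel_fn(w->cancel_argv0);
    return 1;
}

/* Worker's cancelled early-exit: frees the lock but, as in the bug, never
 * unlinks the work or clears cancel_fn/cancel_argv, so it stays matchable. */
static void worker_cancelled_exit(struct async_work_mock *w) {
    ((struct file_lock_mock *)w->cancel_argv0)->freed = true;
}

/* Runs CANCEL, worker exit, CANCEL for the same AsyncId; returns UAF hits. */
int double_cancel_uaf_hits(bool guarded) {
    struct file_lock_mock fl = { .freed = false, .uaf_hits = 0 };
    struct async_work_mock w = { .async_id = 1, .state = WORK_ACTIVE,
        .cancel_fn = mock_remove_blocked_lock, .cancel_argv0 = &fl };
    cancel_work(&w, guarded);       /* 1st SMB2 CANCEL */
    worker_cancelled_exit(&w);      /* lock freed, release_async_work() skipped */
    cancel_work(&w, guarded);       /* 2nd SMB2 CANCEL, same AsyncId */
    return fl.uaf_hits;
}

int main(void) {
    printf("unguarded: %d UAF hit(s)\n", double_cancel_uaf_hits(false));
    printf("guarded:   %d UAF hit(s)\n", double_cancel_uaf_hits(true));
    return 0;
}
```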

Related identifiers

CVE-2026-53198

Affected products

Linux