CVE-2022-49281 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix handlecache and multiuser

In multiuser each individual user has their own tcon structure for the share and thus their own handle for a cached directory. When we umount such a share we must make sure to release the pinned down dentry for each such tcon and not just the master tcon.

Otherwise we will get nasty warnings on umount that dentries are still in use:

[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/} still in use (2) [unmount of cifs cifs]
...
[ 3459.590492] Call Trace:
[ 3459.590500]  d_walk+0x61/0x2a0
[ 3459.590518]  ? shrink_lock_dentry.part.0+0xe0/0xe0
[ 3459.590526]  shrink_dcache_for_umount+0x49/0x110
[ 3459.590535]  generic_shutdown_super+0x1a/0x110
[ 3459.590542]  kill_anon_super+0x14/0x30
[ 3459.590549]  cifs_kill_sb+0xf5/0x104 [cifs]
[ 3459.590773]  deactivate_locked_super+0x36/0xa0
[ 3459.590782]  cleanup_mnt+0x131/0x190
[ 3459.590789]  task_work_run+0x5c/0x90
[ 3459.590798]  exit_to_user_mode_loop+0x151/0x160
[ 3459.590809]  exit_to_user_mode_prepare+0x83/0xd0
[ 3459.590818]  syscall_exit_to_user_mode+0x12/0x30
[ 3459.590828]  do_syscall_64+0x48/0x90
[ 3459.590833]  entry_SYSCALL_64_after_hwframe+0x44/0xae


Analysis

by VulDB Data Team • 10/21/2025

This vulnerability exists within the Linux kernel's Common Internet File System implementation where improper handling of handle caching in multiuser environments creates a critical resource management issue. The flaw specifically affects how the kernel manages dentry structures when unmounting CIFS shares under multiuser authentication scenarios. Each individual user in a multiuser setup maintains their own tcon (tree connection) structure for the share, which includes their own handle for cached directories. When the system attempts to unmount such a share, the kernel fails to properly release all pinned dentry references associated with each user's individual tcon structure, instead only releasing references from the master tcon.

The technical manifestation of this vulnerability stems from inadequate cleanup during the unmount operation. When users access CIFS shares using different credentials in multiuser mode, the kernel creates a separate connection context for each user session. Each of these contexts maintains its own directory handle cache, and consequently its own set of dentry references pointing to cached directory entries. The unmount path fails to iterate through all of these individual tcon structures during cleanup, leaving some dentry references in an active state even after the unmount operation should have completed.

The operational impact of this vulnerability is significant as it results in kernel-level warnings and potential system instability during CIFS share unmount operations. The kernel logs display explicit warnings indicating that dentries are still in use, which suggests that the filesystem's internal reference counting mechanism has detected active references that should have been released. This behavior can lead to system hangs, resource leaks, and potential data inconsistency issues when multiple users access the same CIFS share with different credentials. The call trace reveals that the issue originates from the cifs_kill_sb function within the CIFS module, which fails to properly traverse all tcon structures during the shutdown process.

This vulnerability aligns with CWE-404, which describes improper resource release or cleanup, and relates to ATT&CK technique T1484.001 for Privilege Escalation through manipulation of system resources. The fix addresses the fundamental issue by ensuring that all individual tcon structures are properly traversed during the unmount process, guaranteeing that every pinned dentry reference is released regardless of which user context originally created it. This implementation aligns with best practices for resource management in multi-user environments and prevents the accumulation of stale references that could lead to system instability. The resolution specifically targets the handlecache functionality within the CIFS subsystem, ensuring proper cleanup of directory entry references across all user sessions rather than only the master connection context.
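The following is an added illustration, not kernel code and not part of the VulDB analysis or the commit message above. It models the leak described in both: a master tcon plus one tcon per user, each pinning the share's root dentry through its cached directory handle, and an unmount routine that in the buggy form releases only the master tcon's pin and in the fixed form walks every tcon. The structure names (`dentry`, `cached_fid`, `tcon`, `cifs_sb`) and the helper functions (`dget`, `dput`, `open_cached_dir`, `close_cached_dir`, `kill_sb_buggy`, `kill_sb_fixed`, `leaked_refs`) are constructed for this example and only borrow the kernel's vocabulary; the real cifs structures and the actual fix differ in detail.

```c
/* Added illustration (not kernel code): a minimal model of the per-tcon
 * cached-directory dentry leak and of the fix that walks every tcon on
 * unmount. All structures and helpers here are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TCONS 8

/* Directory entry with a plain reference count (stand-in for struct dentry). */
struct dentry {
    char name[16];
    int refcount;
};

/* Cached directory handle; the pinned dentry stays alive while the handle is cached. */
struct cached_fid {
    int is_valid;
    struct dentry *dentry;
};

/* One tree connection to the share; in multiuser mode there is one per user. */
struct tcon {
    int uid;
    struct cached_fid cfid;
};

/* A mounted share: the master tcon plus the per-user tcons created in multiuser mode. */
struct cifs_sb {
    struct dentry root;
    struct tcon master;
    struct tcon users[MAX_TCONS];
    int nr_users;
};

static void dget(struct dentry *d) { d->refcount++; }
static void dput(struct dentry *d) { d->refcount--; }

/* Caching the root directory handle on a tcon pins the root dentry. */
static void open_cached_dir(struct tcon *t, struct dentry *root)
{
    if (t->cfid.is_valid)
        return;
    dget(root);
    t->cfid.dentry = root;
    t->cfid.is_valid = 1;
}

/* Dropping the cached handle releases the pin. */
static void close_cached_dir(struct tcon *t)
{
    if (!t->cfid.is_valid)
        return;
    dput(t->cfid.dentry);
    t->cfid.dentry = NULL;
    t->cfid.is_valid = 0;
}

/* Mount the share and let `nr_users` distinct users each cache the root. */
static void mount_share(struct cifs_sb *sb, int nr_users)
{
    memset(sb, 0, sizeof(*sb));
    strcpy(sb->root.name, "/");
    sb->root.refcount = 1;              /* the superblock's own reference */
    sb->master.uid = 0;
    open_cached_dir(&sb->master, &sb->root);
    sb->nr_users = nr_users > MAX_TCONS ? MAX_TCONS : nr_users;
    for (int i = 0; i < sb->nr_users; i++) {
        sb->users[i].uid = 1000 + i;
        open_cached_dir(&sb->users[i], &sb->root);
    }
}

/* Buggy unmount: only the master tcon's cached handle is released. */
static int kill_sb_buggy(struct cifs_sb *sb)
{
    close_cached_dir(&sb->master);
    dput(&sb->root);                    /* drop the superblock's reference */
    return sb->root.refcount;           /* non-zero means pins were leaked */
}

/* Fixed unmount: release every tcon's cached handle before tearing down the root. */
static int kill_sb_fixed(struct cifs_sb *sb)
{
    close_cached_dir(&sb->master);
    for (int i = 0; i < sb->nr_users; i++)
        close_cached_dir(&sb->users[i]);
    dput(&sb->root);
    return sb->root.refcount;
}

/* Number of references still held on the root dentry after unmount, i.e. what
 * shrink_dcache_for_umount() reports as a dentry "still in use". */
static int leaked_refs(int nr_users, int use_fix)
{
    struct cifs_sb sb;
    mount_share(&sb, nr_users);
    return use_fix ? kill_sb_fixed(&sb) : kill_sb_buggy(&sb);
}

int main(void)
{
    int leaked = leaked_refs(2, 0);
    if (leaked)
        printf("BUG: Dentry / still in use (%d) [unmount of cifs cifs]\n", leaked);
    printf("fixed unmount leaves %d dangling references\n", leaked_refs(2, 1));
    return 0;
}
```

With two multiuser sessions the buggy path leaves two references on the root dentry, which is exactly the condition the kernel's dcache teardown flags on umount; the fixed path leaves none. With no per-user tcons both paths behave identically, which is why the bug only surfaces under the multiuser mount option.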

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00246

KEV

no

Activities

very low
