CVE-2025-40242

In the Linux kernel's GFS2 filesystem, function gdlm_put_lock() contains a small race window. After the DFL_UNMOUNT flag is set, the lockspace may not have been released yet. During that window, DLM can still invoke gdlm_ast() and gdlm_bast() callbacks that attempt to dereference glock objects that have already been freed, leading to a use-after-free condition [1][2].

The vulnerability is triggered during unmount. The prerequisite is that the system must be performing a GFS2 unmount operation while DLM callbacks are still pending for locks being released. No special authentication is required beyond local access capable of mounting and unmounting a GFS2 filesystem [1].

An attacker who can trigger the race may cause a crash (denial of service) or potentially exploit the use-after-free to achieve arbitrary code execution in kernel context, depending on memory layout and heap manipulation [1].

The fix, already applied to the stable kernel tree, ensures that glocks are only freed after the lockspace has actually been released, thus preventing the callbacks from accessing freed memory [1][2].