[PATCH 5.15.y] ksmbd: do not expire session on binding failure

Linux CIFS filesystem development
 help / color / mirror / Atom feed

* [PATCH 5.15.y] ksmbd: do not expire session on binding failure
@ 2026-05-07  8:57 Li hongliang
  2026-05-08 21:11 ` Sasha Levin
  0 siblings, 1 reply; 2+ messages in thread
From: Li hongliang @ 2026-05-07  8:57 UTC (permalink / raw)
  To: gregkh, stable, imv4bel
  Cc: patches, linux-kernel, linkinjeon, senozhatsky, sfrench, hyc.lee,
	linux-cifs, stfrench

From: Hyunwoo Kim <imv4bel@gmail.com>

[ Upstream commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 ]

When a multichannel session binding request fails (e.g. wrong password),
the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
However, during binding, sess points to the target session looked up via
ksmbd_session_lookup_slowpath() -- which belongs to another connection's
user. This allows a remote attacker to invalidate any active session by
simply sending a binding request with a wrong password (DoS).

Fix this by skipping session expiration when the failed request was
a binding attempt, since the session does not belong to the current
connection. The reference taken by ksmbd_session_lookup_slowpath() is
still correctly released via ksmbd_user_session_put().

Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Li hongliang <1468888505@139.com>
---
 fs/ksmbd/smb2pdu.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 978a103e72bb..fb0dc06b2aff 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1938,8 +1938,14 @@ int smb2_sess_setup(struct ksmbd_work *work)
 			if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
 				try_delay = true;

-			sess->last_active = jiffies;
-			sess->state = SMB2_SESSION_EXPIRED;
+			/*
+			 * For binding requests, session belongs to another
+			 * connection. Do not expire it.
+			 */
+			if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+				sess->last_active = jiffies;
+				sess->state = SMB2_SESSION_EXPIRED;
+			}
 			ksmbd_user_session_put(sess);
 			work->sess = NULL;
 			if (try_delay) {
-- 
2.34.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 5.15.y] ksmbd: do not expire session on binding failure
  2026-05-07  8:57 [PATCH 5.15.y] ksmbd: do not expire session on binding failure Li hongliang
@ 2026-05-08 21:11 ` Sasha Levin
  0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-05-08 21:11 UTC (permalink / raw)
  To: gregkh, stable, imv4bel
  Cc: Sasha Levin, patches, linux-kernel, linkinjeon, senozhatsky,
	sfrench, hyc.lee, linux-cifs, stfrench, Li hongliang

> Subject: [PATCH 5.15.y] ksmbd: do not expire session on binding failure
>
> commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.

Now queued for 5.15, thanks.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-08 21:11 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-07  8:57 [PATCH 5.15.y] ksmbd: do not expire session on binding failure Li hongliang
2026-05-08 21:11 ` Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox