From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from n169-112.mail.139.com (n169-112.mail.139.com [120.232.169.112]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E70F637BE66; Thu, 7 May 2026 09:02:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=120.232.169.112 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778144547; cv=none; b=NToldcNrs2n8rv1wZthYOT7TUDcPRt/hUEXnACZj9G2CyST+a17/BdXlYlIkhAGTGLfESG8ie36cFuRCWPzDD28bwOxe86HYLbmDCoCdIWIIFNuCtnI9GdaieIuVSwvGxFGRL/jJFjxDBsFmjiQZBp6zej3zTWQdqdi4F1dqY+w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778144547; c=relaxed/simple; bh=mHbfeNpi8n7SK7jlBtSsz1V/k39W5l3V0arwOXf+BTg=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=POpCFKGzh9FPtXkaiG1aNYT5Ia3PsjV52LTn7+ICaiMOpI/HzwWDqUzmlgSTSaYKi8ZP37YPkr9CULZfBHcnVoQ+6WJDXXLT44DrWePDB34MpDFRNWgH3xeSCsZqjluJLEpbs/vhmYrQBfEf8SkdXvS+d5tEoW7z2aZOQUvyF7E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=139.com; spf=pass smtp.mailfrom=139.com; dkim=pass (1024-bit key) header.d=139.com header.i=@139.com header.b=tw6yBIv3; arc=none smtp.client-ip=120.232.169.112 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=139.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=139.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=139.com header.i=@139.com header.b="tw6yBIv3" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=139.com; s=dkim; l=0; h=from:subject:message-id:to:cc:mime-version; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=tw6yBIv34hr8l5iiKXp3m8LLmxfhX33wX2pTnB77QO1AjamrvkQQ4CujAvv73/Fg+BnZ7dOZfx3tQ QEkxa17q0PGJw3zeJpjSp2cmakN+v1q7JX/gSiYzD/HtAJVeOkiS9l3XUerFEr7JeqRY0NwCWugUuF anCRO1I8dNpJM0vU= X-RM-TagInfo: emlType=0 X-RM-SPAM: X-RM-SPAM-FLAG:00000000 Received:from NTT-kernel-dev (unknown[60.247.85.88]) by rmsmtp-lg-appmail-26-12031 (RichMail) with SMTP id 2eff69fc5412ab4-00ac0; Thu, 07 May 2026 16:57:59 +0800 (CST) X-RM-TRANSID:2eff69fc5412ab4-00ac0 From: Li hongliang <1468888505@139.com> To: gregkh@linuxfoundation.org, stable@vger.kernel.org, imv4bel@gmail.com Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, linkinjeon@kernel.org, senozhatsky@chromium.org, sfrench@samba.org, hyc.lee@gmail.com, linux-cifs@vger.kernel.org, stfrench@microsoft.com Subject: [PATCH 5.15.y] ksmbd: do not expire session on binding failure Date: Thu, 7 May 2026 16:57:58 +0800 Message-Id: <20260507085758.3514265-1-1468888505@139.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Hyunwoo Kim [ Upstream commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 ] When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put(). Cc: stable@vger.kernel.org Signed-off-by: Hyunwoo Kim Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Li hongliang <1468888505@139.com> --- fs/ksmbd/smb2pdu.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 978a103e72bb..fb0dc06b2aff 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1938,8 +1938,14 @@ int smb2_sess_setup(struct ksmbd_work *work) if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION) try_delay = true; - sess->last_active = jiffies; - sess->state = SMB2_SESSION_EXPIRED; + /* + * For binding requests, session belongs to another + * connection. Do not expire it. + */ + if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { + sess->last_active = jiffies; + sess->state = SMB2_SESSION_EXPIRED; + } ksmbd_user_session_put(sess); work->sess = NULL; if (try_delay) { -- 2.34.1