From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Michael Bommarito <michael.bommarito@gmail.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 7.0 21/42] smb: server: fix active_num_conn leak on transport allocation failure
Date: Fri, 24 Apr 2026 15:30:46 +0200 [thread overview]
Message-ID: <20260424132424.890208544@linuxfoundation.org> (raw)
In-Reply-To: <20260424132420.410310336@linuxfoundation.org>
7.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 6551300dc452ac16a855a83dbd1e74899542d3b3 upstream.
Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path. The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.
ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter. Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected. The counter is only reset by module reload.
An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.
Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.
Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections". With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.
Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_tcp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -183,6 +183,8 @@ static int ksmbd_tcp_new_connection(stru
t = alloc_transport(client_sk);
if (!t) {
sock_release(client_sk);
+ if (server_conf.max_connections)
+ atomic_dec(&active_num_conn);
return -ENOMEM;
}
next prev parent reply other threads:[~2026-04-24 13:32 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:30 [PATCH 7.0 00/42] 7.0.2-rc1 review Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 01/42] crypto: authencesn - Fix src offset when decrypting in-place Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 02/42] pwm: th1520: fix `CLIPPY=1` warning Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 03/42] drm/amdgpu: replace PASID IDR with XArray Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 04/42] crypto: krb5enc - fix sleepable flag handling in encrypt dispatch Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 05/42] crypto: krb5enc - fix async decrypt skipping hash verification Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 06/42] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 07/42] ksmbd: validate owner of durable handle on reconnect Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 08/42] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 09/42] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 10/42] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 11/42] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 12/42] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 13/42] f2fs: fix to avoid memory leak in f2fs_rename() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 14/42] f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 15/42] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 16/42] fuse: abort on fatal signal during sync init Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 17/42] fuse: Check for large folio with SPLICE_F_MOVE Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 18/42] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 19/42] fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 20/42] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-04-24 13:30 ` Greg Kroah-Hartman [this message]
2026-04-24 13:30 ` [PATCH 7.0 22/42] smb: client: fix dir separator in SMB1 UNIX mounts Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 23/42] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 24/42] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 25/42] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 26/42] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 27/42] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 28/42] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 29/42] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 30/42] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 31/42] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 32/42] writeback: Fix use after free in inode_switch_wbs_work_fn() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 33/42] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 7.0 34/42] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 35/42] ALSA: hda/realtek: Add quirk for Legion S7 15IMH Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 36/42] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 37/42] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 38/42] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 39/42] crypto: ccp: Dont attempt to copy PDH cert " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 40/42] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 41/42] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 7.0 42/42] mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER Greg Kroah-Hartman
2026-04-24 14:09 ` [PATCH 7.0 00/42] 7.0.2-rc1 review Ronald Warsow
2026-04-24 16:19 ` Takeshi Ogasawara
2026-04-24 21:04 ` Florian Fainelli
2026-04-24 21:22 ` Mark Brown
2026-04-24 22:16 ` Peter Schneider
2026-04-24 22:22 ` Shuah Khan
2026-04-25 7:33 ` Brett A C Sheffield
2026-04-25 11:49 ` Miguel Ojeda
2026-04-25 22:19 ` Dileep malepu
2026-04-26 6:58 ` Barry K. Nathan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424132424.890208544@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linkinjeon@kernel.org \
--cc=michael.bommarito@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox