Commit 98a5fd31 authored Nov 08, 2025 by Joshua Rogers Committed by Steve French Nov 09, 2025

ksmbd: close accepted socket when per-IP limit rejects connection



When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.

Release client_sk before continuing.

This bug was found with ZeroPath.

Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent e904d81a

fs/smb/server/transport_tcp.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)
		}
		}
		up_read(&conn_list_lock);
		if (ret == -EAGAIN)
		if (ret == -EAGAIN) {
		/* Per-IP limit hit: release the just-accepted socket. */
		sock_release(client_sk);
		continue;
		}

		skip_max_ip_conns_limit:
		if (server_conf.max_connections &&