Commit 9bbb19d2 authored by Hyunwoo Kim, committed by Steve French

ksmbd: do not expire session on binding failure



When a multichannel session binding request fails (e.g. wrong password),
the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
However, during binding, sess points to the target session looked up via
ksmbd_session_lookup_slowpath() -- which belongs to another connection's
user. This allows a remote attacker to invalidate any active session by
simply sending a binding request with a wrong password (DoS).

Fix this by skipping session expiration when the failed request was
a binding attempt, since the session does not belong to the current
connection. The reference taken by ksmbd_session_lookup_slowpath() is
still correctly released via ksmbd_user_session_put().

Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent c3692998
+8 −2
@@ -1939,8 +1939,14 @@ int smb2_sess_setup(struct ksmbd_work *work)
			if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
				try_delay = true;

			/*
			 * For binding requests, session belongs to another
			 * connection. Do not expire it.
			 */
			if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
				sess->last_active = jiffies;
				sess->state = SMB2_SESSION_EXPIRED;
			}
			ksmbd_user_session_put(sess);
			work->sess = NULL;
			if (try_delay) {
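Review bot: the new `if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING))` guard covers only the `last_active` and `state` writes, while the `sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION` read two lines above it still runs against the same session, which on a binding failure belongs to another connection's user. Please confirm that taking the `try_delay` decision from the target session's user is intended for a failed bind, or move that read under the same guard. The guard also keys off the raw request flag, which the client controls; a local boolean set at the point where the binding lookup via ksmbd_session_lookup_slowpath() actually happened would tie the skip to the path that was taken rather than to a bit in the request. Finally, the comment could say that `ksmbd_user_session_put(sess)` and `work->sess = NULL` stay unconditional because the lookup reference must still be dropped, since that is the part a later reader is most likely to question.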