ksmbd: close accepted socket when per-IP limit rejects connection

When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. Cc: stable@vger.kernel.org Signed-off-by: Joshua Rogers <linux@joshua.hu> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Joshua Rogers <linux@joshua.hu> 2025-11-08 22:59:23 +0800
committer: Steve French <stfrench@microsoft.com> 2025-11-09 17:47:52 -0600
commit: 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 (patch)
tree: 1317104aa262b5a084c62da667fdd1d11aaa74cd
parent: e904d81ad1c04394e1cda4610de799a006cc141c (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c
index 7a1e3dcc2cde..d2e391c29464 100644
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)
 			}
 		}
 		up_read(&conn_list_lock);
-		if (ret == -EAGAIN)
+		if (ret == -EAGAIN) {
+			/* Per-IP limit hit: release the just-accepted socket. */
+			sock_release(client_sk);
 			continue;
+		}
 
 skip_max_ip_conns_limit:
 		if (server_conf.max_connections &&
author	Joshua Rogers <linux@joshua.hu>	2025-11-08 22:59:23 +0800
committer	Steve French <stfrench@microsoft.com>	2025-11-09 17:47:52 -0600
commit	98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 (patch)
tree	1317104aa262b5a084c62da667fdd1d11aaa74cd
parent	e904d81ad1c04394e1cda4610de799a006cc141c (diff)