Three ksmbd server fixes

-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmkVV/QACgkQiiy9cAdy T1EQuwv9FU48FLM4fv2lG1NzhLtXDxwxYP/cY6c8kFmwiawVhRBxIQATJJJyp8PF fnBURW3LbodTqYs9+oL/coMGFE8HxH3OHb1JbJAiQ7cpMUTV8HIwzGe/hNnAwBM9 M9bQE5J3sDvM5KIgUnBGjoLY4LBTwjEiNF2Skukx4cKos/68NIg7pdhmuMe9Q1eR BiR30VtrvMtuA2cyCoe+KF48gB3rmpADnfs4jlIUb/NwWnTMD9KeL1lEB1T3WTP9 gyQDO2lEjggkmbLaV7XOhIolBTb3009oLihVMJBB40vJbGOcqPtBlXceERKWc69j w30r+nBzItCX637ZalzX19vLOsiWq7uHRB6VPulYf7G/OSwMqd9Ax1Cmk7M5pu67 MoeWIrbTOeIE1iq/ofN3ZL82IhLOzrsYyZBfoglaLJqv9gIg4tng3WSRK50Cb2Xf NlG89B3gYyOxWKV+9hyzZWafkakt7IojBFfX7lqrJQ/SFVziu+/l9UaqQZRVUYKP N6zIwP9G =yHP8 -----END PGP SIGNATURE----- Merge tag 'v6.18-rc5-smb-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - Fix smbdirect (RDMA) disconnect hang bug - Fix potential Denial of Service when connection limit exceeded - Fix smbdirect (RDMA) connection (potentially accessing freed memory) bug * tag 'v6.18-rc5-smb-server-fixes' of git://git.samba.org/ksmbd: smb: server: let smb_direct_disconnect_rdma_connection() turn CREATED into DISCONNECTED ksmbd: close accepted socket when per-IP limit rejects connection smb: server: rdma: avoid unmapping posted recv on accept failure
2026-05-24 23:22:31 +02:00 · 2025-11-13 04:57:38 -08:00 · 2025-11-13 04:57:38 -08:00 · 967a72fa7f
commit 967a72fa7f
parent 6fa9041b71 55286b1e1b
2 changed files with 17 additions and 2 deletions
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@ -334,6 +334,9 @@ smb_direct_disconnect_rdma_connection(struct smbdirect_socket *sc)
 		break;

 	case SMBDIRECT_SOCKET_CREATED:
+		sc->status = SMBDIRECT_SOCKET_DISCONNECTED;
+		break;
+
 	case SMBDIRECT_SOCKET_CONNECTED:
 		sc->status = SMBDIRECT_SOCKET_ERROR;
 		break;
@ -1883,6 +1886,7 @@ static int smb_direct_accept_client(struct smbdirect_socket *sc)
 static int smb_direct_prepare_negotiation(struct smbdirect_socket *sc)
 {
 	struct smbdirect_recv_io *recvmsg;
+	bool recv_posted = false;
 	int ret;

 	WARN_ON_ONCE(sc->status != SMBDIRECT_SOCKET_CREATED);
@ -1899,6 +1903,7 @@ static int smb_direct_prepare_negotiation(struct smbdirect_socket *sc)
 		pr_err("Can't post recv: %d\n", ret);
 		goto out_err;
 	}
+	recv_posted = true;

 	ret = smb_direct_accept_client(sc);
 	if (ret) {
@ -1908,7 +1913,14 @@ static int smb_direct_prepare_negotiation(struct smbdirect_socket *sc)

 	return 0;
 out_err:
-	put_recvmsg(sc, recvmsg);
+	/*
+	 * If the recv was never posted, return it to the free list.
+	 * If it was posted, leave it alone so disconnect teardown can
+	 * drain the QP and complete it (flush) and the completion path
+	 * will unmap it exactly once.
+	 */
+	if (!recv_posted)
+		put_recvmsg(sc, recvmsg);
 	return ret;
 }

--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)
 			}
 		}
 		up_read(&conn_list_lock);
-		if (ret == -EAGAIN)
+		if (ret == -EAGAIN) {
+			/* Per-IP limit hit: release the just-accepted socket. */
+			sock_release(client_sk);
 			continue;
+		}

 skip_max_ip_conns_limit:
 		if (server_conf.max_connections &&