ksmbd: close accepted socket when per-IP limit rejects connection

Joshua Rogers · smfrench · commit 98a5fd31cbf7 · 2025-11-09T17:47:52.000-06:00
When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.

Release client_sk before continuing.

This bug was found with ZeroPath.

Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers &lt;linux@joshua.hu&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c
@@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)
 			}
 		}
 		up_read(&conn_list_lock);
-		if (ret == -EAGAIN)
+		if (ret == -EAGAIN) {
+			/* Per-IP limit hit: release the just-accepted socket. */
+			sock_release(client_sk);
 			continue;
+		}
 
 skip_max_ip_conns_limit:
 		if (server_conf.max_connections &&

Original file line number	Diff line number	Diff line change
`@@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)`
`290`	`290`	`}`
`291`	`291`	`}`
`292`	`292`	`up_read(&conn_list_lock);`
`293`		`- if (ret == -EAGAIN)`
	`293`	`+ if (ret == -EAGAIN) {`
	`294`	`+ /* Per-IP limit hit: release the just-accepted socket. */`
	`295`	`+ sock_release(client_sk);`
`294`	`296`	`continue;`
	`297`	`+ }`
`295`	`298`
`296`	`299`	`skip_max_ip_conns_limit:`
`297`	`300`	`if (server_conf.max_connections &&`