ksmbd: close accepted socket when per-IP limit rejects connection

When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.

Release client_sk before continuing.

This bug was found with ZeroPath.

Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c
index 7a1e3dcc2cdee24aca5adcd4abda2dd33f28b943..d2e391c29464e7f9cd38e428a86a5edb60b04427 100644 (file)
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -290,8 +290,11 @@ static int ksmbd_kthread_fn(void *p)
                        }
                }
                up_read(&conn_list_lock);
-               if (ret == -EAGAIN)
+               if (ret == -EAGAIN) {
+                       /* Per-IP limit hit: release the just-accepted socket. */
+                       sock_release(client_sk);
                        continue;
+               }
 
 skip_max_ip_conns_limit:
                if (server_conf.max_connections &&