[{"id":3677464,"web_url":"http://patchwork.ozlabs.org/comment/3677464/","msgid":"<CAKYAXd_HjR=jTt7C9R3RZOSsD-C-OXG3xKv8aB7D5AsG+DeUjA@mail.gmail.com>","list_archive_url":null,"date":"2026-04-15T04:59:23","subject":"Re: [PATCH] smb: server: fix active_num_conn leak on transport\n allocation failure","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"On Wed, Apr 15, 2026 at 7:54 AM Michael Bommarito\n<michael.bommarito@gmail.com> wrote:\n>\n> Commit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\n> ksmbd_tcp_new_connection()\") addressed the kthread_run() failure\n> path.  The earlier alloc_transport() == NULL path in the same\n> function has the same leak, is reachable pre-authentication via any\n> TCP connect to port 445, and was empirically reproduced on UML\n> (ARCH=um, v7.0-rc7): a small number of forced allocation failures\n> were sufficient to put ksmbd into a state where every subsequent\n> connection attempt was rejected for the remainder of the boot.\n>\n> ksmbd_kthread_fn() increments active_num_conn before calling\n> ksmbd_tcp_new_connection() and discards the return value, so when\n> alloc_transport() returns NULL the socket is released and -ENOMEM\n> returned without decrementing the counter.  Each such failure\n> permanently consumes one slot from the max_connections pool; once\n> cumulative failures reach the cap, atomic_inc_return() hits the\n> threshold on every subsequent accept and every new connection is\n> rejected.  
The counter is only reset by module reload.\n>\n> An unauthenticated remote attacker can drive the server toward the\n> memory pressure that makes alloc_transport() fail by holding open\n> connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n> (0x00FFFFFF); natural transient allocation failures on a loaded\n> host produce the same drift more slowly.\n>\n> Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the\n> alloc_transport() failure path, decrement active_num_conn gated on\n> server_conf.max_connections.\n>\n> Repro details: with the patch reverted, forced alloc_transport()\n> NULL returns leaked counter slots and subsequent connection\n> attempts -- including legitimate connects issued after the\n> forced-fail window had closed -- were all rejected with \"Limit the\n> maximum number of connections\".  With this patch applied, the same\n> connect sequence produces no rejections and the counter cycles\n> cleanly between zero and one on every accept.\n>\n> Fixes: 0d0d4680db22 (\"ksmbd: add max connections parameter\")\n> Cc: stable@vger.kernel.org\n> Assisted-by: Claude:claude-opus-4-6\n> Assisted-by: Codex:gpt-5-4\n> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>\nApplied it to #ksmbd-for-next-next.\nThanks!","headers":{"Return-Path":"\n <linux-cifs+bounces-10829-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=i40I64Xd;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10829-incoming=patchwork.ozlabs.org@vger.kernel.org;\n 
receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"i40I64Xd\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260414225438.2210243-1-michael.bommarito@gmail.com>","In-Reply-To":"<20260414225438.2210243-1-michael.bommarito@gmail.com>","From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Wed, 15 Apr 2026 13:59:23 +0900","Message-ID":"\n <CAKYAXd_HjR=jTt7C9R3RZOSsD-C-OXG3xKv8aB7D5AsG+DeUjA@mail.gmail.com>","Subject":"Re: [PATCH] smb: server: fix active_num_conn leak on transport\n allocation failure","To":"Michael Bommarito <michael.bommarito@gmail.com>","Cc":"linux-cifs@vger.kernel.org, Steve French <smfrench@gmail.com>,\n\tHenrique Carvalho <henrique.carvalho@suse.com>,\n Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>, stable@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]