Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'v6.18-rc5-smb-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

- Fix smbdirect (RDMA) disconnect hang bug

- Fix potential Denial of Service when connection limit exceeded

- Fix smbdirect (RDMA) connection (potentially accessing freed memory)
bug

* tag 'v6.18-rc5-smb-server-fixes' of git://git.samba.org/ksmbd:
smb: server: let smb_direct_disconnect_rdma_connection() turn CREATED into DISCONNECTED
ksmbd: close accepted socket when per-IP limit rejects connection
smb: server: rdma: avoid unmapping posted recv on accept failure

+17 -2
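--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -334,6 +334,9 @@
 break;
 
 case SMBDIRECT_SOCKET_CREATED:
+sc->status = SMBDIRECT_SOCKET_DISCONNECTED;
+break;
+
 case SMBDIRECT_SOCKET_CONNECTED:
 sc->status = SMBDIRECT_SOCKET_ERROR;
 break;
@@ ... @@
 static int smb_direct_prepare_negotiation(struct smbdirect_socket *sc)
 {
 struct smbdirect_recv_io *recvmsg;
+bool recv_posted = false;
 int ret;
 
 WARN_ON_ONCE(sc->status != SMBDIRECT_SOCKET_CREATED);
@@ ... @@
 pr_err("Can't post recv: %d\n", ret);
 goto out_err;
 }
+recv_posted = true;
 
 ret = smb_direct_accept_client(sc);
 if (ret) {
@@ ... @@
 
 return 0;
 out_err:
-put_recvmsg(sc, recvmsg);
+/*
+ * If the recv was never posted, return it to the free list.
+ * If it was posted, leave it alone so disconnect teardown can
+ * drain the QP and complete it (flush) and the completion path
+ * will unmap it exactly once.
+ */
+if (!recv_posted)
+put_recvmsg(sc, recvmsg);
 return ret;
 }
 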
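Review bot: In the `out_err` path of smb_direct_prepare_negotiation(), a posted recvmsg is now left untouched on the assumption that disconnect teardown will flush the QP and the completion handler will unmap it, but nothing visible in this section shows that every failing caller reaches that teardown. If one does not, the buffer and its DMA mapping would leak; that is preferable to the unmap-while-posted this commit removes, yet it deserves to be stated as a contract. I would add a line where the flag is set, `/* posted: the recv completion path owns recvmsg from here; callers must run disconnect teardown on failure */`, so the ownership hand-off is documented at the point it happens. The function body between the hunks is not shown, so this is inferred from the visible lines only.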
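--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -290,8 +290,11 @@
 }
 }
 up_read(&conn_list_lock);
-if (ret == -EAGAIN)
+if (ret == -EAGAIN) {
+/* Per-IP limit hit: release the just-accepted socket. */
+sock_release(client_sk);
 continue;
+}
 
 skip_max_ip_conns_limit:
 if (server_conf.max_connections &&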
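Review bot: The new `-EAGAIN` branch releases the rejected socket but leaves no trace, so a peer that keeps hitting the per-IP limit is invisible to an operator; a rate-limited message next to the release, e.g. `pr_info_ratelimited("per-IP connection limit reached, connection rejected\n");`, would make the condition detectable without flooding the log. The accept loop starts and ends outside this hunk, so any other early `continue` taken after the accept should be checked for the same missing `sock_release(client_sk)`.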