[PATCH OLK-5.10] ksmbd: do not expire session on binding failure
From: Hyunwoo Kim <imv4bel@gmail.com> mainline inclusion from mainline-v7.0-rc6 commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14217 CVE: CVE-2026-31476 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put(). Cc: stable@vger.kernel.org Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/smb/server/smb2pdu.c [Commit 38c8a9a52082 ("smb: move client and server files to common directory fs/smb") move smb2pdu.c from fs/ksmbd to fs/smb/server.] Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com> --- fs/ksmbd/smb2pdu.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index d75de3035327..176a6a51be6d 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -1912,8 +1912,14 @@ int smb2_sess_setup(struct ksmbd_work *work) if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION) try_delay = true; - sess->last_active = jiffies; - sess->state = SMB2_SESSION_EXPIRED; + /* + * For binding requests, session belongs to another + * connection. Do not expire it. + */ + if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { + sess->last_active = jiffies; + sess->state = SMB2_SESSION_EXPIRED; + } if (try_delay) { ksmbd_conn_set_need_reconnect(conn); ssleep(5); -- 2.52.0
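Review bot: the new guard `if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING))` in the smb2_sess_setup() error path tests a flag taken from the client's request, not whether `sess` was actually obtained through the binding lookup. The commit message bases the fix on `sess` having come from ksmbd_session_lookup_slowpath(), but the lookup code is not shown in this hunk. Please confirm that no path reaches this handler with the flag set while `sess` is the current connection's own session, since such a session would now stay valid after a failed setup. If the function already records that it took the binding path, testing that state here would tie the skip to the lookup that happened and not to the request bits. The `try_delay` handling below the guard still runs for binding failures, which looks right because it acts on `conn` and not on the target session.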
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21933
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/ZUZ...
participants (2): Li Lingfeng, patchwork bot