ksmbd: reject non-VALID session in compound request branch

dhkts1 · namjaejeon · commit 6e00e12b44a9 · 2026-06-11T09:39:06.000+09:00
smb2_check_user_session() takes a shortcut for any operation that is not the
first in a COMPOUND request: it reuses work-&gt;sess (the session bound by the
first operation) and validates only the SessionId, then returns "valid". It
never re-checks work-&gt;sess-&gt;state == SMB2_SESSION_VALID, and a SessionId of
0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation value) skips even
the id comparison. The standalone path (ksmbd_session_lookup_all() plus the
SESSION_SETUP state machine) does enforce the VALID state; the compound branch
bypasses all of it.

A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes a
fresh SMB2_SESSION_IN_PROGRESS session whose sess-&gt;user is still NULL (-&gt;user is
assigned later, by ntlm_authenticate()). Used as operation 1 of a COMPOUND with
operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX, \\host\IPC$), the
tree-connect then runs on that IN_PROGRESS session and reaches
ksmbd_ipc_tree_connect_request(), which dereferences user_name(sess-&gt;user) with
sess-&gt;user == NULL (transport_ipc.c:687/701/704) -&gt; remote NULL-pointer
dereference and a kernel Oops that wedges the ksmbd worker for all clients.

Reject any non-first compound operation that lands on a session which is not
SMB2_SESSION_VALID, mirroring the validity the standalone lookup path enforces.
SESSION_SETUP itself legitimately runs on an IN_PROGRESS session, but it is
never carried as a non-first compound operation, so multi-leg authentication is
unaffected by this check.

Reproduced on mainline 7.1-rc7 with KASAN by an authenticated SMB client
(including a GUEST session): a single COMPOUND oopsed the kernel
(null-ptr-deref in ksmbd_ipc_tree_connect_request) and left the service
unresponsive to all subsequent clients.

Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy &lt;dddhkts1@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
diff --git a/smb2pdu.c b/smb2pdu.c
@@ -618,6 +618,11 @@ int smb2_check_user_session(struct ksmbd_work *work)
 					sess_id, work->sess->id);
 			return -EINVAL;
 		}
+		if (work->sess->state != SMB2_SESSION_VALID) {
+			pr_err("compound request on a non-valid session (state %d)\n",
+					work->sess->state);
+			return -EINVAL;
+		}
 		return 1;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -618,6 +618,11 @@ int smb2_check_user_session(struct ksmbd_work *work)`
`618`	`618`	`sess_id, work->sess->id);`
`619`	`619`	`return -EINVAL;`
`620`	`620`	`}`
	`621`	`+ if (work->sess->state != SMB2_SESSION_VALID) {`
	`622`	`+ pr_err("compound request on a non-valid session (state %d)\n",`
	`623`	`+ work->sess->state);`
	`624`	`+ return -EINVAL;`
	`625`	`+ }`
`621`	`626`	`return 1;`
`622`	`627`	`}`
`623`	`628`