From: Namjae Jeon linkinjeon@kernel.org
[ Upstream commit 3677ca67b9791481af16d86e47c3c7d1f2442f95 ]
we should use sock_create_kern() if the socket resides in kernel space.
Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
YES – ksmbd now creates its listening sockets with `sock_create_kern()`, so the socket is marked as a kernel socket and bypasses LSM policy checks that would otherwise block the listener. - `fs/smb/server/transport_tcp.c:474-505` replaces both IPv6 and IPv4 calls to `sock_create()` with `sock_create_kern(current->nsproxy->net_ns, …)`, ensuring `__sock_create()` runs with `kern=1` (`net/socket.c:1661-1682`). - When `kern` stays 0 (old code) LSMs such as SELinux and AppArmor enforce their policy hooks, which often deny kernel threads from opening INET stream sockets (`security/selinux/hooks.c:4797-4839`, `security/apparmor/lsm.c:1261-1301`). That failure bubbles back to `create_socket()` and leaves the ksmbd interface unconfigured (`fs/smb/server/transport_tcp.c:474-519`), so the server never starts listening. - The change aligns ksmbd with other kernel networking users (e.g., the SMB client already calls `sock_create_kern()` in `fs/smb/client/connect.c:3366-3374`) and introduces no behavioral or API risk beyond correctly flagging the socket as kernel-owned.
Given that this fixes a real service outage on systems with enforcing LSM policies, is tightly scoped, and carries minimal regression risk, it is a strong candidate for stable backporting. Suggested verification: bring up ksmbd under SELinux/AppArmor enforcing and confirm the listener binds successfully.
fs/smb/server/transport_tcp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c index 1009cb324fd51..43401d09c9db4 100644 --- a/fs/smb/server/transport_tcp.c +++ b/fs/smb/server/transport_tcp.c @@ -473,12 +473,13 @@ static int create_socket(struct interface *iface) struct socket *ksmbd_socket; bool ipv4 = false;
- ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket); + ret = sock_create_kern(current->nsproxy->net_ns, PF_INET6, SOCK_STREAM, + IPPROTO_TCP, &ksmbd_socket); if (ret) { if (ret != -EAFNOSUPPORT) pr_err("Can't create socket for ipv6, fallback to ipv4: %d\n", ret); - ret = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP, - &ksmbd_socket); + ret = sock_create_kern(current->nsproxy->net_ns, PF_INET, + SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket); if (ret) { pr_err("Can't create socket for ipv4: %d\n", ret); goto out_clear;