From: Nicolò Coccia
Date: Fri, 8 May 2026 21:33:10 +0200
Subject: [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
To: alibuda@linux.alibaba.com, dust.li@linux.alibaba.com, sidraya@linux.ibm.com, Wenjia Zhang
Cc: Tony Lu, Wen Gu, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, mjambigi@linux.ibm.com, Nicolò Coccia

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is
disabled) as the optval, an attacker can halt execution during the copy
operation, keeping the lock held. Combined with asynchronous tear-down
operations like shutdown(), this exhausts the kernel wq (kworkers) and
triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Signed-off-by: Nicolò Coccia <nicolo.coccia@leonardo.com>
---
 net/smc/af_smc.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c @@ -XXXX,X +XXXX,X @@ static int __smc_setsockopt(struct socket *sock, int level, int optname, smc =3D smc_sk(sk); + /* pre-fetch user data outside the lock */ + if (optname =3D=3D SMC_LIMIT_HS) { + if (optlen < sizeof(int)) + return -EINVAL; + if (copy_from_sockptr(&val, optval, sizeof(int))) + return -EFAULT; + } + lock_sock(sk); switch (optname) { case SMC_LIMIT_HS: - if (optlen < sizeof(int)) { - rc =3D -EINVAL; - break; - } - if (copy_from_sockptr(&val, optval, sizeof(int))) { - rc =3D -EFAULT; - break; - } - smc->limit_smc_hs =3D !!val; rc =3D 0; break;
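Review bot: the hunk header `@@ -XXXX,X +XXXX,X @@` is a placeholder, so the patch cannot be applied with `git am` as posted; please regenerate it with `git format-patch` against the net tree so the real line numbers and function context are present. On the change itself, hoisting the optlen check and copy_from_sockptr() ahead of lock_sock() is the right fix for the described hang, and returning -EINVAL/-EFAULT directly is fine there because nothing has been acquired yet. Since the pre-fetch is guarded by `if (optname == SMC_LIMIT_HS)`, it would help reviewers if the commit message stated that SMC_LIMIT_HS is the only case in this switch that reads optval; any other case (not visible in this hunk) that still copies from user memory under the lock would keep the same sleep-inside-lock window.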
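The ordering bug described in the commit message, modelled in user space as an added example (this is not the patch's code and not from the kernel tree). The socket lock is a pthread mutex standing in for lock_sock()/release_sock(); the optval is a constructed page whose copy sleeps on a condition variable until the "fault" is serviced, standing in for an unserviced userfaultfd fault; shutdown() is modelled as a second thread that needs the same lock. setsockopt_before() copies under the lock like the lines being removed, setsockopt_after() copies first like the lines being added. All type, function and field names here are invented for the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed socket model: the mutex stands in for lock_sock(), the
 * flag for smc->limit_smc_hs. */
struct sock_model {
	pthread_mutex_t lock;
	int limit_smc_hs;
};

/* Constructed optval page. faulting == true models a userfaultfd page
 * whose fault is never serviced; the copy sleeps on fault_cv until it is.
 * stalled lets an observer know the copy has entered the fault. */
struct user_page {
	int val;
	bool faulting;
	bool stalled;
	pthread_mutex_t fault_lock;
	pthread_cond_t fault_cv;
};

/* Stand-in for copy_from_sockptr(): sleeps for as long as the page faults. */
static int copy_from_user_page(int *dst, struct user_page *p)
{
	pthread_mutex_lock(&p->fault_lock);
	p->stalled = true;
	pthread_cond_broadcast(&p->fault_cv);
	while (p->faulting)
		pthread_cond_wait(&p->fault_cv, &p->fault_lock);
	*dst = p->val;
	pthread_mutex_unlock(&p->fault_lock);
	return 0;
}

/* Ordering before the patch: the copy, and its sleep, happen under the lock. */
static int setsockopt_before(struct sock_model *sk, struct user_page *optval)
{
	int val;

	pthread_mutex_lock(&sk->lock);
	copy_from_user_page(&val, optval);	/* sleeps here with the lock held */
	sk->limit_smc_hs = !!val;
	pthread_mutex_unlock(&sk->lock);
	return 0;
}

/* Ordering after the patch: fetch the user value first, then lock. */
static int setsockopt_after(struct sock_model *sk, struct user_page *optval)
{
	int val;

	copy_from_user_page(&val, optval);	/* sleeps here, no lock held */
	pthread_mutex_lock(&sk->lock);
	sk->limit_smc_hs = !!val;
	pthread_mutex_unlock(&sk->lock);
	return 0;
}

struct run_args {
	struct sock_model *sk;
	struct user_page *page;
	bool patched;
};

static void *setsockopt_thread(void *arg)
{
	struct run_args *a = arg;

	if (a->patched)
		setsockopt_after(a->sk, a->page);
	else
		setsockopt_before(a->sk, a->page);
	return NULL;
}

/* Runs setsockopt() in a thread against a faulting page, waits until the
 * copy is stalled, then checks whether a concurrent shutdown() could take
 * the socket lock. true: no hang. false: shutdown() blocks behind the copy. */
bool shutdown_can_take_lock(bool patched)
{
	struct sock_model sk = { PTHREAD_MUTEX_INITIALIZER, 0 };
	struct user_page page = { 1, true, false, PTHREAD_MUTEX_INITIALIZER,
				  PTHREAD_COND_INITIALIZER };
	struct run_args args = { &sk, &page, patched };
	pthread_t t;
	bool got_lock;

	pthread_create(&t, NULL, setsockopt_thread, &args);

	pthread_mutex_lock(&page.fault_lock);	/* wait for the copy to stall */
	while (!page.stalled)
		pthread_cond_wait(&page.fault_cv, &page.fault_lock);
	pthread_mutex_unlock(&page.fault_lock);

	/* shutdown() path: lock_sock(). trylock tells us whether it would hang. */
	got_lock = pthread_mutex_trylock(&sk.lock) == 0;
	if (got_lock)
		pthread_mutex_unlock(&sk.lock);

	pthread_mutex_lock(&page.fault_lock);	/* service the fault, let it finish */
	page.faulting = false;
	pthread_cond_broadcast(&page.fault_cv);
	pthread_mutex_unlock(&page.fault_lock);
	pthread_join(t, NULL);
	return got_lock;
}

int main(void)
{
	printf("before patch: shutdown() can take lock = %d\n",
	       shutdown_can_take_lock(false));
	printf("after patch:  shutdown() can take lock = %d\n",
	       shutdown_can_take_lock(true));
	return 0;
}
```

Build with `cc -pthread model.c` (file name assumed) and run. The point of the trylock is that in the real kernel the second path does not fail fast but sleeps in lock_sock(), which is exactly the kworker stuck in lock_sock_nested() in the trace above; the model only makes the two orderings observable without hanging the test.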