From: Dust Li <dust.li@linux.alibaba.com>
To: "Nicolò Coccia" <n.coccia96@gmail.com>,
alibuda@linux.alibaba.com, sidraya@linux.ibm.com,
"Wenjia Zhang" <wenjia@linux.ibm.com>
Cc: "Tony Lu" <tonylu@linux.alibaba.com>,
"Wen Gu" <guwen@linux.alibaba.com>,
linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
mjambigi@linux.ibm.com,
"Nicolò Coccia" <nicolo.coccia@leonardo.com>
Subject: Re: [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Date: Sun, 10 May 2026 23:19:12 +0800
Message-ID: <agCh8NuM69sYSIRA@linux.alibaba.com>
In-Reply-To: <CALSA8UZaE8FR2K-60fPYE6uSUvUNuLnH=8pPq0Hak2ADQpp1Qw@mail.gmail.com>
On 2026-05-09 07:01:02, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[ 240.123489] Call Trace:
>[ 240.123501] smc_shutdown+...
>[ 240.123512] lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
>Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
>---
>v1 -> v2:
> - Rebased against netdev/net tree
> - Added Fixes tag
>
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index 185dbed7de5d..da28652f6810 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket
>*sock, int level, int optname,
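Review bot: the quoted patch stops at the hunk header `@@ -3054,18 +3054,17 @@`; no `-`/`+`/context lines follow it, so the change cannot be applied or reviewed from this copy, which matches the reply below that it still does not apply. The header's counts (18 old lines, 17 new) do agree with the diffstat (8 insertions, 9 deletions), so the header is intact and only the body was lost, most likely in hand-editing or mail-client reformatting. When resending with git format-patch, the hunk should show copy_from_sockptr() completing into a local variable before lock_sock(sk), as the commit message describes, so that the lock covers only the update of the socket field and never a user-memory access that can sleep.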
Still does not apply; have you changed this manually?
You can produce the patch simply using `git format-patch`.
Best regards,
Dust
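The mechanism in the commit message, as an added example in user space (this is not the patch or any code from the kernel tree): a thread models __smc_setsockopt() taking the socket lock and then sleeping inside the copy of optval, while the main thread models smc_shutdown() trying to take the same lock. The names model_sock, fault_page, setsockopt_vuln, setsockopt_fixed and shutdown_can_lock are this example's own, the pthread mutex stands in for lock_sock()/release_sock(), and the condition variable that is never resolved stands in for the userfaultfd-registered page on which copy_from_sockptr() blocks. The vulnerable ordering leaves the lock held while the copy sleeps; the fixed ordering copies first and locks only for the update.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the SMC socket: the socket lock and the option field
 * that __smc_setsockopt() updates.  All names are this example's own. */
struct model_sock {
    pthread_mutex_t lock;   /* models lock_sock(sk) / release_sock(sk) */
    int limit_hs;           /* models the handshake-limit option */
};

/* Stand-in for the attacker's optval page.  In the attack the page is
 * userfaultfd-registered, so copy_from_sockptr() faults and sleeps until
 * the registering process resolves the fault, which it never does.  Here
 * the fault is a condition variable left unresolved until the scenario
 * decides to let the copy finish. */
struct fault_page {
    pthread_mutex_t m;
    pthread_cond_t cv;
    bool copier_blocked;    /* set once the copier is asleep in the fault */
    bool resolved;          /* set when the "attacker" lets the copy finish */
    int value;              /* option value the copy eventually yields */
};

typedef int (*setsockopt_fn)(struct model_sock *, struct fault_page *);

/* Models copy_from_sockptr(): sleeps while the page fault is unresolved. */
static int copy_from_fault_page(struct fault_page *p, int *out)
{
    pthread_mutex_lock(&p->m);
    p->copier_blocked = true;
    pthread_cond_broadcast(&p->cv);
    while (!p->resolved)
        pthread_cond_wait(&p->cv, &p->m);
    *out = p->value;
    pthread_mutex_unlock(&p->m);
    return 0;
}

/* Vulnerable ordering: the sleeping copy runs while the lock is held. */
static int setsockopt_vuln(struct model_sock *sk, struct fault_page *optval)
{
    int val;
    pthread_mutex_lock(&sk->lock);
    if (copy_from_fault_page(optval, &val)) {
        pthread_mutex_unlock(&sk->lock);
        return -EFAULT;
    }
    sk->limit_hs = val;
    pthread_mutex_unlock(&sk->lock);
    return 0;
}

/* Fixed ordering: copy into a local first, lock only for the update. */
static int setsockopt_fixed(struct model_sock *sk, struct fault_page *optval)
{
    int val;
    if (copy_from_fault_page(optval, &val))
        return -EFAULT;
    pthread_mutex_lock(&sk->lock);
    sk->limit_hs = val;
    pthread_mutex_unlock(&sk->lock);
    return 0;
}

struct caller { struct model_sock *sk; struct fault_page *pg; setsockopt_fn fn; };

static void *setsockopt_caller(void *arg)
{
    struct caller *c = arg;
    c->fn(c->sk, c->pg);
    return NULL;
}

/* One scenario: run the setsockopt model in a thread, wait until it is
 * asleep in the copy, then try the socket lock the way smc_shutdown()
 * would.  Returns true if the lock was free, false if the sleeping
 * copier still held it.  trylock keeps the demo from hanging. */
bool shutdown_can_lock(setsockopt_fn fn)
{
    struct model_sock sk = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct fault_page pg = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER,
                             false, false, 42 };
    struct caller c = { &sk, &pg, fn };
    pthread_t t;
    bool lock_free;

    pthread_create(&t, NULL, setsockopt_caller, &c);
    pthread_mutex_lock(&pg.m);
    while (!pg.copier_blocked)
        pthread_cond_wait(&pg.cv, &pg.m);
    pthread_mutex_unlock(&pg.m);

    lock_free = pthread_mutex_trylock(&sk.lock) == 0;
    if (lock_free)
        pthread_mutex_unlock(&sk.lock);

    /* Resolve the fault so the caller thread can finish and be joined. */
    pthread_mutex_lock(&pg.m);
    pg.resolved = true;
    pthread_cond_broadcast(&pg.cv);
    pthread_mutex_unlock(&pg.m);
    pthread_join(t, NULL);
    return lock_free;
}

int main(void)
{
    printf("copy under lock:  shutdown can lock = %d\n", shutdown_can_lock(setsockopt_vuln));
    printf("copy before lock: shutdown can lock = %d\n", shutdown_can_lock(setsockopt_fixed));
    return 0;
}
```

Build with `cc -pthread`. With the vulnerable ordering the shutdown side finds the lock busy for as long as the fault stays unresolved, which in the kernel is what leaves kworkers stuck in lock_sock_nested() until the hung-task watchdog fires; with the copy moved before the lock, the sleeping copier holds nothing that other paths on the socket need.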
Thread overview: 4+ messages
2026-05-09 11:01 [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Nicolò Coccia
2026-05-10 15:19 ` Dust Li [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-05-08 19:33 Nicolò Coccia
2026-05-09 1:26 ` Dust Li