From: Dust Li <dust.li@linux.alibaba.com>
To: "Nicolò Coccia" <n.coccia96@gmail.com>,
alibuda@linux.alibaba.com, sidraya@linux.ibm.com,
wenjia@linux.ibm.com
Cc: mjambigi@linux.ibm.com, tonylu@linux.alibaba.com,
guwen@linux.alibaba.com, linux-rdma@vger.kernel.org,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, nicolo.coccia@leonardo.com
Subject: Re: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Date: Mon, 11 May 2026 09:47:06 +0800
Message-ID: <agE1Gnk_wJOxIi1V@linux.alibaba.com>
In-Reply-To: <20260510163414.16651-1-n.coccia96@gmail.com>
On 2026-05-10 12:34:13, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[ 240.123489] Call Trace:
>[ 240.123501] smc_shutdown+...
>[ 240.123512] lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
>
>Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Best regards,
Dust
>---
> v1 -> v3:
> - Resend via git send-email to fix webmail whitespace corruption
> - Rebased against netdev/net tree
> - Added Fixes tag
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index 185dbed7de5d..da28652f6810 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname,
>
> smc = smc_sk(sk);
>
>+ /* pre-fetch user data outside the lock */
>+ if (optname == SMC_LIMIT_HS) {
>+ if (optlen < sizeof(int))
>+ return -EINVAL;
>+ if (copy_from_sockptr(&val, optval, sizeof(int)))
>+ return -EFAULT;
>+ }
>+
> lock_sock(sk);
> switch (optname) {
> case SMC_LIMIT_HS:
>- if (optlen < sizeof(int)) {
>- rc = -EINVAL;
>- break;
>- }
>- if (copy_from_sockptr(&val, optval, sizeof(int))) {
>- rc = -EFAULT;
>- break;
>- }
>-
> smc->limit_smc_hs = !!val;
> rc = 0;
> break;
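Review bot: the comment "/* pre-fetch user data outside the lock */" at the top of the hunk states what is done but not why; since the reason for the move is that copy_from_sockptr() can sleep on a user page fault (the userfaultfd/FUSE-backed optval described in the commit message), consider saying so, e.g. "/* copy_from_sockptr() may sleep on a page fault; fetch before lock_sock() */", so the copy is not moved back under lock_sock() in a later cleanup. The pre-fetch is also keyed on optname == SMC_LIMIT_HS alone; if any other case in this switch reads optval while the lock is held, it keeps the same sleep-inside-lock pattern, so the rest of the function (not visible in this hunk) is worth a quick look. The -EINVAL and -EFAULT results are preserved, only returned before lock_sock() instead of through rc/break, which is correct.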
>--
>2.53.0
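A defender-side check for the symptom the commit message quotes, added here as an example and not code from the thread or the kernel tree: it groups hung-task watchdog reports with the call-trace frames that follow them and flags the ones where a kworker is stuck in smc_shutdown() behind lock_sock_nested(). The dmesg sample is constructed from the lines quoted in the patch description.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the hung-task output quoted in the
# commit message (not a capture from a real system). The second report
# is unrelated so the filter has something to reject.
SAMPLE_DMESG = """\
[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...
[  300.000001] INFO: task kworker/u8:3 blocked for more than 120 seconds.
[  300.000010] Call Trace:
[  300.000020]  nfs_wait_bit_killable+...
"""

HUNG_RE = re.compile(r"INFO: task (\S+) blocked for more than (\d+) seconds")
# A trace frame is "symbol+offset"; an optional "? " marks unreliable frames.
TRACE_RE = re.compile(r"\]\s+(?:\?\s+)?(\w+)\+")
# Frames that together indicate a worker waiting on a held SMC socket lock.
SMC_LOCK_FRAMES = {"smc_shutdown", "lock_sock_nested"}


@dataclass
class HungTask:
    task: str
    seconds: int
    frames: list = field(default_factory=list)


def parse_hung_tasks(text):
    """Attach each call-trace frame to the hung-task report preceding it."""
    reports = []
    for line in text.splitlines():
        m = HUNG_RE.search(line)
        if m:
            reports.append(HungTask(m.group(1), int(m.group(2))))
            continue
        f = TRACE_RE.search(line)
        if f and reports:
            reports[-1].frames.append(f.group(1))
    return reports


def smc_lock_hangs(text):
    """Return only reports whose trace shows smc_shutdown() blocked on lock_sock."""
    return [r for r in parse_hung_tasks(text) if SMC_LOCK_FRAMES.issubset(r.frames)]


if __name__ == "__main__":
    for r in smc_lock_hangs(SAMPLE_DMESG):
        print(f"{r.task}: blocked {r.seconds}s, trace {' <- '.join(r.frames)}")
```

Point it at `journalctl -k` or `/dev/kmsg` output to watch for the same signature on hosts that have not yet picked up the fix.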
Thread overview:
2026-05-10 16:34 [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Nicolò Coccia
2026-05-11 1:47 ` Dust Li [this message]
2026-05-13 3:45 ` patchwork-bot+netdevbpf