Date: Sat, 9 May 2026 09:26:46 +0800
From: Dust Li
To: Nicolò Coccia, alibuda@linux.alibaba.com, sidraya@linux.ibm.com, Wenjia Zhang
Cc: Tony Lu, Wen Gu, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, mjambigi@linux.ibm.com, Nicolò Coccia
Subject: Re: [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Reply-To: dust.li@linux.alibaba.com
X-Mailing-List: linux-s390@vger.kernel.org

On 2026-05-08 21:33:10, Nicolò Coccia wrote:

Hi Nicolò,

This patch doesn't apply on net/main

>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[ 240.123489] Call Trace:
>[ 240.123501] smc_shutdown+...
>[ 240.123512] lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>

You should add a Fixes tag here.

>Signed-off-by: Nicolò Coccia <nicolo.coccia@leonardo.com>
>---
> net/smc/af_smc.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c >@@ -XXXX,X +XXXX,X @@ static int __smc_setsockopt(struct socket *sock, >int level, int optname, > > smc = smc_sk(sk); > >+ /* pre-fetch user data outside the lock */ >+ if (optname == SMC_LIMIT_HS) { >+ if (optlen < sizeof(int)) >+ return -EINVAL; >+ if (copy_from_sockptr(&val, optval, sizeof(int))) >+ return -EFAULT; >+ } >+ > lock_sock(sk); > switch (optname) { > case SMC_LIMIT_HS: >- if (optlen < sizeof(int)) { >- rc = -EINVAL; >- break; >- } >- if (copy_from_sockptr(&val, optval, sizeof(int))) { >- rc = -EFAULT; >- break; >- } >- The indenting is all messed up Best regards, Dust
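Review bot: the hunk header `>@@ -XXXX,X +XXXX,X @@` carries placeholder offsets instead of real line numbers, so git apply/am cannot place the hunk, which by itself explains why the patch does not apply on net/main; regenerate it with git format-patch from a tree where the change is committed rather than editing the diff by hand, which will also restore the tab indentation that the quoted hunk has lost. The relocation itself reads correctly: the optlen check and the copy_from_sockptr() of `val` now run before lock_sock(sk) and return -EINVAL/-EFAULT directly, which is safe because nothing has been acquired at that point, and the SMC_LIMIT_HS case drops only those two checks. Two things to confirm on the regenerated patch, since the hunk is cut off before the rest of that case: that the remainder of SMC_LIMIT_HS still consumes `val` unchanged, and that the `if (optname == SMC_LIMIT_HS)` pre-fetch guard, which now duplicates the switch label, gets a short comment on the case so a future SOL_SMC option that reads optval is not added under the lock again.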
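The userfaultfd primitive the commit message relies on, shown as an added example that is not part of this thread, the kernel patch, or the SMC code: a page registered with userfaultfd and left unserviced makes any kernel copy from it sleep in handle_userfault() for as long as the handler chooses. The demo uses write(2) into a pipe as a harmless stand-in for copy_from_sockptr(); it takes no socket lock and never opens an SMC socket, so it reproduces the stall but not the hang. It assumes Linux with <linux/userfaultfd.h> and a pthread-capable libc, and reports 1 instead of stalling when userfaultfd cannot be opened (ENOSYS under seccomp, or EPERM when vm.unprivileged_userfaultfd=0 and the caller lacks CAP_SYS_PTRACE), which is the situation in which the report falls back to FUSE-backed memory.

```c
/* uffd_block_demo.c: a kernel copy from user memory backed by an unserviced
 * userfaultfd page sleeps inside the syscall until the handler resolves it.
 * write(2) into a pipe stands in for copy_from_sockptr(); no socket lock is
 * taken and SMC is not involved.  Build: cc -O2 -pthread uffd_block_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

struct handler_arg {
	int uffd;
	void *dst;         /* registered, still-missing page */
	void *src;         /* populated buffer the handler installs into dst */
	size_t len;
	unsigned delay_ms; /* how long to leave the faulting thread asleep */
};

static double now_ms(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return ts.tv_sec * 1e3 + ts.tv_nsec / 1e6;
}

/* Handler thread: wait for the missing-page event, stall on purpose, then
 * resolve the fault.  While it stalls, the faulting write(2) sleeps in
 * handle_userfault(); this is the window the report's attacker extends. */
static void *fault_handler(void *p)
{
	struct handler_arg *a = p;
	struct pollfd pfd = { .fd = a->uffd, .events = POLLIN };
	struct uffd_msg msg;
	struct uffdio_copy cp = { .dst = (unsigned long)a->dst,
				  .src = (unsigned long)a->src, .len = a->len };

	/* Bounded wait so a surprise can never leave the writer hung. */
	if (poll(&pfd, 1, 5000) == 1 &&
	    read(a->uffd, &msg, sizeof(msg)) == (ssize_t)sizeof(msg) &&
	    msg.event == UFFD_EVENT_PAGEFAULT)
		usleep(a->delay_ms * 1000);
	if (ioctl(a->uffd, UFFDIO_COPY, &cp) == -1) {
		/* Fallback: unregistering wakes the sleeper and the fault then
		 * completes as an ordinary zero-filled anonymous page. */
		struct uffdio_range r = { .start = (unsigned long)a->dst, .len = a->len };
		ioctl(a->uffd, UFFDIO_UNREGISTER, &r);
	}
	return NULL;
}

/* Returns 0 when write(2) was held in the kernel for about delay_ms and then
 * completed, 1 when userfaultfd cannot be opened here (ENOSYS under seccomp,
 * or EPERM because vm.unprivileged_userfaultfd=0 without CAP_SYS_PTRACE),
 * -1 on any other failure.  *blocked_ms receives the measured stall. */
int uffd_block_demo(unsigned delay_ms, double *blocked_ms)
{
	size_t len = (size_t)sysconf(_SC_PAGESIZE);
	int uffd, pipefd[2] = { -1, -1 }, rc = -1;
	pthread_t th;

	/* Deliberately without UFFD_USER_MODE_ONLY: kernel-mode faults must be
	 * delivered to us, otherwise the copy would just fail with -EFAULT. */
	uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC);
	if (uffd == -1)
		return (errno == ENOSYS || errno == EPERM || errno == EACCES) ? 1 : -1;

	struct uffdio_api api = { .api = UFFD_API };
	void *dst = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	char *src = malloc(len); /* constructed payload; any content works */
	struct uffdio_register reg = {
		.range = { .start = (unsigned long)dst, .len = len },
		.mode = UFFDIO_REGISTER_MODE_MISSING,
	};
	struct handler_arg arg = { uffd, dst, src, len, delay_ms };

	if (src)
		memset(src, 'A', len);
	if (ioctl(uffd, UFFDIO_API, &api) == 0 && dst != MAP_FAILED && src &&
	    pipe(pipefd) == 0 && ioctl(uffd, UFFDIO_REGISTER, &reg) == 0 &&
	    pthread_create(&th, NULL, fault_handler, &arg) == 0) {
		double t0 = now_ms();
		/* First touch of dst is by the kernel, inside pipe_write(). */
		ssize_t n = write(pipefd[1], dst, len);
		double elapsed = now_ms() - t0;

		pthread_join(th, NULL);
		if (blocked_ms)
			*blocked_ms = elapsed;
		rc = (n == (ssize_t)len && elapsed >= delay_ms * 0.9) ? 0 : -1;
	}
	if (pipefd[0] != -1) { close(pipefd[0]); close(pipefd[1]); }
	if (dst != MAP_FAILED) munmap(dst, len);
	free(src);
	close(uffd);
	return rc;
}

int main(void)
{
	double ms = 0;
	int rc = uffd_block_demo(500, &ms);
	printf("result=%d (0 = stalled in kernel, 1 = userfaultfd unavailable), stall %.0f ms\n", rc, ms);
	return rc == 0 ? 0 : 1;
}
```

A result of 0 with a stall of roughly 500 ms means the kernel sat in the page fault for exactly as long as the handler thread decided to sleep. In the reported scenario that wait happens with lock_sock(sk) held, so a concurrent shutdown() queues behind it in lock_sock_nested(), which is the blocked-kworker trace quoted in the commit message. Opening the descriptor with UFFD_USER_MODE_ONLY, the only mode an unprivileged caller gets when the sysctl is 0, makes kernel-mode faults on the region fail with -EFAULT instead of sleeping, which closes this particular primitive but not the FUSE variant the report also names.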