Date: Sun, 10 May 2026 23:19:12 +0800
From: Dust Li
To: Nicolò Coccia, alibuda@linux.alibaba.com, sidraya@linux.ibm.com, Wenjia Zhang
Cc: Tony Lu, Wen Gu, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, mjambigi@linux.ibm.com, Nicolò Coccia
Subject: Re: [PATCH net] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Reply-To: dust.li@linux.alibaba.com
X-Mailing-List: linux-s390@vger.kernel.org

On 2026-05-09 07:01:02, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[ 240.123489] Call Trace:
>[ 240.123501] smc_shutdown+...
>[ 240.123512] lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by
>socket options")
>Signed-off-by: Nicolò Coccia
>---
>v1 -> v2:
> - Rebased against netdev/net tree
> - Added Fixes tag
>
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
> >diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c >index 185dbed7de5d..da28652f6810 100644 >--- a/net/smc/af_smc.c >+++ b/net/smc/af_smc.c >@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket >*sock, int level, int optname,

Still does not apply, have you changed this manually?

You can produce the patch simply using `git format-patch `

Best regards,
Dust
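
Review bot: The `@@ -3054,18 +3054,17 @@` hunk header is wrapped: `static int __smc_setsockopt(struct socket` is continued on a separate quoted line that starts with `*sock, int level, int optname,`. git writes a hunk header on a single line, so the break shows the patch text was re-wrapped after it was generated (by a mail client or by hand); the same wrapping applied to context lines would make the patch fail to apply, which matches the report above. Regenerate the patch with git format-patch and send the file unmodified, for example with git send-email, so that no line is re-wrapped. The Fixes: tag in the commit message is also split before `socket options")`; keep the whole tag on one line, since tags are exempt from the wrap limit and tooling matches them per line.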