Date: Mon, 11 May 2026 09:47:06 +0800
From: Dust Li
To: Nicolò Coccia, alibuda@linux.alibaba.com, sidraya@linux.ibm.com, wenjia@linux.ibm.com
Cc: mjambigi@linux.ibm.com, tonylu@linux.alibaba.com, guwen@linux.alibaba.com, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, nicolo.coccia@leonardo.com
Subject: Re: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Reply-To: dust.li@linux.alibaba.com
References: <20260510163414.16651-1-n.coccia96@gmail.com>
In-Reply-To: <20260510163414.16651-1-n.coccia96@gmail.com>
X-Mailing-List: linux-s390@vger.kernel.org

On 2026-05-10 12:34:13, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[ 240.123489] Call Trace:
>[ 240.123501] smc_shutdown+...
>[ 240.123512] lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
>
>Signed-off-by: Nicolò Coccia

Reviewed-by: Dust Li
Tested-by: Dust Li

Best regards,
Dust

>---
> v1 -> v3:
> - Resend via git send-email to fix webmail whitespace corruption
> - Rebased against netdev/net tree
> - Added Fixes tag
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index 185dbed7de5d..da28652f6810 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname, > > smc = smc_sk(sk); > >+ /* pre-fetch user data outside the lock */ >+ if (optname == SMC_LIMIT_HS) { >+ if (optlen < sizeof(int)) >+ return -EINVAL; >+ if (copy_from_sockptr(&val, optval, sizeof(int))) >+ return -EFAULT; >+ } >+ > lock_sock(sk); > switch (optname) { > case SMC_LIMIT_HS: >- if (optlen < sizeof(int)) { >- rc = -EINVAL; >- break; >- } >- if (copy_from_sockptr(&val, optval, sizeof(int))) { >- rc = -EFAULT; >- break; >- } >- > smc->limit_smc_hs = !!val; > rc = 0; > break; >-- >2.53.0
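Review bot: the new pre-fetch block is keyed on `if (optname == SMC_LIMIT_HS)` above lock_sock(sk), while its consumer is the `case SMC_LIMIT_HS:` arm of the switch below it, so the two now have to be kept in sync by hand; the comment `/* pre-fetch user data outside the lock */` should state the reason the commit message gives (copy_from_sockptr() can block on a user page fault, so it must never run under lock_sock()), otherwise a later cleanup could fold the copy back into the case arm and reintroduce the hang. The early `return -EINVAL` and `return -EFAULT` paths are correctly placed, since at that point the socket lock has not yet been taken and there is nothing to release, which is why the old `rc = ...; break;` form is no longer needed for this optname.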