[PATCH v3] net/smc: fix sleep-inside-lock in __smc

Linux s390 Architecture development
 help / color / mirror / Atom feed

* [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
@ 2026-05-10 16:34 Nicolò Coccia
  2026-05-11  1:47 ` Dust Li
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolò Coccia @ 2026-05-10 16:34 UTC (permalink / raw)
  To: alibuda, dust.li, sidraya, wenjia
  Cc: mjambigi, tonylu, guwen, linux-rdma, linux-s390, linux-kernel,
	netdev, nicolo.coccia, Nicolò Coccia

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")

Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
---
 v1 -> v3:
 - Resend via git send-email to fix webmail whitespace corruption
 - Rebased against netdev/net tree
 - Added Fixes tag
 net/smc/af_smc.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 185dbed7de5d..da28652f6810 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname,
 
 	smc = smc_sk(sk);
 
+	/* pre-fetch user data outside the lock */
+	if (optname == SMC_LIMIT_HS) {
+		if (optlen < sizeof(int))
+			return -EINVAL;
+		if (copy_from_sockptr(&val, optval, sizeof(int)))
+			return -EFAULT;
+	}
+
 	lock_sock(sk);
 	switch (optname) {
 	case SMC_LIMIT_HS:
-		if (optlen < sizeof(int)) {
-			rc = -EINVAL;
-			break;
-		}
-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
-			rc = -EFAULT;
-			break;
-		}
-
 		smc->limit_smc_hs = !!val;
 		rc = 0;
 		break;
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
  2026-05-10 16:34 [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Nicolò Coccia
@ 2026-05-11  1:47 ` Dust Li
  0 siblings, 0 replies; 2+ messages in thread
From: Dust Li @ 2026-05-11  1:47 UTC (permalink / raw)
  To: Nicolò Coccia, alibuda, sidraya, wenjia
  Cc: mjambigi, tonylu, guwen, linux-rdma, linux-s390, linux-kernel,
	netdev, nicolo.coccia

On 2026-05-10 12:34:13, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[  240.123489] Call Trace:
>[  240.123501]  smc_shutdown+...
>[  240.123512]  lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
>
>Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>

Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>

Best regards,
Dust

>---
> v1 -> v3:
> - Resend via git send-email to fix webmail whitespace corruption
> - Rebased against netdev/net tree
> - Added Fixes tag
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index 185dbed7de5d..da28652f6810 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname,
> 
> 	smc = smc_sk(sk);
> 
>+	/* pre-fetch user data outside the lock */
>+	if (optname == SMC_LIMIT_HS) {
>+		if (optlen < sizeof(int))
>+			return -EINVAL;
>+		if (copy_from_sockptr(&val, optval, sizeof(int)))
>+			return -EFAULT;
>+	}
>+
> 	lock_sock(sk);
> 	switch (optname) {
> 	case SMC_LIMIT_HS:
>-		if (optlen < sizeof(int)) {
>-			rc = -EINVAL;
>-			break;
>-		}
>-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
>-			rc = -EFAULT;
>-			break;
>-		}
>-
> 		smc->limit_smc_hs = !!val;
> 		rc = 0;
> 		break;
>-- 
>2.53.0

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-11  1:47 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-10 16:34 [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Nicolò Coccia
2026-05-11  1:47 ` Dust Li

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox