From: Nicolò Coccia
To: alibuda@linux.alibaba.com, dust.li@linux.alibaba.com, sidraya@linux.ibm.com, wenjia@linux.ibm.com
Cc: mjambigi@linux.ibm.com, tonylu@linux.alibaba.com, guwen@linux.alibaba.com, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, nicolo.coccia@leonardo.com, Nicolò Coccia
Subject: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Date: Sun, 10 May 2026 12:34:13 -0400
Message-ID: <20260510163414.16651-1-n.coccia96@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[ 240.123489] Call Trace:
[ 240.123501] smc_shutdown+...
[ 240.123512] lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia
---
v1 -> v3:
- Resend via git send-email to fix webmail whitespace corruption
- Rebased against netdev/net tree
- Added Fixes tag

 net/smc/af_smc.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index 185dbed7de5d..da28652f6810 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname, smc = smc_sk(sk); + /* pre-fetch user data outside the lock */ + if (optname == SMC_LIMIT_HS) { + if (optlen < sizeof(int)) + return -EINVAL; + if (copy_from_sockptr(&val, optval, sizeof(int))) + return -EFAULT; + } + lock_sock(sk); switch (optname) { case SMC_LIMIT_HS: - if (optlen < sizeof(int)) { - rc = -EINVAL; - break; - } - if (copy_from_sockptr(&val, optval, sizeof(int))) { - rc = -EFAULT; - break; - } - smc->limit_smc_hs = !!val; rc = 0; break; -- 2.53.0
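Review bot: the new pre-fetch block returns -EINVAL/-EFAULT directly instead of going through rc and break, which is correct here because lock_sock(sk) has not been taken yet at that point and nothing acquired in the function needs undoing, but the comment `/* pre-fetch user data outside the lock */` should state the reason the changelog gives: copy_from_sockptr() can fault in user memory and sleep, so it must not run under the socket lock. The optname is now dispatched twice (once in the pre-fetch `if (optname == SMC_LIMIT_HS)` and again in the `switch`), so any future option that reads optval has to be added to both places; a one-line comment at `case SMC_LIMIT_HS:` noting that val was already fetched above would make it harder for a later change to reintroduce a copy inside the locked section.

The hang the changelog describes (a user copy that sleeps while lock_sock() is held, so a concurrent shutdown() waiting on the same lock cannot proceed) and the patch's reordering, as an added userspace model with pthreads; this is example code, not the kernel's, and sk_lock, copy_from_user_model, struct opt_req, setsockopt_model and shutdown_can_lock are stand-in names chosen here.

```c
/* Added userspace model of the bug the patch fixes (not kernel code): lock_sock()
 * is a pthread mutex, copy_from_sockptr() sleeps until its "page" is served. */
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>

static pthread_mutex_t sk_lock = PTHREAD_MUTEX_INITIALIZER;
static sem_t copy_started, page_ready;
static int limit_smc_hs;

/* Stand-in for copy_from_sockptr(): faults, then sleeps until served. */
static int copy_from_user_model(const int *src)
{
	sem_post(&copy_started);
	sem_wait(&page_ready);
	return *src;
}

/* __smc_setsockopt() with either ordering: copy_under_lock = true is the
 * pre-patch code (copy inside the locked section), false the patched pre-fetch. */
struct opt_req { int optval; bool copy_under_lock; };
static void *setsockopt_model(void *arg)
{
	struct opt_req *req = arg;
	int val = req->copy_under_lock ? 0 : copy_from_user_model(&req->optval);
	pthread_mutex_lock(&sk_lock);
	if (req->copy_under_lock)
		val = copy_from_user_model(&req->optval);
	limit_smc_hs = !!val;
	pthread_mutex_unlock(&sk_lock);
	return NULL;
}

/* Stall the copy, then ask whether a concurrent "shutdown" can take the socket
 * lock: true means no DoS window, false means the stall wedges the lock. */
static bool shutdown_can_lock(bool copy_under_lock)
{
	struct opt_req req = { .optval = 1, .copy_under_lock = copy_under_lock };
	pthread_t t;
	sem_init(&copy_started, 0, 0);
	sem_init(&page_ready, 0, 0);
	pthread_create(&t, NULL, setsockopt_model, &req);
	sem_wait(&copy_started);                /* setsockopt is now stalled */
	bool ok = pthread_mutex_trylock(&sk_lock) == 0;
	if (ok)
		pthread_mutex_unlock(&sk_lock);
	sem_post(&page_ready);                  /* serve the fault */
	pthread_join(t, NULL);
	return ok;
}
```

Build with -pthread; shutdown_can_lock(true) reports that the shutdown path cannot take the lock while the copy is stalled, shutdown_can_lock(false) that it can.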