[PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

[PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

[Nicolò Coccia]

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")

Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
---
 v1 -> v3:
 - Resend via git send-email to fix webmail whitespace corruption
 - Rebased against netdev/net tree
 - Added Fixes tag
 net/smc/af_smc.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 185dbed7de5d..da28652f6810 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname,
 
 	smc = smc_sk(sk);
 
+	/* pre-fetch user data outside the lock */
+	if (optname == SMC_LIMIT_HS) {
+		if (optlen < sizeof(int))
+			return -EINVAL;
+		if (copy_from_sockptr(&val, optval, sizeof(int)))
+			return -EFAULT;
+	}
+
 	lock_sock(sk);
 	switch (optname) {
 	case SMC_LIMIT_HS:
-		if (optlen < sizeof(int)) {
-			rc = -EINVAL;
-			break;
-		}
-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
-			rc = -EFAULT;
-			break;
-		}
-
 		smc->limit_smc_hs = !!val;
 		rc = 0;
 		break;
-- 
2.53.0

Re: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

[Dust Li]

On 2026-05-10 12:34:13, Nicolò Coccia wrote:
>A logic flaw in __smc_setsockopt() allows a local unprivileged user to
>cause a Denial of Service (DoS) by holding the socket lock indefinitely.
>
>The function __smc_setsockopt() calls copy_from_sockptr() while holding
>lock_sock(sk). By passing a userfaultfd-monitored memory page (or
>FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
>as the optval, an attacker can halt execution during the copy operation,
>keeping the lock held.
>
>Combined with asynchronous tear-down operations like shutdown(), this
>exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
>
>[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
>[  240.123489] Call Trace:
>[  240.123501]  smc_shutdown+...
>[  240.123512]  lock_sock_nested+...
>
>This patch moves the user-space copy outside the lock_sock() critical
>section to prevent the issue.
>
>Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
>
>Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>

Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>

Best regards,
Dust

>---
> v1 -> v3:
> - Resend via git send-email to fix webmail whitespace corruption
> - Rebased against netdev/net tree
> - Added Fixes tag
> net/smc/af_smc.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index 185dbed7de5d..da28652f6810 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3054,18 +3054,17 @@ static int __smc_setsockopt(struct socket *sock, int level, int optname,
> 
> 	smc = smc_sk(sk);
> 
>+	/* pre-fetch user data outside the lock */
>+	if (optname == SMC_LIMIT_HS) {
>+		if (optlen < sizeof(int))
>+			return -EINVAL;
>+		if (copy_from_sockptr(&val, optval, sizeof(int)))
>+			return -EFAULT;
>+	}
>+
> 	lock_sock(sk);
> 	switch (optname) {
> 	case SMC_LIMIT_HS:
>-		if (optlen < sizeof(int)) {
>-			rc = -EINVAL;
>-			break;
>-		}
>-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
>-			rc = -EFAULT;
>-			break;
>-		}
>-
> 		smc->limit_smc_hs = !!val;
> 		rc = 0;
> 		break;
>-- 
>2.53.0

Re: [PATCH v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sun, 10 May 2026 12:34:13 -0400 you wrote:
> A logic flaw in __smc_setsockopt() allows a local unprivileged user to
> cause a Denial of Service (DoS) by holding the socket lock indefinitely.
> 
> The function __smc_setsockopt() calls copy_from_sockptr() while holding
> lock_sock(sk). By passing a userfaultfd-monitored memory page (or
> FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
> as the optval, an attacker can halt execution during the copy operation,
> keeping the lock held.
> 
> [...]

Here is the summary with links:
  - [v3] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
    https://git.kernel.org/netdev/net/c/a3fdd924d88c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html