git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Nicolò Coccia <n.coccia96@gmail.com>
	Sun, 10 May 2026 16:34:13 +0000 (12:34 -0400)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 13 May 2026 01:43:40 +0000 (18:43 -0700)
commit	a3fdd924d88c30b9f488636ce0e4696012cf5511
tree	039aa34e8b60ebc72f6b4ec82c209b616b2d3934	tree \| snapshot
parent	f9e2342046ef1560d35bcd4a4b1197648ffd151d	commit \| diff

net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>