net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS - kernel/linux.git

diff options

author	Nicolò Coccia <n.coccia96@gmail.com>	2026-05-10 19:34:13 +0300
committer	Jakub Kicinski <kuba@kernel.org>	2026-05-13 04:43:40 +0300
commit	a3fdd924d88c30b9f488636ce0e4696012cf5511 (patch)
tree	039aa34e8b60ebc72f6b4ec82c209b616b2d3934 /scripts/bash-completion/make
parent	f9e2342046ef1560d35bcd4a4b1197648ffd151d (diff)
download	linux-a3fdd924d88c30b9f488636ce0e4696012cf5511.tar.xz

net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

A logic flaw in __smc_setsockopt() allows a local unprivileged user to cause a Denial of Service (DoS) by holding the socket lock indefinitely. The function __smc_setsockopt() calls copy_from_sockptr() while holding lock_sock(sk). By passing a userfaultfd-monitored memory page (or FUSE-backed memory on systems where unprivileged userfaultfd is disabled) as the optval, an attacker can halt execution during the copy operation, keeping the lock held. Combined with asynchronous tear-down operations like shutdown(), this exhausts the kernel wq (kworkers) and triggers the hung task watchdog. [ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds. [ 240.123489] Call Trace: [ 240.123501] smc_shutdown+... [ 240.123512] lock_sock_nested+... This patch moves the user-space copy outside the lock_sock() critical section to prevent the issue. Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options") Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com> Reviewed-by: Dust Li <dust.li@linux.alibaba.com> Tested-by: Dust Li <dust.li@linux.alibaba.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'scripts/bash-completion/make')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: