From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6EDC669954; Wed, 21 Feb 2024 13:12:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708521133; cv=none; b=rFRXWiT4mIl4aTLJpTBxwQpJAG1qkdR6IgsQqYxGOoMv9CXnz7iK3c4UVKV1srjh7nbQli5ufZnGo6JyP3J5EEP2VGf/YbO++2zc/Fmj6FDLlGldUxez0P7SiM2PgPwJdSqSiG+Bk118tD6JqcdkD7OFhjeBGUIR6wCqfOdSsRo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708521133; c=relaxed/simple; bh=Yx6Q5mYCLL+p77N1zMNhbPxLovHKd7Om/wAivbmJiaM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XiftNvAHsSp4/qs6RQg5k4CKsu5mHLnYuTZBfXmy4YoZsQaYyeJbDViWQQN1relVwHmiyetLDzyg5L+ZlWnGewA3tAbCuw6WOjMLIbtgIiOhTS3MlvAHsZljxCfzlRuMPE49Qt53SqUIBDrJOhJ/TG4RBHUrrJIac1N61mRfrqU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=vl9VtLNW; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="vl9VtLNW" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D3619C433F1; Wed, 21 Feb 2024 13:12:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1708521133; bh=Yx6Q5mYCLL+p77N1zMNhbPxLovHKd7Om/wAivbmJiaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vl9VtLNWHmHmUpkY7szbKe9TVWSTUlBofUWUCpiE1Yk8lqr2y2tmxNWOELfwDbC48 DV7dzelhIxgRpM2uf/JZOYbhTPtIhM1k2IPtIu9+ysqhLdKQq2fTkTe2I7DpHASoSu dnQIdVPHgQ2E18t2C+4+XkpKZBxRZ8FSK41mEpb0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Edward Adam Davis , syzbot+c52ab18308964d248092@syzkaller.appspotmail.com, Herbert Xu Subject: [PATCH 4.19 013/202] hwrng: core - Fix page fault dead lock on mmap-ed hwrng Date: Wed, 21 Feb 2024 14:05:14 +0100 Message-ID: <20240221125932.178994049@linuxfoundation.org> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240221125931.742034354@linuxfoundation.org> References: <20240221125931.742034354@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Herbert Xu commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream. There is a dead-lock in the hwrng device read path. This triggers when the user reads from /dev/hwrng into memory also mmap-ed from /dev/hwrng. The resulting page fault triggers a recursive read which then dead-locks. Fix this by using a stack buffer when calling copy_to_user. Reported-by: Edward Adam Davis Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array") Cc: Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/char/hw_random/core.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) --- a/drivers/char/hw_random/core.c +++ b/drivers/char/hw_random/core.c @@ -24,10 +24,13 @@ #include #include #include +#include #include #define RNG_MODULE_NAME "hw_random" +#define RNG_BUFFER_SIZE (SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES) + static struct hwrng *current_rng; /* the current rng has been explicitly chosen by user via sysfs */ static int cur_rng_set_by_user; @@ -59,7 +62,7 @@ static inline int rng_get_data(struct hw static size_t rng_buffer_size(void) { - return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES; + return RNG_BUFFER_SIZE; } static void add_early_randomness(struct hwrng *rng) @@ -202,6 +205,7 @@ static inline int rng_get_data(struct hw static ssize_t rng_dev_read(struct file *filp, char __user *buf, size_t size, loff_t *offp) { + u8 buffer[RNG_BUFFER_SIZE]; ssize_t ret = 0; int err = 0; int bytes_read, len; @@ -229,34 +233,37 @@ static ssize_t rng_dev_read(struct file if (bytes_read < 0) { err = bytes_read; goto out_unlock_reading; + } else if (bytes_read == 0 && + (filp->f_flags & O_NONBLOCK)) { + err = -EAGAIN; + goto out_unlock_reading; } + data_avail = bytes_read; } - if (!data_avail) { - if (filp->f_flags & O_NONBLOCK) { - err = -EAGAIN; - goto out_unlock_reading; - } - } else { - len = data_avail; + len = data_avail; + if (len) { if (len > size) len = size; data_avail -= len; - if (copy_to_user(buf + ret, rng_buffer + data_avail, - len)) { + memcpy(buffer, rng_buffer + data_avail, len); + } + mutex_unlock(&reading_mutex); + put_rng(rng); + + if (len) { + if (copy_to_user(buf + ret, buffer, len)) { err = -EFAULT; - goto out_unlock_reading; + goto out; } size -= len; ret += len; } - mutex_unlock(&reading_mutex); - put_rng(rng); if (need_resched()) schedule_timeout_interruptible(1); @@ -267,6 +274,7 @@ static ssize_t rng_dev_read(struct file } } out: + memzero_explicit(buffer, sizeof(buffer)); return ret ? : err; out_unlock_reading: