Re: [PATCH] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()

From: Marcel Holtmann
Date: Mon Aug 30 2021 - 10:49:08 EST


Hi Takashi,

> The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
> call that may be endlessly blocked by a task with userfaultfd
> technique, and this will result in a hung task watchdog trigger.
>
> Just like the similar fix for hci_sock_sendmsg() in commit
> 92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
> the memcpy_from_msg() out of lock_sock() for addressing the hang.
>
> This should be the last piece for fixing CVE-2021-3640 after a few
> already queued fixes.
>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
> net/bluetooth/sco.c | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel