Commit 8839e4ea authored by Takashi Iwai's avatar Takashi Iwai Committed by Zheng Zengkai
Browse files

Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() 

mainline inclusion
from mainline-v5.14-rc7
commit 99c23da0
category: bugfix
bugzilla: 185743 https://gitee.com/openeuler/kernel/issues/I4DDEL
CVE: CVE-2021-3640

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951



-------------------------------------------------

The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
call that may be endlessly blocked by a task with userfaultd
technique, and this will result in a hung task watchdog trigger.

Just like the similar fix for hci_sock_sendmsg() in commit
92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
the  memcpy_from_msg() out of lock_sock() for addressing the hang.

This should be the last piece for fixing CVE-2021-3640 after a few
already queued fixes.

Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarLijun Fang <fanglijun3@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>

Signed-off-by: default avatarChen Jun <chenjun102@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 06742c56
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment