hwrng: core - Fix page fault dead lock on mmap-ed hwrng
authorHerbert Xu <herbert@gondor.apana.org.au>
Sat, 2 Dec 2023 01:01:54 +0000 (09:01 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 1 Feb 2024 00:18:50 +0000 (16:18 -0800)
commitecabe8cd456d3bf81e92c53b074732f3140f170d
tree3c07bcc34cc39f60910d64c1961d05e70f4cd457
parent7692e29d191c097e406126413769bdde8f2670b7
hwrng: core - Fix page fault dead lock on mmap-ed hwrng

commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream.

There is a dead-lock in the hwrng device read path.  This triggers
when the user reads from /dev/hwrng into memory also mmap-ed from
/dev/hwrng.  The resulting page fault triggers a recursive read
which then dead-locks.

Fix this by using a stack buffer when calling copy_to_user.

Reported-by: Edward Adam Davis <eadavis@qq.com>
Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com
Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/hw_random/core.c