diff options
author | Theodore Ts'o <tytso@mit.edu> | 2014-05-16 21:40:41 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2014-05-16 22:18:22 -0400 |
commit | f9c6d4987b23e0a514464bae6771933a48e4cd01 (patch) | |
tree | 4470c1ccd9ade767d3c3928ebb2432e9c9d32546 | |
parent | d6d211db37e75de2ddc3a4f979038c40df7cc79c (diff) | |
download | linux-f9c6d4987b23e0a514464bae6771933a48e4cd01.tar.bz2 |
random: fix BUG_ON caused by accounting simplification
Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified
things too much, in that it allows the following to trigger an
overflow that results in a BUG_ON crash:
dd if=/dev/urandom of=/dev/zero bs=67108707 count=1
Thanks to Peter Zihlstra for discovering the crash, and Hannes
Frederic for analyizing the root cause.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Greg Price <price@mit.edu>
-rw-r--r-- | drivers/char/random.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 6b75713d953a..102c50d38902 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -995,8 +995,11 @@ retry: ibytes = min_t(size_t, ibytes, have_bytes - reserved); if (ibytes < min) ibytes = 0; - entropy_count = max_t(int, 0, - entropy_count - (ibytes << (ENTROPY_SHIFT + 3))); + if (have_bytes >= ibytes + reserved) + entropy_count -= ibytes << (ENTROPY_SHIFT + 3); + else + entropy_count = reserved << (ENTROPY_SHIFT + 3); + if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) goto retry; |