summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Büsch <m@bues.ch>2018-06-14 20:08:11 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2018-06-15 23:06:49 +0800
commit837bf7cc3b7504385ae0e829c72e470dfc27cf6c (patch)
treea81c740ca1b82b148c7ce6e29880d6c948eaa9f0
parenta81ae8095712d1513fe8d58527c92c439b43233e (diff)
downloadlinux-837bf7cc3b7504385ae0e829c72e470dfc27cf6c.tar.bz2
hwrng: core - Always drop the RNG in hwrng_unregister()
enable_best_rng() is used in hwrng_unregister() to switch away from the currently active RNG, if that is the one currently being removed. However enable_best_rng() might fail, if the next RNG's init routine fails. In that case enable_best_rng() will return an error code and the currently active RNG will remain active. After unregistering this might lead to crashes due to use-after-free. Fix this by dropping the currently active RNG, if enable_best_rng() failed. This will result in no RNG to be active, if the next-best one failed to initialize. This problem was introduced by 142a27f0a731ddcf467546960a5585970ca98e21 Fixes: 142a27f0a731 ("hwrng: core - Reset user selected rng by...") Reported-by: Wirz <spam@lukas-wirz.de> Tested-by: Wirz <spam@lukas-wirz.de> Signed-off-by: Michael Büsch <m@bues.ch> Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--drivers/char/hw_random/core.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
index 91bb98c42a1c..aaf9e5afaad4 100644
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -516,11 +516,18 @@ EXPORT_SYMBOL_GPL(hwrng_register);
void hwrng_unregister(struct hwrng *rng)
{
+ int err;
+
mutex_lock(&rng_mutex);
list_del(&rng->list);
- if (current_rng == rng)
- enable_best_rng();
+ if (current_rng == rng) {
+ err = enable_best_rng();
+ if (err) {
+ drop_current_rng();
+ cur_rng_set_by_user = 0;
+ }
+ }
if (list_empty(&rng_list)) {
mutex_unlock(&rng_mutex);