From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH 5.10 19/25] random: fix data race on crng_node_pool
Date: Fri, 14 Jan 2022 09:16:27 +0100 [thread overview]
Message-ID: <20220114081543.352538528@linuxfoundation.org> (raw)
In-Reply-To: <20220114081542.698002137@linuxfoundation.org>
From: Eric Biggers <ebiggers@google.com>
commit 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de upstream.
extract_crng() and crng_backtrack_protect() load crng_node_pool with a
plain load, which causes undefined behavior if do_numa_crng_init()
modifies it concurrently.
Fix this by using READ_ONCE(). Note: as per the previous discussion
https://lore.kernel.org/lkml/20211219025139.31085-1-ebiggers@kernel.org/T/#u,
READ_ONCE() is believed to be sufficient here, and it was requested that
it be used here instead of smp_load_acquire().
Also change do_numa_crng_init() to set crng_node_pool using
cmpxchg_release() instead of mb() + cmpxchg(), as the former is
sufficient here but is more lightweight.
Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/random.c | 42 ++++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 20 deletions(-)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -853,8 +853,8 @@ static void do_numa_crng_init(struct wor
crng_initialize_secondary(crng);
pool[i] = crng;
}
- mb();
- if (cmpxchg(&crng_node_pool, NULL, pool)) {
+ /* pairs with READ_ONCE() in select_crng() */
+ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
for_each_node(i)
kfree(pool[i]);
kfree(pool);
@@ -867,8 +867,26 @@ static void numa_crng_init(void)
{
schedule_work(&numa_crng_init_work);
}
+
+static struct crng_state *select_crng(void)
+{
+ struct crng_state **pool;
+ int nid = numa_node_id();
+
+ /* pairs with cmpxchg_release() in do_numa_crng_init() */
+ pool = READ_ONCE(crng_node_pool);
+ if (pool && pool[nid])
+ return pool[nid];
+
+ return &primary_crng;
+}
#else
static void numa_crng_init(void) {}
+
+static struct crng_state *select_crng(void)
+{
+ return &primary_crng;
+}
#endif
/*
@@ -1015,15 +1033,7 @@ static void _extract_crng(struct crng_st
static void extract_crng(__u8 out[CHACHA_BLOCK_SIZE])
{
- struct crng_state *crng = NULL;
-
-#ifdef CONFIG_NUMA
- if (crng_node_pool)
- crng = crng_node_pool[numa_node_id()];
- if (crng == NULL)
-#endif
- crng = &primary_crng;
- _extract_crng(crng, out);
+ _extract_crng(select_crng(), out);
}
/*
@@ -1052,15 +1062,7 @@ static void _crng_backtrack_protect(stru
static void crng_backtrack_protect(__u8 tmp[CHACHA_BLOCK_SIZE], int used)
{
- struct crng_state *crng = NULL;
-
-#ifdef CONFIG_NUMA
- if (crng_node_pool)
- crng = crng_node_pool[numa_node_id()];
- if (crng == NULL)
-#endif
- crng = &primary_crng;
- _crng_backtrack_protect(crng, tmp, used);
+ _crng_backtrack_protect(select_crng(), tmp, used);
}
static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
next prev parent reply other threads:[~2022-01-14 8:19 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-14 8:16 [PATCH 5.10 00/25] 5.10.92-rc1 review Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 01/25] md: revert io stats accounting Greg Kroah-Hartman
2022-01-26 10:09 ` Jack Wang
2022-01-26 11:42 ` Greg Kroah-Hartman
2022-01-26 12:37 ` Jack Wang
2022-01-26 12:57 ` Greg Kroah-Hartman
2022-01-26 15:19 ` Guillaume Morin
2022-01-26 15:12 ` Guillaume Morin
2022-01-26 21:22 ` Jack Wang
2022-01-14 8:16 ` [PATCH 5.10 02/25] workqueue: Fix unbind_workers() VS wq_worker_running() race Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 03/25] bpf: Fix out of bounds access from invalid *_or_null type verification Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 04/25] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 05/25] Bluetooth: btusb: Add two more Bluetooth parts for WCN6855 Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 06/25] Bluetooth: btusb: Add support for Foxconn MT7922A Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 07/25] Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0 Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 08/25] Bluetooth: bfusb: fix division by zero in send path Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 09/25] ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100 Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 10/25] USB: core: Fix bug in resuming hubs handling of wakeup requests Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 11/25] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 12/25] ath11k: Fix buffer overflow when scanning with extraie Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 13/25] mmc: sdhci-pci: Add PCI ID for Intel ADL Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 14/25] veth: Do not record rx queue hint in veth_xmit Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 15/25] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 16/25] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 17/25] can: isotp: convert struct tpcon::{idx,len} to unsigned int Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 18/25] can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} Greg Kroah-Hartman
2022-01-14 8:16 ` Greg Kroah-Hartman [this message]
2022-01-14 8:16 ` [PATCH 5.10 20/25] random: fix data race on crng init time Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 21/25] random: fix crash on multiple early calls to add_bootloader_randomness() Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 22/25] media: Revert "media: uvcvideo: Set unique vdev name based in type" Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 23/25] staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 24/25] drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk() Greg Kroah-Hartman
2022-01-14 8:16 ` [PATCH 5.10 25/25] staging: greybus: fix stack size warning with UBSAN Greg Kroah-Hartman
2022-01-14 13:22 ` [PATCH 5.10 00/25] 5.10.92-rc1 review Pavel Machek
2022-01-14 18:09 ` Jon Hunter
2022-01-14 21:25 ` Fox Chen
2022-01-14 22:29 ` Florian Fainelli
2022-01-15 0:25 ` Shuah Khan
2022-01-15 5:35 ` Naresh Kamboju
2022-01-15 11:07 ` Sudip Mukherjee
2022-01-15 16:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220114081543.352538528@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jason@zx2c4.com \
--cc=ebiggers@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paulmck@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).