• Andrew Morton's avatar
    drivers/char/random.c: fix a race which can lead to a bogus BUG() · 8b76f46a
    Andrew Morton authored
    Fix a bug reported by and diagnosed by Aaron Straus.
    
    This is a regression intruduced into 2.6.26 by
    
        commit adc782da
        Author: Matt Mackall <mpm@selenic.com>
        Date:   Tue Apr 29 01:03:07 2008 -0700
    
            random: simplify and rename credit_entropy_store
    
    credit_entropy_bits() does:
    
    	spin_lock_irqsave(&r->lock, flags);
    	...
    	if (r->entropy_count > r->poolinfo->POOLBITS)
    		r->entropy_count = r->poolinfo->POOLBITS;
    
    so there is a time window in which this BUG_ON():
    
    static size_t account(struct entropy_store *r, size_t nbytes, int min,
    		      int reserved)
    {
    	unsigned long flags;
    
    	BUG_ON(r->entropy_count > r->poolinfo->POOLBITS);
    
    	/* Hold lock while accounting */
    	spin_lock_irqsave(&r->lock, flags);
    
    can trigger.
    
    We could fix this by moving the assertion inside the lock, but it seems
    safer and saner to revert to the old behaviour wherein
    entropy_store.entropy_count at no time exceeds
    entropy_store.poolinfo->POOLBITS.
    Reported-by: default avatarAaron Straus <aaron@merfinllc.com>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: <stable@kernel.org>		[2.6.26.x]
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    8b76f46a
random.c 48.8 KB