Re: BUG_ON drivers/char/random.c:986 (Was: perf: use after free in perf_remove_from_context)
From: Theodore Ts'o
Date: Fri May 16 2014 - 22:19:48 EST
On Fri, May 16, 2014 at 05:46:22PM -0700, Hannes Frederic Sowa wrote:
> This should do the trick:
> dd if=/dev/urandom of=/dev/zero bs=67108707
>
> I suspect ee1de406ba6eb1 ("random: simplify accounting logic") as the
> culprit.
Yep, that it's it. Thanks for noticing this so quickly! I'll push
the following patch to Linus.
- Ted
commit 29fb0ca5b3922288fba3f4c975a55032a51df0f0
Author: Theodore Ts'o <tytso@xxxxxxx>
Date: Fri May 16 21:40:41 2014 -0400
random: fix BUG_ON caused by accounting simplification
Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified
things too much, in that it allows the following to trigger an
overflow that results in a BUG_ON crash:
dd if=/dev/urandom of=/dev/zero bs=67108707
Thanks to Peter Zihlstra for discovering the crash, and Hannes
Frederic for analyizing the root cause.
Signed-off-by: "Theodore Ts'o" <tytso@xxxxxxx>
Reported-by: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Reported-by: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
Cc: Greg Price <price@xxxxxxx>
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 6b75713..102c50d 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -995,8 +995,11 @@ retry:
ibytes = min_t(size_t, ibytes, have_bytes - reserved);
if (ibytes < min)
ibytes = 0;
- entropy_count = max_t(int, 0,
- entropy_count - (ibytes << (ENTROPY_SHIFT + 3)));
+ if (have_bytes >= ibytes + reserved)
+ entropy_count -= ibytes << (ENTROPY_SHIFT + 3);
+ else
+ entropy_count = reserved << (ENTROPY_SHIFT + 3);
+
if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
goto retry;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/