Commit dd0f0cf5 authored Jul 31, 2016 by Michael Ellerman Committed by Linus Torvalds Jul 30, 2016

random: Fix crashes with sparse node ids



On a system with sparse node ids, eg. a powerpc system with 4 nodes
numbered like so:

  node   0: [mem 0x0000000000000000-0x00000007ffffffff]
  node   1: [mem 0x0000000800000000-0x0000000fffffffff]
  node  16: [mem 0x0000001000000000-0x00000017ffffffff]
  node  17: [mem 0x0000001800000000-0x0000001fffffffff]

The code in rand_initialize() will allocate 4 pointers for the pool
array, and initialise them correctly.

However when go to use the pool, in eg. extract_crng(), we use the
numa_node_id() to index into the array. For the higher numbered node ids
this leads to random memory corruption, depending on what was kmalloc'ed
adjacent to the pool array.

Fix it by using nr_node_ids to size the pool array.

Fixes: 1e7f583a ("random: make /dev/urandom scalable for silly userspace programs")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 7f155c70

drivers/char/random.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -249,6 +249,7 @@
		#include <linux/genhd.h>
		#include <linux/interrupt.h>
		#include <linux/mm.h>
		#include <linux/nodemask.h>
		#include <linux/spinlock.h>
		#include <linux/kthread.h>
		#include <linux/percpu.h>
		@@ -1656,7 +1657,6 @@ static int rand_initialize(void)
		{
		#ifdef CONFIG_NUMA
		int i;
		int num_nodes = num_possible_nodes();
		struct crng_state *crng;
		struct crng_state **pool;
		#endif
		@@ -1666,8 +1666,7 @@ static int rand_initialize(void)
		crng_initialize(&primary_crng);

		#ifdef CONFIG_NUMA
		pool = kmalloc(num_nodes * sizeof(void *),
		GFP_KERNEL\|__GFP_NOFAIL\|__GFP_ZERO);
		pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL\|__GFP_NOFAIL);
		for_each_online_node(i) {
		crng = kmalloc_node(sizeof(struct crng_state),
		GFP_KERNEL \| __GFP_NOFAIL, i);

Admin message