summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Ellerman <mpe@ellerman.id.au>2016-07-31 00:23:08 +1000
committerLinus Torvalds <torvalds@linux-foundation.org>2016-07-30 21:00:06 -0700
commitdd0f0cf58af70dc9267409f113bea772d57f675c (patch)
treef0a655622dc3e030c2f12388f07bfafd20e2b049
parent7f155c702677d057d03b192ce652311de5434697 (diff)
random: Fix crashes with sparse node ids
On a system with sparse node ids, eg. a powerpc system with 4 nodes numbered like so: node 0: [mem 0x0000000000000000-0x00000007ffffffff] node 1: [mem 0x0000000800000000-0x0000000fffffffff] node 16: [mem 0x0000001000000000-0x00000017ffffffff] node 17: [mem 0x0000001800000000-0x0000001fffffffff] The code in rand_initialize() will allocate 4 pointers for the pool array, and initialise them correctly. However when go to use the pool, in eg. extract_crng(), we use the numa_node_id() to index into the array. For the higher numbered node ids this leads to random memory corruption, depending on what was kmalloc'ed adjacent to the pool array. Fix it by using nr_node_ids to size the pool array. Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs") Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/char/random.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 7f0622426b97..3efb3bf0ab83 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -249,6 +249,7 @@
#include <linux/genhd.h>
#include <linux/interrupt.h>
#include <linux/mm.h>
+#include <linux/nodemask.h>
#include <linux/spinlock.h>
#include <linux/kthread.h>
#include <linux/percpu.h>
@@ -1656,7 +1657,6 @@ static int rand_initialize(void)
{
#ifdef CONFIG_NUMA
int i;
- int num_nodes = num_possible_nodes();
struct crng_state *crng;
struct crng_state **pool;
#endif
@@ -1666,8 +1666,7 @@ static int rand_initialize(void)
crng_initialize(&primary_crng);
#ifdef CONFIG_NUMA
- pool = kmalloc(num_nodes * sizeof(void *),
- GFP_KERNEL|__GFP_NOFAIL|__GFP_ZERO);
+ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
for_each_online_node(i) {
crng = kmalloc_node(sizeof(struct crng_state),
GFP_KERNEL | __GFP_NOFAIL, i);