From patchwork Wed Dec 16 10:59:06 2020
X-Patchwork-Submitter: Luca Dariz
X-Patchwork-Id: 345037
From: Luca Dariz
To: linux-crypto@vger.kernel.org
Cc: Luca Dariz, Matt Mackall, Herbert Xu, Colin Ian King, Holger Brunck, Valentin Longchamp
Subject: [PATCH v2] hwrng: fix khwrng lifecycle
Date: Wed, 16 Dec 2020 11:59:06 +0100
Message-Id: <20201216105906.6607-1-luca.dariz@hitachi-powergrids.com>
X-Mailer: git-send-email 2.24.3
X-Mailing-List: linux-crypto@vger.kernel.org

There are two issues with the management of the kernel thread to gather
entropy:

* it can terminate also if the rng is removed, and in this case it doesn't
  synchronize with kthread_should_stop(), but it directly sets hwrng_fill
  to NULL. If this happens after the NULL check but before kthread_stop()
  is called, we'll have a NULL pointer dereference.

* if we have a register/unregister too fast, it can happen that the kthread
  is not yet started when kthread_stop is called, and this seems to leave a
  corrupted or uninitialized kthread struct. This is detected by the
  WARN_ON at kernel/kthread.c:75 and later causes a page domain fault.

CC: Matt Mackall
CC: Herbert Xu
CC: Colin Ian King
CC: Holger Brunck
CC: Valentin Longchamp
Signed-off-by: Luca Dariz
---
v2:
* reduced sleep from 10s to 10ms in case there is no rng; the termination
  should be faster in this case as it could block a pending register or
  unregister.

 drivers/char/hw_random/core.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c index 8c1c47dd9f46..367b122c1d70 100644 --- a/drivers/char/hw_random/core.c +++ b/drivers/char/hw_random/core.c 
@@ -31,6 +31,7 @@ static struct hwrng *current_rng; /* the current rng has been explicitly chosen by user via sysfs */ static int cur_rng_set_by_user; static struct task_struct *hwrng_fill; +static struct completion hwrng_started = COMPLETION_INITIALIZER(hwrng_started); /* list of registered rngs, sorted decending by quality */ static LIST_HEAD(rng_list); /* Protects rng_list and current_rng */ @@ -432,12 +433,15 @@ static int hwrng_fillfn(void *unused) { long rc; + complete(&hwrng_started); while (!kthread_should_stop()) { struct hwrng *rng; rng = get_current_rng(); - if (IS_ERR(rng) || !rng) - break; + if (IS_ERR(rng) || !rng) { + msleep_interruptible(10); + continue; + } mutex_lock(&reading_mutex); rc = rng_get_data(rng, rng_fillbuf, rng_buffer_size(), 1); @@ -462,6 +466,8 @@ static void start_khwrngd(void) if (IS_ERR(hwrng_fill)) { pr_err("hwrng_fill thread creation failed\n"); hwrng_fill = NULL; + } else { + wait_for_completion(&hwrng_started); } }
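Review bot: In the first hunk (@@ -31,6 +31,7), the new file-scope `hwrng_started` carries no comment saying what it synchronises, unlike the neighbouring `cur_rng_set_by_user` and `rng_list` declarations. Add a one-line comment stating that hwrng_fillfn() signals it on entry and start_khwrngd() waits on it, and consider `static DECLARE_COMPLETION(hwrng_started);`, the usual shorthand for this initializer. None of the visible hunks adds `#include <linux/completion.h>`, so confirm the file does not rely on an indirect include.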
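Review bot: In the hwrng_fillfn() hunk (@@ -432,12 +433,15), replacing `break` with `msleep_interruptible(10); continue;` turns the no-rng case into a 10 ms polling loop that keeps waking the thread for as long as it is left running without an rng. Say in a comment that every path which clears the current rng is followed by kthread_stop(), or sleep on something that is woken explicitly instead of polling. Also, the commit message names the thread's direct write of NULL to hwrng_fill as the first bug, but both deletions counted in the diffstat are in this hunk, so that assignment is left untouched; explain in the message why it is now safe, or remove it.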
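Review bot: In the start_khwrngd() hunk (@@ -462,6 +466,8), `wait_for_completion(&hwrng_started)` is uninterruptible and has no timeout, and the hunk does not show which locks the caller holds at this point. If start_khwrngd() is reached with a mutex held, the registration path now also waits for the new thread to be scheduled; note that in a comment. A short comment explaining the purpose of the wait (kthread_stop() must not be called before the thread has started running) is missing and would keep a later cleanup from dropping it.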