random: fix BUG_ON caused by accounting simplification

Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified things too much, in that it allows the following to trigger an overflow that results in a BUG_ON crash: dd if=/dev/urandom of=/dev/zero bs=67108707 count=1 Thanks to Peter Zihlstra for discovering the crash, and Hannes Frederic for analyizing the root cause. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Reported-by: Peter Zijlstra <peterz@infradead.org> Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: Greg Price <price@mit.edu>
author: Theodore Ts'o <tytso@mit.edu> 2014-05-17 05:40:41 +0400
committer: Theodore Ts'o <tytso@mit.edu> 2014-05-17 06:18:22 +0400
commit: f9c6d4987b23e0a514464bae6771933a48e4cd01 (patch)
tree: 4470c1ccd9ade767d3c3928ebb2432e9c9d32546 /drivers/char/random.c
parent: d6d211db37e75de2ddc3a4f979038c40df7cc79c (diff)
download: linux-f9c6d4987b23e0a514464bae6771933a48e4cd01.tar.xz
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 6b75713d953a..102c50d38902 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -995,8 +995,11 @@ retry:
 		ibytes = min_t(size_t, ibytes, have_bytes - reserved);
 	if (ibytes < min)
 		ibytes = 0;
-	entropy_count = max_t(int, 0,
-			      entropy_count - (ibytes << (ENTROPY_SHIFT + 3)));
+	if (have_bytes >= ibytes + reserved)
+		entropy_count -= ibytes << (ENTROPY_SHIFT + 3);
+	else
+		entropy_count = reserved << (ENTROPY_SHIFT + 3);
+
 	if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
 		goto retry;
author	Theodore Ts'o <tytso@mit.edu>	2014-05-17 05:40:41 +0400
committer	Theodore Ts'o <tytso@mit.edu>	2014-05-17 06:18:22 +0400
commit	f9c6d4987b23e0a514464bae6771933a48e4cd01 (patch)
tree	4470c1ccd9ade767d3c3928ebb2432e9c9d32546 /drivers/char/random.c
parent	d6d211db37e75de2ddc3a4f979038c40df7cc79c (diff)
download	linux-f9c6d4987b23e0a514464bae6771933a48e4cd01.tar.xz