-
Laurent Vivier authored
Commit daae28de has moved add_early_randomness() out of the rng_mutex and tries to protect the reference of the new rng device by incrementing the reference counter. But in hwrng_register(), the function can be called with a new device that is not set as the current_rng device and the reference has not been initialized. This patch fixes the problem by not using the reference counter when the device is not the current one: the reference counter is only meaningful in the case of the current rng device and a device is not used if it is not the current one (except in hwrng_register()) The problem has been reported by Marek Szyprowski on ARM 32bit Exynos5420-based Chromebook Peach-Pit board: WARNING: CPU: 3 PID: 1 at lib/refcount.c:156 hwrng_register+0x13c/0x1b4 refcount_t: increment on 0; use-after-free. Modules linked in: CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00061-gdaae28de Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [<c01124c8>] (unwind_backtrace) from [<c010dfb8>] (show_stack+0x10/0x14) [<c010dfb8>] (show_stack) from [<c0ae86d8>] (dump_stack+0xa8/0xd4) [<c0ae86d8>] (dump_stack) from [<c0127428>] (__warn+0xf4/0x10c) [<c0127428>] (__warn) from [<c01274b4>] (warn_slowpath_fmt+0x74/0xb8) [<c01274b4>] (warn_slowpath_fmt) from [<c054729c>] (hwrng_register+0x13c/0x1b4) [<c054729c>] (hwrng_register) from [<c0547e54>] (tpm_chip_register+0xc4/0x274) ... Reported-by:
Marek Szyprowski <m.szyprowski@samsung.com> Fixes: daae28de ("hwrng: core - move add_early_randomness() out of rng_mutex") Tested-by:
Laurent Vivier <lvivier@redhat.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
28443671
