linux-kernel.vger.kernel.org archive mirror
From: Michael Ellerman <mpe@ellerman.id.au>
To: Linus Torvalds <torvalds@osdl.org>
Cc: tytso@mit.edu, <linux-kernel@vger.kernel.org>, <linuxppc-dev@ozlabs.org>
Subject: [PATCH] random: Fix crashes with sparse node ids
Date: Sun, 31 Jul 2016 00:23:08 +1000
Message-ID: <1469888588-5918-1-git-send-email-mpe@ellerman.id.au>

On a system with sparse node ids, eg. a powerpc system with 4 nodes
numbered like so:

  node   0: [mem 0x0000000000000000-0x00000007ffffffff]
  node   1: [mem 0x0000000800000000-0x0000000fffffffff]
  node  16: [mem 0x0000001000000000-0x00000017ffffffff]
  node  17: [mem 0x0000001800000000-0x0000001fffffffff]

The code in rand_initialize() will allocate 4 pointers for the pool
array, and initialise them correctly.

However when we go to use the pool, in eg. extract_crng(), we use the
numa_node_id() to index into the array. For the higher numbered node ids
this leads to random memory corruption, depending on what was kmalloc'ed
adjacent to the pool array.

Fix it by using nr_node_ids to size the pool array.

Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 drivers/char/random.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 7f0622426b97..ea03dfe2f21c 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -249,6 +249,7 @@
 #include <linux/genhd.h>
 #include <linux/interrupt.h>
 #include <linux/mm.h>
+#include <linux/nodemask.h>
 #include <linux/spinlock.h>
 #include <linux/kthread.h>
 #include <linux/percpu.h>
@@ -1656,7 +1657,6 @@ static int rand_initialize(void)
 {
 #ifdef CONFIG_NUMA
 	int i;
-	int num_nodes = num_possible_nodes();
 	struct crng_state *crng;
 	struct crng_state **pool;
 #endif
@@ -1666,7 +1666,7 @@ static int rand_initialize(void)
 	crng_initialize(&primary_crng);
 
 #ifdef CONFIG_NUMA
-	pool = kmalloc(num_nodes * sizeof(void *),
+	pool = kmalloc(nr_node_ids * sizeof(void *),
 		       GFP_KERNEL|__GFP_NOFAIL|__GFP_ZERO);
 	for_each_online_node(i) {
 		crng = kmalloc_node(sizeof(struct crng_state),
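Review bot: In the kmalloc() call, the size is an open-coded nr_node_ids * sizeof(void *) with the element type spelled as void * instead of being taken from pool; kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL) would give an overflow-checked, zeroed array and make __GFP_ZERO unnecessary. Separately, the array now has a slot for every id below nr_node_ids while for_each_online_node() fills only the online ones, so the remaining slots stay NULL; a short comment here saying whether readers that index by numa_node_id() can ever see a NULL slot, and what they do if so, would help, since that is not visible from this hunk.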
-- 
2.7.4
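
The sizing mismatch described in the message, as a user-space model. This is an added example, not part of the patch or the kernel source; the helper names and the 64-bit node mask are assumptions made for illustration, with count_nodes() standing in for num_possible_nodes() and node_id_limit() for nr_node_ids (highest possible id plus one).

```c
#include <stdio.h>

#define MAX_NODES 64 /* assumed width of the node mask in this model */

/* Constructed sample: the node ids 0, 1, 16 and 17 from the message. */
static const unsigned long long SPARSE_MASK =
    (1ULL << 0) | (1ULL << 1) | (1ULL << 16) | (1ULL << 17);

/* Number of nodes present: the value the old code used as the array size. */
static unsigned count_nodes(unsigned long long mask)
{
    unsigned n = 0;

    for (; mask; mask &= mask - 1) /* clear the lowest set bit each pass */
        n++;
    return n;
}

/* Highest node id + 1: the size needed when the array is indexed by id. */
static unsigned node_id_limit(unsigned long long mask)
{
    unsigned n = 0;

    for (; mask; mask >>= 1)
        n++;
    return n;
}

/* How many present node ids would index past an array of 'slots' entries. */
static unsigned out_of_bounds_ids(unsigned long long mask, unsigned slots)
{
    unsigned id, bad = 0;

    for (id = 0; id < MAX_NODES; id++)
        if (((mask >> id) & 1) && id >= slots)
            bad++;
    return bad;
}

int main(void)
{
    unsigned by_count = count_nodes(SPARSE_MASK);
    unsigned by_limit = node_id_limit(SPARSE_MASK);

    printf("sized by count (%u slots): %u ids out of bounds\n",
           by_count, out_of_bounds_ids(SPARSE_MASK, by_count));
    printf("sized by id limit (%u slots): %u ids out of bounds\n",
           by_limit, out_of_bounds_ids(SPARSE_MASK, by_limit));
    return 0;
}
```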
