Commit 837bf7cc authored Jun 14, 2018 by Michael Buesch Committed by Herbert Xu Jun 15, 2018

hwrng: core - Always drop the RNG in hwrng_unregister()



enable_best_rng() is used in hwrng_unregister() to switch away from the
currently active RNG, if that is the one currently being removed.
However enable_best_rng() might fail, if the next RNG's init routine
fails. In that case enable_best_rng() will return an error code and
the currently active RNG will remain active.
After unregistering this might lead to crashes due to use-after-free.

Fix this by dropping the currently active RNG, if enable_best_rng()
failed. This will result in no RNG to be active, if the next-best
one failed to initialize.

This problem was introduced by 142a27f0

Fixes: 142a27f0 ("hwrng: core - Reset user selected rng by...")
Reported-by: Wirz <spam@lukas-wirz.de>
Tested-by: Wirz <spam@lukas-wirz.de>
Signed-off-by: Michael Büsch <m@bues.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

parent a81ae809

drivers/char/hw_random/core.c

+9 −2

Original line number	Diff line number	Diff line
		@@ -516,11 +516,18 @@ EXPORT_SYMBOL_GPL(hwrng_register);

		void hwrng_unregister(struct hwrng *rng)
		{
		int err;

		mutex_lock(&rng_mutex);

		list_del(&rng->list);
		if (current_rng == rng)
		enable_best_rng();
		if (current_rng == rng) {
		err = enable_best_rng();
		if (err) {
		drop_current_rng();
		cur_rng_set_by_user = 0;
		}
		}

		if (list_empty(&rng_list)) {
		mutex_unlock(&rng_mutex);