Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp4953666iob;
        Mon, 9 May 2022 05:39:51 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxLyZ86xEVutQXG2FwVHkQktNrWQWtTAGWRXtCMVr5Tgnlj8/2u2SZUvw3nS2NnKO6rRO4Y
X-Received: by 2002:a17:902:d505:b0:15e:8b5c:bbe3 with SMTP id b5-20020a170902d50500b0015e8b5cbbe3mr15554834plg.38.1652099991244;
        Mon, 09 May 2022 05:39:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1652099991; cv=none;
        d=google.com; s=arc-20160816;
        b=W1nDzXzY95Wcvk//1xgMrXkw0P4VaE2i6z5BVCwbJ8BvoA00nL32BghwfBfgkBaozA
         yP8pFl1jCOidHlrqp15nBxmG19+SNL2ZNVAObkdGeQU1vtRubJOlVMKzeJ41uNrviH7t
         7dTCiJPHHqCVPGxloJ4zH3il3TvkHkMYG4NOzx3A9XnVG529wVl5ZT7lRAhDSeSeeUPT
         eCTQrAfNCHN/ZVGxWokesr4oy5oAdc0p2HxHa9yK4QReQZ9hSc6u8MM1m+yf8J0xdM7P
         r+slEceBksouWA/psNmMAMjSMNv6yuWm7csz69uQnbUh14yUY7xrgFyzoSn1gsASU/kc
         gBog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=Tn/p+e/zd5471hC2h3Zuq6XRE1+9iMi7L+cCU6cVm/M=;
        b=Qq8Ghu7VrWHtumnBDQ6hXxztNLhFIfQS3pXgYn5jUHft1MhZIQuT9Nu6nfEPPeVEmI
         iY3x+Yfnb+vvMKtpmw0n+KQYMGQlKwZWDzd54RRsThtEvcWKSJq89QaMjdKDQ7utMsOa
         fVv7hSeztXRA7+i8WBjqd2IOZbiBZ3+3O0A+48de+AH8SwJrYy/TIS1TMHESM7NSai9k
         0JZE7ib42IXjVFzJBDyN1OwzQAkOrc0XHKh3nfWTr0Y94O4YJ3H/kpf3VD+oAVibuyV+
         hNC5OKALkcDNSgRKCWMnZyTalod/dWFy3CrTk1XhXL3kBxK4Jen6JSHJ5qXwv/zzMkTL
         j3/A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=CJAavsZB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id c4-20020a170902d48400b0015448e01af7si13859706plg.96.2022.05.09.05.39.50
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 09 May 2022 05:39:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=CJAavsZB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 6E824247342;
	Mon,  9 May 2022 05:14:31 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234187AbiEIMSR (ORCPT <rfc822;apple4onegiven@gmail.com>
        + 99 others); Mon, 9 May 2022 08:18:17 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52440 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233942AbiEIMSP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 May 2022 08:18:15 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D6E2523E2AC
        for <linux-kernel@vger.kernel.org>; Mon,  9 May 2022 05:14:20 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 615BE612D7
        for <linux-kernel@vger.kernel.org>; Mon,  9 May 2022 12:14:20 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76050C385AB;
        Mon,  9 May 2022 12:14:19 +0000 (UTC)
Authentication-Results: smtp.kernel.org;
        dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="CJAavsZB"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105;
        t=1652098457;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding;
        bh=Tn/p+e/zd5471hC2h3Zuq6XRE1+9iMi7L+cCU6cVm/M=;
        b=CJAavsZB9CV1ventXjO8dXbX50fDRde+YUKRQLv5oxOIsi5z+UO/sx8NJaX+YdU8/htFUO
        QS59N9vyMcnV3Y2FoTQN9zd7IMzGQydjPoX1L/cqEj4czS6gb078qsVnM1w+3CbrVKj2CE
        ukLRyf4Q6a5xiEMGBpVtwhaRbRMwLC0=
Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 83cff8db (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO);
        Mon, 9 May 2022 12:14:16 +0000 (UTC)
From:   "Jason A. Donenfeld" <Jason@zx2c4.com>
To:     linux-kernel@vger.kernel.org
Cc:     "Jason A. Donenfeld" <Jason@zx2c4.com>,
        Dominik Brodowski <linux@dominikbrodowski.net>
Subject: [PATCH 1/2] random: avoid init'ing twice in credit race
Date:   Mon,  9 May 2022 14:14:08 +0200
Message-Id: <20220509121409.529788-1-Jason@zx2c4.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Since all changes of crng_init now go through credit_init_bits(), we can
fix a long standing race in which two concurrent callers of
credit_init_bits() have the new bit count >= some threshold, but are
doing so with crng_init as a lower threshold, checked outside of a lock,
resulting in crng_reseed() or similar being called twice.

In order to fix this, we can use the original cmpxchg value of the bit
count, and only change crng_init when the bit count transitions from
below a threshold to meeting the threshold.

Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 drivers/char/random.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index a1a76487ea35..79409cf27a25 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -823,7 +823,7 @@ static void extract_entropy(void *buf, size_t nbytes)
 
 static void credit_init_bits(size_t nbits)
 {
-	unsigned int init_bits, orig, add;
+	unsigned int new, orig, add;
 	unsigned long flags;
 
 	if (crng_ready() || !nbits)
@@ -833,12 +833,12 @@ static void credit_init_bits(size_t nbits)
 
 	do {
 		orig = READ_ONCE(input_pool.init_bits);
-		init_bits = min_t(unsigned int, POOL_BITS, orig + add);
-	} while (cmpxchg(&input_pool.init_bits, orig, init_bits) != orig);
+		new = min_t(unsigned int, POOL_BITS, orig + add);
+	} while (cmpxchg(&input_pool.init_bits, orig, new) != orig);
 
-	if (!crng_ready() && init_bits >= POOL_READY_BITS)
+	if (orig < POOL_READY_BITS && new >= POOL_READY_BITS)
 		crng_reseed();
-	else if (unlikely(crng_init == CRNG_EMPTY && init_bits >= POOL_EARLY_BITS)) {
+	else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) {
 		spin_lock_irqsave(&base_crng.lock, flags);
 		if (crng_init == CRNG_EMPTY) {
 			extract_entropy(base_crng.key, sizeof(base_crng.key));
-- 
2.35.1