Google Git
Sign in
kernel/pub/scm/linux/kernel/git/ardb/linux.git/7492bfcc5b0908ca6a0e11af3bda49d5ac801e1d
commit
7492bfcc5b0908ca6a0e11af3bda49d5ac801e1d
[log] [tgz]
author
Ard Biesheuvel <ardb@kernel.org>
Wed Nov 26 17:26:28 2025 +0100
committer
Ard Biesheuvel <ardb@kernel.org>
Thu Nov 27 09:55:08 2025 +0100
tree
93399864ec40a2c2324dd93f6921fe6e5d29378b
parent
c0aebac6f39092e97ad08db32f80ccbc27049097 [diff]
random: Plug race in preceding patch

The lockless get_random_uXX() reads the next value from the linear
buffer and then overwrites it with a 0x0 value. This is racy, as the
code might be re-entered by an interrupt handler, and so the store might
redundantly wipe the location accessed by the interrupt context rather
than the interrupted context.

To plug this race, wipe the preceding location when reading the next
value from the linear buffer. Given that the position is always non-zero
outside of the critical section, this is guaranteed to be safe, and
ensures that the produced values are always wiped from the buffer.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
1 file changed
tree: 93399864ec40a2c2324dd93f6921fe6e5d29378b
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .clippy.toml
  27. .cocciconfig
  28. .editorconfig
  29. .get_maintainer.ignore
  30. .gitattributes
  31. .gitignore
  32. .mailmap
  33. .pylintrc
  34. .rustfmt.toml
  35. COPYING
  36. CREDITS
  37. Kbuild
  38. Kconfig
  39. MAINTAINERS
  40. Makefile
  41. README