hwrng_register(rng) does the following:

1. Checks if rng has name and read methods set
2. Checks if the name already exists
3. Adds rng to global rng_list
4. May try to set rng to current_rng

If step 4 fails, it returns an error. However, it does not remove the
rng from rng_list, causing a dangling reference which can result in
use-after-free if the caller frees rng, since registration failed.

Add a list_del_init() cleanup step.

Signed-off-by: Manos Pitsidianakis <manos@pitsidianak.is>
---
drivers/char/hw_random/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
index aba92d777f72604861b644469032c8f443f1ed50..3015b863412ee17c734eb4ce2feebe78f5049d89 100644
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -604,11 +604,13 @@ int hwrng_register(struct hwrng *rng)
*/
err = set_current_rng(rng);
if (err)
- goto out_unlock;
+ goto out_list_del;
}
}
mutex_unlock(&rng_mutex);
return 0;
+out_list_del:
+ list_del_init(&rng->list);
out_unlock:
mutex_unlock(&rng_mutex);
out:
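Review bot: at the new out_list_del label, the cleanup is reached only from the set_current_rng() failure shown in this hunk, so any other error exit taken after rng has been added to rng_list would still jump to out_unlock and leave the entry behind; please confirm in the full function that this goto is the only one after the list add. The fall-through from out_list_del into out_unlock keeps list_del_init(&rng->list) under rng_mutex, which is what the list needs, and a one-line comment at the label saying it undoes the list add would help future readers. Since the commit message describes a use-after-free, the trailer should also carry a Fixes: tag.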
---
base-commit: 8bc67e4db64aa72732c474b44ea8622062c903f0
change-id: 20260525-hw_random_registration_rng_list-7651b27b76c8
Best regards,
--
Manos Pitsidianakis <manos@pitsidianak.is>
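The failure mode described in the commit message above, as an added userspace model that is not part of the patch or of the kernel source: it shows that a failed registration leaves the node reachable from the global list unless the error path unlinks it. `hwrng_model`, `register_model`, `still_listed` and the `init_fails` knob are hypothetical names; locking and the duplicate-name check are left out.

```c
/* Userspace model of the error path described above. Constructed example:
 * the list helpers imitate the kernel's, and no locking is modelled. */
#include <errno.h>

struct list_head { struct list_head *next, *prev; };
static struct list_head rng_list = { &rng_list, &rng_list };

struct hwrng_model {             /* hypothetical stand-in for struct hwrng */
    const char *name;
    int init_fails;              /* constructed knob: makes step 4 fail */
    struct list_head list;
};

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;       /* node now points only at itself */
}

/* with_cleanup = 0 models the old error path, 1 the patched one. */
int register_model(struct hwrng_model *rng, int with_cleanup)
{
    if (!rng->name)                              /* step 1 (reduced) */
        return -EINVAL;
    list_add_tail(&rng->list, &rng_list);        /* step 3 */
    int err = rng->init_fails ? -ENODEV : 0;     /* step 4 stand-in */
    if (err && with_cleanup)
        list_del_init(&rng->list);               /* the added cleanup */
    return err;
}

/* Returns 1 if rng_list still references this node. */
int still_listed(const struct hwrng_model *rng)
{
    for (struct list_head *p = rng_list.next; p != &rng_list; p = p->next)
        if (p == &rng->list)
            return 1;
    return 0;
}
```

With `with_cleanup` set to 0 the caller sees an error and would normally free the object, while `rng_list` still holds a pointer to it; that stale pointer is the dangling reference the commit message refers to.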
On Mon, May 25, 2026 at 10:25:39AM +0300, Manos Pitsidianakis wrote:
> hwrng_register(rng) does the following:
>
> 1. Checks if rng has name and read methods set
> 2. Checks if the name already exists
> 3. Adds rng to global rng_list
> 4. May try to set rng to current_rng
>
> If step 4 fails, it returns an error. However, it does not remove the
> rng from rng_list, causing a dangling reference which can result in
> use-after-free if the caller frees rng, since registration failed.
>
> Add a list_del_init() cleanup step.
>
> Signed-off-by: Manos Pitsidianakis <manos@pitsidianak.is>
> ---
> drivers/char/hw_random/core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Good catch!
Please add a Fixes header for this:
Fixes: 2bbb6983887f ("hwrng: use rng source with best quality")
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Hi Herbert,
On Fri, 05 Jun 2026 11:34, Herbert Xu <herbert@gondor.apana.org.au> wrote:
>On Mon, May 25, 2026 at 10:25:39AM +0300, Manos Pitsidianakis wrote:
>> hwrng_register(rng) does the following:
>>
>> 1. Checks if rng has name and read methods set
>> 2. Checks if the name already exists
>> 3. Adds rng to global rng_list
>> 4. May try to set rng to current_rng
>>
>> If step 4 fails, it returns an error. However, it does not remove the
>> rng from rng_list, causing a dangling reference which can result in
>> use-after-free if the caller frees rng, since registration failed.
>>
>> Add a list_del_init() cleanup step.
>>
>> Signed-off-by: Manos Pitsidianakis <manos@pitsidianak.is>
>> ---
>> drivers/char/hw_random/core.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>Good catch!
>
>Please add a Fixes header for this:
>
>Fixes: 2bbb6983887f ("hwrng: use rng source with best quality")
Would this patch go through your maintainer tree?
If yes, you could add it along with your r-b directly, otherwise I can
send a new revision when it gets a review.
Thanks,
Manos
On Fri, Jun 05, 2026 at 12:18:29PM +0300, Manos Pitsidianakis wrote:
>
> If yes, you could add it along with your r-b directly, otherwise I can send
> a new revision when it gets a review.
It will go through my tree but please resend.
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt